chore: fix lint and bump golangci-lint

.github/workflows/ci.yaml

@@ -94,7 +94,7 @@ jobs:
           GOGC: 100
         with:
           args: --timeout 10m0s
-          version: v1.55.2
+          version: v1.61.0
           skip-pkg-cache: true
       - name: Run go-acc (tests)
         run: |

.schema/config.schema.json

@@ -40,7 +40,7 @@
         },
         "mode": {
           "type": "integer",
-          "description": "Mode of unix socket in numeric form",
+          "description": "Mode of unix socket in numeric form, base 10.",
           "default": 493,
           "minimum": 0,
           "maximum": 511

Makefile

@@ -5,7 +5,7 @@ export PATH 					:= .bin:${PATH}
 export PWD 						:= $(shell pwd)
 export IMAGE_TAG 			:= $(if $(IMAGE_TAG),$(IMAGE_TAG),latest)
 
-GOLANGCI_LINT_VERSION = 1.55.2
+GOLANGCI_LINT_VERSION = 1.61.0
 
 GO_DEPENDENCIES = github.com/ory/go-acc \
 				  github.com/golang/mock/mockgen \

cmd/cmd_perform_authorization_code.go

@@ -359,16 +359,18 @@ func (rt *router) loginGET(w http.ResponseWriter, r *http.Request, _ httprouter.
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
+	defer raw.Body.Close() // to satisfy linter
 
 	if rt.skip && req.GetSkip() {
-		req, _, err := rt.cl.OAuth2API.AcceptOAuth2LoginRequest(r.Context()).
+		req, res, err := rt.cl.OAuth2API.AcceptOAuth2LoginRequest(r.Context()).
 			LoginChallenge(req.Challenge).
 			AcceptOAuth2LoginRequest(openapi.AcceptOAuth2LoginRequest{Subject: req.Subject}).
 			Execute()
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+		defer res.Body.Close() // to satisfy linter
 		http.Redirect(w, r, req.RedirectTo, http.StatusFound)
 		return
 	}
@@ -397,7 +399,7 @@ func (rt *router) loginPOST(w http.ResponseWriter, r *http.Request, _ httprouter
 		return
 	}
 	if r.FormValue("revoke-consents") == "on" {
-		_, err := rt.cl.OAuth2API.RevokeOAuth2ConsentSessions(r.Context()).
+		res, err := rt.cl.OAuth2API.RevokeOAuth2ConsentSessions(r.Context()).
 			Subject(r.FormValue("username")).
 			All(true).
 			Execute()
@@ -406,11 +408,12 @@ func (rt *router) loginPOST(w http.ResponseWriter, r *http.Request, _ httprouter
 		} else {
 			fmt.Fprintln(rt.cmd.ErrOrStderr(), "Revoked all previous consents")
 		}
+		defer res.Body.Close() // to satisfy linter
 	}
 	switch r.FormValue("action") {
 	case "accept":
 
-		req, _, err := rt.cl.OAuth2API.AcceptOAuth2LoginRequest(r.Context()).
+		req, res, err := rt.cl.OAuth2API.AcceptOAuth2LoginRequest(r.Context()).
 			LoginChallenge(r.FormValue("ls")).
 			AcceptOAuth2LoginRequest(openapi.AcceptOAuth2LoginRequest{
 				Subject:     r.FormValue("username"),
@@ -424,14 +427,16 @@ func (rt *router) loginPOST(w http.ResponseWriter, r *http.Request, _ httprouter
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+		defer res.Body.Close() // to satisfy linter
 		http.Redirect(w, r, req.RedirectTo, http.StatusFound)
 
 	case "deny":
-		req, _, err := rt.cl.OAuth2API.RejectOAuth2LoginRequest(r.Context()).LoginChallenge(r.FormValue("ls")).Execute()
+		req, res, err := rt.cl.OAuth2API.RejectOAuth2LoginRequest(r.Context()).LoginChallenge(r.FormValue("ls")).Execute()
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+		defer res.Body.Close() // to satisfy linter
 		http.Redirect(w, r, req.RedirectTo, http.StatusFound)
 
 	default:
@@ -447,9 +452,10 @@ func (rt *router) consentGET(w http.ResponseWriter, r *http.Request, _ httproute
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
+	defer raw.Body.Close() // to satisfy linter
 
 	if rt.skip && req.GetSkip() {
-		req, _, err := rt.cl.OAuth2API.AcceptOAuth2ConsentRequest(r.Context()).
+		req, res, err := rt.cl.OAuth2API.AcceptOAuth2ConsentRequest(r.Context()).
 			ConsentChallenge(req.Challenge).
 			AcceptOAuth2ConsentRequest(openapi.AcceptOAuth2ConsentRequest{
 				GrantScope:               req.GetRequestedScope(),
@@ -469,6 +475,7 @@ func (rt *router) consentGET(w http.ResponseWriter, r *http.Request, _ httproute
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+		defer res.Body.Close() // to satisfy linter
 		http.Redirect(w, r, req.RedirectTo, http.StatusFound)
 		return
 	}
@@ -487,6 +494,7 @@ func (rt *router) consentGET(w http.ResponseWriter, r *http.Request, _ httproute
 		http.Error(w, err.Error(), http.StatusInternalServerError)
 		return
 	}
+	defer raw.Body.Close() // to satisfy linter
 	prettyPrevConsent, err := prettyJSON(raw.Body)
 	if err != nil {
 		http.Error(w, err.Error(), http.StatusInternalServerError)
@@ -518,7 +526,7 @@ func (rt *router) consentPOST(w http.ResponseWriter, r *http.Request, _ httprout
 	}
 	switch r.FormValue("action") {
 	case "accept":
-		req, _, err := rt.cl.OAuth2API.AcceptOAuth2ConsentRequest(r.Context()).
+		req, res, err := rt.cl.OAuth2API.AcceptOAuth2ConsentRequest(r.Context()).
 			ConsentChallenge(r.FormValue("cs")).
 			AcceptOAuth2ConsentRequest(openapi.AcceptOAuth2ConsentRequest{
 				GrantScope:               r.Form["scope"],
@@ -538,16 +546,18 @@ func (rt *router) consentPOST(w http.ResponseWriter, r *http.Request, _ httprout
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+		defer res.Body.Close() // to satisfy linter
 		http.Redirect(w, r, req.RedirectTo, http.StatusFound)
 
 	case "deny":
-		req, _, err := rt.cl.OAuth2API.RejectOAuth2ConsentRequest(r.Context()).
+		req, res, err := rt.cl.OAuth2API.RejectOAuth2ConsentRequest(r.Context()).
 			ConsentChallenge(r.FormValue("cs")).
 			Execute()
 		if err != nil {
 			http.Error(w, err.Error(), http.StatusInternalServerError)
 			return
 		}
+		defer res.Body.Close() // to satisfy linter
 		http.Redirect(w, r, req.RedirectTo, http.StatusFound)
 
 	default:

driver/config/provider.go

@@ -6,6 +6,7 @@ package config
 import (
 	"context"
 	"fmt"
+	"math"
 	"net/http"
 	"net/url"
 	"strings"
@@ -134,15 +135,34 @@ func (p *DefaultProvider) GetHasherAlgorithm(ctx context.Context) x.HashAlgorith
 }
 
 func (p *DefaultProvider) HasherBcryptConfig(ctx context.Context) *hasherx.BCryptConfig {
+	var cost uint32
+	costInt := p.GetBCryptCost(ctx)
+	if costInt < 0 {
+		cost = 10
+	} else if costInt > math.MaxUint32 {
+		cost = math.MaxUint32
+	} else {
+		cost = uint32(costInt)
+	}
 	return &hasherx.BCryptConfig{
-		Cost: uint32(p.GetBCryptCost(ctx)),
+		Cost: cost,
 	}
 }
 
 func (p *DefaultProvider) HasherPBKDF2Config(ctx context.Context) *hasherx.PBKDF2Config {
+	var iters uint32
+	itersInt := p.getProvider(ctx).Int(KeyPBKDF2Iterations)
+	if itersInt < 1 {
+		iters = 1
+	} else if itersInt > math.MaxUint32 {
+		iters = math.MaxUint32
+	} else {
+		iters = uint32(itersInt)
+	}
+
 	return &hasherx.PBKDF2Config{
 		Algorithm:  "sha256",
-		Iterations: uint32(p.getProvider(ctx).Int(KeyPBKDF2Iterations)),
+		Iterations: iters,
 		SaltLength: 16,
 		KeyLength:  32,
 	}

driver/config/serve.go

@@ -6,7 +6,8 @@ package config
 import (
 	"context"
 	"fmt"
-	"os"
+	"io/fs"
+	"math"
 	"strings"
 
 	"github.com/ory/x/contextx"
@@ -63,10 +64,19 @@ func (p *DefaultProvider) ListenOn(iface ServeInterface) string {
 }
 
 func (p *DefaultProvider) SocketPermission(iface ServeInterface) *configx.UnixPermission {
+	var mode fs.FileMode
+	modeInt := p.getProvider(contextx.RootContext).IntF(iface.Key(KeySuffixSocketMode), 0755)
+	if modeInt < 0 {
+		mode = 0
+	} else if modeInt > math.MaxUint32 {
+		mode = 0777
+	} else {
+		mode = fs.FileMode(modeInt)
+	}
 	return &configx.UnixPermission{
 		Owner: p.getProvider(contextx.RootContext).String(iface.Key(KeySuffixSocketOwner)),
 		Group: p.getProvider(contextx.RootContext).String(iface.Key(KeySuffixSocketGroup)),
-		Mode:  os.FileMode(p.getProvider(contextx.RootContext).IntF(iface.Key(KeySuffixSocketMode), 0755)),
+		Mode:  mode,
 	}
 }
 

spec/config.json

@@ -40,7 +40,7 @@
         },
         "mode": {
           "type": "integer",
-          "description": "Mode of unix socket in numeric form",
+          "description": "Mode of unix socket in numeric form, base 10.",
           "default": 493,
           "minimum": 0,
           "maximum": 511

x/int_to_bytes.go

@@ -12,7 +12,7 @@ import (
 // IntToBytes converts an int64 to a byte slice. It is the inverse of BytesToInt.
 func IntToBytes(i int64) []byte {
 	b := make([]byte, 8)
-	binary.LittleEndian.PutUint64(b, uint64(i))
+	binary.LittleEndian.PutUint64(b, uint64(i)) //nolint:gosec
 
 	return b
 }
@@ -22,5 +22,5 @@ func BytesToInt(b []byte) (int64, error) {
 	if len(b) != 8 {
 		return 0, errors.New("byte slice must be 8 bytes long")
 	}
-	return int64(binary.LittleEndian.Uint64(b)), nil
+	return int64(binary.LittleEndian.Uint64(b)), nil //nolint:gosec
 }