From 09bea664d50a870942a24e1c3a4336268f88ba7e Mon Sep 17 00:00:00 2001
From: shankar0123
Date: Mon, 11 May 2026 13:18:25 +0000
Subject: [PATCH] chore(fmt): gofmt cleanup on three pre-bundle drift files surfaced by v2.1.0 release-gate Phase 1 Phase 1 (make verify) of cowork/v2.1.0-release-gate.md surfaced three files with pre-existing gofmt drift that pre-dated the 2026-05-11 fix bundle work: internal/auth/oidc/domain/types.go internal/auth/oidc/integration_keycloak_rotate_test.go internal/auth/oidc/test_discovery.go The 2026-05-11 Fix 08 fmt-cleanup commit (b8fac59) fixed four files that the merge introduced; these three were noted as pre-existing master drift and intentionally left untouched at the time. The v2.1.0 release-gate spec's Phase 1 requires zero gofmt output from 'go fmt ./...' (Makefile::verify form), so the drift must close before tagging. Pure whitespace alignment, no semantic change.
---
 internal/auth/oidc/domain/types.go | 28 +++++++++----------
 .../oidc/integration_keycloak_rotate_test.go | 4 +--
 internal/auth/oidc/test_discovery.go | 20 ++++++-------
 3 files changed, 26 insertions(+), 26 deletions(-)
diff --git a/internal/auth/oidc/domain/types.go b/internal/auth/oidc/domain/types.go
index c05a53b..6200bea 100644
--- a/internal/auth/oidc/domain/types.go
+++ b/internal/auth/oidc/domain/types.go
@@ -33,20 +33,20 @@ import (
 // the field is non-empty + carries the v2 magic byte; actual
 // encryption / decryption happens in the service layer.
 type OIDCProvider struct {
- ID string `json:"id"` // prefix `op-`
- TenantID string `json:"tenant_id"`
- Name string `json:"name"`
- IssuerURL string `json:"issuer_url"`
- ClientID string `json:"client_id"`
- ClientSecretEncrypted []byte `json:"-"` // v2 blob; never JSON-encoded
- RedirectURI string `json:"redirect_uri"`
- GroupsClaimPath string `json:"groups_claim_path"`
- GroupsClaimFormat string `json:"groups_claim_format"`
- FetchUserinfo bool `json:"fetch_userinfo"`
- Scopes []string `json:"scopes"`
- AllowedEmailDomains []string `json:"allowed_email_domains"`
- IATWindowSeconds int `json:"iat_window_seconds"`
- JWKSCacheTTLSeconds int `json:"jwks_cache_ttl_seconds"`
+ ID string `json:"id"` // prefix `op-`
+ TenantID string `json:"tenant_id"`
+ Name string `json:"name"`
+ IssuerURL string `json:"issuer_url"`
+ ClientID string `json:"client_id"`
+ ClientSecretEncrypted []byte `json:"-"` // v2 blob; never JSON-encoded
+ RedirectURI string `json:"redirect_uri"`
+ GroupsClaimPath string `json:"groups_claim_path"`
+ GroupsClaimFormat string `json:"groups_claim_format"`
+ FetchUserinfo bool `json:"fetch_userinfo"`
+ Scopes []string `json:"scopes"`
+ AllowedEmailDomains []string `json:"allowed_email_domains"`
+ IATWindowSeconds int `json:"iat_window_seconds"`
+ JWKSCacheTTLSeconds int `json:"jwks_cache_ttl_seconds"`
 // Enabled gates whether the provider is offered on the LoginPage and
 // accepted at HandleAuthRequest. Audit 2026-05-10 MED-9 closure:
 // pre-fix the only way to take a provider offline was DELETE (which
diff --git a/internal/auth/oidc/integration_keycloak_rotate_test.go b/internal/auth/oidc/integration_keycloak_rotate_test.go
index 169201a..9a38047 100644
--- a/internal/auth/oidc/integration_keycloak_rotate_test.go
+++ b/internal/auth/oidc/integration_keycloak_rotate_test.go
@@ -46,10 +46,10 @@ import (
 // 2. Rotate the realm's RSA key via the Keycloak admin API.
 // 3. Run a fresh /auth/oidc/login → /auth/oidc/callback flow.
 // - Keycloak signs the new ID token under the new (higher-priority)
-// key.
+// key.
 // - certctl's verifier holds the pre-rotate JWKS in cache.
 // The verify trips kid-not-in-cache → MED-6 auto-refresh fires →
-// second verify succeeds.
+// second verify succeeds.
 // 4. Assert the callback succeeded without the test having called
 // RefreshKeys (which would mask the MED-6 path).
 //
diff --git a/internal/auth/oidc/test_discovery.go b/internal/auth/oidc/test_discovery.go
index 3bcb003..bf8cbff 100644
--- a/internal/auth/oidc/test_discovery.go
+++ b/internal/auth/oidc/test_discovery.go
@@ -21,16 +21,16 @@ import (
 // (e.g. discovery OK but alg-downgrade tripped) returns
 // DiscoverySucceeded=true + a non-empty Errors slice.
 type TestDiscoveryResult struct {
- DiscoverySucceeded bool `json:"discovery_succeeded"`
- JWKSReachable bool `json:"jwks_reachable"`
- SupportedAlgValues []string `json:"supported_alg_values"`
- IssParamSupported bool `json:"iss_param_supported"`
- IssuerEcho string `json:"issuer_echo,omitempty"` // the iss value the IdP advertised
- AuthorizationURL string `json:"authorization_url,omitempty"`
- TokenURL string `json:"token_url,omitempty"`
- JWKSURI string `json:"jwks_uri,omitempty"`
- UserInfoEndpoint string `json:"userinfo_endpoint,omitempty"`
- Errors []string `json:"errors,omitempty"`
+ DiscoverySucceeded bool `json:"discovery_succeeded"`
+ JWKSReachable bool `json:"jwks_reachable"`
+ SupportedAlgValues []string `json:"supported_alg_values"`
+ IssParamSupported bool `json:"iss_param_supported"`
+ IssuerEcho string `json:"issuer_echo,omitempty"` // the iss value the IdP advertised
+ AuthorizationURL string `json:"authorization_url,omitempty"`
+ TokenURL string `json:"token_url,omitempty"`
+ JWKSURI string `json:"jwks_uri,omitempty"`
+ UserInfoEndpoint string `json:"userinfo_endpoint,omitempty"`
+ Errors []string `json:"errors,omitempty"`
 }
 
 // TestDiscovery runs the read-only subset of getOrLoad against a