chore(fmt): repo-wide gofmt -w sweep — close drift surfaced by ci-pipeline-cleanup Phase 4

Mechanical reformat. The new 'gofmt drift' CI step (added in ci-pipeline-cleanup Phase 4, commit 71b2245) surfaced 111 files with accumulated gofmt drift across cmd/, internal/, and deploy/test/. Each file's diff is gofmt-standard: whitespace adjustments, intra- group import sorting (alphabetical by import path within blank-line- separated groups), and struct-tag column alignment. No semantic changes — verified via 'git diff --ignore-all-space' which shows only the line-position deltas from import reordering. The gate stays in place after this commit. Going forward it catches gofmt drift at PR time.
2026-06-13 14:48:52 +00:00 · 2026-04-30 22:33:57 +00:00
parent 251db46f26
commit 482c7e8047
111 changed files with 761 additions and 770 deletions
@@ -798,9 +798,9 @@ func TestValidateConfig_DNSPersistIssuerDomainRequired(t *testing.T) {

 	c := New(nil, testLogger())
 	cfg, _ := json.Marshal(map[string]string{
-		"directory_url":     srv.URL,
-		"email":             "test@example.com",
-		"challenge_type":    "dns-persist-01",
+		"directory_url":      srv.URL,
+		"email":              "test@example.com",
+		"challenge_type":     "dns-persist-01",
 		"dns_present_script": "/tmp/script.sh",
 		// Missing dns_persist_issuer_domain
 	})
@@ -870,9 +870,9 @@ func TestValidateConfig_DNS01WithPresentScript(t *testing.T) {

 	c := New(nil, testLogger())
 	cfg, _ := json.Marshal(map[string]string{
-		"directory_url":     srv.URL,
-		"email":             "test@example.com",
-		"challenge_type":    "dns-01",
+		"directory_url":      srv.URL,
+		"email":              "test@example.com",
+		"challenge_type":     "dns-01",
 		"dns_present_script": "/bin/sh",
 		"dns_cleanup_script": "/bin/sh",
 	})
@@ -897,10 +897,10 @@ func TestValidateConfig_DNSPersist01WithAllFields(t *testing.T) {

 	c := New(nil, testLogger())
 	cfg, _ := json.Marshal(map[string]string{
-		"directory_url":           srv.URL,
-		"email":                   "test@example.com",
-		"challenge_type":          "dns-persist-01",
-		"dns_present_script":      "/bin/sh",
+		"directory_url":             srv.URL,
+		"email":                     "test@example.com",
+		"challenge_type":            "dns-persist-01",
+		"dns_present_script":        "/bin/sh",
 		"dns_persist_issuer_domain": "letsencrypt.org",
 	})

@@ -74,8 +74,8 @@ func TestGetRenewalInfo_NotFound(t *testing.T) {
 		if r.URL.Path == "/directory" && r.Method == http.MethodGet {
 			w.Header().Set("Content-Type", "application/json")
 			json.NewEncoder(w).Encode(map[string]string{
-				"newOrder":    "/acme/new-order",
-				"newAccount":  "/acme/new-account",
+				"newOrder":   "/acme/new-order",
+				"newAccount": "/acme/new-account",
 			})
 			return
 		}
@@ -115,8 +115,8 @@ func TestGetRenewalInfo_ServerError(t *testing.T) {
 		if r.URL.Path == "/directory" && r.Method == http.MethodGet {
 			w.Header().Set("Content-Type", "application/json")
 			json.NewEncoder(w).Encode(map[string]string{
-				"newOrder":    "/acme/new-order",
-				"newAccount":  "/acme/new-account",
+				"newOrder":   "/acme/new-order",
+				"newAccount": "/acme/new-account",
 			})
 			return
 		}
@@ -106,7 +106,7 @@ type pebbleMockServer struct {
 	idSeq    int64
 	// Behavior toggles for failure-mode tests.
 	failNewAccount   bool
-	rateLimitedOrder int32 // atomic counter; non-zero ⇒ first N orders return 429
+	rateLimitedOrder int32  // atomic counter; non-zero ⇒ first N orders return 429
 	finalizeReturns  string // "" (default), "processing-stuck", "invalid"
 	authzPending     bool   // when true, new authzs start as "pending" and only flip to "valid" after the challenge endpoint is POSTed
 	challengeType    string // when set, the per-authz challenge type emitted (default "http-01")
@@ -990,12 +990,12 @@ func TestPebbleMock_ContextCancel_DuringIssuance(t *testing.T) {
 // ─────────────────────────────────────────────────────────────────────────────

 type mockDNSSolver struct {
-	mu              sync.Mutex
-	presented       map[string]string // domain → keyAuth (or recordValue)
-	cleanedUp       map[string]bool
-	presentErr      error
-	cleanErr        error
-	presentDelay    time.Duration
+	mu           sync.Mutex
+	presented    map[string]string // domain → keyAuth (or recordValue)
+	cleanedUp    map[string]bool
+	presentErr   error
+	cleanErr     error
+	presentDelay time.Duration
 }

 func newMockDNSSolver() *mockDNSSolver {
@@ -249,4 +249,3 @@ func signJWS(key *ecdsa.PrivateKey, kid, nonce, targetURL string, payload []byte

 	return json.Marshal(jws)
 }
-
@@ -105,9 +105,9 @@ type GetCertificateOutput struct {

 // RevokeCertificateInput represents the request to revoke a certificate.
 type RevokeCertificateInput struct {
-	CAArn               string
-	CertificateSerial   string
-	RevocationReason    string
+	CAArn             string
+	CertificateSerial string
+	RevocationReason  string
 }

 // GetCACertificateInput represents the request to retrieve the CA certificate.
@@ -395,14 +395,14 @@ func mapRevocationReason(reason *string) string {
 	}

 	reasonMap := map[string]string{
-		"unspecified":           "UNSPECIFIED",
-		"keyCompromise":         "KEY_COMPROMISE",
-		"caCompromise":          "CERTIFICATE_AUTHORITY_COMPROMISE",
-		"affiliationChanged":    "AFFILIATION_CHANGED",
-		"superseded":            "SUPERSEDED",
-		"cessationOfOperation":  "CESSATION_OF_OPERATION",
-		"certificateHold":       "CERTIFICATE_HOLD",
-		"privilegeWithdrawn":    "PRIVILEGE_WITHDRAWN",
+		"unspecified":          "UNSPECIFIED",
+		"keyCompromise":        "KEY_COMPROMISE",
+		"caCompromise":         "CERTIFICATE_AUTHORITY_COMPROMISE",
+		"affiliationChanged":   "AFFILIATION_CHANGED",
+		"superseded":           "SUPERSEDED",
+		"cessationOfOperation": "CESSATION_OF_OPERATION",
+		"certificateHold":      "CERTIFICATE_HOLD",
+		"privilegeWithdrawn":   "PRIVILEGE_WITHDRAWN",
 	}

 	if mapped, ok := reasonMap[*reason]; ok {
@@ -22,15 +22,15 @@ import (

 // mockACMPCAClient implements the ACMPCAClient interface for testing.
 type mockACMPCAClient struct {
-	issueCertificateErr    error
-	getCertificateErr      error
-	revokeCertificateErr   error
-	getCACertificateErr    error
-	issuedCertPEM          string
-	issuedChainPEM         string
-	caCertPEM              string
-	caCertChainPEM         string
-	lastIssueCertificateInput *awsacmpca.IssueCertificateInput
+	issueCertificateErr        error
+	getCertificateErr          error
+	revokeCertificateErr       error
+	getCACertificateErr        error
+	issuedCertPEM              string
+	issuedChainPEM             string
+	caCertPEM                  string
+	caCertChainPEM             string
+	lastIssueCertificateInput  *awsacmpca.IssueCertificateInput
 	lastRevokeCertificateInput *awsacmpca.RevokeCertificateInput
 }

@@ -90,9 +90,9 @@ func New(config *Config, logger *slog.Logger) *Connector {

 // orderRequest is the JSON body for DigiCert certificate order submission.
 type orderRequest struct {
-	Certificate   orderCert   `json:"certificate"`
-	Organization  orderOrg    `json:"organization"`
-	ValidityYears int         `json:"validity_years"`
+	Certificate   orderCert `json:"certificate"`
+	Organization  orderOrg  `json:"organization"`
+	ValidityYears int       `json:"validity_years"`
 }

 type orderCert struct {
@@ -162,7 +162,7 @@ func (c *Connector) IssueCertificate(ctx context.Context, request issuer.Issuanc
 	csrBase64 := base64.StdEncoding.EncodeToString(csrBlock.Bytes)

 	enrollReq := map[string]interface{}{
-		"certificate_request":      csrBase64,
+		"certificate_request":        csrBase64,
 		"certificate_authority_name": c.config.CAName,
 	}

@@ -175,7 +175,7 @@ func TestEJBCAConnector(t *testing.T) {
 				w.Header().Set("Content-Type", "application/json")

 				respData := map[string]interface{}{
-					"certificate":      base64.StdEncoding.EncodeToString(certBlock.Bytes),
+					"certificate":       base64.StdEncoding.EncodeToString(certBlock.Bytes),
 					"certificate_chain": []string{base64.StdEncoding.EncodeToString(chainBlock.Bytes)},
 					"serial_number":     "123456",
 				}
@@ -242,7 +242,7 @@ func TestEJBCAConnector(t *testing.T) {
 				w.WriteHeader(http.StatusOK)
 				w.Header().Set("Content-Type", "application/json")
 				respData := map[string]interface{}{
-					"certificate":      base64.StdEncoding.EncodeToString(certBlock.Bytes),
+					"certificate":       base64.StdEncoding.EncodeToString(certBlock.Bytes),
 					"certificate_chain": []string{},
 					"serial_number":     "789012",
 				}
@@ -314,7 +314,7 @@ func TestEJBCAConnector(t *testing.T) {
 				w.WriteHeader(http.StatusOK)
 				w.Header().Set("Content-Type", "application/json")
 				respData := map[string]interface{}{
-					"certificate":      base64.StdEncoding.EncodeToString(certBlock.Bytes),
+					"certificate":       base64.StdEncoding.EncodeToString(certBlock.Bytes),
 					"certificate_chain": []string{},
 					"serial_number":     "123456",
 				}
@@ -356,7 +356,7 @@ func TestEJBCAConnector(t *testing.T) {
 				w.WriteHeader(http.StatusOK)
 				w.Header().Set("Content-Type", "application/json")
 				respData := map[string]interface{}{
-					"certificate":      base64.StdEncoding.EncodeToString(certBlock.Bytes),
+					"certificate":       base64.StdEncoding.EncodeToString(certBlock.Bytes),
 					"certificate_chain": []string{},
 					"serial_number":     "654321",
 				}
@@ -89,9 +89,9 @@ func NewWithHTTPClient(config *Config, logger *slog.Logger, client *http.Client)

 // enrollmentRequest is the JSON body for Entrust enrollment submission.
 type enrollmentRequest struct {
-	CSR                 string `json:"csr"`
-	ProfileId           string `json:"profileId,omitempty"`
-	SubjectAltNames     []san  `json:"subjectAltNames,omitempty"`
+	CSR                  string `json:"csr"`
+	ProfileId            string `json:"profileId,omitempty"`
+	SubjectAltNames      []san  `json:"subjectAltNames,omitempty"`
 	CertificateAuthority string `json:"certificateAuthority,omitempty"`
 }

@@ -107,9 +107,9 @@ func NewWithHTTPClient(config *Config, logger *slog.Logger, client *http.Client)

 // certificateRequest is the JSON body for GlobalSign certificate order submission.
 type certificateRequest struct {
-	CSR      string            `json:"csr"`
+	CSR       string           `json:"csr"`
 	SubjectDN subjectDNRequest `json:"subject_dn"`
-	SAN      sanRequest        `json:"san,omitempty"`
+	SAN       sanRequest       `json:"san,omitempty"`
 }

 type subjectDNRequest struct {
@@ -93,10 +93,10 @@ type Connector struct {
 	httpClient *http.Client

 	// OAuth2 token caching
-	mu          sync.Mutex
-	tokenCache  *cachedToken
-	saKey       *serviceAccountKey
-	rsaKey      *rsa.PrivateKey
+	mu         sync.Mutex
+	tokenCache *cachedToken
+	saKey      *serviceAccountKey
+	rsaKey     *rsa.PrivateKey
 }

 // New creates a new Google CAS connector with the given configuration and logger.
@@ -479,9 +479,9 @@ func (c *Connector) parseCertificate(certPEM []byte) (*x509.Certificate, string,
 // Format: [{"serial": "...", "revoked_at": "...", "reason_code": ...}, ...]
 func (c *Connector) marshalRevokedSerials(revokedCerts []issuer.RevokedCertEntry) ([]byte, error) {
 	type RevokedEntry struct {
-		Serial      string `json:"serial"`
-		RevokedAt   string `json:"revoked_at"`
-		ReasonCode  int    `json:"reason_code"`
+		Serial     string `json:"serial"`
+		RevokedAt  string `json:"revoked_at"`
+		ReasonCode int    `json:"reason_code"`
 	}

 	entries := make([]RevokedEntry, len(revokedCerts))
@@ -643,7 +643,7 @@ func generateTestCSR(cn string) (*x509.CertificateRequest, string, error) {
 	}

 	csrTemplate := x509.CertificateRequest{
-		Subject: subject,
+		Subject:  subject,
 		DNSNames: []string{cn, "www." + cn},
 	}

@@ -168,9 +168,9 @@ type signRequest struct {

 // signResponse is the JSON response from the step-ca /sign endpoint.
 type signResponse struct {
-	ServerPEM certificateChain `json:"serverPEM,omitempty"`
-	CaPEM     certificateChain `json:"caPEM,omitempty"`
-	CertChainPEM []certBlock  `json:"certChainPEM,omitempty"`
+	ServerPEM    certificateChain `json:"serverPEM,omitempty"`
+	CaPEM        certificateChain `json:"caPEM,omitempty"`
+	CertChainPEM []certBlock      `json:"certChainPEM,omitempty"`
 }

 type certificateChain struct {
@@ -380,14 +380,14 @@ func (c *Connector) generateProvisionerToken(subject string, sans []string) (str

 	// step-ca expects: aud = <ca-url>/1.0/sign (the sign endpoint audience)
 	claims := map[string]interface{}{
-		"sub":  subject,
-		"iss":  c.config.ProvisionerName,
-		"aud":  c.config.CAURL + "/1.0/sign",
-		"nbf":  now.Unix(),
-		"iat":  now.Unix(),
-		"exp":  now.Add(5 * time.Minute).Unix(),
-		"jti":  generateJTI(),
-		"sha":  kid, // step-ca uses this to look up the provisioner by key fingerprint
+		"sub": subject,
+		"iss": c.config.ProvisionerName,
+		"aud": c.config.CAURL + "/1.0/sign",
+		"nbf": now.Unix(),
+		"iat": now.Unix(),
+		"exp": now.Add(5 * time.Minute).Unix(),
+		"jti": generateJTI(),
+		"sha": kid, // step-ca uses this to look up the provisioner by key fingerprint
 	}

 	if len(sans) > 0 {
@@ -1574,9 +1574,9 @@ func TestLoadProvisionerKey_FileNotReadable(t *testing.T) {

 	// Test with a provisioner key path that can't be read
 	config := stepca.Config{
-		CAURL:              srv.URL,
-		ProvisionerName:    "test-provisioner",
-		ProvisionerKeyPath: "/root/.ssh/no_such_key", // Permission denied or doesn't exist
+		CAURL:               srv.URL,
+		ProvisionerName:     "test-provisioner",
+		ProvisionerKeyPath:  "/root/.ssh/no_such_key", // Permission denied or doesn't exist
 		ProvisionerPassword: "password",
 	}

@@ -1770,4 +1770,3 @@ func TestIntegration_FullLifecycle(t *testing.T) {
 		t.Errorf("Expected status 'completed', got '%s'", status.Status)
 	}
 }
-
@@ -86,9 +86,9 @@ func New(config *Config, logger *slog.Logger) *Connector {

 // vaultResponse is the standard Vault API response wrapper.
 type vaultResponse struct {
-	Data    json.RawMessage `json:"data"`
-	Errors  []string        `json:"errors,omitempty"`
-	Warnings []string       `json:"warnings,omitempty"`
+	Data     json.RawMessage `json:"data"`
+	Errors   []string        `json:"errors,omitempty"`
+	Warnings []string        `json:"warnings,omitempty"`
 }

 // signData holds the data returned from the /sign endpoint.