Merge branch 'master' into dependabot/go_modules/google.golang.org/grpc-1.79.2

Author: dopey

README.md

@@ -29,7 +29,7 @@ You can use `step-ca` to:
 
 As you design your PKI, if you need any of the following, [consider our commerical CA](http://smallstep.com):
 - Multiple certificate authorities
-- Active revocation (CRL, OSCP)
+- Active revocation (CRL, OCSP)
 - Turnkey high-volume, high availability CA
 - An API for seamless IaC management of your PKI
 - Integrated support for SCEP & NDES, for migrating from legacy Active Directory Certificate Services deployments

acme/challenge.go

@@ -531,7 +531,7 @@ func validateWireOIDCClaims(o *wireprovisioner.OIDCOptions, token *oidc.IDToken,
 
 type wireDpopPayload struct {
 	// AccessToken is the token generated by wire-server
-	AccessToken string `json:"access_token"` //nolint:gosec // field name required by Wire protocol
+	AccessToken string `json:"access_token"`
 }
 
 func wireDPOP01Validate(ctx context.Context, ch *Challenge, db WireDB, accountJWK *jose.JSONWebKey, payload []byte) error {
@@ -1618,7 +1618,7 @@ func uitoa(val uint) string {
 		val = v
 	}
 	// val < 10
-	buf[i] = byte('0' + val) //nolint:gosec // val is always 0-9 here
+	buf[i] = byte('0' + val)
 	return string(buf[i:])
 }
 

api/crl.go

@@ -41,6 +41,6 @@ func CRL(w http.ResponseWriter, r *http.Request) {
 	} else {
 		w.Header().Add("Content-Type", "application/pkix-crl")
 		w.Header().Add("Content-Disposition", "attachment; filename=\"crl.der\"")
-		w.Write(crlInfo.Data) //nolint:gosec // writing CRL binary data
+		w.Write(crlInfo.Data)
 	}
 }

authority/admin/db/nosql/provisioner.go

@@ -29,16 +29,16 @@ type dbProvisioner struct {
 
 type dbBasicAuth struct {
 	Username string `json:"username"`
-	Password string `json:"password"` //nolint:gosec // field name for database storage
+	Password string `json:"password"`
 }
 
 type dbWebhook struct {
 	Name                 string       `json:"name"`
 	ID                   string       `json:"id"`
 	URL                  string       `json:"url"`
 	Kind                 string       `json:"kind"`
-	Secret               string       `json:"secret"`                //nolint:gosec // field name for database storage
-	BearerToken          string       `json:"bearerToken,omitempty"` //nolint:gosec // field name for database storage
+	Secret               string       `json:"secret"`
+	BearerToken          string       `json:"bearerToken,omitempty"`
 	BasicAuth            *dbBasicAuth `json:"basicAuth,omitempty"`
 	DisableTLSClientAuth bool         `json:"disableTLSClientAuth,omitempty"`
 	CertType             string       `json:"certType,omitempty"`

authority/config/config.go

@@ -79,7 +79,7 @@ type Config struct {
 	Monitoring       json.RawMessage      `json:"monitoring,omitempty"`
 	AuthorityConfig  *AuthConfig          `json:"authority,omitempty"`
 	TLS              *TLSOptions          `json:"tls,omitempty"`
-	Password         string               `json:"password,omitempty"` //nolint:gosec // field name for CA configuration
+	Password         string               `json:"password,omitempty"`
 	Templates        *templates.Templates `json:"templates,omitempty"`
 	CommonName       string               `json:"commonName,omitempty"`
 	CRL              *CRLConfig           `json:"crl,omitempty"`
@@ -263,7 +263,7 @@ func (c *Config) Save(filename string) error {
 	var b bytes.Buffer
 	enc := json.NewEncoder(&b)
 	enc.SetIndent("", "\t")
-	if err := enc.Encode(c); err != nil {
+	if err := enc.Encode(c); err != nil { //nolint:gosec // config struct contains password field by design
 		return fmt.Errorf("error encoding configuration: %w", err)
 	}
 	if err := os.WriteFile(filename, b.Bytes(), 0600); err != nil {

authority/provisioner/aws.go

@@ -469,7 +469,7 @@ func (p *AWS) readURLv1(url string) (*http.Response, error) {
 	if err != nil {
 		return nil, err
 	}
-	resp, err := client.Do(req) //nolint:gosec // request to AWS metadata service
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
@@ -485,7 +485,7 @@ func (p *AWS) readURLv2(url string) (*http.Response, error) {
 		return nil, err
 	}
 	req.Header.Set(awsMetadataTokenTTLHeader, p.config.tokenTTL)
-	resp, err := client.Do(req) //nolint:gosec // request to AWS metadata service
+	resp, err := client.Do(req)
 	if err != nil {
 		return nil, err
 	}
@@ -504,7 +504,7 @@ func (p *AWS) readURLv2(url string) (*http.Response, error) {
 		return nil, err
 	}
 	req.Header.Set(awsMetadataTokenHeader, string(token))
-	resp, err = client.Do(req) //nolint:gosec // request to AWS metadata service
+	resp, err = client.Do(req)
 	if err != nil {
 		return nil, err
 	}

authority/provisioner/azure.go

@@ -66,8 +66,8 @@ func newAzureConfig(tenantID string) *azureConfig {
 }
 
 type azureIdentityToken struct {
-	AccessToken  string `json:"access_token"`  //nolint:gosec // field name required by Azure API
-	RefreshToken string `json:"refresh_token"` //nolint:gosec // field name required by Azure API
+	AccessToken  string `json:"access_token"`
+	RefreshToken string `json:"refresh_token"`
 	ClientID     string `json:"client_id"`
 	ExpiresIn    int64  `json:"expires_in,string"`
 	ExpiresOn    int64  `json:"expires_on,string"`
@@ -212,7 +212,7 @@ func (p *Azure) GetIdentityToken(subject, caURL string) (string, error) {
 	query.Add("api-version", azureIdentityTokenAPIVersion)
 	req.URL.RawQuery = query.Encode()
 
-	resp, err := http.DefaultClient.Do(req) //nolint:gosec // request to Azure metadata service
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return "", errors.Wrap(err, "error getting identity token, are you in a Azure VM?")
 	}
@@ -510,7 +510,7 @@ func (p *Azure) getAzureEnvironment() (string, error) {
 	query.Add("api-version", "2021-02-01")
 	req.URL.RawQuery = query.Encode()
 
-	resp, err := http.DefaultClient.Do(req) //nolint:gosec // request to Azure metadata service
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return "", errors.Wrap(err, "error getting azure instance environment, are you in a Azure VM?")
 	}

authority/provisioner/gcp.go

@@ -199,7 +199,7 @@ func (p *GCP) GetIdentityToken(subject, caURL string) (string, error) {
 		return "", errors.Wrap(err, "error creating identity request")
 	}
 	req.Header.Set("Metadata-Flavor", "Google")
-	resp, err := http.DefaultClient.Do(req) //nolint:gosec // request to GCP metadata service
+	resp, err := http.DefaultClient.Do(req)
 	if err != nil {
 		return "", errors.Wrap(err, "error doing identity request, are you in a GCP VM?")
 	}

authority/provisioner/k8sSA.go

@@ -36,7 +36,7 @@ const (
 type k8sSAPayload struct {
 	jose.Claims
 	Namespace          string `json:"kubernetes.io/serviceaccount/namespace,omitempty"`
-	SecretName         string `json:"kubernetes.io/serviceaccount/secret.name,omitempty"` //nolint:gosec // field name required by Kubernetes API
+	SecretName         string `json:"kubernetes.io/serviceaccount/secret.name,omitempty"`
 	ServiceAccountName string `json:"kubernetes.io/serviceaccount/service-account.name,omitempty"`
 	ServiceAccountUID  string `json:"kubernetes.io/serviceaccount/service-account.uid,omitempty"`
 }

authority/provisioner/oidc.go

@@ -84,7 +84,7 @@ type OIDC struct {
 	Type                  string   `json:"type"`
 	Name                  string   `json:"name"`
 	ClientID              string   `json:"clientID"`
-	ClientSecret          string   `json:"clientSecret"` //nolint:gosec // field name required by OIDC configuration
+	ClientSecret          string   `json:"clientSecret"`
 	ConfigurationEndpoint string   `json:"configurationEndpoint"`
 	TenantID              string   `json:"tenantID,omitempty"`
 	Admins                []string `json:"admins,omitempty"`