diff --git a/internal/concierge/apiserver/apiserver.go b/internal/concierge/apiserver/apiserver.go index 7b5c5d637..8e4e4ea52 100644 --- a/internal/concierge/apiserver/apiserver.go +++ b/internal/concierge/apiserver/apiserver.go @@ -1,4 +1,4 @@ -// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package apiserver @@ -79,7 +79,7 @@ func (c completedConfig) New() (*PinnipedServer, error) { GenericAPIServer: genericServer, } - var errs []error //nolint:prealloc + var errs []error for _, f := range []func() (schema.GroupVersionResource, rest.Storage){ func() (schema.GroupVersionResource, rest.Storage) { tokenCredReqGVR := c.ExtraConfig.LoginConciergeGroupVersion.WithResource("tokencredentialrequests") diff --git a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go index c99a62a0c..a05c28d9c 100644 --- a/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go +++ b/internal/controller/authenticator/jwtcachefiller/jwtcachefiller.go @@ -1,4 +1,4 @@ -// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 // Package jwtcachefiller implements a controller for filling an authncache.Cache with each @@ -305,7 +305,7 @@ func (c *jwtCacheFillerController) doExpensiveValidations( okSoFar bool, ) (*cachedJWTAuthenticator, []*metav1.Condition, []error) { var conditions []*metav1.Condition - var errs []error + errs := make([]error, 0, 4) client := phttp.Default(caBundle.CertPool()) client.Timeout = 30 * time.Second // copied from Kube OIDC code 
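Review bot: In `doExpensiveValidations` (jwtcachefiller.go), `errs := make([]error, 0, 4)` ties the capacity to the number of `append` calls in a body that continues outside this hunk, so the constant goes stale unnoticed when a validation step is added or removed. A short comment such as `// capacity: one slot per validation step below` would keep it honest. The same hard-coded capacities appear in webhookcachefiller.go (`2`), github_upstream_watcher.go (`6`, beside an untouched `make([]error, 0)`) and login.go (`2`). Replacing `var errs []error` with `make` also turns a nil slice into an empty non-nil one; that matters only if some path returns `errs` without appending and a caller or test compares it with nil, which is not visible here and is worth confirming.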
diff --git a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go index 53d90caac..d05a831bf 100644 --- a/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go +++ b/internal/controller/authenticator/webhookcachefiller/webhookcachefiller.go @@ -1,4 +1,4 @@ -// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 // Package webhookcachefiller implements a controller for filling an authncache.Cache with each added/updated WebhookAuthenticator. @@ -256,7 +256,7 @@ func (c *webhookCacheFillerController) doExpensiveValidations( ) (*cachedWebhookAuthenticator, []*metav1.Condition, []error) { var newWebhookAuthenticatorForCache *cachedWebhookAuthenticator var conditions []*metav1.Condition - var errs []error + errs := make([]error, 0, 2) conditions, tlsNegotiateErr := c.validateConnection(ctx, caBundle.CertPool(), endpointHostPort, conditions, okSoFar, usingProxyForHost, logger) errs = append(errs, tlsNegotiateErr) diff --git a/internal/controller/supervisorconfig/federation_domain_watcher.go b/internal/controller/supervisorconfig/federation_domain_watcher.go index 8d60306c3..89536d8da 100644 --- a/internal/controller/supervisorconfig/federation_domain_watcher.go +++ b/internal/controller/supervisorconfig/federation_domain_watcher.go @@ -1,4 +1,4 @@ -// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package supervisorconfig 
@@ -682,7 +682,7 @@ func appendIdentityProvidersFoundCondition( conditions []*metav1.Condition, ) []*metav1.Condition { if len(idpNotFoundIndices) != 0 { - messages := []string{} + messages := make([]string, 0, len(idpNotFoundIndices)) for _, idpNotFoundIndex := range idpNotFoundIndices { messages = append(messages, fmt.Sprintf("cannot find resource specified by .spec.identityProviders[%d].objectRef (with name %q)", idpNotFoundIndex, federationDomainIdentityProviders[idpNotFoundIndex].ObjectRef.Name)) diff --git a/internal/controller/supervisorconfig/federation_domain_watcher_test.go b/internal/controller/supervisorconfig/federation_domain_watcher_test.go index 7a45ad3d2..5989e28d3 100644 --- a/internal/controller/supervisorconfig/federation_domain_watcher_test.go +++ b/internal/controller/supervisorconfig/federation_domain_watcher_test.go @@ -1,4 +1,4 @@ -// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package supervisorconfig @@ -2182,7 +2182,7 @@ func makeFederationDomainIdentityProviderComparable(fdi *federationdomainprovide } func convertToComparableType(fdis []*federationdomainproviders.FederationDomainIssuer) []*comparableFederationDomainIssuer { - result := []*comparableFederationDomainIssuer{} + result := make([]*comparableFederationDomainIssuer, 0, len(fdis)) for _, fdi := range fdis { identityProviders := fdi.IdentityProviders() comparableFDIs := make([]*comparableFederationDomainIdentityProvider, len(identityProviders)) 
@@ -2217,7 +2217,7 @@ func expectedFederationDomainStatusUpdate( } func getFederationDomainStatusUpdates(t *testing.T, actions []coretesting.Action) []*supervisorconfigv1alpha1.FederationDomain { - federationDomains := []*supervisorconfigv1alpha1.FederationDomain{} + federationDomains := make([]*supervisorconfigv1alpha1.FederationDomain, 0, len(actions)) for _, action := range actions { updateAction, ok := action.(coretesting.UpdateAction) @@ -2320,7 +2320,7 @@ func TestTransformationPipelinesCanBeTestedForEqualityUsingSourceToMakeTestingEa equalPipeline := idtransform.NewTransformationPipeline() differentPipeline1 := idtransform.NewTransformationPipeline() differentPipeline2 := idtransform.NewTransformationPipeline() - expectedSourceList := []any{} + expectedSourceList := make([]any, 0, len(transforms)) for i, transform := range transforms { // Compile and append to a pipeline. diff --git a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go index 56fd12146..6a11b9f69 100644 --- a/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go +++ b/internal/controller/supervisorconfig/githubupstreamwatcher/github_upstream_watcher.go @@ -1,4 +1,4 @@ -// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 // Package githubupstreamwatcher implements a controller which watches GitHubIdentityProviders. 
@@ -310,7 +310,7 @@ func (c *gitHubWatcherController) validateUpstreamAndUpdateConditions(ctx contex *upstreamgithub.Provider, // If validated, returns the config error, // This error will only refer to programmatic errors such as inability to perform a connection probe or dereference a pointer, not configuration errors ) { - conditions := make([]*metav1.Condition, 0) + conditions := make([]*metav1.Condition, 0, 6) applicationErrors := make([]error, 0) clientSecretCondition, clientID, clientSecret, clientSecretErr := c.validateClientSecret(upstream.Spec.Client.SecretName) diff --git a/internal/crypto/ptls/common_test.go b/internal/crypto/ptls/common_test.go index 147cb840e..c80544bb6 100644 --- a/internal/crypto/ptls/common_test.go +++ b/internal/crypto/ptls/common_test.go @@ -1,4 +1,4 @@ -// Copyright 2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2024-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package ptls @@ -74,7 +74,7 @@ func TestSetAllowedCiphersForTLSOneDotTwo(t *testing.T) { err := SetUserConfiguredAllowedCipherSuitesForTLSOneDotTwo(userConfiguredAllowedCipherSuites) require.NoError(t, err) stored := getUserConfiguredAllowedCipherSuitesForTLSOneDotTwo() - var storedNames []string + storedNames := make([]string, 0, len(stored)) for _, suite := range stored { storedNames = append(storedNames, suite.Name) } diff --git a/internal/federationdomain/endpoints/token/token_handler_test.go b/internal/federationdomain/endpoints/token/token_handler_test.go index f722bc7a0..3b321928f 100644 --- a/internal/federationdomain/endpoints/token/token_handler_test.go +++ b/internal/federationdomain/endpoints/token/token_handler_test.go @@ -1,4 +1,4 @@ -// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package token 
@@ -5980,7 +5980,7 @@ func deepCopyRequestForm(r *http.Request) *http.Request { } func getMapKeys(m map[string]any) []string { - keys := make([]string, 0) + keys := make([]string, 0, len(m)) for key := range m { keys = append(keys, key) } diff --git a/internal/federationdomain/endpointsmanager/manager_test.go b/internal/federationdomain/endpointsmanager/manager_test.go index 4f2d965c8..cc02e7e0a 100644 --- a/internal/federationdomain/endpointsmanager/manager_test.go +++ b/internal/federationdomain/endpointsmanager/manager_test.go @@ -1,4 +1,4 @@ -// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package endpointsmanager @@ -110,7 +110,7 @@ func TestManager(t *testing.T) { expectedFlowsJSON, err := json.Marshal(expectedFlows) require.NoError(t, err) - expectedIDPJSONList := []string{} + expectedIDPJSONList := make([]string, 0, len(expectedIDPNames)) for i := range expectedIDPNames { expectedIDPJSONList = append(expectedIDPJSONList, fmt.Sprintf(`{"name":"%s","type":"%s","flows":%s}`, expectedIDPNames[i], expectedIDPTypes, expectedFlowsJSON)) diff --git a/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go b/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go index 2e4aa887b..ff61a8453 100644 --- a/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go +++ b/internal/federationdomain/federationdomainproviders/federation_domain_identity_providers_lister_finder.go @@ -1,4 +1,4 @@ -// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2023-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package federationdomainproviders 
@@ -74,7 +74,7 @@ func NewFederationDomainIdentityProvidersListerFinder( wrappedLister idplister.UpstreamIdentityProvidersLister, ) *FederationDomainIdentityProvidersListerFinder { // Create a copy of the input slice so we won't need to worry about the caller accidentally changing it. - copyOfFederationDomainIdentityProviders := []*FederationDomainIdentityProvider{} + copyOfFederationDomainIdentityProviders := make([]*FederationDomainIdentityProvider, 0, len(federationDomainIssuer.IdentityProviders())) // Create a map and a set for quick lookups of the same data that was passed in via the // federationDomainIssuer parameter. allowedResourceUIDs := sets.New[types.UID]() diff --git a/internal/federationdomain/resolvedprovider/resolvedoidc/resolved_oidc_provider.go b/internal/federationdomain/resolvedprovider/resolvedoidc/resolved_oidc_provider.go index 9cdff65a5..4d37db44e 100644 --- a/internal/federationdomain/resolvedprovider/resolvedoidc/resolved_oidc_provider.go +++ b/internal/federationdomain/resolvedprovider/resolvedoidc/resolved_oidc_provider.go @@ -1,4 +1,4 @@ -// Copyright 2024-2025 the Pinniped contributors. All Rights Reserved. +// Copyright 2024-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package resolvedoidc @@ -106,11 +106,12 @@ func (p *FederationDomainResolvedOIDCIdentityProvider) UpstreamAuthorizeRedirect Scopes: p.Provider.GetScopes(), } - authCodeOptions := []oauth2.AuthCodeOption{ + authCodeOptions := make([]oauth2.AuthCodeOption, 0, 3+len(p.Provider.GetAdditionalAuthcodeParams())) + authCodeOptions = append(authCodeOptions, state.Nonce.Param(), state.PKCE.Challenge(), state.PKCE.Method(), - } + ) for key, val := range p.Provider.GetAdditionalAuthcodeParams() { authCodeOptions = append(authCodeOptions, oauth2.SetAuthURLParam(key, val)) diff --git a/internal/groupsuffix/groupsuffix.go b/internal/groupsuffix/groupsuffix.go index 61a9c168c..30699fe2c 100644 --- a/internal/groupsuffix/groupsuffix.go 
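Review bot: The capacity expression in `UpstreamAuthorizeRedirectURL` calls `p.Provider.GetAdditionalAuthcodeParams()` once inside `len(...)` and again in the `for ... range` below, and hard-codes `3` for the nonce and PKCE options. Hoisting the call into a local, `additionalParams := p.Provider.GetAdditionalAuthcodeParams()`, and using it in both places avoids the double call and any mismatch if the getter builds a new map each time. As far as I know `oauth2.SetAuthURLParam` sets rather than adds the query value, so options appended later take precedence over `state.Nonce.Param()` and the PKCE options for the same key. A comment here stating that reserved parameter names must already have been rejected when the provider configuration was validated would document that dependency; that validation is not visible in this hunk, and the function body continues outside it.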
+++ b/internal/groupsuffix/groupsuffix.go @@ -1,4 +1,4 @@ -// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package groupsuffix @@ -178,7 +178,7 @@ func Unreplace(baseAPIGroup, apiGroupSuffix string) (string, bool) { // makes sure that the provided apiGroupSuffix is a valid DNS-1123 subdomain with at least one dot, // to match Kubernetes behavior. func Validate(apiGroupSuffix string) error { - var errs []error //nolint:prealloc + var errs []error if len(strings.Split(apiGroupSuffix, ".")) < 2 { errs = append(errs, constable.Error("must contain '.'")) diff --git a/internal/idtransform/identity_transformations.go b/internal/idtransform/identity_transformations.go index d8f2d3306..7c686c87c 100644 --- a/internal/idtransform/identity_transformations.go +++ b/internal/idtransform/identity_transformations.go @@ -1,4 +1,4 @@ -// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2023-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 // Package idtransform defines upstream-to-downstream identity transformations which could be @@ -90,7 +90,7 @@ func (p *TransformationPipeline) Evaluate(ctx context.Context, username string, } func (p *TransformationPipeline) Source() []any { - result := []any{} + result := make([]any, 0, len(p.transforms)) for _, transform := range p.transforms { result = append(result, transform.Source()) } diff --git a/internal/idtransform/identity_transformations_test.go b/internal/idtransform/identity_transformations_test.go index 051df6681..f0ec25011 100644 --- a/internal/idtransform/identity_transformations_test.go +++ b/internal/idtransform/identity_transformations_test.go 
@@ -1,4 +1,4 @@ -// Copyright 2023-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2023-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package idtransform @@ -44,7 +44,7 @@ func (a fakeNilGroupTransformer) Source() any { type fakeAppendStringTransformer struct{} func (a fakeAppendStringTransformer) Evaluate(_ctx context.Context, username string, groups []string) (*TransformationResult, error) { - newGroups := []string{} + newGroups := make([]string, 0, len(groups)) for _, group := range groups { newGroups = append(newGroups, group+":transformed") } @@ -78,7 +78,7 @@ func (a fakeDeleteUsernameAndGroupsTransformer) Source() any { type fakeAuthenticationDisallowedTransformer struct{} func (a fakeAuthenticationDisallowedTransformer) Evaluate(_ctx context.Context, username string, groups []string) (*TransformationResult, error) { - newGroups := []string{} + newGroups := make([]string, 0, len(groups)) for _, group := range groups { newGroups = append(newGroups, group+":disallowed") } diff --git a/internal/supervisor/apiserver/apiserver.go b/internal/supervisor/apiserver/apiserver.go index f23bced65..91a73d760 100644 --- a/internal/supervisor/apiserver/apiserver.go +++ b/internal/supervisor/apiserver/apiserver.go @@ -1,4 +1,4 @@ -// Copyright 2022-2025 the Pinniped contributors. All Rights Reserved. +// Copyright 2022-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package apiserver @@ -80,7 +80,7 @@ func (c completedConfig) New() (*PinnipedServer, error) { GenericAPIServer: genericServer, } - var errs []error //nolint:prealloc + var errs []error for _, f := range []func() (schema.GroupVersionResource, rest.Storage){ func() (schema.GroupVersionResource, rest.Storage) { clientSecretReqGVR := c.ExtraConfig.ClientSecretSupervisorGroupVersion.WithResource("oidcclientsecretrequests") 
diff --git a/internal/testutil/fakekubeapi/fakekubeapi.go b/internal/testutil/fakekubeapi/fakekubeapi.go index 3c8b5a0cf..65c70374a 100644 --- a/internal/testutil/fakekubeapi/fakekubeapi.go +++ b/internal/testutil/fakekubeapi/fakekubeapi.go @@ -1,4 +1,4 @@ -// Copyright 2021-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2021-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 /* @@ -113,7 +113,7 @@ func decodeObj(r *http.Request) (runtime.Object, error) { } var obj runtime.Object - var errs []error //nolint:prealloc + var errs []error codecsThatWeUseInOurCode := []runtime.NegotiatedSerializer{ kubescheme.Codecs, aggregatorclientscheme.Codecs, diff --git a/internal/testutil/oidcclient.go b/internal/testutil/oidcclient.go index 98c11c5f9..3f02db565 100644 --- a/internal/testutil/oidcclient.go +++ b/internal/testutil/oidcclient.go @@ -1,4 +1,4 @@ -// Copyright 2022-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2022-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package testutil @@ -36,8 +36,9 @@ const ( // allDynamicClientScopes returns a slice of all scopes that are supported by the Supervisor for dynamic clients. func allDynamicClientScopes() []supervisorconfigv1alpha1.Scope { - scopes := []supervisorconfigv1alpha1.Scope{} - for _, s := range strings.Split(AllDynamicClientScopesSpaceSep, " ") { + splitOnSpace := strings.Split(AllDynamicClientScopesSpaceSep, " ") + scopes := make([]supervisorconfigv1alpha1.Scope, 0, len(splitOnSpace)) + for _, s := range splitOnSpace { scopes = append(scopes, supervisorconfigv1alpha1.Scope(s)) } return scopes diff --git a/pkg/oidcclient/login.go b/pkg/oidcclient/login.go index 0e5a78ed9..2cd8a911a 100644 --- a/pkg/oidcclient/login.go +++ b/pkg/oidcclient/login.go 
@@ -1,4 +1,4 @@ -// Copyright 2020-2024 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 // Package oidcclient implements a CLI OIDC login flow. @@ -646,7 +646,7 @@ func (h *handlerState) maybePerformPinnipedSupervisorValidations() (idpdiscovery if !slices.Contains(supportedIDPTypes, h.upstreamIdentityProviderType) { convertIDPListToQuotedStringList := func() []string { - var temp []string + temp := make([]string, 0, len(supportedIDPTypes)) for _, idpType := range supportedIDPTypes { temp = append(temp, fmt.Sprintf("%q", idpType)) } @@ -706,7 +706,7 @@ func (h *handlerState) maybePerformPinnipedSupervisorValidations() (idpdiscovery loginFlow = foundIDP.Flows[0] } - var authorizeOptions []oauth2.AuthCodeOption + authorizeOptions := make([]oauth2.AuthCodeOption, 0, 2) authorizeOptions = append(authorizeOptions, oauth2.SetAuthURLParam(oidcapi.AuthorizeUpstreamIDPNameParamName, h.upstreamIdentityProviderName), diff --git a/test/integration/concierge_impersonation_proxy_test.go b/test/integration/concierge_impersonation_proxy_test.go index b4f6ab55e..95815d1da 100644 --- a/test/integration/concierge_impersonation_proxy_test.go +++ b/test/integration/concierge_impersonation_proxy_test.go @@ -1723,7 +1723,7 @@ func TestImpersonationProxy(t *testing.T) { //nolint:gocyclo // yeah, it's compl } expectedAnnotations := func(credentialIssuerSpecAnnotations map[string]string, otherAnnotations map[string]string) map[string]string { - credentialIssuerSpecAnnotationKeys := []string{} + credentialIssuerSpecAnnotationKeys := make([]string, 0, len(credentialIssuerSpecAnnotations)) expectedAnnotations := map[string]string{} // Expect the annotations specified on the CredentialIssuer spec to be present. for k, v := range credentialIssuerSpecAnnotations { 
diff --git a/test/integration/supervisor_login_test.go b/test/integration/supervisor_login_test.go index fbd1e22b5..b5480cd16 100644 --- a/test/integration/supervisor_login_test.go +++ b/test/integration/supervisor_login_test.go @@ -1,4 +1,4 @@ -// Copyright 2020-2025 the Pinniped contributors. All Rights Reserved. +// Copyright 2020-2026 the Pinniped contributors. All Rights Reserved. // SPDX-License-Identifier: Apache-2.0 package integration @@ -346,7 +346,7 @@ func TestSupervisorLogin_Browser(t *testing.T) { regexp.QuoteMeta("&sub=") + ".+" + "$" - tests := []*supervisorLoginTestcase{ + tests := []*supervisorLoginTestcase{ //nolint:prealloc { name: "oidc with default username and groups claim settings", maybeSkip: skipNever, @@ -2829,7 +2829,7 @@ func supervisorLoginGithubTestcases( func wantGroupsInAdditionalClaimsIfGroupsExist(additionalClaims map[string]any, wantGroupsAdditionalClaimName string, wantGroups []string) map[string]any { if len(wantGroups) > 0 { - var wantGroupsAnyType []any + wantGroupsAnyType := make([]any, 0, len(wantGroups)) for _, group := range wantGroups { wantGroupsAnyType = append(wantGroupsAnyType, group) } @@ -2909,7 +2909,7 @@ func conditionsSummaryFromActualConditions( caBundleConfigured bool, expectedLDAPConnectionValidMessage string, ) [][]string { - conditionsSummary := [][]string{} + conditionsSummary := make([][]string, 0, len(conditions)) for _, condition := range conditions { conditionsSummary = append(conditionsSummary, []string{condition.Type, string(condition.Status), condition.Reason}) t.Logf("Saw identity provider with Status.Condition Type=%s Status=%s Reason=%s Message=%s", @@ -3351,7 +3351,7 @@ func verifyTokenResponse( idTokenClaims := map[string]any{} err = idToken.Claims(&idTokenClaims) require.NoError(t, err) - idTokenClaimNames := []string{} + idTokenClaimNames := make([]string, 0, len(idTokenClaims)) for k := range idTokenClaims { idTokenClaimNames = append(idTokenClaimNames, k) }
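Review bot: The `//nolint:prealloc` added to `tests := []*supervisorLoginTestcase{` in `TestSupervisorLogin_Browser` carries no explanation, while the rest of this commit removes the same directive from other files, so a reader cannot tell why this slice is exempt. Put the reason on the directive itself, for example `//nolint:prealloc // test table literal; later appends have no known length up front`, with the wording adjusted to the actual reason, which lies outside this hunk.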