Fix new golangci-lint issues

Author: hslatman

command/ca/acme/eab/list.go

@@ -13,6 +13,7 @@ import (
 	"github.com/smallstep/cli-utils/errs"
 
 	"github.com/smallstep/cli/flags"
+	"github.com/smallstep/cli/internal/cast"
 	"github.com/smallstep/cli/utils/cautils"
 )
 
@@ -123,7 +124,7 @@ func listAction(ctx *cli.Context) (err error) {
 	startedPager := false
 
 	for {
-		options := []ca.AdminOption{ca.WithAdminCursor(cursor), ca.WithAdminLimit(int(limit))}
+		options := []ca.AdminOption{ca.WithAdminCursor(cursor), ca.WithAdminLimit(cast.Int(limit))}
 		eaksResponse, err := client.GetExternalAccountKeysPaginate(provisioner, reference, options...)
 		if err != nil {
 			return errors.Wrap(notImplemented(err), "error retrieving ACME EAB keys")

command/ca/provisioner/add.go

@@ -22,6 +22,7 @@ import (
 	"go.step.sm/crypto/pemutil"
 
 	"github.com/smallstep/cli/flags"
+	"github.com/smallstep/cli/internal/cast"
 	"github.com/smallstep/cli/internal/sliceutil"
 	"github.com/smallstep/cli/utils"
 )
@@ -846,10 +847,10 @@ func createSCEPDetails(ctx *cli.Context) (*linkedca.ProvisionerDetails, error) {
 		ForceCn:                       ctx.Bool("force-cn"),
 		Challenge:                     challenge,
 		Capabilities:                  ctx.StringSlice("capabilities"),
-		MinimumPublicKeyLength:        int32(ctx.Int("min-public-key-length")),
+		MinimumPublicKeyLength:        cast.Int32(ctx.Int("min-public-key-length")),
 		IncludeRoot:                   ctx.Bool("include-root"),
 		ExcludeIntermediate:           ctx.Bool("exclude-intermediate"),
-		EncryptionAlgorithmIdentifier: int32(ctx.Int("encryption-algorithm-identifier")),
+		EncryptionAlgorithmIdentifier: cast.Int32(ctx.Int("encryption-algorithm-identifier")),
 	}
 	decrypter := &linkedca.SCEPDecrypter{}
 	if decrypterCertificateFile := ctx.String("scep-decrypter-certificate-file"); decrypterCertificateFile != "" {

command/ca/provisioner/update.go

@@ -22,6 +22,7 @@ import (
 	"go.step.sm/crypto/pemutil"
 
 	"github.com/smallstep/cli/flags"
+	"github.com/smallstep/cli/internal/cast"
 	"github.com/smallstep/cli/internal/sliceutil"
 	"github.com/smallstep/cli/utils"
 )
@@ -972,7 +973,7 @@ func updateSCEPDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 		details.Capabilities = ctx.StringSlice("capabilities")
 	}
 	if ctx.IsSet("min-public-key-length") {
-		details.MinimumPublicKeyLength = int32(ctx.Int("min-public-key-length"))
+		details.MinimumPublicKeyLength = cast.Int32(ctx.Int("min-public-key-length"))
 	}
 	if ctx.IsSet("include-root") {
 		details.IncludeRoot = ctx.Bool("include-root")
@@ -981,7 +982,7 @@ func updateSCEPDetails(ctx *cli.Context, p *linkedca.Provisioner) error {
 		details.ExcludeIntermediate = ctx.Bool("exclude-intermediate")
 	}
 	if ctx.IsSet("encryption-algorithm-identifier") {
-		details.EncryptionAlgorithmIdentifier = int32(ctx.Int("encryption-algorithm-identifier"))
+		details.EncryptionAlgorithmIdentifier = cast.Int32(ctx.Int("encryption-algorithm-identifier"))
 	}
 
 	decrypter := details.GetDecrypter()

command/crypto/otp/generate.go

@@ -14,6 +14,7 @@ import (
 	"github.com/smallstep/cli-utils/errs"
 
 	"github.com/smallstep/cli/flags"
+	"github.com/smallstep/cli/internal/cast"
 	"github.com/smallstep/cli/utils"
 )
 
@@ -130,8 +131,8 @@ func generate(ctx *cli.Context) (*otp.Key, error) {
 	return totp.Generate(totp.GenerateOpts{
 		Issuer:      ctx.String("issuer"),
 		AccountName: ctx.String("account"),
-		Period:      uint(ctx.Int("period")),
-		SecretSize:  uint(ctx.Int("secret-size")),
+		Period:      cast.Uint(ctx.Int("period")),
+		SecretSize:  cast.Uint(ctx.Int("secret-size")),
 		Digits:      otp.Digits(ctx.Int("length")),
 		Algorithm:   alg,
 	})

command/crypto/winpe/winpe_test.go

@@ -13,7 +13,7 @@ import (
 // This test will write the chrome.exe installer into a temporary file
 // Then it will just run the extractPE function.
 func TestExtract(t *testing.T) {
-	tmpfile, err := os.CreateTemp("", "step-crypto-winpe-extract-chrome.*.exe")
+	tmpfile, err := os.CreateTemp(t.TempDir(), "step-crypto-winpe-extract-chrome.*.exe")
 	assert.NoError(t, err)
 	defer os.Remove(tmpfile.Name())
 	defer tmpfile.Close()

go.mod

@@ -5,6 +5,7 @@ go 1.22.7
 require (
 	github.com/Microsoft/go-winio v0.6.2
 	github.com/ThomasRooney/gexpect v0.0.0-20161231170123-5482f0350944
+	github.com/ccoveille/go-safecast v1.5.0
 	github.com/fxamacker/cbor/v2 v2.7.0
 	github.com/go-jose/go-jose/v3 v3.0.3
 	github.com/google/go-cmp v0.6.0

go.sum

@@ -86,6 +86,8 @@ github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6r
 github.com/boombuler/barcode v1.0.1-0.20190219062509-6c824513bacc/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
 github.com/boombuler/barcode v1.0.1 h1:NDBbPmhS+EqABEs5Kg3n/5ZNjy73Pz7SIV+KCeqyXcs=
 github.com/boombuler/barcode v1.0.1/go.mod h1:paBWMcWSl3LHKBqUq+rly7CNSldXjb2rDl3JlRe0mD8=
+github.com/ccoveille/go-safecast v1.5.0 h1:cT/3uVQ/i5PTiJvhvkSU81HeKNurtyQtBndXEH3hDg4=
+github.com/ccoveille/go-safecast v1.5.0/go.mod h1:QqwNjxQ7DAqY0C721OIO9InMk9zCwcsO7tnRuHytad8=
 github.com/cespare/xxhash v1.1.0 h1:a6HrQnmkObjyL+Gs60czilIUGqrzKutQD6XZog3p+ko=
 github.com/cespare/xxhash v1.1.0/go.mod h1:XrSqR1VqqWfGrhpAt58auRo0WTKS1nRRg3ghfAqPWnc=
 github.com/cespare/xxhash/v2 v2.1.1/go.mod h1:VGX0DQ3Q6kWi7AoAeZDth3/j3BFtOZR5XLFGgcrjCOs=

internal/cast/cast.go

@@ -0,0 +1,108 @@
+package cast
+
+import (
+	"github.com/ccoveille/go-safecast"
+)
+
+type signed interface {
+	~int | ~int8 | ~int16 | ~int32 | ~int64
+}
+
+type unsigned interface {
+	~uint | ~uint8 | ~uint16 | ~uint32 | ~uint64
+}
+
+type number interface {
+	signed | unsigned
+}
+
+func SafeUint(x int) (uint, error) {
+	return safecast.ToUint(x)
+}
+
+func Uint(x int) uint {
+	u, err := SafeUint(x)
+	if err != nil {
+		panic(err)
+	}
+
+	return u
+}
+
+func SafeInt(x uint) (int, error) {
+	return safecast.ToInt(x)
+}
+
+func Int(x uint) int {
+	i, err := SafeInt(x)
+	if err != nil {
+		panic(err)
+	}
+
+	return i
+}
+
+func SafeInt64[T number](x T) (int64, error) {
+	return safecast.ToInt64(x)
+}
+
+func Int64[T number](x T) int64 {
+	i64, err := SafeInt64(x)
+	if err != nil {
+		panic(err)
+	}
+
+	return i64
+}
+
+func SafeUint64[T signed](x T) (uint64, error) {
+	return safecast.ToUint64(x)
+}
+
+func Uint64[T signed](x T) uint64 {
+	u64, err := SafeUint64(x)
+	if err != nil {
+		panic(err)
+	}
+
+	return u64
+}
+
+func SafeInt32[T signed](x T) (int32, error) {
+	return safecast.ToInt32(x)
+}
+
+func Int32[T signed](x T) int32 {
+	i32, err := SafeInt32(x)
+	if err != nil {
+		panic(err)
+	}
+
+	return i32
+}
+
+func SafeUint32[T number](x T) (uint32, error) {
+	return safecast.ToUint32(x)
+}
+
+func Uint32[T number](x T) uint32 {
+	u32, err := SafeUint32(x)
+	if err != nil {
+		panic(err)
+	}
+
+	return u32
+}
+
+func SafeUint8(x int) (uint8, error) {
+	return safecast.ToUint8(x)
+}
+
+func Uint8(x int) uint8 {
+	u8, err := SafeUint8(x)
+	if err != nil {
+		panic(err)
+	}
+
+	return u8
+}

internal/cast/cast_test.go

@@ -0,0 +1,91 @@
+package cast_test
+
+import (
+	"math"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+
+	"github.com/smallstep/cli/internal/cast"
+)
+
+func TestUintConvertsValues(t *testing.T) {
+	require.Equal(t, uint(0), cast.Uint(0))
+	require.Equal(t, uint(math.MaxInt), cast.Uint(math.MaxInt))
+	require.Equal(t, uint(42), cast.Uint(42))
+}
+
+func TestUintPanicsOnNegativeValue(t *testing.T) {
+	require.Panics(t, func() { cast.Uint(-1) })
+}
+
+func TestIntConvertsValues(t *testing.T) {
+	require.Equal(t, int(0), cast.Int(0))
+	require.Equal(t, int(math.MaxInt), cast.Int(math.MaxInt))
+	require.Equal(t, int(42), cast.Int(42))
+}
+
+func TestIntPanicsOnLargeValue(t *testing.T) {
+	require.Panics(t, func() { cast.Int(uint(math.MaxInt + 1)) })
+}
+
+func TestInt64ConvertsValues(t *testing.T) {
+	require.Equal(t, int64(0), cast.Int64(0))
+	require.Equal(t, int64(math.MaxInt), cast.Int64(math.MaxInt))
+	require.Equal(t, int64(42), cast.Int64(42))
+}
+
+func TestInt64PanicsOnLargeValue(t *testing.T) {
+	require.Panics(t, func() { cast.Int64(uint64(math.MaxInt + 1)) })
+}
+
+func TestUint64ConvertsValues(t *testing.T) {
+	require.Equal(t, uint64(0), cast.Uint64(0))
+	require.Equal(t, uint64(math.MaxInt), cast.Uint64((math.MaxInt)))
+	require.Equal(t, uint64(42), cast.Uint64(42))
+}
+
+func TestUint64PanicsOnNegativeValue(t *testing.T) {
+	require.Panics(t, func() { cast.Uint64(-1) })
+}
+
+func TestInt32ConvertsValues(t *testing.T) {
+	require.Equal(t, int32(0), cast.Int32(0))
+	require.Equal(t, int32(math.MaxInt32), cast.Int32(math.MaxInt32))
+	require.Equal(t, int32(42), cast.Int32(42))
+}
+
+func TestInt32PanicsOnTooSmallValue(t *testing.T) {
+	require.Panics(t, func() { cast.Int32(math.MinInt32 - 1) })
+}
+
+func TestInt32PanicsOnLargeValue(t *testing.T) {
+	require.Panics(t, func() { cast.Int32(math.MaxInt32 + 1) })
+}
+
+func TestUint32ConvertsValues(t *testing.T) {
+	require.Equal(t, uint32(0), cast.Uint32(0))
+	require.Equal(t, uint32(math.MaxUint32), cast.Uint32(math.MaxUint32))
+	require.Equal(t, uint32(42), cast.Uint32(42))
+}
+
+func TestUint32PanicsOnNegativeValue(t *testing.T) {
+	require.Panics(t, func() { cast.Uint32(-1) })
+}
+
+func TestUint32PanicsOnLargeValue(t *testing.T) {
+	require.Panics(t, func() { cast.Uint32(math.MaxUint32 + 1) })
+}
+func TestUint8ConvertsValues(t *testing.T) {
+	require.Equal(t, uint8(0), cast.Uint8(0))
+	require.Equal(t, uint8(math.MaxUint8), cast.Uint8(math.MaxUint8))
+	require.Equal(t, uint8(42), cast.Uint8(42))
+}
+
+func TestUint8PanicsOnNegativeValue(t *testing.T) {
+	require.Panics(t, func() { cast.Uint8(-1) })
+}
+
+func TestUint8PanicsOnLargeValue(t *testing.T) {
+	require.Panics(t, func() { cast.Uint8(math.MaxUint32 + 1) })
+}

internal/kdf/argon2.go

@@ -4,6 +4,7 @@ import (
 	"fmt"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/internal/cast"
 )
 
 const (
@@ -57,8 +58,8 @@ func newArgon2Params(s string) (*argon2Param, error) {
 	}
 
 	return &argon2Param{
-		t: uint32(t),
-		m: uint32(m),
-		p: uint8(p),
+		t: cast.Uint32(t),
+		m: cast.Uint32(m),
+		p: cast.Uint8(p),
 	}, nil
 }

internal/kdf/kdf.go

@@ -5,10 +5,13 @@ import (
 	"strconv"
 
 	"github.com/pkg/errors"
-	"go.step.sm/crypto/randutil"
 	"golang.org/x/crypto/argon2"
 	"golang.org/x/crypto/bcrypt"
 	"golang.org/x/crypto/scrypt"
+
+	"go.step.sm/crypto/randutil"
+
+	"github.com/smallstep/cli/internal/cast"
 )
 
 // KDF is the type that all the key derivation functions implements. The
@@ -109,7 +112,7 @@ func Compare(password, phc []byte) (bool, error) {
 		if version != 0 && version != argon2.Version {
 			return false, errors.Errorf("unsupported argon2 version '%d'", version)
 		}
-		hashedPass = argon2.Key(password, salt, p.t, p.m, p.p, uint32(len(hash)))
+		hashedPass = argon2.Key(password, salt, p.t, p.m, p.p, cast.Uint32(len(hash)))
 	case argon2idHash:
 		p, err := newArgon2Params(params)
 		if err != nil {
@@ -118,7 +121,7 @@ func Compare(password, phc []byte) (bool, error) {
 		if version != 0 && version != argon2.Version {
 			return false, errors.Errorf("unsupported argon2 version '%d'", version)
 		}
-		hashedPass = argon2.IDKey(password, salt, p.t, p.m, p.p, uint32(len(hash)))
+		hashedPass = argon2.IDKey(password, salt, p.t, p.m, p.p, cast.Uint32(len(hash)))
 	default:
 		return false, errors.Errorf("invalid or unsupported hash method with id '%s'", id)
 	}

internal/sshutil/agent.go

@@ -7,6 +7,7 @@ import (
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/smallstep/cli/internal/cast"
 	"golang.org/x/crypto/ssh"
 	"golang.org/x/crypto/ssh/agent"
 )
@@ -66,7 +67,7 @@ func WithRemoveExpiredCerts(t time.Time) AgentOption {
 	return func(o *options) {
 		o.removeExpiredKey = func(a *Agent, k *agent.Key) bool {
 			if cert, err := ParseCertificate(k.Marshal()); err == nil {
-				if before := int64(cert.ValidBefore); cert.ValidBefore != uint64(ssh.CertTimeInfinity) && (unixNow >= before || before < 0) {
+				if before := cast.Int64(cert.ValidBefore); cert.ValidBefore != uint64(ssh.CertTimeInfinity) && (unixNow >= before || before < 0) {
 					if err := a.Remove(k); err == nil {
 						return true
 					}
@@ -244,7 +245,7 @@ func (a *Agent) RemoveAllKeys(opts ...AgentOption) (bool, error) {
 func (a *Agent) AddCertificate(subject string, cert *ssh.Certificate, priv interface{}) error {
 	var (
 		lifetime uint64
-		now      = uint64(time.Now().Unix())
+		now      = cast.Uint64(time.Now().Unix())
 	)
 	switch {
 	case cert.ValidBefore == ssh.CertTimeInfinity:
@@ -265,6 +266,6 @@ func (a *Agent) AddCertificate(subject string, cert *ssh.Certificate, priv inter
 		PrivateKey:   priv,
 		Certificate:  cert,
 		Comment:      subject,
-		LifetimeSecs: uint32(lifetime),
+		LifetimeSecs: cast.Uint32(lifetime),
 	}), "error adding key to agent")
 }