refactor: consolidate constants and close response bodies

Author: haasonsaas

agent/internal/posture/windows.go

@@ -5,6 +5,15 @@ import (
 	"strings"
 )
 
+const (
+	newlineSeparator     = "\n"
+	ruleNamePrefix       = "Rule Name:"
+	displayNamePrefix    = "displayName="
+	displayNamePrefixLen = len(displayNamePrefix)
+	powershellCmd        = "powershell"
+	powershellFlag       = "-Command"
+)
+
 // WindowsCollector collects device posture on Windows systems
 type WindowsCollector struct{}
 
@@ -48,7 +57,7 @@ func (c *WindowsCollector) collectOSInfo(os *OperatingSystem) error {
 		return err
 	}
 
-	lines := strings.Split(output, "\n")
+	lines := strings.Split(output, newlineSeparator)
 	for _, line := range lines {
 		line = strings.TrimSpace(line)
 		if line == "" {
@@ -90,10 +99,10 @@ func (c *WindowsCollector) collectFirewallStatus(fw *FirewallStatus) error {
 	if fw.Enabled {
 		ruleOutput, err := runCommand("netsh", "advfirewall", "firewall", "show", "rule", "name=all")
 		if err == nil {
-			lines := strings.Split(ruleOutput, "\n")
+			lines := strings.Split(ruleOutput, newlineSeparator)
 			ruleCount := 0
 			for _, line := range lines {
-				if strings.HasPrefix(strings.TrimSpace(line), "Rule Name:") {
+				if strings.HasPrefix(strings.TrimSpace(line), ruleNamePrefix) {
 					ruleCount++
 				}
 			}
@@ -107,18 +116,18 @@ func (c *WindowsCollector) collectFirewallStatus(fw *FirewallStatus) error {
 // checkAntiVirus checks Windows Defender and other antivirus software
 func (c *WindowsCollector) checkAntiVirus() bool {
 	// Check Windows Defender status
-	output, err := runCommand("powershell", "-Command", "Get-MpComputerStatus | Select-Object AntivirusEnabled")
+	output, err := runCommand(powershellCmd, powershellFlag, "Get-MpComputerStatus | Select-Object AntivirusEnabled")
 	if err == nil && strings.Contains(strings.ToLower(output), "true") {
 		return true
 	}
 
 	// Check for other antivirus software using WMI
 	output, err = runCommand("wmic", "/namespace:\\\\root\\SecurityCenter2", "path", "AntiVirusProduct", "get", "displayName", "/format:list")
 	if err == nil {
-		lines := strings.Split(output, "\n")
+		lines := strings.Split(output, newlineSeparator)
 		for _, line := range lines {
 			line = strings.TrimSpace(line)
-			if strings.HasPrefix(line, "displayName=") && len(line) > 12 {
+			if strings.HasPrefix(line, displayNamePrefix) && len(line) > displayNamePrefixLen {
 				return true // Found antivirus software
 			}
 		}
@@ -130,7 +139,7 @@ func (c *WindowsCollector) checkAntiVirus() bool {
 // checkSystemUpdated checks Windows Update status
 func (c *WindowsCollector) checkSystemUpdated() bool {
 	// Check for pending updates using PowerShell
-	output, err := runCommand("powershell", "-Command",
+	output, err := runCommand(powershellCmd, powershellFlag,
 		"Get-WUList -MicrosoftUpdate | Measure-Object | Select-Object -ExpandProperty Count")
 	if err == nil {
 		count := parseInt(strings.TrimSpace(output))
@@ -183,7 +192,7 @@ func (c *WindowsCollector) checkScreenLock() bool {
 	}
 
 	// Check lock screen settings
-	output, err = runCommand("powershell", "-Command",
+	output, err = runCommand(powershellCmd, powershellFlag,
 		"Get-ItemProperty -Path 'HKLM:\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System' -Name DisableCAD -ErrorAction SilentlyContinue")
 	if err == nil && !strings.Contains(output, "1") {
 		return true // Ctrl+Alt+Del required (indicates password policy)

agent/internal/service/service_test.go

@@ -229,8 +229,8 @@ func TestService_updatePosture(t *testing.T) {
 					return
 				}
 
-				if req.ID != "test-device" {
-					t.Errorf("Expected device ID 'test-device', got %s", req.ID)
+				if req.ID != testDeviceID {
+					t.Errorf("Expected device ID %q, got %s", testDeviceID, req.ID)
 				}
 
 				if req.Posture == "" {

pkg/pki/ca_test.go

@@ -19,8 +19,13 @@ func TestLoadOrCreateCA(t *testing.T) {
 	certPath := filepath.Join(tmpDir, "ca.pem")
 	keyPath := filepath.Join(tmpDir, "ca-key.pem")
 
+	const (
+		testCAName    = "test-ca"
+		testCADefault = "test-ca-default"
+	)
+
 	t.Run("creates new CA when files don't exist", func(t *testing.T) {
-		ca, err := LoadOrCreateCA(certPath, keyPath, "test-ca", time.Hour*24*365)
+		ca, err := LoadOrCreateCA(certPath, keyPath, testCAName, time.Hour*24*365)
 		if err != nil {
 			t.Fatalf("LoadOrCreateCA failed: %v", err)
 		}
@@ -34,8 +39,8 @@ func TestLoadOrCreateCA(t *testing.T) {
 		}
 
 		// Verify certificate properties
-		if ca.cert.Subject.CommonName != "test-ca" {
-			t.Errorf("Expected CommonName 'test-ca', got %s", ca.cert.Subject.CommonName)
+		if ca.cert.Subject.CommonName != testCAName {
+			t.Errorf("Expected CommonName %q, got %s", testCAName, ca.cert.Subject.CommonName)
 		}
 		if !ca.cert.IsCA {
 			t.Error("Certificate should be a CA")
@@ -53,8 +58,8 @@ func TestLoadOrCreateCA(t *testing.T) {
 		}
 
 		// Should load existing CA, not create new one with different name
-		if ca2.cert.Subject.CommonName != "test-ca" {
-			t.Errorf("Expected existing CommonName 'test-ca', got %s", ca2.cert.Subject.CommonName)
+		if ca2.cert.Subject.CommonName != testCAName {
+			t.Errorf("Expected existing CommonName %q, got %s", testCAName, ca2.cert.Subject.CommonName)
 		}
 	})
 
@@ -63,7 +68,7 @@ func TestLoadOrCreateCA(t *testing.T) {
 		certPath2 := filepath.Join(tmpDir2, "ca.pem")
 		keyPath2 := filepath.Join(tmpDir2, "ca-key.pem")
 
-		ca, err := LoadOrCreateCA(certPath2, keyPath2, "test-ca-default", 0)
+		ca, err := LoadOrCreateCA(certPath2, keyPath2, testCADefault, 0)
 		if err != nil {
 			t.Fatalf("LoadOrCreateCA failed: %v", err)
 		}
@@ -153,7 +158,7 @@ func TestCertificateAuthority_IssueCertificate(t *testing.T) {
 	certPath := filepath.Join(tmpDir, "ca.pem")
 	keyPath := filepath.Join(tmpDir, "ca-key.pem")
 
-	ca, err := LoadOrCreateCA(certPath, keyPath, "test-ca", time.Hour*24)
+	ca, err := LoadOrCreateCA(certPath, keyPath, testCAName, time.Hour*24)
 	if err != nil {
 		t.Fatalf("Failed to create CA: %v", err)
 	}
@@ -249,7 +254,7 @@ func TestCertificateAuthority_SignCSR(t *testing.T) {
 	certPath := filepath.Join(tmpDir, "ca.pem")
 	keyPath := filepath.Join(tmpDir, "ca-key.pem")
 
-	ca, err := LoadOrCreateCA(certPath, keyPath, "test-ca", time.Hour*24)
+	ca, err := LoadOrCreateCA(certPath, keyPath, testCAName, time.Hour*24)
 	if err != nil {
 		t.Fatalf("Failed to create CA: %v", err)
 	}
@@ -377,7 +382,7 @@ func TestCertificateAuthority_CertificatePEM(t *testing.T) {
 	certPath := filepath.Join(tmpDir, "ca.pem")
 	keyPath := filepath.Join(tmpDir, "ca-key.pem")
 
-	ca, err := LoadOrCreateCA(certPath, keyPath, "test-ca", time.Hour*24)
+	ca, err := LoadOrCreateCA(certPath, keyPath, testCAName, time.Hour*24)
 	if err != nil {
 		t.Fatalf("Failed to create CA: %v", err)
 	}
@@ -404,8 +409,8 @@ func TestCertificateAuthority_CertificatePEM(t *testing.T) {
 			t.Errorf("Failed to parse certificate from PEM: %v", err)
 		}
 
-		if cert.Subject.CommonName != "test-ca" {
-			t.Errorf("Expected CommonName 'test-ca', got %s", cert.Subject.CommonName)
+		if cert.Subject.CommonName != testCAName {
+			t.Errorf("Expected CommonName %q, got %s", testCAName, cert.Subject.CommonName)
 		}
 	})
 }

services/authz/server/server.go

@@ -418,16 +418,16 @@ func (s *Server) evaluateOPA(ctx context.Context, claims map[string]any, deviceI
 
 	start := time.Now()
 	var resp *http.Response
-	var callErr error
 	retryErr := retry.Do(ctx, s.retryCfg, func() error {
-		resp, callErr = s.client.Do(req)
-		if callErr != nil {
-			return callErr
+		r, err := s.client.Do(req)
+		if err != nil {
+			return err
 		}
-		if resp.StatusCode >= 500 {
-			_ = resp.Body.Close()
-			return fmt.Errorf("opa temporary error: %d", resp.StatusCode)
+		if r.StatusCode >= 500 {
+			_ = r.Body.Close()
+			return fmt.Errorf("opa temporary error: %d", r.StatusCode)
 		}
+		resp = r
 		return nil
 	})
 	if retryErr != nil {
@@ -516,61 +516,61 @@ func parseXFCC(xfcc string) string {
 
 func (s *Server) lookupDevice(ctx context.Context, deviceID string) map[string]any {
 	if deviceID == "" || s.cfg.InventoryAPI == "" {
-		return map[string]any{"id": deviceID, "posture": "unknown"}
+		return map[string]any{"id": deviceID, "posture": statusUnknown}
 	}
 
 	req, err := http.NewRequestWithContext(ctx, http.MethodGet, fmt.Sprintf("%s/v1/devices/%s", s.cfg.InventoryAPI, deviceID), nil)
 	if err != nil {
 		log.Printf("inventory request build failed: %v", err)
-		return map[string]any{"id": deviceID, "posture": "unknown"}
+		return map[string]any{"id": deviceID, "posture": statusUnknown}
 	}
 
 	start := time.Now()
 	var resp *http.Response
-	var callErr error
 	retryErr := retry.Do(ctx, s.retryCfg, func() error {
-		resp, callErr = s.invClient.Do(req)
-		if callErr != nil {
-			return callErr
+		r, err := s.invClient.Do(req)
+		if err != nil {
+			return err
 		}
-		if resp.StatusCode >= 500 {
-			_ = resp.Body.Close()
-			return fmt.Errorf("inventory temporary error: %d", resp.StatusCode)
+		if r.StatusCode >= 500 {
+			_ = r.Body.Close()
+			return fmt.Errorf("inventory temporary error: %d", r.StatusCode)
 		}
+		resp = r
 		return nil
 	})
 	if retryErr != nil {
 		telemetry.RecordDependencyRequest(ctx, "authz", "inventory", "lookup", time.Since(start), "error")
 		log.Printf("inventory request failed: %v", retryErr)
-		return map[string]any{"id": deviceID, "posture": "unknown"}
+		return map[string]any{"id": deviceID, "posture": statusUnknown}
 	}
 	defer resp.Body.Close()
 
 	if resp.StatusCode == http.StatusNotFound {
 		telemetry.RecordDependencyRequest(ctx, "authz", "inventory", "lookup", time.Since(start), "404")
-		return map[string]any{"id": deviceID, "posture": "unregistered"}
+		return map[string]any{"id": deviceID, "posture": statusUnregistered}
 	}
 	if resp.StatusCode != http.StatusOK {
 		b, readErr := io.ReadAll(resp.Body)
 		if readErr != nil {
 			telemetry.RecordDependencyRequest(ctx, "authz", "inventory", "lookup", time.Since(start), fmt.Sprintf("%d", resp.StatusCode))
 			log.Printf("inventory error %d: failed to read body: %v", resp.StatusCode, readErr)
-			return map[string]any{"id": deviceID, "posture": "unknown"}
+			return map[string]any{"id": deviceID, "posture": statusUnknown}
 		}
 		telemetry.RecordDependencyRequest(ctx, "authz", "inventory", "lookup", time.Since(start), fmt.Sprintf("%d", resp.StatusCode))
 		log.Printf("inventory error %d: %s", resp.StatusCode, string(b))
-		return map[string]any{"id": deviceID, "posture": "unknown"}
+		return map[string]any{"id": deviceID, "posture": statusUnknown}
 	}
 
 	var device inventoryDevice
 	if err := json.NewDecoder(resp.Body).Decode(&device); err != nil {
 		telemetry.RecordDependencyRequest(ctx, "authz", "inventory", "lookup", time.Since(start), "decode_error")
 		log.Printf("inventory decode failed: %v", err)
-		return map[string]any{"id": deviceID, "posture": "unknown"}
+		return map[string]any{"id": deviceID, "posture": statusUnknown}
 	}
 
 	if device.Posture == "" {
-		device.Posture = "unknown"
+		device.Posture = statusUnknown
 	}
 
 	// Parse posture JSON to extract trust score
@@ -913,16 +913,16 @@ func (s *Server) verifyMFACode(ctx context.Context, sessionID, code string) (boo
 
 	start := time.Now()
 	var resp *http.Response
-	var callErr error
 	retryErr := retry.Do(ctx, s.retryCfg, func() error {
-		resp, callErr = s.client.Do(req)
-		if callErr != nil {
-			return callErr
+		r, err := s.client.Do(req)
+		if err != nil {
+			return err
 		}
-		if resp.StatusCode >= 500 {
-			_ = resp.Body.Close()
-			return fmt.Errorf("mfa temporary error: %d", resp.StatusCode)
+		if r.StatusCode >= 500 {
+			_ = r.Body.Close()
+			return fmt.Errorf("mfa temporary error: %d", r.StatusCode)
 		}
+		resp = r
 		return nil
 	})
 	if retryErr != nil {