refactor(secrets): standardize empty literals

Author: haasonsaas

cmd/inventory/main.go

@@ -24,7 +24,10 @@ func main() {
 
 	// Load database configuration from secrets
 	dbConfig := secretHelper.LoadDatabaseConfig()
-	dsn := secretHelper.BuildDSN(dbConfig)
+	dsn, err := secretHelper.BuildDSN(dbConfig)
+	if err != nil {
+		log.Fatalf("inventory dsn: %v", err)
+	}
 
 	// Load TLS configuration from secrets
 	tlsConfig := secretHelper.LoadTLSConfig("INVENTORY")

cmd/migrate/main.go

@@ -26,7 +26,10 @@ func main() {
 
 	// Load database configuration
 	dbConfig := secretHelper.LoadDatabaseConfig()
-	databaseURL := secretHelper.BuildDSN(dbConfig)
+	databaseURL, err := secretHelper.BuildDSN(dbConfig)
+	if err != nil {
+		log.Fatalf("migrate dsn: %v", err)
+	}
 
 	// Create migrator instance
 	m, err := migrate.New(*migrationsDir, databaseURL)

pkg/secrets/azure.go

@@ -11,6 +11,13 @@ import (
 	"github.com/Azure/azure-sdk-for-go/sdk/security/keyvault/azsecrets"
 )
 
+const (
+	azureKeyVaultURLKey = "AZURE_KEYVAULT_URL"
+	azureClientIDKey    = "AZURE_CLIENT_ID"
+	dashRune            = '-'
+	defaultSecretName   = "secret"
+)
+
 // AzureManager implements secret management using Azure Key Vault
 type AzureManager struct {
 	client   *azsecrets.Client
@@ -19,10 +26,10 @@ type AzureManager struct {
 
 // NewAzureManager creates a new Azure Key Vault-based secret manager
 func NewAzureManager(cfg Config) (*AzureManager, error) {
-	vaultURL := cfg.Extra["AZURE_KEYVAULT_URL"]
-	if vaultURL == "" {
-		if vaultURL = os.Getenv("AZURE_KEYVAULT_URL"); vaultURL == "" {
-			return nil, fmt.Errorf("AZURE_KEYVAULT_URL is required")
+	vaultURL := cfg.Extra[azureKeyVaultURLKey]
+	if vaultURL == emptyString {
+		if vaultURL = os.Getenv(azureKeyVaultURLKey); vaultURL == emptyString {
+			return nil, fmt.Errorf("%s is required", azureKeyVaultURLKey)
 		}
 	}
 
@@ -46,7 +53,7 @@ func NewAzureManager(cfg Config) (*AzureManager, error) {
 // createAzureCredential creates an appropriate Azure credential
 func createAzureCredential(cfg Config) (azcore.TokenCredential, error) {
 	// Try managed identity first (recommended for Azure-hosted applications)
-	if clientID := cfg.Extra["AZURE_CLIENT_ID"]; clientID != "" {
+	if clientID := cfg.Extra[azureClientIDKey]; clientID != emptyString {
 		cred, err := azidentity.NewManagedIdentityCredential(&azidentity.ManagedIdentityCredentialOptions{
 			ID: azidentity.ClientID(clientID),
 		})
@@ -69,13 +76,13 @@ func (m *AzureManager) GetSecret(ctx context.Context, key string) (string, error
 	secretName := m.normalizeSecretName(key)
 
 	// Get the latest version of the secret
-	resp, err := m.client.GetSecret(ctx, secretName, "", nil)
+	resp, err := m.client.GetSecret(ctx, secretName, emptyString, nil)
 	if err != nil {
-		return "", fmt.Errorf("failed to get secret %s: %w", secretName, err)
+		return emptyString, fmt.Errorf("failed to get secret %s: %w", secretName, err)
 	}
 
 	if resp.Value == nil {
-		return "", fmt.Errorf("secret %s has no value", secretName)
+		return emptyString, fmt.Errorf("secret %s has no value", secretName)
 	}
 
 	return *resp.Value, nil
@@ -117,20 +124,20 @@ func (m *AzureManager) SetSecret(ctx context.Context, key, value string) error {
 func (m *AzureManager) normalizeSecretName(name string) string {
 	// Replace invalid characters with dashes
 	normalized := strings.Map(func(r rune) rune {
-		if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') || r == '-' {
+		if (r >= 'a' && r <= 'z') || (r >= 'A' && r <= 'Z') || (r >= '0' && r <= '9') || r == dashRune {
 			return r
 		}
-		return '-'
+		return dashRune
 	}, name)
 
 	// Remove leading/trailing dashes and ensure it starts with a letter or number
-	normalized = strings.Trim(normalized, "-")
+	normalized = strings.Trim(normalized, string(dashRune))
 	if len(normalized) == 0 {
-		normalized = "secret"
+		normalized = defaultSecretName
 	}
 
 	// Ensure it starts with alphanumeric
-	if normalized[0] == '-' {
+	if normalized[0] == dashRune {
 		normalized = "s" + normalized
 	}
 

pkg/secrets/helper.go

@@ -2,6 +2,7 @@ package secrets
 
 import (
 	"context"
+	"fmt"
 	"log"
 	"os"
 	"strings"
@@ -55,13 +56,16 @@ func (h *Helper) GetOrDefault(key, defaultValue string) string {
 	return value
 }
 
-// GetRequired gets a required secret, logging a fatal error if not found
-func (h *Helper) GetRequired(key string) string {
+// GetRequired gets a required secret, returning an error if not found
+func (h *Helper) GetRequired(key string) (string, error) {
 	value, err := h.manager.GetSecret(h.ctx, key)
-	if err != nil || value == "" {
-		log.Fatalf("Required secret not found: %s", key)
+	if err != nil {
+		return "", err
 	}
-	return value
+	if value == "" {
+		return "", fmt.Errorf("required secret not found: %s", key)
+	}
+	return value, nil
 }
 
 // GetMultipleOrDefaults gets multiple secrets with fallback defaults
@@ -125,18 +129,19 @@ func (h *Helper) LoadAPIKeys() map[string]string {
 }
 
 // BuildDSN builds a database connection string from secret values
-func (h *Helper) BuildDSN(dbConfig map[string]string) string {
-	if dbConfig["POSTGRES_PASSWORD"] == "" {
-		log.Fatal("POSTGRES_PASSWORD is required")
+func (h *Helper) BuildDSN(dbConfig map[string]string) (string, error) {
+	password, ok := dbConfig["POSTGRES_PASSWORD"]
+	if !ok || password == "" {
+		return "", fmt.Errorf("POSTGRES_PASSWORD is required")
 	}
 
 	return BuildPostgresDSN(
 		dbConfig["POSTGRES_USER"],
-		dbConfig["POSTGRES_PASSWORD"],
+		password,
 		dbConfig["POSTGRES_HOST"],
 		dbConfig["POSTGRES_PORT"],
 		dbConfig["POSTGRES_DB"],
-	)
+	), nil
 }
 
 // BuildPostgresDSN builds a PostgreSQL connection string

pkg/secrets/secrets.go

@@ -7,6 +7,8 @@ import (
 	"strings"
 )
 
+const emptyString = ""
+
 // Manager defines the interface for secret management
 type Manager interface {
 	GetSecret(ctx context.Context, key string) (string, error)
@@ -31,7 +33,7 @@ func NewManager(cfg Config) (Manager, error) {
 		return NewVaultManager(cfg)
 	case "azure":
 		return NewAzureManager(cfg)
-	case "env", "":
+	case "env", emptyString:
 		return NewEnvManager(cfg), nil
 	default:
 		return nil, fmt.Errorf("unsupported secret manager type: %s", cfg.Type)
@@ -41,7 +43,7 @@ func NewManager(cfg Config) (Manager, error) {
 // GetSecret is a convenience function to get a single secret
 func GetSecret(ctx context.Context, manager Manager, key, fallback string) string {
 	value, err := manager.GetSecret(ctx, key)
-	if err != nil || value == "" {
+	if err != nil || value == emptyString {
 		return fallback
 	}
 	return value
@@ -58,14 +60,14 @@ func NewEnvManager(cfg Config) *EnvManager {
 }
 
 // GetSecret retrieves a secret from environment variables
-func (m *EnvManager) GetSecret(ctx context.Context, key string) (string, error) {
+func (m *EnvManager) GetSecret(_ context.Context, key string) (string, error) {
 	envKey := key
-	if m.prefix != "" {
+	if m.prefix != emptyString {
 		envKey = m.prefix + key
 	}
 
 	value := os.Getenv(envKey)
-	if value == "" {
+	if value == emptyString {
 		return "", fmt.Errorf("secret not found: %s", key)
 	}
 
@@ -88,9 +90,9 @@ func (m *EnvManager) GetSecrets(ctx context.Context, keys []string) (map[string]
 }
 
 // SetSecret sets a secret in environment variables (not persistent)
-func (m *EnvManager) SetSecret(ctx context.Context, key, value string) error {
+func (m *EnvManager) SetSecret(_ context.Context, key, value string) error {
 	envKey := key
-	if m.prefix != "" {
+	if m.prefix != emptyString {
 		envKey = m.prefix + key
 	}
 

pkg/secrets/vault.go

@@ -11,6 +11,18 @@ import (
 )
 
 // VaultManager implements secret management using HashiCorp Vault
+const (
+	slash              = "/"
+	valueKey           = "value"
+	dataKey            = "data"
+	vaultAddrKey       = "VAULT_ADDR"
+	vaultTokenFileKey  = "VAULT_TOKEN_FILE"
+	vaultTokenKey      = "VAULT_TOKEN"
+	vaultSecretPathKey = "VAULT_SECRET_PATH"
+	vaultK8sRoleKey    = "VAULT_K8S_ROLE"
+	serviceAccountPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"
+)
+
 type VaultManager struct {
 	client *api.Client
 	prefix string
@@ -21,12 +33,12 @@ func NewVaultManager(cfg Config) (*VaultManager, error) {
 	vaultConfig := api.DefaultConfig()
 
 	// Set Vault address
-	if addr := cfg.Extra["VAULT_ADDR"]; addr != "" {
+	if addr := cfg.Extra[vaultAddrKey]; addr != emptyString {
 		vaultConfig.Address = addr
-	} else if addr := os.Getenv("VAULT_ADDR"); addr != "" {
+	} else if addr := os.Getenv(vaultAddrKey); addr != emptyString {
 		vaultConfig.Address = addr
 	} else {
-		return nil, fmt.Errorf("VAULT_ADDR is required")
+		return nil, fmt.Errorf("%s is required", vaultAddrKey)
 	}
 
 	client, err := api.NewClient(vaultConfig)
@@ -41,14 +53,14 @@ func NewVaultManager(cfg Config) (*VaultManager, error) {
 
 	return &VaultManager{
 		client: client,
-		prefix: cfg.Extra["VAULT_SECRET_PATH"],
+		prefix: cfg.Extra[vaultSecretPathKey],
 	}, nil
 }
 
 // authenticateVault handles Vault authentication using various methods
 func authenticateVault(client *api.Client, cfg Config) error {
 	// Try token file first
-	if tokenFile := cfg.Extra["VAULT_TOKEN_FILE"]; tokenFile != "" {
+	if tokenFile := cfg.Extra[vaultTokenFileKey]; tokenFile != emptyString {
 		token, err := readSecretFile(tokenFile)
 		if err != nil {
 			return fmt.Errorf("failed to read token file %s: %w", tokenFile, err)
@@ -58,21 +70,21 @@ func authenticateVault(client *api.Client, cfg Config) error {
 	}
 
 	// Try direct token
-	if token := cfg.Extra["VAULT_TOKEN"]; token != "" {
+	if token := cfg.Extra[vaultTokenKey]; token != emptyString {
 		client.SetToken(token)
 		return nil
 	}
 
 	// Try environment token
-	if token := os.Getenv("VAULT_TOKEN"); token != "" {
+	if token := os.Getenv(vaultTokenKey); token != emptyString {
 		client.SetToken(token)
 		return nil
 	}
 
 	// Try Kubernetes authentication
-	if serviceAccountTokenFile := "/var/run/secrets/kubernetes.io/serviceaccount/token"; fileExists(serviceAccountTokenFile) {
-		if role := cfg.Extra["VAULT_K8S_ROLE"]; role != "" {
-			return authenticateKubernetes(client, serviceAccountTokenFile, role)
+	if fileExists(serviceAccountPath) {
+		if role := cfg.Extra[vaultK8sRoleKey]; role != emptyString {
+			return authenticateKubernetes(client, serviceAccountPath, role)
 		}
 	}
 
@@ -105,7 +117,7 @@ func authenticateKubernetes(client *api.Client, tokenFile, role string) error {
 }
 
 // GetSecret retrieves a secret from Vault
-func (m *VaultManager) GetSecret(ctx context.Context, key string) (string, error) {
+func (m *VaultManager) GetSecret(_ context.Context, key string) (string, error) {
 	secretPath := m.buildSecretPath(key)
 
 	secret, err := m.client.Logical().Read(secretPath)
@@ -119,12 +131,12 @@ func (m *VaultManager) GetSecret(ctx context.Context, key string) (string, error
 
 	// Handle KV v2 (data wrapper)
 	data := secret.Data
-	if dataMap, ok := data["data"].(map[string]interface{}); ok {
+	if dataMap, ok := data[dataKey].(map[string]interface{}); ok {
 		data = dataMap
 	}
 
 	// Get the value
-	value, ok := data["value"]
+	value, ok := data[valueKey]
 	if !ok {
 		// Try the key name itself
 		value, ok = data[filepath.Base(key)]
@@ -161,13 +173,13 @@ func (m *VaultManager) SetSecret(ctx context.Context, key, value string) error {
 	secretPath := m.buildSecretPath(key)
 
 	data := map[string]interface{}{
-		"value": value,
+		valueKey: value,
 	}
 
 	// Handle KV v2 (data wrapper)
 	if m.isKVv2() {
 		data = map[string]interface{}{
-			"data": data,
+			dataKey: data,
 		}
 	}
 
@@ -181,11 +193,11 @@ func (m *VaultManager) SetSecret(ctx context.Context, key, value string) error {
 
 // buildSecretPath constructs the full secret path with prefix
 func (m *VaultManager) buildSecretPath(key string) string {
-	if m.prefix == "" {
+	if m.prefix == emptyString {
 		return key
 	}
 
-	return strings.TrimSuffix(m.prefix, "/") + "/" + strings.TrimPrefix(key, "/")
+	return strings.TrimSuffix(m.prefix, slash) + slash + strings.TrimPrefix(key, slash)
 }
 
 // isKVv2 checks if we're using KV secrets engine v2