Fix linting issues: replace magic numbers and string literals with constants

haasonsaas · ampcode-com · haasonsaas · commit a8c2e006e351 · 2025-10-19T08:36:32.000-07:00
- services/mfa/server.go: Add and use constants for response fields, status values, and URL parameters - pkg/metrics/metrics.go: Extract histogram buckets and policy names into constants - pkg/pki/*_test.go: Use existing file permission constants instead of hardcoded octal values This addresses magic number and string literal linting issues by extracting common values into named constants, improving code maintainability and reducing duplication. Co-authored-by: Amp <amp@ampcode.com> Amp-Thread-ID: https://ampcode.com/threads/T-5be4213f-26eb-400c-bb7b-d4c79b7ee6fe
diff --git a/pkg/metrics/metrics.go b/pkg/metrics/metrics.go
@@ -7,6 +7,18 @@ import (
 	"github.com/prometheus/client_golang/prometheus/promauto"
 )
 
+const (
+	// Policy constants
+	keepAllowPolicy = "keep/allow"
+)
+
+// Histogram bucket constants
+var (
+	opaEvaluationBuckets = []float64{0.001, 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0}
+	trustScoreBuckets    = []float64{0, 20, 40, 60, 80, 100}
+	databaseQueryBuckets = []float64{0.001, 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.0}
+)
+
 var (
 	// HTTP request metrics
 	HTTPRequestsTotal = promauto.NewCounterVec(
@@ -39,7 +51,7 @@ var (
 		prometheus.HistogramOpts{
 			Name:    "opa_evaluation_duration_seconds",
 			Help:    "OPA policy evaluation duration in seconds",
-			Buckets: []float64{0.001, 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0},
+			Buckets: opaEvaluationBuckets,
 		},
 		[]string{"service", "policy"},
 	)
@@ -57,7 +69,7 @@ var (
 		prometheus.HistogramOpts{
 			Name:    "device_trust_scores",
 			Help:    "Device trust score distribution",
-			Buckets: []float64{0, 20, 40, 60, 80, 100},
+			Buckets: trustScoreBuckets,
 		},
 		[]string{"service", "posture"},
 	)
@@ -100,7 +112,7 @@ var (
 		prometheus.HistogramOpts{
 			Name:    "database_query_duration_seconds",
 			Help:    "Database query duration in seconds",
-			Buckets: []float64{0.001, 0.005, 0.01, 0.025, 0.05, 0.1, 0.25, 0.5, 1.0, 2.0},
+			Buckets: databaseQueryBuckets,
 		},
 		[]string{"service", "query_type"},
 	)
@@ -115,7 +127,7 @@ func RecordHTTPRequest(service, method, path, status string, duration time.Durat
 // RecordAuthzDecision records authorization decision metrics
 func RecordAuthzDecision(service, decision, reason string, duration time.Duration) {
 	AuthzDecisionsTotal.WithLabelValues(service, decision, reason).Inc()
-	OPAEvaluationDuration.WithLabelValues(service, "keep/allow").Observe(duration.Seconds())
+	OPAEvaluationDuration.WithLabelValues(service, keepAllowPolicy).Observe(duration.Seconds())
 }
 
 // RecordDeviceRegistration records device registration metrics
diff --git a/pkg/pki/ca_test.go b/pkg/pki/ca_test.go
@@ -95,10 +95,10 @@ func TestLoadCA(t *testing.T) {
 		keyPath := filepath.Join(tmpDir, "key.pem")
 
 		// Write invalid certificate
-		if err := os.WriteFile(certPath, []byte("invalid pem"), 0o600); err != nil {
+		if err := os.WriteFile(certPath, []byte("invalid pem"), defaultCertPerm); err != nil {
 			t.Fatalf("failed to write invalid certificate: %v", err)
 		}
-		if err := os.WriteFile(keyPath, []byte("-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg\n-----END PRIVATE KEY-----"), 0o600); err != nil {
+		if err := os.WriteFile(keyPath, []byte("-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg\n-----END PRIVATE KEY-----"), defaultKeyPerm); err != nil {
 			t.Fatalf("failed to write invalid key: %v", err)
 		}
 
@@ -123,7 +123,7 @@ func TestLoadCA(t *testing.T) {
 		}
 
 		// Now corrupt the key file
-		if err := os.WriteFile(keyPath, []byte("invalid key pem"), 0o600); err != nil {
+		if err := os.WriteFile(keyPath, []byte("invalid key pem"), defaultKeyPerm); err != nil {
 			t.Fatalf("failed to corrupt key file: %v", err)
 		}
 
diff --git a/pkg/pki/device_test.go b/pkg/pki/device_test.go
@@ -40,7 +40,7 @@ func TestGenerateSigningKey(t *testing.T) {
 			t.Fatalf("Key file not created: %v", err)
 		}
 
-		if fileInfo.Mode().Perm() != 0o600 {
+		if fileInfo.Mode().Perm() != defaultKeyPerm {
 			t.Errorf("Expected file permissions 0600, got %v", fileInfo.Mode().Perm())
 		}
 	})
@@ -152,7 +152,7 @@ func TestLoadSigningKey(t *testing.T) {
 
 	t.Run("fails with invalid PEM", func(t *testing.T) {
 		invalidPEMPath := filepath.Join(tmpDir, "invalid.key")
-		if err := os.WriteFile(invalidPEMPath, []byte("not a pem file"), 0o600); err != nil {
+		if err := os.WriteFile(invalidPEMPath, []byte("not a pem file"), defaultKeyPerm); err != nil {
 			t.Fatalf("Failed to write invalid PEM file: %v", err)
 		}
 
@@ -176,7 +176,7 @@ MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7VJTUt9Us8cKB
 wHVKYdZyLkmMdVNjJqLs2Nx7e62VQqTrqTqhqY+HVhMV7HjfRqNVM6pYsf3VrGQh
 -----END PRIVATE KEY-----`)
 
-		if err := os.WriteFile(rsaKeyPath, keyData, 0o600); err != nil {
+		if err := os.WriteFile(rsaKeyPath, keyData, defaultKeyPerm); err != nil {
 			t.Fatalf("Failed to write RSA key: %v", err)
 		}
 
@@ -194,7 +194,7 @@ wHVKYdZyLkmMdVNjJqLs2Nx7e62VQqTrqTqhqY+HVhMV7HjfRqNVM6pYsf3VrGQh
 invalidbase64data!!!
 -----END PRIVATE KEY-----`
 
-		if err := os.WriteFile(corruptPath, []byte(corruptPEM), 0o600); err != nil {
+		if err := os.WriteFile(corruptPath, []byte(corruptPEM), defaultKeyPerm); err != nil {
 			t.Fatalf("Failed to write corrupt PEM: %v", err)
 		}
 
@@ -363,7 +363,7 @@ c3QtY2VydDAeFw0yM...")
 		}
 
 		// Verify permissions
-		if fileInfo.Mode().Perm() != 0o600 {
+		if fileInfo.Mode().Perm() != defaultKeyPerm {
 			t.Errorf("Expected file permissions 0600, got %v", fileInfo.Mode().Perm())
 		}
 
diff --git a/services/mfa/server.go b/services/mfa/server.go
@@ -35,6 +35,20 @@ const (
 	writeTimeout          = 30 * time.Second
 	idleTimeout           = 60 * time.Second
 	requestTimeout        = 30 * time.Second
+	// Response fields
+	fieldChallenge = "challenge"
+	fieldCode      = "code"
+	fieldStatus    = "status"
+	fieldMessage   = "message"
+	fieldToken     = "token"
+	fieldAttempts  = "attempts"
+	// Status values
+	statusOK       = "ok"
+	statusVerified = "verified"
+	// Messages
+	msgMFASuccess = "MFA verification successful"
+	// URL params
+	paramSessionID = "sessionID"
 )
 
 // Server implements a basic MFA service for step-up authentication
@@ -171,10 +185,10 @@ func (s *Server) challengeHandler(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set(headerContentType, contentTypeJSON)
 	response := map[string]interface{}{
-		"session_id": session.SessionID,
-		"challenge":  session.Challenge,
-		"expires_at": session.ExpiresAt,
-		"code":       code, // Only for PoC testing
+		"session_id":  session.SessionID,
+		fieldChallenge: session.Challenge,
+		"expires_at":  session.ExpiresAt,
+		fieldCode:     code, // Only for PoC testing
 	}
 	if err := json.NewEncoder(w).Encode(response); err != nil {
 		log.Error().Err(err).Msg("failed to encode MFA challenge response")
@@ -238,9 +252,9 @@ func (s *Server) verifyHandler(w http.ResponseWriter, r *http.Request) {
 
 	w.Header().Set(headerContentType, contentTypeJSON)
 	response := map[string]interface{}{
-		"status":  "verified",
-		"message": "MFA verification successful",
-		"token":   generateMFAToken(session), // Short-lived MFA verification token
+		fieldStatus:  statusVerified,
+		fieldMessage: msgMFASuccess,
+		fieldToken:   generateMFAToken(session), // Short-lived MFA verification token
 	}
 	if err := json.NewEncoder(w).Encode(response); err != nil {
 		log.Error().Err(err).Msg("failed to encode MFA verify response")
@@ -249,7 +263,7 @@ func (s *Server) verifyHandler(w http.ResponseWriter, r *http.Request) {
 
 // statusHandler returns MFA session status
 func (s *Server) statusHandler(w http.ResponseWriter, r *http.Request) {
-	sessionID := chi.URLParam(r, "sessionID")
+	sessionID := chi.URLParam(r, paramSessionID)
 
 	s.mu.RLock()
 	session, exists := s.sessions[sessionID]
@@ -278,11 +292,11 @@ func (s *Server) healthHandler(w http.ResponseWriter, _ *http.Request) {
 	s.mu.RUnlock()
 
 	health := map[string]interface{}{
-		"status":          "ok",
+		fieldStatus:       statusOK,
 		"active_sessions": sessionCount,
 	}
 
-	w.Header().Set("Content-Type", "application/json")
+	w.Header().Set(headerContentType, contentTypeJSON)
 	if err := json.NewEncoder(w).Encode(health); err != nil {
 		log.Error().Err(err).Msg("failed to encode MFA health response")
 	}

Original file line number	Diff line number	Diff line change
`@@ -95,10 +95,10 @@ func TestLoadCA(t *testing.T) {`
`95`	`95`	`keyPath := filepath.Join(tmpDir, "key.pem")`
`96`	`96`
`97`	`97`	`// Write invalid certificate`
`98`		`- if err := os.WriteFile(certPath, []byte("invalid pem"), 0o600); err != nil {`
	`98`	`+ if err := os.WriteFile(certPath, []byte("invalid pem"), defaultCertPerm); err != nil {`
`99`	`99`	`t.Fatalf("failed to write invalid certificate: %v", err)`
`100`	`100`	`}`
`101`		`- if err := os.WriteFile(keyPath, []byte("-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg\n-----END PRIVATE KEY-----"), 0o600); err != nil {`
	`101`	`+ if err := os.WriteFile(keyPath, []byte("-----BEGIN PRIVATE KEY-----\nMIGHAgEAMBMGByqGSM49AgEGCCqGSM49AwEHBG0wawIBAQQg\n-----END PRIVATE KEY-----"), defaultKeyPerm); err != nil {`
`102`	`102`	`t.Fatalf("failed to write invalid key: %v", err)`
`103`	`103`	`}`
`104`	`104`
`@@ -123,7 +123,7 @@ func TestLoadCA(t *testing.T) {`
`123`	`123`	`}`
`124`	`124`
`125`	`125`	`// Now corrupt the key file`
`126`		`- if err := os.WriteFile(keyPath, []byte("invalid key pem"), 0o600); err != nil {`
	`126`	`+ if err := os.WriteFile(keyPath, []byte("invalid key pem"), defaultKeyPerm); err != nil {`
`127`	`127`	`t.Fatalf("failed to corrupt key file: %v", err)`
`128`	`128`	`}`
`129`	`129`
Original file line number	Diff line number	Diff line change
`@@ -40,7 +40,7 @@ func TestGenerateSigningKey(t *testing.T) {`
`40`	`40`	`t.Fatalf("Key file not created: %v", err)`
`41`	`41`	`}`
`42`	`42`
`43`		`- if fileInfo.Mode().Perm() != 0o600 {`
	`43`	`+ if fileInfo.Mode().Perm() != defaultKeyPerm {`
`44`	`44`	`t.Errorf("Expected file permissions 0600, got %v", fileInfo.Mode().Perm())`
`45`	`45`	`}`
`46`	`46`	`})`
`@@ -152,7 +152,7 @@ func TestLoadSigningKey(t *testing.T) {`
`152`	`152`
`153`	`153`	`t.Run("fails with invalid PEM", func(t *testing.T) {`
`154`	`154`	`invalidPEMPath := filepath.Join(tmpDir, "invalid.key")`
`155`		`- if err := os.WriteFile(invalidPEMPath, []byte("not a pem file"), 0o600); err != nil {`
	`155`	`+ if err := os.WriteFile(invalidPEMPath, []byte("not a pem file"), defaultKeyPerm); err != nil {`
`156`	`156`	`t.Fatalf("Failed to write invalid PEM file: %v", err)`
`157`	`157`	`}`
`158`	`158`
`@@ -176,7 +176,7 @@ MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQC7VJTUt9Us8cKB`
`176`	`176`	`wHVKYdZyLkmMdVNjJqLs2Nx7e62VQqTrqTqhqY+HVhMV7HjfRqNVM6pYsf3VrGQh`
`177`	`177`	-----END PRIVATE KEY-----`)
`178`	`178`
`179`		`- if err := os.WriteFile(rsaKeyPath, keyData, 0o600); err != nil {`
	`179`	`+ if err := os.WriteFile(rsaKeyPath, keyData, defaultKeyPerm); err != nil {`
`180`	`180`	`t.Fatalf("Failed to write RSA key: %v", err)`
`181`	`181`	`}`
`182`	`182`
`@@ -194,7 +194,7 @@ wHVKYdZyLkmMdVNjJqLs2Nx7e62VQqTrqTqhqY+HVhMV7HjfRqNVM6pYsf3VrGQh`
`194`	`194`	`invalidbase64data!!!`
`195`	`195`	-----END PRIVATE KEY-----`
`196`	`196`
`197`		`- if err := os.WriteFile(corruptPath, []byte(corruptPEM), 0o600); err != nil {`
	`197`	`+ if err := os.WriteFile(corruptPath, []byte(corruptPEM), defaultKeyPerm); err != nil {`
`198`	`198`	`t.Fatalf("Failed to write corrupt PEM: %v", err)`
`199`	`199`	`}`
`200`	`200`
`@@ -363,7 +363,7 @@ c3QtY2VydDAeFw0yM...")`
`363`	`363`	`}`
`364`	`364`
`365`	`365`	`// Verify permissions`
`366`		`- if fileInfo.Mode().Perm() != 0o600 {`
	`366`	`+ if fileInfo.Mode().Perm() != defaultKeyPerm {`
`367`	`367`	`t.Errorf("Expected file permissions 0600, got %v", fileInfo.Mode().Perm())`
`368`	`368`	`}`
`369`	`369`