chore: reformat with gofumpt (#109)

* Reformat with gofumpt

* Suppress issue about laxer perms than 0600

---------

Co-authored-by: Joel Kamp <joel.kamp@docker.com>

internal/embed/root.go

@@ -16,11 +16,13 @@ var prodRoot []byte
 
 var defaultRoot = prodRoot
 
-type RootName string
-type EmbeddedRoot struct {
-	Data []byte
-	Name RootName
-}
+type (
+	RootName     string
+	EmbeddedRoot struct {
+		Data []byte
+		Name RootName
+	}
+)
 
 var (
 	RootDev     = EmbeddedRoot{Data: devRoot, Name: "dev"}

internal/test/mocks.go

@@ -34,7 +34,6 @@ func (r MockResolver) ImageDescriptor(ctx context.Context) (*v1.Descriptor, erro
 		Size:      1234,
 		MediaType: "application/vnd.oci.image.manifest.v1+json",
 	}, nil
-
 }
 
 func (r MockResolver) ImagePlatform(ctx context.Context) (*v1.Platform, error) {

internal/test/test.go

@@ -124,10 +124,10 @@ func ExtractStatementsFromIndex(idx v1.ImageIndex, mediaType string) ([]*Annotat
 				return nil, fmt.Errorf("failed to get layer contents: %w", err)
 			}
 			defer r.Close()
-			var intotoStatement = new(intoto.Statement)
+			intotoStatement := new(intoto.Statement)
 			var desc *v1.Descriptor
 			if strings.HasSuffix(string(mt), "+dsse") {
-				var env = new(attestation.Envelope)
+				env := new(attestation.Envelope)
 				err = json.NewDecoder(r).Decode(env)
 				if err != nil {
 					return nil, fmt.Errorf("failed to decode env: %w", err)

internal/test/test_test.go

@@ -8,9 +8,7 @@ import (
 	"github.com/stretchr/testify/assert"
 )
 
-var (
-	UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
-)
+var UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
 
 const (
 	ExpectedStatements = 4

pkg/attest/verify_test.go

@@ -21,9 +21,7 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-var (
-	ExampleAttestation = filepath.Join("..", "..", "test", "testdata", "example_attestation.json")
-)
+var ExampleAttestation = filepath.Join("..", "..", "test", "testdata", "example_attestation.json")
 
 const (
 	LinuxAMD64 = "linux/amd64"
@@ -33,7 +31,7 @@ func TestVerifyAttestations(t *testing.T) {
 	ex, err := os.ReadFile(ExampleAttestation)
 	assert.NoError(t, err)
 
-	var env = new(attestation.Envelope)
+	env := new(attestation.Envelope)
 	err = json.Unmarshal(ex, env)
 	assert.NoError(t, err)
 	resolver := &test.MockResolver{
@@ -51,7 +49,6 @@ func TestVerifyAttestations(t *testing.T) {
 
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
-
 			mockPE := policy.MockPolicyEvaluator{
 				EvaluateFunc: func(ctx context.Context, resolver oci.AttestationResolver, pctx *policy.Policy, input *policy.PolicyInput) (*policy.Result, error) {
 					return policy.AllowedResult(), tc.policyEvaluationError

pkg/attestation/attestation.go

@@ -47,7 +47,8 @@ func GetAttestationManifestsFromIndex(index v1.ImageIndex) ([]*AttestationManife
 				&AttestationManifest{
 					OriginalDescriptor: &desc,
 					SubjectDescriptor:  subject,
-					OriginalLayers:     attestationLayers})
+					OriginalLayers:     attestationLayers,
+				})
 		}
 	}
 	return attestationManifests, nil
@@ -78,7 +79,7 @@ func GetAttestationsFromImage(image v1.Image) ([]*AttestationLayer, error) {
 		// copy original annotations
 		ann := maps.Clone(layerDesc.Annotations)
 		// only decode intoto statements
-		var stmt = new(intoto.Statement)
+		stmt := new(intoto.Statement)
 		if mt == types.MediaType(intoto.PayloadType) {
 			err = json.NewDecoder(r).Decode(&stmt)
 			if err != nil {
@@ -139,9 +140,9 @@ func SignInTotoStatement(ctx context.Context, statement *intoto.Statement, signe
 func UpdateIndexImage(
 	idx v1.ImageIndex,
 	manifest *AttestationManifest,
-	options ...func(*AttestationManifestImageOptions) error) (v1.ImageIndex, error) {
+	options ...func(*AttestationManifestImageOptions) error,
+) (v1.ImageIndex, error) {
 	image, err := manifest.BuildAttestationImage(options...)
-
 	if err != nil {
 		return nil, fmt.Errorf("failed to build image: %w", err)
 	}
@@ -218,7 +219,7 @@ func (manifest *AttestationManifest) BuildAttestationImage(options ...func(*Atte
 				break
 			}
 		}
-		//add existing layers if they've not been signed or we're not replacing them
+		// add existing layers if they've not been signed or we're not replacing them
 		if !found || !opts.replaceLayers {
 			resultLayers = append(resultLayers, existingLayer)
 		}
@@ -254,7 +255,7 @@ func buildImage(layers []*AttestationLayer, manifest *v1.Descriptor, subject *v1
 		return nil, fmt.Errorf("no layers supplied to build image")
 	}
 	// NB: if we add the subject before the layers, it does not end up being computed/serialised in the output for some reason
-	//TODO - recreate this bug and push upstream
+	// TODO - recreate this bug and push upstream
 	for _, layer := range layers {
 		add := mutate.Addendum{
 			Layer:       layer.Layer,

pkg/attestation/referrers_test.go

@@ -57,7 +57,7 @@ func TestAttestationReferenceTypes(t *testing.T) {
 		{
 			name:              "attached attestations, referrers repo (mismatched args)",
 			server:            httptest.NewServer(registry.New(registry.WithReferrersSupport(true))),
-			expectFailure:     true, //mismatched args
+			expectFailure:     true, // mismatched args
 			attestationSource: config.AttestationStyleAttached,
 			referrersRepo:     "referrers",
 		},
@@ -261,7 +261,7 @@ func TestReferencesInDifferentRepo(t *testing.T) {
 			mfs2, err := attIdx.Index.IndexManifest()
 			require.NoError(t, err)
 			for _, mf := range mfs2.Manifests {
-				//skip signed/unsigned attestations
+				// skip signed/unsigned attestations
 				if mf.Annotations[attestation.DockerReferenceType] == attestation.AttestationManifestType {
 					continue
 				}

pkg/attestation/verify.go

@@ -27,8 +27,10 @@ type KeyMetadata struct {
 	Distrust      bool       `json:"distrust,omitempty"`
 }
 
-type Keys []KeyMetadata
-type KeysMap map[string]KeyMetadata
+type (
+	Keys    []KeyMetadata
+	KeysMap map[string]KeyMetadata
+)
 
 func VerifyDSSE(ctx context.Context, env *Envelope, opts *VerifyOptions) ([]byte, error) {
 	// enforce payload type

pkg/attestation/vsa.go

@@ -35,7 +35,7 @@ type VSAInputAttestation struct {
 }
 
 func ToVSAResourceURI(sub intoto.Subject) (string, error) {
-	//parse purl
+	// parse purl
 	purl, err := packageurl.FromString(sub.Name)
 	if err != nil {
 		return "", fmt.Errorf("failed to parse package url: %w", err)

pkg/mirror/mirror.go

@@ -137,7 +137,7 @@ func SaveReferrers(manifest *attestation.AttestationManifest, outputs []*oci.Ima
 		if err != nil {
 			return err
 		}
-		//otherwise we end up with the detected platform, though I'm not sure it matters
+		// otherwise we end up with the detected platform, though I'm not sure it matters
 		attOut.Platform = &v1.Platform{
 			OS:           "unknown",
 			Architecture: "unknown",

pkg/mirror/mirror_test.go

@@ -43,7 +43,6 @@ func TestSavingIndex(t *testing.T) {
 }
 
 func TestSavingImage(t *testing.T) {
-
 	outputLayout := test.CreateTempDir(t, "", "mirror-test")
 
 	img := empty.Image

pkg/oci/layout.go

@@ -55,10 +55,9 @@ func (r *OCILayoutResolver) Attestations(ctx context.Context, predicateType stri
 		if mts != dsseMediaType {
 			continue
 		}
-		var env = new(att.Envelope)
+		env := new(att.Envelope)
 		// parse layer blob as json
 		r, err := attestationLayer.Layer.Uncompressed()
-
 		if err != nil {
 			return nil, fmt.Errorf("failed to get layer contents: %w", err)
 		}

pkg/oci/oci.go

@@ -63,7 +63,7 @@ func ExtractEnvelopes(manifest *attestation.AttestationManifest, predicateType s
 				return nil, fmt.Errorf("failed to get layer contents: %w", err)
 			}
 			defer reader.Close()
-			var env = new(att.Envelope)
+			env := new(att.Envelope)
 			err = json.NewDecoder(reader).Decode(&env)
 			if err != nil {
 				return nil, fmt.Errorf("failed to decode envelope: %w", err)

pkg/oci/oci_test.go

@@ -54,9 +54,7 @@ func TestRefToPurl(t *testing.T) {
 	assert.True(t, canonical)
 }
 
-var (
-	UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
-)
+var UnsignedTestImage = filepath.Join("..", "..", "test", "testdata", "unsigned-test-image")
 
 // Test fix for https://github.com/docker/secure-artifacts-team-issues/issues/202
 func TestImageDigestForPlatform(t *testing.T) {

pkg/oci/referrers.go

@@ -35,8 +35,7 @@ func WithReferrersRepo(repo string) func(*ReferrersResolver) error {
 	}
 }
 
-func (r *ReferrersResolver) resolveAttestations(ctx context.Context, predicateType string) ([]*attestation.AttestationManifest,
-	error) {
+func (r *ReferrersResolver) resolveAttestations(ctx context.Context, predicateType string) ([]*attestation.AttestationManifest, error) {
 	dsseMediaType, err := attestation.DSSEMediaType(predicateType)
 	if err != nil {
 		return nil, fmt.Errorf("failed to get DSSE media type for predicate '%s': %w", predicateType, err)

pkg/oci/types.go

@@ -18,11 +18,13 @@ const (
 	Docker             SourceType = "Docker"
 )
 
-type SourceType string
-type NamedIndex struct {
-	Index v1.ImageIndex
-	Name  string
-}
+type (
+	SourceType string
+	NamedIndex struct {
+		Index v1.ImageIndex
+		Name  string
+	}
+)
 
 type AttestationOptions struct {
 	NoReferrers   bool

pkg/policy/policy_test.go

@@ -22,7 +22,7 @@ func loadAttestation(t *testing.T, path string) *attestation.Envelope {
 		t.Fatal(err)
 	}
 
-	var env = new(attestation.Envelope)
+	env := new(attestation.Envelope)
 	err = json.Unmarshal(ex, env)
 	if err != nil {
 		t.Fatal(err)
@@ -103,7 +103,6 @@ func TestRegoEvaluator_Evaluate(t *testing.T) {
 			}
 		})
 	}
-
 }
 
 func TestLoadingMappings(t *testing.T) {

pkg/policy/rego.go

@@ -140,6 +140,7 @@ var verifyDecl = &ast.Builtin{
 	Decl:             types.NewFunction(types.Args(dynamicObj, dynamicObj), dynamicObj),
 	Nondeterministic: true,
 }
+
 var attestDecl = &ast.Builtin{
 	Name:             "attest.fetch",
 	Decl:             types.NewFunction(types.Args(types.S), dynamicObj),

pkg/tuf/mock.go

@@ -38,7 +38,7 @@ func (dc *mockTufClient) DownloadTarget(target string, filePath string) (actualF
 		dstFilePath = filePath
 	}
 
-	err = os.MkdirAll(filepath.Dir(dstFilePath), 0755)
+	err = os.MkdirAll(filepath.Dir(dstFilePath), os.ModePerm)
 	if err != nil {
 		return "", nil, err
 	}

pkg/tuf/tuf.go

@@ -56,20 +56,19 @@ func NewTufClient(initialRoot []byte, tufPath, metadataSource, targetsSource str
 
 	// create a directory for each initial root.json
 	metadataPath := filepath.Join(tufPath, tufRootDigest)
-	err := os.MkdirAll(metadataPath, 0755)
+	err := os.MkdirAll(metadataPath, os.ModePerm)
 	if err != nil {
 		return nil, fmt.Errorf("failed to create directory '%s': %w", metadataPath, err)
 	}
 	rootFile := filepath.Join(metadataPath, "root.json")
 	var rootBytes []byte
 	rootBytes, err = os.ReadFile(rootFile)
-
 	if err != nil {
 		if !errors.Is(err, fs.ErrNotExist) {
 			return nil, fmt.Errorf("failed to read root.json: %w", err)
 		}
 		// write the root.json file to the metadata directory
-		err = os.WriteFile(rootFile, initialRoot, 0644)
+		err = os.WriteFile(rootFile, initialRoot, 0o666) // #nosec G306
 		if err != nil {
 			return nil, fmt.Errorf("Failed to write root.json %w", err)
 		}
@@ -131,7 +130,7 @@ func (t *TufClient) DownloadTarget(target string, filePath string) (actualFilePa
 
 	// check if filePath exists and create the directory if it doesn't
 	if _, err := os.Stat(filepath.Dir(filePath)); os.IsNotExist(err) {
-		err = os.MkdirAll(filepath.Dir(filePath), 0755)
+		err = os.MkdirAll(filepath.Dir(filePath), os.ModePerm)
 		if err != nil {
 			return "", nil, fmt.Errorf("failed to create target download directory '%s': %w", filepath.Dir(filePath), err)
 		}