ceems-dev · mahendrapaipuri · Dec 22, 2025 · Dec 22, 2025 · Dec 22, 2025 · Dec 22, 2025
diff --git a/.github/workflows/step_tests-lint.yml b/.github/workflows/step_tests-lint.yml
@@ -28,5 +28,5 @@ jobs:
       - name: Lint
         uses: golangci/golangci-lint-action@v9
         with:
-          version: v2.5.0
+          version: v2.7.2
           args: --timeout=5m
diff --git a/cmd/cacct/testflags.go b/cmd/cacct/testflags.go
@@ -1,5 +1,4 @@
 //go:build test
-// +build test
 
 package main
 

diff --git a/cmd/ceems_api_server/main.go b/cmd/ceems_api_server/main.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package main
 

diff --git a/cmd/ceems_lb/main.go b/cmd/ceems_lb/main.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package main
 

diff --git a/cmd/redfish_proxy/server_test.go b/cmd/redfish_proxy/server_test.go
@@ -208,11 +208,7 @@ func TestNewRedfishProxyServerWithWebConfig(t *testing.T) {
 
 	// Make concurrent requests to detect data races
 	for i := range 20 {
-		wg.Add(1)
-
-		go func() {
-			defer wg.Done()
-
+		wg.Go(func() {
 			req, err := http.NewRequest(http.MethodGet, fmt.Sprintf("http://localhost:%d/redfish/v1/", p), nil) //nolint:noctx
 			errs <- err
 
@@ -232,7 +228,7 @@ func TestNewRedfishProxyServerWithWebConfig(t *testing.T) {
 
 			// Check the body if it has same IP set
 			assert.Equal(t, strings.Join([]string{remoteIPs[tid]}, ","), string(bodyBytes))
-		}()
+		})
 	}
 
 	// Wait for all requests to finish

diff --git a/examples/mock_resource_manager/cmd/mock_ceems_server/main.go b/examples/mock_resource_manager/cmd/mock_ceems_server/main.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 // Boiler plate code to create a new instance of CEEMSServer entrypoint
 package main

diff --git a/examples/mock_updater/cmd/mock_ceems_server/main.go b/examples/mock_updater/cmd/mock_ceems_server/main.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 // Boiler plate code to create a new instance of usageStatsServerApp entrypoint
 package main

diff --git a/internal/common/helpers_test.go b/internal/common/helpers_test.go
@@ -529,6 +529,7 @@ func TestCheckHTTPClientConfigFiles(t *testing.T) {
 	tmpDir := t.TempDir()
 
 	testFiles := make(map[string]string)
+
 	for _, n := range []string{
 		"bearer_token_file",
 		"auth_credentials_file",

diff --git a/internal/security/manager.go b/internal/security/manager.go
@@ -88,6 +88,12 @@ func NewManager(c *Config, logger *slog.Logger) (*Manager, error) {
 	// we asked for 32 bits while conversion
 	runAsUserUID := uint32(val)
 
+	// Get all group IDs that runAsUser is part of
+	runAsUserGIDs, err := manager.runAsUser.GroupIds()
+	if err != nil {
+		logger.Warn("Failed to get runAsUser groups", "err", err)
+	}
+
 	// Calculate ACL entries for different paths
 	for _, p := range c.ReadPaths {
 		if p == "" {
@@ -116,10 +122,10 @@ func NewManager(c *Config, logger *slog.Logger) (*Manager, error) {
 		switch mode := fperms.Stat.Mode(); {
 		case mode.IsDir():
 			perms = 5
-			hasPerms = hasReadExecutable(fperms, manager.currentUser, manager.runAsUser)
+			hasPerms = hasReadExecutable(fperms, manager.currentUser, manager.runAsUser, runAsUserGIDs)
 		case mode.IsRegular():
 			perms = 4
-			hasPerms = hasRead(fperms, manager.currentUser, manager.runAsUser)
+			hasPerms = hasRead(fperms, manager.currentUser, manager.runAsUser, runAsUserGIDs)
 		}
 
 		// If the path is readable/executable by runAsUser, nothing to do here. Continue
@@ -159,10 +165,10 @@ func NewManager(c *Config, logger *slog.Logger) (*Manager, error) {
 		switch mode := fperms.Stat.Mode(); {
 		case mode.IsDir():
 			perms = 7
-			hasPerms = hasReadWriteExecutable(fperms, manager.currentUser, manager.runAsUser)
+			hasPerms = hasReadWriteExecutable(fperms, manager.currentUser, manager.runAsUser, runAsUserGIDs)
 		case mode.IsRegular():
 			perms = 6
-			hasPerms = hasReadWrite(fperms, manager.currentUser, manager.runAsUser)
+			hasPerms = hasReadWrite(fperms, manager.currentUser, manager.runAsUser, runAsUserGIDs)
 		}
 
 		// If the path is readable/executable by runAsUser, nothing to do here. Continue
@@ -419,61 +425,76 @@ func setCapabilities(caps []cap.Value, enableEffective bool) error {
 }
 
 // hasRead returns true if runAsUser has r permissions on path.
-func hasRead(p fileperm.PermUser, currentUser *user.User, runAsUser *user.User) bool {
+func hasRead(p fileperm.PermUser, currentUser *user.User, runAsUser *user.User, runAsUserGIDs []string) bool {
 	// If current user is runAsUser, check for user permissions
 	if currentUser.Uid == runAsUser.Uid {
 		return p.UserReadable()
 	}
 
-	// If not check, check for other permissions
-	if p.Stat.Mode().Perm()&fileperm.OsOthR != 0 {
-		return true
+	// File group owner
+	pGID := strconv.FormatUint(uint64(p.GID), 10)
+
+	// Check if runAsUser GIDs matches with file GID and in that case
+	// check for group permissions
+	if slices.Contains(runAsUserGIDs, pGID) {
+		return p.Stat.Mode().Perm()&fileperm.OsGroupR != 0
 	}
 
 	return false
 }
 
 // hasReadExecutable returns true if runAsUser has rx permissions on path.
-func hasReadExecutable(p fileperm.PermUser, currentUser *user.User, runAsUser *user.User) bool {
+func hasReadExecutable(p fileperm.PermUser, currentUser *user.User, runAsUser *user.User, runAsUserGIDs []string) bool {
 	// If current user is runAsUser, check for user permissions
 	if currentUser.Uid == runAsUser.Uid {
 		return p.UserReadExecutable()
 	}
 
-	// If not check, check for other permissions
-	if p.Stat.Mode().Perm()&fileperm.OsOthR != 0 && p.Stat.Mode().Perm()&fileperm.OsOthX != 0 {
-		return true
+	// File group owner
+	pGID := strconv.FormatUint(uint64(p.GID), 10)
+
+	// Check if runAsUser GIDs matches with file GID and in that case
+	// check for group permissions
+	if slices.Contains(runAsUserGIDs, pGID) {
+		return p.Stat.Mode().Perm()&fileperm.OsGroupR != 0 && p.Stat.Mode().Perm()&fileperm.OsGroupX != 0
 	}
 
 	return false
 }
 
 // hasReadWrite returns true if runAsUser has rw permissions on path.
-func hasReadWrite(p fileperm.PermUser, currentUser *user.User, runAsUser *user.User) bool {
+func hasReadWrite(p fileperm.PermUser, currentUser *user.User, runAsUser *user.User, runAsUserGIDs []string) bool {
 	// If current user is runAsUser, check for user permissions
 	if currentUser.Uid == runAsUser.Uid {
 		return p.UserWriteReadable()
 	}
 
-	// If not check, check for other permissions
-	if p.Stat.Mode().Perm()&fileperm.OsOthR != 0 && p.Stat.Mode().Perm()&fileperm.OsOthW != 0 {
-		return true
+	// File group owner
+	pGID := strconv.FormatUint(uint64(p.GID), 10)
+
+	// Check if runAsUser GIDs matches with file GID and in that case
+	// check for group permissions
+	if slices.Contains(runAsUserGIDs, pGID) {
+		return p.Stat.Mode().Perm()&fileperm.OsGroupR != 0 && p.Stat.Mode().Perm()&fileperm.OsGroupW != 0
 	}
 
 	return false
 }
 
 // hasReadWriteExecutable returns true if runAsUser has rwx permissions on path.
-func hasReadWriteExecutable(p fileperm.PermUser, currentUser *user.User, runAsUser *user.User) bool {
+func hasReadWriteExecutable(p fileperm.PermUser, currentUser *user.User, runAsUser *user.User, runAsUserGIDs []string) bool {
 	// If current user is runAsUser, check for user permissions
 	if currentUser.Uid == runAsUser.Uid {
 		return p.UserWriteReadExecutable()
 	}
 
-	// If not check, check for other permissions
-	if p.Stat.Mode().Perm()&fileperm.OsOthR != 0 && p.Stat.Mode().Perm()&fileperm.OsOthW != 0 &&
-		p.Stat.Mode().Perm()&fileperm.OsOthX != 0 {
-		return true
+	// File group owner
+	pGID := strconv.FormatUint(uint64(p.GID), 10)
+
+	// Check if runAsUser GIDs matches with file GID and in that case
+	// check for group permissions
+	if slices.Contains(runAsUserGIDs, pGID) {
+		return p.Stat.Mode().Perm()&fileperm.OsGroupR != 0 && p.Stat.Mode().Perm()&fileperm.OsGroupW != 0 && p.Stat.Mode().Perm()&fileperm.OsGroupX != 0
 	}
 
 	return false

diff --git a/internal/security/manager_test.go b/internal/security/manager_test.go
@@ -81,7 +81,9 @@ func TestNewManager(t *testing.T) {
 
 	expectedEntries := []acl{
 		{path: filepath.Join(tmpDir, "l1", "l2", "l3"), entry: acls.NewEntry(acls.TAG_ACL_USER, 65534, 5)},
+		{path: filepath.Join(tmpDir, "l1", "l2"), entry: acls.NewEntry(acls.TAG_ACL_USER, 65534, 5)},
 		{path: filepath.Join(tmpDir, "l1"), entry: acls.NewEntry(acls.TAG_ACL_USER, 65534, 5)},
+		{path: tmpDir, entry: acls.NewEntry(acls.TAG_ACL_USER, 65534, 5)},
 		{path: filepath.Dir(tmpDir), entry: acls.NewEntry(acls.TAG_ACL_USER, 65534, 5)},
 		{path: filepath.Join(tmpDir, "l1", "l2", "l3", "testRead"), entry: acls.NewEntry(acls.TAG_ACL_USER, 65534, 4)},
 		{path: filepath.Join(tmpDir, "l1", "l2", "l3", "testWrite"), entry: acls.NewEntry(acls.TAG_ACL_USER, 65534, 6)},

diff --git a/internal/structset/structset_test.go b/internal/structset/structset_test.go
@@ -41,9 +41,7 @@ func TestGetStructFieldTagMap(t *testing.T) {
 }
 
 func TestCachedFiledIndexes(t *testing.T) {
-	var value testStruct
-
-	indexes := CachedFieldIndexes(reflect.TypeOf(&value).Elem())
+	indexes := CachedFieldIndexes(reflect.TypeFor[testStruct]())
 
 	expected := map[string]int{"f1": 1, "f2": 2, "f3": 3, "f4": 4, "id": 0}
 	assert.Equal(t, expected, indexes)
@@ -60,6 +58,6 @@ func TestCachedFiledIndexes(t *testing.T) {
 	assert.Equal(t, 1, i)
 
 	// Now making second request should get value from cache
-	indexes = CachedFieldIndexes(reflect.TypeOf(&value).Elem())
+	indexes = CachedFieldIndexes(reflect.TypeFor[testStruct]())
 	assert.Equal(t, expected, indexes)
 }
diff --git a/pkg/api/cli/cli.go b/pkg/api/cli/cli.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 // Package cli implements the CLI of the CEEMS API server app
 package cli
@@ -417,11 +416,7 @@ func (b *CEEMSServer) Main() error {
 	// Initialize tickers. We will stop the ticker immediately after signal has received.
 	dbUpdateTicker = time.NewTicker(time.Duration(config.Server.Data.UpdateInterval))
 
-	wg.Add(1)
-
-	go func() {
-		defer wg.Done()
-
+	wg.Go(func() {
 		for {
 			// This will ensure that we will run the method as soon as go routine
 			// starts instead of waiting for ticker to tick.
@@ -441,18 +436,14 @@ func (b *CEEMSServer) Main() error {
 				return
 			}
 		}
-	}()
+	})
 
 	// Start backup go routine only backup path is provided in CLI.
 	if config.Server.Data.BackupPath != "" {
 		// Initialise ticker and increase waitgroup counter.
 		dbBackupTicker = time.NewTicker(time.Duration(config.Server.Data.BackupInterval))
 
-		wg.Add(1)
-
-		go func() {
-			defer wg.Done()
-
+		wg.Go(func() {
 			for {
 				select {
 				case <-dbBackupTicker.C:
@@ -471,7 +462,7 @@ func (b *CEEMSServer) Main() error {
 					return
 				}
 			}
-		}()
+		})
 	}
 
 	// Initializing the server in a goroutine so that

diff --git a/pkg/api/cli/cli_test.go b/pkg/api/cli/cli_test.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package cli
 

diff --git a/pkg/api/db/db.go b/pkg/api/db/db.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 // Package db creates DB tables, call resource manager interfaces and
 // populates the DB with compute units

diff --git a/pkg/api/db/db_test.go b/pkg/api/db/db_test.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package db
 

diff --git a/pkg/api/db/helpers.go b/pkg/api/db/helpers.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package db
 

diff --git a/pkg/api/db/helpers_test.go b/pkg/api/db/helpers_test.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package db
 

diff --git a/pkg/api/http/compress.go b/pkg/api/http/compress.go
@@ -69,8 +69,8 @@ func NewCompressor(level int, types ...string) *Compressor {
 				panic(fmt.Sprintf("middleware/compress: Unsupported content-type wildcard pattern '%s'. Only '/*' supported", t))
 			}
 
-			if strings.HasSuffix(t, "/*") {
-				allowedWildcards[strings.TrimSuffix(t, "/*")] = struct{}{}
+			if before, ok := strings.CutSuffix(t, "/*"); ok {
+				allowedWildcards[before] = struct{}{}
 			} else {
 				allowedTypes[t] = struct{}{}
 			}

diff --git a/pkg/api/http/error.go b/pkg/api/http/error.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package http
 

diff --git a/pkg/api/http/error_test.go b/pkg/api/http/error_test.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package http
 

diff --git a/pkg/api/http/middleware.go b/pkg/api/http/middleware.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package http
 

diff --git a/pkg/api/http/middleware_test.go b/pkg/api/http/middleware_test.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package http
 

diff --git a/pkg/api/http/querier.go b/pkg/api/http/querier.go
@@ -90,7 +90,7 @@ func scanRows[T any](rows *sql.Rows, numRows int) ([]T, error) {
 	rowIdx := 0
 
 	// Get indexes
-	indexes := structset.CachedFieldIndexes(reflect.TypeOf(&value).Elem())
+	indexes := structset.CachedFieldIndexes(reflect.TypeFor[T]())
 
 	// Get columns
 	columns, err = rows.Columns()

diff --git a/pkg/api/http/querier_test.go b/pkg/api/http/querier_test.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package http
 

diff --git a/pkg/api/http/server.go b/pkg/api/http/server.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 // Package http implements the HTTP server handlers for different resource endpoints
 package http

diff --git a/pkg/api/http/server_test.go b/pkg/api/http/server_test.go
@@ -1,5 +1,4 @@
 //go:build cgo
-// +build cgo
 
 package http
 

diff --git a/pkg/api/resource/openstack/types.go b/pkg/api/resource/openstack/types.go
@@ -189,10 +189,10 @@ type PowerState int
 const (
 	NOSTATE = iota
 	RUNNING
-	_UNUSED1 //nolint:stylecheck
+	_UNUSED1
 	PAUSED
 	SHUTDOWN
-	_UNUSED2 //nolint:stylecheck
+	_UNUSED2
 	CRASHED
 	SUSPENDED
 )

diff --git a/pkg/collector/cgroup_test.go b/pkg/collector/cgroup_test.go
@@ -1,5 +1,4 @@
 //go:build !noslurm
-// +build !noslurm
 
 package collector
 

diff --git a/pkg/collector/cpu.go b/pkg/collector/cpu.go
@@ -1,5 +1,4 @@
 //go:build !nocpu
-// +build !nocpu
 
 package collector