all: gofmt for Go 1.19

Updates #5210

Change-Id: Ib02cd5e43d0a8db60c1f09755a8ac7b140b670be
Signed-off-by: Brad Fitzpatrick <bradfitz@tailscale.com>

cmd/tailscale/cli/up.go

@@ -178,15 +178,16 @@ var upArgs upArgsT
 // JSON block will be output. The AuthURL and QR fields will not be present, the
 // BackendState and Error fields will give the result of the authentication.
 // Ex:
+//
 //	{
 //	   "AuthURL": "https://login.tailscale.com/a/0123456789abcdef",
 //	   "QR": "data:image/png;base64,0123...cdef"
 //	   "BackendState": "NeedsLogin"
 //	}
+//
 //	{
 //	   "BackendState": "Running"
 //	}
-//
 type upOutputJSON struct {
 	AuthURL      string `json:",omitempty"` // Authentication URL of the form https://login.tailscale.com/a/0123456789
 	QR           string `json:",omitempty"` // a DataURL (base64) PNG of a QR code AuthURL

cmd/viewer/viewer.go

@@ -342,8 +342,7 @@ func main() {
 	it := codegen.NewImportTracker(pkg.Types)
 
 	buf := new(bytes.Buffer)
-	fmt.Fprintf(buf, `//go:generate go run tailscale.com/cmd/cloner  %s`, strings.Join(flagArgs, " "))
-	fmt.Fprintln(buf)
+	fmt.Fprintf(buf, "//go:generate go run tailscale.com/cmd/cloner  %s\n\n", strings.Join(flagArgs, " "))
 	runCloner := false
 	for _, typeName := range typeNames {
 		typ, ok := namedTypes[typeName]

derp/derp.go

@@ -40,8 +40,8 @@ const (
 )
 
 // ProtocolVersion is bumped whenever there's a wire-incompatible change.
-//   * version 1 (zero on wire): consistent box headers, in use by employee dev nodes a bit
-//   * version 2: received packets have src addrs in frameRecvPacket at beginning
+//   - version 1 (zero on wire): consistent box headers, in use by employee dev nodes a bit
+//   - version 2: received packets have src addrs in frameRecvPacket at beginning
 const ProtocolVersion = 2
 
 // frameType is the one byte frame type at the beginning of the frame

disco/disco.go

@@ -7,6 +7,7 @@
 // A discovery message is:
 //
 // Header:
+//
 //	magic          [6]byte  // “TS💬” (0x54 53 f0 9f 92 ac)
 //	senderDiscoPub [32]byte // nacl public key
 //	nonce          [24]byte

ipn/backend.go

@@ -162,12 +162,12 @@ type PartialFile struct {
 //
 // Various platforms currently set StateKey in different ways:
 //
-// * the macOS/iOS GUI apps set it to "ipn-go-bridge"
-// * the Android app sets it to "ipn-android"
-// * on Windows, it's the empty string (in client mode) or, via
+//   - the macOS/iOS GUI apps set it to "ipn-go-bridge"
+//   - the Android app sets it to "ipn-android"
+//   - on Windows, it's the empty string (in client mode) or, via
 //     LocalBackend.userID, a string like "user-$USER_ID" (used in
 //     server mode).
-// * on Linux/etc, it's always "_daemon" (ipn.GlobalDaemonStateKey)
+//   - on Linux/etc, it's always "_daemon" (ipn.GlobalDaemonStateKey)
 type StateKey string
 
 type Options struct {

ipn/ipnlocal/local.go

@@ -883,11 +883,11 @@ func (b *LocalBackend) getNewControlClientFunc() clientGen {
 // startIsNoopLocked reports whether a Start call on this LocalBackend
 // with the provided Start Options would be a useless no-op.
 //
-// TODO(apenwarr): we shouldn't need this.
-//  The state machine is now nearly clean enough where it can accept a new
-//  connection while in any state, not just Running, and on any platform.
-//  We'd want to add a few more tests to state_test.go to ensure this continues
-//  to work as expected.
+// TODO(apenwarr): we shouldn't need this. The state machine is now
+// nearly clean enough where it can accept a new connection while in
+// any state, not just Running, and on any platform.  We'd want to add
+// a few more tests to state_test.go to ensure this continues to work
+// as expected.
 //
 // b.mu must be held.
 func (b *LocalBackend) startIsNoopLocked(opts ipn.Options) bool {

ipn/localapi/localapi.go

@@ -545,7 +545,7 @@ func (h *Handler) serveFileTargets(w http.ResponseWriter, r *http.Request) {
 //
 // URL format:
 //
-//    * PUT /localapi/v0/file-put/:stableID/:escaped-filename
+//   - PUT /localapi/v0/file-put/:stableID/:escaped-filename
 func (h *Handler) serveFilePut(w http.ResponseWriter, r *http.Request) {
 	if !h.PermitWrite {
 		http.Error(w, "file access denied", http.StatusForbidden)

ipn/message.go

@@ -305,8 +305,8 @@ func (bc *BackendClient) RequestStatus() {
 // MaxMessageSize is the maximum message size, in bytes.
 const MaxMessageSize = 10 << 20
 
-// TODO(apenwarr): incremental json decode?
-//  That would let us avoid storing the whole byte array uselessly in RAM.
+// TODO(apenwarr): incremental json decode? That would let us avoid
+// storing the whole byte array uselessly in RAM.
 func ReadMsg(r io.Reader) ([]byte, error) {
 	cb := make([]byte, 4)
 	_, err := io.ReadFull(r, cb)
@@ -328,10 +328,11 @@ func ReadMsg(r io.Reader) ([]byte, error) {
 	return b, nil
 }
 
-// TODO(apenwarr): incremental json encode?
-//  That would save RAM, at the expense of having to encode once so that
-//  we can produce the initial byte count.
 func WriteMsg(w io.Writer, b []byte) error {
+	// TODO(apenwarr): incremental json encode? That would save RAM, at the
+	// expense of having to encode once so that we can produce the initial byte
+	// count.
+
 	// TODO(bradfitz): this does two writes to w, which likely
 	// does two writes on the wire, two frame generations, etc. We
 	// should take a concrete buffered type, or use a sync.Pool to

ipn/store/stores.go

@@ -49,13 +49,13 @@ var knownStores map[string]Provider
 //
 // By default the following stores are registered:
 //
-//   * if the string begins with "mem:", the suffix
+//   - if the string begins with "mem:", the suffix
 //     is ignored and an in-memory store is used.
-//   * (Linux-only) if the string begins with "arn:",
+//   - (Linux-only) if the string begins with "arn:",
 //     the suffix an AWS ARN for an SSM.
-//   * (Linux-only) if the string begins with "kube:",
+//   - (Linux-only) if the string begins with "kube:",
 //     the suffix is a Kubernetes secret name
-//   * In all other cases, the path is treated as a filepath.
+//   - In all other cases, the path is treated as a filepath.
 func New(logf logger.Logf, path string) (ipn.StateStore, error) {
 	regOnce.Do(registerDefaultStores)
 	for prefix, sf := range knownStores {

net/dns/resolved.go

@@ -31,7 +31,9 @@ import (
 // In other cases, resolved may be managing the system DNS configuration directly.
 // Then the nameserver list will be a concatenation of those for all
 // the interfaces that register their interest in being a default resolver with
+//
 //	SetLinkDomains([]{{"~.", true}, ...})
+//
 // which includes at least the interface with the default route, i.e. not us.
 // This does not work for us: there is a possibility of getting NXDOMAIN
 // from the other nameservers before we are asked or get a chance to respond.

net/dns/resolver/tsdns.go

@@ -1063,8 +1063,11 @@ func rawNameToLower(name []byte) string {
 // ptrNameToIPv4 transforms a PTR name representing an IPv4 address to said address.
 // Such names are IPv4 labels in reverse order followed by .in-addr.arpa.
 // For example,
+//
 //	4.3.2.1.in-addr.arpa
+//
 // is transformed to
+//
 //	1.2.3.4
 func rdnsNameToIPv4(name dnsname.FQDN) (ip netip.Addr, ok bool) {
 	s := strings.TrimSuffix(name.WithTrailingDot(), rdnsv4Suffix)
@@ -1082,8 +1085,11 @@ func rdnsNameToIPv4(name dnsname.FQDN) (ip netip.Addr, ok bool) {
 // ptrNameToIPv6 transforms a PTR name representing an IPv6 address to said address.
 // Such names are dot-separated nibbles in reverse order followed by .ip6.arpa.
 // For example,
+//
 //	b.a.9.8.7.6.5.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.8.b.d.0.1.0.0.2.ip6.arpa.
+//
 // is transformed to
+//
 //	2001:db8::567:89ab
 func rdnsNameToIPv6(name dnsname.FQDN) (ip netip.Addr, ok bool) {
 	var b [32]byte

net/interfaces/interfaces_darwin_test.go

@@ -39,7 +39,6 @@ default            link#14            UCSI         utun2
 10/16              link#4             UCS            en0      !
 10.0.0.1/32        link#4             UCS            en0      !
 ...
-
 */
 func likelyHomeRouterIPDarwinExec() (ret netip.Addr, ok bool) {
 	if version.IsMobile() {

net/packet/tsmp.go

@@ -25,12 +25,12 @@ import (
 // TCP RST, this includes a reason.
 //
 // On the wire, after the IP header, it's currently 7 or 8 bytes:
-//     * '!'
-//     * IPProto byte (IANA protocol number: TCP or UDP)
-//     * 'A' or 'S' (RejectedDueToACLs, RejectedDueToShieldsUp)
-//     * srcPort big endian uint16
-//     * dstPort big endian uint16
-//     * [optional] byte of flag bits:
+//   - '!'
+//   - IPProto byte (IANA protocol number: TCP or UDP)
+//   - 'A' or 'S' (RejectedDueToACLs, RejectedDueToShieldsUp)
+//   - srcPort big endian uint16
+//   - dstPort big endian uint16
+//   - [optional] byte of flag bits:
 //     lowest bit (0x1): MaybeBroken
 //
 // In the future it might also accept 16 byte IP flow src/dst IPs
@@ -205,8 +205,8 @@ func (pp *Parsed) AsTailscaleRejectedHeader() (h TailscaleRejectedHeader, ok boo
 // TSMPPingRequest is a TSMP message that's like an ICMP ping request.
 //
 // On the wire, after the IP header, it's currently 9 bytes:
-//     * 'p' (TSMPTypePing)
-//     * 8 opaque ping bytes to copy back in the response
+//   - 'p' (TSMPTypePing)
+//   - 8 opaque ping bytes to copy back in the response
 type TSMPPingRequest struct {
 	Data [8]byte
 }

net/tlsdial/tlsdial.go

@@ -164,6 +164,7 @@ func SetConfigExpectedCert(c *tls.Config, certDNSName string) {
 letsEncryptX1 is the LetsEncrypt X1 root:
 
 Certificate:
+
 	Data:
 	    Version: 3 (0x2)
 	    Serial Number:
@@ -189,7 +190,6 @@ $ sudo update-ca-certificates
 
 Then restart tailscaled. To also test dnsfallback's use of it, nuke
 your /etc/resolv.conf and it should still start & run fine.
-
 */
 const letsEncryptX1 = `
 -----BEGIN CERTIFICATE-----

paths/paths_windows.go

@@ -18,10 +18,13 @@ import (
 // Owner: The user for the current process;
 // Primary Group: The primary group for the current process;
 // DACL: Full control to the current user and to the Administrators group.
+//
 //	(We include Administrators so that admin users may still access logs;
 //	 granting access exclusively to LocalSystem would require admins to use
 //	 special tools to access the Log directory)
+//
 // Inheritance: The directory does not inherit the ACL from its parent.
+//
 //	However, any directories and/or files created within this
 //	directory *do* inherit the ACL that we are setting.
 func ensureStateDirPerms(dirPath string) error {

safesocket/pipe_windows.go

@@ -27,6 +27,7 @@ func setFlags(network, address string, c syscall.RawConn) error {
 }
 
 // TODO(apenwarr): use named pipes instead of sockets?
+//
 //	I tried to use winio.ListenPipe() here, but that code is a disaster,
 //	built on top of an API that's a disaster. So for now we'll hack it by
 //	just always using a TCP session on a fixed port on localhost. As a

safesocket/safesocket_darwin.go

@@ -26,6 +26,7 @@ func init() {
 // from /Library/Tailscale.
 //
 // In that case the files are:
+//
 //	/Library/Tailscale/ipnport => $port (symlink with localhost port number target)
 //	/Library/Tailscale/sameuserproof-$port is a file with auth
 func localTCPPortAndTokenMacsys() (port int, token string, err error) {

safesocket/unixsocket.go

@@ -118,11 +118,11 @@ func socketPermissionsForOS() os.FileMode {
 // homebrew or go install). This little dance to connect a regular user binary
 // to the sandboxed network extension is:
 //
-//   * the sandboxed IPNExtension picks a random localhost:0 TCP port
+//   - the sandboxed IPNExtension picks a random localhost:0 TCP port
 //     to listen on
-//   * it also picks a random hex string that acts as an auth token
-//   * the CLI looks on disk for that TCP port + auth token (see localTCPPortAndTokenDarwin)
-//   * we send it upon TCP connect to prove to the Tailscale daemon that
+//   - it also picks a random hex string that acts as an auth token
+//   - the CLI looks on disk for that TCP port + auth token (see localTCPPortAndTokenDarwin)
+//   - we send it upon TCP connect to prove to the Tailscale daemon that
 //     we're a suitably privileged user to have access the files on disk
 //     which the Network/App Extension wrote.
 func connectMacOSAppSandbox() (net.Conn, error) {

tailcfg/tailcfg.go

@@ -37,6 +37,7 @@ type CapabilityVersion int
 // CurrentCapabilityVersion is the current capability version of the codebase.
 //
 // History of versions:
+//
 //	 3: implicit compression, keep-alives
 //	 4: opt-in keep-alives via KeepAlive field, opt-in compression via Compress
 //	 5: 2020-10-19, implies IncludeIPv6, delta Peers/UserProfiles, supports MagicDNS
@@ -746,6 +747,7 @@ func (st SignatureType) String() string {
 // RegisterRequest is sent by a client to register the key for a node.
 // It is encoded to JSON, encrypted with golang.org/x/crypto/nacl/box,
 // using the local machine key, and sent to:
+//
 //	https://login.tailscale.com/machine/<mkey hex>
 type RegisterRequest struct {
 	_ structs.Incomparable
@@ -864,6 +866,7 @@ type Endpoint struct {
 //
 // The request is encoded to JSON, encrypted with golang.org/x/crypto/nacl/box,
 // using the local machine key, and sent to:
+//
 //	https://login.tailscale.com/machine/<mkey hex>/map
 type MapRequest struct {
 	// Version is incremented whenever the client code changes enough that
@@ -1514,6 +1517,7 @@ const (
 //
 // The request is encoded to JSON, encrypted with golang.org/x/crypto/nacl/box,
 // using the local machine key, and sent to:
+//
 //	https://login.tailscale.com/machine/<mkey hex>/set-dns
 type SetDNSRequest struct {
 	// Version is the client's capabilities

tsweb/tsweb.go

@@ -586,13 +586,13 @@ func writePromExpVar(w io.Writer, prefix string, kv expvar.KeyValue) {
 //
 // It makes the following assumptions:
 //
-//   * *expvar.Int are counters (unless marked as a gauge_; see below)
-//   * a *tailscale/metrics.Set is descended into, joining keys with
+//   - *expvar.Int are counters (unless marked as a gauge_; see below)
+//   - a *tailscale/metrics.Set is descended into, joining keys with
 //     underscores. So use underscores as your metric names.
-//   * an expvar named starting with "gauge_" or "counter_" is of that
+//   - an expvar named starting with "gauge_" or "counter_" is of that
 //     Prometheus type, and has that prefix stripped.
-//   * anything else is untyped and thus not exported.
-//   * expvar.Func can return an int or int64 (for now) and anything else
+//   - anything else is untyped and thus not exported.
+//   - expvar.Func can return an int or int64 (for now) and anything else
 //     is not exported.
 //
 // This will evolve over time, or perhaps be replaced.

types/logger/tokenbucket.go

@@ -16,6 +16,7 @@ import (
 //     need for implementing hysteresis;
 //   - It doesn't let us provide our own time function, which we need for
 //     implementing proper unit tests.
+//
 // rate.Limiter is also much more complex than necessary, but that wouldn't
 // be enough to disqualify it on its own.
 //

util/clientmetric/clientmetric.go

@@ -216,11 +216,11 @@ const (
 // without further escaping.
 //
 // The current encoding is:
-//   * name immediately following metric:
+//   - name immediately following metric:
 //     'N' + hex(varint(len(name))) + name
-//   * set value of a metric:
+//   - set value of a metric:
 //     'S' + hex(varint(wireid)) + hex(varint(value))
-//   * increment a metric: (decrements if negative)
+//   - increment a metric: (decrements if negative)
 //     'I' + hex(varint(wireid)) + hex(varint(value))
 func EncodeLogTailMetricsDelta() string {
 	mu.Lock()

util/deephash/deephash.go

@@ -9,9 +9,9 @@
 // Hash(x) == Hash(y) is an appropriate replacement for x == y.
 //
 // The definition of equality is identical to reflect.DeepEqual except:
-//	* Floating-point values are compared based on the raw bits,
+//   - Floating-point values are compared based on the raw bits,
 //     which means that NaNs (with the same bit pattern) are treated as equal.
-//	* Types which implement interface { AppendTo([]byte) []byte } use
+//   - Types which implement interface { AppendTo([]byte) []byte } use
 //     the AppendTo method to produce a textual representation of the value.
 //     Thus, two values are equal if AppendTo produces the same bytes.
 //

util/multierr/multierr.go

@@ -34,8 +34,9 @@ func (e Error) Errors() []error {
 
 // New returns an error composed from errs.
 // Some errors in errs get special treatment:
-//   * nil errors are discarded
-//   * errors of type Error are expanded into the top level
+//   - nil errors are discarded
+//   - errors of type Error are expanded into the top level
+//
 // If the resulting slice has length 0, New returns nil.
 // If the resulting slice has length 1, New returns that error.
 // If the resulting slice has length > 1, New returns that slice as an Error.

util/singleflight/singleflight.go

@@ -12,9 +12,9 @@
 // This is a Tailscale fork of Go's singleflight package which has had several
 // homes in the past:
 //
-//    * https://github.com/golang/go/commit/61d3b2db6292581fc07a3767ec23ec94ad6100d1
-//    * https://github.com/golang/groupcache/tree/master/singleflight
-//    * https://pkg.go.dev/golang.org/x/sync/singleflight
+//   - https://github.com/golang/go/commit/61d3b2db6292581fc07a3767ec23ec94ad6100d1
+//   - https://github.com/golang/groupcache/tree/master/singleflight
+//   - https://pkg.go.dev/golang.org/x/sync/singleflight
 //
 // This fork adds generics.
 package singleflight // import "tailscale.com/util/singleflight"

wgengine/filter/tailcfg.go

@@ -102,10 +102,10 @@ var (
 
 // parseIPSet parses arg as one:
 //
-//     * an IP address (IPv4 or IPv6)
-//     * the string "*" to match everything (both IPv4 & IPv6)
-//     * a CIDR (e.g. "192.168.0.0/16")
-//     * a range of two IPs, inclusive, separated by hyphen ("2eff::1-2eff::0800")
+//   - an IP address (IPv4 or IPv6)
+//   - the string "*" to match everything (both IPv4 & IPv6)
+//   - a CIDR (e.g. "192.168.0.0/16")
+//   - a range of two IPs, inclusive, separated by hyphen ("2eff::1-2eff::0800")
 //
 // bits, if non-nil, is the legacy SrcBits CIDR length to make a IP
 // address (without a slash) treated as a CIDR of *bits length.

wgengine/magicsock/magicsock.go

@@ -1833,10 +1833,10 @@ func (c *Conn) sendDiscoMessage(dst netip.AddrPort, dstKey key.NodePublic, dstDi
 //
 // A discovery message has the form:
 //
-//  * magic             [6]byte
-//  * senderDiscoPubKey [32]byte
-//  * nonce             [24]byte
-//  * naclbox of payload (see tailscale.com/disco package for inner payload format)
+//   - magic             [6]byte
+//   - senderDiscoPubKey [32]byte
+//   - nonce             [24]byte
+//   - naclbox of payload (see tailscale.com/disco package for inner payload format)
 //
 // For messages received over DERP, the src.Addr() will be derpMagicIP (with
 // src.Port() being the region ID) and the derpNodeSrc will be the node key

wgengine/userspace.go

@@ -517,8 +517,8 @@ func (e *userspaceEngine) handleLocalPackets(p *packet.Parsed, t *tstun.Wrapper)
 
 // pollResolver reads packets from the DNS resolver and injects them inbound.
 //
-// TODO(tom): Remove this fallback path (via NextPacket()) once
-//            all platforms use netstack.
+// TODO(tom): Remove this fallback path (via NextPacket()) once all
+// platforms use netstack.
 func (e *userspaceEngine) pollResolver() {
 	for {
 		bs, err := e.dns.NextPacket()
@@ -1503,7 +1503,6 @@ func (e *userspaceEngine) WhoIsIPPort(ipport netip.AddrPort) (tsIP netip.Addr, o
 // If none is found in the wireguard config but one is found in
 // the netmap, it's described in an error.
 //
-//
 // peerForIP acquires both e.mu and e.wgLock, but neither at the same
 // time.
 func (e *userspaceEngine) PeerForIP(ip netip.Addr) (ret PeerForIP, ok bool) {