chore: Add unwrap and panic lints

Author: Techassi

Cargo.toml

@@ -84,6 +84,11 @@ url = { version = "2.5.2", features = ["serde"] }
 x509-cert = { version = "0.2.5", features = ["builder"] }
 zeroize = "1.8.1"
 
+[workspace.lints.clippy]
+unwrap_in_result = "deny"
+unwrap_used = "deny"
+panic = "deny"
+
 # Use O3 in tests to improve the RSA key generation speed in the stackable-certs crate
 [profile.test.package]
 stackable-certs.opt-level = 3

clippy.toml

@@ -0,0 +1,2 @@
+allow-unwrap-in-tests = true
+allow-panic-in-tests = true

crates/k8s-version/Cargo.toml

@@ -23,3 +23,6 @@ quote.workspace = true
 proc-macro2.workspace = true
 serde_yaml.workspace = true
 syn.workspace = true
+
+[lints]
+workspace = true

crates/k8s-version/src/level/mod.rs

@@ -47,6 +47,14 @@ pub enum Level {
 impl FromStr for Level {
     type Err = ParseLevelError;
 
+    // SAFETY: We purposefully allow the `clippy::unwrap_in_result` lint below in this function.
+    // We can use expect here, because the correct match labels must be used.
+    //
+    // FIXME (@Techassi): This attribute can be used on individual unwrap and expect calls since
+    // Rust 1.91.0. We should move this attribute to not contaminate an unnecessarily large scope
+    // once we bump the toolchain to 1.91.0.
+    // See https://github.com/rust-lang/rust-clippy/pull/15445
+    #[allow(clippy::unwrap_in_result)]
     fn from_str(input: &str) -> Result<Self, Self::Err> {
         let captures = LEVEL_REGEX.captures(input).context(InvalidFormatSnafu)?;
 

crates/k8s-version/src/version/mod.rs

@@ -53,6 +53,14 @@ pub struct Version {
 impl FromStr for Version {
     type Err = ParseVersionError;
 
+    // SAFETY: We purposefully allow the `clippy::unwrap_in_result` lint below in this function.
+    // We can use expect here, because the correct match label must be used.
+    //
+    // FIXME (@Techassi): This attribute can be used on individual unwrap and expect calls since
+    // Rust 1.91.0. We should move this attribute to not contaminate an unnecessarily large scope
+    // once we bump the toolchain to 1.91.0.
+    // See https://github.com/rust-lang/rust-clippy/pull/15445
+    #[allow(clippy::unwrap_in_result)]
     fn from_str(input: &str) -> Result<Self, Self::Err> {
         let captures = VERSION_REGEX.captures(input).context(InvalidFormatSnafu)?;
 
@@ -141,6 +149,7 @@ mod test {
     #[case("v1gamma12", ParseVersionError::ParseLevel { source: ParseLevelError::UnknownIdentifier })]
     #[case("v1betä1", ParseVersionError::InvalidFormat)]
     #[case("1beta1", ParseVersionError::InvalidFormat)]
+    #[case("v", ParseVersionError::InvalidFormat)]
     #[case("", ParseVersionError::InvalidFormat)]
     fn invalid_version(#[case] input: &str, #[case] error: ParseVersionError) {
         let err = Version::from_str(input).expect_err("invalid Kubernetes version");

crates/stackable-certs/Cargo.toml

@@ -29,3 +29,6 @@ tokio.workspace = true
 tracing.workspace = true
 x509-cert.workspace = true
 zeroize.workspace = true
+
+[lints]
+workspace = true

crates/stackable-certs/src/ca/mod.rs

@@ -110,7 +110,7 @@ impl PartialEq for Error {
                     x509_cert::builder::Error::Signature(_),
                     x509_cert::builder::Error::Signature(_),
                 ) => panic!(
-                    "it is impossible to compare the opaque Error contained witin signature::error::Error"
+                    "it is impossible to compare the opaque Error contained within signature::error::Error"
                 ),
                 _ => false,
             },
@@ -205,6 +205,16 @@ where
     /// validity, this function offers complete control over these parameters.
     /// If this level of control is not needed, use [`CertificateAuthority::new`]
     /// instead.
+    //
+    // SAFETY: We purposefully allow the `clippy::unwrap_in_result` lint below in this function.
+    // We can use expect here, because the subject name is defined as a constant which must be able
+    // to be parsed.
+    //
+    // FIXME (@Techassi): This attribute can be used on individual unwrap and expect calls since
+    // Rust 1.91.0. We should move this attribute to not contaminate an unnecessarily large scope
+    // once we bump the toolchain to 1.91.0.
+    // See https://github.com/rust-lang/rust-clippy/pull/15445
+    #[allow(clippy::unwrap_in_result)]
     #[instrument(name = "create_certificate_authority_with", skip(signing_key_pair))]
     pub fn new_with(signing_key_pair: S, serial_number: u64, validity: Duration) -> Result<Self> {
         let serial_number = SerialNumber::from(serial_number);
@@ -214,7 +224,7 @@ where
         // created by us should contain the same subject consisting a common set
         // of distinguished names (DNs).
         let subject = Name::from_str(SDP_ROOT_CA_SUBJECT)
-            .expect("the SDP_ROOT_CA_SUBJECT must be a valid subject");
+            .expect("the constant SDP_ROOT_CA_SUBJECT must be a valid subject");
 
         let spki_pem = signing_key_pair
             .verifying_key()
@@ -511,7 +521,7 @@ mod tests {
 
     #[tokio::test]
     async fn rsa_key_generation() {
-        let mut ca = CertificateAuthority::new_rsa().unwrap();
+        let mut ca = CertificateAuthority::new_rsa().expect("must be able to create RSA-based CA");
         let cert = ca
             .generate_rsa_leaf_certificate("Product", "pod", [TEST_SAN], TEST_CERT_LIFETIME)
             .expect(
@@ -523,7 +533,9 @@ mod tests {
 
     #[tokio::test]
     async fn ecdsa_key_generation() {
-        let mut ca = CertificateAuthority::new_ecdsa().unwrap();
+        let mut ca =
+            CertificateAuthority::new_ecdsa().expect("must be able to create ECDSA-based CA");
+
         let cert = ca
             .generate_ecdsa_leaf_certificate("Product", "pod", [TEST_SAN], TEST_CERT_LIFETIME)
             .expect(
@@ -535,11 +547,11 @@ mod tests {
 
     fn assert_cert_attributes(cert: &Certificate) {
         let cert = &cert.tbs_certificate;
+        let expected_subject = Name::from_str("CN=Product Certificate for pod")
+            .expect("constant subject must be valid");
+
         // Test subject
-        assert_eq!(
-            cert.subject,
-            Name::from_str("CN=Product Certificate for pod").unwrap()
-        );
+        assert_eq!(cert.subject, expected_subject);
 
         // Test SAN extension is present
         let extensions = cert.extensions.as_ref().expect("cert must have extensions");

crates/stackable-operator-derive/Cargo.toml

@@ -21,3 +21,6 @@ syn.workspace = true
 
 [dev-dependencies]
 stackable-operator = { path = "../stackable-operator" }
+
+[lints]
+workspace = true

crates/stackable-operator/Cargo.toml

@@ -57,3 +57,6 @@ url.workspace = true
 [dev-dependencies]
 rstest.workspace = true
 tempfile.workspace = true
+
+[lints]
+workspace = true

crates/stackable-operator/src/logging/k8s_events.rs

@@ -1,6 +1,6 @@
 //! Utilities for publishing Kubernetes events
 
-use std::error::Error;
+use std::{error::Error, fmt::Write};
 
 use kube::runtime::{
     controller,
@@ -12,25 +12,20 @@ use super::controller::ReconcilerError;
 /// Converts an [`Error`] into a publishable Kubernetes [`Event`]
 fn error_to_event<E: ReconcilerError>(err: &E) -> Event {
     // Walk the whole error chain, so that we get all the full reason for the error
-    let mut full_msg = {
-        use std::fmt::Write;
-        let mut buf = err.to_string();
-        let mut err: &dyn Error = err;
-        loop {
-            err = match err.source() {
-                Some(err) => {
-                    write!(buf, ": {err}").unwrap();
-                    err
-                }
-                None => break buf,
-            }
-        }
-    };
-    message::truncate_with_ellipsis(&mut full_msg, 1024);
+    let mut error = err.to_string();
+    let mut source = err.source();
+
+    while let Some(err) = source {
+        write!(error, ": {err}").expect("must be able to concat errors");
+        source = err.source();
+    }
+
+    message::truncate_with_ellipsis(&mut error, 1024);
+
     Event {
         type_: EventType::Warning,
         reason: err.category().to_string(),
-        note: Some(full_msg),
+        note: Some(error),
         action: "Reconcile".to_string(),
         secondary: err.secondary_object().map(|secondary| secondary.into()),
     }
@@ -70,8 +65,7 @@ mod message {
     pub fn truncate_with_ellipsis(msg: &mut String, max_len: usize) {
         const ELLIPSIS: char = '…';
         const ELLIPSIS_LEN: usize = ELLIPSIS.len_utf8();
-        let len = msg.len();
-        if len > max_len {
+        if msg.len() > max_len {
             let start_of_trunc_char = find_start_of_char(msg, max_len.saturating_sub(ELLIPSIS_LEN));
             msg.truncate(start_of_trunc_char);
             if ELLIPSIS_LEN <= max_len {