Address Sonar findings and move noise to direct dependency

client/vnc/server/input_darwin.go

@@ -465,23 +465,26 @@ func postFnFlagsChanged(src uintptr, fnOn bool) {
 	cfRelease(event)
 }
 
+// fnShiftedKeycodes are the Apple navigation/edit keys that hardware produces
+// with the Fn modifier held.
+var fnShiftedKeycodes = map[uint16]struct{}{
+	0x72: {}, // Help / Insert
+	0x73: {}, // Home
+	0x74: {}, // PageUp
+	0x75: {}, // ForwardDelete
+	0x77: {}, // End
+	0x79: {}, // PageDown
+	0x7B: {}, // Left
+	0x7C: {}, // Right
+	0x7D: {}, // Down
+	0x7E: {}, // Up
+}
+
 // isFnShiftedKeycode reports whether keycode is one of the Apple
 // navigation/edit keys that hardware produces with the Fn modifier held.
 func isFnShiftedKeycode(keycode uint16) bool {
-	switch keycode {
-	case 0x72, // Help / Insert
-		0x73, // Home
-		0x74, // PageUp
-		0x75, // ForwardDelete
-		0x77, // End
-		0x79, // PageDown
-		0x7B, // Left
-		0x7C, // Right
-		0x7D, // Down
-		0x7E: // Up
-		return true
-	}
-	return false
+	_, ok := fnShiftedKeycodes[keycode]
+	return ok
 }
 
 // InjectPointer simulates mouse movement and button events.

client/vnc/server/server.go

@@ -1038,7 +1038,7 @@ func (s *Server) acquireAttachSession() (ScreenCapturer, func()) {
 		cc.ClientConnect()
 		return s.capturer, cc.ClientDisconnect
 	}
-	return s.capturer, func() {}
+	return s.capturer, func() { /* capturer has no per-client disconnect hook */ }
 }
 
 // modeString returns a human-readable session mode name.

go.mod

@@ -51,6 +51,7 @@ require (
 	github.com/eko/gocache/lib/v4 v4.2.0
 	github.com/eko/gocache/store/go_cache/v4 v4.2.2
 	github.com/eko/gocache/store/redis/v4 v4.2.2
+	github.com/flynn/noise v1.1.0
 	github.com/fsnotify/fsnotify v1.9.0
 	github.com/gliderlabs/ssh v0.3.8
 	github.com/go-jose/go-jose/v4 v4.1.4
@@ -185,7 +186,6 @@ require (
 	github.com/docker/go-connections v0.6.0 // indirect
 	github.com/docker/go-units v0.5.0 // indirect
 	github.com/felixge/httpsnoop v1.0.4 // indirect
-	github.com/flynn/noise v1.1.0 // indirect
 	github.com/fredbi/uri v1.1.1 // indirect
 	github.com/fxamacker/cbor/v2 v2.9.1 // indirect
 	github.com/fyne-io/gl-js v0.2.0 // indirect

management/server/types/policy_authorized_users.go

@@ -64,17 +64,7 @@ func applyResolvedRuleToState(
 		state.sshEnabled = true
 		cb.collectSSHUsers(rule, state.authorizedUsers)
 	case rule.Protocol == PolicyRuleProtocolNetbirdVNC:
-		// VNC bidirectional rules grant access in both directions.
-		if !peerInDestinations && !(rule.Bidirectional && peerInSources) {
-			return
-		}
-		cb.collectVNCUsers(rule, state.vncAuthorizedUsers)
-		if rule.SessionPubKey != "" && rule.AuthorizedUser != "" {
-			state.vncSessionPubKeys = append(state.vncSessionPubKeys, VNCSessionPubKey{
-				PubKey: rule.SessionPubKey,
-				UserID: rule.AuthorizedUser,
-			})
-		}
+		cb.handleVNCRule(rule, peerInSources, peerInDestinations, state)
 	case policyRuleImpliesLegacySSH(rule) && targetPeerSSHEnabled:
 		if !peerInDestinations {
 			return
@@ -84,6 +74,21 @@ func applyResolvedRuleToState(
 	}
 }
 
+// handleVNCRule collects VNC authorized users and session pubkeys for a VNC
+// policy rule. Bidirectional rules grant access in both directions.
+func (cb ruleAuthCallbacks) handleVNCRule(rule *PolicyRule, peerInSources, peerInDestinations bool, state *peerConnResolveState) {
+	if !peerInDestinations && !(rule.Bidirectional && peerInSources) {
+		return
+	}
+	cb.collectVNCUsers(rule, state.vncAuthorizedUsers)
+	if rule.SessionPubKey != "" && rule.AuthorizedUser != "" {
+		state.vncSessionPubKeys = append(state.vncSessionPubKeys, VNCSessionPubKey{
+			PubKey: rule.SessionPubKey,
+			UserID: rule.AuthorizedUser,
+		})
+	}
+}
+
 func mergeWildcardUsers(dst map[string]map[string]struct{}, users map[string]struct{}) {
 	if dst[auth.Wildcard] == nil {
 		dst[auth.Wildcard] = make(map[string]struct{})