Fix incorrect usages of "it's"

build.assets/tooling/lib/logging/hashicorpLoggerAdapter.go

@@ -133,7 +133,7 @@ func (h *HCLogLogrusAdapter) Name() string {
 
 // Create a logger that will prepend the name string on the front of all messages.
 // If the logger already has a name, the new value will be appended to the current
-// name. That way, a major subsystem can use this to decorate all it's own logs
+// name. That way, a major subsystem can use this to decorate all its own logs
 // without losing context.
 func (h *HCLogLogrusAdapter) Named(name string) hclog.Logger {
 	if h.name != "" {

integration/kube_integration_test.go

@@ -656,7 +656,7 @@ func testKubeTrustedClustersClientCert(t *testing.T, suite *KubeSuite) {
 	auxRole, err := types.NewRole("aux-kube", types.RoleSpecV6{
 		Allow: types.RoleConditions{
 			Logins: []string{username},
-			// Note that main cluster can pass it's kubernetes groups
+			// Note that main cluster can pass its kubernetes groups
 			// to the remote cluster, and remote cluster
 			// can choose to use them by using special variable
 			KubeGroups: auxKubeGroups,
@@ -935,7 +935,7 @@ func testKubeTrustedClustersSNI(t *testing.T, suite *KubeSuite) {
 			KubernetesLabels: types.Labels{
 				types.Wildcard: []string{types.Wildcard},
 			},
-			// Note that main cluster can pass it's kubernetes groups
+			// Note that main cluster can pass its kubernetes groups
 			// to the remote cluster, and remote cluster
 			// can choose to use them by using special variable
 			KubeGroups: auxKubeGroups,

integration/proxy/proxy_tunnel_strategy_test.go

@@ -325,7 +325,7 @@ func (p *proxyTunnelStrategy) makeAuth(t *testing.T) {
 }
 
 // makeProxy bootstraps a new teleport proxy instance.
-// It's public address points to a load balancer.
+// Its public address points to a load balancer.
 func (p *proxyTunnelStrategy) makeProxy(t *testing.T) {
 	proxy := helpers.NewInstance(t, helpers.InstanceConfig{
 		ClusterName: p.cluster,

integrations/event-handler/README.md

@@ -9,7 +9,7 @@ See the [Export Events with FluentD Guide](https://goteleport.com/docs/managemen
 ## How it works
 
 * `teleport-event-handler` takes the Audit Log event stream from Teleport. It loads events in batches of 20 by default. Every event gets sent to fluentd.
-* Once event is successfully received by fluentd, it's ID is saved to the `teleport-event-handler` state. In case `teleport-event-handler` crashes, it will pick the stream up from a latest successful event.
+* Once event is successfully received by fluentd, its ID is saved to the `teleport-event-handler` state. In case `teleport-event-handler` crashes, it will pick the stream up from a latest successful event.
 * Once all events are sent, `teleport-event-handler` starts polling for new evetns. It happens every 5 seconds by default.
 * If storage directory gets lost, you may specify latest event id value. `teleport-event-handler` will pick streaming up from the next event after it.
 

integrations/event-handler/legacy_events_watcher.go

@@ -162,7 +162,7 @@ func (t *LegacyEventsWatcher) fetch(ctx context.Context) error {
 
 	pos := 0
 
-	// If last known id is not empty, let's try to find it's pos
+	// If last known id is not empty, let's try to find its pos
 	if t.id != "" {
 		for i, e := range t.batch {
 			if e.ID == t.id {

integrations/lib/http.go

@@ -44,7 +44,7 @@ type TLSConfig struct {
 }
 
 // HTTPConfig stores configuration of an HTTP service
-// including it's public address, listen host and port,
+// including its public address, listen host and port,
 // TLS certificate and key path, and extra TLS configuration
 // options, represented as TLSConfig.
 type HTTPConfig struct {

integrations/operator/crdgen/schemagen.go

@@ -322,7 +322,7 @@ func handleEmptyJSONTag(schema *Schema, message *Message, field *Field) bool {
 		return false
 	}
 
-	// Handle MaxAge as a special case. It's type is a message that is embedded.
+	// Handle MaxAge as a special case. Its type is a message that is embedded.
 	// Because the message is embedded, MaxAge itself explicitly sets its json
 	// name to an empty string, but the embedded message type has a single field
 	// with a json name, so use that instead.

lib/auth/auth_with_roles.go

@@ -520,7 +520,7 @@ func (a *ServerWithRoles) UpdateSessionTracker(ctx context.Context, req *proto.U
 // AuthenticateWebUser authenticates web user, creates and returns a web session
 // in case authentication is successful
 func (a *ServerWithRoles) AuthenticateWebUser(ctx context.Context, req authclient.AuthenticateUserRequest) (types.WebSession, error) {
-	// authentication request has it's own authentication, however this limits the requests
+	// authentication request has its own authentication, however this limits the requests
 	// types to proxies to make it harder to break
 	if !a.hasBuiltinRole(types.RoleProxy) {
 		return nil, trace.AccessDenied("this request can be only executed by a proxy")
@@ -531,7 +531,7 @@ func (a *ServerWithRoles) AuthenticateWebUser(ctx context.Context, req authclien
 // AuthenticateSSHUser authenticates SSH console user, creates and  returns a pair of signed TLS and SSH
 // short lived certificates as a result
 func (a *ServerWithRoles) AuthenticateSSHUser(ctx context.Context, req authclient.AuthenticateSSHRequest) (*authclient.SSHLoginResponse, error) {
-	// authentication request has it's own authentication, however this limits the requests
+	// authentication request has its own authentication, however this limits the requests
 	// types to proxies to make it harder to break
 	if !a.hasBuiltinRole(types.RoleProxy) {
 		return nil, trace.AccessDenied("this request can be only executed by a proxy")
@@ -3345,7 +3345,7 @@ func (a *ServerWithRoles) GetResetPasswordToken(ctx context.Context, tokenID str
 
 // ChangeUserAuthentication is implemented by AuthService.ChangeUserAuthentication.
 func (a *ServerWithRoles) ChangeUserAuthentication(ctx context.Context, req *proto.ChangeUserAuthenticationRequest) (*proto.ChangeUserAuthenticationResponse, error) {
-	// Token is it's own authentication, no need to double check.
+	// Token is its own authentication, no need to double check.
 	resp, err := a.authServer.ChangeUserAuthentication(ctx, req)
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -3586,7 +3586,7 @@ func (a *ServerWithRoles) GetOIDCAuthRequest(ctx context.Context, id string) (*t
 }
 
 func (a *ServerWithRoles) ValidateOIDCAuthCallback(ctx context.Context, q url.Values) (*authclient.OIDCAuthResponse, error) {
-	// auth callback is it's own authz, no need to check extra permissions
+	// auth callback is its own authz, no need to check extra permissions
 	resp, err := a.authServer.ValidateOIDCAuthCallback(ctx, q)
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -3741,7 +3741,7 @@ func (a *ServerWithRoles) ValidateSAMLResponse(ctx context.Context, samlResponse
 		clientIP = "" // We only trust IP information coming from the Proxy.
 	}
 
-	// auth callback is it's own authz, no need to check extra permissions
+	// auth callback is its own authz, no need to check extra permissions
 	resp, err := a.authServer.ValidateSAMLResponse(ctx, samlResponse, connectorID, clientIP)
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -3958,7 +3958,7 @@ func (a *ServerWithRoles) GetGithubAuthRequest(ctx context.Context, stateToken s
 }
 
 func (a *ServerWithRoles) ValidateGithubAuthCallback(ctx context.Context, q url.Values) (*authclient.GithubAuthResponse, error) {
-	// auth callback is it's own authz, no need to check extra permissions
+	// auth callback is its own authz, no need to check extra permissions
 	resp, err := a.authServer.ValidateGithubAuthCallback(ctx, q)
 	if err != nil {
 		return nil, trace.Wrap(err)
@@ -4924,7 +4924,7 @@ func (a *ServerWithRoles) ValidateTrustedCluster(ctx context.Context, validateRe
 		return nil, trace.NotImplemented("leaf clusters cannot be added to cloud tenants")
 	}
 
-	// the token provides it's own authorization and authentication
+	// the token provides its own authorization and authentication
 	return a.authServer.validateTrustedCluster(ctx, validateRequest)
 }
 

lib/auth/session_access.go

@@ -209,7 +209,7 @@ func (e *SessionAccessEvaluator) CanJoin(user SessionAccessContext) []types.Sess
 
 	var modes []types.SessionParticipantMode
 
-	// Loop over every allow policy attached the participant and check it's applicability.
+	// Loop over every allow policy attached the participant and check its applicability.
 	// This code serves to merge the permissions of all applicable join policies.
 	for _, allowPolicy := range getAllowPolicies(user) {
 		// If the policy is applicable and allows joining the session, add the allowed modes to the list of modes.

lib/auth/sessions.go

@@ -477,7 +477,7 @@ func (a *Server) CreateAppSession(ctx context.Context, req *proto.CreateAppSessi
 			Roles:          roles,
 			Traits:         traits,
 			AccessRequests: identity.ActiveRequests,
-			// If the user's current identity is attested as a "web_session", it's secrets are only
+			// If the user's current identity is attested as a "web_session", its secrets are only
 			// available to the Proxy and Auth roles, meaning this request is coming from the Proxy
 			// service on behalf of the user's Web Session. We can safely attest this child app session
 			// as a "web_session" as a result.

lib/config/configuration.go

@@ -2360,7 +2360,7 @@ func Configure(clf *CommandLineFlags, cfg *servicecfg.Config, legacyAppFlags boo
 	// pass the value of --insecure flag to the runtime
 	lib.SetInsecureDevMode(clf.InsecureMode)
 
-	// load /etc/teleport.yaml and apply it's values:
+	// load /etc/teleport.yaml and apply its values:
 	fileConf, err := ReadConfigFile(clf.ConfigFile)
 	if err != nil {
 		return trace.Wrap(err)

lib/defaults/defaults.go

@@ -724,7 +724,7 @@ const (
 )
 
 // The following are cryptographic primitives Teleport does not support in
-// it's default configuration.
+// its default configuration.
 const (
 	DiffieHellmanGroup14SHA1 = "diffie-hellman-group14-sha1"
 	DiffieHellmanGroup1SHA1  = "diffie-hellman-group1-sha1"

lib/events/dynamoevents/dynamoevents.go

@@ -906,7 +906,7 @@ func getCheckpointFromStartKey(startKey string) (checkpointKey, error) {
 	if startKey == "" {
 		return checkpoint, nil
 	}
-	// If a checkpoint key is provided, unmarshal it so we can work with it's parts.
+	// If a checkpoint key is provided, unmarshal it so we can work with its parts.
 	if err := json.Unmarshal([]byte(startKey), &checkpoint); err != nil {
 		return checkpointKey{}, trace.Wrap(err)
 	}

lib/events/s3sessions/s3handler.go

@@ -335,7 +335,7 @@ func (h *Handler) getOldestVersion(ctx context.Context, bucket string, prefix st
 	return versions[0].ID, nil
 }
 
-// delete bucket deletes bucket and all it's contents and is used in tests
+// deleteBucket deletes the bucket and all its contents and is used in tests
 func (h *Handler) deleteBucket(ctx context.Context) error {
 	// first, list and delete all the objects in the bucket
 	paginator := s3.NewListObjectVersionsPaginator(h.client, &s3.ListObjectVersionsInput{

lib/kube/proxy/streamproto/proto.go

@@ -43,7 +43,7 @@ type metaMessage struct {
 	ServerHandshake *ServerHandshake            `json:"server_handshake,omitempty"`
 }
 
-// ClientHandshake is the first message sent by a client to inform a server of it's intentions.
+// ClientHandshake is the first message sent by a client to inform a server of its intentions.
 type ClientHandshake struct {
 	Mode types.SessionParticipantMode `json:"mode"`
 }

lib/pam/pam_test.go

@@ -57,7 +57,7 @@ func TestMain(m *testing.M) {
 // The PAM module used, pam_teleport.so is called from the policy file
 // teleport-acct-echo. The policy file instructs pam_teleport.so to echo the
 // contents of TELEPORT_* to stdout where this test can read, parse, and
-// validate it's output.
+// validate its output.
 func TestEcho(t *testing.T) {
 	t.Parallel()
 	checkTestModule(t, "teleport-acct-echo")

lib/proxy/peer/credentials.go

@@ -51,7 +51,7 @@ func newClientCredentials(peerID, peerAddr string, log *slog.Logger, creds crede
 }
 
 // ClientHandshake performs the TLS handshake and then verifies that the
-// server is a Proxy and that it's UUID matches the expected id of the peer.
+// server is a Proxy and that its UUID matches the expected id of the peer.
 func (c *clientCredentials) ClientHandshake(ctx context.Context, laddr string, conn net.Conn) (_ net.Conn, _ credentials.AuthInfo, err error) {
 	conn, authInfo, err := c.TransportCredentials.ClientHandshake(ctx, laddr, conn)
 	if err != nil {

lib/service/service_test.go

@@ -383,7 +383,7 @@ func TestServiceCheckPrincipals(t *testing.T) {
 			inDNS:         []string{},
 			outRegenerate: false,
 		},
-		// Don't regenerate certificate if the node does not know it's own address.
+		// Don't regenerate certificate if the node does not know its own address.
 		{
 			inPrincipals:  []string{"0.0.0.0"},
 			inDNS:         []string{},

lib/services/local/presence.go

@@ -498,7 +498,7 @@ func (s *PresenceService) GetReverseTunnels(ctx context.Context) ([]types.Revers
 	return tunnels, nil
 }
 
-// DeleteReverseTunnel deletes reverse tunnel by it's cluster name
+// DeleteReverseTunnel deletes reverse tunnel by its cluster name
 func (s *PresenceService) DeleteReverseTunnel(ctx context.Context, clusterName string) error {
 	err := s.Delete(ctx, backend.NewKey(reverseTunnelsPrefix, clusterName))
 	return trace.Wrap(err)

lib/services/local/users.go

@@ -661,7 +661,7 @@ func (s *IdentityService) upsertLocalAuthSecrets(ctx context.Context, user strin
 	return nil
 }
 
-// GetUserByOIDCIdentity returns a user by it's specified OIDC Identity, returns first
+// GetUserByOIDCIdentity returns a user by its specified OIDC Identity, returns first
 // user specified with this identity
 func (s *IdentityService) GetUserByOIDCIdentity(id types.ExternalIdentity) (types.User, error) {
 	users, err := s.GetUsers(context.TODO(), false)
@@ -678,7 +678,7 @@ func (s *IdentityService) GetUserByOIDCIdentity(id types.ExternalIdentity) (type
 	return nil, trace.NotFound("user with identity %q not found", &id)
 }
 
-// GetUserBySAMLIdentity returns a user by it's specified OIDC Identity, returns
+// GetUserBySAMLIdentity returns a user by its specified OIDC Identity, returns
 // first user specified with this identity.
 func (s *IdentityService) GetUserBySAMLIdentity(id types.ExternalIdentity) (types.User, error) {
 	users, err := s.GetUsers(context.TODO(), false)

lib/services/presence.go

@@ -117,7 +117,7 @@ type Presence interface {
 	// Deprecated: use ListReverseTunnels
 	GetReverseTunnels(ctx context.Context) ([]types.ReverseTunnel, error)
 
-	// DeleteReverseTunnel deletes reverse tunnel by it's domain name
+	// DeleteReverseTunnel deletes reverse tunnel by its domain name
 	DeleteReverseTunnel(ctx context.Context, domainName string) error
 
 	// DeleteAllReverseTunnels deletes all reverse tunnels

lib/session/session.go

@@ -149,7 +149,7 @@ func (s *Session) Participants() []string {
 	return participants
 }
 
-// RemoveParty helper allows to remove a party by it's ID from the
+// RemoveParty helper allows to remove a party by its ID from the
 // session's list. Returns 'false' if pid couldn't be found
 func (s *Session) RemoveParty(pid ID) bool {
 	for i := range s.Parties {

lib/srv/desktop/rdp/rdpclient/src/rdpdr/filesystem.rs

@@ -1695,7 +1695,7 @@ impl FileCacheObject {
 /// FileCacheObject is used as an iterator for the implementation of
 /// IRP_MJ_DIRECTORY_CONTROL, which requires that we iterate through
 /// all the files of a directory one by one. In this case, the directory
-/// is the FileCacheObject itself, with it's own fso field representing
+/// is the FileCacheObject itself, with its own fso field representing
 /// the directory, and its contents being represented by tdp::FileSystemObject's
 /// in its contents field.
 ///

lib/srv/exec_linux_test.go

@@ -129,7 +129,7 @@ func TestOSCommandPrep(t *testing.T) {
 	require.Equal(t, syscall.SIGKILL, cmd.SysProcAttr.Pdeathsig)
 
 	// Missing home directory - HOME should still be set to the given
-	// home dir, but the command should set it's CWD to root instead.
+	// home dir, but the command should set its CWD to root instead.
 	changeHomeDir(t, username, "/wrong/place")
 	usr.HomeDir = "/wrong/place"
 	root := string(os.PathSeparator)

lib/tbot/identity/artifact.go

@@ -44,7 +44,7 @@ type Artifact struct {
 }
 
 // Matches returns true if this artifact's Kind matches any one of the given
-// kinds or if it's kind is KindAlways
+// kinds or if its kind is KindAlways
 func (a *Artifact) Matches(kinds ...ArtifactKind) bool {
 	if a.Kind == KindAlways {
 		return true

lib/tbot/service_spiffe_workload_api_sds.go

@@ -391,7 +391,7 @@ func (s *spiffeSDSHandler) generateResponse(
 		// Now we need to filter the SVIDs down to those requested by the
 		// client.
 		// There's a special case here, if they've requested the default SVID,
-		// we want to ensure that the first SVID is returned and it's name
+		// we want to ensure that the first SVID is returned and its name
 		// overrridden.
 
 		switch {

lib/utils/broadcaster.go

@@ -31,13 +31,13 @@ func NewCloseBroadcaster() *CloseBroadcaster {
 
 // CloseBroadcaster is a helper struct
 // that implements io.Closer and uses channel
-// to broadcast it's closed state once called
+// to broadcast its closed state once called
 type CloseBroadcaster struct {
 	sync.Once
 	C chan struct{}
 }
 
-// Close closes channel (once) to start broadcasting it's closed state
+// Close closes channel (once) to start broadcasting its closed state
 func (b *CloseBroadcaster) Close() error {
 	b.Do(func() {
 		close(b.C)