From bd17eb205d6ac464c64eb888a6f4b57445b6c59c Mon Sep 17 00:00:00 2001
From: Dave Henderson <dhenderson@gmail.com>
Date: Sun, 22 Nov 2020 16:50:29 -0500
Subject: ci: Use golangci's github action for linting (#3794)

* ci: Use golangci's github action for linting

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix most of the staticcheck lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the prealloc lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the misspell lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the varcheck lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the errcheck lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the bodyclose lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the deadcode lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the unused lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the gosec lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the gosimple lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the ineffassign lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Fix the staticcheck lint errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Revert the misspell change, use a neutral English

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Remove broken golangci-lint CI job

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Re-add errantly-removed weakrand initialization

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* don't break the loop and return

* Removing extra handling for null rootKey

* unignore RegisterModule/RegisterAdapter

Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>

* single-line log message

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

* Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Revert ticker change, ignore it instead

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Ignore some of the write errors

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Remove blank line

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Use lifetime

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* close immediately

Co-authored-by: Matt Holt <mholt@users.noreply.github.com>

* Preallocate configVals

Signed-off-by: Dave Henderson <dhenderson@gmail.com>

* Update modules/caddytls/distributedstek/distributedstek.go

Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com>
Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
---
 modules/caddytls/connpolicy.go                      |  1 +
 modules/caddytls/distributedstek/distributedstek.go |  7 ++++++-
 modules/caddytls/folderloader.go                    | 20 ++++++++++++++++----
 modules/caddytls/internalissuer.go                  | 16 ++++++++++++----
 modules/caddytls/tls.go                             |  2 --
 modules/caddytls/values.go                          |  1 +
 6 files changed, 36 insertions(+), 11 deletions(-)


diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go
index 7eda002..de929cc 100644
--- a/modules/caddytls/connpolicy.go
+++ b/modules/caddytls/connpolicy.go
@@ -80,6 +80,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
 	}
 
 	return &tls.Config{
+		MinVersion: tls.VersionTLS12,
 		GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
 			// filter policies by SNI first, if possible, to speed things up
 			// when there may be lots of policies
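Review bot: The `MinVersion: tls.VersionTLS12` added on the outer config only governs handshakes that fall through to it; when `GetConfigForClient` returns a non-nil per-policy `*tls.Config`, crypto/tls uses that config's own fields and does not inherit this floor, so the minimum must also be set on whatever config the callback builds (not visible in this hunk) for this to be enforcement rather than a gosec appeasement. A comment on the new line would stop the next reader from assuming it covers every connection: `// MinVersion applies only when GetConfigForClient returns nil; each per-policy config must set its own floor.` — adjust the wording to whatever the policy code actually does. TLSConfig's body continues outside the hunk.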
diff --git a/modules/caddytls/distributedstek/distributedstek.go b/modules/caddytls/distributedstek/distributedstek.go
index f29db29..e76fc47 100644
--- a/modules/caddytls/distributedstek/distributedstek.go
+++ b/modules/caddytls/distributedstek/distributedstek.go
@@ -145,7 +145,12 @@ func (s *Provider) storeSTEK(dstek distributedSTEK) error {
 // current STEK is outdated (NextRotation time is in the past),
 // then it is rotated and persisted. The resulting STEK is returned.
 func (s *Provider) getSTEK() (distributedSTEK, error) {
-	s.storage.Lock(s.ctx, stekLockName)
+	err := s.storage.Lock(s.ctx, stekLockName)
+	if err != nil {
+		return distributedSTEK{}, fmt.Errorf("failed to acquire storage lock: %v", err)
+	}
+
+	//nolint:errcheck
 	defer s.storage.Unlock(stekLockName)
 
 	// load the current STEKs from storage
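Review bot: The `//nolint:errcheck` on `defer s.storage.Unlock(stekLockName)` hides a failure that matters for a distributed lock: if Unlock fails, every other instance stays blocked on `stekLockName` until the storage lock expires, and nothing is recorded. Rather than silencing the linter, wrap the deferred call and surface the error, e.g. `defer func() { if err := s.storage.Unlock(stekLockName); err != nil { /* log via the provider's logger, if it has one */ } }()` — I can't see from this hunk whether `Provider` carries a logger. The new Lock error is wrapped with `%v`; `%w` would let callers use `errors.Is`/`errors.As` on the underlying storage error. getSTEK's body continues past this hunk.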
diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go
index f1a742d..10b017e 100644
--- a/modules/caddytls/folderloader.go
+++ b/modules/caddytls/folderloader.go
@@ -97,26 +97,38 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
 
 		if derBlock.Type == "CERTIFICATE" {
 			// Re-encode certificate as PEM, appending to certificate chain
-			pem.Encode(certBuilder, derBlock)
+			err = pem.Encode(certBuilder, derBlock)
+			if err != nil {
+				return tls.Certificate{}, err
+			}
 		} else if derBlock.Type == "EC PARAMETERS" {
 			// EC keys generated from openssl can be composed of two blocks:
 			// parameters and key (parameter block should come first)
 			if !foundKey {
 				// Encode parameters
-				pem.Encode(keyBuilder, derBlock)
+				err = pem.Encode(keyBuilder, derBlock)
+				if err != nil {
+					return tls.Certificate{}, err
+				}
 
 				// Key must immediately follow
 				derBlock, bundle = pem.Decode(bundle)
 				if derBlock == nil || derBlock.Type != "EC PRIVATE KEY" {
 					return tls.Certificate{}, fmt.Errorf("%s: expected elliptic private key to immediately follow EC parameters", fpath)
 				}
-				pem.Encode(keyBuilder, derBlock)
+				err = pem.Encode(keyBuilder, derBlock)
+				if err != nil {
+					return tls.Certificate{}, err
+				}
 				foundKey = true
 			}
 		} else if derBlock.Type == "PRIVATE KEY" || strings.HasSuffix(derBlock.Type, " PRIVATE KEY") {
 			// RSA key
 			if !foundKey {
-				pem.Encode(keyBuilder, derBlock)
+				err = pem.Encode(keyBuilder, derBlock)
+				if err != nil {
+					return tls.Certificate{}, err
+				}
 				foundKey = true
 			}
 		} else {
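Review bot: The four new `return tls.Certificate{}, err` sites return the raw `pem.Encode` error without the `fpath` prefix that the neighbouring EC-key error on the same path uses, so a failure while loading a folder of many bundles cannot be traced back to the file. Wrap them consistently, e.g. `return tls.Certificate{}, fmt.Errorf("%s: re-encoding %s block: %v", fpath, derBlock.Type, err)`. Since `certBuilder`/`keyBuilder` are presumably in-memory buffers, `pem.Encode` can only fail on a malformed block header, so this is about diagnostics rather than a new failure mode. x509CertFromCertAndKeyPEMFile begins and ends outside the hunk.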
diff --git a/modules/caddytls/internalissuer.go b/modules/caddytls/internalissuer.go
index 6f228ea..416369f 100644
--- a/modules/caddytls/internalissuer.go
+++ b/modules/caddytls/internalissuer.go
@@ -27,6 +27,7 @@ import (
 	"github.com/caddyserver/caddy/v2/modules/caddypki"
 	"github.com/caddyserver/certmagic"
 	"github.com/smallstep/certificates/authority/provisioner"
+	"go.uber.org/zap"
 )
 
 func init() {
@@ -51,7 +52,8 @@ type InternalIssuer struct {
 	// validate certificate chains.
 	SignWithRoot bool `json:"sign_with_root,omitempty"`
 
-	ca *caddypki.CA
+	ca     *caddypki.CA
+	logger *zap.Logger
 }
 
 // CaddyModule returns the Caddy module information.
@@ -64,6 +66,8 @@ func (InternalIssuer) CaddyModule() caddy.ModuleInfo {
 
 // Provision sets up the issuer.
 func (iss *InternalIssuer) Provision(ctx caddy.Context) error {
+	iss.logger = ctx.Logger(iss)
+
 	// get a reference to the configured CA
 	appModule, err := ctx.App("pki")
 	if err != nil {
@@ -115,11 +119,15 @@ func (iss InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateReques
 	// ensure issued certificate does not expire later than its issuer
 	lifetime := time.Duration(iss.Lifetime)
 	if time.Now().Add(lifetime).After(issuerCert.NotAfter) {
-		// TODO: log this
-		lifetime = issuerCert.NotAfter.Sub(time.Now())
+		lifetime = time.Until(issuerCert.NotAfter)
+		iss.logger.Warn("cert lifetime would exceed issuer NotAfter, clamping lifetime",
+			zap.Duration("orig_lifetime", time.Duration(iss.Lifetime)),
+			zap.Duration("lifetime", lifetime),
+			zap.Time("not_after", issuerCert.NotAfter),
+		)
 	}
 
-	certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(iss.Lifetime))
+	certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(caddy.Duration(lifetime)))
 	if err != nil {
 		return nil, err
 	}
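Review bot: The clamp `lifetime = time.Until(issuerCert.NotAfter)` yields a zero or negative duration when the issuer certificate has already expired, and that value is now fed straight into `customCertLifetime` at the `auth.Sign` call — the fix that finally makes the clamp take effect also means an expired issuer produces a nonsensical lifetime instead of a clear error. Add a guard after the clamp: `if lifetime <= 0 { return nil, fmt.Errorf("issuer certificate expired at %s", issuerCert.NotAfter) }` (this assumes `fmt` is imported in the file, which the hunk does not show). Issue's body starts and continues outside the hunk.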
diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go
index 146eed4..fd3473e 100644
--- a/modules/caddytls/tls.go
+++ b/modules/caddytls/tls.go
@@ -498,8 +498,6 @@ var (
 	storageCleanMu sync.Mutex
 )
 
-const automateKey = "automate"
-
 // Interface guards
 var (
 	_ caddy.App          = (*TLS)(nil)
diff --git a/modules/caddytls/values.go b/modules/caddytls/values.go
index f0944a3..dea0013 100644
--- a/modules/caddytls/values.go
+++ b/modules/caddytls/values.go
@@ -122,6 +122,7 @@ var SupportedProtocols = map[string]uint16{
 // unsupportedProtocols is a map of unsupported protocols.
 // Used for logging only, not enforcement.
 var unsupportedProtocols = map[string]uint16{
+	//nolint:staticcheck
 	"ssl3.0": tls.VersionSSL30,
 	"tls1.0": tls.VersionTLS10,
 	"tls1.1": tls.VersionTLS11,
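Review bot: The bare `//nolint:staticcheck` gives no reason, and the deprecation it silences is meaningful: `tls.VersionSSL30` is deprecated because crypto/tls no longer negotiates SSL 3.0, so this entry can only ever name a rejected value in a log line, as the map comment says. Put the rationale on the directive so a future lint cleanup does not drop the entry or the directive blindly: `//nolint:staticcheck // tls.VersionSSL30 is deprecated; kept only so a configured "ssl3.0" can be named in logs`. Whether a standalone nolint line is honoured for a single composite-literal element depends on the golangci-lint version in use; if the warning still fires, move it inline: `"ssl3.0": tls.VersionSSL30, //nolint:staticcheck`.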
-- 