From bd17eb205d6ac464c64eb888a6f4b57445b6c59c Mon Sep 17 00:00:00 2001 From: Dave Henderson Date: Sun, 22 Nov 2020 16:50:29 -0500 Subject: ci: Use golangci's github action for linting (#3794) * ci: Use golangci's github action for linting Signed-off-by: Dave Henderson * Fix most of the staticcheck lint errors Signed-off-by: Dave Henderson * Fix the prealloc lint errors Signed-off-by: Dave Henderson * Fix the misspell lint errors Signed-off-by: Dave Henderson * Fix the varcheck lint errors Signed-off-by: Dave Henderson * Fix the errcheck lint errors Signed-off-by: Dave Henderson * Fix the bodyclose lint errors Signed-off-by: Dave Henderson * Fix the deadcode lint errors Signed-off-by: Dave Henderson * Fix the unused lint errors Signed-off-by: Dave Henderson * Fix the gosec lint errors Signed-off-by: Dave Henderson * Fix the gosimple lint errors Signed-off-by: Dave Henderson * Fix the ineffassign lint errors Signed-off-by: Dave Henderson * Fix the staticcheck lint errors Signed-off-by: Dave Henderson * Revert the misspell change, use a neutral English Signed-off-by: Dave Henderson * Remove broken golangci-lint CI job Signed-off-by: Dave Henderson * Re-add errantly-removed weakrand initialization Signed-off-by: Dave Henderson * don't break the loop and return * Removing extra handling for null rootKey * unignore RegisterModule/RegisterAdapter Co-authored-by: Mohammed Al Sahaf * single-line log message Co-authored-by: Matt Holt * Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged Signed-off-by: Dave Henderson * Revert ticker change, ignore it instead Signed-off-by: Dave Henderson * Ignore some of the write errors Signed-off-by: Dave Henderson * Remove blank line Signed-off-by: Dave Henderson * Use lifetime Signed-off-by: Dave Henderson * close immediately Co-authored-by: Matt Holt * Preallocate configVals 
Signed-off-by: Dave Henderson * Update modules/caddytls/distributedstek/distributedstek.go Co-authored-by: Mohammed Al Sahaf Co-authored-by: Matt Holt --- modules/caddytls/connpolicy.go | 1 + modules/caddytls/distributedstek/distributedstek.go | 7 ++++++- modules/caddytls/folderloader.go | 20 ++++++++++++++++---- modules/caddytls/internalissuer.go | 16 ++++++++++++---- modules/caddytls/tls.go | 2 -- modules/caddytls/values.go | 1 + 6 files changed, 36 insertions(+), 11 deletions(-) (limited to 'modules/caddytls') diff --git a/modules/caddytls/connpolicy.go b/modules/caddytls/connpolicy.go index 7eda002..de929cc 100644 --- a/modules/caddytls/connpolicy.go +++ b/modules/caddytls/connpolicy.go @@ -80,6 +80,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config { } return &tls.Config{ + MinVersion: tls.VersionTLS12, GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) { // filter policies by SNI first, if possible, to speed things up // when there may be lots of policies diff --git a/modules/caddytls/distributedstek/distributedstek.go b/modules/caddytls/distributedstek/distributedstek.go index f29db29..e76fc47 100644 --- a/modules/caddytls/distributedstek/distributedstek.go +++ b/modules/caddytls/distributedstek/distributedstek.go @@ -145,7 +145,12 @@ func (s *Provider) storeSTEK(dstek distributedSTEK) error { // current STEK is outdated (NextRotation time is in the past), // then it is rotated and persisted. The resulting STEK is returned. func (s *Provider) getSTEK() (distributedSTEK, error) { - s.storage.Lock(s.ctx, stekLockName) + err := s.storage.Lock(s.ctx, stekLockName) + if err != nil { + return distributedSTEK{}, fmt.Errorf("failed to acquire storage lock: %v", err) + } + + //nolint:errcheck defer s.storage.Unlock(stekLockName) // load the current STEKs from storage diff --git a/modules/caddytls/folderloader.go b/modules/caddytls/folderloader.go index f1a742d..10b017e 100644 --- a/modules/caddytls/folderloader.go 
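Review bot: The added `MinVersion: tls.VersionTLS12` sits on the wrapper config whose `GetConfigForClient` callback hands back a per-policy config, and in crypto/tls a non-nil config returned by that callback is the one used for the handshake, so this floor governs only connections for which the callback returns nil. The hunk gives no hint of that, and a reader may take it as the effective site-wide minimum, while the real minimum presumably comes from each policy's own config. A one-line comment next to the field would prevent the misreading: `// only applies when GetConfigForClient returns nil; each policy's config sets its own minimum`. The callback's closure body continues outside the hunk.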
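Review bot: The new lock-failure return formats the storage error with `%v`, which flattens it to text and stops callers from inspecting it with errors.Is/As; use `%w` instead: `return distributedSTEK{}, fmt.Errorf("acquiring storage lock: %w", err)`. The `//nolint:errcheck` on the deferred Unlock also deserves a reason on the same line, since an Unlock that fails presumably leaves the lock behind in shared storage and stalls rotation on other instances until it is cleaned up; if the Provider has a logger, logging that failure instead of discarding it would make such stalls diagnosable. getSTEK's body continues outside the hunk.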
+++ b/modules/caddytls/folderloader.go @@ -97,26 +97,38 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) { if derBlock.Type == "CERTIFICATE" { // Re-encode certificate as PEM, appending to certificate chain - pem.Encode(certBuilder, derBlock) + err = pem.Encode(certBuilder, derBlock) + if err != nil { + return tls.Certificate{}, err + } } else if derBlock.Type == "EC PARAMETERS" { // EC keys generated from openssl can be composed of two blocks: // parameters and key (parameter block should come first) if !foundKey { // Encode parameters - pem.Encode(keyBuilder, derBlock) + err = pem.Encode(keyBuilder, derBlock) + if err != nil { + return tls.Certificate{}, err + } // Key must immediately follow derBlock, bundle = pem.Decode(bundle) if derBlock == nil || derBlock.Type != "EC PRIVATE KEY" { return tls.Certificate{}, fmt.Errorf("%s: expected elliptic private key to immediately follow EC parameters", fpath) } - pem.Encode(keyBuilder, derBlock) + err = pem.Encode(keyBuilder, derBlock) + if err != nil { + return tls.Certificate{}, err + } foundKey = true } } else if derBlock.Type == "PRIVATE KEY" || strings.HasSuffix(derBlock.Type, " PRIVATE KEY") { // RSA key if !foundKey { - pem.Encode(keyBuilder, derBlock) + err = pem.Encode(keyBuilder, derBlock) + if err != nil { + return tls.Certificate{}, err + } foundKey = true } } else { diff --git a/modules/caddytls/internalissuer.go b/modules/caddytls/internalissuer.go index 6f228ea..416369f 100644 --- a/modules/caddytls/internalissuer.go +++ b/modules/caddytls/internalissuer.go @@ -27,6 +27,7 @@ import ( "github.com/caddyserver/caddy/v2/modules/caddypki" "github.com/caddyserver/certmagic" "github.com/smallstep/certificates/authority/provisioner" + "go.uber.org/zap" ) func init() { 
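Review bot: The four new `pem.Encode` checks return the bare error, so a failure surfaces without the file path that the neighbouring `expected elliptic private key` message in this hunk already carries, and without saying which block was being re-encoded. Wrapping each one keeps the function's error messages consistent and preserves the cause: `return tls.Certificate{}, fmt.Errorf("%s: re-encoding %s block: %w", fpath, derBlock.Type, err)`. Since the same four-line pattern now appears four times in one loop, a small helper taking the builder and the block, or a single wrapped return point, would keep the loop readable. x509CertFromCertAndKeyPEMFile starts and ends outside the hunk.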
@@ -51,7 +52,8 @@ type InternalIssuer struct { // validate certificate chains. SignWithRoot bool `json:"sign_with_root,omitempty"` - ca *caddypki.CA + ca *caddypki.CA + logger *zap.Logger } // CaddyModule returns the Caddy module information. @@ -64,6 +66,8 @@ func (InternalIssuer) CaddyModule() caddy.ModuleInfo { // Provision sets up the issuer. func (iss *InternalIssuer) Provision(ctx caddy.Context) error { + iss.logger = ctx.Logger(iss) + // get a reference to the configured CA appModule, err := ctx.App("pki") if err != nil { @@ -115,11 +119,15 @@ func (iss InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateReques // ensure issued certificate does not expire later than its issuer lifetime := time.Duration(iss.Lifetime) if time.Now().Add(lifetime).After(issuerCert.NotAfter) { - // TODO: log this - lifetime = issuerCert.NotAfter.Sub(time.Now()) + lifetime = time.Until(issuerCert.NotAfter) + iss.logger.Warn("cert lifetime would exceed issuer NotAfter, clamping lifetime", + zap.Duration("orig_lifetime", time.Duration(iss.Lifetime)), + zap.Duration("lifetime", lifetime), + zap.Time("not_after", issuerCert.NotAfter), + ) } - certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(iss.Lifetime)) + certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(caddy.Duration(lifetime))) if err != nil { return nil, err } diff --git a/modules/caddytls/tls.go b/modules/caddytls/tls.go index 146eed4..fd3473e 100644 --- a/modules/caddytls/tls.go +++ b/modules/caddytls/tls.go @@ -498,8 +498,6 @@ var ( storageCleanMu sync.Mutex ) -const automateKey = "automate" - // Interface guards var ( _ caddy.App = (*TLS)(nil) diff --git a/modules/caddytls/values.go b/modules/caddytls/values.go index f0944a3..dea0013 100644 --- a/modules/caddytls/values.go +++ b/modules/caddytls/values.go 
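Review bot: `iss.logger.Warn` in the Issue hunk dereferences a logger that is only assigned in Provision (the earlier hunk of this file), and Issue has a value receiver, so an `InternalIssuer` that was never provisioned — a literal built in a test, for instance — carries a nil `*zap.Logger` and the Warn panics inside zap instead of logging. If Issue can be reached that way, a guard before the clamp keeps it safe: `if iss.logger == nil { iss.logger = zap.NewNop() }`. The struct hunk could equally document the lifecycle on the field: `logger *zap.Logger // set in Provision; nil until then`. Issue starts and ends outside the hunk.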
@@ -122,6 +122,7 @@ var SupportedProtocols = map[string]uint16{
 // unsupportedProtocols is a map of unsupported protocols.
 // Used for logging only, not enforcement.
 var unsupportedProtocols = map[string]uint16{
+ //nolint:staticcheck
 "ssl3.0": tls.VersionSSL30,
 "tls1.0": tls.VersionTLS10,
 "tls1.1": tls.VersionTLS11,
-- cgit v1.2.3
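Review bot: The `//nolint:staticcheck` added above the `"ssl3.0"` entry suppresses the deprecation report for `tls.VersionSSL30` without saying why the reference is kept, so the next lint cleanup is likely to delete the entry along with the directive. Put the reason on the directive itself, as golangci-lint allows: `//nolint:staticcheck // VersionSSL30 is deprecated; kept so the value can be recognized and logged, never enforced`. The comment above the map already states the logging-only purpose, so this only ties the two together.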