From 99ce13a4eaf27f2bfc3fc084be1cac863181f376 Mon Sep 17 00:00:00 2001 From: max furman Date: Mon, 20 May 2024 11:06:53 -0700 Subject: [PATCH] Fix linter warnings --- authority/linkedca.go | 17 +++++----------- authority/provisioner/claims.go | 24 +++++++++++------------ authority/provisioner/sign_options.go | 4 ++-- authority/provisioner/sign_ssh_options.go | 18 ++++++++--------- authority/provisioners.go | 24 +++++++++++------------ cas/cloudcas/cloudcas_test.go | 3 ++- 6 files changed, 42 insertions(+), 48 deletions(-) diff --git a/authority/linkedca.go b/authority/linkedca.go index 3eaa76c9..aa8de3a8 100644 --- a/authority/linkedca.go +++ b/authority/linkedca.go @@ -110,7 +110,7 @@ func newLinkedCAClient(token string) (*linkedCaClient, error) { tlsConfig.GetClientCertificate = renewer.GetClientCertificate // Start mTLS client - conn, err := grpc.Dial(u.Host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))) + conn, err := grpc.NewClient(u.Host, grpc.WithTransportCredentials(credentials.NewTLS(tlsConfig))) if err != nil { return nil, errors.Wrapf(err, "error connecting %s", u.Host) } @@ -478,10 +478,7 @@ func getAuthority(sans []string) (string, error) { // getRootCertificate creates an insecure majordomo client and returns the // verified root certificate. func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error) { - ctx, cancel := context.WithCancel(context.Background()) - defer cancel() - - conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ + conn, err := grpc.NewClient(endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ //nolint:gosec // used in bootstrap protocol InsecureSkipVerify: true, // lgtm[go/disabled-certificate-check] }))) @@ -489,7 +486,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error) return nil, errors.Wrapf(err, "error connecting %s", endpoint) } - ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second) + ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second) defer cancel() client := linkedca.NewMajordomoClient(conn) @@ -531,11 +528,7 @@ func getRootCertificate(endpoint, fingerprint string) (*x509.Certificate, error) // login creates a new majordomo client with just the root ca pool and returns // the signed certificate and tls configuration. func login(authority, token string, csr *x509.CertificateRequest, signer crypto.PrivateKey, endpoint string, rootCAs *x509.CertPool) (*tls.Certificate, *tls.Config, error) { - // Connect to majordomo - ctx, cancel := context.WithCancel(context.Background()) - defer cancel() - - conn, err := grpc.DialContext(ctx, endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ + conn, err := grpc.NewClient(endpoint, grpc.WithTransportCredentials(credentials.NewTLS(&tls.Config{ MinVersion: tls.VersionTLS12, RootCAs: rootCAs, }))) @@ -544,7 +537,7 @@ func login(authority, token string, csr *x509.CertificateRequest, signer crypto. } // Login to get the signed certificate - ctx, cancel = context.WithTimeout(context.Background(), 15*time.Second) + ctx, cancel := context.WithTimeout(context.Background(), 15*time.Second) defer cancel() client := linkedca.NewMajordomoClient(conn) diff --git a/authority/provisioner/claims.go b/authority/provisioner/claims.go index dcf679b3..993bf498 100644 --- a/authority/provisioner/claims.go +++ b/authority/provisioner/claims.go @@ -234,24 +234,24 @@ func (c *Claimer) IsSSHCAEnabled() bool { // Validate validates and modifies the Claims with default values. func (c *Claimer) Validate() error { var ( - min = c.MinTLSCertDuration() - max = c.MaxTLSCertDuration() - def = c.DefaultTLSCertDuration() + minDur = c.MinTLSCertDuration() + maxDur = c.MaxTLSCertDuration() + defDur = c.DefaultTLSCertDuration() ) switch { - case min <= 0: + case minDur <= 0: return errors.Errorf("claims: MinTLSCertDuration must be greater than 0") - case max <= 0: + case maxDur <= 0: return errors.Errorf("claims: MaxTLSCertDuration must be greater than 0") - case def <= 0: + case defDur <= 0: return errors.Errorf("claims: DefaultTLSCertDuration must be greater than 0") - case max < min: + case maxDur < minDur: return errors.Errorf("claims: MaxCertDuration cannot be less "+ - "than MinCertDuration: MaxCertDuration - %v, MinCertDuration - %v", max, min) - case def < min: - return errors.Errorf("claims: DefaultCertDuration cannot be less than MinCertDuration: DefaultCertDuration - %v, MinCertDuration - %v", def, min) - case max < def: - return errors.Errorf("claims: MaxCertDuration cannot be less than DefaultCertDuration: MaxCertDuration - %v, DefaultCertDuration - %v", max, def) + "than MinCertDuration: MaxCertDuration - %v, MinCertDuration - %v", maxDur, minDur) + case defDur < minDur: + return errors.Errorf("claims: DefaultCertDuration cannot be less than MinCertDuration: DefaultCertDuration - %v, MinCertDuration - %v", defDur, minDur) + case maxDur < defDur: + return errors.Errorf("claims: MaxCertDuration cannot be less than DefaultCertDuration: MaxCertDuration - %v, DefaultCertDuration - %v", maxDur, defDur) default: return nil } diff --git a/authority/provisioner/sign_options.go b/authority/provisioner/sign_options.go index fec9b9f6..cde2078d 100644 --- a/authority/provisioner/sign_options.go +++ b/authority/provisioner/sign_options.go @@ -369,8 +369,8 @@ type validityValidator struct { } // newValidityValidator return a new validity validator. -func newValidityValidator(min, max time.Duration) *validityValidator { - return &validityValidator{min: min, max: max} +func newValidityValidator(minDur, maxDur time.Duration) *validityValidator { + return &validityValidator{min: minDur, max: maxDur} } // Valid validates the certificate validity settings (notBefore/notAfter) and diff --git a/authority/provisioner/sign_ssh_options.go b/authority/provisioner/sign_ssh_options.go index ee74ded3..404b16ae 100644 --- a/authority/provisioner/sign_ssh_options.go +++ b/authority/provisioner/sign_ssh_options.go @@ -276,14 +276,14 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti return errs.BadRequest("ssh certificate validBefore cannot be before validAfter") } - var min, max time.Duration + var minDur, maxDur time.Duration switch cert.CertType { case ssh.UserCert: - min = v.MinUserSSHCertDuration() - max = v.MaxUserSSHCertDuration() + minDur = v.MinUserSSHCertDuration() + maxDur = v.MaxUserSSHCertDuration() case ssh.HostCert: - min = v.MinHostSSHCertDuration() - max = v.MaxHostSSHCertDuration() + minDur = v.MinHostSSHCertDuration() + maxDur = v.MaxHostSSHCertDuration() case 0: return errs.BadRequest("ssh certificate type has not been set") default: @@ -295,10 +295,10 @@ func (v *sshCertValidityValidator) Valid(cert *ssh.Certificate, opts SignSSHOpti dur := time.Duration(cert.ValidBefore-cert.ValidAfter) * time.Second switch { - case dur < min: - return errs.Forbidden("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, min) - case dur > max+opts.Backdate: - return errs.Forbidden("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, max+opts.Backdate) + case dur < minDur: + return errs.Forbidden("requested duration of %s is less than minimum accepted duration for selected provisioner of %s", dur, minDur) + case dur > maxDur+opts.Backdate: + return errs.Forbidden("requested duration of %s is greater than maximum accepted duration for selected provisioner of %s", dur, maxDur+opts.Backdate) default: return nil } diff --git a/authority/provisioners.go b/authority/provisioners.go index 1502ea2b..bfb96989 100644 --- a/authority/provisioners.go +++ b/authority/provisioners.go @@ -426,25 +426,25 @@ func ValidateClaims(c *linkedca.Claims) error { // ValidateDurations validates the Durations type. func ValidateDurations(d *linkedca.Durations) error { var ( - err error - min, max, def *provisioner.Duration + err error + minDur, maxDur, def *provisioner.Duration ) if d.Min != "" { - min, err = provisioner.NewDuration(d.Min) + minDur, err = provisioner.NewDuration(d.Min) if err != nil { return admin.WrapError(admin.ErrorBadRequestType, err, "min duration '%s' is invalid", d.Min) } - if min.Value() < 0 { + if minDur.Value() < 0 { return admin.WrapError(admin.ErrorBadRequestType, err, "min duration '%s' cannot be less than 0", d.Min) } } if d.Max != "" { - max, err = provisioner.NewDuration(d.Max) + maxDur, err = provisioner.NewDuration(d.Max) if err != nil { return admin.WrapError(admin.ErrorBadRequestType, err, "max duration '%s' is invalid", d.Max) } - if max.Value() < 0 { + if maxDur.Value() < 0 { return admin.WrapError(admin.ErrorBadRequestType, err, "max duration '%s' cannot be less than 0", d.Max) } } @@ -457,15 +457,15 @@ func ValidateDurations(d *linkedca.Durations) error { return admin.WrapError(admin.ErrorBadRequestType, err, "default duration '%s' cannot be less than 0", d.Default) } } - if d.Min != "" && d.Max != "" && min.Value() > max.Value() { + if d.Min != "" && d.Max != "" && minDur.Value() > maxDur.Value() { return admin.NewError(admin.ErrorBadRequestType, "min duration '%s' cannot be greater than max duration '%s'", d.Min, d.Max) } - if d.Min != "" && d.Default != "" && min.Value() > def.Value() { + if d.Min != "" && d.Default != "" && minDur.Value() > def.Value() { return admin.NewError(admin.ErrorBadRequestType, "min duration '%s' cannot be greater than default duration '%s'", d.Min, d.Default) } - if d.Default != "" && d.Max != "" && min.Value() > def.Value() { + if d.Default != "" && d.Max != "" && minDur.Value() > def.Value() { return admin.NewError(admin.ErrorBadRequestType, "default duration '%s' cannot be greater than max duration '%s'", d.Default, d.Max) } @@ -608,15 +608,15 @@ func provisionerWebhookToLinkedca(pwh *provisioner.Webhook) *linkedca.Webhook { return lwh } -func durationsToCertificates(d *linkedca.Durations) (min, max, def *provisioner.Duration, err error) { +func durationsToCertificates(d *linkedca.Durations) (minDur, maxDur, def *provisioner.Duration, err error) { if d.Min != "" { - min, err = provisioner.NewDuration(d.Min) + minDur, err = provisioner.NewDuration(d.Min) if err != nil { return nil, nil, nil, admin.WrapErrorISE(err, "error parsing minimum duration '%s'", d.Min) } } if d.Max != "" { - max, err = provisioner.NewDuration(d.Max) + maxDur, err = provisioner.NewDuration(d.Max) if err != nil { return nil, nil, nil, admin.WrapErrorISE(err, "error parsing maximum duration '%s'", d.Max) } diff --git a/cas/cloudcas/cloudcas_test.go b/cas/cloudcas/cloudcas_test.go index 6e5d2133..6db5d75d 100644 --- a/cas/cloudcas/cloudcas_test.go +++ b/cas/cloudcas/cloudcas_test.go @@ -248,6 +248,7 @@ func mustParseECKey(t *testing.T, pemKey string) *ecdsa.PrivateKey { block, _ := pem.Decode([]byte(pemKey)) if block == nil { t.Fatal("failed to parse key") + return nil } key, err := x509.ParseECPrivateKey(block.Bytes) if err != nil { @@ -882,7 +883,7 @@ func TestCloudCAS_CreateCertificateAuthority(t *testing.T) { defer srv.Stop() // Create fake privateca client - conn, err := grpc.DialContext(context.Background(), "", grpc.WithTransportCredentials(insecure.NewCredentials()), + conn, err := grpc.NewClient("localhost", grpc.WithTransportCredentials(insecure.NewCredentials()), grpc.WithContextDialer(func(context.Context, string) (net.Conn, error) { return lis.Dial() }))