ci: Use golangci's github action for linting (#3794)
* ci: Use golangci's github action for linting Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix most of the staticcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the prealloc lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the misspell lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the varcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the errcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the bodyclose lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the deadcode lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the unused lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the gosec lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the gosimple lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the ineffassign lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Fix the staticcheck lint errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Revert the misspell change, use a neutral English Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Remove broken golangci-lint CI job Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Re-add errantly-removed weakrand initialization Signed-off-by: Dave Henderson <dhenderson@gmail.com> * don't break the loop and return * Removing extra handling for null rootKey * unignore RegisterModule/RegisterAdapter Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com> * single-line log message Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Fix lint after a1808b0dbf209c615e438a496d257ce5e3acdce2 was merged Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Revert ticker change, ignore it instead Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Ignore some of the write errors Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Remove blank 
line Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Use lifetime Signed-off-by: Dave Henderson <dhenderson@gmail.com> * close immediately Co-authored-by: Matt Holt <mholt@users.noreply.github.com> * Preallocate configVals Signed-off-by: Dave Henderson <dhenderson@gmail.com> * Update modules/caddytls/distributedstek/distributedstek.go Co-authored-by: Mohammed Al Sahaf <msaa1990@gmail.com> Co-authored-by: Matt Holt <mholt@users.noreply.github.com>
@@ -80,6 +80,7 @@ func (cp ConnectionPolicies) TLSConfig(ctx caddy.Context) *tls.Config {
|
||||
}
|
||||
|
||||
return &tls.Config{
|
||||
MinVersion: tls.VersionTLS12,
|
||||
GetConfigForClient: func(hello *tls.ClientHelloInfo) (*tls.Config, error) {
|
||||
// filter policies by SNI first, if possible, to speed things up
|
||||
// when there may be lots of policies
|
||||
|
||||
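Review bot: The `MinVersion: tls.VersionTLS12` added to the outer config only governs connections for which `GetConfigForClient` returns a nil config; as far as I recall crypto/tls substitutes a non-nil returned config for the remainder of the handshake, so a matched policy whose own config leaves `MinVersion` unset falls back to the library default rather than this floor. It is worth confirming that the per-policy configs built inside the callback (whose body continues outside the hunk) set `MinVersion` from the policy's protocol range. A short comment on the new line would make its scope explicit: `// floor for connections that match no policy; per-policy configs carry their own MinVersion`.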
@@ -145,7 +145,12 @@ func (s *Provider) storeSTEK(dstek distributedSTEK) error {
|
||||
// current STEK is outdated (NextRotation time is in the past),
|
||||
// then it is rotated and persisted. The resulting STEK is returned.
|
||||
func (s *Provider) getSTEK() (distributedSTEK, error) {
|
||||
s.storage.Lock(s.ctx, stekLockName)
|
||||
err := s.storage.Lock(s.ctx, stekLockName)
|
||||
if err != nil {
|
||||
return distributedSTEK{}, fmt.Errorf("failed to acquire storage lock: %v", err)
|
||||
}
|
||||
|
||||
//nolint:errcheck
|
||||
defer s.storage.Unlock(stekLockName)
|
||||
|
||||
// load the current STEKs from storage
|
||||
|
||||
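Review bot: The `//nolint:errcheck` on `defer s.storage.Unlock(stekLockName)` silences a failure that matters for a shared lock: if the unlock fails, other instances cannot rotate the STEK until the lock expires, and nothing records why. Instead of suppressing the linter, handle the result in a deferred closure, e.g. `defer func() { if err := s.storage.Unlock(stekLockName); err != nil { /* report via the provider's logger, if it has one */ } }()` — I cannot see from the hunk whether `Provider` carries a logger, so the reporting call is left open. Separately, `fmt.Errorf("failed to acquire storage lock: %v", err)` should wrap with `%w` (and can drop the "failed to" prefix) so callers can inspect the underlying storage error with `errors.Is`/`errors.As`. getSTEK continues outside the hunk.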
@@ -97,26 +97,38 @@ func x509CertFromCertAndKeyPEMFile(fpath string) (tls.Certificate, error) {
|
||||
|
||||
if derBlock.Type == "CERTIFICATE" {
|
||||
// Re-encode certificate as PEM, appending to certificate chain
|
||||
pem.Encode(certBuilder, derBlock)
|
||||
err = pem.Encode(certBuilder, derBlock)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, err
|
||||
}
|
||||
} else if derBlock.Type == "EC PARAMETERS" {
|
||||
// EC keys generated from openssl can be composed of two blocks:
|
||||
// parameters and key (parameter block should come first)
|
||||
if !foundKey {
|
||||
// Encode parameters
|
||||
pem.Encode(keyBuilder, derBlock)
|
||||
err = pem.Encode(keyBuilder, derBlock)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, err
|
||||
}
|
||||
|
||||
// Key must immediately follow
|
||||
derBlock, bundle = pem.Decode(bundle)
|
||||
if derBlock == nil || derBlock.Type != "EC PRIVATE KEY" {
|
||||
return tls.Certificate{}, fmt.Errorf("%s: expected elliptic private key to immediately follow EC parameters", fpath)
|
||||
}
|
||||
pem.Encode(keyBuilder, derBlock)
|
||||
err = pem.Encode(keyBuilder, derBlock)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, err
|
||||
}
|
||||
foundKey = true
|
||||
}
|
||||
} else if derBlock.Type == "PRIVATE KEY" || strings.HasSuffix(derBlock.Type, " PRIVATE KEY") {
|
||||
// RSA key
|
||||
if !foundKey {
|
||||
pem.Encode(keyBuilder, derBlock)
|
||||
err = pem.Encode(keyBuilder, derBlock)
|
||||
if err != nil {
|
||||
return tls.Certificate{}, err
|
||||
}
|
||||
foundKey = true
|
||||
}
|
||||
} else {
|
||||
|
||||
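Review bot: The four new `err = pem.Encode(...)` checks return the raw error without the `fpath` context that the existing EC-parameters error in this same branch already carries, so a caller sees only the encoder's message with no indication of which bundle file was being read. Wrapping each as `return tls.Certificate{}, fmt.Errorf("%s: encoding %s block: %w", fpath, derBlock.Type, err)` keeps the error style consistent within the function. The scoped form `if err := pem.Encode(keyBuilder, derBlock); err != nil { ... }` would also avoid reassigning the outer `err`, which is declared before the hunk. x509CertFromCertAndKeyPEMFile starts and ends outside the hunk.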
@@ -27,6 +27,7 @@ import (
|
||||
"github.com/caddyserver/caddy/v2/modules/caddypki"
|
||||
"github.com/caddyserver/certmagic"
|
||||
"github.com/smallstep/certificates/authority/provisioner"
|
||||
"go.uber.org/zap"
|
||||
)
|
||||
|
||||
func init() {
|
||||
@@ -51,7 +52,8 @@ type InternalIssuer struct {
|
||||
// validate certificate chains.
|
||||
SignWithRoot bool `json:"sign_with_root,omitempty"`
|
||||
|
||||
ca *caddypki.CA
|
||||
ca *caddypki.CA
|
||||
logger *zap.Logger
|
||||
}
|
||||
|
||||
// CaddyModule returns the Caddy module information.
|
||||
@@ -64,6 +66,8 @@ func (InternalIssuer) CaddyModule() caddy.ModuleInfo {
|
||||
|
||||
// Provision sets up the issuer.
|
||||
func (iss *InternalIssuer) Provision(ctx caddy.Context) error {
|
||||
iss.logger = ctx.Logger(iss)
|
||||
|
||||
// get a reference to the configured CA
|
||||
appModule, err := ctx.App("pki")
|
||||
if err != nil {
|
||||
@@ -115,11 +119,15 @@ func (iss InternalIssuer) Issue(ctx context.Context, csr *x509.CertificateReques
|
||||
// ensure issued certificate does not expire later than its issuer
|
||||
lifetime := time.Duration(iss.Lifetime)
|
||||
if time.Now().Add(lifetime).After(issuerCert.NotAfter) {
|
||||
// TODO: log this
|
||||
lifetime = issuerCert.NotAfter.Sub(time.Now())
|
||||
lifetime = time.Until(issuerCert.NotAfter)
|
||||
iss.logger.Warn("cert lifetime would exceed issuer NotAfter, clamping lifetime",
|
||||
zap.Duration("orig_lifetime", time.Duration(iss.Lifetime)),
|
||||
zap.Duration("lifetime", lifetime),
|
||||
zap.Time("not_after", issuerCert.NotAfter),
|
||||
)
|
||||
}
|
||||
|
||||
certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(iss.Lifetime))
|
||||
certChain, err := auth.Sign(csr, provisioner.SignOptions{}, customCertLifetime(caddy.Duration(lifetime)))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
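Review bot: In Issue, the clamp `lifetime = time.Until(issuerCert.NotAfter)` yields a negative duration when the issuer certificate has already expired, yet the code still proceeds to `auth.Sign` with that value; an explicit `if !time.Now().Before(issuerCert.NotAfter) { return nil, <error naming issuerCert.NotAfter> }` ahead of the clamp turns an expired CA into a clear refusal rather than leaving the outcome to the signer. The check and the clamp also call `time.Now()` separately; capturing `now := time.Now()` once and using it in both keeps the comparison and the computed lifetime consistent. `Issue` has a value receiver while `Provision` sets `iss.logger` through a pointer, which works as long as callers use the provisioned value, but the new `logger` field deserves a comment such as `// set in Provision; nil until then`. Issue continues outside the hunk.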
@@ -498,8 +498,6 @@ var (
|
||||
storageCleanMu sync.Mutex
|
||||
)
|
||||
|
||||
const automateKey = "automate"
|
||||
|
||||
// Interface guards
|
||||
var (
|
||||
_ caddy.App = (*TLS)(nil)
|
||||
|
||||
@@ -122,6 +122,7 @@ var SupportedProtocols = map[string]uint16{
|
||||
// unsupportedProtocols is a map of unsupported protocols.
|
||||
// Used for logging only, not enforcement.
|
||||
var unsupportedProtocols = map[string]uint16{
|
||||
//nolint:staticcheck
|
||||
"ssl3.0": tls.VersionSSL30,
|
||||
"tls1.0": tls.VersionTLS10,
|
||||
"tls1.1": tls.VersionTLS11,
|
||||
|
||||
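Review bot: The `//nolint:staticcheck` placed above `"ssl3.0": tls.VersionSSL30` gives no reason, so the next reader cannot tell whether the deprecated constant is referenced on purpose; golangci-lint accepts a trailing explanation, e.g. `//nolint:staticcheck // SSL 3.0 is listed only so a misconfiguration can be logged; it is never enabled`. That ties the suppression to the map's documented purpose ("Used for logging only, not enforcement") and makes clear it must not be copied over to SupportedProtocols. Whether a `//nolint` on its own line scopes to the next line or to the enclosing composite literal depends on the golangci-lint version in use; if it is meant for this entry alone, appending it to the end of the entry's own line pins the scope.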