Fix linter errors
This commit is contained in:
Mariano Cano
parent
161a4b28be
commit
5ab79f53be
7 changed files with 30 additions and 7 deletions
|
|
@ -100,6 +100,7 @@ func (p *X5C) Init(config Config) (err error) {
|
||||||
var (
|
var (
|
||||||
block *pem.Block
|
block *pem.Block
|
||||||
rest = p.Roots
|
rest = p.Roots
|
||||||
|
count int
|
||||||
)
|
)
|
||||||
for rest != nil {
|
for rest != nil {
|
||||||
block, rest = pem.Decode(rest)
|
block, rest = pem.Decode(rest)
|
||||||
|
|
@ -110,11 +111,12 @@ func (p *X5C) Init(config Config) (err error) {
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return errors.Wrap(err, "error parsing x509 certificate from PEM block")
|
return errors.Wrap(err, "error parsing x509 certificate from PEM block")
|
||||||
}
|
}
|
||||||
|
count++
|
||||||
p.rootPool.AddCert(cert)
|
p.rootPool.AddCert(cert)
|
||||||
}
|
}
|
||||||
|
|
||||||
// Verify that at least one root was found.
|
// Verify that at least one root was found.
|
||||||
if len(p.rootPool.Subjects()) == 0 {
|
if count == 0 {
|
||||||
return errors.Errorf("no x509 certificates found in roots attribute for provisioner '%s'", p.GetName())
|
return errors.Errorf("no x509 certificates found in roots attribute for provisioner '%s'", p.GetName())
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -118,6 +118,8 @@ M46l92gdOozT
|
||||||
return ProvisionerValidateTest{
|
return ProvisionerValidateTest{
|
||||||
p: p,
|
p: p,
|
||||||
extraValid: func(p *X5C) error {
|
extraValid: func(p *X5C) error {
|
||||||
|
// nolint:staticcheck // We don't have a different way to
|
||||||
|
// check the number of certificates in the pool.
|
||||||
numCerts := len(p.rootPool.Subjects())
|
numCerts := len(p.rootPool.Subjects())
|
||||||
if numCerts != 2 {
|
if numCerts != 2 {
|
||||||
return errors.Errorf("unexpected number of certs: want 2, but got %d", numCerts)
|
return errors.Errorf("unexpected number of certs: want 2, but got %d", numCerts)
|
||||||
|
|
|
||||||
3
ca/ca.go
3
ca/ca.go
|
|
@ -450,9 +450,6 @@ func (ca *CA) getTLSConfig(auth *authority.Authority) (*tls.Config, error) {
|
||||||
tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
|
tlsConfig.ClientAuth = tls.VerifyClientCertIfGiven
|
||||||
tlsConfig.ClientCAs = certPool
|
tlsConfig.ClientCAs = certPool
|
||||||
|
|
||||||
// Use server's most preferred ciphersuite
|
|
||||||
tlsConfig.PreferServerCipherSuites = true
|
|
||||||
|
|
||||||
return tlsConfig, nil
|
return tlsConfig, nil
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -8,6 +8,7 @@ import (
|
||||||
"net/url"
|
"net/url"
|
||||||
"os"
|
"os"
|
||||||
"reflect"
|
"reflect"
|
||||||
|
"sort"
|
||||||
"testing"
|
"testing"
|
||||||
)
|
)
|
||||||
|
|
||||||
|
|
@ -196,7 +197,7 @@ func TestLoadClient(t *testing.T) {
|
||||||
switch {
|
switch {
|
||||||
case gotTransport.TLSClientConfig.GetClientCertificate == nil:
|
case gotTransport.TLSClientConfig.GetClientCertificate == nil:
|
||||||
t.Error("LoadClient() transport does not define GetClientCertificate")
|
t.Error("LoadClient() transport does not define GetClientCertificate")
|
||||||
case !reflect.DeepEqual(got.CaURL, tt.want.CaURL) || !reflect.DeepEqual(gotTransport.TLSClientConfig.RootCAs.Subjects(), wantTransport.TLSClientConfig.RootCAs.Subjects()):
|
case !reflect.DeepEqual(got.CaURL, tt.want.CaURL) || !equalPools(gotTransport.TLSClientConfig.RootCAs, wantTransport.TLSClientConfig.RootCAs):
|
||||||
t.Errorf("LoadClient() = %#v, want %#v", got, tt.want)
|
t.Errorf("LoadClient() = %#v, want %#v", got, tt.want)
|
||||||
default:
|
default:
|
||||||
crt, err := gotTransport.TLSClientConfig.GetClientCertificate(nil)
|
crt, err := gotTransport.TLSClientConfig.GetClientCertificate(nil)
|
||||||
|
|
@ -238,3 +239,23 @@ func Test_defaultsConfig_Validate(t *testing.T) {
|
||||||
})
|
})
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// nolint:staticcheck,gocritic
|
||||||
|
func equalPools(a, b *x509.CertPool) bool {
|
||||||
|
if reflect.DeepEqual(a, b) {
|
||||||
|
return true
|
||||||
|
}
|
||||||
|
subjects := a.Subjects()
|
||||||
|
sA := make([]string, len(subjects))
|
||||||
|
for i := range subjects {
|
||||||
|
sA[i] = string(subjects[i])
|
||||||
|
}
|
||||||
|
subjects = b.Subjects()
|
||||||
|
sB := make([]string, len(subjects))
|
||||||
|
for i := range subjects {
|
||||||
|
sB[i] = string(subjects[i])
|
||||||
|
}
|
||||||
|
sort.Strings(sA)
|
||||||
|
sort.Strings(sB)
|
||||||
|
return reflect.DeepEqual(sA, sB)
|
||||||
|
}
|
||||||
|
|
|
||||||
|
|
@ -346,6 +346,8 @@ func TestIdentity_GetCertPool(t *testing.T) {
|
||||||
return
|
return
|
||||||
}
|
}
|
||||||
if got != nil {
|
if got != nil {
|
||||||
|
// nolint:staticcheck // we don't have a different way to check
|
||||||
|
// the certificates in the pool.
|
||||||
subjects := got.Subjects()
|
subjects := got.Subjects()
|
||||||
if !reflect.DeepEqual(subjects, tt.wantSubjects) {
|
if !reflect.DeepEqual(subjects, tt.wantSubjects) {
|
||||||
t.Errorf("Identity.GetCertPool() = %x, want %x", subjects, tt.wantSubjects)
|
t.Errorf("Identity.GetCertPool() = %x, want %x", subjects, tt.wantSubjects)
|
||||||
|
|
|
||||||
|
|
@ -95,7 +95,6 @@ func (c *Client) getClientTLSConfig(ctx context.Context, sign *api.SignResponse,
|
||||||
// Note that with GetClientCertificate tlsConfig.Certificates is not used.
|
// Note that with GetClientCertificate tlsConfig.Certificates is not used.
|
||||||
// Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate()
|
// Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate()
|
||||||
tlsConfig.GetClientCertificate = renewer.GetClientCertificate
|
tlsConfig.GetClientCertificate = renewer.GetClientCertificate
|
||||||
tlsConfig.PreferServerCipherSuites = true
|
|
||||||
|
|
||||||
// Apply options and initialize mutable tls.Config
|
// Apply options and initialize mutable tls.Config
|
||||||
tlsCtx := newTLSOptionCtx(c, tlsConfig, sign)
|
tlsCtx := newTLSOptionCtx(c, tlsConfig, sign)
|
||||||
|
|
@ -137,7 +136,6 @@ func (c *Client) GetServerTLSConfig(ctx context.Context, sign *api.SignResponse,
|
||||||
// Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate()
|
// Without tlsConfig.Certificates there's not need to use tlsConfig.BuildNameToCertificate()
|
||||||
tlsConfig.GetCertificate = renewer.GetCertificate
|
tlsConfig.GetCertificate = renewer.GetCertificate
|
||||||
tlsConfig.GetClientCertificate = renewer.GetClientCertificate
|
tlsConfig.GetClientCertificate = renewer.GetClientCertificate
|
||||||
tlsConfig.PreferServerCipherSuites = true
|
|
||||||
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
tlsConfig.ClientAuth = tls.RequireAndVerifyClientCert
|
||||||
|
|
||||||
// Apply options and initialize mutable tls.Config
|
// Apply options and initialize mutable tls.Config
|
||||||
|
|
|
||||||
|
|
@ -542,6 +542,7 @@ func TestAddFederationToCAs(t *testing.T) {
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
// nolint:staticcheck,gocritic
|
||||||
func equalPools(a, b *x509.CertPool) bool {
|
func equalPools(a, b *x509.CertPool) bool {
|
||||||
if reflect.DeepEqual(a, b) {
|
if reflect.DeepEqual(a, b) {
|
||||||
return true
|
return true
|
||||||
|
|
|
||||||
Loading…
Reference in a new issue