Fix linting issues

2022-03-24 13:10:49 +01:00 · 2022-03-24 13:10:49 +01:00 · 613c99f00f
commit 613c99f00f
parent dc23fd23bf
11 changed files with 37 additions and 122 deletions
--- a/api/utils.go
+++ b/api/utils.go
@ -83,13 +83,13 @@ func ReadProtoJSONWithCheck(w http.ResponseWriter, r io.Reader, m proto.Message)
 			Status:  http.StatusBadRequest,
 			Message: err.Error(),
 		}
-		data, err := json.Marshal(wrapper) // TODO(hs): handle err; even though it's very unlikely to fail
+		errData, err := json.Marshal(wrapper)
 		if err != nil {
 			panic(err)
 		}
 		w.Header().Set("Content-Type", "application/json")
 		w.WriteHeader(http.StatusBadRequest)
-		w.Write(data)
+		w.Write(errData)
 		return false
 	}
 	if err := protojson.Unmarshal(data, m); err != nil {
@ -99,13 +99,13 @@ func ReadProtoJSONWithCheck(w http.ResponseWriter, r io.Reader, m proto.Message)
 			}{
 				Message: err.Error(),
 			}
-			data, err := json.Marshal(wrapper) // TODO(hs): handle err; even though it's very unlikely to fail
+			errData, err := json.Marshal(wrapper)
 			if err != nil {
 				panic(err)
 			}
 			w.Header().Set("Content-Type", "application/json")
 			w.WriteHeader(http.StatusBadRequest)
-			w.Write(data)
+			w.Write(errData)
 			return false
 		}

--- a/authority/admin/api/admin_test.go
+++ b/authority/admin/api/admin_test.go
@ -141,11 +141,11 @@ func (m *mockAdminAuthority) GetAuthorityPolicy(ctx context.Context) (*linkedca.
 	return nil, errors.New("not implemented yet")
 }

-func (m *mockAdminAuthority) CreateAuthorityPolicy(ctx context.Context, admin *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
+func (m *mockAdminAuthority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
 	return nil, errors.New("not implemented yet")
 }

-func (m *mockAdminAuthority) UpdateAuthorityPolicy(ctx context.Context, admin *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
+func (m *mockAdminAuthority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
 	return nil, errors.New("not implemented yet")
 }

--- a/authority/admin/api/middleware.go
+++ b/authority/admin/api/middleware.go
@ -1,7 +1,6 @@
 package api

 import (
-	"context"
 	"net/http"

 	"go.step.sm/linkedca"
@ -70,13 +69,3 @@ func (h *Handler) checkAction(next nextHTTP, supportedInStandalone bool) nextHTT
 		next(w, r)
 	}
 }
-
-// adminFromContext searches the context for a *linkedca.Admin.
-// Returns the admin or an error.
-func adminFromContext(ctx context.Context) (*linkedca.Admin, error) {
-	val, ok := ctx.Value(admin.AdminContextKey).(*linkedca.Admin)
-	if !ok || val == nil {
-		return nil, admin.NewError(admin.ErrorBadRequestType, "admin not in context")
-	}
-	return val, nil
-}
--- a/authority/admin/api/middleware_test.go
+++ b/authority/admin/api/middleware_test.go
@ -169,12 +169,7 @@ func TestHandler_extractAuthorizeTokenAdmin(t *testing.T) {
 			}
 			next := func(w http.ResponseWriter, r *http.Request) {
 				ctx := r.Context()
-				a := ctx.Value(admin.AdminContextKey) // verifying that the context now has a linkedca.Admin
-				adm, ok := a.(*linkedca.Admin)
-				if !ok {
-					t.Errorf("expected *linkedca.Admin; got %T", a)
-					return
-				}
+				adm := linkedca.AdminFromContext(ctx) // verifying that the context now has a linkedca.Admin
 				opts := []cmp.Option{cmpopts.IgnoreUnexported(linkedca.Admin{}, timestamppb.Timestamp{})}
 				if !cmp.Equal(adm, adm, opts...) {
 					t.Errorf("linkedca.Admin diff =\n%s", cmp.Diff(adm, adm, opts...))
--- a/authority/admin/api/policy.go
+++ b/authority/admin/api/policy.go
@ -8,6 +8,7 @@ import (
 	"go.step.sm/linkedca"

 	"github.com/smallstep/certificates/api"
+	"github.com/smallstep/certificates/api/read"
 	"github.com/smallstep/certificates/authority/admin"
 	"github.com/smallstep/certificates/authority/provisioner"
 )
@ -121,7 +122,7 @@ func (par *PolicyAdminResponder) UpdateAuthorityPolicy(w http.ResponseWriter, r
 	}

 	var newPolicy = new(linkedca.Policy)
-	if err := api.ReadProtoJSON(r.Body, newPolicy); err != nil {
+	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
 		api.WriteError(w, err)
 		return
 	}
@ -220,7 +221,7 @@ func (par *PolicyAdminResponder) CreateProvisionerPolicy(w http.ResponseWriter,
 	}

 	var newPolicy = new(linkedca.Policy)
-	if err := api.ReadProtoJSON(r.Body, newPolicy); err != nil {
+	if err := read.ProtoJSON(r.Body, newPolicy); err != nil {
 		api.WriteError(w, err)
 		return
 	}
@ -256,7 +257,7 @@ func (par *PolicyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
 	}

 	var policy = new(linkedca.Policy)
-	if err := api.ReadProtoJSON(r.Body, policy); err != nil {
+	if err := read.ProtoJSON(r.Body, policy); err != nil {
 		api.WriteError(w, err)
 		return
 	}
@ -271,7 +272,7 @@ func (par *PolicyAdminResponder) UpdateProvisionerPolicy(w http.ResponseWriter,
 	api.ProtoJSONStatus(w, policy, http.StatusOK)
 }

-// DeleteProvisionerPolicy ...
+// DeleteProvisionerPolicy handles the DELETE /admin/provisioners/{name}/policy request
 func (par *PolicyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter, r *http.Request) {

 	ctx := r.Context()
@ -308,7 +309,6 @@ func (par *PolicyAdminResponder) DeleteProvisionerPolicy(w http.ResponseWriter,
 	api.JSON(w, &DeleteResponse{Status: "ok"})
 }

-// GetACMEAccountPolicy ...
 func (par *PolicyAdminResponder) GetACMEAccountPolicy(w http.ResponseWriter, r *http.Request) {
 	api.JSON(w, "ok")
 }
--- a/authority/admin/db/nosql/policy.go
+++ b/authority/admin/db/nosql/policy.go
@ -63,13 +63,13 @@ func (db *DB) getDBAuthorityPolicy(ctx context.Context, authorityID string) (*db
 	return dbap, nil
 }

-func (db *DB) unmarshalAuthorityPolicy(data []byte, authorityID string) (*linkedca.Policy, error) {
-	dbap, err := db.unmarshalDBAuthorityPolicy(data, authorityID)
-	if err != nil {
-		return nil, err
-	}
-	return dbap.convert(), nil
-}
+// func (db *DB) unmarshalAuthorityPolicy(data []byte, authorityID string) (*linkedca.Policy, error) {
+// 	dbap, err := db.unmarshalDBAuthorityPolicy(data, authorityID)
+// 	if err != nil {
+// 		return nil, err
+// 	}
+// 	return dbap.convert(), nil
+// }

 func (db *DB) CreateAuthorityPolicy(ctx context.Context, policy *linkedca.Policy) error {

--- a/authority/policy.go
+++ b/authority/policy.go
@ -17,23 +17,23 @@ func (a *Authority) GetAuthorityPolicy(ctx context.Context) (*linkedca.Policy, e
 	a.adminMutex.Lock()
 	defer a.adminMutex.Unlock()

-	policy, err := a.adminDB.GetAuthorityPolicy(ctx)
+	p, err := a.adminDB.GetAuthorityPolicy(ctx)
 	if err != nil {
 		return nil, err
 	}

-	return policy, nil
+	return p, nil
 }

-func (a *Authority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
+func (a *Authority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, p *linkedca.Policy) (*linkedca.Policy, error) {
 	a.adminMutex.Lock()
 	defer a.adminMutex.Unlock()

-	if err := a.checkPolicy(ctx, adm, policy); err != nil {
+	if err := a.checkPolicy(ctx, adm, p); err != nil {
 		return nil, err
 	}

-	if err := a.adminDB.CreateAuthorityPolicy(ctx, policy); err != nil {
+	if err := a.adminDB.CreateAuthorityPolicy(ctx, p); err != nil {
 		return nil, err
 	}

@ -41,18 +41,18 @@ func (a *Authority) CreateAuthorityPolicy(ctx context.Context, adm *linkedca.Adm
 		return nil, admin.WrapErrorISE(err, "error reloading policy engines when creating authority policy")
 	}

-	return policy, nil // TODO: return the newly stored policy
+	return p, nil // TODO: return the newly stored policy
 }

-func (a *Authority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, policy *linkedca.Policy) (*linkedca.Policy, error) {
+func (a *Authority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Admin, p *linkedca.Policy) (*linkedca.Policy, error) {
 	a.adminMutex.Lock()
 	defer a.adminMutex.Unlock()

-	if err := a.checkPolicy(ctx, adm, policy); err != nil {
+	if err := a.checkPolicy(ctx, adm, p); err != nil {
 		return nil, err
 	}

-	if err := a.adminDB.UpdateAuthorityPolicy(ctx, policy); err != nil {
+	if err := a.adminDB.UpdateAuthorityPolicy(ctx, p); err != nil {
 		return nil, err
 	}

@ -60,7 +60,7 @@ func (a *Authority) UpdateAuthorityPolicy(ctx context.Context, adm *linkedca.Adm
 		return nil, admin.WrapErrorISE(err, "error reloading policy engines when updating authority policy")
 	}

-	return policy, nil // TODO: return the updated stored policy
+	return p, nil // TODO: return the updated stored policy
 }

 func (a *Authority) RemoveAuthorityPolicy(ctx context.Context) error {
@ -111,11 +111,10 @@ func isAllowed(engine authPolicy.X509Policy, sans []string) error {
 	)
 	if allowed, err = engine.AreSANsAllowed(sans); err != nil {
 		var policyErr *policy.NamePolicyError
-		if errors.As(err, &policyErr); policyErr.Reason == policy.NotAuthorizedForThisName {
+		if isPolicyErr := errors.As(err, &policyErr); isPolicyErr && policyErr.Reason == policy.NotAuthorizedForThisName {
 			return fmt.Errorf("the provided policy would lock out %s from the CA. Please update your policy to include %s as an allowed name", sans, sans)
-		} else {
-			return err
 		}
+		return err
 	}

 	if !allowed {
--- a/authority/provisioner/aws.go
+++ b/authority/provisioner/aws.go
@ -266,7 +266,6 @@ type AWS struct {
 	Claims                 *Claims  `json:"claims,omitempty"`
 	Options                *Options `json:"options,omitempty"`
 	config                 *awsConfig
-	audiences              Audiences
 	ctl                    *Controller
 	x509Policy             policy.X509Policy
 	sshHostPolicy          policy.HostPolicy
@ -557,7 +556,7 @@ func (p *AWS) readURL(url string) ([]byte, error) {
 	if err != nil {
 		return nil, err
 	}
-	return nil, fmt.Errorf("Request for metadata returned non-successful status code %d",
+	return nil, fmt.Errorf("request for metadata returned non-successful status code %d",
 		resp.StatusCode)
 }

@ -590,7 +589,7 @@ func (p *AWS) readURLv2(url string) (*http.Response, error) {
 	}
 	defer resp.Body.Close()
 	if resp.StatusCode >= 400 {
-		return nil, fmt.Errorf("Request for API token returned non-successful status code %d", resp.StatusCode)
+		return nil, fmt.Errorf("request for API token returned non-successful status code %d", resp.StatusCode)
 	}
 	token, err := io.ReadAll(resp.Body)
 	if err != nil {
--- a/authority/provisioner/sign_options.go
+++ b/authority/provisioner/sign_options.go
@ -6,7 +6,6 @@ import (
 	"crypto/rsa"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"encoding/asn1"
 	"encoding/json"
 	"net"
 	"net/http"
@ -427,10 +426,10 @@ func (v *x509NamePolicyValidator) Valid(cert *x509.Certificate, _ SignOptions) e
 	return err
 }

-var (
-	stepOIDRoot        = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64}
-	stepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(stepOIDRoot, 1)...)
-)
+// var (
+// 	stepOIDRoot = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64}
+// 	stepOIDProvisioner = append(asn1.ObjectIdentifier(nil), append(stepOIDRoot, 1)...)
+// )

 // type stepProvisionerASN1 struct {
 // 	Type          int
--- a/authority/tls.go
+++ b/authority/tls.go
@ -237,14 +237,6 @@ func (a *Authority) Sign(csr *x509.CertificateRequest, signOpts provisioner.Sign
 // the cert to see if the CA is allowed to sign it.
 func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) {

-	// // check if certificate is an admin identity token certificate and the admin subject exists
-	// b := isAdminIdentityTokenCertificate(cert)
-	// _ = b
-
-	// if isAdminIdentityTokenCertificate(cert) && a.admins.HasSubject(cert.Subject.CommonName) {
-	// 	return true, nil
-	// }
-
 	// if no policy is configured, the cert is implicitly allowed
 	if a.x509Policy == nil {
 		return true, nil
@ -253,38 +245,6 @@ func (a *Authority) isAllowedToSign(cert *x509.Certificate) (bool, error) {
 	return a.x509Policy.AreCertificateNamesAllowed(cert)
 }

-func isAdminIdentityTokenCertificate(cert *x509.Certificate) bool {
-
-	// TODO: remove this check
-
-	if cert.Issuer.CommonName != "" {
-		return false
-	}
-
-	subject := cert.Subject.CommonName
-	if subject == "" {
-		return false
-	}
-
-	dnsNames := cert.DNSNames
-	if len(dnsNames) != 1 {
-		return false
-	}
-
-	if dnsNames[0] != subject {
-		return false
-	}
-
-	extras := cert.ExtraExtensions
-	if len(extras) != 1 {
-		return false
-	}
-
-	extra := extras[0]
-
-	return extra.Id.Equal(asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 37476, 9000, 64, 1})
-}
-
 // Renew creates a new Certificate identical to the old certificate, except
 // with a validity window that begins 'now'.
 func (a *Authority) Renew(oldCert *x509.Certificate) ([]*x509.Certificate, error) {
--- a/policy/engine.go
+++ b/policy/engine.go
@ -4,9 +4,7 @@ import (
 	"bytes"
 	"crypto/x509"
 	"crypto/x509/pkix"
-	"errors"
 	"fmt"
-	"io"
 	"net"
 	"net/url"
 	"reflect"
@ -42,30 +40,6 @@ type NamePolicyError struct {
 	Detail string
 }

-type NameError struct {
-	error
-	Reason NamePolicyReason
-}
-
-func a() {
-	err := io.EOF
-	var ne *NameError
-	errors.As(err, ne)
-	errors.Is(err, ne)
-}
-
-func newPolicyError(reason NamePolicyReason, err error) error {
-	return &NameError{
-		error:  err,
-		Reason: reason,
-	}
-}
-
-func newPolicyErrorf(reason NamePolicyReason, format string, args ...interface{}) error {
-	err := fmt.Errorf(format, args...)
-	return newPolicyError(reason, err)
-}
-
 func (e *NamePolicyError) Error() string {
 	switch e.Reason {
 	case NotAuthorizedForThisName: