Fix golangci-lint errors (#10196)
* Fix golangci-lint errors Signed-off-by: z1cheng <imchench@gmail.com> * Fix dupl errors Signed-off-by: z1cheng <imchench@gmail.com> * Fix comments Signed-off-by: z1cheng <imchench@gmail.com> * Fix errcheck lint errors Signed-off-by: z1cheng <imchench@gmail.com> * Fix assert in e2e test Signed-off-by: z1cheng <imchench@gmail.com> * Not interrupt the waitForPodsReady Signed-off-by: z1cheng <imchench@gmail.com> * Replace string with constant Signed-off-by: z1cheng <imchench@gmail.com> * Fix comments Signed-off-by: z1cheng <imchench@gmail.com> * Revert write file permission Signed-off-by: z1cheng <imchench@gmail.com> --------- Signed-off-by: z1cheng <imchench@gmail.com>
This commit is contained in:
parent
46d87d3462
commit
b3060bfbd0
253 changed files with 2434 additions and 2113 deletions
|
|
@ -52,17 +52,15 @@ import (
|
|||
// certificate generated by the ingress controller
|
||||
var FakeSSLCertificateUID = "00000000-0000-0000-0000-000000000000"
|
||||
|
||||
var (
|
||||
oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
|
||||
)
|
||||
var oidExtensionSubjectAltName = asn1.ObjectIdentifier{2, 5, 29, 17}
|
||||
|
||||
const (
|
||||
fakeCertificateName = "default-fake-certificate"
|
||||
)
|
||||
|
||||
// getPemFileName returns absolute file path and file name of pem cert related to given fullSecretName
|
||||
func getPemFileName(fullSecretName string) (string, string) {
|
||||
pemName := fmt.Sprintf("%v.pem", fullSecretName)
|
||||
func getPemFileName(fullSecretName string) (filePath, pemName string) {
|
||||
pemName = fmt.Sprintf("%v.pem", fullSecretName)
|
||||
return fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, pemName), pemName
|
||||
}
|
||||
|
||||
|
|
@ -192,7 +190,7 @@ func StoreSSLCertOnDisk(name string, sslCert *ingress.SSLCert) (string, error) {
|
|||
|
||||
// ConfigureCACertWithCertAndKey appends ca into existing PEM file consisting of cert and key
|
||||
// and sets relevant fields in sslCert object
|
||||
func ConfigureCACertWithCertAndKey(name string, ca []byte, sslCert *ingress.SSLCert) error {
|
||||
func ConfigureCACertWithCertAndKey(_ string, ca []byte, sslCert *ingress.SSLCert) error {
|
||||
var buffer bytes.Buffer
|
||||
|
||||
_, err := buffer.WriteString(sslCert.PemCertKey)
|
||||
|
|
@ -210,12 +208,12 @@ func ConfigureCACertWithCertAndKey(name string, ca []byte, sslCert *ingress.SSLC
|
|||
return fmt.Errorf("could not write ca data to cert file %v: %v", sslCert.CAFileName, err)
|
||||
}
|
||||
|
||||
return os.WriteFile(sslCert.CAFileName, buffer.Bytes(), 0644)
|
||||
//nolint:gosec // Not change permission to avoid possible issues
|
||||
return os.WriteFile(sslCert.CAFileName, buffer.Bytes(), 0o644)
|
||||
}
|
||||
|
||||
// ConfigureCRL creates a CRL file and append it into the SSLCert
|
||||
func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error {
|
||||
|
||||
crlName := fmt.Sprintf("crl-%v.pem", name)
|
||||
crlFileName := fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, crlName)
|
||||
|
||||
|
|
@ -230,10 +228,11 @@ func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error {
|
|||
|
||||
_, err := x509.ParseRevocationList(pemCRLBlock.Bytes)
|
||||
if err != nil {
|
||||
return fmt.Errorf(err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
err = os.WriteFile(crlFileName, crl, 0644)
|
||||
//nolint:gosec // Not change permission to avoid possible issues
|
||||
err = os.WriteFile(crlFileName, crl, 0o644)
|
||||
if err != nil {
|
||||
return fmt.Errorf("could not write CRL file %v: %v", crlFileName, err)
|
||||
}
|
||||
|
|
@ -242,7 +241,6 @@ func ConfigureCRL(name string, crl []byte, sslCert *ingress.SSLCert) error {
|
|||
sslCert.CRLSHA = file.SHA1(crlFileName)
|
||||
|
||||
return nil
|
||||
|
||||
}
|
||||
|
||||
// ConfigureCACert is similar to ConfigureCACertWithCertAndKey but it creates a separate file
|
||||
|
|
@ -251,7 +249,8 @@ func ConfigureCACert(name string, ca []byte, sslCert *ingress.SSLCert) error {
|
|||
caName := fmt.Sprintf("ca-%v.pem", name)
|
||||
fileName := fmt.Sprintf("%v/%v", file.DefaultSSLDirectory, caName)
|
||||
|
||||
err := os.WriteFile(fileName, ca, 0644)
|
||||
//nolint:gosec // Not change permission to avoid possible issues
|
||||
err := os.WriteFile(fileName, ca, 0o644)
|
||||
if err != nil {
|
||||
return fmt.Errorf("could not write CA file %v: %v", fileName, err)
|
||||
}
|
||||
|
|
@ -293,14 +292,14 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre
|
|||
var seq asn1.RawValue
|
||||
var rest []byte
|
||||
if rest, err = asn1.Unmarshal(value, &seq); err != nil {
|
||||
return
|
||||
return dnsNames, emailAddresses, ipAddresses, err
|
||||
} else if len(rest) != 0 {
|
||||
err = errors.New("x509: trailing data after X.509 extension")
|
||||
return
|
||||
return dnsNames, emailAddresses, ipAddresses, err
|
||||
}
|
||||
if !seq.IsCompound || seq.Tag != 16 || seq.Class != 0 {
|
||||
err = asn1.StructuralError{Msg: "bad SAN sequence"}
|
||||
return
|
||||
return dnsNames, emailAddresses, ipAddresses, err
|
||||
}
|
||||
|
||||
rest = seq.Bytes
|
||||
|
|
@ -308,7 +307,7 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre
|
|||
var v asn1.RawValue
|
||||
rest, err = asn1.Unmarshal(rest, &v)
|
||||
if err != nil {
|
||||
return
|
||||
return dnsNames, emailAddresses, ipAddresses, err
|
||||
}
|
||||
switch v.Tag {
|
||||
case 1:
|
||||
|
|
@ -321,12 +320,12 @@ func parseSANExtension(value []byte) (dnsNames, emailAddresses []string, ipAddre
|
|||
ipAddresses = append(ipAddresses, v.Bytes)
|
||||
default:
|
||||
err = errors.New("x509: certificate contained IP address of length " + strconv.Itoa(len(v.Bytes)))
|
||||
return
|
||||
return dnsNames, emailAddresses, ipAddresses, err
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
return
|
||||
return dnsNames, emailAddresses, ipAddresses, err
|
||||
}
|
||||
|
||||
// AddOrUpdateDHParam creates a dh parameters file with the specified name
|
||||
|
|
@ -396,7 +395,7 @@ func GetFakeSSLCert() *ingress.SSLCert {
|
|||
return sslCert
|
||||
}
|
||||
|
||||
func getFakeHostSSLCert(host string) ([]byte, []byte) {
|
||||
func getFakeHostSSLCert(host string) (cert, key []byte) {
|
||||
var priv interface{}
|
||||
var err error
|
||||
|
||||
|
|
@ -412,7 +411,6 @@ func getFakeHostSSLCert(host string) ([]byte, []byte) {
|
|||
|
||||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
||||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
||||
|
||||
if err != nil {
|
||||
klog.Fatalf("failed to generate fake serial number: %v", err)
|
||||
}
|
||||
|
|
@ -436,9 +434,9 @@ func getFakeHostSSLCert(host string) ([]byte, []byte) {
|
|||
klog.Fatalf("Failed to create fake certificate: %v", err)
|
||||
}
|
||||
|
||||
cert := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
||||
cert = pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: derBytes})
|
||||
|
||||
key := pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))})
|
||||
key = pem.EncodeToMemory(&pem.Block{Type: "RSA PRIVATE KEY", Bytes: x509.MarshalPKCS1PrivateKey(priv.(*rsa.PrivateKey))})
|
||||
|
||||
return cert, key
|
||||
}
|
||||
|
|
@ -508,9 +506,14 @@ func NewTLSListener(certificate, key string) *TLSListener {
|
|||
|
||||
l.load()
|
||||
|
||||
_, _ = file.NewFileWatcher(certificate, l.load)
|
||||
_, _ = file.NewFileWatcher(key, l.load)
|
||||
|
||||
_, err := file.NewFileWatcher(certificate, l.load)
|
||||
if err != nil {
|
||||
klog.Errorf("unexpected error: %v", err)
|
||||
}
|
||||
_, err = file.NewFileWatcher(key, l.load)
|
||||
if err != nil {
|
||||
klog.Errorf("unexpected error: %v", err)
|
||||
}
|
||||
return &l
|
||||
}
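Review bot: The `//nolint:gosec // Not change permission to avoid possible issues` added before `os.WriteFile(sslCert.CAFileName, buffer.Bytes(), 0o644)` in ConfigureCACertWithCertAndKey silences G306 without recording why 0o644 is required, and in this function the buffer starts with sslCert.PemCertKey — per the function's own doc comment, the cert and its key — so the file it writes is world-readable. If a less privileged reader has to open that file as a different user, the comment should say so, e.g. `//nolint:gosec // G306: <reader process> opens this file as another user; 0o644 is deliberate`; if no such reader exists, 0o600 would close the exposure without changing the function's interface. The identical generic comment is repeated before the CRL and CA writes in ConfigureCRL and ConfigureCACert, where only public material is written, so a rule-specific wording in each place would also stop a reader from assuming the three cases carry the same risk. ConfigureCACertWithCertAndKey's body begins outside the hunk.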
|
||||
|
||||
|
|
|
|||
|
|
@ -42,7 +42,7 @@ import (
|
|||
)
|
||||
|
||||
// generateRSACerts generates a self signed certificate using a self generated ca
|
||||
func generateRSACerts(host string) (*keyPair, *keyPair, error) {
|
||||
func generateRSACerts(host string) (newCert, newCa *keyPair, err error) {
|
||||
ca, err := newCA("self-sign-ca")
|
||||
if err != nil {
|
||||
return nil, nil, err
|
||||
|
|
@ -57,7 +57,7 @@ func generateRSACerts(host string) (*keyPair, *keyPair, error) {
|
|||
CommonName: host,
|
||||
Usages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny},
|
||||
}
|
||||
cert, err := newSignedCert(config, key, ca.Cert, ca.Key)
|
||||
cert, err := newSignedCert(&config, key, ca.Cert, ca.Key)
|
||||
if err != nil {
|
||||
return nil, nil, fmt.Errorf("unable to sign the server certificate: %v", err)
|
||||
}
|
||||
|
|
@ -139,11 +139,11 @@ func TestCACert(t *testing.T) {
|
|||
func TestGetFakeSSLCert(t *testing.T) {
|
||||
sslCert := GetFakeSSLCert()
|
||||
|
||||
if len(sslCert.PemCertKey) == 0 {
|
||||
if sslCert.PemCertKey == "" {
|
||||
t.Fatalf("expected PemCertKey to not be empty")
|
||||
}
|
||||
|
||||
if len(sslCert.PemFileName) == 0 {
|
||||
if sslCert.PemFileName == "" {
|
||||
t.Fatalf("expected PemFileName to not be empty")
|
||||
}
|
||||
|
||||
|
|
@ -195,7 +195,7 @@ func TestConfigureCRL(t *testing.T) {
|
|||
// Demo CRL from https://csrc.nist.gov/projects/pki-testing/sample-certificates-and-crls
|
||||
// Converted to PEM to be tested
|
||||
// SHA: ef21f9c97ec2ef84ba3b2ab007c858a6f760d813
|
||||
var crl = []byte(`-----BEGIN X509 CRL-----
|
||||
crl := []byte(`-----BEGIN X509 CRL-----
|
||||
MIIBYDCBygIBATANBgkqhkiG9w0BAQUFADBDMRMwEQYKCZImiZPyLGQBGRYDY29t
|
||||
MRcwFQYKCZImiZPyLGQBGRYHZXhhbXBsZTETMBEGA1UEAxMKRXhhbXBsZSBDQRcN
|
||||
MDUwMjA1MTIwMDAwWhcNMDUwMjA2MTIwMDAwWjAiMCACARIXDTA0MTExOTE1NTcw
|
||||
|
|
@ -237,6 +237,7 @@ fUNCdMGmr8FVF6IzTNYGmCuk/C4=
|
|||
t.Fatalf("the expected CRL SHA wasn't found")
|
||||
}
|
||||
}
|
||||
|
||||
func TestCreateSSLCert(t *testing.T) {
|
||||
cert, _, err := generateRSACerts("echoheaders")
|
||||
if err != nil {
|
||||
|
|
@ -339,12 +340,12 @@ func newPrivateKey() (*rsa.PrivateKey, error) {
|
|||
}
|
||||
|
||||
// newSignedCert creates a signed certificate using the given CA certificate and key
|
||||
func newSignedCert(cfg certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
|
||||
func newSignedCert(cfg *certutil.Config, key crypto.Signer, caCert *x509.Certificate, caKey crypto.Signer) (*x509.Certificate, error) {
|
||||
serial, err := rand.Int(rand.Reader, new(big.Int).SetInt64(math.MaxInt64))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if len(cfg.CommonName) == 0 {
|
||||
if cfg.CommonName == "" {
|
||||
return nil, errors.New("must specify a CommonName")
|
||||
}
|
||||
if len(cfg.Usages) == 0 {
|
||||
|
|
@ -389,7 +390,7 @@ func encodeCertPEM(cert *x509.Certificate) []byte {
|
|||
return pem.EncodeToMemory(&block)
|
||||
}
|
||||
|
||||
func newFakeCertificate(t *testing.T) ([]byte, string, string) {
|
||||
func newFakeCertificate(t *testing.T) (sslCert []byte, certFileName, keyFileName string) {
|
||||
cert, key := getFakeHostSSLCert("localhost")
|
||||
|
||||
certFile, err := os.CreateTemp("", "crt-")
|
||||
|
|
@ -423,10 +424,9 @@ func dialTestServer(port string, rootCertificates ...[]byte) error {
|
|||
return fmt.Errorf("failed to add root certificate")
|
||||
}
|
||||
}
|
||||
resp, err := tls.Dial("tcp", "localhost:"+port, &tls.Config{
|
||||
resp, err := tls.Dial("tcp", "localhost:"+port, &tls.Config{ //nolint:gosec // Ignore the gosec error in testing
|
||||
RootCAs: roots,
|
||||
})
|
||||
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
|
@ -473,15 +473,14 @@ func TestTLSKeyReloader(t *testing.T) {
|
|||
}
|
||||
})
|
||||
|
||||
//TODO: fix
|
||||
/*
|
||||
// simulate watch.NewFileWatcher to call the load function
|
||||
watcher.load()
|
||||
t.Run("when the certificate is reloaded", func(t *testing.T) {
|
||||
if err := dialTestServer(port, cert); err != nil {
|
||||
t.Errorf("TLS dial should succeed, got error: %v", err)
|
||||
}
|
||||
})
|
||||
/*TODO: fix
|
||||
// simulate watch.NewFileWatcher to call the load function
|
||||
watcher.load()
|
||||
t.Run("when the certificate is reloaded", func(t *testing.T) {
|
||||
if err := dialTestServer(port, cert); err != nil {
|
||||
t.Errorf("TLS dial should succeed, got error: %v", err)
|
||||
}
|
||||
})
|
||||
*/
|
||||
})
|
||||
}
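Review bot: The `//nolint:gosec // Ignore the gosec error in testing` appended to the `tls.Dial` line in dialTestServer does not name the finding it suppresses, so a later reader cannot tell whether it is the unset MinVersion in the `tls.Config` literal (presumably G402) or something else, nor whether that omission is intentional. Naming the rule and the reason keeps the suppression auditable, e.g. `//nolint:gosec // G402: MinVersion left unset on purpose so the dial exercises the listener's defaults` — assuming that is the intent; if it is not, adding `MinVersion: tls.VersionTLS12,` next to `RootCAs: roots,` would remove the need for the directive. dialTestServer's signature is outside the hunk.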
|
||||
|
|
|
|||