Update to go1.17, and bring up linter, and deps (#209)

Resolves CVE-2022-41717 and CVE-2022-32149 and general housekeeping Signed-off-by: Bryon Nevis <[email protected]> Signed-off-by: Andrew Harding <[email protected]> Co-authored-by: Andrew Harding <[email protected]>
spiffe · Jan 9, 2023 · 4c8771f · 4c8771f
1 parent 40399ac
commit 4c8771f
Show file tree

Hide file tree

Showing 33 changed files with 1,251 additions and 192 deletions.
diff --git a/.github/workflows/pr_build.yaml b/.github/workflows/pr_build.yaml
@@ -3,7 +3,7 @@ on:
   pull_request: {}
   workflow_dispatch: {}
 env:
-  GO_VERSION: 1.13
+  GO_VERSION: 1.17
 jobs:
   lint-linux:
     runs-on: ubuntu-latest

diff --git a/Makefile b/Makefile
@@ -70,7 +70,7 @@ protoc_gen_go_grpc_base_dir := $(build_dir)/protoc-gen-go-grpc
 protoc_gen_go_grpc_dir := $(protoc_gen_go_grpc_base_dir)/$(protoc_gen_go_grpc_version)-go$(go_version)
 protoc_gen_go_grpc_bin := $(protoc_gen_go_grpc_dir)/protoc-gen-go-grpc
 
-golangci_lint_version = v1.24.0
+golangci_lint_version = v1.50.1
 golangci_lint_dir = $(build_dir)/golangci_lint/$(golangci_lint_version)
 golangci_lint_bin = $(golangci_lint_dir)/golangci-lint
 
@@ -81,7 +81,7 @@ apiprotos := \
 # Toolchain
 #############################################################################
 
-go_version_full := 1.13.15
+go_version_full := 1.17.13
 go_version := $(go_version_full:.0=)
 go_dir := $(build_dir)/go/$(go_version)
 
@@ -127,6 +127,14 @@ $(golangci_lint_bin):
 	@mkdir -p $(golangci_lint_dir)
 	@curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/master/install.sh | sh -s -- -b $(golangci_lint_dir) $(golangci_lint_version)
 
+#############################################################################
+# Tidy
+#############################################################################
+
+.PHONY: test
+tidy: | go-check
+	@cd ./v2; $(go_path) go mod tidy
+
 #############################################################################
 # Testing
 #############################################################################
@@ -166,14 +174,13 @@ $(protoc_gen_go_bin): | go-check
 	@echo "Installing protoc-gen-go $(protoc_gen_go_version)..."
 	@rm -rf $(protoc_gen_go_base_dir)
 	@mkdir -p $(protoc_gen_go_dir)
-	@$(go_path) go build -o $(protoc_gen_go_bin) google.golang.org/protobuf/cmd/protoc-gen-go
+	@GOBIN="$(protoc_gen_go_dir)" $(go_path) go install google.golang.org/protobuf/cmd/protoc-gen-go@$(protoc_gen_go_version)
 
 $(protoc_gen_go_grpc_bin): | go-check
 	@echo "Installing protoc-gen-go-grpc $(protoc_gen_go_grpc_version)..."
 	@rm -rf $(protoc_gen_go_grpc_base_dir)
 	@mkdir -p $(protoc_gen_go_grpc_dir)
-	@echo "module tools" > $(protoc_gen_go_grpc_dir)/go.mod
-	@cd $(protoc_gen_go_grpc_dir) && GOBIN=$(protoc_gen_go_grpc_dir) $(go_path) go get google.golang.org/grpc/cmd/protoc-gen-go-grpc@$(protoc_gen_go_grpc_version)
+	@GOBIN=$(protoc_gen_go_grpc_dir) $(go_path) go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@$(protoc_gen_go_grpc_version)
 
 #############################################################################
 # Code Generation Checks

diff --git a/v2/.golangci.yml b/v2/.golangci.yml
@@ -17,11 +17,11 @@ linters:
     - bodyclose
     - depguard
     - goimports
-    - golint
+    - revive
     - gosec
     - misspell
     - nakedret
-    - scopelint
+    - exportloopref
     - unconvert
     - unparam
     - whitespace

diff --git a/v2/bundle/jwtbundle/doc.go b/v2/bundle/jwtbundle/doc.go
@@ -4,34 +4,40 @@
 // are used to authenticate SPIFFE JWT-SVIDs.
 //
 // You can create a new bundle for a specific trust domain:
-//  td := spiffeid.RequireTrustDomain("example.org")
-//  bundle := jwtbundle.New(td)
+//
+//	td := spiffeid.RequireTrustDomain("example.org")
+//	bundle := jwtbundle.New(td)
 //
 // Or you can load it from disk:
-//  td := spiffeid.RequireTrustDomain("example.org")
-//  bundle := jwtbundle.Load(td, "bundle.jwks")
+//
+//	td := spiffeid.RequireTrustDomain("example.org")
+//	bundle := jwtbundle.Load(td, "bundle.jwks")
 //
 // The bundle can be initialized with JWT authorities:
-//  td := spiffeid.RequireTrustDomain("example.org")
-//  var jwtAuthorities map[string]crypto.PublicKey = ...
-//  bundle := jwtbundle.FromJWTAuthorities(td, jwtAuthorities)
+//
+//	td := spiffeid.RequireTrustDomain("example.org")
+//	var jwtAuthorities map[string]crypto.PublicKey = ...
+//	bundle := jwtbundle.FromJWTAuthorities(td, jwtAuthorities)
 //
 // In addition, you can add JWT authorities to the bundle:
-//  var keyID string = ...
-//  var publicKey crypto.PublicKey = ...
-//  bundle.AddJWTAuthority(keyID, publicKey)
+//
+//	var keyID string = ...
+//	var publicKey crypto.PublicKey = ...
+//	bundle.AddJWTAuthority(keyID, publicKey)
 //
 // Bundles can be organized into a set, keyed by trust domain:
-//  set := jwtbundle.NewSet()
-//  set.Add(bundle)
+//
+//	set := jwtbundle.NewSet()
+//	set.Add(bundle)
 //
 // A Source is source of JWT bundles for a trust domain. Both the Bundle
 // and Set types implement Source:
-//  // Initialize the source from a bundle or set
-//  var source jwtbundle.Source = bundle
-//  // ... or ...
-//  var source jwtbundle.Source = set
 //
-//  // Use the source to query for bundles by trust domain
-//  bundle, err := source.GetJWTBundleForTrustDomain(td)
+//	// Initialize the source from a bundle or set
+//	var source jwtbundle.Source = bundle
+//	// ... or ...
+//	var source jwtbundle.Source = set
+//
+//	// Use the source to query for bundles by trust domain
+//	bundle, err := source.GetJWTBundleForTrustDomain(td)
 package jwtbundle
diff --git a/v2/bundle/spiffebundle/doc.go b/v2/bundle/spiffebundle/doc.go
@@ -4,50 +4,56 @@
 // authenticating SVIDs.
 //
 // You can create a new bundle for a specific trust domain:
-//  td := spiffeid.RequireTrustDomain("example.org")
-//  bundle := spiffebundle.New(td)
+//
+//	td := spiffeid.RequireTrustDomain("example.org")
+//	bundle := spiffebundle.New(td)
 //
 // Or you can load it from disk:
-//  td := spiffeid.RequireTrustDomain("example.org")
-//  bundle := spiffebundle.Load(td, "bundle.json")
+//
+//	td := spiffeid.RequireTrustDomain("example.org")
+//	bundle := spiffebundle.Load(td, "bundle.json")
 //
 // The bundle can be initialized with X.509 or JWT authorities:
-//  td := spiffeid.RequireTrustDomain("example.org")
 //
-//  var x509Authorities []*x509.Certificate = ...
-//  bundle := spiffebundle.FromX509Authorities(td, x509Authorities)
-//  // ... or ...
-//  var jwtAuthorities map[string]crypto.PublicKey = ...
-//  bundle := spiffebundle.FromJWTAuthorities(td, jwtAuthorities)
+//	td := spiffeid.RequireTrustDomain("example.org")
+//
+//	var x509Authorities []*x509.Certificate = ...
+//	bundle := spiffebundle.FromX509Authorities(td, x509Authorities)
+//	// ... or ...
+//	var jwtAuthorities map[string]crypto.PublicKey = ...
+//	bundle := spiffebundle.FromJWTAuthorities(td, jwtAuthorities)
 //
 // In addition, you can add authorities to the bundle:
-//  var x509CA *x509.Certificate = ...
-//  bundle.AddX509Authority(x509CA)
-//  var keyID string = ...
-//  var publicKey crypto.PublicKey = ...
-//  bundle.AddJWTAuthority(keyID, publicKey)
+//
+//	var x509CA *x509.Certificate = ...
+//	bundle.AddX509Authority(x509CA)
+//	var keyID string = ...
+//	var publicKey crypto.PublicKey = ...
+//	bundle.AddJWTAuthority(keyID, publicKey)
 //
 // Bundles can be organized into a set, keyed by trust domain:
-//  set := spiffebundle.NewSet()
-//  set.Add(bundle)
+//
+//	set := spiffebundle.NewSet()
+//	set.Add(bundle)
 //
 // A Source is source of bundles for a trust domain. Both the
 // Bundle and Set types implement Source:
-//  // Initialize the source from a bundle or set
-//  var source spiffebundle.Source = bundle
-//  // ... or ...
-//  var source spiffebundle.Source = set
 //
-//  // Use the source to query for X.509 bundles by trust domain
-//  bundle, err := source.GetBundleForTrustDomain(td)
+//	// Initialize the source from a bundle or set
+//	var source spiffebundle.Source = bundle
+//	// ... or ...
+//	var source spiffebundle.Source = set
+//
+//	// Use the source to query for X.509 bundles by trust domain
+//	bundle, err := source.GetBundleForTrustDomain(td)
 //
 // Additionally the Bundle and Set types also implement the x509bundle.Source and jwtbundle.Source interfaces:
 //
-//  // As an x509bundle.Source...
-//  var source x509bundle.Source = bundle // or set
-//  x509Bundle, err := source.GetX509BundleForTrustDomain(td)
+//	// As an x509bundle.Source...
+//	var source x509bundle.Source = bundle // or set
+//	x509Bundle, err := source.GetX509BundleForTrustDomain(td)
 //
-//  // As a jwtbundle.Source...
-//  var source jwtbundle.Source = bundle // or set
-//  jwtBundle, err := source.GetJWTBundleForTrustDomain(td)
+//	// As a jwtbundle.Source...
+//	var source jwtbundle.Source = bundle // or set
+//	jwtBundle, err := source.GetJWTBundleForTrustDomain(td)
 package spiffebundle
diff --git a/v2/bundle/x509bundle/bundle.go b/v2/bundle/x509bundle/bundle.go
@@ -127,7 +127,7 @@ func (b *Bundle) RemoveX509Authority(x509Authority *x509.Certificate) {
 
 	for i, r := range b.x509Authorities {
 		if r.Equal(x509Authority) {
-			//remove element from slice
+			// remove element from slice
 			b.x509Authorities = append(b.x509Authorities[:i], b.x509Authorities[i+1:]...)
 			return
 		}

diff --git a/v2/bundle/x509bundle/bundle_test.go b/v2/bundle/x509bundle/bundle_test.go
@@ -232,7 +232,7 @@ func TestMarshal(t *testing.T) {
 	expBytes, err := ioutil.ReadFile("testdata/certs.pem")
 	require.NoError(t, err)
 
-	//Assert the marshalled bundle is equal to the one loaded
+	// Assert the marshalled bundle is equal to the one loaded
 	assert.Equal(t, expBytes, pemBytes)
 }
 

diff --git a/v2/bundle/x509bundle/doc.go b/v2/bundle/x509bundle/doc.go
@@ -4,33 +4,39 @@
 // are used to authenticate SPIFFE X509-SVIDs.
 //
 // You can create a new bundle for a specific trust domain:
-//  td := spiffeid.RequireTrustDomain("example.org")
-//  bundle := x509bundle.New(td)
+//
+//	td := spiffeid.RequireTrustDomain("example.org")
+//	bundle := x509bundle.New(td)
 //
 // Or you can load it from disk:
-//  td := spiffeid.RequireTrustDomain("example.org")
-//  bundle := x509bundle.Load(td, "bundle.pem")
+//
+//	td := spiffeid.RequireTrustDomain("example.org")
+//	bundle := x509bundle.Load(td, "bundle.pem")
 //
 // The bundle can be initialized with X.509 authorities:
-//  td := spiffeid.RequireTrustDomain("example.org")
-//  var x509Authorities []*x509.Certificate = ...
-//  bundle := x509bundle.FromX509Authorities(td, x509Authorities)
+//
+//	td := spiffeid.RequireTrustDomain("example.org")
+//	var x509Authorities []*x509.Certificate = ...
+//	bundle := x509bundle.FromX509Authorities(td, x509Authorities)
 //
 // In addition, you can add X.509 authorities to the bundle:
-//  var x509CA *x509.Certificate = ...
-//  bundle.AddX509Authority(x509CA)
+//
+//	var x509CA *x509.Certificate = ...
+//	bundle.AddX509Authority(x509CA)
 //
 // Bundles can be organized into a set, keyed by trust domain:
-//  set := x509bundle.NewSet()
-//  set.Add(bundle)
+//
+//	set := x509bundle.NewSet()
+//	set.Add(bundle)
 //
 // A Source is source of X.509 bundles for a trust domain. Both the Bundle
 // and Set types implement Source:
-//  // Initialize the source from a bundle or set
-//  var source x509bundle.Source = bundle
-//  // ... or ...
-//  var source x509bundle.Source = set
 //
-//  // Use the source to query for bundles by trust domain
-//  bundle, err := source.GetX509BundleForTrustDomain(td)
+//	// Initialize the source from a bundle or set
+//	var source x509bundle.Source = bundle
+//	// ... or ...
+//	var source x509bundle.Source = set
+//
+//	// Use the source to query for bundles by trust domain
+//	bundle, err := source.GetX509BundleForTrustDomain(td)
 package x509bundle
diff --git a/v2/examples/spiffe-grpc/client/main.go b/v2/examples/spiffe-grpc/client/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"fmt"
 	"log"
 
 	"github.com/spiffe/go-spiffe/v2/spiffegrpc/grpccredentials"
@@ -16,14 +17,17 @@ import (
 const socketPath = "unix:///tmp/agent.sock"
 
 func main() {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	if err := run(context.Background()); err != nil {
+		log.Fatal(err)
+	}
+}
 
+func run(ctx context.Context) error {
 	// Create a `workloadapi.X509Source`, it will connect to Workload API using provided socket path
 	// If socket path is not defined using `workloadapi.SourceOption`, value from environment variable `SPIFFE_ENDPOINT_SOCKET` is used.
 	source, err := workloadapi.NewX509Source(ctx, workloadapi.WithClientOptions(workloadapi.WithAddr(socketPath)))
 	if err != nil {
-		log.Fatalf("Unable to create X509Source: %v", err)
+		return fmt.Errorf("unable to create X509Source: %w", err)
 	}
 	defer source.Close()
 
@@ -35,14 +39,15 @@ func main() {
 		grpccredentials.MTLSClientCredentials(source, source, tlsconfig.AuthorizeID(serverID)),
 	))
 	if err != nil {
-		log.Fatalf("Error creating dial: %v", err)
+		return fmt.Errorf("failed to dial: %w", err)
 	}
 
 	client := pb.NewGreeterClient(conn)
 	reply, err := client.SayHello(ctx, &pb.HelloRequest{Name: "world"})
 	if err != nil {
-		log.Fatalf("Error connecting to server %v", err)
+		return fmt.Errorf("failed issuing RPC to server: %w", err)
 	}
 
 	log.Print(reply.Message)
+	return nil
 }
diff --git a/v2/examples/spiffe-grpc/server/main.go b/v2/examples/spiffe-grpc/server/main.go
@@ -2,6 +2,7 @@ package main
 
 import (
 	"context"
+	"fmt"
 	"log"
 	"net"
 
@@ -27,14 +28,17 @@ func (s *server) SayHello(ctx context.Context, in *pb.HelloRequest) (*pb.HelloRe
 }
 
 func main() {
-	ctx, cancel := context.WithCancel(context.Background())
-	defer cancel()
+	if err := run(context.Background()); err != nil {
+		log.Fatal(err)
+	}
+}
 
+func run(ctx context.Context) error {
 	// Create a `workloadapi.X509Source`, it will connect to Workload API using provided socket path
 	// If socket path is not defined using `workloadapi.SourceOption`, value from environment variable `SPIFFE_ENDPOINT_SOCKET` is used.
 	source, err := workloadapi.NewX509Source(ctx, workloadapi.WithClientOptions(workloadapi.WithAddr(socketPath)))
 	if err != nil {
-		log.Fatalf("Unable to create X509Source: %v", err)
+		return fmt.Errorf("unable to create X509Source: %w", err)
 	}
 	defer source.Close()
 
@@ -48,12 +52,13 @@ func main() {
 
 	lis, err := net.Listen("tcp", "127.0.0.1:50051")
 	if err != nil {
-		log.Fatalf("Error creating listener: %v", err)
+		return fmt.Errorf("error creating listener: %w", err)
 	}
 
 	pb.RegisterGreeterServer(s, &server{})
 
 	if err := s.Serve(lis); err != nil {
-		log.Fatal(err)
+		return fmt.Errorf("failed to serve: %w", err)
 	}
+	return nil
 }