gosec severity=medium passes, all severity=low errors are from unhandled errors, we have 107 of them. tbh it doesn't look worth it to me, but maybe there are a few assholes even itchier than mine out there. medium has some good stuff in it, and of course high makes sense if we're gonna do this at all. this adds some nosec annotations for some things like sql sprintfs where we know it's clean (we're constructing the strings with variables in them). fixed up other spots where we were sprinting without need. some stuff like filepath.Clean when opening a file from a variable, and file permissions, easy stuff... I can't get the CI build to shut up, but I can locally get it to be pretty quiet about imports and it just outputs the gosec output. fortunately, it still works as expected even when it's noisy. I got it to shut up by unsetting some of the go mod flags locally, but that doesn't seem to quite do it in circle, printed the env out and don't see them, so idk... i give up, this works closes #1303
package common
import (
"crypto/tls"
"crypto/x509"
"errors"
"fmt"
"io/ioutil"
"os"
"path/filepath"
)
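// NewTLSSimple creates a new tls config with the given cert and key file paths.
//
// Both paths are validated with checkFile before the key pair is loaded, so a
// missing or unreadable path yields an error naming the path instead of the
// lower-level parse failure from crypto/tls. The returned config carries the
// loaded certificate and refuses to negotiate anything below TLS 1.2.
//
// The error from tls.LoadX509KeyPair is wrapped, so callers can inspect the
// underlying cause with errors.As.
func NewTLSSimple(certPath, keyPath string) (*tls.Config, error) {
	if err := checkFile(certPath); err != nil {
		return nil, err
	}
	if err := checkFile(keyPath); err != nil {
		return nil, err
	}

	// Load the certificates from disk
	certificate, err := tls.LoadX509KeyPair(certPath, keyPath)
	if err != nil {
		return nil, fmt.Errorf("Could not load server key pair: %w", err)
	}

	return &tls.Config{
		Certificates: []tls.Certificate{certificate},
		// Without an explicit floor the server side still accepts TLS 1.0/1.1
		// handshakes; pin the minimum so deprecated versions are never offered.
		MinVersion: tls.VersionTLS12,
	}, nil
}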
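// AddClientCA adds a client cert to the given tls config.
//
// The PEM bundle at clientCAPath is appended to tlsConf.ClientCAs (the pool is
// created if the config has none) and ClientAuth is set to
// RequireAndVerifyClientCert, so every connecting client must present a
// certificate that chains to one of those CAs.
//
// tlsConf is only modified after the file has been read and at least one
// certificate parsed; on any failure the config is left as it was. A nil
// tlsConf is reported as an error rather than dereferenced.
func AddClientCA(tlsConf *tls.Config, clientCAPath string) error {
	if tlsConf == nil {
		return errors.New("cannot add client CA to a nil tls config")
	}
	if err := checkFile(clientCAPath); err != nil {
		return err
	}

	// Create a certificate pool from the certificate authority
	authority, err := ioutil.ReadFile(filepath.Clean(clientCAPath))
	if err != nil {
		return fmt.Errorf("Could not read client CA (%s) certificate: %w", clientCAPath, err)
	}

	pool := tlsConf.ClientCAs
	if pool == nil {
		pool = x509.NewCertPool()
	}
	// AppendCertsFromPEM reports false when not a single certificate could be
	// parsed from the file; in that case nothing has been added to the pool.
	if ok := pool.AppendCertsFromPEM(authority); !ok {
		return errors.New("Failed to append client certs")
	}

	// Commit to the config only now that the trust set is known to be non-empty.
	tlsConf.ClientCAs = pool
	tlsConf.ClientAuth = tls.RequireAndVerifyClientCert
	return nil
}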
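// AddCA adds a ca cert to the given tls config.
//
// The PEM bundle at caPath is appended to tlsConf.RootCAs, creating the pool
// when the config has none, so that peers presenting certificates issued by
// that CA are trusted by this config.
//
// tlsConf is only modified after the file has been read and at least one
// certificate parsed; on any failure the config is left as it was. A nil
// tlsConf is reported as an error rather than dereferenced.
func AddCA(tlsConf *tls.Config, caPath string) error {
	if tlsConf == nil {
		return errors.New("cannot add ca to a nil tls config")
	}
	if err := checkFile(caPath); err != nil {
		return err
	}

	ca, err := ioutil.ReadFile(filepath.Clean(caPath))
	if err != nil {
		return fmt.Errorf("could not read ca (%s) certificate: %w", caPath, err)
	}

	pool := tlsConf.RootCAs
	if pool == nil {
		pool = x509.NewCertPool()
	}
	// Append the certificates from the CA. A false result means no certificate
	// parsed and the pool is unchanged.
	if ok := pool.AppendCertsFromPEM(ca); !ok {
		return errors.New("failed to append ca certs")
	}

	tlsConf.RootCAs = pool
	return nil
}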
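// checkFile verifies that path resolves to an existing regular file.
//
// It is a pre-flight check run before a path is handed to crypto/tls, so the
// caller gets an error naming the offending path instead of an opaque parse
// failure. The check is advisory: the file can still change between this stat
// and the later read, so callers must still handle errors from the read itself.
func checkFile(path string) error {
	absPath, err := filepath.Abs(path)
	if err != nil {
		return fmt.Errorf("Unable to resolve %v for TLS: please specify a valid and readable file", path)
	}
	info, err := os.Stat(absPath)
	if err != nil {
		return fmt.Errorf("Cannot stat %v for TLS: please specify a valid and readable file", absPath)
	}
	// A directory (or device, socket, ...) would pass a bare existence check and
	// only fail later inside ReadFile/LoadX509KeyPair with a less helpful error.
	// os.Stat follows symlinks, so a link to a regular file is accepted.
	if !info.Mode().IsRegular() {
		return fmt.Errorf("%v is not a regular file: please specify a valid and readable file", absPath)
	}
	return nil
}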