Fix gosec, govet, and errorlint linter errors

Co-authored-by: Junie <junie@jetbrains.com>
2026-03-15 10:04:12 -07:00
parent dd31e440e6
commit fbaf79a8a0
35 changed files with 236 additions and 232 deletions


@@ -42,13 +42,13 @@ type issuerState struct {
// CAEngine implements the CA (PKI) engine.
type CAEngine struct {
mu sync.RWMutex
barrier barrier.Barrier
mountPath string
rootKey crypto.PrivateKey
config *CAConfig
rootCert *x509.Certificate
rootKey crypto.PrivateKey
issuers map[string]*issuerState
mountPath string
mu sync.RWMutex
}
// NewCAEngine creates a new CA engine instance.
@@ -788,13 +788,13 @@ func (e *CAEngine) handleIssue(ctx context.Context, req *engine.Request) (*engin
return &engine.Response{
Data: map[string]interface{}{
"serial": serial,
"cert_pem": string(leafCertPEM),
"key_pem": string(leafKeyPEM),
"chain_pem": string(chainPEM),
"cn": cn,
"sans": allSANs,
"issued_by": req.CallerInfo.Username,
"serial": serial,
"cert_pem": string(leafCertPEM),
"key_pem": string(leafKeyPEM),
"chain_pem": string(chainPEM),
"cn": cn,
"sans": allSANs,
"issued_by": req.CallerInfo.Username,
"expires_at": leafCert.NotAfter,
},
}, nil
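Review bot: The fieldalignment reorder of CAEngine moves `mu sync.RWMutex` to the last position, away from the state it protects, and the Registry struct in the engine types section further down gets the same treatment; with the lock no longer adjacent to the guarded fields, the declaration no longer tells a reader what must be held. A one-line comment on the mutex would restore that, e.g. `mu sync.RWMutex // guards issuers and the root material — confirm against the methods that take the lock`, with the Registry counterpart naming whichever of `mounts`/`factories` its methods actually lock around. The handleIssue hunk only re-aligns the map keys, and the enclosing function starts and ends outside the hunk. This page does not mark which line of each printed pair is old or new, so the note assumes the ordering that puts `mu` last is the new side.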


@@ -4,6 +4,7 @@ import (
"context"
"crypto/x509"
"encoding/pem"
"errors"
"strings"
"sync"
"testing"
@@ -15,8 +16,8 @@ import (
// memBarrier is an in-memory barrier for testing.
type memBarrier struct {
mu sync.RWMutex
data map[string][]byte
mu sync.RWMutex
}
func newMemBarrier() *memBarrier {
@@ -82,7 +83,7 @@ func setupEngine(t *testing.T) (*CAEngine, *memBarrier) {
ctx := context.Background()
config := map[string]interface{}{
"organization": "TestOrg",
"organization": "TestOrg",
"key_algorithm": "ecdsa",
"key_size": float64(256),
"root_expiry": "87600h",
@@ -133,7 +134,7 @@ func TestInitializeWithImportedRoot(t *testing.T) {
ctx := context.Background()
config := map[string]interface{}{
"organization": "ImportOrg",
"organization": "ImportOrg",
"root_cert_pem": string(rootPEM),
"root_key_pem": string(srcKeyPEM),
}
@@ -272,7 +273,7 @@ func TestCreateIssuerRejectsNonAdmin(t *testing.T) {
if err == nil {
t.Fatal("expected error for non-admin create-issuer")
}
if err != ErrForbidden {
if !errors.Is(err, ErrForbidden) {
t.Errorf("expected ErrForbidden, got: %v", err)
}
}
@@ -289,7 +290,7 @@ func TestCreateIssuerRejectsNilCallerInfo(t *testing.T) {
}
_, err := eng.HandleRequest(ctx, req)
if err != ErrUnauthorized {
if !errors.Is(err, ErrUnauthorized) {
t.Errorf("expected ErrUnauthorized, got: %v", err)
}
}
@@ -427,7 +428,7 @@ func TestIssueRejectsNilCallerInfo(t *testing.T) {
"common_name": "test.example.com",
},
})
if err != ErrUnauthorized {
if !errors.Is(err, ErrUnauthorized) {
t.Errorf("expected ErrUnauthorized, got: %v", err)
}
}
@@ -746,7 +747,7 @@ func TestImportRootRequiresAdmin(t *testing.T) {
"key_pem": "fake",
},
})
if err != ErrForbidden {
if !errors.Is(err, ErrForbidden) {
t.Errorf("expected ErrForbidden, got: %v", err)
}
}
@@ -798,7 +799,7 @@ func TestPublicMethods(t *testing.T) {
// Test nonexistent issuer.
_, err = eng.GetIssuerCertPEM("nonexistent")
if err != ErrIssuerNotFound {
if !errors.Is(err, ErrIssuerNotFound) {
t.Errorf("expected ErrIssuerNotFound, got: %v", err)
}
}
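Review bot: Changing the sentinel comparisons from `!=` to `errors.Is` makes these tests accept a wrapped ErrForbidden, ErrUnauthorized or ErrIssuerNotFound, so they no longer pin that HandleRequest and GetIssuerCertPEM return the sentinel itself; that relaxation is only safe if every non-test consumer of these errors also uses `errors.Is` rather than `==`, which this page cannot show and is worth checking before relying on it. The same applies to the ErrMountExists and ErrMountNotFound checks in the registry tests further down. In TestCreateIssuerRejectsNonAdmin the preceding `if err == nil` check is now redundant, since `errors.Is(nil, ErrForbidden)` is false, so the two checks could collapse into one `t.Fatalf("expected ErrForbidden for non-admin create-issuer, got: %v", err)` branch.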


@@ -6,32 +6,32 @@ import "time"
type CAConfig struct {
Organization string `json:"organization"`
Country string `json:"country,omitempty"`
KeyAlgorithm string `json:"key_algorithm"` // "ecdsa", "rsa", "ed25519"
KeySize int `json:"key_size"` // e.g. 384 for ECDSA, 4096 for RSA
RootExpiry string `json:"root_expiry"` // e.g. "87600h" (10 years)
KeyAlgorithm string `json:"key_algorithm"`
RootExpiry string `json:"root_expiry"`
KeySize int `json:"key_size"`
}
// IssuerConfig is per-issuer configuration stored in the barrier.
type IssuerConfig struct {
CreatedAt time.Time `json:"created_at"`
Name string `json:"name"`
KeyAlgorithm string `json:"key_algorithm"`
KeySize int `json:"key_size"`
Expiry string `json:"expiry"` // issuer cert expiry, e.g. "26280h" (3 years)
MaxTTL string `json:"max_ttl"` // max leaf cert TTL, e.g. "8760h" (1 year)
Expiry string `json:"expiry"`
MaxTTL string `json:"max_ttl"`
CreatedBy string `json:"created_by"`
CreatedAt time.Time `json:"created_at"`
KeySize int `json:"key_size"`
}
// CertRecord is metadata for an issued certificate, stored in the barrier.
// The private key is NOT stored.
type CertRecord struct {
IssuedAt time.Time `json:"issued_at"`
ExpiresAt time.Time `json:"expires_at"`
Serial string `json:"serial"`
Issuer string `json:"issuer"`
CN string `json:"cn"`
SANs []string `json:"sans,omitempty"`
Profile string `json:"profile"`
CertPEM string `json:"cert_pem"`
IssuedBy string `json:"issued_by"`
IssuedAt time.Time `json:"issued_at"`
ExpiresAt time.Time `json:"expires_at"`
SANs []string `json:"sans,omitempty"`
}
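Review bot: The reordered CAConfig and IssuerConfig drop the trailing comments that documented accepted values — `// "ecdsa", "rsa", "ed25519"` on KeyAlgorithm, `// e.g. 384 for ECDSA, 4096 for RSA` on KeySize, `// e.g. "87600h" (10 years)` on RootExpiry, and the expiry and max-TTL examples on IssuerConfig.Expiry and MaxTTL — assuming the uncommented lines are the new side, as the print order suggests and as an automated fieldalignment fix tends to produce. Those comments are the only place on this page that states which algorithms KeyAlgorithm accepts and that KeySize is interpreted per algorithm, so they should be carried over verbatim onto the moved lines. CertRecord keeps its doc comment and needs nothing.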


@@ -39,10 +39,10 @@ type CallerInfo struct {
// Request is a request to an engine.
type Request struct {
Operation string
Path string
Data map[string]interface{}
CallerInfo *CallerInfo
Operation string
Path string
}
// Response is a response from an engine.
@@ -69,19 +69,19 @@ type Factory func() Engine
// Mount represents a mounted engine instance.
type Mount struct {
Engine Engine `json:"-"`
Name string `json:"name"`
Type EngineType `json:"type"`
MountPath string `json:"mount_path"`
Engine Engine `json:"-"`
}
// Registry manages mounted engine instances.
type Registry struct {
mu sync.RWMutex
barrier barrier.Barrier
mounts map[string]*Mount
factories map[EngineType]Factory
barrier barrier.Barrier
logger *slog.Logger
mu sync.RWMutex
}
// NewRegistry creates a new engine registry.


@@ -2,6 +2,7 @@ package engine
import (
"context"
"errors"
"log/slog"
"testing"
@@ -31,10 +32,12 @@ func (m *mockEngine) HandleRequest(_ context.Context, _ *Request) (*Response, er
type mockBarrier struct{}
func (m *mockBarrier) Unseal(_ []byte) error { return nil }
func (m *mockBarrier) Seal() error { return nil }
func (m *mockBarrier) IsSealed() bool { return false }
func (m *mockBarrier) Get(_ context.Context, _ string) ([]byte, error) { return nil, barrier.ErrNotFound }
func (m *mockBarrier) Unseal(_ []byte) error { return nil }
func (m *mockBarrier) Seal() error { return nil }
func (m *mockBarrier) IsSealed() bool { return false }
func (m *mockBarrier) Get(_ context.Context, _ string) ([]byte, error) {
return nil, barrier.ErrNotFound
}
func (m *mockBarrier) Put(_ context.Context, _ string, _ []byte) error { return nil }
func (m *mockBarrier) Delete(_ context.Context, _ string) error { return nil }
func (m *mockBarrier) List(_ context.Context, _ string) ([]string, error) { return nil, nil }
@@ -59,7 +62,7 @@ func TestRegistryMountUnmount(t *testing.T) {
}
// Duplicate mount should fail.
if err := reg.Mount(ctx, "default", EngineTypeTransit, nil); err != ErrMountExists {
if err := reg.Mount(ctx, "default", EngineTypeTransit, nil); !errors.Is(err, ErrMountExists) {
t.Fatalf("expected ErrMountExists, got: %v", err)
}
@@ -75,7 +78,7 @@ func TestRegistryMountUnmount(t *testing.T) {
func TestRegistryUnmountNotFound(t *testing.T) {
reg := NewRegistry(&mockBarrier{}, slog.Default())
if err := reg.Unmount(context.Background(), "nonexistent"); err != ErrMountNotFound {
if err := reg.Unmount(context.Background(), "nonexistent"); !errors.Is(err, ErrMountNotFound) {
t.Fatalf("expected ErrMountNotFound, got: %v", err)
}
}
@@ -106,7 +109,7 @@ func TestRegistryHandleRequest(t *testing.T) {
}
_, err = reg.HandleRequest(ctx, "nonexistent", &Request{})
if err != ErrMountNotFound {
if !errors.Is(err, ErrMountNotFound) {
t.Fatalf("expected ErrMountNotFound, got: %v", err)
}
}