lint

.golangci.yml

@@ -467,10 +467,6 @@ issues:
       path: pkg/hubtest/hubtest_item.go
       text: "cyclomatic: .*RunWithLogFile"
 
-    - linters:
-        - canonicalheader
-      path: pkg/apiserver/middlewares/v1/tls_auth.go
-
     # tolerate complex functions in tests for now
     - linters:
         - maintidx

pkg/apiserver/middlewares/v1/cache.go

@@ -1,11 +1,10 @@
 package v1
 
 import (
+	"crypto/x509"
 	"sync"
 	"time"
 
-	"crypto/x509"
-
 	log "github.com/sirupsen/logrus"
 )
 
@@ -88,7 +87,7 @@ func (rc *RevocationCache) Set(cert *x509.Certificate, err error) {
 	defer rc.mu.Unlock()
 
 	rc.cache[key] = cacheEntry{
-		err:   err,
+		err:       err,
 		timestamp: time.Now(),
 	}
 }

pkg/apiserver/middlewares/v1/crl.go

@@ -36,7 +36,7 @@ func NewCRLChecker(crlPath string, onLoad func(), logger *log.Entry) (*CRLChecke
 	return cc, nil
 }
 
-func (*CRLChecker) decodeCRLs(content []byte, logger *log.Entry) ([]*x509.RevocationList, error) {
+func (*CRLChecker) decodeCRLs(content []byte) ([]*x509.RevocationList, error) {
 	var crls []*x509.RevocationList
 
 	for {
@@ -87,14 +87,13 @@ func (cc *CRLChecker) refresh() error {
 		return fmt.Errorf("could not read CRL file: %w", err)
 	}
 
-	cc.crls, err = cc.decodeCRLs(crlContent, cc.logger)
+	cc.crls, err = cc.decodeCRLs(crlContent)
 	if err != nil {
 		return err
 	}
+
 	cc.fileInfo = fileInfo
 	cc.lastLoad = time.Now()
-
-	cc.logger.Debugf("loaded %d CRLs", len(cc.crls))
 	cc.onLoad()
 
 	return nil

pkg/apiserver/middlewares/v1/jwt.go

@@ -60,6 +60,7 @@ func (j *JWT) authTLS(c *gin.Context) (*authInput, error) {
 	if j.TlsAuth == nil {
 		err := errors.New("tls authentication required")
 		log.Warn(err)
+
 		return nil, err
 	}
 

pkg/apiserver/middlewares/v1/ocsp.go

@@ -43,7 +43,7 @@ func (oc *OCSPChecker) query(server string, cert *x509.Certificate, issuer *x509
 
 	httpRequest.Header.Add("Content-Type", "application/ocsp-request")
 	httpRequest.Header.Add("Accept", "application/ocsp-response")
-	httpRequest.Header.Add("host", ocspURL.Host)
+	httpRequest.Header.Add("Host", ocspURL.Host)
 
 	httpClient := &http.Client{}
 

pkg/apiserver/middlewares/v1/tls_auth.go

@@ -48,14 +48,16 @@ func (ta *TLSAuth) checkRevocationPath(chain []*x509.Certificate) (error, bool)
 
 		revokedByOCSP, checkedByOCSP := ta.ocspChecker.isRevokedBy(cert, issuer)
 		couldCheck = couldCheck && checkedByOCSP
+
 		if revokedByOCSP && checkedByOCSP {
-			return fmt.Errorf("certificate revoked by OCSP"), couldCheck
+			return errors.New("certificate revoked by OCSP"), couldCheck
 		}
 
 		revokedByCRL, checkedByCRL := ta.crlChecker.isRevokedBy(cert, issuer)
 		couldCheck = couldCheck && checkedByCRL
+
 		if revokedByCRL && checkedByCRL {
-			return fmt.Errorf("certificate revoked by CRL"), couldCheck
+			return errors.New("certificate revoked by CRL"), couldCheck
 		}
 	}
 
@@ -115,13 +117,14 @@ func (ta *TLSAuth) ValidateCert(c *gin.Context) (string, error) {
 	}
 
 	if ta.isExpired(leaf) {
-		return "", fmt.Errorf("client certificate is expired")
+		return "", errors.New("client certificate is expired")
 	}
 
 	if validErr, cached := ta.revocationCache.Get(leaf); cached {
 		if validErr != nil {
 			return "", fmt.Errorf("(cache) %w", validErr)
 		}
+
 		return leaf.Subject.CommonName, nil
 	}
 
@@ -134,6 +137,7 @@ func (ta *TLSAuth) ValidateCert(c *gin.Context) (string, error) {
 	for _, chain := range c.Request.TLS.VerifiedChains {
 		validErr, couldCheck = ta.checkRevocationPath(chain)
 		okToCache = okToCache && couldCheck
+
 		if validErr != nil {
 			break
 		}