From 68c3d506c58f4c2f6d02deabd0a3d4ec94af7c52 Mon Sep 17 00:00:00 2001 From: Jim Date: Sun, 1 Oct 2023 10:35:56 -0400 Subject: [PATCH] chore: add workflows to check for fmt and copywrite deltas --- .github/workflows/make-gen-delta.yml | 42 ++++++++ Makefile | 12 +++ jwt/docs.go | 26 ++--- jwt/keyset.go | 1 - ldap/client_test.go | 1 - ldap/conn_test.go | 2 +- oidc/access_token.go | 2 +- oidc/callback/authcode_test.go | 1 - oidc/config_test.go | 1 - oidc/docs.go | 6 +- oidc/examples/spa/request_cache.go | 2 - oidc/internal/base62/base62.go | 6 +- oidc/options_test.go | 1 - oidc/pkce_verifier.go | 1 - oidc/provider.go | 3 +- oidc/request_test.go | 1 - oidc/testing_provider.go | 117 +++++++++++----------- saml/models/metadata/entity_descriptor.go | 11 +- saml/response_test.go | 1 - saml/sp_test.go | 2 +- util/util.go | 2 +- 21 files changed, 141 insertions(+), 100 deletions(-) create mode 100644 .github/workflows/make-gen-delta.yml create mode 100644 Makefile diff --git a/.github/workflows/make-gen-delta.yml b/.github/workflows/make-gen-delta.yml new file mode 100644 index 0000000..d69af34 --- /dev/null +++ b/.github/workflows/make-gen-delta.yml @@ -0,0 +1,42 @@ +name: "make-gen-delta" +on: + - workflow_dispatch + - push + - workflow_call + +permissions: + contents: read + +jobs: + make-gen-delta: + name: "Check for uncommitted changes from make gen" + runs-on: ${{ fromJSON(vars.RUNNER) }} + steps: + - uses: actions/checkout@c85c95e3d7251135ab7dc9ce3241c5835cc595a9 # v3.5.3 + with: + fetch-depth: '0' + - name: Determine Go version + id: get-go-version + # We use .go-version as our source of truth for current Go + # version, because "goenv" can react to it automatically. + run: | + echo "Building with Go $(cat .go-version)" + echo "go-version=$(cat .go-version)" >> "$GITHUB_OUTPUT" + - name: Set up Go + uses: actions/setup-go@93397bea11091df50f3d7e59dc26a7711a8bcfbe # v4.1.0 + with: + go-version: "${{ steps.get-go-version.outputs.go-version }}" + - name: Running go mod tidy + run: | + go mod tidy + - name: Install Dependencies + run: | + make tools + - name: Running make gen + run: | + make gen + - name: Check for changes + run: | + git diff --exit-code + git status --porcelain + test -z "$(git status --porcelain)" diff --git a/Makefile b/Makefile new file mode 100644 index 0000000..4c44116 --- /dev/null +++ b/Makefile @@ -0,0 +1,12 @@ +# Format Go files, ignoring files marked as generated through the header defined at +# https://pkg.go.dev/cmd/go#hdr-Generate_Go_files_by_processing_source +.PHONY: fmt +fmt: + find . -name \*.go | xargs gofumpt -w + +.PHONY: gen +gen: fmt copywrite + +.PHONY: copywrite +copywrite: + copywrite headers \ No newline at end of file diff --git a/jwt/docs.go b/jwt/docs.go index a5d5b7e..8b0c485 100644 --- a/jwt/docs.go +++ b/jwt/docs.go @@ -13,22 +13,22 @@ JOSE header validation provided by the the package includes the option to valida JWT signature verification is supported by providing keys from the following sources: - - JSON Web Key Set (JWKS) URL - - OIDC Discovery mechanism - - Local public keys + - JSON Web Key Set (JWKS) URL + - OIDC Discovery mechanism + - Local public keys JWT signature verification supports the following asymmetric algorithms as defined in https://www.rfc-editor.org/rfc/rfc7518.html#section-3.1: - - RS256: RSASSA-PKCS1-v1_5 using SHA-256 - - RS384: RSASSA-PKCS1-v1_5 using SHA-384 - - RS512: RSASSA-PKCS1-v1_5 using SHA-512 - - ES256: ECDSA using P-256 and SHA-256 - - ES384: ECDSA using P-384 and SHA-384 - - ES512: ECDSA using P-521 and SHA-512 - - PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256 - - PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384 - - PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512 - - EdDSA: Ed25519 using SHA-512 + - RS256: RSASSA-PKCS1-v1_5 using SHA-256 + - RS384: RSASSA-PKCS1-v1_5 using SHA-384 + - RS512: RSASSA-PKCS1-v1_5 using SHA-512 + - ES256: ECDSA using P-256 and SHA-256 + - ES384: ECDSA using P-384 and SHA-384 + - ES512: ECDSA using P-521 and SHA-512 + - PS256: RSASSA-PSS using SHA-256 and MGF1 with SHA-256 + - PS384: RSASSA-PSS using SHA-384 and MGF1 with SHA-384 + - PS512: RSASSA-PSS using SHA-512 and MGF1 with SHA-512 + - EdDSA: Ed25519 using SHA-512 */ package jwt diff --git a/jwt/keyset.go b/jwt/keyset.go index cfb3a02..253c09a 100644 --- a/jwt/keyset.go +++ b/jwt/keyset.go @@ -28,7 +28,6 @@ import ( // KeySet represents a set of keys that can be used to verify the signatures of JWTs. // A KeySet is expected to be backed by a set of local or remote keys. type KeySet interface { - // VerifySignature parses the given JWT, verifies its signature, and returns the claims in its payload. // The given JWT must be of the JWS compact serialization form. VerifySignature(ctx context.Context, token string) (claims map[string]interface{}, err error) diff --git a/ldap/client_test.go b/ldap/client_test.go index b85c7e5..e4007b7 100644 --- a/ldap/client_test.go +++ b/ldap/client_test.go @@ -79,7 +79,6 @@ func TestClient_renderUserSearchFilter(t *testing.T) { assert.Equal(tc.want, f) }) } - } func TestClient_NewClient(t *testing.T) { diff --git a/ldap/conn_test.go b/ldap/conn_test.go index ad73923..e22be8a 100644 --- a/ldap/conn_test.go +++ b/ldap/conn_test.go @@ -35,7 +35,7 @@ func Test_EscapeValue(t *testing.T) { // Fuzz_EscapeValue is only focused on finding panics func Fuzz_EscapeValue(f *testing.F) { - for tc, _ := range testcases { + for tc := range testcases { f.Add(tc) } f.Fuzz(func(t *testing.T, s string) { diff --git a/oidc/access_token.go b/oidc/access_token.go index 9375983..bb01703 100644 --- a/oidc/access_token.go +++ b/oidc/access_token.go @@ -5,7 +5,7 @@ package oidc import "encoding/json" -// AccessToken is an oauth access_token. +// AccessToken is an oauth access_token. type AccessToken string // RedactedAccessToken is the redacted string or json for an oauth access_token. diff --git a/oidc/callback/authcode_test.go b/oidc/callback/authcode_test.go index f5805ee..e18afb9 100644 --- a/oidc/callback/authcode_test.go +++ b/oidc/callback/authcode_test.go @@ -182,7 +182,6 @@ func Test_AuthCodeResponses(t *testing.T) { return } assert.Equal("login successful", string(contents)) - }) } } diff --git a/oidc/config_test.go b/oidc/config_test.go index 43f37e5..4dd3b00 100644 --- a/oidc/config_test.go +++ b/oidc/config_test.go @@ -852,7 +852,6 @@ func TestConfig_Hash(t *testing.T) { default: assert.NotEqual(got1, got2) } - }) } } diff --git a/oidc/docs.go b/oidc/docs.go index e7edca0..d768105 100644 --- a/oidc/docs.go +++ b/oidc/docs.go @@ -5,7 +5,6 @@ oidc is a package for writing clients that integrate with OIDC Providers using OIDC flows. - Primary types provided by the package: * Request: represents one OIDC authentication flow for a user. It contains the @@ -26,13 +25,13 @@ signing algorithms, additional scopes requested, etc) capabilities like: generating an auth URL, exchanging codes for tokens, verifying tokens, making user info requests, etc. -The oidc.callback package +# The oidc.callback package The callback package includes handlers (http.HandlerFunc) which can be used for the callback leg an OIDC flow. Callback handlers for both the authorization code flow (with optional PKCE) and the implicit flow are provided. -Example apps +# Example apps Complete concise example solutions: @@ -41,6 +40,5 @@ https://github.com/hashicorp/cap/tree/main/oidc/examples/cli/ * OIDC authentication SPA: https://github.com/hashicorp/cap/tree/main/oidc/examples/spa/ - */ package oidc diff --git a/oidc/examples/spa/request_cache.go b/oidc/examples/spa/request_cache.go index eb58234..4c2169e 100644 --- a/oidc/examples/spa/request_cache.go +++ b/oidc/examples/spa/request_cache.go @@ -25,7 +25,6 @@ func newRequestCache() *requestCache { return &requestCache{ c: map[string]extendedRequest{}, } - } // Read implements the callback.StateReader interface and will delete the state @@ -63,7 +62,6 @@ func (rc *requestCache) SetToken(id string, t oidc.Token) error { return nil } return fmt.Errorf("%s: %s not found", op, id) - } func (rc *requestCache) Delete(id string) { diff --git a/oidc/internal/base62/base62.go b/oidc/internal/base62/base62.go index 9f8c20d..348a040 100644 --- a/oidc/internal/base62/base62.go +++ b/oidc/internal/base62/base62.go @@ -12,8 +12,10 @@ import ( uuid "github.com/hashicorp/go-uuid" ) -const charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" -const csLen = byte(len(charset)) +const ( + charset = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789" + csLen = byte(len(charset)) +) // Random generates a random string using base-62 characters. // Resulting entropy is ~5.95 bits/character. diff --git a/oidc/options_test.go b/oidc/options_test.go index 7df8f0b..3308fab 100644 --- a/oidc/options_test.go +++ b/oidc/options_test.go @@ -33,7 +33,6 @@ func Test_WithNow(t *testing.T) { testOpts := tokenDefaults() testOpts.withNowFunc = testNow testAssertEqualFunc(t, opts.withNowFunc, testNow, "now = %p,want %p", opts.withNowFunc, testNow) - }) t.Run("reqOptions", func(t *testing.T) { opts := getReqOpts(WithNow(testNow)) diff --git a/oidc/pkce_verifier.go b/oidc/pkce_verifier.go index aa31b53..04d3490 100644 --- a/oidc/pkce_verifier.go +++ b/oidc/pkce_verifier.go @@ -26,7 +26,6 @@ const ( // // See: https://tools.ietf.org/html/rfc7636#section-4.1 type CodeVerifier interface { - // Verifier returns the code verifier (see: // https://tools.ietf.org/html/rfc7636#section-4.1) Verifier() string diff --git a/oidc/provider.go b/oidc/provider.go index 6f559d5..0917b92 100644 --- a/oidc/provider.go +++ b/oidc/provider.go @@ -295,7 +295,7 @@ func (p *Provider) Exchange(ctx context.Context, oidcRequest Request, authorizat } // Add the "openid" scope, which is a required scope for oidc flows scopes = append([]string{oidc.ScopeOpenID}, scopes...) - var oauth2Config = oauth2.Config{ + oauth2Config := oauth2.Config{ ClientID: p.config.ClientID, ClientSecret: string(p.config.ClientSecret), RedirectURL: oidcRequest.RedirectURL(), @@ -664,7 +664,6 @@ func (p *Provider) HTTPClientContext(ctx context.Context) (context.Context, erro c, err := p.HTTPClient() if err != nil { return nil, fmt.Errorf("%s: %w", op, err) - } // simple to implement as a wrapper for the coreos package return oidc.ClientContext(ctx, c), nil diff --git a/oidc/request_test.go b/oidc/request_test.go index 291391f..1119b87 100644 --- a/oidc/request_test.go +++ b/oidc/request_test.go @@ -108,7 +108,6 @@ func TestRequest_IsExpired(t *testing.T) { require.NoError(err) assert.True(oidcRequest.IsExpired()) }) - } func Test_WithImplicit(t *testing.T) { diff --git a/oidc/testing_provider.go b/oidc/testing_provider.go index 086aa1a..a8c7e5c 100644 --- a/oidc/testing_provider.go +++ b/oidc/testing_provider.go @@ -56,88 +56,91 @@ var ( // Once you've started a TestProvider http server with StartTestProvider(...), // the following test endpoints are supported: // -// * GET /.well-known/openid-configuration OIDC Discovery +// - GET /.well-known/openid-configuration OIDC Discovery // -// * GET or POST /authorize OIDC authorization supporting both -// the authorization code flow (with -// optional PKCE) and the implicit -// flow with form_post. +// - GET or POST /authorize OIDC authorization supporting both +// the authorization code flow (with +// optional PKCE) and the implicit +// flow with form_post. // -// * POST /token OIDC token +// - POST /token OIDC token // -// * GET /userinfo OAuth UserInfo +// - GET /userinfo OAuth UserInfo // -// * GET /.well-known/jwks.json JWKs used to verify issued JWT tokens +// - GET /.well-known/jwks.json JWKs used to verify issued JWT tokens // -// Making requests to these endpoints are facilitated by -// * TestProvider.HTTPClient which returns an http.Client for making requests. -// * TestProvider.CACert which the pem-encoded CA certificate used by the HTTPS server. +// Making requests to these endpoints are facilitated by +// +// - TestProvider.HTTPClient which returns an http.Client for making requests. +// +// - TestProvider.CACert which the pem-encoded CA certificate used by the HTTPS server. // // Runtime Configuration: -// * Issuer: Addr() returns the the current base URL for the test provider's -// running webserver, which can be used as an OIDC Issuer for discovery and -// is also used for the iss claim when issuing JWTs. // -// * Relying Party ClientID/ClientSecret: SetClientCreds(...) updates the -// creds and they are empty by default. +// - Issuer: Addr() returns the the current base URL for the test provider's +// running web server, which can be used as an OIDC Issuer for discovery and +// is also used for the iss claim when issuing JWTs. +// +// - Relying Party ClientID/ClientSecret: SetClientCreds(...) updates the +// creds and they are empty by default. // -// * Now: SetNowFunc(...) updates the provider's "now" function and time.Now -// is the default. +// - Now: SetNowFunc(...) updates the provider's "now" function and time.Now +// is the default. // -// * Subject: SetExpectedSubject(sub string) configures the expected subject for -// any JWTs issued by the provider (the default is "alice@example.com") +// - Subject: SetExpectedSubject(sub string) configures the expected subject for +// any JWTs issued by the provider (the default is "alice@example.com") // -// * Subject Passwords: SetSubjectInfo(...) configures a subject/password -// dictionary. If configured, then an interactive Login form is presented by -// the /authorize endpoint and the TestProvider becomes an interactive test -// provider using the provided subject/password dictionary. +// - Subject Passwords: SetSubjectInfo(...) configures a subject/password +// dictionary. If configured, then an interactive Login form is presented by +// the /authorize endpoint and the TestProvider becomes an interactive test +// provider using the provided subject/password dictionary. // -// * Expiry: SetExpectedExpiry(exp time.Duration) updates the expiry and -// now + 5 * time.Second is the default. +// - Expiry: SetExpectedExpiry(exp time.Duration) updates the expiry and +// now + 5 * time.Second is the default. // -// * Signing keys: SetSigningKeys(...) updates the keys and a ECDSA P-256 pair -// of priv/pub keys are the default with a signing algorithm of ES256 +// - Signing keys: SetSigningKeys(...) updates the keys and a ECDSA P-256 pair +// of priv/pub keys are the default with a signing algorithm of ES256 // -// * Authorization Code: SetExpectedAuthCode(...) updates the auth code -// required by the /authorize endpoint and the code is empty by default. +// - Authorization Code: SetExpectedAuthCode(...) updates the auth code +// required by the /authorize endpoint and the code is empty by default. // -// * Authorization Nonce: SetExpectedAuthNonce(...) updates the nonce required -// by the /authorize endpont and the nonce is empty by default. +// - Authorization Nonce: SetExpectedAuthNonce(...) updates the nonce required +// by the /authorize endpoint and the nonce is empty by default. // -// * Allowed RedirectURIs: SetAllowedRedirectURIs(...) updates the allowed -// redirect URIs and "https://example.com" is the default. +// - Allowed RedirectURIs: SetAllowedRedirectURIs(...) updates the allowed +// redirect URIs and "https://example.com" is the default. // -// * Custom Claims: SetCustomClaims(...) updates custom claims added to JWTs issued -// and the custom claims are empty by default. +// - Custom Claims: SetCustomClaims(...) updates custom claims added to JWTs issued +// and the custom claims are empty by default. // -// * Audiences: SetCustomAudience(...) updates the audience claim of JWTs issued -// and the ClientID is the default. +// - Audiences: SetCustomAudience(...) updates the audience claim of JWTs issued +// and the ClientID is the default. // -// * Authentication Time (auth_time): SetOmitAuthTimeClaim(...) allows you to -// turn off/on the inclusion of an auth_time claim in issued JWTs and the claim -// is included by default. +// - Authentication Time (auth_time): SetOmitAuthTimeClaim(...) allows you to +// turn off/on the inclusion of an auth_time claim in issued JWTs and the claim +// is included by default. // -// * Issuing id_tokens: SetOmitIDTokens(...) allows you to turn off/on the issuing of -// id_tokens from the /token endpoint. id_tokens are issued by default. +// - Issuing id_tokens: SetOmitIDTokens(...) allows you to turn off/on the issuing of +// id_tokens from the /token endpoint. id_tokens are issued by default. // -// * Issuing access_tokens: SetOmitAccessTokens(...) allows you to turn off/on -// the issuing of access_tokens from the /token endpoint. access_tokens are issued -// by default. +// - Issuing access_tokens: SetOmitAccessTokens(...) allows you to turn off/on +// the issuing of access_tokens from the /token endpoint. access_tokens are issued +// by default. // -// * Authorization State: SetExpectedState sets the value for the state parameter -// returned from the /authorized endpoint +// - Authorization State: SetExpectedState sets the value for the state parameter +// returned from the /authorized endpoint // -// * Token Responses: SetDisableToken disables the /token endpoint, causing -// it to return a 401 http status. +// - Token Responses: SetDisableToken disables the /token endpoint, causing +// it to return a 401 http status. // -// * Implicit Flow Responses: SetDisableImplicit disables implicit flow responses, -// causing them to return a 401 http status. +// - Implicit Flow Responses: SetDisableImplicit disables implicit flow responses, +// causing them to return a 401 http status. // -// * PKCE verifier: SetPKCEVerifier(oidc.CodeVerifier) sets the PKCE code_verifier -// and PKCEVerifier() returns the current verifier. +// - PKCE verifier: SetPKCEVerifier(oidc.CodeVerifier) sets the PKCE code_verifier +// and PKCEVerifier() returns the current verifier. // -// * UserInfo: SetUserInfoReply sets the UserInfo endpoint response and -// UserInfoReply() returns the current response. +// - UserInfo: SetUserInfoReply sets the UserInfo endpoint response and +// UserInfoReply() returns the current response. type TestProvider struct { httpServer *httptest.Server caCert string @@ -351,7 +354,6 @@ func getTestProviderOpts(t TestingT, opt ...Option) testProviderOptions { } // withTestSubject provides the option to provide a subject -// func withTestSubject(s string) Option { return func(o interface{}) { if o, ok := o.(*testProviderOptions); ok { @@ -361,7 +363,6 @@ func withTestSubject(s string) Option { } // withTestNonce provides the option to provide a nonce -// func withTestNonce(n string) Option { return func(o interface{}) { if o, ok := o.(*testProviderOptions); ok { diff --git a/saml/models/metadata/entity_descriptor.go b/saml/models/metadata/entity_descriptor.go index 63fc555..dc1fe2c 100644 --- a/saml/models/metadata/entity_descriptor.go +++ b/saml/models/metadata/entity_descriptor.go @@ -152,20 +152,17 @@ type AuthnAuthorityDescriptor struct { NameIDFormats []core.NameIDFormat } -type PDPDescriptor struct { -} +type PDPDescriptor struct{} // AttributeAuthorityDescriptor is a compatibiity requirement // for supporting legacy or other SPs that rely on queries for // attributes. -type AttributeAuthorityDescriptor struct { -} +type AttributeAuthorityDescriptor struct{} // AffiliationDescriptor represents a group of other -// entitites, such as related service providers that +// entities, such as related service providers that // share a persistent NameID. -type AffiliationDescriptor struct { -} +type AffiliationDescriptor struct{} // X509Data contains one ore more identifiers of keys or X509 certifactes. // See https://www.w3.org/TR/xmldsig-core1/#sec-X509Data diff --git a/saml/response_test.go b/saml/response_test.go index 38ebc19..574b38b 100644 --- a/saml/response_test.go +++ b/saml/response_test.go @@ -269,7 +269,6 @@ func TestServiceProvider_ParseResponseCustomACS(t *testing.T) { require.ErrorContains(t, err, c.err) }) } - } // From https://www.samltool.com/generic_sso_res.php diff --git a/saml/sp_test.go b/saml/sp_test.go index 9370fa3..77aabb4 100644 --- a/saml/sp_test.go +++ b/saml/sp_test.go @@ -221,7 +221,7 @@ func Test_ServiceProvider_FetchMetadata_Cache(t *testing.T) { if tt.expectErrorOnRefresh { r.Error(err) return - } + } r.NoError(err) r.NotNil(got2) diff --git a/util/util.go b/util/util.go index f2b5f03..0097e50 100644 --- a/util/util.go +++ b/util/util.go @@ -31,7 +31,7 @@ func IsWSL() (bool, error) { isDocker := strings.Contains(strings.ToLower(string(cgroupData)), "/docker/") isLxc := strings.Contains(strings.ToLower(string(cgroupData)), "/lxc/") isMsLinux := strings.Contains(strings.ToLower(string(procData)), "microsoft") - + return isMsLinux && !(isDocker || isLxc), nil }