From 62300d6154b74c66ad4898143ecd43e21f94e662 Mon Sep 17 00:00:00 2001 From: Thomas Tendyck Date: Fri, 15 Mar 2024 14:49:52 +0100 Subject: [PATCH] add golangci-lint --- .github/workflows/golangci-lint.yml | 35 +++++++++++++++++++++++ .golangci.yml | 6 ++++ eclient/doc.go | 3 ++ ecrypto/doc.go | 2 +- ecrypto/ecrypto.go | 2 ++ ecrypto/ecrypto_test.go | 2 ++ ego/cli/bundle.go | 6 ++-- ego/cli/elf_test.go | 7 ++--- ego/cli/install.go | 14 ++++++---- ego/cli/install_test.go | 43 +++++++++++++++-------------- ego/cmd/bundle/main.go | 2 +- ego/cmd/bundle/main_test.go | 5 ++-- ego/cmd/concurrency-test/main.go | 2 +- ego/cmd/marble-test/main.go | 3 +- enclave/doc.go | 3 +- enclave/ert.go | 8 +++--- internal/attestation/claim.go | 1 + internal/attestation/maa.go | 4 +-- internal/attestation/maa_test.go | 2 +- 19 files changed, 100 insertions(+), 50 deletions(-) create mode 100644 .github/workflows/golangci-lint.yml create mode 100644 .golangci.yml diff --git a/.github/workflows/golangci-lint.yml b/.github/workflows/golangci-lint.yml new file mode 100644 index 00000000..60138ee8 --- /dev/null +++ b/.github/workflows/golangci-lint.yml @@ -0,0 +1,35 @@ +name: golangci-lint +on: + push: + branches: + - master + - main + pull_request: + +permissions: + contents: read + # Optional: allow read access to pull request. Use with `only-new-issues` option. + # pull-requests: read + +jobs: + golangci: + name: lint + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v4 + + - uses: actions/setup-go@v5 + with: + go-version: "1.21" + cache: false + + - name: golangci-lint / + uses: golangci/golangci-lint-action@v4 + with: + version: v1.56 + + - name: golangci-lint /ego + uses: golangci/golangci-lint-action@v4 + with: + version: v1.56 + working-directory: ego diff --git a/.golangci.yml b/.golangci.yml new file mode 100644 index 00000000..59225156 --- /dev/null +++ b/.golangci.yml @@ -0,0 +1,6 @@ +run: + timeout: 10m + build-tags: [ego_mock_eclient] + +linters: + enable: [gofumpt] diff --git a/eclient/doc.go b/eclient/doc.go index 579241ed..5238ee6d 100644 --- a/eclient/doc.go +++ b/eclient/doc.go @@ -11,13 +11,16 @@ Use this package for programs that don't run in an enclave themselves but intera enclaved programs. Those non-enclaved programs are often called third parties or relying parties. This package requires libcrypto. On Ubuntu install it with: + sudo apt install libssl-dev This package requires the following environment variables to be set during build: + CGO_CFLAGS=-I/opt/ego/include CGO_LDFLAGS=-L/opt/ego/lib Or if using the EGo snap: + CGO_CFLAGS=-I/snap/ego-dev/current/opt/ego/include CGO_LDFLAGS=-L/snap/ego-dev/current/opt/ego/lib diff --git a/ecrypto/doc.go b/ecrypto/doc.go index 135dda93..e37f32a8 100644 --- a/ecrypto/doc.go +++ b/ecrypto/doc.go @@ -7,7 +7,7 @@ /* Package ecrypto provides convenience functions for cryptography inside an enclave. -Sealing +# Sealing Sealing is the process of encrypting data with a key derived from the enclave and the CPU it is running on. Sealed data can only be decrypted by the same enclave and CPU. Use it to persist data to disk. diff --git a/ecrypto/ecrypto.go b/ecrypto/ecrypto.go index d8c6f725..21340842 100644 --- a/ecrypto/ecrypto.go +++ b/ecrypto/ecrypto.go @@ -29,9 +29,11 @@ type enclaveSealer struct{} func (enclaveSealer) GetUniqueSealKey() (key, keyInfo []byte, err error) { return enclave.GetUniqueSealKey() } + func (enclaveSealer) GetProductSealKey() (key, keyInfo []byte, err error) { return enclave.GetProductSealKey() } + func (enclaveSealer) GetSealKey(keyInfo []byte) ([]byte, error) { return enclave.GetSealKey(keyInfo) } diff --git a/ecrypto/ecrypto_test.go b/ecrypto/ecrypto_test.go index 550e023b..ce7bcaa5 100644 --- a/ecrypto/ecrypto_test.go +++ b/ecrypto/ecrypto_test.go @@ -22,9 +22,11 @@ type stubSealer struct{} func (stubSealer) GetUniqueSealKey() (key, keyInfo []byte, err error) { return []byte("1234567890123456"), []byte("unique"), nil } + func (stubSealer) GetProductSealKey() (key, keyInfo []byte, err error) { return []byte("2345678901234567"), []byte("product"), nil } + func (stubSealer) GetSealKey(keyInfo []byte) ([]byte, error) { switch string(keyInfo) { case "unique": diff --git a/ego/cli/bundle.go b/ego/cli/bundle.go index 172f8f34..6f985921 100644 --- a/ego/cli/bundle.go +++ b/ego/cli/bundle.go @@ -39,7 +39,7 @@ func (c *Cli) Bundle(filename string, outputFilename string) (reterr error) { if err != nil { return err } - defer c.fs.Remove(tarFilename) + defer func() { _ = c.fs.Remove(tarFilename) }() if outputFilename == "" { outputFilename = filepath.Base(filename) + "-bundle" @@ -51,7 +51,7 @@ func (c *Cli) Bundle(filename string, outputFilename string) (reterr error) { } defer func() { if reterr != nil { - c.fs.Remove(outputFilename) + _ = c.fs.Remove(outputFilename) } }() @@ -125,7 +125,7 @@ func (c *Cli) buildImage(enclaveFilename string) (tempFileName string, reterr er } defer func() { if reterr != nil { - c.fs.Remove(tempFile.Name()) + _ = c.fs.Remove(tempFile.Name()) } }() defer tempFile.Close() diff --git a/ego/cli/elf_test.go b/ego/cli/elf_test.go index 9b9ecd41..a8dd6590 100644 --- a/ego/cli/elf_test.go +++ b/ego/cli/elf_test.go @@ -9,7 +9,6 @@ package cli import ( "debug/elf" "encoding/json" - "io/ioutil" "os" "os/exec" "path/filepath" @@ -31,7 +30,7 @@ var elfUnsigned = func() []byte { panic(err) } - dir, err := ioutil.TempDir("", "") + dir, err := os.MkdirTemp("", "") if err != nil { panic(err) } @@ -39,7 +38,7 @@ var elfUnsigned = func() []byte { // write minimal source file const src = `package main;import _"time";func main(){}` - if err := ioutil.WriteFile(filepath.Join(dir, srcFile), []byte(src), 0o400); err != nil { + if err := os.WriteFile(filepath.Join(dir, srcFile), []byte(src), 0o400); err != nil { panic(err) } @@ -54,7 +53,7 @@ var elfUnsigned = func() []byte { } // read resulting executable - data, err := ioutil.ReadFile(filepath.Join(dir, outFile)) + data, err := os.ReadFile(filepath.Join(dir, outFile)) if err != nil { panic(err) } diff --git a/ego/cli/install.go b/ego/cli/install.go index 18a87fb5..1b85bcaf 100644 --- a/ego/cli/install.go +++ b/ego/cli/install.go @@ -11,7 +11,7 @@ import ( "encoding/json" "errors" "fmt" - "io/ioutil" + "io" "net/http" "os" "os/exec" @@ -23,10 +23,12 @@ import ( const shellToUse = "bash" -var ErrTargetNotSupported = errors.New("component not found") -var ErrInstallUserQuit = errors.New("user denied installation") -var ErrExitCodeValue = errors.New("exit code not 0") -var ErrSysInfoFail = errors.New("could not determine necessary details about operating system") +var ( + ErrTargetNotSupported = errors.New("component not found") + ErrInstallUserQuit = errors.New("user denied installation") + ErrExitCodeValue = errors.New("exit code not 0") + ErrSysInfoFail = errors.New("could not determine necessary details about operating system") +) type installInfoV1 struct { Desc map[string]string @@ -184,7 +186,7 @@ func httpGet(url string) ([]byte, error) { if resp.StatusCode != http.StatusOK { return nil, fmt.Errorf("http response has status %v", resp.Status) } - body, err := ioutil.ReadAll(resp.Body) + body, err := io.ReadAll(resp.Body) if err != nil { return nil, err } diff --git a/ego/cli/install_test.go b/ego/cli/install_test.go index 21d4a4dd..29934d80 100644 --- a/ego/cli/install_test.go +++ b/ego/cli/install_test.go @@ -45,8 +45,10 @@ func (i *installerRunner) ClearRun() { i.run = make([]*exec.Cmd, 0) } -const ubuntu1804 = "ID=ubuntu\nVERSION_ID=18.04" -const ubuntu2004 = "ID=ubuntu\nVERSION_ID=20.04" +const ( + ubuntu1804 = "ID=ubuntu\nVERSION_ID=18.04" + ubuntu2004 = "ID=ubuntu\nVERSION_ID=20.04" +) var jsonData = ` { @@ -129,30 +131,31 @@ var jsonData = ` // Test whether getOsInfo can correctly determine details from os-release func TestInstallGetOsInfo(t *testing.T) { assert := assert.New(t) + require := require.New(t) runner := installerRunner{} fs := afero.NewMemMapFs() cli := NewCli(&runner, fs) - cli.fs.WriteFile("/etc/os-release", []byte("ID=\"ubuntu\"\nsome other infos\nVERSION_ID=\"20.04\""), 0) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte("ID=\"ubuntu\"\nsome other infos\nVERSION_ID=\"20.04\""), 0)) id, versionID, err := cli.getOsInfo() assert.Equal("ubuntu", id) assert.Equal("20.04", versionID) assert.Equal(nil, err) - cli.fs.WriteFile("/etc/os-release", []byte("ID=foo\nVERSION_ID=bar"), 0) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte("ID=foo\nVERSION_ID=bar"), 0)) id, versionID, err = cli.getOsInfo() assert.Equal("foo", id) assert.Equal("bar", versionID) assert.Equal(nil, err) - cli.fs.WriteFile("/etc/os-release", []byte("VERSION_ID=20.04"), 0) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte("VERSION_ID=20.04"), 0)) id, versionID, err = cli.getOsInfo() assert.Equal("", id) assert.Equal("", versionID) assert.NotEqual(nil, err) - cli.fs.WriteFile("/etc/os-release", []byte("IID=ubuntu\nVERSION_ID=20.04"), 0) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte("IID=ubuntu\nVERSION_ID=20.04"), 0)) id, versionID, err = cli.getOsInfo() assert.Equal("", id) assert.Equal("", versionID) @@ -162,12 +165,13 @@ func TestInstallGetOsInfo(t *testing.T) { // Run tests that should all pass the installation func TestInstallValidTests(t *testing.T) { assert := assert.New(t) + require := require.New(t) runner := installerRunner{} cli := NewCli(&runner, afero.NewMemMapFs()) server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - io.WriteString(w, jsonData) + _, _ = io.WriteString(w, jsonData) })) askTrue := func(string) bool { return true } @@ -180,7 +184,7 @@ func TestInstallValidTests(t *testing.T) { fmt.Println("Valid nonflc tests:") fmt.Println("------------------------------------------------------------------------------------") for osReleaseData, testComponents := range validNonflcTests { - cli.fs.WriteFile("/etc/os-release", []byte(osReleaseData), 0600) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte(osReleaseData), 0o600)) for _, component := range testComponents { fmt.Print("\nStarting installation of \"", component, "\"\n") assert.Equal(nil, cli.install(askTrue, "nonflc", component, server.URL)) @@ -206,7 +210,7 @@ func TestInstallValidTests(t *testing.T) { fmt.Println("Valid flc tests:") fmt.Println("------------------------------------------------------------------------------------") for osReleaseData, testComponents := range validFlcTests { - cli.fs.WriteFile("/etc/os-release", []byte(osReleaseData), 0600) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte(osReleaseData), 0o600)) for _, component := range testComponents { fmt.Print("\nStarting installation of \"", component, "\"\n") assert.Equal(nil, cli.install(askTrue, "flc", component, server.URL)) @@ -224,7 +228,6 @@ func TestInstallValidTests(t *testing.T) { fmt.Println("------------------------------------------------------------------------------------") } } - } // Run tests that should all fail the installation process @@ -236,7 +239,7 @@ func TestInstallNotValidTests(t *testing.T) { cli := NewCli(&runner, afero.NewMemMapFs()) server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - io.WriteString(w, jsonData) + _, _ = io.WriteString(w, jsonData) })) askTrue := func(string) bool { return true } @@ -249,7 +252,7 @@ func TestInstallNotValidTests(t *testing.T) { unvalidTests[ubuntu2004] = []string{"az-dcap-client", "echo abc", "?libsgx-launch", "! libsgx-launch", "|libsgx-launch", " . libsgx-launch"} for osReleaseData, testComponents := range unvalidTests { - cli.fs.WriteFile("/etc/os-release", []byte(osReleaseData), 0600) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte(osReleaseData), 0o600)) for _, component := range testComponents { fmt.Print("\nStarting installation of \"", component, "\"\n") assert.NotEqual(nil, cli.install(askTrue, "nonflc", component, server.URL)) @@ -269,7 +272,7 @@ func TestExactCommand(t *testing.T) { cli := NewCli(&runner, afero.NewMemMapFs()) server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - io.WriteString(w, jsonData) + _, _ = io.WriteString(w, jsonData) })) askTrue := func(string) bool { return true } @@ -277,7 +280,7 @@ func TestExactCommand(t *testing.T) { fmt.Println("\n\nExact Command Test") fmt.Println("------------------------------------------------------------------------------------") - cli.fs.WriteFile("/etc/os-release", []byte(ubuntu1804), 0600) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte(ubuntu1804), 0o600)) assert.Equal(nil, cli.install(askTrue, "flc", "sgx-driver", server.URL)) cmds := runner.run fmt.Println(cmds[0].Dir) @@ -299,7 +302,7 @@ func TestInstallErrorCheck(t *testing.T) { cli := NewCli(&runner, afero.NewMemMapFs()) server := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) { - io.WriteString(w, jsonData) + _, _ = io.WriteString(w, jsonData) })) askTrue := func(string) bool { return true } @@ -308,31 +311,31 @@ func TestInstallErrorCheck(t *testing.T) { fmt.Println("\n\nTest Install Errors") // os-release file does not contain necessary information, but no error - cli.fs.WriteFile("/etc/os-release", []byte(""), 0600) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte(""), 0o600)) assert.NotEqual(nil, cli.install(askTrue, "flc", "sgx-driver", server.URL)) runner.ClearRun() fmt.Println("------------------------------------------------------------------------------------") // os "foo" does not exist in json file - cli.fs.WriteFile("/etc/os-release", []byte("ID=foo\nVERSION_ID=bar"), 0600) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte("ID=foo\nVERSION_ID=bar"), 0o600)) assert.Equal(nil, cli.install(askTrue, "flc", "sgx-driver", server.URL)) runner.ClearRun() fmt.Println("------------------------------------------------------------------------------------") // no available components to install for nonsgx - cli.fs.WriteFile("/etc/os-release", []byte(ubuntu2004), 0600) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte(ubuntu2004), 0o600)) assert.Equal(nil, cli.install(askTrue, "nonsgx", "sgx-driver", server.URL)) runner.ClearRun() fmt.Println("------------------------------------------------------------------------------------") // component "foo" does not exist in json file - cli.fs.WriteFile("/etc/os-release", []byte(ubuntu2004), 0600) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte(ubuntu2004), 0o600)) assert.Equal(ErrTargetNotSupported, cli.install(askTrue, "nonflc", "foo", server.URL)) runner.ClearRun() fmt.Println("------------------------------------------------------------------------------------") // askFalse: user does not want to continue installation, so installation stops without error - cli.fs.WriteFile("/etc/os-release", []byte(ubuntu2004), 0600) + require.NoError(cli.fs.WriteFile("/etc/os-release", []byte(ubuntu2004), 0o600)) assert.Equal(ErrInstallUserQuit, cli.install(askFalse, "nonflc", "sgx-driver", server.URL)) require.Len(runner.run, 0) runner.ClearRun() diff --git a/ego/cmd/bundle/main.go b/ego/cmd/bundle/main.go index d3005328..de98f8ee 100644 --- a/ego/cmd/bundle/main.go +++ b/ego/cmd/bundle/main.go @@ -66,7 +66,7 @@ func run(fs afero.Fs, selfElfFile *elf.File, runner launch.Runner) (int, error) if err != nil { return 1, err } - defer fs.RemoveAll(tempEGoRootPath) + defer func() { _ = fs.RemoveAll(tempEGoRootPath) }() // Register cleanup handler to clean-up on STRG+C cleanupHandler(tempEGoRootPath) diff --git a/ego/cmd/bundle/main_test.go b/ego/cmd/bundle/main_test.go index d72cfcdb..28b76d50 100644 --- a/ego/cmd/bundle/main_test.go +++ b/ego/cmd/bundle/main_test.go @@ -13,7 +13,6 @@ import ( "debug/elf" "fmt" "io" - "io/ioutil" "os" "os/exec" "path/filepath" @@ -34,7 +33,7 @@ var elfUnsigned = func() []byte { panic(err) } - dir, err := ioutil.TempDir("", "") + dir, err := os.MkdirTemp("", "") if err != nil { panic(err) } @@ -168,7 +167,7 @@ func TestUnpackBundledImage(t *testing.T) { fs := afero.NewMemMapFs() unpackingPath, err := afero.TempDir(fs, "", "ego-unittest") require.NoError(err) - defer fs.RemoveAll(unpackingPath) + defer func() { _ = fs.RemoveAll(unpackingPath) }() assert.NoError(unpackBundledImage(fs, unpackingPath, elfFile)) diff --git a/ego/cmd/concurrency-test/main.go b/ego/cmd/concurrency-test/main.go index c9d88f8e..cd659554 100644 --- a/ego/cmd/concurrency-test/main.go +++ b/ego/cmd/concurrency-test/main.go @@ -68,7 +68,7 @@ func work(in, out chan int) { out <- x // cgo call triggers specific scheduling logic - syscall.Nanosleep(&syscall.Timespec{Sec: 0, Nsec: 1_000}, nil) + _ = syscall.Nanosleep(&syscall.Timespec{Sec: 0, Nsec: 1_000}, nil) // triggers GC from time to time garbage = make([]byte, 1024) diff --git a/ego/cmd/marble-test/main.go b/ego/cmd/marble-test/main.go index c6c84d44..77fc25d7 100644 --- a/ego/cmd/marble-test/main.go +++ b/ego/cmd/marble-test/main.go @@ -13,7 +13,6 @@ import ( "crypto/tls" "crypto/x509" "crypto/x509/pkix" - "io/ioutil" "math/big" "net" "os" @@ -54,7 +53,7 @@ func main() { // Run the test marble. // - uuidDir, err := ioutil.TempDir("", "") + uuidDir, err := os.MkdirTemp("", "") require.NoError(err) defer os.RemoveAll(uuidDir) diff --git a/enclave/doc.go b/enclave/doc.go index 0806dc71..37eda379 100644 --- a/enclave/doc.go +++ b/enclave/doc.go @@ -7,7 +7,7 @@ /* Package enclave provides functionality for Go enclaves like remote attestation and sealing. -Using remote reports +# Using remote reports Remote reports are generated by an enclave platform to attest the integrity and confidentiality of an enclaved app instance. A remote report also attests that an app was @@ -55,6 +55,5 @@ party must additionally verify the content of the remote report: return errors.New("report data does not match the certificate's hash") } // we ensured the cert was generated by the enclave - */ package enclave diff --git a/enclave/ert.go b/enclave/ert.go index cf05a387..d968c5a5 100644 --- a/enclave/ert.go +++ b/enclave/ert.go @@ -65,7 +65,7 @@ func GetRemoteReport(reportData []byte) ([]byte, error) { } result := C.GoBytes(unsafe.Pointer(report), C.int(reportSize)) - syscall.Syscall(sysFreeReport, uintptr(unsafe.Pointer(report)), 0, 0) + _, _, _ = syscall.Syscall(sysFreeReport, uintptr(unsafe.Pointer(report)), 0, 0) return result, nil } @@ -100,7 +100,7 @@ func VerifyRemoteReport(reportBytes []byte) (attestation.Report, error) { verifyErr = attestation.ErrTCBLevelInvalid } - defer syscall.Syscall(sysFreeClaims, claims, claimsLength, 0) + defer func() { _, _, _ = syscall.Syscall(sysFreeClaims, claims, claimsLength, 0) }() report, err := internal.ParseClaims(claims, claimsLength) if err != nil { @@ -150,7 +150,7 @@ func GetLocalReport(reportData []byte, targetReport []byte) ([]byte, error) { } result := C.GoBytes(unsafe.Pointer(report), C.int(reportSize)) - syscall.Syscall(sysFreeReport, uintptr(unsafe.Pointer(report)), 0, 0) + _, _, _ = syscall.Syscall(sysFreeReport, uintptr(unsafe.Pointer(report)), 0, 0) return result, nil } @@ -231,7 +231,7 @@ func GetSealKey(keyInfo []byte) ([]byte, error) { } key := C.GoBytes(unsafe.Pointer(keyBuffer), C.int(keySize)) - syscall.Syscall(sysFreeSealKey, uintptr(unsafe.Pointer(keyBuffer)), 0, 0) + _, _, _ = syscall.Syscall(sysFreeSealKey, uintptr(unsafe.Pointer(keyBuffer)), 0, 0) return key, nil } diff --git a/internal/attestation/claim.go b/internal/attestation/claim.go index c78b80c7..a1ca0d5d 100644 --- a/internal/attestation/claim.go +++ b/internal/attestation/claim.go @@ -8,6 +8,7 @@ package attestation // #include "claim.h" import "C" + import ( "errors" "unsafe" diff --git a/internal/attestation/maa.go b/internal/attestation/maa.go index d3b1d5c5..5d592b02 100644 --- a/internal/attestation/maa.go +++ b/internal/attestation/maa.go @@ -16,7 +16,7 @@ import ( "encoding/json" "errors" "fmt" - "io/ioutil" + "io" "net/http" "net/url" "time" @@ -212,7 +212,7 @@ func httpGet(url string) ([]byte, error) { if resp.StatusCode != http.StatusOK { return nil, fmt.Errorf("http response has status %v", resp.Status) } - body, err := ioutil.ReadAll(resp.Body) + body, err := io.ReadAll(resp.Body) if err != nil { return nil, err } diff --git a/internal/attestation/maa_test.go b/internal/attestation/maa_test.go index 456c9137..828e308b 100644 --- a/internal/attestation/maa_test.go +++ b/internal/attestation/maa_test.go @@ -156,7 +156,7 @@ func TestVerifyAzureAttestationToken(t *testing.T) { http.Error(w, "could not marshal json keys", http.StatusInternalServerError) } w.Header().Set("Content-Type", "application/json") - w.Write(response) + _, _ = w.Write(response) } attestationProvider := httptest.NewServer(http.HandlerFunc(serveKeys)) defer attestationProvider.Close()