diff --git a/.github/dependabot.yml b/.github/dependabot.yml
deleted file mode 100644
index 80c4fbd..0000000
--- a/.github/dependabot.yml
+++ /dev/null
@@ -1,17 +0,0 @@
-version: 2
-updates:
- - package-ecosystem: "gomod"
- directory: "/"
- schedule:
- # Check for updates Wednesdays at 19:00 PST (03:00 UTC)
- interval: "weekly"
- day: "wednesday"
- time: "03:00"
- open-pull-requests-limit: 10
- allow:
- - dependency-type: "direct"
- # This is my project, might as well flat assign them all to myself.
- assignees:
- - "agargiulo"
- reviewers:
- - "schism-ssh/devops"
diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index 118a3f9..8108f07 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -1,12 +1,12 @@
 default:
- image: img.doom.fm/build/golang:latest-1.14.2-buster
+ image: reg.agarg.me/build/golang:latest-1.18.2-bullseye
 tags:
- - shared-exec-docker
+ - agarg-public-projects
 stages:
 - test
 - build
- - deploy
+ - release
 .global-vars:
 variables:
@@ -19,9 +19,12 @@ fmt-vet-test:
 extends:
 - .global-vars
 before_script:
+ - go get ./...
 - go mod vendor
 script:
- - go fmt ./...
+ - fmt_output=$(find -name vendor -prune -o -type f -name '*.go' -print0 | xargs -0 gofmt -l)
+ - echo "${fmt_output}"
+ - test -z "${fmt_output}"
 - go vet ./...
 - go test -cover -coverprofile cover.out ./...
 - go tool cover -func cover.out | awk '/total:/ {print $1" "$2" "$3}; /.go/{print $0}'
@@ -38,6 +41,8 @@ compile:
 - go build -mod=vendor -ldflags "-extldflags '-static'" -o "${CI_PROJECT_DIR}/${SCHISM_BIN}" ./cmd...
 - zip "${SCHISM_BIN}".zip "${SCHISM_BIN}"
 artifacts:
+ name: "compile_to_publish-$CI_COMMIT_REF_SLUG"
+ expose_as: compile_to_publish
 paths:
 - ${SCHISM_BIN}.zip
 - .ci/publish
@@ -46,7 +51,7 @@ compile:
 - fmt-vet-test
 release:
- stage: deploy
+ stage: release
 extends:
 - .global-vars
 variables:
diff --git a/cmd/schism-lambda/main.go b/cmd/schism-lambda/main.go
index 6729bbc..afc26d4 100644
--- a/cmd/schism-lambda/main.go
+++ b/cmd/schism-lambda/main.go
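Review bot: `- go get ./...` added to the fmt-vet-test before_script can rewrite go.mod and go.sum on the runner whenever they are not already tidy, and the `- go mod vendor` that follows then vendors whatever was resolved, so the test job may exercise a dependency set that differs from the committed one without any failure. Prefer `- go mod download` followed by `- go mod verify` in that position, so the checked-in go.sum hashes are enforced rather than updated; `go mod vendor` still fetches anything it needs. Whether the compile job shares this before_script cannot be told from the diff, since its before_script is outside the shown hunks.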
@@ -9,14 +9,15 @@ import (
 "golang.org/x/crypto/ssh"
 "github.com/aws/aws-lambda-go/lambda"
+ "github.com/aws/aws-sdk-go/service/s3/s3iface"
 "github.com/aws/aws-sdk-go/service/ssm/ssmiface"
- "src.doom.fm/schism/commonLib"
- "src.doom.fm/schism/commonLib/protocol"
+ "code.agarg.me/schism/commonLib"
+ "code.agarg.me/schism/commonLib/protocol"
- "src.doom.fm/schism/lambda-function/internal"
- "src.doom.fm/schism/lambda-function/internal/cloud"
- "src.doom.fm/schism/lambda-function/internal/crypto"
+ "code.agarg.me/schism/lambda-function/internal"
+ "code.agarg.me/schism/lambda-function/internal/cloud"
+ "code.agarg.me/schism/lambda-function/internal/crypto"
 )
 type caPairs map[string]*crypto.EncodedCaPair
@@ -42,7 +43,7 @@ func init() {
 awsRegion = os.Getenv("AWS_REGION")
 }
-func caKeysInit(ssmSvc ssmiface.SSMAPI) (err error) {
+func caKeysInit(ssmSvc ssmiface.SSMAPI, s3Svc s3iface.S3API) (err error) {
 hostParamName := fmt.Sprintf("%s-%s", schismConfig.CaParamPrefix, protocol.HostCertificate)
 hostKeyPair, err := cloud.LoadCAFromSSM(ssmSvc, hostParamName)
 if err != nil {
@@ -69,9 +70,8 @@ func caKeysInit(ssmSvc ssmiface.SSMAPI) (err error) {
 }
 func LambdaHandler(requestEvent protocol.RequestSSHCertLambdaPayload) (protocol.RequestSSHCertLambdaResponse, error) {
- ssmClient := commonLib.SSMClient(awsRegion)
- if err := caKeysInit(ssmClient); err != nil {
- errLogger.Printf("Error initializing the CA keys: %v", err.Error())
+ if err := caKeysInit(commonLib.SSMClient(awsRegion), commonLib.S3Client(awsRegion)); err != nil {
+ errLogger.Printf("Error initializing the CA keys: %s", err)
 }
 invokeCount = invokeCount + 1
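Review bot: In the LambdaHandler hunk the rewritten caKeysInit failure path still only logs and then falls through to `invokeCount = invokeCount + 1` and the rest of the handler, so an invocation whose CA material failed to load continues toward signing instead of failing closed. Return the error from the handler, e.g. `return protocol.RequestSSHCertLambdaResponse{}, fmt.Errorf("initializing CA keys: %w", err)` (fmt is already imported, as the caKeysInit hunk shows), so the Lambda runtime reports the failure rather than a possibly half-initialised handler serving the request. Separately, the widened caKeysInit signature accepts s3Svc but none of the visible lines use it; its body runs past the hunk, so confirm the parameter is consumed or the S3 client is constructed for nothing on every invocation. Both function bodies continue outside the hunk.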
@@ -99,7 +99,7 @@ func processEvent(event protocol.RequestSSHCertLambdaPayload, out *protocol.Requ
 if err != nil {
 errLogger.Panicf("%s\nerror parsing ssh.Signer from (%s)keyPair", err, event.CertificateType)
 }
- out.LookupKey = string(protocol.GenerateLookupKey(event.Identity, event.Principals))
+ out.LookupKey = protocol.GenerateLookupKey(event.Identity, event.Principals, event.CertificateType).String()
 signedCert := eventSignCertificates(event, certType, err, signer)
 err = eventUploadResults(event, signedCert)
 if err != nil {
diff --git a/go.mod b/go.mod
index 16ffcc1..bb64f29 100644
--- a/go.mod
+++ b/go.mod
@@ -1,11 +1,15 @@
-module src.doom.fm/schism/lambda-function
+module code.agarg.me/schism/lambda-function
-go 1.14
+go 1.18
 require (
- github.com/aws/aws-lambda-go v1.17.0
- github.com/aws/aws-sdk-go v1.32.2
- golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9
- golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1 // indirect
- src.doom.fm/schism/commonLib v0.5.1
+ code.agarg.me/schism/commonLib v0.6.3
+ github.com/aws/aws-lambda-go v1.32.0
+ github.com/aws/aws-sdk-go v1.44.19
+ golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898
+)
+
+require (
+ github.com/jmespath/go-jmespath v0.4.0 // indirect
+ golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a // indirect
 )
diff --git a/go.sum b/go.sum
index 2a4f191..aa8fa4f 100644
--- a/go.sum
+++ b/go.sum
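Review bot: The LookupKey returned to the caller now folds in event.CertificateType, and the aws_test.go expectation in this same commit moves the stored object from `test/users/<hash>.json` to `test/Signed-Certs/user:<hash>.json`, so the identifier clients use to retrieve a signed certificate appears to change format in a way that is not backward compatible. Objects already written under the old layout would presumably not be addressable by a key produced on this line; a comment such as `// LookupKey format changed with commonLib v0.6.3: includes the certificate type` here, plus a release note, would make that visible, and whether existing objects need migrating cannot be determined from this hunk. processEvent starts and ends outside the hunk.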
@@ -1,39 +1,34 @@ -github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU= -github.com/aws/aws-lambda-go v1.17.0 h1:Ogihmi8BnpmCNktKAGpNwSiILNNING1MiosnKUfU8m0= -github.com/aws/aws-lambda-go v1.17.0/go.mod h1:FEwgPLE6+8wcGBTe5cJN3JWurd1Ztm9zN4jsXsjzKKw= -github.com/aws/aws-sdk-go v1.32.2 h1:X5/tQ4cuqCCUZgeOh41WFh9Eq5xe32JzWe4PSE2i1ME= -github.com/aws/aws-sdk-go v1.32.2/go.mod h1:5zCpMtNQVjRREroY7sYe8lOMRSxkhG6MZveU8YkpAk0= -github.com/cpuguy83/go-md2man/v2 v2.0.0-20190314233015-f79a8a8ca69d/go.mod h1:maD7wRr/U5Z6m/iR4s+kqSMx2CaBsrgA7czyZG/E6dU= -github.com/davecgh/go-spew v1.1.0 h1:ZDRjVQ15GmhC3fiQ8ni8+OwkZQO4DARzQgrnXU1Liz8= +code.agarg.me/schism/commonLib v0.6.3 h1:Ei/v7ItIoLI1HD4Ss1YXFByPO29WJ8DO2/THinAxQtw= +code.agarg.me/schism/commonLib v0.6.3/go.mod h1:immdOq78aEdxP0ZeEBNQqL/sv5/qAOqMlU9bfmIlU9o= +github.com/aws/aws-lambda-go v1.32.0 h1:i8MflawW1hoyYp85GMH7LhvAs4cqzL7LOS6fSv8l2KM= +github.com/aws/aws-lambda-go v1.32.0/go.mod h1:IF5Q7wj4VyZyUFnZ54IQqeWtctHQ9tz+KhcbDenr220= +github.com/aws/aws-sdk-go v1.44.19 h1:dhI6p4l6kisnA7gBAM8sP5YIk0bZ9HNAj7yrK7kcfdU= +github.com/aws/aws-sdk-go v1.44.19/go.mod h1:y4AeaBuwd2Lk+GepC1E9v0qOiTws0MIWAX4oIKwKHZo= github.com/davecgh/go-spew v1.1.0/go.mod h1:J7Y8YcW2NihsgmVo/mv3lAwl/skON4iLHjSsI+c5H38= -github.com/go-sql-driver/mysql v1.5.0/go.mod h1:DCzpHaOWr8IXmIStZouvnhqoel9Qv2LBy8hT2VhHyBg= -github.com/jmespath/go-jmespath v0.3.0 h1:OS12ieG61fsCg5+qLJ+SsW9NicxNkg3b25OyT2yCeUc= -github.com/jmespath/go-jmespath v0.3.0/go.mod h1:9QtRXoHjLGCJ5IBSaohpXITPlowMeeYCZ7fLUTSywik= +github.com/davecgh/go-spew v1.1.1 h1:vj9j/u1bqnvCEfJOwUhtlOARqs3+rkHYY13jYWTU97c= +github.com/jmespath/go-jmespath v0.4.0 h1:BEgLn5cpjn8UN1mAw4NjwDrS35OdebyEtFe+9YPoQUg= +github.com/jmespath/go-jmespath v0.4.0/go.mod h1:T8mJZnbsbmF+m6zOOFylbeCJqk5+pHWvzYPziyZiYoo= +github.com/jmespath/go-jmespath/internal/testify v1.5.1 h1:shLQSRRSCCPj3f2gpwzGwWFoC7ycTf1rcQZHOlsJ6N8= +github.com/jmespath/go-jmespath/internal/testify 
v1.5.1/go.mod h1:L3OGu8Wl2/fWfCI6z80xFu9LTZmf1ZRjMHUOPmWr69U= github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0= github.com/pmezard/go-difflib v1.0.0 h1:4DBwDE0NGyQoBHbLQYPwSUPoCMWR5BEzIk/f1lZbAQM= github.com/pmezard/go-difflib v1.0.0/go.mod h1:iKH77koFhYxTK1pcRnkKkqfTogsbg7gZNVY4sRDYZ/4= -github.com/russross/blackfriday/v2 v2.0.1/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM= -github.com/shurcooL/sanitized_anchor_name v1.0.0/go.mod h1:1NzhyTcUVG4SuEtjjoZeVRXNmyL/1OwPU0+IJeTBvfc= github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME= -github.com/stretchr/testify v1.4.0/go.mod h1:j7eGeouHqKxXV5pUuKE4zz7dFj8WfuZ+81PSLYec5m4= -github.com/stretchr/testify v1.5.1 h1:nOGnQDM7FYENwehXlg/kFVnos3rEvtKTjRvOWSzb6H4= -github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA= -github.com/urfave/cli/v2 v2.1.1/go.mod h1:SE9GqnLQmjVa0iPEY0f1w3ygNIYcIJ0OKPMoW2caLfQ= -golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= -golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9 h1:vEg9joUBmeBcK9iSJftGNf3coIG4HqZElCPehJsfAYM= -golang.org/x/crypto v0.0.0-20200604202706-70a84ac30bf9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= -golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2 h1:CCH4IOTTfewWjGOlSp+zGcjutRKlBEZQ6wTn8ozI/nI= -golang.org/x/net v0.0.0-20200202094626-16171245cfb2/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= -golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= -golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1 h1:ogLJMz+qpzav7lGMh10LMvAkM/fAoGlaiiHYiFYdm80= -golang.org/x/sys v0.0.0-20200615200032-f1bc736245b1/go.mod 
h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= -golang.org/x/text v0.3.0 h1:g61tztE5qeGQ89tm6NTjjM9VPIm088od1l6aSorWRWg= -golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= -gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405 h1:yhCVgyC4o1eVCa2tZl7eS0r+SDo693bJlVdllGtEeKM= +github.com/stretchr/testify v1.6.1 h1:hDPOHmpOpP40lSULcqw7IrRb/u7w6RpDC9399XyoNd0= +golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898 h1:SLP7Q4Di66FONjDJbCYrCRrh97focO6sLogHO7/g8F0= +golang.org/x/crypto v0.0.0-20220518034528-6f7dac969898/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd h1:O7DYs+zxREGLKzKoMQrtrEacpb0ZVXA5rIwylE2Xchk= +golang.org/x/net v0.0.0-20220127200216-cd36cc0744dd/go.mod h1:CfG3xpIq0wQ8r1q4Su4UZFWDARRcnwPjda9FqA0JpMk= +golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a h1:dGzPydgVsqGcTRVwiLJ1jVbufYwmzD3LfVPLKsKg+0k= +golang.org/x/sys v0.0.0-20220520151302-bc2c85ada10a/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211 h1:JGgROgKl9N8DuW20oFS5gxc+lE67/N3FcwmBPMe7ArY= +golang.org/x/term v0.0.0-20210927222741-03fcf44c2211/go.mod h1:jbD1KX2456YbFQfuXm/mYQcufACuNUgVhRMnK/tPxf8= +golang.org/x/text v0.3.7 h1:olpwvP2KacW1ZWvsR7uQhoyTYvKAupfQrRGBFM352Gk= +golang.org/x/text v0.3.7/go.mod h1:u+2+/6zg+i71rQMx5EYifcz6MCKuco9NR6JIITiCfzQ= +golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0= -gopkg.in/yaml.v2 v2.2.2 h1:ZCJp+EgiOT7lHqUV2J862kp8Qj64Jo6az82+3Td9dZw= -gopkg.in/yaml.v2 v2.2.2/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI= 
-src.doom.fm/schism/commonLib v0.5.1 h1:TLCR/32wpJrIexFG+69IsvBXcC/yoaOYmp3C4fjyxx8=
-src.doom.fm/schism/commonLib v0.5.1/go.mod h1:viSOqbLGmB4HZgxFtK79b5wraqnEficNHYDnWCH/HCA=
+gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
+gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v3 v3.0.0-20200615113413-eeeca48fe776 h1:tQIYjPdBoyREyB9XMu+nnTclpTYkz2zFM+lzLJFO4gQ=
diff --git a/internal/cloud/aws.go b/internal/cloud/aws.go
index c6833f2..7504314 100644
--- a/internal/cloud/aws.go
+++ b/internal/cloud/aws.go
@@ -12,8 +12,8 @@ import (
 "github.com/aws/aws-sdk-go/service/ssm"
 "github.com/aws/aws-sdk-go/service/ssm/ssmiface"
- "src.doom.fm/schism/commonLib/protocol"
- schismCrypt "src.doom.fm/schism/lambda-function/internal/crypto"
+ "code.agarg.me/schism/commonLib/protocol"
+ schismCrypt "code.agarg.me/schism/lambda-function/internal/crypto"
 )
 func LoadCAFromSSM(ssmSvc ssmiface.SSMAPI, paramName string) (*schismCrypt.EncodedCaPair, error) {
diff --git a/internal/cloud/aws_test.go b/internal/cloud/aws_test.go
index f8a35d6..b2e9cef 100644
--- a/internal/cloud/aws_test.go
+++ b/internal/cloud/aws_test.go
@@ -13,8 +13,8 @@ import (
 "github.com/aws/aws-sdk-go/service/ssm"
 "github.com/aws/aws-sdk-go/service/ssm/ssmiface"
- "src.doom.fm/schism/commonLib/protocol"
- "src.doom.fm/schism/lambda-function/internal/crypto"
+ "code.agarg.me/schism/commonLib/protocol"
+ "code.agarg.me/schism/lambda-function/internal/crypto"
 )
 type mockSSMClient struct {
@@ -61,7 +61,7 @@ type mockS3Client struct {
 }
 func (m *mockS3Client) PutObject(input *s3.PutObjectInput) (*s3.PutObjectOutput, error) {
- if strings.Contains(*input.Key, "fails") {
+ if strings.Contains(*input.Key, "fail:") {
 return nil, fmt.Errorf("error saving object: %v", *input.Key)
 }
 return &s3.PutObjectOutput{}, nil
@@ -195,7 +195,7 @@ func TestSaveS3Object(t *testing.T) {
 Principals: []string{"user1", "app_user"},
 },
 },
- want: "test/users/1d2206f7294dedac0c991bbf3656db48a7e93cc913c7e467c4c9d2d6149ab83c.json",
+ want: "test/Signed-Certs/user:1d2206f7294dedac0c991bbf3656db48a7e93cc913c7e467c4c9d2d6149ab83c.json",
 wantErr: false,
 },
 {
diff --git a/internal/cloud/support_test.go b/internal/cloud/support_test.go
index aa4023b..f78c0e9 100644
--- a/internal/cloud/support_test.go
+++ b/internal/cloud/support_test.go
@@ -5,7 +5,7 @@ import (
 "reflect"
 "testing"
- "src.doom.fm/schism/lambda-function/internal/cloud"
+ "code.agarg.me/schism/lambda-function/internal/cloud"
 )
 type fields struct {
diff --git a/internal/crypto/ca_test.go b/internal/crypto/ca_test.go
index 12cb146..6231c0d 100644
--- a/internal/crypto/ca_test.go
+++ b/internal/crypto/ca_test.go
@@ -10,16 +10,16 @@ import (
 func TestCreateCA(t *testing.T) {
 tests := []struct {
- name string
- want *EncodedCaPair
+ name string
+ want *EncodedCaPair
 }{
 {
- name: "privateKey encoded PEM type PRIVATE KEY",
- want: &EncodedCaPair{PrivateKey: []byte("-BEGIN PRIVATE KEY-")},
+ name: "privateKey encoded PEM type PRIVATE KEY",
+ want: &EncodedCaPair{PrivateKey: []byte("-BEGIN PRIVATE KEY-")},
 },
 {
- name: fmt.Sprintf("authorizedKey is of type %s", ssh.KeyAlgoED25519),
- want: &EncodedCaPair{AuthorizedKey: []byte(ssh.KeyAlgoED25519)},
+ name: fmt.Sprintf("authorizedKey is of type %s", ssh.KeyAlgoED25519),
+ want: &EncodedCaPair{AuthorizedKey: []byte(ssh.KeyAlgoED25519)},
 },
 }
 for _, tt := range tests {
diff --git a/internal/crypto/signing_test.go b/internal/crypto/signing_test.go
index 038c11d..0b4cd1e 100644
--- a/internal/crypto/signing_test.go
+++ b/internal/crypto/signing_test.go
@@ -1,8 +1,8 @@
 package crypto_test
 import (
+ "code.agarg.me/schism/lambda-function/internal/crypto"
 "golang.org/x/crypto/ssh"
- "src.doom.fm/schism/lambda-function/internal/crypto"
 "strings"
 "testing"
 )
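Review bot: In the signing_test.go import hunk the new `code.agarg.me/schism/lambda-function/internal/crypto` line is placed in the same single group as `golang.org/x/crypto/ssh`, `strings` and `testing`, so the block is merely gofmt-sorted rather than grouped; the same arrangement appears in the support_test.go hunk that follows. The non-test files in this diff (main.go, aws.go) appear to separate stdlib, third-party and project imports with blank lines, and keeping `"strings"` and `"testing"` in their own group above `"code.agarg.me/..."` and `"golang.org/x/crypto/ssh"` would match that convention and what goimports produces. This is a style point only; the imports themselves are correct.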
@@ -73,11 +73,11 @@ func TestSign(t *testing.T) {
 {
 name: "raises an error for an empty request",
 args: args{
- req: brokenTestReq,
+ req: brokenTestReq,
 caKey: testSigner,
 },
 wantSignature: false,
- wantErr: true,
+ wantErr: true,
 },
 }
 for _, tt := range tests {
diff --git a/internal/crypto/support_test.go b/internal/crypto/support_test.go
index f8b9750..b0be53f 100644
--- a/internal/crypto/support_test.go
+++ b/internal/crypto/support_test.go
@@ -1,8 +1,8 @@
 package crypto_test
 import (
+ "code.agarg.me/schism/lambda-function/internal/crypto"
 "golang.org/x/crypto/ssh"
- "src.doom.fm/schism/lambda-function/internal/crypto"
 "testing"
 )