[ci skip] more codex 5.3 improvements
This commit is contained in:
27
internal/secrets/secrets_test.go
Normal file
27
internal/secrets/secrets_test.go
Normal file
@@ -0,0 +1,27 @@
|
||||
package secrets
|
||||
|
||||
import (
|
||||
"encoding/base64"
|
||||
"io"
|
||||
"log/slog"
|
||||
"strings"
|
||||
"testing"
|
||||
)
|
||||
|
||||
func testLogger() *slog.Logger {
|
||||
return slog.New(slog.NewTextHandler(io.Discard, nil))
|
||||
}
|
||||
|
||||
func TestDecryptRejectsShortCiphertext(t *testing.T) {
|
||||
key := []byte("0123456789abcdef0123456789abcdef")
|
||||
s := New(testLogger(), key)
|
||||
|
||||
encoded := base64.StdEncoding.EncodeToString([]byte{1, 2, 3})
|
||||
_, err := s.Decrypt(encoded)
|
||||
if err == nil {
|
||||
t.Fatal("expected error for short ciphertext, got nil")
|
||||
}
|
||||
if !strings.Contains(err.Error(), "ciphertext is too short") {
|
||||
t.Fatalf("unexpected error: %v", err)
|
||||
}
|
||||
}
|
||||
@@ -6,6 +6,7 @@ import (
|
||||
"crypto/x509"
|
||||
"crypto/x509/pkix"
|
||||
"encoding/pem"
|
||||
"fmt"
|
||||
"log"
|
||||
"math/big"
|
||||
"net"
|
||||
@@ -14,7 +15,7 @@ import (
|
||||
"time"
|
||||
)
|
||||
|
||||
func GenerateCerts(tlsCert string, tlsKey string) {
|
||||
func GenerateCerts(tlsCert string, tlsKey string) error {
|
||||
// @see https://shaneutt.com/blog/golang-ca-and-signed-cert-go/
|
||||
// @see https://golang.org/src/crypto/tls/generate_cert.go
|
||||
validFrom := ""
|
||||
@@ -24,7 +25,7 @@ func GenerateCerts(tlsCert string, tlsKey string) {
|
||||
// Get the hostname
|
||||
hostname, err := os.Hostname()
|
||||
if err != nil {
|
||||
panic(err)
|
||||
return fmt.Errorf("failed to lookup hostname: %w", err)
|
||||
}
|
||||
|
||||
// Check that the directory exists
|
||||
@@ -33,13 +34,15 @@ func GenerateCerts(tlsCert string, tlsKey string) {
|
||||
_, err = os.Stat(relativePath)
|
||||
if os.IsNotExist(err) {
|
||||
log.Printf("Certificate path does not exist, creating %s before generating certificate\n", relativePath)
|
||||
os.MkdirAll(relativePath, os.ModePerm)
|
||||
if mkErr := os.MkdirAll(relativePath, os.ModePerm); mkErr != nil {
|
||||
return fmt.Errorf("failed to create certificate directory %s: %w", relativePath, mkErr)
|
||||
}
|
||||
}
|
||||
|
||||
// Generate a private key
|
||||
priv, err := rsa.GenerateKey(rand.Reader, rsaBits)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to generate private key: %v", err)
|
||||
return fmt.Errorf("failed to generate private key: %w", err)
|
||||
}
|
||||
|
||||
var notBefore time.Time
|
||||
@@ -48,7 +51,7 @@ func GenerateCerts(tlsCert string, tlsKey string) {
|
||||
} else {
|
||||
notBefore, err = time.Parse("Jan 2 15:04:05 2006", validFrom)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to parse creation date: %v", err)
|
||||
return fmt.Errorf("failed to parse creation date: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
@@ -57,7 +60,7 @@ func GenerateCerts(tlsCert string, tlsKey string) {
|
||||
serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), 128)
|
||||
serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to generate serial number: %v", err)
|
||||
return fmt.Errorf("failed to generate serial number: %w", err)
|
||||
}
|
||||
|
||||
template := x509.Certificate{
|
||||
@@ -105,35 +108,38 @@ func GenerateCerts(tlsCert string, tlsKey string) {
|
||||
|
||||
derBytes, err := x509.CreateCertificate(rand.Reader, &template, &template, &priv.PublicKey, priv)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to create certificate: %v", err)
|
||||
return fmt.Errorf("failed to create certificate: %w", err)
|
||||
}
|
||||
|
||||
certOut, err := os.Create(tlsCert)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to open %s for writing: %v", tlsCert, err)
|
||||
return fmt.Errorf("failed to open %s for writing: %w", tlsCert, err)
|
||||
}
|
||||
if err := pem.Encode(certOut, &pem.Block{Type: "CERTIFICATE", Bytes: derBytes}); err != nil {
|
||||
log.Fatalf("Failed to write data to %s: %v", tlsCert, err)
|
||||
_ = certOut.Close()
|
||||
return fmt.Errorf("failed to write certificate data to %s: %w", tlsCert, err)
|
||||
}
|
||||
if err := certOut.Close(); err != nil {
|
||||
log.Fatalf("Error closing %s: %v", tlsCert, err)
|
||||
return fmt.Errorf("failed to close certificate file %s: %w", tlsCert, err)
|
||||
}
|
||||
log.Printf("wrote %s\n", tlsCert)
|
||||
|
||||
keyOut, err := os.OpenFile(tlsKey, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0600)
|
||||
if err != nil {
|
||||
log.Fatalf("Failed to open %s for writing: %v", tlsKey, err)
|
||||
return
|
||||
return fmt.Errorf("failed to open %s for writing: %w", tlsKey, err)
|
||||
}
|
||||
privBytes, err := x509.MarshalPKCS8PrivateKey(priv)
|
||||
if err != nil {
|
||||
log.Fatalf("Unable to marshal private key: %v", err)
|
||||
_ = keyOut.Close()
|
||||
return fmt.Errorf("unable to marshal private key: %w", err)
|
||||
}
|
||||
if err := pem.Encode(keyOut, &pem.Block{Type: "PRIVATE KEY", Bytes: privBytes}); err != nil {
|
||||
log.Fatalf("Failed to write data to %s: %v", tlsKey, err)
|
||||
_ = keyOut.Close()
|
||||
return fmt.Errorf("failed to write private key data to %s: %w", tlsKey, err)
|
||||
}
|
||||
if err := keyOut.Close(); err != nil {
|
||||
log.Fatalf("Error closing %s: %v", tlsKey, err)
|
||||
return fmt.Errorf("failed to close private key file %s: %w", tlsKey, err)
|
||||
}
|
||||
log.Printf("wrote %s\n", tlsKey)
|
||||
return nil
|
||||
}
|
||||
|
||||
Reference in New Issue
Block a user