From 4d174dba226cc3a556fa2f158b209f4d54c64281 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 10 Nov 2023 20:29:37 +0100
Subject: [PATCH 1/7] tlsconfig: drop support for go1.4 and older

Signed-off-by: Sebastiaan van Stijn
---
 tlsconfig/config_client_ciphers.go        |  3 ---
 tlsconfig/config_legacy_client_ciphers.go | 15 ---------------
 2 files changed, 18 deletions(-)
 delete mode 100644 tlsconfig/config_legacy_client_ciphers.go

diff --git a/tlsconfig/config_client_ciphers.go b/tlsconfig/config_client_ciphers.go
index 6b4c6a7c0..a82f9fa52 100644
--- a/tlsconfig/config_client_ciphers.go
+++ b/tlsconfig/config_client_ciphers.go
@@ -1,7 +1,4 @@
-// +build go1.5
-
 // Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
-//
 package tlsconfig
 
 import (
diff --git a/tlsconfig/config_legacy_client_ciphers.go b/tlsconfig/config_legacy_client_ciphers.go
deleted file mode 100644
index ee22df47c..000000000
--- a/tlsconfig/config_legacy_client_ciphers.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// +build !go1.5
-
-// Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
-//
-package tlsconfig
-
-import (
-	"crypto/tls"
-)
-
-// Client TLS cipher suites (dropping CBC ciphers for client preferred suite set)
-var clientCipherSuites = []uint16{
-	tls.TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256,
-	tls.TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256,
-}
From 21876c5afda7f3fe2b7505a72a04eb4a021b64f1 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 10 Nov 2023 20:30:50 +0100
Subject: [PATCH 2/7] tlsconfig: drop support for go1.6 and older

Signed-off-by: Sebastiaan van Stijn
---
 tlsconfig/{certpool_go17.go => certpool.go} |  2 --
 tlsconfig/certpool_other.go                 | 13 -------------
 2 files changed, 15 deletions(-)
 rename tlsconfig/{certpool_go17.go => certpool.go} (95%)
 delete mode 100644 tlsconfig/certpool_other.go
diff --git a/tlsconfig/certpool_go17.go b/tlsconfig/certpool.go
similarity index 95%
rename from tlsconfig/certpool_go17.go
rename to tlsconfig/certpool.go
index 1ca0965e0..f84c624ba 100644
--- a/tlsconfig/certpool_go17.go
+++ b/tlsconfig/certpool.go
@@ -1,5 +1,3 @@
-// +build go1.7
-
 package tlsconfig
 
 import (
diff --git a/tlsconfig/certpool_other.go b/tlsconfig/certpool_other.go
deleted file mode 100644
index 1ff81c333..000000000
--- a/tlsconfig/certpool_other.go
+++ /dev/null
@@ -1,13 +0,0 @@
-// +build !go1.7
-
-package tlsconfig
-
-import (
-	"crypto/x509"
-)
-
-// SystemCertPool returns an new empty cert pool,
-// accessing system cert pool is supported in go 1.7
-func SystemCertPool() (*x509.CertPool, error) {
-	return x509.NewCertPool(), nil
-}
From dca283b66503865dfa3869d7976a925105b82211 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 10 Nov 2023 20:32:15 +0100
Subject: [PATCH 3/7] tlsconfig: drop support for go1.12 and older

Signed-off-by: Sebastiaan van Stijn
---
 tlsconfig/{versions_go113.go => versions.go} |  2 --
 tlsconfig/versions_other.go                  | 15 ---------------
 2 files changed, 17 deletions(-)
 rename tlsconfig/{versions_go113.go => versions.go} (94%)
 delete mode 100644 tlsconfig/versions_other.go

diff --git a/tlsconfig/versions_go113.go b/tlsconfig/versions.go
similarity index 94%
rename from tlsconfig/versions_go113.go
rename to tlsconfig/versions.go
index d8215f8e7..d9496ff85 100644
--- a/tlsconfig/versions_go113.go
+++ b/tlsconfig/versions.go
@@ -1,5 +1,3 @@
-// +build go1.13
-
 package tlsconfig
 
 import (
diff --git a/tlsconfig/versions_other.go b/tlsconfig/versions_other.go
deleted file mode 100644
index a5ba7f4a3..000000000
--- a/tlsconfig/versions_other.go
+++ /dev/null
@@ -1,15 +0,0 @@
-// +build !go1.13
-
-package tlsconfig
-
-import (
-	"crypto/tls"
-)
-
-// allTLSVersions lists all the TLS versions and is used by the code that validates
-// a uint16 value as a TLS version.
-var allTLSVersions = map[uint16]struct{}{
-	tls.VersionTLS10: {},
-	tls.VersionTLS11: {},
-	tls.VersionTLS12: {},
-}
From 2cf423f0ad95e0e87577d9740c647015c00ed8fd Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 10 Nov 2023 20:33:26 +0100
Subject: [PATCH 4/7] tlsconfig: move allTLSVersions var

Signed-off-by: Sebastiaan van Stijn
---
 tlsconfig/config.go   | 10 ++++++++++
 tlsconfig/versions.go | 14 --------------
 2 files changed, 10 insertions(+), 14 deletions(-)
 delete mode 100644 tlsconfig/versions.go

diff --git a/tlsconfig/config.go b/tlsconfig/config.go
index 636c11522..f4c4b6024 100644
--- a/tlsconfig/config.go
+++ b/tlsconfig/config.go
@@ -1,6 +1,7 @@
 // Package tlsconfig provides primitives to retrieve secure-enough TLS configurations for both clients and servers.
 //
 // As a reminder from https://golang.org/pkg/crypto/tls/#Config:
+//
 // A Config structure is used to configure a TLS client or server. After one has been passed to a TLS function it must not be modified.
 // A Config may be reused; the tls package will also not modify it.
 package tlsconfig
@@ -113,6 +114,15 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 	return certPool, nil
 }
 
+// allTLSVersions lists all the TLS versions and is used by the code that validates
+// a uint16 value as a TLS version.
+var allTLSVersions = map[uint16]struct{}{
+	tls.VersionTLS10: {},
+	tls.VersionTLS11: {},
+	tls.VersionTLS12: {},
+	tls.VersionTLS13: {},
+}
+
 // isValidMinVersion checks that the input value is a valid tls minimum version
 func isValidMinVersion(version uint16) bool {
 	_, ok := allTLSVersions[version]
diff --git a/tlsconfig/versions.go b/tlsconfig/versions.go
deleted file mode 100644
index d9496ff85..000000000
--- a/tlsconfig/versions.go
+++ /dev/null
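Review bot: The relocated `allTLSVersions` map in the config.go hunk still lists `tls.VersionTLS10` and `tls.VersionTLS11`, so `isValidMinVersion` keeps accepting minimum versions that are deprecated by RFC 8996, and the doc comment does not say whether that is intentional. A reader choosing a `MinVersion` would benefit from one extra line on the map, e.g. `// TLS 1.0 and 1.1 are kept only so that explicitly configured legacy values still validate; they are deprecated (RFC 8996) and should not be selected as MinVersion in new configurations.` The body of `isValidMinVersion` continues past the end of the hunk, so whether any caller already warns on those two values cannot be seen here.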
@@ -1,14 +0,0 @@
-package tlsconfig
-
-import (
-	"crypto/tls"
-)
-
-// allTLSVersions lists all the TLS versions and is used by the code that validates
-// a uint16 value as a TLS version.
-var allTLSVersions = map[uint16]struct{}{
-	tls.VersionTLS10: {},
-	tls.VersionTLS11: {},
-	tls.VersionTLS12: {},
-	tls.VersionTLS13: {},
-}
From 7cbebcf931b3107a81a923ce6e1874380c65c436 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 10 Nov 2023 21:28:56 +0100
Subject: [PATCH 5/7] gha: update actions

Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/test.yml | 17 +++++++++++------
 1 file changed, 11 insertions(+), 6 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index ea87c0d05..5e08a7726 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -19,13 +19,13 @@ jobs:
     runs-on: ${{ matrix.platform }}
     steps:
       - name: Install Go ${{ matrix.go }}
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go }}
       - name: Setup IPv6
         run: sudo sysctl -w net.ipv6.conf.lo.disable_ipv6=0 net.ipv6.conf.default.disable_ipv6=0 net.ipv6.conf.all.disable_ipv6=0
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Build for ${{ matrix.platform }}
         run: go build ./...
       - name: Test
@@ -42,11 +42,11 @@ jobs:
     runs-on: ${{ matrix.platform }}
     steps:
       - name: Install Go ${{ matrix.go }}
-        uses: actions/setup-go@v2
+        uses: actions/setup-go@v4
         with:
           go-version: ${{ matrix.go }}
       - name: Checkout code
-        uses: actions/checkout@v2
+        uses: actions/checkout@v4
       - name: Build for ${{ matrix.platform }}
         run: go build ./...
       - name: Test
@@ -61,8 +61,13 @@ jobs:
         platform: [ubuntu-20.04, windows-latest, macos-latest]
     runs-on: ${{ matrix.platform }}
     steps:
-      - uses: actions/checkout@v2
-      - uses: golangci/golangci-lint-action@v2
+      - uses: actions/checkout@v4
+      - uses: actions/setup-go@v4
+        with:
+          go-version: "1.21.x"
+          cache: false
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@v3
         with:
           # must be specified without patch version
           version: v1.55
From c564c210e1404800194d27aad617dde3c4f4f831 Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 10 Nov 2023 21:11:37 +0100
Subject: [PATCH 6/7] drop support for go1.17 and older

Signed-off-by: Sebastiaan van Stijn
---
 .github/workflows/test.yml  |  4 ++--
 go.mod                      |  4 +++-
 go.sum                      |  3 ++-
 nat/nat_test.go             |  1 -
 proxy/network_proxy_test.go |  6 ++++--
 proxy/tcp_proxy.go          |  2 +-
 sockets/sockets_unix.go     |  2 +-
 sockets/unix_socket.go      |  8 ++++----
 sockets/unix_socket_test.go |  4 ++--
 tlsconfig/config_test.go    | 10 +++++-----
 10 files changed, 24 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
index 5e08a7726..911db3874 100644
--- a/.github/workflows/test.yml
+++ b/.github/workflows/test.yml
@@ -14,7 +14,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: ["1.13.x", "1.20.x", "1.21.x"]
+        go: ["1.18.x", "1.20.x", "1.21.x"]
         platform: [ubuntu-20.04]
     runs-on: ${{ matrix.platform }}
     steps:
@@ -37,7 +37,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        go: ["1.13.x", "1.20.x", "1.21.x"]
+        go: ["1.18.x", "1.20.x", "1.21.x"]
         platform: [windows-latest, macos-latest]
     runs-on: ${{ matrix.platform }}
     steps:
diff --git a/go.mod b/go.mod
index 038271ea5..f60c0b1fb 100644
--- a/go.mod
+++ b/go.mod
@@ -1,5 +1,7 @@
 module github.com/docker/go-connections
 
-go 1.13
+go 1.18
 
 require github.com/Microsoft/go-winio v0.4.14
+
+require golang.org/x/sys v0.1.0 // indirect
diff --git a/go.sum b/go.sum
index b888be749..24a66e517 100644
--- a/go.sum
+++ b/go.sum
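Review bot: The `uses:` references added in the lint job hunk (`actions/checkout@v4`, `actions/setup-go@v4`, `golangci/golangci-lint-action@v3`), like the ones bumped in the @@ -19 and @@ -42 hunks of the same file, point at mutable tags, so the code that runs on the CI runner can change without any change to this repository. Pinning each action to its full commit SHA and keeping the tag as a trailing comment, `uses: actions/checkout@<full-commit-sha> # v4`, is the usual mitigation and is what Dependabot/Renovate update automatically. While these workflow bumps are being made, a top-level `permissions: contents: read` block would also scope the default token to what `go build`/`go test` need; whether one already exists above the hunk cannot be seen here.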
@@ -8,5 +8,6 @@ github.com/sirupsen/logrus v1.4.1/go.mod h1:ni0Sbl8bgC9z8RoU9G6nDWqqs/fq4eDPysMB
 github.com/stretchr/objx v0.1.1/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
 github.com/stretchr/testify v1.2.2/go.mod h1:a8OnRcib4nhh0OaRAV+Yts87kKdq0PP7pXfy6kDkUVs=
 golang.org/x/sys v0.0.0-20180905080454-ebe1bf3edb33/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
-golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b h1:ag/x1USPSsqHud38I9BAC88qdNLDHHtQ4mlgQIZPPNA=
 golang.org/x/sys v0.0.0-20190507160741-ecd444e8653b/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.1.0 h1:kunALQeHf1/185U1i0GOB/fy1IPRDDpuoOOqRReG57U=
+golang.org/x/sys v0.1.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
diff --git a/nat/nat_test.go b/nat/nat_test.go
index 78fff4859..e6099e0f5 100644
--- a/nat/nat_test.go
+++ b/nat/nat_test.go
@@ -94,7 +94,6 @@ func TestParsePortRangeToInt(t *testing.T) {
 
 func TestPort(t *testing.T) {
 	p, err := NewPort("tcp", "1234")
-
 	if err != nil {
 		t.Fatalf("tcp, 1234 had a parsing issue: %v", err)
 	}
diff --git a/proxy/network_proxy_test.go b/proxy/network_proxy_test.go
index d16e8a8ec..93327ae38 100644
--- a/proxy/network_proxy_test.go
+++ b/proxy/network_proxy_test.go
@@ -11,8 +11,10 @@ import (
 	"time"
 )
 
-var testBuf = []byte("Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo")
-var testBufSize = len(testBuf)
+var (
+	testBuf     = []byte("Buffalo buffalo Buffalo buffalo buffalo buffalo Buffalo buffalo")
+	testBufSize = len(testBuf)
+)
 
 type EchoServer interface {
 	Run()
diff --git a/proxy/tcp_proxy.go b/proxy/tcp_proxy.go
index e3340deee..083bb94fb 100644
--- a/proxy/tcp_proxy.go
+++ b/proxy/tcp_proxy.go
@@ -46,7 +46,7 @@ func (proxy *TCPProxy) clientLoop(client *net.TCPConn, quit chan bool) {
 	}
 
 	event := make(chan int64)
-	var broker = func(to, from *net.TCPConn) {
+	broker := func(to, from *net.TCPConn) {
 		written, err := io.Copy(to, from)
 		if err != nil {
 			// If the socket we are writing to is shutdown with
diff --git a/sockets/sockets_unix.go b/sockets/sockets_unix.go
index fdd401a89..78a34a980 100644
--- a/sockets/sockets_unix.go
+++ b/sockets/sockets_unix.go
@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 package sockets
 
diff --git a/sockets/unix_socket.go b/sockets/unix_socket.go
index f0436b8d4..b9233521e 100644
--- a/sockets/unix_socket.go
+++ b/sockets/unix_socket.go
@@ -1,9 +1,9 @@
-// +build !windows
+//go:build !windows
 
 /*
 Package sockets is a simple unix domain socket wrapper.
 
-Usage
+# Usage
 
 For example:
 
@@ -103,7 +103,7 @@ func NewUnixSocketWithOpts(path string, opts ...SockOption) (net.Listener, error
 	// We don't use "defer" here, to reset the umask to its original value as soon
 	// as possible. Ideally we'd be able to detect if WithChmod() was passed as
 	// an option, and skip changing umask if default permissions are used.
-	origUmask := syscall.Umask(0777)
+	origUmask := syscall.Umask(0o777)
 	l, err := net.Listen("unix", path)
 	syscall.Umask(origUmask)
 	if err != nil {
@@ -122,5 +122,5 @@ func NewUnixSocketWithOpts(path string, opts ...SockOption) (net.Listener, error
 
 // NewUnixSocket creates a unix socket with the specified path and group.
 func NewUnixSocket(path string, gid int) (net.Listener, error) {
-	return NewUnixSocketWithOpts(path, WithChown(0, gid), WithChmod(0660))
+	return NewUnixSocketWithOpts(path, WithChown(0, gid), WithChmod(0o660))
 }
diff --git a/sockets/unix_socket_test.go b/sockets/unix_socket_test.go
index 2fb6073fa..e4ae0e370 100644
--- a/sockets/unix_socket_test.go
+++ b/sockets/unix_socket_test.go
@@ -1,4 +1,4 @@
-// +build !windows
+//go:build !windows
 
 package sockets
 
@@ -53,7 +53,7 @@ func TestNewUnixSocket(t *testing.T) {
 
 func TestUnixSocketWithOpts(t *testing.T) {
 	uid, gid := os.Getuid(), os.Getgid()
-	perms := os.FileMode(0660)
+	perms := os.FileMode(0o660)
 	path := "/tmp/test.sock"
 	echoStr := "hello"
 	l, err := NewUnixSocketWithOpts(path, WithChown(uid, gid), WithChmod(perms))
diff --git a/tlsconfig/config_test.go b/tlsconfig/config_test.go
index 63dbacc57..e18473c56 100644
--- a/tlsconfig/config_test.go
+++ b/tlsconfig/config_test.go
@@ -127,7 +127,7 @@ func TestConfigServerTLSServerCertsOnly(t *testing.T) {
 	if !reflect.DeepEqual(tlsConfig.CipherSuites, DefaultServerAcceptedCiphers) {
 		t.Fatal("Unexpected server cipher suites")
 	}
-	if !tlsConfig.PreferServerCipherSuites {
+	if !tlsConfig.PreferServerCipherSuites { //nolint:staticcheck // Ignore SA1019: tlsConfig.PreferServerCipherSuites has been deprecated since Go 1.18: PreferServerCipherSuites is ignored.
 		t.Fatal("Expected server to prefer cipher suites")
 	}
 	if tlsConfig.MinVersion != tls.VersionTLS12 {
@@ -158,7 +158,7 @@ func TestConfigServerTLSClientCANotSetIfClientAuthTooLow(t *testing.T) {
 	if tlsConfig.ClientAuth != tls.RequestClientCert {
 		t.Fatal("ClientAuth was not set to what was in the options")
 	}
-	if tlsConfig.ClientCAs != nil {
+	if tlsConfig.ClientCAs != nil { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
 		t.Fatalf("Client CAs should never have been set")
 	}
 }
@@ -191,7 +191,7 @@ func TestConfigServerTLSClientCASet(t *testing.T) {
 		basePool = x509.NewCertPool()
 	}
 	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
-	if tlsConfig.ClientCAs == nil || len(tlsConfig.ClientCAs.Subjects()) != len(basePool.Subjects())+2 {
+	if tlsConfig.ClientCAs == nil || len(tlsConfig.ClientCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
 		t.Fatalf("Client CAs were never set correctly")
 	}
 }
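Review bot: The `//nolint:staticcheck` directive added to the `tlsConfig.ClientCAs != nil` line in the @@ -158 hunk cites SA1019 for `Subjects`, but neither that line nor the `t.Fatalf` block it opens calls `Subjects()` and the `ClientCAs` field itself is not deprecated, so the directive suppresses nothing; with `nolintlint` enabled it would be reported as an unused suppression. The same applies to the `RootCAs != nil` line in the @@ -394 hunk of this file. Keeping the directive only on the lines that actually call `Subjects()` (the @@ -191 and @@ -449 hunks) scopes the suppression to the deprecated call, i.e. revert those two lines to `if tlsConfig.ClientCAs != nil {` and `if tlsConfig.RootCAs != nil {`.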
@@ -394,7 +394,7 @@ func TestConfigClientTLSNoVerify(t *testing.T) {
 		t.Fatal("Unable to configure client TLS", err)
 	}
 
-	if tlsConfig.RootCAs != nil {
+	if tlsConfig.RootCAs != nil { //nolint:staticcheck // Ignore SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
 		t.Fatal("Should not have set Root CAs", err)
 	}
 
@@ -449,7 +449,7 @@ func TestConfigClientTLSRootCAFileWithOneCert(t *testing.T) {
 		basePool = x509.NewCertPool()
 	}
 	// because we are not enabling `ExclusiveRootPools`, any root pool will also contain the system roots
-	if tlsConfig.RootCAs == nil || len(tlsConfig.RootCAs.Subjects()) != len(basePool.Subjects())+2 {
+	if tlsConfig.RootCAs == nil || len(tlsConfig.RootCAs.Subjects()) != len(basePool.Subjects())+2 { //nolint:staticcheck // Ignore SA1019: tlsConfig.ClientCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.
 		t.Fatal("Root CAs not set properly", err)
 	}
 	if tlsConfig.Certificates != nil {
From 9548f9f7bdd4e95eb9d3a20c430517f69f5c62cf Mon Sep 17 00:00:00 2001
From: Sebastiaan van Stijn
Date: Fri, 10 Nov 2023 21:06:58 +0100
Subject: [PATCH 7/7] tlsconfig: remove deprecated io/ioutil

Signed-off-by: Sebastiaan van Stijn
---
 tlsconfig/config.go      | 7 +++----
 tlsconfig/config_test.go | 9 ++++-----
 2 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/tlsconfig/config.go b/tlsconfig/config.go
index f4c4b6024..606c98a38 100644
--- a/tlsconfig/config.go
+++ b/tlsconfig/config.go
@@ -12,7 +12,6 @@ import (
 	"encoding/pem"
 	"errors"
 	"fmt"
-	"io/ioutil"
 	"os"
 )
 
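Review bot: The justification text in the `//nolint:staticcheck` comment on the `RootCAs.Subjects()` line of the @@ -449 hunk names `tlsConfig.ClientCAs.Subjects`, which looks copied from the server-side tests; the expression being suppressed is `tlsConfig.RootCAs.Subjects`, so the comment should read `//nolint:staticcheck // Ignore SA1019: tlsConfig.RootCAs.Subjects has been deprecated since Go 1.18: if s was returned by SystemCertPool, Subjects will not include the system roots.` Separately, the assertion keeps counting `Subjects()` on both `tlsConfig.RootCAs` and `basePool`, which the quoted deprecation notice says is incomplete for a pool from `SystemCertPool`; it presumably only stays meaningful because both pools are obtained the same way, but the branch that sets `basePool` in the non-empty case starts above the hunk and cannot be checked here.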
@@ -104,7 +103,7 @@ func certPool(caFile string, exclusivePool bool) (*x509.CertPool, error) {
 			return nil, fmt.Errorf("failed to read system certificates: %v", err)
 		}
 	}
-	pemData, err := ioutil.ReadFile(caFile)
+	pemData, err := os.ReadFile(caFile)
 	if err != nil {
 		return nil, fmt.Errorf("could not read CA certificate %q: %v", caFile, err)
 	}
@@ -186,12 +185,12 @@ func getCert(options Options) ([]tls.Certificate, error) {
 		return nil, nil
 	}
 
-	cert, err := ioutil.ReadFile(options.CertFile)
+	cert, err := os.ReadFile(options.CertFile)
 	if err != nil {
 		return nil, err
 	}
 
-	prKeyBytes, err := ioutil.ReadFile(options.KeyFile)
+	prKeyBytes, err := os.ReadFile(options.KeyFile)
 	if err != nil {
 		return nil, err
 	}
diff --git a/tlsconfig/config_test.go b/tlsconfig/config_test.go
index e18473c56..11b607dda 100644
--- a/tlsconfig/config_test.go
+++ b/tlsconfig/config_test.go
@@ -5,7 +5,6 @@ import (
 	"crypto/tls"
 	"crypto/x509"
 	"encoding/pem"
-	"io/ioutil"
 	"os"
 	"reflect"
 	"runtime"
@@ -69,7 +68,7 @@ func TestConfigServerTLSFailsIfUnableToLoadCerts(t *testing.T) {
 	key, cert := getCertAndKey()
 	ca := getMultiCert()
 
-	tempFile, err := ioutil.TempFile("", "cert-test")
+	tempFile, err := os.CreateTemp("", "cert-test")
 	if err != nil {
 		t.Fatal("Unable to create temporary empty file")
 	}
@@ -206,7 +205,7 @@ func TestConfigServerExclusiveRootPools(t *testing.T) {
 	key, cert := getCertAndKey()
 	ca := getMultiCert()
 
-	caBytes, err := ioutil.ReadFile(ca)
+	caBytes, err := os.ReadFile(ca)
 	if err != nil {
 		t.Fatal("Unable to read CA certs", err)
 	}
@@ -471,7 +470,7 @@ func TestConfigClientTLSNonexistentRootCAFile(t *testing.T) {
 
 func TestConfigClientTLSClientCertOrKeyInvalid(t *testing.T) {
 	key, cert := getCertAndKey()
-	tempFile, err := ioutil.TempFile("", "cert-test")
+	tempFile, err := os.CreateTemp("", "cert-test")
 	if err != nil {
 		t.Fatal("Unable to create temporary empty file")
 	}
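Review bot: In the `certPool` hunk the error from the new `os.ReadFile(caFile)` call is still wrapped with `%v` on the following line, which flattens the `*fs.PathError` to text; now that go.mod requires Go 1.18, `%w` is available and lets a caller tell a missing CA file from an unreadable one with `errors.Is`, which matters when deciding whether a TLS setup failure is a deployment mistake or a permissions problem. Suggested: `return nil, fmt.Errorf("could not read CA certificate %q: %w", caFile, err)`, and the same `%w` for the `"failed to read system certificates"` message at the top of the hunk. In the `getCert` hunk both `os.ReadFile` errors are returned bare, so the caller cannot see whether `CertFile` or `KeyFile` failed; `fmt.Errorf("reading certificate %q: %w", options.CertFile, err)` and the equivalent for `options.KeyFile` would make that explicit. Both `certPool` and `getCert` continue outside their hunks.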
@@ -569,7 +568,7 @@ func TestConfigClientExclusiveRootPools(t *testing.T) {
 	}
 	ca := getMultiCert()
 
-	caBytes, err := ioutil.ReadFile(ca)
+	caBytes, err := os.ReadFile(ca)
 	if err != nil {
 		t.Fatal("Unable to read CA certs", err)
 	}