TLS Diagnose Formatting Fixes (#11342)

Hridoy Roy · web-flow · commit 92c6a972dddf · 2021-04-12T10:55:33.000-07:00
* diagnose formatting fixes

* diagnose formatting fixes
diff --git a/vault/diagnose/tls_verification.go b/vault/diagnose/tls_verification.go
@@ -36,9 +36,8 @@ func ListenerChecks(listeners []listenerutil.Listener) error {
 			return fmt.Errorf(maxVersionError, l.TLSMaxVersion)
 		}
 
-		var err error
 		// Perform checks on the TLS Cryptographic Information.
-		if err = TLSFileChecks(l.TLSCertFile, l.TLSKeyFile); err != nil {
+		if err := TLSFileChecks(l.TLSCertFile, l.TLSKeyFile); err != nil {
 			return err
 		}
 	}
@@ -117,15 +116,10 @@ func TLSFileChecks(certFilePath, keyFilePath string) error {
 	// After verify passes, we need to check the values on the certificate itself.
 	// This is a separate check beyond the certificate expiry and chain checks.
 
-	cert, err := tls.LoadX509KeyPair(certFilePath, keyFilePath)
+	_, err = tls.LoadX509KeyPair(certFilePath, keyFilePath)
 	if err != nil {
 		return err
 	}
-	x509Cert, err := x509.ParseCertificate(cert.Certificate[0])
-	if err != nil {
-		return err
-	}
-	cert.Leaf = x509Cert
 
 	return nil
 }
diff --git a/vault/diagnose/tls_verification_test.go b/vault/diagnose/tls_verification_test.go
@@ -28,7 +28,7 @@ func TestTLSValidCert(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err != nil {
-		t.Error(err.Error())
+		t.Fatalf(err.Error())
 	}
 }
 
@@ -50,10 +50,10 @@ func TestTLSFakeCert(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err == nil {
-		t.Error("TLS Config check on fake certificate should fail")
+		t.Fatalf("TLS Config check on fake certificate should fail")
 	}
 	if !strings.Contains(err.Error(), "could not decode cert") {
-		t.Errorf("Bad error message: %w", err)
+		t.Fatalf("Bad error message: %s", err)
 	}
 }
 
@@ -78,10 +78,10 @@ func TestTLSTrailingData(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err == nil {
-		t.Error("TLS Config check on fake certificate should fail")
+		t.Fatalf("TLS Config check on fake certificate should fail")
 	}
 	if !strings.Contains(err.Error(), "asn1: syntax error: trailing data") {
-		t.Errorf("Bad error message: %w", err)
+		t.Fatalf("Bad error message: %s", err)
 	}
 }
 
@@ -104,10 +104,10 @@ func TestTLSExpiredCert(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err == nil {
-		t.Error("TLS Config check on fake certificate should fail")
+		t.Fatalf("TLS Config check on fake certificate should fail")
 	}
 	if !strings.Contains(err.Error(), "certificate has expired or is not yet valid") {
-		t.Errorf("Bad error message: %w", err)
+		t.Fatalf("Bad error message: %s", err)
 	}
 }
 
@@ -130,10 +130,10 @@ func TestTLSMismatchedCryptographicInfo(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err == nil {
-		t.Error("TLS Config check on fake certificate should fail")
+		t.Fatalf("TLS Config check on fake certificate should fail")
 	}
 	if err.Error() != "tls: private key type does not match public key type" {
-		t.Errorf("Bad error message: %w", err)
+		t.Fatalf("Bad error message: %s", err)
 	}
 
 	listeners = []listenerutil.Listener{
@@ -153,10 +153,10 @@ func TestTLSMismatchedCryptographicInfo(t *testing.T) {
 	}
 	err = ListenerChecks(listeners)
 	if err == nil {
-		t.Error("TLS Config check on fake certificate should fail")
+		t.Fatalf("TLS Config check on fake certificate should fail")
 	}
 	if err.Error() != "tls: private key type does not match public key type" {
-		t.Errorf("Bad error message: %w", err)
+		t.Fatalf("Bad error message: %s", err)
 	}
 }
 
@@ -179,10 +179,10 @@ func TestTLSMultiKeys(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err == nil {
-		t.Error("TLS Config check on fake certificate should fail")
+		t.Fatalf("TLS Config check on fake certificate should fail")
 	}
 	if !strings.Contains(err.Error(), "pem block does not parse to a certificate") {
-		t.Errorf("Bad error message: %w", err)
+		t.Fatalf("Bad error message: %s", err)
 	}
 }
 
@@ -204,10 +204,10 @@ func TestTLSMultiCerts(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err == nil {
-		t.Error("TLS Config check on fake certificate should fail")
+		t.Fatalf("TLS Config check on fake certificate should fail")
 	}
 	if !strings.Contains(err.Error(), "found a certificate rather than a key in the PEM for the private key") {
-		t.Errorf("Bad error message: %w", err)
+		t.Fatalf("Bad error message: %s", err)
 	}
 }
 
@@ -231,10 +231,10 @@ func TestTLSInvalidRoot(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err == nil {
-		t.Error("TLS Config check on fake certificate should fail")
+		t.Fatalf("TLS Config check on fake certificate should fail")
 	}
 	if err.Error() != "failed to verify certificate: x509: certificate signed by unknown authority" {
-		t.Errorf("Bad error message: %w", err)
+		t.Fatalf("Bad error message: %s", err)
 	}
 }
 
@@ -258,7 +258,7 @@ func TestTLSNoRoot(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err != nil {
-		t.Error("Server certificate without root certificate is insecure, but still valid.")
+		t.Fatalf("Server certificate without root certificate is insecure, but still valid.")
 	}
 }
 
@@ -282,10 +282,10 @@ func TestTLSInvalidMinVersion(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err == nil {
-		t.Error("TLS Config check on fake certificate should fail")
+		t.Fatalf("TLS Config check on fake certificate should fail")
 	}
 	if err.Error() != fmt.Errorf(minVersionError, "0").Error() {
-		t.Errorf("Bad error message: %w", err)
+		t.Fatalf("Bad error message: %s", err)
 	}
 }
 
@@ -309,7 +309,7 @@ func TestTLSInvalidMaxVersion(t *testing.T) {
 	}
 	err := ListenerChecks(listeners)
 	if err == nil {
-		t.Error("TLS Config check on fake certificate should fail")
+		t.Fatalf("TLS Config check on fake certificate should fail")
 	}
 	if err.Error() != fmt.Errorf(maxVersionError, "0").Error() {
 		t.Errorf("Bad error message: %w", err)

Original file line number	Diff line number	Diff line change
`@@ -36,9 +36,8 @@ func ListenerChecks(listeners []listenerutil.Listener) error {`
`36`	`36`	`return fmt.Errorf(maxVersionError, l.TLSMaxVersion)`
`37`	`37`	`}`
`38`	`38`
`39`		`- var err error`
`40`	`39`	`// Perform checks on the TLS Cryptographic Information.`
`41`		`- if err = TLSFileChecks(l.TLSCertFile, l.TLSKeyFile); err != nil {`
	`40`	`+ if err := TLSFileChecks(l.TLSCertFile, l.TLSKeyFile); err != nil {`
`42`	`41`	`return err`
`43`	`42`	`}`
`44`	`43`	`}`
`@@ -117,15 +116,10 @@ func TLSFileChecks(certFilePath, keyFilePath string) error {`
`117`	`116`	`// After verify passes, we need to check the values on the certificate itself.`
`118`	`117`	`// This is a separate check beyond the certificate expiry and chain checks.`
`119`	`118`
`120`		`- cert, err := tls.LoadX509KeyPair(certFilePath, keyFilePath)`
	`119`	`+ _, err = tls.LoadX509KeyPair(certFilePath, keyFilePath)`
`121`	`120`	`if err != nil {`
`122`	`121`	`return err`
`123`	`122`	`}`
`124`		`- x509Cert, err := x509.ParseCertificate(cert.Certificate[0])`
`125`		`- if err != nil {`
`126`		`- return err`
`127`		`- }`
`128`		`- cert.Leaf = x509Cert`
`129`	`123`
`130`	`124`	`return nil`
`131`	`125`	`}`
Original file line number	Diff line number	Diff line change
`@@ -28,7 +28,7 @@ func TestTLSValidCert(t *testing.T) {`
`28`	`28`	`}`
`29`	`29`	`err := ListenerChecks(listeners)`
`30`	`30`	`if err != nil {`
`31`		`- t.Error(err.Error())`
	`31`	`+ t.Fatalf(err.Error())`
`32`	`32`	`}`
`33`	`33`	`}`
`34`	`34`
`@@ -50,10 +50,10 @@ func TestTLSFakeCert(t *testing.T) {`
`50`	`50`	`}`
`51`	`51`	`err := ListenerChecks(listeners)`
`52`	`52`	`if err == nil {`
`53`		`- t.Error("TLS Config check on fake certificate should fail")`
	`53`	`+ t.Fatalf("TLS Config check on fake certificate should fail")`
`54`	`54`	`}`
`55`	`55`	`if !strings.Contains(err.Error(), "could not decode cert") {`
`56`		`- t.Errorf("Bad error message: %w", err)`
	`56`	`+ t.Fatalf("Bad error message: %s", err)`
`57`	`57`	`}`
`58`	`58`	`}`
`59`	`59`
`@@ -78,10 +78,10 @@ func TestTLSTrailingData(t *testing.T) {`
`78`	`78`	`}`
`79`	`79`	`err := ListenerChecks(listeners)`
`80`	`80`	`if err == nil {`
`81`		`- t.Error("TLS Config check on fake certificate should fail")`
	`81`	`+ t.Fatalf("TLS Config check on fake certificate should fail")`
`82`	`82`	`}`
`83`	`83`	`if !strings.Contains(err.Error(), "asn1: syntax error: trailing data") {`
`84`		`- t.Errorf("Bad error message: %w", err)`
	`84`	`+ t.Fatalf("Bad error message: %s", err)`
`85`	`85`	`}`
`86`	`86`	`}`
`87`	`87`
`@@ -104,10 +104,10 @@ func TestTLSExpiredCert(t *testing.T) {`
`104`	`104`	`}`
`105`	`105`	`err := ListenerChecks(listeners)`
`106`	`106`	`if err == nil {`
`107`		`- t.Error("TLS Config check on fake certificate should fail")`
	`107`	`+ t.Fatalf("TLS Config check on fake certificate should fail")`
`108`	`108`	`}`
`109`	`109`	`if !strings.Contains(err.Error(), "certificate has expired or is not yet valid") {`
`110`		`- t.Errorf("Bad error message: %w", err)`
	`110`	`+ t.Fatalf("Bad error message: %s", err)`
`111`	`111`	`}`
`112`	`112`	`}`
`113`	`113`
`@@ -130,10 +130,10 @@ func TestTLSMismatchedCryptographicInfo(t *testing.T) {`
`130`	`130`	`}`
`131`	`131`	`err := ListenerChecks(listeners)`
`132`	`132`	`if err == nil {`
`133`		`- t.Error("TLS Config check on fake certificate should fail")`
	`133`	`+ t.Fatalf("TLS Config check on fake certificate should fail")`
`134`	`134`	`}`
`135`	`135`	`if err.Error() != "tls: private key type does not match public key type" {`
`136`		`- t.Errorf("Bad error message: %w", err)`
	`136`	`+ t.Fatalf("Bad error message: %s", err)`
`137`	`137`	`}`
`138`	`138`
`139`	`139`	`listeners = []listenerutil.Listener{`
`@@ -153,10 +153,10 @@ func TestTLSMismatchedCryptographicInfo(t *testing.T) {`
`153`	`153`	`}`
`154`	`154`	`err = ListenerChecks(listeners)`
`155`	`155`	`if err == nil {`
`156`		`- t.Error("TLS Config check on fake certificate should fail")`
	`156`	`+ t.Fatalf("TLS Config check on fake certificate should fail")`
`157`	`157`	`}`
`158`	`158`	`if err.Error() != "tls: private key type does not match public key type" {`
`159`		`- t.Errorf("Bad error message: %w", err)`
	`159`	`+ t.Fatalf("Bad error message: %s", err)`
`160`	`160`	`}`
`161`	`161`	`}`
`162`	`162`
`@@ -179,10 +179,10 @@ func TestTLSMultiKeys(t *testing.T) {`
`179`	`179`	`}`
`180`	`180`	`err := ListenerChecks(listeners)`
`181`	`181`	`if err == nil {`
`182`		`- t.Error("TLS Config check on fake certificate should fail")`
	`182`	`+ t.Fatalf("TLS Config check on fake certificate should fail")`
`183`	`183`	`}`
`184`	`184`	`if !strings.Contains(err.Error(), "pem block does not parse to a certificate") {`
`185`		`- t.Errorf("Bad error message: %w", err)`
	`185`	`+ t.Fatalf("Bad error message: %s", err)`
`186`	`186`	`}`
`187`	`187`	`}`
`188`	`188`
`@@ -204,10 +204,10 @@ func TestTLSMultiCerts(t *testing.T) {`
`204`	`204`	`}`
`205`	`205`	`err := ListenerChecks(listeners)`
`206`	`206`	`if err == nil {`
`207`		`- t.Error("TLS Config check on fake certificate should fail")`
	`207`	`+ t.Fatalf("TLS Config check on fake certificate should fail")`
`208`	`208`	`}`
`209`	`209`	`if !strings.Contains(err.Error(), "found a certificate rather than a key in the PEM for the private key") {`
`210`		`- t.Errorf("Bad error message: %w", err)`
	`210`	`+ t.Fatalf("Bad error message: %s", err)`
`211`	`211`	`}`
`212`	`212`	`}`
`213`	`213`
`@@ -231,10 +231,10 @@ func TestTLSInvalidRoot(t *testing.T) {`
`231`	`231`	`}`
`232`	`232`	`err := ListenerChecks(listeners)`
`233`	`233`	`if err == nil {`
`234`		`- t.Error("TLS Config check on fake certificate should fail")`
	`234`	`+ t.Fatalf("TLS Config check on fake certificate should fail")`
`235`	`235`	`}`
`236`	`236`	`if err.Error() != "failed to verify certificate: x509: certificate signed by unknown authority" {`
`237`		`- t.Errorf("Bad error message: %w", err)`
	`237`	`+ t.Fatalf("Bad error message: %s", err)`
`238`	`238`	`}`
`239`	`239`	`}`
`240`	`240`
`@@ -258,7 +258,7 @@ func TestTLSNoRoot(t *testing.T) {`
`258`	`258`	`}`
`259`	`259`	`err := ListenerChecks(listeners)`
`260`	`260`	`if err != nil {`
`261`		`- t.Error("Server certificate without root certificate is insecure, but still valid.")`
	`261`	`+ t.Fatalf("Server certificate without root certificate is insecure, but still valid.")`
`262`	`262`	`}`
`263`	`263`	`}`
`264`	`264`
`@@ -282,10 +282,10 @@ func TestTLSInvalidMinVersion(t *testing.T) {`
`282`	`282`	`}`
`283`	`283`	`err := ListenerChecks(listeners)`
`284`	`284`	`if err == nil {`
`285`		`- t.Error("TLS Config check on fake certificate should fail")`
	`285`	`+ t.Fatalf("TLS Config check on fake certificate should fail")`
`286`	`286`	`}`
`287`	`287`	`if err.Error() != fmt.Errorf(minVersionError, "0").Error() {`
`288`		`- t.Errorf("Bad error message: %w", err)`
	`288`	`+ t.Fatalf("Bad error message: %s", err)`
`289`	`289`	`}`
`290`	`290`	`}`
`291`	`291`
`@@ -309,7 +309,7 @@ func TestTLSInvalidMaxVersion(t *testing.T) {`
`309`	`309`	`}`
`310`	`310`	`err := ListenerChecks(listeners)`
`311`	`311`	`if err == nil {`
`312`		`- t.Error("TLS Config check on fake certificate should fail")`
	`312`	`+ t.Fatalf("TLS Config check on fake certificate should fail")`
`313`	`313`	`}`
`314`	`314`	`if err.Error() != fmt.Errorf(maxVersionError, "0").Error() {`
`315`	`315`	`t.Errorf("Bad error message: %w", err)`