From 2e310874c82f0c98411c32ce8245a608741e64df Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 5 Nov 2024 09:14:42 +0800
Subject: [PATCH 01/11] add CODEOWNERS [skip ci]
---
 .github/CODEOWNERS | 4 ++++
 1 file changed, 4 insertions(+)
 create mode 100644 .github/CODEOWNERS
diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS
new file mode 100644
index 0000000..bab1138
--- /dev/null
+++ b/.github/CODEOWNERS
@@ -0,0 +1,4 @@
+* @silinternational/developers
+*.tf @silinternational/tf-devs
+*.go @silinternational/go-devs
+go.* @silinternational/go-devs
From f56d3db31970175ebc317d9cd39b015de74ba0c8 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Thu, 7 Nov 2024 20:54:31 +0800
Subject: [PATCH 02/11] log debug info in FinishLogin
---
 user.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/user.go b/user.go
index 7286ded..abf58cb 100644
--- a/user.go
+++ b/user.go
@@ -349,7 +349,11 @@ func (u *DynamoUser) FinishLogin(r *http.Request) (*webauthn.Credential, error)
 br := fixEncoding(body)
 parsedResponse, err := protocol.ParseCredentialRequestResponseBody(br)
 if err != nil {
- log.Printf("failed to parse credential request response body: %s", err)
+ var protocolError *protocol.Error
+ if errors.As(err, &protocolError) {
+ log.Printf("failed to parse credential request response body: %s", body)
+ log.Printf("ProtocolError: %s, DevInfo: %s", protocolError.Details, protocolError.DevInfo)
+ }
 return &webauthn.Credential{}, fmt.Errorf("failed to parse credential request response body: %s", err)
 }
From 040b045043b1f198a9b8fde53abe1c6b00b18751 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Thu, 7 Nov 2024 22:13:57 +0800
Subject: [PATCH 03/11] log debug detail for ValidateLogin
---
 user.go | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/user.go b/user.go
index abf58cb..b4eb1e8 100644
--- a/user.go
+++ b/user.go
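Review bot: CODEOWNERS only auto-requests reviewers unless the branch protection rule for the deploy branches (`main`/`develop`, per the workflow hunks later in this series) has "Require review from Code Owners" enabled, so that setting should be confirmed alongside adding this file or it gates nothing. Note also that the last matching pattern wins: `*.go` and `go.*` hand Go sources and `go.mod`/`go.sum` to `@silinternational/go-devs` alone rather than in addition to `@silinternational/developers`; if both teams should be requested, list both on those lines, e.g. `*.go @silinternational/go-devs @silinternational/developers`. The deploy/publish workflow under `.github/workflows/` currently falls under the catch-all `*` rule; if a narrower group should own pipeline changes, give it an explicit line.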
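Review bot: The new `log.Printf("failed to parse credential request response body: %s", body)` writes the raw, unparsed request body to the log on every parse failure, and at that point `body` is entirely client-controlled and, within this hunk, unbounded — a client can pad it to megabytes or embed newlines to forge log records. Bound and escape it, e.g. `log.Printf("failed to parse credential request response body (%d bytes): %.512q", len(body), body)` (`%q` escapes control characters and the precision truncates); this assumes `body` is a string or byte slice, which the `%s` usage suggests. Emitting the body and the ProtocolError as two separate Printf calls also lets the records interleave under concurrent requests; one call carrying both is easier to correlate. FinishLogin begins before this hunk, so where `body` is read and whether it is already size-limited is not visible here.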
@@ -382,7 +382,11 @@ func (u *DynamoUser) FinishLogin(r *http.Request) (*webauthn.Credential, error)
 credential, err := u.WebAuthnClient.ValidateLogin(u, u.SessionData, parsedResponse)
 if err != nil {
- log.Printf("failed to validate login: %s", err)
+ var protocolError *protocol.Error
+ if errors.As(err, &protocolError) {
+ log.Printf("failed to validate login, ProtocolError: %s, DevInfo: %s",
+ protocolError.Details, protocolError.DevInfo)
+ }
 return &webauthn.Credential{}, fmt.Errorf("failed to validate login: %s", err)
 }
From 26267b26811c71cbe9258494b0a3b73179b70ee2 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 12 Nov 2024 13:05:44 +0800
Subject: [PATCH 04/11] run golangci-lint and govulncheck in CI workflow
---
 .github/workflows/test-deploy-publish.yml | 20 ++++++++++++++++++++
 .golangci.yaml | 19 +++++++++++++++++++
 2 files changed, 39 insertions(+)
 create mode 100644 .golangci.yaml
diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml
index 5b16de8..40a2747 100644
--- a/.github/workflows/test-deploy-publish.yml
+++ b/.github/workflows/test-deploy-publish.yml
@@ -23,6 +23,26 @@ jobs:
 - name: Test
 run: docker compose -f actions-services.yml run --rm test ./scripts/test.sh
+ lint:
+ name: Lint and Vulnerability Scan
+ runs-on: ubuntu-latest
+ timeout-minutes: ${{ fromJSON(vars.DEFAULT_JOB_TIMEOUT_MINUTES) }}
+ steps:
+ - uses: actions/checkout@v4
+ - uses: actions/setup-go@v5
+ with:
+ go-version-file: 'go.mod'
+ check-latest: true
+ - name: golangci-lint
+ uses: golangci/golangci-lint-action@v6
+ with:
+ version: latest
+ working-directory: application
+ - name: govulncheck
+ run: |
+ go install golang.org/x/vuln/cmd/govulncheck@latest
+ govulncheck -C application ./...
+
 deploy:
 name: Deploy to AWS Lambda
 needs: tests
diff --git a/.golangci.yaml b/.golangci.yaml
new file mode 100644
index 0000000..7cff435
--- /dev/null
+++ b/.golangci.yaml
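Review bot: With the old `log.Printf("failed to validate login: %s", err)` removed, a ValidateLogin failure that is not a `*protocol.Error` now leaves no log line at this layer and is only returned wrapped. PATCH 10 in this series adds an `else` branch to `logProtocolError` that restores that, so the gap exists only for this intermediate commit, which matters if the series is not squashed. Separately, the returned `fmt.Errorf("failed to validate login: %s", err)` on the context line uses `%s`, which flattens the chain so callers cannot `errors.As` the `*protocol.Error` themselves; `%w` would match what the FinishRegistration returns use in PATCH 08. FinishLogin begins before this hunk.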
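Review bot: Both scanners float to whatever is newest at run time — `version: latest` for golangci-lint and `go install golang.org/x/vuln/cmd/govulncheck@latest` — and `check-latest: true` on setup-go does the same for the toolchain, so the job is not reproducible and a compromised or broken upstream release runs inside the checkout on every push. Pin both tools to explicit release versions (and the actions to commit SHAs if repository policy allows) and bump them deliberately. Separately, govulncheck reports standard-library findings against the toolchain it runs with, so with `check-latest: true` it may scan a newer Go than the docker-based `test` job compiles with; dropping `check-latest` and letting `go-version-file: 'go.mod'` decide keeps the two aligned. No `permissions:` block is visible for this job; if the workflow sets no default, `contents: read` is all it needs.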
@@ -0,0 +1,19 @@
+run:
+ timeout: 2m
+linters:
+ disable-all: true
+ enable:
+# - errcheck
+# - gosimple
+# - govet
+# - ineffassign
+# - staticcheck
+# - unused
+ - bodyclose
+ - gocheckcompilerdirectives
+ - godox
+# - gofmt
+# - goimports
+# - gosec
+# - whitespace
+# - usestdlibvars
From db1d6ba1125ba57f9592b781afce345de5c45eab Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 12 Nov 2024 13:08:26 +0800
Subject: [PATCH 05/11] remove working-directory from golangci-lint config
---
 .github/workflows/test-deploy-publish.yml | 1 -
 1 file changed, 1 deletion(-)
diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml
index 40a2747..11eb198 100644
--- a/.github/workflows/test-deploy-publish.yml
+++ b/.github/workflows/test-deploy-publish.yml
@@ -37,7 +37,6 @@ jobs:
 uses: golangci/golangci-lint-action@v6
 with:
 version: latest
- working-directory: application
 - name: govulncheck
 run: |
 go install golang.org/x/vuln/cmd/govulncheck@latest
From 1cf1411eb3fa092c52b04659161ad48400a0db60 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 12 Nov 2024 13:08:37 +0800
Subject: [PATCH 06/11] require lint check
---
 .github/workflows/test-deploy-publish.yml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml
index 11eb198..6ee1251 100644
--- a/.github/workflows/test-deploy-publish.yml
+++ b/.github/workflows/test-deploy-publish.yml
@@ -44,7 +44,7 @@ jobs:
 deploy:
 name: Deploy to AWS Lambda
- needs: tests
+ needs: [ 'tests', 'lint' ]
 if: github.ref_name == 'main' || github.ref_name == 'develop'
 runs-on: ubuntu-latest
 strategy:
@@ -71,7 +71,7 @@ jobs:
 build-and-publish:
 name: Build and Publish
- needs: tests
+ needs: [ 'tests', 'lint' ]
 runs-on: ubuntu-latest
 steps:
 - name: Checkout code
From 7f9a1c398b376045e22b6c21064b2a18f62e58ce Mon Sep 17 00:00:00 2001
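Review bot: With `disable-all: true` and `gosec`, `errcheck`, `govet` and `staticcheck` all commented out, the job titled "Lint and Vulnerability Scan" inspects the repository's own code only with `bodyclose`, `gocheckcompilerdirectives` and `godox`; govulncheck covers known vulnerabilities in dependencies, but nothing here flags unchecked errors or insecure calls in this code. For a WebAuthn relying party, `- gosec` and `- errcheck` (with `- govet` and `- staticcheck` as the usual baseline) are the part of this gate that carries security weight; if the existing code is too noisy, `issues: new-from-rev:` lets the gate apply to new changes only rather than leaving the linters off. A one-line comment above the commented-out entries saying why they are disabled, and what would allow enabling them, would help the next reader.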
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 12 Nov 2024 13:10:11 +0800
Subject: [PATCH 07/11] remove directory from govulncheck command
---
 .github/workflows/test-deploy-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml
index 6ee1251..cc342cc 100644
--- a/.github/workflows/test-deploy-publish.yml
+++ b/.github/workflows/test-deploy-publish.yml
@@ -40,7 +40,7 @@ jobs:
 - name: govulncheck
 run: |
 go install golang.org/x/vuln/cmd/govulncheck@latest
- govulncheck -C application ./...
+ govulncheck ./...
 deploy:
 name: Deploy to AWS Lambda
From 4e558c38d8c4b58efd09f0dae81255d9b82c60d0 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 12 Nov 2024 16:09:33 +0800
Subject: [PATCH 08/11] log protocol.Error in more places
---
 user.go | 25 +++++++++++--------------
 1 file changed, 11 insertions(+), 14 deletions(-)
diff --git a/user.go b/user.go
index b4eb1e8..2b48a28 100644
--- a/user.go
+++ b/user.go
@@ -284,20 +284,13 @@ func (u *DynamoUser) FinishRegistration(r *http.Request) (string, error) {
 br := fixEncoding(body)
 parsedResponse, err := protocol.ParseCredentialCreationResponseBody(br)
 if err != nil {
- var protocolError *protocol.Error
- if errors.As(err, &protocolError) {
- log.Printf("unable to parse body: %s", body)
- log.Printf("ProtocolError: %s, DevInfo: %s", protocolError.Details, protocolError.DevInfo)
- }
+ logProtocolError("unable to parse body", err)
 return "", fmt.Errorf("unable to parse credential creation response body: %w", err)
 }
 credential, err := u.WebAuthnClient.CreateCredential(u, u.SessionData, parsedResponse)
 if err != nil {
- var protocolError *protocol.Error
- if errors.As(err, &protocolError) {
- log.Printf("ProtocolError: %s, DevInfo: %s", protocolError.Details, protocolError.DevInfo)
- }
+ logProtocolError("unable to create credential", err)
 return "", fmt.Errorf("unable to create credential: %w", err)
 }
@@ -382,17 +375,21 @@ func (u *DynamoUser) FinishLogin(r *http.Request) (*webauthn.Credential, error)
 credential, err := u.WebAuthnClient.ValidateLogin(u, u.SessionData, parsedResponse)
 if err != nil {
- var protocolError *protocol.Error
- if errors.As(err, &protocolError) {
- log.Printf("failed to validate login, ProtocolError: %s, DevInfo: %s",
- protocolError.Details, protocolError.DevInfo)
- }
+ logProtocolError("failed to validate login", err)
 return &webauthn.Credential{}, fmt.Errorf("failed to validate login: %s", err)
 }
 return credential, nil
 }
+// logProtocolError logs a message if the given error is an Error from go-webauthn/webauthn/protocol
+func logProtocolError(msg string, err error) {
+ var protocolError *protocol.Error
+ if errors.As(err, &protocolError) {
+ log.Printf("%s, ProtocolError: %s, DevInfo: %s", msg, protocolError.Details, protocolError.DevInfo)
+ }
+}
 // User ID according to the Relying Party
 func (u *DynamoUser) WebAuthnID() []byte {
 return []byte(u.ID)
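Review bot: `logProtocolError` logs nothing when `err` does not wrap a `*protocol.Error`, so after this hunk a ValidateLogin failure from any other source is returned but leaves no trace at this layer; PATCH 10 fixes that with an `else` branch, so this only matters for the intermediate commit. The surviving `return &webauthn.Credential{}, fmt.Errorf("failed to validate login: %s", err)` still uses `%s`, unlike the `%w` on the FinishRegistration returns in the first hunk of this commit; `%w` keeps the `*protocol.Error` reachable for callers via `errors.As` and makes the two functions consistent. The helper's doc comment could also say exactly what is and is not logged: `// logProtocolError logs msg with the Details and DevInfo of err when err wraps a *protocol.Error; any other error is not logged.` FinishLogin begins before this hunk.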
From d6692e1fae3cbd7d3a801bfb828038fafaf9045f Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 12 Nov 2024 16:12:43 +0800
Subject: [PATCH 09/11] one more place to use logProtocolError
---
 user.go | 6 +-----
 1 file changed, 1 insertion(+), 5 deletions(-)
diff --git a/user.go b/user.go
index 2b48a28..5a0df13 100644
--- a/user.go
+++ b/user.go
@@ -342,11 +342,7 @@ func (u *DynamoUser) FinishLogin(r *http.Request) (*webauthn.Credential, error)
 br := fixEncoding(body)
 parsedResponse, err := protocol.ParseCredentialRequestResponseBody(br)
 if err != nil {
- var protocolError *protocol.Error
- if errors.As(err, &protocolError) {
- log.Printf("failed to parse credential request response body: %s", body)
- log.Printf("ProtocolError: %s, DevInfo: %s", protocolError.Details, protocolError.DevInfo)
- }
+ logProtocolError(fmt.Sprintf("failed to parse credential request response body: %s", body), err)
 return &webauthn.Credential{}, fmt.Errorf("failed to parse credential request response body: %s", err)
 }
From f6e352b1938275cb1d0c038a162b46f20f5f78b9 Mon Sep 17 00:00:00 2001
From: briskt <3172830+briskt@users.noreply.github.com>
Date: Tue, 12 Nov 2024 16:16:17 +0800
Subject: [PATCH 10/11] log a message even if the error isn't a protocol.Error
---
 user.go | 18 ++++++++++--------
 1 file changed, 10 insertions(+), 8 deletions(-)
diff --git a/user.go b/user.go
index 5a0df13..b2afa1e 100644
--- a/user.go
+++ b/user.go
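Review bot: `fmt.Sprintf("failed to parse credential request response body: %s", body)` bakes the entire unparsed client body into the log message, unbounded and unescaped, and because it is now the `msg` argument it will be written for every parse failure once `logProtocolError` gains its non-protocol branch later in this series — a client sending garbage can fill the log or forge records with embedded newlines. Bound and quote it: `logProtocolError(fmt.Sprintf("failed to parse credential request response body (%d bytes): %.512q", len(body), body), err)`, where `%q` escapes control characters and the precision caps the output; this assumes `body` is a string or byte slice, as the `%s` usage suggests. The `return` on the context line still wraps with `%s` rather than `%w`, so callers lose the `*protocol.Error`. Whether `body` is already length-limited is not visible, since FinishLogin begins before this hunk.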
@@ -378,14 +378,6 @@ func (u *DynamoUser) FinishLogin(r *http.Request) (*webauthn.Credential, error)
 return credential, nil
 }
-// logProtocolError logs a message if the given error is an Error from go-webauthn/webauthn/protocol
-func logProtocolError(msg string, err error) {
- var protocolError *protocol.Error
- if errors.As(err, &protocolError) {
- log.Printf("%s, ProtocolError: %s, DevInfo: %s", msg, protocolError.Details, protocolError.DevInfo)
- }
-}
-
 // User ID according to the Relying Party
 func (u *DynamoUser) WebAuthnID() []byte {
 return []byte(u.ID)
@@ -489,3 +481,13 @@ func hashAndEncodeKeyHandle(id []byte) string {
 hash := sha256.Sum256(id)
 return base64.RawURLEncoding.EncodeToString(hash[:])
 }
+
+// logProtocolError logs a detailed message if the given error is an Error from go-webauthn/webauthn/protocol
+func logProtocolError(msg string, err error) {
+ var protocolError *protocol.Error
+ if errors.As(err, &protocolError) {
+ log.Printf("%s, ProtocolError: %s, DevInfo: %s", msg, protocolError.Details, protocolError.DevInfo)
+ } else {
+ log.Printf("%s, Error: %s", msg, err)
+ }
+}
From 880c26d75173308e8ae01a0706be1040413ae05f Mon Sep 17 00:00:00 2001
From: Praveen
Date: Tue, 12 Nov 2024 17:12:51 +0530
Subject: [PATCH 11/11] Changing the package naming
---
 .github/workflows/test-deploy-publish.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/.github/workflows/test-deploy-publish.yml b/.github/workflows/test-deploy-publish.yml
index 92f8ba5..b597c61 100644
--- a/.github/workflows/test-deploy-publish.yml
+++ b/.github/workflows/test-deploy-publish.yml
@@ -84,7 +84,7 @@ jobs:
 with:
 images: |
 ${{ vars.IMAGE_NAME }}
- ghcr.io/${{ github.repository_owner }}/${{ vars.IMAGE_NAME }}
+ ghcr.io/${{ github.repository }}
 tags: |
 type=ref,event=branch
 type=semver,pattern={{version}}
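Review bot: Every caller of `logProtocolError` also returns a wrapped error, so with the new `else` branch each failure is now logged here and again wherever the returned error is logged upstream (presumably the HTTP handler, which is not in this diff) — one failure, two records that have to be correlated by hand. Either keep this helper for the `*protocol.Error` detail only and let the outer layer log the generic case, or log here and have the callers return without re-logging; the current split should at least be stated in the doc comment, which still says the helper logs only for a protocol Error, e.g. `// logProtocolError logs msg and err; when err wraps a *protocol.Error its Details and DevInfo are logged in place of the bare error.` Minor: `%v` is the idiomatic verb for an `error` value in the `else` branch, and since `msg` is built from request data at one call site, `%q` on the error would keep a malformed value from splitting the log record.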