Testing for TLS package (#65)

* test: unit tests for TLS package

* fix: typo in configuration

* ci: added secrets scanner

* ci: attempt at fixing osv-scan warning

Author: MadsRC

.github/workflows/osv-scanner-schedule.yaml

@@ -13,5 +13,5 @@ permissions:
   contents: read
 
 jobs:
-  scan-scheduled:
+  osv-scan:
     uses: "google/osv-scanner-action/.github/workflows/osv-scanner-reusable.yml@75532bf0bf75464b047d80414dbce04449498365" # v1.7.3

.golangci.yaml

@@ -33,3 +33,5 @@ linters:
 linters-settings:
   goimports:
     local-prefixes: github.com/madsrc/sophrosyne
+  errorlint:
+    errorf: false

.pre-commit-config.yaml

@@ -1,4 +1,8 @@
 repos:
+  - repo: https://github.com/gitleaks/gitleaks
+    rev: v8.16.1
+    hooks:
+      - id: gitleaks
   - repo: https://github.com/google/osv-scanner/
     rev: 645d5b0bb9c14741b2147a5305b684e4abc039e0 # v1.7.3
     hooks:
@@ -21,7 +25,6 @@ repos:
       - id: destroyed-symlinks
       - id: check-case-conflict
       - id: mixed-line-ending
-      - id: detect-private-key
       - id: pretty-format-json
         args: ['--autofix']
 ci:

config.go

@@ -78,6 +78,7 @@ var DefaultConfig = map[string]interface{}{
 	"services.checks.pageSize":        2,
 	"services.checks.cacheTTL":        100,
 	"server.maxBodySize":              20 * megabyte,
+	"server.advertisedHost":           "localhost",
 }
 
 const megabyte int64 = 1048576
@@ -105,10 +106,7 @@ type Config struct {
 		Port     int    `key:"port" validate:"required,min=1,max=65535"`
 		Name     string `key:"name" validate:"required"`
 	} `key:"database"`
-	Server struct {
-		Port        int   `key:"port" validate:"required,min=1,max=65535"`
-		MaxBodySize int64 `key:"maxBodySize" validate:"required,min=1"` // in bytes
-	} `key:"server"`
+	Server  ServerConfig `key:"server"`
 	Logging struct {
 		Enabled bool      `key:"enabled"`
 		Level   LogLevel  `key:"level" validate:"required,oneof=debug info"`
@@ -126,16 +124,7 @@ type Config struct {
 		Interval int        `key:"interval"`
 		Output   OtelOutput `key:"output" validate:"required,oneof=stdout http"`
 	} `key:"metrics"`
-	Security struct {
-		SiteKey []byte `key:"siteKey" validate:"required,min=64,max=64"`
-		Salt    []byte `key:"salt" validate:"required,min=32,max=32"`
-		TLS     struct {
-			KeyType            string `key:"keyType" validate:"required,oneof=RSA-4096 EC-P224 EC-P256 EC-P384 EC-P521 ED25519"`
-			CertificatePath    string `key:"certificatePath"`
-			KeyPath            string `key:"keyPath"`
-			InsecureSkipVerify bool   `key:"insecureSkipVerify"`
-		} `key:"tls" validate:"required"`
-	} `key:"security" validate:"required"`
+	Security SecurityConfig `key:"security" validate:"required"`
 	Services struct {
 		Users struct {
 			PageSize int   `key:"pageSize" validate:"required,min=2"`
@@ -155,6 +144,25 @@ type Config struct {
 	} `key:"development"`
 }
 
+type TLSConfig struct {
+	KeyType            string `key:"keyType" validate:"required,oneof=RSA-4096 EC-P224 EC-P256 EC-P384 EC-P521 ED25519"`
+	CertificatePath    string `key:"certificatePath"`
+	KeyPath            string `key:"keyPath"`
+	InsecureSkipVerify bool   `key:"insecureSkipVerify"`
+}
+
+type SecurityConfig struct {
+	SiteKey []byte    `key:"siteKey" validate:"required,min=64,max=64"`
+	Salt    []byte    `key:"salt" validate:"required,min=32,max=32"`
+	TLS     TLSConfig `key:"tls" validate:"required"`
+}
+
+type ServerConfig struct {
+	Port           int    `key:"port" validate:"required,min=1,max=65535"`
+	MaxBodySize    int64  `key:"maxBodySize" validate:"required,min=1"` // in bytes
+	AdvertisedHost string `key:"advertisedHost" validate:"required"`
+}
+
 // ConfigEnvironmentPrefix is the prefix used to identify the environment
 // variables that are used to configure the application.
 var ConfigEnvironmentPrefix = "SOPH_"

internal/tls/testdata/certKeyBundle_1/cert.pem

@@ -0,0 +1,13 @@
+-----BEGIN CERTIFICATE-----
+MIIB4DCCAYWgAwIBAgIUfzHs33pDVo02ZD5LSdz99ahkjw8wCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA1MTIxNzU5NDBaFw0zNDA1MTAx
+NzU5NDBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAASPO99XmpgeloFlVhaAu//McNpmt0pn705GW89iENlumJlWIOvspqw9
+tMguMSvCpEUMqwIBuElZb2dXi7QnJPcGo1MwUTAdBgNVHQ4EFgQUGFThkxd34nXB
+6d0K999LZC0nFDowHwYDVR0jBBgwFoAUGFThkxd34nXB6d0K999LZC0nFDowDwYD
+VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEA1tkc7NjK1pZ76kG+28TM
+JKyDmHzhjXIsMt1C0U1LHncCIQClbXy7/XG36mGoMNaV3IWUnWLjoQe2+uZHUpBP
+bSeqfQ==
+-----END CERTIFICATE-----

internal/tls/testdata/certKeyBundle_1/ec_key.pem

@@ -0,0 +1,5 @@
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIO0gnXY2J3PGASVpqZ768ZumKJq19d8VYwVnz5GKls6SoAoGCCqGSM49
+AwEHoUQDQgAEjzvfV5qYHpaBZVYWgLv/zHDaZrdKZ+9ORlvPYhDZbpiZViDr7Kas
+PbTILjErwqRFDKsCAbhJWW9nV4u0JyT3Bg==
+-----END EC PRIVATE KEY-----

internal/tls/testdata/certKeyBundle_1/ec_key_with_params.key

@@ -0,0 +1,8 @@
+-----BEGIN EC PARAMETERS-----
+BggqhkjOPQMBBw==
+-----END EC PARAMETERS-----
+-----BEGIN EC PRIVATE KEY-----
+MHcCAQEEIO0gnXY2J3PGASVpqZ768ZumKJq19d8VYwVnz5GKls6SoAoGCCqGSM49
+AwEHoUQDQgAEjzvfV5qYHpaBZVYWgLv/zHDaZrdKZ+9ORlvPYhDZbpiZViDr7Kas
+PbTILjErwqRFDKsCAbhJWW9nV4u0JyT3Bg==
+-----END EC PRIVATE KEY-----

internal/tls/testdata/invalid_key.pem

@@ -0,0 +1,13 @@
+-----BEGIN PRIVATE KEY-----
+MIIB4DCCAYWgAwIBAgIUfzHs33pDVo02ZD5LSdz99ahkjw8wCgYIKoZIzj0EAwIw
+RTELMAkGA1UEBhMCQVUxEzARBgNVBAgMClNvbWUtU3RhdGUxITAfBgNVBAoMGElu
+dGVybmV0IFdpZGdpdHMgUHR5IEx0ZDAeFw0yNDA1MTIxNzU5NDBaFw0zNDA1MTAx
+NzU5NDBaMEUxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYD
+VQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQwWTATBgcqhkjOPQIBBggqhkjO
+PQMBBwNCAASPO99XmpgeloFlVhaAu//McNpmt0pn705GW89iENlumJlWIOvspqw9
+tMguMSvCpEUMqwIBuElZb2dXi7QnJPcGo1MwUTAdBgNVHQ4EFgQUGFThkxd34nXB
+6d0K999LZC0nFDowHwYDVR0jBBgwFoAUGFThkxd34nXB6d0K999LZC0nFDowDwYD
+VR0TAQH/BAUwAwEB/zAKBggqhkjOPQQDAgNJADBGAiEA1tkc7NjK1pZ76kG+28TM
+JKyDmHzhjXIsMt1C0U1LHncCIQClbXy7/XG36mGoMNaV3IWUnWLjoQe2+uZHUpBP
+bSeqfQ==
+-----END PRIVATE KEY-----

internal/tls/testdata/rsa2048_key.pem

@@ -0,0 +1,28 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvAIBADANBgkqhkiG9w0BAQEFAASCBKYwggSiAgEAAoIBAQCoyr6JFb3KmanF
+rOPPsr+GYHCm2uoY+5R8+fwN9pAc+MTYvla75CdDq1aVlcAnq36e1wPuvUzuhmlW
+0KcVwHKVLIYOodBo6mq4INbpvyTr2lYtUZvOCUidX56n6/l/0qRkXeM8/5xvXyrZ
+Qs19SP9fCDl/tWKzOKstsw2cACBkxrhl3y548M0Ffnxd3lJZWKC0qOqaHBABiJkv
+d0vpXFTrb4yao6PTZYJOg+hTwnJZbGH+zvBpVzaM4/q15eNpevgYZLht6ttXIVYi
++2YsYHsYpdMWloBmAjFbKiW5zGSfEqrhvDaG+MilBkxazkJ2z42vnvbOqGYtCKvm
+L6V+s3STAgMBAAECggEASpNVTqUD900gJN3nwz7y/vCCJT5omsQgzXz3n8W1048Y
+Dbk/AgHiVTQQ68M/pGdRaOWP773EjUhmpzxF7kbaeU00J6fXuFsF7rdXrOvOaMRN
+OfWqFISmiB2UsBWC5TZQeqW+vhcja1ONT3OD7dxANCEiommmI5AglW7cTvYBWfR4
+4Ljr+T0CwN6D8FPob0OOPvlNqIzmJHdvclRZ42vXA+SIT+vSu4ByQ4l72PeFqWRu
++TNCTzpiixzxDPh2tNfV87S1OY8ATlPS2WCAX+evOxfnSfARIfXDzqQq928o30v4
+Y0ZYD0kc42Cmcvk047+hubJfLCOtRAYfRbZ4kYAchQKBgQDaWVm/sU3CWNaInB1x
+gu+6er5WigtVLfjFxUMwukRlFB42O8cRnRkeq6mhHhFC1guB9J/b+l0Ye000cOl6
+umx4BtMZAUtNu5i5VDv/Z6EE+hsBdl/ExGp4L8QjwN8vfrjnwZaYxV7p08S7jXTC
+zFMXoZk980F/PYAtXSSe+3V99QKBgQDF5cfzq3b1tEv/Pi5FnujVy3D2dQ2Llt3a
+rO8V9xv7dfH8+B8t1MmpXK7CNDC2sxkC0vkoVKRVcf4263gbvI6EfkYZCnU7VDF3
+2GvUBh+PIgUjIkJ0p3o0a6JTVQl6lBQLLcYF0eTOc9g2KVuswZjFUBQCs+IipaTs
+wCb5aQtLZwKBgB4FmQx9YXauZlkENhwsZ6/ZPqCBfItqtcDjnZhulAbd3EWStI1c
+b17DNaCclLz+1zg4HV7Orsw17+ic+c1RIqbiMVZH0kXO3HHm/hTg98fKZ7osv4A7
+jXQXBT3xP/60ytG60W0R/jniTzOGgJ5kH6ypIHvfHYtUNnKGUwm1A3OdAoGACdyz
+pD8NRJ1hlCzDHZEXxV/IF2Ap9qTkFXu8xnl0GYn9L0AmPaB3FEucIe175/7w5iUh
+aZMeRWvS4WXGrIsvBwdL8v+EbBp8BJ7ycLSFahql6uRQL4QRIP+kLUb1m/g5L31u
+eufE4U0An2JcQTW8qUieVqwkPtnGaE4DIzbK600CgYAbcr/oX3AGAzZqakvx7XIT
+fqL1VYXyVFi42Uy3jTNeIsAQusiW+nGZ7UBgeE3rdfmxHkhjLcae9wGFu0vBwX7/
+GoTUt0ESciGb9YEp6F9z/3lZA877XuRo0nTwrsv6wKLN2CMduvjxCKCnH0xbeGoY
+8MoDZwvNsPYQ1rB9pvRqIQ==
+-----END PRIVATE KEY-----