diff --git a/.golangci.yml b/.golangci.yml
index ce2b5230d..09e5c468c 100644
--- a/.golangci.yml
+++ b/.golangci.yml
@@ -44,6 +44,8 @@ linters:
 # - dupl
 - errcheck
 - funlen
+ - gochecknoinits
+ # - goconst
 # - gocritic
 - gocyclo
 - gofmt
@@ -53,11 +55,10 @@ linters:
 # - gosimple
 - govet
 # - ineffassign
- - interfacer
 # - misspell
 # - nakedret
 # - scopelint
- # - staticcheck
+ - staticcheck
 - structcheck
 # - stylecheck
 - typecheck
@@ -65,13 +66,9 @@ linters:
 - unused
 - varcheck
 - whitespace
- # - goconst
- - gochecknoinits
 issues:
 exclude:
- - consider giving a name to these results
- - include an explanation for nolint directive
- - Potential Integer overflow made by strconv.Atoi result conversion to int16/32
- - Use of weak random number generator
- - TLS MinVersion too low
+ - "G404: Use of weak random number generator"
+ # maximum count of issues with the same text. set to 0 for unlimited. default is 3.
+ max-same-issues: 0
diff --git a/broker.go b/broker.go
index 4ecca6c52..4fc425f3a 100644
--- a/broker.go
+++ b/broker.go
@@ -1426,7 +1426,9 @@ func (b *Broker) registerCounter(name string) metrics.Counter {
 func validServerNameTLS(addr string, cfg *tls.Config) *tls.Config {
 if cfg == nil {
- cfg = &tls.Config{}
+ cfg = &tls.Config{
+ MinVersion: tls.VersionTLS12,
+ }
 }
 if cfg.ServerName != "" {
 return cfg
diff --git a/client_test.go b/client_test.go
index 272ae8430..d54230881 100644
--- a/client_test.go
+++ b/client_test.go
@@ -101,7 +101,7 @@ func TestClientDoesntCachePartitionsForTopicsWithErrors(t *testing.T) {
 }
 // Should still use the cache of a known topic
- partitions, err = client.Partitions("my_topic")
+ _, err = client.Partitions("my_topic")
 if err != nil {
 t.Errorf("Expected no error, found %v", err)
 }
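Review bot: The one exclusion kept in the third hunk, `"G404: Use of weak random number generator"`, is a repository-wide text match, so gosec stays silent on any later `math/rand` use as well, including one that ends up generating a nonce, token or other security-relevant value. Scoping it keeps the existing findings quiet without hiding new ones: an `issues.exclude-rules` entry with `linters: [gosec]`, `text: "G404"` and `path: <PATH_REGEX_FOR_NON_SECURITY_CODE>` (placeholder, since the call sites are not visible in this diff), or a `//nolint:gosec` with a reason at each reviewed call. Whichever form is used, a comment above the entry saying why weak randomness is acceptable there would help the next reader.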
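Review bot: The TLS 1.2 floor is applied only on the `cfg == nil` branch of validServerNameTLS; a caller-supplied `*tls.Config` with MinVersion left at zero is returned unchanged by the `cfg.ServerName != ""` path and keeps the crypto/tls default, which for clients is TLS 1.0 on Go releases before 1.18. If respecting the caller's config is the intent, the function should say so in a doc comment, for example `// validServerNameTLS fills in ServerName from addr. A nil cfg is replaced by a default that requires TLS 1.2 or newer; a non-nil cfg keeps its own MinVersion.` The body continues past the end of the hunk, so the empty-ServerName path is not visible here.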
@@ -606,7 +606,7 @@ func TestClientGetBroker(t *testing.T) {
 if err := client.RefreshMetadata(); err != nil {
 t.Error(err)
 }
- broker, err = client.Broker(leader.BrokerID())
+ _, err = client.Broker(leader.BrokerID())
 if err != ErrBrokerNotFound {
 t.Errorf("Expected Broker(brokerID) to return %v found %v", ErrBrokerNotFound, err)
 }
diff --git a/client_tls_test.go b/client_tls_test.go
index 489b67f85..7c6e5cd31 100644
--- a/client_tls_test.go
+++ b/client_tls_test.go
@@ -91,6 +91,7 @@ func TestTLS(t *testing.T) {
 }},
 ClientAuth: tls.RequireAndVerifyClientCert,
 ClientCAs: pool,
+ MinVersion: tls.VersionTLS12,
 }
 for _, tc := range []struct {
@@ -108,6 +109,7 @@ func TestTLS(t *testing.T) {
 Certificate: [][]byte{clientDer},
 PrivateKey: clientkey,
 }},
+ MinVersion: tls.VersionTLS12,
 },
 },
 {
@@ -120,6 +122,7 @@ func TestTLS(t *testing.T) {
 Certificate: [][]byte{clientDer},
 PrivateKey: hostkey,
 }},
+ MinVersion: tls.VersionTLS12,
 },
 },
 {
@@ -132,6 +135,7 @@ func TestTLS(t *testing.T) {
 Certificate: [][]byte{hostDer},
 PrivateKey: clientkey,
 }},
+ MinVersion: tls.VersionTLS12,
 },
 },
 {
@@ -143,6 +147,7 @@ func TestTLS(t *testing.T) {
 Certificate: [][]byte{clientDer},
 PrivateKey: clientkey,
 }},
+ MinVersion: tls.VersionTLS12,
 },
 },
 {
@@ -150,7 +155,8 @@ func TestTLS(t *testing.T) {
 Succeed: false,
 Server: serverTLSConfig,
 Client: &tls.Config{
- RootCAs: pool,
+ RootCAs: pool,
+ MinVersion: tls.VersionTLS12,
 },
 },
 {
@@ -163,6 +169,7 @@ func TestTLS(t *testing.T) {
 Certificate: [][]byte{clientDer},
 PrivateKey: clientkey,
 }},
+ MinVersion: tls.VersionTLS12,
 },
 },
 } {
@@ -213,11 +220,11 @@ func TestSetServerName(t *testing.T) {
 t.Fatal("Expected kafka-server.domain.com as tls.ServerName when tls config is nil")
 }
- if validServerNameTLS("kafka-server.domain.com:9093", &tls.Config{}).ServerName != "kafka-server.domain.com" {
+ if validServerNameTLS("kafka-server.domain.com:9093", &tls.Config{MinVersion: tls.VersionTLS12}).ServerName != "kafka-server.domain.com" {
 t.Fatal("Expected kafka-server.domain.com as tls.ServerName when tls config ServerName is not provided")
 }
- c := &tls.Config{ServerName: "kafka-server-other.domain.com"}
+ c := &tls.Config{ServerName: "kafka-server-other.domain.com", MinVersion: tls.VersionTLS12}
 if validServerNameTLS("", c).ServerName != "kafka-server-other.domain.com" {
 t.Fatal("Expected kafka-server-other.domain.com as tls.ServerName when tls config ServerName is provided")
 }
diff --git a/examples/consumergroup/go.sum b/examples/consumergroup/go.sum
index 406cc5a0b..575672ea4 100644
--- a/examples/consumergroup/go.sum
+++ b/examples/consumergroup/go.sum
@@ -16,6 +16,8 @@ github.com/frankban/quicktest v1.11.3 h1:8sXhOn0uLys67V8EsXLc6eszDs8VXWxL3iRvebP github.com/frankban/quicktest v1.11.3/go.mod h1:wRf/ReqHper53s+kmmSZizM8NamnL3IM0I9ntUbOk+k= github.com/golang/snappy v0.0.2 h1:aeE13tS0IiQgFjYdoL8qN3K1N2bXXtI6Vi51/y7BpMw= github.com/golang/snappy v0.0.2/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= +github.com/golang/snappy v0.0.3 h1:fHPg5GQYlCeLIPB9BZqMVR5nR9A+IM5zcgeTdjMYmLA= +github.com/golang/snappy v0.0.3/go.mod h1:/XxbfmMg8lxefKM7IXC3fBNl/7bRcc72aCRzEWrmP2Q= github.com/google/go-cmp v0.5.4 h1:L8R9j+yAqZuZjsqh/z+F1NCffTKKLShY6zXTItVIZ8M= github.com/google/go-cmp v0.5.4/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE= github.com/gorilla/securecookie v1.1.1/go.mod h1:ra0sb63/xPlUeL+yeDciTfxMRAA+MP+HVt/4epWDjd4=
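Review bot: Nothing in the TestSetServerName hunk asserts the new default, so the `MinVersion: tls.VersionTLS12` that validServerNameTLS now sets for a nil config could be dropped later without any test failing. Judging by its failure message, the nil-config case at the top of the hunk checks only ServerName; adding `if validServerNameTLS("kafka-server.domain.com:9093", nil).MinVersion != tls.VersionTLS12 { t.Fatal("Expected TLS 1.2 minimum when tls config is nil") }` would pin the behaviour. The start of the test function is outside the hunk.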
@@ -36,6 +38,8 @@ github.com/jcmturner/rpc/v2 v2.0.3 h1:7FXXj8Ti1IaVFpSAziCZWNzbNuZmnvw/i6CqLNdWfZ github.com/jcmturner/rpc/v2 v2.0.3/go.mod h1:VUJYCIDm3PVOEHw8sgt091/20OJjskO/YJki3ELg/Hc= github.com/klauspost/compress v1.11.7 h1:0hzRabrMN4tSTvMfnL3SCv1ZGeAP23ynzodBgaHeMeg= github.com/klauspost/compress v1.11.7/go.mod h1:aoV0uJVorq1K+umq18yTdKaF57EivdYsUV+/s2qKfXs= +github.com/klauspost/compress v1.12.2 h1:2KCfW3I9M7nSc5wOqXAlW2v2U6v+w6cbjvbfp+OykW8= +github.com/klauspost/compress v1.12.2/go.mod h1:8dP1Hq4DHOhN9w426knH3Rhby4rFm6D8eO+e+Dq5Gzg= github.com/kr/pretty v0.2.1 h1:Fmg33tUaq4/8ym9TJN1x7sLJnHVwhP33CNkpYV/7rwI= github.com/kr/pretty v0.2.1/go.mod h1:ipq/a2n7PKx3OHsz4KJII5eveXtPO4qwEXGdVfWzfnI= github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ= 
@@ -54,24 +58,33 @@ github.com/stretchr/testify v1.6.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/ github.com/stretchr/testify v1.7.0 h1:nwc3DEeHmmLAfoZucVR881uASk0Mfjw8xYJ99tb5CcY= github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg= github.com/xdg/scram v0.0.0-20180814205039-7eeb5667e42c/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= +github.com/xdg/scram v1.0.3/go.mod h1:lB8K/P019DLNhemzwFU4jHLhdvlE6uDZjXFejJXr49I= github.com/xdg/stringprep v1.0.0/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= +github.com/xdg/stringprep v1.0.3/go.mod h1:Jhud4/sHMO4oL310DaZAKk9ZaJ08SJfe+sJh0HrGL1Y= golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACkg1iLfiJU5Ep61QUkGW8qpdssI0+w= golang.org/x/crypto v0.0.0-20201112155050-0c6587e931a9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto= golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83 h1:/ZScEX8SfEmUGRHs0gxpqteO5nfNW6axyZbBdw9A12g= golang.org/x/crypto v0.0.0-20210220033148-5ea612d1eb83/go.mod h1:jdWPYTVW3xRLrWPugEBEK3UY2ZEsg3UU495nc5E+M+I= +golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b h1:7mWr3k41Qtv8XlltBkDkl8LoP3mpSgBW8BUoxtEdbXg= +golang.org/x/crypto v0.0.0-20210421170649-83a5a9bb288b/go.mod h1:T9bdIzuCu7OtxOm1hfPfRQxPLYneinmdGuTeoZ9dtd4= golang.org/x/net v0.0.0-20190404232315-eb5bcb51f2a3/go.mod h1:t9HGtf8HONx5eT2rtn7q6eTqICYqUVnKs3thJo3Qplg= golang.org/x/net v0.0.0-20200114155413-6afb5195e5aa/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s= golang.org/x/net v0.0.0-20210222171744-9060382bd457 h1:hMm9lBjyNLe/c9C6bElQxp4wsrleaJn1vXMZIQkNN44= golang.org/x/net v0.0.0-20210222171744-9060382bd457/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210226172049-e18ecbb05110/go.mod h1:m0MpNAwzfU5UDzcl9v0D8zg8gWTRqZa9RBIspLL5mdg= +golang.org/x/net v0.0.0-20210427231257-85d9c07bbe3a h1:njMmldwFTyDLqonHMagNXKBWptTBeDZOdblgaDsNEGQ= +golang.org/x/net v0.0.0-20210427231257-85d9c07bbe3a/go.mod 
h1:OJAsFXCWl8Ukc7SiCT/9KSuxbyM7479/AVlXFRxuMCk= golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY= golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20191026070338-33540a1f6037/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= +golang.org/x/sys v0.0.0-20210423082822-04245dca01da/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs= golang.org/x/term v0.0.0-20201117132131-f5c789dd3221/go.mod h1:Nr5EML6q2oocZ2LXRh80K7BxOlk5/8JxuGnuhpl+muw= golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo= golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ= golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/text v0.3.5/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= +golang.org/x/text v0.3.6/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ= golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ= golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0= golang.org/x/xerrors v0.0.0-20200804184101-5ec99f83aff1 h1:go1bK/D/BFZV2I8cIQd1NKEZ+0owSTG1fDTci4IqFcE= diff --git a/tools/tls/config.go b/tools/tls/config.go index 68db6e199..6cc078bc4 100644 --- a/tools/tls/config.go +++ b/tools/tls/config.go @@ -3,7 +3,9 @@ package tls import "crypto/tls" func NewConfig(clientCert, clientKey string) (*tls.Config, error) { - tlsConfig := tls.Config{} + tlsConfig := tls.Config{ + MinVersion: tls.VersionTLS12, + } if clientCert != "" && clientKey != "" { cert, err := tls.LoadX509KeyPair(clientCert, clientKey)
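Review bot: In tools/tls/config.go the guard `clientCert != "" && clientKey != ""` skips certificate loading when only one of the two paths is supplied, so a half-configured caller appears to get a config without a client certificate and no error; the rest of NewConfig is outside the hunk, so this is inferred from the visible lines only. Rejecting that case up front makes the misconfiguration visible: `if (clientCert == "") != (clientKey == "") { return nil, errors.New("client cert and key must be provided together") }` (this needs the `errors` import). The exported NewConfig also has no doc comment; `// NewConfig returns a TLS configuration that requires TLS 1.2 or newer and loads a client certificate when both clientCert and clientKey are given.` would record the new floor.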