Merge pull request #186 from secrethub/release/v0.28.0

Release v0.28.0

.circleci/config.yml

@@ -1,5 +1,11 @@
 version: 2
 jobs:
+  lint:
+    docker:
+      - image: golangci/golangci-lint:v1.23.8-alpine
+    steps:
+      - checkout
+      - run: golangci-lint run
   test:
     docker:
       - image: circleci/golang:1.13
@@ -32,6 +38,7 @@ workflows:
   version: 2
   pipeline:
     jobs:
+      - lint
       - test
       - verify-version:
           filters:

.github/workflows/bump-version.yml

@@ -0,0 +1,18 @@
+on:
+  push:
+    branches:
+      - release/v*
+
+jobs:
+  bump-version:
+    name: Bump secrethub.ClientVersion
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v2
+      - name: Bump version
+        uses: florisvdg/[email protected]
+        with:
+          sed: 's/^\(const ClientVersion = "v\).*\("\)$/\1$VERSION\2/g'
+          file: pkg/secrethub/client_version.go
+          author_email: [email protected]

Makefile

@@ -14,8 +14,10 @@ tools: format-tools lint-tools
 format-tools:
 	@go get -u golang.org/x/tools/cmd/goimports
 
+GOLANGCI_VERSION=v1.23.8
+
 lint-tools:
-	@curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin v1.15.0
+	@curl -sfL https://install.goreleaser.com/github.com/golangci/golangci-lint.sh | sh -s -- -b $(go env GOPATH)/bin ${GOLANGCI_VERSION}
 
 check-version:
 	./scripts/check-version/check-version.sh

README.md

@@ -9,7 +9,6 @@
 
 [![GoDoc](http://img.shields.io/badge/godoc-reference-blue.svg)][godoc]
 [![CircleCI](https://circleci.com/gh/secrethub/secrethub-go.svg?style=shield)][circle-ci]
-[![GolangCI](https://golangci.com/badges/github.com/secrethub/secrethub-go.svg)][golang-ci]
 [![Go Report Card](https://goreportcard.com/badge/github.com/secrethub/secrethub-go)][goreportcard]
 [![Version]( https://img.shields.io/github/release/secrethub/secrethub-go.svg)][latest-version]
 [![Discord](https://img.shields.io/badge/chat-on%20discord-7289da.svg?logo=discord)][discord]
@@ -150,7 +149,6 @@ If you get stuck or just want advice, come chat with the engineers on [Discord][
 [issues]: https://github.com/secrethub/secrethub-go/issues/new
 [pulls]: https://github.com/secrethub/secrethub-go/pulls
 [godoc]: http://godoc.org/github.com/secrethub/secrethub-go
-[golang-ci]: https://golangci.com/r/github.com/secrethub/secrethub-go
 [goreportcard]: https://goreportcard.com/report/github.com/secrethub/secrethub-go
 [circle-ci]: https://circleci.com/gh/secrethub/secrethub-go
 [discord]: https://discord.gg/EQcE87s

internals/aws/errors.go

@@ -15,7 +15,7 @@ var (
 	ErrAWSAccessDenied      = awsErr.Code("access_denied")
 )
 
-func handleError(err error) error {
+func HandleError(err error) error {
 	errAWS, ok := err.(awserr.Error)
 	if ok {
 		switch errAWS.Code() {

internals/aws/kms_decrypter.go

@@ -19,7 +19,7 @@ type KMSDecrypter struct {
 func NewKMSDecrypter(cfgs ...*aws.Config) (*KMSDecrypter, error) {
 	sess, err := session.NewSession(cfgs...)
 	if err != nil {
-		return nil, handleError(err)
+		return nil, HandleError(err)
 	}
 
 	return &KMSDecrypter{
@@ -45,7 +45,7 @@ func (d KMSDecrypter) Unwrap(ciphertext *api.EncryptedData) ([]byte, error) {
 		CiphertextBlob: ciphertext.Ciphertext,
 	})
 	if err != nil {
-		return nil, handleError(err)
+		return nil, HandleError(err)
 	}
 	return resp.Plaintext, nil
 }

internals/aws/service_creator.go

@@ -34,14 +34,14 @@ type CredentialCreator struct {
 func NewCredentialCreator(keyID, role string, cfgs ...*aws.Config) (*CredentialCreator, map[string]string, error) {
 	sess, err := session.NewSession(cfgs...)
 	if err != nil {
-		return nil, nil, handleError(err)
+		return nil, nil, HandleError(err)
 	}
 
 	stsSvc := sts.New(sess)
 
 	identity, err := stsSvc.GetCallerIdentity(&sts.GetCallerIdentityInput{})
 	if err != nil {
-		return nil, nil, handleError(err)
+		return nil, nil, HandleError(err)
 	}
 	accountID := aws.StringValue(identity.Account)
 
@@ -98,7 +98,7 @@ func (c CredentialCreator) Wrap(plaintext []byte) (*api.EncryptedData, error) {
 		KeyId:     aws.String(c.keyID),
 	})
 	if err != nil {
-		return nil, handleError(err)
+		return nil, HandleError(err)
 	}
 	return api.NewEncryptedDataAWSKMS(resp.CiphertextBlob, api.NewEncryptionKeyAWS(aws.StringValue(resp.KeyId))), nil
 }
@@ -112,13 +112,13 @@ func GetEncryptRequest(plaintext string, keyID string, kmsSvc kmsiface.KMSAPI) (
 
 	err := encryptReq.Sign()
 	if err != nil {
-		return nil, handleError(err)
+		return nil, HandleError(err)
 	}
 
 	var buf bytes.Buffer
 	err = encryptReq.HTTPRequest.Write(&buf)
 	if err != nil {
-		return nil, handleError(err)
+		return nil, HandleError(err)
 	}
 	return buf.Bytes(), nil
 }

pkg/randchar/example_test.go

@@ -1,8 +1,9 @@
 package randchar_test
 
 import (
-	"github.com/secrethub/secrethub-go/pkg/randchar"
 	"log"
+
+	"github.com/secrethub/secrethub-go/pkg/randchar"
 )
 
 // Generate a random slice of 30 alphanumeric characters.

pkg/secrethub/client.go

@@ -4,6 +4,7 @@ package secrethub
 
 import (
 	"os"
+	"regexp"
 	"runtime"
 	"strings"
 
@@ -52,6 +53,13 @@ type ClientInterface interface {
 
 var (
 	errClient = errio.Namespace("client")
+
+	whitelistAppInfoName = regexp.MustCompile("^[a-zA-Z0-9_-]{2,50}$")
+)
+
+// Errors
+var (
+	ErrInvalidAppInfoName = errClient.Code("invalid_app_info_name").Error("name must be 2-50 characters long, only alphanumeric, underscore (_), and dash (-)")
 )
 
 // Client is a client for the SecretHub HTTP API.
@@ -72,7 +80,7 @@ type Client struct {
 	// These are cached
 	repoIndexKeys map[api.RepoPath]*crypto.SymmetricKey
 
-	appInfo   *AppInfo
+	appInfo   []*AppInfo
 	ConfigDir *configdir.Dir
 }
 
@@ -83,14 +91,23 @@ type AppInfo struct {
 	Version string
 }
 
-func (i AppInfo) userAgentSuffix() string {
+func (i AppInfo) userAgentComponent() string {
 	res := i.Name
 	if i.Version != "" {
 		res += "/" + strings.TrimPrefix(i.Version, "v")
 	}
 	return res
 }
 
+// ValidateName returns an error if the provided app name is not set or doesn't match alphanumeric, underscore (_), and dash (-) characters, or length of 2-50 characters.
+func (i AppInfo) ValidateName() error {
+	if i.Name == "" || !whitelistAppInfoName.MatchString(i.Name) {
+		return ErrInvalidAppInfoName
+	}
+
+	return nil
+}
+
 // NewClient creates a new SecretHub client. Provided options are applied to the client.
 //
 // If no WithCredentials() option is provided, the client tries to find a key credential at the following locations (in order):
@@ -102,6 +119,7 @@ func NewClient(with ...ClientOption) (*Client, error) {
 	client := &Client{
 		httpClient:    http.NewClient(),
 		repoIndexKeys: make(map[api.RepoPath]*crypto.SymmetricKey),
+		appInfo:       []*AppInfo{},
 	}
 	err := client.with(with...)
 	if err != nil {
@@ -139,6 +157,19 @@ func NewClient(with ...ClientOption) (*Client, error) {
 		}
 	}
 
+	appName := os.Getenv("SECRETHUB_APP_INFO_NAME")
+	if appName != "" {
+		appVersion := os.Getenv("SECRETHUB_APP_INFO_VERSION")
+		topLevelAppInfo := &AppInfo{
+			Name:    appName,
+			Version: appVersion,
+		}
+		// Ignore app info from environment variable if name is invalid
+		if err = topLevelAppInfo.ValidateName(); err == nil {
+			client.appInfo = append(client.appInfo, topLevelAppInfo)
+		}
+	}
+
 	userAgent := client.userAgent()
 
 	client.httpClient.Options(http.WithUserAgent(userAgent))
@@ -235,8 +266,8 @@ func (c *Client) DefaultCredential() credentials.Reader {
 
 func (c *Client) userAgent() string {
 	userAgent := userAgentPrefix
-	if c.appInfo != nil {
-		userAgent += " " + c.appInfo.userAgentSuffix()
+	for _, info := range c.appInfo {
+		userAgent += " " + info.userAgentComponent()
 	}
 	osName, err := operatingsystem.GetOperatingSystem()
 	if err != nil {

pkg/secrethub/client_options.go

@@ -1,7 +1,6 @@
 package secrethub
 
 import (
-	"errors"
 	"net/http"
 	"net/url"
 	"time"
@@ -51,10 +50,10 @@ func WithTransport(transport http.RoundTripper) ClientOption {
 // WithAppInfo sets the AppInfo to be used for identifying the application that is using the SecretHub Client.
 func WithAppInfo(appInfo *AppInfo) ClientOption {
 	return func(c *Client) error {
-		if appInfo.Name == "" {
-			return errors.New("name must be set for AppInfo")
+		if err := appInfo.ValidateName(); err != nil {
+			return err
 		}
-		c.appInfo = appInfo
+		c.appInfo = append(c.appInfo, appInfo)
 		return nil
 	}
 }

pkg/secrethub/client_test.go

@@ -0,0 +1,80 @@
+package secrethub
+
+import (
+	"os"
+	"regexp"
+	"testing"
+
+	"github.com/secrethub/secrethub-go/internals/assert"
+)
+
+func TestClient_userAgent(t *testing.T) {
+	cases := map[string]struct {
+		appInfo       []*AppInfo
+		envAppName    string
+		envAppVersion string
+		expected      string
+		err           error
+	}{
+		"default": {},
+		"multiple app info layers": {
+			appInfo: []*AppInfo{
+				{Name: "secrethub-xgo", Version: "0.1.0"},
+				{Name: "secrethub-java", Version: "0.2.0"},
+			},
+			expected: "secrethub-xgo/0.1.0 secrethub-java/0.2.0",
+		},
+		"no version number": {
+			appInfo: []*AppInfo{
+				{Name: "terraform-provider-secrethub"},
+			},
+			expected: "terraform-provider-secrethub",
+		},
+		"top level app info from environment": {
+			appInfo: []*AppInfo{
+				{Name: "secrethub-cli", Version: "0.37.0"},
+			},
+			envAppName:    "secrethub-circleci-orb",
+			envAppVersion: "1.0.0",
+			expected:      "secrethub-cli/0.37.0 secrethub-circleci-orb/1.0.0",
+		},
+		"invalid app name": {
+			appInfo: []*AppInfo{
+				{Name: "illegal-name*%!@", Version: "0.1.0"},
+			},
+			err: ErrInvalidAppInfoName,
+		},
+		"ignore faulty environment variable": {
+			appInfo: []*AppInfo{
+				{Name: "secrethub-cli", Version: "0.37.0"},
+			},
+			envAppName: "illegal-name*%!@",
+			expected:   "secrethub-cli/0.37.0",
+		},
+	}
+
+	for name, tc := range cases {
+		t.Run(name, func(t *testing.T) {
+			os.Setenv("SECRETHUB_APP_INFO_NAME", tc.envAppName)
+			os.Setenv("SECRETHUB_APP_INFO_VERSION", tc.envAppVersion)
+
+			var opts []ClientOption
+			for _, info := range tc.appInfo {
+				opts = append(opts, WithAppInfo(info))
+			}
+			client, err := NewClient(opts...)
+			assert.Equal(t, err, tc.err)
+			if err != nil {
+				return
+			}
+
+			userAgent := client.userAgent()
+			pattern := tc.expected + " \\(.*\\)"
+			matched, err := regexp.MatchString(pattern, userAgent)
+			assert.OK(t, err)
+			if !matched {
+				t.Errorf("user agent '%s' doesn't match pattern '%s'", userAgent, pattern)
+			}
+		})
+	}
+}

pkg/secrethub/client_version.go

@@ -2,4 +2,4 @@ package secrethub
 
 // ClientVersion is the current version of the client
 // Do not edit this unless you know what you're doing.
-const ClientVersion = "v0.27.0"
+const ClientVersion = "v0.28.0"

pkg/secrethub/credentials/sessions/session_aws.go

@@ -2,9 +2,9 @@ package sessions
 
 import (
 	"bytes"
-	"fmt"
 
 	"github.com/secrethub/secrethub-go/internals/api"
+	shaws "github.com/secrethub/secrethub-go/internals/aws"
 	"github.com/secrethub/secrethub-go/pkg/secrethub/internals/http"
 
 	"github.com/aws/aws-sdk-go/aws"
@@ -61,7 +61,7 @@ func getCallerIdentityRequest(region string, awsCfg ...*aws.Config) ([]byte, err
 	cfg := aws.NewConfig().WithRegion(region).WithEndpoint("sts." + region + ".amazonaws.com")
 	awsSession, err := session.NewSession(append(awsCfg, cfg)...)
 	if err != nil {
-		return nil, fmt.Errorf("could not get AWS session: %v", err)
+		return nil, shaws.HandleError(err)
 	}
 
 	svc := sts.New(awsSession, cfg)
@@ -70,7 +70,7 @@ func getCallerIdentityRequest(region string, awsCfg ...*aws.Config) ([]byte, err
 	// Sign the CallerIdentityRequest with the AWS access key
 	err = identityRequest.Sign()
 	if err != nil {
-		return nil, fmt.Errorf("could not sign STS request: %v", err)
+		return nil, shaws.HandleError(err)
 	}
 
 	var buf bytes.Buffer

pkg/secrethub/example_test.go

@@ -2,9 +2,10 @@ package secrethub_test
 
 import (
 	"fmt"
-	"github.com/secrethub/secrethub-go/pkg/secrethub"
 	"log"
 
+	"github.com/secrethub/secrethub-go/pkg/secrethub"
+
 	"github.com/secrethub/secrethub-go/pkg/secrethub/credentials"
 
 	"github.com/secrethub/secrethub-go/pkg/secrethub/iterator"