refactor: normalize secrets and pki constants

haasonsaas · haasonsaas · commit 89fb78e6f8bf · 2025-10-18T22:49:15.000-07:00
diff --git a/agent/internal/service/service.go b/agent/internal/service/service.go
@@ -22,12 +22,14 @@ import (
 )
 
 const (
-	defaultComponent      = "attestor-service"
-	statusHealthy         = "healthy"
-	slash                 = "/"
-	defaultHTTPTimeout    = 10 * time.Second
-	defaultSignalCapacity = 1
-	statusCodeThreshold   = 400
+	defaultComponent       = "attestor-service"
+	statusHealthy          = "healthy"
+	slash                  = "/"
+	defaultHTTPTimeout     = 10 * time.Second
+	defaultSignalCapacity  = 1
+	statusCodeThreshold    = 400
+	permOwnerReadWrite     = 0o600
+	permOwnerReadWriteExec = 0o700
 )
 
 // Config holds the service configuration
@@ -389,7 +391,7 @@ func (s *Service) httpClientOrDefault() *http.Client {
 	if s.httpClient != nil {
 		return s.httpClient
 	}
-	return newHTTPClient()
+	return &http.Client{Timeout: defaultHTTPTimeout}
 }
 
 func (s *Service) postJSON(endpoint string, payload []byte) (*http.Response, error) {
diff --git a/pkg/pki/ca.go b/pkg/pki/ca.go
@@ -15,20 +15,30 @@ import (
 	"time"
 )
 
+const (
+	defaultCAValidity      = 10 * 365 * 24 * time.Hour
+	defaultCertificateTTL  = 8 * time.Hour
+	defaultClockSkew       = 5 * time.Minute
+	permOwnerReadWrite     = 0o600
+	permOwnerReadWriteExec = 0o750
+	permOwnerReadGroupRead = 0o640
+	maxSerialShift         = 128
+)
+
 type CertificateAuthority struct {
-    cert     *x509.Certificate
-    key      *ecdsa.PrivateKey
-    certPath string
-    keyPath  string
+	cert     *x509.Certificate
+	key      *ecdsa.PrivateKey
+	certPath string
+	keyPath  string
 }
 
 func LoadOrCreateCA(certPath, keyPath, commonName string, validFor time.Duration) (*CertificateAuthority, error) {
-    if err := os.MkdirAll(filepath.Dir(certPath), dirPermPrivate); err != nil {
-        return nil, err
-    }
-    if err := os.MkdirAll(filepath.Dir(keyPath), dirPermPrivate); err != nil {
-        return nil, err
-    }
+	if err := os.MkdirAll(filepath.Dir(certPath), permOwnerReadWriteExec); err != nil {
+		return nil, err
+	}
+	if err := os.MkdirAll(filepath.Dir(keyPath), permOwnerReadWriteExec); err != nil {
+		return nil, err
+	}
 
 	if _, err := os.Stat(certPath); err == nil {
 		return LoadCA(certPath, keyPath)
@@ -43,7 +53,7 @@ func LoadOrCreateCA(certPath, keyPath, commonName string, validFor time.Duration
 		return nil, err
 	}
 
-	serialNumberLimit := maxSerialNumber
+	serialNumberLimit := new(big.Int).Lsh(big.NewInt(1), maxSerialShift)
 	serialNumber, err := rand.Int(rand.Reader, serialNumberLimit)
 	if err != nil {
 		return nil, err
@@ -55,7 +65,7 @@ func LoadOrCreateCA(certPath, keyPath, commonName string, validFor time.Duration
 			CommonName:   commonName,
 			Organization: []string{"keep"},
 		},
-        NotBefore:             time.Now().Add(-defaultClockSkew),
+		NotBefore:             time.Now().Add(-defaultClockSkew),
 		NotAfter:              time.Now().Add(validFor),
 		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature | x509.KeyUsageCRLSign,
 		BasicConstraintsValid: true,
diff --git a/pkg/pki/device_test.go b/pkg/pki/device_test.go
@@ -14,8 +14,8 @@ import (
 )
 
 func TestGenerateSigningKey(t *testing.T) {
-    tmpDir := t.TempDir()
-    keyPath := filepath.Join(tmpDir, testKeyName)
+	tmpDir := t.TempDir()
+	keyPath := filepath.Join(tmpDir, testKeyName)
 
 	t.Run("generates valid ECDSA key", func(t *testing.T) {
 		priv, err := GenerateSigningKey(keyPath)
@@ -106,7 +106,7 @@ func TestGenerateSigningKey(t *testing.T) {
 
 func TestLoadSigningKey(t *testing.T) {
 	tmpDir := t.TempDir()
-    keyPath := filepath.Join(tmpDir, testKeyName)
+	keyPath := filepath.Join(tmpDir, testKeyName)
 
 	t.Run("loads valid key", func(t *testing.T) {
 		// Generate a key first
@@ -201,13 +201,13 @@ invalidbase64data!!!
 
 func TestPublicKeyPEM(t *testing.T) {
 	tmpDir := t.TempDir()
-    keyPath := filepath.Join(tmpDir, testKeyName)
+	keyPath := filepath.Join(tmpDir, testKeyName)
 
 	t.Run("converts to valid public key PEM", func(t *testing.T) {
-        priv, err := GenerateSigningKey(keyPath)
-        if err != nil {
-            t.Fatalf(msgGenerateKeyFail, err)
-        }
+		priv, err := GenerateSigningKey(keyPath)
+		if err != nil {
+			t.Fatalf(msgGenerateKeyFail, err)
+		}
 
 		pubPEM, err := PublicKeyPEM(priv)
 		if err != nil {
@@ -246,10 +246,10 @@ func TestCreateCSR(t *testing.T) {
 	tmpDir := t.TempDir()
 	keyPath := filepath.Join(tmpDir, "test.key")
 
-    priv, err := GenerateSigningKey(keyPath)
-    if err != nil {
-        t.Fatalf(msgGenerateKeyFail, err)
-    }
+	priv, err := GenerateSigningKey(keyPath)
+	if err != nil {
+		t.Fatalf(msgGenerateKeyFail, err)
+	}
 
 	t.Run("creates valid CSR", func(t *testing.T) {
 		deviceID := "test-device-123"
@@ -482,45 +482,45 @@ invalid certificate data
 
 // Benchmark tests
 func BenchmarkGenerateSigningKey(b *testing.B) {
-    tmpDir := b.TempDir()
-
-    b.ResetTimer()
-    for i := 0; i < b.N; i++ {
-        keyPath := filepath.Join(tmpDir, benchKeyName)
-        _, err := GenerateSigningKey(keyPath)
-        if err != nil {
-            b.Fatalf("GenerateSigningKey failed: %v", err)
-        }
-        os.Remove(keyPath) // Clean up
-    }
+	tmpDir := b.TempDir()
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		keyPath := filepath.Join(tmpDir, benchKeyName)
+		_, err := GenerateSigningKey(keyPath)
+		if err != nil {
+			b.Fatalf("GenerateSigningKey failed: %v", err)
+		}
+		os.Remove(keyPath) // Clean up
+	}
 }
 
 func BenchmarkCreateCSR(b *testing.B) {
-    tmpDir := b.TempDir()
-        keyPath := filepath.Join(tmpDir, benchKeyName)
-
-    priv, err := GenerateSigningKey(keyPath)
-    if err != nil {
-        b.Fatalf(msgGenerateKeyFail, err)
-    }
-
-    b.ResetTimer()
-    for i := 0; i < b.N; i++ {
-        _, err := CreateCSR(priv, "bench-device")
-        if err != nil {
-            b.Fatalf("CreateCSR failed: %v", err)
-        }
-    }
+	tmpDir := b.TempDir()
+	keyPath := filepath.Join(tmpDir, benchKeyName)
+
+	priv, err := GenerateSigningKey(keyPath)
+	if err != nil {
+		b.Fatalf(msgGenerateKeyFail, err)
+	}
+
+	b.ResetTimer()
+	for i := 0; i < b.N; i++ {
+		_, err := CreateCSR(priv, "bench-device")
+		if err != nil {
+			b.Fatalf("CreateCSR failed: %v", err)
+		}
+	}
 }
 
 func BenchmarkPublicKeyPEM(b *testing.B) {
 	tmpDir := b.TempDir()
-    keyPath := filepath.Join(tmpDir, benchKeyName)
+	keyPath := filepath.Join(tmpDir, benchKeyName)
 
-    priv, err := GenerateSigningKey(keyPath)
-    if err != nil {
-        b.Fatalf(msgGenerateKeyFail, err)
-    }
+	priv, err := GenerateSigningKey(keyPath)
+	if err != nil {
+		b.Fatalf(msgGenerateKeyFail, err)
+	}
 
 	b.ResetTimer()
 	for i := 0; i < b.N; i++ {
diff --git a/pkg/secrets/vault.go b/pkg/secrets/vault.go
@@ -12,7 +12,6 @@ import (
 
 // VaultManager implements secret management using HashiCorp Vault
 const (
-	slash              = "/"
 	valueKey           = "value"
 	dataKey            = "data"
 	vaultAddrKey       = "VAULT_ADDR"
