From c4d4c9c4e4a34f365bf25113cdb2634ba22d9230 Mon Sep 17 00:00:00 2001 From: Kristoffer Dalby Date: Mon, 15 Nov 2021 18:31:52 +0000 Subject: [PATCH] Add and fix gosec --- .golangci.yaml | 1 - app.go | 10 ++++++---- cmd/headscale/headscale_test.go | 2 +- namespaces.go | 2 +- preauth_keys.go | 4 ++-- 5 files changed, 10 insertions(+), 9 deletions(-) diff --git a/.golangci.yaml b/.golangci.yaml index 4902810c..476c1c24 100644 --- a/.golangci.yaml +++ b/.golangci.yaml @@ -32,7 +32,6 @@ linters: - wrapcheck - goerr113 - forcetypeassert - - gosec - forbidigo - dupl - makezero diff --git a/app.go b/app.go index 17677d4c..d4dc8e71 100644 --- a/app.go +++ b/app.go @@ -638,10 +638,12 @@ func (h *Headscale) getTLSSettings() (*tls.Config, error) { if !strings.HasPrefix(h.cfg.ServerURL, "https://") { log.Warn().Msg("Listening with TLS but ServerURL does not start with https://") } - tlsConfig := &tls.Config{} - tlsConfig.ClientAuth = tls.RequireAnyClientCert - tlsConfig.NextProtos = []string{"http/1.1"} - tlsConfig.Certificates = make([]tls.Certificate, 1) + tlsConfig := &tls.Config{ + ClientAuth: tls.RequireAnyClientCert, + NextProtos: []string{"http/1.1"}, + Certificates: make([]tls.Certificate, 1), + MinVersion: tls.VersionTLS12, + } tlsConfig.Certificates[0], err = tls.LoadX509KeyPair(h.cfg.TLSCertPath, h.cfg.TLSKeyPath) return tlsConfig, err diff --git a/cmd/headscale/headscale_test.go b/cmd/headscale/headscale_test.go index ceee3e44..0d1b9a13 100644 --- a/cmd/headscale/headscale_test.go +++ b/cmd/headscale/headscale_test.go @@ -100,7 +100,7 @@ func (*Suite) TestDNSConfigLoading(c *check.C) { func writeConfig(c *check.C, tmpDir string, configYaml []byte) { // Populate a custom config file configFile := filepath.Join(tmpDir, "config.yaml") - err := ioutil.WriteFile(configFile, configYaml, 0o644) + err := ioutil.WriteFile(configFile, configYaml, 0o600) if err != nil { c.Fatalf("Couldn't write file %s", configFile) } 
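Review bot: `ClientAuth: tls.RequireAnyClientCert` in the new `tls.Config` literal in app.go makes the server demand a client certificate but never validates it: no `ClientCAs` or `VerifyPeerCertificate` is set here, so a self-signed certificate completes the handshake. If that certificate is meant to authenticate peers, the check has to live somewhere this hunk does not show. Otherwise a comment such as `// RequireAnyClientCert: a certificate is requested but not verified at the TLS layer` would stop readers from treating this as mutual TLS. Separately, the function still returns the half-built config together with the error from `tls.LoadX509KeyPair`; adding `if err != nil { return nil, err }` before the final return is safer. getTLSSettings starts above the hunk.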
diff --git a/namespaces.go b/namespaces.go index bb58c000..e512068d 100644 --- a/namespaces.go +++ b/namespaces.go @@ -70,7 +70,7 @@ func (h *Headscale) DestroyNamespace(name string) error { return err } for _, key := range keys { - err = h.DestroyPreAuthKey(&key) + err = h.DestroyPreAuthKey(key) if err != nil { return err } diff --git a/preauth_keys.go b/preauth_keys.go index 9ba70da3..2d242c55 100644 --- a/preauth_keys.go +++ b/preauth_keys.go @@ -95,8 +95,8 @@ func (h *Headscale) GetPreAuthKey(namespace string, key string) (*PreAuthKey, er // DestroyPreAuthKey destroys a preauthkey. Returns error if the PreAuthKey // does not exist. -func (h *Headscale) DestroyPreAuthKey(pak *PreAuthKey) error { - if result := h.db.Unscoped().Delete(&pak); result.Error != nil { +func (h *Headscale) DestroyPreAuthKey(pak PreAuthKey) error { + if result := h.db.Unscoped().Delete(pak); result.Error != nil { return result.Error }
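Review bot: The doc comment on DestroyPreAuthKey in preauth_keys.go still promises an error when the key does not exist, but the body only checks `result.Error`. Assuming `h.db` is a GORM handle, a delete that matches no row returns a nil error with `RowsAffected` 0, so a caller revoking a pre-auth key that was never found is told it succeeded. Either reword the comment, or hoist the call (`result := h.db.Unscoped().Delete(pak)`) and return a not-found error when `result.RowsAffected == 0`. The function's tail is outside the hunk.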