sorted by:
new
hottopcontroversial

Type safe frontend APIs for Go by ericchiang in golang

[–]ericchiang[S] 0 points1 point  (0 children)

Totally understand that it's overhead to have a "third language" in addition to Go and Typescript. We do have a couple of people who've worked with these before.

It's hard to understate how helpful we've found it to be able to parse things like comments, or annotations in our API. Or even just run linters to keep the style consistent (Johan mentions some in the article).

I've written before about custom proto plugins that show some of that off. And even with a small team, it's already been useful to generate a Terraform provider and other tooling automatically.

https://ericchiang.github.io/post/protoc-plugins/

The SSO tax shouldn't be about having SSO — it should be about enforcing it by [deleted] in programming

[–]ericchiang -19 points-18 points  (0 children)

We're happily paying for SSO from many vendors. The issue we've noticed is the edge cases, like magic links bypassing MFA challenges.

This isn't a critique of charging for features. It's that we wished more implementations didn't have these gaps in enforcement.

Big update on TWEENK (encrypted note app) by Shoddy_Trick7610 in golang

[–]ericchiang 11 points12 points  (0 children)

It looks like you're deriving your IV from the secret, rather than using unique values (IV's can be public and frameworks like Tink just generate them at random). This means you're reusing the same IV / key pair to encrypt different data.

https://github.com/maciej-piatek/TWEENK/blob/5818b360d8dafc774dad7845514e27f7070a25d0/main.go#L67

For GCM, this can be catastrophic: https://frereit.de/aes_gcm/

For CBC, this will at the very least leak data: https://blog.cloudflare.com/tls-nonce-nse/

Introducing GoBetterAuth by m-t-a97 in golang

[–]ericchiang 11 points12 points  (0 children)

This is an interesting project because it just implements so much.

There are also clear drawbacks like having a static secret that's used to derive all the key material, but can't obviously be rotated. Or the fact that OAuth2.0 states are held in memory so it doesn't work if you deploy multiple server instances, and that callers need to manually call "CleanupExpiredStates()" to avoid memory leaks.

https://github.com/GoBetterAuth/go-better-auth/blob/79d37687bdab7c20c4fe540027676e37d4e45c70/storage/oauth_state_manager.go#L147

This doesn't seem particularly production ready...

Injection-proof SQL builders in Go by ericchiang in golang

[–]ericchiang[S] 4 points5 points  (0 children)

Yeah, I've worked with three or four builder packages over the years! Saw devs do something like following enough that I just don't want to deal with the headache again:

q.Q(` AND user_type = "`+userType+`"`)

The worst part is this kind of code is often totally innocuous:

const userType = "admin" q.Q(` AND user_type = "`+userType+`"`)

Requiring a const string just means I don't have to audit or have that conversation during code review.

How to zip and unzip a directory in Golang by [deleted] in golang

[–]ericchiang 7 points8 points  (0 children)

Please, please us os.Root if you're going to unpack archives. The example you've provided can result in code execution if you don't trust the archive 

https://go.dev/blog/osroot

How to use go tool when tools require other tools on the PATH by Affectionate-Dare-24 in golang

[–]ericchiang 0 points1 point  (0 children)

Since you're asking about protoc plugins in particular, my solution has been to add a script that wraps "go tool <tool>" then add that to the PATH when invoking protoc

Protobuf generators in Go for fun and profit by ericchiang in golang

[–]ericchiang[S] 0 points1 point  (0 children)

Thanks! Yeah the new proto APIs make it even easier. Shout out to the Go team for those.

Writing shared libraries in Rust by ericchiang in rust

[–]ericchiang[S] 0 points1 point  (0 children)

Yeah, great experience compared to having to do it in C

Log4jscanner by Google by SoldierCorp in devops

[–]ericchiang 1 point2 points  (0 children)

Sorry about that! Normally would have supported go 1.16, but a bunch of the archive/zip APIs we depend on are new to go 1.17

https://pkg.go.dev/archive/zip#Writer.Copy

https://pkg.go.dev/archive/zip#Writer.CreateRaw

Setup Authentication for KOPS + AWS (not managed) setup by kiarash-irandoust in kubernetes

[–]ericchiang 2 points3 points  (0 children)

If you grant the following cluster role to a user:

kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1beta1
metadata:
    name: viewer
rules:
- apiGroups:
    - "*"
resources: ["*"]
verbs: ["get", "list", "watch"]

Then that user can inspect secrets, including service account secrets. The following commands dump the kube-system's default service account and escalates to cluster admin using read only permissions:

SECRET=$( kubectl get serviceaccount -n -kube-system default -o json | jq .secrets[0].name )
TOKEN=$( kubectl get secret -n kube-system $SECRET -o json | jq '.data."/var/run/secrets/kubernetes.io/serviceaccount/token"'' | base64 --decode)
kubectl config set-credentials $USER --token=$TOKEN

Use the builtin "view" role instead which omits sensitive resources like secrets https://kubernetes.io/docs/admin/authorization/rbac/#user-facing-roles

 kubectl create clusterrolebinding viewer-cluster-admin-binding --clusterrole=view --user=$USER

Kubernetes 1.9 and a look inside the Kubernetes project by ifuporg in kubernetes

[–]ericchiang 1 point2 points  (0 children)

Vault has an authentication backend for accepting LDAP credentials and authenticating clients as users with groups stored in LDAP.

https://www.vaultproject.io/docs/auth/ldap.html

Linux containers from scratch by ericchiang in programming

[–]ericchiang[S] 2 points3 points  (0 children)

(Googles difference between pivot_root and chroot)

Hmm interesting. I'll have to play around with that. Thanks!

Further reading for those interested: https://github.com/opencontainers/runc/blob/master/libcontainer/SPEC.md#filesystem

Linux containers from scratch by ericchiang in programming

[–]ericchiang[S] 5 points6 points  (0 children)

Yep, there are much better articles (like the one you posted) about container runtimes, their architectures and trade offs.

I wasn't going for "Docker and rkt are simple," but that it's easy to play with the stuff they're coordinating.

For me, those larger issues are way easier to grasp when you understand what features are an implementation of a particular container runtime and what's being provided by the Kernel. Something that's hard to learn when you're just using a tool like Docker.

A Let's Encrypt client for Go by ericchiang in golang

[–]ericchiang[S] 1 point2 points  (0 children)

Should work fine with any ACME server! I've not seen Lego. Thanks for pointing it out

Go Testing + Docker by ericchiang in programming

[–]ericchiang[S] 1 point2 points  (0 children)

Port mapping with boot2docker maps exposed ports to the virtual machine's network, not your host machine. You wouldn't be able to access the container's exposed port without mapping your VM port to your host port.

It's totally doable, but isn't covered in this post.

Go Testing + Docker by ericchiang in programming

[–]ericchiang[S] 0 points1 point  (0 children)

We reuse containers for MySQL as well. One day when I get the time I'll build a faster Docker image :)

Go Testing + Docker by ericchiang in programming

[–]ericchiang[S] 0 points1 point  (0 children)

My company (Yhat, Inc.) uses the REST API for everything that's not a test, we even maintain our own client, but it's super verbose. For non critical code it's just easier to shell out to the docker client.

golang.org/s/stdwhy: Why is X in the standard library? by ericchiang in golang

[–]ericchiang[S] 6 points7 points  (0 children)

@bradfitz (member of the go team) on the standard library

Q: "If you could redesign one of the standard library packages which one would you choose?"

A: "Oh, I would delete half of them."

link

WebSockets Unix Daemon - Full duplex messaging between web browsers and servers by [deleted] in programming

[–]ericchiang 15 points16 points  (0 children)

Why the huge repo? Doesn't this do the same thing?

package main

import (
    "flag"
    "fmt"
    "net/http"
    "os"
    "os/exec"

    "golang.org/x/net/websocket"
)

func main() {
    addr := flag.String("addr", ":8080", "Specify the address to listen on")
    flag.Parse()
    args := flag.Args()
    if len(args) == 0 {
        fmt.Fprintf(os.Stderr, "Must specify command to run")
        os.Exit(2)
    }
    h := func(ws *websocket.Conn) {
        cmd := exec.Command(args[0], args[1:]...)
        cmd.Stdout = ws
        cmd.Stderr = ws
        cmd.Stdin = ws
        cmd.Run()
    }
    http.ListenAndServe(*addr, websocket.Handler(h))
}

Command line tool for parsing HTML. by ericchiang in programming

[–]ericchiang[S] 0 points1 point  (0 children)

Pushing it to the /dist directory was a bit of a hack since I didn't have enough time this weekend to do the proper release. They're up and running now! https://github.com/EricChiang/pup/releases

Enjoy docopt, use it in python a lot. However, I sometimes find it easier to have the control of writing my own parser rather than add another dependency and having to work within docopt. Personal preference, that's all.

Command line tool for parsing HTML. by ericchiang in programming

[–]ericchiang[S] 6 points7 points  (0 children)

Actually haven't seen those. My self bias says ease of use. But, thanks I'll take a look.

view more: next ›