plugin.go 7.6 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277
  1. // Package plugin provides support for the SFTPGo plugin system
  2. package plugin
  3. import (
  4. "fmt"
  5. "sync"
  6. "sync/atomic"
  7. "time"
  8. "github.com/hashicorp/go-hclog"
  9. "github.com/drakkan/sftpgo/v2/kms"
  10. "github.com/drakkan/sftpgo/v2/logger"
  11. kmsplugin "github.com/drakkan/sftpgo/v2/sdk/plugin/kms"
  12. "github.com/drakkan/sftpgo/v2/sdk/plugin/notifier"
  13. )
  14. const (
  15. logSender = "plugins"
  16. )
  17. var (
  18. // Handler defines the plugins manager
  19. Handler Manager
  20. pluginsLogLevel = hclog.Debug
  21. )
  22. // Renderer defines the interface for generic objects rendering
  23. type Renderer interface {
  24. RenderAsJSON(reload bool) ([]byte, error)
  25. }
  26. // Config defines a plugin configuration
  27. type Config struct {
  28. // Plugin type
  29. Type string `json:"type" mapstructure:"type"`
  30. // NotifierOptions defines options for notifiers plugins
  31. NotifierOptions NotifierConfig `json:"notifier_options" mapstructure:"notifier_options"`
  32. // KMSOptions defines options for a KMS plugin
  33. KMSOptions KMSConfig `json:"kms_options" mapstructure:"kms_options"`
  34. // Path to the plugin executable
  35. Cmd string `json:"cmd" mapstructure:"cmd"`
  36. // Args to pass to the plugin executable
  37. Args []string `json:"args" mapstructure:"args"`
  38. // SHA256 checksum for the plugin executable.
  39. // If not empty it will be used to verify the integrity of the executable
  40. SHA256Sum string `json:"sha256sum" mapstructure:"sha256sum"`
  41. // If enabled the client and the server automatically negotiate mTLS for
  42. // transport authentication. This ensures that only the original client will
  43. // be allowed to connect to the server, and all other connections will be
  44. // rejected. The client will also refuse to connect to any server that isn't
  45. // the original instance started by the client.
  46. AutoMTLS bool `json:"auto_mtls" mapstructure:"auto_mtls"`
  47. // unique identifier for kms plugins
  48. kmsID int
  49. }
  50. func (c *Config) newKMSPluginSecretProvider(base kms.BaseSecret, url, masterKey string) kms.SecretProvider {
  51. return &kmsPluginSecretProvider{
  52. BaseSecret: base,
  53. URL: url,
  54. MasterKey: masterKey,
  55. config: c,
  56. }
  57. }
  58. // Manager handles enabled plugins
  59. type Manager struct {
  60. closed int32
  61. done chan bool
  62. // List of configured plugins
  63. Configs []Config `json:"plugins" mapstructure:"plugins"`
  64. notifLock sync.RWMutex
  65. notifiers []*notifierPlugin
  66. kmsLock sync.RWMutex
  67. kms []*kmsPlugin
  68. }
  69. // Initialize initializes the configured plugins
  70. func Initialize(configs []Config, logVerbose bool) error {
  71. Handler = Manager{
  72. Configs: configs,
  73. done: make(chan bool),
  74. closed: 0,
  75. }
  76. if len(configs) == 0 {
  77. return nil
  78. }
  79. if err := Handler.validateConfigs(); err != nil {
  80. return err
  81. }
  82. if logVerbose {
  83. pluginsLogLevel = hclog.Debug
  84. } else {
  85. pluginsLogLevel = hclog.Info
  86. }
  87. kmsID := 0
  88. for idx, config := range Handler.Configs {
  89. switch config.Type {
  90. case notifier.PluginName:
  91. plugin, err := newNotifierPlugin(config)
  92. if err != nil {
  93. return err
  94. }
  95. Handler.notifiers = append(Handler.notifiers, plugin)
  96. case kmsplugin.PluginName:
  97. plugin, err := newKMSPlugin(config)
  98. if err != nil {
  99. return err
  100. }
  101. Handler.kms = append(Handler.kms, plugin)
  102. Handler.Configs[idx].kmsID = kmsID
  103. kmsID++
  104. kms.RegisterSecretProvider(config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus,
  105. Handler.Configs[idx].newKMSPluginSecretProvider)
  106. logger.Debug(logSender, "", "registered secret provider for scheme: %v, encrypted status: %v",
  107. config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus)
  108. default:
  109. return fmt.Errorf("unsupported plugin type: %v", config.Type)
  110. }
  111. }
  112. startCheckTicker()
  113. return nil
  114. }
  115. func (m *Manager) validateConfigs() error {
  116. kmsSchemes := make(map[string]bool)
  117. kmsEncryptions := make(map[string]bool)
  118. for _, config := range m.Configs {
  119. if config.Type == kmsplugin.PluginName {
  120. if _, ok := kmsSchemes[config.KMSOptions.Scheme]; ok {
  121. return fmt.Errorf("invalid KMS configuration, duplicated scheme %#v", config.KMSOptions.Scheme)
  122. }
  123. if _, ok := kmsEncryptions[config.KMSOptions.EncryptedStatus]; ok {
  124. return fmt.Errorf("invalid KMS configuration, duplicated encrypted status %#v", config.KMSOptions.EncryptedStatus)
  125. }
  126. kmsSchemes[config.KMSOptions.Scheme] = true
  127. kmsEncryptions[config.KMSOptions.EncryptedStatus] = true
  128. }
  129. }
  130. return nil
  131. }
  132. // NotifyFsEvent sends the fs event notifications using any defined notifier plugins
  133. func (m *Manager) NotifyFsEvent(timestamp time.Time, action, username, fsPath, fsTargetPath, sshCmd, protocol string,
  134. fileSize int64, err error) {
  135. m.notifLock.RLock()
  136. defer m.notifLock.RUnlock()
  137. for _, n := range m.notifiers {
  138. n.notifyFsAction(timestamp, action, username, fsPath, fsTargetPath, sshCmd, protocol, fileSize, err)
  139. }
  140. }
  141. // NotifyUserEvent sends the user event notifications using any defined notifier plugins
  142. func (m *Manager) NotifyUserEvent(timestamp time.Time, action string, user Renderer) {
  143. m.notifLock.RLock()
  144. defer m.notifLock.RUnlock()
  145. for _, n := range m.notifiers {
  146. n.notifyUserAction(timestamp, action, user)
  147. }
  148. }
  149. func (m *Manager) kmsEncrypt(secret kms.BaseSecret, url string, masterKey string, kmsID int) (string, string, int32, error) {
  150. m.kmsLock.RLock()
  151. plugin := m.kms[kmsID]
  152. m.kmsLock.RUnlock()
  153. return plugin.Encrypt(secret, url, masterKey)
  154. }
  155. func (m *Manager) kmsDecrypt(secret kms.BaseSecret, url string, masterKey string, kmsID int) (string, error) {
  156. m.kmsLock.RLock()
  157. plugin := m.kms[kmsID]
  158. m.kmsLock.RUnlock()
  159. return plugin.Decrypt(secret, url, masterKey)
  160. }
  161. func (m *Manager) checkCrashedPlugins() {
  162. m.notifLock.RLock()
  163. for idx, n := range m.notifiers {
  164. if n.exited() {
  165. defer func(cfg Config, index int) {
  166. Handler.restartNotifierPlugin(cfg, index)
  167. }(n.config, idx)
  168. } else {
  169. n.sendQueuedEvents()
  170. }
  171. }
  172. m.notifLock.RUnlock()
  173. m.kmsLock.RLock()
  174. for idx, k := range m.kms {
  175. if k.exited() {
  176. defer func(cfg Config, index int) {
  177. Handler.restartKMSPlugin(cfg, index)
  178. }(k.config, idx)
  179. }
  180. }
  181. m.kmsLock.RUnlock()
  182. }
  183. func (m *Manager) restartNotifierPlugin(config Config, idx int) {
  184. if atomic.LoadInt32(&m.closed) == 1 {
  185. return
  186. }
  187. logger.Info(logSender, "", "try to restart crashed notifier plugin %#v, idx: %v", config.Cmd, idx)
  188. plugin, err := newNotifierPlugin(config)
  189. if err != nil {
  190. logger.Warn(logSender, "", "unable to restart notifier plugin %#v, err: %v", config.Cmd, err)
  191. return
  192. }
  193. m.notifLock.Lock()
  194. plugin.queue = m.notifiers[idx].queue
  195. m.notifiers[idx] = plugin
  196. m.notifLock.Unlock()
  197. plugin.sendQueuedEvents()
  198. }
  199. func (m *Manager) restartKMSPlugin(config Config, idx int) {
  200. if atomic.LoadInt32(&m.closed) == 1 {
  201. return
  202. }
  203. logger.Info(logSender, "", "try to restart crashed kms plugin %#v, idx: %v", config.Cmd, idx)
  204. plugin, err := newKMSPlugin(config)
  205. if err != nil {
  206. logger.Warn(logSender, "", "unable to restart kms plugin %#v, err: %v", config.Cmd, err)
  207. return
  208. }
  209. m.kmsLock.Lock()
  210. m.kms[idx] = plugin
  211. m.kmsLock.Unlock()
  212. }
  213. // Cleanup releases all the active plugins
  214. func (m *Manager) Cleanup() {
  215. atomic.StoreInt32(&m.closed, 1)
  216. close(m.done)
  217. m.notifLock.Lock()
  218. for _, n := range m.notifiers {
  219. logger.Debug(logSender, "", "cleanup notifier plugin %v", n.config.Cmd)
  220. n.cleanup()
  221. }
  222. m.notifLock.Unlock()
  223. m.kmsLock.Lock()
  224. for _, k := range m.kms {
  225. logger.Debug(logSender, "", "cleanup kms plugin %v", k.config.Cmd)
  226. k.cleanup()
  227. }
  228. m.kmsLock.Unlock()
  229. }
  230. func startCheckTicker() {
  231. logger.Debug(logSender, "", "start plugins checker")
  232. checker := time.NewTicker(30 * time.Second)
  233. go func() {
  234. for {
  235. select {
  236. case <-Handler.done:
  237. logger.Debug(logSender, "", "handler done, stop plugins checker")
  238. checker.Stop()
  239. return
  240. case <-checker.C:
  241. Handler.checkCrashedPlugins()
  242. }
  243. }
  244. }()
  245. }