From 424999dacd51660d63bb7d92d18f728b474a47ad Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Wed, 2 Oct 2024 18:14:05 +0200
Subject: [PATCH] kms: add support for Oracle Key Vault

Signed-off-by: Nicola Murino
---
 go.mod | 2 +-
 go.sum | 4 ++--
 internal/cmd/startsubsys.go | 8 ++++----
 internal/httpd/httpd_test.go | 35 ++++++++++++++++++-----------------
 internal/kms/kms.go | 3 ++-
 internal/plugin/kms.go | 5 +++--
 internal/plugin/plugin.go | 2 +-
 internal/service/service.go | 12 +++++++-----
 8 files changed, 38 insertions(+), 33 deletions(-)

diff --git a/go.mod b/go.mod
index 410bed4d..84fb5fe7 100644
--- a/go.mod
+++ b/go.mod
@@ -52,7 +52,7 @@ require (
 github.com/rs/cors v1.11.1
 github.com/rs/xid v1.6.0
 github.com/rs/zerolog v1.33.0
- github.com/sftpgo/sdk v0.1.9-0.20240815080450-426add0ab063
+ github.com/sftpgo/sdk v0.1.9-0.20241002160417-3a2e25af00c1
 github.com/shirou/gopsutil/v3 v3.24.5
 github.com/spf13/afero v1.11.0
 github.com/spf13/cobra v1.8.1
diff --git a/go.sum b/go.sum
index f08e6423..aa1c12d4 100644
--- a/go.sum
+++ b/go.sum
@@ -345,8 +345,8 @@ github.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4 h1:PT+ElG/UUFMfqy5HrxJ
 github.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4/go.mod h1:MnkX001NG75g3p8bhFycnyIjeQoOjGL6CEIsdE/nKSY=
 github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
 github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
-github.com/sftpgo/sdk v0.1.9-0.20240815080450-426add0ab063 h1:r+XUT9mg/W97xiS6ZJ1BczLwTYiGKCRQ+Z69QZBnAZ8=
-github.com/sftpgo/sdk v0.1.9-0.20240815080450-426add0ab063/go.mod h1:Isl0IEzS/Muvh8Fr4X+NWFsOS/fZQHRD4oPQpoY7C4g=
+github.com/sftpgo/sdk v0.1.9-0.20241002160417-3a2e25af00c1 h1:UR1rI03lk+rLbt/FmUszQoY+hE3XxVCEGSumjbMZx/I=
+github.com/sftpgo/sdk v0.1.9-0.20241002160417-3a2e25af00c1/go.mod h1:Isl0IEzS/Muvh8Fr4X+NWFsOS/fZQHRD4oPQpoY7C4g=
 github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
 github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
 github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=
diff --git a/internal/cmd/startsubsys.go b/internal/cmd/startsubsys.go
index 322a62e2..6f7c5751 100644
--- a/internal/cmd/startsubsys.go
+++ b/internal/cmd/startsubsys.go
@@ -90,6 +90,10 @@ Command-line flags should be specified in the Subsystem declaration.
 logger.Error(logSender, connectionID, "unable to initialize KMS: %v", err)
 os.Exit(1)
 }
+ if err := plugin.Initialize(config.GetPluginsConfig(), logLevel); err != nil {
+ logger.Error(logSender, connectionID, "unable to initialize plugin system: %v", err)
+ os.Exit(1)
+ }
 mfaConfig := config.GetMFAConfig()
 err = mfaConfig.Initialize()
 if err != nil {
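Review bot: The new `plugin.Initialize` call in this hunk is moved ahead of the data provider with no comment saying why, while the identical move in internal/service/service.go carries one; without it the ordering reads as arbitrary and is easy to undo in a later refactor. Suggest adding above the `if`: `// KMS plugins register their secret schemes here; this must run before the data provider is initialized, since stored secrets may use those schemes.` The reorder also starts every non-KMS plugin before the data provider in the subsystem path; I cannot tell from the hunk whether any plugin start-up relies on the provider, so that is worth confirming. The enclosing command body continues outside the hunk.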
@@ -109,10 +113,6 @@ Command-line flags should be specified in the Subsystem declaration.
 logger.Error(logSender, connectionID, "unable to initialize the data provider: %v", err)
 os.Exit(1)
 }
- if err := plugin.Initialize(config.GetPluginsConfig(), logLevel); err != nil {
- logger.Error(logSender, connectionID, "unable to initialize plugin system: %v", err)
- os.Exit(1)
- }
 smtpConfig := config.GetSMTPConfig()
 err = smtpConfig.Initialize(configDir, false)
 if err != nil {
diff --git a/internal/httpd/httpd_test.go b/internal/httpd/httpd_test.go
index 3670d396..cdd0a79d 100644
--- a/internal/httpd/httpd_test.go
+++ b/internal/httpd/httpd_test.go
@@ -370,6 +370,24 @@ func TestMain(m *testing.M) {
 os.Exit(1)
 }
+ kmsConfig := config.GetKMSConfig()
+ err = kmsConfig.Initialize()
+ if err != nil {
+ logger.ErrorToConsole("error initializing kms: %v", err)
+ os.Exit(1)
+ }
+ err = plugin.Initialize(pluginsConfig, "debug")
+ if err != nil {
+ logger.ErrorToConsole("error initializing plugin: %v", err)
+ os.Exit(1)
+ }
+ mfaConfig := config.GetMFAConfig()
+ err = mfaConfig.Initialize()
+ if err != nil {
+ logger.ErrorToConsole("error initializing MFA: %v", err)
+ os.Exit(1)
+ }
+
 err = dataprovider.Initialize(providerConf, configDir, true)
 if err != nil {
 logger.WarnToConsole("error initializing data provider: %v", err)
@@ -389,23 +407,6 @@ func TestMain(m *testing.M) {
 httpConfig.RetryMax = 1
 httpConfig.Timeout = 5
 httpConfig.Initialize(configDir) //nolint:errcheck
- kmsConfig := config.GetKMSConfig()
- err = kmsConfig.Initialize()
- if err != nil {
- logger.ErrorToConsole("error initializing kms: %v", err)
- os.Exit(1)
- }
- mfaConfig := config.GetMFAConfig()
- err = mfaConfig.Initialize()
- if err != nil {
- logger.ErrorToConsole("error initializing MFA: %v", err)
- os.Exit(1)
- }
- err = plugin.Initialize(pluginsConfig, "debug")
- if err != nil {
- logger.ErrorToConsole("error initializing plugin: %v", err)
- os.Exit(1)
- }
 httpdConf := config.GetHTTPDConfig()
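Review bot: `plugin.Initialize(pluginsConfig, "debug")` now runs roughly twenty lines earlier in TestMain, so it only sees a populated `pluginsConfig` if that variable is assigned before old line 370; if it is filled in between the two hunks (old lines 376–388), the moved call would register nothing and the data provider would only fail later on a plugin-backed secret status. I cannot see the declaration from here, so please confirm where `pluginsConfig` is set. A one-line comment such as `// KMS plugin schemes must be registered before dataprovider.Initialize` would also explain why the three init calls now sit ahead of the provider. TestMain continues outside the hunk.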
diff --git a/internal/kms/kms.go b/internal/kms/kms.go
index acd9f84e..914af4ea 100644
--- a/internal/kms/kms.go
+++ b/internal/kms/kms.go
@@ -73,7 +73,8 @@ var (
 // ErrInvalidSecret defines the error to return if a secret is not valid
 ErrInvalidSecret = errors.New("invalid secret")
 validSecretStatuses = []string{sdkkms.SecretStatusPlain, sdkkms.SecretStatusAES256GCM, sdkkms.SecretStatusSecretBox,
- sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, sdkkms.SecretStatusRedacted}
+ sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, sdkkms.SecretStatusAzureKeyVault,
+ sdkkms.SecretStatusOracleKeyVault, sdkkms.SecretStatusRedacted}
 config Configuration
 secretProviders = make(map[string]registeredSecretProvider)
 )
diff --git a/internal/plugin/kms.go b/internal/plugin/kms.go
index 6ab30e1f..b4ed5be1 100644
--- a/internal/plugin/kms.go
+++ b/internal/plugin/kms.go
@@ -29,9 +29,10 @@ import (
 )
 var (
- validKMSSchemes = []string{sdkkms.SchemeAWS, sdkkms.SchemeGCP, sdkkms.SchemeVaultTransit, sdkkms.SchemeAzureKeyVault}
+ validKMSSchemes = []string{sdkkms.SchemeAWS, sdkkms.SchemeGCP, sdkkms.SchemeVaultTransit,
+ sdkkms.SchemeAzureKeyVault, sdkkms.SchemeOracleKeyVault}
 validKMSEncryptedStatuses = []string{sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP,
- sdkkms.SecretStatusAzureKeyVault}
+ sdkkms.SecretStatusAzureKeyVault, sdkkms.SecretStatusOracleKeyVault}
 )
 // KMSConfig defines configuration parameters for kms plugins
diff --git a/internal/plugin/plugin.go b/internal/plugin/plugin.go
index eb772033..fa2d69ba 100644
--- a/internal/plugin/plugin.go
+++ b/internal/plugin/plugin.go
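Review bot: `validSecretStatuses` in this hunk and `validKMSEncryptedStatuses` in the internal/plugin/kms.go hunk are two hand-maintained lists that must agree, and the commit itself shows the drift: `sdkkms.SecretStatusAzureKeyVault` is added here as a by-product, which suggests it had been missing from this list since the Azure provider landed. Because plugin already imports kms (it calls `kms.RegisterSecretProvider` in the internal/plugin/plugin.go hunk), kms cannot import plugin to share the list; a sturdier option is to have `RegisterSecretProvider` append its `encryptedStatus` argument to `validSecretStatuses` at registration time so the list follows registrations rather than per-provider edits, though I cannot see its body from here. Failing that, add `// Keep in sync with validKMSEncryptedStatuses in internal/plugin/kms.go.` above the declaration. Accepting the Azure status here is also a behavior change the commit message does not mention; if a secret with that status was previously rejected as invalid, a line in the description would help.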
@@ -228,7 +228,7 @@ func initializePlugins() error {
 kmsID++
 kms.RegisterSecretProvider(config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus,
 Handler.Configs[idx].newKMSPluginSecretProvider)
- logger.Info(logSender, "", "registered secret provider for scheme: %v, encrypted status: %v",
+ logger.Info(logSender, "", "registered secret provider for scheme %q, encrypted status %q",
 config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus)
 case auth.PluginName:
 plugin, err := newAuthPlugin(config)
diff --git a/internal/service/service.go b/internal/service/service.go
index ba7e627a..3a8d5c81 100644
--- a/internal/service/service.go
+++ b/internal/service/service.go
@@ -129,6 +129,13 @@ func (s *Service) initializeServices(disableAWSInstallationCode bool) error {
 logger.ErrorToConsole("unable to initialize KMS: %v", err)
 return err
 }
+ // We may have KMS plugins and their schema needs to be registered before
+ // initializing the data provider which may contain KMS secrets.
+ if err := plugin.Initialize(config.GetPluginsConfig(), s.LogLevel); err != nil {
+ logger.Error(logSender, "", "unable to initialize plugin system: %v", err)
+ logger.ErrorToConsole("unable to initialize plugin system: %v", err)
+ return err
+ }
 mfaConfig := config.GetMFAConfig()
 err = mfaConfig.Initialize()
 if err != nil {
@@ -142,11 +149,6 @@ func (s *Service) initializeServices(disableAWSInstallationCode bool) error {
 logger.ErrorToConsole("error initializing data provider: %v", err)
 return err
 }
- if err := plugin.Initialize(config.GetPluginsConfig(), s.LogLevel); err != nil {
- logger.Error(logSender, "", "unable to initialize plugin system: %v", err)
- logger.ErrorToConsole("unable to initialize plugin system: %v", err)
- return err
- }
 smtpConfig := config.GetSMTPConfig()
 err = smtpConfig.Initialize(s.ConfigDir, s.PortableMode != 1)
 if err != nil {
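Review bot: The new comment in the service.go hunk says `their schema needs to be registered`, but what gets registered is the KMS scheme (`config.KMSOptions.Scheme` in the plugin.go hunk above), and "schema" right next to "data provider" reads like a database schema; suggest `// We may have KMS plugins and their scheme needs to be registered before`. The reorder also starts every plugin type, not only KMS ones, before `dataprovider.Initialize`; I cannot tell from the hunk whether any plugin start-up depends on the provider, so that is worth a check, and the same applies to the matching hunk in internal/cmd/startsubsys.go. initializeServices continues outside the hunk.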