beenull/sftpgo-mirror
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2024-11-21 15:10:23 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions 6

kms: add support for Oracle Key Vault

Browse source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino 2024-10-02 18:14:05 +02:00
parent 2ec6aecc5d
commit 424999dacd
No known key found for this signature in database
GPG key ID: 935D2952DEC4EECF
8 changed files with 38 additions and 33 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
go.mod
View file

@ -52,7 +52,7 @@ require (
github.com/rs/cors v1.11.1 github.com/rs/cors v1.11.1
github.com/rs/xid v1.6.0 github.com/rs/xid v1.6.0
github.com/rs/zerolog v1.33.0 github.com/rs/zerolog v1.33.0
github.com/sftpgo/sdk v0.1.9-0.20240815080450-426add0ab063 github.com/sftpgo/sdk v0.1.9-0.20241002160417-3a2e25af00c1
github.com/shirou/gopsutil/v3 v3.24.5 github.com/shirou/gopsutil/v3 v3.24.5
github.com/spf13/afero v1.11.0 github.com/spf13/afero v1.11.0
github.com/spf13/cobra v1.8.1 github.com/spf13/cobra v1.8.1

4
go.sum
View file

@ -345,8 +345,8 @@ github.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4 h1:PT+ElG/UUFMfqy5HrxJ
github.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4/go.mod h1:MnkX001NG75g3p8bhFycnyIjeQoOjGL6CEIsdE/nKSY= github.com/secsy/goftp v0.0.0-20200609142545-aa2de14babf4/go.mod h1:MnkX001NG75g3p8bhFycnyIjeQoOjGL6CEIsdE/nKSY=
github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys= github.com/segmentio/asm v1.2.0 h1:9BQrFxC+YOHJlTlHGkTrFWf59nbL3XnCoFLTwDCI7ys=
github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs= github.com/segmentio/asm v1.2.0/go.mod h1:BqMnlJP91P8d+4ibuonYZw9mfnzI9HfxselHZr5aAcs=
github.com/sftpgo/sdk v0.1.9-0.20240815080450-426add0ab063 h1:r+XUT9mg/W97xiS6ZJ1BczLwTYiGKCRQ+Z69QZBnAZ8= github.com/sftpgo/sdk v0.1.9-0.20241002160417-3a2e25af00c1 h1:UR1rI03lk+rLbt/FmUszQoY+hE3XxVCEGSumjbMZx/I=
github.com/sftpgo/sdk v0.1.9-0.20240815080450-426add0ab063/go.mod h1:Isl0IEzS/Muvh8Fr4X+NWFsOS/fZQHRD4oPQpoY7C4g= github.com/sftpgo/sdk v0.1.9-0.20241002160417-3a2e25af00c1/go.mod h1:Isl0IEzS/Muvh8Fr4X+NWFsOS/fZQHRD4oPQpoY7C4g=
github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI= github.com/shirou/gopsutil/v3 v3.24.5 h1:i0t8kL+kQTvpAYToeuiVk3TgDeKOFioZO3Ztz/iZ9pI=
github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk= github.com/shirou/gopsutil/v3 v3.24.5/go.mod h1:bsoOS1aStSs9ErQ1WWfxllSeS1K5D+U30r2NfcubMVk=
github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM= github.com/shoenig/go-m1cpu v0.1.6 h1:nxdKQNcEB6vzgA2E2bvzKIYRuNj7XNJ4S/aRSwKzFtM=

8
internal/cmd/startsubsys.go
View file

@ -90,6 +90,10 @@ Command-line flags should be specified in the Subsystem declaration.
logger.Error(logSender, connectionID, "unable to initialize KMS: %v", err) logger.Error(logSender, connectionID, "unable to initialize KMS: %v", err)
os.Exit(1) os.Exit(1)
} }
if err := plugin.Initialize(config.GetPluginsConfig(), logLevel); err != nil {
logger.Error(logSender, connectionID, "unable to initialize plugin system: %v", err)
os.Exit(1)
}
mfaConfig := config.GetMFAConfig() mfaConfig := config.GetMFAConfig()
err = mfaConfig.Initialize() err = mfaConfig.Initialize()
if err != nil { if err != nil {
@ -109,10 +113,6 @@ Command-line flags should be specified in the Subsystem declaration.
logger.Error(logSender, connectionID, "unable to initialize the data provider: %v", err) logger.Error(logSender, connectionID, "unable to initialize the data provider: %v", err)
os.Exit(1) os.Exit(1)
} }
if err := plugin.Initialize(config.GetPluginsConfig(), logLevel); err != nil {
logger.Error(logSender, connectionID, "unable to initialize plugin system: %v", err)
os.Exit(1)
}
smtpConfig := config.GetSMTPConfig() smtpConfig := config.GetSMTPConfig()
err = smtpConfig.Initialize(configDir, false) err = smtpConfig.Initialize(configDir, false)
if err != nil { if err != nil {

35
internal/httpd/httpd_test.go
View file

@ -370,6 +370,24 @@ func TestMain(m *testing.M) {
os.Exit(1) os.Exit(1)
} }
kmsConfig := config.GetKMSConfig()
err = kmsConfig.Initialize()
if err != nil {
logger.ErrorToConsole("error initializing kms: %v", err)
os.Exit(1)
}
err = plugin.Initialize(pluginsConfig, "debug")
if err != nil {
logger.ErrorToConsole("error initializing plugin: %v", err)
os.Exit(1)
}
mfaConfig := config.GetMFAConfig()
err = mfaConfig.Initialize()
if err != nil {
logger.ErrorToConsole("error initializing MFA: %v", err)
os.Exit(1)
}
err = dataprovider.Initialize(providerConf, configDir, true) err = dataprovider.Initialize(providerConf, configDir, true)
if err != nil { if err != nil {
logger.WarnToConsole("error initializing data provider: %v", err) logger.WarnToConsole("error initializing data provider: %v", err)
@ -389,23 +407,6 @@ func TestMain(m *testing.M) {
httpConfig.RetryMax = 1 httpConfig.RetryMax = 1
httpConfig.Timeout = 5 httpConfig.Timeout = 5
httpConfig.Initialize(configDir) //nolint:errcheck httpConfig.Initialize(configDir) //nolint:errcheck
kmsConfig := config.GetKMSConfig()
err = kmsConfig.Initialize()
if err != nil {
logger.ErrorToConsole("error initializing kms: %v", err)
os.Exit(1)
}
mfaConfig := config.GetMFAConfig()
err = mfaConfig.Initialize()
if err != nil {
logger.ErrorToConsole("error initializing MFA: %v", err)
os.Exit(1)
}
err = plugin.Initialize(pluginsConfig, "debug")
if err != nil {
logger.ErrorToConsole("error initializing plugin: %v", err)
os.Exit(1)
}
httpdConf := config.GetHTTPDConfig() httpdConf := config.GetHTTPDConfig()

3
internal/kms/kms.go
View file

@ -73,7 +73,8 @@ var (
// ErrInvalidSecret defines the error to return if a secret is not valid // ErrInvalidSecret defines the error to return if a secret is not valid
ErrInvalidSecret = errors.New("invalid secret") ErrInvalidSecret = errors.New("invalid secret")
validSecretStatuses = []string{sdkkms.SecretStatusPlain, sdkkms.SecretStatusAES256GCM, sdkkms.SecretStatusSecretBox, validSecretStatuses = []string{sdkkms.SecretStatusPlain, sdkkms.SecretStatusAES256GCM, sdkkms.SecretStatusSecretBox,
sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, sdkkms.SecretStatusRedacted} sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, sdkkms.SecretStatusAzureKeyVault,
sdkkms.SecretStatusOracleKeyVault, sdkkms.SecretStatusRedacted}
config Configuration config Configuration
secretProviders = make(map[string]registeredSecretProvider) secretProviders = make(map[string]registeredSecretProvider)
) )

5
internal/plugin/kms.go
View file

@ -29,9 +29,10 @@ import (
) )
var ( var (
validKMSSchemes = []string{sdkkms.SchemeAWS, sdkkms.SchemeGCP, sdkkms.SchemeVaultTransit, sdkkms.SchemeAzureKeyVault} validKMSSchemes = []string{sdkkms.SchemeAWS, sdkkms.SchemeGCP, sdkkms.SchemeVaultTransit,
sdkkms.SchemeAzureKeyVault, sdkkms.SchemeOracleKeyVault}
validKMSEncryptedStatuses = []string{sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP, validKMSEncryptedStatuses = []string{sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP,
sdkkms.SecretStatusAzureKeyVault} sdkkms.SecretStatusAzureKeyVault, sdkkms.SecretStatusOracleKeyVault}
) )
// KMSConfig defines configuration parameters for kms plugins // KMSConfig defines configuration parameters for kms plugins

2
internal/plugin/plugin.go
View file

@ -228,7 +228,7 @@ func initializePlugins() error {
kmsID++ kmsID++
kms.RegisterSecretProvider(config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus, kms.RegisterSecretProvider(config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus,
Handler.Configs[idx].newKMSPluginSecretProvider) Handler.Configs[idx].newKMSPluginSecretProvider)
logger.Info(logSender, "", "registered secret provider for scheme: %v, encrypted status: %v", logger.Info(logSender, "", "registered secret provider for scheme %q, encrypted status %q",
config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus) config.KMSOptions.Scheme, config.KMSOptions.EncryptedStatus)
case auth.PluginName: case auth.PluginName:
plugin, err := newAuthPlugin(config) plugin, err := newAuthPlugin(config)

12
internal/service/service.go
View file

@ -129,6 +129,13 @@ func (s *Service) initializeServices(disableAWSInstallationCode bool) error {
logger.ErrorToConsole("unable to initialize KMS: %v", err) logger.ErrorToConsole("unable to initialize KMS: %v", err)
return err return err
} }
// We may have KMS plugins and their schema needs to be registered before
// initializing the data provider which may contain KMS secrets.
if err := plugin.Initialize(config.GetPluginsConfig(), s.LogLevel); err != nil {
logger.Error(logSender, "", "unable to initialize plugin system: %v", err)
logger.ErrorToConsole("unable to initialize plugin system: %v", err)
return err
}
mfaConfig := config.GetMFAConfig() mfaConfig := config.GetMFAConfig()
err = mfaConfig.Initialize() err = mfaConfig.Initialize()
if err != nil { if err != nil {
@ -142,11 +149,6 @@ func (s *Service) initializeServices(disableAWSInstallationCode bool) error {
logger.ErrorToConsole("error initializing data provider: %v", err) logger.ErrorToConsole("error initializing data provider: %v", err)
return err return err
} }
if err := plugin.Initialize(config.GetPluginsConfig(), s.LogLevel); err != nil {
logger.Error(logSender, "", "unable to initialize plugin system: %v", err)
logger.ErrorToConsole("unable to initialize plugin system: %v", err)
return err
}
smtpConfig := config.GetSMTPConfig() smtpConfig := config.GetSMTPConfig()
err = smtpConfig.Initialize(s.ConfigDir, s.PortableMode != 1) err = smtpConfig.Initialize(s.ConfigDir, s.PortableMode != 1)
if err != nil { if err != nil {