add build tags to disable kms providers

2024-11-21 23:20:24 +00:00 · 2020-12-02 09:44:18 +01:00 · 2020-12-02 09:44:18 +01:00 · a67276ccc2
commit a67276ccc2
parent 87b51a6fd5
13 changed files with 132 additions and 35 deletions
--- a/docs/build-from-source.md
+++ b/docs/build-from-source.md
@ -1,14 +1,6 @@
 # Build SFTPGo from source

-You can install the package to your [\$GOPATH](https://github.com/golang/go/wiki/GOPATH "GOPATH") with the [go tool](https://golang.org/cmd/go/ "go command") from shell:
-
-```bash
-go get -u github.com/drakkan/sftpgo
-```
-
-Or you can download the sources and use `go build`.
-
-Make sure [Git](https://git-scm.com/downloads) is installed on your machine and in your system's `PATH`.
+Download the sources and use `go build`.

 The following build tags are available:

@ -21,6 +13,9 @@ The following build tags are available:
 - `nosqlite`, disable SQLite data provider, default enabled
 - `noportable`, disable portable mode, default enabled
 - `nometrics`, disable Prometheus metrics, default enabled
+- `novaultkms`, disable Vault transit secret engine, default enabled
+- `noawskms`, disable AWS KMS, default enabled
+- `nogcpkms`, disable GCP KMS, default enabled

 If no build tag is specified the build will include the default features.

--- a/httpd/httpd_test.go
+++ b/httpd/httpd_test.go
@ -1400,10 +1400,10 @@ func TestSecretObjectCompatibility(t *testing.T) {
 	localAsJSON, err := json.Marshal(s)
 	assert.NoError(t, err)

-	for _, provider := range []string{kms.SecretStatusRedacted} {
+	for _, secretStatus := range []string{kms.SecretStatusSecretBox} {
 		kmsConfig := config.GetKMSConfig()
 		assert.Empty(t, kmsConfig.Secrets.MasterKeyPath)
-		if provider == kms.SecretStatusVaultTransit {
+		if secretStatus == kms.SecretStatusVaultTransit {
 			os.Setenv("VAULT_SERVER_URL", "http://127.0.0.1:8200")
 			os.Setenv("VAULT_SERVER_TOKEN", "s.9lYGq83MbgG5KR5kfebXVyhJ")
 			kmsConfig.Secrets.URL = "hashivault://mykey"
@ -1420,7 +1420,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 		err = secretClone.Decrypt()
 		assert.NoError(t, err)
 		assert.Equal(t, testPayload, secretClone.GetPayload())
-		if provider == kms.SecretStatusVaultTransit {
+		if secretStatus == kms.SecretStatusVaultTransit {
 			// decrypt the local secret now that the provider is vault
 			secretLocal := kms.NewEmptySecret()
 			err = json.Unmarshal(localAsJSON, secretLocal)
@ -1448,7 +1448,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 				MasterKeyPath: masterKeyPath,
 			},
 		}
-		if provider == kms.SecretStatusVaultTransit {
+		if secretStatus == kms.SecretStatusVaultTransit {
 			config.Secrets.URL = "hashivault://mykey"
 		}
 		err = config.Initialize()
@ -1468,7 +1468,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 		err = secret.Decrypt()
 		assert.NoError(t, err)
 		assert.Equal(t, testPayload, secret.GetPayload())
-		if provider == kms.SecretStatusVaultTransit {
+		if secretStatus == kms.SecretStatusVaultTransit {
 			// decrypt the local secret encryped without a master key now that
 			// the provider is vault and a master key is set.
 			// The provider will not change, the master key will be used
@ -1491,7 +1491,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 		assert.NoError(t, err)
 		err = os.Remove(masterKeyPath)
 		assert.NoError(t, err)
-		if provider == kms.SecretStatusVaultTransit {
+		if secretStatus == kms.SecretStatusVaultTransit {
 			os.Unsetenv("VAULT_SERVER_URL")
 			os.Unsetenv("VAULT_SERVER_TOKEN")
 		}
--- a/kms/aws.go
+++ b/kms/aws.go
@ -1,13 +1,22 @@
+// +build !noawskms
+
 package kms

-const (
-	awsProviderName = "AWS"
+import (
+	// we import awskms here to be able to disable AWS KMS support using a build tag
+	_ "gocloud.dev/secrets/awskms"
+
+	"github.com/drakkan/sftpgo/version"
 )

 type awsSecret struct {
 	baseGCloudSecret
 }

+func init() {
+	version.AddFeature("+awskms")
+}
+
 func newAWSSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return &awsSecret{
 		baseGCloudSecret{
--- a/kms/aws_disabled.go
+++ b/kms/aws_disabled.go
@ -0,0 +1,17 @@
+// +build noawskms
+
+package kms
+
+import (
+	"errors"
+
+	"github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+	version.AddFeature("-awskms")
+}
+
+func newAWSSecret(base baseSecret, url, masterKey string) SecretProvider {
+	return newDisabledSecret(errors.New("AWS KMS disabled at build time"))
+}
--- a/kms/basegocloud.go
+++ b/kms/basegocloud.go
@ -6,12 +6,6 @@ import (
 	"time"

 	"gocloud.dev/secrets"
-	// import awskms package
-	_ "gocloud.dev/secrets/awskms"
-	// import gcpkms package
-	_ "gocloud.dev/secrets/gcpkms"
-	// import hashivault package
-	_ "gocloud.dev/secrets/hashivault"
 )

 type baseGCloudSecret struct {
--- a/kms/builtin.go
+++ b/kms/builtin.go
@ -10,10 +10,6 @@ import (
 	"github.com/minio/sha256-simd"
 )

-const (
-	builtinProviderName = "Builtin"
-)
-
 type builtinSecret struct {
 	baseSecret
 }
--- a/kms/disabled.go
+++ b/kms/disabled.go
@ -0,0 +1,29 @@
+package kms
+
+type disabledSecret struct {
+	baseSecret
+	err error
+}
+
+func newDisabledSecret(err error) SecretProvider {
+	return &disabledSecret{
+		baseSecret: baseSecret{},
+		err:        err,
+	}
+}
+
+func (s *disabledSecret) Name() string {
+	return disabledProviderName
+}
+
+func (s *disabledSecret) IsEncrypted() bool {
+	return false
+}
+
+func (s *disabledSecret) Encrypt() error {
+	return s.err
+}
+
+func (s *disabledSecret) Decrypt() error {
+	return s.err
+}
--- a/kms/gcp.go
+++ b/kms/gcp.go
@ -1,13 +1,22 @@
+// +build !nogcpkms
+
 package kms

-const (
-	gcpProviderName = "GCP"
+import (
+	// we import gcpkms here to be able to disable GCP KMS support using a build tag
+	_ "gocloud.dev/secrets/gcpkms"
+
+	"github.com/drakkan/sftpgo/version"
 )

 type gcpSecret struct {
 	baseGCloudSecret
 }

+func init() {
+	version.AddFeature("+gcpkms")
+}
+
 func newGCPSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return &gcpSecret{
 		baseGCloudSecret{
--- a/kms/gcp_disabled.go
+++ b/kms/gcp_disabled.go
@ -0,0 +1,17 @@
+// +build nogcpkms
+
+package kms
+
+import (
+	"errors"
+
+	"github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+	version.AddFeature("-gcpkms")
+}
+
+func newGCPSecret(base baseSecret, url, masterKey string) SecretProvider {
+	return newDisabledSecret(errors.New("GCP KMS disabled at build time"))
+}
--- a/kms/kms.go
+++ b/kms/kms.go
@ -50,6 +50,15 @@ const (
 	SecretStatusRedacted SecretStatus = "Redacted"
 )

+const (
+	localProviderName    = "Local"
+	builtinProviderName  = "Builtin"
+	awsProviderName      = "AWS"
+	gcpProviderName      = "GCP"
+	vaultProviderName    = "VaultTransit"
+	disabledProviderName = "Disabled"
+)
+
 // Configuration defines the KMS configuration
 type Configuration struct {
 	Secrets Secrets `json:"secrets" mapstructure:"secrets"`
--- a/kms/local.go
+++ b/kms/local.go
@ -11,10 +11,6 @@ import (
 	"golang.org/x/crypto/hkdf"
 )

-const (
-	localProviderName = "Local"
-)
-
 type localSecret struct {
 	baseSecret
 	masterKey string
--- a/kms/vault.go
+++ b/kms/vault.go
@ -1,13 +1,22 @@
+// +build !novaultkms
+
 package kms

-const (
-	vaultProviderName = "VaultTransit"
+import (
+	// we import hashivault here to be able to disable Vault support using a build tag
+	_ "gocloud.dev/secrets/hashivault"
+
+	"github.com/drakkan/sftpgo/version"
 )

 type vaultSecret struct {
 	baseGCloudSecret
 }

+func init() {
+	version.AddFeature("+vaultkms")
+}
+
 func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return &vaultSecret{
 		baseGCloudSecret{
--- a/kms/vault_disabled.go
+++ b/kms/vault_disabled.go
@ -0,0 +1,17 @@
+// +build novaultkms
+
+package kms
+
+import (
+	"errors"
+
+	"github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+	version.AddFeature("-vaultkms")
+}
+
+func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
+	return newDisabledSecret(errors.New("Vault KMS disabled at build time"))
+}