From a67276ccc22efe91eaba40f6c8cf3d3457d5e25e Mon Sep 17 00:00:00 2001
From: Nicola Murino
Date: Wed, 2 Dec 2020 09:44:18 +0100
Subject: [PATCH] add build tags to disable kms providers

---
 docs/build-from-source.md | 13 ++++---------
 httpd/httpd_test.go | 12 ++++++------
 kms/aws.go | 13 +++++++++++--
 kms/aws_disabled.go | 17 +++++++++++++++++
 kms/basegocloud.go | 6 ------
 kms/builtin.go | 4 ----
 kms/disabled.go | 29 +++++++++++++++++++++++++++++
 kms/gcp.go | 13 +++++++++++--
 kms/gcp_disabled.go | 17 +++++++++++++++++
 kms/kms.go | 9 +++++++++
 kms/local.go | 4 ----
 kms/vault.go | 13 +++++++++++--
 kms/vault_disabled.go | 17 +++++++++++++++++
 13 files changed, 132 insertions(+), 35 deletions(-)
 create mode 100644 kms/aws_disabled.go
 create mode 100644 kms/disabled.go
 create mode 100644 kms/gcp_disabled.go
 create mode 100644 kms/vault_disabled.go

diff --git a/docs/build-from-source.md b/docs/build-from-source.md
index ddbde318..004501bf 100644
--- a/docs/build-from-source.md
+++ b/docs/build-from-source.md
@@ -1,14 +1,6 @@
 # Build SFTPGo from source
 
-You can install the package to your [\$GOPATH](https://github.com/golang/go/wiki/GOPATH "GOPATH") with the [go tool](https://golang.org/cmd/go/ "go command") from shell:
-
-```bash
-go get -u github.com/drakkan/sftpgo
-```
-
-Or you can download the sources and use `go build`.
-
-Make sure [Git](https://git-scm.com/downloads) is installed on your machine and in your system's `PATH`.
+Download the sources and use `go build`.
 
 The following build tags are available:
 
@@ -21,6 +13,9 @@ The following build tags are available:
 - `nosqlite`, disable SQLite data provider, default enabled
 - `noportable`, disable portable mode, default enabled
 - `nometrics`, disable Prometheus metrics, default enabled
+- `novaultkms`, disable Vault transit secret engine, default enabled
+- `noawskms`, disable AWS KMS, default enabled
+- `nogcpkms`, disable GCP KMS, default enabled
 
 If no build tag is specified the build will include the default features.
 
diff --git a/httpd/httpd_test.go b/httpd/httpd_test.go
index 21bea07e..25b5a44d 100644
--- a/httpd/httpd_test.go
+++ b/httpd/httpd_test.go
@@ -1400,10 +1400,10 @@ func TestSecretObjectCompatibility(t *testing.T) {
 localAsJSON, err := json.Marshal(s)
 assert.NoError(t, err)
 
- for _, provider := range []string{kms.SecretStatusRedacted} {
+ for _, secretStatus := range []string{kms.SecretStatusSecretBox} {
 kmsConfig := config.GetKMSConfig()
 assert.Empty(t, kmsConfig.Secrets.MasterKeyPath)
- if provider == kms.SecretStatusVaultTransit {
+ if secretStatus == kms.SecretStatusVaultTransit {
 os.Setenv("VAULT_SERVER_URL", "http://127.0.0.1:8200")
 os.Setenv("VAULT_SERVER_TOKEN", "s.9lYGq83MbgG5KR5kfebXVyhJ")
 kmsConfig.Secrets.URL = "hashivault://mykey"
@@ -1420,7 +1420,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 err = secretClone.Decrypt()
 assert.NoError(t, err)
 assert.Equal(t, testPayload, secretClone.GetPayload())
- if provider == kms.SecretStatusVaultTransit {
+ if secretStatus == kms.SecretStatusVaultTransit {
 // decrypt the local secret now that the provider is vault
 secretLocal := kms.NewEmptySecret()
 err = json.Unmarshal(localAsJSON, secretLocal)
@@ -1448,7 +1448,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 MasterKeyPath: masterKeyPath,
 },
 }
- if provider == kms.SecretStatusVaultTransit {
+ if secretStatus == kms.SecretStatusVaultTransit {
 config.Secrets.URL = "hashivault://mykey"
 }
 err = config.Initialize()
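Review bot: With the loop in the -1400 hunk now ranging over only `kms.SecretStatusSecretBox`, every `if secretStatus == kms.SecretStatusVaultTransit` branch in this test, including the `os.Setenv` of the Vault URL and token right here, is dead code, so the Vault path is no longer exercised and will rot silently. If the intent is to keep it as an opt-in manual check, say so next to the slice, e.g. `// add kms.SecretStatusVaultTransit here to test against a local Vault; needs a build without novaultkms`. A cleaner option is to build the slice conditionally and skip the Vault case when the provider was compiled out; the `-vaultkms` feature string this commit registers via `version.AddFeature` would be the natural signal, assuming the version package exposes the feature list. The enclosing `TestSecretObjectCompatibility` starts before and ends after this hunk.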
@@ -1468,7 +1468,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 err = secret.Decrypt()
 assert.NoError(t, err)
 assert.Equal(t, testPayload, secret.GetPayload())
- if provider == kms.SecretStatusVaultTransit {
+ if secretStatus == kms.SecretStatusVaultTransit {
 // decrypt the local secret encryped without a master key now that
 // the provider is vault and a master key is set.
 // The provider will not change, the master key will be used
@@ -1491,7 +1491,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 assert.NoError(t, err)
 err = os.Remove(masterKeyPath)
 assert.NoError(t, err)
- if provider == kms.SecretStatusVaultTransit {
+ if secretStatus == kms.SecretStatusVaultTransit {
 os.Unsetenv("VAULT_SERVER_URL")
 os.Unsetenv("VAULT_SERVER_TOKEN")
 }
diff --git a/kms/aws.go b/kms/aws.go
index 6f83ad3c..d656bee6 100644
--- a/kms/aws.go
+++ b/kms/aws.go
@@ -1,13 +1,22 @@
+// +build !noawskms
+
 package kms
 
-const (
- awsProviderName = "AWS"
+import (
+ // we import awskms here to be able to disable AWS KMS support using a build tag
+ _ "gocloud.dev/secrets/awskms"
+
+ "github.com/drakkan/sftpgo/version"
 )
 
 type awsSecret struct {
 baseGCloudSecret
 }
 
+func init() {
+ version.AddFeature("+awskms")
+}
+
 func newAWSSecret(base baseSecret, url, masterKey string) SecretProvider {
 return &awsSecret{
 baseGCloudSecret{
diff --git a/kms/aws_disabled.go b/kms/aws_disabled.go
new file mode 100644
index 00000000..fadea93f
--- /dev/null
+++ b/kms/aws_disabled.go
@@ -0,0 +1,17 @@
+// +build noawskms
+
+package kms
+
+import (
+ "errors"
+
+ "github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+ version.AddFeature("-awskms")
+}
+
+func newAWSSecret(base baseSecret, url, masterKey string) SecretProvider {
+ return newDisabledSecret(errors.New("AWS KMS disabled at build time"))
+}
diff --git a/kms/basegocloud.go b/kms/basegocloud.go
index 4a4930cb..b0af907d 100644
--- a/kms/basegocloud.go
+++ b/kms/basegocloud.go
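Review bot: `newAWSSecret` in aws_disabled.go discards `base`, the status, payload and key the caller passes in for a secret that was previously encrypted with AWS KMS, because `newDisabledSecret` builds its stub on a zero `baseSecret{}`. A secret stored under this provider and loaded by a `noawskms` build therefore comes back empty rather than merely un-decryptable, and if anything re-serialises it (the test hunks above marshal secrets to JSON) the original ciphertext could be overwritten. Forward the base so the data survives: `return newDisabledSecret(base, errors.New("AWS KMS disabled at build time"))`, with `newDisabledSecret` taking `(base baseSecret, err error)` and storing `baseSecret: base`; the gcp and vault stubs in this commit need the same treatment. Naming the ignored `url` and `masterKey` parameters `_` would also make the intent explicit to readers and linters.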
@@ -6,12 +6,6 @@ import (
 "time"
 
 "gocloud.dev/secrets"
- // import awskms package
- _ "gocloud.dev/secrets/awskms"
- // import gcpkms package
- _ "gocloud.dev/secrets/gcpkms"
- // import hashivault package
- _ "gocloud.dev/secrets/hashivault"
 )
 
 type baseGCloudSecret struct {
diff --git a/kms/builtin.go b/kms/builtin.go
index 1ac584b9..47d30125 100644
--- a/kms/builtin.go
+++ b/kms/builtin.go
@@ -10,10 +10,6 @@ import (
 "github.com/minio/sha256-simd"
 )
 
-const (
- builtinProviderName = "Builtin"
-)
-
 type builtinSecret struct {
 baseSecret
 }
diff --git a/kms/disabled.go b/kms/disabled.go
new file mode 100644
index 00000000..dbcad7e1
--- /dev/null
+++ b/kms/disabled.go
@@ -0,0 +1,29 @@
+package kms
+
+type disabledSecret struct {
+ baseSecret
+ err error
+}
+
+func newDisabledSecret(err error) SecretProvider {
+ return &disabledSecret{
+ baseSecret: baseSecret{},
+ err: err,
+ }
+}
+
+func (s *disabledSecret) Name() string {
+ return disabledProviderName
+}
+
+func (s *disabledSecret) IsEncrypted() bool {
+ return false
+}
+
+func (s *disabledSecret) Encrypt() error {
+ return s.err
+}
+
+func (s *disabledSecret) Decrypt() error {
+ return s.err
+}
diff --git a/kms/gcp.go b/kms/gcp.go
index 158cce8a..c58ba54d 100644
--- a/kms/gcp.go
+++ b/kms/gcp.go
@@ -1,13 +1,22 @@
+// +build !nogcpkms
+
 package kms
 
-const (
- gcpProviderName = "GCP"
+import (
+ // we import gcpkms here to be able to disable GCP KMS support using a build tag
+ _ "gocloud.dev/secrets/gcpkms"
+
+ "github.com/drakkan/sftpgo/version"
 )
 
 type gcpSecret struct {
 baseGCloudSecret
 }
 
+func init() {
+ version.AddFeature("+gcpkms")
+}
+
 func newGCPSecret(base baseSecret, url, masterKey string) SecretProvider {
 return &gcpSecret{
 baseGCloudSecret{
diff --git a/kms/gcp_disabled.go b/kms/gcp_disabled.go
new file mode 100644
index 00000000..5cbe505f
--- /dev/null
+++ b/kms/gcp_disabled.go
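Review bot: `IsEncrypted` on `disabledSecret` in disabled.go returns a hard-coded `false`, which misreports a secret whose provider was compiled out: the stored data may well be ciphertext produced by an earlier build, and a caller that consults `IsEncrypted` to decide whether the payload can be used as plaintext would be misled, even though `Encrypt` and `Decrypt` correctly fail closed with `s.err`. Because the stub is built on an empty `baseSecret{}` it also has no status or payload to report at all; keeping the caller's base and answering `IsEncrypted` from its status, as the real providers presumably do through the embedded `baseSecret`, would make the stub consistent. At minimum document the contract on the type with something like `// disabledSecret stands in for a provider excluded at build time: it never encrypts or decrypts, and must not be persisted because Name() reports "Disabled" rather than the original provider.` The type and its methods are complete within this hunk.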
@@ -0,0 +1,17 @@
+// +build nogcpkms
+
+package kms
+
+import (
+ "errors"
+
+ "github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+ version.AddFeature("-gcpkms")
+}
+
+func newGCPSecret(base baseSecret, url, masterKey string) SecretProvider {
+ return newDisabledSecret(errors.New("GCP KMS disabled at build time"))
+}
diff --git a/kms/kms.go b/kms/kms.go
index b150c100..fd6d796d 100644
--- a/kms/kms.go
+++ b/kms/kms.go
@@ -50,6 +50,15 @@ const (
 SecretStatusRedacted SecretStatus = "Redacted"
 )
 
+const (
+ localProviderName = "Local"
+ builtinProviderName = "Builtin"
+ awsProviderName = "AWS"
+ gcpProviderName = "GCP"
+ vaultProviderName = "VaultTransit"
+ disabledProviderName = "Disabled"
+)
+
 // Configuration defines the KMS configuration
 type Configuration struct {
 Secrets Secrets `json:"secrets" mapstructure:"secrets"`
diff --git a/kms/local.go b/kms/local.go
index ceef4e81..ef80dc7a 100644
--- a/kms/local.go
+++ b/kms/local.go
@@ -11,10 +11,6 @@ import (
 "golang.org/x/crypto/hkdf"
 )
 
-const (
- localProviderName = "Local"
-)
-
 type localSecret struct {
 baseSecret
 masterKey string
diff --git a/kms/vault.go b/kms/vault.go
index af549992..6d19b66d 100644
--- a/kms/vault.go
+++ b/kms/vault.go
@@ -1,13 +1,22 @@
+// +build !novaultkms
+
 package kms
 
-const (
- vaultProviderName = "VaultTransit"
+import (
+ // we import hashivault here to be able to disable Vault support using a build tag
+ _ "gocloud.dev/secrets/hashivault"
+
+ "github.com/drakkan/sftpgo/version"
 )
 
 type vaultSecret struct {
 baseGCloudSecret
 }
 
+func init() {
+ version.AddFeature("+vaultkms")
+}
+
 func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
 return &vaultSecret{
 baseGCloudSecret{
diff --git a/kms/vault_disabled.go b/kms/vault_disabled.go
new file mode 100644
index 00000000..55d36851
--- /dev/null
+++ b/kms/vault_disabled.go
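Review bot: The new `disabledProviderName = "Disabled"` in the kms.go constants hunk is what `disabledSecret.Name()` returns, so if `Name()` is what ends up as a persisted secret's status, a secret that passes through a build with its provider compiled out and is then saved would be rewritten with a status that no provider, not even a later full build, can map back to the original KMS. Consider documenting that constraint on the constant, e.g. `// disabledProviderName marks a provider excluded via build tag; a secret must never be stored with this status`, and having the code that persists secrets reject it explicitly. How `Name()` feeds persistence is not visible in this hunk, so this is worth confirming against the callers in kms.go.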
@@ -0,0 +1,17 @@
+// +build novaultkms
+
+package kms
+
+import (
+ "errors"
+
+ "github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+ version.AddFeature("-vaultkms")
+}
+
+func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
+ return newDisabledSecret(errors.New("Vault KMS disabled at build time"))
+}
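Review bot: The error in `newVaultSecret` is allocated with `errors.New` on every call, so callers can only recognise a compiled-out provider by matching the string `"Vault KMS disabled at build time"`. A package-level sentinel, `var errVaultKMSDisabled = errors.New("Vault KMS disabled at build time")`, returned as `return newDisabledSecret(errVaultKMSDisabled)`, lets the config and HTTP layers distinguish a build-time limitation from a real Vault failure with `errors.Is` and surface it as a configuration error. The same applies to the aws and gcp stubs added in this commit.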