add build tags to disable kms providers

2024-11-22 07:30:25 +00:00 · 2020-12-02 09:44:18 +01:00 · 2020-12-02 09:44:18 +01:00 · a67276ccc2
commit a67276ccc2
parent 87b51a6fd5
13 changed files with 132 additions and 35 deletions
--- a/docs/build-from-source.md
+++ b/docs/build-from-source.md
@ -1,14 +1,6 @@
 # Build SFTPGo from source
-You can install the package to your [\$GOPATH](https://github.com/golang/go/wiki/GOPATH "GOPATH") with the [go tool](https://golang.org/cmd/go/ "go command") from shell:
+Download the sources and use `go build`.
 ```bash
 go get -u github.com/drakkan/sftpgo
 ```
 Or you can download the sources and use `go build`.
 Make sure [Git](https://git-scm.com/downloads) is installed on your machine and in your system's `PATH`.
 The following build tags are available:
@ -21,6 +13,9 @@ The following build tags are available:
 - `nosqlite`, disable SQLite data provider, default enabled
 - `noportable`, disable portable mode, default enabled
 - `nometrics`, disable Prometheus metrics, default enabled
 - `novaultkms`, disable Vault transit secret engine, default enabled
 - `noawskms`, disable AWS KMS, default enabled
 - `nogcpkms`, disable GCP KMS, default enabled
 If no build tag is specified the build will include the default features.
--- a/httpd/httpd_test.go
+++ b/httpd/httpd_test.go
@ -1400,10 +1400,10 @@ func TestSecretObjectCompatibility(t *testing.T) {
 	localAsJSON, err := json.Marshal(s)
 	assert.NoError(t, err)
-	for _, provider := range []string{kms.SecretStatusRedacted} {
+	for _, secretStatus := range []string{kms.SecretStatusSecretBox} {
 		kmsConfig := config.GetKMSConfig()
 		assert.Empty(t, kmsConfig.Secrets.MasterKeyPath)
-		if provider == kms.SecretStatusVaultTransit {
+		if secretStatus == kms.SecretStatusVaultTransit {
 			os.Setenv("VAULT_SERVER_URL", "http://127.0.0.1:8200")
 			os.Setenv("VAULT_SERVER_TOKEN", "s.9lYGq83MbgG5KR5kfebXVyhJ")
 			kmsConfig.Secrets.URL = "hashivault://mykey"
@ -1420,7 +1420,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 		err = secretClone.Decrypt()
 		assert.NoError(t, err)
 		assert.Equal(t, testPayload, secretClone.GetPayload())
-		if provider == kms.SecretStatusVaultTransit {
+		if secretStatus == kms.SecretStatusVaultTransit {
 			// decrypt the local secret now that the provider is vault
 			secretLocal := kms.NewEmptySecret()
 			err = json.Unmarshal(localAsJSON, secretLocal)
@ -1448,7 +1448,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 				MasterKeyPath: masterKeyPath,
 			},
 		}
-		if provider == kms.SecretStatusVaultTransit {
+		if secretStatus == kms.SecretStatusVaultTransit {
 			config.Secrets.URL = "hashivault://mykey"
 		}
 		err = config.Initialize()
@ -1468,7 +1468,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 		err = secret.Decrypt()
 		assert.NoError(t, err)
 		assert.Equal(t, testPayload, secret.GetPayload())
-		if provider == kms.SecretStatusVaultTransit {
+		if secretStatus == kms.SecretStatusVaultTransit {
 			// decrypt the local secret encryped without a master key now that
 			// the provider is vault and a master key is set.
 			// The provider will not change, the master key will be used
@ -1491,7 +1491,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
 		assert.NoError(t, err)
 		err = os.Remove(masterKeyPath)
 		assert.NoError(t, err)
-		if provider == kms.SecretStatusVaultTransit {
+		if secretStatus == kms.SecretStatusVaultTransit {
 			os.Unsetenv("VAULT_SERVER_URL")
 			os.Unsetenv("VAULT_SERVER_TOKEN")
 		}
--- a/kms/aws.go
+++ b/kms/aws.go
@ -1,13 +1,22 @@
 // +build !noawskms
 package kms
-const (
+import (
-	awsProviderName = "AWS"
+	// we import awskms here to be able to disable AWS KMS support using a build tag
 	_ "gocloud.dev/secrets/awskms"
 	"github.com/drakkan/sftpgo/version"
 )
 type awsSecret struct {
 	baseGCloudSecret
 }
 func init() {
 	version.AddFeature("+awskms")
 }
 func newAWSSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return &awsSecret{
 		baseGCloudSecret{
--- a/kms/aws_disabled.go
+++ b/kms/aws_disabled.go
@ -0,0 +1,17 @@
 // +build noawskms
 package kms
 import (
 	"errors"
 	"github.com/drakkan/sftpgo/version"
 )
 func init() {
 	version.AddFeature("-awskms")
 }
 func newAWSSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return newDisabledSecret(errors.New("AWS KMS disabled at build time"))
 }
--- a/kms/basegocloud.go
+++ b/kms/basegocloud.go
@ -6,12 +6,6 @@ import (
 	"time"
 	"gocloud.dev/secrets"
 	// import awskms package
 	_ "gocloud.dev/secrets/awskms"
 	// import gcpkms package
 	_ "gocloud.dev/secrets/gcpkms"
 	// import hashivault package
 	_ "gocloud.dev/secrets/hashivault"
 )
 type baseGCloudSecret struct {
--- a/kms/builtin.go
+++ b/kms/builtin.go
@ -10,10 +10,6 @@ import (
 	"github.com/minio/sha256-simd"
 )
 const (
 	builtinProviderName = "Builtin"
 )
 type builtinSecret struct {
 	baseSecret
 }
--- a/kms/disabled.go
+++ b/kms/disabled.go
@ -0,0 +1,29 @@
 package kms
 type disabledSecret struct {
 	baseSecret
 	err error
 }
 func newDisabledSecret(err error) SecretProvider {
 	return &disabledSecret{
 		baseSecret: baseSecret{},
 		err:        err,
 	}
 }
 func (s *disabledSecret) Name() string {
 	return disabledProviderName
 }
 func (s *disabledSecret) IsEncrypted() bool {
 	return false
 }
 func (s *disabledSecret) Encrypt() error {
 	return s.err
 }
 func (s *disabledSecret) Decrypt() error {
 	return s.err
 }
--- a/kms/gcp.go
+++ b/kms/gcp.go
@ -1,13 +1,22 @@
 // +build !nogcpkms
 package kms
-const (
+import (
-	gcpProviderName = "GCP"
+	// we import gcpkms here to be able to disable GCP KMS support using a build tag
 	_ "gocloud.dev/secrets/gcpkms"
 	"github.com/drakkan/sftpgo/version"
 )
 type gcpSecret struct {
 	baseGCloudSecret
 }
 func init() {
 	version.AddFeature("+gcpkms")
 }
 func newGCPSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return &gcpSecret{
 		baseGCloudSecret{
--- a/kms/gcp_disabled.go
+++ b/kms/gcp_disabled.go
@ -0,0 +1,17 @@
 // +build nogcpkms
 package kms
 import (
 	"errors"
 	"github.com/drakkan/sftpgo/version"
 )
 func init() {
 	version.AddFeature("-gcpkms")
 }
 func newGCPSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return newDisabledSecret(errors.New("GCP KMS disabled at build time"))
 }
--- a/kms/kms.go
+++ b/kms/kms.go
@ -50,6 +50,15 @@ const (
 	SecretStatusRedacted SecretStatus = "Redacted"
 )
 const (
 	localProviderName    = "Local"
 	builtinProviderName  = "Builtin"
 	awsProviderName      = "AWS"
 	gcpProviderName      = "GCP"
 	vaultProviderName    = "VaultTransit"
 	disabledProviderName = "Disabled"
 )
 // Configuration defines the KMS configuration
 type Configuration struct {
 	Secrets Secrets `json:"secrets" mapstructure:"secrets"`
--- a/kms/local.go
+++ b/kms/local.go
@ -11,10 +11,6 @@ import (
 	"golang.org/x/crypto/hkdf"
 )
 const (
 	localProviderName = "Local"
 )
 type localSecret struct {
 	baseSecret
 	masterKey string
--- a/kms/vault.go
+++ b/kms/vault.go
@ -1,13 +1,22 @@
 // +build !novaultkms
 package kms
-const (
+import (
-	vaultProviderName = "VaultTransit"
+	// we import hashivault here to be able to disable Vault support using a build tag
 	_ "gocloud.dev/secrets/hashivault"
 	"github.com/drakkan/sftpgo/version"
 )
 type vaultSecret struct {
 	baseGCloudSecret
 }
 func init() {
 	version.AddFeature("+vaultkms")
 }
 func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return &vaultSecret{
 		baseGCloudSecret{
--- a/kms/vault_disabled.go
+++ b/kms/vault_disabled.go
@ -0,0 +1,17 @@
 // +build novaultkms
 package kms
 import (
 	"errors"
 	"github.com/drakkan/sftpgo/version"
 )
 func init() {
 	version.AddFeature("-vaultkms")
 }
 func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return newDisabledSecret(errors.New("Vault KMS disabled at build time"))
 }