2024-01-01 10:31:45 +00:00
|
|
|
// Copyright (C) 2019 Nicola Murino
|
2022-07-17 18:16:00 +00:00
|
|
|
//
|
|
|
|
|
// This program is free software: you can redistribute it and/or modify
|
|
|
|
|
// it under the terms of the GNU Affero General Public License as published
|
|
|
|
|
// by the Free Software Foundation, version 3.
|
|
|
|
|
//
|
|
|
|
|
// This program is distributed in the hope that it will be useful,
|
|
|
|
|
// but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
|
|
|
// MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
|
|
|
// GNU Affero General Public License for more details.
|
|
|
|
|
//
|
|
|
|
|
// You should have received a copy of the GNU Affero General Public License
|
2023-01-03 09:18:30 +00:00
|
|
|
// along with this program. If not, see <https://www.gnu.org/licenses/>.
|
2022-07-17 18:16:00 +00:00
|
|
|
|
2021-07-16 16:22:42 +00:00
|
|
|
package plugin
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"path/filepath"
|
2024-07-24 16:27:13 +00:00
|
|
|
"slices"
|
2021-07-16 16:22:42 +00:00
|
|
|
|
|
|
|
|
"github.com/hashicorp/go-hclog"
|
|
|
|
|
"github.com/hashicorp/go-plugin"
|
2022-01-06 10:54:43 +00:00
|
|
|
sdkkms "github.com/sftpgo/sdk/kms"
|
|
|
|
|
kmsplugin "github.com/sftpgo/sdk/plugin/kms"
|
2021-07-16 16:22:42 +00:00
|
|
|
|
2022-07-24 14:18:54 +00:00
|
|
|
"github.com/drakkan/sftpgo/v2/internal/kms"
|
|
|
|
|
"github.com/drakkan/sftpgo/v2/internal/logger"
|
2021-07-16 16:22:42 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
var (
|
2022-01-06 09:11:47 +00:00
|
|
|
validKMSSchemes = []string{sdkkms.SchemeAWS, sdkkms.SchemeGCP, sdkkms.SchemeVaultTransit, sdkkms.SchemeAzureKeyVault}
|
|
|
|
|
validKMSEncryptedStatuses = []string{sdkkms.SecretStatusVaultTransit, sdkkms.SecretStatusAWS, sdkkms.SecretStatusGCP,
|
|
|
|
|
sdkkms.SecretStatusAzureKeyVault}
|
2021-07-16 16:22:42 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
// KMSConfig defines configuration parameters for kms plugins
|
|
|
|
|
type KMSConfig struct {
|
|
|
|
|
Scheme string `json:"scheme" mapstructure:"scheme"`
|
|
|
|
|
EncryptedStatus string `json:"encrypted_status" mapstructure:"encrypted_status"`
|
|
|
|
|
}
|
|
|
|
|
|
2021-08-08 15:09:48 +00:00
|
|
|
func (c *KMSConfig) validate() error {
|
2024-07-24 16:27:13 +00:00
|
|
|
if !slices.Contains(validKMSSchemes, c.Scheme) {
|
2021-07-16 16:22:42 +00:00
|
|
|
return fmt.Errorf("invalid kms scheme: %v", c.Scheme)
|
|
|
|
|
}
|
2024-07-24 16:27:13 +00:00
|
|
|
if !slices.Contains(validKMSEncryptedStatuses, c.EncryptedStatus) {
|
2021-07-16 16:22:42 +00:00
|
|
|
return fmt.Errorf("invalid kms encrypted status: %v", c.EncryptedStatus)
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type kmsPlugin struct {
|
|
|
|
|
config Config
|
|
|
|
|
service kmsplugin.Service
|
|
|
|
|
client *plugin.Client
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func newKMSPlugin(config Config) (*kmsPlugin, error) {
|
|
|
|
|
p := &kmsPlugin{
|
|
|
|
|
config: config,
|
|
|
|
|
}
|
|
|
|
|
if err := p.initialize(); err != nil {
|
|
|
|
|
logger.Warn(logSender, "", "unable to create kms plugin: %v, config %+v", err, config)
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
return p, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *kmsPlugin) initialize() error {
|
|
|
|
|
killProcess(p.config.Cmd)
|
2023-02-27 18:02:43 +00:00
|
|
|
logger.Debug(logSender, "", "create new kms plugin %q", p.config.Cmd)
|
2021-08-08 15:09:48 +00:00
|
|
|
if err := p.config.KMSOptions.validate(); err != nil {
|
2023-02-27 18:02:43 +00:00
|
|
|
return fmt.Errorf("invalid options for kms plugin %q: %v", p.config.Cmd, err)
|
2021-07-16 16:22:42 +00:00
|
|
|
}
|
2022-11-04 19:25:01 +00:00
|
|
|
secureConfig, err := p.config.getSecureConfig()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
2021-07-16 16:22:42 +00:00
|
|
|
}
|
|
|
|
|
client := plugin.NewClient(&plugin.ClientConfig{
|
|
|
|
|
HandshakeConfig: kmsplugin.Handshake,
|
|
|
|
|
Plugins: kmsplugin.PluginMap,
|
2023-10-29 14:19:30 +00:00
|
|
|
Cmd: p.config.getCommand(),
|
|
|
|
|
SkipHostEnv: true,
|
2021-07-16 16:22:42 +00:00
|
|
|
AllowedProtocols: []plugin.Protocol{
|
|
|
|
|
plugin.ProtocolGRPC,
|
|
|
|
|
},
|
|
|
|
|
AutoMTLS: p.config.AutoMTLS,
|
|
|
|
|
SecureConfig: secureConfig,
|
|
|
|
|
Managed: false,
|
|
|
|
|
Logger: &logger.HCLogAdapter{
|
|
|
|
|
Logger: hclog.New(&hclog.LoggerOptions{
|
2021-10-23 13:47:21 +00:00
|
|
|
Name: fmt.Sprintf("%v.%v", logSender, kmsplugin.PluginName),
|
2021-07-16 16:22:42 +00:00
|
|
|
Level: pluginsLogLevel,
|
|
|
|
|
DisableTime: true,
|
|
|
|
|
}),
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
rpcClient, err := client.Client()
|
|
|
|
|
if err != nil {
|
2023-02-27 18:02:43 +00:00
|
|
|
logger.Debug(logSender, "", "unable to get rpc client for kms plugin %q: %v", p.config.Cmd, err)
|
2021-07-16 16:22:42 +00:00
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
raw, err := rpcClient.Dispense(kmsplugin.PluginName)
|
|
|
|
|
if err != nil {
|
2023-02-27 18:02:43 +00:00
|
|
|
logger.Debug(logSender, "", "unable to get plugin %v from rpc client for command %q: %v",
|
2021-07-16 16:22:42 +00:00
|
|
|
kmsplugin.PluginName, p.config.Cmd, err)
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
p.client = client
|
|
|
|
|
p.service = raw.(kmsplugin.Service)
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *kmsPlugin) exited() bool {
|
|
|
|
|
return p.client.Exited()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *kmsPlugin) cleanup() {
|
|
|
|
|
p.client.Kill()
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *kmsPlugin) Encrypt(secret kms.BaseSecret, url string, masterKey string) (string, string, int32, error) {
|
|
|
|
|
return p.service.Encrypt(secret.Payload, secret.AdditionalData, url, masterKey)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (p *kmsPlugin) Decrypt(secret kms.BaseSecret, url string, masterKey string) (string, error) {
|
|
|
|
|
return p.service.Decrypt(secret.Payload, secret.Key, secret.AdditionalData, secret.Mode, url, masterKey)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
type kmsPluginSecretProvider struct {
|
|
|
|
|
kms.BaseSecret
|
|
|
|
|
URL string
|
|
|
|
|
MasterKey string
|
|
|
|
|
config *Config
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *kmsPluginSecretProvider) Name() string {
|
|
|
|
|
return fmt.Sprintf("KMSPlugin_%v_%v_%v", filepath.Base(s.config.Cmd), s.config.KMSOptions.Scheme, s.config.kmsID)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *kmsPluginSecretProvider) IsEncrypted() bool {
|
|
|
|
|
return s.Status == s.config.KMSOptions.EncryptedStatus
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *kmsPluginSecretProvider) Encrypt() error {
|
2022-01-06 09:11:47 +00:00
|
|
|
if s.Status != sdkkms.SecretStatusPlain {
|
2021-07-16 16:22:42 +00:00
|
|
|
return kms.ErrWrongSecretStatus
|
|
|
|
|
}
|
|
|
|
|
if s.Payload == "" {
|
|
|
|
|
return kms.ErrInvalidSecret
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
payload, key, mode, err := Handler.kmsEncrypt(s.BaseSecret, s.URL, s.MasterKey, s.config.kmsID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
s.Status = s.config.KMSOptions.EncryptedStatus
|
|
|
|
|
s.Payload = payload
|
|
|
|
|
s.Key = key
|
|
|
|
|
s.Mode = int(mode)
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *kmsPluginSecretProvider) Decrypt() error {
|
|
|
|
|
if !s.IsEncrypted() {
|
|
|
|
|
return kms.ErrWrongSecretStatus
|
|
|
|
|
}
|
|
|
|
|
payload, err := Handler.kmsDecrypt(s.BaseSecret, s.URL, s.MasterKey, s.config.kmsID)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
2022-01-06 09:11:47 +00:00
|
|
|
s.Status = sdkkms.SecretStatusPlain
|
2021-07-16 16:22:42 +00:00
|
|
|
s.Payload = payload
|
|
|
|
|
s.Key = ""
|
|
|
|
|
s.AdditionalData = ""
|
|
|
|
|
s.Mode = 0
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *kmsPluginSecretProvider) Clone() kms.SecretProvider {
|
|
|
|
|
baseSecret := kms.BaseSecret{
|
|
|
|
|
Status: s.Status,
|
|
|
|
|
Payload: s.Payload,
|
|
|
|
|
Key: s.Key,
|
|
|
|
|
AdditionalData: s.AdditionalData,
|
|
|
|
|
Mode: s.Mode,
|
|
|
|
|
}
|
|
|
|
|
return s.config.newKMSPluginSecretProvider(baseSecret, s.URL, s.MasterKey)
|
|
|
|
|
}
|
