plugins: fix hash check

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
Nicola Murino 2022-11-04 20:25:01 +01:00
parent 965d059400
commit 33bfd61a0c
No known key found for this signature in database
GPG key ID: 935D2952DEC4EECF
10 changed files with 51 additions and 44 deletions

4
go.mod

@ -4,7 +4,7 @@ go 1.19
require ( require (
cloud.google.com/go/storage v1.27.0 cloud.google.com/go/storage v1.27.0
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1 github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1
github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962 github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387 github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387
@ -155,7 +155,7 @@ require (
github.com/tklauser/numcpus v0.5.0 // indirect github.com/tklauser/numcpus v0.5.0 // indirect
github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 // indirect github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 // indirect
github.com/yusufpapurcu/wmi v1.2.2 // indirect github.com/yusufpapurcu/wmi v1.2.2 // indirect
go.opencensus.io v0.23.0 // indirect go.opencensus.io v0.24.0 // indirect
golang.org/x/mod v0.6.0 // indirect golang.org/x/mod v0.6.0 // indirect
golang.org/x/text v0.4.0 // indirect golang.org/x/text v0.4.0 // indirect
golang.org/x/tools v0.2.0 // indirect golang.org/x/tools v0.2.0 // indirect

7
go.sum

@ -101,8 +101,8 @@ github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9mo
github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw= github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 h1:pqrAR74b6EoR4kcxF7L7Wg2B8Jgil9UUZtMvxhEFqWo= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 h1:sVW/AFBTGyJxDaMYlq0ct3jUXTtj12tQ6zE2GZUgVQw=
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U= github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0= github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0/go.mod h1:+6sju8gk8FRmSajX3Oz4G5Gm7P+mbqE9FVaXXFYTkCM= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0/go.mod h1:+6sju8gk8FRmSajX3Oz4G5Gm7P+mbqE9FVaXXFYTkCM=
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8= github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8=
@ -1635,8 +1635,9 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw= go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk= go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E= go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc= go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E=
go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0/go.mod h1:vEhqr0m4eTc+DWxfsXoXue2GBgV2uUwVznkGIHW/e5w= go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0/go.mod h1:vEhqr0m4eTc+DWxfsXoXue2GBgV2uUwVznkGIHW/e5w=


@ -15,7 +15,6 @@
package plugin package plugin
import ( import (
"crypto/sha256"
"errors" "errors"
"fmt" "fmt"
"os/exec" "os/exec"
@ -113,10 +112,9 @@ func (p *authPlugin) initialize() error {
return fmt.Errorf("invalid options for auth plugin %#v: %v", p.config.Cmd, err) return fmt.Errorf("invalid options for auth plugin %#v: %v", p.config.Cmd, err)
} }
var secureConfig *plugin.SecureConfig secureConfig, err := p.config.getSecureConfig()
if p.config.SHA256Sum != "" { if err != nil {
secureConfig.Checksum = []byte(p.config.SHA256Sum) return err
secureConfig.Hash = sha256.New()
} }
client := plugin.NewClient(&plugin.ClientConfig{ client := plugin.NewClient(&plugin.ClientConfig{
HandshakeConfig: auth.Handshake, HandshakeConfig: auth.Handshake,
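Review bot: The new `return err` after `p.config.getSecureConfig()` drops the plugin identity that the neighbouring error above the hunk keeps (`invalid options for auth plugin %#v`), so a bad hash is reported without saying which plugin it was configured for; wrap it as `return fmt.Errorf("auth plugin %#v: %w", p.config.Cmd, err)`. The same bare `return err` appears in the `initialize` methods of `ipFilterPlugin`, `kmsPlugin`, `metadataPlugin`, `notifierPlugin` and `searcherPlugin` below and should get the matching wrap. `initialize` starts and ends outside this hunk.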


@ -15,7 +15,6 @@
package plugin package plugin
import ( import (
"crypto/sha256"
"fmt" "fmt"
"os/exec" "os/exec"
@ -54,10 +53,9 @@ func (p *ipFilterPlugin) cleanup() {
func (p *ipFilterPlugin) initialize() error { func (p *ipFilterPlugin) initialize() error {
logger.Debug(logSender, "", "create new IP filter plugin %#v", p.config.Cmd) logger.Debug(logSender, "", "create new IP filter plugin %#v", p.config.Cmd)
killProcess(p.config.Cmd) killProcess(p.config.Cmd)
var secureConfig *plugin.SecureConfig secureConfig, err := p.config.getSecureConfig()
if p.config.SHA256Sum != "" { if err != nil {
secureConfig.Checksum = []byte(p.config.SHA256Sum) return err
secureConfig.Hash = sha256.New()
} }
client := plugin.NewClient(&plugin.ClientConfig{ client := plugin.NewClient(&plugin.ClientConfig{
HandshakeConfig: ipfilter.Handshake, HandshakeConfig: ipfilter.Handshake,
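Review bot: `killProcess(p.config.Cmd)` still runs before the new `p.config.getSecureConfig()` call, so a malformed `SHA256Sum` kills any running plugin process and only then returns the decode error. Moving the two new lines `secureConfig, err := p.config.getSecureConfig()` / `if err != nil { return err }` above `killProcess` keeps that side effect behind the configuration check at no cost. `metadataPlugin.initialize` and `searcherPlugin.initialize` below have the same ordering. `initialize` ends outside this hunk.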


@ -15,7 +15,6 @@
package plugin package plugin
import ( import (
"crypto/sha256"
"fmt" "fmt"
"os/exec" "os/exec"
"path/filepath" "path/filepath"
@ -75,10 +74,9 @@ func (p *kmsPlugin) initialize() error {
if err := p.config.KMSOptions.validate(); err != nil { if err := p.config.KMSOptions.validate(); err != nil {
return fmt.Errorf("invalid options for kms plugin %#v: %v", p.config.Cmd, err) return fmt.Errorf("invalid options for kms plugin %#v: %v", p.config.Cmd, err)
} }
var secureConfig *plugin.SecureConfig secureConfig, err := p.config.getSecureConfig()
if p.config.SHA256Sum != "" { if err != nil {
secureConfig.Checksum = []byte(p.config.SHA256Sum) return err
secureConfig.Hash = sha256.New()
} }
client := plugin.NewClient(&plugin.ClientConfig{ client := plugin.NewClient(&plugin.ClientConfig{
HandshakeConfig: kmsplugin.Handshake, HandshakeConfig: kmsplugin.Handshake,


@ -15,7 +15,6 @@
package plugin package plugin
import ( import (
"crypto/sha256"
"fmt" "fmt"
"os/exec" "os/exec"
@ -54,10 +53,9 @@ func (p *metadataPlugin) cleanup() {
func (p *metadataPlugin) initialize() error { func (p *metadataPlugin) initialize() error {
killProcess(p.config.Cmd) killProcess(p.config.Cmd)
logger.Debug(logSender, "", "create new metadata plugin %#v", p.config.Cmd) logger.Debug(logSender, "", "create new metadata plugin %#v", p.config.Cmd)
var secureConfig *plugin.SecureConfig secureConfig, err := p.config.getSecureConfig()
if p.config.SHA256Sum != "" { if err != nil {
secureConfig.Checksum = []byte(p.config.SHA256Sum) return err
secureConfig.Hash = sha256.New()
} }
client := plugin.NewClient(&plugin.ClientConfig{ client := plugin.NewClient(&plugin.ClientConfig{
HandshakeConfig: metadata.Handshake, HandshakeConfig: metadata.Handshake,


@ -15,7 +15,6 @@
package plugin package plugin
import ( import (
"crypto/sha256"
"fmt" "fmt"
"os/exec" "os/exec"
"sync" "sync"
@ -138,10 +137,9 @@ func (p *notifierPlugin) initialize() error {
if !p.config.NotifierOptions.hasActions() { if !p.config.NotifierOptions.hasActions() {
return fmt.Errorf("no actions defined for the notifier plugin %#v", p.config.Cmd) return fmt.Errorf("no actions defined for the notifier plugin %#v", p.config.Cmd)
} }
var secureConfig *plugin.SecureConfig secureConfig, err := p.config.getSecureConfig()
if p.config.SHA256Sum != "" { if err != nil {
secureConfig.Checksum = []byte(p.config.SHA256Sum) return err
secureConfig.Hash = sha256.New()
} }
client := plugin.NewClient(&plugin.ClientConfig{ client := plugin.NewClient(&plugin.ClientConfig{
HandshakeConfig: notifier.Handshake, HandshakeConfig: notifier.Handshake,


@ -16,7 +16,9 @@
package plugin package plugin
import ( import (
"crypto/sha256"
"crypto/x509" "crypto/x509"
"encoding/hex"
"errors" "errors"
"fmt" "fmt"
"sync" "sync"
@ -24,6 +26,7 @@ import (
"time" "time"
"github.com/hashicorp/go-hclog" "github.com/hashicorp/go-hclog"
"github.com/hashicorp/go-plugin"
"github.com/sftpgo/sdk/plugin/auth" "github.com/sftpgo/sdk/plugin/auth"
"github.com/sftpgo/sdk/plugin/eventsearcher" "github.com/sftpgo/sdk/plugin/eventsearcher"
"github.com/sftpgo/sdk/plugin/ipfilter" "github.com/sftpgo/sdk/plugin/ipfilter"
@ -82,6 +85,20 @@ type Config struct {
kmsID int kmsID int
} }
func (c *Config) getSecureConfig() (*plugin.SecureConfig, error) {
if c.SHA256Sum != "" {
checksum, err := hex.DecodeString(c.SHA256Sum)
if err != nil {
return nil, fmt.Errorf("invalid sha256 hash %q: %w", c.SHA256Sum, err)
}
return &plugin.SecureConfig{
Checksum: checksum,
Hash: sha256.New(),
}, nil
}
return nil, nil
}
func (c *Config) newKMSPluginSecretProvider(base kms.BaseSecret, url, masterKey string) kms.SecretProvider { func (c *Config) newKMSPluginSecretProvider(base kms.BaseSecret, url, masterKey string) kms.SecretProvider {
return &kmsPluginSecretProvider{ return &kmsPluginSecretProvider{
BaseSecret: base, BaseSecret: base,
@ -774,16 +791,17 @@ func setLogLevel(logLevel string) {
func startCheckTicker() { func startCheckTicker() {
logger.Debug(logSender, "", "start plugins checker") logger.Debug(logSender, "", "start plugins checker")
checker := time.NewTicker(30 * time.Second)
go func() { go func() {
ticker := time.NewTicker(30 * time.Second)
defer ticker.Stop()
for { for {
select { select {
case <-Handler.done: case <-Handler.done:
logger.Debug(logSender, "", "handler done, stop plugins checker") logger.Debug(logSender, "", "handler done, stop plugins checker")
checker.Stop()
return return
case <-checker.C: case <-ticker.C:
Handler.checkCrashedPlugins() Handler.checkCrashedPlugins()
} }
} }
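Review bot: `getSecureConfig` (the new method after `kmsID int`) hex-decodes `SHA256Sum` but never checks that the result is `sha256.Size` bytes, so a truncated or over-long hex string is accepted as configuration and the mismatch only surfaces later when go-plugin compares checksums and the plugin refuses to start; add `if len(checksum) != sha256.Size { return nil, fmt.Errorf("invalid sha256 hash %q: expected %d bytes, got %d", c.SHA256Sum, sha256.Size, len(checksum)) }` right after the decode. The method also lacks a doc comment; the `return nil, nil` branch is the only place recording that an empty `SHA256Sum` turns binary verification off, so something like `// getSecureConfig returns the go-plugin SecureConfig used to verify the plugin binary against SHA256Sum, or nil when SHA256Sum is empty and no checksum verification is performed.` would make that explicit for anyone reviewing plugin configs.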


@ -15,7 +15,6 @@
package plugin package plugin
import ( import (
"crypto/sha256"
"fmt" "fmt"
"os/exec" "os/exec"
@ -54,10 +53,9 @@ func (p *searcherPlugin) cleanup() {
func (p *searcherPlugin) initialize() error { func (p *searcherPlugin) initialize() error {
killProcess(p.config.Cmd) killProcess(p.config.Cmd)
logger.Debug(logSender, "", "create new searcher plugin %#v", p.config.Cmd) logger.Debug(logSender, "", "create new searcher plugin %#v", p.config.Cmd)
var secureConfig *plugin.SecureConfig secureConfig, err := p.config.getSecureConfig()
if p.config.SHA256Sum != "" { if err != nil {
secureConfig.Checksum = []byte(p.config.SHA256Sum) return err
secureConfig.Hash = sha256.New()
} }
client := plugin.NewClient(&plugin.ClientConfig{ client := plugin.NewClient(&plugin.ClientConfig{
HandshakeConfig: eventsearcher.Handshake, HandshakeConfig: eventsearcher.Handshake,


@ -1016,17 +1016,18 @@ func (c *sftpConnection) getClient() (*sftp.Client, error) {
} }
func (c *sftpConnection) Wait() { func (c *sftpConnection) Wait() {
waitEnd := make(chan struct{}) done := make(chan struct{})
ticker := time.NewTicker(30 * time.Second)
go func() { go func() {
var watchdogInProgress atomic.Bool var watchdogInProgress atomic.Bool
ticker := time.NewTicker(30 * time.Second)
defer ticker.Stop()
for { for {
select { select {
case <-ticker.C: case <-ticker.C:
if watchdogInProgress.Load() { if watchdogInProgress.Load() {
logger.Error(c.logSender, "", "watchdog still in progress, closing hanging connection") logger.Error(c.logSender, "", "watchdog still in progress, closing hanging connection")
ticker.Stop()
c.sshClient.Close() c.sshClient.Close()
return return
} }
@ -1039,9 +1040,8 @@ func (c *sftpConnection) Wait() {
logger.Error(c.logSender, "", "watchdog error: %v", err) logger.Error(c.logSender, "", "watchdog error: %v", err)
} }
}() }()
case <-waitEnd: case <-done:
logger.Debug(c.logSender, "", "quitting watchdog") logger.Debug(c.logSender, "", "quitting watchdog")
ticker.Stop()
return return
} }
} }
@ -1051,7 +1051,7 @@ func (c *sftpConnection) Wait() {
// we don't detect the event. // we don't detect the event.
err := c.sftpClient.Wait() err := c.sftpClient.Wait()
logger.Log(logger.LevelDebug, c.logSender, "", "sftp channel closed: %v", err) logger.Log(logger.LevelDebug, c.logSender, "", "sftp channel closed: %v", err)
close(waitEnd) close(done)
c.mu.Lock() c.mu.Lock()
defer c.mu.Unlock() defer c.mu.Unlock()