add build tags to disable kms providers
parent
87b51a6fd5
commit
a67276ccc2
13 changed files with 132 additions and 35 deletions
|
@ -1,14 +1,6 @@
|
|||
# Build SFTPGo from source
|
||||
|
||||
You can install the package to your [\$GOPATH](https://github.com/golang/go/wiki/GOPATH "GOPATH") with the [go tool](https://golang.org/cmd/go/ "go command") from shell:
|
||||
|
||||
```bash
|
||||
go get -u github.com/drakkan/sftpgo
|
||||
```
|
||||
|
||||
Or you can download the sources and use `go build`.
|
||||
|
||||
Make sure [Git](https://git-scm.com/downloads) is installed on your machine and in your system's `PATH`.
|
||||
Download the sources and use `go build`.
|
||||
|
||||
The following build tags are available:
|
||||
|
||||
|
@ -21,6 +13,9 @@ The following build tags are available:
|
|||
- `nosqlite`, disable SQLite data provider, default enabled
|
||||
- `noportable`, disable portable mode, default enabled
|
||||
- `nometrics`, disable Prometheus metrics, default enabled
|
||||
- `novaultkms`, disable Vault transit secret engine, default enabled
|
||||
- `noawskms`, disable AWS KMS, default enabled
|
||||
- `nogcpkms`, disable GCP KMS, default enabled
|
||||
|
||||
If no build tag is specified the build will include the default features.
|
||||
|
||||
|
|
|
@ -1400,10 +1400,10 @@ func TestSecretObjectCompatibility(t *testing.T) {
|
|||
localAsJSON, err := json.Marshal(s)
|
||||
assert.NoError(t, err)
|
||||
|
||||
for _, provider := range []string{kms.SecretStatusRedacted} {
|
||||
for _, secretStatus := range []string{kms.SecretStatusSecretBox} {
|
||||
kmsConfig := config.GetKMSConfig()
|
||||
assert.Empty(t, kmsConfig.Secrets.MasterKeyPath)
|
||||
if provider == kms.SecretStatusVaultTransit {
|
||||
if secretStatus == kms.SecretStatusVaultTransit {
|
||||
os.Setenv("VAULT_SERVER_URL", "http://127.0.0.1:8200")
|
||||
os.Setenv("VAULT_SERVER_TOKEN", "s.9lYGq83MbgG5KR5kfebXVyhJ")
|
||||
kmsConfig.Secrets.URL = "hashivault://mykey"
|
||||
|
@ -1420,7 +1420,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
|
|||
err = secretClone.Decrypt()
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, testPayload, secretClone.GetPayload())
|
||||
if provider == kms.SecretStatusVaultTransit {
|
||||
if secretStatus == kms.SecretStatusVaultTransit {
|
||||
// decrypt the local secret now that the provider is vault
|
||||
secretLocal := kms.NewEmptySecret()
|
||||
err = json.Unmarshal(localAsJSON, secretLocal)
|
||||
|
@ -1448,7 +1448,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
|
|||
MasterKeyPath: masterKeyPath,
|
||||
},
|
||||
}
|
||||
if provider == kms.SecretStatusVaultTransit {
|
||||
if secretStatus == kms.SecretStatusVaultTransit {
|
||||
config.Secrets.URL = "hashivault://mykey"
|
||||
}
|
||||
err = config.Initialize()
|
||||
|
@ -1468,7 +1468,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
|
|||
err = secret.Decrypt()
|
||||
assert.NoError(t, err)
|
||||
assert.Equal(t, testPayload, secret.GetPayload())
|
||||
if provider == kms.SecretStatusVaultTransit {
|
||||
if secretStatus == kms.SecretStatusVaultTransit {
|
||||
// decrypt the local secret encryped without a master key now that
|
||||
// the provider is vault and a master key is set.
|
||||
// The provider will not change, the master key will be used
|
||||
|
@ -1491,7 +1491,7 @@ func TestSecretObjectCompatibility(t *testing.T) {
|
|||
assert.NoError(t, err)
|
||||
err = os.Remove(masterKeyPath)
|
||||
assert.NoError(t, err)
|
||||
if provider == kms.SecretStatusVaultTransit {
|
||||
if secretStatus == kms.SecretStatusVaultTransit {
|
||||
os.Unsetenv("VAULT_SERVER_URL")
|
||||
os.Unsetenv("VAULT_SERVER_TOKEN")
|
||||
}
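Review bot: Every `if secretStatus == kms.SecretStatusVaultTransit` branch in this test is now unreachable, because the slice driving the inner loop holds only `kms.SecretStatusSecretBox`, so the Vault setup, the hardcoded `VAULT_SERVER_TOKEN` literal and the `os.Unsetenv` cleanup are dead code. If Vault is deliberately left out because it needs a live server, say so next to the slice, e.g. `// SecretStatusVaultTransit is omitted: it needs a running Vault at VAULT_SERVER_URL`, or gate adding it on an environment variable so the branch is at least exercised locally. If the branch is kept, the token is better read from the environment than committed, even for a dev server. TestSecretObjectCompatibility starts before this hunk and continues outside it.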
|
||||
|
|
13
kms/aws.go
13
kms/aws.go
|
@ -1,13 +1,22 @@
|
|||
// +build !noawskms
|
||||
|
||||
package kms
|
||||
|
||||
const (
|
||||
awsProviderName = "AWS"
|
||||
import (
|
||||
// we import awskms here to be able to disable AWS KMS support using a build tag
|
||||
_ "gocloud.dev/secrets/awskms"
|
||||
|
||||
"github.com/drakkan/sftpgo/version"
|
||||
)
|
||||
|
||||
type awsSecret struct {
|
||||
baseGCloudSecret
|
||||
}
|
||||
|
||||
func init() {
|
||||
version.AddFeature("+awskms")
|
||||
}
|
||||
|
||||
func newAWSSecret(base baseSecret, url, masterKey string) SecretProvider {
|
||||
return &awsSecret{
|
||||
baseGCloudSecret{
|
||||
|
|
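--- a/kms/aws_disabled.go
+++ b/kms/aws_disabled.go
@@ -0,0 +1,17 @@
+// +build noawskms
+
+package kms
+
+import (
+	"errors"
+
+	"github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+	version.AddFeature("-awskms")
+}
+
+func newAWSSecret(base baseSecret, url, masterKey string) SecretProvider {
+	return newDisabledSecret(errors.New("AWS KMS disabled at build time"))
+}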
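Review bot: The error in newAWSSecret is built on every call and its text starts with a capital letter, against the Go convention (staticcheck ST1005) of lowercase error strings, and it does not tell the operator which build tag caused it. A package-level sentinel in this file fixes both and lets in-package code match it with `errors.Is`: `var errAWSKMSDisabled = errors.New("aws kms support disabled at build time (noawskms build tag)")` and `return newDisabledSecret(errAWSKMSDisabled)`. The `base`, `url` and `masterKey` parameters are unused in this stub; naming them `_` would make that explicit to readers comparing it with aws.go.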
|
|
@ -6,12 +6,6 @@ import (
|
|||
"time"
|
||||
|
||||
"gocloud.dev/secrets"
|
||||
// import awskms package
|
||||
_ "gocloud.dev/secrets/awskms"
|
||||
// import gcpkms package
|
||||
_ "gocloud.dev/secrets/gcpkms"
|
||||
// import hashivault package
|
||||
_ "gocloud.dev/secrets/hashivault"
|
||||
)
|
||||
|
||||
type baseGCloudSecret struct {
|
||||
|
|
|
@ -10,10 +10,6 @@ import (
|
|||
"github.com/minio/sha256-simd"
|
||||
)
|
||||
|
||||
const (
|
||||
builtinProviderName = "Builtin"
|
||||
)
|
||||
|
||||
type builtinSecret struct {
|
||||
baseSecret
|
||||
}
|
||||
|
|
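--- a/kms/disabled.go
+++ b/kms/disabled.go
@@ -0,0 +1,29 @@
+package kms
+
+type disabledSecret struct {
+	baseSecret
+	err error
+}
+
+func newDisabledSecret(err error) SecretProvider {
+	return &disabledSecret{
+		baseSecret: baseSecret{},
+		err:        err,
+	}
+}
+
+func (s *disabledSecret) Name() string {
+	return disabledProviderName
+}
+
+func (s *disabledSecret) IsEncrypted() bool {
+	return false
+}
+
+func (s *disabledSecret) Encrypt() error {
+	return s.err
+}
+
+func (s *disabledSecret) Decrypt() error {
+	return s.err
+}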
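Review bot: newDisabledSecret drops the secret it stands in for: the `*_disabled.go` stubs pass only the error, and the constructor fills in `baseSecret: baseSecret{}`, so a stored record whose status names a provider compiled out (for example AWS KMS in a `noawskms` build) comes back with an empty payload and `IsEncrypted()` returning false. If a caller re-persists the object or treats a secret that reports itself as not encrypted as plaintext (callers are not visible here), the original ciphertext is silently replaced instead of being preserved behind the error. Consider carrying the original through, `func newDisabledSecret(base baseSecret, err error) SecretProvider { return &disabledSecret{baseSecret: base, err: err} }`, with the three stubs passing their `base`, and reconsidering whether `IsEncrypted()` should be a constant false for a value that may well hold ciphertext. A doc comment on the type would also help: `// disabledSecret stands in for a KMS provider excluded at build time; Encrypt and Decrypt always fail with the build-time error.`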
|
13
kms/gcp.go
13
kms/gcp.go
|
@ -1,13 +1,22 @@
|
|||
// +build !nogcpkms
|
||||
|
||||
package kms
|
||||
|
||||
const (
|
||||
gcpProviderName = "GCP"
|
||||
import (
|
||||
// we import gcpkms here to be able to disable GCP KMS support using a build tag
|
||||
_ "gocloud.dev/secrets/gcpkms"
|
||||
|
||||
"github.com/drakkan/sftpgo/version"
|
||||
)
|
||||
|
||||
type gcpSecret struct {
|
||||
baseGCloudSecret
|
||||
}
|
||||
|
||||
func init() {
|
||||
version.AddFeature("+gcpkms")
|
||||
}
|
||||
|
||||
func newGCPSecret(base baseSecret, url, masterKey string) SecretProvider {
|
||||
return &gcpSecret{
|
||||
baseGCloudSecret{
|
||||
|
|
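--- a/kms/gcp_disabled.go
+++ b/kms/gcp_disabled.go
@@ -0,0 +1,17 @@
+// +build nogcpkms
+
+package kms
+
+import (
+	"errors"
+
+	"github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+	version.AddFeature("-gcpkms")
+}
+
+func newGCPSecret(base baseSecret, url, masterKey string) SecretProvider {
+	return newDisabledSecret(errors.New("GCP KMS disabled at build time"))
+}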
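Review bot: The stub constructor has no comment tying it to its build-tag counterpart, so a reader landing on newGCPSecret in a `nogcpkms` build cannot tell from this file why it never touches its arguments. A one-line doc comment would settle that: `// newGCPSecret is the nogcpkms stand-in for the constructor in gcp.go; the returned provider fails Encrypt and Decrypt with the build-time error.` The same `// +build` line should gain the `//go:build nogcpkms` form if the module is ever moved to Go 1.17 or later, which gofmt does automatically.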
|
|
@ -50,6 +50,15 @@ const (
|
|||
SecretStatusRedacted SecretStatus = "Redacted"
|
||||
)
|
||||
|
||||
const (
|
||||
localProviderName = "Local"
|
||||
builtinProviderName = "Builtin"
|
||||
awsProviderName = "AWS"
|
||||
gcpProviderName = "GCP"
|
||||
vaultProviderName = "VaultTransit"
|
||||
disabledProviderName = "Disabled"
|
||||
)
|
||||
|
||||
// Configuration defines the KMS configuration
|
||||
type Configuration struct {
|
||||
Secrets Secrets `json:"secrets" mapstructure:"secrets"`
|
||||
|
|
|
@ -11,10 +11,6 @@ import (
|
|||
"golang.org/x/crypto/hkdf"
|
||||
)
|
||||
|
||||
const (
|
||||
localProviderName = "Local"
|
||||
)
|
||||
|
||||
type localSecret struct {
|
||||
baseSecret
|
||||
masterKey string
|
||||
|
|
13
kms/vault.go
13
kms/vault.go
|
@ -1,13 +1,22 @@
|
|||
// +build !novaultkms
|
||||
|
||||
package kms
|
||||
|
||||
const (
|
||||
vaultProviderName = "VaultTransit"
|
||||
import (
|
||||
// we import hashivault here to be able to disable Vault support using a build tag
|
||||
_ "gocloud.dev/secrets/hashivault"
|
||||
|
||||
"github.com/drakkan/sftpgo/version"
|
||||
)
|
||||
|
||||
type vaultSecret struct {
|
||||
baseGCloudSecret
|
||||
}
|
||||
|
||||
func init() {
|
||||
version.AddFeature("+vaultkms")
|
||||
}
|
||||
|
||||
func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
|
||||
return &vaultSecret{
|
||||
baseGCloudSecret{
|
||||
|
|
17
kms/vault_disabled.go
Normal file
17
kms/vault_disabled.go
Normal file
|
@ -0,0 +1,17 @@
|
|||
// +build novaultkms
|
||||
|
||||
package kms
|
||||
|
||||
import (
|
||||
"errors"
|
||||
|
||||
"github.com/drakkan/sftpgo/version"
|
||||
)
|
||||
|
||||
func init() {
|
||||
version.AddFeature("-vaultkms")
|
||||
}
|
||||
|
||||
func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
|
||||
return newDisabledSecret(errors.New("Vault KMS disabled at build time"))
|
||||
}
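Review bot: The error text "Vault KMS disabled at build time" does not match how the feature is named elsewhere in this commit, where the README calls it the "Vault transit secret engine", the provider constant is `vaultProviderName = "VaultTransit"` and the tag is `novaultkms`, so an operator reading the error has to guess which switch produced it. Naming the engine and the tag in the message makes it actionable: `return newDisabledSecret(errors.New("vault transit secret engine disabled at build time (novaultkms build tag)"))`. Lowercasing the string also follows the Go error-string convention the rest of the stdlib uses.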
|