plugins: fix hash check

Signed-off-by: Nicola Murino <[email protected]>

go.mod

@@ -4,7 +4,7 @@ go 1.19
 
 require (
 	cloud.google.com/go/storage v1.27.0
-	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4
+	github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0
 	github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v0.5.1
 	github.com/GehirnInc/crypt v0.0.0-20200316065508-bb7000b8a962
 	github.com/alexedwards/argon2id v0.0.0-20211130144151-3585854a6387
@@ -155,7 +155,7 @@ require (
 	github.com/tklauser/numcpus v0.5.0 // indirect
 	github.com/toorop/go-dkim v0.0.0-20201103131630-e1cd1a0a5208 // indirect
 	github.com/yusufpapurcu/wmi v1.2.2 // indirect
-	go.opencensus.io v0.23.0 // indirect
+	go.opencensus.io v0.24.0 // indirect
 	golang.org/x/mod v0.6.0 // indirect
 	golang.org/x/text v0.4.0 // indirect
 	golang.org/x/tools v0.2.0 // indirect

go.sum

@@ -101,8 +101,8 @@ github.com/Azure/azure-sdk-for-go v66.0.0+incompatible/go.mod h1:9XXNKU+eRnpl9mo
 github.com/Azure/azure-sdk-for-go/sdk/azcore v0.19.0/go.mod h1:h6H6c8enJmmocHUbLiiGY6sx7f9i+X3m1CHdd5c6Rdw=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.0.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
 github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.1/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4 h1:pqrAR74b6EoR4kcxF7L7Wg2B8Jgil9UUZtMvxhEFqWo=
-github.com/Azure/azure-sdk-for-go/sdk/azcore v1.1.4/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0 h1:sVW/AFBTGyJxDaMYlq0ct3jUXTtj12tQ6zE2GZUgVQw=
+github.com/Azure/azure-sdk-for-go/sdk/azcore v1.2.0/go.mod h1:uGG2W01BaETf0Ozp+QxxKJdMBNRWPdstHG0Fmdwn1/U=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v0.11.0/go.mod h1:HcM1YX14R7CJcghJGOYCgdezslRSVzqwLf/q+4Y2r/0=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.0.0/go.mod h1:+6sju8gk8FRmSajX3Oz4G5Gm7P+mbqE9FVaXXFYTkCM=
 github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.1.0 h1:QkAcEIAKbNL4KoFr4SathZPhDhF4mVwpBMFlYjyAqy8=
@@ -1635,8 +1635,9 @@ go.opencensus.io v0.22.2/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.3/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.4/go.mod h1:yxeiOL68Rb0Xd1ddK5vPZ/oVn4vY4Ynel7k9FzqtOIw=
 go.opencensus.io v0.22.5/go.mod h1:5pWMHQbX5EPX2/62yrJeAkowc+lfs/XD7Uxpq3pI6kk=
-go.opencensus.io v0.23.0 h1:gqCw0LfLxScz8irSi8exQc7fyQ0fKQU/qnC/X8+V/1M=
 go.opencensus.io v0.23.0/go.mod h1:XItmlyltB5F7CS4xOC1DcqMoFqwtC6OG2xF7mCv7P7E=
+go.opencensus.io v0.24.0 h1:y73uSU6J157QMP2kn2r30vwW1A2W2WFwSCGnAVxeaD0=
+go.opencensus.io v0.24.0/go.mod h1:vNK8G9p7aAivkbmorf4v+7Hgx+Zs0yY+0fOtgBfjQKo=
 go.opentelemetry.io/contrib v0.20.0/go.mod h1:G/EtFaa6qaN7+LxqfIAT3GiZa7Wv5DTBUzl5H4LY0Kc=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.20.0/go.mod h1:oVGt1LRbBOBq1A5BQLlUg9UaU/54aiHw8cgjV3aWZ/E=
 go.opentelemetry.io/contrib/instrumentation/google.golang.org/grpc/otelgrpc v0.28.0/go.mod h1:vEhqr0m4eTc+DWxfsXoXue2GBgV2uUwVznkGIHW/e5w=

internal/plugin/auth.go

@@ -15,7 +15,6 @@
 package plugin
 
 import (
-	"crypto/sha256"
 	"errors"
 	"fmt"
 	"os/exec"
@@ -113,10 +112,9 @@ func (p *authPlugin) initialize() error {
 		return fmt.Errorf("invalid options for auth plugin %#v: %v", p.config.Cmd, err)
 	}
 
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: auth.Handshake,

internal/plugin/ipfilter.go

@@ -15,7 +15,6 @@
 package plugin
 
 import (
-	"crypto/sha256"
 	"fmt"
 	"os/exec"
 
@@ -54,10 +53,9 @@ func (p *ipFilterPlugin) cleanup() {
 func (p *ipFilterPlugin) initialize() error {
 	logger.Debug(logSender, "", "create new IP filter plugin %#v", p.config.Cmd)
 	killProcess(p.config.Cmd)
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: ipfilter.Handshake,

internal/plugin/kms.go

@@ -15,7 +15,6 @@
 package plugin
 
 import (
-	"crypto/sha256"
 	"fmt"
 	"os/exec"
 	"path/filepath"
@@ -75,10 +74,9 @@ func (p *kmsPlugin) initialize() error {
 	if err := p.config.KMSOptions.validate(); err != nil {
 		return fmt.Errorf("invalid options for kms plugin %#v: %v", p.config.Cmd, err)
 	}
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: kmsplugin.Handshake,

internal/plugin/metadata.go

@@ -15,7 +15,6 @@
 package plugin
 
 import (
-	"crypto/sha256"
 	"fmt"
 	"os/exec"
 
@@ -54,10 +53,9 @@ func (p *metadataPlugin) cleanup() {
 func (p *metadataPlugin) initialize() error {
 	killProcess(p.config.Cmd)
 	logger.Debug(logSender, "", "create new metadata plugin %#v", p.config.Cmd)
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: metadata.Handshake,

internal/plugin/notifier.go

@@ -15,7 +15,6 @@
 package plugin
 
 import (
-	"crypto/sha256"
 	"fmt"
 	"os/exec"
 	"sync"
@@ -138,10 +137,9 @@ func (p *notifierPlugin) initialize() error {
 	if !p.config.NotifierOptions.hasActions() {
 		return fmt.Errorf("no actions defined for the notifier plugin %#v", p.config.Cmd)
 	}
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: notifier.Handshake,

internal/plugin/plugin.go

@@ -16,7 +16,9 @@
 package plugin
 
 import (
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"sync"
@@ -24,6 +26,7 @@ import (
 	"time"
 
 	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-plugin"
 	"github.com/sftpgo/sdk/plugin/auth"
 	"github.com/sftpgo/sdk/plugin/eventsearcher"
 	"github.com/sftpgo/sdk/plugin/ipfilter"
@@ -82,6 +85,20 @@ type Config struct {
 	kmsID int
 }
 
+func (c *Config) getSecureConfig() (*plugin.SecureConfig, error) {
+	if c.SHA256Sum != "" {
+		checksum, err := hex.DecodeString(c.SHA256Sum)
+		if err != nil {
+			return nil, fmt.Errorf("invalid sha256 hash %q: %w", c.SHA256Sum, err)
+		}
+		return &plugin.SecureConfig{
+			Checksum: checksum,
+			Hash:     sha256.New(),
+		}, nil
+	}
+	return nil, nil
+}
+
 func (c *Config) newKMSPluginSecretProvider(base kms.BaseSecret, url, masterKey string) kms.SecretProvider {
 	return &kmsPluginSecretProvider{
 		BaseSecret: base,
@@ -774,16 +791,17 @@ func setLogLevel(logLevel string) {
 
 func startCheckTicker() {
 	logger.Debug(logSender, "", "start plugins checker")
-	checker := time.NewTicker(30 * time.Second)
 
 	go func() {
+		ticker := time.NewTicker(30 * time.Second)
+		defer ticker.Stop()
+
 		for {
 			select {
 			case <-Handler.done:
 				logger.Debug(logSender, "", "handler done, stop plugins checker")
-				checker.Stop()
 				return
-			case <-checker.C:
+			case <-ticker.C:
 				Handler.checkCrashedPlugins()
 			}
 		}

internal/plugin/searcher.go

@@ -15,7 +15,6 @@
 package plugin
 
 import (
-	"crypto/sha256"
 	"fmt"
 	"os/exec"
 
@@ -54,10 +53,9 @@ func (p *searcherPlugin) cleanup() {
 func (p *searcherPlugin) initialize() error {
 	killProcess(p.config.Cmd)
 	logger.Debug(logSender, "", "create new searcher plugin %#v", p.config.Cmd)
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: eventsearcher.Handshake,

internal/vfs/sftpfs.go

@@ -1016,17 +1016,18 @@ func (c *sftpConnection) getClient() (*sftp.Client, error) {
 }
 
 func (c *sftpConnection) Wait() {
-	waitEnd := make(chan struct{})
-	ticker := time.NewTicker(30 * time.Second)
+	done := make(chan struct{})
 
 	go func() {
 		var watchdogInProgress atomic.Bool
+		ticker := time.NewTicker(30 * time.Second)
+		defer ticker.Stop()
+
 		for {
 			select {
 			case <-ticker.C:
 				if watchdogInProgress.Load() {
 					logger.Error(c.logSender, "", "watchdog still in progress, closing hanging connection")
-					ticker.Stop()
 					c.sshClient.Close()
 					return
 				}
@@ -1039,9 +1040,8 @@ func (c *sftpConnection) Wait() {
 						logger.Error(c.logSender, "", "watchdog error: %v", err)
 					}
 				}()
-			case <-waitEnd:
+			case <-done:
 				logger.Debug(c.logSender, "", "quitting watchdog")
-				ticker.Stop()
 				return
 			}
 		}
@@ -1051,7 +1051,7 @@ func (c *sftpConnection) Wait() {
 	// we don't detect the event.
 	err := c.sftpClient.Wait()
 	logger.Log(logger.LevelDebug, c.logSender, "", "sftp channel closed: %v", err)
-	close(waitEnd)
+	close(done)
 
 	c.mu.Lock()
 	defer c.mu.Unlock()