Home Explore Help
Register Sign In
Apq
/
sftpgo
mirror of https://github.com/drakkan/sftpgo.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 338301955f
Branches Tags
sftpgo
/
kms
/
kms.go

kms.go 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451 
  1. // Package kms provides Key Management Services support
    2. 

  2. package kms
    3. 

  3. 

  4. import (
    5. 

  5. 	"encoding/json"
    6. 

  6. 	"errors"
    7. 

  7. 	"os"
    8. 

  8. 	"strings"
    9. 

  9. 	"sync"
    10. 

  10. 

  11. 	"github.com/drakkan/sftpgo/v2/logger"
    12. 

  12. 	"github.com/drakkan/sftpgo/v2/util"
    13. 

  13. )
    14. 

  14. 

  15. // SecretProvider defines the interface for a KMS secrets provider
    16. 

  16. type SecretProvider interface {
    17. 

  17. 	Name() string
    18. 

  18. 	Encrypt() error
    19. 

  19. 	Decrypt() error
    20. 

  20. 	IsEncrypted() bool
    21. 

  21. 	GetStatus() SecretStatus
    22. 

  22. 	GetPayload() string
    23. 

  23. 	GetKey() string
    24. 

  24. 	GetAdditionalData() string
    25. 

  25. 	GetMode() int
    26. 

  26. 	SetKey(string)
    27. 

  27. 	SetAdditionalData(string)
    28. 

  28. 	SetStatus(SecretStatus)
    29. 

  29. 	Clone() SecretProvider
    30. 

  30. }
    31. 

  31. 

  32. const (
    33. 

  33. 	logSender = "kms"
    34. 

  34. )
    35. 

  35. 

  36. // SecretStatus defines the statuses of a Secret object
    37. 

  37. type SecretStatus = string
    38. 

  38. 

  39. const (
    40. 

  40. 	// SecretStatusPlain means the secret is in plain text and must be encrypted
    41. 

  41. 	SecretStatusPlain SecretStatus = "Plain"
    42. 

  42. 	// SecretStatusAES256GCM means the secret is encrypted using AES-256-GCM
    43. 

  43. 	SecretStatusAES256GCM SecretStatus = "AES-256-GCM"
    44. 

  44. 	// SecretStatusSecretBox means the secret is encrypted using a locally provided symmetric key
    45. 

  45. 	SecretStatusSecretBox SecretStatus = "Secretbox"
    46. 

  46. 	// SecretStatusGCP means we use keys from Google Cloud Platform’s Key Management Service
    47. 

  47. 	// (GCP KMS) to keep information secret
    48. 

  48. 	SecretStatusGCP SecretStatus = "GCP"
    49. 

  49. 	// SecretStatusAWS means we use customer master keys from Amazon Web Service’s
    50. 

  50. 	// Key Management Service (AWS KMS) to keep information secret
    51. 

  51. 	SecretStatusAWS SecretStatus = "AWS"
    52. 

  52. 	// SecretStatusVaultTransit means we use the transit secrets engine in Vault
    53. 

  53. 	// to keep information secret
    54. 

  54. 	SecretStatusVaultTransit SecretStatus = "VaultTransit"
    55. 

  55. 	// SecretStatusAzureKeyVault means we use Azure KeyVault to keep information secret
    56. 

  56. 	SecretStatusAzureKeyVault SecretStatus = "AzureKeyVault"
    57. 

  57. 	// SecretStatusRedacted means the secret is redacted
    58. 

  58. 	SecretStatusRedacted SecretStatus = "Redacted"
    59. 

  59. )
    60. 

  60. 

  61. // Scheme defines the supported URL scheme
    62. 

  62. type Scheme = string
    63. 

  63. 

  64. // supported URL schemes
    65. 

  65. const (
    66. 

  66. 	SchemeLocal         Scheme = "local"
    67. 

  67. 	SchemeBuiltin       Scheme = "builtin"
    68. 

  68. 	SchemeAWS           Scheme = "awskms"
    69. 

  69. 	SchemeGCP           Scheme = "gcpkms"
    70. 

  70. 	SchemeVaultTransit  Scheme = "hashivault"
    71. 

  71. 	SchemeAzureKeyVault Scheme = "azurekeyvault"
    72. 

  72. )
    73. 

  73. 

  74. // Configuration defines the KMS configuration
    75. 

  75. type Configuration struct {
    76. 

  76. 	Secrets Secrets `json:"secrets" mapstructure:"secrets"`
    77. 

  77. }
    78. 

  78. 

  79. // Secrets define the KMS configuration for encryption/decryption
    80. 

  80. type Secrets struct {
    81. 

  81. 	URL           string `json:"url" mapstructure:"url"`
    82. 

  82. 	MasterKeyPath string `json:"master_key_path" mapstructure:"master_key_path"`
    83. 

  83. 	masterKey     string
    84. 

  84. }
    85. 

  85. 

  86. type registeredSecretProvider struct {
    87. 

  87. 	encryptedStatus SecretStatus
    88. 

  88. 	newFn           func(base BaseSecret, url, masterKey string) SecretProvider
    89. 

  89. }
    90. 

  90. 

  91. var (
    92. 

  92. 	// ErrWrongSecretStatus defines the error to return if the secret status is not appropriate
    93. 

  93. 	// for the request operation
    94. 

  94. 	ErrWrongSecretStatus = errors.New("wrong secret status")
    95. 

  95. 	// ErrInvalidSecret defines the error to return if a secret is not valid
    96. 

  96. 	ErrInvalidSecret       = errors.New("invalid secret")
    97. 

  97. 	errMalformedCiphertext = errors.New("malformed ciphertext")
    98. 

  98. 	validSecretStatuses    = []string{SecretStatusPlain, SecretStatusAES256GCM, SecretStatusSecretBox,
    99. 

  99. 		SecretStatusVaultTransit, SecretStatusAWS, SecretStatusGCP, SecretStatusRedacted}
    100. 

  100. 	config          Configuration
    101. 

  101. 	secretProviders = make(map[string]registeredSecretProvider)
    102. 

  102. )
    103. 

  103. 

  104. // RegisterSecretProvider register a new secret provider
    105. 

  105. func RegisterSecretProvider(scheme string, encryptedStatus SecretStatus, fn func(base BaseSecret, url, masterKey string) SecretProvider) {
    106. 

  106. 	secretProviders[scheme] = registeredSecretProvider{
    107. 

  107. 		encryptedStatus: encryptedStatus,
    108. 

  108. 		newFn:           fn,
    109. 

  109. 	}
    110. 

  110. }
    111. 

  111. 

  112. // NewSecret builds a new Secret using the provided arguments
    113. 

  113. func NewSecret(status SecretStatus, payload, key, data string) *Secret {
    114. 

  114. 	return config.newSecret(status, payload, key, data)
    115. 

  115. }
    116. 

  116. 

  117. // NewEmptySecret returns an empty secret
    118. 

  118. func NewEmptySecret() *Secret {
    119. 

  119. 	return NewSecret("", "", "", "")
    120. 

  120. }
    121. 

  121. 

  122. // NewPlainSecret stores the give payload in a plain text secret
    123. 

  123. func NewPlainSecret(payload string) *Secret {
    124. 

  124. 	return NewSecret(SecretStatusPlain, payload, "", "")
    125. 

  125. }
    126. 

  126. 

  127. // GetSecretFromCompatString returns a secret from the previous format
    128. 

  128. func GetSecretFromCompatString(secret string) (*Secret, error) {
    129. 

  129. 	plain, err := util.DecryptData(secret)
    130. 

  130. 	if err != nil {
    131. 

  131. 		return &Secret{}, errMalformedCiphertext
    132. 

  132. 	}
    133. 

  133. 	return NewSecret(SecretStatusPlain, plain, "", ""), nil
    134. 

  134. }
    135. 

  135. 

  136. // Initialize configures the KMS support
    137. 

  137. func (c *Configuration) Initialize() error {
    138. 

  138. 	if c.Secrets.MasterKeyPath != "" {
    139. 

  139. 		mKey, err := os.ReadFile(c.Secrets.MasterKeyPath)
    140. 

  140. 		if err != nil {
    141. 

  141. 			return err
    142. 

  142. 		}
    143. 

  143. 		c.Secrets.masterKey = strings.TrimSpace(string(mKey))
    144. 

  144. 	}
    145. 

  145. 	config = *c
    146. 

  146. 	if config.Secrets.URL == "" {
    147. 

  147. 		config.Secrets.URL = SchemeLocal + "://"
    148. 

  148. 	}
    149. 

  149. 	for k, v := range secretProviders {
    150. 

  150. 		logger.Debug(logSender, "", "secret provider registered for scheme: %#v, encrypted status: %#v",
    151. 

  151. 			k, v.encryptedStatus)
    152. 

  152. 	}
    153. 

  153. 	return nil
    154. 

  154. }
    155. 

  155. 

  156. func (c *Configuration) newSecret(status SecretStatus, payload, key, data string) *Secret {
    157. 

  157. 	base := BaseSecret{
    158. 

  158. 		Status:         status,
    159. 

  159. 		Key:            key,
    160. 

  160. 		Payload:        payload,
    161. 

  161. 		AdditionalData: data,
    162. 

  162. 	}
    163. 

  163. 	return &Secret{
    164. 

  164. 		provider: c.getSecretProvider(base),
    165. 

  165. 	}
    166. 

  166. }
    167. 

  167. 

  168. func (c *Configuration) getSecretProvider(base BaseSecret) SecretProvider {
    169. 

  169. 	for k, v := range secretProviders {
    170. 

  170. 		if strings.HasPrefix(c.Secrets.URL, k) {
    171. 

  171. 			return v.newFn(base, c.Secrets.URL, c.Secrets.masterKey)
    172. 

  172. 		}
    173. 

  173. 	}
    174. 

  174. 	logger.Warn(logSender, "", "no secret provider registered for URL %v, fallback to local provider", c.Secrets.URL)
    175. 

  175. 	return NewLocalSecret(base, c.Secrets.URL, c.Secrets.masterKey)
    176. 

  176. }
    177. 

  177. 

  178. // Secret defines the struct used to store confidential data
    179. 

  179. type Secret struct {
    180. 

  180. 	sync.RWMutex
    181. 

  181. 	provider SecretProvider
    182. 

  182. }
    183. 

  183. 

  184. // MarshalJSON return the JSON encoding of the Secret object
    185. 

  185. func (s *Secret) MarshalJSON() ([]byte, error) {
    186. 

  186. 	s.RLock()
    187. 

  187. 	defer s.RUnlock()
    188. 

  188. 

  189. 	return json.Marshal(&BaseSecret{
    190. 

  190. 		Status:         s.provider.GetStatus(),
    191. 

  191. 		Payload:        s.provider.GetPayload(),
    192. 

  192. 		Key:            s.provider.GetKey(),
    193. 

  193. 		AdditionalData: s.provider.GetAdditionalData(),
    194. 

  194. 		Mode:           s.provider.GetMode(),
    195. 

  195. 	})
    196. 

  196. }
    197. 

  197. 

  198. // UnmarshalJSON parses the JSON-encoded data and stores the result
    199. 

  199. // in the Secret object
    200. 

  200. func (s *Secret) UnmarshalJSON(data []byte) error {
    201. 

  201. 	s.Lock()
    202. 

  202. 	defer s.Unlock()
    203. 

  203. 

  204. 	baseSecret := BaseSecret{}
    205. 

  205. 	err := json.Unmarshal(data, &baseSecret)
    206. 

  206. 	if err != nil {
    207. 

  207. 		return err
    208. 

  208. 	}
    209. 

  209. 	if baseSecret.isEmpty() {
    210. 

  210. 		s.provider = config.getSecretProvider(baseSecret)
    211. 

  211. 		return nil
    212. 

  212. 	}
    213. 

  213. 

  214. 	if baseSecret.Status == SecretStatusPlain || baseSecret.Status == SecretStatusRedacted {
    215. 

  215. 		s.provider = config.getSecretProvider(baseSecret)
    216. 

  216. 		return nil
    217. 

  217. 	}
    218. 

  218. 

  219. 	for _, v := range secretProviders {
    220. 

  220. 		if v.encryptedStatus == baseSecret.Status {
    221. 

  221. 			s.provider = v.newFn(baseSecret, config.Secrets.URL, config.Secrets.masterKey)
    222. 

  222. 			return nil
    223. 

  223. 		}
    224. 

  224. 	}
    225. 

  225. 	logger.Debug(logSender, "", "no provider registered for status %#v", baseSecret.Status)
    226. 

  226. 

  227. 	return ErrInvalidSecret
    228. 

  228. }
    229. 

  229. 

  230. // IsEqual returns true if all the secrets fields are equal
    231. 

  231. func (s *Secret) IsEqual(other *Secret) bool {
    232. 

  232. 	if s.GetStatus() != other.GetStatus() {
    233. 

  233. 		return false
    234. 

  234. 	}
    235. 

  235. 	if s.GetPayload() != other.GetPayload() {
    236. 

  236. 		return false
    237. 

  237. 	}
    238. 

  238. 	if s.GetKey() != other.GetKey() {
    239. 

  239. 		return false
    240. 

  240. 	}
    241. 

  241. 	if s.GetAdditionalData() != other.GetAdditionalData() {
    242. 

  242. 		return false
    243. 

  243. 	}
    244. 

  244. 	if s.GetMode() != other.GetMode() {
    245. 

  245. 		return false
    246. 

  246. 	}
    247. 

  247. 	return true
    248. 

  248. }
    249. 

  249. 

  250. // Clone returns a copy of the secret object
    251. 

  251. func (s *Secret) Clone() *Secret {
    252. 

  252. 	s.RLock()
    253. 

  253. 	defer s.RUnlock()
    254. 

  254. 

  255. 	return &Secret{
    256. 

  256. 		provider: s.provider.Clone(),
    257. 

  257. 	}
    258. 

  258. }
    259. 

  259. 

  260. // IsEncrypted returns true if the secret is encrypted
    261. 

  261. // This isn't a pointer receiver because we don't want to pass
    262. 

  262. // a pointer to html template
    263. 

  263. func (s *Secret) IsEncrypted() bool {
    264. 

  264. 	s.RLock()
    265. 

  265. 	defer s.RUnlock()
    266. 

  266. 

  267. 	return s.provider.IsEncrypted()
    268. 

  268. }
    269. 

  269. 

  270. // IsPlain returns true if the secret is in plain text
    271. 

  271. func (s *Secret) IsPlain() bool {
    272. 

  272. 	s.RLock()
    273. 

  273. 	defer s.RUnlock()
    274. 

  274. 

  275. 	return s.provider.GetStatus() == SecretStatusPlain
    276. 

  276. }
    277. 

  277. 

  278. // IsNotPlainAndNotEmpty returns true if the secret is not plain and not empty.
    279. 

  279. // This is an utility method, we update the secret for an existing user
    280. 

  280. // if it is empty or plain
    281. 

  281. func (s *Secret) IsNotPlainAndNotEmpty() bool {
    282. 

  282. 	s.RLock()
    283. 

  283. 	defer s.RUnlock()
    284. 

  284. 

  285. 	return !s.IsPlain() && !s.IsEmpty()
    286. 

  286. }
    287. 

  287. 

  288. // IsRedacted returns true if the secret is redacted
    289. 

  289. func (s *Secret) IsRedacted() bool {
    290. 

  290. 	s.RLock()
    291. 

  291. 	defer s.RUnlock()
    292. 

  292. 

  293. 	return s.provider.GetStatus() == SecretStatusRedacted
    294. 

  294. }
    295. 

  295. 

  296. // GetPayload returns the secret payload
    297. 

  297. func (s *Secret) GetPayload() string {
    298. 

  298. 	s.RLock()
    299. 

  299. 	defer s.RUnlock()
    300. 

  300. 

  301. 	return s.provider.GetPayload()
    302. 

  302. }
    303. 

  303. 

  304. // GetAdditionalData returns the secret additional data
    305. 

  305. func (s *Secret) GetAdditionalData() string {
    306. 

  306. 	s.RLock()
    307. 

  307. 	defer s.RUnlock()
    308. 

  308. 

  309. 	return s.provider.GetAdditionalData()
    310. 

  310. }
    311. 

  311. 

  312. // GetStatus returns the secret status
    313. 

  313. func (s *Secret) GetStatus() SecretStatus {
    314. 

  314. 	s.RLock()
    315. 

  315. 	defer s.RUnlock()
    316. 

  316. 

  317. 	return s.provider.GetStatus()
    318. 

  318. }
    319. 

  319. 

  320. // GetKey returns the secret key
    321. 

  321. func (s *Secret) GetKey() string {
    322. 

  322. 	s.RLock()
    323. 

  323. 	defer s.RUnlock()
    324. 

  324. 

  325. 	return s.provider.GetKey()
    326. 

  326. }
    327. 

  327. 

  328. // GetMode returns the secret mode
    329. 

  329. func (s *Secret) GetMode() int {
    330. 

  330. 	s.RLock()
    331. 

  331. 	defer s.RUnlock()
    332. 

  332. 

  333. 	return s.provider.GetMode()
    334. 

  334. }
    335. 

  335. 

  336. // SetAdditionalData sets the given additional data
    337. 

  337. func (s *Secret) SetAdditionalData(value string) {
    338. 

  338. 	s.Lock()
    339. 

  339. 	defer s.Unlock()
    340. 

  340. 

  341. 	s.provider.SetAdditionalData(value)
    342. 

  342. }
    343. 

  343. 

  344. // SetStatus sets the status for this secret
    345. 

  345. func (s *Secret) SetStatus(value SecretStatus) {
    346. 

  346. 	s.Lock()
    347. 

  347. 	defer s.Unlock()
    348. 

  348. 

  349. 	s.provider.SetStatus(value)
    350. 

  350. }
    351. 

  351. 

  352. // SetKey sets the key for this secret
    353. 

  353. func (s *Secret) SetKey(value string) {
    354. 

  354. 	s.Lock()
    355. 

  355. 	defer s.Unlock()
    356. 

  356. 

  357. 	s.provider.SetKey(value)
    358. 

  358. }
    359. 

  359. 

  360. // IsEmpty returns true if all fields are empty
    361. 

  361. func (s *Secret) IsEmpty() bool {
    362. 

  362. 	s.RLock()
    363. 

  363. 	defer s.RUnlock()
    364. 

  364. 

  365. 	if s.provider.GetStatus() != "" {
    366. 

  366. 		return false
    367. 

  367. 	}
    368. 

  368. 	if s.provider.GetPayload() != "" {
    369. 

  369. 		return false
    370. 

  370. 	}
    371. 

  371. 	if s.provider.GetKey() != "" {
    372. 

  372. 		return false
    373. 

  373. 	}
    374. 

  374. 	if s.provider.GetAdditionalData() != "" {
    375. 

  375. 		return false
    376. 

  376. 	}
    377. 

  377. 	return true
    378. 

  378. }
    379. 

  379. 

  380. // IsValid returns true if the secret is not empty and valid
    381. 

  381. func (s *Secret) IsValid() bool {
    382. 

  382. 	s.RLock()
    383. 

  383. 	defer s.RUnlock()
    384. 

  384. 

  385. 	if !s.IsValidInput() {
    386. 

  386. 		return false
    387. 

  387. 	}
    388. 

  388. 	switch s.provider.GetStatus() {
    389. 

  389. 	case SecretStatusAES256GCM, SecretStatusSecretBox:
    390. 

  390. 		if len(s.provider.GetKey()) != 64 {
    391. 

  391. 			return false
    392. 

  392. 		}
    393. 

  393. 	case SecretStatusAWS, SecretStatusGCP, SecretStatusVaultTransit:
    394. 

  394. 		key := s.provider.GetKey()
    395. 

  395. 		if key != "" && len(key) != 64 {
    396. 

  396. 			return false
    397. 

  397. 		}
    398. 

  398. 	}
    399. 

  399. 	return true
    400. 

  400. }
    401. 

  401. 

  402. // IsValidInput returns true if the secret is a valid user input
    403. 

  403. func (s *Secret) IsValidInput() bool {
    404. 

  404. 	s.RLock()
    405. 

  405. 	defer s.RUnlock()
    406. 

  406. 

  407. 	if !util.IsStringInSlice(s.provider.GetStatus(), validSecretStatuses) {
    408. 

  408. 		return false
    409. 

  409. 	}
    410. 

  410. 	if s.provider.GetPayload() == "" {
    411. 

  411. 		return false
    412. 

  412. 	}
    413. 

  413. 	return true
    414. 

  414. }
    415. 

  415. 

  416. // Hide hides info to decrypt data
    417. 

  417. func (s *Secret) Hide() {
    418. 

  418. 	s.Lock()
    419. 

  419. 	defer s.Unlock()
    420. 

  420. 

  421. 	s.provider.SetKey("")
    422. 

  422. 	s.provider.SetAdditionalData("")
    423. 

  423. }
    424. 

  424. 

  425. // Encrypt encrypts a plain text Secret object
    426. 

  426. func (s *Secret) Encrypt() error {
    427. 

  427. 	s.Lock()
    428. 

  428. 	defer s.Unlock()
    429. 

  429. 

  430. 	return s.provider.Encrypt()
    431. 

  431. }
    432. 

  432. 

  433. // Decrypt decrypts a Secret object
    434. 

  434. func (s *Secret) Decrypt() error {
    435. 

  435. 	s.Lock()
    436. 

  436. 	defer s.Unlock()
    437. 

  437. 

  438. 	return s.provider.Decrypt()
    439. 

  439. }
    440. 

  440. 

  441. // TryDecrypt decrypts a Secret object if encrypted.
    442. 

  442. // It returns a nil error if the object is not encrypted
    443. 

  443. func (s *Secret) TryDecrypt() error {
    444. 

  444. 	s.Lock()
    445. 

  445. 	defer s.Unlock()
    446. 

  446. 

  447. 	if s.provider.IsEncrypted() {
    448. 

  448. 		return s.provider.Decrypt()
    449. 

  449. 	}
    450. 

  450. 	return nil
    451. 

  451. }
    452.