Home Explore Help
Register Sign In
Apq
/
sftpgo
mirror of https://github.com/drakkan/sftpgo.git
1
0
Fork 0
Files Issues 0 Wiki
Tree: 776dffcf12
Branches Tags
sftpgo
/
kms
/
kms.go

kms.go 11 KB
History Raw

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447 
  1. // Package kms provides Key Management Services support
    2. 

  2. package kms
    3. 

  3. 

  4. import (
    5. 

  5. 	"encoding/json"
    6. 

  6. 	"errors"
    7. 

  7. 	"os"
    8. 

  8. 	"strings"
    9. 

  9. 	"sync"
    10. 

  10. 

  11. 	"github.com/drakkan/sftpgo/v2/logger"
    12. 

  12. 	"github.com/drakkan/sftpgo/v2/util"
    13. 

  13. )
    14. 

  14. 

  15. // SecretProvider defines the interface for a KMS secrets provider
    16. 

  16. type SecretProvider interface {
    17. 

  17. 	Name() string
    18. 

  18. 	Encrypt() error
    19. 

  19. 	Decrypt() error
    20. 

  20. 	IsEncrypted() bool
    21. 

  21. 	GetStatus() SecretStatus
    22. 

  22. 	GetPayload() string
    23. 

  23. 	GetKey() string
    24. 

  24. 	GetAdditionalData() string
    25. 

  25. 	GetMode() int
    26. 

  26. 	SetKey(string)
    27. 

  27. 	SetAdditionalData(string)
    28. 

  28. 	SetStatus(SecretStatus)
    29. 

  29. 	Clone() SecretProvider
    30. 

  30. }
    31. 

  31. 

  32. const (
    33. 

  33. 	logSender = "kms"
    34. 

  34. )
    35. 

  35. 

  36. // SecretStatus defines the statuses of a Secret object
    37. 

  37. type SecretStatus = string
    38. 

  38. 

  39. const (
    40. 

  40. 	// SecretStatusPlain means the secret is in plain text and must be encrypted
    41. 

  41. 	SecretStatusPlain SecretStatus = "Plain"
    42. 

  42. 	// SecretStatusAES256GCM means the secret is encrypted using AES-256-GCM
    43. 

  43. 	SecretStatusAES256GCM SecretStatus = "AES-256-GCM"
    44. 

  44. 	// SecretStatusSecretBox means the secret is encrypted using a locally provided symmetric key
    45. 

  45. 	SecretStatusSecretBox SecretStatus = "Secretbox"
    46. 

  46. 	// SecretStatusGCP means we use keys from Google Cloud Platform’s Key Management Service
    47. 

  47. 	// (GCP KMS) to keep information secret
    48. 

  48. 	SecretStatusGCP SecretStatus = "GCP"
    49. 

  49. 	// SecretStatusAWS means we use customer master keys from Amazon Web Service’s
    50. 

  50. 	// Key Management Service (AWS KMS) to keep information secret
    51. 

  51. 	SecretStatusAWS SecretStatus = "AWS"
    52. 

  52. 	// SecretStatusVaultTransit means we use the transit secrets engine in Vault
    53. 

  53. 	// to keep information secret
    54. 

  54. 	SecretStatusVaultTransit SecretStatus = "VaultTransit"
    55. 

  55. 	// SecretStatusRedacted means the secret is redacted
    56. 

  56. 	SecretStatusRedacted SecretStatus = "Redacted"
    57. 

  57. )
    58. 

  58. 

  59. // Scheme defines the supported URL scheme
    60. 

  60. type Scheme = string
    61. 

  61. 

  62. // supported URL schemes
    63. 

  63. const (
    64. 

  64. 	SchemeLocal        Scheme = "local://"
    65. 

  65. 	SchemeBuiltin      Scheme = "builtin://"
    66. 

  66. 	SchemeAWS          Scheme = "awskms://"
    67. 

  67. 	SchemeGCP          Scheme = "gcpkms://"
    68. 

  68. 	SchemeVaultTransit Scheme = "hashivault://"
    69. 

  69. )
    70. 

  70. 

  71. // Configuration defines the KMS configuration
    72. 

  72. type Configuration struct {
    73. 

  73. 	Secrets Secrets `json:"secrets" mapstructure:"secrets"`
    74. 

  74. }
    75. 

  75. 

  76. // Secrets define the KMS configuration for encryption/decryption
    77. 

  77. type Secrets struct {
    78. 

  78. 	URL           string `json:"url" mapstructure:"url"`
    79. 

  79. 	MasterKeyPath string `json:"master_key_path" mapstructure:"master_key_path"`
    80. 

  80. 	masterKey     string
    81. 

  81. }
    82. 

  82. 

  83. type registeredSecretProvider struct {
    84. 

  84. 	encryptedStatus SecretStatus
    85. 

  85. 	newFn           func(base BaseSecret, url, masterKey string) SecretProvider
    86. 

  86. }
    87. 

  87. 

  88. var (
    89. 

  89. 	// ErrWrongSecretStatus defines the error to return if the secret status is not appropriate
    90. 

  90. 	// for the request operation
    91. 

  91. 	ErrWrongSecretStatus = errors.New("wrong secret status")
    92. 

  92. 	// ErrInvalidSecret defines the error to return if a secret is not valid
    93. 

  93. 	ErrInvalidSecret       = errors.New("invalid secret")
    94. 

  94. 	errMalformedCiphertext = errors.New("malformed ciphertext")
    95. 

  95. 	validSecretStatuses    = []string{SecretStatusPlain, SecretStatusAES256GCM, SecretStatusSecretBox,
    96. 

  96. 		SecretStatusVaultTransit, SecretStatusAWS, SecretStatusGCP, SecretStatusRedacted}
    97. 

  97. 	config          Configuration
    98. 

  98. 	secretProviders = make(map[string]registeredSecretProvider)
    99. 

  99. )
    100. 

  100. 

  101. // RegisterSecretProvider register a new secret provider
    102. 

  102. func RegisterSecretProvider(scheme string, encryptedStatus SecretStatus, fn func(base BaseSecret, url, masterKey string) SecretProvider) {
    103. 

  103. 	secretProviders[scheme] = registeredSecretProvider{
    104. 

  104. 		encryptedStatus: encryptedStatus,
    105. 

  105. 		newFn:           fn,
    106. 

  106. 	}
    107. 

  107. }
    108. 

  108. 

  109. // NewSecret builds a new Secret using the provided arguments
    110. 

  110. func NewSecret(status SecretStatus, payload, key, data string) *Secret {
    111. 

  111. 	return config.newSecret(status, payload, key, data)
    112. 

  112. }
    113. 

  113. 

  114. // NewEmptySecret returns an empty secret
    115. 

  115. func NewEmptySecret() *Secret {
    116. 

  116. 	return NewSecret("", "", "", "")
    117. 

  117. }
    118. 

  118. 

  119. // NewPlainSecret stores the give payload in a plain text secret
    120. 

  120. func NewPlainSecret(payload string) *Secret {
    121. 

  121. 	return NewSecret(SecretStatusPlain, payload, "", "")
    122. 

  122. }
    123. 

  123. 

  124. // GetSecretFromCompatString returns a secret from the previous format
    125. 

  125. func GetSecretFromCompatString(secret string) (*Secret, error) {
    126. 

  126. 	plain, err := util.DecryptData(secret)
    127. 

  127. 	if err != nil {
    128. 

  128. 		return &Secret{}, errMalformedCiphertext
    129. 

  129. 	}
    130. 

  130. 	return NewSecret(SecretStatusPlain, plain, "", ""), nil
    131. 

  131. }
    132. 

  132. 

  133. // Initialize configures the KMS support
    134. 

  134. func (c *Configuration) Initialize() error {
    135. 

  135. 	if c.Secrets.MasterKeyPath != "" {
    136. 

  136. 		mKey, err := os.ReadFile(c.Secrets.MasterKeyPath)
    137. 

  137. 		if err != nil {
    138. 

  138. 			return err
    139. 

  139. 		}
    140. 

  140. 		c.Secrets.masterKey = strings.TrimSpace(string(mKey))
    141. 

  141. 	}
    142. 

  142. 	config = *c
    143. 

  143. 	if config.Secrets.URL == "" {
    144. 

  144. 		config.Secrets.URL = "local://"
    145. 

  145. 	}
    146. 

  146. 	for k, v := range secretProviders {
    147. 

  147. 		logger.Debug(logSender, "", "secret provider registered for scheme: %#v, encrypted status: %#v",
    148. 

  148. 			k, v.encryptedStatus)
    149. 

  149. 	}
    150. 

  150. 	return nil
    151. 

  151. }
    152. 

  152. 

  153. func (c *Configuration) newSecret(status SecretStatus, payload, key, data string) *Secret {
    154. 

  154. 	base := BaseSecret{
    155. 

  155. 		Status:         status,
    156. 

  156. 		Key:            key,
    157. 

  157. 		Payload:        payload,
    158. 

  158. 		AdditionalData: data,
    159. 

  159. 	}
    160. 

  160. 	return &Secret{
    161. 

  161. 		provider: c.getSecretProvider(base),
    162. 

  162. 	}
    163. 

  163. }
    164. 

  164. 

  165. func (c *Configuration) getSecretProvider(base BaseSecret) SecretProvider {
    166. 

  166. 	for k, v := range secretProviders {
    167. 

  167. 		if strings.HasPrefix(c.Secrets.URL, k) {
    168. 

  168. 			return v.newFn(base, c.Secrets.URL, c.Secrets.masterKey)
    169. 

  169. 		}
    170. 

  170. 	}
    171. 

  171. 	return NewLocalSecret(base, c.Secrets.URL, c.Secrets.masterKey)
    172. 

  172. }
    173. 

  173. 

  174. // Secret defines the struct used to store confidential data
    175. 

  175. type Secret struct {
    176. 

  176. 	sync.RWMutex
    177. 

  177. 	provider SecretProvider
    178. 

  178. }
    179. 

  179. 

  180. // MarshalJSON return the JSON encoding of the Secret object
    181. 

  181. func (s *Secret) MarshalJSON() ([]byte, error) {
    182. 

  182. 	s.RLock()
    183. 

  183. 	defer s.RUnlock()
    184. 

  184. 

  185. 	return json.Marshal(&BaseSecret{
    186. 

  186. 		Status:         s.provider.GetStatus(),
    187. 

  187. 		Payload:        s.provider.GetPayload(),
    188. 

  188. 		Key:            s.provider.GetKey(),
    189. 

  189. 		AdditionalData: s.provider.GetAdditionalData(),
    190. 

  190. 		Mode:           s.provider.GetMode(),
    191. 

  191. 	})
    192. 

  192. }
    193. 

  193. 

  194. // UnmarshalJSON parses the JSON-encoded data and stores the result
    195. 

  195. // in the Secret object
    196. 

  196. func (s *Secret) UnmarshalJSON(data []byte) error {
    197. 

  197. 	s.Lock()
    198. 

  198. 	defer s.Unlock()
    199. 

  199. 

  200. 	baseSecret := BaseSecret{}
    201. 

  201. 	err := json.Unmarshal(data, &baseSecret)
    202. 

  202. 	if err != nil {
    203. 

  203. 		return err
    204. 

  204. 	}
    205. 

  205. 	if baseSecret.isEmpty() {
    206. 

  206. 		s.provider = config.getSecretProvider(baseSecret)
    207. 

  207. 		return nil
    208. 

  208. 	}
    209. 

  209. 

  210. 	if baseSecret.Status == SecretStatusPlain || baseSecret.Status == SecretStatusRedacted {
    211. 

  211. 		s.provider = config.getSecretProvider(baseSecret)
    212. 

  212. 		return nil
    213. 

  213. 	}
    214. 

  214. 

  215. 	for _, v := range secretProviders {
    216. 

  216. 		if v.encryptedStatus == baseSecret.Status {
    217. 

  217. 			s.provider = v.newFn(baseSecret, config.Secrets.URL, config.Secrets.masterKey)
    218. 

  218. 			return nil
    219. 

  219. 		}
    220. 

  220. 	}
    221. 

  221. 	logger.Debug(logSender, "", "no provider registered for status %#v", baseSecret.Status)
    222. 

  222. 

  223. 	return ErrInvalidSecret
    224. 

  224. }
    225. 

  225. 

  226. // IsEqual returns true if all the secrets fields are equal
    227. 

  227. func (s *Secret) IsEqual(other *Secret) bool {
    228. 

  228. 	if s.GetStatus() != other.GetStatus() {
    229. 

  229. 		return false
    230. 

  230. 	}
    231. 

  231. 	if s.GetPayload() != other.GetPayload() {
    232. 

  232. 		return false
    233. 

  233. 	}
    234. 

  234. 	if s.GetKey() != other.GetKey() {
    235. 

  235. 		return false
    236. 

  236. 	}
    237. 

  237. 	if s.GetAdditionalData() != other.GetAdditionalData() {
    238. 

  238. 		return false
    239. 

  239. 	}
    240. 

  240. 	if s.GetMode() != other.GetMode() {
    241. 

  241. 		return false
    242. 

  242. 	}
    243. 

  243. 	return true
    244. 

  244. }
    245. 

  245. 

  246. // Clone returns a copy of the secret object
    247. 

  247. func (s *Secret) Clone() *Secret {
    248. 

  248. 	s.RLock()
    249. 

  249. 	defer s.RUnlock()
    250. 

  250. 

  251. 	return &Secret{
    252. 

  252. 		provider: s.provider.Clone(),
    253. 

  253. 	}
    254. 

  254. }
    255. 

  255. 

  256. // IsEncrypted returns true if the secret is encrypted
    257. 

  257. // This isn't a pointer receiver because we don't want to pass
    258. 

  258. // a pointer to html template
    259. 

  259. func (s *Secret) IsEncrypted() bool {
    260. 

  260. 	s.RLock()
    261. 

  261. 	defer s.RUnlock()
    262. 

  262. 

  263. 	return s.provider.IsEncrypted()
    264. 

  264. }
    265. 

  265. 

  266. // IsPlain returns true if the secret is in plain text
    267. 

  267. func (s *Secret) IsPlain() bool {
    268. 

  268. 	s.RLock()
    269. 

  269. 	defer s.RUnlock()
    270. 

  270. 

  271. 	return s.provider.GetStatus() == SecretStatusPlain
    272. 

  272. }
    273. 

  273. 

  274. // IsNotPlainAndNotEmpty returns true if the secret is not plain and not empty.
    275. 

  275. // This is an utility method, we update the secret for an existing user
    276. 

  276. // if it is empty or plain
    277. 

  277. func (s *Secret) IsNotPlainAndNotEmpty() bool {
    278. 

  278. 	s.RLock()
    279. 

  279. 	defer s.RUnlock()
    280. 

  280. 

  281. 	return !s.IsPlain() && !s.IsEmpty()
    282. 

  282. }
    283. 

  283. 

  284. // IsRedacted returns true if the secret is redacted
    285. 

  285. func (s *Secret) IsRedacted() bool {
    286. 

  286. 	s.RLock()
    287. 

  287. 	defer s.RUnlock()
    288. 

  288. 

  289. 	return s.provider.GetStatus() == SecretStatusRedacted
    290. 

  290. }
    291. 

  291. 

  292. // GetPayload returns the secret payload
    293. 

  293. func (s *Secret) GetPayload() string {
    294. 

  294. 	s.RLock()
    295. 

  295. 	defer s.RUnlock()
    296. 

  296. 

  297. 	return s.provider.GetPayload()
    298. 

  298. }
    299. 

  299. 

  300. // GetAdditionalData returns the secret additional data
    301. 

  301. func (s *Secret) GetAdditionalData() string {
    302. 

  302. 	s.RLock()
    303. 

  303. 	defer s.RUnlock()
    304. 

  304. 

  305. 	return s.provider.GetAdditionalData()
    306. 

  306. }
    307. 

  307. 

  308. // GetStatus returns the secret status
    309. 

  309. func (s *Secret) GetStatus() SecretStatus {
    310. 

  310. 	s.RLock()
    311. 

  311. 	defer s.RUnlock()
    312. 

  312. 

  313. 	return s.provider.GetStatus()
    314. 

  314. }
    315. 

  315. 

  316. // GetKey returns the secret key
    317. 

  317. func (s *Secret) GetKey() string {
    318. 

  318. 	s.RLock()
    319. 

  319. 	defer s.RUnlock()
    320. 

  320. 

  321. 	return s.provider.GetKey()
    322. 

  322. }
    323. 

  323. 

  324. // GetMode returns the secret mode
    325. 

  325. func (s *Secret) GetMode() int {
    326. 

  326. 	s.RLock()
    327. 

  327. 	defer s.RUnlock()
    328. 

  328. 

  329. 	return s.provider.GetMode()
    330. 

  330. }
    331. 

  331. 

  332. // SetAdditionalData sets the given additional data
    333. 

  333. func (s *Secret) SetAdditionalData(value string) {
    334. 

  334. 	s.Lock()
    335. 

  335. 	defer s.Unlock()
    336. 

  336. 

  337. 	s.provider.SetAdditionalData(value)
    338. 

  338. }
    339. 

  339. 

  340. // SetStatus sets the status for this secret
    341. 

  341. func (s *Secret) SetStatus(value SecretStatus) {
    342. 

  342. 	s.Lock()
    343. 

  343. 	defer s.Unlock()
    344. 

  344. 

  345. 	s.provider.SetStatus(value)
    346. 

  346. }
    347. 

  347. 

  348. // SetKey sets the key for this secret
    349. 

  349. func (s *Secret) SetKey(value string) {
    350. 

  350. 	s.Lock()
    351. 

  351. 	defer s.Unlock()
    352. 

  352. 

  353. 	s.provider.SetKey(value)
    354. 

  354. }
    355. 

  355. 

  356. // IsEmpty returns true if all fields are empty
    357. 

  357. func (s *Secret) IsEmpty() bool {
    358. 

  358. 	s.RLock()
    359. 

  359. 	defer s.RUnlock()
    360. 

  360. 

  361. 	if s.provider.GetStatus() != "" {
    362. 

  362. 		return false
    363. 

  363. 	}
    364. 

  364. 	if s.provider.GetPayload() != "" {
    365. 

  365. 		return false
    366. 

  366. 	}
    367. 

  367. 	if s.provider.GetKey() != "" {
    368. 

  368. 		return false
    369. 

  369. 	}
    370. 

  370. 	if s.provider.GetAdditionalData() != "" {
    371. 

  371. 		return false
    372. 

  372. 	}
    373. 

  373. 	return true
    374. 

  374. }
    375. 

  375. 

  376. // IsValid returns true if the secret is not empty and valid
    377. 

  377. func (s *Secret) IsValid() bool {
    378. 

  378. 	s.RLock()
    379. 

  379. 	defer s.RUnlock()
    380. 

  380. 

  381. 	if !s.IsValidInput() {
    382. 

  382. 		return false
    383. 

  383. 	}
    384. 

  384. 	switch s.provider.GetStatus() {
    385. 

  385. 	case SecretStatusAES256GCM, SecretStatusSecretBox:
    386. 

  386. 		if len(s.provider.GetKey()) != 64 {
    387. 

  387. 			return false
    388. 

  388. 		}
    389. 

  389. 	case SecretStatusAWS, SecretStatusGCP, SecretStatusVaultTransit:
    390. 

  390. 		key := s.provider.GetKey()
    391. 

  391. 		if key != "" && len(key) != 64 {
    392. 

  392. 			return false
    393. 

  393. 		}
    394. 

  394. 	}
    395. 

  395. 	return true
    396. 

  396. }
    397. 

  397. 

  398. // IsValidInput returns true if the secret is a valid user input
    399. 

  399. func (s *Secret) IsValidInput() bool {
    400. 

  400. 	s.RLock()
    401. 

  401. 	defer s.RUnlock()
    402. 

  402. 

  403. 	if !util.IsStringInSlice(s.provider.GetStatus(), validSecretStatuses) {
    404. 

  404. 		return false
    405. 

  405. 	}
    406. 

  406. 	if s.provider.GetPayload() == "" {
    407. 

  407. 		return false
    408. 

  408. 	}
    409. 

  409. 	return true
    410. 

  410. }
    411. 

  411. 

  412. // Hide hides info to decrypt data
    413. 

  413. func (s *Secret) Hide() {
    414. 

  414. 	s.Lock()
    415. 

  415. 	defer s.Unlock()
    416. 

  416. 

  417. 	s.provider.SetKey("")
    418. 

  418. 	s.provider.SetAdditionalData("")
    419. 

  419. }
    420. 

  420. 

  421. // Encrypt encrypts a plain text Secret object
    422. 

  422. func (s *Secret) Encrypt() error {
    423. 

  423. 	s.Lock()
    424. 

  424. 	defer s.Unlock()
    425. 

  425. 

  426. 	return s.provider.Encrypt()
    427. 

  427. }
    428. 

  428. 

  429. // Decrypt decrypts a Secret object
    430. 

  430. func (s *Secret) Decrypt() error {
    431. 

  431. 	s.Lock()
    432. 

  432. 	defer s.Unlock()
    433. 

  433. 

  434. 	return s.provider.Decrypt()
    435. 

  435. }
    436. 

  436. 

  437. // TryDecrypt decrypts a Secret object if encrypted.
    438. 

  438. // It returns a nil error if the object is not encrypted
    439. 

  439. func (s *Secret) TryDecrypt() error {
    440. 

  440. 	s.Lock()
    441. 

  441. 	defer s.Unlock()
    442. 

  442. 

  443. 	if s.provider.IsEncrypted() {
    444. 

  444. 		return s.provider.Decrypt()
    445. 

  445. 	}
    446. 

  446. 	return nil
    447. 

  447. }
    448.