sdk: add a logger interface

we are now ready to make the sdk a separate module Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-06 14:20:55 +03:00 · 2022-01-04 16:07:41 +01:00
parent a6fe802370
commit 2912b2e92e
30 changed files with 225 additions and 134 deletions
--- a/kms/builtin.go
+++ b/kms/builtin.go
@@ -1,139 +0,0 @@
-package kms
-
-import (
-	"crypto/aes"
-	"crypto/cipher"
-	"crypto/rand"
-	"crypto/sha256"
-	"encoding/hex"
-	"errors"
-	"io"
-
-	sdkkms "github.com/drakkan/sftpgo/v2/sdk/kms"
-)
-
-var (
-	errMalformedCiphertext = errors.New("malformed ciphertext")
-)
-
-type builtinSecret struct {
-	sdkkms.BaseSecret
-}
-
-func init() {
-	sdkkms.RegisterSecretProvider(sdkkms.SchemeBuiltin, sdkkms.SecretStatusAES256GCM, newBuiltinSecret)
-}
-
-func newBuiltinSecret(base sdkkms.BaseSecret, url, masterKey string) sdkkms.SecretProvider {
-	return &builtinSecret{
-		BaseSecret: base,
-	}
-}
-
-func (s *builtinSecret) Name() string {
-	return "Builtin"
-}
-
-func (s *builtinSecret) IsEncrypted() bool {
-	return s.Status == sdkkms.SecretStatusAES256GCM
-}
-
-func (s *builtinSecret) deriveKey(key []byte) []byte {
-	var combined []byte
-	combined = append(combined, key...)
-	if s.AdditionalData != "" {
-		combined = append(combined, []byte(s.AdditionalData)...)
-	}
-	combined = append(combined, key...)
-	hash := sha256.Sum256(combined)
-	return hash[:]
-}
-
-func (s *builtinSecret) Encrypt() error {
-	if s.Payload == "" {
-		return sdkkms.ErrInvalidSecret
-	}
-	switch s.Status {
-	case sdkkms.SecretStatusPlain:
-		key := make([]byte, 32)
-		if _, err := io.ReadFull(rand.Reader, key); err != nil {
-			return err
-		}
-		block, err := aes.NewCipher(s.deriveKey(key))
-		if err != nil {
-			return err
-		}
-		gcm, err := cipher.NewGCM(block)
-		if err != nil {
-			return err
-		}
-		nonce := make([]byte, gcm.NonceSize())
-		if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
-			return err
-		}
-		var aad []byte
-		if s.AdditionalData != "" {
-			aad = []byte(s.AdditionalData)
-		}
-		ciphertext := gcm.Seal(nonce, nonce, []byte(s.Payload), aad)
-		s.Key = hex.EncodeToString(key)
-		s.Payload = hex.EncodeToString(ciphertext)
-		s.Status = sdkkms.SecretStatusAES256GCM
-		return nil
-	default:
-		return sdkkms.ErrWrongSecretStatus
-	}
-}
-
-func (s *builtinSecret) Decrypt() error {
-	switch s.Status {
-	case sdkkms.SecretStatusAES256GCM:
-		encrypted, err := hex.DecodeString(s.Payload)
-		if err != nil {
-			return err
-		}
-		key, err := hex.DecodeString(s.Key)
-		if err != nil {
-			return err
-		}
-		block, err := aes.NewCipher(s.deriveKey(key))
-		if err != nil {
-			return err
-		}
-		gcm, err := cipher.NewGCM(block)
-		if err != nil {
-			return err
-		}
-		nonceSize := gcm.NonceSize()
-		if len(encrypted) < nonceSize {
-			return errMalformedCiphertext
-		}
-		nonce, ciphertext := encrypted[:nonceSize], encrypted[nonceSize:]
-		var aad []byte
-		if s.AdditionalData != "" {
-			aad = []byte(s.AdditionalData)
-		}
-		plaintext, err := gcm.Open(nil, nonce, ciphertext, aad)
-		if err != nil {
-			return err
-		}
-		s.Status = sdkkms.SecretStatusPlain
-		s.Payload = string(plaintext)
-		s.Key = ""
-		s.AdditionalData = ""
-		return nil
-	default:
-		return sdkkms.ErrWrongSecretStatus
-	}
-}
-
-func (s *builtinSecret) Clone() sdkkms.SecretProvider {
-	baseSecret := sdkkms.BaseSecret{
-		Status:         s.Status,
-		Payload:        s.Payload,
-		Key:            s.Key,
-		AdditionalData: s.AdditionalData,
-		Mode:           s.Mode,
-	}
-	return newBuiltinSecret(baseSecret, "", "")
-}
--- a/kms/kms.go
+++ b/kms/kms.go
@@ -1,2 +0,0 @@
-// Package kms provides built-in Key Management Services support
-package kms
--- a/kms/local.go
+++ b/kms/local.go
@@ -1,143 +0,0 @@
-package kms
-
-import (
-	"context"
-	"crypto/sha256"
-	"encoding/base64"
-	"encoding/hex"
-	"io"
-
-	"gocloud.dev/secrets/localsecrets"
-	"golang.org/x/crypto/hkdf"
-
-	sdkkms "github.com/drakkan/sftpgo/v2/sdk/kms"
-)
-
-func init() {
-	sdkkms.RegisterSecretProvider(sdkkms.SchemeLocal, sdkkms.SecretStatusSecretBox, NewLocalSecret)
-}
-
-type localSecret struct {
-	sdkkms.BaseSecret
-	masterKey string
-}
-
-// NewLocalSecret returns a SecretProvider that use a locally provided symmetric key
-func NewLocalSecret(base sdkkms.BaseSecret, url, masterKey string) sdkkms.SecretProvider {
-	return &localSecret{
-		BaseSecret: base,
-		masterKey:  masterKey,
-	}
-}
-
-func (s *localSecret) Name() string {
-	return "Local"
-}
-
-func (s *localSecret) IsEncrypted() bool {
-	return s.Status == sdkkms.SecretStatusSecretBox
-}
-
-func (s *localSecret) Encrypt() error {
-	if s.Status != sdkkms.SecretStatusPlain {
-		return sdkkms.ErrWrongSecretStatus
-	}
-	if s.Payload == "" {
-		return sdkkms.ErrInvalidSecret
-	}
-	secretKey, err := localsecrets.NewRandomKey()
-	if err != nil {
-		return err
-	}
-	key, err := s.deriveKey(secretKey[:], false)
-	if err != nil {
-		return err
-	}
-	keeper := localsecrets.NewKeeper(key)
-	defer keeper.Close()
-
-	ciphertext, err := keeper.Encrypt(context.Background(), []byte(s.Payload))
-	if err != nil {
-		return err
-	}
-	s.Key = hex.EncodeToString(secretKey[:])
-	s.Payload = base64.StdEncoding.EncodeToString(ciphertext)
-	s.Status = sdkkms.SecretStatusSecretBox
-	s.Mode = s.getEncryptionMode()
-	return nil
-}
-
-func (s *localSecret) Decrypt() error {
-	if !s.IsEncrypted() {
-		return sdkkms.ErrWrongSecretStatus
-	}
-	encrypted, err := base64.StdEncoding.DecodeString(s.Payload)
-	if err != nil {
-		return err
-	}
-	secretKey, err := hex.DecodeString(s.Key)
-	if err != nil {
-		return err
-	}
-	key, err := s.deriveKey(secretKey[:], true)
-	if err != nil {
-		return err
-	}
-	keeper := localsecrets.NewKeeper(key)
-	defer keeper.Close()
-
-	plaintext, err := keeper.Decrypt(context.Background(), encrypted)
-	if err != nil {
-		return err
-	}
-	s.Status = sdkkms.SecretStatusPlain
-	s.Payload = string(plaintext)
-	s.Key = ""
-	s.AdditionalData = ""
-	s.Mode = 0
-	return nil
-}
-
-func (s *localSecret) deriveKey(key []byte, isForDecryption bool) ([32]byte, error) {
-	var masterKey []byte
-	if s.masterKey == "" || (isForDecryption && s.Mode == 0) {
-		var combined []byte
-		combined = append(combined, key...)
-		if s.AdditionalData != "" {
-			combined = append(combined, []byte(s.AdditionalData)...)
-		}
-		combined = append(combined, key...)
-		hash := sha256.Sum256(combined)
-		masterKey = hash[:]
-	} else {
-		masterKey = []byte(s.masterKey)
-	}
-	var derivedKey [32]byte
-	var info []byte
-	if s.AdditionalData != "" {
-		info = []byte(s.AdditionalData)
-	}
-	kdf := hkdf.New(sha256.New, masterKey, key, info)
-	if _, err := io.ReadFull(kdf, derivedKey[:]); err != nil {
-		return derivedKey, err
-	}
-	return derivedKey, nil
-}
-
-func (s *localSecret) getEncryptionMode() int {
-	if s.masterKey == "" {
-		return 0
-	}
-	return 1
-}
-
-func (s *localSecret) Clone() sdkkms.SecretProvider {
-	baseSecret := sdkkms.BaseSecret{
-		Status:         s.Status,
-		Payload:        s.Payload,
-		Key:            s.Key,
-		AdditionalData: s.AdditionalData,
-		Mode:           s.Mode,
-	}
-	return NewLocalSecret(baseSecret, "", s.masterKey)
-}