Mirrors/sftpgo
1
0
Fork 0
mirror of https://github.com/drakkan/sftpgo.git synced 2025-12-06 22:30:56 +03:00
Code Issues Packages Projects Releases Wiki Activity

refactor for secrets management in API and private key handling in SFTPFs

Browse Source 
Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
This commit is contained in:
Nicola Murino
2024-04-26 16:17:24 +02:00
parent aa426016f2
commit 2bcf05ca45
5 changed files with 47 additions and 70 deletions
Download Patch File Download Diff File Expand all files Collapse all files

40
internal/vfs/sftpfs.go
View File

@@ -67,6 +67,27 @@ type SFTPFsConfig struct {
PrivateKey *kms.Secret `json:"private_key,omitempty"`
KeyPassphrase *kms.Secret `json:"key_passphrase,omitempty"`
forbiddenSelfUsernames []string `json:"-"`
signer ssh.Signer
}
func (c *SFTPFsConfig) populateSigner() error {
if c.PrivateKey.GetPayload() != "" {
signer, err := c.getSigner()
if err != nil {
return fmt.Errorf("sftpfs: unable to parse the private key: %w", err)
}
c.signer = signer
return nil
}
return nil
}
func (c *SFTPFsConfig) getSigner() (ssh.Signer, error) {
if c.KeyPassphrase.GetPayload() != "" {
return ssh.ParsePrivateKeyWithPassphrase([]byte(c.PrivateKey.GetPayload()),
[]byte(c.KeyPassphrase.GetPayload()))
}
return ssh.ParsePrivateKey([]byte(c.PrivateKey.GetPayload()))
}
// HideConfidentialData hides confidential data
@@ -331,6 +352,9 @@ func NewSFTPFs(connectionID, mountPath, localTempDir string, forbiddenSelfUserna
return nil, err
}
}
if err := config.populateSigner(); err != nil {
return nil, err
}
config.forbiddenSelfUsernames = forbiddenSelfUsernames
sftpFs := &SFTPFs{
connectionID: connectionID,
@@ -931,14 +955,6 @@ func (c *sftpConnection) OpenConnection() error {
return c.openConnNoLock()
}
func (c *sftpConnection) getSigner() (ssh.Signer, error) {
if c.config.KeyPassphrase.GetPayload() != "" {
return ssh.ParsePrivateKeyWithPassphrase([]byte(c.config.PrivateKey.GetPayload()),
[]byte(c.config.KeyPassphrase.GetPayload()))
}
return ssh.ParsePrivateKey([]byte(c.config.PrivateKey.GetPayload()))
}
func (c *sftpConnection) openConnNoLock() error {
if c.isConnected {
logger.Debug(c.logSender, "", "reusing connection")
@@ -976,12 +992,8 @@ func (c *sftpConnection) openConnNoLock() error {
Timeout: 10 * time.Second,
ClientVersion: fmt.Sprintf("SSH-2.0-SFTPGo_%v", version.Get().Version),
}
if c.config.PrivateKey.GetPayload() != "" {
signer, err := c.getSigner()
if err != nil {
return fmt.Errorf("sftpfs: unable to parse the private key: %w", err)
}
clientConfig.Auth = append(clientConfig.Auth, ssh.PublicKeys(signer))
if c.config.signer != nil {
clientConfig.Auth = append(clientConfig.Auth, ssh.PublicKeys(c.config.signer))
}
if c.config.Password.GetPayload() != "" {
clientConfig.Auth = append(clientConfig.Auth, ssh.Password(c.config.Password.GetPayload()))