plugins: fix hash check

Signed-off-by: Nicola Murino <nicola.murino@gmail.com>
2025-12-07 14:50:55 +03:00 · 2022-11-04 20:25:01 +01:00
parent 0ac2120532
commit 7bd71474ef
10 changed files with 51 additions and 44 deletions
--- a/internal/plugin/auth.go
+++ b/internal/plugin/auth.go
@@ -15,7 +15,6 @@
 package plugin

 import (
-	"crypto/sha256"
 	"errors"
 	"fmt"
 	"os/exec"
@@ -113,10 +112,9 @@ func (p *authPlugin) initialize() error {
 		return fmt.Errorf("invalid options for auth plugin %#v: %v", p.config.Cmd, err)
 	}

-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: auth.Handshake,
--- a/internal/plugin/ipfilter.go
+++ b/internal/plugin/ipfilter.go
@@ -15,7 +15,6 @@
 package plugin

 import (
-	"crypto/sha256"
 	"fmt"
 	"os/exec"

@@ -54,10 +53,9 @@ func (p *ipFilterPlugin) cleanup() {
 func (p *ipFilterPlugin) initialize() error {
 	logger.Debug(logSender, "", "create new IP filter plugin %#v", p.config.Cmd)
 	killProcess(p.config.Cmd)
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: ipfilter.Handshake,
--- a/internal/plugin/kms.go
+++ b/internal/plugin/kms.go
@@ -15,7 +15,6 @@
 package plugin

 import (
-	"crypto/sha256"
 	"fmt"
 	"os/exec"
 	"path/filepath"
@@ -75,10 +74,9 @@ func (p *kmsPlugin) initialize() error {
 	if err := p.config.KMSOptions.validate(); err != nil {
 		return fmt.Errorf("invalid options for kms plugin %#v: %v", p.config.Cmd, err)
 	}
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: kmsplugin.Handshake,
--- a/internal/plugin/metadata.go
+++ b/internal/plugin/metadata.go
@@ -15,7 +15,6 @@
 package plugin

 import (
-	"crypto/sha256"
 	"fmt"
 	"os/exec"

@@ -54,10 +53,9 @@ func (p *metadataPlugin) cleanup() {
 func (p *metadataPlugin) initialize() error {
 	killProcess(p.config.Cmd)
 	logger.Debug(logSender, "", "create new metadata plugin %#v", p.config.Cmd)
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: metadata.Handshake,
--- a/internal/plugin/notifier.go
+++ b/internal/plugin/notifier.go
@@ -15,7 +15,6 @@
 package plugin

 import (
-	"crypto/sha256"
 	"fmt"
 	"os/exec"
 	"sync"
@@ -138,10 +137,9 @@ func (p *notifierPlugin) initialize() error {
 	if !p.config.NotifierOptions.hasActions() {
 		return fmt.Errorf("no actions defined for the notifier plugin %#v", p.config.Cmd)
 	}
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: notifier.Handshake,
--- a/internal/plugin/plugin.go
+++ b/internal/plugin/plugin.go
@@ -16,7 +16,9 @@
 package plugin

 import (
+	"crypto/sha256"
 	"crypto/x509"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"sync"
@@ -24,6 +26,7 @@ import (
 	"time"

 	"github.com/hashicorp/go-hclog"
+	"github.com/hashicorp/go-plugin"
 	"github.com/sftpgo/sdk/plugin/auth"
 	"github.com/sftpgo/sdk/plugin/eventsearcher"
 	"github.com/sftpgo/sdk/plugin/ipfilter"
@@ -82,6 +85,20 @@ type Config struct {
 	kmsID int
 }

+func (c *Config) getSecureConfig() (*plugin.SecureConfig, error) {
+	if c.SHA256Sum != "" {
+		checksum, err := hex.DecodeString(c.SHA256Sum)
+		if err != nil {
+			return nil, fmt.Errorf("invalid sha256 hash %q: %w", c.SHA256Sum, err)
+		}
+		return &plugin.SecureConfig{
+			Checksum: checksum,
+			Hash:     sha256.New(),
+		}, nil
+	}
+	return nil, nil
+}
+
 func (c *Config) newKMSPluginSecretProvider(base kms.BaseSecret, url, masterKey string) kms.SecretProvider {
 	return &kmsPluginSecretProvider{
 		BaseSecret: base,
@@ -774,16 +791,17 @@ func setLogLevel(logLevel string) {

 func startCheckTicker() {
 	logger.Debug(logSender, "", "start plugins checker")
-	checker := time.NewTicker(30 * time.Second)

 	go func() {
+		ticker := time.NewTicker(30 * time.Second)
+		defer ticker.Stop()
+
 		for {
 			select {
 			case <-Handler.done:
 				logger.Debug(logSender, "", "handler done, stop plugins checker")
-				checker.Stop()
 				return
-			case <-checker.C:
+			case <-ticker.C:
 				Handler.checkCrashedPlugins()
 			}
 		}
--- a/internal/plugin/searcher.go
+++ b/internal/plugin/searcher.go
@@ -15,7 +15,6 @@
 package plugin

 import (
-	"crypto/sha256"
 	"fmt"
 	"os/exec"

@@ -54,10 +53,9 @@ func (p *searcherPlugin) cleanup() {
 func (p *searcherPlugin) initialize() error {
 	killProcess(p.config.Cmd)
 	logger.Debug(logSender, "", "create new searcher plugin %#v", p.config.Cmd)
-	var secureConfig *plugin.SecureConfig
-	if p.config.SHA256Sum != "" {
-		secureConfig.Checksum = []byte(p.config.SHA256Sum)
-		secureConfig.Hash = sha256.New()
+	secureConfig, err := p.config.getSecureConfig()
+	if err != nil {
+		return err
 	}
 	client := plugin.NewClient(&plugin.ClientConfig{
 		HandshakeConfig: eventsearcher.Handshake,