add build tags to disable kms providers

2025-12-06 14:20:55 +03:00 · 2020-12-02 09:44:18 +01:00
parent 87b51a6fd5
commit a67276ccc2
13 changed files with 132 additions and 35 deletions
--- a/kms/aws.go
+++ b/kms/aws.go
@@ -1,13 +1,22 @@
+// +build !noawskms
+
 package kms

-const (
-	awsProviderName = "AWS"
+import (
+	// we import awskms here to be able to disable AWS KMS support using a build tag
+	_ "gocloud.dev/secrets/awskms"
+
+	"github.com/drakkan/sftpgo/version"
 )

 type awsSecret struct {
 	baseGCloudSecret
 }

+func init() {
+	version.AddFeature("+awskms")
+}
+
 func newAWSSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return &awsSecret{
 		baseGCloudSecret{
--- a/kms/aws_disabled.go
+++ b/kms/aws_disabled.go
@@ -0,0 +1,17 @@
+// +build noawskms
+
+package kms
+
+import (
+	"errors"
+
+	"github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+	version.AddFeature("-awskms")
+}
+
+func newAWSSecret(base baseSecret, url, masterKey string) SecretProvider {
+	return newDisabledSecret(errors.New("AWS KMS disabled at build time"))
+}
--- a/kms/basegocloud.go
+++ b/kms/basegocloud.go
@@ -6,12 +6,6 @@ import (
 	"time"

 	"gocloud.dev/secrets"
-	// import awskms package
-	_ "gocloud.dev/secrets/awskms"
-	// import gcpkms package
-	_ "gocloud.dev/secrets/gcpkms"
-	// import hashivault package
-	_ "gocloud.dev/secrets/hashivault"
 )

 type baseGCloudSecret struct {
--- a/kms/builtin.go
+++ b/kms/builtin.go
@@ -10,10 +10,6 @@ import (
 	"github.com/minio/sha256-simd"
 )

-const (
-	builtinProviderName = "Builtin"
-)
-
 type builtinSecret struct {
 	baseSecret
 }
--- a/kms/disabled.go
+++ b/kms/disabled.go
@@ -0,0 +1,29 @@
+package kms
+
+type disabledSecret struct {
+	baseSecret
+	err error
+}
+
+func newDisabledSecret(err error) SecretProvider {
+	return &disabledSecret{
+		baseSecret: baseSecret{},
+		err:        err,
+	}
+}
+
+func (s *disabledSecret) Name() string {
+	return disabledProviderName
+}
+
+func (s *disabledSecret) IsEncrypted() bool {
+	return false
+}
+
+func (s *disabledSecret) Encrypt() error {
+	return s.err
+}
+
+func (s *disabledSecret) Decrypt() error {
+	return s.err
+}
--- a/kms/gcp.go
+++ b/kms/gcp.go
@@ -1,13 +1,22 @@
+// +build !nogcpkms
+
 package kms

-const (
-	gcpProviderName = "GCP"
+import (
+	// we import gcpkms here to be able to disable GCP KMS support using a build tag
+	_ "gocloud.dev/secrets/gcpkms"
+
+	"github.com/drakkan/sftpgo/version"
 )

 type gcpSecret struct {
 	baseGCloudSecret
 }

+func init() {
+	version.AddFeature("+gcpkms")
+}
+
 func newGCPSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return &gcpSecret{
 		baseGCloudSecret{
--- a/kms/gcp_disabled.go
+++ b/kms/gcp_disabled.go
@@ -0,0 +1,17 @@
+// +build nogcpkms
+
+package kms
+
+import (
+	"errors"
+
+	"github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+	version.AddFeature("-gcpkms")
+}
+
+func newGCPSecret(base baseSecret, url, masterKey string) SecretProvider {
+	return newDisabledSecret(errors.New("GCP KMS disabled at build time"))
+}
--- a/kms/kms.go
+++ b/kms/kms.go
@@ -50,6 +50,15 @@ const (
 	SecretStatusRedacted SecretStatus = "Redacted"
 )

+const (
+	localProviderName    = "Local"
+	builtinProviderName  = "Builtin"
+	awsProviderName      = "AWS"
+	gcpProviderName      = "GCP"
+	vaultProviderName    = "VaultTransit"
+	disabledProviderName = "Disabled"
+)
+
 // Configuration defines the KMS configuration
 type Configuration struct {
 	Secrets Secrets `json:"secrets" mapstructure:"secrets"`
--- a/kms/local.go
+++ b/kms/local.go
@@ -11,10 +11,6 @@ import (
 	"golang.org/x/crypto/hkdf"
 )

-const (
-	localProviderName = "Local"
-)
-
 type localSecret struct {
 	baseSecret
 	masterKey string
--- a/kms/vault.go
+++ b/kms/vault.go
@@ -1,13 +1,22 @@
+// +build !novaultkms
+
 package kms

-const (
-	vaultProviderName = "VaultTransit"
+import (
+	// we import hashivault here to be able to disable Vault support using a build tag
+	_ "gocloud.dev/secrets/hashivault"
+
+	"github.com/drakkan/sftpgo/version"
 )

 type vaultSecret struct {
 	baseGCloudSecret
 }

+func init() {
+	version.AddFeature("+vaultkms")
+}
+
 func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
 	return &vaultSecret{
 		baseGCloudSecret{
--- a/kms/vault_disabled.go
+++ b/kms/vault_disabled.go
@@ -0,0 +1,17 @@
+// +build novaultkms
+
+package kms
+
+import (
+	"errors"
+
+	"github.com/drakkan/sftpgo/version"
+)
+
+func init() {
+	version.AddFeature("-vaultkms")
+}
+
+func newVaultSecret(base baseSecret, url, masterKey string) SecretProvider {
+	return newDisabledSecret(errors.New("Vault KMS disabled at build time"))
+}