move Filesystem config validation to vfs

2025-12-07 14:50:55 +03:00 · 2021-06-19 12:24:43 +02:00
parent f2f612b450
commit f19937b715
10 changed files with 234 additions and 206 deletions
--- a/vfs/filesystem.go
+++ b/vfs/filesystem.go
@@ -1,6 +1,11 @@
 package vfs

-import "github.com/drakkan/sftpgo/kms"
+import (
+	"fmt"
+
+	"github.com/drakkan/sftpgo/kms"
+	"github.com/drakkan/sftpgo/utils"
+)

 // FilesystemProvider defines the supported storage filesystems
 type FilesystemProvider int
@@ -15,6 +20,13 @@ const (
 	SFTPFilesystemProvider                                // SFTP
 )

+// ValidatorHelper implements methods we need for Filesystem.ValidateConfig.
+// It is implemented by vfs.Folder and dataprovider.User
+type ValidatorHelper interface {
+	GetGCSCredentialsFilePath() string
+	GetEncryptionAdditionalData() string
+}
+
 // Filesystem defines cloud storage filesystem details
 type Filesystem struct {
 	RedactedSecret string             `json:"-"`
@@ -99,6 +111,128 @@ func (f *Filesystem) IsEqual(other *Filesystem) bool {
 	}
 }

+// Validate verifies the FsConfig matching the configured provider and sets all other
+// Filesystem.*Config to their zero value if successful
+func (f *Filesystem) Validate(helper ValidatorHelper) error {
+	switch f.Provider {
+	case S3FilesystemProvider:
+		if err := f.S3Config.Validate(); err != nil {
+			return utils.NewValidationError(fmt.Sprintf("could not validate s3config: %v", err))
+		}
+		if err := f.S3Config.EncryptCredentials(helper.GetEncryptionAdditionalData()); err != nil {
+			return utils.NewValidationError(fmt.Sprintf("could not encrypt s3 access secret: %v", err))
+		}
+		f.GCSConfig = GCSFsConfig{}
+		f.AzBlobConfig = AzBlobFsConfig{}
+		f.CryptConfig = CryptFsConfig{}
+		f.SFTPConfig = SFTPFsConfig{}
+		return nil
+	case GCSFilesystemProvider:
+		if err := f.GCSConfig.Validate(helper.GetGCSCredentialsFilePath()); err != nil {
+			return utils.NewValidationError(fmt.Sprintf("could not validate GCS config: %v", err))
+		}
+		f.S3Config = S3FsConfig{}
+		f.AzBlobConfig = AzBlobFsConfig{}
+		f.CryptConfig = CryptFsConfig{}
+		f.SFTPConfig = SFTPFsConfig{}
+		return nil
+	case AzureBlobFilesystemProvider:
+		if err := f.AzBlobConfig.Validate(); err != nil {
+			return utils.NewValidationError(fmt.Sprintf("could not validate Azure Blob config: %v", err))
+		}
+		if err := f.AzBlobConfig.EncryptCredentials(helper.GetEncryptionAdditionalData()); err != nil {
+			return utils.NewValidationError(fmt.Sprintf("could not encrypt Azure blob account key: %v", err))
+		}
+		f.S3Config = S3FsConfig{}
+		f.GCSConfig = GCSFsConfig{}
+		f.CryptConfig = CryptFsConfig{}
+		f.SFTPConfig = SFTPFsConfig{}
+		return nil
+	case CryptedFilesystemProvider:
+		if err := f.CryptConfig.Validate(); err != nil {
+			return utils.NewValidationError(fmt.Sprintf("could not validate Crypt fs config: %v", err))
+		}
+		if err := f.CryptConfig.EncryptCredentials(helper.GetEncryptionAdditionalData()); err != nil {
+			return utils.NewValidationError(fmt.Sprintf("could not encrypt Crypt fs passphrase: %v", err))
+		}
+		f.S3Config = S3FsConfig{}
+		f.GCSConfig = GCSFsConfig{}
+		f.AzBlobConfig = AzBlobFsConfig{}
+		f.SFTPConfig = SFTPFsConfig{}
+		return nil
+	case SFTPFilesystemProvider:
+		if err := f.SFTPConfig.Validate(); err != nil {
+			return utils.NewValidationError(fmt.Sprintf("could not validate SFTP fs config: %v", err))
+		}
+		if err := f.SFTPConfig.EncryptCredentials(helper.GetEncryptionAdditionalData()); err != nil {
+			return utils.NewValidationError(fmt.Sprintf("could not encrypt SFTP fs credentials: %v", err))
+		}
+		f.S3Config = S3FsConfig{}
+		f.GCSConfig = GCSFsConfig{}
+		f.AzBlobConfig = AzBlobFsConfig{}
+		f.CryptConfig = CryptFsConfig{}
+		return nil
+	default:
+		f.Provider = LocalFilesystemProvider
+		f.S3Config = S3FsConfig{}
+		f.GCSConfig = GCSFsConfig{}
+		f.AzBlobConfig = AzBlobFsConfig{}
+		f.CryptConfig = CryptFsConfig{}
+		f.SFTPConfig = SFTPFsConfig{}
+		return nil
+	}
+}
+
+// HasRedactedSecret returns true if configured the filesystem configuration has a redacted secret
+func (f *Filesystem) HasRedactedSecret() bool {
+	// TODO move vfs specific code into each *FsConfig struct
+	switch f.Provider {
+	case S3FilesystemProvider:
+		if f.S3Config.AccessSecret.IsRedacted() {
+			return true
+		}
+	case GCSFilesystemProvider:
+		if f.GCSConfig.Credentials.IsRedacted() {
+			return true
+		}
+	case AzureBlobFilesystemProvider:
+		if f.AzBlobConfig.AccountKey.IsRedacted() {
+			return true
+		}
+	case CryptedFilesystemProvider:
+		if f.CryptConfig.Passphrase.IsRedacted() {
+			return true
+		}
+	case SFTPFilesystemProvider:
+		if f.SFTPConfig.Password.IsRedacted() {
+			return true
+		}
+		if f.SFTPConfig.PrivateKey.IsRedacted() {
+			return true
+		}
+	}
+
+	return false
+}
+
+// HideConfidentialData hides filesystem confidential data
+func (f *Filesystem) HideConfidentialData() {
+	switch f.Provider {
+	case S3FilesystemProvider:
+		f.S3Config.AccessSecret.Hide()
+	case GCSFilesystemProvider:
+		f.GCSConfig.Credentials.Hide()
+	case AzureBlobFilesystemProvider:
+		f.AzBlobConfig.AccountKey.Hide()
+		f.AzBlobConfig.SASURL.Hide()
+	case CryptedFilesystemProvider:
+		f.CryptConfig.Passphrase.Hide()
+	case SFTPFilesystemProvider:
+		f.SFTPConfig.Password.Hide()
+		f.SFTPConfig.PrivateKey.Hide()
+	}
+}
+
 // GetACopy returns a copy
 func (f *Filesystem) GetACopy() Filesystem {
 	f.SetEmptySecretsIfNil()