From 80592736477602cc7992372d4280f819dc7e4cbf Mon Sep 17 00:00:00 2001 From: Carl Lundin <108372512+clundin25@users.noreply.github.com> Date: Wed, 7 Dec 2022 03:49:14 +0000 Subject: [PATCH] feat: Gate ECP logs behind ENABLE_ENTERPRISE_CERTIFICATE_LOGS environment variable. (#57) --- README.md | 12 ++++++++++++ client/client.go | 14 ++++++++++++++ cshared/main.go | 15 +++++++++++++++ internal/signer/darwin/signer.go | 13 +++++++++++++ internal/signer/linux/signer.go | 13 +++++++++++++ internal/signer/windows/signer.go | 13 +++++++++++++ 6 files changed, 80 insertions(+) diff --git a/README.md b/README.md index 3f24f36..55c851d 100644 --- a/README.md +++ b/README.md @@ -126,6 +126,18 @@ ECP relies on the `certificate_config.json` file to read all the metadata inform } ``` +### Logging + +To enable logging set the "ENABLE_ENTERPRISE_CERTIFICATE_LOGS" environment +variable. + +#### Example + +``` +export ENABLE_ENTERPRISE_CERTIFICATE_LOGS=1 # Now the +enterprise-certificate-proxy will output logs to stdout. +``` + ## Build binaries For amd64 MacOS, run `./build/scripts/darwin_amd64.sh`. The binaries will be placed in `build/bin/darwin_amd64` folder. diff --git a/client/client.go b/client/client.go index 0d22a2c..aecaff5 100644 --- a/client/client.go +++ b/client/client.go @@ -15,6 +15,8 @@ import ( "encoding/gob" "fmt" "io" + "io/ioutil" + "log" "net/rpc" "os" "os/exec" @@ -42,6 +44,17 @@ func (c *Connection) Close() error { return werr } +// If ECP Logging is enabled return true +// Otherwise return false +func enableECPLogging() bool { + if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" { + return true + } + + log.SetOutput(ioutil.Discard) + return false +} + func init() { gob.Register(crypto.SHA256) gob.Register(&rsa.PSSOptions{}) 
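Review bot: `enableECPLogging` in the client.go hunk redirects the process-wide default logger to `ioutil.Discard`, and because `client` is a library imported into other programs, the first `Cred` call silently drops every `log.Printf` the host application makes from then on unless the variable is set. A package-scoped logger keeps the effect local: `var ecpLog = log.New(io.Discard, "", log.LstdFlags)`, switched to `os.Stderr` in this helper when the variable is present, with the package's own log calls routed through `ecpLog`. The bool result is ignored at every call site in this commit and the two-line comment omits the side effect; `// enableECPLogging discards default-logger output unless ENABLE_ENTERPRISE_CERTIFICATE_LOGS is set and reports whether logging is enabled.` describes what the function actually does. The same body is pasted verbatim into cshared/main.go and the darwin, linux and windows signers; one helper in a shared internal package would keep the variable name and the discard policy in a single place. `ioutil.Discard` has been `io.Discard` since Go 1.16 and client.go already imports `io`, so the new `io/ioutil` import can be avoided if the module targets that version.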
@@ -105,6 +118,7 @@ func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed [ // // The config file also specifies which certificate the signer should use. func Cred(configFilePath string) (*Key, error) { + enableECPLogging() if configFilePath == "" { configFilePath = util.GetDefaultConfigFilePath() } diff --git a/cshared/main.go b/cshared/main.go index cf88b13..d0e7f2b 100644 --- a/cshared/main.go +++ b/cshared/main.go @@ -18,12 +18,25 @@ import ( "crypto/ecdsa" "crypto/rsa" "encoding/pem" + "io/ioutil" "log" + "os" "unsafe" "github.com/googleapis/enterprise-certificate-proxy/client" ) +// If ECP Logging is enabled return true +// Otherwise return false +func enableECPLogging() bool { + if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" { + return true + } + + log.SetOutput(ioutil.Discard) + return false +} + func getCertPem(configFilePath string) []byte { key, err := client.Cred(configFilePath) if err != nil { @@ -54,6 +67,7 @@ func getCertPem(configFilePath string) []byte { // //export GetCertPemForPython func GetCertPemForPython(configFilePath *C.char, certHolder *byte, certHolderLen int) int { + enableECPLogging() pemBytes := getCertPem(C.GoString(configFilePath)) if certHolder != nil { cert := unsafe.Slice(certHolder, certHolderLen) @@ -68,6 +82,7 @@ func GetCertPemForPython(configFilePath *C.char, certHolder *byte, certHolderLen //export SignForPython func SignForPython(configFilePath *C.char, digest *byte, digestLen int, sigHolder *byte, sigHolderLen int) int { // First create a handle around the specified certificate and private key. + enableECPLogging() key, err := client.Cred(C.GoString(configFilePath)) if err != nil { log.Printf("Could not create client using config %s: %v", C.GoString(configFilePath), err) diff --git a/internal/signer/darwin/signer.go b/internal/signer/darwin/signer.go index 7ed31df..b30bae7 100644 --- a/internal/signer/darwin/signer.go +++ b/internal/signer/darwin/signer.go 
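Review bot: In the cshared/main.go hunks, `GetCertPemForPython` and `SignForPython` call `enableECPLogging()` and then immediately call `client.Cred`, which the client.go `Cred` hunk already instruments with the same call, so the two cshared calls and the cshared copy of the helper are redundant and could be dropped. The check treats any non-empty value as enabled, so `ENABLE_ENTERPRISE_CERTIFICATE_LOGS=0` or `=false` turns logging on; either parse the value with `strconv.ParseBool` and treat a parse failure as disabled, or document that only the unset/empty state disables it. The README hunk states that logs go to stdout, but the standard `log` package writes to stderr by default and nothing in this commit changes that, so a wrapper capturing only stdout will see no output; `stderr` is the accurate word, or `log.SetOutput(os.Stdout)` if stdout is intended. `SignForPython` and `GetCertPemForPython` both continue outside their hunks.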
@@ -14,6 +14,7 @@ import ( "crypto/x509" "encoding/gob" "io" + "io/ioutil" "log" "net/rpc" "os" @@ -22,6 +23,17 @@ import ( "time" ) +// If ECP Logging is enabled return true +// Otherwise return false +func enableECPLogging() bool { + if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" { + return true + } + + log.SetOutput(ioutil.Discard) + return false +} + func init() { gob.Register(crypto.SHA256) gob.Register(crypto.SHA384) @@ -76,6 +88,7 @@ func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) { } func main() { + enableECPLogging() if len(os.Args) != 2 { log.Fatalln("Signer is not meant to be invoked manually, exiting...") } diff --git a/internal/signer/linux/signer.go b/internal/signer/linux/signer.go index fe75cd9..d032523 100644 --- a/internal/signer/linux/signer.go +++ b/internal/signer/linux/signer.go @@ -15,6 +15,7 @@ import ( "crypto/x509" "encoding/gob" "io" + "io/ioutil" "log" "net/rpc" "os" @@ -22,6 +23,17 @@ import ( "time" ) +// If ECP Logging is enabled return true +// Otherwise return false +func enableECPLogging() bool { + if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" { + return true + } + + log.SetOutput(ioutil.Discard) + return false +} + func init() { gob.Register(crypto.SHA256) gob.Register(crypto.SHA384) @@ -76,6 +88,7 @@ func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) { } func main() { + enableECPLogging() if len(os.Args) != 2 { log.Fatalln("Signer is not meant to be invoked manually, exiting...") } diff --git a/internal/signer/windows/signer.go b/internal/signer/windows/signer.go index ffa1977..3244047 100644 --- a/internal/signer/windows/signer.go +++ b/internal/signer/windows/signer.go @@ -14,6 +14,7 @@ import ( "crypto/x509" "encoding/gob" "io" + "io/ioutil" "log" "net/rpc" "os" 
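Review bot: In the darwin signer's `main` hunk, the `enableECPLogging()` call placed before `log.Fatalln("Signer is not meant to be invoked manually, exiting...")` means that with the variable unset the usage message is written to `ioutil.Discard` and the binary exits with status 1 and no output; the linux and windows `main` hunks have the same issue. A usage error should stay visible regardless of the log toggle, e.g. `os.Stderr.WriteString("Signer is not meant to be invoked manually, exiting...\n")` followed by `os.Exit(1)`, or the toggle moved after the argument check. `main` continues outside the hunk, so any later `log.Fatal` on config or RPC setup errors is presumably also silenced by default, leaving the parent client with only a closed pipe to diagnose; routing fatal errors to stderr while gating only informational output would keep failures observable.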
@@ -22,6 +23,17 @@ import ( "time" ) +// If ECP Logging is enabled return true +// Otherwise return false +func enableECPLogging() bool { + if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" { + return true + } + + log.SetOutput(ioutil.Discard) + return false +} + func init() { gob.Register(crypto.SHA256) gob.Register(crypto.SHA384) @@ -76,6 +88,7 @@ func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) { } func main() { + enableECPLogging() if len(os.Args) != 2 { log.Fatalln("Signer is not meant to be invoked manually, exiting...") }