authorCarl Lundin <108372512+clundin25@users.noreply.github.com>2022-12-07 03:49:14 +0000
committerGitHub <noreply@github.com>2022-12-06 19:49:14 -0800
commit80592736477602cc7992372d4280f819dc7e4cbf (patch)
treed1d2b29329ca44130f6e3f333551b89d11648811
parentbee115d8c772d8058313b07c58d86d74c6675cf8 (diff)
downloadgoogleapis-enterprise-certificate-proxy-80592736477602cc7992372d4280f819dc7e4cbf.tar.gz
feat: Gate ECP logs behind ENABLE_ENTERPRISE_CERTIFICATE_LOGS environment variable. (#57)upstream/v0.2.1
-rw-r--r--README.md12
-rw-r--r--client/client.go14
-rw-r--r--cshared/main.go15
-rw-r--r--internal/signer/darwin/signer.go13
-rw-r--r--internal/signer/linux/signer.go13
-rw-r--r--internal/signer/windows/signer.go13
6 files changed, 80 insertions, 0 deletions
diff --git a/README.md b/README.md
index 3f24f36..55c851d 100644
--- a/README.md
+++ b/README.md
@@ -126,6 +126,18 @@ ECP relies on the `certificate_config.json` file to read all the metadata inform
}
```
+### Logging
+
+To enable logging set the "ENABLE_ENTERPRISE_CERTIFICATE_LOGS" environment
+variable.
+
+#### Example
+
+```
+export ENABLE_ENTERPRISE_CERTIFICATE_LOGS=1 # Now the
+enterprise-certificate-proxy will output logs to stdout.
+```
+
## Build binaries
For amd64 MacOS, run `./build/scripts/darwin_amd64.sh`. The binaries will be placed in `build/bin/darwin_amd64` folder.
diff --git a/client/client.go b/client/client.go
index 0d22a2c..aecaff5 100644
--- a/client/client.go
+++ b/client/client.go
@@ -15,6 +15,8 @@ import (
"encoding/gob"
"fmt"
"io"
+ "io/ioutil"
+ "log"
"net/rpc"
"os"
"os/exec"
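Review bot: The new `"io/ioutil"` import is needed only for `ioutil.Discard`, and this file already imports `"io"`. If the module's minimum Go version is 1.16 or later (not visible here), `io.Discard` is the same writer and `io/ioutil` is deprecated from that release on, so the helper could read `log.SetOutput(io.Discard)` with no new import. The same applies to the three signer files, which also import `"io"` already.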
@@ -42,6 +44,17 @@ func (c *Connection) Close() error {
return werr
}
+// If ECP Logging is enabled return true
+// Otherwise return false
+func enableECPLogging() bool {
+ if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
+ return true
+ }
+
+ log.SetOutput(ioutil.Discard)
+ return false
+}
+
func init() {
gob.Register(crypto.SHA256)
gob.Register(&rsa.PSSOptions{})
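Review bot: `log.SetOutput(ioutil.Discard)` in `enableECPLogging` redirects the process-wide standard logger, and in this file it runs from the exported `Cred`, so any program that imports the client package loses its own `log` output after the first `Cred` call unless the variable is set. `"log"` is imported only by this commit, so as far as these hunks show the file has no log calls of its own to silence. For a credential-handling library that puts the host's diagnostics and audit trail at risk; a package-level `*log.Logger` gated by the variable keeps the effect local to ECP. The returned bool is also unused by `Cred`. The `init` function that follows continues outside the hunk.

```go
// ecpLog carries ECP's own diagnostics; the process-wide standard logger is left untouched.
var ecpLog = log.New(ioutil.Discard, "", log.LstdFlags)

// enableECPLogging reports whether ENABLE_ENTERPRISE_CERTIFICATE_LOGS is set
// and routes ecpLog to stderr only in that case.
func enableECPLogging() bool {
	enabled := os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != ""
	if enabled {
		ecpLog.SetOutput(os.Stderr)
	} else {
		ecpLog.SetOutput(ioutil.Discard)
	}
	return enabled
}
```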
@@ -105,6 +118,7 @@ func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed [
//
// The config file also specifies which certificate the signer should use.
func Cred(configFilePath string) (*Key, error) {
+ enableECPLogging()
if configFilePath == "" {
configFilePath = util.GetDefaultConfigFilePath()
}
diff --git a/cshared/main.go b/cshared/main.go
index cf88b13..d0e7f2b 100644
--- a/cshared/main.go
+++ b/cshared/main.go
@@ -18,12 +18,25 @@ import (
"crypto/ecdsa"
"crypto/rsa"
"encoding/pem"
+ "io/ioutil"
"log"
+ "os"
"unsafe"
"github.com/googleapis/enterprise-certificate-proxy/client"
)
+// If ECP Logging is enabled return true
+// Otherwise return false
+func enableECPLogging() bool {
+ if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
+ return true
+ }
+
+ log.SetOutput(ioutil.Discard)
+ return false
+}
+
func getCertPem(configFilePath string) []byte {
key, err := client.Cred(configFilePath)
if err != nil {
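Review bot: This `enableECPLogging` is a verbatim copy of the one added to `client/client.go`, and both exported entry points that call it go on to `client.Cred` (one through `getCertPem`), which runs the same check again. Because the standard logger is shared by all Go code in the library, the copy here and its two call sites look redundant. Dropping them, or exporting a single helper from a shared package, avoids five definitions drifting apart. `getCertPem` continues outside the hunk.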
@@ -54,6 +67,7 @@ func getCertPem(configFilePath string) []byte {
//
//export GetCertPemForPython
func GetCertPemForPython(configFilePath *C.char, certHolder *byte, certHolderLen int) int {
+ enableECPLogging()
pemBytes := getCertPem(C.GoString(configFilePath))
if certHolder != nil {
cert := unsafe.Slice(certHolder, certHolderLen)
@@ -68,6 +82,7 @@ func GetCertPemForPython(configFilePath *C.char, certHolder *byte, certHolderLen
//export SignForPython
func SignForPython(configFilePath *C.char, digest *byte, digestLen int, sigHolder *byte, sigHolderLen int) int {
// First create a handle around the specified certificate and private key.
+ enableECPLogging()
key, err := client.Cred(C.GoString(configFilePath))
if err != nil {
log.Printf("Could not create client using config %s: %v", C.GoString(configFilePath), err)
diff --git a/internal/signer/darwin/signer.go b/internal/signer/darwin/signer.go
index 7ed31df..b30bae7 100644
--- a/internal/signer/darwin/signer.go
+++ b/internal/signer/darwin/signer.go
@@ -14,6 +14,7 @@ import (
"crypto/x509"
"encoding/gob"
"io"
+ "io/ioutil"
"log"
"net/rpc"
"os"
@@ -22,6 +23,17 @@ import (
"time"
)
+// If ECP Logging is enabled return true
+// Otherwise return false
+func enableECPLogging() bool {
+ if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
+ return true
+ }
+
+ log.SetOutput(ioutil.Discard)
+ return false
+}
+
func init() {
gob.Register(crypto.SHA256)
gob.Register(crypto.SHA384)
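Review bot: The comment on `enableECPLogging` does not mention its side effect: when the variable is unset it discards all standard-logger output for the process. A Go doc comment that starts with the name and states this would read `// enableECPLogging reports whether ENABLE_ENTERPRISE_CERTIFICATE_LOGS is set; when it is not, it discards standard-logger output.` The enabled branch never calls `log.SetOutput`, so logs go to the logger's default destination, stderr, while the README text added in this commit says stdout. The same comment sits on the copies in the client, cshared, linux and windows files; `init` continues outside the hunk.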
@@ -76,6 +88,7 @@ func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) {
}
func main() {
+ enableECPLogging()
if len(os.Args) != 2 {
log.Fatalln("Signer is not meant to be invoked manually, exiting...")
}
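Review bot: With the variable unset, `enableECPLogging()` has already discarded log output when `log.Fatalln("Signer is not meant to be invoked manually, exiting...")` runs, so the process exits non-zero without printing anything. Any later `log.Fatal*` call in the signer would be silenced the same way, which makes a failed signer start hard to diagnose (the rest of `main` is outside the hunk). Moving the `enableECPLogging()` call below the `len(os.Args) != 2` check keeps the usage message visible, and fatal paths after it could write to `os.Stderr` directly. The linux and windows `main` hunks have the same ordering.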
diff --git a/internal/signer/linux/signer.go b/internal/signer/linux/signer.go
index fe75cd9..d032523 100644
--- a/internal/signer/linux/signer.go
+++ b/internal/signer/linux/signer.go
@@ -15,6 +15,7 @@ import (
"crypto/x509"
"encoding/gob"
"io"
+ "io/ioutil"
"log"
"net/rpc"
"os"
@@ -22,6 +23,17 @@ import (
"time"
)
+// If ECP Logging is enabled return true
+// Otherwise return false
+func enableECPLogging() bool {
+ if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
+ return true
+ }
+
+ log.SetOutput(ioutil.Discard)
+ return false
+}
+
func init() {
gob.Register(crypto.SHA256)
gob.Register(crypto.SHA384)
@@ -76,6 +88,7 @@ func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) {
}
func main() {
+ enableECPLogging()
if len(os.Args) != 2 {
log.Fatalln("Signer is not meant to be invoked manually, exiting...")
}
diff --git a/internal/signer/windows/signer.go b/internal/signer/windows/signer.go
index ffa1977..3244047 100644
--- a/internal/signer/windows/signer.go
+++ b/internal/signer/windows/signer.go
@@ -14,6 +14,7 @@ import (
"crypto/x509"
"encoding/gob"
"io"
+ "io/ioutil"
"log"
"net/rpc"
"os"
@@ -22,6 +23,17 @@ import (
"time"
)
+// If ECP Logging is enabled return true
+// Otherwise return false
+func enableECPLogging() bool {
+ if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
+ return true
+ }
+
+ log.SetOutput(ioutil.Discard)
+ return false
+}
+
func init() {
gob.Register(crypto.SHA256)
gob.Register(crypto.SHA384)
@@ -76,6 +88,7 @@ func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) {
}
func main() {
+ enableECPLogging()
if len(os.Args) != 2 {
log.Fatalln("Signer is not meant to be invoked manually, exiting...")
}