From 01149bf6876f229bae1908c56005ec8b7a014a27 Mon Sep 17 00:00:00 2001 From: William Yang Date: Wed, 17 Mar 2021 13:30:30 +0100 Subject: [PATCH] feat(compile): support debug_info encryption if EMQX_COMPILE_SECRET_FILE is set, debug_info of beam files would be encrypted. EMQX_COMPILE_SECRET_FILE contains secret string. --- rebar.config.erl | 27 ++++++++++++++++++++++----- 1 file changed, 22 insertions(+), 5 deletions(-) diff --git a/rebar.config.erl b/rebar.config.erl index 0f35b97b6..1479a9358 100644 --- a/rebar.config.erl +++ b/rebar.config.erl @@ -101,9 +101,20 @@ common_compile_opts() -> | [{d, 'EMQX_ENTERPRISE'} || is_enterprise()] ]. +prod_compile_opts(false) -> + prod_compile_opts(); +prod_compile_opts(SecretFile) -> + SecretText = get_compile_secret(SecretFile), + beam_lib:crypto_key_fun( + fun(init) -> ok; + (clear) -> ok; + ({debug_info, _Mode, _Module, _Filename}) -> SecretText + end + ), + [{debug_info_key, SecretText} | prod_compile_opts()]. + prod_compile_opts() -> [ compressed - , no_debug_info , warnings_as_errors | common_compile_opts() ]. @@ -115,16 +126,18 @@ test_compile_opts() -> profiles() -> Vsn = get_vsn(), - [ {'emqx', [ {erl_opts, prod_compile_opts()} + SecretFile = os:getenv("EMQX_COMPILE_SECRET_FILE"), + SecretFile =/= false andalso io:format("debug_info encryption enabled !~n"), + [ {'emqx', [ {erl_opts, prod_compile_opts(SecretFile)} , {relx, relx(Vsn, cloud, bin)} ]} - , {'emqx-pkg', [ {erl_opts, prod_compile_opts()} + , {'emqx-pkg', [ {erl_opts, prod_compile_opts(SecretFile)} , {relx, relx(Vsn, cloud, pkg)} ]} - , {'emqx-edge', [ {erl_opts, prod_compile_opts()} + , {'emqx-edge', [ {erl_opts, prod_compile_opts(SecretFile)} , {relx, relx(Vsn, edge, bin)} ]} - , {'emqx-edge-pkg', [ {erl_opts, prod_compile_opts()} + , {'emqx-edge-pkg', [ {erl_opts, prod_compile_opts(SecretFile)} , {relx, relx(Vsn, edge, pkg)} ]} , {check, [ {erl_opts, test_compile_opts()} @@ -457,6 +470,10 @@ list_dir(Dir) -> {ok, Names} = file:list_dir(Dir), [list_to_atom(Name) || Name <- Names, filelib:is_dir(filename:join([Dir, Name]))]. +get_compile_secret(SecretFile) -> + {ok, Secret} = file:read_file(SecretFile), + string:trim(binary_to_list(Secret)). + %% ==== Enterprise supports below ================================================================== ee_profiles(_Vsn) -> [].