make selection of packages configurable via GOPRIVATE

Carefully select a default that will do the right thing when inside a module, as well as when building ad-hoc packages. This means we no longer need to look at the compiler's -std flag, which is nice. Also replace foo.com/ with test/, as per golang/go#37641. Fixes #7.
5 years ago · 19e4c098cd
parent 04dea79b2d
commit 19e4c098cd
9 changed files with 108 additions and 65 deletions
--- a/README.md
+++ b/README.md
@ -38,6 +38,12 @@ It also wraps calls to the linker in order to:
 Finally, the tool requires the use of the `-trimpath` build flag, to ensure the
 binary doesn't include paths from the current filesystem.

+### Options
+
+By default, the tool garbles the packages under the current module. If not
+running in module mode, then only the main package is garbled. To specify what
+packages to garble, set `GOPRIVATE`, documented at `go help module-private`.
+
 ### Caveats

 Most of these can improve with time and effort. The purpose of this section is
@ -52,9 +58,6 @@ to document the current shortcomings of this tool.
 * Since no caching at all can take place right now (see the link above), fast
  incremental builds aren't possible. Large projects might be slow to build.

-* The standard library is never garbled when compiled, since the source is
-  always publicly available. See #7 for making this configurable.
-
 * Deciding what method names to garble is always going to be difficult, due to
  interfaces that could be implemented up or down the package import tree. At
  the moment, exported methods are never garbled.
--- a/gointernal.go
+++ b/gointernal.go
@ -0,0 +1,49 @@
+package main
+
+import (
+	"path"
+	"strings"
+)
+
+// All source code in this file is copied from the main Go repository, licensed
+// under the same license as this project, BSD-3-Clause.
+
+func GlobsMatchPath(globs, target string) bool {
+	for globs != "" {
+		// Extract next non-empty glob in comma-separated list.
+		var glob string
+		if i := strings.Index(globs, ","); i >= 0 {
+			glob, globs = globs[:i], globs[i+1:]
+		} else {
+			glob, globs = globs, ""
+		}
+		if glob == "" {
+			continue
+		}
+
+		// A glob with N+1 path elements (N slashes) needs to be matched
+		// against the first N+1 path elements of target,
+		// which end just before the N+1'th slash.
+		n := strings.Count(glob, "/")
+		prefix := target
+		// Walk target, counting slashes, truncating at the N+1'th slash.
+		for i := 0; i < len(target); i++ {
+			if target[i] == '/' {
+				if n == 0 {
+					prefix = target[:i]
+					break
+				}
+				n--
+			}
+		}
+		if n > 0 {
+			// Not enough prefix elements.
+			continue
+		}
+		matched, _ := path.Match(glob, prefix)
+		if matched {
+			return true
+		}
+	}
+	return false
+}
--- a/main.go
+++ b/main.go
@ -4,6 +4,7 @@
 package main

 import (
+	"bytes"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
@ -59,6 +60,9 @@ var (
 	garbledImporter = importer.ForCompiler(fset, "gc", func(path string) (io.ReadCloser, error) {
 		return os.Open(buildInfo.imports[path].packagefile)
 	}).(types.ImporterFrom)
+
+	envGarbleDir = os.Getenv("GARBLE_DIR")
+	envGoPrivate string // filled via 'go env' below to support 'go env -w'
 )

 // origLookup helps implement a types.Importer which finds the export data for
@ -67,11 +71,10 @@ var (
 // garble it.
 func origLookup(path string) (io.ReadCloser, error) {
 	cmd := exec.Command("go", "list", "-json", "-export", path)
-	dir := os.Getenv("GARBLE_DIR")
-	if dir == "" {
+	if envGarbleDir == "" {
 		return nil, fmt.Errorf("$GARBLE_DIR unset; did you run via 'garble build'?")
 	}
-	cmd.Dir = dir
+	cmd.Dir = envGarbleDir
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return nil, fmt.Errorf("go list error: %v: %s", err, out)
@ -93,11 +96,10 @@ func garbledImport(path string) (*types.Package, error) {
 	if ipkg.pkg != nil {
 		return ipkg.pkg, nil // cached
 	}
-	dir := os.Getenv("GARBLE_DIR")
-	if dir == "" {
+	if envGarbleDir == "" {
 		return nil, fmt.Errorf("$GARBLE_DIR unset; did you run via 'garble build'?")
 	}
-	pkg, err := garbledImporter.ImportFrom(path, dir, 0)
+	pkg, err := garbledImporter.ImportFrom(path, envGarbleDir, 0)
 	if err != nil {
 		return nil, err
 	}
@ -134,6 +136,12 @@ func main1() int {
 }

 func mainErr(args []string) error {
+	out, err := exec.Command("go", "env", "GOPRIVATE").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("%v: %s", err, out)
+	}
+	envGoPrivate = string(bytes.TrimSpace(out))
+
 	// If we recognise an argument, we're not running within -toolexec.
 	switch cmd := args[0]; cmd {
 	case "build", "test":
@ -142,6 +150,17 @@ func mainErr(args []string) error {
 			return err
 		}
 		os.Setenv("GARBLE_DIR", wd)
+
+		// If GOPRIVATE isn't set and we're in a module, use its module
+		// path as a GOPRIVATE default. Include a _test variant too.
+		if envGoPrivate == "" {
+			modpath, err := exec.Command("go", "list", "-m").CombinedOutput()
+			if err == nil {
+				path := string(bytes.TrimSpace(modpath))
+				os.Setenv("GOPRIVATE", path+","+path+"_test")
+			}
+		}
+
 		execPath, err := os.Executable()
 		if err != nil {
 			return err
@ -230,6 +249,10 @@ func transformCompile(args []string) ([]string, error) {
 		// Nothing to transform; probably just ["-V=full"].
 		return args, nil
 	}
+	pkgPath := flagValue(flags, "-p")
+	if !isPrivate(pkgPath) {
+		return args, nil
+	}
 	for i, path := range paths {
 		if filepath.Base(path) == "_gomod_.go" {
 			// never include module info
@ -247,9 +270,6 @@ func transformCompile(args []string) ([]string, error) {
 	if !strings.Contains(trimpath, ";") {
 		return nil, fmt.Errorf("-toolexec=garble should be used alongside -trimpath")
 	}
-	if flagValue(flags, "-std") == "true" {
-		return args, nil
-	}
 	if err := readBuildIDs(flags); err != nil {
 		return nil, err
 	}
@ -267,7 +287,6 @@ func transformCompile(args []string) ([]string, error) {
 		Defs: make(map[*ast.Ident]types.Object),
 		Uses: make(map[*ast.Ident]types.Object),
 	}
-	pkgPath := flagValue(flags, "-p")
 	if _, err := origTypesConfig.Check(pkgPath, fset, files, info); err != nil {
 		return nil, fmt.Errorf("typecheck error: %v", err)
 	}
@ -316,6 +335,18 @@ func transformCompile(args []string) ([]string, error) {
 	return args, nil
 }

+// isPrivate checks if GOPRIVATE matches pkgPath.
+//
+// To allow using garble without GOPRIVATE for standalone main packages, it will
+// default to not matching standard library packages.
+func isPrivate(pkgPath string) bool {
+	if pkgPath == "main" {
+		// TODO: why don't we see the full package path for main packages?
+		return true
+	}
+	return GlobsMatchPath(envGoPrivate, pkgPath)
+}
+
 func readBuildIDs(flags []string) error {
 	buildInfo.buildID = flagValue(flags, "-buildid")
 	switch buildInfo.buildID {
@ -376,7 +407,7 @@ func buildidOf(path string) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("%v: %s", err, out)
 	}
-	return trimBuildID(string(out)), nil
+	return trimBuildID(string(bytes.TrimSpace(out))), nil
 }

 func hashWith(salt, value string) string {
@ -464,8 +495,8 @@ func transformGo(file *ast.File, info *types.Info) *ast.File {
 					return true // universe scope
 				}
 				path := pkg.Path()
-				if isStandardLibrary(path) {
-					return true // std isn't transformed
+				if !isPrivate(path) {
+					return true // only private packages are transformed
 				}
 				if id := buildInfo.imports[path].buildID; id != "" {
 					garbledPkg, err := garbledImport(path)
@ -489,16 +520,6 @@ func transformGo(file *ast.File, info *types.Info) *ast.File {
 	return astutil.Apply(file, pre, nil).(*ast.File)
 }

-func isStandardLibrary(path string) bool {
-	switch path {
-	case "main":
-		// Main packages may not have fully qualified import paths, but
-		// they're not part of the standard library
-		return false
-	}
-	return !strings.Contains(path, ".")
-}
-
 // implementedOutsideGo returns whether a *types.Func does not have a body, for
 // example when it's implemented in assembly, or when one uses go:linkname.
 //
@ -558,34 +579,15 @@ func splitFlagsFromFiles(args []string, ext string) (flags, paths []string) {
 	return args, nil
 }

-// booleanFlag records which of the flags that we need are boolean. This
-// matters, because boolean flags never consume the following argument, while
-// non-boolean flags always do.
-//
-// For now, this stati
-func booleanFlag(name string) bool {
-	switch name {
-	case "-std":
-		return true
-	default:
-		return false
-	}
-}
-
 // flagValue retrieves the value of a flag such as "-foo", from strings in the
 // list of arguments like "-foo=bar" or "-foo" "bar".
 func flagValue(flags []string, name string) string {
-	isBool := booleanFlag(name)
 	for i, arg := range flags {
 		if val := strings.TrimPrefix(arg, name+"="); val != arg {
 			// -name=value
 			return val
 		}
 		if arg == name { // -name ...
-			if isBool {
-				// -name, equivalent to -name=true
-				return "true"
-			}
 			if i+1 < len(flags) {
 				// -name value
 				return flags[i+1]
@ -596,7 +598,6 @@ func flagValue(flags []string, name string) string {
 }

 func flagSetValue(flags []string, name, value string) []string {
-	isBool := booleanFlag(name)
 	for i, arg := range flags {
 		if strings.HasPrefix(arg, name+"=") {
 			// -name=value
@ -604,11 +605,6 @@ func flagSetValue(flags []string, name, value string) []string {
 			return flags
 		}
 		if arg == name { // -name ...
-			if isBool {
-				// -name, equivalent to -name=true
-				flags[i] = name + "=" + value
-				return flags
-			}
 			if i+1 < len(flags) {
 				// -name value
 				flags[i+1] = value
--- a/main_test.go
+++ b/main_test.go
@ -125,11 +125,6 @@ func TestFlagValue(t *testing.T) {
 		flagName string
 		want     string
 	}{
-		{"BoolAlone", []string{"-std"}, "-std", "true"},
-		{"BoolFollowed", []string{"-std", "-foo"}, "-std", "true"},
-		{"BoolFalse", []string{"-std=false"}, "-std", "false"},
-		{"BoolMissing", []string{"-foo"}, "-std", ""},
-		{"BoolEmpty", []string{"-std="}, "-std", ""},
 		{"StrSpace", []string{"-buildid", "bar"}, "-buildid", "bar"},
 		{"StrSpaceDash", []string{"-buildid", "-bar"}, "-buildid", "-bar"},
 		{"StrEqual", []string{"-buildid=bar"}, "-buildid", "bar"},
--- a/testdata/scripts/asm.txt
+++ b/testdata/scripts/asm.txt
@ -10,14 +10,14 @@ exec ./main
 cmp stdout main.stdout

 -- go.mod --
-module foo.com/main
+module test/main
 -- main.go --
 package main

 import (
 	"fmt"

-	"foo.com/main/imported"
+	"test/main/imported"
 )

 func privateAdd(x, y int64) int64
--- a/testdata/scripts/cgo.txt
+++ b/testdata/scripts/cgo.txt
@ -10,7 +10,7 @@ exec ./main
 cmp stdout main.stdout

 -- go.mod --
-module foo.com/main
+module test/main
 -- main.go --
 package main

--- a/testdata/scripts/imports.txt
+++ b/testdata/scripts/imports.txt
@ -17,7 +17,7 @@ exec ./main
 cmp stdout main.stdout

 -- go.mod --
-module foo.com/main
+module test/main
 -- main.go --
 package main

@ -25,7 +25,7 @@ import (
 	"fmt"
 	_ "unsafe"

-	"foo.com/main/imported"
+	"test/main/imported"

 	"rsc.io/quote"
 )
--- a/testdata/scripts/modinfo.txt
+++ b/testdata/scripts/modinfo.txt
@ -11,7 +11,7 @@ cmp stdout main.stdout-orig
 binsubstr main$exe '(devel)'

 -- go.mod --
-module foo.com/main
+module test/main
 -- main.go --
 package main

@ -24,6 +24,6 @@ func main() {
 	fmt.Println(debug.ReadBuildInfo())
 }
 -- main.stdout-orig --
-&{foo.com/main {foo.com/main (devel)  <nil>} []} true
+&{test/main {test/main (devel)  <nil>} []} true
 -- main.stdout --
 <nil> false
--- a/testdata/scripts/test.txt
+++ b/testdata/scripts/test.txt
@ -12,7 +12,7 @@ exec go test -v
 stdout 'PASS.*TestFoo'

 -- go.mod --
-module foo.com/bar
+module test/bar
 -- bar.go --
 package bar

@ -38,7 +38,7 @@ package bar_test
 import (
 	"testing"

-	"foo.com/bar"
+	"test/bar"
 )

 func TestSeparateFoo(t *testing.T) {