From 19e4c098cdfe190359a13d37330b8813bb8e42d1 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Daniel=20Mart=C3=AD?= <mvdan@mvdan.cc>
Date: Tue, 28 Apr 2020 21:42:39 +0100
Subject: [PATCH] make selection of packages configurable via GOPRIVATE

Carefully select a default that will do the right thing when inside a
module, as well as when building ad-hoc packages.

This means we no longer need to look at the compiler's -std flag, which
is nice.

Also replace foo.com/ with test/, as per golang/go#37641.

Fixes #7.
---
 README.md                    |  9 ++--
 gointernal.go                | 49 +++++++++++++++++++
 main.go                      | 92 +++++++++++++++++-------------------
 main_test.go                 |  5 --
 testdata/scripts/asm.txt     |  4 +-
 testdata/scripts/cgo.txt     |  2 +-
 testdata/scripts/imports.txt |  4 +-
 testdata/scripts/modinfo.txt |  4 +-
 testdata/scripts/test.txt    |  4 +-
 9 files changed, 108 insertions(+), 65 deletions(-)
 create mode 100644 gointernal.go

diff --git a/README.md b/README.md
index 9f5a8c3..9c25b96 100644
--- a/README.md
+++ b/README.md
@@ -38,6 +38,12 @@ It also wraps calls to the linker in order to:
 Finally, the tool requires the use of the `-trimpath` build flag, to ensure the
 binary doesn't include paths from the current filesystem.
 
+### Options
+
+By default, the tool garbles the packages under the current module. If not
+running in module mode, then only the main package is garbled. To specify what
+packages to garble, set `GOPRIVATE`, documented at `go help module-private`.
+
 ### Caveats
 
 Most of these can improve with time and effort. The purpose of this section is
@@ -52,9 +58,6 @@ to document the current shortcomings of this tool.
 * Since no caching at all can take place right now (see the link above), fast
   incremental builds aren't possible. Large projects might be slow to build.
 
-* The standard library is never garbled when compiled, since the source is
-  always publicly available. See #7 for making this configurable.
-
 * Deciding what method names to garble is always going to be difficult, due to
   interfaces that could be implemented up or down the package import tree. At
   the moment, exported methods are never garbled.
diff --git a/gointernal.go b/gointernal.go
new file mode 100644
index 0000000..47a854c
--- /dev/null
+++ b/gointernal.go
@@ -0,0 +1,49 @@
+package main
+
+import (
+	"path"
+	"strings"
+)
+
+// All source code in this file is copied from the main Go repository, licensed
+// under the same license as this project, BSD-3-Clause.
+
+func GlobsMatchPath(globs, target string) bool {
+	for globs != "" {
+		// Extract next non-empty glob in comma-separated list.
+		var glob string
+		if i := strings.Index(globs, ","); i >= 0 {
+			glob, globs = globs[:i], globs[i+1:]
+		} else {
+			glob, globs = globs, ""
+		}
+		if glob == "" {
+			continue
+		}
+
+		// A glob with N+1 path elements (N slashes) needs to be matched
+		// against the first N+1 path elements of target,
+		// which end just before the N+1'th slash.
+		n := strings.Count(glob, "/")
+		prefix := target
+		// Walk target, counting slashes, truncating at the N+1'th slash.
+		for i := 0; i < len(target); i++ {
+			if target[i] == '/' {
+				if n == 0 {
+					prefix = target[:i]
+					break
+				}
+				n--
+			}
+		}
+		if n > 0 {
+			// Not enough prefix elements.
+			continue
+		}
+		matched, _ := path.Match(glob, prefix)
+		if matched {
+			return true
+		}
+	}
+	return false
+}
diff --git a/main.go b/main.go
index 89b2c30..02f7ba8 100644
--- a/main.go
+++ b/main.go
@@ -4,6 +4,7 @@
 package main
 
 import (
+	"bytes"
 	"crypto/sha256"
 	"encoding/base64"
 	"encoding/json"
@@ -59,6 +60,9 @@ var (
 	garbledImporter = importer.ForCompiler(fset, "gc", func(path string) (io.ReadCloser, error) {
 		return os.Open(buildInfo.imports[path].packagefile)
 	}).(types.ImporterFrom)
+
+	envGarbleDir = os.Getenv("GARBLE_DIR")
+	envGoPrivate string // filled via 'go env' below to support 'go env -w'
 )
 
 // origLookup helps implement a types.Importer which finds the export data for
@@ -67,11 +71,10 @@ var (
 // garble it.
 func origLookup(path string) (io.ReadCloser, error) {
 	cmd := exec.Command("go", "list", "-json", "-export", path)
-	dir := os.Getenv("GARBLE_DIR")
-	if dir == "" {
+	if envGarbleDir == "" {
 		return nil, fmt.Errorf("$GARBLE_DIR unset; did you run via 'garble build'?")
 	}
-	cmd.Dir = dir
+	cmd.Dir = envGarbleDir
 	out, err := cmd.CombinedOutput()
 	if err != nil {
 		return nil, fmt.Errorf("go list error: %v: %s", err, out)
@@ -93,11 +96,10 @@ func garbledImport(path string) (*types.Package, error) {
 	if ipkg.pkg != nil {
 		return ipkg.pkg, nil // cached
 	}
-	dir := os.Getenv("GARBLE_DIR")
-	if dir == "" {
+	if envGarbleDir == "" {
 		return nil, fmt.Errorf("$GARBLE_DIR unset; did you run via 'garble build'?")
 	}
-	pkg, err := garbledImporter.ImportFrom(path, dir, 0)
+	pkg, err := garbledImporter.ImportFrom(path, envGarbleDir, 0)
 	if err != nil {
 		return nil, err
 	}
@@ -134,6 +136,12 @@ func main1() int {
 }
 
 func mainErr(args []string) error {
+	out, err := exec.Command("go", "env", "GOPRIVATE").CombinedOutput()
+	if err != nil {
+		return fmt.Errorf("%v: %s", err, out)
+	}
+	envGoPrivate = string(bytes.TrimSpace(out))
+
 	// If we recognise an argument, we're not running within -toolexec.
 	switch cmd := args[0]; cmd {
 	case "build", "test":
@@ -142,6 +150,17 @@ func mainErr(args []string) error {
 			return err
 		}
 		os.Setenv("GARBLE_DIR", wd)
+
+		// If GOPRIVATE isn't set and we're in a module, use its module
+		// path as a GOPRIVATE default. Include a _test variant too.
+		if envGoPrivate == "" {
+			modpath, err := exec.Command("go", "list", "-m").CombinedOutput()
+			if err == nil {
+				path := string(bytes.TrimSpace(modpath))
+				os.Setenv("GOPRIVATE", path+","+path+"_test")
+			}
+		}
+
 		execPath, err := os.Executable()
 		if err != nil {
 			return err
@@ -230,6 +249,10 @@ func transformCompile(args []string) ([]string, error) {
 		// Nothing to transform; probably just ["-V=full"].
 		return args, nil
 	}
+	pkgPath := flagValue(flags, "-p")
+	if !isPrivate(pkgPath) {
+		return args, nil
+	}
 	for i, path := range paths {
 		if filepath.Base(path) == "_gomod_.go" {
 			// never include module info
@@ -247,9 +270,6 @@ func transformCompile(args []string) ([]string, error) {
 	if !strings.Contains(trimpath, ";") {
 		return nil, fmt.Errorf("-toolexec=garble should be used alongside -trimpath")
 	}
-	if flagValue(flags, "-std") == "true" {
-		return args, nil
-	}
 	if err := readBuildIDs(flags); err != nil {
 		return nil, err
 	}
@@ -267,7 +287,6 @@ func transformCompile(args []string) ([]string, error) {
 		Defs: make(map[*ast.Ident]types.Object),
 		Uses: make(map[*ast.Ident]types.Object),
 	}
-	pkgPath := flagValue(flags, "-p")
 	if _, err := origTypesConfig.Check(pkgPath, fset, files, info); err != nil {
 		return nil, fmt.Errorf("typecheck error: %v", err)
 	}
@@ -316,6 +335,18 @@ func transformCompile(args []string) ([]string, error) {
 	return args, nil
 }
 
+// isPrivate checks if GOPRIVATE matches pkgPath.
+//
+// To allow using garble without GOPRIVATE for standalone main packages, it will
+// default to not matching standard library packages.
+func isPrivate(pkgPath string) bool {
+	if pkgPath == "main" {
+		// TODO: why don't we see the full package path for main packages?
+		return true
+	}
+	return GlobsMatchPath(envGoPrivate, pkgPath)
+}
+
 func readBuildIDs(flags []string) error {
 	buildInfo.buildID = flagValue(flags, "-buildid")
 	switch buildInfo.buildID {
@@ -376,7 +407,7 @@ func buildidOf(path string) (string, error) {
 	if err != nil {
 		return "", fmt.Errorf("%v: %s", err, out)
 	}
-	return trimBuildID(string(out)), nil
+	return trimBuildID(string(bytes.TrimSpace(out))), nil
 }
 
 func hashWith(salt, value string) string {
@@ -464,8 +495,8 @@ func transformGo(file *ast.File, info *types.Info) *ast.File {
 					return true // universe scope
 				}
 				path := pkg.Path()
-				if isStandardLibrary(path) {
-					return true // std isn't transformed
+				if !isPrivate(path) {
+					return true // only private packages are transformed
 				}
 				if id := buildInfo.imports[path].buildID; id != "" {
 					garbledPkg, err := garbledImport(path)
@@ -489,16 +520,6 @@ func transformGo(file *ast.File, info *types.Info) *ast.File {
 	return astutil.Apply(file, pre, nil).(*ast.File)
 }
 
-func isStandardLibrary(path string) bool {
-	switch path {
-	case "main":
-		// Main packages may not have fully qualified import paths, but
-		// they're not part of the standard library
-		return false
-	}
-	return !strings.Contains(path, ".")
-}
-
 // implementedOutsideGo returns whether a *types.Func does not have a body, for
 // example when it's implemented in assembly, or when one uses go:linkname.
 //
@@ -558,34 +579,15 @@ func splitFlagsFromFiles(args []string, ext string) (flags, paths []string) {
 	return args, nil
 }
 
-// booleanFlag records which of the flags that we need are boolean. This
-// matters, because boolean flags never consume the following argument, while
-// non-boolean flags always do.
-//
-// For now, this stati
-func booleanFlag(name string) bool {
-	switch name {
-	case "-std":
-		return true
-	default:
-		return false
-	}
-}
-
 // flagValue retrieves the value of a flag such as "-foo", from strings in the
 // list of arguments like "-foo=bar" or "-foo" "bar".
 func flagValue(flags []string, name string) string {
-	isBool := booleanFlag(name)
 	for i, arg := range flags {
 		if val := strings.TrimPrefix(arg, name+"="); val != arg {
 			// -name=value
 			return val
 		}
 		if arg == name { // -name ...
-			if isBool {
-				// -name, equivalent to -name=true
-				return "true"
-			}
 			if i+1 < len(flags) {
 				// -name value
 				return flags[i+1]
@@ -596,7 +598,6 @@ func flagValue(flags []string, name string) string {
 }
 
 func flagSetValue(flags []string, name, value string) []string {
-	isBool := booleanFlag(name)
 	for i, arg := range flags {
 		if strings.HasPrefix(arg, name+"=") {
 			// -name=value
@@ -604,11 +605,6 @@ func flagSetValue(flags []string, name, value string) []string {
 			return flags
 		}
 		if arg == name { // -name ...
-			if isBool {
-				// -name, equivalent to -name=true
-				flags[i] = name + "=" + value
-				return flags
-			}
 			if i+1 < len(flags) {
 				// -name value
 				flags[i+1] = value
diff --git a/main_test.go b/main_test.go
index 827d5fa..986b08f 100644
--- a/main_test.go
+++ b/main_test.go
@@ -125,11 +125,6 @@ func TestFlagValue(t *testing.T) {
 		flagName string
 		want     string
 	}{
-		{"BoolAlone", []string{"-std"}, "-std", "true"},
-		{"BoolFollowed", []string{"-std", "-foo"}, "-std", "true"},
-		{"BoolFalse", []string{"-std=false"}, "-std", "false"},
-		{"BoolMissing", []string{"-foo"}, "-std", ""},
-		{"BoolEmpty", []string{"-std="}, "-std", ""},
 		{"StrSpace", []string{"-buildid", "bar"}, "-buildid", "bar"},
 		{"StrSpaceDash", []string{"-buildid", "-bar"}, "-buildid", "-bar"},
 		{"StrEqual", []string{"-buildid=bar"}, "-buildid", "bar"},
diff --git a/testdata/scripts/asm.txt b/testdata/scripts/asm.txt
index f04140e..65ee650 100644
--- a/testdata/scripts/asm.txt
+++ b/testdata/scripts/asm.txt
@@ -10,14 +10,14 @@ exec ./main
 cmp stdout main.stdout
 
 -- go.mod --
-module foo.com/main
+module test/main
 -- main.go --
 package main
 
 import (
 	"fmt"
 
-	"foo.com/main/imported"
+	"test/main/imported"
 )
 
 func privateAdd(x, y int64) int64
diff --git a/testdata/scripts/cgo.txt b/testdata/scripts/cgo.txt
index 8279861..2d41ea2 100644
--- a/testdata/scripts/cgo.txt
+++ b/testdata/scripts/cgo.txt
@@ -10,7 +10,7 @@ exec ./main
 cmp stdout main.stdout
 
 -- go.mod --
-module foo.com/main
+module test/main
 -- main.go --
 package main
 
diff --git a/testdata/scripts/imports.txt b/testdata/scripts/imports.txt
index 6d48de5..04b82d4 100644
--- a/testdata/scripts/imports.txt
+++ b/testdata/scripts/imports.txt
@@ -17,7 +17,7 @@ exec ./main
 cmp stdout main.stdout
 
 -- go.mod --
-module foo.com/main
+module test/main
 -- main.go --
 package main
 
@@ -25,7 +25,7 @@ import (
 	"fmt"
 	_ "unsafe"
 
-	"foo.com/main/imported"
+	"test/main/imported"
 
 	"rsc.io/quote"
 )
diff --git a/testdata/scripts/modinfo.txt b/testdata/scripts/modinfo.txt
index c155c00..f99e963 100644
--- a/testdata/scripts/modinfo.txt
+++ b/testdata/scripts/modinfo.txt
@@ -11,7 +11,7 @@ cmp stdout main.stdout-orig
 binsubstr main$exe '(devel)'
 
 -- go.mod --
-module foo.com/main
+module test/main
 -- main.go --
 package main
 
@@ -24,6 +24,6 @@ func main() {
 	fmt.Println(debug.ReadBuildInfo())
 }
 -- main.stdout-orig --
-&{foo.com/main {foo.com/main (devel)  <nil>} []} true
+&{test/main {test/main (devel)  <nil>} []} true
 -- main.stdout --
 <nil> false
diff --git a/testdata/scripts/test.txt b/testdata/scripts/test.txt
index a5458d0..16cb5e8 100644
--- a/testdata/scripts/test.txt
+++ b/testdata/scripts/test.txt
@@ -12,7 +12,7 @@ exec go test -v
 stdout 'PASS.*TestFoo'
 
 -- go.mod --
-module foo.com/bar
+module test/bar
 -- bar.go --
 package bar
 
@@ -38,7 +38,7 @@ package bar_test
 import (
 	"testing"
 
-	"foo.com/bar"
+	"test/bar"
 )
 
 func TestSeparateFoo(t *testing.T) {