Add map command

4 months ago · 534e36651c
parent 515358b18d
commit 534e36651c
2 changed files with 325 additions and 163 deletions
--- a/main.go
+++ b/main.go
@ -431,6 +431,8 @@ func mainErr(args []string) error {
 		return nil
 	case "reverse":
 		return commandReverse(args)
+	case "map":
+		return commandMap(args)
 	case "build", "test", "run":
 		cmd, err := toolexecCmd(command, args)
 		defer func() {
@ -1867,52 +1869,15 @@ func (tf *transformer) useAllImports(file *ast.File) {
 	}
 }

-// transformGoFile obfuscates the provided Go syntax file.
-func (tf *transformer) transformGoFile(file *ast.File) *ast.File {
-	// Only obfuscate the literals here if the flag is on
-	// and if the package in question is to be obfuscated.
-	//
-	// We can't obfuscate literals in the runtime and its dependencies,
-	// because obfuscated literals sometimes escape to heap,
-	// and that's not allowed in the runtime itself.
-	if flagLiterals && tf.curPkg.ToObfuscate {
-		file = literals.Obfuscate(tf.obfRand, file, tf.info, tf.linkerVariableStrings)
-
-		// some imported constants might not be needed anymore, remove unnecessary imports
-		tf.useAllImports(file)
+// obfuscateObjectName returns the obfuscated name of the given types.Object.
+// If the object should not be obfuscated, transformObject returns
+// the original name of the object.
+func (tf *transformer) obfuscateObjectName(obj types.Object) string {
+	name := obj.Name()
+	if name == "" || name == "_" {
+		return name // unnamed remains unnamed
 	}

-	pre := func(cursor *astutil.Cursor) bool {
-		node, ok := cursor.Node().(*ast.Ident)
-		if !ok {
-			return true
-		}
-		name := node.Name
-		if name == "_" {
-			return true // unnamed remains unnamed
-		}
-		obj := tf.info.ObjectOf(node)
-		if obj == nil {
-			_, isImplicit := tf.info.Defs[node]
-			_, parentIsFile := cursor.Parent().(*ast.File)
-			if !isImplicit || parentIsFile {
-				// We only care about nil objects in the switch scenario below.
-				return true
-			}
-			// In a type switch like "switch foo := bar.(type) {",
-			// "foo" is being declared as a symbolic variable,
-			// as it is only actually declared in each "case SomeType:".
-			//
-			// As such, the symbolic "foo" in the syntax tree has no object,
-			// but it is still recorded under Defs with a nil value.
-			// We still want to obfuscate that syntax tree identifier,
-			// so if we detect the case, create a dummy types.Var for it.
-			//
-			// Note that "package mypkg" also denotes a nil object in Defs,
-			// and we don't want to treat that "mypkg" as a variable,
-			// so avoid that case by checking the type of cursor.Parent.
-			obj = types.NewVar(node.Pos(), tf.pkg, name, nil)
-		}
 	pkg := obj.Pkg()
 	if vr, ok := obj.(*types.Var); ok && vr.Embedded() {
 		// The docs for ObjectOf say:
@ -1954,14 +1919,14 @@ func (tf *transformer) transformGoFile(file *ast.File) *ast.File {
 		} else {
 			tname := namedType(obj.Type())
 			if tname == nil {
-					return true // unnamed type (probably a basic type, e.g. int)
+				return name // unnamed type (probably a basic type, e.g. int)
 			}
 			obj = tname
 		}
 		pkg = obj.Pkg()
 	}
 	if pkg == nil {
-			return true // universe scope
+		return name // universe scope
 	}

 	// TODO: We match by object name here, which is actually imprecise.
@ -1972,19 +1937,19 @@ func (tf *transformer) transformGoFile(file *ast.File) *ast.File {
 	switch path {
 	case "sync/atomic", "runtime/internal/atomic":
 		if name == "align64" {
-				return true
+			return name
 		}
 	case "embed":
 		// FS is detected by the compiler for //go:embed.
 		if name == "FS" {
-				return true
+			return name
 		}
 	case "reflect":
 		switch name {
 		// Per the linker's deadcode.go docs,
 		// the Method and MethodByName methods are what drive the logic.
 		case "Method", "MethodByName":
-				return true
+			return name
 		}
 	case "crypto/x509/pkix":
 		// For better or worse, encoding/asn1 detects a "SET" suffix on slice type names
@ -1993,13 +1958,13 @@ func (tf *transformer) transformGoFile(file *ast.File) *ast.File {
 		// TODO: we can surely do better; ideally propose a non-string-based solution
 		// upstream, or as a fallback, obfuscate to a name ending with "SET".
 		if strings.HasSuffix(name, "SET") {
-				return true
+			return name
 		}
 	}

 	// The package that declared this object did not obfuscate it.
 	if usedForReflect(tf.curPkgCache, obj) {
-			return true
+		return name
 	}

 	lpkg, err := listPackage(tf.curPkg, path)
@ -2007,7 +1972,7 @@ func (tf *transformer) transformGoFile(file *ast.File) *ast.File {
 		panic(err) // shouldn't happen
 	}
 	if !lpkg.ToObfuscate {
-			return true // we're not obfuscating this package
+		return name // we're not obfuscating this package
 	}
 	hashToUse := lpkg.GarbleActionID
 	debugName := "variable"
@ -2038,17 +2003,17 @@ func (tf *transformer) transformGoFile(file *ast.File) *ast.File {
 		if strct == nil {
 			panic("could not find struct for field " + name)
 		}
-			node.Name = hashWithStruct(strct, obj)
+		obfuscated := hashWithStruct(strct, obj)
 		if flagDebug { // TODO(mvdan): remove once https://go.dev/issue/53465 if fixed
-				log.Printf("%s %q hashed with struct fields to %q", debugName, name, node.Name)
+			log.Printf("%s %q hashed with struct fields to %q", debugName, name, obfuscated)
 		}
-			return true
+		return obfuscated

 	case *types.TypeName:
 		debugName = "type"
 	case *types.Func:
 		if compilerIntrinsics[path][name] {
-				return true
+			return name
 		}

 		sign := obj.Type().(*types.Signature)
@ -2058,24 +2023,74 @@ func (tf *transformer) transformGoFile(file *ast.File) *ast.File {
 			debugName = "method"
 		}
 		if obj.Exported() && sign.Recv() != nil {
-				return true // might implement an interface
+			return name // might implement an interface
 		}
 		switch name {
 		case "main", "init", "TestMain":
-				return true // don't break them
+			return name // don't break them
 		}
 		if strings.HasPrefix(name, "Test") && isTestSignature(sign) {
-				return true // don't break tests
+			return name // don't break tests
 		}
 	default:
-			return true // we only want to rename the above
+		return name // we only want to rename the above
 	}

-		node.Name = hashWithPackage(tf, lpkg, name)
+	obfuscated := hashWithPackage(tf, lpkg, name)
 	// TODO: probably move the debugf lines inside the hash funcs
 	if flagDebug { // TODO(mvdan): remove once https://go.dev/issue/53465 if fixed
-			log.Printf("%s %q hashed with %x… to %q", debugName, name, hashToUse[:4], node.Name)
+		log.Printf("%s %q hashed with %x… to %q", debugName, name, hashToUse[:4], obfuscated)
+	}
+	return obfuscated
+}
+
+// transformGoFile obfuscates the provided Go syntax file.
+func (tf *transformer) transformGoFile(file *ast.File) *ast.File {
+	// Only obfuscate the literals here if the flag is on
+	// and if the package in question is to be obfuscated.
+	//
+	// We can't obfuscate literals in the runtime and its dependencies,
+	// because obfuscated literals sometimes escape to heap,
+	// and that's not allowed in the runtime itself.
+	if flagLiterals && tf.curPkg.ToObfuscate {
+		file = literals.Obfuscate(tf.obfRand, file, tf.info, tf.linkerVariableStrings)
+
+		// some imported constants might not be needed anymore, remove unnecessary imports
+		tf.useAllImports(file)
+	}
+
+	pre := func(cursor *astutil.Cursor) bool {
+		node, ok := cursor.Node().(*ast.Ident)
+		if !ok {
+			return true
+		}
+		name := node.Name
+		if name == "_" {
+			return true // unnamed remains unnamed
+		}
+		obj := tf.info.ObjectOf(node)
+		if obj == nil {
+			_, isImplicit := tf.info.Defs[node]
+			_, parentIsFile := cursor.Parent().(*ast.File)
+			if !isImplicit || parentIsFile {
+				// We only care about nil objects in the switch scenario below.
+				return true
+			}
+			// In a type switch like "switch foo := bar.(type) {",
+			// "foo" is being declared as a symbolic variable,
+			// as it is only actually declared in each "case SomeType:".
+			//
+			// As such, the symbolic "foo" in the syntax tree has no object,
+			// but it is still recorded under Defs with a nil value.
+			// We still want to obfuscate that syntax tree identifier,
+			// so if we detect the case, create a dummy types.Var for it.
+			//
+			// Note that "package mypkg" also denotes a nil object in Defs,
+			// and we don't want to treat that "mypkg" as a variable,
+			// so avoid that case by checking the type of cursor.Parent.
+			obj = types.NewVar(node.Pos(), tf.pkg, name, nil)
 		}
+		node.Name = tf.obfuscateObjectName(obj)
 		return true
 	}
 	post := func(cursor *astutil.Cursor) bool {
--- a/map.go
+++ b/map.go
@ -0,0 +1,147 @@
+// Copyright (c) 2019, The Garble Authors.
+// See LICENSE for licensing information.
+
+package main
+
+import (
+	"encoding/json"
+	"flag"
+	"fmt"
+	"go/ast"
+	"go/types"
+	"os"
+
+	"golang.org/x/tools/go/types/objectpath"
+)
+
+// commandMap implements "garble map".
+func commandMap(args []string) error {
+	flags, pkgs := splitFlagsFromArgs(args)
+	if hasHelpFlag(flags) || len(args) == 0 {
+		fmt.Fprint(os.Stderr, `
+usage: garble [garble flags] map [build flags] packages...
+
+For example, after building an obfuscated program as follows:
+
+	garble -literals build -tags=mytag ./cmd/mycmd
+
+One can obtain an obfuscation map as follows:
+
+	garble -literals map -tags=mytag ./cmd/mycmd
+`[1:])
+		return errJustExit(2)
+	}
+
+	listArgs := []string{
+		"-json",
+		"-deps",
+		"-export",
+	}
+	listArgs = append(listArgs, flags...)
+	listArgs = append(listArgs, pkgs...)
+	// TODO: We most likely no longer need this "list -toolexec" call, since
+	// we use the original build IDs.
+	_, err := toolexecCmd("list", listArgs)
+	defer os.RemoveAll(os.Getenv("GARBLE_SHARED"))
+	if err != nil {
+		return err
+	}
+
+	// We don't actually run a main Go command with all flags,
+	// so if the user gave a non-build flag,
+	// we need this check to not silently ignore it.
+	if _, firstUnknown := filterForwardBuildFlags(flags); firstUnknown != "" {
+		// A bit of a hack to get a normal flag.Parse error.
+		// Longer term, "map" might have its own FlagSet.
+		return flag.NewFlagSet("", flag.ContinueOnError).Parse([]string{firstUnknown})
+	}
+
+	// A package's names are generally hashed with the action ID of its
+	// obfuscated build. We recorded those action IDs above.
+	// Note that we parse Go files directly to obtain the names, since the
+	// export data only exposes exported names. Parsing Go files is cheap,
+	// so it's unnecessary to try to avoid this cost.
+
+	type obfuscatedPackageInfo struct {
+		Path    string                     `json:"path"`
+		Objects map[objectpath.Path]string `json:"objects"`
+	}
+
+	result := make(map[string]obfuscatedPackageInfo, len(sharedCache.ListedPackages))
+
+	for _, lpkg := range sharedCache.ListedPackages {
+		if !lpkg.ToObfuscate {
+			continue
+		}
+
+		tf := transformer{
+			curPkg:       lpkg,
+			origImporter: importerForPkg(lpkg),
+		}
+
+		objectMap := make(map[objectpath.Path]string)
+		result[lpkg.ImportPath] = obfuscatedPackageInfo{
+			Path:    hashWithPackage(&tf, lpkg, lpkg.ImportPath),
+			Objects: objectMap,
+		}
+
+		files, err := parseFiles(lpkg.Dir, lpkg.CompiledGoFiles)
+		if err != nil {
+			return err
+		}
+
+		tf.pkg, tf.info, err = typecheck(lpkg.ImportPath, files, tf.origImporter)
+		if err != nil {
+			return err
+		}
+
+		tf.curPkgCache, err = loadPkgCache(lpkg, tf.pkg, files, tf.info, nil)
+		if err != nil {
+			return err
+		}
+
+		tf.fieldToStruct = computeFieldToStruct(tf.info)
+
+		var encoder objectpath.Encoder
+		visited := make(map[types.Object]bool) // Avoid duplicated work.
+
+		for _, file := range files {
+			ast.Inspect(file, func(node ast.Node) bool {
+				switch node := node.(type) {
+				case ast.Stmt:
+					// Skip statements as local objects have no object path.
+					return false
+
+				case *ast.Ident:
+					obj := tf.info.ObjectOf(node)
+					if obj == nil || obj.Pkg() != tf.pkg || visited[obj] {
+						return true
+					}
+
+					visited[obj] = true
+
+					obfuscated := tf.obfuscateObjectName(obj)
+					if obfuscated == obj.Name() {
+						return true
+					}
+
+					// This is probably costlier than obfuscation:
+					// run it only when necessary.
+					path, err := encoder.For(obj)
+					if err != nil {
+						return true
+					}
+
+					objectMap[path] = obfuscated
+
+				default:
+					return true
+				}
+
+				return true
+			})
+		}
+	}
+
+	return json.NewEncoder(os.Stdout).Encode(result)
+}