Merge branch 'main' into add-bucket-fallback

Author: jfantinhardesty

.github/workflows/publish-release.yml

@@ -191,14 +191,11 @@ jobs:
       contents: write
 
     steps:
-      # libfuse-dev is required to build our command-line program
+      # libfuse-dev is required to build our command-line program and enable GoReleaser to build for ARM64
       - name: Install Libfuse
         run: |
-          sudo apt-get install -y libfuse-dev
-      # enable GoReleaser to build for ARM64
-      - name: Install ARM64 compilers
-        run: |
-          sudo apt-get install -y gcc-aarch64-linux-gnu
+          sudo apt-get update
+          sudo apt-get install -y gcc-aarch64-linux-gnu libfuse-dev
       # Get code and Go ready
       - name: Checkout code
         uses: actions/checkout@v4

CHANGELOG.md

@@ -1,5 +1,35 @@
 # Cloudfuse Changelog #
 
+## **1.9.1** ##
+
+March 6th 2025
+This version is based on [blobfuse2 2.3.2](https://github.com/Azure/azure-storage-fuse/releases/tag/blobfuse2-2.3.2) (upstream).
+
+### Bug Fixes ###
+
+- [#471](https://github.com/Seagate/cloudfuse/pull/471) Fix bug where passphrase for secure encryption was not properly decoded as base64
+
+## **1.9.0** ##
+
+March 4th 2025
+This version is based on [blobfuse2 2.3.2](https://github.com/Azure/azure-storage-fuse/releases/tag/blobfuse2-2.3.2) (upstream).
+
+### Changes ###
+
+- [#469](https://github.com/Seagate/cloudfuse/pull/469) Add enable-remount and disable-remount flags to CLI for Windows to better enable customizability on which mounts should remount on restart
+- [#467](https://github.com/Seagate/cloudfuse/pull/467) Fixed bug with creation of windows startup utility
+
+## **1.8.2** ##
+
+March 3rd 2025
+This version is based on [blobfuse2 2.3.2](https://github.com/Azure/azure-storage-fuse/releases/tag/blobfuse2-2.3.2) (upstream).
+
+### Changes ###
+
+- [#445](https://github.com/Seagate/cloudfuse/pull/462) Support custom SDDL strings on Windows to customize mount permissions
+- [#464](https://github.com/Seagate/cloudfuse/pull/464) No_gui installer now is able to restart mounts on restart if the user installs cloudfuse as a service
+- [#445](https://github.com/Seagate/cloudfuse/pull/450) GUI is able to mount as a drive letter on Windows
+
 ## **1.8.1** ##
 
 February 20th 2025
@@ -16,7 +46,6 @@ This version is based on [blobfuse2 2.3.2](https://github.com/Azure/azure-storag
 - [#444](https://github.com/Seagate/cloudfuse/pull/444) Fix issue when renaming directories
 - [#455](https://github.com/Seagate/cloudfuse/pull/455) Network share on Windows now correctly uses the hostname
 
-
 ## **1.8.0** ##
 
 February 4th 2025

WINDOWS.md

@@ -13,24 +13,71 @@ To run in foreground mode, you must pass the option `--foreground=true` when usi
 ## Running in background mode (recommended)
 
 Cloudfuse runs in the background by default. It uses the WinFSP launcher to run the mount in the background.
-Cloudfuse will also automatically restart existing mounts on user login.
 
         cloudfuse.exe mount <mount path> --config-file=<config file>
 
-To unmount a specific instance, use the unmount command. This will also prevent this mount from persisting on restarts.
+Cloudfuse can also automatically restart existing mounts on user login. To do so, pass the --enable-remount flag
+when mounting
+
+        cloudfuse.exe mount <mount path> --config-file=<config file> --enable-remount
+
+To unmount a specific instance, use the unmount command.
 
         cloudfuse.exe unmount <mount path>
 
+To unmount and also prevent this mount from persisting on restarts pass the --disable-remount flag.
+
+        cloudfuse.exe unmount <mount path> --disable-remount.
+
 Cloudfuse supports mounting any number of buckets.
 
-If the container is not automatically mounted on user login after a reboot, you may need to (re)install the Cloudfuse startup program:
+If the container is not automatically mounted on user login after a reboot, you may need to (re)install the Cloudfuse
+startup program:
 
         cloudfuse.exe service install
 
 To uninstall the Cloudfuse startup program use the uninstall command.
 
         cloudfuse.exe service uninstall
 
+## Windows Security and User Permissions
+
+By default, cloudfuse allows all users to read/write to the mounted directory. If you need specific permissions for your
+share you must provide them in your config file when you mount using cloudfuse. This requires you to generate and use
+Security Descriptor Definition Language (SDDL) strings to manage permissions. We provide a brief example for how to
+generate SDDL strings to change permissions.
+
+1. Ensure that you have WinFsp installed on your system:
+
+   If you used the standard cloudfuse installer on Windows, then WinFsp is already installed on your system.
+
+2. Find Your Account's SID and UID:
+
+   Use the fsptool utility to discover your account's SID and UID. Open a command prompt and run:
+
+        'C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe' id
+
+   This will output something like:
+
+        User=S-1-5-21-773277305-2169295204-1991566178-478888(user) (uid=21479625)
+        Owner=S-1-5-21-773277305-2169295204-1991566178-478888(user) (uid=21479625)
+        Group=S-1-5-21-773277305-2169295204-1991566178-478888(user) (gid=21479625)
+
+3. Generate SDDL for Specific Permissions: Use the fsptool to generate the SDDL string for your account's UID with
+specific permissions. For example, to generate an SDDL for rwx------ permissions:
+
+        'C:\Program Files (x86)\WinFsp\bin\fsptool-x64.exe' perm 21479625:0:700
+
+   This will output something like:
+
+        O:S-1-0-65534G:S-1-5-0D:P(A;;0x1f01bf;;;S-1-0-65534)(A;;0x120088;;;S-1-5-0)(A;;0x120088;;;WD) (perm=65534:0:0700)
+
+4. Edit your config file: Edit the libfuse section of the config.yaml file to include the windows-sddl entry. Add the
+SDDL string you generated in the previous step. For example:
+
+        libfuse:
+          windows-sddl: O:S-1-0-65534G:S-1-5-0D:P(A;;0x1f01bf;;;S-1-0-65534)(A;;0x120088;;;S-1-5-0)(A;;0x120088;;;WD)
+
 ## Filename Limitations
 
 As Cloudfuse supports both Windows and Linux as well as Azure and S3 storage, there are naming restrictions that must be

build/windows_installer_build.iss

@@ -3,7 +3,7 @@
 ; https://jrsoftware.org/ishelp/index.php
 
 #define MyAppName "Cloudfuse"
-#define MyAppVersion "1.8.1"
+#define MyAppVersion "1.9.1"
 #define MyAppPublisher "SEAGATE TECHNOLOGY LLC"
 #define MyAppURL "https://github.com/Seagate/cloudfuse"
 #define MyAppExeName "cloudfuseGUI.exe"

build/windows_installer_build_no_gui.iss

@@ -3,7 +3,7 @@
 ; https://jrsoftware.org/ishelp/index.php
 
 #define MyAppName "Cloudfuse"
-#define MyAppVersion "1.8.1"
+#define MyAppVersion "1.9.1"
 #define MyAppPublisher "SEAGATE TECHNOLOGY LLC"
 #define MyAppURL "https://github.com/Seagate/cloudfuse"
 #define MyAppExeCLIName "cloudfuse.exe"
@@ -44,6 +44,7 @@ Name: "{userappdata}\{#MyAppName}"; Flags: uninsalwaysuninstall
 [Files]
 Source: "..\cloudfuse.exe"; DestDir: "{app}"; Flags: ignoreversion
 Source: "..\cfusemon.exe"; DestDir: "{app}"; Flags: ignoreversion
+Source: "..\windows-startup.exe"; DestDir: "{app}"; Flags: ignoreversion
 Source: "..\NOTICE"; DestDir: "{app}"; Flags: ignoreversion
 Source: "..\LICENSE"; DestDir: "{app}"; Flags: ignoreversion
 Source: "..\README.md"; DestDir: "{app}"; Flags: ignoreversion
@@ -100,10 +101,10 @@ begin
       end;
     end;
 
-    // Add Cloudfuse registry
-    if not Exec(ExpandConstant('{app}\{#MyAppExeCLIName}'), 'service add-registry', '', SW_HIDE, ewWaitUntilTerminated, ResultCode) then
+    // Install the Cloudfuse Startup Tool
+    if not Exec(ExpandConstant('{app}\{#MyAppExeCLIName}'), 'service install', '', SW_HIDE, ewWaitUntilTerminated, ResultCode) then
     begin
-      SuppressibleMsgBox('Failed to add cloudfuse registry. This will prevent cloudfuse from starting.', mbError, MB_OK, IDOK);
+      SuppressibleMsgBox('Failed to install cloudfuse as a service. You may need to do this manually from the command line.', mbError, MB_OK, IDOK);
     end;
   end;
 end;
@@ -114,10 +115,10 @@ var
 begin
   if CurUninstallStep = usUninstall then
   begin
-    // Remove Cloudfuse registry
-    if not Exec(ExpandConstant('{app}\{#MyAppExeCLIName}'), 'service remove-registry', '', SW_HIDE, ewWaitUntilTerminated, ResultCode) then
+    // Install the Cloudfuse Startup Tool
+    if not Exec(ExpandConstant('{app}\{#MyAppExeCLIName}'), 'service uninstall', '', SW_HIDE, ewWaitUntilTerminated, ResultCode) then
     begin
-      SuppressibleMsgBox('Failed to remove cloudfuse registry.', mbError, MB_OK, IDOK);
+      SuppressibleMsgBox('Failed to remove cloudfuse as a service.', mbError, MB_OK, IDOK);
     end;
 
     // Ask the user if they would like to also uninstall WinFSP

cmd/config-gen.go

@@ -26,6 +26,8 @@
 package cmd
 
 import (
+	"encoding/base64"
+	"errors"
 	"fmt"
 	"os"
 	"regexp"
@@ -111,9 +113,11 @@ var generateConfig = &cobra.Command{
 	FlagErrorHandling: cobra.ExitOnError,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		var templateConfig []byte
-		var err error
 
-		encryptedPassphrase = memguard.NewEnclave([]byte(opts.passphrase))
+		err := validateGenConfigOptions()
+		if err != nil {
+			return fmt.Errorf("failed to validate options [%s]", err.Error())
+		}
 
 		templateConfig, err = os.ReadFile(opts.configFilePath)
 		if err != nil {
@@ -152,6 +156,24 @@ var generateConfig = &cobra.Command{
 	},
 }
 
+func validateGenConfigOptions() error {
+	if opts.passphrase == "" {
+		opts.passphrase = os.Getenv(SecureConfigEnvName)
+		if opts.passphrase == "" {
+			return errors.New("provide the passphrase as a cli parameter or configure the CLOUDFUSE_SECURE_CONFIG_PASSPHRASE environment variable")
+		}
+	}
+
+	_, err := base64.StdEncoding.DecodeString(string(opts.passphrase))
+	if err != nil {
+		return fmt.Errorf("passphrase is not valid base64 encoded [%s]", err.Error())
+	}
+
+	encryptedPassphrase = memguard.NewEnclave([]byte(opts.passphrase))
+
+	return nil
+}
+
 func init() {
 	rootCmd.AddCommand(generateTestConfig)
 	generateTestConfig.Flags().StringVar(&opts.configFilePath, "config-file", "", "Input config file.")

cmd/mount.go

@@ -82,6 +82,7 @@ type mountOptions struct {
 	MonitorOpt        monitorOptions `config:"health_monitor"`
 	WaitForMount      time.Duration  `config:"wait-for-mount"`
 	LazyWrite         bool           `config:"lazy-write"`
+	EnableRemount     bool
 
 	// v1 support
 	Streaming      bool     `config:"streaming"`
@@ -328,7 +329,7 @@ var mountCmd = &cobra.Command{
 				return errors.New("config file does not exist")
 			}
 			// mount using WinFSP, and persist on reboot
-			err = createMountInstance()
+			err = createMountInstance(options.EnableRemount)
 			if err != nil {
 				return fmt.Errorf("failed to mount instance [%s]", err.Error())
 			}
@@ -745,6 +746,11 @@ func init() {
 	config.BindPFlag("basic-remount-check", mountCmd.Flags().Lookup("basic-remount-check"))
 	mountCmd.Flags().Lookup("basic-remount-check").Hidden = true
 
+	if runtime.GOOS == "windows" {
+		mountCmd.Flags().BoolVar(&options.EnableRemount, "enable-remount", true, "Remount mount on server restart.")
+		config.BindPFlag("enable-remount", mountCmd.Flags().Lookup("enable-remount"))
+	}
+
 	mountCmd.PersistentFlags().StringSliceVarP(&options.LibfuseOptions, "o", "o", []string{}, "FUSE options.")
 	config.BindPFlag("libfuse-options", mountCmd.PersistentFlags().ShorthandLookup("o"))
 	mountCmd.PersistentFlags().ShorthandLookup("o").Hidden = true

cmd/mount_linux.go

@@ -131,6 +131,6 @@ func sigusrHandler(pipeline *internal.Pipeline, ctx context.Context) daemon.Sign
 }
 
 // stub for compilation
-func createMountInstance() error {
+func createMountInstance(bool) error {
 	return nil
 }

cmd/mount_windows.go

@@ -42,15 +42,17 @@ func createDaemon(pipeline *internal.Pipeline, ctx context.Context, pidFileName
 }
 
 // Use WinFSP to mount and if successful, add instance to persistent mount list
-func createMountInstance() error {
+func createMountInstance(enableRemount bool) error {
 	err := winservice.StartMount(options.MountPath, options.ConfigFile, encryptedPassphrase)
 	if err != nil {
 		return err
 	}
 	// Add the mount to the JSON file so it persists on restart.
-	err = winservice.AddMountJSON(options.MountPath, options.ConfigFile)
-	if err != nil {
-		return fmt.Errorf("failed to add entry to json file [%s]", err.Error())
+	if enableRemount {
+		err = winservice.AddMountJSON(options.MountPath, options.ConfigFile)
+		if err != nil {
+			return fmt.Errorf("failed to add entry to json file [%s]", err.Error())
+		}
 	}
 	return nil
 }

cmd/secure_test.go

@@ -130,6 +130,27 @@ func (suite *secureConfigTestSuite) TestSecureConfigEncrypt() {
 	suite.assert.NoFileExists(confFile.Name())
 }
 
+func (suite *secureConfigTestSuite) TestSecureConfigEncrypt2() {
+	defer suite.cleanupTest()
+	confFile, _ := os.CreateTemp("", "conf*.yaml")
+	outFile, _ := os.CreateTemp("", "conf*.yaml")
+	passphrase := "hvHlJUKlmZql3gLAcP6Ho41Js5rm8zUAKnwGb1lIffg="
+
+	defer os.Remove(confFile.Name())
+	defer os.Remove(outFile.Name())
+
+	_, err := confFile.WriteString(testPlainTextConfig)
+	suite.assert.NoError(err)
+
+	confFile.Close()
+
+	_, err = executeCommandSecure(rootCmd, "secure", "encrypt", fmt.Sprintf("--config-file=%s", confFile.Name()), fmt.Sprintf("--passphrase=%s", passphrase), fmt.Sprintf("--output-file=%s", outFile.Name()))
+	suite.assert.NoError(err)
+
+	// Config file should be deleted
+	suite.assert.NoFileExists(confFile.Name())
+}
+
 func (suite *secureConfigTestSuite) TestSecureConfigEncryptNoOutfile() {
 	defer suite.cleanupTest()
 	confFile, _ := os.CreateTemp("", "conf*.yaml")
@@ -237,6 +258,40 @@ func (suite *secureConfigTestSuite) TestSecureConfigDecrypt() {
 	os.Remove(confFile.Name() + "." + SecureConfigExtension)
 }
 
+func (suite *secureConfigTestSuite) TestSecureConfigDecrypt2() {
+	defer suite.cleanupTest()
+	confFile, _ := os.CreateTemp("", "conf*.yaml")
+	outFile, _ := os.CreateTemp("", "conf*.yaml")
+	passphrase := "hvHlJUKlmZql3gLAcP6Ho41Js5rm8zUAKnwGb1lIffg="
+	fmt.Println(passphrase)
+
+	defer os.Remove(confFile.Name())
+	defer os.Remove(outFile.Name())
+
+	_, err := confFile.WriteString(testPlainTextConfig)
+	suite.assert.NoError(err)
+
+	confFile.Close()
+	outFile.Close()
+
+	_, err = executeCommandSecure(rootCmd, "secure", "encrypt", fmt.Sprintf("--config-file=%s", confFile.Name()), fmt.Sprintf("--passphrase=%s", passphrase), fmt.Sprintf("--output-file=%s", outFile.Name()))
+	suite.assert.NoError(err)
+
+	// Config file should be deleted
+	suite.assert.NoFileExists(confFile.Name())
+
+	_, err = executeCommandSecure(rootCmd, "secure", "decrypt", fmt.Sprintf("--config-file=%s", outFile.Name()), fmt.Sprintf("--passphrase=%s", passphrase), fmt.Sprintf("--output-file=./tmp.yaml"))
+	suite.assert.NoError(err)
+
+	data, err := os.ReadFile("./tmp.yaml")
+	suite.assert.NoError(err)
+
+	suite.assert.Equal(testPlainTextConfig, string(data))
+
+	os.Remove("./tmp.yaml")
+	os.Remove(confFile.Name() + "." + SecureConfigExtension)
+}
+
 func (suite *secureConfigTestSuite) TestSecureConfigDecryptNoOutputFile() {
 	defer suite.cleanupTest()
 	confFile, _ := os.CreateTemp("", "conf*.yaml")

cmd/service_windows.go

@@ -70,13 +70,9 @@ var installCmd = &cobra.Command{
 	Example:           "cloudfuse service install",
 	FlagErrorHandling: cobra.ExitOnError,
 	RunE: func(cmd *cobra.Command, args []string) error {
-		dir, err := os.Getwd()
-		if err != nil {
-			return fmt.Errorf("unable to determine location of cloudfuse binary [%s]", err.Error())
-		}
-		programPath := filepath.Join(dir, "windows-startup.exe")
+		programPath := filepath.Join("C:", "Program Files", "Cloudfuse", "windows-startup.exe")
 		startupPath := filepath.Join(os.Getenv("APPDATA"), "Microsoft", "Windows", "Start Menu", "Programs", "Startup", StartupName)
-		err = makeLink(programPath, startupPath)
+		err := makeLink(programPath, startupPath)
 		if err != nil {
 			return fmt.Errorf("unable to create startup link [%s]", err.Error())
 		}