From 8948c6af531a0564148358043c060586e7771ce3 Mon Sep 17 00:00:00 2001 From: Douglas Vought Date: Fri, 30 Aug 2024 04:42:13 -0400 Subject: [PATCH] Support modules with encrypted debug info Addresses #1928. - Add configuration options to support decrypting debug info - Update documentation with new options, examples, and advice - Update test helper so that debug info options are forwarded to the compiler - Add basic tests - Update changelog --- CHANGELOG.md | 1 + lib/ex_doc/config.ex | 36 ++++++++++++++ lib/ex_doc/retriever.ex | 21 +++++++- lib/mix/tasks/docs.ex | 72 +++++++++++++++++++++++++++ test/ex_doc/config_test.exs | 54 ++++++++++++++++++++ test/ex_doc/retriever/erlang_test.exs | 56 +++++++++++++++++++++ test/ex_doc/retriever_test.exs | 10 ++++ test/test_helper.exs | 16 ++++-- 8 files changed, 259 insertions(+), 7 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 88c04679b..4a4d2f573 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -6,6 +6,7 @@ * Improve warning when referencing type from a private module * Rename "Search HexDocs package" modal to "Go to package docs". Support built-in Erlang/OTP apps. + * Support modules with encrypted debug info * Bug fixes * Switch anchor `title` to `aria-label` diff --git a/lib/ex_doc/config.ex b/lib/ex_doc/config.ex index b20debced..cd6811354 100644 --- a/lib/ex_doc/config.ex +++ b/lib/ex_doc/config.ex @@ -21,6 +21,7 @@ defmodule ExDoc.Config do before_closing_head_tag: &__MODULE__.before_closing_head_tag/1, canonical: nil, cover: nil, + debug_info_fn: nil, deps: [], extra_section: nil, extras: [], @@ -50,6 +51,10 @@ defmodule ExDoc.Config do title: nil, version: nil + @typep debug_info_fn_arg :: :init | :clear | {:debug_info, atom(), module(), :file.filename()} + @typep debug_info_fn :: (debug_info_fn_arg -> + :ok | {:ok, (debug_info_fn_arg -> term())} | {:error, term()}) + @type t :: %__MODULE__{ annotations_for_docs: (map() -> list()), api_reference: boolean(), 
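Review bot: The `@typep debug_info_fn` return type in the config.ex hunk leaves out the one value `:beam_lib` actually consumes: for the `{:debug_info, mode, module, filename}` argument the fun must return the key as a charlist, which `default_debug_info_fn/1` later in this patch and the `Mix.Tasks.Docs` docs both rely on, while `:ok` / `{:ok, fun}` / `{:error, _}` are only meaningful for `:init`. A reader of the spec would conclude that returning `:ok` is valid for every argument. I would spell it out: `@typep debug_info_fn :: (debug_info_fn_arg -> :ok | charlist() | {:ok, (debug_info_fn_arg -> term())} | {:error, term()})`. Since the public `t()` references this type, consider making it a `@type` so the contract shows up in the generated docs rather than behind a private name.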
@@ -61,6 +66,7 @@ defmodule ExDoc.Config do
 before_closing_head_tag: (atom() -> String.t()) | mfa() | map(),
 canonical: nil | String.t(),
 cover: nil | Path.t(),
+ debug_info_fn: nil | debug_info_fn(),
 deps: [{ebin_path :: String.t(), doc_url :: String.t()}],
 extra_section: nil | String.t(),
 extras: list(),
@@ -120,7 +126,23 @@ defmodule ExDoc.Config do
 guess_url(options[:source_url], options[:source_ref] || @default_source_ref)
 end)
+ {debug_info_key, options} = Keyword.pop(options, :debug_info_key)
+
+ {debug_info_fn, options} =
+ case Keyword.pop(options, :debug_info_fn) do
+ {nil, options} -> Keyword.pop(options, :debug_info_fun)
+ {debug_info_fn, options} -> {debug_info_fn, options}
+ end
+
+ debug_info_fn =
+ cond do
+ debug_info_fn != nil -> debug_info_fn
+ debug_info_key != nil -> default_debug_info_fn(debug_info_key)
+ true -> nil
+ end
+
 preconfig = %__MODULE__{
+ debug_info_fn: debug_info_fn,
 filter_modules: normalize_filter_modules(filter_modules),
 groups_for_modules: normalize_groups_for_modules(groups_for_modules),
 homepage_url: options[:homepage_url],
@@ -224,4 +246,18 @@ defmodule ExDoc.Config do
 defp append_slash(url) do
 if :binary.last(url) == ?/, do: url, else: url <> "/"
 end
+
+ defp default_debug_info_fn(key) do
+ key =
+ case key do
+ {_mode, key} -> to_charlist(key)
+ key -> to_charlist(key)
+ end
+
+ fn
+ :init -> :ok
+ :clear -> :ok
+ {:debug_info, _mode, _module, _filename} -> key
+ end
+ end
 end
diff --git a/lib/ex_doc/retriever.ex b/lib/ex_doc/retriever.ex
index aaa30cfbf..64f87ecca 100644
--- a/lib/ex_doc/retriever.ex
+++ b/lib/ex_doc/retriever.ex
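Review bot: `default_debug_info_fn/1` in the last hunk matches `{_mode, key}` and throws the mode away, so `debug_info_key: {:aes_gcm, "x"}` (or any typo) is silently accepted and only fails later inside `:beam_lib` with a generic decryption error; as far as I recall `:beam_lib` reads the cipher from the chunk itself, so the only meaningful tuple form is the documented `{:des3_cbc, key}`. I would narrow the clause and fail loudly: `{:des3_cbc, key} -> to_charlist(key)` followed by `{mode, _} -> raise ArgumentError, "unsupported :debug_info_key mode #{inspect(mode)}, only :des3_cbc is supported"`, keeping the bare `key -> to_charlist(key)` clause last. Note also that the returned closure captures the plaintext key for the lifetime of the `%ExDoc.Config{}` struct, which travels through the whole retrieval/formatting pipeline, so that struct should be treated as sensitive (`inspect/1` prints only `#Function<…>`, but `:erlang.fun_info/2` exposes the captured environment). In the `build` hunk, when `:debug_info_fn` is given `:debug_info_fun` is never popped and stays in `options`; that is harmless only if the rest of `build/3`, outside this hunk, ignores unknown keys.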
@@ -80,7 +80,7 @@ defmodule ExDoc.Retriever do
 end
 defp get_module(module, config) do
- with {:docs_v1, _, language, _, _, _metadata, _} = docs_chunk <- docs_chunk(module),
+ with {:docs_v1, _, language, _, _, _metadata, _} = docs_chunk <- docs_chunk(module, config),
 {:ok, language} <- ExDoc.Language.get(language, module),
 %{} = module_data <- language.module_data(module, docs_chunk, config) do
 {:ok, generate_node(module, module_data, config)}
@@ -90,7 +90,11 @@ defmodule ExDoc.Retriever do
 end
 end
- defp docs_chunk(module) do
+ defp docs_chunk(module, config) do
+ if debug_info_fn = config.debug_info_fn do
+ set_crypto_key_fn(debug_info_fn)
+ end
+
 result = Code.fetch_docs(module)
 Refs.insert_from_chunk(module, result)
@@ -496,4 +500,17 @@ defmodule ExDoc.Retriever do
 defp source_link(source, line) do
 Utils.source_url_pattern(source.url, source.path |> Path.relative_to(File.cwd!()), line)
 end
+
+ @doc false
+ def set_crypto_key_fn(crypto_key_fn) do
+ :beam_lib.clear_crypto_key_fun()
+
+ case :beam_lib.crypto_key_fun(crypto_key_fn) do
+ {:error, reason} ->
+ raise Error, "failed to set crypto_key_fun: #{inspect(reason)}"
+
+ other ->
+ other
+ end
+ end
 end
diff --git a/lib/mix/tasks/docs.ex b/lib/mix/tasks/docs.ex
index 250d037fb..ff0dfecd3 100644
--- a/lib/mix/tasks/docs.ex
+++ b/lib/mix/tasks/docs.ex
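Review bot: `docs_chunk/2` registers the user's key fun with `:beam_lib` for every module and nothing in this patch ever clears it, so after `mix docs` returns the decryption key fun stays registered in `:beam_lib`'s VM-global key server for the rest of the VM's life (an IEx session, or other tasks run in the same `mix` invocation) and anything that later reads an encrypted chunk gets it decrypted for free. The per-module `clear_crypto_key_fun` + `crypto_key_fun` round trip also re-runs the caller's `:init` clause once per module, which breaks key funs that do real work on `:init` or return `{:ok, fun}` with state. I would register the fun once around the whole module loop in `docs_from_modules/2` (outside this hunk), clear it in an `after`, and drop the call from `docs_chunk/2`; the helper below does that. If the retriever ever processes modules concurrently this must remain a single registration, since the key server is global.

```elixir
  @doc false
  def with_crypto_key_fn(nil, fun), do: fun.()

  def with_crypto_key_fn(crypto_key_fn, fun) do
    set_crypto_key_fn(crypto_key_fn)

    try do
      fun.()
    after
      # :beam_lib keeps the key fun in a VM-global server; drop it once docs are read
      :beam_lib.clear_crypto_key_fun()
    end
  end

  defp docs_chunk(module, _config) do
    # … unchanged: Code.fetch_docs/1 and Refs.insert_from_chunk/2 …
  end
```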
@@ -100,6 +100,16 @@ defmodule Mix.Tasks.Docs do the "assets" directory in the output path under the name "cover" and the appropriate extension. This option has no effect when using the "html" formatter. + * `:debug_info_key` - The key to be used to decrypt debug info that was encrypted during + compilation. This option will be ignored if `:debug_info_fn` or `:debug_info_fun` is provided. + See [Encrypted debug info](`m:Mix.Tasks.Docs#module-encrypted-debug-info`). + + * `:debug_info_fn` / `:debug_info_fun` - A function that will be provided to + `:beam_lib.crypto_key_fun/1` to decrypt debug info that was encrypted during compilation. If + both `:debug_info_fn` and `:debug_info_fun` are provided, `:debug_info_fun` will be ignored. + If this option is provided, `:debug_info_key` will be ignored. See + [Encrypted debug info](`m:Mix.Tasks.Docs#module-encrypted-debug-info`). + * `:deps` - A keyword list application names and their documentation URL. ExDoc will by default include all dependencies and assume they are hosted on HexDocs. This can be overridden by your own values. Example: `[plug: "https://myserver/plug/"]` 
@@ -200,6 +210,68 @@ defmodule Mix.Tasks.Docs do where path is either an relative path from the cwd, or an absolute path. The function must return the full URI as it should be placed in the documentation. + ## Encrypted debug info + + If a module is compiled with [encrypted debug info](`:compile.file/2`), ExDoc will not be able to + extract its documentation without first setting a decryption function or utilizing + `.erlang.crypt` as prescribed by `m::beam_lib#module-encrypted-debug-information`. Two + convenience options (see below) are provided to avoid having to call `:beam_lib.crypto_key_fun/1` + out-of-band and/or to avoid using `.erlang.crypt`. + + If you prefer to set the key out-of-band, follow the instructions provided in the + `m::beam_lib#module-encrypted-debug-information` module documentation. + + > ### Key exposure {: .warning} + > + > Avoid adding keys directly to your `mix.exs` file. Instead, use an environment variable, an + > external documentation config file, or a + > [closure](https://erlef.github.io/security-wg/secure_coding_and_deployment_hardening/sensitive_data#wrapping). + + ### `:debug_info_key` + + This option can be provided if you only have one key for all encrypted modules. A `t:charlist/0`, + `t:String.t/0`, or tuple of `{:des3_cbc, charlist() | String.t()}` can be used. + + ### `:debug_info_fn` / `:debug_info_fun` + + This option can be provided if you have multiple keys, want more control over key retrieval, or + would like to wrap your key(s) in a closure. `:debug_info_key` will be ignored if this option is + also present. `:debug_info_fun` will be ignored if `:debug_info_fn` is already present. + + While a module can be encrypted using a tuple key such as `{:des3_cbc, ~c"secret"}`, the function + that provides the key must return a regular charlist. In other words, the function should return + `~c"secret"`, not `{:des3_cbc, ~c"secret"}`. 
+ + A basic function that provides the decryption key `SECRET`: + + + + ### Elixir + + ⚠️ The key returned must be a `t:charlist/0`! + + ```elixir + fn + :init -> :ok, + {:debug_info, _mode, _module, _filename} -> ~c"SECRET" + :clear -> :ok + end + ``` + + ### Erlang + + ```erlang + fun + (init) -> ok; + ({debug_info, _Mode, _Module, _Filename}) -> "SECRET"; + (clear) -> ok + end. + ``` + + + + See `:beam_lib.crypto_key_fun/1` for more information. + ## Groups ExDoc content can be organized in groups. This is done via the `:groups_for_extras` diff --git a/test/ex_doc/config_test.exs b/test/ex_doc/config_test.exs index fd348284c..3d2c79357 100644 --- a/test/ex_doc/config_test.exs +++ b/test/ex_doc/config_test.exs 
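Review bot: The Elixir example in the new "Encrypted debug info" section does not compile: `:init -> :ok,` carries a trailing comma, which is a syntax error between `fn … end` clauses, so anyone pasting it into `mix.exs` gets a `SyntaxError` instead of a working key fun. Change it to `:init -> :ok`. It is also worth one sentence in this section stating that the fun handed to `:beam_lib.crypto_key_fun/1` is held by `:beam_lib`'s VM-wide key server and, unless `:beam_lib.clear_crypto_key_fun/0` is called, remains usable by every process in that VM, which is the practical reason behind the "Key exposure" warning above.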
@@ -74,4 +74,58 @@ defmodule ExDoc.ConfigTest do
 assert config.skip_code_autolink_to.("ConfigTest.Hidden.bar/1")
 refute config.skip_code_autolink_to.("ConfigTest.NotHidden")
 end
+
+ test "produces a function when a debug_info_key is provided" do
+ config = ExDoc.Config.build(@project, @version, debug_info_key: "Hunter2")
+
+ assert config.debug_info_fn.(:init) == :ok
+ assert config.debug_info_fn.(:clear) == :ok
+ assert config.debug_info_fn.({:debug_info, nil, nil, nil}) == ~c"Hunter2"
+
+ config = ExDoc.Config.build(@project, @version, debug_info_key: {:des3_cbc, "Hunter3"})
+
+ assert config.debug_info_fn.(:init) == :ok
+ assert config.debug_info_fn.(:clear) == :ok
+ assert config.debug_info_fn.({:debug_info, nil, nil, nil}) == ~c"Hunter3"
+ end
+
+ test "ignores debug_info_key when debug_info_fn or debug_info_fun is provided" do
+ config =
+ ExDoc.Config.build(@project, @version,
+ debug_info_key: "Hunter2",
+ debug_info_fn: debug_info_fn(~c"foxtrot")
+ )
+
+ assert config.debug_info_fn.({:debug_info, nil, nil, nil}) == ~c"foxtrot"
+
+ config =
+ ExDoc.Config.build(@project, @version,
+ debug_info_key: "Hunter2",
+ debug_info_fun: debug_info_fn(~c"tango")
+ )
+
+ assert config.debug_info_fn.({:debug_info, nil, nil, nil}) == ~c"tango"
+ end
+
+ test "handles either debug_info_fn or debug_info_fun, but debug_info_fn takes precedence" do
+ config =
+ ExDoc.Config.build(@project, @version,
+ debug_info_fun: debug_info_fn(~c"fun"),
+ debug_info_fn: debug_info_fn(~c"fn")
+ )
+
+ assert config.debug_info_fn.({:debug_info, nil, nil, nil}) == ~c"fn"
+
+ config = ExDoc.Config.build(@project, @version, debug_info_fun: debug_info_fn(~c"fun"))
+
+ assert config.debug_info_fn.({:debug_info, nil, nil, nil}) == ~c"fun"
+ end
+
+ defp debug_info_fn(key) do
+ fn
+ :init -> :ok
+ :clear -> :ok
+ {:debug_info, _mode, _module, _filename} -> key
+ end
+ end
 end
diff --git a/test/ex_doc/retriever/erlang_test.exs b/test/ex_doc/retriever/erlang_test.exs
index bcba5f3c6..a9d17c692 100644
--- a/test/ex_doc/retriever/erlang_test.exs
+++ b/test/ex_doc/retriever/erlang_test.exs
@@ -111,6 +111,62 @@ defmodule ExDoc.Retriever.ErlangTest do
 ~r'Equivalent to ]+>function2\(\[\{test, args\}\]\).*\.'
 end
+ test "with encrypted debug_info", c do
+ erlc(
+ c,
+ :debug_info_mod,
+ ~S"""
+ -module(debug_info_mod).
+ -moduledoc("mod docs.").
+ -export([function1/0]).
+ -export_type([foo/0]).
+
+ -doc("foo/0 docs.").
+ -type foo() :: atom().
+
+ -doc("function1/0 docs.").
+ -spec function1() -> atom().
+ function1() -> ok.
+ """,
+ debug_info_key: ~c"SECRET"
+ )
+
+ config = ExDoc.Config.build("debug_info_mod", 1, debug_info_key: ~c"SECRET")
+
+ {[mod], []} = Retriever.docs_from_modules([:debug_info_mod], config)
+
+ assert %ExDoc.ModuleNode{
+ moduledoc_file: moduledoc_file,
+ docs: [function1],
+ id: "debug_info_mod",
+ module: :debug_info_mod,
+ title: "debug_info_mod",
+ typespecs: [foo]
+ } = mod
+
+ assert DocAST.to_string(mod.doc) =~ "mod docs."
+ assert DocAST.to_string(function1.doc) =~ "function1/0 docs."
+ assert DocAST.to_string(foo.doc) =~ "foo/0 docs."
+ assert moduledoc_file =~ "debug_info_mod.erl"
+ end
+
+ test "encrypted with tuple key", c do
+ erlc(
+ c,
+ :debug_info_mod2,
+ ~S"""
+ -module(debug_info_mod2).
+ -moduledoc("mod docs.").
+ """,
+ debug_info_key: {:des3_cbc, ~c"SECRET"}
+ )
+
+ config = ExDoc.Config.build("debug_info_mod2", 1, debug_info_key: {:des3_cbc, "SECRET"})
+
+ assert {[%ExDoc.ModuleNode{module: :debug_info_mod2}], []} =
+ Retriever.docs_from_modules([:debug_info_mod2], config)
+ end
+
 test "module included files", c do
 erlc(c, :mod, ~S"""
 -file("module.hrl", 1).
diff --git a/test/ex_doc/retriever_test.exs b/test/ex_doc/retriever_test.exs
index 471c75fb0..f4553092d 100644
--- a/test/ex_doc/retriever_test.exs
+++ b/test/ex_doc/retriever_test.exs
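Review bot: Neither new test proves the beam was actually encrypted: if the `erlc/4` helper (in `test_helper.exs`) dropped `debug_info_key` on the floor, `docs_from_modules/2` would still succeed on plaintext debug info and both tests would stay green. Add a negative check first, e.g. build a config without `debug_info_key` and assert that `:debug_info_mod` is not returned as a documented module (in whatever shape `docs_from_modules/2` uses for unreadable modules), or assert that `:beam_lib.chunks(path, [:debug_info])` errors with `key_missing_or_invalid` when no key fun is registered. Both tests also leave the key fun registered in `:beam_lib`'s global key server for every test that runs afterwards, so add `on_exit(fn -> :beam_lib.clear_crypto_key_fun() end)` to each (or to `setup`) to keep the suite isolated.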
@@ -307,4 +307,14 @@ defmodule ExDoc.RetrieverTest do
 %{docs: [%{signature: signature}]} = module_node
 assert signature == "callback_name(arg1, integer, %Date{}, term, t)"
 end
+
+ test "set_crypto_key_fn/1 raises if it receives an error" do
+ assert_raise(
+ Retriever.Error,
+ "failed to set crypto_key_fun: :badfun",
+ fn ->
+ Retriever.set_crypto_key_fn(fn _ -> {:error, :badfun} end)
+ end
+ )
+ end
 end
diff --git a/test/test_helper.exs b/test/test_helper.exs
index a555ba53f..95c991fcc 100644
--- a/test/test_helper.exs
+++ b/test/test_helper.exs
@@ -58,14 +58,20 @@ defmodule TestHelper do
 beam_docs = docstrings(docs, context)
+ # not to be confused with the regular :debug_info opt
+ debug_info_opts =
+ Enum.filter(opts, fn
+ {:debug_info, _debug_info} -> true
+ {:debug_info_key, _debug_info_key} -> true
+ :encrypt_debug_info -> true
+ _ -> false
+ end)
+
 {:ok, module} =
 :compile.file(
 String.to_charlist(src_path),
- [
- :return_errors,
- :debug_info,
- outdir: String.to_charlist(ebin_dir)
- ] ++ beam_docs
+ [:return_errors, :debug_info, outdir: String.to_charlist(ebin_dir)] ++
+ beam_docs ++ debug_info_opts
 )
 true = Code.prepend_path(ebin_dir)