feat: Gate ECP logs behind ENABLE_ENTERPRISE_CERTIFICATE_LOGS environment variable.

README.md

@@ -126,6 +126,18 @@ ECP relies on the `certificate_config.json` file to read all the metadata inform
 }
 ```
 
+### Logging
+
+To enable logging set the "ENABLE_ENTERPRISE_CERTIFICATE_LOGS" environment
+variable.
+
+#### Example
+
+```
+export ENABLE_ENTERPRISE_CERTIFICATE_LOGS=1 # Now the
+enterprise-certificate-proxy will output logs to stdout.
+```
+
 ## Build binaries
 
 For amd64 MacOS, run `./build/scripts/darwin_amd64.sh`. The binaries will be placed in `build/bin/darwin_amd64` folder.

client/client.go

@@ -15,6 +15,8 @@ import (
 	"encoding/gob"
 	"fmt"
 	"io"
+	"io/ioutil"
+	"log"
 	"net/rpc"
 	"os"
 	"os/exec"
@@ -42,6 +44,17 @@ func (c *Connection) Close() error {
 	return werr
 }
 
+// If ECP Logging is enabled return true
+// Otherwise return false
+func enableECPLogging() bool {
+	if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
+		return true
+	}
+
+	log.SetOutput(ioutil.Discard)
+	return false
+}
+
 func init() {
 	gob.Register(crypto.SHA256)
 	gob.Register(&rsa.PSSOptions{})
@@ -105,6 +118,7 @@ func (k *Key) Sign(_ io.Reader, digest []byte, opts crypto.SignerOpts) (signed [
 //
 // The config file also specifies which certificate the signer should use.
 func Cred(configFilePath string) (*Key, error) {
+	enableECPLogging()
 	if configFilePath == "" {
 		configFilePath = util.GetDefaultConfigFilePath()
 	}

cshared/main.go

@@ -18,12 +18,25 @@ import (
 	"crypto/ecdsa"
 	"crypto/rsa"
 	"encoding/pem"
+	"io/ioutil"
 	"log"
+	"os"
 	"unsafe"
 
 	"github.com/googleapis/enterprise-certificate-proxy/client"
 )
 
+// If ECP Logging is enabled return true
+// Otherwise return false
+func enableECPLogging() bool {
+	if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
+		return true
+	}
+
+	log.SetOutput(ioutil.Discard)
+	return false
+}
+
 func getCertPem(configFilePath string) []byte {
 	key, err := client.Cred(configFilePath)
 	if err != nil {
@@ -54,6 +67,7 @@ func getCertPem(configFilePath string) []byte {
 //
 //export GetCertPemForPython
 func GetCertPemForPython(configFilePath *C.char, certHolder *byte, certHolderLen int) int {
+	enableECPLogging()
 	pemBytes := getCertPem(C.GoString(configFilePath))
 	if certHolder != nil {
 		cert := unsafe.Slice(certHolder, certHolderLen)
@@ -68,6 +82,7 @@ func GetCertPemForPython(configFilePath *C.char, certHolder *byte, certHolderLen
 //export SignForPython
 func SignForPython(configFilePath *C.char, digest *byte, digestLen int, sigHolder *byte, sigHolderLen int) int {
 	// First create a handle around the specified certificate and private key.
+	enableECPLogging()
 	key, err := client.Cred(C.GoString(configFilePath))
 	if err != nil {
 		log.Printf("Could not create client using config %s: %v", C.GoString(configFilePath), err)

internal/signer/darwin/signer.go

@@ -14,6 +14,7 @@ import (
 	"crypto/x509"
 	"encoding/gob"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/rpc"
 	"os"
@@ -22,6 +23,17 @@ import (
 	"time"
 )
 
+// If ECP Logging is enabled return true
+// Otherwise return false
+func enableECPLogging() bool {
+	if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
+		return true
+	}
+
+	log.SetOutput(ioutil.Discard)
+	return false
+}
+
 func init() {
 	gob.Register(crypto.SHA256)
 	gob.Register(crypto.SHA384)
@@ -76,6 +88,7 @@ func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) {
 }
 
 func main() {
+	enableECPLogging()
 	if len(os.Args) != 2 {
 		log.Fatalln("Signer is not meant to be invoked manually, exiting...")
 	}

internal/signer/linux/signer.go

@@ -15,13 +15,25 @@ import (
 	"crypto/x509"
 	"encoding/gob"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/rpc"
 	"os"
 	"signer/util"
 	"time"
 )
 
+// If ECP Logging is enabled return true
+// Otherwise return false
+func enableECPLogging() bool {
+	if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
+		return true
+	}
+
+	log.SetOutput(ioutil.Discard)
+	return false
+}
+
 func init() {
 	gob.Register(crypto.SHA256)
 	gob.Register(crypto.SHA384)
@@ -76,6 +88,7 @@ func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) {
 }
 
 func main() {
+	enableECPLogging()
 	if len(os.Args) != 2 {
 		log.Fatalln("Signer is not meant to be invoked manually, exiting...")
 	}

internal/signer/windows/signer.go

@@ -14,6 +14,7 @@ import (
 	"crypto/x509"
 	"encoding/gob"
 	"io"
+	"io/ioutil"
 	"log"
 	"net/rpc"
 	"os"
@@ -22,6 +23,17 @@ import (
 	"time"
 )
 
+// If ECP Logging is enabled return true
+// Otherwise return false
+func enableECPLogging() bool {
+	if os.Getenv("ENABLE_ENTERPRISE_CERTIFICATE_LOGS") != "" {
+		return true
+	}
+
+	log.SetOutput(ioutil.Discard)
+	return false
+}
+
 func init() {
 	gob.Register(crypto.SHA256)
 	gob.Register(crypto.SHA384)
@@ -76,6 +88,7 @@ func (k *EnterpriseCertSigner) Sign(args SignArgs, resp *[]byte) (err error) {
 }
 
 func main() {
+	enableECPLogging()
 	if len(os.Args) != 2 {
 		log.Fatalln("Signer is not meant to be invoked manually, exiting...")
 	}