
  1. package secrets
  2. import (
  3. "sync"
  4. "github.com/docker/swarmkit/agent/exec"
  5. "github.com/docker/swarmkit/api"
  6. )
// secrets is the agent-side store of every secret currently available to it,
// indexed by secret ID. All access to m goes through mu (readers take RLock,
// writers take Lock), so a *secrets value must not be copied after first use.
type secrets struct {
	// m holds the secrets keyed by api.Secret.ID; Add stores copies, so the
	// store never aliases a caller's value.
	m map[string]*api.Secret
	// mu guards m.
	mu sync.RWMutex
}
// NewManager returns an empty secrets store, exposed through the
// exec.SecretsManager interface so callers never see the concrete type.
func NewManager() exec.SecretsManager {
	store := &secrets{}
	store.m = make(map[string]*api.Secret)
	return store
}
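// Get returns the secret stored under secretID, or nil when no such secret is
// present.
//
// The returned pointer is the stored value itself (Add stores a copy, Get does
// not copy again), so callers must treat the result as read-only: mutating it
// would change what every later caller sees.
func (s *secrets) Get(secretID string) *api.Secret {
	s.mu.RLock()
	defer s.mu.RUnlock()
	// A missing key yields the zero *api.Secret, which is nil, so the explicit
	// ok-check is unnecessary. Dropping it also removes the local that used to
	// shadow the receiver s inside the if body.
	return s.m[secretID]
}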
// Add stores each given secret under its ID, replacing any secret already
// stored under the same ID. What is stored is secret.Copy(), not the caller's
// value, so later changes by the caller do not leak into the store
// (assumes api.Secret.Copy returns an independent value — confirm in api).
func (s *secrets) Add(secrets ...api.Secret) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for i := range secrets {
		sec := &secrets[i]
		s.m[sec.ID] = sec.Copy()
	}
}
// Remove deletes the secrets with the given IDs from the store. IDs that are
// not present are simply ignored, so Remove cannot fail.
func (s *secrets) Remove(secrets []string) {
	s.mu.Lock()
	defer s.mu.Unlock()
	for i := range secrets {
		delete(s.m, secrets[i])
	}
}
// Reset drops every stored secret by swapping in an empty map. Pointers that
// Get handed out earlier remain valid for their holders; Reset only detaches
// them from the store.
func (s *secrets) Reset() {
	s.mu.Lock()
	fresh := make(map[string]*api.Secret)
	s.m = fresh
	s.mu.Unlock()
}
// taskRestrictedSecretsProvider is an exec.SecretGetter that only serves the
// secret IDs a single task is entitled to; every other ID is answered with nil
// and never reaches the underlying getter.
type taskRestrictedSecretsProvider struct {
	// secretIDs is the allow list: the set of secret IDs the task references.
	secretIDs map[string]struct{}
	// secrets is the unrestricted getter consulted for allowed IDs.
	secrets exec.SecretGetter
}
// Get returns the secret for secretID when that ID is on the task's allow
// list. Any other ID yields nil without consulting the underlying getter, so
// the wrapped store is never queried for secrets the task may not see.
func (sp *taskRestrictedSecretsProvider) Get(secretID string) *api.Secret {
	_, allowed := sp.secretIDs[secretID]
	if !allowed {
		return nil
	}
	return sp.secrets.Get(secretID)
}
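// Restrict wraps secrets in a getter that only serves the secret IDs referenced
// by the task's container spec. Every other ID is answered with nil.
//
// A nil task, or a task whose spec has no container, produces an empty allow
// list: the returned getter then fails closed (denies everything) instead of
// panicking on the nil dereference of t.Spec.
func Restrict(secrets exec.SecretGetter, t *api.Task) exec.SecretGetter {
	sids := make(map[string]struct{})
	if t != nil {
		if container := t.Spec.GetContainer(); container != nil {
			// Only the SecretID of each reference matters for the allow list.
			for _, ref := range container.Secrets {
				sids[ref.SecretID] = struct{}{}
			}
		}
	}
	return &taskRestrictedSecretsProvider{secrets: secrets, secretIDs: sids}
}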