We use cookies to ensure you get the best experience on our website
Sākums Izpētīt Palīdzība
Reģistrēties Pierakstīties
0ct0pu5
/
moby
1
0
Atdalīts 0
Faili Problēmas 0 Izmaiņu pieprasījumi 0 Vikivietne
Koks: 56da020e6b
Atzari Tagi
moby
/
vendor
/
github.com
/
docker
/
swarmkit
/
agent
/
secrets
/
secrets.go

secrets.go 2.0 KB
Vēsture Neapstrādāts

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687 
  1. package secrets
    2. 

  2. 

  3. import (
    4. 

  4. 	"sync"
    5. 

  5. 

  6. 	"github.com/docker/swarmkit/agent/exec"
    7. 

  7. 	"github.com/docker/swarmkit/api"
    8. 

  8. )
    9. 

  9. 

  10. // secrets is a map that keeps all the currently available secrets to the agent
    11. 

  11. // mapped by secret ID.
    12. 

  12. type secrets struct {
    13. 

  13. 	mu sync.RWMutex
    14. 

  14. 	m  map[string]*api.Secret
    15. 

  15. }
    16. 

  16. 

  17. // NewManager returns a place to store secrets.
    18. 

  18. func NewManager() exec.SecretsManager {
    19. 

  19. 	return &secrets{
    20. 

  20. 		m: make(map[string]*api.Secret),
    21. 

  21. 	}
    22. 

  22. }
    23. 

  23. 

  24. // Get returns a secret by ID.  If the secret doesn't exist, returns nil.
    25. 

  25. func (s *secrets) Get(secretID string) *api.Secret {
    26. 

  26. 	s.mu.RLock()
    27. 

  27. 	defer s.mu.RUnlock()
    28. 

  28. 	if s, ok := s.m[secretID]; ok {
    29. 

  29. 		return s
    30. 

  30. 	}
    31. 

  31. 	return nil
    32. 

  32. }
    33. 

  33. 

  34. // Add adds one or more secrets to the secret map.
    35. 

  35. func (s *secrets) Add(secrets ...api.Secret) {
    36. 

  36. 	s.mu.Lock()
    37. 

  37. 	defer s.mu.Unlock()
    38. 

  38. 	for _, secret := range secrets {
    39. 

  39. 		s.m[secret.ID] = secret.Copy()
    40. 

  40. 	}
    41. 

  41. }
    42. 

  42. 

  43. // Remove removes one or more secrets by ID from the secret map.  Succeeds
    44. 

  44. // whether or not the given IDs are in the map.
    45. 

  45. func (s *secrets) Remove(secrets []string) {
    46. 

  46. 	s.mu.Lock()
    47. 

  47. 	defer s.mu.Unlock()
    48. 

  48. 	for _, secret := range secrets {
    49. 

  49. 		delete(s.m, secret)
    50. 

  50. 	}
    51. 

  51. }
    52. 

  52. 

  53. // Reset removes all the secrets.
    54. 

  54. func (s *secrets) Reset() {
    55. 

  55. 	s.mu.Lock()
    56. 

  56. 	defer s.mu.Unlock()
    57. 

  57. 	s.m = make(map[string]*api.Secret)
    58. 

  58. }
    59. 

  59. 

  60. // taskRestrictedSecretsProvider restricts the ids to the task.
    61. 

  61. type taskRestrictedSecretsProvider struct {
    62. 

  62. 	secrets   exec.SecretGetter
    63. 

  63. 	secretIDs map[string]struct{} // allow list of secret ids
    64. 

  64. }
    65. 

  65. 

  66. func (sp *taskRestrictedSecretsProvider) Get(secretID string) *api.Secret {
    67. 

  67. 	if _, ok := sp.secretIDs[secretID]; !ok {
    68. 

  68. 		return nil
    69. 

  69. 	}
    70. 

  70. 

  71. 	return sp.secrets.Get(secretID)
    72. 

  72. }
    73. 

  73. 

  74. // Restrict provides a getter that only allows access to the secrets
    75. 

  75. // referenced by the task.
    76. 

  76. func Restrict(secrets exec.SecretGetter, t *api.Task) exec.SecretGetter {
    77. 

  77. 	sids := map[string]struct{}{}
    78. 

  78. 

  79. 	container := t.Spec.GetContainer()
    80. 

  80. 	if container != nil {
    81. 

  81. 		for _, ref := range container.Secrets {
    82. 

  82. 			sids[ref.SecretID] = struct{}{}
    83. 

  83. 		}
    84. 

  84. 	}
    85. 

  85. 

  86. 	return &taskRestrictedSecretsProvider{secrets: secrets, secretIDs: sids}
    87. 

  87. }
    88.

Contact | Legal | Takedown | Status
Self-hosted public services - About
NibbleSpot by 0ct0pu5