File: main.go

package info (click to toggle)
golang-github-containerd-imgcrypt 1.1.11-4
  • links: PTS, VCS
  • area: main
  • in suites: forky, sid, trixie
  • size: 860 kB
  • sloc: sh: 1,369; makefile: 40
file content (115 lines) | stat: -rw-r--r-- 2,918 bytes parent folder | download 
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
 
/*
   Copyright The containerd Authors.

   Licensed under the Apache License, Version 2.0 (the "License");
   you may not use this file except in compliance with the License.
   You may obtain a copy of the License at

       http://www.apache.org/licenses/LICENSE-2.0

   Unless required by applicable law or agreed to in writing, software
   distributed under the License is distributed on an "AS IS" BASIS,
   WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
   See the License for the specific language governing permissions and
   limitations under the License.
*/

package main

import (
	"fmt"
	"io"
	"os"

	"github.com/containerd/imgcrypt"
	"github.com/containerd/imgcrypt/images/encryption"
	"github.com/containerd/typeurl/v2"

	"github.com/gogo/protobuf/proto"
	"github.com/gogo/protobuf/types"
	"github.com/urfave/cli"
)

var (
	Usage = "ctd-decoder is used as a call-out from containerd content stream plugins"
)

func main() {
	app := cli.NewApp()
	app.Name = "ctd-decoder"
	app.Usage = Usage
	app.Action = run
	app.Flags = []cli.Flag{
		cli.StringFlag{
			Name:  "decryption-keys-path",
			Usage: "Path to load decryption keys from. (optional)",
		},
	}
	if err := app.Run(os.Args); err != nil {
		fmt.Fprintf(os.Stderr, "%s\n", err)
		os.Exit(1)
	}
}

func run(ctx *cli.Context) error {
	if err := decrypt(ctx); err != nil {
		fmt.Fprintf(os.Stderr, "%s\n", err)
		os.Exit(1)
		return err
	}
	return nil
}

func decrypt(ctx *cli.Context) error {
	payload, err := getPayload()
	if err != nil {
		return err
	}

	decCc := &payload.DecryptConfig

	// TODO: If decryption key path is set, get additional keys to augment payload keys
	if ctx.GlobalIsSet("decryption-keys-path") {
		keyPathCc, err := getDecryptionKeys(ctx.GlobalString("decryption-keys-path"))
		if err != nil {
			return fmt.Errorf("unable to get decryption keys in provided key path: %w", err)
		}
		decCc = combineDecryptionConfigs(keyPathCc.DecryptConfig, &payload.DecryptConfig)
	}

	_, r, _, err := encryption.DecryptLayer(decCc, os.Stdin, payload.Descriptor, false)
	if err != nil {
		return fmt.Errorf("call to DecryptLayer failed: %w", err)
	}

	for {
		_, err := io.CopyN(os.Stdout, r, 10*1024)
		if err != nil {
			if err == io.EOF {
				break
			}
			return fmt.Errorf("could not copy data: %w", err)
		}
	}
	return nil
}

func getPayload() (*imgcrypt.Payload, error) {
	data, err := readPayload()
	if err != nil {
		return nil, fmt.Errorf("read payload: %w", err)
	}
	var anything types.Any
	if err := proto.Unmarshal(data, &anything); err != nil {
		return nil, fmt.Errorf("could not proto.Unmarshal() decrypt data: %w", err)
	}
	v, err := typeurl.UnmarshalAny(&anything)
	if err != nil {
		return nil, fmt.Errorf("could not UnmarshalAny() the decrypt data: %w", err)
	}
	l, ok := v.(*imgcrypt.Payload)
	if !ok {
		return nil, fmt.Errorf("unknown payload type %s", anything.TypeUrl)
	}
	return l, nil
}