1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
|
package secrets
import (
"errors"
"fmt"
"maps"
"os"
"path/filepath"
"slices"
"strings"
"time"
"github.com/containers/common/pkg/secrets/define"
"github.com/containers/common/pkg/secrets/filedriver"
"github.com/containers/common/pkg/secrets/passdriver"
"github.com/containers/common/pkg/secrets/shelldriver"
"github.com/containers/storage/pkg/lockfile"
"github.com/containers/storage/pkg/stringid"
)
// maxSecretSize is the max size for secret data - 512kB
const maxSecretSize = 512000
// secretIDLength is the character length of a secret ID - 25
const secretIDLength = 25
// errInvalidPath indicates that the secrets path is invalid
var errInvalidPath = errors.New("invalid secrets path")
// ErrNoSuchSecret indicates that the secret does not exist
var ErrNoSuchSecret = define.ErrNoSuchSecret
// errSecretNameInUse indicates that the secret name is already in use
var errSecretNameInUse = errors.New("secret name in use")
// errInvalidSecretName indicates that the secret name is invalid
var errInvalidSecretName = errors.New("invalid secret name")
// errInvalidDriver indicates that the driver type is invalid
var errInvalidDriver = errors.New("invalid driver")
// errInvalidDriverOpt indicates that a driver option is invalid
var errInvalidDriverOpt = errors.New("invalid driver option")
// errAmbiguous indicates that a secret is ambiguous
var errAmbiguous = errors.New("secret is ambiguous")
// errDataSize indicates that the secret data is too large or too small
var errDataSize = errors.New("secret data must be larger than 0 and less than 512000 bytes")
// errIgnoreIfExistsAndReplace indicates that ignoreIfExists and replace cannot be used together.
var errIgnoreIfExistsAndReplace = errors.New("ignoreIfExists and replace cannot be used together")
// secretsFile is the name of the file that the secrets database will be stored in
var secretsFile = "secrets.json"
// SecretsManager holds information on handling secrets
//
// revive does not like the name because the package is already called secrets
//
//nolint:revive
type SecretsManager struct {
// secretsPath is the path to the db file where secrets are stored
secretsDBPath string
// lockfile is the locker for the secrets file
lockfile *lockfile.LockFile
// db is an in-memory cache of the database of secrets
db *db
}
// Secret defines a secret
type Secret struct {
// Name is the name of the secret
Name string `json:"name"`
// ID is the unique secret ID
ID string `json:"id"`
// Labels are labels on the secret
Labels map[string]string `json:"labels,omitempty"`
// Metadata stores other metadata on the secret
Metadata map[string]string `json:"metadata,omitempty"`
// CreatedAt is when the secret was created
CreatedAt time.Time `json:"createdAt"`
// UpdatedAt is when the secret was updated
UpdatedAt time.Time `json:"updatedAt"`
// Driver is the driver used to store secret data
Driver string `json:"driver"`
// DriverOptions are extra options used to run this driver
DriverOptions map[string]string `json:"driverOptions"`
}
// SecretsDriver interfaces with the secrets data store.
// The driver stores the actual bytes of secret data, as opposed to
// the secret metadata.
// Currently only the unencrypted filedriver is implemented.
//
// revive does not like the name because the package is already called secrets
//
//nolint:revive
type SecretsDriver interface {
// List lists all secret ids in the secrets data store
List() ([]string, error)
// Lookup gets the secret's data bytes
Lookup(id string) ([]byte, error)
// Store stores the secret's data bytes
Store(id string, data []byte) error
// Delete deletes a secret's data from the driver
Delete(id string) error
}
// StoreOptions are optional metadata fields that can be set when storing a new secret
type StoreOptions struct {
// DriverOptions are extra options used to run this driver
DriverOpts map[string]string
// Metadata stores extra metadata on the secret
Metadata map[string]string
// Labels are labels on the secret
Labels map[string]string
// Replace existing secret
Replace bool
// Ignore if already exists
IgnoreIfExists bool
}
// NewManager creates a new secrets manager
// rootPath is the directory where the secrets data file resides
func NewManager(rootPath string) (*SecretsManager, error) {
manager := new(SecretsManager)
if !filepath.IsAbs(rootPath) {
return nil, fmt.Errorf("path must be absolute: %s: %w", rootPath, errInvalidPath)
}
// the lockfile functions require that the rootPath dir is executable
if err := os.MkdirAll(rootPath, 0o700); err != nil {
return nil, err
}
lock, err := lockfile.GetLockFile(filepath.Join(rootPath, "secrets.lock"))
if err != nil {
return nil, err
}
manager.lockfile = lock
manager.secretsDBPath = filepath.Join(rootPath, secretsFile)
manager.db = new(db)
manager.db.Secrets = make(map[string]Secret)
manager.db.NameToID = make(map[string]string)
manager.db.IDToName = make(map[string]string)
return manager, nil
}
func (s *SecretsManager) newID() (string, error) {
for {
newID := stringid.GenerateNonCryptoID()
// GenerateNonCryptoID() gives 64 characters, so we truncate to correct length
newID = newID[0:secretIDLength]
_, err := s.lookupSecret(newID)
if err != nil {
if errors.Is(err, define.ErrNoSuchSecret) {
return newID, nil
}
return "", err
}
}
}
// Store takes a name, creates a secret and stores the secret metadata and the secret payload.
// It returns a generated ID that is associated with the secret.
// The max size for secret data is 512kB.
func (s *SecretsManager) Store(name string, data []byte, driverType string, options StoreOptions) (string, error) {
err := validateSecretName(name)
if err != nil {
return "", err
}
if len(data) == 0 || len(data) >= maxSecretSize {
return "", errDataSize
}
if options.IgnoreIfExists && options.Replace {
return "", errIgnoreIfExistsAndReplace
}
var secr *Secret
s.lockfile.Lock()
defer s.lockfile.Unlock()
exist, err := s.exactSecretExists(name)
if err != nil {
return "", err
}
if exist {
if !options.Replace && !options.IgnoreIfExists {
return "", fmt.Errorf("%s: %w", name, errSecretNameInUse)
}
secr, err = s.lookupSecret(name)
if err != nil {
return "", err
}
if options.IgnoreIfExists {
return secr.ID, nil
}
secr.UpdatedAt = time.Now()
} else {
secr = new(Secret)
secr.Name = name
secr.CreatedAt = time.Now()
secr.UpdatedAt = secr.CreatedAt
}
if options.Metadata == nil {
options.Metadata = make(map[string]string)
}
if options.Labels == nil {
options.Labels = make(map[string]string)
}
if options.DriverOpts == nil {
options.DriverOpts = make(map[string]string)
}
secr.Driver = driverType
secr.Metadata = options.Metadata
secr.DriverOptions = options.DriverOpts
secr.Labels = options.Labels
driver, err := getDriver(driverType, options.DriverOpts)
if err != nil {
return "", err
}
if options.Replace {
err := driver.Delete(secr.ID)
if err != nil {
if !errors.Is(err, define.ErrNoSuchSecret) {
return "", fmt.Errorf("deleting driver secret %s: %w", secr.ID, err)
}
} else {
if err := s.delete(secr.ID); err != nil && !errors.Is(err, define.ErrNoSuchSecret) {
return "", fmt.Errorf("deleting secret %s: %w", secr.ID, err)
}
}
}
secr.ID, err = s.newID()
if err != nil {
return "", err
}
err = driver.Store(secr.ID, data)
if err != nil {
return "", fmt.Errorf("creating secret %s: %w", name, err)
}
err = s.store(secr)
if err != nil {
return "", fmt.Errorf("creating secret %s: %w", name, err)
}
return secr.ID, nil
}
// Delete removes all secret metadata and secret data associated with the specified secret.
// Delete takes a name, ID, or partial ID.
func (s *SecretsManager) Delete(nameOrID string) (string, error) {
s.lockfile.Lock()
defer s.lockfile.Unlock()
secret, err := s.lookupSecret(nameOrID)
if err != nil {
return "", err
}
secretID := secret.ID
driver, err := getDriver(secret.Driver, secret.DriverOptions)
if err != nil {
return "", err
}
err = driver.Delete(secretID)
if err != nil {
return "", fmt.Errorf("deleting secret %s: %w", nameOrID, err)
}
err = s.delete(secretID)
if err != nil {
return "", fmt.Errorf("deleting secret %s: %w", nameOrID, err)
}
return secretID, nil
}
// Lookup gives a secret's metadata given its name, ID, or partial ID.
func (s *SecretsManager) Lookup(nameOrID string) (*Secret, error) {
s.lockfile.Lock()
defer s.lockfile.Unlock()
return s.lookupSecret(nameOrID)
}
// List lists all secrets.
func (s *SecretsManager) List() ([]Secret, error) {
s.lockfile.Lock()
defer s.lockfile.Unlock()
secrets, err := s.lookupAll()
if err != nil {
return nil, err
}
return slices.Collect(maps.Values(secrets)), nil
}
// LookupSecretData returns secret metadata as well as secret data in bytes.
// The secret data can be looked up using its name, ID, or partial ID.
func (s *SecretsManager) LookupSecretData(nameOrID string) (*Secret, []byte, error) {
s.lockfile.Lock()
defer s.lockfile.Unlock()
secret, err := s.lookupSecret(nameOrID)
if err != nil {
return nil, nil, err
}
driver, err := getDriver(secret.Driver, secret.DriverOptions)
if err != nil {
return nil, nil, err
}
data, err := driver.Lookup(secret.ID)
if err != nil {
return nil, nil, err
}
return secret, data, nil
}
// validateSecretName checks if the secret name is valid.
func validateSecretName(name string) error {
if len(name) == 0 || len(name) > 253 || strings.ContainsAny(name, ",/=\000") {
return fmt.Errorf("secret name %q can not include '=', '/', ',', or the '\\0' (NULL) and be between 1 and 253 characters: %w", name, errInvalidSecretName)
}
return nil
}
// getDriver creates a new driver.
func getDriver(name string, opts map[string]string) (SecretsDriver, error) {
switch name {
case "file":
if path, ok := opts["path"]; ok {
return filedriver.NewDriver(path)
}
return nil, fmt.Errorf("need path for filedriver: %w", errInvalidDriverOpt)
case "pass":
return passdriver.NewDriver(opts)
case "shell":
return shelldriver.NewDriver(opts)
}
return nil, errInvalidDriver
}
|
