package secrets
import (
"context"
"fmt"
"github.com/armory/go-yaml-tools/pkg/secrets"
"os"
)
// init registers the Kubernetes secret engine with the shared secrets package
// under the engine name "k8s", so references that select that engine are
// resolved through NewKubernetesSecretDecrypter. The registration mutates
// package-global state in github.com/armory/go-yaml-tools/pkg/secrets and
// happens as a side effect of importing this package.
func init() {
	const engineName = "k8s"
	secrets.Engines[engineName] = NewKubernetesSecretDecrypter
}
// Decode resolves val when it is an encrypted-secret reference.
//
// A value that secrets.IsEncryptedSecret rejects is returned untouched with
// isFile=false. Otherwise a decrypter is built via secrets.NewDecrypter and the
// secret context is fetched with FromContextWithError; that context carries two
// memo tables keyed by the raw reference: Cache for inline values and FileCache
// for values the decrypter materialised as a file. A hit in either table is
// returned without calling Decrypt again, so decrypted plaintext remains
// resident in memory for as long as that context value lives.
//
// Returns the decoded string, whether that string is a file path rather than
// the secret itself, and an error. On error the string result is not
// meaningful; note that the decrypter-construction failure still echoes val
// back while the other error paths return "". Every error message embeds val
// (the reference string, not the plaintext), so callers should consider where
// those errors end up if references themselves are treated as sensitive.
//
// NOTE(review): the writes to Cache/FileCache assume FromContextWithError
// initialises both maps — confirm, a write to a nil map would panic here.
func Decode(ctx context.Context, val string) (string, bool, error) {
	if !secrets.IsEncryptedSecret(val) {
		// Plain value: nothing to resolve.
		return val, false, nil
	}

	decrypter, err := secrets.NewDecrypter(ctx, val)
	if err != nil {
		return val, false, fmt.Errorf("Error creating decrypter for value '%s':\n %w", val, err)
	}

	secretCtx, err := FromContextWithError(ctx)
	if err != nil {
		return "", false, fmt.Errorf("Error creating secret context for value '%s':\n %w", val, err)
	}

	// Serve from whichever memo table already holds this reference.
	if cached, hit := secretCtx.Cache[val]; hit {
		return cached, false, nil
	}
	if cachedPath, hit := secretCtx.FileCache[val]; hit {
		return cachedPath, true, nil
	}

	plain, err := decrypter.Decrypt()
	if err != nil {
		return "", false, fmt.Errorf("Error decrypting secret value '%s':\n %w", val, err)
	}

	// Remember the result so later lookups of the same reference skip Decrypt.
	isFile := decrypter.IsFile()
	if isFile {
		secretCtx.FileCache[val] = plain
	} else {
		secretCtx.Cache[val] = plain
	}
	return plain, isFile, nil
}
// DecodeAsFile decodes val with Decode and then requires the result to be a
// path that os.Stat can resolve.
//
// The isFile flag from Decode is deliberately discarded so that legacy
// "encrypted:" references whose decoded value is already a path keep working.
// On a Decode failure the empty string is returned with the wrapped error; on
// a stat failure the decoded string is returned alongside an error whose text
// hints at the common "encrypted" vs "encryptedFile" mix-up. Both error
// messages embed the raw reference val.
//
// The existence check is only os.Stat: it succeeds for directories and follows
// symlinks, so a non-nil result does not prove the path is a regular file.
func DecodeAsFile(ctx context.Context, val string) (string, error) {
	decoded, _, err := Decode(ctx, val)
	if err != nil {
		return "", fmt.Errorf("Error decoding string \"%s\":\n %w", val, err)
	}
	if _, statErr := os.Stat(decoded); statErr != nil {
		return decoded, fmt.Errorf("Error decoding string \"%s\" into a file:\n %w\nDid you use \"encrypted\" instead of \"encryptedFile\"?", val, statErr)
	}
	return decoded, nil
}
// ShouldDecryptToValidate reports whether val must be decrypted before it is
// handed to Halyard for validation.
//
// The current policy is unconditional: every value is decrypted, which means
// the operator running the validation must already be authorised to read the
// underlying secrets. val is accepted for API stability but is not inspected.
func ShouldDecryptToValidate(val string) bool {
	const decryptEverything = true
	return decryptEverything
}