// SPDX-License-Identifier: GPL-3.0
package ipfs
import (
	"context"
	"errors"
	"fmt"
	"io"
	"os"
	"path"

	tpcrypto "github.com/comrade-coop/trusted-pods/pkg/crypto"
	pb "github.com/comrade-coop/trusted-pods/pkg/proto"
	iface "github.com/ipfs/boxo/coreiface"
	ifacepath "github.com/ipfs/boxo/coreiface/path"
	"github.com/ipfs/boxo/files"
	"github.com/ipfs/go-cid"
)
// SecretTransformation is one step applied to a secret volume's config by
// TransformSecrets; returning a non-nil error aborts the remaining steps.
type SecretTransformation func(secret *pb.Volume_SecretConfig) error
// TransformSecrets applies each transformation, in order, to the secret
// config of every volume in pod whose Type is pb.Volume_VOLUME_SECRET.
// Volumes of other types are skipped. The first transformation error is
// returned unchanged and stops further processing.
//
// NOTE(review): if a secret volume has no secret config set, GetSecret()
// presumably yields nil and the transformations receive it as-is — confirm
// that every transformation tolerates a nil config.
func TransformSecrets(pod *pb.Pod, transformations ...SecretTransformation) error {
	for _, vol := range pod.Volumes {
		if vol.Type != pb.Volume_VOLUME_SECRET {
			continue
		}
		for _, apply := range transformations {
			if err := apply(vol.GetSecret()); err != nil {
				return err
			}
		}
	}
	return nil
}
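// ReadSecret loads the plaintext of a secret from its configured source.
//
// If secret.File is set, that file is read: a relative path is resolved
// against basepath, an absolute one is used as-is. Otherwise, if
// secret.ContentsString is set, its bytes are returned. When neither is
// set, (nil, nil) is returned so callers can treat "no source" as empty.
//
// Returns an error if secret is nil or the file cannot be read (the
// *os.PathError from os.ReadFile names the offending path).
func ReadSecret(basepath string, secret *pb.Volume_SecretConfig) ([]byte, error) {
	if secret == nil {
		return nil, errors.New("nil secret config")
	}
	if secret.File != "" {
		secretPath := secret.File
		// NOTE(review): this uses the slash-only "path" package rather than
		// path/filepath, so on Windows a drive-letter absolute path is not
		// recognised and the join uses '/' — confirm the target platforms.
		// The path is also not confined to basepath (".." segments and
		// absolute paths are accepted), which is only acceptable if the
		// manifest is trusted local input — confirm.
		if !path.IsAbs(secretPath) {
			secretPath = path.Join(basepath, secretPath)
		}
		// os.ReadFile opens, reads to EOF and closes in one step; it yields the
		// same bytes and the same *os.PathError as Open+ReadAll did.
		secretBytes, err := os.ReadFile(secretPath)
		if err != nil {
			return nil, err
		}
		return secretBytes, nil
	}
	if secret.ContentsString != "" {
		return []byte(secret.ContentsString), nil
	}
	return nil, nil
}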
// EncryptSecret generates a fresh encryption key (tpcrypto.KeyTypeEncrypt)
// and encrypts data with it, returning both the key and the ciphertext.
// On error, whatever tpcrypto returned for key/contents is passed through
// alongside err; callers should only rely on the results when err is nil.
func EncryptSecret(data []byte) (key *pb.Key, contents []byte, err error) {
	newKey, err := tpcrypto.NewKey(tpcrypto.KeyTypeEncrypt)
	if err != nil {
		return newKey, nil, err
	}
	ciphertext, encErr := tpcrypto.EncryptWithKey(newKey, data)
	return newKey, ciphertext, encErr
}
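// UploadSecret adds contents to IPFS as a single UnixFS file, pins it, and
// returns the binary form of the resulting CID (Cid().Bytes()).
//
// The result is deliberately unnamed: the previous named result "cid"
// shadowed the imported go-cid package inside this function. Errors from
// the add and pin steps are wrapped with %w so the caller can tell which
// stage failed while errors.Is/errors.As keep working.
func UploadSecret(ctx context.Context, ipfs iface.CoreAPI, contents []byte) ([]byte, error) {
	secretPath, err := ipfs.Unixfs().Add(ctx, files.NewBytesFile(contents))
	if err != nil {
		return nil, fmt.Errorf("adding secret to ipfs: %w", err)
	}
	if err = ipfs.Pin().Add(ctx, secretPath); err != nil {
		return nil, fmt.Errorf("pinning secret %v: %w", secretPath, err)
	}
	return secretPath.Cid().Bytes(), nil
}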
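// RemoveSecret unpins the secret identified by cidBytes (a binary CID as
// returned by UploadSecret) so the IPFS node may garbage-collect it.
//
// Returns an error if cidBytes is not a valid CID — reported before any
// node call, instead of passing cid.Undef to Pin().Rm — or if unpinning
// fails; both are wrapped with %w.
func RemoveSecret(ctx context.Context, ipfs iface.CoreAPI, cidBytes []byte) error {
	secretCid, err := cid.Cast(cidBytes)
	if err != nil {
		return fmt.Errorf("parsing secret cid: %w", err)
	}
	if err = ipfs.Pin().Rm(ctx, ifacepath.IpfsPath(secretCid)); err != nil {
		return fmt.Errorf("unpinning secret %v: %w", secretCid, err)
	}
	return nil
}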
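// DownloadSecret returns the raw secret bytes for secret (typically the
// ciphertext that DecryptSecret expects). If secret.Contents is already
// populated it is returned directly; otherwise secret.Cid is parsed and the
// UnixFS object is fetched from ipfs and read in full.
//
// Returns an error if secret is nil, secret.Cid is malformed, the fetch
// fails, or the object is not a single file (folders are not supported).
func DownloadSecret(ctx context.Context, ipfs iface.CoreAPI, secret *pb.Volume_SecretConfig) ([]byte, error) {
	if secret == nil {
		return nil, errors.New("nil secret config")
	}
	if secret.Contents != nil {
		return secret.Contents, nil
	}
	secretCid, err := cid.Cast(secret.Cid)
	if err != nil {
		return nil, fmt.Errorf("parsing secret cid: %w", err)
	}
	secretNode, err := ipfs.Unixfs().Get(ctx, ifacepath.IpfsPath(secretCid))
	if err != nil {
		return nil, fmt.Errorf("fetching secret %v: %w", secretCid, err)
	}
	defer secretNode.Close()
	secretFile, ok := secretNode.(files.File)
	if !ok {
		return nil, errors.New("Supplied secret CID not a file") // TODO: Support encrypted folders
	}
	// NOTE(review): the object is read in full with no size cap; if a CID can
	// originate from an untrusted manifest, consider bounding the read with
	// io.LimitReader — confirm the expected secret sizes before adding a limit.
	return io.ReadAll(secretFile)
}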
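// DecryptSecret decrypts contents with secret.Key. When secret.Key is nil,
// contents is returned unchanged on the assumption it was never encrypted.
//
// NOTE(review): an absent Key therefore turns the secret into a plaintext
// pass-through rather than an error; if manifests can come from an
// untrusted party, confirm whether callers expect Key to be mandatory.
//
// Returns an error if secret is nil or tpcrypto.DecryptWithKey fails.
func DecryptSecret(secret *pb.Volume_SecretConfig, contents []byte) ([]byte, error) {
	if secret == nil {
		return nil, errors.New("nil secret config")
	}
	if secret.Key == nil {
		return contents, nil
	}
	return tpcrypto.DecryptWithKey(secret.Key, contents)
}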