Skip to content
Permalink
master
Switch branches/tags

Name already in use

A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?

drone/plugin/registry/encrypted.go /
Jump to
Code definitions
Code navigation index up-to-date

Go to file
  • Go to file
  • Copy path
  • Copy permalink
 
 
Cannot retrieve contributors at this time
121 lines (103 sloc) 3.07 KB
Raw Blame
Open in GitHub Desktop
// Copyright 2019 Drone IO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package registry
import (
"context"
"crypto/aes"
"crypto/cipher"
"encoding/base64"
"errors"
"github.com/drone/drone-yaml/yaml"
"github.com/drone/drone/core"
"github.com/drone/drone/logger"
"github.com/drone/drone/plugin/registry/auths"
)
// Encrypted returns a new encrypted registry credentials
// provider that sources credentials from the encrypted strings
// in the yaml file.
func Encrypted() core.RegistryService {
return new(encrypted)
}
type encrypted struct {
}
func (c *encrypted) List(ctx context.Context, in *core.RegistryArgs) ([]*core.Registry, error) {
var results []*core.Registry
for _, match := range in.Pipeline.PullSecrets {
logger := logger.FromContext(ctx).
WithField("name", match).
WithField("kind", "secret")
logger.Trace("image_pull_secrets: find encrypted secret")
// lookup the named secret in the manifest. If the
// secret does not exist, return a nil variable,
// allowing the next secret controller in the chain
// to be invoked.
data, ok := getEncrypted(in.Conf, match)
if !ok {
logger.Trace("image_pull_secrets: no matching encrypted secret in yaml")
return nil, nil
}
decoded, err := base64.StdEncoding.DecodeString(string(data))
if err != nil {
logger.WithError(err).Trace("image_pull_secrets: cannot decode secret")
return nil, err
}
decrypted, err := decrypt(decoded, []byte(in.Repo.Secret))
if err != nil {
logger.WithError(err).Trace("image_pull_secrets: cannot decrypt secret")
return nil, err
}
parsed, err := auths.ParseBytes(decrypted)
if err != nil {
logger.WithError(err).Trace("image_pull_secrets: cannot parse decrypted secret")
return nil, err
}
logger.Trace("image_pull_secrets: found encrypted secret")
results = append(results, parsed...)
}
return results, nil
}
func getEncrypted(manifest *yaml.Manifest, match string) (data string, ok bool) {
for _, resource := range manifest.Resources {
secret, ok := resource.(*yaml.Secret)
if !ok {
continue
}
if secret.Name != match {
continue
}
if secret.Data == "" {
continue
}
return secret.Data, true
}
return
}
func decrypt(ciphertext []byte, key []byte) (plaintext []byte, err error) {
block, err := aes.NewCipher(key)
if err != nil {
return nil, err
}
gcm, err := cipher.NewGCM(block)
if err != nil {
return nil, err
}
if len(ciphertext) < gcm.NonceSize() {
return nil, errors.New("malformed ciphertext")
}
return gcm.Open(nil,
ciphertext[:gcm.NonceSize()],
ciphertext[gcm.NonceSize():],
nil,
)
}