package object
import (
"encoding/base64"
"encoding/json"
"fmt"
"strings"
"github.com/opensvc/om3/core/keywords"
"github.com/opensvc/om3/core/omcrypto"
"github.com/opensvc/om3/util/funcopt"
"github.com/opensvc/om3/util/key"
)
type (
	// sec is the concrete implementation behind the Sec interface. It only
	// embeds keystore and plugs in the encrypting value codec
	// (secEncode/secDecode, wired up in NewSec); every other key-value
	// behaviour is inherited from keystore.
	sec struct {
		keystore
	}

	//
	// Sec is the sec-kind object.
	//
	// These objects are encrypted key-value stores.
	// Values can be binary or text.
	//
	// A Key can be installed as a file in a Vol, then exposed to apps
	// and containers.
	// A Key can be exposed as an environment variable for apps and
	// containers.
	// A Signal can be sent to consumer processes upon exposed key value
	// changes.
	//
	Sec interface {
		Keystore
		SecureKeystore
	}
)
// NewSec allocates a sec kind object.
//
// p identifies the object and opts are functional options; both are passed
// through to init untouched. Before init runs, secEncode and secDecode are
// installed as the value codec, so every value written through this object
// is encrypted before it is persisted. On success, postCommit is registered
// as a post-commit hook on the object's config.
//
// On init failure the partially initialised object is returned alongside
// the error (callers should treat it as unusable in that case).
func NewSec(p any, opts ...funcopt.O) (*sec, error) {
	obj := new(sec)
	// Route every value through the encrypting codec.
	obj.customEncode = secEncode
	obj.customDecode = secDecode
	err := obj.init(obj, p, opts...)
	if err != nil {
		return obj, err
	}
	obj.Config().RegisterPostCommit(obj.postCommit)
	return obj, nil
}
// KeywordLookup resolves the keyword definition for k within the given
// section type, scoped to this object's kind (t.path.Kind), by consulting
// the package-level keywordStore.
func (t *sec) KeywordLookup(k key.T, sectionType string) keywords.Keyword {
	kind := t.path.Kind
	return keywordLookup(keywordStore, k, kind, sectionType)
}
// secEncode is the value encoder installed by NewSec: it encrypts b with
// omcrypto and returns the ciphertext as the literal prefix "crypt:"
// followed by URL-safe base64. The prefix is what secDecode checks for to
// recognise an encrypted value.
//
// NOTE(review): Strict() only tightens *decoding* (it rejects non-canonical
// padding bits); it does not change EncodeToString's output. It is kept here
// so the encoder and its intent stay self-documenting.
func secEncode(b []byte) (string, error) {
	const prefix = "crypt:"
	msg := omcrypto.NewMessage(b)
	cipher, err := msg.Encrypt()
	if err != nil {
		return "", err
	}
	enc := base64.URLEncoding.Strict()
	return prefix + enc.EncodeToString(cipher), nil
}
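// secDecode reverses secEncode: it strips the "crypt:" prefix, base64-decodes
// the remainder, decrypts it with omcrypto and returns the plaintext.
//
// The plaintext may be either raw bytes or a JSON-encoded string. When it
// parses as a JSON string the unquoted string is returned; otherwise the
// decrypted bytes are returned unchanged (this is how binary values are
// distinguished from text values).
//
// Values are presumably read back from persisted object configuration, so a
// malformed value must produce an error, never a panic.
func secDecode(s string) ([]byte, error) {
	const prefix = "crypt:"
	if !strings.HasPrefix(s, prefix) {
		return []byte{}, fmt.Errorf("unsupported value (no crypt prefix)")
	}
	// Decode base64. Lenient (non-Strict) decoding is kept deliberately so
	// that previously stored values with non-canonical padding bits still
	// load; the encoder side uses Strict(), which only affects decoding.
	b, err := base64.URLEncoding.DecodeString(strings.TrimPrefix(s, prefix))
	if err != nil {
		return []byte{}, err
	}
	// Guard: "crypt:" with nothing after it decodes to an empty slice, and
	// the trailing-byte check below would index b[-1] and panic.
	if len(b) == 0 {
		return []byte{}, fmt.Errorf("unsupported value (empty ciphertext)")
	}
	// Drop a single trailing NUL byte (the original comment said "\r" but
	// the code strips '\x00'; the code is kept as the source of truth).
	// NOTE(review): this looks like a compatibility shim for a writer that
	// appended a NUL terminator to the ciphertext — confirm against the
	// legacy encoder before removing.
	last := len(b) - 1
	if b[last] == '\x00' {
		b = b[:last]
	}
	// Decrypt.
	m := omcrypto.NewMessage(b)
	plain, err := m.Decrypt()
	if err != nil {
		return []byte{}, err
	}
	// Text values are stored as JSON strings; anything that does not parse
	// as one is treated as binary and returned as-is. The Unmarshal error is
	// intentionally not surfaced: it is the binary/text discriminator, not a
	// failure.
	var text string
	if err := json.Unmarshal(plain, &text); err != nil {
		return plain, nil
	}
	return []byte(text), nil
}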