harness-drone/plugin/registry/encrypted.go

122 lines
3.1 KiB
Go
Raw Normal View History

2019-03-18 15:34:36 +00:00
// Copyright 2019 Drone IO, Inc.
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package registry
import (
"context"
"crypto/aes"
"crypto/cipher"
"encoding/base64"
"errors"
"github.com/drone/drone-yaml/yaml"
"github.com/drone/drone/core"
"github.com/drone/drone/logger"
"github.com/drone/drone/plugin/registry/auths"
)
// Encrypted returns a new encrypted registry credentials
2021-06-07 10:20:55 +00:00
// provider that sources credentials from the encrypted strings
2019-03-18 15:34:36 +00:00
// in the yaml file.
func Encrypted() core.RegistryService {
return new(encrypted)
}
type encrypted struct {
}
func (c *encrypted) List(ctx context.Context, in *core.RegistryArgs) ([]*core.Registry, error) {
var results []*core.Registry
for _, match := range in.Pipeline.PullSecrets {
logger := logger.FromContext(ctx).
WithField("name", match).
WithField("kind", "secret")
logger.Trace("image_pull_secrets: find encrypted secret")
// lookup the named secret in the manifest. If the
// secret does not exist, return a nil variable,
// allowing the next secret controller in the chain
// to be invoked.
data, ok := getEncrypted(in.Conf, match)
if !ok {
logger.Trace("image_pull_secrets: no matching encrypted secret in yaml")
return nil, nil
}
decoded, err := base64.StdEncoding.DecodeString(string(data))
if err != nil {
logger.WithError(err).Trace("image_pull_secrets: cannot decode secret")
return nil, err
}
decrypted, err := decrypt(decoded, []byte(in.Repo.Secret))
if err != nil {
logger.WithError(err).Trace("image_pull_secrets: cannot decrypt secret")
return nil, err
}
parsed, err := auths.ParseBytes(decrypted)
if err != nil {
logger.WithError(err).Trace("image_pull_secrets: cannot parse decrypted secret")
return nil, err
}
logger.Trace("image_pull_secrets: found encrypted secret")
results = append(results, parsed...)
}
return results, nil
}
func getEncrypted(manifest *yaml.Manifest, match string) (data string, ok bool) {
for _, resource := range manifest.Resources {
secret, ok := resource.(*yaml.Secret)
if !ok {
continue
}
if secret.Name != match {
continue
}
if secret.Data == "" {
continue
}
return secret.Data, true
}
return
}
func decrypt(ciphertext []byte, key []byte) (plaintext []byte, err error) {
block, err := aes.NewCipher(key)
2019-03-18 15:34:36 +00:00
if err != nil {
return nil, err
}
gcm, err := cipher.NewGCM(block)
if err != nil {
return nil, err
}
if len(ciphertext) < gcm.NonceSize() {
return nil, errors.New("malformed ciphertext")
}
return gcm.Open(nil,
ciphertext[:gcm.NonceSize()],
ciphertext[gcm.NonceSize():],
nil,
)
}