// Copyright 2019 Drone IO, Inc. // // Licensed under the Apache License, Version 2.0 (the "License"); // you may not use this file except in compliance with the License. // You may obtain a copy of the License at // // http://www.apache.org/licenses/LICENSE-2.0 // // Unless required by applicable law or agreed to in writing, software // distributed under the License is distributed on an "AS IS" BASIS, // WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. // See the License for the specific language governing permissions and // limitations under the License. package registry import ( "context" "crypto/aes" "crypto/cipher" "encoding/base64" "errors" "github.com/drone/drone-yaml/yaml" "github.com/drone/drone/core" "github.com/drone/drone/logger" "github.com/drone/drone/plugin/registry/auths" ) // Encrypted returns a new encrypted registry credentials // provider that sournces credentials from the encrypted strings // in the yaml file. func Encrypted() core.RegistryService { return new(encrypted) } type encrypted struct { } func (c *encrypted) List(ctx context.Context, in *core.RegistryArgs) ([]*core.Registry, error) { var results []*core.Registry for _, match := range in.Pipeline.PullSecrets { logger := logger.FromContext(ctx). WithField("name", match). WithField("kind", "secret") logger.Trace("image_pull_secrets: find encrypted secret") // lookup the named secret in the manifest. If the // secret does not exist, return a nil variable, // allowing the next secret controller in the chain // to be invoked. data, ok := getEncrypted(in.Conf, match) if !ok { logger.Trace("image_pull_secrets: no matching encrypted secret in yaml") return nil, nil } decoded, err := base64.StdEncoding.DecodeString(string(data)) if err != nil { logger.WithError(err).Trace("image_pull_secrets: cannot decode secret") return nil, err } decrypted, err := decrypt(decoded, []byte(in.Repo.Secret)) if err != nil { logger.WithError(err).Trace("image_pull_secrets: cannot decrypt secret") return nil, err } parsed, err := auths.ParseBytes(decrypted) if err != nil { logger.WithError(err).Trace("image_pull_secrets: cannot parse decrypted secret") return nil, err } logger.Trace("image_pull_secrets: found encrypted secret") results = append(results, parsed...) } return results, nil } func getEncrypted(manifest *yaml.Manifest, match string) (data string, ok bool) { for _, resource := range manifest.Resources { secret, ok := resource.(*yaml.Secret) if !ok { continue } if secret.Name != match { continue } if secret.Data == "" { continue } return secret.Data, true } return } func decrypt(ciphertext []byte, key []byte) (plaintext []byte, err error) { block, err := aes.NewCipher(key[:]) if err != nil { return nil, err } gcm, err := cipher.NewGCM(block) if err != nil { return nil, err } if len(ciphertext) < gcm.NonceSize() { return nil, errors.New("malformed ciphertext") } return gcm.Open(nil, ciphertext[:gcm.NonceSize()], ciphertext[gcm.NonceSize():], nil, ) }