7 "github.com/docker/swarmkit/agent/exec"
8 "github.com/docker/swarmkit/api"
11 // secrets is a map that keeps all the currently available secrets to the agent
12 // mapped by secret ID.
15 m map[string]*api.Secret
18 // NewManager returns a place to store secrets.
19 func NewManager() exec.SecretsManager {
21 m: make(map[string]*api.Secret),
25 // Get returns a secret by ID. If the secret doesn't exist, returns nil.
26 func (s *secrets) Get(secretID string) (*api.Secret, error) {
29 if s, ok := s.m[secretID]; ok {
32 return nil, fmt.Errorf("secret %s not found", secretID)
35 // Add adds one or more secrets to the secret map.
36 func (s *secrets) Add(secrets ...api.Secret) {
39 for _, secret := range secrets {
40 s.m[secret.ID] = secret.Copy()
44 // Remove removes one or more secrets by ID from the secret map. Succeeds
45 // whether or not the given IDs are in the map.
46 func (s *secrets) Remove(secrets []string) {
49 for _, secret := range secrets {
54 // Reset removes all the secrets.
55 func (s *secrets) Reset() {
58 s.m = make(map[string]*api.Secret)
61 // taskRestrictedSecretsProvider restricts the ids to the task.
62 type taskRestrictedSecretsProvider struct {
63 secrets exec.SecretGetter
64 secretIDs map[string]struct{} // allow list of secret ids
67 func (sp *taskRestrictedSecretsProvider) Get(secretID string) (*api.Secret, error) {
68 if _, ok := sp.secretIDs[secretID]; !ok {
69 return nil, fmt.Errorf("task not authorized to access secret %s", secretID)
72 return sp.secrets.Get(secretID)
75 // Restrict provides a getter that only allows access to the secrets
76 // referenced by the task.
77 func Restrict(secrets exec.SecretGetter, t *api.Task) exec.SecretGetter {
78 sids := map[string]struct{}{}
80 container := t.Spec.GetContainer()
82 for _, ref := range container.Secrets {
83 sids[ref.SecretID] = struct{}{}
87 return &taskRestrictedSecretsProvider{secrets: secrets, secretIDs: sids}