debian-mirror-gitlab/workhorse/internal/secret/secret.go

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

78 lines
1.5 KiB
Go
Raw Normal View History

2021-02-22 17:27:13 +05:30
package secret
import (
"encoding/base64"
"fmt"
2022-07-23 23:45:48 +05:30
"os"
2021-02-22 17:27:13 +05:30
"sync"
)
const numSecretBytes = 32
type sec struct {
path string
bytes []byte
sync.RWMutex
}
var (
theSecret = &sec{}
)
func SetPath(path string) {
theSecret.Lock()
defer theSecret.Unlock()
theSecret.path = path
theSecret.bytes = nil
}
// Lazy access to the HMAC secret key. We must be lazy because if the key
// is not already there, it will be generated by gitlab-rails, and
// gitlab-rails is slow.
func Bytes() ([]byte, error) {
if bytes := getBytes(); bytes != nil {
return copyBytes(bytes), nil
}
return setBytes()
}
func getBytes() []byte {
theSecret.RLock()
defer theSecret.RUnlock()
return theSecret.bytes
}
func copyBytes(bytes []byte) []byte {
out := make([]byte, len(bytes))
copy(out, bytes)
return out
}
func setBytes() ([]byte, error) {
theSecret.Lock()
defer theSecret.Unlock()
if theSecret.bytes != nil {
return theSecret.bytes, nil
}
2022-07-23 23:45:48 +05:30
base64Bytes, err := os.ReadFile(theSecret.path)
2021-02-22 17:27:13 +05:30
if err != nil {
return nil, fmt.Errorf("secret.setBytes: read %q: %v", theSecret.path, err)
}
secretBytes := make([]byte, base64.StdEncoding.DecodedLen(len(base64Bytes)))
n, err := base64.StdEncoding.Decode(secretBytes, base64Bytes)
if err != nil {
return nil, fmt.Errorf("secret.setBytes: decode secret: %v", err)
}
if n != numSecretBytes {
return nil, fmt.Errorf("secret.setBytes: expected %d secretBytes in %s, found %d", numSecretBytes, theSecret.path, n)
}
theSecret.bytes = secretBytes
return copyBytes(theSecret.bytes), nil
}