archive-gh-me/gitpod
1
0
Fork 0
mirror of https://github.com/gitpod-io/gitpod.git synced 2025-12-08 17:36:30 +00:00
Code Issues Projects Releases Wiki Activity
gitpod/components/content-service-api/go/initializer.go
Christian Weichel 04b9a64024 [ws-manager] Limit max secret length 
to introduce a benign failure mode compared to the
Kubernetes provided message.
2022-07-06 19:22:53 +05:30

133 lines
3.7 KiB
Go
Raw Blame History

// Copyright (c) 2022 Gitpod GmbH. All rights reserved.
// Licensed under the GNU Affero General Public License (AGPL).
// See License-AGPL.txt in the project root for license information.
package api
import (
"fmt"
"strconv"
"strings"
"golang.org/x/xerrors"
)
// GetCheckoutLocationsFromInitializer returns a list of all checkout locations from the initializer
func GetCheckoutLocationsFromInitializer(init *WorkspaceInitializer) []string {
var res []string
_ = WalkInitializer(nil, init, func(path []string, init *WorkspaceInitializer) error {
switch spec := init.Spec.(type) {
case *WorkspaceInitializer_Git:
res = append(res, spec.Git.CheckoutLocation)
case *WorkspaceInitializer_Backup:
res = append(res, spec.Backup.CheckoutLocation)
case *WorkspaceInitializer_Prebuild:
// walkInitializer will visit the Git initializer
}
return nil
})
return res
}
const extractedSecretPrefix = "extracted-secret/"
// ExtractSecretsFromInitializer removes secrets to the initializer.
// This is the counterpart of InjectSecretsToInitializer.
func ExtractSecretsFromInitializer(init *WorkspaceInitializer) map[string]string {
res := make(map[string]string)
_ = WalkInitializer([]string{"initializer"}, init, func(path []string, init *WorkspaceInitializer) error {
git, ok := init.Spec.(*WorkspaceInitializer_Git)
if !ok {
return nil
}
pwd := git.Git.Config.AuthPassword
if pwd == "" || strings.HasPrefix(pwd, extractedSecretPrefix) {
return nil
}
name := strings.Join(path, ".")
res[name] = pwd
git.Git.Config.AuthPassword = extractedSecretPrefix + name
return nil
})
return res
}
// InjectSecretsToInitializer injects secrets to the initializer. This is the counterpart of ExtractSecretsFromInitializer.
func InjectSecretsToInitializer(init *WorkspaceInitializer, secrets map[string][]byte) error {
return WalkInitializer([]string{"initializer"}, init, func(path []string, init *WorkspaceInitializer) error {
git, ok := init.Spec.(*WorkspaceInitializer_Git)
if !ok {
return nil
}
pwd := git.Git.Config.AuthPassword
if !strings.HasPrefix(pwd, extractedSecretPrefix) {
return nil
}
name := strings.TrimPrefix(pwd, extractedSecretPrefix)
val, ok := secrets[name]
if !ok {
return xerrors.Errorf("secret %s not found", name)
}
git.Git.Config.AuthPassword = string(val)
return nil
})
}
// WalkInitializer walks the initializer structure
func WalkInitializer(path []string, init *WorkspaceInitializer, visitor func(path []string, init *WorkspaceInitializer) error) error {
if init == nil {
return nil
}
switch spec := init.Spec.(type) {
case *WorkspaceInitializer_Backup:
return visitor(append(path, "backup"), init)
case *WorkspaceInitializer_Composite:
path = append(path, "composite")
err := visitor(path, init)
if err != nil {
return err
}
for i, p := range spec.Composite.Initializer {
err := WalkInitializer(append(path, strconv.Itoa(i)), p, visitor)
if err != nil {
return err
}
}
return nil
case *WorkspaceInitializer_Download:
return visitor(append(path, "download"), init)
case *WorkspaceInitializer_Empty:
return visitor(append(path, "empty"), init)
case *WorkspaceInitializer_Git:
return visitor(append(path, "git"), init)
case *WorkspaceInitializer_Prebuild:
child := append(path, "prebuild")
err := visitor(child, init)
if err != nil {
return err
}
for i, g := range spec.Prebuild.Git {
err = WalkInitializer(append(child, strconv.Itoa(i)), &WorkspaceInitializer{Spec: &WorkspaceInitializer_Git{Git: g}}, visitor)
if err != nil {
return err
}
}
return nil
default:
return fmt.Errorf("unsupported workspace initializer in walkInitializer - this is a bug in Gitpod")
}
}
Reference in New Issue View Git Blame Copy Permalink