| 350 | // setWindowsCredentialSpec sets the spec's `Windows.CredentialSpec` |
| 351 | // field if relevant |
| 352 | func (daemon *Daemon) setWindowsCredentialSpec(c *container.Container, s *specs.Spec) error { |
| 353 | if c.HostConfig == nil || c.HostConfig.SecurityOpt == nil { |
| 354 | return nil |
| 355 | } |
| 356 | |
| 357 | // TODO (jrouge/wk8): if provided with several security options, we silently ignore |
| 358 | // all but the last one (provided they're all valid, otherwise we do return an error); |
| 359 | // this doesn't seem like a great idea? |
| 360 | credentialSpec := "" |
| 361 | |
| 362 | // TODO(thaJeztah): extract validating and parsing SecurityOpt to a reusable function. |
| 363 | for _, secOpt := range c.HostConfig.SecurityOpt { |
| 364 | k, v, ok := strings.Cut(secOpt, "=") |
| 365 | if !ok { |
| 366 | return errdefs.InvalidParameter(fmt.Errorf("invalid security option: no equals sign in supplied value %s", secOpt)) |
| 367 | } |
| 368 | // FIXME(thaJeztah): options should not be case-insensitive |
| 369 | if !strings.EqualFold(k, "credentialspec") { |
| 370 | return errdefs.InvalidParameter(fmt.Errorf("security option not supported: %s", k)) |
| 371 | } |
| 372 | |
| 373 | scheme, value, ok := strings.Cut(v, "://") |
| 374 | if !ok || value == "" { |
| 375 | return errInvalidCredentialSpecSecOpt |
| 376 | } |
| 377 | var err error |
| 378 | switch strings.ToLower(scheme) { |
| 379 | case "file": |
| 380 | credentialSpec, err = readCredentialSpecFile(c.ID, daemon.root, filepath.Clean(value)) |
| 381 | if err != nil { |
| 382 | return errdefs.InvalidParameter(err) |
| 383 | } |
| 384 | case "registry": |
| 385 | credentialSpec, err = readCredentialSpecRegistry(c.ID, value) |
| 386 | if err != nil { |
| 387 | return errdefs.InvalidParameter(err) |
| 388 | } |
| 389 | case "config": |
| 390 | // if the container does not have a DependencyStore, then it |
| 391 | // isn't swarmkit managed. In order to avoid creating any |
| 392 | // impression that `config://` is a valid API, return the same |
| 393 | // error as if you'd passed any other random word. |
| 394 | if c.DependencyStore == nil { |
| 395 | return errInvalidCredentialSpecSecOpt |
| 396 | } |
| 397 | |
| 398 | csConfig, err := c.DependencyStore.Configs().Get(value) |
| 399 | if err != nil { |
| 400 | return errdefs.System(errors.Wrap(err, "error getting value from config store")) |
| 401 | } |
| 402 | // stuff the resulting secret data into a string to use as the |
| 403 | // CredentialSpec |
| 404 | credentialSpec = string(csConfig.Spec.Data) |
| 405 | case "raw": |
| 406 | credentialSpec = value |
| 407 | default: |
| 408 | return errInvalidCredentialSpecSecOpt |
| 409 | } |