
Method setWindowsCredentialSpec

daemon/oci_windows.go:352–420  ·  view source on GitHub ↗

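setWindowsCredentialSpec sets the spec's `Windows.CredentialSpec` field when the container's `HostConfig.SecurityOpt` carries a `credentialspec=` option; it returns nil without changing the spec when `HostConfig` or `SecurityOpt` is nil. Any other security option, or a value that is not of the form `scheme://value` with scheme `file`, `registry`, `config` or `raw`, is rejected with an error.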

(c *container.Container, s *specs.Spec)


350// setWindowsCredentialSpec sets the spec's `Windows.CredentialSpec`
351// field if relevant
352func (daemon *Daemon) setWindowsCredentialSpec(c *container.Container, s *specs.Spec) error {
353 if c.HostConfig == nil || c.HostConfig.SecurityOpt == nil {
354 return nil
355 }
356
357 // TODO (jrouge/wk8): if provided with several security options, we silently ignore
358 // all but the last one (provided they're all valid, otherwise we do return an error);
359 // this doesn't seem like a great idea?
360 credentialSpec := ""
361
362 // TODO(thaJeztah): extract validating and parsing SecurityOpt to a reusable function.
363 for _, secOpt := range c.HostConfig.SecurityOpt {
364 k, v, ok := strings.Cut(secOpt, "=")
365 if !ok {
366 return errdefs.InvalidParameter(fmt.Errorf("invalid security option: no equals sign in supplied value %s", secOpt))
367 }
368 // FIXME(thaJeztah): options should not be case-insensitive
369 if !strings.EqualFold(k, "credentialspec") {
370 return errdefs.InvalidParameter(fmt.Errorf("security option not supported: %s", k))
371 }
372
373 scheme, value, ok := strings.Cut(v, "://")
374 if !ok || value == "" {
375 return errInvalidCredentialSpecSecOpt
376 }
377 var err error
378 switch strings.ToLower(scheme) {
379 case "file":
380 credentialSpec, err = readCredentialSpecFile(c.ID, daemon.root, filepath.Clean(value))
381 if err != nil {
382 return errdefs.InvalidParameter(err)
383 }
384 case "registry":
385 credentialSpec, err = readCredentialSpecRegistry(c.ID, value)
386 if err != nil {
387 return errdefs.InvalidParameter(err)
388 }
389 case "config":
390 // if the container does not have a DependencyStore, then it
391 // isn't swarmkit managed. In order to avoid creating any
392 // impression that `config://` is a valid API, return the same
393 // error as if you'd passed any other random word.
394 if c.DependencyStore == nil {
395 return errInvalidCredentialSpecSecOpt
396 }
397
398 csConfig, err := c.DependencyStore.Configs().Get(value)
399 if err != nil {
400 return errdefs.System(errors.Wrap(err, "error getting value from config store"))
401 }
402 // stuff the resulting secret data into a string to use as the
403 // CredentialSpec
404 credentialSpec = string(csConfig.Spec.Data)
405 case "raw":
406 credentialSpec = value
407 default:
408 return errInvalidCredentialSpecSecOpt
409 }

Callers 2

Calls 8

InvalidParameterFunction · 0.92
SystemFunction · 0.92
readCredentialSpecFileFunction · 0.85
ErrorfMethod · 0.80
ConfigsMethod · 0.80
GetMethod · 0.65
CleanMethod · 0.45

Tested by 1