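package config

import (
	"fmt"

	"github.com/awnumar/memguard"
)

// protectedSecretImpl is the secret-storage backend that keeps secret material
// inside memguard enclaves and locked buffers rather than ordinary Go heap memory.
type protectedSecretImpl struct{}

// Container seals the given secret into a new memguard enclave.
//
// NOTE(review): memguard rejects zero-length input for a new enclave, so the
// caller is expected to never hand an empty secret in here — confirm against
// the Secret initialisation path.
func (*protectedSecretImpl) Container(secret []byte) secretContainer {
	return &protectedSecretContainer{
		enclave: memguard.NewEnclave(secret),
	}
}

// EmptyBuffer returns a buffer that holds no secret. Every lockedBuffer method
// tolerates the missing backing store, so the result is safe to use as-is.
func (*protectedSecretImpl) EmptyBuffer() SecretBuffer {
	return &lockedBuffer{}
}

// Wipe overwrites the given slice in place so the secret does not linger in memory.
func (*protectedSecretImpl) Wipe(secret []byte) {
	memguard.WipeBytes(secret)
}

// lockedBuffer adapts a memguard locked buffer to the SecretBuffer interface.
// A nil buf represents an empty buffer.
type lockedBuffer struct {
	buf *memguard.LockedBuffer
}

// Size returns the number of secret bytes held, or zero for an empty buffer.
func (lb *lockedBuffer) Size() int {
	if lb.buf == nil {
		return 0
	}
	return lb.buf.Size()
}

// Grow ensures the buffer can hold at least capacity bytes. The existing content
// is copied into a fresh locked buffer and the old one is destroyed; growing an
// empty buffer just allocates the new one.
func (lb *lockedBuffer) Grow(capacity int) {
	if capacity <= lb.Size() {
		return
	}

	// capacity > Size() >= 0 here, so the new buffer is never zero-sized.
	buf := memguard.NewBuffer(capacity)
	if lb.buf != nil {
		buf.Copy(lb.buf.Bytes())
		// Only destroy a buffer that actually exists: calling Destroy through a
		// nil *LockedBuffer dereferences nil, which the previous unconditional
		// call did for an empty buffer.
		lb.buf.Destroy()
	}
	lb.buf = buf
}

// Bytes exposes the secret bytes, or nil for an empty buffer. The slice aliases
// the locked memory and must not be used after Destroy.
func (lb *lockedBuffer) Bytes() []byte {
	if lb.buf == nil {
		return nil
	}
	return lb.buf.Bytes()
}

// TemporaryString returns the secret as a string, or "" for an empty buffer.
//
// NOTE(review): memguard documents LockedBuffer.String as being backed by the
// locked memory rather than a copy, which is why this is "temporary": the
// result is only valid until Destroy — confirm against the memguard version in use.
func (lb *lockedBuffer) TemporaryString() string {
	if lb.buf == nil {
		return ""
	}
	return lb.buf.String()
}

// String returns a copy of the secret as an ordinary Go string, or "" for an
// empty buffer. The conversion copies the bytes into unprotected, garbage
// collected memory that cannot be wiped; prefer TemporaryString or Bytes when
// the caller can live with the shorter lifetime.
func (lb *lockedBuffer) String() string {
	if lb.buf == nil {
		return ""
	}
	return string(lb.buf.Bytes())
}

// Destroy wipes and releases the locked memory. It is safe to call repeatedly;
// the buffer becomes empty afterwards.
func (lb *lockedBuffer) Destroy() {
	if lb.buf == nil {
		return
	}
	lb.buf.Destroy()
	lb.buf = nil
}

// protectedSecretContainer keeps a secret sealed in a memguard enclave and only
// decrypts it into locked memory on demand.
type protectedSecretContainer struct {
	enclave *memguard.Enclave
}

// Destroy drops the container's enclave. Calling it on an already destroyed
// container is a no-op.
//
// NOTE(review): Open produces a fresh locked copy of the plaintext and Destroy
// wipes that copy; the enclave itself is only released to the GC by dropping
// the reference — confirm this matches the intended wipe semantics.
func (c *protectedSecretContainer) Destroy() {
	if c.enclave == nil {
		return
	}

	// Wipe the secret from memory. A failed Open leaves nothing decrypted to
	// wipe, so the error is deliberately dropped.
	lockbuf, err := c.enclave.Open()
	if err == nil {
		lockbuf.Destroy()
	}
	c.enclave = nil
}

// Equals reports whether the stored secret matches ref. The secret is decrypted
// into a locked buffer only for the duration of the comparison; an empty
// container never matches. An error is returned when the enclave cannot be opened.
func (c *protectedSecretContainer) Equals(ref []byte) (bool, error) {
	if c.enclave == nil {
		return false, nil
	}

	// Get a locked-buffer of the secret to perform the comparison
	lockbuf, err := c.enclave.Open()
	if err != nil {
		return false, fmt.Errorf("opening enclave failed: %w", err)
	}
	defer lockbuf.Destroy()

	// memguard documents EqualTo as a constant-time comparison, so the compare
	// should not leak how many leading bytes of ref matched.
	return lockbuf.EqualTo(ref), nil
}

// Buffer decrypts the secret into a fresh locked buffer owned by the caller, who
// must Destroy it when done. An empty container yields an empty buffer; an error
// is returned when the enclave cannot be opened.
func (c *protectedSecretContainer) Buffer() (SecretBuffer, error) {
	if c.enclave == nil {
		return &lockedBuffer{}, nil
	}

	// Get a locked-buffer of the secret; ownership passes to the caller
	lockbuf, err := c.enclave.Open()
	if err != nil {
		return nil, fmt.Errorf("opening enclave failed: %w", err)
	}

	return &lockedBuffer{buf: lockbuf}, nil
}

// AsBuffer copies the given bytes into a new locked buffer owned by the caller.
// It does not touch the container's own enclave.
//
// NOTE(review): memguard documents NewBufferFromBytes as wiping its source slice
// after copying and returning an immutable buffer, so secret should not be
// expected to survive this call — confirm against the memguard version in use.
func (c *protectedSecretContainer) AsBuffer(secret []byte) SecretBuffer {
	return &lockedBuffer{buf: memguard.NewBufferFromBytes(secret)}
}

// Replace seals a new secret into the container. The previous enclave reference
// is simply overwritten; no explicit wipe is attempted for it here.
func (c *protectedSecretContainer) Replace(secret []byte) {
	c.enclave = memguard.NewEnclave(secret)
}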