github.com/influxdata/telegraf@v1.30.3/config/secret_protected.go (about)

     1  package config
     2  
     3  import (
     4  	"fmt"
     5  
     6  	"github.com/awnumar/memguard"
     7  )
     8  
// protectedSecretImpl is the memguard-backed secret implementation: secrets
// handed to Container are sealed in an enclave, buffers come from locked
// memory, and Wipe zeroes caller-owned slices. The type carries no state.
type protectedSecretImpl struct{}
    10  
// Container seals secret into a memguard Enclave and returns it as a
// secretContainer. The plaintext is only materialized again by Equals and
// Buffer, which Open the enclave on demand.
//
// NOTE(review): memguard documents that NewEnclave wipes the source slice
// after sealing; callers should not rely on secret afterwards -- confirm
// against the memguard version pinned in go.mod.
func (*protectedSecretImpl) Container(secret []byte) secretContainer {
	c := &protectedSecretContainer{}
	c.enclave = memguard.NewEnclave(secret)
	return c
}
    16  
// EmptyBuffer returns a SecretBuffer with no locked memory allocated yet.
// In this state Size reports 0, Bytes returns nil and both string accessors
// return ""; Grow allocates the backing buffer on first use.
func (*protectedSecretImpl) EmptyBuffer() SecretBuffer {
	var lb lockedBuffer
	return &lb
}
    20  
// Wipe overwrites secret in place via memguard.WipeBytes so that plaintext
// does not linger in the caller's slice once it is no longer needed.
func (*protectedSecretImpl) Wipe(secret []byte) {
	memguard.WipeBytes(secret)
}
    24  
// lockedBuffer is the protected SecretBuffer implementation around a
// memguard LockedBuffer. A nil buf is the valid "empty" state produced by
// EmptyBuffer and by Destroy; the accessors check for it before
// dereferencing.
type lockedBuffer struct {
	buf *memguard.LockedBuffer // nil until Grow, Buffer or AsBuffer populate it
}
    28  
// Size returns the number of bytes held in the locked buffer, or 0 when no
// buffer has been allocated yet.
func (lb *lockedBuffer) Size() int {
	var n int
	if lb.buf != nil {
		n = lb.buf.Size()
	}
	return n
}
    35  
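// Grow ensures the locked buffer can hold at least capacity bytes.
//
// It is a no-op when the current size already satisfies the request.
// Otherwise a fresh locked buffer is allocated, the existing contents are
// copied over and the old buffer is destroyed (wiped) so that only one
// plaintext copy remains. A nil buf (the EmptyBuffer state) is allowed:
// there is nothing to copy or destroy in that case, so Destroy is only
// called on an existing buffer -- mirroring the nil check in Destroy.
func (lb *lockedBuffer) Grow(capacity int) {
	if capacity <= lb.Size() {
		return
	}

	// capacity > Size() >= 0 here, so memguard is always asked for a
	// positive size.
	buf := memguard.NewBuffer(capacity)
	if lb.buf != nil {
		buf.Copy(lb.buf.Bytes())
		// Wipe the previous copy of the secret before dropping the reference.
		lb.buf.Destroy()
	}
	lb.buf = buf
}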
    49  
// Bytes returns the secret as the locked buffer's own slice, or nil when the
// buffer is empty. The slice references protected memory (memguard's Bytes
// does not copy), so it must not be retained or read after Destroy.
func (lb *lockedBuffer) Bytes() []byte {
	if lb.buf != nil {
		return lb.buf.Bytes()
	}
	return nil
}
    56  
// TemporaryString returns a string view of the secret produced by memguard's
// String. It shares memory with the locked buffer and is only valid until
// Destroy; use String when an independent (but unprotected) copy is needed.
func (lb *lockedBuffer) TemporaryString() string {
	if b := lb.buf; b != nil {
		return b.String()
	}
	return ""
}
    63  
// String returns the secret as an ordinary Go string.
//
// Unlike TemporaryString, the string(...) conversion copies the plaintext
// into garbage-collected memory that cannot be wiped, so the copy outlives
// Destroy. Prefer Bytes or TemporaryString unless an independent string is
// genuinely required.
func (lb *lockedBuffer) String() string {
	raw := lb.Bytes()
	if raw == nil {
		return ""
	}
	return string(raw)
}
    70  
// Destroy wipes and releases the locked memory and resets the receiver to
// the empty state. Calling it on an already-empty buffer is a no-op, so
// repeated calls are safe.
func (lb *lockedBuffer) Destroy() {
	b := lb.buf
	if b == nil {
		return
	}
	b.Destroy()
	lb.buf = nil
}
    78  
// protectedSecretContainer is the memguard-backed secretContainer. The
// secret lives in a sealed Enclave; a nil enclave is the valid empty state
// (after Destroy, or when memguard returned nil for the input).
type protectedSecretContainer struct {
	enclave *memguard.Enclave // nil when the container holds no secret
}
    82  
// Destroy releases the container's secret and resets it to the empty state.
//
// The enclave is opened into a temporary locked buffer which is destroyed
// (wiped) immediately; an Open error is deliberately ignored because there
// is nothing further to wipe and Destroy has no error return. The enclave
// reference is dropped in every case.
//
// NOTE(review): what is wiped here is the freshly decrypted copy; the sealed
// enclave contents themselves are left to memguard/GC -- confirm this is the
// intended scope of "wipe the secret from memory".
func (c *protectedSecretContainer) Destroy() {
	e := c.enclave
	if e == nil {
		return
	}

	// Wipe the secret from memory
	if lockbuf, err := e.Open(); err == nil {
		lockbuf.Destroy()
	}
	c.enclave = nil
}
    95  
// Equals reports whether the sealed secret matches ref.
//
// The enclave is opened into a temporary locked buffer for the comparison
// and destroyed again before returning, so no plaintext copy outlives the
// call. An empty container never matches. A failure to open the enclave is
// returned wrapped, together with a false result.
func (c *protectedSecretContainer) Equals(ref []byte) (bool, error) {
	if c.enclave == nil {
		return false, nil
	}

	// Materialize the secret only for the duration of the comparison
	lockbuf, err := c.enclave.Open()
	if err != nil {
		return false, fmt.Errorf("opening enclave failed: %w", err)
	}
	defer lockbuf.Destroy()

	// NOTE(review): EqualTo is memguard's comparison and is expected to be
	// constant-time, which matters for secret comparison -- confirm against
	// the pinned memguard version if this property is relied upon.
	equal := lockbuf.EqualTo(ref)
	return equal, nil
}
   110  
// Buffer opens the enclave and returns the decrypted secret as a
// SecretBuffer.
//
// Ownership of the plaintext passes to the caller: unlike Equals, nothing
// here destroys the opened buffer, so the caller must call Destroy on the
// result when done. An empty container yields an empty buffer and no error;
// an Open failure yields a nil buffer and a wrapped error.
func (c *protectedSecretContainer) Buffer() (SecretBuffer, error) {
	if c.enclave == nil {
		return &lockedBuffer{}, nil
	}

	// Decrypt into a fresh locked buffer that the caller will own
	lockbuf, err := c.enclave.Open()
	if err != nil {
		return nil, fmt.Errorf("opening enclave failed: %w", err)
	}
	return &lockedBuffer{buf: lockbuf}, nil
}
   124  
// AsBuffer wraps an already-plaintext secret in a locked buffer. It does not
// touch the container's own enclave (the receiver is unused).
//
// NOTE(review): memguard documents NewBufferFromBytes as copying and then
// wiping the source slice, so callers must not reuse secret afterwards --
// verify against the pinned memguard version.
func (c *protectedSecretContainer) AsBuffer(secret []byte) SecretBuffer {
	buf := memguard.NewBufferFromBytes(secret)
	return &lockedBuffer{buf: buf}
}
   128  
// Replace seals secret into a new enclave and drops the previous one.
//
// NOTE(review): the old enclave is only dereferenced here, not destroyed as
// in Destroy; whether memguard scrubs sealed contents on garbage collection
// is not established by this file -- confirm if that matters for callers.
// memguard documents NewEnclave as wiping the source slice after sealing, so
// secret should not be reused by the caller (TODO confirm against the pinned
// version).
func (c *protectedSecretContainer) Replace(secret []byte) {
	c.enclave = memguard.NewEnclave(secret)
}