github.com/kaisenlinux/docker.io@v0.0.0-20230510090727-ea55db55fac7/swarmkit/agent/configs/configs.go (about)

     1  package configs
     2  
     3  import (
     4  	"fmt"
     5  	"sync"
     6  
     7  	"github.com/docker/swarmkit/agent/exec"
     8  	"github.com/docker/swarmkit/api"
     9  )
    10  
// configs is the agent-side, in-memory store of the configs currently
// available to this agent, keyed by config ID.
//
// All access to the map goes through mu: readers take the read lock and
// writers take the write lock.
type configs struct {
	// mu guards m.
	mu sync.RWMutex
	// m maps a config ID to the stored config.
	m map[string]*api.Config
}
    17  
// NewManager builds an empty config store with its map already allocated and
// returns it as an exec.ConfigsManager.
func NewManager() exec.ConfigsManager {
	store := &configs{}
	store.m = make(map[string]*api.Config)
	return store
}
    24  
// Get looks up a config by ID while holding the read lock. When the ID is not
// present it returns a nil config together with a non-nil error.
//
// The returned pointer is the entry held in the map, not a copy. Callers
// should treat it as read-only: a write through it happens outside r.mu and is
// visible to every other holder of the same pointer.
func (r *configs) Get(configID string) (*api.Config, error) {
	r.mu.RLock()
	defer r.mu.RUnlock()

	cfg, found := r.m[configID]
	if !found {
		return nil, fmt.Errorf("config %s not found", configID)
	}
	return cfg, nil
}
    34  
// Add stores the given configs under their IDs while holding the write lock.
// An entry that already exists for an ID is replaced.
//
// Each value is stored as the result of Copy() rather than a pointer to the
// argument (presumably a deep copy, so the store stays independent of the
// caller's value; confirm against api.Config.Copy).
func (r *configs) Add(configs ...api.Config) {
	r.mu.Lock()
	defer r.mu.Unlock()

	for i := range configs {
		r.m[configs[i].ID] = configs[i].Copy()
	}
}
    43  
// Remove deletes the entries for the given config IDs while holding the write
// lock. IDs that are not in the map are ignored, so the call always succeeds.
func (r *configs) Remove(configs []string) {
	r.mu.Lock()
	defer r.mu.Unlock()

	for i := 0; i < len(configs); i++ {
		// delete on a missing key is a no-op.
		delete(r.m, configs[i])
	}
}
    53  
// Reset drops every stored config by swapping in a fresh, empty map under the
// write lock. Pointers handed out earlier by Get are not touched; they simply
// stop being reachable through the store.
func (r *configs) Reset() {
	fresh := make(map[string]*api.Config)

	r.mu.Lock()
	r.m = fresh
	r.mu.Unlock()
}
    60  
// taskRestrictedConfigsProvider wraps a config getter and limits lookups to
// the config IDs that one task is allowed to read.
type taskRestrictedConfigsProvider struct {
	// configs is the underlying getter that lookups are forwarded to.
	configs exec.ConfigGetter
	// configIDs is the allow list: only IDs present as keys may be fetched.
	configIDs map[string]struct{}
}
    66  
// Get returns the config for configID only when that ID is on the provider's
// allow list; any other ID ends in the "not authorized" error.
//
// The allow-list check runs before the underlying getter is consulted, so a
// denied request never reaches the backing store and the error is the same
// whether or not the config exists there. A nil or empty allow list denies
// every ID.
func (sp *taskRestrictedConfigsProvider) Get(configID string) (*api.Config, error) {
	_, allowed := sp.configIDs[configID]
	if allowed {
		return sp.configs.Get(configID)
	}
	// Default outcome: anything not explicitly allowed is refused.
	return nil, fmt.Errorf("task not authorized to access config %s", configID)
}
    74  
// Restrict wraps configs in a getter that only serves the config IDs
// referenced by the container spec of task t.
//
// The allow list is built once, from t.Spec at the time of the call; later
// changes to the task are not reflected in the returned getter. A task whose
// spec has no container gets an empty allow list, so every lookup through the
// returned getter is refused. t must be non-nil, because t.Spec is read
// without a nil check.
func Restrict(configs exec.ConfigGetter, t *api.Task) exec.ConfigGetter {
	allowed := make(map[string]struct{})

	if c := t.Spec.GetContainer(); c != nil {
		for _, ref := range c.Configs {
			allowed[ref.ConfigID] = struct{}{}
		}
	}

	return &taskRestrictedConfigsProvider{
		configs:   configs,
		configIDs: allowed,
	}
}