1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
|
package secret
import (
"encoding/base64"
"fmt"
"io/ioutil"
"sync"
)
const numSecretBytes = 32
type sec struct {
path string
bytes []byte
sync.RWMutex
}
var (
theSecret = &sec{}
)
func SetPath(path string) {
theSecret.Lock()
defer theSecret.Unlock()
theSecret.path = path
theSecret.bytes = nil
}
// Lazy access to the HMAC secret key. We must be lazy because if the key
// is not already there, it will be generated by gitlab-rails, and
// gitlab-rails is slow.
func Bytes() ([]byte, error) {
if bytes := getBytes(); bytes != nil {
return copyBytes(bytes), nil
}
return setBytes()
}
func getBytes() []byte {
theSecret.RLock()
defer theSecret.RUnlock()
return theSecret.bytes
}
func copyBytes(bytes []byte) []byte {
out := make([]byte, len(bytes))
copy(out, bytes)
return out
}
func setBytes() ([]byte, error) {
theSecret.Lock()
defer theSecret.Unlock()
if theSecret.bytes != nil {
return theSecret.bytes, nil
}
base64Bytes, err := ioutil.ReadFile(theSecret.path)
if err != nil {
return nil, fmt.Errorf("secret.setBytes: read %q: %v", theSecret.path, err)
}
secretBytes := make([]byte, base64.StdEncoding.DecodedLen(len(base64Bytes)))
n, err := base64.StdEncoding.Decode(secretBytes, base64Bytes)
if err != nil {
return nil, fmt.Errorf("secret.setBytes: decode secret: %v", err)
}
if n != numSecretBytes {
return nil, fmt.Errorf("secret.setBytes: expected %d secretBytes in %s, found %d", numSecretBytes, theSecret.path, n)
}
theSecret.bytes = secretBytes
return copyBytes(theSecret.bytes), nil
}
|