4 package credentials
5
6 import (
7 "context"
8 "encoding/json"
9 "errors"
10 "fmt"
11
12 "github.com/Microsoft/hcsshim/internal/hcs"
13 hcsschema "github.com/Microsoft/hcsshim/internal/hcs/schema2"
14 "github.com/Microsoft/hcsshim/internal/log"
15 )
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
// CCGResource is the handle returned by CreateCredentialGuard for a container
// credential guard instance; calling Release removes that instance again.
type CCGResource struct {
	// id is the container ID the credential guard instance was registered under.
	// Release passes it to removeCredentialGuard.
	id string
}
36
37
38
39
40
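// Release removes the container credential guard instance tracked by this
// resource. The error from removeCredentialGuard is wrapped with %w so callers
// can still inspect the underlying HCS error with errors.Is/errors.As.
func (ccgResource *CCGResource) Release(ctx context.Context) error {
	if err := removeCredentialGuard(ctx, ccgResource.id); err != nil {
		return fmt.Errorf("failed to remove container credential guard instance: %w", err)
	}
	return nil
}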
47
48
49
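// CreateCredentialGuard creates a container credential guard (CCG) instance for
// the container with the given id and returns the instance as HCS reports it
// back, together with a CCGResource whose Release removes the instance again.
//
// credSpec is forwarded to HCS unchanged and is not logged by this function
// (only the container ID is). hypervisorIsolated selects the transport the
// instance is registered with: "HvSocket" for hypervisor-isolated containers,
// "LRPC" otherwise.
//
// Errors from HCS are wrapped with %w so callers can inspect them with
// errors.Is/errors.As. On any error both returned pointers are nil.
func CreateCredentialGuard(ctx context.Context, id, credSpec string, hypervisorIsolated bool) (*hcsschema.ContainerCredentialGuardInstance, *CCGResource, error) {
	log.G(ctx).WithField("containerID", id).Debug("creating container credential guard instance")

	transport := "LRPC"
	if hypervisorIsolated {
		transport = "HvSocket"
	}
	req := hcsschema.ModificationRequest{
		PropertyType: hcsschema.PTContainerCredentialGuard,
		Settings: &hcsschema.ContainerCredentialGuardOperationRequest{
			Operation: hcsschema.AddInstance,
			OperationDetails: &hcsschema.ContainerCredentialGuardAddInstanceRequest{
				Id:             id,
				CredentialSpec: credSpec,
				Transport:      transport,
			},
		},
	}
	if err := hcs.ModifyServiceSettings(ctx, req); err != nil {
		return nil, nil, fmt.Errorf("failed to generate container credential guard instance: %w", err)
	}

	// ModifyServiceSettings only reports an error, so the created instance has
	// to be looked up from the CCG service properties by id.
	instance, err := findCredentialGuardInstance(ctx, id)
	if err != nil {
		return nil, nil, err
	}
	return instance, &CCGResource{id: id}, nil
}

// findCredentialGuardInstance queries the HCS container credential guard
// service properties and returns the instance whose Id equals id.
func findCredentialGuardInstance(ctx context.Context, id string) (*hcsschema.ContainerCredentialGuardInstance, error) {
	q := hcsschema.PropertyQuery{
		PropertyTypes: []hcsschema.PropertyType{hcsschema.PTContainerCredentialGuard},
	}
	serviceProps, err := hcs.GetServiceProperties(ctx, q)
	if err != nil {
		return nil, fmt.Errorf("failed to retrieve container credential guard instances: %w", err)
	}
	// Exactly one property type was requested, so exactly one entry is expected.
	if len(serviceProps.Properties) != 1 {
		return nil, errors.New("wrong number of service properties present")
	}

	ccgSysInfo := &hcsschema.ContainerCredentialGuardSystemInfo{}
	if err := json.Unmarshal(serviceProps.Properties[0], ccgSysInfo); err != nil {
		return nil, fmt.Errorf("failed to unmarshal container credential guard instances: %w", err)
	}
	// Index instead of ranging by value so no per-iteration copy of the instance
	// is made and the returned pointer refers to the decoded element.
	for i := range ccgSysInfo.Instances {
		if ccgSysInfo.Instances[i].Id == id {
			return &ccgSysInfo.Instances[i], nil
		}
	}
	return nil, fmt.Errorf("failed to find credential guard instance with container ID %s", id)
}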
115
116
// removeCredentialGuard asks HCS to remove the container credential guard
// instance registered under id. The error from hcs.ModifyServiceSettings is
// returned unchanged.
func removeCredentialGuard(ctx context.Context, id string) error {
	log.G(ctx).WithField("containerID", id).Debug("removing container credential guard")

	details := &hcsschema.ContainerCredentialGuardRemoveInstanceRequest{Id: id}
	settings := &hcsschema.ContainerCredentialGuardOperationRequest{
		Operation:        hcsschema.RemoveInstance,
		OperationDetails: details,
	}
	return hcs.ModifyServiceSettings(ctx, hcsschema.ModificationRequest{
		PropertyType: hcsschema.PTContainerCredentialGuard,
		Settings:     settings,
	})
}
131