Merge pull request moby#1695 from stevvooe/secrets-decoupled

Aaron Lehmann · web-flow · commit 0ec7c6ee4b31 · 2016-10-25T21:43:52.000-07:00
secrets: decouple secrets from agent package
diff --git a/agent/agent_test.go b/agent/agent_test.go
@@ -26,7 +26,7 @@ func (e *NoopExecutor) Configure(ctx context.Context, node *api.Node) error {
 	return nil
 }
 
-func (e *NoopExecutor) Controller(t *api.Task, secrets exec.SecretProvider) (exec.Controller, error) {
+func (e *NoopExecutor) Controller(t *api.Task) (exec.Controller, error) {
 	return nil, exec.ErrRuntimeUnsupported
 }
 
diff --git a/agent/exec/container/adapter.go b/agent/exec/container/adapter.go
@@ -26,10 +26,10 @@ import (
 type containerAdapter struct {
 	client    engineapi.APIClient
 	container *containerConfig
-	secrets   exec.SecretProvider
+	secrets   exec.SecretGetter
 }
 
-func newContainerAdapter(client engineapi.APIClient, task *api.Task, secrets exec.SecretProvider) (*containerAdapter, error) {
+func newContainerAdapter(client engineapi.APIClient, task *api.Task, secrets exec.SecretGetter) (*containerAdapter, error) {
 	ctnr, err := newContainerConfig(task)
 	if err != nil {
 		return nil, err
diff --git a/agent/exec/container/controller.go b/agent/exec/container/controller.go
@@ -31,7 +31,7 @@ type controller struct {
 var _ exec.Controller = &controller{}
 
 // newController returns a docker exec controller for the provided task.
-func newController(client engineapi.APIClient, task *api.Task, secrets exec.SecretProvider) (exec.Controller, error) {
+func newController(client engineapi.APIClient, task *api.Task, secrets exec.SecretGetter) (exec.Controller, error) {
 	adapter, err := newContainerAdapter(client, task, secrets)
 	if err != nil {
 		return nil, err
diff --git a/agent/exec/container/executor.go b/agent/exec/container/executor.go
@@ -6,18 +6,21 @@ import (
 
 	engineapi "github.com/docker/docker/client"
 	"github.com/docker/swarmkit/agent/exec"
+	"github.com/docker/swarmkit/agent/secrets"
 	"github.com/docker/swarmkit/api"
 	"golang.org/x/net/context"
 )
 
 type executor struct {
-	client engineapi.APIClient
+	client  engineapi.APIClient
+	secrets exec.SecretsManager
 }
 
 // NewExecutor returns an executor from the docker client.
 func NewExecutor(client engineapi.APIClient) exec.Executor {
 	return &executor{
-		client: client,
+		client:  client,
+		secrets: secrets.NewManager(),
 	}
 }
 
@@ -86,8 +89,8 @@ func (e *executor) Configure(ctx context.Context, node *api.Node) error {
 }
 
 // Controller returns a docker container controller.
-func (e *executor) Controller(t *api.Task, secrets exec.SecretProvider) (exec.Controller, error) {
-	ctlr, err := newController(e.client, t, secrets)
+func (e *executor) Controller(t *api.Task) (exec.Controller, error) {
+	ctlr, err := newController(e.client, t, secrets.Restrict(e.secrets, t))
 	if err != nil {
 		return nil, err
 	}
@@ -99,6 +102,10 @@ func (e *executor) SetNetworkBootstrapKeys([]*api.EncryptionKey) error {
 	return nil
 }
 
+func (e *executor) Secrets() exec.SecretsManager {
+	return e.secrets
+}
+
 type sortedPlugins []api.PluginDescription
 
 func (sp sortedPlugins) Len() int { return len(sp) }
diff --git a/agent/exec/controller.go b/agent/exec/controller.go
@@ -59,14 +59,14 @@ type ContainerStatuser interface {
 //
 // Unlike Do, if an error is returned, the status should still be reported. The
 // error merely reports the failure at getting the controller.
-func Resolve(ctx context.Context, task *api.Task, secrets SecretProvider, executor Executor) (Controller, *api.TaskStatus, error) {
+func Resolve(ctx context.Context, task *api.Task, executor Executor) (Controller, *api.TaskStatus, error) {
 	status := task.Status.Copy()
 
 	defer func() {
 		logStateChange(ctx, task.DesiredState, task.Status.State, status.State)
 	}()
 
-	ctlr, err := executor.Controller(task, secrets)
+	ctlr, err := executor.Controller(task)
 
 	// depending on the tasks state, a failed controller resolution has varying
 	// impact. The following expresses that impact.
diff --git a/agent/exec/controller_test.go b/agent/exec/controller_test.go
@@ -23,21 +23,21 @@ func TestResolve(t *testing.T) {
 		task     = newTestTask(t, api.TaskStateAssigned, api.TaskStateRunning)
 	)
 
-	_, status, err := Resolve(ctx, task, nil, executor)
+	_, status, err := Resolve(ctx, task, executor)
 	assert.NoError(t, err)
 	assert.Equal(t, api.TaskStateAccepted, status.State)
 	assert.Equal(t, "accepted", status.Message)
 
 	task.Status = *status
 	// now, we get no status update.
-	_, status, err = Resolve(ctx, task, nil, executor)
+	_, status, err = Resolve(ctx, task, executor)
 	assert.NoError(t, err)
 	assert.Equal(t, task.Status, *status)
 
 	// now test an error causing rejection
 	executor.err = errors.New("some error")
 	task = newTestTask(t, api.TaskStateAssigned, api.TaskStateRunning)
-	_, status, err = Resolve(ctx, task, nil, executor)
+	_, status, err = Resolve(ctx, task, executor)
 	assert.Equal(t, executor.err, err)
 	assert.Equal(t, api.TaskStateRejected, status.State)
 
@@ -46,7 +46,7 @@ func TestResolve(t *testing.T) {
 	// touched.
 	task.Status = *status
 	executor.err = nil
-	_, status, err = Resolve(ctx, task, nil, executor)
+	_, status, err = Resolve(ctx, task, executor)
 	assert.NoError(t, err)
 	assert.Equal(t, task.Status, *status)
 }
@@ -411,6 +411,6 @@ type mockExecutor struct {
 	err error
 }
 
-func (m *mockExecutor) Controller(t *api.Task, secrets SecretProvider) (Controller, error) {
+func (m *mockExecutor) Controller(t *api.Task) (Controller, error) {
 	return nil, m.err
 }
diff --git a/agent/exec/executor.go b/agent/exec/executor.go
@@ -15,16 +15,31 @@ type Executor interface {
 	Configure(ctx context.Context, node *api.Node) error
 
 	// Controller provides a controller for the given task.
-	Controller(t *api.Task, secrets SecretProvider) (Controller, error)
+	Controller(t *api.Task) (Controller, error)
 
 	// SetNetworkBootstrapKeys passes the symmetric keys from the
 	// manager to the executor.
 	SetNetworkBootstrapKeys([]*api.EncryptionKey) error
 }
 
-// SecretProvider contains secret data necessary for the Controller.
-type SecretProvider interface {
+// SecretsProvider is implemented by objects that can store secrets, typically
+// an executor.
+type SecretsProvider interface {
+	Secrets() SecretsManager
+}
+
+// SecretGetter contains secret data necessary for the Controller.
+type SecretGetter interface {
 	// Get returns the the secret with a specific secret ID, if available.
 	// When the secret is not available, the return will be nil.
 	Get(secretID string) *api.Secret
 }
+
+// SecretsManager is the interface for secret storage and updates.
+type SecretsManager interface {
+	SecretGetter
+
+	Add(secrets ...api.Secret) // add one or more secrets
+	Remove(secrets []string)   // remove the secrets by ID
+	Reset()                    // remove all secrets
+}
diff --git a/agent/secrets/secrets.go b/agent/secrets/secrets.go
@@ -1,4 +1,4 @@
-package agent
+package secrets
 
 import (
 	"sync"
@@ -14,7 +14,8 @@ type secrets struct {
 	m  map[string]*api.Secret
 }
 
-func newSecrets() *secrets {
+// NewManager returns a place to store secrets.
+func NewManager() exec.SecretsManager {
 	return &secrets{
 		m: make(map[string]*api.Secret),
 	}
@@ -31,7 +32,7 @@ func (s *secrets) Get(secretID string) *api.Secret {
 }
 
 // add adds one or more secrets to the secret map
-func (s *secrets) add(secrets ...api.Secret) {
+func (s *secrets) Add(secrets ...api.Secret) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for _, secret := range secrets {
@@ -41,7 +42,7 @@ func (s *secrets) add(secrets ...api.Secret) {
 
 // remove removes one or more secrets by ID from the secret map.  Succeeds
 // whether or not the given IDs are in the map.
-func (s *secrets) remove(secrets []string) {
+func (s *secrets) Remove(secrets []string) {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	for _, secret := range secrets {
@@ -50,46 +51,37 @@ func (s *secrets) remove(secrets []string) {
 }
 
 // reset removes all the secrets
-func (s *secrets) reset() {
+func (s *secrets) Reset() {
 	s.mu.Lock()
 	defer s.mu.Unlock()
 	s.m = make(map[string]*api.Secret)
 }
 
-func (s *secrets) filter(secretIDs []string) map[string]*api.Secret {
-	s.mu.RLock()
-	defer s.mu.RUnlock()
-	filteredSecrets := make(map[string]*api.Secret)
-
-	for _, secretID := range secretIDs {
-		if s, ok := s.m[secretID]; ok {
-			filteredSecrets[secretID] = s.Copy()
-		}
-	}
-
-	return filteredSecrets
+// taskRestrictedSecretsProvider restricts the ids to the task.
+type taskRestrictedSecretsProvider struct {
+	secrets   exec.SecretGetter
+	secretIDs map[string]struct{} // allow list of secret ids
 }
 
-// getStore returns ta Store with only the secrets corresponding to the IDs
-// that are passed in.
-func (s *secrets) getStore(secretIDs []string) exec.SecretProvider {
-	return &secrets{
-		m: s.filter(secretIDs),
+func (sp *taskRestrictedSecretsProvider) Get(secretID string) *api.Secret {
+	if _, ok := sp.secretIDs[secretID]; !ok {
+		return nil
 	}
+
+	return sp.secrets.Get(secretID)
 }
 
-// getStoreForTask returns only the secrets needed by a specific Task
-func (s *secrets) getStoreForTask(task *api.Task) exec.SecretProvider {
-	var secretIDs []string
+// Restrict provides a getter that only allows access to the secrets
+// referenced by the task.
+func Restrict(secrets exec.SecretGetter, t *api.Task) exec.SecretGetter {
+	sids := map[string]struct{}{}
 
-	container := task.Spec.GetContainer()
+	container := t.Spec.GetContainer()
 	if container != nil {
-		for _, secretRef := range container.Secrets {
-			secretIDs = append(secretIDs, secretRef.SecretID)
+		for _, ref := range container.Secrets {
+			sids[ref.SecretID] = struct{}{}
 		}
 	}
 
-	return &secrets{
-		m: s.filter(secretIDs),
-	}
+	return &taskRestrictedSecretsProvider{secrets: secrets, secretIDs: sids}
 }
diff --git a/agent/worker.go b/agent/worker.go
@@ -42,7 +42,6 @@ type worker struct {
 	db        *bolt.DB
 	executor  exec.Executor
 	listeners map[*statusReporterKey]struct{}
-	secrets   *secrets
 
 	taskManagers map[string]*taskManager
 	mu           sync.RWMutex
@@ -54,7 +53,6 @@ func newWorker(db *bolt.DB, executor exec.Executor) *worker {
 		executor:     executor,
 		listeners:    make(map[*statusReporterKey]struct{}),
 		taskManagers: make(map[string]*taskManager),
-		secrets:      newSecrets(),
 	}
 }
 
@@ -255,6 +253,15 @@ func reconcileTaskState(ctx context.Context, w *worker, assignments []*api.Assig
 }
 
 func reconcileSecrets(ctx context.Context, w *worker, assignments []*api.AssignmentChange, fullSnapshot bool) error {
+	var secrets exec.SecretsManager
+	provider, ok := w.executor.(exec.SecretsProvider)
+	if !ok {
+		log.G(ctx).Warn("secrets update ignored; executor does not support secrets")
+		return nil
+	}
+
+	secrets = provider.Secrets()
+
 	var (
 		updatedSecrets []api.Secret
 		removedSecrets []string
@@ -278,11 +285,11 @@ func reconcileSecrets(ctx context.Context, w *worker, assignments []*api.Assignm
 
 	// If this was a complete set of secrets, we're going to clear the secrets map and add all of them
 	if fullSnapshot {
-		w.secrets.reset()
+		secrets.Reset()
 	} else {
-		w.secrets.remove(removedSecrets)
+		secrets.Remove(removedSecrets)
 	}
-	w.secrets.add(updatedSecrets...)
+	secrets.Add(updatedSecrets...)
 
 	return nil
 }
@@ -337,9 +344,8 @@ func (w *worker) taskManager(ctx context.Context, tx *bolt.Tx, task *api.Task) (
 
 func (w *worker) newTaskManager(ctx context.Context, tx *bolt.Tx, task *api.Task) (*taskManager, error) {
 	ctx = log.WithLogger(ctx, log.G(ctx).WithField("task.id", task.ID))
-	secrets := w.secrets.getStoreForTask(task)
 
-	ctlr, status, err := exec.Resolve(ctx, task, secrets, w.executor)
+	ctlr, status, err := exec.Resolve(ctx, task, w.executor)
 	if err := w.updateTaskStatus(ctx, tx, task.ID, status); err != nil {
 		log.G(ctx).WithError(err).Error("error updating task status after controller resolution")
 	}
diff --git a/agent/worker_test.go b/agent/worker_test.go
@@ -6,6 +6,7 @@ import (
 	"github.com/Sirupsen/logrus"
 	"github.com/boltdb/bolt"
 	"github.com/docker/swarmkit/agent/exec"
+	"github.com/docker/swarmkit/agent/secrets"
 	"github.com/docker/swarmkit/api"
 	"github.com/docker/swarmkit/log"
 	"github.com/stretchr/testify/assert"
@@ -17,7 +18,7 @@ func TestWorkerAssign(t *testing.T) {
 	defer cleanup()
 
 	ctx := context.Background()
-	executor := &mockExecutor{t: t}
+	executor := &mockExecutor{t: t, secrets: secrets.NewManager()}
 	worker := newWorker(db, executor)
 	reporter := statusReporterFunc(func(ctx context.Context, taskID string, status *api.TaskStatus) error {
 		log.G(ctx).WithFields(logrus.Fields{"task.id": taskID, "status": status}).Info("status update received")
@@ -138,9 +139,8 @@ func TestWorkerAssign(t *testing.T) {
 
 		assert.Equal(t, testcase.expectedTasks, tasks)
 		assert.Equal(t, testcase.expectedAssigned, assigned)
-		assert.Len(t, worker.secrets.m, len(testcase.expectedSecrets))
 		for _, secret := range testcase.expectedSecrets {
-			assert.NotNil(t, worker.secrets.Get(secret.ID))
+			assert.NotNil(t, executor.secrets.Get(secret.ID))
 		}
 	}
 }
@@ -150,7 +150,7 @@ func TestWorkerUpdate(t *testing.T) {
 	defer cleanup()
 
 	ctx := context.Background()
-	executor := &mockExecutor{t: t}
+	executor := &mockExecutor{t: t, secrets: secrets.NewManager()}
 	worker := newWorker(db, executor)
 	reporter := statusReporterFunc(func(ctx context.Context, taskID string, status *api.TaskStatus) error {
 		log.G(ctx).WithFields(logrus.Fields{"task.id": taskID, "status": status}).Info("status update received")
@@ -350,9 +350,8 @@ func TestWorkerUpdate(t *testing.T) {
 
 		assert.Equal(t, testcase.expectedTasks, tasks)
 		assert.Equal(t, testcase.expectedAssigned, assigned)
-		assert.Len(t, worker.secrets.m, len(testcase.expectedSecrets))
 		for _, secret := range testcase.expectedSecrets {
-			assert.NotNil(t, worker.secrets.Get(secret.ID))
+			assert.NotNil(t, executor.secrets.Get(secret.ID))
 		}
 	}
 }
@@ -376,8 +375,13 @@ func (mtc *mockTaskController) Close() error {
 type mockExecutor struct {
 	t *testing.T
 	exec.Executor
+	secrets exec.SecretsManager
 }
 
-func (m *mockExecutor) Controller(task *api.Task, secrets exec.SecretProvider) (exec.Controller, error) {
+func (m *mockExecutor) Controller(task *api.Task) (exec.Controller, error) {
 	return &mockTaskController{t: m.t, task: task}, nil
 }
+
+func (m *mockExecutor) Secrets() exec.SecretsManager {
+	return m.secrets
+}
diff --git a/integration/exec.go b/integration/exec.go
@@ -26,7 +26,7 @@ func (e *TestExecutor) SetNetworkBootstrapKeys([]*api.EncryptionKey) error {
 }
 
 // Controller returns TestController.
-func (e *TestExecutor) Controller(t *api.Task, secrets exec.SecretProvider) (exec.Controller, error) {
+func (e *TestExecutor) Controller(t *api.Task) (exec.Controller, error) {
 	return &TestController{
 		ch: make(chan struct{}),
 	}, nil

Original file line number	Diff line number	Diff line change
`@@ -26,7 +26,7 @@ func (e NoopExecutor) Configure(ctx context.Context, node api.Node) error {`
`26`	`26`	`return nil`
`27`	`27`	`}`
`28`	`28`
`29`		`-func (e NoopExecutor) Controller(t api.Task, secrets exec.SecretProvider) (exec.Controller, error) {`
	`29`	`+func (e NoopExecutor) Controller(t api.Task) (exec.Controller, error) {`
`30`	`30`	`return nil, exec.ErrRuntimeUnsupported`
`31`	`31`	`}`
`32`	`32`
Original file line number	Diff line number	Diff line change
`@@ -6,18 +6,21 @@ import (`
`6`	`6`
`7`	`7`	`engineapi "github.com/docker/docker/client"`
`8`	`8`	`"github.com/docker/swarmkit/agent/exec"`
	`9`	`+ "github.com/docker/swarmkit/agent/secrets"`
`9`	`10`	`"github.com/docker/swarmkit/api"`
`10`	`11`	`"golang.org/x/net/context"`
`11`	`12`	`)`
`12`	`13`
`13`	`14`	`type executor struct {`
`14`		`- client engineapi.APIClient`
	`15`	`+ client engineapi.APIClient`
	`16`	`+ secrets exec.SecretsManager`
`15`	`17`	`}`
`16`	`18`
`17`	`19`	`// NewExecutor returns an executor from the docker client.`
`18`	`20`	`func NewExecutor(client engineapi.APIClient) exec.Executor {`
`19`	`21`	`return &executor{`
`20`		`- client: client,`
	`22`	`+ client: client,`
	`23`	`+ secrets: secrets.NewManager(),`
`21`	`24`	`}`
`22`	`25`	`}`
`23`	`26`
`@@ -86,8 +89,8 @@ func (e executor) Configure(ctx context.Context, node api.Node) error {`
`86`	`89`	`}`
`87`	`90`
`88`	`91`	`// Controller returns a docker container controller.`
`89`		`-func (e executor) Controller(t api.Task, secrets exec.SecretProvider) (exec.Controller, error) {`
`90`		`- ctlr, err := newController(e.client, t, secrets)`
	`92`	`+func (e executor) Controller(t api.Task) (exec.Controller, error) {`
	`93`	`+ ctlr, err := newController(e.client, t, secrets.Restrict(e.secrets, t))`
`91`	`94`	`if err != nil {`
`92`	`95`	`return nil, err`
`93`	`96`	`}`
`@@ -99,6 +102,10 @@ func (e executor) SetNetworkBootstrapKeys([]api.EncryptionKey) error {`
`99`	`102`	`return nil`
`100`	`103`	`}`
`101`	`104`
	`105`	`+func (e *executor) Secrets() exec.SecretsManager {`
	`106`	`+ return e.secrets`
	`107`	`+}`
	`108`	`+`
`102`	`109`	`type sortedPlugins []api.PluginDescription`
`103`	`110`
`104`	`111`	`func (sp sortedPlugins) Len() int { return len(sp) }`