ade366544e
We now encrypt secrets at rest based on a key derived from a user suplied passphrase. The system is designed in a way such that we should be able to have a different decrypter (either using a local key or some remote service in the Pulumi.com case in the future). Care is taken to ensure that we do not leak decrypted secrets into the "info" section of the checkpoint file (since we currently store the config there). In addtion, secrets are "pay for play", a passphrase is only needed when dealing with a value that's encrypted. If secure config values are not used, `pulumi` will never prompt you for a passphrase. Otherwise, we only prompt if we know we are going to need to decrypt the value. For example, `pulumi config <key>` only prompts if `<key>` is encrypted and `pulumi deploy` and friends only prompt if you are targeting a stack that has secure configuration assoicated with it. Secure values show up as unecrypted config values inside the language hosts and providers.
73 lines
1.9 KiB
Go
73 lines
1.9 KiB
Go
// Copyright 2016-2017, Pulumi Corporation. All rights reserved.
|
|
|
|
package resource
|
|
|
|
import (
|
|
cryptorand "crypto/rand"
|
|
"crypto/sha1"
|
|
"encoding/hex"
|
|
|
|
"github.com/pulumi/pulumi/pkg/util/contract"
|
|
)
|
|
|
|
// ID is a unique resource identifier; it is managed by the provider and is mostly opaque to Lumi.
|
|
type ID string
|
|
|
|
// String converts a resource ID into a string.
|
|
func (id ID) String() string {
|
|
return string(id)
|
|
}
|
|
|
|
// StringPtr converts an optional ID into an optional string.
|
|
func (id *ID) StringPtr() *string {
|
|
if id == nil {
|
|
return nil
|
|
}
|
|
ids := (*id).String()
|
|
return &ids
|
|
}
|
|
|
|
// IDStrings turns an array of resource IDs into an array of strings.
|
|
func IDStrings(ids []ID) []string {
|
|
ss := make([]string, len(ids))
|
|
for i, id := range ids {
|
|
ss[i] = id.String()
|
|
}
|
|
return ss
|
|
}
|
|
|
|
// MaybeID turns an optional string into an optional resource ID.
|
|
func MaybeID(s *string) *ID {
|
|
var ret *ID
|
|
if s != nil {
|
|
id := ID(*s)
|
|
ret = &id
|
|
}
|
|
return ret
|
|
}
|
|
|
|
// NewUniqueHex generates a new "random" hex string for use by resource providers. It has the given optional prefix and
|
|
// the total length is capped to the maxlen. Note that capping to maxlen necessarily increases the risk of collisions.
|
|
func NewUniqueHex(prefix string, maxlen, randlen int) string {
|
|
if randlen == -1 {
|
|
randlen = sha1.Size // default to SHA1 size.
|
|
}
|
|
|
|
bs := make([]byte, randlen)
|
|
n, err := cryptorand.Read(bs)
|
|
contract.Assert(err == nil)
|
|
contract.Assert(n == len(bs))
|
|
|
|
str := prefix + hex.EncodeToString(bs)
|
|
if maxlen != -1 && len(str) > maxlen {
|
|
str = str[:maxlen]
|
|
}
|
|
return str
|
|
}
|
|
|
|
// NewUniqueHexID generates a new "random" hex ID for use by resource providers. It has the given optional prefix and
|
|
// the total length is capped to the maxlen. Note that capping to maxlen necessarily increases the risk of collisions.
|
|
func NewUniqueHexID(prefix string, maxlen, randlen int) ID {
|
|
return ID(NewUniqueHex(prefix, maxlen, randlen))
|
|
}
|