moby
diff --git a/‎daemon/oci_windows.go‎
Lines changed: 103 additions & 82 deletions b/‎daemon/oci_windows.go‎
Lines changed: 103 additions & 82 deletions
@@ -1,6 +1,7 @@
 package daemon // import "github.com/docker/docker/daemon"
 
 import (
+	"encoding/base64"
 	"fmt"
 	"io/ioutil"
 	"path/filepath"
@@ -9,6 +10,7 @@ import (
 
 	containertypes "github.com/docker/docker/api/types/container"
 	"github.com/docker/docker/container"
+	"github.com/docker/docker/errdefs"
 	"github.com/docker/docker/oci"
 	"github.com/docker/docker/oci/caps"
 	"github.com/docker/docker/pkg/sysinfo"
@@ -253,68 +255,8 @@ func (daemon *Daemon) createSpecWindowsFields(c *container.Container, s *specs.S
 	setResourcesInSpec(c, s, isHyperV)
 
 	// Read and add credentials from the security options if a credential spec has been provided.
-	if c.HostConfig.SecurityOpt != nil {
-		cs := ""
-		for _, sOpt := range c.HostConfig.SecurityOpt {
-			sOpt = strings.ToLower(sOpt)
-			if !strings.Contains(sOpt, "=") {
-				return fmt.Erro
10000
rf("invalid security option: no equals sign in supplied value %s", sOpt)
-			}
-			var splitsOpt []string
-			splitsOpt = strings.SplitN(sOpt, "=", 2)
-			if len(splitsOpt) != 2 {
-				return fmt.Errorf("invalid security option: %s", sOpt)
-			}
-			if splitsOpt[0] != "credentialspec" {
-				return fmt.Errorf("security option not supported: %s", splitsOpt[0])
-			}
-
-			var (
-				match   bool
-				csValue string
-				err     error
-			)
-			if match, csValue = getCredentialSpec("file://", splitsOpt[1]); match {
-				if csValue == "" {
-					return fmt.Errorf("no value supplied for file:// credential spec security option")
-				}
-				if cs, err = readCredentialSpecFile(c.ID, daemon.root, filepath.Clean(csValue)); err != nil {
-					return err
-				}
-			} else if match, csValue = getCredentialSpec("registry://", splitsOpt[1]); match {
-				if csValue == "" {
-					return fmt.Errorf("no value supplied for registry:// credential spec security option")
-				}
-				if cs, err = readCredentialSpecRegistry(c.ID, csValue); err != nil {
-					return err
-				}
-			} else if match, csValue = getCredentialSpec("config://", splitsOpt[1]); match {
-				// if the container does not have a DependencyStore, then it
-				// isn't swarmkit managed. In order to avoid creating any
-				// impression that `config://` is a valid API, return the same
-				// error as if you'd passed any other random word.
-				if c.DependencyStore == nil {
-					return fmt.Errorf("invalid credential spec security option - value must be prefixed file:// or registry:// followed by a value")
-				}
-
-				// after this point, we can return regular swarmkit-relevant
-				// errors, because we'll know this container is managed.
-				if csValue == "" {
-					return fmt.Errorf("no value supplied for config:// credential spec security option")
-			
6D4E
	}
-
-				csConfig, err := c.DependencyStore.Configs().Get(csValue)
-				if err != nil {
-					return errors.Wrap(err, "error getting value from config store")
-				}
-				// stuff the resulting secret data into a string to use as the
-				// CredentialSpec
-				cs = string(csConfig.Spec.Data)
-			} else {
-				return fmt.Errorf("invalid credential spec security option - value must be prefixed file:// or registry:// followed by a value")
-			}
-		}
-		s.Windows.CredentialSpec = cs
+	if err := daemon.setWindowsCredentialSpec(c, s); err != nil {
+		return err
 	}
 
 	// Do we have any assigned devices?
@@ -344,6 +286,82 @@ func (daemon *Daemon) createSpecWindowsFields(c *container.Container, s *specs.S
 	return nil
 }
 
+var errInvalidCredentialSpecSecOpt = errdefs.InvalidParameter(fmt.Errorf("invalid credential spec security option - value must be prefixed by 'file://', 'registry://', or 'base64://' followed by a non-empty value"))
+
+// setWindowsCredentialSpec sets the spec's `Windows.CredentialSpec`
+// field if relevant
+func (daemon *Daemon) setWindowsCredentialSpec(c *container.Container, s *specs.Spec) error {
+	if c.HostConfig == nil || c.HostConfig.SecurityOpt == nil {
+		return nil
+	}
+
+	// TODO (jrouge/wk8): if provided with several security options, we silently ignore
+	// all but the last one (provided they're all valid, otherwise we do return an error);
+	// this doesn't seem like a great idea?
+	credentialSpec := ""
+
+	for _, secOpt := range c.HostConfig.SecurityOpt {
+		optSplits := strings.SplitN(secOpt, "=", 2)
+		if len(optSplits) != 2 {
+			return errdefs.InvalidParameter(fmt.Errorf("invalid security option: no equals sign in supplied value %s", secOpt))
+		}
+		if !strings.EqualFold(optSplits[0], "credentialspec") {
+			return errdefs.InvalidParameter(fmt.Errorf("security option not supported: %s", optSplits[0]))
+		}
+
+		credSpecSplits := strings.SplitN(optSplits[1], "://", 2)
+		value := credSpecSplits[1]
+		if len(credSpecSplits) != 2 || credSpecSplits[1] == "" {
+			return errInvalidCredentialSpecSecOpt
+		}
+
+		var err error
+		switch strings.ToLower(credSpecSplits[0]) {
+		case "file":
+			if credentialSpec, err = readCredentialSpecFile(c.ID, daemon.root, filepath.Clean(value)); err != nil {
+				return errdefs.InvalidParameter(err)
+			}
+		case "registry":
+			if credentialSpec, err = readCredentialSpecRegistry(c.ID, value); err != nil {
+				return errdefs.InvalidParameter(err)
+			}
+		case "config":
+			// if the container does not have a DependencyStore, then it
+			// isn't swarmkit managed. In order to avoid creating any
+			// impression that `config://` is a valid API, return the same
+			// error as if you'd passed any other random word.
+			if c.DependencyStore == nil {
+				return errInvalidCredentialSpecSecOpt
+			}
+
+			csConfig, err := c.DependencyStore.Configs().Get(value)
+			if err != nil {
+				return errdefs.System(errors.Wrap(err, "error getting value from config store"))
+			}
+			// stuff the resulting secret data into a string to use as the
+			// CredentialSpec
+			credentialSpec = string(csConfig.Spec.Data)
+		case "base64":
+			credSpecBytes, err := base64.StdEncoding.DecodeString(value)
+			if err != nil {
+				return errdefs.InvalidParameter(fmt.Errorf("provided value %q is not a base64-encoded string", value))
+			}
+			credentialSpec = string(credSpecBytes)
+		default:
+			return errInvalidCredentialSpecSecOpt
+		}
+	}
+
+	if credentialSpec != "" {
+		if s.Windows == nil {
+			s.Windows = &specs.Windows{}
+		}
+		s.Windows.CredentialSpec = credentialSpec
+	}
+
+	return nil
+}
+
 // Sets the Linux-specific fields of the OCI spec
 // TODO: @jhowardmsft LCOW Support. We need to do a lot more pulling in what can
 // be pulled in from oci_linux.go.
@@ -427,34 +445,37 @@ func (daemon *Daemon) mergeUlimits(c *containertypes.HostConfig) {
 	return
 }
 
-// getCredentialSpec is a helper function to get the value of a credential spec supplied
-// on the CLI, stripping the prefix
-func getCredentialSpec(prefix, value string) (bool, string) {
-	if strings.HasPrefix(value, prefix) {
-		return true, strings.TrimPrefix(value, prefix)
-	}
-	return false, ""
+// registryKey is an interface wrapper around `registry.Key`,
+// listing only the methods we care about here.
+// It's mainly useful to easily allow mocking the registry in tests.
+type registryKey interface {
+	GetStringValue(name string) (val string, valtype uint32, err error)
+	Close() error
+}
+
+var registryOpenKeyFunc = func(baseKey registry.Key, path string, access uint32) (registryKey, error) {
+	return registry.OpenKey(baseKey, path, access)
 }
 
 // readCredentialSpecRegistry is a helper function to read a credential spec from
 // the registry. If not found, we return an empty string and warn in the log.
 // This allows for staging on machines which do not have the necessary components.
 func readCredentialSpecRegistry(id, name string) (string, error) {
-	var (
-		k   registry.Key
-		err error
-		val string
-	)
-	if k, err = registry.OpenKey(registry.LOCAL_MACHINE, credentialSpecRegistryLocation, registry.QUERY_VALUE); err != nil {
-		return "", fmt.Errorf("failed handling spec %q for container %s - %s could not be opened", name, id, credentialSpecRegistryLocation)
-	}
-	if val, _, err = k.GetStringValue(name); err != nil {
+	key, err := registryOpenKeyFunc(registry.LOCAL_MACHINE, credentialSpecRegistryLocation, registry.QUERY_VALUE)
+	if err != nil {
+		return "", errors.Wrapf(err, "failed handling spec %q for container %s - registry key %s could not be opened", name, id, credentialSpecRegistryLocation)
+	}
+	defer key.Close()
+
+	value, _, err := key.GetStringValue(name)
+	if err != nil {
 		if err == registry.ErrNotExist {
-			return "", fmt.Errorf("credential spec %q for container %s as it was not found", name, id)
+			return "", fmt.Errorf("registry credential spec %q for container %s was not found", name, id)
 		}
-		return "", fmt.Errorf("error %v reading credential spec %q from registry for container %s", err, name, id)
+		return "", errors.Wrapf(err, "error reading credential spec %q from registry for container %s", name, id)
 	}
-	return val, nil
+
+	return value, nil
 }
 
 // readCredentialSpecFile is a helper function to read a credential spec from
@@ -471,7 +492,7 @@ func readCredentialSpecFile(id, root, location string) (string, error) {
 	}
 	bcontents, err := ioutil.ReadFile(full)
 	if err != nil {
-		return "", fmt.Errorf("credential spec '%s' for container %s as the file could not be read: %q", full, id, err)
+		return "", errors.Wrapf(err, "credential spec for container %s could not be read from file %q", id, full)
 	}
 	return string(bcontents[:]), nil
 }