func unmarshalProtectedSettings()

in internal/settings/settings_linux.go [127:162]


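// unmarshalProtectedSettings decrypts the handler's protected settings and
// JSON-decodes the resulting object into v.
//
// hs.ProtectedSettingsBase64 is expected to hold a base64-encoded DER S/MIME
// (CMS) envelope encrypted to the certificate identified by
// hs.SettingsCertThumbprint. The certificate (<thumbprint>.crt) and its private
// key (<thumbprint>.prv) are looked up two directories above configFolder
// (the waagent lib directory, normally /var/lib/waagent). Decryption is
// delegated to the `openssl` binary resolved from PATH; the envelope is fed on
// stdin and the plaintext is read back from stdout.
//
// v must be a non-nil pointer; anything else is reported as an error by
// encoding/json rather than silently decoded into a throwaway local.
//
// Returns nil without touching v when there are no protected settings.
// Returns an error when protected settings are present but no thumbprint is
// configured, when the thumbprint is not a bare file name, when the base64
// cannot be decoded, when openssl fails (its stderr is included in the error),
// or when the decrypted payload is not valid JSON for v.
func unmarshalProtectedSettings(configFolder string, hs handlerSettings, v interface{}) error {
	if hs.ProtectedSettingsBase64 == "" {
		return nil
	}
	thumb := hs.SettingsCertThumbprint
	if thumb == "" {
		return errorhelper.AddStackToError(fmt.Errorf("handlerSettings has protected settings but no cert thumbprint"))
	}
	// The thumbprint is spliced into a filesystem path below. It is read from
	// the handler settings file, so refuse anything that is not a bare file
	// name (contains a separator, or is "." / "..") instead of letting it pick
	// an arbitrary .crt/.prv pair under the parent directory. A genuine
	// thumbprint is a plain hex string and always passes this check.
	if thumb == "." || thumb == ".." || filepath.Base(thumb) != thumb {
		return errorhelper.AddStackToError(fmt.Errorf("invalid cert thumbprint %q", thumb))
	}

	envelope, err := base64.StdEncoding.DecodeString(hs.ProtectedSettingsBase64)
	if err != nil {
		return errorhelper.AddStackToError(fmt.Errorf("failed to decode base64: %v", err))
	}

	// go two levels up where certs are placed (/var/lib/waagent)
	certDir := filepath.Join(configFolder, "..", "..")
	crt := filepath.Join(certDir, thumb+".crt")
	prv := filepath.Join(certDir, thumb+".prv")

	// we use os/exec instead of azure-docker-extension/pkg/executil here as
	// other extension handlers depend on this package for parsing handler
	// settings.
	//
	// NOTE(review): there is no timeout on this child process; a wedged
	// openssl blocks the caller indefinitely. Adding one would need a
	// context parameter, so it is left to the caller for now.
	cmd := exec.Command("openssl", "smime", "-inform", "DER", "-decrypt", "-recip", crt, "-inkey", prv)
	var plaintext, stderr bytes.Buffer
	cmd.Stdin = bytes.NewReader(envelope)
	cmd.Stdout = &plaintext
	cmd.Stderr = &stderr

	if err := cmd.Run(); err != nil {
		// openssl's stderr is diagnostic only (it never echoes the plaintext),
		// so surfacing it in the error is safe and makes key/cert mismatches
		// debuggable.
		return errorhelper.AddStackToError(fmt.Errorf("decrypting protected settings failed: error=%v stderr=%s", err, stderr.String()))
	}

	// decrypted: json object for protected settings. Pass v itself, not &v:
	// with &v a non-pointer v would be "decoded" into this function's local
	// interface and the caller would silently see nothing.
	if err := json.Unmarshal(plaintext.Bytes(), v); err != nil {
		return errorhelper.AddStackToError(fmt.Errorf("failed to unmarshal decrypted settings json: %v", err))
	}
	return nil
}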