func getBundle()

in server/pkg/server/storage/backends/container/registry.go [193:272]

• 59 lines of code
• 14 McCabe index (conditional complexity)

func getBundle(ctx context.Context, br io.Reader, containerID, psk string) (*bundlev1.Bundle, error) {
	// Check container key usage
	var (
		b   *bundlev1.Bundle
		err error
	)

	if containerID != "" {
		// Load container
		sealed, errLoad := container.Load(br)
		if errLoad != nil {
			return nil, fmt.Errorf("unable to load secret container: %w", errLoad)
		}

		// Append given key, and keyring
		containerKeys := append([]string{}, containerID)
		containerKeys = append(containerKeys, containerKeyring...)

		var (
			unsealed  *containerv1.Container
			errUnseal error
		)
		for _, containerKeyRaw := range containerKeys {
			// Decode private key
			containerKey, errDecode := base64.RawURLEncoding.DecodeString(containerKeyRaw)
			if errDecode != nil {
				log.For(ctx).Warn("Invalid key, ignored for encoding error", zap.Error(err))
				continue
			}

			// Unseal container
			unsealed, errUnseal = container.Unseal(sealed, memguard.NewBufferFromBytes(containerKey))
			if errUnseal != nil {
				log.For(ctx).Warn("Unable to unseal container with given key, key is ignored", zap.Error(errUnseal))
				continue
			}

			// Break if container is unsealed
			if unsealed != nil {
				break
			}
		}
		if errUnseal != nil {
			return nil, fmt.Errorf("unable to unseal container: %w", errUnseal)
		}
		if unsealed == nil {
			return nil, fmt.Errorf("unable to unseal container: no key match")
		}

		// Extract bundle
		b, err = bundle.FromContainer(unsealed)
		if err != nil {
			return nil, fmt.Errorf("unable to extract Bundle from sealed container: %w", err)
		}
	} else {
		// No container key assume unsealed container.
		b, err = bundle.FromContainerReader(br)
		if err != nil {
			return nil, fmt.Errorf("unable to extract Bundle from unsealed container: %w", err)
		}
	}

	// Decrypt encrypted bundle using PSK
	if psk != "" {
		// Initialize a transformer from key
		t, err := encryption.FromKey(psk)
		if err != nil {
			return nil, fmt.Errorf("unbale to initialize encryption transformer to unlock bundle: %w", err)
		}

		// Unlock the bundle
		err = bundle.UnLock(ctx, b, []sdkvalue.Transformer{t}, true)
		if err != nil {
			return nil, fmt.Errorf("unable to unlock bundle: %w", err)
		}
	}

	// Return result bundle
	return b, nil
}