in pkg/bundle/encryption.go [157:234]
func UnLock(ctx context.Context, b *bundlev1.Bundle, transformers []value.Transformer, skipNotDecryptable bool) error {
// Check bundle
if b == nil {
return fmt.Errorf("unable to process nil bundle")
}
if len(transformers) == 0 {
return fmt.Errorf("unable to process empty transformer list")
}
// For each packages
for _, p := range b.Packages {
// Skip not locked package
if p.Secrets.Locked == nil {
continue
}
if len(p.Secrets.Locked.Value) == 0 {
continue
}
// Try all transformers
var (
out []byte
errTransform error
)
LOOP:
for _, t := range transformers {
// Apply transformation
out, errTransform = t.From(ctx, p.Secrets.Locked.Value)
switch {
case errTransform != nil:
// Try next transformer
continue
default:
break LOOP
}
}
if errTransform != nil {
if skipNotDecryptable {
// Skip not decrypted secrets.
continue
}
return fmt.Errorf("unable to transform '%s': %w", p.Name, errTransform)
}
// Unpack secrets
raw := map[string]interface{}{}
if err := json.Unmarshal(out, &raw); err != nil {
return fmt.Errorf("unable to unpack locked secret: %w", err)
}
// Prepare secrets collection
secrets := []*bundlev1.KV{}
for key, value := range raw {
// Pack secret value
s, err := secret.Pack(value)
if err != nil {
return fmt.Errorf("unable to pack as secret bundle: %w", err)
}
// Add to secret collection
secrets = append(secrets, &bundlev1.KV{
Key: key,
Type: fmt.Sprintf("%T", value),
Value: s,
})
}
// Cleanup
memguard.WipeBytes(p.Secrets.Locked.Value)
p.Secrets.Locked = nil
// Assign unlocked secrets
p.Secrets.Data = secrets
}
// No error
return nil
}