func()

in pkg/tasks/container/seal.go [54:167]

• 80 lines of code
• 22 McCabe index (conditional complexity)

func (t *SealTask) Run(ctx context.Context) error {
	// Check arguments
	if types.IsNil(t.ContainerReader) {
		return errors.New("unable to run task with a nil containerReader provider")
	}
	if types.IsNil(t.SealedContainerWriter) {
		return errors.New("unable to run task with a nil sealedContainerWriter provider")
	}
	if types.IsNil(t.OutputWriter) {
		return errors.New("unable to run task with a nil outputWriter provider")
	}
	if len(t.PeerPublicKeys) == 0 {
		return errors.New("at least one public key must be provided for recovery")
	}

	// Create input reader
	reader, err := t.ContainerReader(ctx)
	if err != nil {
		return fmt.Errorf("unable to open input reader: %w", err)
	}

	// Load input container
	in, err := container.Load(reader)
	if err != nil {
		return fmt.Errorf("unable to read input container: %w", err)
	}

	var containerKey string
	if !t.DisableContainerIdentity {
		opts := []seal.GenerateOption{}

		// Check container sealing master key usage
		if t.DCKDMasterKey != "" {
			// Process target
			if t.DCKDTarget == "" {
				return errors.New("target flag (string) is mandatory for key derivation")
			}

			// Decode master key
			masterKeyRaw, errDecode := base64.RawURLEncoding.DecodeString(t.DCKDMasterKey)
			if errDecode != nil {
				return fmt.Errorf("unable to decode master key: %w", errDecode)
			}

			// Enable deterministic container key generation
			opts = append(opts, seal.WithDeterministicKey(memguard.NewBufferFromBytes(masterKeyRaw), t.DCKDTarget))
		}

		// Initialize seal strategy
		var ss seal.Strategy
		switch t.SealVersion {
		case 1:
			ss = sealv1.New()
		case 2:
			ss = sealv2.New()
		default:
			ss = sealv1.New()
		}

		// Generate container key
		containerPublicKey, containerSecretKey, errGenerate := ss.GenerateKey(opts...)
		if errGenerate != nil {
			return fmt.Errorf("unable to generate container key: %w", errGenerate)
		}

		// Append to identities
		t.PeerPublicKeys = append(t.PeerPublicKeys, containerPublicKey)

		// Assign container key
		containerKey = containerSecretKey
	}

	// Seal the container
	sealedContainer, err := container.Seal(rand.Reader, in, t.PeerPublicKeys...)
	if err != nil {
		return fmt.Errorf("unable to seal container: %w", err)
	}

	// Open output file
	writer, err := t.SealedContainerWriter(ctx)
	if err != nil {
		return fmt.Errorf("unable to create output bundle: %w", err)
	}

	// Dump to writer
	if err = container.Dump(writer, sealedContainer); err != nil {
		return fmt.Errorf("unable to write sealed container: %w", err)
	}

	if !t.DisableContainerIdentity {
		// Get output writer
		outputWriter, err := t.OutputWriter(ctx)
		if err != nil {
			return fmt.Errorf("unable to retrieve output writer: %w", err)
		}

		// Display as json
		if t.JSONOutput {
			if err := json.NewEncoder(outputWriter).Encode(map[string]interface{}{
				"container_key": containerKey,
			}); err != nil {
				return fmt.Errorf("unable to display as json: %w", err)
			}
		} else {
			// Display container key
			if _, err := fmt.Fprintf(outputWriter, "Container key : %s\n", containerKey); err != nil {
				return fmt.Errorf("unable to display result: %w", err)
			}
		}
	}

	// No error
	return nil
}