1 files changed, 77 insertions, 0 deletions

diff --git a/workhorse/internal/secret/secret.go b/workhorse/internal/secret/secret.go
new file mode 100644
index 00000000000..e8c7c25393c
--- /dev/null
+++ b/workhorse/internal/secret/secret.go
@@ -0,0 +1,77 @@
+package secret
+
+import (
+	"encoding/base64"
+	"fmt"
+	"io/ioutil"
+	"sync"
+)
+
+const numSecretBytes = 32
+
+type sec struct {
+	path  string
+	bytes []byte
+	sync.RWMutex
+}
+
+var (
+	theSecret = &sec{}
+)
+
+func SetPath(path string) {
+	theSecret.Lock()
+	defer theSecret.Unlock()
+	theSecret.path = path
+	theSecret.bytes = nil
+}
+
+// Lazy access to the HMAC secret key. We must be lazy because if the key
+// is not already there, it will be generated by gitlab-rails, and
+// gitlab-rails is slow.
+func Bytes() ([]byte, error) {
+	if bytes := getBytes(); bytes != nil {
+		return copyBytes(bytes), nil
+	}
+
+	return setBytes()
+}
+
+func getBytes() []byte {
+	theSecret.RLock()
+	defer theSecret.RUnlock()
+	return theSecret.bytes
+}
+
+func copyBytes(bytes []byte) []byte {
+	out := make([]byte, len(bytes))
+	copy(out, bytes)
+	return out
+}
+
+func setBytes() ([]byte, error) {
+	theSecret.Lock()
+	defer theSecret.Unlock()
+
+	if theSecret.bytes != nil {
+		return theSecret.bytes, nil
+	}
+
+	base64Bytes, err := ioutil.ReadFile(theSecret.path)
+	if err != nil {
+		return nil, fmt.Errorf("secret.setBytes: read %q: %v", theSecret.path, err)
+	}
+
+	secretBytes := make([]byte, base64.StdEncoding.DecodedLen(len(base64Bytes)))
+	n, err := base64.StdEncoding.Decode(secretBytes, base64Bytes)
+	if err != nil {
+		return nil, fmt.Errorf("secret.setBytes: decode secret: %v", err)
+	}
+
+	if n != numSecretBytes {
+		return nil, fmt.Errorf("secret.setBytes: expected %d secretBytes in %s, found %d", numSecretBytes, theSecret.path, n)
+	}
+
+	theSecret.bytes = secretBytes
+	return copyBytes(theSecret.bytes), nil
+}