containers
/
podman
mirror of https://github.com/containers/podman.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Make most of pkg/trust package-private 

We now have only a few entrypoints that are called externally,
so make the rest private.  This will make it more obvious that
we are not breaking any external users.

Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This commit is contained in:
Miloslav Trmač 2022-08-24 22:36:38 +02:00
parent 7723a1ea65
commit 35fa8c16a2
3 changed files with 44 additions and 43 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

51
pkg/trust/policy.go
View File

@ -17,14 +17,15 @@ import (
"github.com/sirupsen/logrus" "github.com/sirupsen/logrus"
) )
// PolicyContent struct for policy.json file // policyContent is the overall structure of a policy.json file (= c/image/v5/signature.Policy)
type PolicyContent struct { type policyContent struct {
Default []RepoContent `json:"default"` Default []repoContent `json:"default"`
Transports TransportsContent `json:"transports,omitempty"` Transports transportsContent `json:"transports,omitempty"`
} }
// RepoContent struct used under each repo // repoContent is a single policy requirement (one of possibly several for a scope), representing all of the individual alternatives in a single merged struct
type RepoContent struct { // (= c/image/v5/signature.{PolicyRequirement,pr*})
type repoContent struct {
Type string `json:"type"` Type string `json:"type"`
KeyType string `json:"keyType,omitempty"` KeyType string `json:"keyType,omitempty"`
KeyPath string `json:"keyPath,omitempty"` KeyPath string `json:"keyPath,omitempty"`
@ -32,11 +33,11 @@ type RepoContent struct {
SignedIdentity json.RawMessage `json:"signedIdentity,omitempty"` SignedIdentity json.RawMessage `json:"signedIdentity,omitempty"`
} }
// RepoMap map repo name to policycontent for each repo // repoMap maps a scope name to requirements that apply to that scope (= c/image/v5/signature.PolicyTransportScopes)
type RepoMap map[string][]RepoContent type repoMap map[string][]repoContent
// TransportsContent struct for content under "transports" // transportsContent contains policies for individual transports (= c/image/v5/signature.Policy.Transports)
type TransportsContent map[string]RepoMap type transportsContent map[string]repoMap
// DefaultPolicyPath returns a path to the default policy of the system. // DefaultPolicyPath returns a path to the default policy of the system.
func DefaultPolicyPath(sys *types.SystemContext) string { func DefaultPolicyPath(sys *types.SystemContext) string {
@ -66,8 +67,8 @@ func createTmpFile(dir, pattern string, content []byte) (string, error) {
return tmpfile.Name(), nil return tmpfile.Name(), nil
} }
// GetGPGIdFromKeyPath return user keyring from key path // getGPGIdFromKeyPath returns GPG key IDs of keys stored at the provided path.
func GetGPGIdFromKeyPath(path string) []string { func getGPGIdFromKeyPath(path string) []string {
cmd := exec.Command("gpg2", "--with-colons", path) cmd := exec.Command("gpg2", "--with-colons", path)
results, err := cmd.Output() results, err := cmd.Output()
if err != nil { if err != nil {
@ -77,8 +78,8 @@ func GetGPGIdFromKeyPath(path string) []string {
return parseUids(results) return parseUids(results)
} }
// GetGPGIdFromKeyData return user keyring from keydata // getGPGIdFromKeyData returns GPG key IDs of keys in the provided keyring.
func GetGPGIdFromKeyData(key string) []string { func getGPGIdFromKeyData(key string) []string {
decodeKey, err := base64.StdEncoding.DecodeString(key) decodeKey, err := base64.StdEncoding.DecodeString(key)
if err != nil { if err != nil {
logrus.Errorf("%s, error decoding key data", err) logrus.Errorf("%s, error decoding key data", err)
@ -89,7 +90,7 @@ func GetGPGIdFromKeyData(key string) []string {
logrus.Errorf("Creating key date temp file %s", err) logrus.Errorf("Creating key date temp file %s", err)
} }
defer os.Remove(tmpfileName) defer os.Remove(tmpfileName)
return GetGPGIdFromKeyPath(tmpfileName) return getGPGIdFromKeyPath(tmpfileName)
} }
func parseUids(colonDelimitKeys []byte) []string { func parseUids(colonDelimitKeys []byte) []string {
@ -112,9 +113,9 @@ func parseUids(colonDelimitKeys []byte) []string {
return parseduids return parseduids
} }
// GetPolicy parse policy.json into PolicyContent struct // getPolicy parses policy.json into policyContent.
func GetPolicy(policyPath string) (PolicyContent, error) { func getPolicy(policyPath string) (policyContent, error) {
var policyContentStruct PolicyContent var policyContentStruct policyContent
policyContent, err := ioutil.ReadFile(policyPath) policyContent, err := ioutil.ReadFile(policyPath)
if err != nil { if err != nil {
return policyContentStruct, fmt.Errorf("unable to read policy file: %w", err) return policyContentStruct, fmt.Errorf("unable to read policy file: %w", err)
@ -146,8 +147,8 @@ type AddPolicyEntriesInput struct {
// AddPolicyEntries adds one or more policy entries necessary to implement AddPolicyEntriesInput. // AddPolicyEntries adds one or more policy entries necessary to implement AddPolicyEntriesInput.
func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error { func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error {
var ( var (
policyContentStruct PolicyContent policyContentStruct policyContent
newReposContent []RepoContent newReposContent []repoContent
) )
trustType := input.Type trustType := input.Type
if trustType == "accept" { if trustType == "accept" {
@ -161,14 +162,14 @@ func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error {
if len(pubkeysfile) != 0 { if len(pubkeysfile) != 0 {
return fmt.Errorf("%d public keys unexpectedly provided for trust type %v", len(pubkeysfile), input.Type) return fmt.Errorf("%d public keys unexpectedly provided for trust type %v", len(pubkeysfile), input.Type)
} }
newReposContent = append(newReposContent, RepoContent{Type: trustType}) newReposContent = append(newReposContent, repoContent{Type: trustType})
case "signedBy": case "signedBy":
if len(pubkeysfile) == 0 { if len(pubkeysfile) == 0 {
return errors.New("at least one public key must be defined for type 'signedBy'") return errors.New("at least one public key must be defined for type 'signedBy'")
} }
for _, filepath := range pubkeysfile { for _, filepath := range pubkeysfile {
newReposContent = append(newReposContent, RepoContent{Type: trustType, KeyType: "GPGKeys", KeyPath: filepath}) newReposContent = append(newReposContent, repoContent{Type: trustType, KeyType: "GPGKeys", KeyPath: filepath})
} }
case "sigstoreSigned": case "sigstoreSigned":
@ -176,7 +177,7 @@ func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error {
return errors.New("at least one public key must be defined for type 'sigstoreSigned'") return errors.New("at least one public key must be defined for type 'sigstoreSigned'")
} }
for _, filepath := range pubkeysfile { for _, filepath := range pubkeysfile {
newReposContent = append(newReposContent, RepoContent{Type: trustType, KeyPath: filepath}) newReposContent = append(newReposContent, repoContent{Type: trustType, KeyPath: filepath})
} }
default: default:
@ -209,10 +210,10 @@ func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error {
} }
if !registryExists { if !registryExists {
if policyContentStruct.Transports == nil { if policyContentStruct.Transports == nil {
policyContentStruct.Transports = make(map[string]RepoMap) policyContentStruct.Transports = make(map[string]repoMap)
} }
if policyContentStruct.Transports["docker"] == nil { if policyContentStruct.Transports["docker"] == nil {
policyContentStruct.Transports["docker"] = make(map[string][]RepoContent) policyContentStruct.Transports["docker"] = make(map[string][]repoContent)
} }
policyContentStruct.Transports["docker"][input.Scope] = append(policyContentStruct.Transports["docker"][input.Scope], newReposContent...) policyContentStruct.Transports["docker"][input.Scope] = append(policyContentStruct.Transports["docker"][input.Scope], newReposContent...)
} }

24
pkg/trust/registries.go
View File

@ -12,16 +12,16 @@ import (
"github.com/ghodss/yaml" "github.com/ghodss/yaml"
) )
// RegistryConfiguration is one of the files in registriesDirPath configuring lookaside locations, or the result of merging them all. // registryConfiguration is one of the files in registriesDirPath configuring lookaside locations, or the result of merging them all.
// NOTE: Keep this in sync with docs/registries.d.md! // NOTE: Keep this in sync with docs/registries.d.md!
type RegistryConfiguration struct { type registryConfiguration struct {
DefaultDocker *RegistryNamespace `json:"default-docker"` DefaultDocker *registryNamespace `json:"default-docker"`
// The key is a namespace, using fully-expanded Docker reference format or parent namespaces (per dockerReference.PolicyConfiguration*), // The key is a namespace, using fully-expanded Docker reference format or parent namespaces (per dockerReference.PolicyConfiguration*),
Docker map[string]RegistryNamespace `json:"docker"` Docker map[string]registryNamespace `json:"docker"`
} }
// RegistryNamespace defines lookaside locations for a single namespace. // registryNamespace defines lookaside locations for a single namespace.
type RegistryNamespace struct { type registryNamespace struct {
SigStore string `json:"sigstore"` // For reading, and if SigStoreStaging is not present, for writing. SigStore string `json:"sigstore"` // For reading, and if SigStoreStaging is not present, for writing.
SigStoreStaging string `json:"sigstore-staging"` // For writing only. SigStoreStaging string `json:"sigstore-staging"` // For writing only.
} }
@ -48,9 +48,9 @@ func RegistriesDirPath(sys *types.SystemContext) string {
return systemRegistriesDirPath return systemRegistriesDirPath
} }
// LoadAndMergeConfig loads configuration files in dirPath // loadAndMergeConfig loads registries.d configuration files in dirPath
func LoadAndMergeConfig(dirPath string) (*RegistryConfiguration, error) { func loadAndMergeConfig(dirPath string) (*registryConfiguration, error) {
mergedConfig := RegistryConfiguration{Docker: map[string]RegistryNamespace{}} mergedConfig := registryConfiguration{Docker: map[string]registryNamespace{}}
dockerDefaultMergedFrom := "" dockerDefaultMergedFrom := ""
nsMergedFrom := map[string]string{} nsMergedFrom := map[string]string{}
@ -74,7 +74,7 @@ func LoadAndMergeConfig(dirPath string) (*RegistryConfiguration, error) {
if err != nil { if err != nil {
return nil, err return nil, err
} }
var config RegistryConfiguration var config registryConfiguration
err = yaml.Unmarshal(configBytes, &config) err = yaml.Unmarshal(configBytes, &config)
if err != nil { if err != nil {
return nil, fmt.Errorf("error parsing %s: %w", configPath, err) return nil, fmt.Errorf("error parsing %s: %w", configPath, err)
@ -99,8 +99,8 @@ func LoadAndMergeConfig(dirPath string) (*RegistryConfiguration, error) {
return &mergedConfig, nil return &mergedConfig, nil
} }
// HaveMatchRegistry checks if trust settings for the registry have been configured in yaml file // haveMatchRegistry returns configuration from registryConfigs that is configured for key.
func HaveMatchRegistry(key string, registryConfigs *RegistryConfiguration) *RegistryNamespace { func haveMatchRegistry(key string, registryConfigs *registryConfiguration) *registryNamespace {
searchKey := key searchKey := key
if !strings.Contains(searchKey, "/") { if !strings.Contains(searchKey, "/") {
val, exists := registryConfigs.Docker[searchKey] val, exists := registryConfigs.Docker[searchKey]

12
pkg/trust/trust.go
View File

@ -18,7 +18,7 @@ type Policy struct {
// PolicyDescription returns an user-focused description of the policy in policyPath and registries.d data from registriesDirPath. // PolicyDescription returns an user-focused description of the policy in policyPath and registries.d data from registriesDirPath.
func PolicyDescription(policyPath, registriesDirPath string) ([]*Policy, error) { func PolicyDescription(policyPath, registriesDirPath string) ([]*Policy, error) {
policyContentStruct, err := GetPolicy(policyPath) policyContentStruct, err := getPolicy(policyPath)
if err != nil { if err != nil {
return nil, fmt.Errorf("could not read trust policies: %w", err) return nil, fmt.Errorf("could not read trust policies: %w", err)
} }
@ -29,10 +29,10 @@ func PolicyDescription(policyPath, registriesDirPath string) ([]*Policy, error)
return res, nil return res, nil
} }
func getPolicyShowOutput(policyContentStruct PolicyContent, systemRegistriesDirPath string) ([]*Policy, error) { func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirPath string) ([]*Policy, error) {
var output []*Policy var output []*Policy
registryConfigs, err := LoadAndMergeConfig(systemRegistriesDirPath) registryConfigs, err := loadAndMergeConfig(systemRegistriesDirPath)
if err != nil { if err != nil {
return nil, err return nil, err
} }
@ -61,15 +61,15 @@ func getPolicyShowOutput(policyContentStruct PolicyContent, systemRegistriesDirP
uids := []string{} uids := []string{}
for _, repoele := range repoval { for _, repoele := range repoval {
if len(repoele.KeyPath) > 0 { if len(repoele.KeyPath) > 0 {
uids = append(uids, GetGPGIdFromKeyPath(repoele.KeyPath)...) uids = append(uids, getGPGIdFromKeyPath(repoele.KeyPath)...)
} }
if len(repoele.KeyData) > 0 { if len(repoele.KeyData) > 0 {
uids = append(uids, GetGPGIdFromKeyData(repoele.KeyData)...) uids = append(uids, getGPGIdFromKeyData(repoele.KeyData)...)
} }
} }
tempTrustShowOutput.GPGId = strings.Join(uids, ", ") tempTrustShowOutput.GPGId = strings.Join(uids, ", ")
registryNamespace := HaveMatchRegistry(repo, registryConfigs) registryNamespace := haveMatchRegistry(repo, registryConfigs)
if registryNamespace != nil { if registryNamespace != nil {
tempTrustShowOutput.SignatureStore = registryNamespace.SigStore tempTrustShowOutput.SignatureStore = registryNamespace.SigStore
} }