mirror of https://github.com/containers/podman.git
Make most of pkg/trust package-private
We now have only a few entrypoints that are called externally, so make the rest private. This will make it more obvious that we are not breaking any external users. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
This commit is contained in:
Miloslav Trmač
parent
7723a1ea65
commit
35fa8c16a2
|
|
@ -17,14 +17,15 @@ import (
|
|||
"github.com/sirupsen/logrus"
|
||||
)
|
||||
|
||||
// PolicyContent struct for policy.json file
|
||||
type PolicyContent struct {
|
||||
Default []RepoContent `json:"default"`
|
||||
Transports TransportsContent `json:"transports,omitempty"`
|
||||
// policyContent is the overall structure of a policy.json file (= c/image/v5/signature.Policy)
|
||||
type policyContent struct {
|
||||
Default []repoContent `json:"default"`
|
||||
Transports transportsContent `json:"transports,omitempty"`
|
||||
}
|
||||
|
||||
// RepoContent struct used under each repo
|
||||
type RepoContent struct {
|
||||
// repoContent is a single policy requirement (one of possibly several for a scope), representing all of the individual alternatives in a single merged struct
|
||||
// (= c/image/v5/signature.{PolicyRequirement,pr*})
|
||||
type repoContent struct {
|
||||
Type string `json:"type"`
|
||||
KeyType string `json:"keyType,omitempty"`
|
||||
KeyPath string `json:"keyPath,omitempty"`
|
||||
|
|
@ -32,11 +33,11 @@ type RepoContent struct {
|
|||
SignedIdentity json.RawMessage `json:"signedIdentity,omitempty"`
|
||||
}
|
||||
|
||||
// RepoMap map repo name to policycontent for each repo
|
||||
type RepoMap map[string][]RepoContent
|
||||
// repoMap maps a scope name to requirements that apply to that scope (= c/image/v5/signature.PolicyTransportScopes)
|
||||
type repoMap map[string][]repoContent
|
||||
|
||||
// TransportsContent struct for content under "transports"
|
||||
type TransportsContent map[string]RepoMap
|
||||
// transportsContent contains policies for individual transports (= c/image/v5/signature.Policy.Transports)
|
||||
type transportsContent map[string]repoMap
|
||||
|
||||
// DefaultPolicyPath returns a path to the default policy of the system.
|
||||
func DefaultPolicyPath(sys *types.SystemContext) string {
|
||||
|
|
@ -66,8 +67,8 @@ func createTmpFile(dir, pattern string, content []byte) (string, error) {
|
|||
return tmpfile.Name(), nil
|
||||
}
|
||||
|
||||
// GetGPGIdFromKeyPath return user keyring from key path
|
||||
func GetGPGIdFromKeyPath(path string) []string {
|
||||
// getGPGIdFromKeyPath returns GPG key IDs of keys stored at the provided path.
|
||||
func getGPGIdFromKeyPath(path string) []string {
|
||||
cmd := exec.Command("gpg2", "--with-colons", path)
|
||||
results, err := cmd.Output()
|
||||
if err != nil {
|
||||
|
|
@ -77,8 +78,8 @@ func GetGPGIdFromKeyPath(path string) []string {
|
|||
return parseUids(results)
|
||||
}
|
||||
|
||||
// GetGPGIdFromKeyData return user keyring from keydata
|
||||
func GetGPGIdFromKeyData(key string) []string {
|
||||
// getGPGIdFromKeyData returns GPG key IDs of keys in the provided keyring.
|
||||
func getGPGIdFromKeyData(key string) []string {
|
||||
decodeKey, err := base64.StdEncoding.DecodeString(key)
|
||||
if err != nil {
|
||||
logrus.Errorf("%s, error decoding key data", err)
|
||||
|
|
@ -89,7 +90,7 @@ func GetGPGIdFromKeyData(key string) []string {
|
|||
logrus.Errorf("Creating key date temp file %s", err)
|
||||
}
|
||||
defer os.Remove(tmpfileName)
|
||||
return GetGPGIdFromKeyPath(tmpfileName)
|
||||
return getGPGIdFromKeyPath(tmpfileName)
|
||||
}
|
||||
|
||||
func parseUids(colonDelimitKeys []byte) []string {
|
||||
|
|
@ -112,9 +113,9 @@ func parseUids(colonDelimitKeys []byte) []string {
|
|||
return parseduids
|
||||
}
|
||||
|
||||
// GetPolicy parse policy.json into PolicyContent struct
|
||||
func GetPolicy(policyPath string) (PolicyContent, error) {
|
||||
var policyContentStruct PolicyContent
|
||||
// getPolicy parses policy.json into policyContent.
|
||||
func getPolicy(policyPath string) (policyContent, error) {
|
||||
var policyContentStruct policyContent
|
||||
policyContent, err := ioutil.ReadFile(policyPath)
|
||||
if err != nil {
|
||||
return policyContentStruct, fmt.Errorf("unable to read policy file: %w", err)
|
||||
|
|
@ -146,8 +147,8 @@ type AddPolicyEntriesInput struct {
|
|||
// AddPolicyEntries adds one or more policy entries necessary to implement AddPolicyEntriesInput.
|
||||
func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error {
|
||||
var (
|
||||
policyContentStruct PolicyContent
|
||||
newReposContent []RepoContent
|
||||
policyContentStruct policyContent
|
||||
newReposContent []repoContent
|
||||
)
|
||||
trustType := input.Type
|
||||
if trustType == "accept" {
|
||||
|
|
@ -161,14 +162,14 @@ func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error {
|
|||
if len(pubkeysfile) != 0 {
|
||||
return fmt.Errorf("%d public keys unexpectedly provided for trust type %v", len(pubkeysfile), input.Type)
|
||||
}
|
||||
newReposContent = append(newReposContent, RepoContent{Type: trustType})
|
||||
newReposContent = append(newReposContent, repoContent{Type: trustType})
|
||||
|
||||
case "signedBy":
|
||||
if len(pubkeysfile) == 0 {
|
||||
return errors.New("at least one public key must be defined for type 'signedBy'")
|
||||
}
|
||||
for _, filepath := range pubkeysfile {
|
||||
newReposContent = append(newReposContent, RepoContent{Type: trustType, KeyType: "GPGKeys", KeyPath: filepath})
|
||||
newReposContent = append(newReposContent, repoContent{Type: trustType, KeyType: "GPGKeys", KeyPath: filepath})
|
||||
}
|
||||
|
||||
case "sigstoreSigned":
|
||||
|
|
@ -176,7 +177,7 @@ func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error {
|
|||
return errors.New("at least one public key must be defined for type 'sigstoreSigned'")
|
||||
}
|
||||
for _, filepath := range pubkeysfile {
|
||||
newReposContent = append(newReposContent, RepoContent{Type: trustType, KeyPath: filepath})
|
||||
newReposContent = append(newReposContent, repoContent{Type: trustType, KeyPath: filepath})
|
||||
}
|
||||
|
||||
default:
|
||||
|
|
@ -209,10 +210,10 @@ func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error {
|
|||
}
|
||||
if !registryExists {
|
||||
if policyContentStruct.Transports == nil {
|
||||
policyContentStruct.Transports = make(map[string]RepoMap)
|
||||
policyContentStruct.Transports = make(map[string]repoMap)
|
||||
}
|
||||
if policyContentStruct.Transports["docker"] == nil {
|
||||
policyContentStruct.Transports["docker"] = make(map[string][]RepoContent)
|
||||
policyContentStruct.Transports["docker"] = make(map[string][]repoContent)
|
||||
}
|
||||
policyContentStruct.Transports["docker"][input.Scope] = append(policyContentStruct.Transports["docker"][input.Scope], newReposContent...)
|
||||
}
|
||||
|
|
|
|||
|
|
@ -12,16 +12,16 @@ import (
|
|||
"github.com/ghodss/yaml"
|
||||
)
|
||||
|
||||
// RegistryConfiguration is one of the files in registriesDirPath configuring lookaside locations, or the result of merging them all.
|
||||
// registryConfiguration is one of the files in registriesDirPath configuring lookaside locations, or the result of merging them all.
|
||||
// NOTE: Keep this in sync with docs/registries.d.md!
|
||||
type RegistryConfiguration struct {
|
||||
DefaultDocker *RegistryNamespace `json:"default-docker"`
|
||||
type registryConfiguration struct {
|
||||
DefaultDocker *registryNamespace `json:"default-docker"`
|
||||
// The key is a namespace, using fully-expanded Docker reference format or parent namespaces (per dockerReference.PolicyConfiguration*),
|
||||
Docker map[string]RegistryNamespace `json:"docker"`
|
||||
Docker map[string]registryNamespace `json:"docker"`
|
||||
}
|
||||
|
||||
// RegistryNamespace defines lookaside locations for a single namespace.
|
||||
type RegistryNamespace struct {
|
||||
// registryNamespace defines lookaside locations for a single namespace.
|
||||
type registryNamespace struct {
|
||||
SigStore string `json:"sigstore"` // For reading, and if SigStoreStaging is not present, for writing.
|
||||
SigStoreStaging string `json:"sigstore-staging"` // For writing only.
|
||||
}
|
||||
|
|
@ -48,9 +48,9 @@ func RegistriesDirPath(sys *types.SystemContext) string {
|
|||
return systemRegistriesDirPath
|
||||
}
|
||||
|
||||
// LoadAndMergeConfig loads configuration files in dirPath
|
||||
func LoadAndMergeConfig(dirPath string) (*RegistryConfiguration, error) {
|
||||
mergedConfig := RegistryConfiguration{Docker: map[string]RegistryNamespace{}}
|
||||
// loadAndMergeConfig loads registries.d configuration files in dirPath
|
||||
func loadAndMergeConfig(dirPath string) (*registryConfiguration, error) {
|
||||
mergedConfig := registryConfiguration{Docker: map[string]registryNamespace{}}
|
||||
dockerDefaultMergedFrom := ""
|
||||
nsMergedFrom := map[string]string{}
|
||||
|
||||
|
|
@ -74,7 +74,7 @@ func LoadAndMergeConfig(dirPath string) (*RegistryConfiguration, error) {
|
|||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
var config RegistryConfiguration
|
||||
var config registryConfiguration
|
||||
err = yaml.Unmarshal(configBytes, &config)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("error parsing %s: %w", configPath, err)
|
||||
|
|
@ -99,8 +99,8 @@ func LoadAndMergeConfig(dirPath string) (*RegistryConfiguration, error) {
|
|||
return &mergedConfig, nil
|
||||
}
|
||||
|
||||
// HaveMatchRegistry checks if trust settings for the registry have been configured in yaml file
|
||||
func HaveMatchRegistry(key string, registryConfigs *RegistryConfiguration) *RegistryNamespace {
|
||||
// haveMatchRegistry returns configuration from registryConfigs that is configured for key.
|
||||
func haveMatchRegistry(key string, registryConfigs *registryConfiguration) *registryNamespace {
|
||||
searchKey := key
|
||||
if !strings.Contains(searchKey, "/") {
|
||||
val, exists := registryConfigs.Docker[searchKey]
|
||||
|
|
|
|||
|
|
@ -18,7 +18,7 @@ type Policy struct {
|
|||
|
||||
// PolicyDescription returns an user-focused description of the policy in policyPath and registries.d data from registriesDirPath.
|
||||
func PolicyDescription(policyPath, registriesDirPath string) ([]*Policy, error) {
|
||||
policyContentStruct, err := GetPolicy(policyPath)
|
||||
policyContentStruct, err := getPolicy(policyPath)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("could not read trust policies: %w", err)
|
||||
}
|
||||
|
|
@ -29,10 +29,10 @@ func PolicyDescription(policyPath, registriesDirPath string) ([]*Policy, error)
|
|||
return res, nil
|
||||
}
|
||||
|
||||
func getPolicyShowOutput(policyContentStruct PolicyContent, systemRegistriesDirPath string) ([]*Policy, error) {
|
||||
func getPolicyShowOutput(policyContentStruct policyContent, systemRegistriesDirPath string) ([]*Policy, error) {
|
||||
var output []*Policy
|
||||
|
||||
registryConfigs, err := LoadAndMergeConfig(systemRegistriesDirPath)
|
||||
registryConfigs, err := loadAndMergeConfig(systemRegistriesDirPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
|
@ -61,15 +61,15 @@ func getPolicyShowOutput(policyContentStruct PolicyContent, systemRegistriesDirP
|
|||
uids := []string{}
|
||||
for _, repoele := range repoval {
|
||||
if len(repoele.KeyPath) > 0 {
|
||||
uids = append(uids, GetGPGIdFromKeyPath(repoele.KeyPath)...)
|
||||
uids = append(uids, getGPGIdFromKeyPath(repoele.KeyPath)...)
|
||||
}
|
||||
if len(repoele.KeyData) > 0 {
|
||||
uids = append(uids, GetGPGIdFromKeyData(repoele.KeyData)...)
|
||||
uids = append(uids, getGPGIdFromKeyData(repoele.KeyData)...)
|
||||
}
|
||||
}
|
||||
tempTrustShowOutput.GPGId = strings.Join(uids, ", ")
|
||||
|
||||
registryNamespace := HaveMatchRegistry(repo, registryConfigs)
|
||||
registryNamespace := haveMatchRegistry(repo, registryConfigs)
|
||||
if registryNamespace != nil {
|
||||
tempTrustShowOutput.SignatureStore = registryNamespace.SigStore
|
||||
}
|
||||
|
|
|
|||
Loading…
Reference in New Issue