keystore caching

Signed-off-by: Nathan McCauley <nathan.mccauley@docker.com>
2015-07-20 01:40:55 -07:00 · 2015-07-20 01:40:55 -07:00 · 1421f47258
parent ff2e583439
commit 1421f47258
2 changed files with 97 additions and 10 deletions
--- a/trustmanager/keyfilestore.go
+++ b/trustmanager/keyfilestore.go
@ -29,13 +29,15 @@ type KeyStore interface {
 // KeyFileStore persists and manages private keys on disk
 type KeyFileStore struct {
 	SimpleFileStore
-	PassphraseRetriever passphrase.Retriever
+	PassphraseRetriever
+	cachedKeys map[string]data.PrivateKey
 }

 // KeyMemoryStore manages private keys in memory
 type KeyMemoryStore struct {
 	MemoryFileStore
-	PassphraseRetriever passphrase.Retriever
+	PassphraseRetriever
+	cachedKeys map[string]data.PrivateKey
 }

 // NewKeyFileStore returns a new KeyFileStore creating a private directory to
@ -45,18 +47,19 @@ func NewKeyFileStore(baseDir string, passphraseRetriever passphrase.Retriever) (
 	if err != nil {
 		return nil, err
 	}
+	cachedKeys := make(map[string]data.PrivateKey)

-	return &KeyFileStore{*fileStore, passphraseRetriever}, nil
+	return &KeyFileStore{*fileStore, passphraseRetriever, cachedKeys}, nil
 }

 // AddKey stores the contents of a PEM-encoded private key as a PEM block
 func (s *KeyFileStore) AddKey(name, alias string, privKey data.PrivateKey) error {
-	return addKey(s, s.PassphraseRetriever, name, alias, privKey)
+	return addKey(s, s.PassphraseRetriever, s.cachedKeys, name, alias, privKey)
 }

 // GetKey returns the PrivateKey given a KeyID
 func (s *KeyFileStore) GetKey(name string) (data.PrivateKey, error) {
-	return getKey(s, s.PassphraseRetriever, name)
+	return getKey(s, s.PassphraseRetriever, s.cachedKeys, name)
 }

 // GetKeyAlias returns the PrivateKey's alias given a KeyID
@ -79,18 +82,19 @@ func (s *KeyFileStore) RemoveKey(name string) error {
 // NewKeyMemoryStore returns a new KeyMemoryStore which holds keys in memory
 func NewKeyMemoryStore(passphraseRetriever passphrase.Retriever) *KeyMemoryStore {
 	memStore := NewMemoryFileStore()
+	cachedKeys := make(map[string]data.PrivateKey)

-	return &KeyMemoryStore{*memStore, passphraseRetriever}
+	return &KeyMemoryStore{*memStore, passphraseRetriever, cachedKeys}
 }

 // AddKey stores the contents of a PEM-encoded private key as a PEM block
 func (s *KeyMemoryStore) AddKey(name, alias string, privKey data.PrivateKey) error {
-	return addKey(s, s.PassphraseRetriever, name, alias, privKey)
+	return addKey(s, s.PassphraseRetriever, s.cachedKeys, name, alias, privKey)
 }

 // GetKey returns the PrivateKey given a KeyID
 func (s *KeyMemoryStore) GetKey(name string) (data.PrivateKey, error) {
-	return getKey(s, s.PassphraseRetriever, name)
+	return getKey(s, s.PassphraseRetriever, s.cachedKeys, name)
 }

 // GetKeyAlias returns the PrivateKey's alias given a KeyID
@ -110,7 +114,7 @@ func (s *KeyMemoryStore) RemoveKey(name string) error {
 	return removeKey(s, name)
 }

-func addKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, name, alias string, privKey data.PrivateKey) error {
+func addKey(s LimitedFileStore, passphraseRetriever PassphraseRetriever, cachedKeys map[string]data.PrivateKey, name, alias string, privKey data.PrivateKey) error {
 	pemPrivKey, err := KeyToPEM(privKey)
 	if err != nil {
 		return err
@ -141,6 +145,7 @@ func addKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, name,
 		}
 	}

+	cachedKeys[name] = privKey
 	return s.Add(name+"_"+alias, pemPrivKey)
 }

@ -162,7 +167,11 @@ func getKeyAlias(s LimitedFileStore, keyID string) (string, error) {
 }

 // GetKey returns the PrivateKey given a KeyID
-func getKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, name string) (data.PrivateKey, error) {
+func getKey(s LimitedFileStore, passphraseRetriever PassphraseRetriever, cachedKeys map[string]data.PrivateKey, name string) (data.PrivateKey, error) {
+	cachedKey, ok := cachedKeys[name]
+	if ok {
+		return cachedKey, nil
+	}
 	keyAlias, err := getKeyAlias(s, name)
 	if err != nil {
 		return nil, err
@ -195,6 +204,7 @@ func getKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, name s
 			}
 		}
 	}
+	cachedKeys[name] = privKey
 	return privKey, nil
 }

--- a/trustmanager/keyfilestore_test.go
+++ b/trustmanager/keyfilestore_test.go
@ -9,6 +9,7 @@ import (
 	"path/filepath"
 	"strings"
 	"testing"
+	"github.com/docker/notary/Godeps/_workspace/src/github.com/stretchr/testify/assert"
 )

 var passphraseRetriever = func(keyID string, alias string, createNew bool, numAttempts int) (string, bool, error) {
@ -364,3 +365,79 @@ func TestRemoveKey(t *testing.T) {
 		t.Fatalf("file should not exist %s", expectedFilePath)
 	}
 }
+
+func TestKeysAreCached(t *testing.T) {
+	testName := "docker.com/notary/root"
+	testAlias := "alias"
+
+	// Temporary directory where test files will be created
+	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
+	if err != nil {
+		t.Fatalf("failed to create a temporary directory: %v", err)
+	}
+	defer os.RemoveAll(tempBaseDir)
+
+
+	var countingPassphraseRetriever PassphraseRetriever
+
+	numTimesCalled := 0
+	countingPassphraseRetriever = func(keyId, alias string, createNew bool, attempts int) (passphrase string, giveup bool, err error) {
+		numTimesCalled++
+		return "password", false, nil
+	}
+
+	// Create our store
+	store, err := NewKeyFileStore(tempBaseDir, countingPassphraseRetriever)
+	if err != nil {
+		t.Fatalf("failed to create new key filestore: %v", err)
+	}
+
+	privKey, err := GenerateRSAKey(rand.Reader, 512)
+	if err != nil {
+		t.Fatalf("could not generate private key: %v", err)
+	}
+
+	// Call the AddKey function
+	err = store.AddKey(testName, testAlias, privKey)
+	if err != nil {
+		t.Fatalf("failed to add file to store: %v", err)
+	}
+
+	assert.Equal(t, 1, numTimesCalled, "numTimesCalled should have been 1")
+
+	// Call the AddKey function
+	privKey2, err := store.GetKey(testName)
+	if err != nil {
+		t.Fatalf("failed to add file to store: %v", err)
+	}
+
+	assert.Equal(t, privKey.Public(), privKey2.Public(), "cachedPrivKey should be the same as the added privKey")
+	assert.Equal(t, privKey.Private(), privKey2.Private(), "cachedPrivKey should be the same as the added privKey")
+	assert.Equal(t, 1, numTimesCalled, "numTimesCalled should be 1 -- no additional call to passphraseRetriever")
+
+
+	// Create a new store
+	store2, err := NewKeyFileStore(tempBaseDir, countingPassphraseRetriever)
+	if err != nil {
+		t.Fatalf("failed to create new key filestore: %v", err)
+	}
+
+	// Call the AddKey function
+	privKey3, err := store2.GetKey(testName)
+	if err != nil {
+		t.Fatalf("failed to add file to store: %v", err)
+	}
+
+	assert.Equal(t, privKey2.Private(), privKey3.Private(), "privkey from store1 should be the same as privkey from store2")
+	assert.Equal(t, privKey2.Public(), privKey3.Public(), "privkey from store1 should be the same as privkey from store2")
+	assert.Equal(t, 2, numTimesCalled, "numTimesCalled should be 2 -- one additional call to passphraseRetriever")
+
+	// Call the GetKey function a bunch of times
+	for i := 0; i < 10; i++ {
+		_, err := store2.GetKey(testName)
+		if err != nil {
+			t.Fatalf("failed to add file to store: %v", err)
+		}
+	}
+	assert.Equal(t, 2, numTimesCalled, "numTimesCalled should be 2 -- no additional call to passphraseRetriever")
+}