Merge pull request #114 from docker/invalid_password_err
better error handling for invalid password
commit
21a9b99e94
|
|
@ -211,7 +211,9 @@ func (r *NotaryRepository) Initialize(uCryptoService *cryptoservice.UnlockedCryp
|
|||
err = r.tufRepo.InitRoot(false)
|
||||
if err != nil {
|
||||
logrus.Debug("Error on InitRoot: ", err.Error())
|
||||
if _, ok := err.(tuferrors.ErrInsufficientSignatures); !ok {
|
||||
switch err.(type) {
|
||||
case tuferrors.ErrInsufficientSignatures, trustmanager.ErrPasswordInvalid:
|
||||
default:
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
|
@ -226,12 +228,7 @@ func (r *NotaryRepository) Initialize(uCryptoService *cryptoservice.UnlockedCryp
|
|||
return err
|
||||
}
|
||||
|
||||
if err := r.saveMetadata(uCryptoService.CryptoService); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// Creates an empty snapshot
|
||||
return r.snapshot()
|
||||
return r.saveMetadata(uCryptoService.CryptoService)
|
||||
}
|
||||
|
||||
// AddTarget adds a new target to the repository, forcing a timestamps check from TUF
|
||||
|
|
@ -258,7 +255,6 @@ func (r *NotaryRepository) AddTarget(target *Target) error {
|
|||
|
||||
// ListTargets lists all targets for the current repository
|
||||
func (r *NotaryRepository) ListTargets() ([]*Target, error) {
|
||||
|
||||
c, err := r.bootstrapClient()
|
||||
if err != nil {
|
||||
return nil, err
|
||||
|
|
@ -463,34 +459,48 @@ func (r *NotaryRepository) bootstrapRepo() error {
|
|||
}
|
||||
|
||||
func (r *NotaryRepository) saveMetadata(rootCryptoService signed.CryptoService) error {
|
||||
logrus.Debugf("Saving changes to Trusted Collection.")
|
||||
signedRoot, err := r.tufRepo.SignRoot(data.DefaultExpires("root"), rootCryptoService)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
rootJSON, err := json.Marshal(signedRoot)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
rootJSON, _ := json.Marshal(signedRoot)
|
||||
return r.fileStore.SetMeta("root", rootJSON)
|
||||
}
|
||||
|
||||
func (r *NotaryRepository) snapshot() error {
|
||||
logrus.Debugf("Saving changes to Trusted Collection.")
|
||||
|
||||
targetsToSave := make(map[string][]byte)
|
||||
for t := range r.tufRepo.Targets {
|
||||
signedTargets, err := r.tufRepo.SignTargets(t, data.DefaultExpires("targets"), nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
targetsJSON, _ := json.Marshal(signedTargets)
|
||||
parentDir := filepath.Dir(t)
|
||||
os.MkdirAll(parentDir, 0755)
|
||||
r.fileStore.SetMeta(t, targetsJSON)
|
||||
targetsJSON, err := json.Marshal(signedTargets)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
targetsToSave[t] = targetsJSON
|
||||
}
|
||||
|
||||
signedSnapshot, err := r.tufRepo.SignSnapshot(data.DefaultExpires("snapshot"), nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
snapshotJSON, _ := json.Marshal(signedSnapshot)
|
||||
snapshotJSON, err := json.Marshal(signedSnapshot)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
err = r.fileStore.SetMeta("root", rootJSON)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
for role, blob := range targetsToSave {
|
||||
parentDir := filepath.Dir(role)
|
||||
os.MkdirAll(parentDir, 0755)
|
||||
r.fileStore.SetMeta(role, blob)
|
||||
}
|
||||
|
||||
return r.fileStore.SetMeta("snapshot", snapshotJSON)
|
||||
}
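Review bot: In the new write-out loop at the end of saveMetadata (`for role, blob := range targetsToSave`), the results of `os.MkdirAll(parentDir, 0755)` and `r.fileStore.SetMeta(role, blob)` are discarded, while the root and snapshot writes in the same function now check their errors; a failed targets write would therefore return nil to the caller with the new root and snapshot already on disk and the targets files left stale. `if err := r.fileStore.SetMeta(role, blob); err != nil { return err }` keeps the function's error handling consistent, and the same treatment (or a justifying comment) applies to MkdirAll, which as written resolves `filepath.Dir(role)` against the process working directory rather than anything derived from fileStore — presumably intentional, but worth confirming. Even with that fix, a failure after `SetMeta("root", rootJSON)` has succeeded leaves a partially updated store; a function comment stating the intended write order (root, then targets, then snapshot) and that an error means the collection on disk may be inconsistent would help callers react correctly. The json.Marshal checks added in this hunk are welcome for the same reason.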
|
||||
|
|
|
|||
|
|
@ -99,7 +99,7 @@ func (ccs *CryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signatur
|
|||
// the root keys. Continuing here is safe because we
|
||||
// end up not returning any signatures.
|
||||
logrus.Debugf("ignoring error attempting to retrieve key ID: %s, %v", keyid, err)
|
||||
continue
|
||||
return nil, err
|
||||
}
|
||||
|
||||
algorithm := privKey.Algorithm()
|
||||
|
|
@ -120,7 +120,7 @@ func (ccs *CryptoService) Sign(keyIDs []string, payload []byte) ([]data.Signatur
|
|||
}
|
||||
if err != nil {
|
||||
logrus.Debugf("ignoring error attempting to %s sign with keyID: %s, %v", algorithm, keyid, err)
|
||||
continue
|
||||
return nil, err
|
||||
}
|
||||
|
||||
logrus.Debugf("appending %s signature with Key ID: %s", algorithm, keyid)
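Review bot: If `return nil, err` is the new side in both hunks of Sign, as the PR title suggests, the surrounding text is now stale: the context comment above the first change still says "Continuing here is safe because we end up not returning any signatures", and the `logrus.Debugf("ignoring error …")` messages describe a continue that no longer happens. Reword the comment to say the error is propagated so that an unreadable key or a failed signing operation surfaces to the caller instead of yielding metadata with fewer signatures than requested, and drop the "ignoring" wording if those log lines survive, e.g. `logrus.Debugf("error retrieving key ID %s: %v", keyid, err)`. Failing closed here is the right direction for a signing path. The rest of Sign's body lies outside the hunks, so I can't see whether any other branch still silently continues.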
|
||||
|
|
|
|||
|
|
@ -16,6 +16,16 @@ const (
|
|||
keyExtension = "key"
|
||||
)
|
||||
|
||||
// ErrPasswordInvalid is returned when signing fails. It could also mean the signing
|
||||
// key file was corrupted, but we have no way to distinguish.
|
||||
type ErrPasswordInvalid struct{}
|
||||
|
||||
// ErrPasswordInvalid is returned when signing fails. It could also mean the signing
|
||||
// key file was corrupted, but we have no way to distinguish.
|
||||
func (err ErrPasswordInvalid) Error() string {
|
||||
return "Password Invalid, operation has failed."
|
||||
}
|
||||
|
||||
// KeyStore is a generic interface for private key storage
|
||||
type KeyStore interface {
|
||||
LimitedFileStore
|
||||
|
|
@ -201,6 +211,7 @@ func getKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached
|
|||
return nil, "", err
|
||||
}
|
||||
|
||||
var retErr error
|
||||
// See if the key is encrypted. If its encrypted we'll fail to parse the private key
|
||||
privKey, err := ParsePEMPrivateKey(keyBytes, "")
|
||||
if err != nil {
|
||||
|
|
@ -217,12 +228,18 @@ func getKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached
|
|||
|
||||
// Try to convert PEM encoded bytes back to a PrivateKey using the passphrase
|
||||
privKey, err = ParsePEMPrivateKey(keyBytes, passphrase)
|
||||
if err == nil {
|
||||
if err != nil {
|
||||
retErr = ErrPasswordInvalid{}
|
||||
} else {
|
||||
// We managed to parse the PrivateKey. We've succeeded!
|
||||
retErr = nil
|
||||
break
|
||||
}
|
||||
}
|
||||
}
|
||||
if retErr != nil {
|
||||
return nil, "", retErr
|
||||
}
|
||||
cachedKeys[name] = &cachedKey{alias: keyAlias, key: privKey}
|
||||
return privKey, keyAlias, nil
|
||||
}
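Review bot: In getKey, the parse error at `if err != nil { retErr = ErrPasswordInvalid{} }` is discarded, so a wrong passphrase and a corrupt or unsupported key file are indistinguishable to the caller and to any log, which the type's own comment concedes; keeping the cause on the value (`type ErrPasswordInvalid struct{ Cause error }`, set with `retErr = ErrPasswordInvalid{Cause: err}` and appended by Error() when non-nil) preserves the concrete type that Initialize's type switch matches, whereas wrapping with fmt.Errorf would break that switch. In the first hunk the comment on `Error()` duplicates the type's comment and does not start with the method name; `// Error implements the error interface.` is enough, and the type comment would be more accurate as "returned when a private key cannot be decrypted with the supplied passphrase", since that is where the value is produced. The loop body and retriever handling around the second hunk are outside the view, so I can't confirm that retErr is set on every path that reaches the `if retErr != nil` check before privKey is cached.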
|
||||
|
|
|
|||