Add pkcs11 build tags

Add build tags and a check in Makefile to be sure you do not import pkcs11 lib somewhere where it should not be. This will ensure docker import and integration will continue to work. Signed-off-by: Jessica Frazelle <acidburn@docker.com> Signed-off-by: David Lawrence <david.lawrence@docker.com> Signed-off-by: Jessica Frazelle <acidburn@docker.com> (github: endophage)
2015-10-30 20:53:10 -07:00 · 2015-10-30 20:53:10 -07:00 · 5f21ebd185
parent 913c5ef033
commit 5f21ebd185
7 changed files with 69 additions and 46 deletions
--- a/29
+++ b/29
@ -8,17 +8,25 @@ NOTARY_VERSION := $(shell cat NOTARY_VERSION)
 GITCOMMIT := $(shell git rev-parse --short HEAD)
 GITUNTRACKEDCHANGES := $(shell git status --porcelain --untracked-files=no)
 ifneq ($(GITUNTRACKEDCHANGES),)
-	GITCOMMIT := $(GITCOMMIT)-dirty
+GITCOMMIT := $(GITCOMMIT)-dirty
 endif
 CTIMEVAR=-X $(NOTARY_PKG)/version.GitCommit='$(GITCOMMIT)' -X $(NOTARY_PKG)/version.NotaryVersion='$(NOTARY_VERSION)'
 GO_LDFLAGS=-ldflags "-w $(CTIMEVAR)"
 GO_LDFLAGS_STATIC=-ldflags "-w $(CTIMEVAR) -extldflags -static"
 GOOSES = darwin freebsd linux
 GOARCHS = amd64
-NOTARY_BUILDFLAGS="pkcs11"
+NOTARY_BUILDTAGS="pkcs11"
 GO_EXC = go
 NOTARYDIR := /go/src/github.com/docker/notary

+# check to be sure pkcs11 lib is always imported with a build tag
+GO_LIST_PKCS11 := $(shell go list -e -f '{{join .Deps "\n"}}' ./... | xargs go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' | grep -q pkcs11)
+ifeq ($(GO_LIST_PKCS11),)
+$(info pkcs11 import was not found anywhere without a build tag, yay)
+else
+$(error You are importing pkcs11 somewhere and not using a build tag)
+endif
+
 # go cover test variables
 COVERDIR=.cover
 COVERPROFILE=$(COVERDIR)/cover.out
@ -27,7 +35,7 @@ PKGS = $(shell go list ./... | tr '\n' ' ')

 GO_VERSION = $(shell go version | awk '{print $$3}')

-.PHONY: clean all fmt vet lint build test binaries cross cover docker-images
+.PHONY: clean all fmt vet lint build test binaries cross cover docker-images notary-dockerfile
 .DELETE_ON_ERROR: cover
 .DEFAULT: default

@ -50,15 +58,15 @@ version/version.go:

 ${PREFIX}/bin/notary-server: NOTARY_VERSION $(shell find . -type f -name '*.go')
 	@echo "+ $@"
-	@godep go build -tags ${NOTARY_BUILDFLAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-server
+	@godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-server

 ${PREFIX}/bin/notary: NOTARY_VERSION $(shell find . -type f -name '*.go')
 	@echo "+ $@"
-	@godep go build -tags ${NOTARY_BUILDFLAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary
+	@godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary

 ${PREFIX}/bin/notary-signer: NOTARY_VERSION $(shell find . -type f -name '*.go')
 	@echo "+ $@"
-	@godep go build -tags ${NOTARY_BUILDFLAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-signer
+	@godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-signer

 vet: go_version
 	@echo "+ $@"
@ -74,21 +82,20 @@ lint:

 build: go_version
 	@echo "+ $@"
-	@go build -tags ${NOTARY_BUILDFLAGS} -v ${GO_LDFLAGS} ./...
+	@go build -tags ${NOTARY_BUILDTAGS} -v ${GO_LDFLAGS} ./...

 test: OPTS =
 test: go_version
 	@echo "+ $@ $(OPTS)"
-	go test -tags ${NOTARY_BUILDFLAGS} $(OPTS) ./...
+	go test -tags ${NOTARY_BUILDTAGS} $(OPTS) ./...

 test-full: vet lint
 	@echo "+ $@"
-	go test -tags ${NOTARY_BUILDFLAGS} -v ./...
+	go test -tags ${NOTARY_BUILDTAGS} -v ./...

 protos:
 	@protoc --go_out=plugins=grpc:. proto/*.proto

-
 # This allows coverage for a package to come from tests in different package.
 # Requires that the following:
 # go get github.com/wadey/gocovmerge; go install github.com/wadey/gocovmerge
@ -112,7 +119,7 @@ cover: gen-cover
 	@go tool cover -html="$(COVERPROFILE)"

 # Codecov knows how to merge multiple coverage files
-ci: OPTS = -race -coverpkg "$(shell ./coverpkg.sh $(1) $(NOTARY_PKG))"
+ci: OPTS = -tags ${NOTARY_BUILDTAGS} -race -coverpkg "$(shell ./coverpkg.sh $(1) $(NOTARY_PKG))"
    GO_EXC := godep go
 ci: gen-cover
 	@gocovmerge $(shell ls -1 $(COVERDIR)/* | tr "\n" " ") > $(COVERPROFILE)
--- a/cmd/notary-signer/main.go
+++ b/cmd/notary-signer/main.go
@ -1,3 +1,5 @@
+// +build pkcs11
+
 package main

 import (
--- a/cmd/notary-signer/main_test.go
+++ b/cmd/notary-signer/main_test.go
@ -1,3 +1,5 @@
+// +build pkcs11
+
 package main

 import (
--- a/signer/api/api_pkcs11_test.go
+++ b/signer/api/api_pkcs11_test.go
@ -0,0 +1,43 @@
+// +build pkcs11
+
+package api_test
+
+import (
+	"os"
+	"testing"
+
+	"github.com/miekg/pkcs11"
+)
+
+func SetupHSMEnv(t *testing.T) (*pkcs11.Ctx, pkcs11.SessionHandle) {
+	var libPath = "/usr/local/lib/softhsm/libsofthsm2.so"
+	if _, err := os.Stat(libPath); err != nil {
+		t.Skipf("Skipping test. Library path: %s does not exist", libPath)
+	}
+
+	p := pkcs11.New(libPath)
+
+	if p == nil {
+		t.Fatalf("Failed to init library")
+	}
+
+	if err := p.Initialize(); err != nil {
+		t.Fatalf("Initialize error %s\n", err.Error())
+	}
+
+	slots, err := p.GetSlotList(true)
+	if err != nil {
+		t.Fatalf("Failed to list HSM slots %s", err)
+	}
+
+	session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
+	if err != nil {
+		t.Fatalf("Failed to Start Session with HSM %s", err)
+	}
+
+	if err = p.Login(session, pkcs11.CKU_USER, "1234"); err != nil {
+		t.Fatalf("User PIN %s\n", err.Error())
+	}
+
+	return p, session
+}
--- a/signer/api/api_test.go
+++ b/signer/api/api_test.go
@ -7,7 +7,6 @@ import (
 	"io/ioutil"
 	"net/http"
 	"net/http/httptest"
-	"os"
 	"strings"
 	"testing"

@ -16,7 +15,6 @@ import (
 	"github.com/docker/notary/signer/api"
 	"github.com/docker/notary/trustmanager"
 	"github.com/docker/notary/tuf/data"
-	"github.com/miekg/pkcs11"
 	"github.com/stretchr/testify/assert"

 	pb "github.com/docker/notary/proto"
@ -32,39 +30,6 @@ var (
 	passphraseRetriever = func(string, string, bool, int) (string, bool, error) { return "passphrase", false, nil }
 )

-func SetupHSMEnv(t *testing.T) (*pkcs11.Ctx, pkcs11.SessionHandle) {
-	var libPath = "/usr/local/lib/softhsm/libsofthsm2.so"
-	if _, err := os.Stat(libPath); err != nil {
-		t.Skipf("Skipping test. Library path: %s does not exist", libPath)
-	}
-
-	p := pkcs11.New(libPath)
-
-	if p == nil {
-		t.Fatalf("Failed to init library")
-	}
-
-	if err := p.Initialize(); err != nil {
-		t.Fatalf("Initialize error %s\n", err.Error())
-	}
-
-	slots, err := p.GetSlotList(true)
-	if err != nil {
-		t.Fatalf("Failed to list HSM slots %s", err)
-	}
-
-	session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
-	if err != nil {
-		t.Fatalf("Failed to Start Session with HSM %s", err)
-	}
-
-	if err = p.Login(session, pkcs11.CKU_USER, "1234"); err != nil {
-		t.Fatalf("User PIN %s\n", err.Error())
-	}
-
-	return p, session
-}
-
 func setup(cryptoServices signer.CryptoServiceIndex) {
 	server = httptest.NewServer(api.Handlers(cryptoServices))
 	deleteKeyBaseURL = fmt.Sprintf("%s/delete", server.URL)
--- a/signer/api/rsa_hardware_crypto_service.go
+++ b/signer/api/rsa_hardware_crypto_service.go
@ -1,3 +1,5 @@
+// +build pkcs11
+
 package api

 import (
--- a/signer/keys/keys.go
+++ b/signer/keys/keys.go
@ -1,3 +1,5 @@
+// +build pkcs11
+
 package keys

 import (