docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Add pkcs11 build tags 

Add build tags and a check in Makefile to be sure you do not import
pkcs11 lib somewhere where it should not be. This will ensure docker
import and integration will continue to work.

Signed-off-by: Jessica Frazelle <acidburn@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>

Signed-off-by: Jessica Frazelle <acidburn@docker.com> (github: endophage)
This commit is contained in:
Jessica Frazelle 2015-10-30 20:53:10 -07:00 committed by David Lawrence
parent 913c5ef033
commit 5f21ebd185
7 changed files with 69 additions and 46 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

29
Makefile
View File

@ -8,17 +8,25 @@ NOTARY_VERSION := $(shell cat NOTARY_VERSION)
GITCOMMIT := $(shell git rev-parse --short HEAD) GITCOMMIT := $(shell git rev-parse --short HEAD)
GITUNTRACKEDCHANGES := $(shell git status --porcelain --untracked-files=no) GITUNTRACKEDCHANGES := $(shell git status --porcelain --untracked-files=no)
ifneq ($(GITUNTRACKEDCHANGES),) ifneq ($(GITUNTRACKEDCHANGES),)
GITCOMMIT := $(GITCOMMIT)-dirty GITCOMMIT := $(GITCOMMIT)-dirty
endif endif
CTIMEVAR=-X $(NOTARY_PKG)/version.GitCommit='$(GITCOMMIT)' -X $(NOTARY_PKG)/version.NotaryVersion='$(NOTARY_VERSION)' CTIMEVAR=-X $(NOTARY_PKG)/version.GitCommit='$(GITCOMMIT)' -X $(NOTARY_PKG)/version.NotaryVersion='$(NOTARY_VERSION)'
GO_LDFLAGS=-ldflags "-w $(CTIMEVAR)" GO_LDFLAGS=-ldflags "-w $(CTIMEVAR)"
GO_LDFLAGS_STATIC=-ldflags "-w $(CTIMEVAR) -extldflags -static" GO_LDFLAGS_STATIC=-ldflags "-w $(CTIMEVAR) -extldflags -static"
GOOSES = darwin freebsd linux GOOSES = darwin freebsd linux
GOARCHS = amd64 GOARCHS = amd64
NOTARY_BUILDFLAGS="pkcs11" NOTARY_BUILDTAGS="pkcs11"
GO_EXC = go GO_EXC = go
NOTARYDIR := /go/src/github.com/docker/notary NOTARYDIR := /go/src/github.com/docker/notary
# check to be sure pkcs11 lib is always imported with a build tag
GO_LIST_PKCS11 := $(shell go list -e -f '{{join .Deps "\n"}}' ./... | xargs go list -e -f '{{if not .Standard}}{{.ImportPath}}{{end}}' | grep -q pkcs11)
ifeq ($(GO_LIST_PKCS11),)
$(info pkcs11 import was not found anywhere without a build tag, yay)
else
$(error You are importing pkcs11 somewhere and not using a build tag)
endif
# go cover test variables # go cover test variables
COVERDIR=.cover COVERDIR=.cover
COVERPROFILE=$(COVERDIR)/cover.out COVERPROFILE=$(COVERDIR)/cover.out
@ -27,7 +35,7 @@ PKGS = $(shell go list ./... | tr '\n' ' ')
GO_VERSION = $(shell go version | awk '{print $$3}') GO_VERSION = $(shell go version | awk '{print $$3}')
.PHONY: clean all fmt vet lint build test binaries cross cover docker-images .PHONY: clean all fmt vet lint build test binaries cross cover docker-images notary-dockerfile
.DELETE_ON_ERROR: cover .DELETE_ON_ERROR: cover
.DEFAULT: default .DEFAULT: default
@ -50,15 +58,15 @@ version/version.go:
${PREFIX}/bin/notary-server: NOTARY_VERSION $(shell find . -type f -name '*.go') ${PREFIX}/bin/notary-server: NOTARY_VERSION $(shell find . -type f -name '*.go')
@echo "+ $@" @echo "+ $@"
@godep go build -tags ${NOTARY_BUILDFLAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-server @godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-server
${PREFIX}/bin/notary: NOTARY_VERSION $(shell find . -type f -name '*.go') ${PREFIX}/bin/notary: NOTARY_VERSION $(shell find . -type f -name '*.go')
@echo "+ $@" @echo "+ $@"
@godep go build -tags ${NOTARY_BUILDFLAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary @godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary
${PREFIX}/bin/notary-signer: NOTARY_VERSION $(shell find . -type f -name '*.go') ${PREFIX}/bin/notary-signer: NOTARY_VERSION $(shell find . -type f -name '*.go')
@echo "+ $@" @echo "+ $@"
@godep go build -tags ${NOTARY_BUILDFLAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-signer @godep go build -tags ${NOTARY_BUILDTAGS} -o $@ ${GO_LDFLAGS} ./cmd/notary-signer
vet: go_version vet: go_version
@echo "+ $@" @echo "+ $@"
@ -74,21 +82,20 @@ lint:
build: go_version build: go_version
@echo "+ $@" @echo "+ $@"
@go build -tags ${NOTARY_BUILDFLAGS} -v ${GO_LDFLAGS} ./... @go build -tags ${NOTARY_BUILDTAGS} -v ${GO_LDFLAGS} ./...
test: OPTS = test: OPTS =
test: go_version test: go_version
@echo "+ $@ $(OPTS)" @echo "+ $@ $(OPTS)"
go test -tags ${NOTARY_BUILDFLAGS} $(OPTS) ./... go test -tags ${NOTARY_BUILDTAGS} $(OPTS) ./...
test-full: vet lint test-full: vet lint
@echo "+ $@" @echo "+ $@"
go test -tags ${NOTARY_BUILDFLAGS} -v ./... go test -tags ${NOTARY_BUILDTAGS} -v ./...
protos: protos:
@protoc --go_out=plugins=grpc:. proto/*.proto @protoc --go_out=plugins=grpc:. proto/*.proto
# This allows coverage for a package to come from tests in different package. # This allows coverage for a package to come from tests in different package.
# Requires that the following: # Requires that the following:
# go get github.com/wadey/gocovmerge; go install github.com/wadey/gocovmerge # go get github.com/wadey/gocovmerge; go install github.com/wadey/gocovmerge
@ -112,7 +119,7 @@ cover: gen-cover
@go tool cover -html="$(COVERPROFILE)" @go tool cover -html="$(COVERPROFILE)"
# Codecov knows how to merge multiple coverage files # Codecov knows how to merge multiple coverage files
ci: OPTS = -race -coverpkg "$(shell ./coverpkg.sh $(1) $(NOTARY_PKG))" ci: OPTS = -tags ${NOTARY_BUILDTAGS} -race -coverpkg "$(shell ./coverpkg.sh $(1) $(NOTARY_PKG))"
GO_EXC := godep go GO_EXC := godep go
ci: gen-cover ci: gen-cover
@gocovmerge $(shell ls -1 $(COVERDIR)/* | tr "\n" " ") > $(COVERPROFILE) @gocovmerge $(shell ls -1 $(COVERDIR)/* | tr "\n" " ") > $(COVERPROFILE)

2
cmd/notary-signer/main.go
View File

@ -1,3 +1,5 @@
// +build pkcs11
package main package main
import ( import (

2
cmd/notary-signer/main_test.go
View File

@ -1,3 +1,5 @@
// +build pkcs11
package main package main
import ( import (

43
signer/api/api_pkcs11_test.go Normal file
View File

@ -0,0 +1,43 @@
// +build pkcs11
package api_test
import (
"os"
"testing"
"github.com/miekg/pkcs11"
)
func SetupHSMEnv(t *testing.T) (*pkcs11.Ctx, pkcs11.SessionHandle) {
var libPath = "/usr/local/lib/softhsm/libsofthsm2.so"
if _, err := os.Stat(libPath); err != nil {
t.Skipf("Skipping test. Library path: %s does not exist", libPath)
}
p := pkcs11.New(libPath)
if p == nil {
t.Fatalf("Failed to init library")
}
if err := p.Initialize(); err != nil {
t.Fatalf("Initialize error %s\n", err.Error())
}
slots, err := p.GetSlotList(true)
if err != nil {
t.Fatalf("Failed to list HSM slots %s", err)
}
session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
if err != nil {
t.Fatalf("Failed to Start Session with HSM %s", err)
}
if err = p.Login(session, pkcs11.CKU_USER, "1234"); err != nil {
t.Fatalf("User PIN %s\n", err.Error())
}
return p, session
}

35
signer/api/api_test.go
View File

@ -7,7 +7,6 @@ import (
"io/ioutil" "io/ioutil"
"net/http" "net/http"
"net/http/httptest" "net/http/httptest"
"os"
"strings" "strings"
"testing" "testing"
@ -16,7 +15,6 @@ import (
"github.com/docker/notary/signer/api" "github.com/docker/notary/signer/api"
"github.com/docker/notary/trustmanager" "github.com/docker/notary/trustmanager"
"github.com/docker/notary/tuf/data" "github.com/docker/notary/tuf/data"
"github.com/miekg/pkcs11"
"github.com/stretchr/testify/assert" "github.com/stretchr/testify/assert"
pb "github.com/docker/notary/proto" pb "github.com/docker/notary/proto"
@ -32,39 +30,6 @@ var (
passphraseRetriever = func(string, string, bool, int) (string, bool, error) { return "passphrase", false, nil } passphraseRetriever = func(string, string, bool, int) (string, bool, error) { return "passphrase", false, nil }
) )
func SetupHSMEnv(t *testing.T) (*pkcs11.Ctx, pkcs11.SessionHandle) {
var libPath = "/usr/local/lib/softhsm/libsofthsm2.so"
if _, err := os.Stat(libPath); err != nil {
t.Skipf("Skipping test. Library path: %s does not exist", libPath)
}
p := pkcs11.New(libPath)
if p == nil {
t.Fatalf("Failed to init library")
}
if err := p.Initialize(); err != nil {
t.Fatalf("Initialize error %s\n", err.Error())
}
slots, err := p.GetSlotList(true)
if err != nil {
t.Fatalf("Failed to list HSM slots %s", err)
}
session, err := p.OpenSession(slots[0], pkcs11.CKF_SERIAL_SESSION|pkcs11.CKF_RW_SESSION)
if err != nil {
t.Fatalf("Failed to Start Session with HSM %s", err)
}
if err = p.Login(session, pkcs11.CKU_USER, "1234"); err != nil {
t.Fatalf("User PIN %s\n", err.Error())
}
return p, session
}
func setup(cryptoServices signer.CryptoServiceIndex) { func setup(cryptoServices signer.CryptoServiceIndex) {
server = httptest.NewServer(api.Handlers(cryptoServices)) server = httptest.NewServer(api.Handlers(cryptoServices))
deleteKeyBaseURL = fmt.Sprintf("%s/delete", server.URL) deleteKeyBaseURL = fmt.Sprintf("%s/delete", server.URL)

2
signer/api/rsa_hardware_crypto_service.go
View File

@ -1,3 +1,5 @@
// +build pkcs11
package api package api
import ( import (

2
signer/keys/keys.go
View File

@ -1,3 +1,5 @@
// +build pkcs11
package keys package keys
import ( import (