When initializing a repo, create local keys before getting remote keys.
Signed-off-by: Ying Li <ying.li@docker.com>
This commit is contained in:
parent
d0e789740a
commit
a924ca172f
@ -192,26 +192,33 @@ func (r *NotaryRepository) Initialize(rootKeyID string, serverManagedRoles ...st
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
|
|
||||||
for role, isManaged := range rolesAreManaged {
|
// we want to create all the local keys first so we don't have to
|
||||||
var key data.PublicKey
|
// make unnecessary network calls
|
||||||
if isManaged {
|
for _, isManaged := range []bool{false, true} {
|
||||||
// This key is generated by the remote server.
|
for role, shouldBeManaged := range rolesAreManaged {
|
||||||
key, err = getRemoteKey(r.baseURL, r.gun, role, r.roundTrip)
|
if isManaged != shouldBeManaged {
|
||||||
|
continue
|
||||||
|
}
|
||||||
|
var key data.PublicKey
|
||||||
|
if isManaged {
|
||||||
|
// This key is generated by the remote server.
|
||||||
|
key, err = getRemoteKey(r.baseURL, r.gun, role, r.roundTrip)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
logrus.Debugf("got remote %s %s key with keyID: %s",
|
||||||
|
role, key.Algorithm(), key.ID())
|
||||||
|
} else {
|
||||||
|
// This is currently hardcoding the keys to ECDSA.
|
||||||
|
key, err = r.CryptoService.Create(role, data.ECDSAKey)
|
||||||
|
if err != nil {
|
||||||
|
return err
|
||||||
|
}
|
||||||
|
}
|
||||||
|
err = addKeyForRole(kdb, role, key)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return err
|
return err
|
||||||
}
|
}
|
||||||
logrus.Debugf("got remote %s %s key with keyID: %s",
|
|
||||||
role, key.Algorithm(), key.ID())
|
|
||||||
} else {
|
|
||||||
// This is currently hardcoding the keys to ECDSA.
|
|
||||||
key, err = r.CryptoService.Create(role, data.ECDSAKey)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
|
||||||
err = addKeyForRole(kdb, role, key)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
||||||
|
|
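Review bot: Nothing in the hunk rolls back the keys made in the first pass when the second pass fails: after `for _, isManaged := range []bool{false, true} {` every non-managed role goes through `key, err = r.CryptoService.Create(role, data.ECDSAKey)` before any server-managed role reaches `key, err = getRemoteKey(r.baseURL, r.gun, role, r.roundTrip)`, and a `return err` from that call leaves the already-created role keys in place. If CryptoService.Create persists private keys to the key store (not visible here), a failed Initialize now deterministically leaves freshly generated role keys on disk for a repository that was never set up, where the old map-ordered loop only did so sometimes. Either delete the keys created in the first pass on a remote failure, or document the behaviour above the outer loop, e.g. `// NOTE: local keys created in the first pass are not removed if fetching a server-managed key fails.` Initialize's signature is above the hunk and its body continues past it.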
@ -784,7 +784,6 @@ func testPublish(t *testing.T, rootType string, serverManagesSnapshot bool) {
|
||||||
// Temporary directory where test files will be created
|
// Temporary directory where test files will be created
|
||||||
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
|
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
|
||||||
defer os.RemoveAll(tempBaseDir)
|
defer os.RemoveAll(tempBaseDir)
|
||||||
|
|
||||||
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
|
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
|
||||||
|
|
||||||
gun := "docker.com/notary"
|
gun := "docker.com/notary"
|
||||||
|
|
@ -855,7 +854,6 @@ func testPublishAfterPullServerHasSnapshotKey(t *testing.T, rootType string) {
|
||||||
// Temporary directory where test files will be created
|
// Temporary directory where test files will be created
|
||||||
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
|
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
|
||||||
defer os.RemoveAll(tempBaseDir)
|
defer os.RemoveAll(tempBaseDir)
|
||||||
|
|
||||||
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
|
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
|
||||||
|
|
||||||
gun := "docker.com/notary"
|
gun := "docker.com/notary"
|
||||||
|
|
@ -904,7 +902,6 @@ func testPublishNoOneHasSnapshotKey(t *testing.T, rootType string) {
|
||||||
// Temporary directory where test files will be created
|
// Temporary directory where test files will be created
|
||||||
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
|
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
|
||||||
defer os.RemoveAll(tempBaseDir)
|
defer os.RemoveAll(tempBaseDir)
|
||||||
|
|
||||||
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
|
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
|
||||||
|
|
||||||
gun := "docker.com/notary"
|
gun := "docker.com/notary"
|
||||||
|
|
@ -932,17 +929,12 @@ func testPublishNoOneHasSnapshotKey(t *testing.T, rootType string) {
|
||||||
func TestPublishSnapshotCorrupt(t *testing.T) {
|
func TestPublishSnapshotCorrupt(t *testing.T) {
|
||||||
testPublishSnapshotCorrupt(t, data.ECDSAKey, true)
|
testPublishSnapshotCorrupt(t, data.ECDSAKey, true)
|
||||||
testPublishSnapshotCorrupt(t, data.ECDSAKey, false)
|
testPublishSnapshotCorrupt(t, data.ECDSAKey, false)
|
||||||
if !testing.Short() {
|
|
||||||
testPublishSnapshotCorrupt(t, data.RSAKey, true)
|
|
||||||
testPublishSnapshotCorrupt(t, data.RSAKey, false)
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
|
|
||||||
func testPublishSnapshotCorrupt(t *testing.T, rootType string, serverManagesSnapshot bool) {
|
func testPublishSnapshotCorrupt(t *testing.T, rootType string, serverManagesSnapshot bool) {
|
||||||
// Temporary directory where test files will be created
|
// Temporary directory where test files will be created
|
||||||
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
|
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
|
||||||
defer os.RemoveAll(tempBaseDir)
|
defer os.RemoveAll(tempBaseDir)
|
||||||
|
|
||||||
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
|
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
|
||||||
|
|
||||||
gun := "docker.com/notary"
|
gun := "docker.com/notary"
|
||||||
|
|
@ -958,6 +950,46 @@ func testPublishSnapshotCorrupt(t *testing.T, rootType string, serverManagesSnap
|
||||||
assert.Error(t, err)
|
assert.Error(t, err)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type cannotCreateKeys struct {
|
||||||
|
signed.CryptoService
|
||||||
|
}
|
||||||
|
|
||||||
|
func (cs cannotCreateKeys) Create(_, _ string) (data.PublicKey, error) {
|
||||||
|
return nil, fmt.Errorf("Oh no I cannot create keys")
|
||||||
|
}
|
||||||
|
|
||||||
|
// If there is an error creating the local keys, no call is made to get a
|
||||||
|
// remote key.
|
||||||
|
func TestPublishSnapshotLocalKeysCreatedFirst(t *testing.T) {
|
||||||
|
// Temporary directory where test files will be created
|
||||||
|
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
|
||||||
|
defer os.RemoveAll(tempBaseDir)
|
||||||
|
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
|
||||||
|
gun := "docker.com/notary"
|
||||||
|
|
||||||
|
requestMade := false
|
||||||
|
ts := httptest.NewServer(http.HandlerFunc(
|
||||||
|
func(http.ResponseWriter, *http.Request) { requestMade = true }))
|
||||||
|
defer ts.Close()
|
||||||
|
|
||||||
|
repo, err := NewNotaryRepository(
|
||||||
|
tempBaseDir, gun, ts.URL, http.DefaultTransport, passphraseRetriever)
|
||||||
|
assert.NoError(t, err, "error creating repo: %s", err)
|
||||||
|
|
||||||
|
cs := cryptoservice.NewCryptoService(gun,
|
||||||
|
trustmanager.NewKeyMemoryStore(passphraseRetriever))
|
||||||
|
|
||||||
|
rootPubKey, err := cs.Create(data.CanonicalRootRole, data.ECDSAKey)
|
||||||
|
assert.NoError(t, err, "error generating root key: %s", err)
|
||||||
|
|
||||||
|
repo.CryptoService = cannotCreateKeys{CryptoService: cs}
|
||||||
|
|
||||||
|
err = repo.Initialize(rootPubKey.ID(), data.CanonicalSnapshotRole)
|
||||||
|
assert.Error(t, err)
|
||||||
|
assert.Contains(t, err.Error(), "Oh no I cannot create keys")
|
||||||
|
assert.False(t, requestMade)
|
||||||
|
}
|
||||||
|
|
||||||
func TestRotate(t *testing.T) {
|
func TestRotate(t *testing.T) {
|
||||||
// Temporary directory where test files will be created
|
// Temporary directory where test files will be created
|
||||||
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
|
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
|
||||||
|
|
|
||||||
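Review bot: The hunk at `@ -932,17 +929,12` silently drops the RSA variants of testPublishSnapshotCorrupt — the `if !testing.Short() {` block calling `testPublishSnapshotCorrupt(t, data.RSAKey, true)` and `testPublishSnapshotCorrupt(t, data.RSAKey, false)` — leaving that test ECDSA-only, which the commit message does not mention. If the intent was speed, the `testing.Short()` guard already covered it, so either restore the two calls or state the reason for removing them. Separately, in TestPublishSnapshotLocalKeysCreatedFirst the `requestMade` flag is written from the httptest handler goroutine and read by the test goroutine with no synchronization; an `atomic.Int32`/`sync/atomic` flag or a mutex would keep the test clean under `-race` in the failure case where a request is actually made.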