From 89f250c25344aab24cea9ee7da28c1f4255f24b5 Mon Sep 17 00:00:00 2001
From: David Lawrence
Date: Mon, 11 Jan 2016 16:27:09 -0800
Subject: [PATCH] when doing getTransport readOnly needs to be false for a key rotation as write permissions are required to retrieve keys

Signed-off-by: David Lawrence (github: endophage)
---
 cmd/notary/keys.go | 2 +-
 cmd/notary/tuf.go | 7 +++++++
 2 files changed, 8 insertions(+), 1 deletion(-)

diff --git a/cmd/notary/keys.go b/cmd/notary/keys.go
index ddaf53cdb1..542d48db62 100644
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
@@ -371,7 +371,7 @@ func (k *keyCommander) keysRotate(cmd *cobra.Command, args []string) error {
 if k.rotateKeyServerManaged {
 // this does not actually push the changes, just creates the keys, but
 // it creates a key remotely so it needs a transport
- rt = getTransport(config, gun, true)
+ rt = getTransport(config, gun, false)
 }
 nRepo, err := notaryclient.NewNotaryRepository(
 config.GetString("trust_dir"), gun, getRemoteTrustServer(config),
diff --git a/cmd/notary/tuf.go b/cmd/notary/tuf.go
index eb6310035e..9bafb8c565 100644
--- a/cmd/notary/tuf.go
+++ b/cmd/notary/tuf.go
@@ -354,6 +354,13 @@ func (ps passwordStore) Basic(u *url.URL) (string, string) {
 return username, password
 }
 
+// getTransport returns an http.RoundTripper to be used for all http requests.
+// It correctly handles the auth challenge/credentials required to interact
+// with a notary server over both HTTP Basic Auth and the JWT auth implemented
+// in the notary-server
+// The readOnly flag indicates if the operation should be performed as an
+// anonymous read only operation. If the command entered requires write
+// permissions on the server, readOnly must be false
 func getTransport(config *viper.Viper, gun string, readOnly bool) http.RoundTripper {
 // Attempt to get a root CA from the config file. Nil is the host defaults.
 rootCAFile := config.GetString("remote_server.root_ca")
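Review bot: The bare `false` at the `getTransport(config, gun, false)` call site gives no hint of why the value changed, and the comment just above it still only says the operation "needs a transport", which is exactly what the old `true` also provided; a reader reverting to `true` would silently downgrade the request to the anonymous path described in tuf.go's new doc comment. Extend the comment to carry the reason: `// it creates a key remotely so it needs a transport that authenticates as the` / `// user (readOnly=false); an anonymous transport cannot create server-managed keys`. If the CLI has a test seam for the transport choice, a regression test pinning that server-managed rotation requests a non-readOnly transport would keep this from regressing, though I cannot see the existing tests from this hunk. keysRotate begins before this hunk and continues past it.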
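Review bot: Two sentences in the new getTransport doc comment are left unterminated — `// in the notary-server` and `// permissions on the server, readOnly must be false` — and Go doc comments are expected to be full sentences, so `in the notary-server.` and `readOnly must be false.` respectively, with a blank `//` line between the auth paragraph and the readOnly paragraph so godoc renders them separately. It would also help callers to state the failure mode the commit message implies: `// Passing readOnly=true for a mutating command makes the server reject the request, since no credentials are presented.` — worth confirming against the body, which continues outside this hunk. Consistent casing (`HTTP requests` rather than `http requests`) in the first line is a minor nit.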