Merge pull request #147 from docker/import-export-cli

Import export cli
2015-07-28 15:26:17 -07:00 · 2015-07-28 15:26:17 -07:00 · e0e574f9ff
parent 659dd2a047 c3cf6c4083
commit e0e574f9ff
4 changed files with 310 additions and 12 deletions
--- a/cmd/notary/keys.go
+++ b/cmd/notary/keys.go
@ -1,6 +1,7 @@
 package main

 import (
+	"archive/zip"
 	"crypto/x509"
 	"fmt"
 	"math"
@ -10,37 +11,84 @@ import (
 	"time"

 	"github.com/docker/notary/keystoremanager"
+	"github.com/docker/notary/pkg/passphrase"
 	"github.com/docker/notary/trustmanager"

 	"github.com/spf13/cobra"
 )

 func init() {
-	cmdKeys.AddCommand(cmdKeysRemoveRootKey)
-	cmdKeys.AddCommand(cmdKeysGenerateRootKey)
+	cmdKey.AddCommand(cmdKeyList)
+	cmdKey.AddCommand(cmdKeyRemoveRootKey)
+	cmdKey.AddCommand(cmdKeyGenerateRootKey)
+
+	cmdKeyExport.Flags().StringVarP(&keysExportGUN, "gun", "g", "", "Globally unique name to export keys for.")
+	cmdKey.AddCommand(cmdKeyExport)
+	cmdKey.AddCommand(cmdKeyExportRoot)
+	cmdKeyExportRoot.Flags().BoolVarP(&keysExportRootChangePassphrase, "change-passphrase", "c", false, "set a new passphrase for the key being exported")
+	cmdKey.AddCommand(cmdKeyImport)
+	cmdKey.AddCommand(cmdKeyImportRoot)
 }

-var cmdKeys = &cobra.Command{
-	Use:   "keys",
-	Short: "Operates on root keys.",
-	Long:  "operations on private root keys.",
+var cmdKey = &cobra.Command{
+	Use:   "key",
+	Short: "Operates on keys.",
+	Long:  "operations on private keys.",
+}
+
+var cmdKeyList = &cobra.Command{
+	Use:   "list",
+	Short: "Lists keys.",
+	Long:  "lists keys known to notary.",
 	Run:   keysList,
 }

-var cmdKeysRemoveRootKey = &cobra.Command{
+var cmdKeyRemoveRootKey = &cobra.Command{
 	Use:   "remove [ keyID ]",
 	Short: "Removes the root key with the given keyID.",
 	Long:  "remove the root key with the given keyID from the local host.",
 	Run:   keysRemoveRootKey,
 }

-var cmdKeysGenerateRootKey = &cobra.Command{
+var cmdKeyGenerateRootKey = &cobra.Command{
 	Use:   "generate [ algorithm ]",
 	Short: "Generates a new root key with a given algorithm.",
 	Long:  "generates a new root key with a given algorithm.",
 	Run:   keysGenerateRootKey,
 }

+var keysExportGUN string
+
+var cmdKeyExport = &cobra.Command{
+	Use:   "export [ filename ]",
+	Short: "Exports keys to a ZIP file.",
+	Long:  "exports a collection of keys. The keys are reencrypted with a new passphrase. The output is a ZIP file.",
+	Run:   keysExport,
+}
+
+var keysExportRootChangePassphrase bool
+
+var cmdKeyExportRoot = &cobra.Command{
+	Use:   "export-root [ keyID ] [ filename ]",
+	Short: "Exports given root key to a file.",
+	Long:  "exports a root key, without reencrypting. The output is a PEM file.",
+	Run:   keysExportRoot,
+}
+
+var cmdKeyImport = &cobra.Command{
+	Use:   "import [ filename ]",
+	Short: "Imports keys from a ZIP file.",
+	Long:  "imports one or more keys from a ZIP file.",
+	Run:   keysImport,
+}
+
+var cmdKeyImportRoot = &cobra.Command{
+	Use:   "import-root [ keyID ] [ filename ]",
+	Short: "Imports root key.",
+	Long:  "imports a root key from a PEM file.",
+	Run:   keysImportRoot,
+}
+
 // keysRemoveRootKey deletes a root private key based on ID
 func keysRemoveRootKey(cmd *cobra.Command, args []string) {
 	if len(args) < 1 {
@ -141,6 +189,147 @@ func keysGenerateRootKey(cmd *cobra.Command, args []string) {
 	fmt.Printf("Generated new %s key with keyID: %s\n", algorithm, keyID)
 }

+// keysExport exports a collection of keys to a ZIP file
+func keysExport(cmd *cobra.Command, args []string) {
+	if len(args) < 1 {
+		cmd.Usage()
+		fatalf("must specify output filename for export")
+	}
+
+	exportFilename := args[0]
+
+	parseConfig()
+
+	keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
+	if err != nil {
+		fatalf("failed to create a new truststore manager with directory: %s", trustDir)
+	}
+
+	exportFile, err := os.Create(exportFilename)
+	if err != nil {
+		fatalf("error creating output file: %v", err)
+	}
+
+	// Must use a different passphrase retriever to avoid caching the
+	// unlocking passphrase and reusing that.
+	exportRetriever := passphrase.PromptRetriever()
+	if keysExportGUN != "" {
+		err = keyStoreManager.ExportKeysByGUN(exportFile, keysExportGUN, exportRetriever)
+	} else {
+		err = keyStoreManager.ExportAllKeys(exportFile, exportRetriever)
+	}
+
+	exportFile.Close()
+
+	if err != nil {
+		fatalf("error exporting keys: %v", err)
+		os.Remove(exportFilename)
+	}
+}
+
+// keysExportRoot exports a root key by ID to a PEM file
+func keysExportRoot(cmd *cobra.Command, args []string) {
+	if len(args) < 2 {
+		cmd.Usage()
+		fatalf("must specify key ID and output filename for export")
+	}
+
+	keyID := args[0]
+	exportFilename := args[1]
+
+	if len(keyID) != 64 {
+		fatalf("please specify a valid root key ID")
+	}
+
+	parseConfig()
+
+	keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
+	if err != nil {
+		fatalf("failed to create a new truststore manager with directory: %s", trustDir)
+	}
+
+	exportFile, err := os.Create(exportFilename)
+	if err != nil {
+		fatalf("error creating output file: %v", err)
+	}
+	if keysExportRootChangePassphrase {
+		// Must use a different passphrase retriever to avoid caching the
+		// unlocking passphrase and reusing that.
+		exportRetriever := passphrase.PromptRetriever()
+		err = keyStoreManager.ExportRootKeyReencrypt(exportFile, keyID, exportRetriever)
+	} else {
+		err = keyStoreManager.ExportRootKey(exportFile, keyID)
+	}
+	exportFile.Close()
+	if err != nil {
+		fatalf("error exporting root key: %v", err)
+		os.Remove(exportFilename)
+	}
+}
+
+// keysImport imports keys from a ZIP file
+func keysImport(cmd *cobra.Command, args []string) {
+	if len(args) < 1 {
+		cmd.Usage()
+		fatalf("must specify input filename for import")
+	}
+
+	importFilename := args[0]
+
+	parseConfig()
+
+	keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
+	if err != nil {
+		fatalf("failed to create a new truststore manager with directory: %s", trustDir)
+	}
+
+	zipReader, err := zip.OpenReader(importFilename)
+	if err != nil {
+		fatalf("opening file for import: %v", err)
+	}
+	defer zipReader.Close()
+
+	err = keyStoreManager.ImportKeysZip(zipReader.Reader)
+
+	if err != nil {
+		fatalf("error importing keys: %v", err)
+	}
+}
+
+// keysImportRoot imports a root key from a PEM file
+func keysImportRoot(cmd *cobra.Command, args []string) {
+	if len(args) < 2 {
+		cmd.Usage()
+		fatalf("must specify key ID and input filename for import")
+	}
+
+	keyID := args[0]
+	importFilename := args[1]
+
+	if len(keyID) != 64 {
+		fatalf("please specify a valid root key ID")
+	}
+
+	parseConfig()
+
+	keyStoreManager, err := keystoremanager.NewKeyStoreManager(trustDir, retriever)
+	if err != nil {
+		fatalf("failed to create a new truststore manager with directory: %s", trustDir)
+	}
+
+	importFile, err := os.Open(importFilename)
+	if err != nil {
+		fatalf("opening file for import: %v", err)
+	}
+	defer importFile.Close()
+
+	err = keyStoreManager.ImportRootKey(importFile, keyID)
+
+	if err != nil {
+		fatalf("error importing root key: %v", err)
+	}
+}
+
 func printCert(cert *x509.Certificate) {
 	timeDifference := cert.NotAfter.Sub(time.Now())
 	certID, err := trustmanager.FingerprintCert(cert)
--- a/cmd/notary/main.go
+++ b/cmd/notary/main.go
@ -78,7 +78,7 @@ func main() {
 	NotaryCmd.PersistentFlags().StringVarP(&trustDir, "trustdir", "d", "", "directory where the trust data is persisted to")
 	NotaryCmd.PersistentFlags().BoolVarP(&verbose, "verbose", "v", false, "verbose output")

-	NotaryCmd.AddCommand(cmdKeys)
+	NotaryCmd.AddCommand(cmdKey)
 	NotaryCmd.AddCommand(cmdTufInit)
 	cmdTufInit.Flags().StringVarP(&remoteTrustServer, "server", "s", defaultServerURL, "Remote trust server location")
 	NotaryCmd.AddCommand(cmdTufList)
--- a/keystoremanager/import_export.go
+++ b/keystoremanager/import_export.go
@ -42,6 +42,39 @@ func (km *KeyStoreManager) ExportRootKey(dest io.Writer, keyID string) error {
 	return err
 }

+// ExportRootKeyReencrypt exports the specified root key to an io.Writer in
+// PEM format. The key is reencrypted with a new passphrase.
+func (km *KeyStoreManager) ExportRootKeyReencrypt(dest io.Writer, keyID string, newPassphraseRetriever passphrase.Retriever) error {
+	privateKey, alias, err := km.rootKeyStore.GetKey(keyID)
+	if err != nil {
+		return err
+	}
+
+	// Create temporary keystore to use as a staging area
+	tempBaseDir, err := ioutil.TempDir("", "notary-key-export-")
+	defer os.RemoveAll(tempBaseDir)
+
+	privRootKeysSubdir := filepath.Join(privDir, rootKeysSubdir)
+	tempRootKeysPath := filepath.Join(tempBaseDir, privRootKeysSubdir)
+	tempRootKeyStore, err := trustmanager.NewKeyFileStore(tempRootKeysPath, newPassphraseRetriever)
+	if err != nil {
+		return err
+	}
+
+	err = tempRootKeyStore.AddKey(keyID, alias, privateKey)
+	if err != nil {
+		return err
+	}
+
+	pemBytes, err := tempRootKeyStore.Get(keyID + "_" + alias)
+	if err != nil {
+		return err
+	}
+
+	_, err = dest.Write(pemBytes)
+	return err
+}
+
 // checkRootKeyIsEncrypted makes sure the root key is encrypted. We have
 // internal assumptions that depend on this.
 func checkRootKeyIsEncrypted(pemBytes []byte) error {
@ -81,12 +114,12 @@ func (km *KeyStoreManager) ImportRootKey(source io.Reader, keyID string) error {
 func moveKeys(oldKeyStore, newKeyStore *trustmanager.KeyFileStore) error {
 	// List all files but no symlinks
 	for _, f := range oldKeyStore.ListKeys() {
-		pemBytes, alias, err := oldKeyStore.GetKey(f)
+		privateKey, alias, err := oldKeyStore.GetKey(f)
 		if err != nil {
 			return err
 		}

-		err = newKeyStore.AddKey(f, alias, pemBytes)
+		err = newKeyStore.AddKey(f, alias, privateKey)

 		if err != nil {
 			return err
--- a/keystoremanager/import_export_test.go
+++ b/keystoremanager/import_export_test.go
@ -350,7 +350,6 @@ func TestImportExportRootKey(t *testing.T) {
 	err = repo2.Initialize(rootCryptoService2)
 	assert.NoError(t, err, "error creating repository: %s", err)

-	// Check the contents of the zip file
 	keyReader, err := os.Open(tempKeyFilePath)
 	assert.NoError(t, err, "could not open key file")

@ -380,4 +379,81 @@ func TestImportExportRootKey(t *testing.T) {
 	// Try to import garbage and make sure it doesn't succeed
 	err = repo2.KeyStoreManager.ImportRootKey(strings.NewReader("this is not PEM"), rootKeyID)
 	assert.EqualError(t, err, keystoremanager.ErrNoValidPrivateKey.Error())
+
+	// Should be able to unlock the root key with the old password
+	key, alias, err := repo2.KeyStoreManager.RootKeyStore().GetKey(rootKeyID)
+	assert.NoError(t, err, "could not unlock root key")
+	assert.Equal(t, "root", alias)
+	assert.Equal(t, rootKeyID, key.ID())
+}
+
+func TestImportExportRootKeyReencrypt(t *testing.T) {
+	gun := "docker.com/notary"
+
+	// Temporary directory where test files will be created
+	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
+	defer os.RemoveAll(tempBaseDir)
+
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	ts, _ := createTestServer(t)
+	defer ts.Close()
+
+	repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
+	assert.NoError(t, err, "error creating repo: %s", err)
+
+	rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey.String())
+	assert.NoError(t, err, "error generating root key: %s", err)
+
+	rootCryptoService, err := repo.KeyStoreManager.GetRootCryptoService(rootKeyID)
+	assert.NoError(t, err, "error retrieving root key: %s", err)
+
+	err = repo.Initialize(rootCryptoService)
+	assert.NoError(t, err, "error creating repository: %s", err)
+
+	tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
+	tempKeyFilePath := tempKeyFile.Name()
+	defer os.Remove(tempKeyFilePath)
+
+	err = repo.KeyStoreManager.ExportRootKeyReencrypt(tempKeyFile, rootKeyID, newPassphraseRetriever)
+	assert.NoError(t, err)
+	tempKeyFile.Close()
+
+	// Create new repo to test import
+	tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
+	defer os.RemoveAll(tempBaseDir2)
+
+	assert.NoError(t, err, "failed to create a temporary directory: %s", err)
+
+	repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, newPassphraseRetriever)
+	assert.NoError(t, err, "error creating repo: %s", err)
+
+	rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey.String())
+	assert.NoError(t, err, "error generating root key: %s", err)
+
+	rootCryptoService2, err := repo2.KeyStoreManager.GetRootCryptoService(rootKeyID2)
+	assert.NoError(t, err, "error retrieving root key: %s", err)
+
+	err = repo2.Initialize(rootCryptoService2)
+	assert.NoError(t, err, "error creating repository: %s", err)
+
+	keyReader, err := os.Open(tempKeyFilePath)
+	assert.NoError(t, err, "could not open key file")
+
+	err = repo2.KeyStoreManager.ImportRootKey(keyReader, rootKeyID)
+	assert.NoError(t, err)
+	keyReader.Close()
+
+	// Look for repo's root key in repo2
+	// There should be a file named after the key ID of the root key we
+	// imported.
+	rootKeyFilename := rootKeyID + "_root.key"
+	_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
+	assert.NoError(t, err, "missing root key")
+
+	// Should be able to unlock the root key with the new password
+	key, alias, err := repo2.KeyStoreManager.RootKeyStore().GetKey(rootKeyID)
+	assert.NoError(t, err, "could not unlock root key")
+	assert.Equal(t, "root", alias)
+	assert.Equal(t, rootKeyID, key.ID())
 }