fixing integrations tests for new list keys layout

Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)

cmd/notary/integration_test.go

@@ -23,6 +23,7 @@ import (
 	"github.com/docker/notary/server"
 	"github.com/docker/notary/server/storage"
 	"github.com/docker/notary/trustmanager"
+	"github.com/docker/notary/tuf/data"
 	"github.com/spf13/cobra"
 	"github.com/stretchr/testify/assert"
 	"golang.org/x/net/context"
@@ -50,10 +51,7 @@ func setupServer() *httptest.Server {
 	ctx := context.WithValue(
 		context.Background(), "metaStore", storage.NewMemStorage())
 
-	// Do not pass one of the const KeyAlgorithms here as the value! Passing a
-	// string is in itself good test that we are handling it correctly as we
-	// will be receiving a string from the configuration.
-	ctx = context.WithValue(ctx, "keyAlgorithm", "ecdsa")
+	ctx = context.WithValue(ctx, "keyAlgorithm", data.ECDSAKey)
 
 	// Eat the logs instead of spewing them out
 	var b bytes.Buffer
@@ -181,19 +179,24 @@ func GetKeys(t *testing.T, tempDir string) ([]string, []string) {
 func assertNumKeys(t *testing.T, tempDir string, numRoot, numSigning int,
 	rootOnDisk bool) ([]string, []string) {
 
+	uniqueKeys := make(map[string]struct{})
 	root, signing := GetKeys(t, tempDir)
-	assert.Len(t, root, numRoot)
 	assert.Len(t, signing, numSigning)
-	for _, rootKeyID := range root {
+	for i, rootKeyLine := range root {
+		keyID := strings.Split(rootKeyLine, "-")[0]
+		keyID = strings.TrimSpace(keyID)
+		root[i] = keyID
+		uniqueKeys[keyID] = struct{}{}
 		_, err := os.Stat(filepath.Join(
-			tempDir, "private", "root_keys", rootKeyID+"_root.key"))
+			tempDir, "private", "root_keys", keyID+"_root.key"))
 		// os.IsExist checks to see if the error is because a file already
 		// exist, and hence doesn't actually the right funciton to use here
 		assert.Equal(t, rootOnDisk, !os.IsNotExist(err))
 
 		// this function is declared is in the build-tagged setup files
-		verifyRootKeyOnHardware(t, rootKeyID)
+		verifyRootKeyOnHardware(t, keyID)
 	}
+	assert.Len(t, uniqueKeys, numRoot)
 	return root, signing
 }
 
@@ -245,7 +248,7 @@ func TestClientKeyGenerationRotation(t *testing.T) {
 	assertNumKeys(t, tempDir, 0, 0, true)
 
 	// generate root key produces a single root key and no other keys
-	_, err = runCommand(t, tempDir, "key", "generate", "ecdsa")
+	_, err = runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
 	assert.NoError(t, err)
 	assertNumKeys(t, tempDir, 1, 0, true)
 
@@ -345,7 +348,7 @@ func TestClientKeyImportExportRootAndSigning(t *testing.T) {
 
 	_, err = runCommand(t, dirs[1], "key", "import", zipfile)
 	assert.NoError(t, err)
-	assertNumKeys(t, dirs[1], 1, 4, true) // all keys should be there
+	assertNumKeys(t, dirs[1], 1, 4, !rootOnHardware()) // all keys should be there
 
 	// can list and publish to both repos using imported keys
 	for _, gun := range []string{"gun1", "gun2"} {
@@ -383,7 +386,7 @@ func exportRoot(t *testing.T, exportTo string) string {
 	defer os.RemoveAll(tempDir)
 
 	// generate root key produces a single root key and no other keys
-	_, err = runCommand(t, tempDir, "key", "generate", "ecdsa")
+	_, err = runCommand(t, tempDir, "key", "generate", data.ECDSAKey)
 	assert.NoError(t, err)
 	oldRoot, _ := assertNumKeys(t, tempDir, 1, 0, true)
 
@@ -505,7 +508,6 @@ func TestClientCertInteraction(t *testing.T) {
 	_, err = runCommand(t, tempDir, "cert", "remove", certID, "-y", "-g", "")
 	assert.NoError(t, err)
 	assertNumCerts(t, tempDir, 0)
-
 }
 
 func TestMain(m *testing.M) {

cmd/notary/keys_nonpkcs11.go

@@ -3,6 +3,8 @@
 package main
 
 import (
+	"errors"
+
 	"github.com/docker/notary/passphrase"
 	"github.com/docker/notary/trustmanager"
 )

cmd/notary/keys_pkcs11.go

@@ -8,9 +8,5 @@ import (
 )
 
 func getYubiKeyStore(fileKeyStore trustmanager.KeyStore, ret passphrase.Retriever) (trustmanager.KeyStore, error) {
-	yubiStore, err := trustmanager.NewYubiKeyStore(fileKeyStore, ret)
-	if err != nil {
-		return nil, err
-	}
-	return yubiStore, nil
+	return trustmanager.NewYubiKeyStore(fileKeyStore, ret)
 }

cryptoservice/import_export.go

@@ -197,11 +197,20 @@ func (cs *CryptoService) ImportKeysZip(zipReader zip.Reader) error {
 		if keyName[len(keyName)-5:] == "_root" {
 			keyName = "root"
 		}
+		// try to import the key to all key stores. As long as one of them
+		// succeeds, consider it a success
+		var tmpErr error
 		for _, ks := range cs.keyStores {
 			if err := ks.ImportKey(pemBytes, keyName); err != nil {
-				return err
+				tmpErr = err
+			} else {
+				tmpErr = nil
+				break
 			}
 		}
+		if tmpErr != nil {
+			return tmpErr
+		}
 	}
 
 	return nil

trustmanager/x509utils.go

@@ -398,12 +398,12 @@ func ED25519ToPrivateKey(privKeyBytes []byte) (data.PrivateKey, error) {
 }
 
 func blockType(k data.PrivateKey) (string, error) {
-	switch k.(type) {
-	case *data.RSAPrivateKey:
+	switch k.Algorithm() {
+	case data.RSAKey, data.RSAx509Key:
 		return "RSA PRIVATE KEY", nil
-	case *data.ECDSAPrivateKey:
+	case data.ECDSAKey, data.ECDSAx509Key:
 		return "EC PRIVATE KEY", nil
-	case *data.ED25519PrivateKey:
+	case data.ED25519Key:
 		return "ED25519 PRIVATE KEY", nil
 	default:
 		return "", fmt.Errorf("algorithm %s not supported", k.Algorithm())

trustmanager/yubikeystore.go

@@ -707,13 +707,16 @@ func (s *YubiKeyStore) ExportKey(keyID string) ([]byte, error) {
 }
 
 // ImportKey imports a root key into a Yubikey
-func (s *YubiKeyStore) ImportKey(pemBytes []byte, keyID string) error {
-	logrus.Debugf("Attempting to import: %s key inside of YubiKeyStore", keyID)
+func (s *YubiKeyStore) ImportKey(pemBytes []byte, keyPath string) error {
+	logrus.Debugf("Attempting to import: %s key inside of YubiKeyStore", keyPath)
 	privKey, _, err := GetPasswdDecryptBytes(
 		s.passRetriever, pemBytes, "", "imported root")
 	if err != nil {
 		return err
 	}
+	if keyPath != data.CanonicalRootRole {
+		return fmt.Errorf("yubikey only supports storing root keys")
+	}
 	return s.addKey(privKey.ID(), "root", privKey, false)
 }
 

trustmanager/yubikeystore_test.go

@@ -129,7 +129,7 @@ func TestImportKey(t *testing.T) {
 	pemBytes, err := EncryptPrivateKey(privKey, "passphrase")
 	assert.NoError(t, err)
 
-	err = store.ImportKey(pemBytes, privKey.ID())
+	err = store.ImportKey(pemBytes, "root")
 	assert.NoError(t, err)
 
 	// key is not in backup store