From f2ec72b5b6e615f59cead320a91f0cba17b52c8b Mon Sep 17 00:00:00 2001 From: David Lawrence Date: Tue, 22 Dec 2015 03:00:26 -0800 Subject: [PATCH] aliases removed from file names Signed-off-by: David Lawrence (github: endophage) --- cmd/notary/integration_test.go | 2 +- cryptoservice/import_export_test.go | 16 +++---- trustmanager/keyfilestore.go | 71 +++++++++++++++++++---------- trustmanager/keyfilestore_test.go | 9 ++-- 4 files changed, 59 insertions(+), 39 deletions(-) diff --git a/cmd/notary/integration_test.go b/cmd/notary/integration_test.go index aaefadeb6d..9392cd1c92 100644 --- a/cmd/notary/integration_test.go +++ b/cmd/notary/integration_test.go @@ -223,7 +223,7 @@ func assertNumKeys(t *testing.T, tempDir string, numRoot, numSigning int, assert.Len(t, signing, numSigning) for _, rootKeyID := range root { _, err := os.Stat(filepath.Join( - tempDir, "private", "root_keys", rootKeyID+"_root.key")) + tempDir, "private", "root_keys", rootKeyID+".key")) // os.IsExist checks to see if the error is because a file already // exist, and hence doesn't actually the right funciton to use here assert.Equal(t, rootOnDisk, !os.IsNotExist(err)) diff --git a/cryptoservice/import_export_test.go b/cryptoservice/import_export_test.go index 5b4399b5cc..98ab514d00 100644 --- a/cryptoservice/import_export_test.go +++ b/cryptoservice/import_export_test.go @@ -80,13 +80,13 @@ func TestImportExportZip(t *testing.T) { if alias == "root" { continue } - relKeyPath := filepath.Join("tuf_keys", privKeyName+"_"+alias+".key") + relKeyPath := filepath.Join("tuf_keys", privKeyName+".key") passphraseByFile[relKeyPath] = exportPassphrase } // Add root key to the map. This will use the export passphrase because it // will be reencrypted. - relRootKey := filepath.Join("root_keys", rootKeyID+"_root.key") + relRootKey := filepath.Join("root_keys", rootKeyID+".key") passphraseByFile[relRootKey] = exportPassphrase // Iterate through the files in the archive, checking that the files @@ -145,7 +145,7 @@ func TestImportExportZip(t *testing.T) { if alias == "root" { continue } - relKeyPath := filepath.Join("tuf_keys", privKeyName+"_"+alias+".key") + relKeyPath := filepath.Join("tuf_keys", privKeyName+".key") privKeyFileName := filepath.Join(tempBaseDir2, "private", relKeyPath) _, err = os.Stat(privKeyFileName) assert.NoError(t, err, "missing private key for role %s: %s", alias, privKeyName) @@ -154,7 +154,7 @@ func TestImportExportZip(t *testing.T) { // Look for keys in root_keys // There should be a file named after the key ID of the root key we // passed in. - rootKeyFilename := rootKeyID + "_root.key" + rootKeyFilename := rootKeyID + ".key" _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename)) assert.NoError(t, err, "missing root key") } @@ -205,7 +205,7 @@ func TestImportExportGUN(t *testing.T) { if alias == "root" { continue } - relKeyPath := filepath.Join("tuf_keys", privKeyName+"_"+alias+".key") + relKeyPath := filepath.Join("tuf_keys", privKeyName+".key") passphraseByFile[relKeyPath] = exportPassphrase } @@ -270,7 +270,7 @@ func TestImportExportGUN(t *testing.T) { if alias == "root" { continue } - relKeyPath := filepath.Join("tuf_keys", privKeyName+"_"+alias+".key") + relKeyPath := filepath.Join("tuf_keys", privKeyName+".key") privKeyFileName := filepath.Join(tempBaseDir2, "private", relKeyPath) _, err = os.Stat(privKeyFileName) assert.NoError(t, err) @@ -318,7 +318,7 @@ func TestImportExportRootKey(t *testing.T) { // Look for repo's root key in repo2 // There should be a file named after the key ID of the root key we // imported. - rootKeyFilename := rootKeyID + "_root.key" + rootKeyFilename := rootKeyID + ".key" _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename)) assert.NoError(t, err, "missing root key") @@ -386,7 +386,7 @@ func TestImportExportRootKeyReencrypt(t *testing.T) { // Look for repo's root key in repo2 // There should be a file named after the key ID of the root key we // imported. - rootKeyFilename := rootKeyID + "_root.key" + rootKeyFilename := rootKeyID + ".key" _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename)) assert.NoError(t, err, "missing root key") diff --git a/trustmanager/keyfilestore.go b/trustmanager/keyfilestore.go index bd9612a472..1eb6556c6d 100644 --- a/trustmanager/keyfilestore.go +++ b/trustmanager/keyfilestore.go @@ -1,11 +1,13 @@ package trustmanager import ( + "encoding/pem" "fmt" "path/filepath" "strings" "sync" + "github.com/Sirupsen/logrus" "github.com/docker/notary/passphrase" "github.com/docker/notary/tuf/data" ) @@ -179,14 +181,23 @@ func addKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached } func getKeyAlias(s LimitedFileStore, keyID string) (string, error) { - files := s.ListFiles() - name := strings.TrimSpace(strings.TrimSuffix(filepath.Base(keyID), filepath.Ext(keyID))) - for _, file := range files { + for _, file := range s.ListFiles() { filename := filepath.Base(file) if strings.HasPrefix(filename, name) { + d, err := s.Get(file) + if err != nil { + return "", err + } + block, _ := pem.Decode(d) + if block != nil { + if role, ok := block.Headers["role"]; ok { + return role, nil + } + } + aliasPlusDotKey := strings.TrimPrefix(filename, name+"_") retVal := strings.TrimSuffix(aliasPlusDotKey, "."+keyExtension) return retVal, nil @@ -208,14 +219,13 @@ func getKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached return nil, "", err } - var retErr error // See if the key is encrypted. If its encrypted we'll fail to parse the private key privKey, err := ParsePEMPrivateKey(keyBytes, "") if err != nil { - privKey, _, retErr = GetPasswdDecryptBytes(passphraseRetriever, keyBytes, name, string(keyAlias)) - } - if retErr != nil { - return nil, "", retErr + privKey, _, err = GetPasswdDecryptBytes(passphraseRetriever, keyBytes, name, string(keyAlias)) + if err != nil { + return nil, "", err + } } cachedKeys[name] = &cachedKey{alias: keyAlias, key: privKey} return privKey, keyAlias, nil @@ -228,26 +238,39 @@ func listKeys(s LimitedFileStore) map[string]string { for _, f := range s.ListFiles() { // Remove the prefix of the directory from the filename - if f[:len(rootKeysSubdir)] == rootKeysSubdir { - f = strings.TrimPrefix(f, rootKeysSubdir+"/") + var keyIDFull string + if strings.HasPrefix(f, rootKeysSubdir+"/") { + keyIDFull = strings.TrimPrefix(f, rootKeysSubdir+"/") } else { - f = strings.TrimPrefix(f, nonRootKeysSubdir+"/") + keyIDFull = strings.TrimPrefix(f, nonRootKeysSubdir+"/") } - keyIDFull := strings.TrimSpace(f) + keyIDFull = strings.TrimSpace(keyIDFull) // If the key does not have a _, it is malformed underscoreIndex := strings.LastIndex(keyIDFull, "_") if underscoreIndex == -1 { - continue + keyID := keyIDFull + d, err := s.Get(f) + if err != nil { + logrus.Error(err) + continue + } + block, _ := pem.Decode(d) + if block == nil { + continue + } + if role, ok := block.Headers["role"]; ok { + keyIDMap[keyID] = role + } + } else { + // The keyID is the first part of the keyname + // The KeyAlias is the second part of the keyname + // in a key named abcde_root, abcde is the keyID and root is the KeyAlias + keyID := keyIDFull[:underscoreIndex] + keyAlias := keyIDFull[underscoreIndex+1:] + keyIDMap[keyID] = keyAlias } - - // The keyID is the first part of the keyname - // The KeyAlias is the second part of the keyname - // in a key named abcde_root, abcde is the keyID and root is the KeyAlias - keyID := keyIDFull[:underscoreIndex] - keyAlias := keyIDFull[underscoreIndex+1:] - keyIDMap[keyID] = keyAlias } return keyIDMap } @@ -262,8 +285,7 @@ func removeKey(s LimitedFileStore, cachedKeys map[string]*cachedKey, name string delete(cachedKeys, name) // being in a subdirectory is for backwards compatibliity - filename := name + "_" + keyAlias - err = s.Remove(filepath.Join(getSubdir(keyAlias), filename)) + err = s.Remove(filepath.Join(getSubdir(keyAlias), name)) if err != nil { return err } @@ -286,9 +308,8 @@ func getRawKey(s LimitedFileStore, name string) ([]byte, string, error) { return nil, "", err } - filename := name + "_" + keyAlias var keyBytes []byte - keyBytes, err = s.Get(filepath.Join(getSubdir(keyAlias), filename)) + keyBytes, err = s.Get(filepath.Join(getSubdir(keyAlias), name)) if err != nil { return nil, "", err } @@ -351,7 +372,7 @@ func encryptAndAddKey(s LimitedFileStore, passwd string, cachedKeys map[string]* } cachedKeys[name] = &cachedKey{alias: role, key: privKey} - return s.Add(filepath.Join(getSubdir(role), name+"_"+role), pemPrivKey) + return s.Add(filepath.Join(getSubdir(role), name), pemPrivKey) } func importKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, alias string, pemBytes []byte) error { diff --git a/trustmanager/keyfilestore_test.go b/trustmanager/keyfilestore_test.go index 87cf24dad3..fad34f3087 100644 --- a/trustmanager/keyfilestore_test.go +++ b/trustmanager/keyfilestore_test.go @@ -26,7 +26,6 @@ var passphraseRetriever = func(keyID string, alias string, createNew bool, numAt func TestAddKey(t *testing.T) { testName := "docker.com/notary/root" testExt := "key" - testAlias := "root" // Temporary directory where test files will be created tempBaseDir, err := ioutil.TempDir("", "notary-test-") @@ -34,7 +33,7 @@ func TestAddKey(t *testing.T) { defer os.RemoveAll(tempBaseDir) // Since we're generating this manually we need to add the extension '.' - expectedFilePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, testName+"_"+testAlias+"."+testExt) + expectedFilePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, testName+"."+testExt) // Create our store store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever) @@ -97,7 +96,7 @@ EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0= defer os.RemoveAll(tempBaseDir) // Since we're generating this manually we need to add the extension '.' - filePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, testName+"_"+testAlias+"."+testExt) + filePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, testName+"."+testExt) os.MkdirAll(filepath.Dir(filePath), perms) err = ioutil.WriteFile(filePath, testData, perms) @@ -215,7 +214,7 @@ func TestGetDecryptedWithTamperedCipherText(t *testing.T) { assert.NoError(t, err, "failed to add key to store") // Since we're generating this manually we need to add the extension '.' - expectedFilePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, privKey.ID()+"_"+testAlias+"."+testExt) + expectedFilePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, privKey.ID()+"."+testExt) // Get file description, open file fp, err := os.OpenFile(expectedFilePath, os.O_WRONLY, 0600) @@ -322,7 +321,7 @@ func TestRemoveKey(t *testing.T) { defer os.RemoveAll(tempBaseDir) // Since we're generating this manually we need to add the extension '.' - expectedFilePath := filepath.Join(tempBaseDir, privDir, nonRootKeysSubdir, testName+"_"+testAlias+"."+testExt) + expectedFilePath := filepath.Join(tempBaseDir, privDir, nonRootKeysSubdir, testName+"."+testExt) // Create our store store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)