docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

aliases removed from file names 

Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
This commit is contained in:
David Lawrence 2015-12-22 03:00:26 -08:00 committed by Ying Li
parent 6d5b8ff54a
commit f2ec72b5b6
4 changed files with 59 additions and 39 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
cmd/notary/integration_test.go
View File

@ -223,7 +223,7 @@ func assertNumKeys(t *testing.T, tempDir string, numRoot, numSigning int,
assert.Len(t, signing, numSigning) assert.Len(t, signing, numSigning)
for _, rootKeyID := range root { for _, rootKeyID := range root {
_, err := os.Stat(filepath.Join( _, err := os.Stat(filepath.Join(
tempDir, "private", "root_keys", rootKeyID+"_root.key")) tempDir, "private", "root_keys", rootKeyID+".key"))
// os.IsExist checks to see if the error is because a file already // os.IsExist checks to see if the error is because a file already
// exist, and hence doesn't actually the right funciton to use here // exist, and hence doesn't actually the right funciton to use here
assert.Equal(t, rootOnDisk, !os.IsNotExist(err)) assert.Equal(t, rootOnDisk, !os.IsNotExist(err))

16
cryptoservice/import_export_test.go
View File

@ -80,13 +80,13 @@ func TestImportExportZip(t *testing.T) {
if alias == "root" { if alias == "root" {
continue continue
} }
relKeyPath := filepath.Join("tuf_keys", privKeyName+"_"+alias+".key") relKeyPath := filepath.Join("tuf_keys", privKeyName+".key")
passphraseByFile[relKeyPath] = exportPassphrase passphraseByFile[relKeyPath] = exportPassphrase
} }
// Add root key to the map. This will use the export passphrase because it // Add root key to the map. This will use the export passphrase because it
// will be reencrypted. // will be reencrypted.
relRootKey := filepath.Join("root_keys", rootKeyID+"_root.key") relRootKey := filepath.Join("root_keys", rootKeyID+".key")
passphraseByFile[relRootKey] = exportPassphrase passphraseByFile[relRootKey] = exportPassphrase
// Iterate through the files in the archive, checking that the files // Iterate through the files in the archive, checking that the files
@ -145,7 +145,7 @@ func TestImportExportZip(t *testing.T) {
if alias == "root" { if alias == "root" {
continue continue
} }
relKeyPath := filepath.Join("tuf_keys", privKeyName+"_"+alias+".key") relKeyPath := filepath.Join("tuf_keys", privKeyName+".key")
privKeyFileName := filepath.Join(tempBaseDir2, "private", relKeyPath) privKeyFileName := filepath.Join(tempBaseDir2, "private", relKeyPath)
_, err = os.Stat(privKeyFileName) _, err = os.Stat(privKeyFileName)
assert.NoError(t, err, "missing private key for role %s: %s", alias, privKeyName) assert.NoError(t, err, "missing private key for role %s: %s", alias, privKeyName)
@ -154,7 +154,7 @@ func TestImportExportZip(t *testing.T) {
// Look for keys in root_keys // Look for keys in root_keys
// There should be a file named after the key ID of the root key we // There should be a file named after the key ID of the root key we
// passed in. // passed in.
rootKeyFilename := rootKeyID + "_root.key" rootKeyFilename := rootKeyID + ".key"
_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename)) _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
assert.NoError(t, err, "missing root key") assert.NoError(t, err, "missing root key")
} }
@ -205,7 +205,7 @@ func TestImportExportGUN(t *testing.T) {
if alias == "root" { if alias == "root" {
continue continue
} }
relKeyPath := filepath.Join("tuf_keys", privKeyName+"_"+alias+".key") relKeyPath := filepath.Join("tuf_keys", privKeyName+".key")
passphraseByFile[relKeyPath] = exportPassphrase passphraseByFile[relKeyPath] = exportPassphrase
} }
@ -270,7 +270,7 @@ func TestImportExportGUN(t *testing.T) {
if alias == "root" { if alias == "root" {
continue continue
} }
relKeyPath := filepath.Join("tuf_keys", privKeyName+"_"+alias+".key") relKeyPath := filepath.Join("tuf_keys", privKeyName+".key")
privKeyFileName := filepath.Join(tempBaseDir2, "private", relKeyPath) privKeyFileName := filepath.Join(tempBaseDir2, "private", relKeyPath)
_, err = os.Stat(privKeyFileName) _, err = os.Stat(privKeyFileName)
assert.NoError(t, err) assert.NoError(t, err)
@ -318,7 +318,7 @@ func TestImportExportRootKey(t *testing.T) {
// Look for repo's root key in repo2 // Look for repo's root key in repo2
// There should be a file named after the key ID of the root key we // There should be a file named after the key ID of the root key we
// imported. // imported.
rootKeyFilename := rootKeyID + "_root.key" rootKeyFilename := rootKeyID + ".key"
_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename)) _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
assert.NoError(t, err, "missing root key") assert.NoError(t, err, "missing root key")
@ -386,7 +386,7 @@ func TestImportExportRootKeyReencrypt(t *testing.T) {
// Look for repo's root key in repo2 // Look for repo's root key in repo2
// There should be a file named after the key ID of the root key we // There should be a file named after the key ID of the root key we
// imported. // imported.
rootKeyFilename := rootKeyID + "_root.key" rootKeyFilename := rootKeyID + ".key"
_, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename)) _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
assert.NoError(t, err, "missing root key") assert.NoError(t, err, "missing root key")

55
trustmanager/keyfilestore.go
View File

@ -1,11 +1,13 @@
package trustmanager package trustmanager
import ( import (
"encoding/pem"
"fmt" "fmt"
"path/filepath" "path/filepath"
"strings" "strings"
"sync" "sync"
"github.com/Sirupsen/logrus"
"github.com/docker/notary/passphrase" "github.com/docker/notary/passphrase"
"github.com/docker/notary/tuf/data" "github.com/docker/notary/tuf/data"
) )
@ -179,14 +181,23 @@ func addKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached
} }
func getKeyAlias(s LimitedFileStore, keyID string) (string, error) { func getKeyAlias(s LimitedFileStore, keyID string) (string, error) {
files := s.ListFiles()
name := strings.TrimSpace(strings.TrimSuffix(filepath.Base(keyID), filepath.Ext(keyID))) name := strings.TrimSpace(strings.TrimSuffix(filepath.Base(keyID), filepath.Ext(keyID)))
for _, file := range files { for _, file := range s.ListFiles() {
filename := filepath.Base(file) filename := filepath.Base(file)
if strings.HasPrefix(filename, name) { if strings.HasPrefix(filename, name) {
d, err := s.Get(file)
if err != nil {
return "", err
}
block, _ := pem.Decode(d)
if block != nil {
if role, ok := block.Headers["role"]; ok {
return role, nil
}
}
aliasPlusDotKey := strings.TrimPrefix(filename, name+"_") aliasPlusDotKey := strings.TrimPrefix(filename, name+"_")
retVal := strings.TrimSuffix(aliasPlusDotKey, "."+keyExtension) retVal := strings.TrimSuffix(aliasPlusDotKey, "."+keyExtension)
return retVal, nil return retVal, nil
@ -208,14 +219,13 @@ func getKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cached
return nil, "", err return nil, "", err
} }
var retErr error
// See if the key is encrypted. If its encrypted we'll fail to parse the private key // See if the key is encrypted. If its encrypted we'll fail to parse the private key
privKey, err := ParsePEMPrivateKey(keyBytes, "") privKey, err := ParsePEMPrivateKey(keyBytes, "")
if err != nil { if err != nil {
privKey, _, retErr = GetPasswdDecryptBytes(passphraseRetriever, keyBytes, name, string(keyAlias)) privKey, _, err = GetPasswdDecryptBytes(passphraseRetriever, keyBytes, name, string(keyAlias))
if err != nil {
return nil, "", err
} }
if retErr != nil {
return nil, "", retErr
} }
cachedKeys[name] = &cachedKey{alias: keyAlias, key: privKey} cachedKeys[name] = &cachedKey{alias: keyAlias, key: privKey}
return privKey, keyAlias, nil return privKey, keyAlias, nil
@ -228,20 +238,32 @@ func listKeys(s LimitedFileStore) map[string]string {
for _, f := range s.ListFiles() { for _, f := range s.ListFiles() {
// Remove the prefix of the directory from the filename // Remove the prefix of the directory from the filename
if f[:len(rootKeysSubdir)] == rootKeysSubdir { var keyIDFull string
f = strings.TrimPrefix(f, rootKeysSubdir+"/") if strings.HasPrefix(f, rootKeysSubdir+"/") {
keyIDFull = strings.TrimPrefix(f, rootKeysSubdir+"/")
} else { } else {
f = strings.TrimPrefix(f, nonRootKeysSubdir+"/") keyIDFull = strings.TrimPrefix(f, nonRootKeysSubdir+"/")
} }
keyIDFull := strings.TrimSpace(f) keyIDFull = strings.TrimSpace(keyIDFull)
// If the key does not have a _, it is malformed // If the key does not have a _, it is malformed
underscoreIndex := strings.LastIndex(keyIDFull, "_") underscoreIndex := strings.LastIndex(keyIDFull, "_")
if underscoreIndex == -1 { if underscoreIndex == -1 {
keyID := keyIDFull
d, err := s.Get(f)
if err != nil {
logrus.Error(err)
continue continue
} }
block, _ := pem.Decode(d)
if block == nil {
continue
}
if role, ok := block.Headers["role"]; ok {
keyIDMap[keyID] = role
}
} else {
// The keyID is the first part of the keyname // The keyID is the first part of the keyname
// The KeyAlias is the second part of the keyname // The KeyAlias is the second part of the keyname
// in a key named abcde_root, abcde is the keyID and root is the KeyAlias // in a key named abcde_root, abcde is the keyID and root is the KeyAlias
@ -249,6 +271,7 @@ func listKeys(s LimitedFileStore) map[string]string {
keyAlias := keyIDFull[underscoreIndex+1:] keyAlias := keyIDFull[underscoreIndex+1:]
keyIDMap[keyID] = keyAlias keyIDMap[keyID] = keyAlias
} }
}
return keyIDMap return keyIDMap
} }
@ -262,8 +285,7 @@ func removeKey(s LimitedFileStore, cachedKeys map[string]*cachedKey, name string
delete(cachedKeys, name) delete(cachedKeys, name)
// being in a subdirectory is for backwards compatibliity // being in a subdirectory is for backwards compatibliity
filename := name + "_" + keyAlias err = s.Remove(filepath.Join(getSubdir(keyAlias), name))
err = s.Remove(filepath.Join(getSubdir(keyAlias), filename))
if err != nil { if err != nil {
return err return err
} }
@ -286,9 +308,8 @@ func getRawKey(s LimitedFileStore, name string) ([]byte, string, error) {
return nil, "", err return nil, "", err
} }
filename := name + "_" + keyAlias
var keyBytes []byte var keyBytes []byte
keyBytes, err = s.Get(filepath.Join(getSubdir(keyAlias), filename)) keyBytes, err = s.Get(filepath.Join(getSubdir(keyAlias), name))
if err != nil { if err != nil {
return nil, "", err return nil, "", err
} }
@ -351,7 +372,7 @@ func encryptAndAddKey(s LimitedFileStore, passwd string, cachedKeys map[string]*
} }
cachedKeys[name] = &cachedKey{alias: role, key: privKey} cachedKeys[name] = &cachedKey{alias: role, key: privKey}
return s.Add(filepath.Join(getSubdir(role), name+"_"+role), pemPrivKey) return s.Add(filepath.Join(getSubdir(role), name), pemPrivKey)
} }
func importKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, alias string, pemBytes []byte) error { func importKey(s LimitedFileStore, passphraseRetriever passphrase.Retriever, cachedKeys map[string]*cachedKey, alias string, pemBytes []byte) error {

9
trustmanager/keyfilestore_test.go
View File

@ -26,7 +26,6 @@ var passphraseRetriever = func(keyID string, alias string, createNew bool, numAt
func TestAddKey(t *testing.T) { func TestAddKey(t *testing.T) {
testName := "docker.com/notary/root" testName := "docker.com/notary/root"
testExt := "key" testExt := "key"
testAlias := "root"
// Temporary directory where test files will be created // Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-") tempBaseDir, err := ioutil.TempDir("", "notary-test-")
@ -34,7 +33,7 @@ func TestAddKey(t *testing.T) {
defer os.RemoveAll(tempBaseDir) defer os.RemoveAll(tempBaseDir)
// Since we're generating this manually we need to add the extension '.' // Since we're generating this manually we need to add the extension '.'
expectedFilePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, testName+"_"+testAlias+"."+testExt) expectedFilePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, testName+"."+testExt)
// Create our store // Create our store
store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever) store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)
@ -97,7 +96,7 @@ EMl3eFOJXjIch/wIesRSN+2dGOsl7neercjMh1i9RvpCwHDx/E0=
defer os.RemoveAll(tempBaseDir) defer os.RemoveAll(tempBaseDir)
// Since we're generating this manually we need to add the extension '.' // Since we're generating this manually we need to add the extension '.'
filePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, testName+"_"+testAlias+"."+testExt) filePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, testName+"."+testExt)
os.MkdirAll(filepath.Dir(filePath), perms) os.MkdirAll(filepath.Dir(filePath), perms)
err = ioutil.WriteFile(filePath, testData, perms) err = ioutil.WriteFile(filePath, testData, perms)
@ -215,7 +214,7 @@ func TestGetDecryptedWithTamperedCipherText(t *testing.T) {
assert.NoError(t, err, "failed to add key to store") assert.NoError(t, err, "failed to add key to store")
// Since we're generating this manually we need to add the extension '.' // Since we're generating this manually we need to add the extension '.'
expectedFilePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, privKey.ID()+"_"+testAlias+"."+testExt) expectedFilePath := filepath.Join(tempBaseDir, privDir, rootKeysSubdir, privKey.ID()+"."+testExt)
// Get file description, open file // Get file description, open file
fp, err := os.OpenFile(expectedFilePath, os.O_WRONLY, 0600) fp, err := os.OpenFile(expectedFilePath, os.O_WRONLY, 0600)
@ -322,7 +321,7 @@ func TestRemoveKey(t *testing.T) {
defer os.RemoveAll(tempBaseDir) defer os.RemoveAll(tempBaseDir)
// Since we're generating this manually we need to add the extension '.' // Since we're generating this manually we need to add the extension '.'
expectedFilePath := filepath.Join(tempBaseDir, privDir, nonRootKeysSubdir, testName+"_"+testAlias+"."+testExt) expectedFilePath := filepath.Join(tempBaseDir, privDir, nonRootKeysSubdir, testName+"."+testExt)
// Create our store // Create our store
store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever) store, err := NewKeyFileStore(tempBaseDir, passphraseRetriever)