The server already supported a memory backend, but now it must be
specified, rather than just being a fallback if no storage is
specified. This also adds a signer backend to signer, which
previously required a MySQL backend.
Thanks @endophage for the excellent suggestion!
Signed-off-by: Ying Li <ying.li@docker.com>
Previously, if a relative path was provided, it was relative to the
current working directory to wherever the binaries were run. Now
it is relative to whatever config file was used.
Signed-off-by: Ying Li <ying.li@docker.com>
This changes the 'addr' parameter of notary-server's config to
'http_addr', so we can add a GRPC server to notary-server if
necessary. This also allows environment variables to override
the notary-server config file entries, as notary-signer already
does.
The bugsnag configuration has also been changed so that the
bugsnag parameters are under the "bugsnag" key.
Signed-off-by: Ying Li <ying.li@docker.com>
Also add bugsnag support to notary-signer.
This also changes the 'server.cert_file' and 'server.key_file'
parameters to 'server.tls_cert_file' and 'server.tls_key_file',
respectively, to match notary-server.
Previously, the default alias, which was under the environment
variable NOTARY_SERVER_DEFAULT_ALIAS is now also available in
the config file in storage.default_alias. The password has
not changed.
Finally, this removes some of the HSM references in notary-signer.
Signed-off-by: Ying Li <ying.li@docker.com>
Also support parameterized allowed backends when parsing for
storage backends, so that a DB backend can be tested.
Signed-off-by: Ying Li <ying.li@docker.com>
This is because the server handles the timestamp key and timestamp signing.
So there can only ever be 1 key. Thanks @mtrmac for pointing this out.
This change also refactors some of the test code somewhat.
Signed-off-by: Ying Li <ying.li@docker.com>
Previously it was "fatal: Unable to reach trust server at this time: 400."
and now it is "fatal: Trust server rejected operation."
Signed-off-by: Ying Li <ying.li@docker.com>
If the client sends a root.json with an invalid timestamp key ID,
possibly because they are pushing an existing repo to a new server,
then the server should reject the update.
Signed-off-by: Ying Li <ying.li@docker.com>
Since if they are generic test helpers that should be exported,
they should probably go into their own package. If they are used
during testing, they should end in _test.
Signed-off-by: Ying Li <ying.li@docker.com>
Previously, because it's a CryptoService wrapper around a remote signer
service, it returned nil all the time. Now, because signing is done
via private key more than CryptoService, it has to return a PrivateKey.
The key doesn't have private bytes, but can be used for signing.
Signed-off-by: Ying Li <ying.li@docker.com>
This lists any matching keys, and requires the user to pick which one
to choose, if there is more than 1 matching key. Also requires the
user to confirm before deleting.
Signed-off-by: Ying Li <ying.li@docker.com>
Log whether a pkcs11 library was found and if it was loadable.
This unfortunately prints out every time any operation is done on the Yubikey, producing a lot of log output, but perhaps that is better because an operation might fail at any given time.
Output if no Yubikey:
DEBU[0000] Failed to initialize PKCS11 environment: loaded library /usr/local/lib/libykcs11.dylib, but no HSM slots found
If there is a Yubikey:
DEBU[0000] Initialized PKCS11 library /usr/local/lib/libykcs11.dylib and started HSM session
Currently, when listing, publishing, or getting a particular target,
if the remote server errors, the client attempts to load it from a
local cache. However, if there is no local cache, it just returns
Metadata Not Found for listing and getting. Have it report the
remote the original remote error instead of Metadata Not Found
locally.
Signed-off-by: Ying Li <ying.li@docker.com>
Some more tests, one minor change
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Diogo Mónica <diogo.monica@gmail.com> (github: endophage)
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Added a test for this case as well - thanks @endophage!
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: David Lawrence <david.lawrence@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com> (github: endophage)
Ying Li
David Lawrence
Sven Dowideit
Ying Li
Diogo Mónica
David Lawrence
Diogo Monica