This adds some command line flags and configuration for the notary client:
--tlscacert
--tlscert
--tlskey
This enables the notary client to do mutual authentication with the notary server.
Signed-off-by: Ying Li <ying.li@docker.com>
Various tests have been calling trustmanager.NewCertificate and
open-coding most of cryptoservice.GenerateCertificate. So, add
cryptoservice.GenerateTestingCertificate. It differs only by using
crypto.Signer instead of data.PrivateKey because the tests
have a crypto.Signer more frequently available, and converting
from data.PrivateKey to crypto.Signer is easier than the other way.
This will make it easier to add policy parameters which the tests don't
care about to trustmanager.NewCertificate and
cryptoservice.GenerateCertificate in the future.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
None of these `filename`, `ext` or `configPath` should be in `main`,
they are all just for creating a instance of Viper and then nothing.
Do it in a separate function will make the function `main` more readable.
Signed-off-by: Hu Keping <hukeping@huawei.com>
The server already supported a memory backend, but now it must be
specified, rather than just being a fallback if no storage is
specified. This also adds a signer backend to signer, which
previously required a MySQL backend.
Thanks @endophage for the excellent suggestion!
Signed-off-by: Ying Li <ying.li@docker.com>
Previously, if a relative path was provided, it was relative to the
current working directory to wherever the binaries were run. Now
it is relative to whatever config file was used.
Signed-off-by: Ying Li <ying.li@docker.com>
Also support parameterized allowed backends when parsing for
storage backends, so that a DB backend can be tested.
Signed-off-by: Ying Li <ying.li@docker.com>
This curve is not available on Fedora and RHEL systems, so removing the
reference allows tests to pass there. Vast majority of the
curve-specific work is done in the golang crypto/elliptic package, so
this does not weaken the tests noticeably.
Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Test for if client cert is passed without a client key and vice versa.
Fail in ConfigureClientTLS if only one of client cert/key is passed.
Lint fixes.
Signed-off-by: Ying Li <ying.li@docker.com>
If Authorized returns an error, it returns nil for ctx. This means the
deferred function will dereference a nil pointer.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Use the github.com/docker/distribution/context package to get a logger
that adds a unique ID and useful information about each HTTP request.
Use this logger in HTTP handlers instead of using logrus or the log
package directly.
Remove [Notary Server] and [Notary Signer] prefixes from log messages.
The distribution/context package was already vendored, so there are no
Godeps changes necessary.
Sample output:
notaryserver_1 | time="2015-07-31T23:02:01Z" level=debug msg="retrieving timestamp key for docker.com/docker"
notarysigner_1 | time="2015-07-31T23:02:01Z" level=debug msg="generated ECDSA key with keyID: ea89e7dc49a13feab1e5ed349760b148c3c6ebd86968b2bc6cb0d003a8b79f78"
notarysigner_1 | time="2015-07-31T23:02:01Z" level=debug msg="generated new ecdsa key for role: and keyID: ea89e7dc49a13feab1e5ed349760b148c3c6ebd86968b2bc6cb0d003a8b79f78"
notarysigner_1 | time="2015-07-31T23:02:01Z" level=info msg="CreateKey: Created KeyID ea89e7dc49a13feab1e5ed349760b148c3c6ebd86968b2bc6cb0d003a8b79f78"
notaryserver_1 | time="2015-07-31T23:02:01Z" level=debug msg="Creating new timestamp key for docker.com/docker. With algo: ecdsa"
notaryserver_1 | time="2015-07-31T23:02:01Z" level=debug msg="Inserting timestamp key for docker.com/docker"
notaryserver_1 | time="2015-07-31T23:02:01Z" level=debug msg="200 GET timestamp key" docker.com/docker=gun http.request.host="192.168.99.100:4443" http.request.id=a720da02-4312-48ae-b122-6d4bce9d3b20 http.request.method=GET http.request.remoteaddr="192.168.99.1:58178" http.request.uri="/v2/docker.com/docker/_trust/tuf/timestamp.key" http.request.useragent="Go 1.1 package http"
notaryserver_1 | time="2015-07-31T23:02:01Z" level=info msg="response completed" http.request.host="192.168.99.100:4443" http.request.id=a720da02-4312-48ae-b122-6d4bce9d3b20 http.request.method=GET http.request.remoteaddr="192.168.99.1:58178" http.request.uri="/v2/docker.com/docker/_trust/tuf/timestamp.key" http.request.useragent="Go 1.1 package http" http.response.duration=29.703624ms http.response.status=200 http.response.written=181
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
Import github.com/docker/distribution/registry/api/v2 to share the
regexps that the registry API uses.
Remove ErrUnauthorized in errors package, since it conflicts with one
defined in v2.
Fixes#92
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
We now deal with CryptoServices directly instead of passing around
Signers.
UnlockedSigner becomes UnlockedCryptoService because it no longer
contains a Signer.
Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
HuKeping
Ying Li
Ying Li
Miloslav Trmač
David Lawrence
Aaron Lehmann
Derek McGowan
Diogo Mónica
Nathan McCauley