docker
/
docs
mirror of https://github.com/docker/docs.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity
docs/cryptoservice/import_export_test.go

448 lines
17 KiB
Go
Raw Blame History

package cryptoservice
//import (
// "archive/zip"
// "bytes"
// "fmt"
// "io/ioutil"
// "net/http"
// "net/http/httptest"
// "os"
// "path/filepath"
// "strings"
// "testing"
//
// "github.com/docker/notary/client"
// "github.com/docker/notary/keystoremanager"
// "github.com/docker/notary/trustmanager"
// "github.com/docker/notary/tuf/data"
// "github.com/stretchr/testify/assert"
//)
//
//const timestampECDSAKeyJSON = `
//{"keytype":"ecdsa","keyval":{"public":"MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEgl3rzMPMEKhS1k/AX16MM4PdidpjJr+z4pj0Td+30QnpbOIARgpyR1PiFztU8BZlqG3cUazvFclr2q/xHvfrqw==","private":"MHcCAQEEIDqtcdzU7H3AbIPSQaxHl9+xYECt7NpK7B1+6ep5cv9CoAoGCCqGSM49AwEHoUQDQgAEgl3rzMPMEKhS1k/AX16MM4PdidpjJr+z4pj0Td+30QnpbOIARgpyR1PiFztU8BZlqG3cUazvFclr2q/xHvfrqw=="}}`
//
//func createTestServer(t *testing.T) (*httptest.Server, *http.ServeMux) {
// mux := http.NewServeMux()
// // TUF will request /v2/docker.com/notary/_trust/tuf/timestamp.key
// // Return a canned timestamp.key
// mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/timestamp.key", func(w http.ResponseWriter, r *http.Request) {
// // Also contains the private key, but for the purpose of this
// // test, we don't care
// fmt.Fprint(w, timestampECDSAKeyJSON)
// })
//
// ts := httptest.NewServer(mux)
//
// return ts, mux
//}
//
//var oldPassphrase = "oldPassphrase"
//var exportPassphrase = "exportPassphrase"
//var oldPassphraseRetriever = func(string, string, bool, int) (string, bool, error) { return oldPassphrase, false, nil }
//var newPassphraseRetriever = func(string, string, bool, int) (string, bool, error) { return exportPassphrase, false, nil }
//
//func TestImportExportZip(t *testing.T) {
// gun := "docker.com/notary"
//
// // Temporary directory where test files will be created
// tempBaseDir, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir)
//
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
//
// ts, _ := createTestServer(t)
// defer ts.Close()
//
// repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
// assert.NoError(t, err, "error creating repo: %s", err)
//
// rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err)
//
// err = repo.Initialize(rootKeyID)
// assert.NoError(t, err, "error creating repository: %s", err)
//
// tempZipFile, err := ioutil.TempFile("", "notary-test-export-")
// tempZipFilePath := tempZipFile.Name()
// defer os.Remove(tempZipFilePath)
//
// err = repo.KeyStoreManager.ExportAllKeys(tempZipFile, newPassphraseRetriever)
// tempZipFile.Close()
// assert.NoError(t, err)
//
// // Reopen the zip file for importing
// zipReader, err := zip.OpenReader(tempZipFilePath)
// assert.NoError(t, err, "could not open zip file")
//
// // Map of files to expect in the zip file, with the passphrases
// passphraseByFile := make(map[string]string)
//
// // Add non-root keys to the map. These should use the new passphrase
// // because the passwords were chosen by the newPassphraseRetriever.
// privKeyMap := repo.KeyStoreManager.KeyStore.ListKeys()
// for privKeyName := range privKeyMap {
// _, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName)
// assert.NoError(t, err, "privKey %s has no alias", privKeyName)
//
// if alias == "root" {
// continue
// }
// relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
// passphraseByFile[relKeyPath] = exportPassphrase
// }
//
// // Add root key to the map. This will use the export passphrase because it
// // will be reencrypted.
// relRootKey := filepath.Join("private", "root_keys", rootKeyID+"_root.key")
// passphraseByFile[relRootKey] = exportPassphrase
//
// // Iterate through the files in the archive, checking that the files
// // exist and are encrypted with the expected passphrase.
// for _, f := range zipReader.File {
// expectedPassphrase, present := passphraseByFile[f.Name]
// if !present {
// t.Fatalf("unexpected file %s in zip file", f.Name)
// }
//
// delete(passphraseByFile, f.Name)
//
// rc, err := f.Open()
// assert.NoError(t, err, "could not open file inside zip archive")
//
// pemBytes, err := ioutil.ReadAll(rc)
// assert.NoError(t, err, "could not read file from zip")
//
// _, err = trustmanager.ParsePEMPrivateKey(pemBytes, expectedPassphrase)
// assert.NoError(t, err, "PEM not encrypted with the expected passphrase")
//
// rc.Close()
// }
//
// zipReader.Close()
//
// // Are there any keys that didn't make it to the zip?
// for fileNotFound := range passphraseByFile {
// t.Fatalf("%s not found in zip", fileNotFound)
// }
//
// // Create new repo to test import
// tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir2)
//
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
//
// repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, newPassphraseRetriever)
// assert.NoError(t, err, "error creating repo: %s", err)
//
// rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err)
//
// err = repo2.Initialize(rootKeyID2)
// assert.NoError(t, err, "error creating repository: %s", err)
//
// // Reopen the zip file for importing
// zipReader, err = zip.OpenReader(tempZipFilePath)
// assert.NoError(t, err, "could not open zip file")
//
// // Now try with a valid passphrase. This time it should succeed.
// err = repo2.KeyStoreManager.ImportKeysZip(zipReader.Reader)
// assert.NoError(t, err)
// zipReader.Close()
//
// // Look for keys in private. The filenames should match the key IDs
// // in the repo's private key store.
// for privKeyName := range privKeyMap {
// _, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName)
// assert.NoError(t, err, "privKey %s has no alias", privKeyName)
//
// if alias == "root" {
// continue
// }
// relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
// privKeyFileName := filepath.Join(tempBaseDir2, relKeyPath)
// _, err = os.Stat(privKeyFileName)
// assert.NoError(t, err, "missing private key: %s", privKeyName)
// }
//
// // Look for keys in root_keys
// // There should be a file named after the key ID of the root key we
// // passed in.
// rootKeyFilename := rootKeyID + "_root.key"
// _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
// assert.NoError(t, err, "missing root key")
//}
//
//func TestImportExportGUN(t *testing.T) {
// gun := "docker.com/notary"
//
// // Temporary directory where test files will be created
// tempBaseDir, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir)
//
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
//
// ts, _ := createTestServer(t)
// defer ts.Close()
//
// repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
// assert.NoError(t, err, "error creating repo: %s", err)
//
// rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err)
//
// err = repo.Initialize(rootKeyID)
// assert.NoError(t, err, "error creating repository: %s", err)
//
// tempZipFile, err := ioutil.TempFile("", "notary-test-export-")
// tempZipFilePath := tempZipFile.Name()
// defer os.Remove(tempZipFilePath)
//
// err = repo.KeyStoreManager.ExportKeysByGUN(tempZipFile, gun, newPassphraseRetriever)
// assert.NoError(t, err)
//
// // With an invalid GUN, this should return an error
// err = repo.KeyStoreManager.ExportKeysByGUN(tempZipFile, "does.not.exist/in/repository", newPassphraseRetriever)
// assert.EqualError(t, err, keystoremanager.ErrNoKeysFoundForGUN.Error())
//
// tempZipFile.Close()
//
// // Reopen the zip file for importing
// zipReader, err := zip.OpenReader(tempZipFilePath)
// assert.NoError(t, err, "could not open zip file")
//
// // Map of files to expect in the zip file, with the passphrases
// passphraseByFile := make(map[string]string)
//
// // Add keys non-root keys to the map. These should use the new passphrase
// // because they were formerly unencrypted.
// privKeyMap := repo.KeyStoreManager.KeyStore.ListKeys()
// for privKeyName := range privKeyMap {
// _, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName)
// if err != nil {
// t.Fatalf("privKey %s has no alias", privKeyName)
// }
// if alias == "root" {
// continue
// }
// relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
//
// passphraseByFile[relKeyPath] = exportPassphrase
// }
//
// // Iterate through the files in the archive, checking that the files
// // exist and are encrypted with the expected passphrase.
// for _, f := range zipReader.File {
//
// expectedPassphrase, present := passphraseByFile[f.Name]
// if !present {
// t.Fatalf("unexpected file %s in zip file", f.Name)
// }
//
// delete(passphraseByFile, f.Name)
//
// rc, err := f.Open()
// assert.NoError(t, err, "could not open file inside zip archive")
//
// pemBytes, err := ioutil.ReadAll(rc)
// assert.NoError(t, err, "could not read file from zip")
//
// _, err = trustmanager.ParsePEMPrivateKey(pemBytes, expectedPassphrase)
// assert.NoError(t, err, "PEM not encrypted with the expected passphrase")
//
// rc.Close()
// }
//
// zipReader.Close()
//
// // Are there any keys that didn't make it to the zip?
// for fileNotFound := range passphraseByFile {
// t.Fatalf("%s not found in zip", fileNotFound)
// }
//
// // Create new repo to test import
// tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir2)
//
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
//
// repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
// assert.NoError(t, err, "error creating repo: %s", err)
//
// rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err)
//
// err = repo2.Initialize(rootKeyID2)
// assert.NoError(t, err, "error creating repository: %s", err)
//
// // Reopen the zip file for importing
// zipReader, err = zip.OpenReader(tempZipFilePath)
// assert.NoError(t, err, "could not open zip file")
//
// // Now try with a valid passphrase. This time it should succeed.
// err = repo2.KeyStoreManager.ImportKeysZip(zipReader.Reader)
// assert.NoError(t, err)
// zipReader.Close()
//
// // Look for keys in private. The filenames should match the key IDs
// // in the repo's private key store.
// for privKeyName := range privKeyMap {
// _, alias, err := repo.KeyStoreManager.KeyStore.GetKey(privKeyName)
// if err != nil {
// t.Fatalf("privKey %s has no alias", privKeyName)
// }
// if alias == "root" {
// continue
// }
// relKeyPath := filepath.Join("private", "tuf_keys", privKeyName+"_"+alias+".key")
// privKeyFileName := filepath.Join(tempBaseDir2, relKeyPath)
// _, err = os.Stat(privKeyFileName)
// }
//}
//
//func TestImportExportRootKey(t *testing.T) {
// gun := "docker.com/notary"
//
// // Temporary directory where test files will be created
// tempBaseDir, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir)
//
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
//
// ts, _ := createTestServer(t)
// defer ts.Close()
//
// repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
// assert.NoError(t, err, "error creating repo: %s", err)
//
// rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err)
//
// err = repo.Initialize(rootKeyID)
// assert.NoError(t, err, "error creating repository: %s", err)
//
// tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
// tempKeyFilePath := tempKeyFile.Name()
// defer os.Remove(tempKeyFilePath)
//
// err = repo.KeyStoreManager.ExportRootKey(tempKeyFile, rootKeyID)
// assert.NoError(t, err)
// tempKeyFile.Close()
//
// // Create new repo to test import
// tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir2)
//
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
//
// repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
// assert.NoError(t, err, "error creating repo: %s", err)
//
// rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err)
//
// err = repo2.Initialize(rootKeyID2)
// assert.NoError(t, err, "error creating repository: %s", err)
//
// keyReader, err := os.Open(tempKeyFilePath)
// assert.NoError(t, err, "could not open key file")
//
// err = repo2.KeyStoreManager.ImportRootKey(keyReader)
// assert.NoError(t, err)
// keyReader.Close()
//
// // Look for repo's root key in repo2
// // There should be a file named after the key ID of the root key we
// // imported.
// rootKeyFilename := rootKeyID + "_root.key"
// _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
// assert.NoError(t, err, "missing root key")
//
// // Try to import a decrypted version of the root key and make sure it
// // doesn't succeed
// pemBytes, err := ioutil.ReadFile(tempKeyFilePath)
// assert.NoError(t, err, "could not read key file")
// privKey, err := trustmanager.ParsePEMPrivateKey(pemBytes, oldPassphrase)
// assert.NoError(t, err, "could not decrypt key file")
// decryptedPEMBytes, err := trustmanager.KeyToPEM(privKey)
// assert.NoError(t, err, "could not convert key to PEM")
//
// err = repo2.KeyStoreManager.ImportRootKey(bytes.NewReader(decryptedPEMBytes))
// assert.EqualError(t, err, keystoremanager.ErrRootKeyNotEncrypted.Error())
//
// // Try to import garbage and make sure it doesn't succeed
// err = repo2.KeyStoreManager.ImportRootKey(strings.NewReader("this is not PEM"))
// assert.EqualError(t, err, keystoremanager.ErrNoValidPrivateKey.Error())
//
// // Should be able to unlock the root key with the old password
// key, alias, err := repo2.KeyStoreManager.KeyStore.GetKey(rootKeyID)
// assert.NoError(t, err, "could not unlock root key")
// assert.Equal(t, "root", alias)
// assert.Equal(t, rootKeyID, key.ID())
//}
//
//func TestImportExportRootKeyReencrypt(t *testing.T) {
// gun := "docker.com/notary"
//
// // Temporary directory where test files will be created
// tempBaseDir, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir)
//
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
//
// ts, _ := createTestServer(t)
// defer ts.Close()
//
// repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, oldPassphraseRetriever)
// assert.NoError(t, err, "error creating repo: %s", err)
//
// rootKeyID, err := repo.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err)
//
// err = repo.Initialize(rootKeyID)
// assert.NoError(t, err, "error creating repository: %s", err)
//
// tempKeyFile, err := ioutil.TempFile("", "notary-test-export-")
// tempKeyFilePath := tempKeyFile.Name()
// defer os.Remove(tempKeyFilePath)
//
// err = repo.KeyStoreManager.ExportRootKeyReencrypt(tempKeyFile, rootKeyID, newPassphraseRetriever)
// assert.NoError(t, err)
// tempKeyFile.Close()
//
// // Create new repo to test import
// tempBaseDir2, err := ioutil.TempDir("", "notary-test-")
// defer os.RemoveAll(tempBaseDir2)
//
// assert.NoError(t, err, "failed to create a temporary directory: %s", err)
//
// repo2, err := client.NewNotaryRepository(tempBaseDir2, gun, ts.URL, http.DefaultTransport, newPassphraseRetriever)
// assert.NoError(t, err, "error creating repo: %s", err)
//
// rootKeyID2, err := repo2.KeyStoreManager.GenRootKey(data.ECDSAKey)
// assert.NoError(t, err, "error generating root key: %s", err)
//
// err = repo2.Initialize(rootKeyID2)
// assert.NoError(t, err, "error creating repository: %s", err)
//
// keyReader, err := os.Open(tempKeyFilePath)
// assert.NoError(t, err, "could not open key file")
//
// err = repo2.KeyStoreManager.ImportRootKey(keyReader)
// assert.NoError(t, err)
// keyReader.Close()
//
// // Look for repo's root key in repo2
// // There should be a file named after the key ID of the root key we
// // imported.
// rootKeyFilename := rootKeyID + "_root.key"
// _, err = os.Stat(filepath.Join(tempBaseDir2, "private", "root_keys", rootKeyFilename))
// assert.NoError(t, err, "missing root key")
//
// // Should be able to unlock the root key with the new password
// key, alias, err := repo2.KeyStoreManager.KeyStore.GetKey(rootKeyID)
// assert.NoError(t, err, "could not unlock root key")
// assert.Equal(t, "root", alias)
// assert.Equal(t, rootKeyID, key.ID())
//}
Reference in New Issue View Git Blame Copy Permalink