@@ -258,6 +258,11 @@ func (cli *DockerCli) trustedReference(ref reference.NamedTagged) (reference.Can

 	if err != nil {

 		return nil, err

 	}

+	// Only list tags in the top level targets role or the releases delegation role - ignore

+	// all other delegation roles

+	if t.Role != releasesRole && t.Role != data.CanonicalTargetsRole {

+		return nil, notaryError(repoInfo.FullName(), fmt.Errorf("No trust data for %s", ref.Tag()))

+	}

 	r, err := convertTarget(t.Target)

 	if err != nil {

 		return nil, err

@@ -331,13 +336,28 @@ func (cli *DockerCli) trustedPull(repoInfo *registry.RepositoryInfo, ref registr

 				fmt.Fprintf(cli.out, "Skipping target for %q\n", repoInfo.Name())

 				continue

 			}

+			// Only list tags in the top level targets role or the releases delegation role - ignore

+			// all other delegation roles

+			if tgt.Role != releasesRole && tgt.Role != data.CanonicalTargetsRole {

+				continue

+			}

 			refs = append(refs, t)

 		}

+		if len(refs) == 0 {

+			return notaryError(repoInfo.FullName(), fmt.Errorf("No trusted tags for %s", repoInfo.FullName()))

+		}

 	} else {

 		t, err := notaryRepo.GetTargetByName(ref.String(), releasesRole, data.CanonicalTargetsRole)

 		if err != nil {

 			return notaryError(repoInfo.FullName(), err)

 		}

+		// Only get the tag if it's in the top level targets role or the releases delegation role

+		// ignore it if it's in any other delegation roles

+		if t.Role != releasesRole && t.Role != data.CanonicalTargetsRole {

+			return notaryError(repoInfo.FullName(), fmt.Errorf("No trust data for %s", ref.String()))

+		}

+

+		logrus.Debugf("retrieving target for %s role\n", t.Role)

 		r, err := convertTarget(t.Target)

 		if err != nil {

 			return err

@@ -441,39 +461,95 @@ func (cli *DockerCli) trustedPush(repoInfo *registry.RepositoryInfo, tag string,

 		return err

 	}

-	if err := repo.AddTarget(target, releasesRole); err != nil {

-		return err

+	// get the latest repository metadata so we can figure out which roles to sign

+	_, err = repo.Update(false)

+

+	switch err.(type) {

+	case client.ErrRepoNotInitialized, client.ErrRepositoryNotExist:

+		keys := repo.CryptoService.ListKeys(data.CanonicalRootRole)

+		var rootKeyID string

+		// always select the first root key

+		if len(keys) > 0 {

+			sort.Strings(keys)

+			rootKeyID = keys[0]

+		} else {

+			rootPublicKey, err := repo.CryptoService.Create(data.CanonicalRootRole, data.ECDSAKey)

+			if err != nil {

+				return err

+			}

+			rootKeyID = rootPublicKey.ID()

+		}

+

+		// Initialize the notary repository with a remotely managed snapshot key

+		if err := repo.Initialize(rootKeyID, data.CanonicalSnapshotRole); err != nil {

+			return notaryError(repoInfo.FullName(), err)

+		}

+		fmt.Fprintf(cli.out, "Finished initializing %q\n", repoInfo.FullName())

+		err = repo.AddTarget(target, data.CanonicalTargetsRole)

+	case nil:

+		// already initialized and we have successfully downloaded the latest metadata

+		err = cli.addTargetToAllSignableRoles(repo, target)

+	default:

+		return notaryError(repoInfo.FullName(), err)

 	}

-	err = repo.Publish()

 	if err == nil {

-		fmt.Fprintf(cli.out, "Successfully signed %q:%s\n", repoInfo.FullName(), tag)

-		return nil

-	} else if _, ok := err.(client.ErrRepoNotInitialized); !ok {

+		err = repo.Publish()

+	}

+

+	if err != nil {

 		fmt.Fprintf(cli.out, "Failed to sign %q:%s - %s\n", repoInfo.FullName(), tag, err.Error())

 		return notaryError(repoInfo.FullName(), err)

 	}

-	keys := repo.CryptoService.ListKeys(data.CanonicalRootRole)

+	fmt.Fprintf(cli.out, "Successfully signed %q:%s\n", repoInfo.FullName(), tag)

+	return nil

+}

-	var rootKeyID string

-	// always select the first root key

-	if len(keys) > 0 {

-		sort.Strings(keys)

-		rootKeyID = keys[0]

-	} else {

-		rootPublicKey, err := repo.CryptoService.Create(data.CanonicalRootRole, data.ECDSAKey)

-		if err != nil {

-			return err

+// Attempt to add the image target to all the top level delegation roles we can

+// (based on whether we have the signing key and whether the role's path allows

+// us to).

+// If there are no delegation roles, we add to the targets role.

+func (cli *DockerCli) addTargetToAllSignableRoles(repo *client.NotaryRepository, target *client.Target) error {

+	var signableRoles []string

+

+	// translate the full key names, which includes the GUN, into just the key IDs

+	allCanonicalKeyIDs := make(map[string]struct{})

+	for fullKeyID := range repo.CryptoService.ListAllKeys() {

+		allCanonicalKeyIDs[path.Base(fullKeyID)] = struct{}{}

+	}

+

+	allDelegationRoles, err := repo.GetDelegationRoles()

+	if err != nil {

+		return err

+	}

+

+	// if there are no delegation roles, then just try to sign it into the targets role

+	if len(allDelegationRoles) == 0 {

+		return repo.AddTarget(target, data.CanonicalTargetsRole)

+	}

+

+	// there are delegation roles, find every delegation role we have a key for, and

+	// attempt to sign into into all those roles.

+	for _, delegationRole := range allDelegationRoles {

+		// We do not support signing any delegation role that isn't a direct child of the targets role.

+		// Also don't bother checking the keys if we can't add the target

+		// to this role due to path restrictions

+		if path.Dir(delegationRole.Name) != data.CanonicalTargetsRole || !delegationRole.CheckPaths(target.Name) {

+			continue

+		}

+

+		for _, canonicalKeyID := range delegationRole.KeyIDs {

+			if _, ok := allCanonicalKeyIDs[canonicalKeyID]; ok {

+				signableRoles = append(signableRoles, delegationRole.Name)

+				break

+			}

 		}

-		rootKeyID = rootPublicKey.ID()

 	}

-	// Initialize the notary repository with a remotely managed snapshot key

-	if err := repo.Initialize(rootKeyID, data.CanonicalSnapshotRole); err != nil {

-		return notaryError(repoInfo.FullName(), err)

+	if len(signableRoles) == 0 {

+		return fmt.Errorf("no valid signing keys for delegation roles")

 	}

-	fmt.Fprintf(cli.out, "Finished initializing %q\n", repoInfo.FullName())

-	return notaryError(repoInfo.FullName(), repo.Publish())

+	return repo.AddTarget(target, signableRoles...)

 }

@@ -108,19 +108,13 @@ $ docker pull someimage@sha256:d149ab53f8718e987c3a3024bb8aa0e2caadf6c0328f1d9d8

 ```

 Trust for an image tag is managed through the use of signing keys. A key set is

-created when an operation using content trust is first invoked. Docker's content

-trust makes use of four different keys:

+created when an operation using content trust is first invoked. A key set consists

+of the following classes of keys:

-| Key                 | Description                                                                                                                                                                                                                                                                                                                                                                         |

-|---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|

-| root key         | Root of content trust for a image tag. When content trust is enabled, you create the root key once. |

-| target and snapshot | These two keys are known together as the "repository" key. When content trust is enabled, you create this key when you add a new image repository. If you have the root key, you can export the repository key and allow other publishers to sign the image tags.    |

-| timestamp           | This key applies to a repository. It allows Docker repositories to have freshness security guarantees without requiring periodic content refreshes on the client's side.                                                                                                              |

-

-With the exception of the timestamp, all the keys are generated and stored locally

-client-side. The timestamp is safely generated and stored in a signing server that

-is deployed alongside the Docker registry. All keys are generated in a backend

-service that isn't directly exposed to the internet and are encrypted at rest.

+- an offline key that is the root of content trust for a image tag

+- repository or tagging keys that sign tags

+- server-managed keys such as the timestamp key, which provides freshness

+	security guarantees for your repository

 The following image depicts the various signing keys and their relationships:

@@ -133,9 +127,9 @@ The following image depicts the various signing keys and their relationships:

 >tag from this repository prior to the loss.

 You should backup the root key somewhere safe. Given that it is only required

-to create new repositories, it is a good idea to store it offline. Make sure you

-read [Manage keys for content trust](trust_key_mng.md) information

-for details on securing, and backing up your keys. 

+to create new repositories, it is a good idea to store it offline.

+For details on securing, and backing up your keys, make sure you

+read how to [manage keys for content trust](trust_key_mng.md).

 ## Survey of typical content trust operations

@@ -302,4 +296,5 @@ $  docker push --disable-content-trust docker/trusttest:untrusted

 * [Manage keys for content trust](trust_key_mng.md)

 * [Automation with content trust](trust_automation.md)

+* [Delegations for content trust](trust_delegation.md)

 * [Play in a content trust sandbox](trust_sandbox.md)

@@ -17,4 +17,5 @@ The following topics are available:

 * [Content trust in Docker](content_trust.md)

 * [Manage keys for content trust](trust_key_mng.md)

 * [Automation with content trust](trust_automation.md)

+* [Delegations for content trust](trust_delegation.md)

 * [Play in a content trust sandbox](trust_sandbox.md)

@@ -73,7 +73,8 @@ unable to process Dockerfile: No trust data for notrust

 ## Related information

-* [Content trust in Docker](content_trust.md) 

+* [Content trust in Docker](content_trust.md)

 * [Manage keys for content trust](trust_key_mng.md)

+* [Delegations for content trust](trust_delegation.md)

 * [Play in a content trust sandbox](trust_sandbox.md)

new file mode 100644

@@ -0,0 +1,226 @@

+<!--[metadata]>

+title = "Delegations for content trust"

+description = "Delegations for content trust"

+keywords = ["trust, security, delegations, keys, repository"]

+[menu.main]

+parent= "smn_content_trust"

+<![end-metadata]-->

+

+# Delegations for content trust

+

+Docker Engine supports the usage of the `targets/releases` delegation as the

+canonical source of a trusted image tag.

+

+Using this delegation allows you to collaborate with other publishers without

+sharing your repository key (a combination of your targets and snapshot keys -

+please see "[Manage keys for content trust](trust_key_mng.md)" for more information).

+A collaborator can keep their own delegation key private.

+

+The `targest/releases` delegation is currently an optional feature - in order

+to set up delegations, you must use the Notary CLI:

+

+1. [Download the client](https://github.com/docker/notary/releases) and ensure that it is

+available on your path

+

+2. Create a configuration file at `~/.notary/config.json` with the following content:

+

+	```

+	{

+	  "trust_dir" : "~/.docker/trust",

+	  "remote_server": {

+	    "url": "https://notary.docker.io"

+	  }

+	}

+	```

+

+	This tells Notary where the Docker Content Trust data is stored, and to use the

+	Notary server used for images in Docker Hub.

+

+For more detailed information about how to use Notary outside of the default

+Docker Content Trust use cases, please refer to the

+[the Notary CLI documentation](https://docs.docker.com/notary/getting_started/).

+

+Note that when publishing and listing delegation changes using the Notary client,

+your Docker Hub credentials are required.

+

+## Generating delegation keys

+

+Your collaborator needs to generate a private key (either RSA or ECDSA)

+and give you the public key so that you can add it to the `targets/releases`

+delegation.

+

+The easiest way to for them to generate these keys is with OpenSSL.

+Here is an example of how to generate a 2048-bit RSA portion key (all RSA keys

+must be at least 2048 bits):

+

+```

+$ opensl genrsa -out delegation.key 2048

+Generating RSA private key, 2048 bit long modulus

+....................................................+++

+............+++

+e is 65537 (0x10001)

+

+```

+

+They should keep `delegation.key` private - this is what they will use to sign

+tags.

+

+Then they need to generate a x509 certificate containing the public key, which is

+what they will give to you.  Here is the command to generate a CSR (certificate

+signing request):

+

+```

+$ openssl req -new -sha256 -key delegation.key -out delegation.csr

+```

+

+Then they can send it to whichever CA you trust to sign certificates, or they

+can self-sign the certificate (in this example, creating a certificate that is

+valid for 1 year):

+

+```

+$ openssl x509 -req -days 365 -in delegation.csr -signkey delegation.key -out delegation.crt

+```

+

+Then they need to give you `delegation.crt`, whether it is self-signed or signed

+by a CA.

+

+## Adding a delegation key to an existing repository

+

+If your repository was created using a version of Docker Engine prior to 1.11,

+then before adding any delegations, you should rotate the snapshot key to the server

+so that collaborators will not require your snapshot key to sign and publish tags:

+

+```

+$ notary key rotate docker.io/<username>/<imagename> snapshot -r

+```

+

+This tells Notary to rotate a key for your particular image repository - note that

+you must include the `docker.io/` prefix.  `snapshot -r` specifies that you want

+to rotate the snapshot key specifically, and you want the server to manage it (`-r`

+stands for "remote").

+

+When adding a delegation, your must acquire

+[the PEM-encoded x509 certificate with the public key](#generating-delegation-keys)

+of the collaborator you wish to delegate to.

+

+Assuming you have the certificate `delegation.crt`, you can add a delegation

+for this user and then publish the delegation change:

+

+```

+$ notary delegation add docker.io/<username>/<imagename> targets/releases delegation.crt --all-paths

+$ notary publish docker.io/<username>/<imagename>

+```

+

+The preceding example illustrates a request to add the delegation

+`targets/releases` to the image repository, if it doesn't exist.  Be sure to use

+`targets/releases` - Notary supports multiple delegation roles, so if you mistype

+the delegation name, the Notary CLI will not error.  However, Docker Engine

+supports reading only from `targets/releases`.

+

+It also adds the collaborator's public key to the delegation, enabling them to sign

+the `targets/releases` delegation so long as they have the private key corresponding

+to this public key.  The `--all-paths` flags tells Notary not to restrict the tag

+names that can be signed into `targets/releases`, which we highly recommend for

+`targets/releases`.

+

+Publishing the changes tells the server about the changes to the `targets/releases`

+delegation.

+

+After publishing, view the delegation information to ensure that you correctly added

+the keys to `targets/releases`:

+

+```

+$ notary delegation list docker.io/<username>/<imagename>

+

+      ROLE               PATHS                                   KEY IDS                                THRESHOLD

+---------------------------------------------------------------------------------------------------------------

+  targets/releases   "" <all paths>  729c7094a8210fd1e780e7b17b7bb55c9a28a48b871b07f65d97baf93898523a   1

+```

+

+You can see the `targets/releases` with its paths and the key ID you just added.

+

+Notary currently does not map collaborators names to keys, so we recommend

+that you add and list delegation keys one at a time, and keep a mapping of the key

+IDs to collaborators yourself should you need to remove a collaborator.

+

+## Removing a delegation key from an existing repository

+

+To revoke a collaborator's permission to sign tags for your image repository, you must

+know the IDs of their keys, because you need to remove their keys from the

+`targets/releases` delegation.

+

+```

+$ notary delegation remove docker.io/<username>/<imagename> targets/releases 729c7094a8210fd1e780e7b17b7bb55c9a28a48b871b07f65d97baf93898523a

+

+Removal of delegation role targets/releases with keys [729c7094a8210fd1e780e7b17b7bb55c9a28a48b871b07f65d97baf93898523a], to repository "docker.io/<username>/<imagename>" staged for next publish.

+```

+

+The revocation will take effect as soon as you publish:

+

+```

+$ notary publish docker.io/<username>/<imagename>

+```

+

+Note that by removing all the keys from the `targets/releases` delegation, the

+delegation (and any tags that are signed into it) is removed.  That means that

+these tags will all be deleted, and you may end up with older, legacy tags that

+were signed directly by the targets key.

+

+## Removing the `targets/releases` delegation entirely from a repository

+

+If you've decided that delegations aren't for you, you can delete the

+`targets/releases` delegation entirely. This also removes all the tags that

+are currently in `targets/releases`, however, and you may end up with older,

+legacy tags that were signed directly by the targets key.

+

+To delete the `targets/releases` delegation:

+

+```

+$ notary delegation remove docker.io/<username>/<imagename> targets/releases

+

+Are you sure you want to remove all data for this delegation? (yes/no)

+yes

+

+Forced removal (including all keys and paths) of delegation role targets/releases to repository "docker.io/<username>/<imagename>" staged for next publish.

+

+$ notary publish docker.io/<username>/<imagename>

+```

+

+## Pushing trusted data as a collaborator

+

+As a collaborator with a private key that has been added to a repository's

+`targets/releases` delegation, you need to import the private key that you

+generated into Content Trust.

+

+To do so, you can run:

+

+```

+$ notary key import delegation.key --role user

+```

+

+where `delegation.key` is the file containing your PEM-encoded private key.

+

+After you have done so, running `docker push` on any repository that

+includes your key in the `targets/releases` delegation will automatically sign

+tags using this imported key.

+

+## `docker push` behavior

+

+When running `docker push` with Docker Content Trust, Docker Engine

+will attempt to sign and push with the `targets/releases` delegation if it exists.

+If it does not, the targets key will be used to sign the tag, if the key is available.

+

+## `docker pull` and `docker build` behavior

+

+When running `docker pull` or `docker build` with Docker Content Trust, Docker

+Engine will pull tags only signed by the `targets/releases` delegation role or

+the legacy tags that were signed directly with the `targets` key.

+

+## Related information

+

+* [Content trust in Docker](content_trust.md)

+* [Manage keys for content trust](trust_key_mng.md)

+* [Automation with content trust](trust_automation.md)

+* [Play in a content trust sandbox](trust_sandbox.md)

@@ -11,18 +11,34 @@ parent= "smn_content_trust"

 # Manage keys for content trust

 Trust for an image tag is managed through the use of keys. Docker's content

-trust makes use four different keys:

+trust makes use of five different types of keys:

 | Key                 | Description                                                                                                                                                                                                                                                                                                                                                                         |

 |---------------------|---------------------------------------------------------------------------------------------------------------------------------------------------------------------|

-| root key         | Root of content trust for a image tag. When content trust is enabled, you create the root key once. |

-| target and snapshot | These two keys are known together as the "repository" key. When content trust is enabled, you create this key when you add a new image repository. If you have the root key, you can export the repository key and allow other publishers to sign the image tags.    |

-| timestamp           | This key applies to a repository. It allows Docker repositories to have freshness security guarantees without requiring periodic content refreshes on the client's side.                                                                                                              |

+| root key         | Root of content trust for a image tag. When content trust is enabled, you create the root key once. Also known as the offline key, because it should be kept offline. |

+| targets          | This key allows you to sign image tags, to manage delegations including delegated keys or permitted delegation paths. Also known as the repository key, since this key determines what tags can be signed into an image repository. |

+| snapshot         | This key signs the current collection of image tags, preventing mix and match attacks.

+| timestamp        | This key allows Docker image repositories to have freshness security guarantees without requiring periodic content refreshes on the client's side. |

+| delegation       | Delegation keys are optional tagging keys and allow you to delegate signing image tags to other publishers without having to share your targets key. |

-With the exception of the timestamp, all the keys are generated and stored locally

-client-side. The timestamp is safely generated and stored in a signing server that

-is deployed alongside the Docker registry. All keys are generated in a backend

-service that isn't directly exposed to the internet and are encrypted at rest.

+When doing a `docker push` with Content Trust enabled for the first time, the

+root, targets, snapshot, and timestamp keys are generated automatically for

+the image repository:

+

+- The root and targets key are generated and stored locally client-side.

+

+- The timestamp and snapshot keys are safely generated and stored in a signing server

+	that is deployed alongside the Docker registry. These keys are generated in a backend

+	service that isn't directly exposed to the internet and are encrypted at rest.

+

+Delegation keys are optional, and not generated as part of the normal `docker`

+workflow.  They need to be

+[manually generated and added to the repository](trust_delegation.md#generating-delegation-keys).

+

+Note: Prior to Docker Engine 1.11, the snapshot key was also generated and stored

+locally client-side. [Use the Notary CLI to manage your snapshot key locally

+again](https://docs.docker.com/notary/advanced_usage/#rotate-keys) for

+repositories created with newer versions of Docker.

 ## Choosing a passphrase

@@ -68,6 +84,7 @@ the new key.

 ## Related information

-* [Content trust in Docker](content_trust.md) 

+* [Content trust in Docker](content_trust.md)

 * [Automation with content trust](trust_automation.md)

+* [Delegations for content trust](trust_delegation.md)

 * [Play in a content trust sandbox](trust_sandbox.md)

@@ -2,8 +2,11 @@ package main

 import (

 	"fmt"

+	"os"

+	"path/filepath"

 	"testing"

+	"github.com/docker/docker/cliconfig"

 	"github.com/docker/docker/pkg/reexec"

 	"github.com/go-check/check"

 )

@@ -206,5 +209,8 @@ func (s *DockerTrustSuite) TearDownTest(c *check.C) {

 	if s.not != nil {

 		s.not.Close()

 	}

+

+	// Remove trusted keys and metadata after test

+	os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))

 	s.ds.TearDownTest(c)

 }

@@ -5799,6 +5799,83 @@ func (s *DockerTrustSuite) TestBuildContextDirIsSymlink(c *check.C) {

 	}

 }

+func (s *DockerTrustSuite) TestTrustedBuildTagFromReleasesRole(c *check.C) {

+	testRequires(c, NotaryHosting)

+

+	latestTag := s.setupTrustedImage(c, "trusted-build-releases-role")

+	repoName := strings.TrimSuffix(latestTag, ":latest")

+

+	// Now create the releases role

+	s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public)

+	s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)

+	s.notaryPublish(c, repoName)

+

+	// push a different tag to the releases role

+	otherTag := fmt.Sprintf("%s:other", repoName)

+	dockerCmd(c, "tag", "busybox", otherTag)

+

+	pushCmd := exec.Command(dockerBinary, "push", otherTag)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	c.Assert(err, check.IsNil, check.Commentf("Trusted push failed: %s", out))

+	s.assertTargetInRoles(c, repoName, "other", "targets/releases")

+	s.assertTargetNotInRoles(c, repoName, "other", "targets")

+

+	out, status := dockerCmd(c, "rmi", otherTag)

+	c.Assert(status, check.Equals, 0, check.Commentf("docker rmi failed: %s", out))

+

+	dockerFile := fmt.Sprintf(`

+  FROM %s

+  RUN []

+    `, otherTag)

+

+	name := "testtrustedbuildreleasesrole"

+

+	buildCmd := buildImageCmd(name, dockerFile, true)

+	s.trustedCmd(buildCmd)

+	out, _, err = runCommandWithOutput(buildCmd)

+	c.Assert(err, check.IsNil, check.Commentf("Trusted build failed: %s", out))

+	c.Assert(out, checker.Contains, fmt.Sprintf("FROM %s@sha", repoName))

+}

+

+func (s *DockerTrustSuite) TestTrustedBuildTagIgnoresOtherDelegationRoles(c *check.C) {

+	testRequires(c, NotaryHosting)

+

+	latestTag := s.setupTrustedImage(c, "trusted-build-releases-role")

+	repoName := strings.TrimSuffix(latestTag, ":latest")

+

+	// Now create a non-releases delegation role

+	s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[0].Public)

+	s.notaryImportKey(c, repoName, "targets/other", s.not.keys[0].Private)

+	s.notaryPublish(c, repoName)

+

+	// push a different tag to the other role

+	otherTag := fmt.Sprintf("%s:other", repoName)

+	dockerCmd(c, "tag", "busybox", otherTag)

+

+	pushCmd := exec.Command(dockerBinary, "push", otherTag)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	c.Assert(err, check.IsNil, check.Commentf("Trusted push failed: %s", out))

+	s.assertTargetInRoles(c, repoName, "other", "targets/other")

+	s.assertTargetNotInRoles(c, repoName, "other", "targets")

+

+	out, status := dockerCmd(c, "rmi", otherTag)

+	c.Assert(status, check.Equals, 0, check.Commentf("docker rmi failed: %s", out))

+

+	dockerFile := fmt.Sprintf(`

+  FROM %s

+  RUN []

+    `, otherTag)

+

+	name := "testtrustedbuildotherrole"

+

+	buildCmd := buildImageCmd(name, dockerFile, true)

+	s.trustedCmd(buildCmd)

+	out, _, err = runCommandWithOutput(buildCmd)

+	c.Assert(err, check.NotNil, check.Commentf("Trusted build expected to fail: %s", out))

+}

+

 // Issue #15634: COPY fails when path starts with "null"

 func (s *DockerSuite) TestBuildNullStringInAddCopyVolume(c *check.C) {

 	name := "testbuildnullstringinaddcopyvolume"

@@ -254,3 +254,112 @@ func (s *DockerTrustSuite) TestTrustedPullDelete(c *check.C) {

 	_, err = inspectFieldWithError(imageID, "Id")

 	c.Assert(err, checker.NotNil, check.Commentf("image should have been deleted"))

 }

+

+func (s *DockerTrustSuite) TestTrustedPullReadsFromReleasesRole(c *check.C) {

+	testRequires(c, NotaryHosting)

+	repoName := fmt.Sprintf("%v/dockerclireleasesdelegationpulling/trusted", privateRegistryURL)

+	targetName := fmt.Sprintf("%s:latest", repoName)

+

+	// Push with targets first, initializing the repo

+	dockerCmd(c, "tag", "busybox", targetName)

+	pushCmd := exec.Command(dockerBinary, "push", targetName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	c.Assert(err, check.IsNil, check.Commentf(out))

+	s.assertTargetInRoles(c, repoName, "latest", "targets")

+

+	// Try pull, check we retrieve from targets role

+	pullCmd := exec.Command(dockerBinary, "-D", "pull", repoName)

+	s.trustedCmd(pullCmd)

+	out, _, err = runCommandWithOutput(pullCmd)

+	c.Assert(err, check.IsNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "retrieving target for targets role")

+

+	// Now we'll create the releases role, and try pushing and pulling

+	s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public)

+	s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)

+	s.notaryPublish(c, repoName)

+

+	// try a pull, check that we can still pull because we can still read the

+	// old tag in the targets role

+	pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)

+	s.trustedCmd(pullCmd)

+	out, _, err = runCommandWithOutput(pullCmd)

+	c.Assert(err, check.IsNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "retrieving target for targets role")

+

+	// try a pull -a, check that it succeeds because we can still pull from the

+	// targets role

+	pullCmd = exec.Command(dockerBinary, "-D", "pull", "-a", repoName)

+	s.trustedCmd(pullCmd)

+	out, _, err = runCommandWithOutput(pullCmd)

+	c.Assert(err, check.IsNil, check.Commentf(out))

+

+	// Push, should sign with targets/releases

+	dockerCmd(c, "tag", "busybox", targetName)

+	pushCmd = exec.Command(dockerBinary, "push", targetName)

+	s.trustedCmd(pushCmd)

+	out, _, err = runCommandWithOutput(pushCmd)

+	s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases")

+

+	// Try pull, check we retrieve from targets/releases role

+	pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)

+	s.trustedCmd(pullCmd)

+	out, _, err = runCommandWithOutput(pullCmd)

+	c.Assert(out, checker.Contains, "retrieving target for targets/releases role")

+

+	// Create another delegation that we'll sign with

+	s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[1].Public)

+	s.notaryImportKey(c, repoName, "targets/other", s.not.keys[1].Private)

+	s.notaryPublish(c, repoName)

+

+	dockerCmd(c, "tag", "busybox", targetName)

+	pushCmd = exec.Command(dockerBinary, "push", targetName)

+	s.trustedCmd(pushCmd)

+	out, _, err = runCommandWithOutput(pushCmd)

+	s.assertTargetInRoles(c, repoName, "latest", "targets", "targets/releases", "targets/other")

+

+	// Try pull, check we retrieve from targets/releases role

+	pullCmd = exec.Command(dockerBinary, "-D", "pull", repoName)

+	s.trustedCmd(pullCmd)

+	out, _, err = runCommandWithOutput(pullCmd)

+	c.Assert(out, checker.Contains, "retrieving target for targets/releases role")

+}

+

+func (s *DockerTrustSuite) TestTrustedPullIgnoresOtherDelegationRoles(c *check.C) {

+	testRequires(c, NotaryHosting)

+	repoName := fmt.Sprintf("%v/dockerclipullotherdelegation/trusted", privateRegistryURL)

+	targetName := fmt.Sprintf("%s:latest", repoName)

+

+	// We'll create a repo first with a non-release delegation role, so that when we

+	// push we'll sign it into the delegation role

+	s.notaryInitRepo(c, repoName)

+	s.notaryCreateDelegation(c, repoName, "targets/other", s.not.keys[0].Public)

+	s.notaryImportKey(c, repoName, "targets/other", s.not.keys[0].Private)

+	s.notaryPublish(c, repoName)

+

+	// Push should write to the delegation role, not targets

+	dockerCmd(c, "tag", "busybox", targetName)

+	pushCmd := exec.Command(dockerBinary, "push", targetName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	c.Assert(err, check.IsNil, check.Commentf(out))

+	s.assertTargetInRoles(c, repoName, "latest", "targets/other")

+	s.assertTargetNotInRoles(c, repoName, "latest", "targets")

+

+	// Try pull - we should fail, since pull will only pull from the targets/releases

+	// role or the targets role

+	pullCmd := exec.Command(dockerBinary, "-D", "pull", repoName)

+	s.trustedCmd(pullCmd)

+	out, _, err = runCommandWithOutput(pullCmd)

+	c.Assert(err, check.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "No trust data for")

+

+	// try a pull -a: we should fail since pull will only pull from the targets/releases

+	// role or the targets role

+	pullCmd = exec.Command(dockerBinary, "-D", "pull", "-a", repoName)

+	s.trustedCmd(pullCmd)

+	out, _, err = runCommandWithOutput(pullCmd)

+	c.Assert(err, check.NotNil, check.Commentf(out))

+	c.Assert(out, checker.Contains, "No trusted tags for")

+}

@@ -497,37 +497,143 @@ func (s *DockerTrustSuite) TestTrustedPushWithExpiredTimestamp(c *check.C) {

 	})

 }

-func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegation(c *check.C) {

+func (s *DockerTrustSuite) TestTrustedPushWithReleasesDelegationOnly(c *check.C) {

 	testRequires(c, NotaryHosting)

-	repoName := fmt.Sprintf("%v/dockerclireleasedelegation/trusted", privateRegistryURL)

+	repoName := fmt.Sprintf("%v/dockerclireleasedelegationinitfirst/trusted", privateRegistryURL)

 	targetName := fmt.Sprintf("%s:latest", repoName)

-	pwd := "12345678"

-	s.setupDelegations(c, repoName, pwd)

+	s.notaryInitRepo(c, repoName)

+	s.notaryCreateDelegation(c, repoName, "targets/releases", s.not.keys[0].Public)

+	s.notaryPublish(c, repoName)

+

+	s.notaryImportKey(c, repoName, "targets/releases", s.not.keys[0].Private)

 	// tag the image and upload it to the private registry

 	dockerCmd(c, "tag", "busybox", targetName)

-	pushCmd := exec.Command(dockerBinary, "-D", "push", targetName)

-	s.trustedCmdWithPassphrases(pushCmd, pwd, pwd)

+	pushCmd := exec.Command(dockerBinary, "push", targetName)

+	s.trustedCmd(pushCmd)

 	out, _, err := runCommandWithOutput(pushCmd)

 	c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))

 	c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag"))

+	// check to make sure that the target has been added to targets/releases and not targets

+	s.assertTargetInRoles(c, repoName, "latest", "targets/releases")

+	s.assertTargetNotInRoles(c, repoName, "latest", "targets")

 	// Try pull after push

+	os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))

+

 	pullCmd := exec.Command(dockerBinary, "pull", targetName)

 	s.trustedCmd(pullCmd)

 	out, _, err = runCommandWithOutput(pullCmd)

 	c.Assert(err, check.IsNil, check.Commentf(out))

 	c.Assert(string(out), checker.Contains, "Status: Downloaded", check.Commentf(out))

+}

-	// check to make sure that the target has been added to targets/releases and not targets

-	contents, err := ioutil.ReadFile(filepath.Join(cliconfig.ConfigDir(), "trust/tuf", repoName, "metadata/targets.json"))

-	c.Assert(err, check.IsNil, check.Commentf("Unable to read targets metadata"))

-	c.Assert(strings.Contains(string(contents), `"latest"`), checker.False, check.Commentf(string(contents)))

+func (s *DockerTrustSuite) TestTrustedPushSignsAllFirstLevelRolesWeHaveKeysFor(c *check.C) {

+	testRequires(c, NotaryHosting)

+	repoName := fmt.Sprintf("%v/dockerclimanyroles/trusted", privateRegistryURL)

+	targetName := fmt.Sprintf("%s:latest", repoName)

+	s.notaryInitRepo(c, repoName)

+	s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public)

+	s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public)

+	s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public)

+

+	// import everything except the third key

+	s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private)

+	s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private)

+

+	s.notaryCreateDelegation(c, repoName, "targets/role1/subrole", s.not.keys[3].Public)

+	s.notaryImportKey(c, repoName, "targets/role1/subrole", s.not.keys[3].Private)

+

+	s.notaryPublish(c, repoName)

+

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", targetName)

+

+	pushCmd := exec.Command(dockerBinary, "push", targetName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))

+	c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag"))

+

+	// check to make sure that the target has been added to targets/role1 and targets/role2, and

+	// not targets (because there are delegations) or targets/role3 (due to missing key) or

+	// targets/role1/subrole (due to it being a second level delegation)

+	s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role2")

+	s.assertTargetNotInRoles(c, repoName, "latest", "targets")

+

+	// Try pull after push

+	os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))

+

+	// pull should fail because none of these are the releases role

+	pullCmd := exec.Command(dockerBinary, "pull", targetName)

+	s.trustedCmd(pullCmd)

+	out, _, err = runCommandWithOutput(pullCmd)

+	c.Assert(err, check.NotNil, check.Commentf(out))

+}

+

+func (s *DockerTrustSuite) TestTrustedPushSignsForRolesWithKeysAndValidPaths(c *check.C) {

+	repoName := fmt.Sprintf("%v/dockerclirolesbykeysandpaths/trusted", privateRegistryURL)

+	targetName := fmt.Sprintf("%s:latest", repoName)

+	s.notaryInitRepo(c, repoName)

+	s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public, "l", "z")

+	s.notaryCreateDelegation(c, repoName, "targets/role2", s.not.keys[1].Public, "x", "y")

+	s.notaryCreateDelegation(c, repoName, "targets/role3", s.not.keys[2].Public, "latest")

+	s.notaryCreateDelegation(c, repoName, "targets/role4", s.not.keys[3].Public, "latest")

+

+	// import everything except the third key

+	s.notaryImportKey(c, repoName, "targets/role1", s.not.keys[0].Private)

+	s.notaryImportKey(c, repoName, "targets/role2", s.not.keys[1].Private)

+	s.notaryImportKey(c, repoName, "targets/role4", s.not.keys[3].Private)

+

+	s.notaryPublish(c, repoName)

+

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", targetName)

+

+	pushCmd := exec.Command(dockerBinary, "push", targetName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	c.Assert(err, check.IsNil, check.Commentf("trusted push failed: %s\n%s", err, out))

+	c.Assert(out, checker.Contains, "Signing and pushing trust metadata", check.Commentf("Missing expected output on trusted push with existing tag"))

+

+	// check to make sure that the target has been added to targets/role1 and targets/role4, and

+	// not targets (because there are delegations) or targets/role2 (due to path restrictions) or

+	// targets/role3 (due to missing key)

+	s.assertTargetInRoles(c, repoName, "latest", "targets/role1", "targets/role4")

+	s.assertTargetNotInRoles(c, repoName, "latest", "targets")

+

+	// Try pull after push

+	os.RemoveAll(filepath.Join(cliconfig.ConfigDir(), "trust"))

+

+	// pull should fail because none of these are the releases role

+	pullCmd := exec.Command(dockerBinary, "pull", targetName)

+	s.trustedCmd(pullCmd)

+	out, _, err = runCommandWithOutput(pullCmd)

+	c.Assert(err, check.NotNil, check.Commentf(out))

+}

+

+func (s *DockerTrustSuite) TestTrustedPushDoesntSignTargetsIfDelegationsExist(c *check.C) {

+	testRequires(c, NotaryHosting)

+	repoName := fmt.Sprintf("%v/dockerclireleasedelegationnotsignable/trusted", privateRegistryURL)

+	targetName := fmt.Sprintf("%s:latest", repoName)

+	s.notaryInitRepo(c, repoName)

+	s.notaryCreateDelegation(c, repoName, "targets/role1", s.not.keys[0].Public)

+	s.notaryPublish(c, repoName)

+

+	// do not import any delegations key

+

+	// tag the image and upload it to the private registry

+	dockerCmd(c, "tag", "busybox", targetName)

+

+	pushCmd := exec.Command(dockerBinary, "push", targetName)

+	s.trustedCmd(pushCmd)

+	out, _, err := runCommandWithOutput(pushCmd)

+	c.Assert(err, check.NotNil, check.Commentf("trusted push succeeded but should have failed:\n%s", out))

+	c.Assert(out, checker.Contains, "no valid signing keys",

+		check.Commentf("Missing expected output on trusted push without keys"))

-	contents, err = ioutil.ReadFile(filepath.Join(cliconfig.ConfigDir(), "trust/tuf", repoName, "metadata/targets/releases.json"))

-	c.Assert(err, check.IsNil, check.Commentf("Unable to read targets/releases metadata"))