Update UX to use aliases for root, snapshot, and target key
Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan)
| ... | ... |
@@ -13,6 +13,7 @@ import ( |
| 13 | 13 |
"os" |
| 14 | 14 |
"path/filepath" |
| 15 | 15 |
"regexp" |
| 16 |
+ "sort" |
|
| 16 | 17 |
"strconv" |
| 17 | 18 |
"strings" |
| 18 | 19 |
"time" |
| ... | ... |
@@ -176,11 +177,16 @@ func convertTarget(t client.Target) (target, error) {
|
| 176 | 176 |
} |
| 177 | 177 |
|
| 178 | 178 |
func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever {
|
| 179 |
- baseRetriever := passphrase.PromptRetrieverWithInOut(cli.in, cli.out) |
|
| 179 |
+ aliasMap := map[string]string{
|
|
| 180 |
+ "root": "offline", |
|
| 181 |
+ "snapshot": "tagging", |
|
| 182 |
+ "targets": "tagging", |
|
| 183 |
+ } |
|
| 184 |
+ baseRetriever := passphrase.PromptRetrieverWithInOut(cli.in, cli.out, aliasMap) |
|
| 180 | 185 |
env := map[string]string{
|
| 181 |
- "root": os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"),
|
|
| 182 |
- "targets": os.Getenv("DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE"),
|
|
| 183 |
- "snapshot": os.Getenv("DOCKER_CONTENT_TRUST_SNAPSHOT_PASSPHRASE"),
|
|
| 186 |
+ "root": os.Getenv("DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE"),
|
|
| 187 |
+ "snapshot": os.Getenv("DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE"),
|
|
| 188 |
+ "targets": os.Getenv("DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE"),
|
|
| 184 | 189 |
} |
| 185 | 190 |
return func(keyName string, alias string, createNew bool, numAttempts int) (string, bool, error) {
|
| 186 | 191 |
if v := env[alias]; v != "" {
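Review bot: getPassphraseRetriever still has no doc comment, and the new alias wiring is exactly what a reader needs spelled out: the display names come from aliasMap while env is still keyed by the role names root/snapshot/targets, so whether `env[alias]` on the last visible line is looked up by role or by display alias depends on what PromptRetrieverWithInOut passes into the closure — worth confirming, since a mismatch would silently fall through to the interactive prompt. Suggested comment above the function: `// getPassphraseRetriever returns a retriever that first honours DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE (root key) and DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE (snapshot and targets keys) and otherwise prompts on cli.in/cli.out, presenting root as "offline" and snapshot/targets as "tagging".` Snapshot and targets now deliberately share one passphrase variable; a one-line comment on the env map saying so would stop the next reader from treating the duplicated Getenv as a copy-paste mistake. aliasMap is rebuilt on every call although it is constant, so it could be a package-level var. The closure body continues past the hunk.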
|
| ... | ... |
@@ -311,6 +317,22 @@ func (cli *DockerCli) trustedPull(repoInfo *registry.RepositoryInfo, ref registr |
| 311 | 311 |
return nil |
| 312 | 312 |
} |
| 313 | 313 |
|
| 314 |
+func selectKey(keys map[string]string) string {
|
|
| 315 |
+ if len(keys) == 0 {
|
|
| 316 |
+ return "" |
|
| 317 |
+ } |
|
| 318 |
+ |
|
| 319 |
+ keyIDs := []string{}
|
|
| 320 |
+ for k := range keys {
|
|
| 321 |
+ keyIDs = append(keyIDs, k) |
|
| 322 |
+ } |
|
| 323 |
+ |
|
| 324 |
+ // TODO(dmcgowan): let user choose if multiple keys, now pick consistently |
|
| 325 |
+ sort.Strings(keyIDs) |
|
| 326 |
+ |
|
| 327 |
+ return keyIDs[0] |
|
| 328 |
+} |
|
| 329 |
+ |
|
| 314 | 330 |
func targetStream(in io.Writer) (io.WriteCloser, <-chan []target) {
|
| 315 | 331 |
r, w := io.Pipe() |
| 316 | 332 |
out := io.MultiWriter(in, w) |
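Review bot: selectKey silently picks the lexicographically smallest ID when keys holds more than one root key, and neither it nor its caller trustedPush (the `rootKey := selectKey(keys)` line in the later hunk) tells the user which key was chosen; until the TODO is resolved, a one-line warning to the CLI's error stream when `len(keys) > 1` would make an unexpected signing key diagnosable rather than a surprise. The function also lacks a doc comment; suggested: `// selectKey returns the lexicographically smallest key ID in keys, or "" when keys is empty.` Minor: `keyIDs := []string{}` allocates and then grows on each append; `keyIDs := make([]string, 0, len(keys))` sizes it once.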
| ... | ... |
@@ -409,16 +431,13 @@ func (cli *DockerCli) trustedPush(repoInfo *registry.RepositoryInfo, tag string, |
| 409 | 409 |
|
| 410 | 410 |
ks := repo.KeyStoreManager |
| 411 | 411 |
keys := ks.RootKeyStore().ListKeys() |
| 412 |
- var rootKey string |
|
| 413 | 412 |
|
| 414 |
- if len(keys) == 0 {
|
|
| 413 |
+ rootKey := selectKey(keys) |
|
| 414 |
+ if rootKey == "" {
|
|
| 415 | 415 |
rootKey, err = ks.GenRootKey("ecdsa")
|
| 416 | 416 |
if err != nil {
|
| 417 | 417 |
return err |
| 418 | 418 |
} |
| 419 |
- } else {
|
|
| 420 |
- // TODO(dmcgowan): let user choose |
|
| 421 |
- rootKey = keys[0] |
|
| 422 | 419 |
} |
| 423 | 420 |
|
| 424 | 421 |
cryptoService, err := ks.GetRootCryptoService(rootKey) |
| ... | ... |
@@ -275,7 +275,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *c |
| 275 | 275 |
|
| 276 | 276 |
// Push with wrong passphrases |
| 277 | 277 |
pushCmd = exec.Command(dockerBinary, "push", repoName) |
| 278 |
- s.trustedCmdWithPassphrases(pushCmd, "12345678", "87654321", "87654321") |
|
| 278 |
+ s.trustedCmdWithPassphrases(pushCmd, "12345678", "87654321") |
|
| 279 | 279 |
out, _, err = runCommandWithOutput(pushCmd) |
| 280 | 280 |
if err == nil {
|
| 281 | 281 |
c.Fatalf("Error missing from trusted push with short targets passphrase: \n%s", out)
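Review bot: The Fatalf message on the last context line still says "short targets passphrase", but the test now passes an incorrect (not short) tagging passphrase as the second argument, so the failure text would mislead whoever reads a red build; suggested `c.Fatalf("Error missing from trusted push with incorrect tagging passphrase: \n%s", out)`. The test body continues past the hunk.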
|
| ... | ... |
@@ -32,7 +32,8 @@ func newTestNotary(c *check.C) (*testNotary, error) {
|
| 32 | 32 |
"trust_service": {
|
| 33 | 33 |
"type": "local", |
| 34 | 34 |
"hostname": "", |
| 35 |
- "port": "" |
|
| 35 |
+ "port": "", |
|
| 36 |
+ "key_algorithm": "ed25519" |
|
| 36 | 37 |
}, |
| 37 | 38 |
"logging": {
|
| 38 | 39 |
"level": 5 |
| ... | ... |
@@ -116,25 +117,24 @@ func (t *testNotary) Close() {
|
| 116 | 116 |
|
| 117 | 117 |
func (s *DockerTrustSuite) trustedCmd(cmd *exec.Cmd) {
|
| 118 | 118 |
pwd := "12345678" |
| 119 |
- trustCmdEnv(cmd, s.not.address(), pwd, pwd, pwd) |
|
| 119 |
+ trustCmdEnv(cmd, s.not.address(), pwd, pwd) |
|
| 120 | 120 |
} |
| 121 | 121 |
|
| 122 | 122 |
func (s *DockerTrustSuite) trustedCmdWithServer(cmd *exec.Cmd, server string) {
|
| 123 | 123 |
pwd := "12345678" |
| 124 |
- trustCmdEnv(cmd, server, pwd, pwd, pwd) |
|
| 124 |
+ trustCmdEnv(cmd, server, pwd, pwd) |
|
| 125 | 125 |
} |
| 126 | 126 |
|
| 127 |
-func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, snapshotPwd, targetPwd string) {
|
|
| 128 |
- trustCmdEnv(cmd, s.not.address(), rootPwd, snapshotPwd, targetPwd) |
|
| 127 |
+func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, offlinePwd, taggingPwd string) {
|
|
| 128 |
+ trustCmdEnv(cmd, s.not.address(), offlinePwd, taggingPwd) |
|
| 129 | 129 |
} |
| 130 | 130 |
|
| 131 |
-func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, snapshotPwd, targetPwd string) {
|
|
| 131 |
+func trustCmdEnv(cmd *exec.Cmd, server, offlinePwd, taggingPwd string) {
|
|
| 132 | 132 |
env := []string{
|
| 133 | 133 |
"DOCKER_CONTENT_TRUST=1", |
| 134 | 134 |
fmt.Sprintf("DOCKER_CONTENT_TRUST_SERVER=%s", server),
|
| 135 |
- fmt.Sprintf("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
|
|
| 136 |
- fmt.Sprintf("DOCKER_CONTENT_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd),
|
|
| 137 |
- fmt.Sprintf("DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE=%s", targetPwd),
|
|
| 135 |
+ fmt.Sprintf("DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE=%s", offlinePwd),
|
|
| 136 |
+ fmt.Sprintf("DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE=%s", taggingPwd),
|
|
| 138 | 137 |
} |
| 139 | 138 |
cmd.Env = append(os.Environ(), env...) |
| 140 | 139 |
} |
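Review bot: trustCmdEnv appends the DOCKER_CONTENT_TRUST_* entries to os.Environ() without removing same-named variables already present in the parent environment, so a developer whose shell exports DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE gives the child two entries for one key; which entry wins is not guaranteed across Go versions and platforms (later Go releases keep the last value, older ones leave it to the OS), so filtering the inherited environment for that prefix before appending would make the helper deterministic. The `pwd := "12345678"` literal is duplicated in trustedCmd and trustedCmdWithServer and the same value appears in the callers; a single `const testPassphrase = "12345678"` would keep them in step. A short doc comment naming the two variables the helper sets would also help: `// trustCmdEnv configures cmd to run with content trust enabled against server, using offlinePwd for the root key and taggingPwd for the snapshot and targets keys.`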