// Given a control.Marshal'able object, encode it to the blobstore, while
// also clearsigning the data.
func (a Archive) encodeClearsigned(data interface{}) (*blobstore.Object, error) {
if a.signingKey == nil {
return nil, fmt.Errorf("No signing key loaded")
}
fd, err := a.Store.Create()
if err != nil {
return nil, err
}
defer fd.Close()
wc, err := clearsign.Encode(fd, a.signingKey.PrivateKey, &packet.Config{
DefaultHash: crypto.SHA512,
})
if err != nil {
return nil, err
}
encoder, err := control.NewEncoder(wc)
if err != nil {
return nil, err
}
if err := encoder.Encode(data); err != nil {
return nil, err
}
if err := wc.Close(); err != nil {
return nil, err
}
return a.Store.Commit(*fd)
}
// ClearSign signs a chart with the given key.
//
// This takes the path to a chart archive file and a key, and it returns a clear signature.
//
// The Signatory must have a valid Entity.PrivateKey for this to work. If it does
// not, an error will be returned.
func (s *Signatory) ClearSign(chartpath string) (string, error) {
if s.Entity == nil {
return "", errors.New("private key not found")
} else if s.Entity.PrivateKey == nil {
return "", errors.New("provided key is not a private key")
}
if fi, err := os.Stat(chartpath); err != nil {
return "", err
} else if fi.IsDir() {
return "", errors.New("cannot sign a directory")
}
out := bytes.NewBuffer(nil)
b, err := messageBlock(chartpath)
if err != nil {
return "", nil
}
// Sign the buffer
w, err := clearsign.Encode(out, s.Entity.PrivateKey, &defaultPGPConfig)
if err != nil {
return "", err
}
_, err = io.Copy(w, b)
w.Close()
return out.String(), err
}
// ClearSign the assertions using the private key and return a clear-signed buffer.
// If the private key is encrypted, the passphrase must be supplied to decrypt
// the key.
func ClearSign(assertions, armoredPrivateKey, passphrase string) ([]byte, error) {
keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBufferString(armoredPrivateKey))
if err != nil {
return nil, err
}
// Decrypt the private key, if it is encrypted
privateKey := keyring[0].PrivateKey
if privateKey.Encrypted {
err = privateKey.Decrypt([]byte(passphrase))
if err != nil {
return nil, err
}
}
// Sign the assertions and save the result in the buffer
var buf bytes.Buffer
plaintext, err := clearsign.Encode(&buf, privateKey, nil)
if err != nil {
return nil, err
}
_, err = plaintext.Write([]byte(assertions))
if err != nil {
return nil, err
}
err = plaintext.Close()
if err != nil {
return nil, err
}
return buf.Bytes(), nil
}
func testSignedManifest(t *testing.T, modify func(*pods.Manifest, *openpgp.Entity)) (*pods.Manifest, *openpgp.Entity) {
testManifest := testManifest(t)
if fakeSigner == nil {
var err error
fakeSigner, err = openpgp.ReadEntity(packet.NewReader(bytes.NewReader(fakeEntity)))
Assert(t).IsNil(err, "should have read entity")
}
if modify != nil {
modify(testManifest, fakeSigner)
}
manifestBytes, err := testManifest.Marshal()
Assert(t).IsNil(err, "manifest bytes error should have been nil")
var buf bytes.Buffer
sigWriter, err := clearsign.Encode(&buf, fakeSigner.PrivateKey, nil)
Assert(t).IsNil(err, "clearsign Encode error should have been nil")
sigWriter.Write(manifestBytes)
sigWriter.Close()
manifest, err := pods.ManifestFromBytes(buf.Bytes())
Assert(t).IsNil(err, "should have generated manifest from signed bytes")
return manifest, fakeSigner
}
func testHookListener(t *testing.T) (HookListener, string, <-chan struct{}) {
hookPrefix := kp.HOOK_TREE
destDir, _ := ioutil.TempDir("", "pods")
defer os.RemoveAll(destDir)
execDir, err := ioutil.TempDir("", "exec")
defer os.RemoveAll(execDir)
Assert(t).IsNil(err, "should not have erred creating a tempdir")
current, err := user.Current()
Assert(t).IsNil(err, "test setup: could not get the current user")
builder := manifest.NewBuilder()
builder.SetID("users")
builder.SetRunAsUser(current.Username)
builder.SetLaunchables(map[launch.LaunchableID]launch.LaunchableStanza{
"create": {
Location: util.From(runtime.Caller(0)).ExpandPath("hoisted-hello_def456.tar.gz"),
LaunchableType: "hoist",
LaunchableId: "create",
},
})
podManifest := builder.GetManifest()
manifestBytes, err := podManifest.Marshal()
Assert(t).IsNil(err, "manifest bytes error should have been nil")
fakeSigner, err := openpgp.NewEntity("p2", "p2-test", "*****@*****.**", nil)
Assert(t).IsNil(err, "NewEntity error should have been nil")
var buf bytes.Buffer
sigWriter, err := clearsign.Encode(&buf, fakeSigner.PrivateKey, nil)
Assert(t).IsNil(err, "clearsign encode error should have been nil")
sigWriter.Write(manifestBytes)
sigWriter.Close()
podManifest, err = manifest.FromBytes(buf.Bytes())
Assert(t).IsNil(err, "should have generated manifest from signed bytes")
fakeIntent := fakeStoreWithManifests(kp.ManifestResult{
Manifest: podManifest,
})
hookFactory := pods.NewHookFactory(destDir, "testNode")
listener := HookListener{
Intent: fakeIntent,
HookPrefix: hookPrefix,
ExecDir: execDir,
HookFactory: hookFactory,
Logger: logging.DefaultLogger,
authPolicy: auth.FixedKeyringPolicy{openpgp.EntityList{fakeSigner}, nil},
artifactVerifier: auth.NopVerifier(),
artifactRegistry: artifact.NewRegistry(nil, uri.DefaultFetcher, osversion.DefaultDetector),
}
return listener, destDir, fakeIntent.quit
}
func encodeCloudYAML(c *gc.C, yaml string) string {
// TODO(wallyworld) - move test signing key elsewhere
keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBufferString(sstesting.SignedMetadataPrivateKey))
c.Assert(err, jc.ErrorIsNil)
privateKey := keyring[0].PrivateKey
err = privateKey.Decrypt([]byte(sstesting.PrivateKeyPassphrase))
c.Assert(err, jc.ErrorIsNil)
var buf bytes.Buffer
plaintext, err := clearsign.Encode(&buf, privateKey, nil)
c.Assert(err, jc.ErrorIsNil)
_, err = plaintext.Write([]byte(yaml))
c.Assert(err, jc.ErrorIsNil)
err = plaintext.Close()
c.Assert(err, jc.ErrorIsNil)
return string(buf.Bytes())
}
// it will sign the sha256 hash (or any string) and save it
// under the path (signer Path) and uuid as file name
func (s *Signer) SignIt(sha256 string, uuid string) {
var buf bytes.Buffer
w, err := clearsign.Encode(&buf, s.Entity.PrivateKey, nil)
if err != nil {
log.Fatal(err)
}
_, _ = w.Write([]byte(sha256))
w.Close()
ret := buf.Bytes()
f, err := os.Create(filepath.Join(s.Path, uuid))
defer f.Close()
if err != nil {
log.Fatal(err)
}
f.WriteString(string(ret[:]))
}
func Clearsign(input io.Reader, output io.Writer, key string) error {
entity, err := findKey(key)
if err != nil {
return err
}
w, err := clearsign.Encode(output, entity.PrivateKey, nil)
if err != nil {
return err
}
_, err = io.Copy(w, input)
if err != nil {
return err
}
err = w.Close()
if err != nil {
return err
}
return nil
}
// Encode signs the data returned by the reader and returns an inline signed copy.
func Encode(r io.Reader, armoredPrivateKey, passphrase string) ([]byte, error) {
keyring, err := openpgp.ReadArmoredKeyRing(bytes.NewBufferString(armoredPrivateKey))
if err != nil {
return nil, err
}
privateKey := keyring[0].PrivateKey
if privateKey.Encrypted {
err = privateKey.Decrypt([]byte(passphrase))
if err != nil {
return nil, err
}
}
var buf bytes.Buffer
plaintext, err := clearsign.Encode(&buf, privateKey, nil)
if err != nil {
return nil, err
}
metadata, err := ioutil.ReadAll(r)
if err != nil {
return nil, err
}
dataToSign := metadata
if dataToSign[0] == '\n' {
dataToSign = dataToSign[1:]
}
_, err = plaintext.Write([]byte(dataToSign))
if err != nil {
return nil, err
}
err = plaintext.Close()
if err != nil {
return nil, err
}
return buf.Bytes(), nil
}
func TestHookPodsInstallAndLinkCorrectly(t *testing.T) {
hookPrefix := "hooks"
destDir, _ := ioutil.TempDir("", "pods")
defer os.RemoveAll(destDir)
execDir, err := ioutil.TempDir("", "exec")
defer os.RemoveAll(execDir)
Assert(t).IsNil(err, "should not have erred creating a tempdir")
current, err := user.Current()
Assert(t).IsNil(err, "test setup: could not get the current user")
manifest := &pods.Manifest{
Id: "users",
RunAs: current.Username,
LaunchableStanzas: map[string]pods.LaunchableStanza{
"create": pods.LaunchableStanza{
Location: util.From(runtime.Caller(0)).ExpandPath("hoisted-hello_def456.tar.gz"),
LaunchableType: "hoist",
LaunchableId: "create",
},
},
}
manifestBytes, err := manifest.OriginalBytes()
Assert(t).IsNil(err, "manifest bytes error should have been nil")
fakeSigner, err := openpgp.NewEntity("p2", "p2-test", "*****@*****.**", nil)
Assert(t).IsNil(err, "NewEntity error should have been nil")
var buf bytes.Buffer
sigWriter, err := clearsign.Encode(&buf, fakeSigner.PrivateKey, nil)
Assert(t).IsNil(err, "clearsign encode error should have been nil")
sigWriter.Write(manifestBytes)
sigWriter.Close()
manifest, err = pods.ManifestFromBytes(buf.Bytes())
Assert(t).IsNil(err, "should have generated manifest from signed bytes")
fakeIntent := fakeStoreWithManifests(kp.ManifestResult{
Path: path.Join(hookPrefix, "before_install/users"),
Manifest: *manifest,
})
listener := HookListener{
Intent: fakeIntent,
HookPrefix: hookPrefix,
ExecDir: execDir,
DestinationDir: destDir,
Logger: logging.DefaultLogger,
authPolicy: auth.FixedKeyringPolicy{openpgp.EntityList{fakeSigner}, nil},
}
errCh := make(chan error, 1)
listener.Sync(fakeIntent.quit, errCh)
select {
case err := <-errCh:
Assert(t).IsNil(err, "There should not have been an error in the call to sync")
default:
}
currentAlias := path.Join(destDir, "before_install", "users", "create", "current", "bin", "launch")
_, err = os.Stat(currentAlias)
Assert(t).IsNil(err, fmt.Sprintf("%s should have been created", currentAlias))
hookFile := path.Join(execDir, "before_install", "users__create__launch")
_, err = os.Stat(hookFile)
Assert(t).IsNil(err, "should have created the user launch script")
}
