// Per-test set up that returns a cleanup function. This set up:
// - changes the passphrase retriever to always produce a constant passphrase
// - disables touch on yubikeys
// - deletes all keys on the yubikey
func setUp(t *testing.T) func() {
oldRetriever := retriever
var fake = func(k, a string, c bool, n int) (string, bool, error) {
if k == "Yubikey" {
return oldRetriever(k, a, c, n)
}
return testPassphrase, false, nil
}
retriever = fake
getRetriever = func() passphrase.Retriever { return fake }
yubikey.SetYubikeyKeyMode(yubikey.KeymodeNone)
// //we're just removing keys here, so nil is fine
s, err := yubikey.NewYubiKeyStore(nil, retriever)
assert.NoError(t, err)
for k := range s.ListKeys() {
err := s.RemoveKey(k)
assert.NoError(t, err)
}
return func() {
retriever = oldRetriever
getRetriever = getPassphraseRetriever
yubikey.SetYubikeyKeyMode(yubikey.KeymodeTouch | yubikey.KeymodePinOnce)
}
}
func init() {
yubikey.SetYubikeyKeyMode(yubikey.KeymodeNone)
regRetriver := passphrase.PromptRetriever()
_retriever := func(k, a string, c bool, n int) (string, bool, error) {
if k == "Yubikey" {
return regRetriver(k, a, c, n)
}
return testPassphrase, false, nil
}
// best effort at removing keys here, so nil is fine
s, err := yubikey.NewYubiKeyStore(nil, _retriever)
if err != nil {
for k := range s.ListKeys() {
s.RemoveKey(k)
}
}
NewNotaryCommand = func() *cobra.Command {
commander := ¬aryCommander{
getRetriever: func() passphrase.Retriever { return _retriever },
}
return commander.GetCommand()
}
}
// Per-test set up deletes all keys on the yubikey
func setUp(t *testing.T) {
//we're just removing keys here, so nil is fine
s, err := yubikey.NewYubiKeyStore(nil, _retriever)
assert.NoError(t, err)
for k := range s.ListKeys() {
err := s.RemoveKey(k)
assert.NoError(t, err)
}
}
// ensures that the root is actually on the yubikey - this makes sure the
// commands are hooked up to interact with the yubikey, rather than right files
// on disk
func verifyRootKeyOnHardware(t *testing.T, rootKeyID string) {
// do not bother verifying if there is no yubikey available
if yubikey.YubikeyAccessible() {
// //we're just getting keys here, so nil is fine
s, err := yubikey.NewYubiKeyStore(nil, retriever)
assert.NoError(t, err)
privKey, role, err := s.GetKey(rootKeyID)
assert.NoError(t, err)
assert.NotNil(t, privKey)
assert.Equal(t, data.CanonicalRootRole, role)
}
}
// clear out all keys
func init() {
yubikey.SetYubikeyKeyMode(0)
if !yubikey.YubikeyAccessible() {
return
}
store, err := yubikey.NewYubiKeyStore(nil, nil)
if err == nil {
for k := range store.ListKeys() {
store.RemoveKey(k)
}
}
}
// NewNotaryRepository is a helper method that returns a new notary repository.
// It takes the base directory under where all the trust files will be stored
// (usually ~/.docker/trust/).
func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
retriever passphrase.Retriever) (
*NotaryRepository, error) {
fileKeyStore, err := trustmanager.NewKeyFileStore(baseDir, retriever)
if err != nil {
return nil, fmt.Errorf("failed to create private key store in directory: %s", baseDir)
}
keyStores := []trustmanager.KeyStore{fileKeyStore}
yubiKeyStore, _ := yubikey.NewYubiKeyStore(fileKeyStore, retriever)
if yubiKeyStore != nil {
keyStores = []trustmanager.KeyStore{yubiKeyStore, fileKeyStore}
}
return repositoryFromKeystores(baseDir, gun, baseURL, rt, keyStores)
}
// NewNotaryRepository is a helper method that returns a new notary repository.
// It takes the base directory under where all the trust files will be stored
// (usually ~/.docker/trust/).
func NewNotaryRepository(baseDir, gun, baseURL string, rt http.RoundTripper,
retriever passphrase.Retriever) (*NotaryRepository, error) {
fileKeyStore, err := trustmanager.NewKeyFileStore(baseDir, retriever)
if err != nil {
return nil, fmt.Errorf("failed to create private key store in directory: %s", baseDir)
}
keyStoreManager, err := keystoremanager.NewKeyStoreManager(baseDir)
yubiKeyStore, _ := yubikey.NewYubiKeyStore(fileKeyStore, retriever)
var cryptoService signed.CryptoService
if yubiKeyStore == nil {
cryptoService = cryptoservice.NewCryptoService(gun, fileKeyStore)
} else {
cryptoService = cryptoservice.NewCryptoService(gun, yubiKeyStore, fileKeyStore)
}
nRepo := &NotaryRepository{
gun: gun,
baseDir: baseDir,
baseURL: baseURL,
tufRepoPath: filepath.Join(baseDir, tufDir, filepath.FromSlash(gun)),
CryptoService: cryptoService,
roundTrip: rt,
KeyStoreManager: keyStoreManager,
}
fileStore, err := store.NewFilesystemStore(
nRepo.tufRepoPath,
"metadata",
"json",
"",
)
if err != nil {
return nil, err
}
nRepo.fileStore = fileStore
return nRepo, nil
}
func getYubiKeyStore(fileKeyStore trustmanager.KeyStore, ret passphrase.Retriever) (trustmanager.KeyStore, error) {
return yubikey.NewYubiKeyStore(fileKeyStore, ret)
}
