// Verify checks every launchable in the manifest that declares a digest
// location. For each such launchable it fetches the digest (and its signature
// location) through the launchable's own Fetcher, requires the auth policy to
// certify the digest, and only then compares the files under the launchable's
// install dir against it. The first error encountered is returned.
//
// A launchable whose DigestLocation is empty is skipped without error, so a
// manifest can leave a launchable entirely unverified; callers relying on
// Verify as an integrity gate should be aware of that opt-out.
func (pod *Pod) Verify(manifest *Manifest, authPolicy auth.Policy) error {
	for _, stanza := range manifest.LaunchableStanzas {
		// Nothing declared to verify against.
		if stanza.DigestLocation == "" {
			continue
		}

		l, err := pod.getLaunchable(stanza, manifest.RunAsUser())
		if err != nil {
			return err
		}

		// Pull the digest and its signature location using this launchable's fetcher.
		d, err := digest.ParseUris(l.Fetcher, stanza.DigestLocation, stanza.DigestSignatureLocation)
		if err != nil {
			return err
		}

		// The digest is trusted only once the policy has certified it ...
		if err = authPolicy.CheckDigest(d); err != nil {
			return err
		}
		// ... and only then is it used to check what is actually installed.
		if err = d.VerifyDir(l.InstallDir()); err != nil {
			return err
		}
	}
	return nil
}
// Verify checks each launchable in the manifest that declares a digest
// location. For such a launchable it parses the digest and signature
// locations as URLs, fetches the digest with uri.DefaultFetcher, requires the
// auth policy to certify it, and then compares the files under the
// launchable's install dir against it. The first failure is returned.
//
// Two caveats for anyone using this as an integrity gate: a launchable whose
// DigestLocation is empty is skipped silently, and url.Parse accepts an empty
// string, so an unset DigestSignatureLocation reaches digest.ParseUris as an
// empty URL — whether ParseUris rejects that is not visible here.
func (pod *Pod) Verify(manifest manifest.Manifest, authPolicy auth.Policy) error {
	for id, stanza := range manifest.GetLaunchableStanzas() {
		// Nothing declared to verify against.
		if stanza.DigestLocation == "" {
			continue
		}

		l, err := pod.getLaunchable(id, stanza, manifest.RunAsUser())
		if err != nil {
			return err
		}

		digestURL, err := url.Parse(stanza.DigestLocation)
		if err != nil {
			return util.Errorf("Couldn't parse digest location '%s' as a url: %s", stanza.DigestLocation, err)
		}
		sigURL, err := url.Parse(stanza.DigestSignatureLocation)
		if err != nil {
			return util.Errorf("Couldn't parse digest signature location '%s' as a url: %s", stanza.DigestSignatureLocation, err)
		}

		// Fetch the digest and its signature with the process-wide default fetcher.
		d, err := digest.ParseUris(uri.DefaultFetcher, digestURL, sigURL)
		if err != nil {
			return err
		}

		// The digest is trusted only once the policy has certified it ...
		if err = authPolicy.CheckDigest(d); err != nil {
			return err
		}
		// ... and only then is it used to check what is actually installed.
		if err = d.VerifyDir(l.InstallDir()); err != nil {
			return err
		}
	}
	return nil
}
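// authorize builds the auth.Policy selected by --auth-type, validates that the
// other auth flags are consistent with that choice, and then asks the policy
// to authorize the manifest. A failure is logged (with the structured fields
// of an auth.Error when the error carries them) and returned. The null auth
// type returns nil without consulting the manifest at all.
//
// Every auth type rejects the flags it does not use, mirroring what the null
// type already did: the keyring policy is built from --keyring and
// --allowed-users only, and the user policy from --keyring and
// --deploy-policy only, so a flag that does not feed the chosen policy is an
// error rather than something silently ignored. This keeps an operator from
// passing, say, --deploy-policy under the keyring type and assuming it is
// being enforced.
func authorize(manifest manifest.Manifest) error {
	var policy auth.Policy
	var err error

	switch *authType {
	case auth.Null:
		// No authorization at all; refuse flags that would suggest otherwise.
		if *keyring != "" {
			return util.Errorf("--keyring may not be specified if --auth-type is '%s'", *authType)
		}
		if *deployPolicy != "" {
			return util.Errorf("--deploy-policy may not be specified if --auth-type is '%s'", *authType)
		}
		if len(*allowedUsers) != 0 {
			return util.Errorf("--allowed-users may not be specified if --auth-type is '%s'", *authType)
		}
		return nil

	case auth.Keyring:
		if *keyring == "" {
			return util.Errorf("Must specify --keyring if --auth-type is '%s'", *authType)
		}
		if len(*allowedUsers) == 0 {
			return util.Errorf("Must specify at least one allowed user if using a keyring auth type")
		}
		// The keyring policy never reads --deploy-policy; reject it so it is
		// not silently ignored.
		if *deployPolicy != "" {
			return util.Errorf("--deploy-policy may not be specified if --auth-type is '%s'", *authType)
		}
		policy, err = auth.NewFileKeyringPolicy(
			*keyring,
			map[types.PodID][]string{
				constants.PreparerPodID: *allowedUsers,
			},
		)
		if err != nil {
			return err
		}

	case auth.User:
		if *keyring == "" {
			return util.Errorf("Must specify --keyring if --auth-type is '%s'", *authType)
		}
		if *deployPolicy == "" {
			return util.Errorf("Must specify --deploy-policy if --auth-type is '%s'", *authType)
		}
		// The user policy never reads --allowed-users; reject it so it is not
		// silently ignored.
		if len(*allowedUsers) != 0 {
			return util.Errorf("--allowed-users may not be specified if --auth-type is '%s'", *authType)
		}
		policy, err = auth.NewUserPolicy(
			*keyring,
			*deployPolicy,
			constants.PreparerPodID,
			constants.PreparerPodID.String(),
		)
		if err != nil {
			return err
		}

	default:
		return util.Errorf("Unknown --auth-type: %s", *authType)
	}

	logger := logging.NewLogger(logrus.Fields{})
	logger.Logger.Formatter = new(logrus.TextFormatter)

	if err = policy.AuthorizeApp(manifest, logger); err != nil {
		// auth.Error carries structured fields worth surfacing in the log;
		// anything else is logged as-is.
		if authErr, ok := err.(auth.Error); ok {
			logger.WithFields(authErr.Fields).Errorln(authErr)
		} else {
			logger.NoFields().Errorln(err)
		}
		return err
	}
	return nil
}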