// NewNotaryRepository is a helper method that returns a new notary repository.
// It takes the base directory under where all the trust files will be stored
// (usually ~/.docker/trust/).
func NewNotaryRepository(baseDir, gun, baseURL string) (*NotaryRepository, error) {
trustDir := filepath.Join(baseDir, trustDir)
rootKeysDir := filepath.Join(baseDir, rootKeysDir)
privKeyStore, err := trustmanager.NewKeyFileStore(filepath.Join(baseDir, privDir))
if err != nil {
return nil, err
}
signer := signed.NewSigner(NewCryptoService(gun, privKeyStore))
nRepo := &NotaryRepository{
Gun: gun,
baseDir: baseDir,
baseURL: baseURL,
tufRepoPath: filepath.Join(baseDir, tufDir, gun),
signer: signer,
privKeyStore: privKeyStore,
}
if err := nRepo.loadKeys(trustDir, rootKeysDir); err != nil {
return nil, err
}
return nRepo, nil
}
func tufAdd(cmd *cobra.Command, args []string) {
if len(args) < 3 {
cmd.Usage()
fatalf("must specify a GUN, target, and path to target data")
}
gun := args[0]
targetName := args[1]
targetPath := args[2]
kdb := keys.NewDB()
signer := signed.NewSigner(NewCryptoService(gun))
repo := tuf.NewTufRepo(kdb, signer)
b, err := ioutil.ReadFile(targetPath)
if err != nil {
fatalf(err.Error())
}
filestore := bootstrapRepo(gun, repo)
fmt.Println("Generating metadata for target")
meta, err := data.NewFileMeta(bytes.NewBuffer(b))
if err != nil {
fatalf(err.Error())
}
fmt.Printf("Adding target \"%s\" with sha256 \"%s\" and size %d bytes.\n", targetName, meta.Hashes["sha256"], meta.Length)
_, err = repo.AddTargets("targets", data.Files{targetName: meta})
if err != nil {
fatalf(err.Error())
}
saveRepo(repo, filestore)
}
func TestInitRepo(t *testing.T) {
ed25519 := signed.NewEd25519()
signer := signed.NewSigner(ed25519)
keyDB := keys.NewDB()
repo := initRepo(t, signer, keyDB)
writeRepo(t, "/tmp/tufrepo", repo)
}
// GetRootSigner retreives a root key that includes the ID and a signer
func (r *NotaryRepository) GetRootSigner(rootKeyID, passphrase string) (*UnlockedSigner, error) {
privKey, err := r.rootKeyStore.GetDecryptedKey(rootKeyID, passphrase)
if err != nil {
return nil, fmt.Errorf("could not get decrypted root key: %v", err)
}
// This signer will be used for all of the normal TUF operations, except for
// when a root key is needed.
signer := signed.NewSigner(NewRootCryptoService(r.rootKeyStore, passphrase))
return &UnlockedSigner{
privKey: privKey,
signer: signer}, nil
}
func TestGetTimestamp(t *testing.T) {
store := storage.NewMemStorage()
crypto := signed.NewEd25519()
signer := signed.NewSigner(crypto)
snapshot := &data.SignedSnapshot{}
snapJSON, _ := json.Marshal(snapshot)
store.UpdateCurrent("gun", "snapshot", 0, snapJSON)
// create a key to be used by GetTimestamp
_, err := GetOrCreateTimestampKey("gun", store, crypto)
assert.Nil(t, err, "GetTimestampKey errored")
_, err = GetOrCreateTimestamp("gun", store, signer)
assert.Nil(t, err, "GetTimestamp errored")
}
// ServeHTTP serves an HTTP request and implements the http.Handler interface.
func (root *rootHandler) ServeHTTP(w http.ResponseWriter, r *http.Request) {
vars := mux.Vars(r)
ctx := context.WithValue(root.context, "repo", vars["imageName"])
// endophage: I don't guarantee that a signer will always be stateless but a CryptoService
// is expected to be. Create a new Signer for each request.
ctx = context.WithValue(ctx, "signer", signed.NewSigner(root.trust))
ctx = context.WithValue(ctx, "cryptoService", root.trust)
ctx = context.WithValue(ctx, "http.request", r)
if err := root.handler(ctx, w, r); err != nil {
logrus.Error("[Notary Server] ", err.Error())
http.Error(w, err.Error(), err.HTTPStatus)
return
}
return
}
func tufRemove(cmd *cobra.Command, args []string) {
if len(args) < 2 {
cmd.Usage()
fatalf("must specify a GUN and target")
}
gun := args[0]
targetName := args[1]
kdb := keys.NewDB()
signer := signed.NewSigner(NewCryptoService(gun))
repo := tuf.NewTufRepo(kdb, signer)
fmt.Println("Removing target ", targetName, " from ", gun)
filestore := bootstrapRepo(gun, repo)
err := repo.RemoveTargets("targets", targetName)
if err != nil {
fatalf(err.Error())
}
saveRepo(repo, filestore)
}
func TestUpdateDelegations(t *testing.T) {
ed25519 := signed.NewEd25519()
signer := signed.NewSigner(ed25519)
keyDB := keys.NewDB()
repo := initRepo(t, signer, keyDB)
testKey, err := signer.Create("targets/test")
if err != nil {
t.Fatal(err)
}
role, err := data.NewRole("targets/test", 1, []string{testKey.ID()}, []string{"test"}, []string{})
if err != nil {
t.Fatal(err)
}
err = repo.UpdateDelegations(role, []data.Key{testKey}, "")
if err != nil {
t.Fatal(err)
}
testDeepKey, err := signer.Create("targets/test/deep")
if err != nil {
t.Fatal(err)
}
roleDeep, err := data.NewRole("targets/test/deep", 1, []string{testDeepKey.ID()}, []string{"test/deep"}, []string{})
if err != nil {
t.Fatal(err)
}
err = repo.UpdateDelegations(roleDeep, []data.Key{testDeepKey}, "")
if err != nil {
t.Fatal(err)
}
writeRepo(t, "/tmp/tufdelegation", repo)
}
func tufInit(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("Must specify a GUN")
}
gun := args[0]
kdb := keys.NewDB()
signer := signed.NewSigner(NewCryptoService(gun))
rootKey, err := signer.Create("root")
if err != nil {
fatalf(err.Error())
}
targetsKey, err := signer.Create("targets")
if err != nil {
fatalf(err.Error())
}
snapshotKey, err := signer.Create("snapshot")
if err != nil {
fatalf(err.Error())
}
timestampKey, err := signer.Create("timestamp")
if err != nil {
fatalf(err.Error())
}
kdb.AddKey(rootKey)
kdb.AddKey(targetsKey)
kdb.AddKey(snapshotKey)
kdb.AddKey(timestampKey)
rootRole, err := data.NewRole("root", 1, []string{rootKey.ID()}, nil, nil)
if err != nil {
fatalf(err.Error())
}
targetsRole, err := data.NewRole("targets", 1, []string{targetsKey.ID()}, nil, nil)
if err != nil {
fatalf(err.Error())
}
snapshotRole, err := data.NewRole("snapshot", 1, []string{snapshotKey.ID()}, nil, nil)
if err != nil {
fatalf(err.Error())
}
timestampRole, err := data.NewRole("timestamp", 1, []string{timestampKey.ID()}, nil, nil)
if err != nil {
fatalf(err.Error())
}
err = kdb.AddRole(rootRole)
if err != nil {
fatalf(err.Error())
}
err = kdb.AddRole(targetsRole)
if err != nil {
fatalf(err.Error())
}
err = kdb.AddRole(snapshotRole)
if err != nil {
fatalf(err.Error())
}
err = kdb.AddRole(timestampRole)
if err != nil {
fatalf(err.Error())
}
repo := tuf.NewTufRepo(kdb, signer)
filestore, err := store.NewFilesystemStore(
path.Join(viper.GetString("tufDir"), gun), // TODO: base trust dir from config
"metadata",
"json",
"targets",
)
if err != nil {
fatalf(err.Error())
}
err = repo.InitRepo(false)
if err != nil {
fatalf(err.Error())
}
saveRepo(repo, filestore)
}