func (t *tufCommander) tufList(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN")
}
config, err := t.configGetter()
if err != nil {
return err
}
gun := args[0]
rt, err := getTransport(config, gun, true)
if err != nil {
return err
}
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, t.retriever)
if err != nil {
return err
}
// Retrieve the remote list of signed targets, prioritizing the passed-in list over targets
roles := append(t.roles, data.CanonicalTargetsRole)
targetList, err := nRepo.ListTargets(roles...)
if err != nil {
return err
}
prettyPrintTargets(targetList, cmd.Out())
return nil
}
func (t *tufCommander) tufAdd(cmd *cobra.Command, args []string) error {
if len(args) < 3 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN, target, and path to target data")
}
config, err := t.configGetter()
if err != nil {
return err
}
gun := args[0]
targetName := args[1]
targetPath := args[2]
// no online operations are performed by add so the transport argument
// should be nil
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), nil, t.retriever)
if err != nil {
return err
}
target, err := notaryclient.NewTarget(targetName, targetPath)
if err != nil {
return err
}
// If roles is empty, we default to adding to targets
if err = nRepo.AddTarget(target, t.roles...); err != nil {
return err
}
cmd.Printf(
"Addition of target \"%s\" to repository \"%s\" staged for next publish.\n",
targetName, gun)
return nil
}
func (s *DockerTrustSuite) setupDelegations(c *check.C, repoName, pwd string) {
initCmd := exec.Command(notaryClientBinary, "-c", filepath.Join(s.not.dir, "client-config.json"), "init", repoName)
notaryClientEnv(initCmd, pwd, pwd)
out, _, err := runCommandWithOutput(initCmd)
if err != nil {
c.Fatalf("Error initializing notary repository: %s\n", out)
}
// no command line for this, so build by hand
nRepo, err := client.NewNotaryRepository(filepath.Join(cliconfig.ConfigDir(), "trust"), repoName, notaryURL, nil, passphrase.ConstantRetriever(pwd))
if err != nil {
c.Fatalf("Error creating notary repository: %s\n", err)
}
delgKey, err := nRepo.CryptoService.Create("targets/releases", data.ECDSAKey)
if err != nil {
c.Fatalf("Error creating delegation key: %s\n", err)
}
err = nRepo.AddDelegation("targets/releases", []data.PublicKey{delgKey}, []string{""})
if err != nil {
c.Fatalf("Error creating delegation: %s\n", err)
}
// publishing first simulates the client pushing to a repo that they have been given delegated access to
pubCmd := exec.Command(notaryClientBinary, "-c", filepath.Join(s.not.dir, "client-config.json"), "publish", repoName)
notaryClientEnv(pubCmd, pwd, pwd)
out, _, err = runCommandWithOutput(pubCmd)
if err != nil {
c.Fatalf("Error publishing notary repository: %s\n", out)
}
}
func (t *tufCommander) tufLookup(cmd *cobra.Command, args []string) error {
if len(args) < 2 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN and target")
}
config, err := t.configGetter()
if err != nil {
return err
}
gun := args[0]
targetName := args[1]
rt, err := getTransport(config, gun, true)
if err != nil {
return err
}
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, t.retriever)
if err != nil {
return err
}
target, err := nRepo.GetTargetByName(targetName)
if err != nil {
return err
}
cmd.Println(target.Name, fmt.Sprintf("sha256:%x", target.Hashes["sha256"]), target.Length)
return nil
}
func (t *tufCommander) tufRemove(cmd *cobra.Command, args []string) error {
if len(args) < 2 {
return fmt.Errorf("Must specify a GUN and target")
}
config, err := t.configGetter()
if err != nil {
return err
}
gun := args[0]
targetName := args[1]
trustPin, err := getTrustPinning(config)
if err != nil {
return err
}
// no online operation are performed by remove so the transport argument
// should be nil.
repo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), nil, t.retriever, trustPin)
if err != nil {
return err
}
// If roles is empty, we default to removing from targets
if err = repo.RemoveTarget(targetName, t.roles...); err != nil {
return err
}
cmd.Printf("Removal of %s from %s staged for next publish.\n", targetName, gun)
return nil
}
func (t *tufCommander) tufPublish(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN")
}
config, err := t.configGetter()
if err != nil {
return err
}
gun := args[0]
cmd.Println("Pushing changes to", gun)
rt, err := getTransport(config, gun, false)
if err != nil {
return err
}
trustPin, err := getTrustPinning(config)
if err != nil {
return err
}
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, t.retriever, trustPin)
if err != nil {
return err
}
if err = nRepo.Publish(); err != nil {
return err
}
return nil
}
// The command line uses NotaryRepository's RotateKey - this is just testing
// that the correct config variables are passed for the client to request a key
// from the remote server.
func TestRotateKeyRemoteServerManagesKey(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
defer os.RemoveAll(tempBaseDir)
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
gun := "docker.com/notary"
ret := passphrase.ConstantRetriever("pass")
ts, initialKeys := setUpRepo(t, tempBaseDir, gun, ret)
defer ts.Close()
k := &keyCommander{
configGetter: func() (*viper.Viper, error) {
v := viper.New()
v.SetDefault("trust_dir", tempBaseDir)
v.SetDefault("remote_server.url", ts.URL)
return v, nil
},
getRetriever: func() passphrase.Retriever { return ret },
rotateKeyRole: data.CanonicalSnapshotRole,
rotateKeyServerManaged: true,
}
err = k.keysRotate(&cobra.Command{}, []string{gun})
assert.NoError(t, err)
repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, nil, ret)
assert.NoError(t, err, "error creating repo: %s", err)
cl, err := repo.GetChangelist()
assert.NoError(t, err, "unable to get changelist: %v", err)
assert.Len(t, cl.List(), 1)
// no keys have been created, since a remote key was specified
assert.Equal(t, initialKeys, repo.CryptoService.ListAllKeys())
}
// initialize a repo with keys, so they can be rotated
func setUpRepo(t *testing.T, tempBaseDir, gun string, ret passphrase.Retriever) (
*httptest.Server, map[string]string) {
// server that always returns 200 (and a key)
key, err := trustmanager.GenerateECDSAKey(rand.Reader)
assert.NoError(t, err)
pubKey := data.PublicKeyFromPrivate(key)
jsonBytes, err := json.MarshalCanonical(&pubKey)
assert.NoError(t, err)
keyJSON := string(jsonBytes)
ts := httptest.NewServer(http.HandlerFunc(
func(w http.ResponseWriter, r *http.Request) {
fmt.Fprint(w, keyJSON)
}))
repo, err := client.NewNotaryRepository(
tempBaseDir, gun, ts.URL, http.DefaultTransport, ret)
assert.NoError(t, err, "error creating repo: %s", err)
rootPubKey, err := repo.CryptoService.Create("root", data.ECDSAKey)
assert.NoError(t, err, "error generating root key: %s", err)
err = repo.Initialize(rootPubKey.ID())
assert.NoError(t, err)
return ts, repo.CryptoService.ListAllKeys()
}
// initialize a repo with keys, so they can be rotated
func setUpRepo(t *testing.T, tempBaseDir, gun string, ret notary.PassRetriever) (
*httptest.Server, map[string]string) {
// Set up server
ctx := context.WithValue(
context.Background(), "metaStore", storage.NewMemStorage())
// Do not pass one of the const KeyAlgorithms here as the value! Passing a
// string is in itself good test that we are handling it correctly as we
// will be receiving a string from the configuration.
ctx = context.WithValue(ctx, "keyAlgorithm", "ecdsa")
// Eat the logs instead of spewing them out
l := logrus.New()
l.Out = bytes.NewBuffer(nil)
ctx = ctxu.WithLogger(ctx, logrus.NewEntry(l))
cryptoService := cryptoservice.NewCryptoService(trustmanager.NewKeyMemoryStore(ret))
ts := httptest.NewServer(server.RootHandler(nil, ctx, cryptoService, nil, nil, nil))
repo, err := client.NewNotaryRepository(
tempBaseDir, gun, ts.URL, http.DefaultTransport, ret, trustpinning.TrustPinConfig{})
require.NoError(t, err, "error creating repo: %s", err)
rootPubKey, err := repo.CryptoService.Create("root", "", data.ECDSAKey)
require.NoError(t, err, "error generating root key: %s", err)
err = repo.Initialize(rootPubKey.ID())
require.NoError(t, err)
return ts, repo.CryptoService.ListAllKeys()
}
func tufAdd(cmd *cobra.Command, args []string) {
if len(args) < 3 {
cmd.Usage()
fatalf("must specify a GUN, target, and path to target data")
}
gun := args[0]
targetName := args[1]
targetPath := args[2]
repo, err := notaryclient.NewNotaryRepository(viper.GetString("baseTrustDir"), gun, hardcodedBaseURL, getInsecureTransport())
if err != nil {
fatalf(err.Error())
}
target, err := notaryclient.NewTarget(targetName, targetPath)
if err != nil {
fatalf(err.Error())
}
err = repo.AddTarget(target)
if err != nil {
fatalf(err.Error())
}
fmt.Println("Successfully added targets")
}
func tufStatus(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("Must specify a GUN")
}
gun := args[0]
parseConfig()
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), nil, retriever)
if err != nil {
fatalf(err.Error())
}
cl, err := nRepo.GetChangelist()
if err != nil {
fatalf(err.Error())
}
if len(cl.List()) == 0 {
fmt.Printf("No unpublished changes for %s\n", gun)
return
}
fmt.Printf("Unpublished changes for %s:\n\n", gun)
fmt.Printf("%-10s%-10s%-12s%s\n", "action", "scope", "type", "path")
fmt.Println("----------------------------------------------------")
for _, ch := range cl.List() {
fmt.Printf("%-10s%-10s%-12s%s\n", ch.Action(), ch.Scope(), ch.Type(), ch.Path())
}
}
func tufAdd(cmd *cobra.Command, args []string) {
if len(args) < 3 {
cmd.Usage()
fatalf("must specify a GUN, target, and path to target data")
}
gun := args[0]
targetName := args[1]
targetPath := args[2]
parseConfig()
// no online operations are performed by add so the transport argument
// should be nil
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), nil, retriever)
if err != nil {
fatalf(err.Error())
}
target, err := notaryclient.NewTarget(targetName, targetPath)
if err != nil {
fatalf(err.Error())
}
err = nRepo.AddTarget(target)
if err != nil {
fatalf(err.Error())
}
fmt.Printf("Addition of %s to %s staged for next publish.\n", targetName, gun)
}
// The command line uses NotaryRepository's RotateKey - this is just testing
// that multiple keys can be rotated at once locally
func TestRotateKeyBothKeys(t *testing.T) {
setUp(t)
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
defer os.RemoveAll(tempBaseDir)
require.NoError(t, err, "failed to create a temporary directory: %s", err)
gun := "docker.com/notary"
ret := passphrase.ConstantRetriever("pass")
ts, initialKeys := setUpRepo(t, tempBaseDir, gun, ret)
defer ts.Close()
k := &keyCommander{
configGetter: func() (*viper.Viper, error) {
v := viper.New()
v.SetDefault("trust_dir", tempBaseDir)
v.SetDefault("remote_server.url", ts.URL)
return v, nil
},
getRetriever: func() notary.PassRetriever { return ret },
}
require.NoError(t, k.keysRotate(&cobra.Command{}, []string{gun, data.CanonicalTargetsRole}))
require.NoError(t, k.keysRotate(&cobra.Command{}, []string{gun, data.CanonicalSnapshotRole}))
repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, nil, ret, trustpinning.TrustPinConfig{})
require.NoError(t, err, "error creating repo: %s", err)
cl, err := repo.GetChangelist()
require.NoError(t, err, "unable to get changelist: %v", err)
require.Len(t, cl.List(), 0)
// two new keys have been created, and the old keys should still be gone
newKeys := repo.CryptoService.ListAllKeys()
// there should be 3 keys - snapshot, targets, and root
require.Len(t, newKeys, 3)
// the old snapshot/targets keys should be gone
for keyID, role := range initialKeys {
r, ok := newKeys[keyID]
switch r {
case data.CanonicalSnapshotRole, data.CanonicalTargetsRole:
require.False(t, ok, "original key %s still there", keyID)
case data.CanonicalRootRole:
require.Equal(t, role, r)
require.True(t, ok, "old root key has changed")
}
}
found := make(map[string]bool)
for _, role := range newKeys {
found[role] = true
}
require.True(t, found[data.CanonicalTargetsRole], "targets key was not created")
require.True(t, found[data.CanonicalSnapshotRole], "snapshot key was not created")
require.True(t, found[data.CanonicalRootRole], "root key was removed somehow")
}
// The command line uses NotaryRepository's RotateKey - this is just testing
// that the correct config variables are passed for the client to rotate
// both the targets and snapshot key, and create them locally
func TestRotateKeyBothKeys(t *testing.T) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
defer os.RemoveAll(tempBaseDir)
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
gun := "docker.com/notary"
ret := passphrase.ConstantRetriever("pass")
ts, initialKeys := setUpRepo(t, tempBaseDir, gun, ret)
// we won't need this anymore since we are creating keys locally
ts.Close()
k := &keyCommander{
configGetter: func() (*viper.Viper, error) {
v := viper.New()
v.SetDefault("trust_dir", tempBaseDir)
// won't need a remote server URL, since we are creating local keys
return v, nil
},
getRetriever: func() passphrase.Retriever { return ret },
}
err = k.keysRotate(&cobra.Command{}, []string{gun})
assert.NoError(t, err)
repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, nil, ret)
assert.NoError(t, err, "error creating repo: %s", err)
cl, err := repo.GetChangelist()
assert.NoError(t, err, "unable to get changelist: %v", err)
assert.Len(t, cl.List(), 2)
// two new keys have been created, and the old keys should still be there
newKeys := repo.CryptoService.ListAllKeys()
for keyID, role := range initialKeys {
r, ok := newKeys[keyID]
assert.True(t, ok, "original key %s missing", keyID)
assert.Equal(t, role, r)
delete(newKeys, keyID)
}
// there should be 2 keys left
assert.Len(t, newKeys, 2)
// one for each role
var targetsFound, snapshotFound bool
for _, role := range newKeys {
switch role {
case data.CanonicalTargetsRole:
targetsFound = true
case data.CanonicalSnapshotRole:
snapshotFound = true
}
}
assert.True(t, targetsFound, "targets key was not created")
assert.True(t, snapshotFound, "snapshot key was not created")
}
// The command line uses NotaryRepository's RotateKey - this is just testing
// that the correct config variables are passed for the client to request a key
// from the remote server.
func TestRotateKeyRemoteServerManagesKey(t *testing.T) {
for _, role := range []string{data.CanonicalSnapshotRole, data.CanonicalTimestampRole} {
setUp(t)
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("/tmp", "notary-test-")
defer os.RemoveAll(tempBaseDir)
require.NoError(t, err, "failed to create a temporary directory: %s", err)
gun := "docker.com/notary"
ret := passphrase.ConstantRetriever("pass")
ts, initialKeys := setUpRepo(t, tempBaseDir, gun, ret)
defer ts.Close()
require.Len(t, initialKeys, 3)
k := &keyCommander{
configGetter: func() (*viper.Viper, error) {
v := viper.New()
v.SetDefault("trust_dir", tempBaseDir)
v.SetDefault("remote_server.url", ts.URL)
return v, nil
},
getRetriever: func() notary.PassRetriever { return ret },
rotateKeyServerManaged: true,
}
require.NoError(t, k.keysRotate(&cobra.Command{}, []string{gun, role, "-r"}))
repo, err := client.NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, ret, trustpinning.TrustPinConfig{})
require.NoError(t, err, "error creating repo: %s", err)
cl, err := repo.GetChangelist()
require.NoError(t, err, "unable to get changelist: %v", err)
require.Len(t, cl.List(), 0, "expected the changes to have been published")
finalKeys := repo.CryptoService.ListAllKeys()
// no keys have been created, since a remote key was specified
if role == data.CanonicalSnapshotRole {
require.Len(t, finalKeys, 2)
for k, r := range initialKeys {
if r != data.CanonicalSnapshotRole {
_, ok := finalKeys[k]
require.True(t, ok)
}
}
} else {
require.Len(t, finalKeys, 3)
for k := range initialKeys {
_, ok := finalKeys[k]
require.True(t, ok)
}
}
}
}
func (k *keyCommander) keysRotate(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN")
}
rotateKeyRole := strings.ToLower(k.rotateKeyRole)
var rolesToRotate []string
switch rotateKeyRole {
case "":
rolesToRotate = []string{data.CanonicalSnapshotRole, data.CanonicalTargetsRole}
case data.CanonicalSnapshotRole:
rolesToRotate = []string{data.CanonicalSnapshotRole}
case data.CanonicalTargetsRole:
rolesToRotate = []string{data.CanonicalTargetsRole}
default:
return fmt.Errorf("key rotation not supported for %s keys", k.rotateKeyRole)
}
if k.rotateKeyServerManaged && rotateKeyRole != data.CanonicalSnapshotRole {
return fmt.Errorf(
"remote signing/key management is only supported for the snapshot key")
}
config, err := k.configGetter()
if err != nil {
return err
}
gun := args[0]
var rt http.RoundTripper
if k.rotateKeyServerManaged {
// this does not actually push the changes, just creates the keys, but
// it creates a key remotely so it needs a transport
rt, err = getTransport(config, gun, false)
if err != nil {
return err
}
}
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config),
rt, k.getRetriever())
if err != nil {
return err
}
for _, role := range rolesToRotate {
if err := nRepo.RotateKey(role, k.rotateKeyServerManaged); err != nil {
return err
}
}
return nil
}
func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN")
}
config, err := t.configGetter()
if err != nil {
return err
}
gun := args[0]
rt, err := getTransport(config, gun, false)
if err != nil {
return err
}
trustPin, err := getTrustPinning(config)
if err != nil {
return err
}
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, t.retriever, trustPin)
if err != nil {
return err
}
rootKeyList := nRepo.CryptoService.ListKeys(data.CanonicalRootRole)
var rootKeyID string
if len(rootKeyList) < 1 {
cmd.Println("No root keys found. Generating a new root key...")
rootPublicKey, err := nRepo.CryptoService.Create(data.CanonicalRootRole, "", data.ECDSAKey)
rootKeyID = rootPublicKey.ID()
if err != nil {
return err
}
} else {
// Choses the first root key available, which is initialization specific
// but should return the HW one first.
rootKeyID = rootKeyList[0]
cmd.Printf("Root key found, using: %s\n", rootKeyID)
}
if err = nRepo.Initialize(rootKeyID); err != nil {
return err
}
return nil
}
func keysRotate(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("must specify a GUN and target")
}
parseConfig()
gun := args[0]
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, remoteTrustServer, nil, retriever)
if err != nil {
fatalf(err.Error())
}
if err := nRepo.RotateKeys(); err != nil {
fatalf(err.Error())
}
}
func (k *keyCommander) keysRotate(cmd *cobra.Command, args []string) error {
if len(args) < 2 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN and a key role to rotate")
}
config, err := k.configGetter()
if err != nil {
return err
}
gun := args[0]
rotateKeyRole := args[1]
rt, err := getTransport(config, gun, readWrite)
if err != nil {
return err
}
trustPin, err := getTrustPinning(config)
if err != nil {
return err
}
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config),
rt, k.getRetriever(), trustPin)
if err != nil {
return err
}
if rotateKeyRole == data.CanonicalRootRole {
cmd.Print("Warning: you are about to rotate your root key.\n\n" +
"You must use your old key to sign this root rotation. We recommend that\n" +
"you sign all your future root changes with this key as well, so that\n" +
"clients can have a smoother update process. Please do not delete\n" +
"this key after rotating.\n\n" +
"Are you sure you want to proceed? (yes/no) ")
if !askConfirm(k.input) {
fmt.Fprintln(cmd.Out(), "\nAborting action.")
return nil
}
}
return nRepo.RotateKey(rotateKeyRole, k.rotateKeyServerManaged)
}
func tufInit(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("Must specify a GUN")
}
gun := args[0]
nRepo, err := notaryclient.NewNotaryRepository(viper.GetString("baseTrustDir"), gun, hardcodedBaseURL, getInsecureTransport())
if err != nil {
fatalf(err.Error())
}
keysList := nRepo.KeyStoreManager.RootKeyStore().ListKeys()
var passphrase string
var rootKeyID string
if len(keysList) < 1 {
fmt.Println("No root keys found. Generating a new root key...")
passphrase, err = passphraseRetriever()
if err != nil {
fatalf(err.Error())
}
rootKeyID, err = nRepo.KeyStoreManager.GenRootKey("ECDSA", passphrase)
if err != nil {
fatalf(err.Error())
}
} else {
rootKeyID = keysList[0]
fmt.Println("Root key found.")
fmt.Printf("Enter passphrase for: %s (%d)\n", rootKeyID, len(rootKeyID))
passphrase, err = passphraseRetriever()
if err != nil {
fatalf(err.Error())
}
}
rootCryptoService, err := nRepo.KeyStoreManager.GetRootCryptoService(rootKeyID, passphrase)
if err != nil {
fatalf(err.Error())
}
nRepo.Initialize(rootCryptoService)
if err != nil {
fatalf(err.Error())
}
}
func (t *tufCommander) tufVerify(cmd *cobra.Command, args []string) error {
if len(args) < 2 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN and target")
}
config, err := t.configGetter()
if err != nil {
return err
}
payload, err := getPayload(t)
if err != nil {
return err
}
gun := args[0]
targetName := args[1]
rt, err := getTransport(config, gun, true)
if err != nil {
return err
}
trustPin, err := getTrustPinning(config)
if err != nil {
return err
}
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, t.retriever, trustPin)
if err != nil {
return err
}
target, err := nRepo.GetTargetByName(targetName)
if err != nil {
return fmt.Errorf("error retrieving target by name:%s, error:%v", targetName, err)
}
if err := data.CheckHashes(payload, targetName, target.Hashes); err != nil {
return fmt.Errorf("data not present in the trusted collection, %v", err)
}
return feedback(t, payload)
}
func (t *tufCommander) tufVerify(cmd *cobra.Command, args []string) error {
if len(args) < 2 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN and target")
}
config, err := t.configGetter()
if err != nil {
return err
}
// Reads all of the data on STDIN
payload, err := ioutil.ReadAll(os.Stdin)
if err != nil {
return fmt.Errorf("Error reading content from STDIN: %v", err)
}
gun := args[0]
targetName := args[1]
rt, err := getTransport(config, gun, true)
if err != nil {
return err
}
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, t.retriever)
if err != nil {
return err
}
target, err := nRepo.GetTargetByName(targetName)
if err != nil {
return fmt.Errorf("error retrieving target by name:%s, error:%v", targetName, err)
}
// Create hasher and hash data
stdinHash := sha256.Sum256(payload)
serverHash := target.Hashes["sha256"]
if subtle.ConstantTimeCompare(stdinHash[:], serverHash) == 0 {
return fmt.Errorf("notary: data not present in the trusted collection")
}
_, _ = os.Stdout.Write(payload)
return nil
}
func tufInit(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("Must specify a GUN")
}
gun := args[0]
parseConfig()
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
if err != nil {
fatalf(err.Error())
}
keysMap := nRepo.KeyStoreManager.RootKeyStore().ListKeys()
var rootKeyID string
if len(keysMap) < 1 {
fmt.Println("No root keys found. Generating a new root key...")
rootKeyID, err = nRepo.KeyStoreManager.GenRootKey("ECDSA")
if err != nil {
fatalf(err.Error())
}
} else {
// TODO(diogo): ask which root key to use
for keyID := range keysMap {
rootKeyID = keyID
}
fmt.Printf("Root key found, using: %s\n", rootKeyID)
}
rootCryptoService, err := nRepo.KeyStoreManager.GetRootCryptoService(rootKeyID)
if err != nil {
fatalf(err.Error())
}
err = nRepo.Initialize(rootCryptoService)
if err != nil {
fatalf(err.Error())
}
}
func tufPublish(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("Must specify a GUN")
}
gun := args[0]
fmt.Println("Pushing changes to ", gun, ".")
repo, err := notaryclient.NewNotaryRepository(viper.GetString("baseTrustDir"), gun, hardcodedBaseURL, getInsecureTransport())
if err != nil {
fatalf(err.Error())
}
err = repo.Publish(passphraseRetriever)
if err != nil {
fatalf(err.Error())
}
}
// delegationsList lists all the delegations for a particular GUN
func (d *delegationCommander) delegationsList(cmd *cobra.Command, args []string) error {
if len(args) != 1 {
cmd.Usage()
return fmt.Errorf(
"Please provide a Global Unique Name as an argument to list")
}
config, err := d.configGetter()
if err != nil {
return err
}
gun := args[0]
rt, err := getTransport(config, gun, true)
if err != nil {
return err
}
trustPin, err := getTrustPinning(config)
if err != nil {
return err
}
// initialize repo with transport to get latest state of the world before listing delegations
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), rt, d.retriever, trustPin)
if err != nil {
return err
}
delegationRoles, err := nRepo.GetDelegationRoles()
if err != nil {
return fmt.Errorf("Error retrieving delegation roles for repository %s: %v", gun, err)
}
cmd.Println("")
prettyPrintRoles(delegationRoles, cmd.Out(), "delegations")
cmd.Println("")
return nil
}
func (t *tufCommander) tufStatus(cmd *cobra.Command, args []string) error {
if len(args) < 1 {
cmd.Usage()
return fmt.Errorf("Must specify a GUN")
}
config, err := t.configGetter()
if err != nil {
return err
}
gun := args[0]
trustPin, err := getTrustPinning(config)
if err != nil {
return err
}
nRepo, err := notaryclient.NewNotaryRepository(
config.GetString("trust_dir"), gun, getRemoteTrustServer(config), nil, t.retriever, trustPin)
if err != nil {
return err
}
cl, err := nRepo.GetChangelist()
if err != nil {
return err
}
if len(cl.List()) == 0 {
cmd.Printf("No unpublished changes for %s\n", gun)
return nil
}
cmd.Printf("Unpublished changes for %s:\n\n", gun)
cmd.Printf("%-10s%-10s%-12s%s\n", "action", "scope", "type", "path")
cmd.Println("----------------------------------------------------")
for _, ch := range cl.List() {
cmd.Printf("%-10s%-10s%-12s%s\n", ch.Action(), ch.Scope(), ch.Type(), ch.Path())
}
return nil
}
func tufRemove(cmd *cobra.Command, args []string) {
if len(args) < 2 {
cmd.Usage()
fatalf("must specify a GUN and target")
}
gun := args[0]
targetName := args[1]
parseConfig()
repo, err := notaryclient.NewNotaryRepository(trustDir, gun, remoteTrustServer,
getTransport(), retriever)
if err != nil {
fatalf(err.Error())
}
err = repo.RemoveTarget(targetName)
if err != nil {
fatalf(err.Error())
}
fmt.Printf("Removal of %s from %s staged for next publish.\n", targetName, gun)
}
func tufList(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("Must specify a GUN")
}
parseConfig()
gun := args[0]
nRepo, err := notaryclient.NewNotaryRepository(mainViper.GetString("trust_dir"), gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
if err != nil {
fatalf(err.Error())
}
// Retreive the remote list of signed targets
targetList, err := nRepo.ListTargets()
if err != nil {
fatalf(err.Error())
}
prettyPrintTargets(targetList, cmd.Out())
}
func tufLookup(cmd *cobra.Command, args []string) {
if len(args) < 2 {
cmd.Usage()
fatalf("must specify a GUN and target")
}
gun := args[0]
targetName := args[1]
parseConfig()
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), getTransport(gun, true), retriever)
if err != nil {
fatalf(err.Error())
}
target, err := nRepo.GetTargetByName(targetName)
if err != nil {
fatalf(err.Error())
}
fmt.Println(target.Name, fmt.Sprintf("sha256:%x", target.Hashes["sha256"]), target.Length)
}
func tufPublish(cmd *cobra.Command, args []string) {
if len(args) < 1 {
cmd.Usage()
fatalf("Must specify a GUN")
}
gun := args[0]
parseConfig()
fmt.Println("Pushing changes to ", gun, ".")
nRepo, err := notaryclient.NewNotaryRepository(trustDir, gun, getRemoteTrustServer(), getTransport(gun, false), retriever)
if err != nil {
fatalf(err.Error())
}
err = nRepo.Publish()
if err != nil {
fatalf(err.Error())
}
}