Notary client interface type #1220

Merged
merged 3 commits into from
Sep 7, 2017
Merged
19 changes: 12 additions & 7 deletions client/backwards_compatibility_test.go
Expand Up @@ -35,12 +35,16 @@ func requireValidFixture(t *testing.T, notaryRepo *NotaryRepository) {
// recursively copies the contents of one directory into another - ignores
// symlinks
func recursiveCopy(sourceDir, targetDir string) error {
sourceDir, err := filepath.Abs(sourceDir)
if err != nil {
return err
}
return filepath.Walk(sourceDir, func(fp string, fi os.FileInfo, err error) error {
if err != nil {
return err
}

targetFP := filepath.Join(targetDir, strings.TrimPrefix(fp, sourceDir+"/"))
Contributor

@HuKeping HuKeping Sep 4, 2017


Happy to see we finally get rid of the +"/"

targetFP := filepath.Join(targetDir, strings.TrimPrefix(fp, sourceDir))

if fi.IsDir() {
return os.MkdirAll(targetFP, fi.Mode())
Expand Down Expand Up @@ -68,7 +72,7 @@ func recursiveCopy(sourceDir, targetDir string) error {
if err != nil {
return err
}
return nil
return out.Sync()
})
}

Expand All @@ -91,7 +95,8 @@ func Test0Dot1Migration(t *testing.T) {
require.NoError(t, err, "error creating repo: %s", err)

// check that root_keys and tuf_keys are gone and that all corect keys are present and have the correct headers
files, _ := ioutil.ReadDir(filepath.Join(tmpDir, notary.PrivDir))
files, err := ioutil.ReadDir(filepath.Join(tmpDir, notary.PrivDir))
require.NoError(t, err)
require.Equal(t, files[0].Name(), "7fc757801b9bab4ec9e35bfe7a6b61668ff6f4c81b5632af19e6c728ab799599.key")
targKey, err := os.OpenFile(filepath.Join(tmpDir, notary.PrivDir, "7fc757801b9bab4ec9e35bfe7a6b61668ff6f4c81b5632af19e6c728ab799599.key"), os.O_RDONLY, notary.PrivExecPerms)
require.NoError(t, err)
Expand Down Expand Up @@ -220,10 +225,10 @@ func Test0Dot1RepoFormat(t *testing.T) {
require.Len(t, targets, 2)

// Also check that we can add/remove keys by rotating keys
oldTargetsKeys := repo.CryptoService.ListKeys(data.CanonicalTargetsRole)
oldTargetsKeys := repo.CryptoService().ListKeys(data.CanonicalTargetsRole)
require.NoError(t, repo.RotateKey(data.CanonicalTargetsRole, false, nil))
require.NoError(t, repo.Publish())
newTargetsKeys := repo.CryptoService.ListKeys(data.CanonicalTargetsRole)
newTargetsKeys := repo.CryptoService().ListKeys(data.CanonicalTargetsRole)

require.Len(t, oldTargetsKeys, 1)
require.Len(t, newTargetsKeys, 1)
Expand Down Expand Up @@ -287,10 +292,10 @@ func Test0Dot3RepoFormat(t *testing.T) {
require.Equal(t, data.RoleName("targets/releases"), delegations[0].Name)

// Also check that we can add/remove keys by rotating keys
oldTargetsKeys := repo.CryptoService.ListKeys(data.CanonicalTargetsRole)
oldTargetsKeys := repo.CryptoService().ListKeys(data.CanonicalTargetsRole)
require.NoError(t, repo.RotateKey(data.CanonicalTargetsRole, false, nil))
require.NoError(t, repo.Publish())
newTargetsKeys := repo.CryptoService.ListKeys(data.CanonicalTargetsRole)
newTargetsKeys := repo.CryptoService().ListKeys(data.CanonicalTargetsRole)

require.Len(t, oldTargetsKeys, 1)
require.Len(t, newTargetsKeys, 1)
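Review bot: The new `require.NoError(t, err)` in the Test0Dot1Migration hunk is immediately followed by `files[0].Name()`, which still panics with an index-out-of-range when the private key directory comes back empty, so a migration that drops the key shows up as a crash rather than a readable assertion. Adding `require.NotEmpty(t, files)` (or `require.Len(t, files, 1)` if exactly one key file is expected) between the two lines keeps the failure mode an assertion with a message. Test0Dot1Migration continues outside the hunk.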
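--- a/client/client.go
+++ b/client/client.go
@@ -45,7 +45,7 @@ type NotaryRepository struct {
 changelist changelist.Changelist
 cache store.MetadataStore
 remoteStore store.RemoteStore
-CryptoService signed.CryptoService
+cryptoService signed.CryptoService
 tufRepo *tuf.Repo
 invalid *tuf.Repo // known data that was parsable but deemed invalid
 roundTrip http.RoundTripper
@@ -120,7 +120,7 @@ func NewNotaryRepository(baseDir string, gun data.GUN, baseURL string, remoteSto
 changelist: cl,
 cache: cache,
 remoteStore: remoteStore,
-CryptoService: cryptoService,
+cryptoService: cryptoService,
 trustPinning: trustPinning,
 LegacyVersions: 0, // By default, don't sign with legacy roles
 }
@@ -182,6 +182,11 @@ func rootCertKey(gun data.GUN, privKey data.PrivateKey) (data.PublicKey, error)
 return x509PublicKey, nil
 }
 
+// CryptoService is the getter for the repository's CryptoService
+func (r *NotaryRepository) CryptoService() signed.CryptoService {
+return r.cryptoService
+}
+
 // initialize initializes the notary repository with a set of rootkeys, root certificates and roles.
 func (r *NotaryRepository) initialize(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
 
@@ -234,7 +239,7 @@ func (r *NotaryRepository) initialize(rootKeyIDs []string, rootCerts []data.Publ
 return err
 }
 
-r.tufRepo = tuf.NewRepo(r.CryptoService)
+r.tufRepo = tuf.NewRepo(r.CryptoService())
 
 if err := r.tufRepo.InitRoot(
 rootRole,
@@ -264,7 +269,7 @@ func (r *NotaryRepository) initialize(rootKeyIDs []string, rootCerts []data.Publ
 func (r *NotaryRepository) createNewPublicKeyFromKeyIDs(keyIDs []string) ([]data.PublicKey, error) {
 publicKeys := []data.PublicKey{}
 
-privKeys, err := getAllPrivKeys(keyIDs, r.CryptoService)
+privKeys, err := getAllPrivKeys(keyIDs, r.CryptoService())
 if err != nil {
 return nil, err
 }
@@ -298,7 +303,7 @@ func (r *NotaryRepository) publicKeysOfKeyIDs(keyIDs []string, pubKeys []data.Pu
 // forms matching key pairs
 func matchKeyIdsWithPubKeys(r *NotaryRepository, ids []string, pubKeys []data.PublicKey) error {
 for i := 0; i < len(ids); i++ {
-privKey, _, err := r.CryptoService.GetPrivateKey(ids[i])
+privKey, _, err := r.CryptoService().GetPrivateKey(ids[i])
 if err != nil {
 return fmt.Errorf("could not get the private key matching id %v: %v", ids[i], err)
 }
@@ -342,13 +347,13 @@ func keyExistsInList(cert data.PublicKey, ids map[string]bool) error {
 
 // InitializeWithCertificate initializes the repository with root keys and their corresponding certificates
 func (r *NotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey,
-nRepo *NotaryRepository, serverManagedRoles ...data.RoleName) error {
+serverManagedRoles ...data.RoleName) error {
 
 // If we explicitly pass in certificate(s) but not key, then look keys up using certificate
 if len(rootKeyIDs) == 0 && len(rootCerts) != 0 {
 rootKeyIDs = []string{}
 availableRootKeyIDs := make(map[string]bool)
-for _, k := range nRepo.CryptoService.ListKeys(data.CanonicalRootRole) {
+for _, k := range r.CryptoService().ListKeys(data.CanonicalRootRole) {
 availableRootKeyIDs[k] = true
 }
 
@@ -376,7 +381,7 @@ func (r *NotaryRepository) initializeRoles(rootKeys []data.PublicKey, localRoles
 for _, role := range localRoles {
 // This is currently hardcoding the keys to ECDSA.
 var key data.PublicKey
-key, err = r.CryptoService.Create(role, r.gun, data.ECDSAKey)
+key, err = r.CryptoService().Create(role, r.gun, data.ECDSAKey)
 if err != nil {
 return
 }
@@ -928,7 +933,7 @@ func signTargets(updates map[data.RoleName][]byte, repo *tuf.Repo, initialPublis
 // snapshots are supported, if the snapshot metadata fails to load, that's ok.
 // This assumes that bootstrapRepo is only used by Publish() or RotateKey()
 func (r *NotaryRepository) bootstrapRepo() error {
-b := tuf.NewRepoBuilder(r.gun, r.CryptoService, r.trustPinning)
+b := tuf.NewRepoBuilder(r.gun, r.CryptoService(), r.trustPinning)
 
 logrus.Debugf("Loading trusted collection.")
 
@@ -1063,10 +1068,10 @@ func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufClient, e
 minVersion := 1
 // the old root on disk should not be validated against any trust pinning configuration
 // because if we have an old root, it itself is the thing that pins trust
-oldBuilder := tuf.NewRepoBuilder(r.gun, r.CryptoService, trustpinning.TrustPinConfig{})
+oldBuilder := tuf.NewRepoBuilder(r.gun, r.CryptoService(), trustpinning.TrustPinConfig{})
 
 // by default, we want to use the trust pinning configuration on any new root that we download
-newBuilder := tuf.NewRepoBuilder(r.gun, r.CryptoService, r.trustPinning)
+newBuilder := tuf.NewRepoBuilder(r.gun, r.CryptoService(), r.trustPinning)
 
 // Try to read root from cache first. We will trust this root until we detect a problem
 // during update which will cause us to download a new root and perform a rotation.
@@ -1080,7 +1085,7 @@ func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufClient, e
 
 // again, the root on disk is the source of trust pinning, so use an empty trust
 // pinning configuration
-newBuilder = tuf.NewRepoBuilder(r.gun, r.CryptoService, trustpinning.TrustPinConfig{})
+newBuilder = tuf.NewRepoBuilder(r.gun, r.CryptoService(), trustpinning.TrustPinConfig{})
 
 if err := newBuilder.Load(data.CanonicalRootRole, rootJSON, minVersion, false); err != nil {
 // Ok, the old root is expired - we want to download a new one. But we want to use the
@@ -1170,7 +1175,7 @@ func (r *NotaryRepository) pubKeyListForRotation(role data.RoleName, serverManag
 // If no new keys are passed in, we generate one
 if len(newKeys) == 0 {
 pubKeyList = make(data.KeyList, 0, 1)
-pubKey, err = r.CryptoService.Create(role, r.gun, data.ECDSAKey)
+pubKey, err = r.CryptoService().Create(role, r.gun, data.ECDSAKey)
 pubKeyList = append(pubKeyList, pubKey)
 }
 if err != nil {
@@ -1181,7 +1186,7 @@ func (r *NotaryRepository) pubKeyListForRotation(role data.RoleName, serverManag
 if len(newKeys) > 0 {
 pubKeyList = make(data.KeyList, 0, len(newKeys))
 for _, keyID := range newKeys {
-pubKey = r.CryptoService.GetKey(keyID)
+pubKey = r.CryptoService().GetKey(keyID)
 if pubKey == nil {
 return nil, fmt.Errorf("unable to find key: %s", keyID)
 }
@@ -1204,7 +1209,7 @@ func (r *NotaryRepository) pubKeysToCerts(role data.RoleName, pubKeyList data.Ke
 }
 
 for i, pubKey := range pubKeyList {
-privKey, loadedRole, err := r.CryptoService.GetPrivateKey(pubKey.ID())
+privKey, loadedRole, err := r.CryptoService().GetPrivateKey(pubKey.ID())
 if err != nil {
 return nil, err
 }
@@ -1279,3 +1284,9 @@ func DeleteTrustData(baseDir string, gun data.GUN, URL string, rt http.RoundTrip
 }
 return nil
 }
+
+// SetLegacyVersions allows the number of legacy versions of the root
+// to be inspected for old signing keys to be configured.
+func (r NotaryRepository) SetLegacyVersions(n int) {
+r.LegacyVersions = n
+}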
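Review bot: SetLegacyVersions in the last hunk is declared on a value receiver, so `r.LegacyVersions = n` writes to a copy of the struct and the caller's repository keeps its previous LegacyVersions, which the constructor hunk initialises to 0 with the comment "don't sign with legacy roles". Since this field decides whether older root versions are inspected for signing keys, a caller that sets it will silently keep the default behaviour, and nothing at the call site reveals the setter was a no-op. Every other method in the file, including the new CryptoService getter, uses a pointer receiver, so the fix is the one-line signature change `func (r *NotaryRepository) SetLegacyVersions(n int) {`. staticcheck reports ineffective field assignments of this kind, so running it in CI would catch a recurrence.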