moby--moby/trust/service.go

package trust

import (
	"fmt"
	"time"

	"github.com/Sirupsen/logrus"
	"github.com/docker/libtrust"
)

// NotVerifiedError reports a error when doing the key check.
// For example if the graph is not verified or the key has expired.
type NotVerifiedError string

func (e NotVerifiedError) Error() string {
	return string(e)
}

// CheckKey verifies that the given public key is allowed to perform
// the given action on the given node according to the trust graph.
func (t *Store) CheckKey(ns string, key []byte, perm uint16) (bool, error) {
	if len(key) == 0 {
		return false, fmt.Errorf("Missing PublicKey")
	}
	pk, err := libtrust.UnmarshalPublicKeyJWK(key)
	if err != nil {
		return false, fmt.Errorf("Error unmarshalling public key: %v", err)
	}

	if perm == 0 {
		perm = 0x03
	}

	t.RLock()
	defer t.RUnlock()
	if t.graph == nil {
		return false, NotVerifiedError("no graph")
	}

	// Check if any expired grants
	verified, err := t.graph.Verify(pk, ns, perm)
	if err != nil {
		return false, fmt.Errorf("Error verifying key to namespace: %s", ns)
	}
	if !verified {
		logrus.Debugf("Verification failed for %s using key %s", ns, pk.KeyID())
		return false, NotVerifiedError("not verified")
	}
	if t.expiration.Before(time.Now()) {
		return false, NotVerifiedError("expired")
	}
	return true, nil
}

// UpdateBase retrieves updated base graphs. This function cannot error, it
// should only log errors.
func (t *Store) UpdateBase() {
	t.fetch()
}
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`package trust`

			`import (`
			`"fmt"`
			`"time"`

Replace aliased imports of logrus, fixes #11762 Signed-off-by: Antonio Murdaca <me@runcom.ninja> 2015-03-26 18:22:04 -04:00			`"github.com/Sirupsen/logrus"`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`"github.com/docker/libtrust"`
			`)`

Finish linting opts and trust package. Signed-off-by: Vincent Demeester <vincent@sbr.pm> 2015-08-27 03:33:21 -04:00			`// NotVerifiedError reports a error when doing the key check.`
			`// For example if the graph is not verified or the key has expired.`
Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`type NotVerifiedError string`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00
Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`func (e NotVerifiedError) Error() string {`
			`return string(e)`
			`}`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00
golint: trust contributes to #14756 Signed-off-by: Sevki Hasirci <s@sevki.org> 2015-07-28 14:18:04 -04:00			`// CheckKey verifies that the given public key is allowed to perform`
			`// the given action on the given node according to the trust graph.`
			`func (t *Store) CheckKey(ns string, key []byte, perm uint16) (bool, error) {`
Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`if len(key) == 0 {`
			`return false, fmt.Errorf("Missing PublicKey")`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`}`
Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`pk, err := libtrust.UnmarshalPublicKeyJWK(key)`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`if err != nil {`
Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`return false, fmt.Errorf("Error unmarshalling public key: %v", err)`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`}`

Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`if perm == 0 {`
			`perm = 0x03`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`}`

			`t.RLock()`
			`defer t.RUnlock()`
			`if t.graph == nil {`
Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`return false, NotVerifiedError("no graph")`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`}`

			`// Check if any expired grants`
Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`verified, err := t.graph.Verify(pk, ns, perm)`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`if err != nil {`
Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`return false, fmt.Errorf("Error verifying key to namespace: %s", ns)`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`}`
			`if !verified {`
Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`logrus.Debugf("Verification failed for %s using key %s", ns, pk.KeyID())`
			`return false, NotVerifiedError("not verified")`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`}`
Remove engine from trust Signed-off-by: Alexander Morozov <lk4d4@docker.com> 2015-04-20 15:48:33 -04:00			`if t.expiration.Before(time.Now()) {`
			`return false, NotVerifiedError("expired")`
			`}`
			`return true, nil`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`}`

Finish linting opts and trust package. Signed-off-by: Vincent Demeester <vincent@sbr.pm> 2015-08-27 03:33:21 -04:00			`// UpdateBase retrieves updated base graphs. This function cannot error, it`
			`// should only log errors.`
golint: trust contributes to #14756 Signed-off-by: Sevki Hasirci <s@sevki.org> 2015-07-28 14:18:04 -04:00			`func (t *Store) UpdateBase() {`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`t.fetch()`
			`}`