2014-09-30 20:03:57 -04:00
|
|
|
package graph
|
|
|
|
|
|
|
|
|
|
import (
|
2015-01-02 14:13:11 -05:00
|
|
|
"bytes"
|
2014-09-30 20:03:57 -04:00
|
|
|
"encoding/json"
|
2014-12-16 19:57:37 -05:00
|
|
|
"errors"
|
2014-09-30 20:03:57 -04:00
|
|
|
"fmt"
|
|
|
|
|
"io"
|
|
|
|
|
"io/ioutil"
|
|
|
|
|
"path"
|
|
|
|
|
|
2015-01-02 14:13:11 -05:00
|
|
|
log "github.com/Sirupsen/logrus"
|
2014-09-30 20:03:57 -04:00
|
|
|
"github.com/docker/docker/engine"
|
|
|
|
|
"github.com/docker/docker/pkg/tarsum"
|
|
|
|
|
"github.com/docker/docker/registry"
|
|
|
|
|
"github.com/docker/docker/runconfig"
|
2015-01-02 14:13:11 -05:00
|
|
|
"github.com/docker/libtrust"
|
2014-09-30 20:03:57 -04:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func (s *TagStore) CmdManifest(job *engine.Job) engine.Status {
|
|
|
|
|
if len(job.Args) != 1 {
|
|
|
|
|
return job.Errorf("usage: %s NAME", job.Name)
|
|
|
|
|
}
|
|
|
|
|
name := job.Args[0]
|
|
|
|
|
tag := job.Getenv("tag")
|
|
|
|
|
if tag == "" {
|
|
|
|
|
tag = "latest"
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// Resolve the Repository name from fqn to endpoint + name
|
2014-12-16 19:57:37 -05:00
|
|
|
repoInfo, err := registry.ParseRepositoryInfo(name)
|
2014-09-30 20:03:57 -04:00
|
|
|
if err != nil {
|
|
|
|
|
return job.Error(err)
|
|
|
|
|
}
|
|
|
|
|
|
2014-12-16 19:57:37 -05:00
|
|
|
manifestBytes, err := s.newManifest(name, repoInfo.RemoteName, tag)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return job.Error(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
_, err = job.Stdout.Write(manifestBytes)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return job.Error(err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return engine.StatusOK
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (s *TagStore) newManifest(localName, remoteName, tag string) ([]byte, error) {
|
2014-09-30 20:03:57 -04:00
|
|
|
manifest := ®istry.ManifestData{
|
|
|
|
|
Name: remoteName,
|
|
|
|
|
Tag: tag,
|
|
|
|
|
SchemaVersion: 1,
|
|
|
|
|
}
|
2015-01-02 14:13:11 -05:00
|
|
|
localRepo, err := s.Get(localName)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, err
|
|
|
|
|
}
|
|
|
|
|
if localRepo == nil {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, fmt.Errorf("Repo does not exist: %s", localName)
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
|
2015-01-02 14:13:11 -05:00
|
|
|
// Get the top-most layer id which the tag points to
|
2014-09-30 20:03:57 -04:00
|
|
|
layerId, exists := localRepo[tag]
|
|
|
|
|
if !exists {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, fmt.Errorf("Tag does not exist for %s: %s", localName, tag)
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
layersSeen := make(map[string]bool)
|
|
|
|
|
|
|
|
|
|
layer, err := s.graph.Get(layerId)
|
|
|
|
|
if err != nil {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, err
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
if layer.Config == nil {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, errors.New("Missing layer configuration")
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
manifest.Architecture = layer.Architecture
|
2014-10-09 20:34:52 -04:00
|
|
|
manifest.FSLayers = make([]*registry.FSLayer, 0, 4)
|
|
|
|
|
manifest.History = make([]*registry.ManifestHistory, 0, 4)
|
2014-09-30 20:03:57 -04:00
|
|
|
var metadata runconfig.Config
|
|
|
|
|
metadata = *layer.Config
|
|
|
|
|
|
|
|
|
|
for ; layer != nil; layer, err = layer.GetParent() {
|
|
|
|
|
if err != nil {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, err
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if layersSeen[layer.ID] {
|
|
|
|
|
break
|
|
|
|
|
}
|
|
|
|
|
if layer.Config != nil && metadata.Image != layer.ID {
|
|
|
|
|
err = runconfig.Merge(&metadata, layer.Config)
|
|
|
|
|
if err != nil {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, err
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
archive, err := layer.TarLayer()
|
|
|
|
|
if err != nil {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, err
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
|
2014-12-16 19:57:37 -05:00
|
|
|
tarSum, err := tarsum.NewTarSum(archive, true, tarsum.Version1)
|
2014-09-30 20:03:57 -04:00
|
|
|
if err != nil {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, err
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
if _, err := io.Copy(ioutil.Discard, tarSum); err != nil {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, err
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tarId := tarSum.Sum(nil)
|
|
|
|
|
|
2014-10-09 20:34:52 -04:00
|
|
|
manifest.FSLayers = append(manifest.FSLayers, ®istry.FSLayer{BlobSum: tarId})
|
2014-09-30 20:03:57 -04:00
|
|
|
|
|
|
|
|
layersSeen[layer.ID] = true
|
|
|
|
|
jsonData, err := ioutil.ReadFile(path.Join(s.graph.Root, layer.ID, "json"))
|
|
|
|
|
if err != nil {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, fmt.Errorf("Cannot retrieve the path for {%s}: %s", layer.ID, err)
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
2014-10-09 20:34:52 -04:00
|
|
|
manifest.History = append(manifest.History, ®istry.ManifestHistory{V1Compatibility: string(jsonData)})
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
manifestBytes, err := json.MarshalIndent(manifest, "", " ")
|
|
|
|
|
if err != nil {
|
2014-12-16 19:57:37 -05:00
|
|
|
return nil, err
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
|
|
|
|
|
2014-12-16 19:57:37 -05:00
|
|
|
return manifestBytes, nil
|
2014-09-30 20:03:57 -04:00
|
|
|
}
|
2015-01-02 14:13:11 -05:00
|
|
|
|
|
|
|
|
func (s *TagStore) verifyManifest(eng *engine.Engine, manifestBytes []byte) (*registry.ManifestData, bool, error) {
|
|
|
|
|
sig, err := libtrust.ParsePrettySignature(manifestBytes, "signatures")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, false, fmt.Errorf("error parsing payload: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
keys, err := sig.Verify()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, false, fmt.Errorf("error verifying payload: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
payload, err := sig.Payload()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, false, fmt.Errorf("error retrieving payload: %s", err)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var manifest registry.ManifestData
|
|
|
|
|
if err := json.Unmarshal(payload, &manifest); err != nil {
|
|
|
|
|
return nil, false, fmt.Errorf("error unmarshalling manifest: %s", err)
|
|
|
|
|
}
|
|
|
|
|
if manifest.SchemaVersion != 1 {
|
|
|
|
|
return nil, false, fmt.Errorf("unsupported schema version: %d", manifest.SchemaVersion)
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
var verified bool
|
|
|
|
|
for _, key := range keys {
|
|
|
|
|
job := eng.Job("trust_key_check")
|
|
|
|
|
b, err := key.MarshalJSON()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return nil, false, fmt.Errorf("error marshalling public key: %s", err)
|
|
|
|
|
}
|
|
|
|
|
namespace := manifest.Name
|
|
|
|
|
if namespace[0] != '/' {
|
|
|
|
|
namespace = "/" + namespace
|
|
|
|
|
}
|
|
|
|
|
stdoutBuffer := bytes.NewBuffer(nil)
|
|
|
|
|
|
|
|
|
|
job.Args = append(job.Args, namespace)
|
|
|
|
|
job.Setenv("PublicKey", string(b))
|
|
|
|
|
// Check key has read/write permission (0x03)
|
|
|
|
|
job.SetenvInt("Permission", 0x03)
|
|
|
|
|
job.Stdout.Add(stdoutBuffer)
|
|
|
|
|
if err = job.Run(); err != nil {
|
|
|
|
|
return nil, false, fmt.Errorf("error running key check: %s", err)
|
|
|
|
|
}
|
|
|
|
|
result := engine.Tail(stdoutBuffer, 1)
|
|
|
|
|
log.Debugf("Key check result: %q", result)
|
|
|
|
|
if result == "verified" {
|
|
|
|
|
verified = true
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return &manifest, verified, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func checkValidManifest(manifest *registry.ManifestData) error {
|
|
|
|
|
if len(manifest.FSLayers) != len(manifest.History) {
|
|
|
|
|
return fmt.Errorf("length of history not equal to number of layers")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if len(manifest.FSLayers) == 0 {
|
|
|
|
|
return fmt.Errorf("no FSLayers in manifest")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return nil
|
|
|
|
|
}
|
