moby--moby/trust/service.go

package trust

import (
	"fmt"
	"time"

	log "github.com/Sirupsen/logrus"
	"github.com/docker/docker/engine"
	"github.com/docker/libtrust"
)

func (t *TrustStore) Install(eng *engine.Engine) error {
	for name, handler := range map[string]engine.Handler{
		"trust_key_check":   t.CmdCheckKey,
		"trust_update_base": t.CmdUpdateBase,
	} {
		if err := eng.Register(name, handler); err != nil {
			return fmt.Errorf("Could not register %q: %v", name, err)
		}
	}
	return nil
}

func (t *TrustStore) CmdCheckKey(job *engine.Job) engine.Status {
	if n := len(job.Args); n != 1 {
		return job.Errorf("Usage: %s NAMESPACE", job.Name)
	}
	var (
		namespace = job.Args[0]
		keyBytes  = job.Getenv("PublicKey")
	)

	if keyBytes == "" {
		return job.Errorf("Missing PublicKey")
	}
	pk, err := libtrust.UnmarshalPublicKeyJWK([]byte(keyBytes))
	if err != nil {
		return job.Errorf("Error unmarshalling public key: %s", err)
	}

	permission := uint16(job.GetenvInt("Permission"))
	if permission == 0 {
		permission = 0x03
	}

	t.RLock()
	defer t.RUnlock()
	if t.graph == nil {
		job.Stdout.Write([]byte("no graph"))
		return engine.StatusOK
	}

	// Check if any expired grants
	verified, err := t.graph.Verify(pk, namespace, permission)
	if err != nil {
		return job.Errorf("Error verifying key to namespace: %s", namespace)
	}
	if !verified {
		log.Debugf("Verification failed for %s using key %s", namespace, pk.KeyID())
		job.Stdout.Write([]byte("not verified"))
	} else if t.expiration.Before(time.Now()) {
		job.Stdout.Write([]byte("expired"))
	} else {
		job.Stdout.Write([]byte("verified"))
	}

	return engine.StatusOK
}

func (t *TrustStore) CmdUpdateBase(job *engine.Job) engine.Status {
	t.fetch()

	return engine.StatusOK
}
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`package trust`

			`import (`
			`"fmt"`
			`"time"`

Use logrus everywhere for logging Fixed #8761 Signed-off-by: Alexandr Morozov <lk4d4@docker.com> 2014-10-24 13:12:35 -04:00			`log "github.com/Sirupsen/logrus"`
Mass gofmt Signed-off-by: Alexandr Morozov <lk4d4@docker.com> 2014-10-24 18:11:48 -04:00			`"github.com/docker/docker/engine"`
Add provenance pull flow for official images Add support for pulling signed images from a version 2 registry. Only official images within the library namespace will be pull from the new registry and check the build signature. Signed-off-by: Derek McGowan <derek@mcgstyle.net> (github: dmcgowan) 2014-10-01 21:26:06 -04:00			`"github.com/docker/libtrust"`
			`)`

			`func (t TrustStore) Install(eng engine.Engine) error {`
			`for name, handler := range map[string]engine.Handler{`
			`"trust_key_check": t.CmdCheckKey,`
			`"trust_update_base": t.CmdUpdateBase,`
			`} {`
			`if err := eng.Register(name, handler); err != nil {`
			`return fmt.Errorf("Could not register %q: %v", name, err)`
			`}`
			`}`
			`return nil`
			`}`

			`func (t TrustStore) CmdCheckKey(job engine.Job) engine.Status {`
			`if n := len(job.Args); n != 1 {`
			`return job.Errorf("Usage: %s NAMESPACE", job.Name)`
			`}`
			`var (`
			`namespace = job.Args[0]`
			`keyBytes = job.Getenv("PublicKey")`
			`)`

			`if keyBytes == "" {`
			`return job.Errorf("Missing PublicKey")`
			`}`
			`pk, err := libtrust.UnmarshalPublicKeyJWK([]byte(keyBytes))`
			`if err != nil {`
			`return job.Errorf("Error unmarshalling public key: %s", err)`
			`}`

			`permission := uint16(job.GetenvInt("Permission"))`
			`if permission == 0 {`
			`permission = 0x03`
			`}`

			`t.RLock()`
			`defer t.RUnlock()`
			`if t.graph == nil {`
			`job.Stdout.Write([]byte("no graph"))`
			`return engine.StatusOK`
			`}`

			`// Check if any expired grants`
			`verified, err := t.graph.Verify(pk, namespace, permission)`
			`if err != nil {`
			`return job.Errorf("Error verifying key to namespace: %s", namespace)`
			`}`
			`if !verified {`
			`log.Debugf("Verification failed for %s using key %s", namespace, pk.KeyID())`
			`job.Stdout.Write([]byte("not verified"))`
			`} else if t.expiration.Before(time.Now()) {`
			`job.Stdout.Write([]byte("expired"))`
			`} else {`
			`job.Stdout.Write([]byte("verified"))`
			`}`

			`return engine.StatusOK`
			`}`

			`func (t TrustStore) CmdUpdateBase(job engine.Job) engine.Status {`
			`t.fetch()`

			`return engine.StatusOK`
			`}`