mirror of
https://github.com/moby/moby.git
synced 2022-11-09 12:21:53 -05:00
Remove libtrust dep from api
Signed-off-by: Daniel Nephin <dnephin@docker.com>
This commit is contained in:
parent
22b246417f
commit
2f007e46d0
6 changed files with 130 additions and 133 deletions
|
@ -1,17 +1,5 @@
|
||||||
package api
|
package api
|
||||||
|
|
||||||
import (
|
|
||||||
"encoding/json"
|
|
||||||
"encoding/pem"
|
|
||||||
"fmt"
|
|
||||||
"os"
|
|
||||||
"path/filepath"
|
|
||||||
|
|
||||||
"github.com/docker/docker/pkg/ioutils"
|
|
||||||
"github.com/docker/docker/pkg/system"
|
|
||||||
"github.com/docker/libtrust"
|
|
||||||
)
|
|
||||||
|
|
||||||
// Common constants for daemon and client.
|
// Common constants for daemon and client.
|
||||||
const (
|
const (
|
||||||
// DefaultVersion of Current REST API
|
// DefaultVersion of Current REST API
|
||||||
|
@ -21,45 +9,3 @@ const (
|
||||||
// command to specify that no base image is to be used.
|
// command to specify that no base image is to be used.
|
||||||
NoBaseImageSpecifier string = "scratch"
|
NoBaseImageSpecifier string = "scratch"
|
||||||
)
|
)
|
||||||
|
|
||||||
// LoadOrCreateTrustKey attempts to load the libtrust key at the given path,
|
|
||||||
// otherwise generates a new one
|
|
||||||
func LoadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
|
|
||||||
err := system.MkdirAll(filepath.Dir(trustKeyPath), 0700, "")
|
|
||||||
if err != nil {
|
|
||||||
return nil, err
|
|
||||||
}
|
|
||||||
trustKey, err := libtrust.LoadKeyFile(trustKeyPath)
|
|
||||||
if err == libtrust.ErrKeyFileDoesNotExist {
|
|
||||||
trustKey, err = libtrust.GenerateECP256PrivateKey()
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("Error generating key: %s", err)
|
|
||||||
}
|
|
||||||
encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("Error serializing key: %s", err)
|
|
||||||
}
|
|
||||||
if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {
|
|
||||||
return nil, fmt.Errorf("Error saving key file: %s", err)
|
|
||||||
}
|
|
||||||
} else if err != nil {
|
|
||||||
return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)
|
|
||||||
}
|
|
||||||
return trustKey, nil
|
|
||||||
}
|
|
||||||
|
|
||||||
func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {
|
|
||||||
if ext == ".json" || ext == ".jwk" {
|
|
||||||
encoded, err = json.Marshal(key)
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("unable to encode private key JWK: %s", err)
|
|
||||||
}
|
|
||||||
} else {
|
|
||||||
pemBlock, err := key.PEMBlock()
|
|
||||||
if err != nil {
|
|
||||||
return nil, fmt.Errorf("unable to encode private key PEM: %s", err)
|
|
||||||
}
|
|
||||||
encoded = pem.EncodeToMemory(pemBlock)
|
|
||||||
}
|
|
||||||
return
|
|
||||||
}
|
|
||||||
|
|
|
@ -1,77 +0,0 @@
|
||||||
package api
|
|
||||||
|
|
||||||
import (
|
|
||||||
"io/ioutil"
|
|
||||||
"path/filepath"
|
|
||||||
"testing"
|
|
||||||
|
|
||||||
"os"
|
|
||||||
)
|
|
||||||
|
|
||||||
// LoadOrCreateTrustKey
|
|
||||||
func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) {
|
|
||||||
tmpKeyFolderPath, err := ioutil.TempDir("", "api-trustkey-test")
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal(err)
|
|
||||||
}
|
|
||||||
defer os.RemoveAll(tmpKeyFolderPath)
|
|
||||||
|
|
||||||
tmpKeyFile, err := ioutil.TempFile(tmpKeyFolderPath, "keyfile")
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal(err)
|
|
||||||
}
|
|
||||||
|
|
||||||
if _, err := LoadOrCreateTrustKey(tmpKeyFile.Name()); err == nil {
|
|
||||||
t.Fatal("expected an error, got nothing.")
|
|
||||||
}
|
|
||||||
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestLoadOrCreateTrustKeyCreateKey(t *testing.T) {
|
|
||||||
tmpKeyFolderPath, err := ioutil.TempDir("", "api-trustkey-test")
|
|
||||||
if err != nil {
|
|
||||||
t.Fatal(err)
|
|
||||||
}
|
|
||||||
defer os.RemoveAll(tmpKeyFolderPath)
|
|
||||||
|
|
||||||
// Without the need to create the folder hierarchy
|
|
||||||
tmpKeyFile := filepath.Join(tmpKeyFolderPath, "keyfile")
|
|
||||||
|
|
||||||
if key, err := LoadOrCreateTrustKey(tmpKeyFile); err != nil || key == nil {
|
|
||||||
t.Fatalf("expected a new key file, got : %v and %v", err, key)
|
|
||||||
}
|
|
||||||
|
|
||||||
if _, err := os.Stat(tmpKeyFile); err != nil {
|
|
||||||
t.Fatalf("Expected to find a file %s, got %v", tmpKeyFile, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// With the need to create the folder hierarchy as tmpKeyFie is in a path
|
|
||||||
// where some folders do not exist.
|
|
||||||
tmpKeyFile = filepath.Join(tmpKeyFolderPath, "folder/hierarchy/keyfile")
|
|
||||||
|
|
||||||
if key, err := LoadOrCreateTrustKey(tmpKeyFile); err != nil || key == nil {
|
|
||||||
t.Fatalf("expected a new key file, got : %v and %v", err, key)
|
|
||||||
}
|
|
||||||
|
|
||||||
if _, err := os.Stat(tmpKeyFile); err != nil {
|
|
||||||
t.Fatalf("Expected to find a file %s, got %v", tmpKeyFile, err)
|
|
||||||
}
|
|
||||||
|
|
||||||
// With no path at all
|
|
||||||
defer os.Remove("keyfile")
|
|
||||||
if key, err := LoadOrCreateTrustKey("keyfile"); err != nil || key == nil {
|
|
||||||
t.Fatalf("expected a new key file, got : %v and %v", err, key)
|
|
||||||
}
|
|
||||||
|
|
||||||
if _, err := os.Stat("keyfile"); err != nil {
|
|
||||||
t.Fatalf("Expected to find a file keyfile, got %v", err)
|
|
||||||
}
|
|
||||||
}
|
|
||||||
|
|
||||||
func TestLoadOrCreateTrustKeyLoadValidKey(t *testing.T) {
|
|
||||||
tmpKeyFile := filepath.Join("fixtures", "keyfile")
|
|
||||||
|
|
||||||
if key, err := LoadOrCreateTrustKey(tmpKeyFile); err != nil || key == nil {
|
|
||||||
t.Fatalf("expected a key file, got : %v and %v", err, key)
|
|
||||||
}
|
|
||||||
}
|
|
|
@ -19,7 +19,6 @@ import (
|
||||||
"time"
|
"time"
|
||||||
|
|
||||||
containerd "github.com/containerd/containerd/api/grpc/types"
|
containerd "github.com/containerd/containerd/api/grpc/types"
|
||||||
"github.com/docker/docker/api"
|
|
||||||
"github.com/docker/docker/api/types"
|
"github.com/docker/docker/api/types"
|
||||||
containertypes "github.com/docker/docker/api/types/container"
|
containertypes "github.com/docker/docker/api/types/container"
|
||||||
"github.com/docker/docker/api/types/swarm"
|
"github.com/docker/docker/api/types/swarm"
|
||||||
|
@ -713,7 +712,7 @@ func NewDaemon(config *config.Config, registryService registry.Service, containe
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
||||||
trustKey, err := api.LoadOrCreateTrustKey(config.TrustKeyPath)
|
trustKey, err := loadOrCreateTrustKey(config.TrustKeyPath)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
57
daemon/trustkey.go
Normal file
57
daemon/trustkey.go
Normal file
|
@ -0,0 +1,57 @@
|
||||||
|
package daemon
|
||||||
|
|
||||||
|
import (
|
||||||
|
"encoding/json"
|
||||||
|
"encoding/pem"
|
||||||
|
"fmt"
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
|
||||||
|
"github.com/docker/docker/pkg/ioutils"
|
||||||
|
"github.com/docker/docker/pkg/system"
|
||||||
|
"github.com/docker/libtrust"
|
||||||
|
)
|
||||||
|
|
||||||
|
// LoadOrCreateTrustKey attempts to load the libtrust key at the given path,
|
||||||
|
// otherwise generates a new one
|
||||||
|
// TODO: this should use more of libtrust.LoadOrCreateTrustKey which may need
|
||||||
|
// a refactor or this function to be moved into libtrust
|
||||||
|
func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
|
||||||
|
err := system.MkdirAll(filepath.Dir(trustKeyPath), 0700, "")
|
||||||
|
if err != nil {
|
||||||
|
return nil, err
|
||||||
|
}
|
||||||
|
trustKey, err := libtrust.LoadKeyFile(trustKeyPath)
|
||||||
|
if err == libtrust.ErrKeyFileDoesNotExist {
|
||||||
|
trustKey, err = libtrust.GenerateECP256PrivateKey()
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error generating key: %s", err)
|
||||||
|
}
|
||||||
|
encodedKey, err := serializePrivateKey(trustKey, filepath.Ext(trustKeyPath))
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error serializing key: %s", err)
|
||||||
|
}
|
||||||
|
if err := ioutils.AtomicWriteFile(trustKeyPath, encodedKey, os.FileMode(0600)); err != nil {
|
||||||
|
return nil, fmt.Errorf("Error saving key file: %s", err)
|
||||||
|
}
|
||||||
|
} else if err != nil {
|
||||||
|
return nil, fmt.Errorf("Error loading key file %s: %s", trustKeyPath, err)
|
||||||
|
}
|
||||||
|
return trustKey, nil
|
||||||
|
}
|
||||||
|
|
||||||
|
func serializePrivateKey(key libtrust.PrivateKey, ext string) (encoded []byte, err error) {
|
||||||
|
if ext == ".json" || ext == ".jwk" {
|
||||||
|
encoded, err = json.Marshal(key)
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("unable to encode private key JWK: %s", err)
|
||||||
|
}
|
||||||
|
} else {
|
||||||
|
pemBlock, err := key.PEMBlock()
|
||||||
|
if err != nil {
|
||||||
|
return nil, fmt.Errorf("unable to encode private key PEM: %s", err)
|
||||||
|
}
|
||||||
|
encoded = pem.EncodeToMemory(pemBlock)
|
||||||
|
}
|
||||||
|
return
|
||||||
|
}
|
72
daemon/trustkey_test.go
Normal file
72
daemon/trustkey_test.go
Normal file
|
@ -0,0 +1,72 @@
|
||||||
|
package daemon
|
||||||
|
|
||||||
|
import (
|
||||||
|
"io/ioutil"
|
||||||
|
"os"
|
||||||
|
"path/filepath"
|
||||||
|
"testing"
|
||||||
|
|
||||||
|
"github.com/docker/docker/internal/testutil"
|
||||||
|
"github.com/gotestyourself/gotestyourself/fs"
|
||||||
|
"github.com/stretchr/testify/assert"
|
||||||
|
"github.com/stretchr/testify/require"
|
||||||
|
)
|
||||||
|
|
||||||
|
// LoadOrCreateTrustKey
|
||||||
|
func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) {
|
||||||
|
tmpKeyFolderPath, err := ioutil.TempDir("", "api-trustkey-test")
|
||||||
|
require.NoError(t, err)
|
||||||
|
defer os.RemoveAll(tmpKeyFolderPath)
|
||||||
|
|
||||||
|
tmpKeyFile, err := ioutil.TempFile(tmpKeyFolderPath, "keyfile")
|
||||||
|
require.NoError(t, err)
|
||||||
|
|
||||||
|
_, err = loadOrCreateTrustKey(tmpKeyFile.Name())
|
||||||
|
testutil.ErrorContains(t, err, "Error loading key file")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {
|
||||||
|
tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")
|
||||||
|
defer tmpKeyFolderPath.Remove()
|
||||||
|
|
||||||
|
// Without the need to create the folder hierarchy
|
||||||
|
tmpKeyFile := tmpKeyFolderPath.Join("keyfile")
|
||||||
|
|
||||||
|
key, err := loadOrCreateTrustKey(tmpKeyFile)
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.NotNil(t, key)
|
||||||
|
|
||||||
|
_, err = os.Stat(tmpKeyFile)
|
||||||
|
require.NoError(t, err, "key file doesn't exist")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestLoadOrCreateTrustKeyCreateKeyWhenDirectoryDoesNotExist(t *testing.T) {
|
||||||
|
tmpKeyFolderPath := fs.NewDir(t, "api-trustkey-test")
|
||||||
|
defer tmpKeyFolderPath.Remove()
|
||||||
|
tmpKeyFile := tmpKeyFolderPath.Join("folder/hierarchy/keyfile")
|
||||||
|
|
||||||
|
key, err := loadOrCreateTrustKey(tmpKeyFile)
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.NotNil(t, key)
|
||||||
|
|
||||||
|
_, err = os.Stat(tmpKeyFile)
|
||||||
|
require.NoError(t, err, "key file doesn't exist")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestLoadOrCreateTrustKeyCreateKeyNoPath(t *testing.T) {
|
||||||
|
defer os.Remove("keyfile")
|
||||||
|
key, err := loadOrCreateTrustKey("keyfile")
|
||||||
|
require.NoError(t, err)
|
||||||
|
assert.NotNil(t, key)
|
||||||
|
|
||||||
|
_, err = os.Stat("keyfile")
|
||||||
|
require.NoError(t, err, "key file doesn't exist")
|
||||||
|
}
|
||||||
|
|
||||||
|
func TestLoadOrCreateTrustKeyLoadValidKey(t *testing.T) {
|
||||||
|
tmpKeyFile := filepath.Join("testdata", "keyfile")
|
||||||
|
key, err := loadOrCreateTrustKey(tmpKeyFile)
|
||||||
|
require.NoError(t, err)
|
||||||
|
expected := "AWX2:I27X:WQFX:IOMK:CNAK:O7PW:VYNB:ZLKC:CVAE:YJP2:SI4A:XXAY"
|
||||||
|
assert.Contains(t, key.String(), expected)
|
||||||
|
}
|
Loading…
Reference in a new issue