package main import ( "fmt" "io/ioutil" "net" "net/http" "os" "os/exec" "path/filepath" "strings" "time" "github.com/docker/docker/cliconfig" "github.com/docker/docker/pkg/tlsconfig" "github.com/docker/notary/client" "github.com/docker/notary/passphrase" "github.com/docker/notary/tuf/data" "github.com/go-check/check" ) var notaryBinary = "notary-server" var notaryClientBinary = "notary" type testNotary struct { cmd *exec.Cmd dir string } const notaryHost = "localhost:4443" const notaryURL = "https://" + notaryHost func newTestNotary(c *check.C) (*testNotary, error) { // generate server config template := `{ "server": { "http_addr": "%s", "tls_key_file": "%s", "tls_cert_file": "%s" }, "trust_service": { "type": "local", "hostname": "", "port": "", "key_algorithm": "ed25519" }, "logging": { "level": "debug" }, "storage": { "backend": "memory" } }` tmp, err := ioutil.TempDir("", "notary-test-") if err != nil { return nil, err } confPath := filepath.Join(tmp, "config.json") config, err := os.Create(confPath) defer config.Close() if err != nil { return nil, err } workingDir, err := os.Getwd() if err != nil { return nil, err } if _, err := fmt.Fprintf(config, template, notaryHost, filepath.Join(workingDir, "fixtures/notary/localhost.key"), filepath.Join(workingDir, "fixtures/notary/localhost.cert")); err != nil { os.RemoveAll(tmp) return nil, err } // generate client config clientConfPath := filepath.Join(tmp, "client-config.json") clientConfig, err := os.Create(clientConfPath) defer clientConfig.Close() if err != nil { return nil, err } template = `{ "trust_dir" : "%s", "remote_server": { "url": "%s", "skipTLSVerify": true } }` if _, err = fmt.Fprintf(clientConfig, template, filepath.Join(cliconfig.ConfigDir(), "trust"), notaryURL); err != nil { os.RemoveAll(tmp) return nil, err } // run notary-server cmd := exec.Command(notaryBinary, "-config", confPath) if err := cmd.Start(); err != nil { os.RemoveAll(tmp) if os.IsNotExist(err) { c.Skip(err.Error()) } return nil, err } testNotary := &testNotary{ cmd: cmd, dir: tmp, } // Wait for notary to be ready to serve requests. for i := 1; i <= 5; i++ { if err = testNotary.Ping(); err == nil { break } time.Sleep(10 * time.Millisecond * time.Duration(i*i)) } if err != nil { c.Fatalf("Timeout waiting for test notary to become available: %s", err) } return testNotary, nil } func (t *testNotary) Ping() error { tlsConfig := tlsconfig.ClientDefault tlsConfig.InsecureSkipVerify = true client := http.Client{ Transport: &http.Transport{ Proxy: http.ProxyFromEnvironment, Dial: (&net.Dialer{ Timeout: 30 * time.Second, KeepAlive: 30 * time.Second, }).Dial, TLSHandshakeTimeout: 10 * time.Second, TLSClientConfig: &tlsConfig, }, } resp, err := client.Get(fmt.Sprintf("%s/v2/", notaryURL)) if err != nil { return err } if resp.StatusCode != 200 { return fmt.Errorf("notary ping replied with an unexpected status code %d", resp.StatusCode) } return nil } func (t *testNotary) Close() { t.cmd.Process.Kill() os.RemoveAll(t.dir) } func (s *DockerTrustSuite) trustedCmd(cmd *exec.Cmd) { pwd := "12345678" trustCmdEnv(cmd, notaryURL, pwd, pwd) } func (s *DockerTrustSuite) trustedCmdWithServer(cmd *exec.Cmd, server string) { pwd := "12345678" trustCmdEnv(cmd, server, pwd, pwd) } func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, repositoryPwd string) { trustCmdEnv(cmd, notaryURL, rootPwd, repositoryPwd) } func (s *DockerTrustSuite) trustedCmdWithDeprecatedEnvPassphrases(cmd *exec.Cmd, offlinePwd, taggingPwd string) { trustCmdDeprecatedEnv(cmd, notaryURL, offlinePwd, taggingPwd) } func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, repositoryPwd string) { env := []string{ "DOCKER_CONTENT_TRUST=1", fmt.Sprintf("DOCKER_CONTENT_TRUST_SERVER=%s", server), fmt.Sprintf("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=%s", rootPwd), fmt.Sprintf("DOCKER_CONTENT_TRUST_REPOSITORY_PASSPHRASE=%s", repositoryPwd), } cmd.Env = append(os.Environ(), env...) } // Helper method to test the old env variables OFFLINE and TAGGING that will // be deprecated by 1.10 func trustCmdDeprecatedEnv(cmd *exec.Cmd, server, offlinePwd, taggingPwd string) { env := []string{ "DOCKER_CONTENT_TRUST=1", fmt.Sprintf("DOCKER_CONTENT_TRUST_SERVER=%s", server), fmt.Sprintf("DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE=%s", offlinePwd), fmt.Sprintf("DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE=%s", taggingPwd), } cmd.Env = append(os.Environ(), env...) } func (s *DockerTrustSuite) setupTrustedImage(c *check.C, name string) string { repoName := fmt.Sprintf("%v/dockercli/%s:latest", privateRegistryURL, name) // tag the image and upload it to the private registry dockerCmd(c, "tag", "busybox", repoName) pushCmd := exec.Command(dockerBinary, "push", repoName) s.trustedCmd(pushCmd) out, _, err := runCommandWithOutput(pushCmd) if err != nil { c.Fatalf("Error running trusted push: %s\n%s", err, out) } if !strings.Contains(string(out), "Signing and pushing trust metadata") { c.Fatalf("Missing expected output on trusted push:\n%s", out) } if out, status := dockerCmd(c, "rmi", repoName); status != 0 { c.Fatalf("Error removing image %q\n%s", repoName, out) } return repoName } func notaryClientEnv(cmd *exec.Cmd, rootPwd, repositoryPwd string) { env := []string{ fmt.Sprintf("NOTARY_ROOT_PASSPHRASE=%s", rootPwd), fmt.Sprintf("NOTARY_TARGETS_PASSPHRASE=%s", repositoryPwd), fmt.Sprintf("NOTARY_SNAPSHOT_PASSPHRASE=%s", repositoryPwd), } cmd.Env = append(os.Environ(), env...) } func (s *DockerTrustSuite) setupDelegations(c *check.C, repoName, pwd string) { initCmd := exec.Command(notaryClientBinary, "-c", filepath.Join(s.not.dir, "client-config.json"), "init", repoName) notaryClientEnv(initCmd, pwd, pwd) out, _, err := runCommandWithOutput(initCmd) if err != nil { c.Fatalf("Error initializing notary repository: %s\n", out) } // no command line for this, so build by hand nRepo, err := client.NewNotaryRepository(filepath.Join(cliconfig.ConfigDir(), "trust"), repoName, notaryURL, nil, passphrase.ConstantRetriever(pwd)) if err != nil { c.Fatalf("Error creating notary repository: %s\n", err) } delgKey, err := nRepo.CryptoService.Create("targets/releases", data.ECDSAKey) if err != nil { c.Fatalf("Error creating delegation key: %s\n", err) } err = nRepo.AddDelegation("targets/releases", 1, []data.PublicKey{delgKey}, []string{""}) if err != nil { c.Fatalf("Error creating delegation: %s\n", err) } // publishing first simulates the client pushing to a repo that they have been given delegated access to pubCmd := exec.Command(notaryClientBinary, "-c", filepath.Join(s.not.dir, "client-config.json"), "publish", repoName) notaryClientEnv(pubCmd, pwd, pwd) out, _, err = runCommandWithOutput(pubCmd) if err != nil { c.Fatalf("Error publishing notary repository: %s\n", out) } }