2014-10-02 05:26:06 +04:00
|
|
|
package trust
|
|
|
|
|
|
|
|
import (
|
|
|
|
"fmt"
|
|
|
|
"time"
|
|
|
|
|
2014-10-24 21:12:35 +04:00
|
|
|
log "github.com/Sirupsen/logrus"
|
2014-10-25 02:11:48 +04:00
|
|
|
"github.com/docker/docker/engine"
|
2014-10-02 05:26:06 +04:00
|
|
|
"github.com/docker/libtrust"
|
|
|
|
)
|
|
|
|
|
|
|
|
func (t *TrustStore) Install(eng *engine.Engine) error {
|
|
|
|
for name, handler := range map[string]engine.Handler{
|
|
|
|
"trust_key_check": t.CmdCheckKey,
|
|
|
|
"trust_update_base": t.CmdUpdateBase,
|
|
|
|
} {
|
|
|
|
if err := eng.Register(name, handler); err != nil {
|
|
|
|
return fmt.Errorf("Could not register %q: %v", name, err)
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return nil
|
|
|
|
}
|
|
|
|
|
2015-03-25 10:44:12 +03:00
|
|
|
func (t *TrustStore) CmdCheckKey(job *engine.Job) error {
|
2014-10-02 05:26:06 +04:00
|
|
|
if n := len(job.Args); n != 1 {
|
2015-03-25 10:44:12 +03:00
|
|
|
return fmt.Errorf("Usage: %s NAMESPACE", job.Name)
|
2014-10-02 05:26:06 +04:00
|
|
|
}
|
|
|
|
var (
|
|
|
|
namespace = job.Args[0]
|
|
|
|
keyBytes = job.Getenv("PublicKey")
|
|
|
|
)
|
|
|
|
|
|
|
|
if keyBytes == "" {
|
2015-03-25 10:44:12 +03:00
|
|
|
return fmt.Errorf("Missing PublicKey")
|
2014-10-02 05:26:06 +04:00
|
|
|
}
|
|
|
|
pk, err := libtrust.UnmarshalPublicKeyJWK([]byte(keyBytes))
|
|
|
|
if err != nil {
|
2015-03-25 10:44:12 +03:00
|
|
|
return fmt.Errorf("Error unmarshalling public key: %s", err)
|
2014-10-02 05:26:06 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
permission := uint16(job.GetenvInt("Permission"))
|
|
|
|
if permission == 0 {
|
|
|
|
permission = 0x03
|
|
|
|
}
|
|
|
|
|
|
|
|
t.RLock()
|
|
|
|
defer t.RUnlock()
|
|
|
|
if t.graph == nil {
|
|
|
|
job.Stdout.Write([]byte("no graph"))
|
2015-03-25 10:44:12 +03:00
|
|
|
return nil
|
2014-10-02 05:26:06 +04:00
|
|
|
}
|
|
|
|
|
|
|
|
// Check if any expired grants
|
|
|
|
verified, err := t.graph.Verify(pk, namespace, permission)
|
|
|
|
if err != nil {
|
2015-03-25 10:44:12 +03:00
|
|
|
return fmt.Errorf("Error verifying key to namespace: %s", namespace)
|
2014-10-02 05:26:06 +04:00
|
|
|
}
|
|
|
|
if !verified {
|
|
|
|
log.Debugf("Verification failed for %s using key %s", namespace, pk.KeyID())
|
|
|
|
job.Stdout.Write([]byte("not verified"))
|
|
|
|
} else if t.expiration.Before(time.Now()) {
|
|
|
|
job.Stdout.Write([]byte("expired"))
|
|
|
|
} else {
|
|
|
|
job.Stdout.Write([]byte("verified"))
|
|
|
|
}
|
|
|
|
|
2015-03-25 10:44:12 +03:00
|
|
|
return nil
|
2014-10-02 05:26:06 +04:00
|
|
|
}
|
|
|
|
|
2015-03-25 10:44:12 +03:00
|
|
|
func (t *TrustStore) CmdUpdateBase(job *engine.Job) error {
|
2014-10-02 05:26:06 +04:00
|
|
|
t.fetch()
|
|
|
|
|
2015-03-25 10:44:12 +03:00
|
|
|
return nil
|
2014-10-02 05:26:06 +04:00
|
|
|
}
|