From 9e50bf6270f426f6ef6649b1985036988b207407 Mon Sep 17 00:00:00 2001 From: Alexander Morozov Date: Mon, 20 Apr 2015 12:48:33 -0700 Subject: [PATCH] Remove engine from trust Signed-off-by: Alexander Morozov --- daemon/daemon.go | 28 +++++++++--------- graph/manifest.go | 36 +++++++++++------------ graph/pull.go | 5 +--- graph/tags.go | 21 ++++++++++---- graph/tags_unit_test.go | 6 +++- trust/service.go | 63 ++++++++++++++--------------------------- 6 files changed, 74 insertions(+), 85 deletions(-) diff --git a/daemon/daemon.go b/daemon/daemon.go index ccf254b2cf..7dc0f21976 100644 --- a/daemon/daemon.go +++ b/daemon/daemon.go @@ -108,7 +108,6 @@ type Daemon struct { containerGraph *graphdb.Database driver graphdriver.Driver execDriver execdriver.Driver - trustStore *trust.TrustStore statsCollector *statsCollector defaultLogConfig runconfig.LogConfig RegistryService *registry.Service @@ -129,9 +128,6 @@ func (daemon *Daemon) Install(eng *engine.Engine) error { if err := daemon.Repositories().Install(eng); err != nil { return err } - if err := daemon.trustStore.Install(eng); err != nil { - return err - } // FIXME: this hack is necessary for legacy integration tests to access // the daemon object. eng.HackSetGlobalVar("httpapi.daemon", daemon) @@ -903,22 +899,29 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine, registryService return nil, err } - eventsService := events.New() - logrus.Debug("Creating repository list") - repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), g, trustKey, registryService, eventsService) - if err != nil { - return nil, fmt.Errorf("Couldn't create Tag store: %s", err) - } - trustDir := path.Join(config.Root, "trust") if err := os.MkdirAll(trustDir, 0700); err != nil && !os.IsExist(err) { return nil, err } - t, err := trust.NewTrustStore(trustDir) + trustService, err := trust.NewTrustStore(trustDir) if err != nil { return nil, fmt.Errorf("could not create trust store: %s", err) } + eventsService := events.New() + logrus.Debug("Creating repository list") + tagCfg := &graph.TagStoreConfig{ + Graph: g, + Key: trustKey, + Registry: registryService, + Events: eventsService, + Trust: trustService, + } + repositories, err := graph.NewTagStore(path.Join(config.Root, "repositories-"+driver.String()), tagCfg) + if err != nil { + return nil, fmt.Errorf("Couldn't create Tag store: %s", err) + } + if !config.DisableNetwork { if err := bridge.InitDriver(&config.Bridge); err != nil { return nil, fmt.Errorf("Error initializing Bridge: %v", err) @@ -980,7 +983,6 @@ func NewDaemonFromDirectory(config *Config, eng *engine.Engine, registryService sysInitPath: sysInitPath, execDriver: ed, eng: eng, - trustStore: t, statsCollector: newStatsCollector(1 * time.Second), defaultLogConfig: config.LogConfig, RegistryService: registryService, diff --git a/graph/manifest.go b/graph/manifest.go index 7e9281537e..e6d5ebc39c 100644 --- a/graph/manifest.go +++ b/graph/manifest.go @@ -1,7 +1,6 @@ package graph import ( - "bytes" "encoding/json" "fmt" @@ -9,6 +8,7 @@ import ( "github.com/docker/distribution/digest" "github.com/docker/docker/engine" "github.com/docker/docker/registry" + "github.com/docker/docker/trust" "github.com/docker/docker/utils" "github.com/docker/libtrust" ) @@ -69,32 +69,28 @@ func (s *TagStore) loadManifest(eng *engine.Engine, manifestBytes []byte, dgst, var verified bool for _, key := range keys { - job := eng.Job("trust_key_check") - b, err := key.MarshalJSON() - if err != nil { - return nil, false, fmt.Errorf("error marshalling public key: %s", err) - } namespace := manifest.Name if namespace[0] != '/' { namespace = "/" + namespace } - stdoutBuffer := bytes.NewBuffer(nil) - - job.Args = append(job.Args, namespace) - job.Setenv("PublicKey", string(b)) - // Check key has read/write permission (0x03) - job.SetenvInt("Permission", 0x03) - job.Stdout.Add(stdoutBuffer) - if err = job.Run(); err != nil { - return nil, false, fmt.Errorf("error running key check: %s", err) + b, err := key.MarshalJSON() + if err != nil { + return nil, false, fmt.Errorf("error marshalling public key: %s", err) } - result := engine.Tail(stdoutBuffer, 1) - logrus.Debugf("Key check result: %q", result) - if result == "verified" { - verified = true + // Check key has read/write permission (0x03) + v, err := s.trustService.CheckKey(namespace, b, 0x03) + if err != nil { + vErr, ok := err.(trust.NotVerifiedError) + if !ok { + return nil, false, fmt.Errorf("error running key check: %s", err) + } + logrus.Debugf("Key check result: %v", vErr) + } + verified = v + if verified { + logrus.Debug("Key check result: verified") } } - return &manifest, verified, nil } diff --git a/graph/pull.go b/graph/pull.go index fa22d335d3..edc67df9d6 100644 --- a/graph/pull.go +++ b/graph/pull.go @@ -70,10 +70,7 @@ func (s *TagStore) Pull(image string, tag string, imagePullConfig *ImagePullConf if len(repoInfo.Index.Mirrors) == 0 && (repoInfo.Index.Official || endpoint.Version == registry.APIVersion2) { if repoInfo.Official { - j := eng.Job("trust_update_base") - if err = j.Run(); err != nil { - logrus.Errorf("error updating trust base graph: %s", err) - } + s.trustService.UpdateBase() } logrus.Debugf("pulling v2 repository with local name %q", repoInfo.LocalName) diff --git a/graph/tags.go b/graph/tags.go index 444e74f726..39f0ffc29a 100644 --- a/graph/tags.go +++ b/graph/tags.go @@ -18,6 +18,7 @@ import ( "github.com/docker/docker/pkg/parsers" "github.com/docker/docker/pkg/stringid" "github.com/docker/docker/registry" + "github.com/docker/docker/trust" "github.com/docker/docker/utils" "github.com/docker/libtrust" ) @@ -42,6 +43,7 @@ type TagStore struct { pushingPool map[string]chan struct{} registryService *registry.Service eventsService *events.Events + trustService *trust.TrustStore } type Repository map[string]string @@ -64,7 +66,15 @@ func (r Repository) Contains(u Repository) bool { return true } -func NewTagStore(path string, graph *Graph, key libtrust.PrivateKey, registryService *registry.Service, eventsService *events.Events) (*TagStore, error) { +type TagStoreConfig struct { + Graph *Graph + Key libtrust.PrivateKey + Registry *registry.Service + Events *events.Events + Trust *trust.TrustStore +} + +func NewTagStore(path string, cfg *TagStoreConfig) (*TagStore, error) { abspath, err := filepath.Abs(path) if err != nil { return nil, err @@ -72,13 +82,14 @@ func NewTagStore(path string, graph *Graph, key libtrust.PrivateKey, registrySer store := &TagStore{ path: abspath, - graph: graph, - trustKey: key, + graph: cfg.Graph, + trustKey: cfg.Key, Repositories: make(map[string]Repository), pullingPool: make(map[string]chan struct{}), pushingPool: make(map[string]chan struct{}), - registryService: registryService, - eventsService: eventsService, + registryService: cfg.Registry, + eventsService: cfg.Events, + trustService: cfg.Trust, } // Load the json file if it exists, otherwise create it. if err := store.reload(); os.IsNotExist(err) { diff --git a/graph/tags_unit_test.go b/graph/tags_unit_test.go index 4a4ddbe4b3..0482fa58e3 100644 --- a/graph/tags_unit_test.go +++ b/graph/tags_unit_test.go @@ -60,7 +60,11 @@ func mkTestTagStore(root string, t *testing.T) *TagStore { if err != nil { t.Fatal(err) } - store, err := NewTagStore(path.Join(root, "tags"), graph, nil, nil, events.New()) + tagCfg := &TagStoreConfig{ + Graph: graph, + Events: events.New(), + } + store, err := NewTagStore(path.Join(root, "tags"), tagCfg) if err != nil { t.Fatal(err) } diff --git a/trust/service.go b/trust/service.go index 12b9645667..6a804faf52 100644 --- a/trust/service.go +++ b/trust/service.go @@ -5,70 +5,49 @@ import ( "time" "github.com/Sirupsen/logrus" - "github.com/docker/docker/engine" "github.com/docker/libtrust" ) -func (t *TrustStore) Install(eng *engine.Engine) error { - for name, handler := range map[string]engine.Handler{ - "trust_key_check": t.CmdCheckKey, - "trust_update_base": t.CmdUpdateBase, - } { - if err := eng.Register(name, handler); err != nil { - return fmt.Errorf("Could not register %q: %v", name, err) - } - } - return nil +type NotVerifiedError string + +func (e NotVerifiedError) Error() string { + return string(e) } -func (t *TrustStore) CmdCheckKey(job *engine.Job) error { - if n := len(job.Args); n != 1 { - return fmt.Errorf("Usage: %s NAMESPACE", job.Name) +func (t *TrustStore) CheckKey(ns string, key []byte, perm uint16) (bool, error) { + if len(key) == 0 { + return false, fmt.Errorf("Missing PublicKey") } - var ( - namespace = job.Args[0] - keyBytes = job.Getenv("PublicKey") - ) - - if keyBytes == "" { - return fmt.Errorf("Missing PublicKey") - } - pk, err := libtrust.UnmarshalPublicKeyJWK([]byte(keyBytes)) + pk, err := libtrust.UnmarshalPublicKeyJWK(key) if err != nil { - return fmt.Errorf("Error unmarshalling public key: %s", err) + return false, fmt.Errorf("Error unmarshalling public key: %v", err) } - permission := uint16(job.GetenvInt("Permission")) - if permission == 0 { - permission = 0x03 + if perm == 0 { + perm = 0x03 } t.RLock() defer t.RUnlock() if t.graph == nil { - job.Stdout.Write([]byte("no graph")) - return nil + return false, NotVerifiedError("no graph") } // Check if any expired grants - verified, err := t.graph.Verify(pk, namespace, permission) + verified, err := t.graph.Verify(pk, ns, perm) if err != nil { - return fmt.Errorf("Error verifying key to namespace: %s", namespace) + return false, fmt.Errorf("Error verifying key to namespace: %s", ns) } if !verified { - logrus.Debugf("Verification failed for %s using key %s", namespace, pk.KeyID()) - job.Stdout.Write([]byte("not verified")) - } else if t.expiration.Before(time.Now()) { - job.Stdout.Write([]byte("expired")) - } else { - job.Stdout.Write([]byte("verified")) + logrus.Debugf("Verification failed for %s using key %s", ns, pk.KeyID()) + return false, NotVerifiedError("not verified") } - - return nil + if t.expiration.Before(time.Now()) { + return false, NotVerifiedError("expired") + } + return true, nil } -func (t *TrustStore) CmdUpdateBase(job *engine.Job) error { +func (t *TrustStore) UpdateBase() { t.fetch() - - return nil }