#806 Part 3: Reimplement import export #825
Conversation
if k.outFile == "" { | ||
out = cmd.Out() | ||
} else { | ||
f, err := os.OpenFile(k.outFile, os.O_TRUNC|os.O_CREATE|os.O_WRONLY, notary.PrivKeyPerms) |
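Review bot: os.O_TRUNC|os.O_CREATE|os.O_WRONLY replaces whatever already exists at k.outFile, so pointing export at an existing key file silently overwrites it; unless overwriting is intended, add os.O_EXCL or a confirmation. Note also that the notary.PrivKeyPerms argument is applied only when the file is created: a pre-existing file keeps its old mode, so an existing world-readable file would receive the private key without being tightened. Either refuse pre-existing files or Chmod after opening.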
nit: might be worth explaining the bitwise or over these flags to explain that we're creating a new file in write mode, and possibly truncating
Actually I'm happy with the usage comment, which explains this at a higher level
@@ -159,10 +159,6 @@ var exampleValidCommands = []string{ | |||
"key list", | |||
"key rotate repo snapshot", | |||
"key generate rsa", | |||
"key backup tempfile.zip", | |||
"key export e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 backup.pem", |
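Review bot: deleting `key backup tempfile.zip` and `key export e3b0...backup.pem` leaves the reworked import/export commands with no entry in exampleValidCommands, so the argument-count check this list drives no longer exercises them; put the new `key import` and `key export` invocations in place of the removed lines rather than dropping the coverage.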
I think it'd be good to bring back the `key import` and `key export` commands here. This just tests for invalid number of arguments, if I remember correctly.
for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) { | ||
loc, ok := block.Headers["path"] | ||
if !ok || loc == "" { | ||
continue // don't know where to copy this key. Skip it. |
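Review bot: the `continue` drops any block without a "path" header silently, and a bare OpenSSL-generated key is exactly such a block, so a user importing one gets no keys and no message; log the skipped block (index and block.Type) at debug level. Separately, the header value comes straight from the file being imported and is used as the destination inside the keystore, so validate it as a relative path that cannot escape the keystore directory (reject absolute paths and `..` components) before anything is written.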
might be worth adding a debug log here in case users get confused why non-notary exported keys can't be imported due to the missing "path" header
this cleanup is awesome, thank you for tackling it! I think it'd be good to add some of the following tests around notary repositories:
Also we should open an issue for tracking the delegation "import key" flow - we'll still want a way to easily import a key fresh from openssl (without PEM headers) into a delegation role
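The skip-on-missing-header loop discussed above, together with the O_TRUNC|O_CREATE|O_WRONLY open from the earlier hunk, as an added Go example; this is not Notary's code. It assumes a 0600 owner-only mode for what the PR calls notary.PrivKeyPerms, a placeholder keystore layout (private/root_keys/<id>.key) and placeholder key bytes, and the names SafeKeyPath, ImportPEM, FileMode and ConstructedExport are the example's own. It goes one step beyond the page by validating the "path" header before writing, since that value comes from the file being imported.

```go
package main

import (
	"encoding/pem"
	"errors"
	"fmt"
	"log"
	"os"
	"path/filepath"
	"strings"
)

// privKeyPerms is the owner-only mode assumed for stored private keys
// (stands in for notary.PrivKeyPerms; 0600 is an assumption here).
const privKeyPerms os.FileMode = 0600

// ImportedKey records one PEM block that was written into the keystore.
type ImportedKey struct {
	Path string
	Type string
}

// SafeKeyPath validates a "path" header before it is used as a filesystem
// location: it must be a non-empty relative path that stays inside baseDir.
func SafeKeyPath(baseDir, loc string) (string, error) {
	if loc == "" || filepath.IsAbs(loc) {
		return "", errors.New("path header must be a non-empty relative path")
	}
	clean := filepath.Clean(loc)
	if clean == ".." || strings.HasPrefix(clean, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("path header %q escapes the keystore", loc)
	}
	return filepath.Join(baseDir, clean), nil
}

// ImportPEM iterates every PEM block in data. Blocks without a "path" header
// are skipped with a log line (OpenSSL-generated keys carry no headers, so this
// is the case users hit); the rest are written one file per block with
// O_TRUNC|O_CREATE|O_WRONLY: create if missing, empty if present, open
// write-only, and apply privKeyPerms to a newly created file.
func ImportPEM(baseDir string, data []byte) ([]ImportedKey, error) {
	var imported []ImportedKey
	n := 0
	for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
		n++
		loc, ok := block.Headers["path"]
		if !ok || loc == "" {
			log.Printf("import: skipping PEM block %d (%s): no \"path\" header, nowhere to store it", n, block.Type)
			continue
		}
		dst, err := SafeKeyPath(baseDir, loc)
		if err != nil {
			return imported, fmt.Errorf("block %d: %w", n, err)
		}
		if err := os.MkdirAll(filepath.Dir(dst), 0700); err != nil {
			return imported, err
		}
		f, err := os.OpenFile(dst, os.O_TRUNC|os.O_CREATE|os.O_WRONLY, privKeyPerms)
		if err != nil {
			return imported, err
		}
		if err := pem.Encode(f, block); err != nil {
			f.Close()
			return imported, err
		}
		if err := f.Close(); err != nil {
			return imported, err
		}
		imported = append(imported, ImportedKey{Path: dst, Type: block.Type})
	}
	return imported, nil
}

// FileMode returns the permission bits of a stored key so a caller can confirm
// the owner-only mode took effect (umask can only clear bits, never add them).
func FileMode(path string) (os.FileMode, error) {
	st, err := os.Stat(path)
	if err != nil {
		return 0, err
	}
	return st.Mode().Perm(), nil
}

// ConstructedExport builds a two-block file resembling the output of the new
// `key export`: one block carrying the "path" header and one bare block as
// `openssl` would write it. Key bytes and the path layout are placeholders.
func ConstructedExport() []byte {
	withPath := &pem.Block{
		Type:    "PRIVATE KEY",
		Headers: map[string]string{"path": "private/root_keys/abc123.key", "role": "root"},
		Bytes:   []byte("placeholder-not-a-real-key"),
	}
	bare := &pem.Block{Type: "PRIVATE KEY", Bytes: []byte("placeholder-openssl-style-key")}
	return append(pem.EncodeToMemory(withPath), pem.EncodeToMemory(bare)...)
}

func main() {
	dir, err := os.MkdirTemp("", "keystore")
	if err != nil {
		log.Fatal(err)
	}
	defer os.RemoveAll(dir)
	keys, err := ImportPEM(dir, ConstructedExport())
	if err != nil {
		log.Fatal(err)
	}
	for _, k := range keys {
		mode, _ := FileMode(k.Path)
		fmt.Printf("imported %s to %s (mode %o)\n", k.Type, k.Path, mode)
	}
}
```

Run it and the bare block is logged and skipped while the notary-style block lands under the temporary keystore with mode 0600. The mode argument to OpenFile applies only to a file that is created by the call, which is why checking FileMode after an import over an existing path is worthwhile.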
// NewPrivateSimpleFileStore is a wrapper to create an owner readable/writeable | ||
// _only_ filestore | ||
func NewPrivateSimpleFileStore(baseDir, fileExt string) (*FilesystemStore, error) { |
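Review bot: the doc comment promises an owner read/write only store, but the constructor takes no mode, so the permission it enforces is invisible at the call site; state the actual mode in the comment. If, as noted in review, its only remaining use is filestore_test.go, either drop the constructor or have that test os.Stat a written file and assert the mode, since creating the store alone checks nothing about permissions.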
With the modification of import/export to use `NewPrivateKeyFileStorage`, I think this constructor is no longer used anywhere else except `filestore_test.go`, where I don't think permissions are getting checked (we could use one of the other constructors?).
Tons of code changed, I think it's a good choice to just wait for it to be merged for myself 😄
Signed-off-by: David Lawrence <dclwrnc@gmail.com> (github: endophage)
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
var cmdKeyImportTemplate = usageTemplate{ | ||
Use: "import pemfile [ pemfile ... ]", | ||
Short: "Imports all keys from all provided .pem files", | ||
Long: "Imports all keys from all provided .pem files by reading each PEM block from the file and writing that block to a unique object in the local keystore", |
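Review bot: the Long text should say where the keys land. Per the PR description this import writes only to the local filesystem keystore and no longer imports into a Yubikey, which is a behaviour change from the previous command that users of hardware-backed root keys will run into; the usage string is the place to state it, together with a note that PEM blocks lacking a "path" header are skipped rather than imported.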
Do we want to mention that hardware storage is preferred in the long usage description?
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
I did a quick export - remove keys - re-import - publish test and it worked great 👍 LGTM!! Thank you for all of your hard work on this PR and the parts that preceded it :) If you don't mind, I'd like to file a couple of follow-up issues: importing delegation keys without the
Thank you for all your work on this refactor! LGTM!
@riyazdf goal is to make the
Hi, is there any plan to add new docs for this? I find that I can no longer use the command like
Depends on #808
Still need to write some tests for the new cmd/notary/keys.go code. Not sure my parsing of CLI flags is correct.

N.B. import will no longer import to a yubikey. More discussion required but I think this needs to be more explicit around when we import to a yubikey, maybe even a separate command, because it hits the key management APIs at a different level.

Functionality has been brought up to parity :-)

This PR contains parts 1 and 2 which have been closed in favour of merging this PR alone (means only this PR has to be rebased, not all 3)