-
Notifications
You must be signed in to change notification settings - Fork 512
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Per-DB signer tests #863
Per-DB signer tests #863
Conversation
aabd5f6
to
fafad37
Compare
// Add the key to cache | ||
s.cachedKeys[privKey.ID()] = &cachedKey{key: privKey, role: role} | ||
} | ||
return privKey, role, err |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
non-blocking nit: while this shouldn't make any difference in actual values returned, it could be clearer if this returned data.PrivateKey{}, "", err
@@ -77,7 +79,7 @@ func rdbPrivateKeyFromJSON(data []byte) (interface{}, error) { | |||
// PrivateKeysRethinkTable is the table definition for notary signer's key information | |||
var PrivateKeysRethinkTable = rethinkdb.Table{ | |||
Name: RDBPrivateKey{}.TableName(), | |||
PrimaryKey: RDBPrivateKey{}.KeyID, | |||
PrimaryKey: "key_id", |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
do we need the hardcoded string instead of the constant here?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
RDBPrivateKey{}.KeyID
was just the empty string, because it initialized the empty struct and so that value is just the zero value (so it wasn't correctly setting the primary key, so the unique key ID constraint wasn't being enforced).
If we wanted to declare a constant and use it to set the tag value (so we can use the constant here) or if we wanted to pull out the tag value, I think we're going to need some reflection to do so, or better yet: https://github.com/oleiade/reflections.
If we wanted to add that though, maybe it can be a different PR?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ah yes, sorry I missed that. I'm fine with a hardcoded string for now and following up with reflection in a separate PR
this is great, thank you for adding these fixes and tests! LGTM pending CI |
df3e66f
to
f7319e0
Compare
} | ||
|
||
// NewCachedKeyStore returns a new trustmanager.KeyStore that includes caching | ||
func NewCachedKeyStore(baseStore trustmanager.KeyStore) trustmanager.KeyStore { |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I'm thinking this could also replace a chunk of trustmanager.GenericKeyStore
down the road, particularly if we get around to separating the password stuff out. We'd end up with something like NewCachedKeyStore( NewGenericKeyStore( NewPasswdStorage( NewFileStorage(keyDirectory) )))
:-D
…round a KeyStore. This can be used in the future for filesystem KeyStores too. Note that existing sql_keydbstore tests will now fail in this commit, to be fixed in the next commit. Signed-off-by: Ying Li <ying.li@docker.com>
…test file which has logic that can also be used to test rethink, and which expects a sqlite or mysql initializer. Also rename the KeyDBStore to SQLKeyDBStore, and fix delete key to always succeed. Configure dbtests.sh script to run both the server and signer db tests now. Signed-off-by: Ying Li <ying.li@docker.com>
…ion tests. Fix the following in the RethinkDB implementation: - health check needs to ensure the user has access to the db and table - store the public and private bits as byte slices, because the otherwise rethink can't deal with the binary data - fix the rethink queries for rotating a key passphrase - use the same code as GetKey Signed-off-by: Ying Li <ying.li@docker.com>
…implementations. Also wait to lock the keydb cache until after a key was retrieved successfully. Signed-off-by: Ying Li <ying.li@docker.com>
LGTM! Thank you so much for adding the rethink tests! |
This adds specific mysql DB and rethink DB tests for the signer.
It also does the following:
KeyStore
implementations into a wrapperKeyStore
KeyDBStore
toSQLKeyDBStore
and add SQL types to the Gorm model (otherwise the schema is not created correctly in MySQL tests)SQLKeyDBStore
'sRemoveKey
to always succeed, even if the key doesn't existRethinkKeyDBStore
's public and private bytes as[]byte
, otherwise rethink won't know that it's binary data and will mangle the result - this doesn't matter for the private key bytes, since we encrypt it in such a way that it's base64 encoded, but I changed it anyway in case we want to change encryption method in the futureRethinkKeyDBStore
's key rotation function - it now uses the same get query asGetKey