Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

adding --role flag to key import #882

Merged
merged 9 commits into from
Aug 10, 2016
Merged

Conversation

avaid96
Copy link
Contributor

@avaid96 avaid96 commented Jul 28, 2016

closes #881

Signed-off-by: Avi Vaid avaid1996@gmail.com

@docker-jenkins
Copy link

Can one of the admins verify this patch?

@avaid96
Copy link
Contributor Author

avaid96 commented Jul 28, 2016

This is still WIP
Discussion:

  1. should we have a --gun flag for compatibility with the flat key store? as of now you can specify the path if you want a key associated with a gun but this won't be possible in a flat keystore. followup: should we even have a path if we have a flat keystore
  2. if there is a role flag should we limit to importing only one key or add that to all specified keys?

@HuKeping
Copy link
Contributor

HuKeping commented Jul 28, 2016

Thanks for the quick fixing!
btw, isn't it 1:00 AM at CA?

@HuKeping
Copy link
Contributor

Do you get this error when import keys:

failed to import key to store: PEM headers did not contain import path

@cyli
Copy link
Contributor

cyli commented Jul 28, 2016

@avaid96 I think taking a GUN makes sense, and a GUN header makes sense more than a path header in the flattened keystore. I think #825 included both headers - can import guess the path based on the GUN for now until flatten keystore is merged?

@@ -103,6 +103,9 @@ func ImportKeys(from io.Reader, to []Importer) error {
toWrite []byte
)
for block, rest := pem.Decode(data); block != nil; block, rest = pem.Decode(rest) {
if role != "" {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this conditional logic should be slightly different to match the usage comment - we should check if block.Headers["role"] exists, and set it to role if it's empty.

Also, I think this logic should combine with the pathing logic below since to-be-imported delegation keys may not have a path PEM header. We can check if we have a provided role and if it's a delegation we can write it to private/tuf_keys/<KEY_ID>.key. If we follow @cyli's suggestion for GUN headers we can include that in the path we construct for non-delegation keys as well.

@cyli
Copy link
Contributor

cyli commented Jul 29, 2016

@HuKeping Yep, that's what we are trying to fix. :)

@riyazdf riyazdf added this to the Notary 0.4 milestone Jul 29, 2016
@avaid96 avaid96 changed the title adding --role flag to key import WIP: adding --role flag to key import Aug 1, 2016
@@ -93,7 +94,7 @@ func ExportKeys(to io.Writer, s Exporter, from string) error {
// Each block is written to the subpath indicated in the "path" PEM
// header. If the file already exists, the file is truncated. Multiple
// adjacent PEMs with the same "path" header are appended together.
func ImportKeys(from io.Reader, to []Importer) error {
func ImportKeys(from io.Reader, to []Importer, role string, gun string, passRet notary.PassRetriever) error {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: can we call role and gun -> fallbackRole and fallbackGun or some such, to make it clear they're only used if there is no provided role or gun/path?

@avaid96 avaid96 changed the title WIP: adding --role flag to key import adding --role flag to key import Aug 4, 2016
@@ -26,7 +27,7 @@ type Importer interface {
// ExportKeysByGUN exports all keys filtered to a GUN
func ExportKeysByGUN(to io.Writer, s Exporter, gun string) error {
keys := s.ListFiles()
sort.Strings(keys) // ensure consistenct. ListFiles has no order guarantee
sort.Strings(keys) // ensure consistent. ListFiles has no order guarantee
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: I think this was originally a typo for consistency

@avaid96 avaid96 self-assigned this Aug 5, 2016
@@ -0,0 +1,27 @@
-----BEGIN RSA PRIVATE KEY-----
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: can we put these keys in the fixtures directory? Also, you may not need this key without the role header because we other keys (ex: secure.example.com.key) without headers that we can test with

@avaid96 avaid96 force-pushed the rolefl branch 2 times, most recently from ce5cf73 to 722a65d Compare August 5, 2016 23:40
@riyazdf
Copy link
Contributor

riyazdf commented Aug 8, 2016

jenkins, ok to test.

keyID := decodedKey.ID()
if block.Headers["role"] == tufdata.CanonicalRootRole {
// this is a root key so import it to trustDir/root_keys/
delete(block.Headers, "gun")
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non-blocking: Should we move this logic out of the if block? E.g. after setting the path, we can delete the "gun" header if the role is root or a delegation? Since currently it's only deleted if the path is not specified.

require.Len(t, bFinal.Headers, 0) // path header is stripped during import
_, ok := bFinal.Headers["path"]
require.False(t, ok, "expected no path header, should have been removed at import")
require.Equal(t, notary.DefaultImportRole, bFinal.Headers["role"]) // if no role is specified we assume it is a delegation key
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Should we add an assertion that no gun is included in the header as well?

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added it, thanks 😄

from, _ := os.OpenFile("../fixtures/precedence.example.com.key", os.O_RDONLY, notary.PrivKeyPerms)
}

func TestBlockHeaderPrecedencePathGun(t *testing.T) {
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non-blocking nitpick: should this be "TestBlockHeaderPrecedencePathRole", since the header has both the path and the role, but not the gun?

@avaid96 avaid96 force-pushed the rolefl branch 2 times, most recently from 6dbafff to 130decd Compare August 9, 2016 23:37
err := ImportKeys(in, []Importer{s}, "", "", passphraseRetriever)
require.NoError(t, err)

bFinal, bRest := pem.Decode(s.data[filepath.Join(notary.NonRootKeysSubdir, "12ba0e0a8e05e177bc2c3489bdb6d28836879469f078e68a4812fc8a2d521497")])
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Non-blocking question, just because I don't know what we decided for this: it seems like we are ok with one of the base non-root roles not having a gun also (we don't delete it, but we don't error if we can't infer one) - we infer a path being just the non-root subdirectory + the key ID, as you've included in your test.

I'm ok with that, since the user messed this up, but this would mean that earlier versions of docker probably wouldn't be able to use this key? cc @riyazdf @endophage

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm okay with either method, but I would be tempted to lean towards not importing it since we don't import encrypted keys without a path etc (cases where the user messed up as well). Would make sense to have some consistency there. This would mean changing the code and this test etc since as @cyli mentioned correctly we now just import the key. Happy to do it once we decide @riyazdf @endophage

…e PEM data. need to write tests + address additional concerns

Signed-off-by: Avi Vaid <avaid1996@gmail.com>
… defaults etc, need to write tests for this new functionality

Signed-off-by: Avi Vaid <avaid1996@gmail.com>
…rors when we don't have enough info to import a key

Signed-off-by: Avi Vaid <avaid1996@gmail.com>
Signed-off-by: Avi Vaid <avaid1996@gmail.com>
Signed-off-by: Avi Vaid <avaid1996@gmail.com>
… of tests covering more cases, added a delegation add- import and publish flow test

Signed-off-by: Avi Vaid <avaid1996@gmail.com>
…being encryption tests and export import testflow test

Signed-off-by: Avi Vaid <avaid1996@gmail.com>
@avaid96 avaid96 force-pushed the rolefl branch 2 times, most recently from 15f51cc to ef393b6 Compare August 10, 2016 17:51
@endophage
Copy link
Contributor

LGTM when CI goes green!


nBytes, err = tempFile3.Write(pemBytes)
require.NoError(t, err)
tempFile2.Close()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nit: tempFile3.Close()

@@ -408,8 +415,8 @@ func (k *keyCommander) importKeys(cmd *cobra.Command, args []string) error {
for _, file := range args {
from, err := os.OpenFile(file, os.O_RDONLY, notary.PrivKeyPerms)
defer from.Close()

if err = utils.ImportKeys(from, importers); err != nil {
passRetriever := k.getRetriever()
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

super non-blocking nit: we can remove this line and just directly use k.getRetriever in the next line since we don't use the passRetriever variable elsewhere

…ithout a gun

Signed-off-by: Avi Vaid <avaid1996@gmail.com>
@riyazdf
Copy link
Contributor

riyazdf commented Aug 10, 2016

LGTM pending CI. Thank you for all of your hard work on this feature!

@avaid96
Copy link
Contributor Author

avaid96 commented Aug 10, 2016

Of course, thanks for the detailed review on this PR! 😄

@avaid96 avaid96 merged commit ba795f0 into notaryproject:master Aug 10, 2016
@cyli
Copy link
Contributor

cyli commented Aug 10, 2016

Thank you for all your work on this @avaid96! :D

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Add --role flag for key import
7 participants