Fix auth login error messages and messaging when witnessing a delegation with 0 valid keys #972
Conversation
cyli
force-pushed
the
fix-error-messages
branch
from
4265df6
to
272b194
Compare
|
Is there an easy way to get Godep to exclude the distribution |
|
I can manually remove them - Godep tried to include the vendor dir :| |
| switch { | ||
| case len(e.MissingKeyIDs) < e.NeededKeys: | ||
| return fmt.Sprintf( | ||
| "cannot sign because while %d signatures are needed, an insufficient number of valid signing keys have been specified", |
There was a problem hiding this comment.
This reads a little verbosely. Maybe something like: "insufficient signing keys available. %d signatures are required but only %d keys are available"
There was a problem hiding this comment.
Hmm... that implies that we are missing keys. We may not be missing any keys - it's just that the role doesn't specify enough keys for anyone to sign.
There was a problem hiding this comment.
Maybe I should just say that the role is broken?
There was a problem hiding this comment.
this case could be broken down further into len(e.MissingKeyIDS) + e.FoundKeys < e.NeededKeys and len(e.MissingKeyIDS) + e.FoundKeys >= e.NeededKeys right?
For len(e.MissingKeyIDS) + e.FoundKeys < e.NeededKeys: role is broken
For len(e.MissingKeyIDS) + e.FoundKeys >= e.NeededKeys: @endophage's suggestion of "insufficient signing keys available. %d signatures are required but only %d keys are available" This could be the base case in default
There was a problem hiding this comment.
As per discussion IRL, this is basically just a role validity check. The only way we can get to this weird invalid state is with Witness, so we should just move this check to that functionality.
cyli
force-pushed
the
fix-error-messages
branch
from
272b194
to
3352b85
Compare
Signed-off-by: Ying Li <ying.li@docker.com>
…h errors Signed-off-by: Ying Li <ying.li@docker.com>
… be less verbose Signed-off-by: Ying Li <ying.li@docker.com>
cyli
force-pushed
the
fix-error-messages
branch
from
3352b85
to
d94ba8d
Compare
…essed is invalid Signed-off-by: Ying Li <ying.li@docker.com>
cyli
force-pushed
the
fix-error-messages
branch
from
c270051
to
7772deb
Compare
|
@endophage @riyazdf sorry this took so long to update. Tried to fix some of the messaging around witnessing an invalid delegation role as suggested above. |
| require.NoError(t, err) | ||
| _, err = runCommand(t, tempDir, "-s", server.URL, "witness", "-p", "gun", delgName) | ||
| require.Error(t, err) | ||
| require.Contains(t, err.Error(), "role does not specify enough valid signing keys to meet its required threshold") |
There was a problem hiding this comment.
awesome, thanks for adding this test 👍
| @@ -755,7 +757,8 @@ type passwordStore struct { | |||
| } | |||
|
|
|||
| func (ps passwordStore) Basic(u *url.URL) (string, string) { | |||
| if ps.anonymous { | |||
| // if it's not a terminal, don't wait on input | |||
| if ps.anonymous || !terminal.IsTerminal(int(os.Stdin.Fd())) { | |||
There was a problem hiding this comment.
Shouldn't we be checking the input that was set on the command?
There was a problem hiding this comment.
IRL: leave as is for now as we use os.Stdin elsewhere too. Issue open already for looking into this.
Signed-off-by: Ying Li <ying.li@docker.com>
cyli
force-pushed
the
fix-error-messages
branch
from
f293fd7
to
220cfb5
Compare
When I remove a key from a delegation that has a single key, then I try to witness that delegation, signing fails because there are no valid keys for that delegation. The error message was:
* fatal: signing keys not available, need 1 keys out of:- I've fixed the error message to say there are an insufficient number of valid signing keys for the threshold required, basically. We might want to move this error check up further to when we apply a witness change, since I think that might be the only time when we might have an invalid role.Fixes #969 - that format string was in distribution, so I re-vendored. I also added logic to check if the login username/password is a terminal, otherwise fail.
Note: possibly we want to rebase this to 0.4.0 so that it can be added to 0.4.1