Only use delegation passphrase env var for non-base roles

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>

cmd/notary/main.go

@@ -10,6 +10,7 @@ import (
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/notary"
 	"github.com/docker/notary/passphrase"
+	"github.com/docker/notary/tuf/data"
 	"github.com/docker/notary/version"
 	homedir "github.com/mitchellh/go-homedir"
 	"github.com/spf13/cobra"
@@ -234,7 +235,7 @@ func getPassphraseRetriever() notary.PassRetriever {
 		// For delegation roles, we can also try the "delegation" alias if it is specified
 		// Note that we don't check if the role name is for a delegation to allow for names like "user"
 		// since delegation keys can be shared across repositories
-		if v := env["delegation"]; v != "" {
+		if v := env["delegation"]; !data.IsBaseRole(alias) && v != "" {
 			return v, numAttempts > 1, nil
 		}
 		return baseRetriever(keyName, alias, createNew, numAttempts)

cmd/notary/main_test.go

@@ -523,16 +523,34 @@ func TestConfigFileTrustPinning(t *testing.T) {
 }
 
 func TestPassphraseRetrieverCaching(t *testing.T) {
-	// Set up passphrase environment vars
+	// Only set up one passphrase environment var first for root
 	require.NoError(t, os.Setenv("NOTARY_ROOT_PASSPHRASE", "root_passphrase"))
+	defer os.Clearenv()
+
+	// Check that root is cached
+	retriever := getPassphraseRetriever()
+	passphrase, giveup, err := retriever("key", data.CanonicalRootRole, false, 0)
+	require.NoError(t, err)
+	require.False(t, giveup)
+	require.Equal(t, passphrase, "root_passphrase")
+
+	passphrase, giveup, err = retriever("key", "user", false, 0)
+	require.Error(t, err)
+	passphrase, giveup, err = retriever("key", data.CanonicalTargetsRole, false, 0)
+	require.Error(t, err)
+	passphrase, giveup, err = retriever("key", data.CanonicalSnapshotRole, false, 0)
+	require.Error(t, err)
+	passphrase, giveup, err = retriever("key", "targets/delegation", false, 0)
+	require.Error(t, err)
+
+	// Set up the rest of them
 	require.NoError(t, os.Setenv("NOTARY_TARGETS_PASSPHRASE", "targets_passphrase"))
 	require.NoError(t, os.Setenv("NOTARY_SNAPSHOT_PASSPHRASE", "snapshot_passphrase"))
 	require.NoError(t, os.Setenv("NOTARY_DELEGATION_PASSPHRASE", "delegation_passphrase"))
 
-	defer os.Clearenv()
-	// Check the caching
-	retriever := getPassphraseRetriever()
-	passphrase, giveup, err := retriever("key", data.CanonicalRootRole, false, 0)
+	// Get a new retriever and check the caching
+	retriever = getPassphraseRetriever()
+	passphrase, giveup, err = retriever("key", data.CanonicalRootRole, false, 0)
 	require.NoError(t, err)
 	require.False(t, giveup)
 	require.Equal(t, passphrase, "root_passphrase")

tuf/data/roles.go

@@ -86,6 +86,16 @@ func IsDelegation(role string) bool {
 		isClean
 }
 
+// IsBaseRole checks if the role is a base role
+func IsBaseRole(role string) bool {
+	for _, baseRole := range BaseRoles {
+		if role == baseRole {
+			return true
+		}
+	}
+	return false
+}
+
 // BaseRole is an internal representation of a root/targets/snapshot/timestamp role, with its public keys included
 type BaseRole struct {
 	Keys      map[string]PublicKey

tuf/data/roles_test.go

@@ -165,6 +165,17 @@ func TestValidRoleFunction(t *testing.T) {
 	require.False(t, ValidRole(path.Join("role")))
 }
 
+func TestIsBaseRole(t *testing.T) {
+	for _, role := range BaseRoles {
+		require.True(t, IsBaseRole(role))
+	}
+	require.False(t, IsBaseRole("user"))
+	require.False(t, IsBaseRole(
+		path.Join(CanonicalTargetsRole, "level1", "level2", "level3")))
+	require.False(t, IsBaseRole(path.Join(CanonicalTargetsRole, "level1")))
+	require.False(t, IsBaseRole(""))
+}
+
 func TestBaseRoleEquals(t *testing.T) {
 	fakeKeyHello := NewRSAPublicKey([]byte("hello"))
 	fakeKeyThere := NewRSAPublicKey([]byte("there"))