Skip to content

Commit

Permalink
Also do not include imported roles
Browse files Browse the repository at this point in the history 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
  • Loading branch information
@riyazdf
riyazdf committed Jul 19, 2016
1 parent 6bdc900 commit c6b5876
Show file tree
Hide file tree
Showing 2 changed files with 42 additions and 1 deletion.
3 changes: 2 additions & 1 deletion cmd/notary/main.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -235,7 +235,8 @@ func getPassphraseRetriever() notary.PassRetriever {
// For delegation roles, we can also try the "delegation" alias if it is specified
// Note that we don't check if the role name is for a delegation to allow for names like "user"
// since delegation keys can be shared across repositories
if v := env["delegation"]; !data.IsBaseRole(alias) && v != "" {
// This cannot be a base role or imported key, though.
if v := env["delegation"]; !data.IsBaseRole(alias) && !strings.Contains(alias, "imported ") && v != "" {
return v, numAttempts > 1, nil
}
return baseRetriever(keyName, alias, createNew, numAttempts)
Expand Down
40 changes: 40 additions & 0 deletions cmd/notary/main_test.go
View file
Original file line number Diff line number Diff line change
Expand Up @@ -576,3 +576,43 @@ func TestPassphraseRetrieverCaching(t *testing.T) {
require.False(t, giveup)
require.Equal(t, passphrase, "delegation_passphrase")
}

func TestPassphraseRetrieverDelegationRoleCaching(t *testing.T) {
// Only set up one passphrase environment var first for delegations
require.NoError(t, os.Setenv("NOTARY_DELEGATION_PASSPHRASE", "delegation_passphrase"))
defer os.Clearenv()

// Check that any delegation role is cached
retriever := getPassphraseRetriever()

passphrase, giveup, err := retriever("key", "targets/releases", false, 0)
require.NoError(t, err)
require.False(t, giveup)
require.Equal(t, passphrase, "delegation_passphrase")
passphrase, giveup, err = retriever("key", "targets/delegation", false, 0)
require.NoError(t, err)
require.False(t, giveup)
require.Equal(t, passphrase, "delegation_passphrase")
passphrase, giveup, err = retriever("key", "targets/a/b/c/d", false, 0)
require.NoError(t, err)
require.False(t, giveup)
require.Equal(t, passphrase, "delegation_passphrase")

// Also check arbitrary usernames that are non-BaseRoles or imported so that this can be shared across keys
passphrase, giveup, err = retriever("key", "user", false, 0)
require.NoError(t, err)
require.False(t, giveup)
require.Equal(t, passphrase, "delegation_passphrase")

// Make sure base roles fail
passphrase, giveup, err = retriever("key", data.CanonicalRootRole, false, 0)
require.Error(t, err)
passphrase, giveup, err = retriever("key", data.CanonicalTargetsRole, false, 0)
require.Error(t, err)
passphrase, giveup, err = retriever("key", data.CanonicalSnapshotRole, false, 0)
require.Error(t, err)

// make sure "imported" role fails
passphrase, giveup, err = retriever("key", "imported "+data.CanonicalRootRole, false, 0)
require.Error(t, err)
}

0 comments on commit c6b5876

Please sign in to comment.