From c6b5876cc965410d5fbaf9badbb0281d8599e3c3 Mon Sep 17 00:00:00 2001
From: Riyaz Faizullabhoy
Date: Fri, 8 Jul 2016 14:35:28 -0700
Subject: [PATCH] Also do not include imported roles
Signed-off-by: Riyaz Faizullabhoy
---
 cmd/notary/main.go | 3 ++-
 cmd/notary/main_test.go | 40 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 42 insertions(+), 1 deletion(-)
diff --git a/cmd/notary/main.go b/cmd/notary/main.go
index 252dd7bd1..85eeb781c 100644
--- a/cmd/notary/main.go
+++ b/cmd/notary/main.go
@@ -235,7 +235,8 @@ func getPassphraseRetriever() notary.PassRetriever {
 // For delegation roles, we can also try the "delegation" alias if it is specified
 // Note that we don't check if the role name is for a delegation to allow for names like "user"
 // since delegation keys can be shared across repositories
- if v := env["delegation"]; !data.IsBaseRole(alias) && v != "" {
+ // This cannot be a base role or imported key, though.
+ if v := env["delegation"]; !data.IsBaseRole(alias) && !strings.Contains(alias, "imported ") && v != "" {
 return v, numAttempts > 1, nil
 }
 return baseRetriever(keyName, alias, createNew, numAttempts)
diff --git a/cmd/notary/main_test.go b/cmd/notary/main_test.go
index ddf743e64..436d68657 100644
--- a/cmd/notary/main_test.go
+++ b/cmd/notary/main_test.go
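Review bot: The added guard uses `strings.Contains(alias, "imported ")`, which matches the label anywhere in the alias, while the test in this commit builds it only as a prefix (`"imported "+data.CanonicalRootRole`); `strings.HasPrefix(alias, "imported ")` would say exactly what is meant and would not exclude an unrelated alias that merely contains that text. Because this condition decides whether the passphrase taken from the environment is handed to a key, the bare literal is worth replacing with a constant shared with the code that builds the imported alias (not visible here), so the two cannot drift apart. The enclosing closure in getPassphraseRetriever starts and ends outside the hunk.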
@@ -576,3 +576,43 @@ func TestPassphraseRetrieverCaching(t *testing.T) {
 require.False(t, giveup)
 require.Equal(t, passphrase, "delegation_passphrase")
 }
+
+func TestPassphraseRetrieverDelegationRoleCaching(t *testing.T) {
+ // Only set up one passphrase environment var first for delegations
+ require.NoError(t, os.Setenv("NOTARY_DELEGATION_PASSPHRASE", "delegation_passphrase"))
+ defer os.Clearenv()
+
+ // Check that any delegation role is cached
+ retriever := getPassphraseRetriever()
+
+ passphrase, giveup, err := retriever("key", "targets/releases", false, 0)
+ require.NoError(t, err)
+ require.False(t, giveup)
+ require.Equal(t, passphrase, "delegation_passphrase")
+ passphrase, giveup, err = retriever("key", "targets/delegation", false, 0)
+ require.NoError(t, err)
+ require.False(t, giveup)
+ require.Equal(t, passphrase, "delegation_passphrase")
+ passphrase, giveup, err = retriever("key", "targets/a/b/c/d", false, 0)
+ require.NoError(t, err)
+ require.False(t, giveup)
+ require.Equal(t, passphrase, "delegation_passphrase")
+
+ // Also check arbitrary usernames that are non-BaseRoles or imported so that this can be shared across keys
+ passphrase, giveup, err = retriever("key", "user", false, 0)
+ require.NoError(t, err)
+ require.False(t, giveup)
+ require.Equal(t, passphrase, "delegation_passphrase")
+
+ // Make sure base roles fail
+ passphrase, giveup, err = retriever("key", data.CanonicalRootRole, false, 0)
+ require.Error(t, err)
+ passphrase, giveup, err = retriever("key", data.CanonicalTargetsRole, false, 0)
+ require.Error(t, err)
+ passphrase, giveup, err = retriever("key", data.CanonicalSnapshotRole, false, 0)
+ require.Error(t, err)
+
+ // make sure "imported" role fails
+ passphrase, giveup, err = retriever("key", "imported "+data.CanonicalRootRole, false, 0)
+ require.Error(t, err)
+}
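Review bot: The negative cases at the end of TestPassphraseRetrieverDelegationRoleCaching assert only `require.Error(t, err)`, so they pass for any failure of the fallback retriever and never check the property the fix is about. Adding `require.NotEqual(t, "delegation_passphrase", passphrase)` after each of those calls would pin that the delegation passphrase is not returned for base or imported roles. The imported case covers only `"imported "+data.CanonicalRootRole`; the same assertion for the targets and snapshot roles would complete it. Separately, `defer os.Clearenv()` clears every variable of the test process rather than the one set here; `defer os.Unsetenv("NOTARY_DELEGATION_PASSPHRASE")` would undo only what the test changed.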