Change the CLI to be able to rotate server managed keys #571
Conversation
| } | ||
|
|
||
| // ErrInvalidLocalRole is returned when the client wants to manage | ||
| // an unsupported key type |
There was a problem hiding this comment.
super nit: I'd change an unsupported key type to a key type that is not permitted so that it's consistent with the err message
|
LGTM after comments! |
cyli
force-pushed
the
cli-server-rotate
branch
from
544c61e to
e61fc7f
Compare
| @@ -2392,16 +2392,24 @@ func TestRotateKeyInvalidRole(t *testing.T) { | |||
| repo, _ := initializeRepo(t, data.ECDSAKey, "docker.com/notary", ts.URL, false) | |||
| defer os.RemoveAll(repo.baseDir) | |||
|
|
|||
| // the equivalent of: (root, true), (root, false), (timestamp, true), | |||
| // (timestamp, false), (targets, true) | |||
| // the equivalent of: remotely remotely rotating the root key | |||
cyli
force-pushed
the
cli-server-rotate
branch
from
90db14e to
815981f
Compare
| } | ||
| err = nRepo.RotateKey(rotateKeyRole, k.rotateKeyServerManaged) | ||
| if err == nil && k.rotateKeyServerManaged { | ||
| err = nRepo.Publish() |
There was a problem hiding this comment.
One thought that we were discussing: is it possible for publish only the key rotation change, instead of all staged changes? I'm not sure of the best way to go about doing this without making users published all staged changes prior to this one?
There was a problem hiding this comment.
We'd need to break up Publish into a few component steps but that wouldn't be a bad thing.
There was a problem hiding this comment.
I can move the call to publish to nRepo.RotateKey - I was thinking about adding a private publish(changelist) command. RotateKey can generate an in-memory change file that gets published using that private method.
There was a problem hiding this comment.
Unless we were thinking about breaking Publish up into several publicly exposed component functions such as (for example) LoadOrUpdate, ApplyChanges, and UploadChanges or something. Then have the CLI call all those in sequence.
It might make more sense to have the CLI publish rather than have RotateKey do it. This would be a much bigger change than the private publish function described in the previous comment, though.
There was a problem hiding this comment.
Slack discussion: publish(changelist) seems like the way to go
cyli
force-pushed
the
cli-server-rotate
branch
5 times, most recently
from
684af0b to
da68512
Compare
| return ErrInvalidRemoteRole{Role: data.CanonicalTargetsRole} | ||
| switch { | ||
| // We currently support locally or remotely managing snapshot keys... | ||
| case role == data.CanonicalSnapshotRole: |
There was a problem hiding this comment.
Can we add an explicit break just to be clear that this case is intentionally empty.
|
I don't have a strong opinion on collapsing the case/if statements. LGTM |
cyli
force-pushed
the
cli-server-rotate
branch
2 times, most recently
from
0564e5e to
3c1fca2
Compare
|
Rebase and we can merge this :-) |
| @@ -90,11 +90,13 @@ subsection. | |||
| In case of potential compromise, notary provides a CLI command for rotating keys. Currently, you can use the `notary key rotate` command to rotate the targets or snapshot keys. | |||
|
|
|||
| While the snapshot key is managed by the notary client by default, use the `notary key | |||
There was a problem hiding this comment.
nit: It seems like I missed this documentation piece -- it might be nice to also mention the Docker 1.11 default behavior for managing snapshot keys on the server here.
There was a problem hiding this comment.
It looks like your documentation appears in the next paragraph. :) This just needed a rebase.
…ons. Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com>
Signed-off-by: Ying Li <ying.li@docker.com>
…ions Signed-off-by: Ying Li <ying.li@docker.com>
Change the CLI to be able to rotate server managed keys
This includes some minor changes from #553.
Fixes #554