Only use delegation passphrase env var for non-base roles #822
Conversation
| @@ -234,7 +235,8 @@ func getPassphraseRetriever() notary.PassRetriever { | |||
| // For delegation roles, we can also try the "delegation" alias if it is specified | |||
| // Note that we don't check if the role name is for a delegation to allow for names like "user" | |||
| // since delegation keys can be shared across repositories | |||
| if v := env["delegation"]; v != "" { | |||
| // This cannot be a base role or imported key, though. | |||
| if v := env["delegation"]; !data.IsBaseRole(alias) && !strings.Contains(alias, "imported ") && v != "" { | |||
There was a problem hiding this comment.
👍 Nice catch for if the base roles aren't provided but delegation roles are!
There was a problem hiding this comment.
I'm wondering if we should should specify a constant or otherwise provide some kind of utility function for this, so we ensure that all imported keys have a similarly-formatted alias?
Edit: "this" = the word "imported"
There was a problem hiding this comment.
totally agree, I've refactored "imported " into a constant 👍
|
Thanks for fixing this bug! I have one caveat about the word "imported" being special, but this LGTM other than that! |
|
Want to circle back on this once the import refactor is merged |
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
riyazdf
force-pushed
the
passphrase-delegation-alias
branch
from
3373c40
to
06a12a8
Compare
|
@endophage: rebased, doesn't handle the |
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
riyazdf
force-pushed
the
passphrase-delegation-alias
branch
from
06a12a8
to
7a98a07
Compare
|
LGTM pending CI |
Part of the issue noted in #820
Signed-off-by: Riyaz Faizullabhoy riyaz.faizullabhoy@docker.com