wildcarded trustpinning for cert ids

[endophage]

Closes #1123

Signed-off-by: David Lawrence david.lawrence@docker.com (github: endophage)

[endophage]

@ecordell figure you'll be interested in this. It basically makes individual key pinning useful in light of your wildcarded root cert CNs PR we merged. It'll also be useful when we roll back the requirement for root keys to be certs in the first place.

[endophage]

@riyazdf you did trustpinning originally so would like your review too.

[riyazdf]

code generally LGTM but have a test case and a couple of nits before the final green light 👍

[riyazdf]

super nit: s/is/it/

[riyazdf]

nit: I think you can get away with := here and avoiding the extra var, but only because this is the last use of t.pinnedCertIDs. I'm generally of the opinion of the way you wrote this is more defensive though, so 👍

[endophage]

Will double check but I think one of the go tools was shouting at me when I originally had :=

[endophage]

Yeah, it complains about non-name t.pinnedCertIDs on left side of :=

[riyazdf]

can we rename k and v to something more descriptive like gunPrefix and keyIDs?

[riyazdf]

can we add another test case or two for the precedence between globbed and non-globbed matches?

Ex:
this fails

Certs: map[string][]string{
    "docker.io/notary": {"badID"},
    "docker.io/notar*": {ecdsax509Key.ID()},
 },

this succeeds

Certs: map[string][]string{
    "docker.io/notary": {ecdsax509Key.ID()},
    "docker.io/notar*": {"badID"},
 },

[endophage]

Those are the other way around right? The first should succeed and the second should fail?

[riyazdf]

I thought that exact matches had precedence over wildcards?

[endophage]

nevermind, misunderstood because the docker.io/notary was short, you meant it to be docker.io/notary/test right? (i.e. the gun in use in the test)

[riyazdf]

sorry, yes that's what I meant!

[cyli]

Similar to this, can we also add a test that the more specific glob takes precedence over the less specific glob?
e.g.

			Certs: map[string][]string{
 				"docker.io/notary/te*": {"badID"},
 				"docker.io/notar*":      {ecdsax509Key.ID()},
 			},

fails while

			Certs: map[string][]string{
 				"docker.io/notary/te*": {ecdsax509Key.ID()},
 				"docker.io/notar*":      {"badID"},
 			},

succeeds?

[cyli]

Oh hm, nm - looks like https://github.com/docker/notary/pull/1126/files#diff-46adf7b1ba08ec329d671042ce0c84efR29 provides the test for the longest.

[endophage]

@riyazdf I think I addressed all your comments.

[riyazdf]

LGTM on green - I wasn't able to view the logs for the circleci failure but seemed like it was just on one container (the one with linting and postgres)

[endophage]

@riyazdf /go/src/github.com/docker/notary/trustpinning/certs_test.go:388:2: ineffectual assignment to validatedRoot fixing it now :-P

[cyli]

Is docker.io/endophage/b* actually the first match it finds? Since we can't depend on map order, couldn't the keys have come in any order? It chooses the longest matching one, right?

[endophage]

ah sorry, I need to update the comment. I originally did first and was just going to have the user prioritize in their config file however they want, but that was before I remembered the random map ordering. Will update the comment.

[cyli]

Minor nitpick on a comment, but other than that LGTM!

[GordonTheTurtle]

Please sign your commits following these rules:
https://github.com/docker/docker/blob/master/CONTRIBUTING.md#sign-your-work
The easiest way to do this is to amend the last commit:

$ git clone -b "wildcard_trustpin_key" git@github.com:endophage/notary.git somewhere
$ cd somewhere
$ git rebase -i HEAD~842354364088
editor opens
change each 'pick' to 'edit'
save the file and quit
$ git commit --amend -s --no-edit
$ git rebase --continue # and repeat the amend for each commit
$ git push -f

Amending updates the existing PR. You DO NOT need to open a new one.