centersl/docker-docs
1
0
Fork 0
mirror of https://github.com/docker/docs.git synced 2026-04-12 14:25:46 +07:00
Code Issues Packages Projects Releases Wiki Activity
1,265 Commits 57 Branches 28 Tags
560ffd04837a91c3fc5e2c06a66d02fbba85d081
Commit Graph

242 Commits

Author SHA1 Message Date
Ying Li
877d47bb5c Add tests to ensure you can just drop a key in tuf_key and use it for signing. 
This is important for user keys, which do not necessarily need to be under a GUN,
and may have a role other than one of the canonical roles (e.g. "user" role).

Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-15 18:54:41 -08:00
David Lawrence
c0fb05584e fixing incorrect comments 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-15 11:30:32 -08:00
David Lawrence
9e80ad8158 remove certs.NewManager function 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-15 11:30:32 -08:00
David Lawrence
a8b21cafe0 CertManager is completely removed 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-15 11:30:32 -08:00
Ying Li
d4820c5756 Translate ErrMetaNotFound when updating, so long as it's on root, to ErrRepositoryNotExist. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-14 15:27:11 -08:00
Ying Li
c65fc03ef9 Update test to make x509 keys start a day in the past. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-14 14:15:38 -08:00
Ying Li
f57f2beb08 Factor marshalling a SignedRoot into JSON into TUF/data/root.go, and 
add an injectable serializer (so we can test JSON marshalling/unmarshalling
error propagation).

Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-14 10:51:24 -08:00
Ying Li
b74f1835b7 Ensure that we do not unnecessarily re-sign/serialize a root.json file on publish 
Adds additional tests to ensure that keys aren't unnecessarily created on error,
and that only the required keys to sign are used.

Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-14 10:51:24 -08:00
Ying Li
4dc8299de5 Fix bug where the yubikey store was not prioritized over the filestore 
in a client repo.

Also, fix a test with exporting/importing all keys - because a key
that is imported into the yubikey is also backed up on disk, when exporting
all keys, it also gets exported.

Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-13 18:19:48 -08:00
David Lawrence
a60f228189 fixing use of require vs assert 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-13 15:59:33 -08:00
Diogo Mónica
26d3f3f92b Merge pull request #413 from endophage/fix_root_download 
fixing bootstrapClient to prefer cached root
 2016-01-13 15:48:39 -08:00
David Lawrence
06d23e14c9 add test for invalid remote URL 
add offline store for use when we can't initialize a remote store
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-13 15:26:57 -08:00
Ying Li
cf4b77b760 Revert "switching out to consistently use canonical json for all marshalling of TUF data" 
This reverts commit f417c834c4.

Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-08 14:53:09 -08:00
David Lawrence
5ced01a262 add test to confirm bootstrapClient with a bad URL errors 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-08 09:03:27 -08:00
David Lawrence
6d72fe7fd1 adding comment to bootstrapClient 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-08 09:03:27 -08:00
David Lawrence
d11f11748c when we download during bootstrapClient we should save the root to cache 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-08 09:03:03 -08:00
David Lawrence
762c997104 fixing bootstrapClient to prefer cached root 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-08 09:03:03 -08:00
David Lawrence
11795a4573 rename data.ValidRoles to data.BaseRoles 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-07 17:38:52 -08:00
David Lawrence
d52dbde683 removing the ability to configure role names. It adds a lot of complexity without adding much value. If somebody wants custom role names they can implement it at the display level 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-07 17:38:05 -08:00
Ying Li
c1c0ccf4be Combine bootstrapClient and tuf/client's Client.Update into NotaryRepository.Update. 
- it is easier to understand what's going on in the online functions of NotaryRepository
- we can test NotaryRepository.Update independently (although it'd be nice to have some way
  of ensuring that the actual public functions of NotaryRepository like ListTargets,
  GetTargetByName, and Publish actually calls Update.
- distinct error if the remote repo doesn't exist.

This also stops wrapping signed.ErrExpired in client.ErrExpired, and just passes
signed.ErrExpired on directly.

Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-07 16:58:46 -08:00
David Lawrence
f417c834c4 switching out to consistently use canonical json for all marshalling of TUF data 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2016-01-06 11:15:27 -08:00
Diogo Mónica
30c488b3b4 Merge pull request #393 from docker/path-fix 
use path instead of filepath to express TUF roles
 2016-01-04 19:26:13 -08:00
Ying Li
61bbf7be49 Change ListTargetes and GetTargetsByName to return TargetWithRole. 
This object has both the target and the role in which the target was found.

Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-04 17:15:44 -08:00
Riyaz Faizullabhoy
dbb8c1065f use path instead of filepath to express TUF roles 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 2016-01-04 16:23:02 -08:00
Ying Li
2f2a0b9c9f Display the role when listing targets using the Notary CLI. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-04 15:20:06 -08:00
Ying Li
ecd96c8218 Fix potential infinite loop in tuf/Client.TargetMeta 
Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-04 10:50:35 -08:00
Ying Li
9252d9d892 Update client.Target to include a RoleName, so we know where the target is when listed. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2016-01-04 10:49:54 -08:00
Ying Li
6028de0dd1 Merge pull request #387 from docker/backwards-compatibility 
Tests for backwards-compatibility reading/writing/exporting/importing old repo format
 2015-12-23 12:15:03 -08:00
Ying Li
785b2527b1 Test import/export of old repo format. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-23 11:47:37 -08:00
Diogo Mónica
ffca6fb522 Merge pull request #388 from docker/cleanup 
Rebased cleanup/remove PEM headers
 2015-12-23 11:36:25 -08:00
Ying Li
0465365fb6 Return an error if unable to encrypt a key as a valid PEM file 
Also address review comments and fix semantic conflict after rebase.

Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-23 09:44:51 -08:00
David Lawrence
fa788cb2a9 make x509 certs viable as delegated public key object 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
David Lawrence
e516dd88f2 cleaning up tests by converting t.Fatal to assert.___ 
Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)
 2015-12-23 09:41:03 -08:00
Ying Li
9573252ace Add backwards-compatbility test for client reading-writing 0.1-style repos. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-22 18:01:36 -08:00
Riyaz Faizullabhoy
9b0ae29427 ErrRepoNotInitialized test 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 2015-12-22 16:53:31 -08:00
Riyaz Faizullabhoy
98b7dd7daf fixes to notary for docker integration 
Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
 2015-12-22 16:53:31 -08:00
Ying Li
332621607e Add more comments and assertions as per review. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-22 16:29:28 -08:00
Ying Li
6423c16233 Test pushing an uninitialized repo as well. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-22 16:29:28 -08:00
Ying Li
ebac6b158a Refactor tests to cover corrupt root/targets/delegations. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-22 16:29:28 -08:00
Ying Li
ab97f9e12e Refactor some of the code to reduce creating temp notary repo directory boilerplate. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-22 16:23:19 -08:00
Ying Li
d6234e5ef0 Add some simple failure cases where data is corrupt or we can't get server keys. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-22 16:23:19 -08:00
Ying Li
c1eb344b89 Rotation tests now test reading from other (non-publishing) clients. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-22 16:23:19 -08:00
Ying Li
f794193382 Address review comments (renaming, extra code left in, etc.) 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-22 15:32:05 -08:00
Ying Li
66384edfc3 Add some more publishing tests. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-22 00:44:50 -08:00
Ying Li
dcef24996e Add more delegation writing/publishing tests. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-22 00:23:32 -08:00
Ying Li
34055f8cf7 Code cleanups as per review, and after rebasing. 
Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-18 16:51:48 -08:00
Ying Li
0892ebb13f Add checks to TUFRepo to fail on updating a target if there are no signing keys. 
So UpdateDelegation, DeleteDelegation, AddTargets, RemoveTargets now
all check for the role existence, not metadata existence.  And they
also check the role's signing keys - there's no point in adding if
we can't sign.

Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-18 16:37:24 -08:00
Ying Li
a1cbe5d43c Add test for, and fix bug with, publishing a bare repo not sending the targets file. 
It should always be published the first time, like the root.json.

Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-18 16:37:24 -08:00
Ying Li
c12958af36 Do not sign the actual targets metadata unless it's dirty. 
Previously we were always signing it, but we can't do that anymore
because then delegated users won't be able to publish ever (they
probably don't have the target key).

Some other related changes: when role keys are rotated, that role
needs to be marked as dirty now in order to be re-signed and
published.

Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-18 16:37:24 -08:00
Ying Li
7592a029ef Do not create the delegation metadata when the delegation is created. 
Only create it when a target is added to it, or other delegations
are added to it, or when getting a child delegation.

Signed-off-by: Ying Li <ying.li@docker.com>
 2015-12-18 16:37:24 -08:00