diff options
author | OpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com> | 2019-02-08 20:12:38 +0100 |
---|---|---|
committer | GitHub <noreply@github.com> | 2019-02-08 20:12:38 +0100 |
commit | afd4d5f4a4b05f421e6f336b4d74a0d808be57ed (patch) | |
tree | 2ccb4a0bd9bda70c1c258dcb1b8aca8961d9ad30 /cmd/podman/trust.go | |
parent | 962850c6e0dfcee926af31fc0ad24f1f6c26f8ac (diff) | |
parent | 25a3923b61a5ca014318e6d957f68abd03947297 (diff) | |
download | podman-afd4d5f4a4b05f421e6f336b4d74a0d808be57ed.tar.gz podman-afd4d5f4a4b05f421e6f336b4d74a0d808be57ed.tar.bz2 podman-afd4d5f4a4b05f421e6f336b4d74a0d808be57ed.zip |
Merge pull request #2274 from baude/cobraprep
Migrate to cobra CLI
Diffstat (limited to 'cmd/podman/trust.go')
-rw-r--r-- | cmd/podman/trust.go | 368 |
1 files changed, 10 insertions, 358 deletions
diff --git a/cmd/podman/trust.go b/cmd/podman/trust.go index a99be6ba2..6304586c3 100644 --- a/cmd/podman/trust.go +++ b/cmd/podman/trust.go @@ -1,369 +1,21 @@ package main import ( - "encoding/json" - "fmt" - "io/ioutil" - "os" - "sort" - "strings" - - "github.com/containers/image/types" - "github.com/containers/libpod/cmd/podman/formats" - "github.com/containers/libpod/cmd/podman/libpodruntime" - "github.com/containers/libpod/libpod/image" - "github.com/containers/libpod/pkg/trust" - "github.com/pkg/errors" - "github.com/sirupsen/logrus" - "github.com/urfave/cli" + "github.com/containers/libpod/cmd/podman/cliconfig" + "github.com/spf13/cobra" ) var ( - setTrustFlags = []cli.Flag{ - cli.StringFlag{ - Name: "type, t", - Usage: "Trust type, accept values: signedBy(default), accept, reject.", - Value: "signedBy", - }, - cli.StringSliceFlag{ - Name: "pubkeysfile, f", - Usage: `Path of installed public key(s) to trust for TARGET. - Absolute path to keys is added to policy.json. May - used multiple times to define multiple public keys. - File(s) must exist before using this command.`, - }, - cli.StringFlag{ - Name: "policypath", - Hidden: true, - }, - } - showTrustFlags = []cli.Flag{ - cli.BoolFlag{ - Name: "raw", - Usage: "Output raw policy file", + trustCommand = cliconfig.PodmanCommand{ + Command: &cobra.Command{ + Use: "trust", + Short: "Manage container image trust policy", + Long: "podman image trust command", }, - cli.BoolFlag{ - Name: "json, j", - Usage: "Output as json", - }, - cli.StringFlag{ - Name: "policypath", - Hidden: true, - }, - cli.StringFlag{ - Name: "registrypath", - Hidden: true, - }, - } - - setTrustDescription = "Set default trust policy or add a new trust policy for a registry" - setTrustCommand = cli.Command{ - Name: "set", - Usage: "Set default trust policy or a new trust policy for a registry", - Description: setTrustDescription, - Flags: sortFlags(setTrustFlags), - ArgsUsage: "default | REGISTRY[/REPOSITORY]", - Action: setTrustCmd, - OnUsageError: usageErrorHandler, - } - - showTrustDescription = "Display trust policy for the system" - showTrustCommand = cli.Command{ - Name: "show", - Usage: "Display trust policy for the system", - Description: showTrustDescription, - Flags: sortFlags(showTrustFlags), - Action: showTrustCmd, - ArgsUsage: "", - UseShortOptionHandling: true, - OnUsageError: usageErrorHandler, - } - - trustSubCommands = []cli.Command{ - setTrustCommand, - showTrustCommand, - } - - trustDescription = fmt.Sprintf(`Manages the trust policy of the host system. (%s) - Trust policy describes a registry scope that must be signed by public keys.`, getDefaultPolicyPath()) - trustCommand = cli.Command{ - Name: "trust", - Usage: "Manage container image trust policy", - Description: trustDescription, - ArgsUsage: "{set,show} ...", - Subcommands: trustSubCommands, - OnUsageError: usageErrorHandler, } ) -func showTrustCmd(c *cli.Context) error { - runtime, err := libpodruntime.GetRuntime(c) - if err != nil { - return errors.Wrapf(err, "could not create runtime") - } - - var ( - policyPath string - systemRegistriesDirPath string - outjson interface{} - ) - if c.IsSet("policypath") { - policyPath = c.String("policypath") - } else { - policyPath = trust.DefaultPolicyPath(runtime.SystemContext()) - } - policyContent, err := ioutil.ReadFile(policyPath) - if err != nil { - return errors.Wrapf(err, "unable to read %s", policyPath) - } - if c.IsSet("registrypath") { - systemRegistriesDirPath = c.String("registrypath") - } else { - systemRegistriesDirPath = trust.RegistriesDirPath(runtime.SystemContext()) - } - - if c.Bool("raw") { - _, err := os.Stdout.Write(policyContent) - if err != nil { - return errors.Wrap(err, "could not read trust policies") - } - return nil - } - - policyContentStruct, err := trust.GetPolicy(policyPath) - if err != nil { - return errors.Wrapf(err, "could not read trust policies") - } - - if c.Bool("json") { - policyJSON, err := getPolicyJSON(policyContentStruct, systemRegistriesDirPath) - if err != nil { - return errors.Wrapf(err, "could not show trust policies in JSON format") - } - outjson = policyJSON - out := formats.JSONStruct{Output: outjson} - return formats.Writer(out).Out() - } - - showOutputMap, err := getPolicyShowOutput(policyContentStruct, systemRegistriesDirPath) - if err != nil { - return errors.Wrapf(err, "could not show trust policies") - } - out := formats.StdoutTemplateArray{Output: showOutputMap, Template: "{{.Repo}}\t{{.Trusttype}}\t{{.GPGid}}\t{{.Sigstore}}"} - return formats.Writer(out).Out() -} - -func setTrustCmd(c *cli.Context) error { - runtime, err := libpodruntime.GetRuntime(c) - if err != nil { - return errors.Wrapf(err, "could not create runtime") - } - var ( - policyPath string - policyContentStruct trust.PolicyContent - newReposContent []trust.RepoContent - ) - args := c.Args() - if len(args) != 1 { - return errors.Errorf("default or a registry name must be specified") - } - valid, err := image.IsValidImageURI(args[0]) - if err != nil || !valid { - return errors.Wrapf(err, "invalid image uri %s", args[0]) - } - - trusttype := c.String("type") - if !isValidTrustType(trusttype) { - return errors.Errorf("invalid choice: %s (choose from 'accept', 'reject', 'signedBy')", trusttype) - } - if trusttype == "accept" { - trusttype = "insecureAcceptAnything" - } - - pubkeysfile := c.StringSlice("pubkeysfile") - if len(pubkeysfile) == 0 && trusttype == "signedBy" { - return errors.Errorf("At least one public key must be defined for type 'signedBy'") - } - - if c.IsSet("policypath") { - policyPath = c.String("policypath") - } else { - policyPath = trust.DefaultPolicyPath(runtime.SystemContext()) - } - _, err = os.Stat(policyPath) - if !os.IsNotExist(err) { - policyContent, err := ioutil.ReadFile(policyPath) - if err != nil { - return errors.Wrapf(err, "unable to read %s", policyPath) - } - if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil { - return errors.Errorf("could not read trust policies") - } - } - if len(pubkeysfile) != 0 { - for _, filepath := range pubkeysfile { - newReposContent = append(newReposContent, trust.RepoContent{Type: trusttype, KeyType: "GPGKeys", KeyPath: filepath}) - } - } else { - newReposContent = append(newReposContent, trust.RepoContent{Type: trusttype}) - } - if args[0] == "default" { - policyContentStruct.Default = newReposContent - } else { - if len(policyContentStruct.Default) == 0 { - return errors.Errorf("Default trust policy must be set.") - } - registryExists := false - for transport, transportval := range policyContentStruct.Transports { - _, registryExists = transportval[args[0]] - if registryExists { - policyContentStruct.Transports[transport][args[0]] = newReposContent - break - } - } - if !registryExists { - if policyContentStruct.Transports == nil { - policyContentStruct.Transports = make(map[string]trust.RepoMap) - } - if policyContentStruct.Transports["docker"] == nil { - policyContentStruct.Transports["docker"] = make(map[string][]trust.RepoContent) - } - policyContentStruct.Transports["docker"][args[0]] = append(policyContentStruct.Transports["docker"][args[0]], newReposContent...) - } - } - - data, err := json.MarshalIndent(policyContentStruct, "", " ") - if err != nil { - return errors.Wrapf(err, "error setting trust policy") - } - err = ioutil.WriteFile(policyPath, data, 0644) - if err != nil { - return errors.Wrapf(err, "error setting trust policy") - } - return nil -} - -func sortShowOutputMapKey(m map[string]trust.ShowOutput) []string { - keys := make([]string, len(m)) - i := 0 - for k := range m { - keys[i] = k - i++ - } - sort.Strings(keys) - return keys -} - -func isValidTrustType(t string) bool { - if t == "accept" || t == "insecureAcceptAnything" || t == "reject" || t == "signedBy" { - return true - } - return false -} - -func getDefaultPolicyPath() string { - return trust.DefaultPolicyPath(&types.SystemContext{}) -} - -func getPolicyJSON(policyContentStruct trust.PolicyContent, systemRegistriesDirPath string) (map[string]map[string]interface{}, error) { - registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath) - if err != nil { - return nil, err - } - - policyJSON := make(map[string]map[string]interface{}) - if len(policyContentStruct.Default) > 0 { - policyJSON["* (default)"] = make(map[string]interface{}) - policyJSON["* (default)"]["type"] = policyContentStruct.Default[0].Type - } - for transname, transval := range policyContentStruct.Transports { - for repo, repoval := range transval { - policyJSON[repo] = make(map[string]interface{}) - policyJSON[repo]["type"] = repoval[0].Type - policyJSON[repo]["transport"] = transname - keyarr := []string{} - uids := []string{} - for _, repoele := range repoval { - if len(repoele.KeyPath) > 0 { - keyarr = append(keyarr, repoele.KeyPath) - uids = append(uids, trust.GetGPGIdFromKeyPath(repoele.KeyPath)...) - } - if len(repoele.KeyData) > 0 { - keyarr = append(keyarr, string(repoele.KeyData)) - uids = append(uids, trust.GetGPGIdFromKeyData(string(repoele.KeyData))...) - } - } - policyJSON[repo]["keys"] = keyarr - policyJSON[repo]["sigstore"] = "" - registryNamespace := trust.HaveMatchRegistry(repo, registryConfigs) - if registryNamespace != nil { - policyJSON[repo]["sigstore"] = registryNamespace.SigStore - } - } - } - return policyJSON, nil -} - -var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"} - -func trustTypeDescription(trustType string) string { - trustDescription, exist := typeDescription[trustType] - if !exist { - logrus.Warnf("invalid trust type %s", trustType) - } - return trustDescription -} - -func getPolicyShowOutput(policyContentStruct trust.PolicyContent, systemRegistriesDirPath string) ([]interface{}, error) { - var output []interface{} - - registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath) - if err != nil { - return nil, err - } - - trustShowOutputMap := make(map[string]trust.ShowOutput) - if len(policyContentStruct.Default) > 0 { - defaultPolicyStruct := trust.ShowOutput{ - Repo: "default", - Trusttype: trustTypeDescription(policyContentStruct.Default[0].Type), - } - trustShowOutputMap["* (default)"] = defaultPolicyStruct - } - for _, transval := range policyContentStruct.Transports { - for repo, repoval := range transval { - tempTrustShowOutput := trust.ShowOutput{ - Repo: repo, - Trusttype: repoval[0].Type, - } - keyarr := []string{} - uids := []string{} - for _, repoele := range repoval { - if len(repoele.KeyPath) > 0 { - keyarr = append(keyarr, repoele.KeyPath) - uids = append(uids, trust.GetGPGIdFromKeyPath(repoele.KeyPath)...) - } - if len(repoele.KeyData) > 0 { - keyarr = append(keyarr, string(repoele.KeyData)) - uids = append(uids, trust.GetGPGIdFromKeyData(string(repoele.KeyData))...) - } - } - tempTrustShowOutput.GPGid = strings.Join(uids, ", ") - - registryNamespace := trust.HaveMatchRegistry(repo, registryConfigs) - if registryNamespace != nil { - tempTrustShowOutput.Sigstore = registryNamespace.SigStore - } - trustShowOutputMap[repo] = tempTrustShowOutput - } - } - - sortedRepos := sortShowOutputMapKey(trustShowOutputMap) - for _, reponame := range sortedRepos { - showOutput, exists := trustShowOutputMap[reponame] - if exists { - output = append(output, interface{}(showOutput)) - } - } - return output, nil +func init() { + trustCommand.AddCommand(getTrustSubCommands()...) + imageCommand.AddCommand(trustCommand.Command) } |