summaryrefslogtreecommitdiff
path: root/cmd/podman/trust.go
diff options
context:
space:
mode:
authorOpenShift Merge Robot <openshift-merge-robot@users.noreply.github.com>2019-02-08 20:12:38 +0100
committerGitHub <noreply@github.com>2019-02-08 20:12:38 +0100
commitafd4d5f4a4b05f421e6f336b4d74a0d808be57ed (patch)
tree2ccb4a0bd9bda70c1c258dcb1b8aca8961d9ad30 /cmd/podman/trust.go
parent962850c6e0dfcee926af31fc0ad24f1f6c26f8ac (diff)
parent25a3923b61a5ca014318e6d957f68abd03947297 (diff)
downloadpodman-afd4d5f4a4b05f421e6f336b4d74a0d808be57ed.tar.gz
podman-afd4d5f4a4b05f421e6f336b4d74a0d808be57ed.tar.bz2
podman-afd4d5f4a4b05f421e6f336b4d74a0d808be57ed.zip
Merge pull request #2274 from baude/cobraprep
Migrate to cobra CLI
Diffstat (limited to 'cmd/podman/trust.go')
-rw-r--r--cmd/podman/trust.go368
1 files changed, 10 insertions, 358 deletions
diff --git a/cmd/podman/trust.go b/cmd/podman/trust.go
index a99be6ba2..6304586c3 100644
--- a/cmd/podman/trust.go
+++ b/cmd/podman/trust.go
@@ -1,369 +1,21 @@
package main
import (
- "encoding/json"
- "fmt"
- "io/ioutil"
- "os"
- "sort"
- "strings"
-
- "github.com/containers/image/types"
- "github.com/containers/libpod/cmd/podman/formats"
- "github.com/containers/libpod/cmd/podman/libpodruntime"
- "github.com/containers/libpod/libpod/image"
- "github.com/containers/libpod/pkg/trust"
- "github.com/pkg/errors"
- "github.com/sirupsen/logrus"
- "github.com/urfave/cli"
+ "github.com/containers/libpod/cmd/podman/cliconfig"
+ "github.com/spf13/cobra"
)
var (
- setTrustFlags = []cli.Flag{
- cli.StringFlag{
- Name: "type, t",
- Usage: "Trust type, accept values: signedBy(default), accept, reject.",
- Value: "signedBy",
- },
- cli.StringSliceFlag{
- Name: "pubkeysfile, f",
- Usage: `Path of installed public key(s) to trust for TARGET.
- Absolute path to keys is added to policy.json. May
- used multiple times to define multiple public keys.
- File(s) must exist before using this command.`,
- },
- cli.StringFlag{
- Name: "policypath",
- Hidden: true,
- },
- }
- showTrustFlags = []cli.Flag{
- cli.BoolFlag{
- Name: "raw",
- Usage: "Output raw policy file",
+ trustCommand = cliconfig.PodmanCommand{
+ Command: &cobra.Command{
+ Use: "trust",
+ Short: "Manage container image trust policy",
+ Long: "podman image trust command",
},
- cli.BoolFlag{
- Name: "json, j",
- Usage: "Output as json",
- },
- cli.StringFlag{
- Name: "policypath",
- Hidden: true,
- },
- cli.StringFlag{
- Name: "registrypath",
- Hidden: true,
- },
- }
-
- setTrustDescription = "Set default trust policy or add a new trust policy for a registry"
- setTrustCommand = cli.Command{
- Name: "set",
- Usage: "Set default trust policy or a new trust policy for a registry",
- Description: setTrustDescription,
- Flags: sortFlags(setTrustFlags),
- ArgsUsage: "default | REGISTRY[/REPOSITORY]",
- Action: setTrustCmd,
- OnUsageError: usageErrorHandler,
- }
-
- showTrustDescription = "Display trust policy for the system"
- showTrustCommand = cli.Command{
- Name: "show",
- Usage: "Display trust policy for the system",
- Description: showTrustDescription,
- Flags: sortFlags(showTrustFlags),
- Action: showTrustCmd,
- ArgsUsage: "",
- UseShortOptionHandling: true,
- OnUsageError: usageErrorHandler,
- }
-
- trustSubCommands = []cli.Command{
- setTrustCommand,
- showTrustCommand,
- }
-
- trustDescription = fmt.Sprintf(`Manages the trust policy of the host system. (%s)
- Trust policy describes a registry scope that must be signed by public keys.`, getDefaultPolicyPath())
- trustCommand = cli.Command{
- Name: "trust",
- Usage: "Manage container image trust policy",
- Description: trustDescription,
- ArgsUsage: "{set,show} ...",
- Subcommands: trustSubCommands,
- OnUsageError: usageErrorHandler,
}
)
-func showTrustCmd(c *cli.Context) error {
- runtime, err := libpodruntime.GetRuntime(c)
- if err != nil {
- return errors.Wrapf(err, "could not create runtime")
- }
-
- var (
- policyPath string
- systemRegistriesDirPath string
- outjson interface{}
- )
- if c.IsSet("policypath") {
- policyPath = c.String("policypath")
- } else {
- policyPath = trust.DefaultPolicyPath(runtime.SystemContext())
- }
- policyContent, err := ioutil.ReadFile(policyPath)
- if err != nil {
- return errors.Wrapf(err, "unable to read %s", policyPath)
- }
- if c.IsSet("registrypath") {
- systemRegistriesDirPath = c.String("registrypath")
- } else {
- systemRegistriesDirPath = trust.RegistriesDirPath(runtime.SystemContext())
- }
-
- if c.Bool("raw") {
- _, err := os.Stdout.Write(policyContent)
- if err != nil {
- return errors.Wrap(err, "could not read trust policies")
- }
- return nil
- }
-
- policyContentStruct, err := trust.GetPolicy(policyPath)
- if err != nil {
- return errors.Wrapf(err, "could not read trust policies")
- }
-
- if c.Bool("json") {
- policyJSON, err := getPolicyJSON(policyContentStruct, systemRegistriesDirPath)
- if err != nil {
- return errors.Wrapf(err, "could not show trust policies in JSON format")
- }
- outjson = policyJSON
- out := formats.JSONStruct{Output: outjson}
- return formats.Writer(out).Out()
- }
-
- showOutputMap, err := getPolicyShowOutput(policyContentStruct, systemRegistriesDirPath)
- if err != nil {
- return errors.Wrapf(err, "could not show trust policies")
- }
- out := formats.StdoutTemplateArray{Output: showOutputMap, Template: "{{.Repo}}\t{{.Trusttype}}\t{{.GPGid}}\t{{.Sigstore}}"}
- return formats.Writer(out).Out()
-}
-
-func setTrustCmd(c *cli.Context) error {
- runtime, err := libpodruntime.GetRuntime(c)
- if err != nil {
- return errors.Wrapf(err, "could not create runtime")
- }
- var (
- policyPath string
- policyContentStruct trust.PolicyContent
- newReposContent []trust.RepoContent
- )
- args := c.Args()
- if len(args) != 1 {
- return errors.Errorf("default or a registry name must be specified")
- }
- valid, err := image.IsValidImageURI(args[0])
- if err != nil || !valid {
- return errors.Wrapf(err, "invalid image uri %s", args[0])
- }
-
- trusttype := c.String("type")
- if !isValidTrustType(trusttype) {
- return errors.Errorf("invalid choice: %s (choose from 'accept', 'reject', 'signedBy')", trusttype)
- }
- if trusttype == "accept" {
- trusttype = "insecureAcceptAnything"
- }
-
- pubkeysfile := c.StringSlice("pubkeysfile")
- if len(pubkeysfile) == 0 && trusttype == "signedBy" {
- return errors.Errorf("At least one public key must be defined for type 'signedBy'")
- }
-
- if c.IsSet("policypath") {
- policyPath = c.String("policypath")
- } else {
- policyPath = trust.DefaultPolicyPath(runtime.SystemContext())
- }
- _, err = os.Stat(policyPath)
- if !os.IsNotExist(err) {
- policyContent, err := ioutil.ReadFile(policyPath)
- if err != nil {
- return errors.Wrapf(err, "unable to read %s", policyPath)
- }
- if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
- return errors.Errorf("could not read trust policies")
- }
- }
- if len(pubkeysfile) != 0 {
- for _, filepath := range pubkeysfile {
- newReposContent = append(newReposContent, trust.RepoContent{Type: trusttype, KeyType: "GPGKeys", KeyPath: filepath})
- }
- } else {
- newReposContent = append(newReposContent, trust.RepoContent{Type: trusttype})
- }
- if args[0] == "default" {
- policyContentStruct.Default = newReposContent
- } else {
- if len(policyContentStruct.Default) == 0 {
- return errors.Errorf("Default trust policy must be set.")
- }
- registryExists := false
- for transport, transportval := range policyContentStruct.Transports {
- _, registryExists = transportval[args[0]]
- if registryExists {
- policyContentStruct.Transports[transport][args[0]] = newReposContent
- break
- }
- }
- if !registryExists {
- if policyContentStruct.Transports == nil {
- policyContentStruct.Transports = make(map[string]trust.RepoMap)
- }
- if policyContentStruct.Transports["docker"] == nil {
- policyContentStruct.Transports["docker"] = make(map[string][]trust.RepoContent)
- }
- policyContentStruct.Transports["docker"][args[0]] = append(policyContentStruct.Transports["docker"][args[0]], newReposContent...)
- }
- }
-
- data, err := json.MarshalIndent(policyContentStruct, "", " ")
- if err != nil {
- return errors.Wrapf(err, "error setting trust policy")
- }
- err = ioutil.WriteFile(policyPath, data, 0644)
- if err != nil {
- return errors.Wrapf(err, "error setting trust policy")
- }
- return nil
-}
-
-func sortShowOutputMapKey(m map[string]trust.ShowOutput) []string {
- keys := make([]string, len(m))
- i := 0
- for k := range m {
- keys[i] = k
- i++
- }
- sort.Strings(keys)
- return keys
-}
-
-func isValidTrustType(t string) bool {
- if t == "accept" || t == "insecureAcceptAnything" || t == "reject" || t == "signedBy" {
- return true
- }
- return false
-}
-
-func getDefaultPolicyPath() string {
- return trust.DefaultPolicyPath(&types.SystemContext{})
-}
-
-func getPolicyJSON(policyContentStruct trust.PolicyContent, systemRegistriesDirPath string) (map[string]map[string]interface{}, error) {
- registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath)
- if err != nil {
- return nil, err
- }
-
- policyJSON := make(map[string]map[string]interface{})
- if len(policyContentStruct.Default) > 0 {
- policyJSON["* (default)"] = make(map[string]interface{})
- policyJSON["* (default)"]["type"] = policyContentStruct.Default[0].Type
- }
- for transname, transval := range policyContentStruct.Transports {
- for repo, repoval := range transval {
- policyJSON[repo] = make(map[string]interface{})
- policyJSON[repo]["type"] = repoval[0].Type
- policyJSON[repo]["transport"] = transname
- keyarr := []string{}
- uids := []string{}
- for _, repoele := range repoval {
- if len(repoele.KeyPath) > 0 {
- keyarr = append(keyarr, repoele.KeyPath)
- uids = append(uids, trust.GetGPGIdFromKeyPath(repoele.KeyPath)...)
- }
- if len(repoele.KeyData) > 0 {
- keyarr = append(keyarr, string(repoele.KeyData))
- uids = append(uids, trust.GetGPGIdFromKeyData(string(repoele.KeyData))...)
- }
- }
- policyJSON[repo]["keys"] = keyarr
- policyJSON[repo]["sigstore"] = ""
- registryNamespace := trust.HaveMatchRegistry(repo, registryConfigs)
- if registryNamespace != nil {
- policyJSON[repo]["sigstore"] = registryNamespace.SigStore
- }
- }
- }
- return policyJSON, nil
-}
-
-var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"}
-
-func trustTypeDescription(trustType string) string {
- trustDescription, exist := typeDescription[trustType]
- if !exist {
- logrus.Warnf("invalid trust type %s", trustType)
- }
- return trustDescription
-}
-
-func getPolicyShowOutput(policyContentStruct trust.PolicyContent, systemRegistriesDirPath string) ([]interface{}, error) {
- var output []interface{}
-
- registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath)
- if err != nil {
- return nil, err
- }
-
- trustShowOutputMap := make(map[string]trust.ShowOutput)
- if len(policyContentStruct.Default) > 0 {
- defaultPolicyStruct := trust.ShowOutput{
- Repo: "default",
- Trusttype: trustTypeDescription(policyContentStruct.Default[0].Type),
- }
- trustShowOutputMap["* (default)"] = defaultPolicyStruct
- }
- for _, transval := range policyContentStruct.Transports {
- for repo, repoval := range transval {
- tempTrustShowOutput := trust.ShowOutput{
- Repo: repo,
- Trusttype: repoval[0].Type,
- }
- keyarr := []string{}
- uids := []string{}
- for _, repoele := range repoval {
- if len(repoele.KeyPath) > 0 {
- keyarr = append(keyarr, repoele.KeyPath)
- uids = append(uids, trust.GetGPGIdFromKeyPath(repoele.KeyPath)...)
- }
- if len(repoele.KeyData) > 0 {
- keyarr = append(keyarr, string(repoele.KeyData))
- uids = append(uids, trust.GetGPGIdFromKeyData(string(repoele.KeyData))...)
- }
- }
- tempTrustShowOutput.GPGid = strings.Join(uids, ", ")
-
- registryNamespace := trust.HaveMatchRegistry(repo, registryConfigs)
- if registryNamespace != nil {
- tempTrustShowOutput.Sigstore = registryNamespace.SigStore
- }
- trustShowOutputMap[repo] = tempTrustShowOutput
- }
- }
-
- sortedRepos := sortShowOutputMapKey(trustShowOutputMap)
- for _, reponame := range sortedRepos {
- showOutput, exists := trustShowOutputMap[reponame]
- if exists {
- output = append(output, interface{}(showOutput))
- }
- }
- return output, nil
+func init() {
+ trustCommand.AddCommand(getTrustSubCommands()...)
+ imageCommand.AddCommand(trustCommand.Command)
}