authorMiloslav Trmač <mitr@redhat.com>2022-08-24 21:39:14 +0200
committerMiloslav Trmač <mitr@redhat.com>2022-08-29 17:55:38 +0200
commite43881af37707e4e76059b707eee90aa2b307590 (patch)
tree69af72d503cecbf78a4c55302b6faa79eb0dac1f /pkg/trust/policy.go
parent5cd584f43e6ed3738dba0430675088c77013dbb7 (diff)
Move most of imageEngine.SetTrust to pkg/trust.AddPolicyEntries
This will allow us to write unit tests without setting up the complete Podman runtime (and without the Linux dependency). Also, actually add a basic smoke test of the core functionality. Should not change behavior. Signed-off-by: Miloslav Trmač <mitr@redhat.com>
Diffstat (limited to 'pkg/trust/policy.go')
-rw-r--r--pkg/trust/policy.go74
1 files changed, 74 insertions, 0 deletions
diff --git a/pkg/trust/policy.go b/pkg/trust/policy.go
index 62950131d..352be781c 100644
--- a/pkg/trust/policy.go
+++ b/pkg/trust/policy.go
@@ -5,6 +5,7 @@ import (
"bytes"
"encoding/base64"
"encoding/json"
+ "errors"
"fmt"
"io/ioutil"
"os"
@@ -123,3 +124,76 @@ func GetPolicy(policyPath string) (PolicyContent, error) {
}
return policyContentStruct, nil
}
+
+// AddPolicyEntriesInput collects some parameters to AddPolicyEntries,
+// primarily so that the callers use named values instead of just strings in a sequence.
+type AddPolicyEntriesInput struct {
+ Scope string // "default" or a docker/atomic scope name
+ Type string
+ PubKeyFiles []string // For signature enforcement types, paths to public keys files (where the image needs to be signed by at least one key from _each_ of the files). File format depends on Type.
+}
+
+// AddPolicyEntries adds one or more policy entries necessary to implement AddPolicyEntriesInput.
+func AddPolicyEntries(policyPath string, input AddPolicyEntriesInput) error {
+ var (
+ policyContentStruct PolicyContent
+ newReposContent []RepoContent
+ )
+ trustType := input.Type
+ if trustType == "accept" {
+ trustType = "insecureAcceptAnything"
+ }
+
+ pubkeysfile := input.PubKeyFiles
+ if len(pubkeysfile) == 0 && trustType == "signedBy" {
+ return errors.New("at least one public key must be defined for type 'signedBy'")
+ }
+
+ _, err := os.Stat(policyPath)
+ if !os.IsNotExist(err) {
+ policyContent, err := ioutil.ReadFile(policyPath)
+ if err != nil {
+ return err
+ }
+ if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
+ return errors.New("could not read trust policies")
+ }
+ }
+ if len(pubkeysfile) != 0 {
+ for _, filepath := range pubkeysfile {
+ newReposContent = append(newReposContent, RepoContent{Type: trustType, KeyType: "GPGKeys", KeyPath: filepath})
+ }
+ } else {
+ newReposContent = append(newReposContent, RepoContent{Type: trustType})
+ }
+ if input.Scope == "default" {
+ policyContentStruct.Default = newReposContent
+ } else {
+ if len(policyContentStruct.Default) == 0 {
+ return errors.New("default trust policy must be set")
+ }
+ registryExists := false
+ for transport, transportval := range policyContentStruct.Transports {
+ _, registryExists = transportval[input.Scope]
+ if registryExists {
+ policyContentStruct.Transports[transport][input.Scope] = newReposContent
+ break
+ }
+ }
+ if !registryExists {
+ if policyContentStruct.Transports == nil {
+ policyContentStruct.Transports = make(map[string]RepoMap)
+ }
+ if policyContentStruct.Transports["docker"] == nil {
+ policyContentStruct.Transports["docker"] = make(map[string][]RepoContent)
+ }
+ policyContentStruct.Transports["docker"][input.Scope] = append(policyContentStruct.Transports["docker"][input.Scope], newReposContent...)
+ }
+ }
+
+ data, err := json.MarshalIndent(policyContentStruct, "", " ")
+ if err != nil {
+ return fmt.Errorf("error setting trust policy: %w", err)
+ }
+ return ioutil.WriteFile(policyPath, data, 0644)
+}
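Review bot: The `for transport, transportval := range policyContentStruct.Transports` loop replaces the entry in the first transport that holds `input.Scope`, but Go map iteration order is random, so when the same scope name exists under more than one transport (the `Scope` field comment allows docker or atomic names) the transport that receives the new requirement is nondeterministic and the other keeps its old entry. Iterating the transport keys in sorted order, or updating every transport map that contains the scope, would make the written policy predictable, with the `!registryExists` fallback running only when no transport matched. The `json.Unmarshal` branch also discards the parse error; `return fmt.Errorf("could not read trust policies: %w", err)` keeps the cause for the caller. Both behaviours appear to be carried over from the original SetTrust code, so the "should not change behavior" note holds, but the move is a natural place to address them.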