Diffstat (limited to 'pkg')
-rw-r--r--pkg/trust/trust.go129
-rw-r--r--pkg/util/utils.go12
2 files changed, 102 insertions, 39 deletions
diff --git a/pkg/trust/trust.go b/pkg/trust/trust.go
index efc760364..31e41903e 100644
--- a/pkg/trust/trust.go
+++ b/pkg/trust/trust.go
@@ -2,6 +2,7 @@ package trust
import (
"bufio"
+ "bytes"
"encoding/base64"
"encoding/json"
"io/ioutil"
@@ -9,7 +10,6 @@ import (
"os/exec"
"path/filepath"
"strings"
- "unsafe"
"github.com/containers/image/types"
"github.com/pkg/errors"
@@ -52,6 +52,14 @@ type RegistryNamespace struct {
SigStoreStaging string `json:"sigstore-staging"` // For writing only.
}
+// ShowOutput keep the fields for image trust show command
+type ShowOutput struct {
+ Repo string
+ Trusttype string
+ GPGid string
+ Sigstore string
+}
+
// DefaultPolicyPath returns a path to the default policy of the system.
func DefaultPolicyPath(sys *types.SystemContext) string {
systemDefaultPolicyPath := "/etc/containers/policy.json"
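Review bot: The new exported ShowOutput type names its fields `Trusttype` and `GPGid`, which breaks the MixedCaps/initialism convention the rest of the package follows (`SigStoreStaging` just above); `TrustType` and `GPGID` would match it, and since the type is introduced in this commit, renaming now avoids an exported-API change later. The doc comment also reads awkwardly; suggested wording: `// ShowOutput holds the fields printed for one repository by the image trust show command.`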
@@ -167,84 +175,127 @@ func CreateTmpFile(dir, pattern string, content []byte) (string, error) {
return tmpfile.Name(), nil
}
-// GetGPGId return GPG identity, either bracketed <email> or ID string
-// comma separated if more than one key
-func GetGPGId(keys []string) string {
+func getGPGIdFromKeyPath(path []string) []string {
+ var uids []string
+ for _, k := range path {
+ cmd := exec.Command("gpg2", "--with-colons", k)
+ results, err := cmd.Output()
+ if err != nil {
+ logrus.Warnf("error get key identity: %s", err)
+ continue
+ }
+ uids = append(uids, parseUids(results)...)
+ }
+ return uids
+}
+
+func getGPGIdFromKeyData(keys []string) []string {
+ var uids []string
for _, k := range keys {
- if _, err := os.Stat(k); err != nil {
- decodeKey, err := base64.StdEncoding.DecodeString(k)
- if err != nil {
- logrus.Warnf("error decoding key data")
- continue
- }
- tmpfileName, err := CreateTmpFile("/run/", "", decodeKey)
- if err != nil {
- logrus.Warnf("error creating key date temp file %s", err)
- }
- defer os.Remove(tmpfileName)
- k = tmpfileName
+ decodeKey, err := base64.StdEncoding.DecodeString(k)
+ if err != nil {
+ logrus.Warnf("error decoding key data")
+ continue
}
+ tmpfileName, err := CreateTmpFile("", "", decodeKey)
+ if err != nil {
+ logrus.Warnf("error creating key date temp file %s", err)
+ }
+ defer os.Remove(tmpfileName)
+ k = tmpfileName
cmd := exec.Command("gpg2", "--with-colons", k)
results, err := cmd.Output()
if err != nil {
logrus.Warnf("error get key identity: %s", err)
continue
}
- resultsStr := *(*string)(unsafe.Pointer(&results))
- scanner := bufio.NewScanner(strings.NewReader(resultsStr))
- var parseduids []string
- for scanner.Scan() {
- line := scanner.Text()
- if strings.HasPrefix(line, "uid:") || strings.HasPrefix(line, "pub:") {
- uid := strings.Split(line, ":")[9]
- if uid == "" {
- continue
- }
- parseduid := uid
- if strings.Contains(uid, "<") && strings.Contains(uid, ">") {
- parseduid = strings.SplitN(strings.SplitAfterN(uid, "<", 2)[1], ">", 2)[0]
- }
- parseduids = append(parseduids, parseduid)
+ uids = append(uids, parseUids(results)...)
+ }
+ return uids
+}
+
+func parseUids(colonDelimitKeys []byte) []string {
+ var parseduids []string
+ scanner := bufio.NewScanner(bytes.NewReader(colonDelimitKeys))
+ for scanner.Scan() {
+ line := scanner.Text()
+ if strings.HasPrefix(line, "uid:") || strings.HasPrefix(line, "pub:") {
+ uid := strings.Split(line, ":")[9]
+ if uid == "" {
+ continue
+ }
+ parseduid := uid
+ if strings.Contains(uid, "<") && strings.Contains(uid, ">") {
+ parseduid = strings.SplitN(strings.SplitAfterN(uid, "<", 2)[1], ">", 2)[0]
}
+ parseduids = append(parseduids, parseduid)
}
- return strings.Join(parseduids, ",")
}
- return ""
+ return parseduids
}
-// GetPolicyJSON return the struct to show policy.json in json format
-func GetPolicyJSON(policyContentStruct PolicyContent, systemRegistriesDirPath string) (map[string]map[string]interface{}, error) {
+var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"}
+
+func trustTypeDescription(trustType string) string {
+ trustDescription, exist := typeDescription[trustType]
+ if !exist {
+ logrus.Warnf("invalid trust type %s", trustType)
+ }
+ return trustDescription
+}
+
+// GetPolicy return the struct to show policy.json in json format and a map (reponame, ShowOutput) pair for image trust show command
+func GetPolicy(policyContentStruct PolicyContent, systemRegistriesDirPath string) (map[string]map[string]interface{}, map[string]ShowOutput, error) {
registryConfigs, err := LoadAndMergeConfig(systemRegistriesDirPath)
if err != nil {
- return nil, err
+ return nil, nil, err
}
+ trustShowOutputMap := make(map[string]ShowOutput)
policyJSON := make(map[string]map[string]interface{})
if len(policyContentStruct.Default) > 0 {
policyJSON["* (default)"] = make(map[string]interface{})
policyJSON["* (default)"]["type"] = policyContentStruct.Default[0].Type
+
+ var defaultPolicyStruct ShowOutput
+ defaultPolicyStruct.Repo = "default"
+ defaultPolicyStruct.Trusttype = trustTypeDescription(policyContentStruct.Default[0].Type)
+ trustShowOutputMap["* (default)"] = defaultPolicyStruct
}
for transname, transval := range policyContentStruct.Transports {
for repo, repoval := range transval {
+ tempTrustShowOutput := ShowOutput{
+ Repo: repo,
+ Trusttype: repoval[0].Type,
+ }
policyJSON[repo] = make(map[string]interface{})
policyJSON[repo]["type"] = repoval[0].Type
policyJSON[repo]["transport"] = transname
+ keyDataArr := []string{}
+ keyPathArr := []string{}
+ keyarr := []string{}
for _, repoele := range repoval {
- keyarr := []string{}
if len(repoele.KeyPath) > 0 {
keyarr = append(keyarr, repoele.KeyPath)
+ keyPathArr = append(keyPathArr, repoele.KeyPath)
}
if len(repoele.KeyData) > 0 {
keyarr = append(keyarr, string(repoele.KeyData))
+ keyDataArr = append(keyDataArr, string(repoele.KeyData))
}
- policyJSON[repo]["keys"] = keyarr
}
+ policyJSON[repo]["keys"] = keyarr
+ uids := append(getGPGIdFromKeyPath(keyPathArr), getGPGIdFromKeyData(keyDataArr)...)
+ tempTrustShowOutput.GPGid = strings.Join(uids, ",")
+
policyJSON[repo]["sigstore"] = ""
registryNamespace := HaveMatchRegistry(repo, registryConfigs)
if registryNamespace != nil {
policyJSON[repo]["sigstore"] = registryNamespace.SigStore
+ tempTrustShowOutput.Sigstore = registryNamespace.SigStore
}
+ trustShowOutputMap[repo] = tempTrustShowOutput
}
}
- return policyJSON, nil
+ return policyJSON, trustShowOutputMap, nil
}
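Review bot: In getGPGIdFromKeyData the CreateTmpFile error is only logged, so the loop continues with an empty tmpfileName, queues `defer os.Remove("")` and runs gpg2 against an empty path; add `continue` after that Warnf (the message's "key date" also looks like a typo for "key data"). parseUids indexes `strings.Split(line, ":")[9]` unconditionally, so any uid:/pub: line with fewer than ten colon-separated fields panics the whole command rather than being skipped; split once into `fields` and `continue` when `len(fields) < 10`. The `defer os.Remove(tmpfileName)` inside the range loop keeps every decoded key file on disk until GetPolicy returns instead of per iteration, and since the same gpg2 invocation appears in both helpers they could share one small function. Both helpers pass KeyPath/tmp paths from policy.json straight to gpg2 as a positional argument; inserting `"--"` before `k` keeps a path that happens to begin with `-` from being read as an option. GetPolicy still reads `repoval[0].Type` without a length check, which predates this change but now also feeds ShowOutput.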
diff --git a/pkg/util/utils.go b/pkg/util/utils.go
index 2b752afe1..e0b94b011 100644
--- a/pkg/util/utils.go
+++ b/pkg/util/utils.go
@@ -316,8 +316,20 @@ func GetDefaultStoreOptions() (storage.StoreOptions, string, error) {
storageConf := StorageConfigFile()
if _, err := os.Stat(storageConf); err == nil {
+ defaultRootlessRunRoot := storageOpts.RunRoot
+ defaultRootlessGraphRoot := storageOpts.GraphRoot
storageOpts = storage.StoreOptions{}
storage.ReloadConfigurationFile(storageConf, &storageOpts)
+
+ // If the file did not specify a graphroot or runroot,
+ // set sane defaults so we don't try and use root-owned
+ // directories
+ if storageOpts.RunRoot == "" {
+ storageOpts.RunRoot = defaultRootlessRunRoot
+ }
+ if storageOpts.GraphRoot == "" {
+ storageOpts.GraphRoot = defaultRootlessGraphRoot
+ }
} else if os.IsNotExist(err) {
os.MkdirAll(filepath.Dir(storageConf), 0755)
file, err := os.OpenFile(storageConf, os.O_RDWR|os.O_CREATE|os.O_EXCL, 0666)