1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
|
package trust
import (
"bufio"
"bytes"
"encoding/base64"
"encoding/json"
"fmt"
"io/ioutil"
"os"
"os/exec"
"path/filepath"
"strings"
"github.com/containers/image/v5/types"
"github.com/sirupsen/logrus"
)
// PolicyContent struct for policy.json file
type PolicyContent struct {
Default []RepoContent `json:"default"`
Transports TransportsContent `json:"transports,omitempty"`
}
// RepoContent struct used under each repo
type RepoContent struct {
Type string `json:"type"`
KeyType string `json:"keyType,omitempty"`
KeyPath string `json:"keyPath,omitempty"`
KeyData string `json:"keyData,omitempty"`
SignedIdentity json.RawMessage `json:"signedIdentity,omitempty"`
}
// RepoMap map repo name to policycontent for each repo
type RepoMap map[string][]RepoContent
// TransportsContent struct for content under "transports"
type TransportsContent map[string]RepoMap
// DefaultPolicyPath returns a path to the default policy of the system.
func DefaultPolicyPath(sys *types.SystemContext) string {
systemDefaultPolicyPath := "/etc/containers/policy.json"
if sys != nil {
if sys.SignaturePolicyPath != "" {
return sys.SignaturePolicyPath
}
if sys.RootForImplicitAbsolutePaths != "" {
return filepath.Join(sys.RootForImplicitAbsolutePaths, systemDefaultPolicyPath)
}
}
return systemDefaultPolicyPath
}
// CreateTmpFile creates a temp file under dir and writes the content into it
func CreateTmpFile(dir, pattern string, content []byte) (string, error) {
tmpfile, err := ioutil.TempFile(dir, pattern)
if err != nil {
return "", err
}
defer tmpfile.Close()
if _, err := tmpfile.Write(content); err != nil {
return "", err
}
return tmpfile.Name(), nil
}
// GetGPGIdFromKeyPath return user keyring from key path
func GetGPGIdFromKeyPath(path string) []string {
cmd := exec.Command("gpg2", "--with-colons", path)
results, err := cmd.Output()
if err != nil {
logrus.Errorf("Getting key identity: %s", err)
return nil
}
return parseUids(results)
}
// GetGPGIdFromKeyData return user keyring from keydata
func GetGPGIdFromKeyData(key string) []string {
decodeKey, err := base64.StdEncoding.DecodeString(key)
if err != nil {
logrus.Errorf("%s, error decoding key data", err)
return nil
}
tmpfileName, err := CreateTmpFile("", "", decodeKey)
if err != nil {
logrus.Errorf("Creating key date temp file %s", err)
}
defer os.Remove(tmpfileName)
return GetGPGIdFromKeyPath(tmpfileName)
}
func parseUids(colonDelimitKeys []byte) []string {
var parseduids []string
scanner := bufio.NewScanner(bytes.NewReader(colonDelimitKeys))
for scanner.Scan() {
line := scanner.Text()
if strings.HasPrefix(line, "uid:") || strings.HasPrefix(line, "pub:") {
uid := strings.Split(line, ":")[9]
if uid == "" {
continue
}
parseduid := uid
if strings.Contains(uid, "<") && strings.Contains(uid, ">") {
parseduid = strings.SplitN(strings.SplitAfterN(uid, "<", 2)[1], ">", 2)[0]
}
parseduids = append(parseduids, parseduid)
}
}
return parseduids
}
// GetPolicy parse policy.json into PolicyContent struct
func GetPolicy(policyPath string) (PolicyContent, error) {
var policyContentStruct PolicyContent
policyContent, err := ioutil.ReadFile(policyPath)
if err != nil {
return policyContentStruct, fmt.Errorf("unable to read policy file: %w", err)
}
if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil {
return policyContentStruct, fmt.Errorf("could not parse trust policies from %s: %w", policyPath, err)
}
return policyContentStruct, nil
}
|
