forked from toolshed/abra
chore: vendor
This commit is contained in:
.gitignoremodules.txt
vendor
coopcloud.tech
dario.cat
mergo
git.coopcloud.tech
coop-cloud
github.com
AlecAivazis
survey
v2
CONTRIBUTING.mdLICENSEREADME.mdconfirm.go
core
editor.gofilter.goinput.gomultiline.gomultiselect.gopassword.gorenderer.goselect.gosurvey.goterminal
LICENSE.txtREADME.mdbuffered_reader.gocursor.gocursor_windows.godisplay.godisplay_posix.godisplay_windows.goerror.gooutput.gooutput_windows.gorunereader.gorunereader_bsd.gorunereader_linux.gorunereader_posix.gorunereader_ppc64le.gorunereader_windows.gosequences.gostdio.gosyscall_windows.goterminal.go
transform.govalidate.goAzure
go-ansiterm
BurntSushi
toml
Microsoft
go-winio
ProtonMail
go-crypto
AUTHORSCONTRIBUTORSLICENSEPATENTSkey_generation.gokeys.gokeys_test_data.go
bitcurves
brainpool
eax
internal
byteutil
ocb
openpgp
aes
keywrap
armor
canonical_text.goecdh
ecdsa
eddsa
elgamal
errors
hash.gointernal
algorithm
ecc
encoding
packet
aead_config.goaead_crypter.goaead_encrypted.gocompressed.goconfig.goencrypted_key.goliteral.gonotation.goocfb.goone_pass_signature.goopaque.gopacket.goprivate_key.goprivate_key_test_data.gopublic_key.gopublic_key_test_data.goreader.gosignature.gosymmetric_key_encrypted.gosymmetrically_encrypted.gosymmetrically_encrypted_aead.gosymmetrically_encrypted_mdc.gouserattribute.gouserid.go
read.goread_write_test_data.gos2k
write.goaymanbagabas
beorn7
perks
cenkalti
backoff
cespare
xxhash
charmbracelet
lipgloss
.gitignore.golangci-soft.yml.golangci.ymlLICENSEREADME.mdalign.goansi_unix.goansi_windows.goborders.gocolor.goget.gojoin.goposition.gorenderer.gorunes.goset.gosize.gostyle.go
table
unset.gowhitespace.golog
.gitignore.golangci.yml.goreleaser.ymlLICENSEREADME.mdcontext.goformatter.gojson.golevel.golevel_121.golevel_no121.gologfmt.gologger.gologger_121.gologger_no121.gooptions.gopkg.gostdlog.gostyles.gotext.go
x
cloudflare
containerd
containerd
log
containers
image
LICENSE
docker
cache.godocker_client.godocker_image.godocker_image_dest.godocker_image_src.godocker_transport.golookaside.go
policyconfiguration
reference
wwwauthenticate.goimage
manifest
pkg
blobinfocache
none
docker
keyctl
strslice
sysregistriesv2
tlsclientconfig
transports
types
cpuguy83
go-md2man
v2
cyphar
davecgh
decentral1se
distribution
reference
docker
cli
AUTHORSLICENSENOTICE
cli-plugins
hooks
manager
cli
cobra.go
command
cli.gocli_options.gocontext.godefaultcontextstore.gotelemetry.gotelemetry_docker.gotelemetry_options.gotelemetry_utils.gotrust.goutils.go
formatter
buildcache.gocontainer.gocontext.gocustom.godisk_usage.godisplayutils.goformatter.goimage.goreflect.go
registry.gotabwriter
volume.goservice
progress
stack
formatter
compose
interpolation
loader
schema
data
config_schema_v3.0.jsonconfig_schema_v3.1.jsonconfig_schema_v3.10.jsonconfig_schema_v3.11.jsonconfig_schema_v3.12.jsonconfig_schema_v3.13.jsonconfig_schema_v3.2.jsonconfig_schema_v3.3.jsonconfig_schema_v3.4.jsonconfig_schema_v3.5.jsonconfig_schema_v3.6.jsonconfig_schema_v3.7.jsonconfig_schema_v3.8.jsonconfig_schema_v3.9.json
schema.gotemplate
types
config
config.go
configfile
credentials
credentials.godefault_store.godefault_store_darwin.godefault_store_linux.godefault_store_unsupported.godefault_store_windows.gofile_store.gonative_store.go
types
connhelper
context
debug
error.goflags
hints
manifest
registry
required.gostreams
trust
version
opts
capabilities.goconfig.goduration.goenv.goenvfile.gofile.gogpus.gohosts.gohosts_unix.gohosts_windows.gomount.gonetwork.goopts.goparse.goport.goquotedstring.gosecret.gothrottledevice.goulimit.goweightdevice.go
templates
distribution
.dockerignore.gitignore.golangci.yml.mailmapBUILDING.mdCONTRIBUTING.mdDockerfileLICENSEMAINTAINERSMakefileREADME.mdROADMAP.mdblobs.godoc.godocker-bake.hclerrors.go
manifest
manifests.gometrics
registry.goregistry
tags.gouuid
vendor.confdocker-credential-helpers
docker
AUTHORSLICENSENOTICE
api
README.mdcommon.goswagger-gen.yamlswagger.yaml
types
blkiodev
checkpoint
client.gocontainer
change_type.gochange_types.goconfig.gocontainer.gocontainer_top.gocontainer_update.gocreate_request.gocreate_response.goerrors.goexec.gofilesystem_change.gohostconfig.gohostconfig_unix.gohostconfig_windows.gooptions.gostats.gowait_exit_error.gowait_response.gowaitcondition.go
error_response.goerror_response_ext.goevents
filters
graph_driver_data.goid_response.goimage
mount
network
plugin.goplugin_device.goplugin_env.goplugin_interface_type.goplugin_mount.goplugin_responses.goport.goregistry
strslice
swarm
common.goconfig.gocontainer.gonetwork.gonode.goruntime.go
runtime
secret.goservice.goservice_create_response.goservice_update_response.goswarm.gotask.gosystem
time
types.gotypes_deprecated.goversions
volume
client
README.mdbuild_cancel.gobuild_prune.gocheckpoint_create.gocheckpoint_delete.gocheckpoint_list.goclient.goclient_deprecated.goclient_unix.goclient_windows.goconfig_create.goconfig_inspect.goconfig_list.goconfig_remove.goconfig_update.gocontainer_attach.gocontainer_commit.gocontainer_copy.gocontainer_create.gocontainer_diff.gocontainer_exec.gocontainer_export.gocontainer_inspect.gocontainer_kill.gocontainer_list.gocontainer_logs.gocontainer_pause.gocontainer_prune.gocontainer_remove.gocontainer_rename.gocontainer_resize.gocontainer_restart.gocontainer_start.gocontainer_stats.gocontainer_stop.gocontainer_top.gocontainer_unpause.gocontainer_update.gocontainer_wait.godisk_usage.godistribution_inspect.goenvvars.goerrors.goevents.gohijack.goimage_build.goimage_create.goimage_history.goimage_import.goimage_inspect.goimage_list.goimage_load.goimage_prune.goimage_pull.goimage_push.goimage_remove.goimage_save.goimage_search.goimage_tag.goinfo.gointerface.gointerface_experimental.gointerface_stable.gologin.gonetwork_connect.gonetwork_create.gonetwork_disconnect.gonetwork_inspect.gonetwork_list.gonetwork_prune.gonetwork_remove.gonode_inspect.gonode_list.gonode_remove.gonode_update.gooptions.goping.goplugin_create.goplugin_disable.goplugin_enable.goplugin_inspect.goplugin_install.goplugin_list.goplugin_push.goplugin_remove.goplugin_set.goplugin_upgrade.gorequest.gosecret_create.gosecret_inspect.gosecret_list.gosecret_remove.gosecret_update.goservice_create.goservice_inspect.goservice_list.goservice_logs.goservice_remove.goservice_update.goswarm_get_unlock_key.goswarm_init.goswarm_inspect.goswarm_join.goswarm_leave.goswarm_unlock.goswarm_update.gotask_inspect.gotask_list.gotask_logs.goutils.goversion.govolume_create.govolume_inspect.govolume_list.govolume_prune.govolume_remove.govolume_update.go
errdefs
internal
multierror
pkg
archive
archive.goarchive_linux.goarchive_other.goarchive_unix.goarchive_windows.gochanges.gochanges_linux.gochanges_other.gochanges_unix.gochanges_windows.gocopy.gocopy_unix.gocopy_windows.godiff.godiff_unix.godiff_windows.gopath.gopath_unix.gopath_windows.gotime_linux.gotime_unsupported.gowhiteouts.gowrap.go
homedir
idtools
idtools.goidtools_unix.goidtools_windows.gousergroupadd_linux.gousergroupadd_unsupported.goutils_unix.go
ioutils
jsonmessage
pools
progress
stdcopy
streamformatter
stringid
system
args_windows.gochtimes.gochtimes_nowindows.gochtimes_windows.goerrors.gofilesys.gofilesys_unix.gofilesys_windows.goinit_windows.golstat_unix.golstat_windows.gomknod.gomknod_freebsd.gomknod_unix.gostat_bsd.gostat_darwin.gostat_illumos.gostat_linux.gostat_openbsd.gostat_unix.gostat_windows.goutimes_unix.goutimes_unsupported.goxattrs.goxattrs_linux.goxattrs_unsupported.go
registry
go-connections
LICENSE
nat
sockets
README.mdinmem_socket.goproxy.gosockets.gosockets_unix.gosockets_windows.gotcp_socket.gounix_socket.go
tlsconfig
go-metrics
CONTRIBUTING.mdLICENSELICENSE.docsNOTICEREADME.mdcounter.godocs.gogauge.gohandler.gohelpers.gonamespace.goregister.gotimer.gounit.go
go-units
go
libtrust
emirpasic
gods
felixge
httpsnoop
fvbommel
ghodss
go-git
gcfg
go-billy
v5
go-git
v5
.gitignoreCODE_OF_CONDUCT.mdCOMPATIBILITY.mdCONTRIBUTING.mdEXTENDING.mdLICENSEMakefileREADME.mdSECURITY.mdblame.gocommon.gohash.goreference.gorevision.goprune.goremote.gorepository.gosigner.gostatus.gosubmodule.goworktree.goworktree_bsd.goworktree_commit.goworktree_js.goworktree_linux.goworktree_plan9.goworktree_status.goworktree_unix_other.goworktree_windows.go
config
doc.gointernal
object_walker.gooptions.gooss-fuzz.shplumbing
cache
color
error.gofilemode
format
config
diff
gitignore
idxfile
index
objfile
packfile
common.godelta_index.godelta_selector.godiff_delta.godoc.goencoder.goerror.gofsobject.goobject_pack.gopackfile.goparser.gopatch_delta.goscanner.go
pktline
hash
memory.goobject.goobject
blob.gochange.gochange_adaptor.gocommit.gocommit_walker.gocommit_walker_bfs.gocommit_walker_bfs_filtered.gocommit_walker_ctime.gocommit_walker_limit.gocommit_walker_path.godifftree.gofile.gomerge_base.goobject.gopatch.gorename.gosignature.gotag.gotree.gotreenoder.go
protocol
packp
revlist
storer
transport
storage
filesystem
memory
storer.goutils
binary
diff
ioutil
merkletrie
sync
trace
go-logfmt
go-logr
logr
.golangci.yamlCHANGELOG.mdCONTRIBUTING.mdLICENSEREADME.mdSECURITY.mdcontext.gocontext_noslog.gocontext_slog.godiscard.go
funcr
logr.gosloghandler.goslogr.goslogsink.gostdr
go-viper
mapstructure
gogo
protobuf
AUTHORSCONTRIBUTORSLICENSE
proto
Makefileclone.gocustom_gogo.godecode.godeprecated.godiscard.goduration.goduration_gogo.goencode.goencode_gogo.goequal.goextensions.goextensions_gogo.golib.golib_gogo.gomessage_set.gopointer_reflect.gopointer_reflect_gogo.gopointer_unsafe.gopointer_unsafe_gogo.goproperties.goproperties_gogo.goskip_gogo.gotable_marshal.gotable_marshal_gogo.gotable_merge.gotable_unmarshal.gotable_unmarshal_gogo.gotext.gotext_gogo.gotext_parser.gotimestamp.gotimestamp_gogo.gowrappers.gowrappers_gogo.go
golang
google
gorilla
mux
grpc-ecosystem
grpc-gateway
hashicorp
go-cleanhttp
go-retryablehttp
inconshreveable
jbenet
kballard
go-shellquote
kevinburke
ssh_config
klauspost
compress
.gitattributes.gitignore.goreleaser.ymlLICENSEREADME.mdSECURITY.mdcompressible.gos2sx.mods2sx.sum
fse
gen.shhuff0
.gitignoreREADME.mdbitreader.gobitwriter.gocompress.godecompress.godecompress_amd64.godecompress_amd64.sdecompress_generic.gohuff0.go
internal
cpuinfo
snapref
zstd
README.mdbitreader.gobitwriter.goblockdec.goblockenc.goblocktype_string.gobytebuf.gobytereader.godecodeheader.godecoder.godecoder_options.godict.goenc_base.goenc_best.goenc_better.goenc_dfast.goenc_fast.goencoder.goencoder_options.goframedec.goframeenc.gofse_decoder.gofse_decoder_amd64.gofse_decoder_amd64.sfse_decoder_generic.gofse_encoder.gofse_predefined.gohash.gohistory.gomatchlen_amd64.gomatchlen_amd64.smatchlen_generic.goseqdec.goseqdec_amd64.goseqdec_amd64.sseqdec_generic.goseqenc.gosnappy.gozip.gozstd.go
internal
xxhash
lucasb-eyer
go-colorful
mattn
go-colorable
LICENSEREADME.mdcolorable_appengine.gocolorable_others.gocolorable_windows.gogo.test.shnoncolorable.go
go-isatty
LICENSEREADME.mddoc.gogo.test.shisatty_bsd.goisatty_others.goisatty_plan9.goisatty_solaris.goisatty_tcgets.goisatty_windows.go
go-runewidth
mgutz
miekg
pkcs11
mitchellh
colorstring
moby
docker-image-spec
patternmatcher
sys
sequential
signal
LICENSEsignal.gosignal_darwin.gosignal_freebsd.gosignal_linux.gosignal_linux_mipsx.gosignal_unix.gosignal_unsupported.gosignal_windows.go
user
term
morikuni
muesli
termenv
.gitignore.golangci-soft.yml.golangci.ymlLICENSEREADME.mdansi_compat.mdansicolors.gocolor.goconstants_linux.goconstants_solaris.goconstants_unix.gocopy.gohyperlink.gonotification.gooutput.goprofile.goscreen.gostyle.gotemplatehelper.gotermenv.gotermenv_other.gotermenv_posix.gotermenv_solaris.gotermenv_unix.gotermenv_windows.go
munnerz
goautoneg
opencontainers
go-digest
.mailmap.pullapprove.yml.travis.ymlCONTRIBUTING.mdLICENSELICENSE.docsMAINTAINERSREADME.mdalgorithm.godigest.godigester.godoc.goverifiers.go
image-spec
pjbgf
sha1cd
pkg
pmezard
go-difflib
prometheus
client_golang
LICENSENOTICE
prometheus
.gitignoreREADME.mdbuild_info_collector.gocollector.gocounter.godesc.godoc.goexpvar_collector.gofnv.gogauge.goget_pid.goget_pid_gopherjs.gogo_collector.gogo_collector_go116.gogo_collector_latest.gohistogram.go
internal
labels.gometric.gonum_threads.gonum_threads_gopherjs.goobserver.goprocess_collector.goprocess_collector_js.goprocess_collector_other.goprocess_collector_wasip1.goprocess_collector_windows.gopromhttp
registry.gosummary.gotimer.gountyped.govalue.govec.govnext.gowrap.goclient_model
common
procfs
.gitignore.golangci.ymlCODE_OF_CONDUCT.mdCONTRIBUTING.mdLICENSEMAINTAINERS.mdMakefileMakefile.commonNOTICEREADME.mdSECURITY.mdarp.gobuddyinfo.gocmdline.gocpuinfo.gocpuinfo_armx.gocpuinfo_loong64.gocpuinfo_mipsx.gocpuinfo_others.gocpuinfo_ppcx.gocpuinfo_riscvx.gocpuinfo_s390x.gocpuinfo_x86.gocrypto.godoc.gofs.gofs_statfs_notype.gofs_statfs_type.gofscache.go
internal
ipvs.gokernel_random.goloadavg.gomdstat.gomeminfo.gomountinfo.gomountstats.gonet_conntrackstat.gonet_dev.gonet_ip_socket.gonet_protocols.gonet_route.gonet_sockstat.gonet_softnet.gonet_tcp.gonet_tls_stat.gonet_udp.gonet_unix.gonet_wireless.gonet_xfrm.gonetstat.goproc.goproc_cgroup.goproc_cgroups.goproc_environ.goproc_fdinfo.goproc_interrupts.goproc_io.goproc_limits.goproc_maps.goproc_netstat.goproc_ns.goproc_psi.goproc_smaps.goproc_snmp.goproc_snmp6.goproc_stat.goproc_status.goproc_sys.goschedstat.goslab.gosoftirqs.gostat.goswaps.gothread.gottarvm.gozoneinfo.gorivo
uniseg
russross
blackfriday
schollz
sergi
go-diff
sirupsen
logrus
.gitignore.golangci.yml.travis.ymlCHANGELOG.mdLICENSEREADME.mdalt_exit.goappveyor.ymlbuffer_pool.godoc.goentry.goexported.goformatter.gohooks.gojson_formatter.gologger.gologrus.goterminal_check_appengine.goterminal_check_bsd.goterminal_check_js.goterminal_check_no_terminal.goterminal_check_notappengine.goterminal_check_solaris.goterminal_check_unix.goterminal_check_windows.gotext_formatter.gowriter.go
skeema
knownhosts
spf13
cobra
.gitignore.golangci.yml.mailmapCONDUCT.mdCONTRIBUTING.mdLICENSE.txtMAINTAINERSMakefileREADME.mdactive_help.goargs.gobash_completions.gobash_completionsV2.gocobra.gocommand.gocommand_notwin.gocommand_win.gocompletions.gofish_completions.goflag_groups.gopowershell_completions.goshell_completions.gozsh_completions.go
pflag
.gitignore.travis.ymlLICENSEREADME.mdbool.gobool_slice.gobytes.gocount.goduration.goduration_slice.goflag.gofloat32.gofloat32_slice.gofloat64.gofloat64_slice.gogolangflag.goint.goint16.goint32.goint32_slice.goint64.goint64_slice.goint8.goint_slice.goip.goip_slice.goipmask.goipnet.gostring.gostring_array.gostring_slice.gostring_to_int.gostring_to_int64.gostring_to_string.gouint.gouint16.gouint32.gouint64.gouint8.gouint_slice.go
stretchr
testify
theupdateframework
notary
.gitignoreCHANGELOG.mdCODE_OF_CONDUCT.mdCONTRIBUTING.mdCONTRIBUTORSDockerfileJenkinsfileLICENSEMAINTAINERSMAINTAINERS.ALUMNIMAINTAINERS_RULES.mdMakefileNOTARY_VERSIONREADME.mdcodecov.ymlconst.goconst_nowindows.goconst_windows.gocross.Dockerfile
client
changelist
client.godelegations.goerrors.gohelpers.gointerface.goreader.gorepo.gorepo_pkcs11.gotufclient.gowitness.gocryptoservice
development.mysql.ymldevelopment.postgresql.ymldevelopment.rethink.ymldocker-compose.postgresql.ymldocker-compose.rethink.ymldocker-compose.ymlescrow.Dockerfilefips.gonotary.gopassphrase
server.Dockerfileserver.minimal.Dockerfilesigner.Dockerfilesigner.minimal.Dockerfilestorage
trustmanager
trustpinning
tuf
urfave
cli
.flake8.gitignoreCODE_OF_CONDUCT.mdLICENSEREADME.mdapp.gocategory.gocli.gocommand.gocontext.godocs.goerrors.gofish.goflag.goflag_bool.goflag_bool_t.goflag_duration.goflag_float64.goflag_generic.goflag_int.goflag_int64.goflag_int64_slice.goflag_int_slice.goflag_string.goflag_string_slice.goflag_uint.goflag_uint64.gofuncs.gohelp.goparse.gosort.gotemplate.go
xanzy
xeipuuv
gojsonpointer
gojsonreference
gojsonschema
go.opentelemetry.io
contrib
instrumentation
net
http
otel
.codespellignore.codespellrc.gitattributes.gitignore.golangci.yml.lycheeignore.markdownlint.yamlCHANGELOG.mdCODEOWNERSCONTRIBUTING.mdLICENSEMakefileREADME.mdRELEASING.mdVERSIONING.mdget_main_pkgs.shhandler.gotrace.go
attribute
baggage
codes
doc.goerror_handler.goexporters
otlp
otlpmetric
otlpmetricgrpc
otlptrace
LICENSEREADME.mdclients.godoc.goexporter.go
internal
tracetransform
otlptracegrpc
LICENSEREADME.mdclient.godoc.goexporter.go
version.gointernal
options.gointernal
internal_logging.gometric.gometric
LICENSEREADME.mdasyncfloat64.goasyncint64.goconfig.godoc.go
propagation.goembedded
instrument.gometer.gonoop
syncfloat64.gosyncint64.gopropagation
renovate.jsonrequirements.txtsdk
LICENSEREADME.md
instrumentation
internal
metric
LICENSEREADME.mdaggregation.gocache.goconfig.godoc.goenv.goexemplar.goexporter.goinstrument.goinstrumentkind_string.go
internal
manual_reader.gometer.gometricdata
periodic_reader.gopipeline.goprovider.goreader.goversion.goview.goresource
README.mdauto.gobuiltin.goconfig.gocontainer.godoc.goenv.gohost_id.gohost_id_bsd.gohost_id_darwin.gohost_id_exec.gohost_id_linux.gohost_id_readfile.gohost_id_unsupported.gohost_id_windows.goos.goos_release_darwin.goos_release_unix.goos_unix.goos_unsupported.goos_windows.goprocess.goresource.go
trace
README.mdbatch_span_processor.godoc.goevent.goevictedqueue.goid_generator.golink.goprovider.gosampler_env.gosampling.gosimple_span_processor.gosnapshot.gospan.gospan_exporter.gospan_limits.gospan_processor.gotracer.goversion.go
version.gosemconv
v1.20.0
v1.21.0
v1.24.0
v1.26.0
trace
verify_examples.shverify_readmes.shversion.goversions.yamlproto
otlp
golang.org
x
crypto
LICENSEPATENTS
argon2
blake2b
blake2b.goblake2bAVX2_amd64.goblake2bAVX2_amd64.sblake2b_amd64.sblake2b_generic.goblake2b_ref.goblake2x.goregister.go
blowfish
cast5
chacha20
chacha_arm64.gochacha_arm64.schacha_generic.gochacha_noasm.gochacha_ppc64le.gochacha_ppc64le.schacha_s390x.gochacha_s390x.sxor.go
curve25519
ed25519
hkdf
internal
alias
poly1305
pbkdf2
sha3
doc.gohashes.gohashes_noasm.gokeccakf.gokeccakf_amd64.gokeccakf_amd64.ssha3.gosha3_s390x.gosha3_s390x.sshake.goshake_noasm.goxor.go
ssh
exp
net
LICENSEPATENTS
context
http
httpguts
http2
.gitignoreascii.gociphers.goclient_conn_pool.godatabuffer.goerrors.goflow.goframe.gogotrack.goheadermap.go
hpack
http2.gopipe.goserver.gotimer.gotransport.gowrite.gowritesched.gowritesched_priority.gowritesched_random.gowritesched_roundrobin.goidna
go118.goidna10.0.0.goidna9.0.0.gopre_go118.gopunycode.gotables10.0.0.gotables11.0.0.gotables12.0.0.gotables13.0.0.gotables15.0.0.gotables9.0.0.gotrie.gotrie12.0.0.gotrie13.0.0.gotrieval.go
internal
proxy
trace
sync
sys
LICENSEPATENTS
cpu
asm_aix_ppc64.sbyteorder.gocpu.gocpu_aix.gocpu_arm.gocpu_arm64.gocpu_arm64.scpu_gc_arm64.gocpu_gc_s390x.gocpu_gc_x86.gocpu_gccgo_arm64.gocpu_gccgo_s390x.gocpu_gccgo_x86.ccpu_gccgo_x86.gocpu_linux.gocpu_linux_arm.gocpu_linux_arm64.gocpu_linux_mips64x.gocpu_linux_noinit.gocpu_linux_ppc64x.gocpu_linux_s390x.gocpu_loong64.gocpu_mips64x.gocpu_mipsx.gocpu_netbsd_arm64.gocpu_openbsd_arm64.gocpu_openbsd_arm64.scpu_other_arm.gocpu_other_arm64.gocpu_other_mips64x.gocpu_other_ppc64x.gocpu_other_riscv64.gocpu_ppc64x.gocpu_riscv64.gocpu_s390x.gocpu_s390x.scpu_wasm.gocpu_x86.gocpu_x86.scpu_zos.gocpu_zos_s390x.goendian_big.goendian_little.gohwcap_linux.goparse.goproc_cpuinfo_linux.goruntime_auxv.goruntime_auxv_go121.gosyscall_aix_gccgo.gosyscall_aix_ppc64_gc.go
execabs
plan9
asm.sasm_plan9_386.sasm_plan9_amd64.sasm_plan9_arm.sconst_plan9.godir_plan9.goenv_plan9.goerrors_plan9.gomkall.shmkerrors.shmksysnum_plan9.shpwd_go15_plan9.gopwd_plan9.gorace.gorace0.gostr.gosyscall.gosyscall_plan9.gozsyscall_plan9_386.gozsyscall_plan9_amd64.gozsyscall_plan9_arm.gozsysnum_plan9.go
unix
.gitignoreREADME.mdaffinity_linux.goaliases.goasm_aix_ppc64.sasm_bsd_386.sasm_bsd_amd64.sasm_bsd_arm.sasm_bsd_arm64.sasm_bsd_ppc64.sasm_bsd_riscv64.sasm_linux_386.sasm_linux_amd64.sasm_linux_arm.sasm_linux_arm64.sasm_linux_loong64.sasm_linux_mips64x.sasm_linux_mipsx.sasm_linux_ppc64x.sasm_linux_riscv64.sasm_linux_s390x.sasm_openbsd_mips64.sasm_solaris_amd64.sasm_zos_s390x.sbluetooth_linux.gobpxsvc_zos.gobpxsvc_zos.scap_freebsd.goconstants.godev_aix_ppc.godev_aix_ppc64.godev_darwin.godev_dragonfly.godev_freebsd.godev_linux.godev_netbsd.godev_openbsd.godev_zos.godirent.goendian_big.goendian_little.goenv_unix.gofcntl.gofcntl_darwin.gofcntl_linux_32bit.gofdset.gogccgo.gogccgo_c.cgccgo_linux_amd64.goifreq_linux.goioctl_linux.goioctl_signed.goioctl_unsigned.goioctl_zos.gomkall.shmkerrors.shmmap_nomremap.gomremap.gopagesize_unix.gopledge_openbsd.goptrace_darwin.goptrace_ios.gorace.gorace0.goreaddirent_getdents.goreaddirent_getdirentries.gosockcmsg_dragonfly.gosockcmsg_linux.gosockcmsg_unix.gosockcmsg_unix_other.gosockcmsg_zos.gosymaddr_zos_s390x.ssyscall.gosyscall_aix.gosyscall_aix_ppc.gosyscall_aix_ppc64.gosyscall_bsd.gosyscall_darwin.gosyscall_darwin_amd64.gosyscall_darwin_arm64.gosyscall_darwin_libSystem.gosyscall_dragonfly.gosyscall_dragonfly_amd64.gosyscall_freebsd.gosyscall_freebsd_386.gosyscall_freebsd_amd64.gosyscall_freebsd_arm.gosyscall_freebsd_arm64.gosyscall_freebsd_riscv64.gosyscall_hurd.gosyscall_hurd_386.gosyscall_illumos.gosyscall_linux.gosyscall_linux_386.gosyscall_linux_alarm.gosyscall_linux_amd64.gosyscall_linux_amd64_gc.gosyscall_linux_arm.gosyscall_linux_arm64.gosyscall_linux_gc.gosyscall_linux_gc_386.gosyscall_linux_gc_arm.gosyscall_linux_gccgo_386.gosyscall_linux_gccgo_arm.gosyscall_linux_loong64.gosyscall_linux_mips64x.gosyscall_linux_mipsx.gosyscall_linux_ppc.gosyscall_linux_ppc64x.gosyscall_linux_riscv64.gosyscall_linux_s390x.gosyscall_linux_sparc64.gosyscall_netbsd.gosyscall_netbsd_386.gosyscall_netbsd_amd64.gosyscall_netbsd_arm.gosyscall_netbsd_arm64.gosyscall_openbsd.gosyscall_openbsd_386.gosyscall_openbsd_amd64.gosyscall_openbsd_arm.gosyscall_openbsd_arm64.gosyscall_openbsd_libc.gosyscall_openbsd_mips64.gosyscall_openbsd_ppc64.gosyscall_openbsd_riscv64.gosyscall_solaris.gosyscall_solaris_amd64.gosyscall_unix.gosyscall_unix_gc.gosyscall_unix_gc_ppc64x.gosyscall_zos_s390x.gosysvshm_linux.gosysvshm_unix.gosysvshm_unix_other.gotimestruct.gounveil_openbsd.goxattr_bsd.gozerrors_aix_ppc.gozerrors_aix_ppc64.gozerrors_darwin_amd64.gozerrors_darwin_arm64.gozerrors_dragonfly_amd64.gozerrors_freebsd_386.gozerrors_freebsd_amd64.gozerrors_freebsd_arm.gozerrors_freebsd_arm64.gozerrors_freebsd_riscv64.gozerrors_linux.gozerrors_linux_386.gozerrors_linux_amd64.gozerrors_linux_arm.gozerrors_linux_arm64.gozerrors_linux_loong64.gozerrors_linux_mips.gozerrors_linux_mips64.gozerrors_linux_mips64le.gozerrors_linux_mipsle.gozerrors_linux_ppc.gozerrors_linux_ppc64.gozerrors_linux_ppc64le.gozerrors_linux_riscv64.gozerrors_linux_s390x.gozerrors_linux_sparc64.gozerrors_netbsd_386.gozerrors_netbsd_amd64.gozerrors_netbsd_arm.gozerrors_netbsd_arm64.gozerrors_openbsd_386.gozerrors_openbsd_amd64.gozerrors_openbsd_arm.gozerrors_openbsd_arm64.gozerrors_openbsd_mips64.gozerrors_openbsd_ppc64.gozerrors_openbsd_riscv64.gozerrors_solaris_amd64.gozerrors_zos_s390x.gozptrace_armnn_linux.gozptrace_linux_arm64.gozptrace_mipsnn_linux.gozptrace_mipsnnle_linux.gozptrace_x86_linux.gozsymaddr_zos_s390x.szsyscall_aix_ppc.gozsyscall_aix_ppc64.gozsyscall_aix_ppc64_gc.gozsyscall_aix_ppc64_gccgo.gozsyscall_darwin_amd64.gozsyscall_darwin_amd64.szsyscall_darwin_arm64.gozsyscall_darwin_arm64.szsyscall_dragonfly_amd64.gozsyscall_freebsd_386.gozsyscall_freebsd_amd64.gozsyscall_freebsd_arm.gozsyscall_freebsd_arm64.gozsyscall_freebsd_riscv64.gozsyscall_illumos_amd64.gozsyscall_linux.gozsyscall_linux_386.gozsyscall_linux_amd64.gozsyscall_linux_arm.gozsyscall_linux_arm64.gozsyscall_linux_loong64.gozsyscall_linux_mips.gozsyscall_linux_mips64.gozsyscall_linux_mips64le.gozsyscall_linux_mipsle.gozsyscall_linux_ppc.gozsyscall_linux_ppc64.gozsyscall_linux_ppc64le.gozsyscall_linux_riscv64.gozsyscall_linux_s390x.gozsyscall_linux_sparc64.gozsyscall_netbsd_386.gozsyscall_netbsd_amd64.gozsyscall_netbsd_arm.gozsyscall_netbsd_arm64.gozsyscall_openbsd_386.gozsyscall_openbsd_386.szsyscall_openbsd_amd64.gozsyscall_openbsd_amd64.szsyscall_openbsd_arm.gozsyscall_openbsd_arm.szsyscall_openbsd_arm64.gozsyscall_openbsd_arm64.szsyscall_openbsd_mips64.gozsyscall_openbsd_mips64.szsyscall_openbsd_ppc64.gozsyscall_openbsd_ppc64.szsyscall_openbsd_riscv64.gozsyscall_openbsd_riscv64.szsyscall_solaris_amd64.gozsyscall_zos_s390x.gozsysctl_openbsd_386.gozsysctl_openbsd_amd64.gozsysctl_openbsd_arm.gozsysctl_openbsd_arm64.gozsysctl_openbsd_mips64.gozsysctl_openbsd_ppc64.gozsysctl_openbsd_riscv64.gozsysnum_darwin_amd64.gozsysnum_darwin_arm64.gozsysnum_dragonfly_amd64.gozsysnum_freebsd_386.gozsysnum_freebsd_amd64.gozsysnum_freebsd_arm.gozsysnum_freebsd_arm64.gozsysnum_freebsd_riscv64.gozsysnum_linux_386.gozsysnum_linux_amd64.gozsysnum_linux_arm.gozsysnum_linux_arm64.gozsysnum_linux_loong64.gozsysnum_linux_mips.gozsysnum_linux_mips64.gozsysnum_linux_mips64le.gozsysnum_linux_mipsle.gozsysnum_linux_ppc.gozsysnum_linux_ppc64.gozsysnum_linux_ppc64le.gozsysnum_linux_riscv64.gozsysnum_linux_s390x.gozsysnum_linux_sparc64.gozsysnum_netbsd_386.gozsysnum_netbsd_amd64.gozsysnum_netbsd_arm.gozsysnum_netbsd_arm64.gozsysnum_openbsd_386.gozsysnum_openbsd_amd64.gozsysnum_openbsd_arm.gozsysnum_openbsd_arm64.gozsysnum_openbsd_mips64.gozsysnum_openbsd_ppc64.gozsysnum_openbsd_riscv64.gozsysnum_zos_s390x.goztypes_aix_ppc.goztypes_aix_ppc64.goztypes_darwin_amd64.goztypes_darwin_arm64.goztypes_dragonfly_amd64.goztypes_freebsd_386.goztypes_freebsd_amd64.goztypes_freebsd_arm.goztypes_freebsd_arm64.goztypes_freebsd_riscv64.goztypes_linux.goztypes_linux_386.goztypes_linux_amd64.goztypes_linux_arm.goztypes_linux_arm64.goztypes_linux_loong64.goztypes_linux_mips.goztypes_linux_mips64.goztypes_linux_mips64le.goztypes_linux_mipsle.goztypes_linux_ppc.goztypes_linux_ppc64.goztypes_linux_ppc64le.goztypes_linux_riscv64.goztypes_linux_s390x.goztypes_linux_sparc64.goztypes_netbsd_386.goztypes_netbsd_amd64.goztypes_netbsd_arm.goztypes_netbsd_arm64.goztypes_openbsd_386.goztypes_openbsd_amd64.goztypes_openbsd_arm.goztypes_openbsd_arm64.goztypes_openbsd_mips64.goztypes_openbsd_ppc64.goztypes_openbsd_riscv64.goztypes_solaris_amd64.goztypes_zos_s390x.go
windows
aliases.godll_windows.goenv_windows.goeventlog.goexec_windows.gomemory_windows.gomkerrors.bashmkknownfolderids.bashmksyscall.gorace.gorace0.go
registry
security_windows.goservice.gosetupapi_windows.gostr.gosyscall.gosyscall_windows.gotypes_windows.gotypes_windows_386.gotypes_windows_amd64.gotypes_windows_arm.gotypes_windows_arm64.gozerrors_windows.gozknownfolderids_windows.gozsyscall_windows.goterm
CONTRIBUTING.mdLICENSEPATENTSREADME.mdcodereview.cfgterm.goterm_plan9.goterm_unix.goterm_unix_bsd.goterm_unix_other.goterm_unsupported.goterm_windows.goterminal.go
text
LICENSEPATENTS
cases
cases.gocontext.gofold.goicu.goinfo.gomap.gotables10.0.0.gotables11.0.0.gotables12.0.0.gotables13.0.0.gotables15.0.0.gotables9.0.0.gotrieval.go
internal
internal.go
language
match.gotag
language
secure
transform
unicode
bidi
bidi.gobracket.gocore.goprop.gotables10.0.0.gotables11.0.0.gotables12.0.0.gotables13.0.0.gotables15.0.0.gotables9.0.0.gotrieval.go
norm
width
time
google.golang.org
genproto
googleapis
grpc
AUTHORSCODE-OF-CONDUCT.mdCONTRIBUTING.mdGOVERNANCE.mdLICENSEMAINTAINERS.mdMakefileNOTICE.txtREADME.mdSECURITY.mdcall.gointerceptor.go
attributes
backoff.gobackoff
balancer
balancer_wrapper.gobinarylog
grpc_binarylog_v1
channelz
clientconn.gocodec.gocodes
connectivity
credentials
dialoptions.godoc.goencoding
grpclog
health
grpc_health_v1
internal
backoff
balancer
gracefulswitch
balancerload
binarylog
buffer
channelz
channel.gochannelmap.gofuncs.gologging.goserver.gosocket.gosubchannel.gosyscall_linux.gosyscall_nonlinux.gotrace.go
credentials
envconfig
experimental.gogrpclog
grpcsync
grpcutil
idle
internal.gometadata
pretty
resolver
serviceconfig
status
syscall
tcp_keepalive_others.gotcp_keepalive_unix.gotcp_keepalive_windows.gotransport
keepalive
metadata
peer
picker_wrapper.gopreloader.goregenerate.shresolver
resolver_wrapper.gorpc_util.goserver.goservice_config.goserviceconfig
shared_buffer_pool.gostats
status
stream.gostream_interfaces.gotap
trace.gotrace_notrace.gotrace_withtrace.goversion.goprotobuf
LICENSEPATENTS
encoding
protodelim
protojson
prototext
protowire
internal
descfmt
descopts
detrand
editiondefaults
encoding
defval
json
messageset
tag
text
errors
filedesc
filetype
flags
genid
any_gen.goapi_gen.godescriptor_gen.godoc.goduration_gen.goempty_gen.gofield_mask_gen.gogo_features_gen.gogoname.gomap_entry.gosource_context_gen.gostruct_gen.gotimestamp_gen.gotype_gen.gowrappers.gowrappers_gen.go
impl
api_export.gocheckinit.gocodec_extension.gocodec_field.gocodec_gen.gocodec_map.gocodec_map_go111.gocodec_map_go112.gocodec_message.gocodec_messageset.gocodec_reflect.gocodec_tables.gocodec_unsafe.goconvert.goconvert_list.goconvert_map.godecode.goencode.goenum.goextension.golegacy_enum.golegacy_export.golegacy_extension.golegacy_file.golegacy_message.gomerge.gomerge_gen.gomessage.gomessage_reflect.gomessage_reflect_field.gomessage_reflect_gen.gopointer_reflect.gopointer_unsafe.govalidate.goweak.go
order
pragma
set
strs
version
proto
checkinit.godecode.godecode_gen.godoc.goencode.goencode_gen.goequal.goextension.gomerge.gomessageset.goproto.goproto_methods.goproto_reflect.goreset.gosize.gosize_gen.gowrappers.go
protoadapt
reflect
protoreflect
methods.goproto.gosource.gosource_gen.gotype.govalue.govalue_equal.govalue_pure.govalue_union.govalue_unsafe_go120.govalue_unsafe_go121.go
protoregistry
runtime
types
known
anypb
durationpb
fieldmaskpb
structpb
timestamppb
wrapperspb
gopkg.in
warnings.v0
yaml.v2
.travis.ymlLICENSELICENSE.libyamlNOTICEREADME.mdapic.godecode.goemitterc.goencode.goparserc.goreaderc.goresolve.goscannerc.gosorter.gowriterc.goyaml.goyamlh.goyamlprivateh.go
yaml.v3
gotest.tools
v3
998
vendor/github.com/theupdateframework/notary/client/client.go
generated
vendored
Normal file
998
vendor/github.com/theupdateframework/notary/client/client.go
generated
vendored
Normal file
@ -0,0 +1,998 @@
|
||||
// Package client implements everything required for interacting with a Notary repository.
|
||||
package client
|
||||
|
||||
import (
|
||||
"bytes"
|
||||
"encoding/json"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/http"
|
||||
"os"
|
||||
"path/filepath"
|
||||
"time"
|
||||
|
||||
canonicaljson "github.com/docker/go/canonical/json"
|
||||
"github.com/sirupsen/logrus"
|
||||
"github.com/theupdateframework/notary"
|
||||
"github.com/theupdateframework/notary/client/changelist"
|
||||
"github.com/theupdateframework/notary/cryptoservice"
|
||||
store "github.com/theupdateframework/notary/storage"
|
||||
"github.com/theupdateframework/notary/trustpinning"
|
||||
"github.com/theupdateframework/notary/tuf"
|
||||
"github.com/theupdateframework/notary/tuf/data"
|
||||
"github.com/theupdateframework/notary/tuf/signed"
|
||||
"github.com/theupdateframework/notary/tuf/utils"
|
||||
)
|
||||
|
||||
const (
|
||||
tufDir = "tuf"
|
||||
|
||||
// SignWithAllOldVersions is a sentinel constant for LegacyVersions flag
|
||||
SignWithAllOldVersions = -1
|
||||
)
|
||||
|
||||
func init() {
|
||||
data.SetDefaultExpiryTimes(data.NotaryDefaultExpiries)
|
||||
}
|
||||
|
||||
// repository stores all the information needed to operate on a notary repository.
|
||||
type repository struct {
|
||||
gun data.GUN
|
||||
baseURL string
|
||||
changelist changelist.Changelist
|
||||
cache store.MetadataStore
|
||||
remoteStore store.RemoteStore
|
||||
cryptoService signed.CryptoService
|
||||
tufRepo *tuf.Repo
|
||||
invalid *tuf.Repo // known data that was parsable but deemed invalid
|
||||
roundTrip http.RoundTripper
|
||||
trustPinning trustpinning.TrustPinConfig
|
||||
LegacyVersions int // number of versions back to fetch roots to sign with
|
||||
}
|
||||
|
||||
// NewFileCachedRepository is a wrapper for NewRepository that initializes
|
||||
// a file cache from the provided repository, local config information and a crypto service.
|
||||
// It also retrieves the remote store associated to the base directory under where all the
|
||||
// trust files will be stored (This is normally defaults to "~/.notary" or "~/.docker/trust"
|
||||
// when enabling Docker content trust) and the specified GUN.
|
||||
//
|
||||
// In case of a nil RoundTripper, a default offline store is used instead.
|
||||
func NewFileCachedRepository(baseDir string, gun data.GUN, baseURL string, rt http.RoundTripper,
|
||||
retriever notary.PassRetriever, trustPinning trustpinning.TrustPinConfig) (Repository, error) {
|
||||
|
||||
cache, err := store.NewFileStore(
|
||||
filepath.Join(baseDir, tufDir, filepath.FromSlash(gun.String()), "metadata"),
|
||||
"json",
|
||||
)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
keyStores, err := getKeyStores(baseDir, retriever)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
cryptoService := cryptoservice.NewCryptoService(keyStores...)
|
||||
|
||||
remoteStore, err := getRemoteStore(baseURL, gun, rt)
|
||||
if err != nil {
|
||||
// baseURL is syntactically invalid
|
||||
return nil, err
|
||||
}
|
||||
|
||||
cl, err := changelist.NewFileChangelist(filepath.Join(
|
||||
filepath.Join(baseDir, tufDir, filepath.FromSlash(gun.String()), "changelist"),
|
||||
))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return NewRepository(gun, baseURL, remoteStore, cache, trustPinning, cryptoService, cl)
|
||||
}
|
||||
|
||||
// NewRepository is the base method that returns a new notary repository.
|
||||
// It expects an initialized cache. In case of a nil remote store, a default
|
||||
// offline store is used.
|
||||
func NewRepository(gun data.GUN, baseURL string, remoteStore store.RemoteStore, cache store.MetadataStore,
|
||||
trustPinning trustpinning.TrustPinConfig, cryptoService signed.CryptoService, cl changelist.Changelist) (Repository, error) {
|
||||
|
||||
// Repo's remote store is either a valid remote store or an OfflineStore
|
||||
if remoteStore == nil {
|
||||
remoteStore = store.OfflineStore{}
|
||||
}
|
||||
|
||||
if cache == nil {
|
||||
return nil, fmt.Errorf("got an invalid cache (nil metadata store)")
|
||||
}
|
||||
|
||||
nRepo := &repository{
|
||||
gun: gun,
|
||||
baseURL: baseURL,
|
||||
changelist: cl,
|
||||
cache: cache,
|
||||
remoteStore: remoteStore,
|
||||
cryptoService: cryptoService,
|
||||
trustPinning: trustPinning,
|
||||
LegacyVersions: 0, // By default, don't sign with legacy roles
|
||||
}
|
||||
|
||||
return nRepo, nil
|
||||
}
|
||||
|
||||
// GetGUN is a getter for the GUN object from a Repository
|
||||
func (r *repository) GetGUN() data.GUN {
|
||||
return r.gun
|
||||
}
|
||||
|
||||
func (r *repository) updateTUF(forWrite bool) error {
|
||||
repo, invalid, err := LoadTUFRepo(TUFLoadOptions{
|
||||
GUN: r.gun,
|
||||
TrustPinning: r.trustPinning,
|
||||
CryptoService: r.cryptoService,
|
||||
Cache: r.cache,
|
||||
RemoteStore: r.remoteStore,
|
||||
AlwaysCheckInitialized: forWrite,
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
r.tufRepo = repo
|
||||
r.invalid = invalid
|
||||
return nil
|
||||
}
|
||||
|
||||
// ListTargets calls update first before listing targets
|
||||
func (r *repository) ListTargets(roles ...data.RoleName) ([]*TargetWithRole, error) {
|
||||
if err := r.updateTUF(false); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return NewReadOnly(r.tufRepo).ListTargets(roles...)
|
||||
}
|
||||
|
||||
// GetTargetByName calls update first before getting target by name
|
||||
func (r *repository) GetTargetByName(name string, roles ...data.RoleName) (*TargetWithRole, error) {
|
||||
if err := r.updateTUF(false); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return NewReadOnly(r.tufRepo).GetTargetByName(name, roles...)
|
||||
}
|
||||
|
||||
// GetAllTargetMetadataByName calls update first before getting targets by name
|
||||
func (r *repository) GetAllTargetMetadataByName(name string) ([]TargetSignedStruct, error) {
|
||||
if err := r.updateTUF(false); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return NewReadOnly(r.tufRepo).GetAllTargetMetadataByName(name)
|
||||
|
||||
}
|
||||
|
||||
// ListRoles calls update first before getting roles
|
||||
func (r *repository) ListRoles() ([]RoleWithSignatures, error) {
|
||||
if err := r.updateTUF(false); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return NewReadOnly(r.tufRepo).ListRoles()
|
||||
}
|
||||
|
||||
// GetDelegationRoles calls update first before getting all delegation roles
|
||||
func (r *repository) GetDelegationRoles() ([]data.Role, error) {
|
||||
if err := r.updateTUF(false); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
return NewReadOnly(r.tufRepo).GetDelegationRoles()
|
||||
}
|
||||
|
||||
// NewTarget is a helper method that returns a Target
|
||||
func NewTarget(targetName, targetPath string, targetCustom *canonicaljson.RawMessage) (*Target, error) {
|
||||
b, err := ioutil.ReadFile(targetPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
meta, err := data.NewFileMeta(bytes.NewBuffer(b), data.NotaryDefaultHashes...)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return &Target{Name: targetName, Hashes: meta.Hashes, Length: meta.Length, Custom: targetCustom}, nil
|
||||
}
|
||||
|
||||
// rootCertKey generates the corresponding certificate for the private key given the privKey and repo's GUN
|
||||
func rootCertKey(gun data.GUN, privKey data.PrivateKey) (data.PublicKey, error) {
|
||||
// Hard-coded policy: the generated certificate expires in 10 years.
|
||||
startTime := time.Now()
|
||||
cert, err := cryptoservice.GenerateCertificate(
|
||||
privKey, gun, startTime, startTime.Add(notary.Year*10))
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
x509PublicKey := utils.CertToKey(cert)
|
||||
if x509PublicKey == nil {
|
||||
return nil, fmt.Errorf("cannot generate public key from private key with id: %v and algorithm: %v", privKey.ID(), privKey.Algorithm())
|
||||
}
|
||||
|
||||
return x509PublicKey, nil
|
||||
}
|
||||
|
||||
// GetCryptoService is the getter for the repository's CryptoService
|
||||
func (r *repository) GetCryptoService() signed.CryptoService {
|
||||
return r.cryptoService
|
||||
}
|
||||
|
||||
// initialize initializes the notary repository with a set of rootkeys, root certificates and roles.
|
||||
func (r *repository) initialize(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
|
||||
|
||||
// currently we only support server managing timestamps and snapshots, and
|
||||
// nothing else - timestamps are always managed by the server, and implicit
|
||||
// (do not have to be passed in as part of `serverManagedRoles`, so that
|
||||
// the API of Initialize doesn't change).
|
||||
var serverManagesSnapshot bool
|
||||
locallyManagedKeys := []data.RoleName{
|
||||
data.CanonicalTargetsRole,
|
||||
data.CanonicalSnapshotRole,
|
||||
// root is also locally managed, but that should have been created
|
||||
// already
|
||||
}
|
||||
remotelyManagedKeys := []data.RoleName{data.CanonicalTimestampRole}
|
||||
for _, role := range serverManagedRoles {
|
||||
switch role {
|
||||
case data.CanonicalTimestampRole:
|
||||
continue // timestamp is already in the right place
|
||||
case data.CanonicalSnapshotRole:
|
||||
// because we put Snapshot last
|
||||
locallyManagedKeys = []data.RoleName{data.CanonicalTargetsRole}
|
||||
remotelyManagedKeys = append(
|
||||
remotelyManagedKeys, data.CanonicalSnapshotRole)
|
||||
serverManagesSnapshot = true
|
||||
default:
|
||||
return ErrInvalidRemoteRole{Role: role}
|
||||
}
|
||||
}
|
||||
|
||||
// gets valid public keys corresponding to the rootKeyIDs or generate if necessary
|
||||
var publicKeys []data.PublicKey
|
||||
var err error
|
||||
if len(rootCerts) == 0 {
|
||||
publicKeys, err = r.createNewPublicKeyFromKeyIDs(rootKeyIDs)
|
||||
} else {
|
||||
publicKeys, err = r.publicKeysOfKeyIDs(rootKeyIDs, rootCerts)
|
||||
}
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
//initialize repo with public keys
|
||||
rootRole, targetsRole, snapshotRole, timestampRole, err := r.initializeRoles(
|
||||
publicKeys,
|
||||
locallyManagedKeys,
|
||||
remotelyManagedKeys,
|
||||
)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
r.tufRepo = tuf.NewRepo(r.GetCryptoService())
|
||||
|
||||
if err := r.tufRepo.InitRoot(
|
||||
rootRole,
|
||||
timestampRole,
|
||||
snapshotRole,
|
||||
targetsRole,
|
||||
false,
|
||||
); err != nil {
|
||||
logrus.Debug("Error on InitRoot: ", err.Error())
|
||||
return err
|
||||
}
|
||||
if _, err := r.tufRepo.InitTargets(data.CanonicalTargetsRole); err != nil {
|
||||
logrus.Debug("Error on InitTargets: ", err.Error())
|
||||
return err
|
||||
}
|
||||
if err := r.tufRepo.InitSnapshot(); err != nil {
|
||||
logrus.Debug("Error on InitSnapshot: ", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
return r.saveMetadata(serverManagesSnapshot)
|
||||
}
|
||||
|
||||
// createNewPublicKeyFromKeyIDs generates a set of public keys corresponding to the given list of
|
||||
// key IDs existing in the repository's CryptoService.
|
||||
// the public keys returned are ordered to correspond to the keyIDs
|
||||
func (r *repository) createNewPublicKeyFromKeyIDs(keyIDs []string) ([]data.PublicKey, error) {
|
||||
publicKeys := []data.PublicKey{}
|
||||
|
||||
privKeys, err := getAllPrivKeys(keyIDs, r.GetCryptoService())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for _, privKey := range privKeys {
|
||||
rootKey, err := rootCertKey(r.gun, privKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
publicKeys = append(publicKeys, rootKey)
|
||||
}
|
||||
return publicKeys, nil
|
||||
}
|
||||
|
||||
// publicKeysOfKeyIDs confirms that the public key and private keys (by Key IDs) forms valid, strictly ordered key pairs
|
||||
// (eg. keyIDs[0] must match pubKeys[0] and keyIDs[1] must match certs[1] and so on).
|
||||
// Or throw error when they mismatch.
|
||||
func (r *repository) publicKeysOfKeyIDs(keyIDs []string, pubKeys []data.PublicKey) ([]data.PublicKey, error) {
|
||||
if len(keyIDs) != len(pubKeys) {
|
||||
err := fmt.Errorf("require matching number of keyIDs and public keys but got %d IDs and %d public keys", len(keyIDs), len(pubKeys))
|
||||
return nil, err
|
||||
}
|
||||
|
||||
if err := matchKeyIdsWithPubKeys(r, keyIDs, pubKeys); err != nil {
|
||||
return nil, fmt.Errorf("could not obtain public key from IDs: %v", err)
|
||||
}
|
||||
return pubKeys, nil
|
||||
}
|
||||
|
||||
// matchKeyIdsWithPubKeys validates that the private keys (represented by their IDs) and the public keys
|
||||
// forms matching key pairs
|
||||
func matchKeyIdsWithPubKeys(r *repository, ids []string, pubKeys []data.PublicKey) error {
|
||||
for i := 0; i < len(ids); i++ {
|
||||
privKey, _, err := r.GetCryptoService().GetPrivateKey(ids[i])
|
||||
if err != nil {
|
||||
return fmt.Errorf("could not get the private key matching id %v: %v", ids[i], err)
|
||||
}
|
||||
|
||||
pubKey := pubKeys[i]
|
||||
err = signed.VerifyPublicKeyMatchesPrivateKey(privKey, pubKey)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Initialize creates a new repository by using rootKey as the root Key for the
|
||||
// TUF repository. The server must be reachable (and is asked to generate a
|
||||
// timestamp key and possibly other serverManagedRoles), but the created repository
|
||||
// result is only stored on local disk, not published to the server. To do that,
|
||||
// use r.Publish() eventually.
|
||||
func (r *repository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
|
||||
return r.initialize(rootKeyIDs, nil, serverManagedRoles...)
|
||||
}
|
||||
|
||||
type errKeyNotFound struct{}
|
||||
|
||||
func (errKeyNotFound) Error() string {
|
||||
return fmt.Sprintf("cannot find matching private key id")
|
||||
}
|
||||
|
||||
// keyExistsInList returns the id of the private key in ids that matches the public key
|
||||
// otherwise return empty string
|
||||
func keyExistsInList(cert data.PublicKey, ids map[string]bool) error {
|
||||
pubKeyID, err := utils.CanonicalKeyID(cert)
|
||||
if err != nil {
|
||||
return fmt.Errorf("failed to obtain the public key id from the given certificate: %v", err)
|
||||
}
|
||||
if _, ok := ids[pubKeyID]; ok {
|
||||
return nil
|
||||
}
|
||||
return errKeyNotFound{}
|
||||
}
|
||||
|
||||
// InitializeWithCertificate initializes the repository with root keys and their corresponding certificates
|
||||
func (r *repository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey,
|
||||
serverManagedRoles ...data.RoleName) error {
|
||||
|
||||
// If we explicitly pass in certificate(s) but not key, then look keys up using certificate
|
||||
if len(rootKeyIDs) == 0 && len(rootCerts) != 0 {
|
||||
rootKeyIDs = []string{}
|
||||
availableRootKeyIDs := make(map[string]bool)
|
||||
for _, k := range r.GetCryptoService().ListKeys(data.CanonicalRootRole) {
|
||||
availableRootKeyIDs[k] = true
|
||||
}
|
||||
|
||||
for _, cert := range rootCerts {
|
||||
if err := keyExistsInList(cert, availableRootKeyIDs); err != nil {
|
||||
return fmt.Errorf("error initializing repository with certificate: %v", err)
|
||||
}
|
||||
keyID, _ := utils.CanonicalKeyID(cert)
|
||||
rootKeyIDs = append(rootKeyIDs, keyID)
|
||||
}
|
||||
}
|
||||
return r.initialize(rootKeyIDs, rootCerts, serverManagedRoles...)
|
||||
}
|
||||
|
||||
func (r *repository) initializeRoles(rootKeys []data.PublicKey, localRoles, remoteRoles []data.RoleName) (
|
||||
root, targets, snapshot, timestamp data.BaseRole, err error) {
|
||||
root = data.NewBaseRole(
|
||||
data.CanonicalRootRole,
|
||||
notary.MinThreshold,
|
||||
rootKeys...,
|
||||
)
|
||||
|
||||
// we want to create all the local keys first so we don't have to
|
||||
// make unnecessary network calls
|
||||
for _, role := range localRoles {
|
||||
// This is currently hardcoding the keys to ECDSA.
|
||||
var key data.PublicKey
|
||||
key, err = r.GetCryptoService().Create(role, r.gun, data.ECDSAKey)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
switch role {
|
||||
case data.CanonicalSnapshotRole:
|
||||
snapshot = data.NewBaseRole(
|
||||
role,
|
||||
notary.MinThreshold,
|
||||
key,
|
||||
)
|
||||
case data.CanonicalTargetsRole:
|
||||
targets = data.NewBaseRole(
|
||||
role,
|
||||
notary.MinThreshold,
|
||||
key,
|
||||
)
|
||||
}
|
||||
}
|
||||
|
||||
remote := r.getRemoteStore()
|
||||
|
||||
for _, role := range remoteRoles {
|
||||
// This key is generated by the remote server.
|
||||
var key data.PublicKey
|
||||
key, err = getRemoteKey(role, remote)
|
||||
if err != nil {
|
||||
return
|
||||
}
|
||||
logrus.Debugf("got remote %s %s key with keyID: %s",
|
||||
role, key.Algorithm(), key.ID())
|
||||
switch role {
|
||||
case data.CanonicalSnapshotRole:
|
||||
snapshot = data.NewBaseRole(
|
||||
role,
|
||||
notary.MinThreshold,
|
||||
key,
|
||||
)
|
||||
case data.CanonicalTimestampRole:
|
||||
timestamp = data.NewBaseRole(
|
||||
role,
|
||||
notary.MinThreshold,
|
||||
key,
|
||||
)
|
||||
}
|
||||
}
|
||||
return root, targets, snapshot, timestamp, nil
|
||||
}
|
||||
|
||||
// adds a TUF Change template to the given roles
|
||||
func addChange(cl changelist.Changelist, c changelist.Change, roles ...data.RoleName) error {
|
||||
if len(roles) == 0 {
|
||||
roles = []data.RoleName{data.CanonicalTargetsRole}
|
||||
}
|
||||
|
||||
var changes []changelist.Change
|
||||
for _, role := range roles {
|
||||
// Ensure we can only add targets to the CanonicalTargetsRole,
|
||||
// or a Delegation role (which is <CanonicalTargetsRole>/something else)
|
||||
if role != data.CanonicalTargetsRole && !data.IsDelegation(role) && !data.IsWildDelegation(role) {
|
||||
return data.ErrInvalidRole{
|
||||
Role: role,
|
||||
Reason: "cannot add targets to this role",
|
||||
}
|
||||
}
|
||||
|
||||
changes = append(changes, changelist.NewTUFChange(
|
||||
c.Action(),
|
||||
role,
|
||||
c.Type(),
|
||||
c.Path(),
|
||||
c.Content(),
|
||||
))
|
||||
}
|
||||
|
||||
for _, c := range changes {
|
||||
if err := cl.Add(c); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// AddTarget creates new changelist entries to add a target to the given roles
|
||||
// in the repository when the changelist gets applied at publish time.
|
||||
// If roles are unspecified, the default role is "targets"
|
||||
func (r *repository) AddTarget(target *Target, roles ...data.RoleName) error {
|
||||
if len(target.Hashes) == 0 {
|
||||
return fmt.Errorf("no hashes specified for target \"%s\"", target.Name)
|
||||
}
|
||||
logrus.Debugf("Adding target \"%s\" with sha256 \"%x\" and size %d bytes.\n", target.Name, target.Hashes["sha256"], target.Length)
|
||||
|
||||
meta := data.FileMeta{Length: target.Length, Hashes: target.Hashes, Custom: target.Custom}
|
||||
metaJSON, err := json.Marshal(meta)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
template := changelist.NewTUFChange(
|
||||
changelist.ActionCreate, "", changelist.TypeTargetsTarget,
|
||||
target.Name, metaJSON)
|
||||
return addChange(r.changelist, template, roles...)
|
||||
}
|
||||
|
||||
// RemoveTarget creates new changelist entries to remove a target from the given
|
||||
// roles in the repository when the changelist gets applied at publish time.
|
||||
// If roles are unspecified, the default role is "target".
|
||||
func (r *repository) RemoveTarget(targetName string, roles ...data.RoleName) error {
|
||||
logrus.Debugf("Removing target \"%s\"", targetName)
|
||||
template := changelist.NewTUFChange(changelist.ActionDelete, "",
|
||||
changelist.TypeTargetsTarget, targetName, nil)
|
||||
return addChange(r.changelist, template, roles...)
|
||||
}
|
||||
|
||||
// GetChangelist returns the list of the repository's unpublished changes
|
||||
func (r *repository) GetChangelist() (changelist.Changelist, error) {
|
||||
return r.changelist, nil
|
||||
}
|
||||
|
||||
// getRemoteStore returns the remoteStore of a repository if valid or
|
||||
// or an OfflineStore otherwise
|
||||
func (r *repository) getRemoteStore() store.RemoteStore {
|
||||
if r.remoteStore != nil {
|
||||
return r.remoteStore
|
||||
}
|
||||
|
||||
r.remoteStore = &store.OfflineStore{}
|
||||
|
||||
return r.remoteStore
|
||||
}
|
||||
|
||||
// Publish pushes the local changes in signed material to the remote notary-server
|
||||
// Conceptually it performs an operation similar to a `git rebase`
|
||||
func (r *repository) Publish() error {
|
||||
if err := r.publish(r.changelist); err != nil {
|
||||
return err
|
||||
}
|
||||
if err := r.changelist.Clear(""); err != nil {
|
||||
// This is not a critical problem when only a single host is pushing
|
||||
// but will cause weird behaviour if changelist cleanup is failing
|
||||
// and there are multiple hosts writing to the repo.
|
||||
logrus.Warn("Unable to clear changelist. You may want to manually delete the folder ", r.changelist.Location())
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// publish pushes the changes in the given changelist to the remote notary-server
|
||||
// Conceptually it performs an operation similar to a `git rebase`
|
||||
func (r *repository) publish(cl changelist.Changelist) error {
|
||||
var initialPublish bool
|
||||
// update first before publishing
|
||||
if err := r.updateTUF(true); err != nil {
|
||||
// If the remote is not aware of the repo, then this is being published
|
||||
// for the first time. Try to initialize the repository before publishing.
|
||||
if _, ok := err.(ErrRepositoryNotExist); ok {
|
||||
err := r.bootstrapRepo()
|
||||
if _, ok := err.(store.ErrMetaNotFound); ok {
|
||||
logrus.Infof("No TUF data found locally or remotely - initializing repository %s for the first time", r.gun.String())
|
||||
err = r.Initialize(nil)
|
||||
}
|
||||
|
||||
if err != nil {
|
||||
logrus.WithError(err).Debugf("Unable to load or initialize repository during first publish: %s", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
// Ensure we will push the initial root and targets file. Either or
|
||||
// both of the root and targets may not be marked as Dirty, since
|
||||
// there may not be any changes that update them, so use a
|
||||
// different boolean.
|
||||
initialPublish = true
|
||||
} else {
|
||||
// We could not update, so we cannot publish.
|
||||
logrus.Error("Could not publish Repository since we could not update: ", err.Error())
|
||||
return err
|
||||
}
|
||||
}
|
||||
// apply the changelist to the repo
|
||||
if err := applyChangelist(r.tufRepo, r.invalid, cl); err != nil {
|
||||
logrus.Debug("Error applying changelist")
|
||||
return err
|
||||
}
|
||||
|
||||
// these are the TUF files we will need to update, serialized as JSON before
|
||||
// we send anything to remote
|
||||
updatedFiles := make(map[data.RoleName][]byte)
|
||||
|
||||
// Fetch old keys to support old clients
|
||||
legacyKeys, err := r.oldKeysForLegacyClientSupport(r.LegacyVersions, initialPublish)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// check if our root file is nearing expiry or dirty. Resign if it is. If
|
||||
// root is not dirty but we are publishing for the first time, then just
|
||||
// publish the existing root we have.
|
||||
if err := signRootIfNecessary(updatedFiles, r.tufRepo, legacyKeys, initialPublish); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if err := signTargets(updatedFiles, r.tufRepo, initialPublish); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
// if we initialized the repo while designating the server as the snapshot
|
||||
// signer, then there won't be a snapshots file. However, we might now
|
||||
// have a local key (if there was a rotation), so initialize one.
|
||||
if r.tufRepo.Snapshot == nil {
|
||||
if err := r.tufRepo.InitSnapshot(); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
if snapshotJSON, err := serializeCanonicalRole(
|
||||
r.tufRepo, data.CanonicalSnapshotRole, nil); err == nil {
|
||||
// Only update the snapshot if we've successfully signed it.
|
||||
updatedFiles[data.CanonicalSnapshotRole] = snapshotJSON
|
||||
} else if signErr, ok := err.(signed.ErrInsufficientSignatures); ok && signErr.FoundKeys == 0 {
|
||||
// If signing fails due to us not having the snapshot key, then
|
||||
// assume the server is going to sign, and do not include any snapshot
|
||||
// data.
|
||||
logrus.Debugf("Client does not have the key to sign snapshot. " +
|
||||
"Assuming that server should sign the snapshot.")
|
||||
} else {
|
||||
logrus.Debugf("Client was unable to sign the snapshot: %s", err.Error())
|
||||
return err
|
||||
}
|
||||
|
||||
remote := r.getRemoteStore()
|
||||
|
||||
return remote.SetMulti(data.MetadataRoleMapToStringMap(updatedFiles))
|
||||
}
|
||||
|
||||
func signRootIfNecessary(updates map[data.RoleName][]byte, repo *tuf.Repo, extraSigningKeys data.KeyList, initialPublish bool) error {
|
||||
if len(extraSigningKeys) > 0 {
|
||||
repo.Root.Dirty = true
|
||||
}
|
||||
if nearExpiry(repo.Root.Signed.SignedCommon) || repo.Root.Dirty {
|
||||
rootJSON, err := serializeCanonicalRole(repo, data.CanonicalRootRole, extraSigningKeys)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
updates[data.CanonicalRootRole] = rootJSON
|
||||
} else if initialPublish {
|
||||
rootJSON, err := repo.Root.MarshalJSON()
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
updates[data.CanonicalRootRole] = rootJSON
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// Fetch back a `legacyVersions` number of roots files, collect the root public keys
|
||||
// This includes old `root` roles as well as legacy versioned root roles, e.g. `1.root`
|
||||
func (r *repository) oldKeysForLegacyClientSupport(legacyVersions int, initialPublish bool) (data.KeyList, error) {
|
||||
if initialPublish {
|
||||
return nil, nil
|
||||
}
|
||||
|
||||
var oldestVersion int
|
||||
prevVersion := r.tufRepo.Root.Signed.Version
|
||||
|
||||
if legacyVersions == SignWithAllOldVersions {
|
||||
oldestVersion = 1
|
||||
} else {
|
||||
oldestVersion = r.tufRepo.Root.Signed.Version - legacyVersions
|
||||
}
|
||||
|
||||
if oldestVersion < 1 {
|
||||
oldestVersion = 1
|
||||
}
|
||||
|
||||
if prevVersion <= 1 || oldestVersion == prevVersion {
|
||||
return nil, nil
|
||||
}
|
||||
oldKeys := make(map[string]data.PublicKey)
|
||||
|
||||
c, err := bootstrapClient(TUFLoadOptions{
|
||||
GUN: r.gun,
|
||||
TrustPinning: r.trustPinning,
|
||||
CryptoService: r.cryptoService,
|
||||
Cache: r.cache,
|
||||
RemoteStore: r.remoteStore,
|
||||
AlwaysCheckInitialized: true,
|
||||
})
|
||||
// require a server connection to fetch old roots
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
for v := prevVersion; v >= oldestVersion; v-- {
|
||||
logrus.Debugf("fetching old keys from version %d", v)
|
||||
// fetch old root version
|
||||
versionedRole := fmt.Sprintf("%d.%s", v, data.CanonicalRootRole.String())
|
||||
|
||||
raw, err := c.remote.GetSized(versionedRole, -1)
|
||||
if err != nil {
|
||||
logrus.Debugf("error downloading %s: %s", versionedRole, err)
|
||||
continue
|
||||
}
|
||||
|
||||
signedOldRoot := &data.Signed{}
|
||||
if err := json.Unmarshal(raw, signedOldRoot); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
oldRootVersion, err := data.RootFromSigned(signedOldRoot)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
// extract legacy versioned root keys
|
||||
oldRootVersionKeys := getOldRootPublicKeys(oldRootVersion)
|
||||
for _, oldKey := range oldRootVersionKeys {
|
||||
oldKeys[oldKey.ID()] = oldKey
|
||||
}
|
||||
}
|
||||
oldKeyList := make(data.KeyList, 0, len(oldKeys))
|
||||
for _, key := range oldKeys {
|
||||
oldKeyList = append(oldKeyList, key)
|
||||
}
|
||||
return oldKeyList, nil
|
||||
}
|
||||
|
||||
// get all the saved previous roles keys < the current root version
|
||||
func getOldRootPublicKeys(root *data.SignedRoot) data.KeyList {
|
||||
rootRole, err := root.BuildBaseRole(data.CanonicalRootRole)
|
||||
if err != nil {
|
||||
return nil
|
||||
}
|
||||
return rootRole.ListKeys()
|
||||
}
|
||||
|
||||
func signTargets(updates map[data.RoleName][]byte, repo *tuf.Repo, initialPublish bool) error {
|
||||
// iterate through all the targets files - if they are dirty, sign and update
|
||||
for roleName, roleObj := range repo.Targets {
|
||||
if roleObj.Dirty || (roleName == data.CanonicalTargetsRole && initialPublish) {
|
||||
targetsJSON, err := serializeCanonicalRole(repo, roleName, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
updates[roleName] = targetsJSON
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// bootstrapRepo loads the repository from the local file system (i.e.
|
||||
// a not yet published repo or a possibly obsolete local copy) into
|
||||
// r.tufRepo. This attempts to load metadata for all roles. Since server
|
||||
// snapshots are supported, if the snapshot metadata fails to load, that's ok.
|
||||
// This assumes that bootstrapRepo is only used by Publish() or RotateKey()
|
||||
func (r *repository) bootstrapRepo() error {
|
||||
b := tuf.NewRepoBuilder(r.gun, r.GetCryptoService(), r.trustPinning)
|
||||
|
||||
logrus.Debugf("Loading trusted collection.")
|
||||
|
||||
for _, role := range data.BaseRoles {
|
||||
jsonBytes, err := r.cache.GetSized(role.String(), store.NoSizeLimit)
|
||||
if err != nil {
|
||||
if _, ok := err.(store.ErrMetaNotFound); ok &&
|
||||
// server snapshots are supported, and server timestamp management
|
||||
// is required, so if either of these fail to load that's ok - especially
|
||||
// if the repo is new
|
||||
role == data.CanonicalSnapshotRole || role == data.CanonicalTimestampRole {
|
||||
continue
|
||||
}
|
||||
return err
|
||||
}
|
||||
if err := b.Load(role, jsonBytes, 1, true); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
|
||||
tufRepo, _, err := b.Finish()
|
||||
if err == nil {
|
||||
r.tufRepo = tufRepo
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// saveMetadata saves contents of r.tufRepo onto the local disk, creating
|
||||
// signatures as necessary, possibly prompting for passphrases.
|
||||
func (r *repository) saveMetadata(ignoreSnapshot bool) error {
|
||||
logrus.Debugf("Saving changes to Trusted Collection.")
|
||||
|
||||
rootJSON, err := serializeCanonicalRole(r.tufRepo, data.CanonicalRootRole, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
err = r.cache.Set(data.CanonicalRootRole.String(), rootJSON)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
targetsToSave := make(map[data.RoleName][]byte)
|
||||
for t := range r.tufRepo.Targets {
|
||||
signedTargets, err := r.tufRepo.SignTargets(t, data.DefaultExpires(data.CanonicalTargetsRole))
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
targetsJSON, err := json.Marshal(signedTargets)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
targetsToSave[t] = targetsJSON
|
||||
}
|
||||
|
||||
for role, blob := range targetsToSave {
|
||||
// If the parent directory does not exist, the cache.Set will create it
|
||||
r.cache.Set(role.String(), blob)
|
||||
}
|
||||
|
||||
if ignoreSnapshot {
|
||||
return nil
|
||||
}
|
||||
|
||||
snapshotJSON, err := serializeCanonicalRole(r.tufRepo, data.CanonicalSnapshotRole, nil)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return r.cache.Set(data.CanonicalSnapshotRole.String(), snapshotJSON)
|
||||
}
|
||||
|
||||
// RotateKey removes all existing keys associated with the role. If no keys are
|
||||
// specified in keyList, then this creates and adds one new key or delegates
|
||||
// managing the key to the server. If key(s) are specified by keyList, then they are
|
||||
// used for signing the role.
|
||||
// These changes are staged in a changelist until publish is called.
|
||||
func (r *repository) RotateKey(role data.RoleName, serverManagesKey bool, keyList []string) error {
|
||||
if err := checkRotationInput(role, serverManagesKey); err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
pubKeyList, err := r.pubKeyListForRotation(role, serverManagesKey, keyList)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
cl := changelist.NewMemChangelist()
|
||||
if err := r.rootFileKeyChange(cl, role, changelist.ActionCreate, pubKeyList); err != nil {
|
||||
return err
|
||||
}
|
||||
return r.publish(cl)
|
||||
}
|
||||
|
||||
// Given a set of new keys to rotate to and a set of keys to drop, returns the list of current keys to use
|
||||
func (r *repository) pubKeyListForRotation(role data.RoleName, serverManaged bool, newKeys []string) (pubKeyList data.KeyList, err error) {
|
||||
var pubKey data.PublicKey
|
||||
|
||||
// If server manages the key being rotated, request a rotation and return the new key
|
||||
if serverManaged {
|
||||
remote := r.getRemoteStore()
|
||||
pubKey, err = rotateRemoteKey(role, remote)
|
||||
pubKeyList = make(data.KeyList, 0, 1)
|
||||
pubKeyList = append(pubKeyList, pubKey)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to rotate remote key: %s", err)
|
||||
}
|
||||
return pubKeyList, nil
|
||||
}
|
||||
|
||||
// If no new keys are passed in, we generate one
|
||||
if len(newKeys) == 0 {
|
||||
pubKeyList = make(data.KeyList, 0, 1)
|
||||
pubKey, err = r.GetCryptoService().Create(role, r.gun, data.ECDSAKey)
|
||||
pubKeyList = append(pubKeyList, pubKey)
|
||||
}
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("unable to generate key: %s", err)
|
||||
}
|
||||
|
||||
// If a list of keys to rotate to are provided, we add those
|
||||
if len(newKeys) > 0 {
|
||||
pubKeyList = make(data.KeyList, 0, len(newKeys))
|
||||
for _, keyID := range newKeys {
|
||||
pubKey = r.GetCryptoService().GetKey(keyID)
|
||||
if pubKey == nil {
|
||||
return nil, fmt.Errorf("unable to find key: %s", keyID)
|
||||
}
|
||||
pubKeyList = append(pubKeyList, pubKey)
|
||||
}
|
||||
}
|
||||
|
||||
// Convert to certs (for root keys)
|
||||
if pubKeyList, err = r.pubKeysToCerts(role, pubKeyList); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
|
||||
return pubKeyList, nil
|
||||
}
|
||||
|
||||
func (r *repository) pubKeysToCerts(role data.RoleName, pubKeyList data.KeyList) (data.KeyList, error) {
|
||||
// only generate certs for root keys
|
||||
if role != data.CanonicalRootRole {
|
||||
return pubKeyList, nil
|
||||
}
|
||||
|
||||
for i, pubKey := range pubKeyList {
|
||||
privKey, loadedRole, err := r.GetCryptoService().GetPrivateKey(pubKey.ID())
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if loadedRole != role {
|
||||
return nil, fmt.Errorf("attempted to load root key but given %s key instead", loadedRole)
|
||||
}
|
||||
pubKey, err = rootCertKey(r.gun, privKey)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
pubKeyList[i] = pubKey
|
||||
}
|
||||
return pubKeyList, nil
|
||||
}
|
||||
|
||||
func checkRotationInput(role data.RoleName, serverManaged bool) error {
|
||||
// We currently support remotely managing timestamp and snapshot keys
|
||||
canBeRemoteKey := role == data.CanonicalTimestampRole || role == data.CanonicalSnapshotRole
|
||||
// And locally managing root, targets, and snapshot keys
|
||||
canBeLocalKey := role == data.CanonicalSnapshotRole || role == data.CanonicalTargetsRole ||
|
||||
role == data.CanonicalRootRole
|
||||
|
||||
switch {
|
||||
case !data.ValidRole(role) || data.IsDelegation(role):
|
||||
return fmt.Errorf("notary does not currently permit rotating the %s key", role)
|
||||
case serverManaged && !canBeRemoteKey:
|
||||
return ErrInvalidRemoteRole{Role: role}
|
||||
case !serverManaged && !canBeLocalKey:
|
||||
return ErrInvalidLocalRole{Role: role}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
func (r *repository) rootFileKeyChange(cl changelist.Changelist, role data.RoleName, action string, keyList []data.PublicKey) error {
|
||||
meta := changelist.TUFRootData{
|
||||
RoleName: role,
|
||||
Keys: keyList,
|
||||
}
|
||||
metaJSON, err := json.Marshal(meta)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
c := changelist.NewTUFChange(
|
||||
action,
|
||||
changelist.ScopeRoot,
|
||||
changelist.TypeBaseRole,
|
||||
role.String(),
|
||||
metaJSON,
|
||||
)
|
||||
return cl.Add(c)
|
||||
}
|
||||
|
||||
// DeleteTrustData removes the trust data stored for this repo in the TUF cache on the client side
|
||||
// Note that we will not delete any private key material from local storage
|
||||
func DeleteTrustData(baseDir string, gun data.GUN, URL string, rt http.RoundTripper, deleteRemote bool) error {
|
||||
localRepo := filepath.Join(baseDir, tufDir, filepath.FromSlash(gun.String()))
|
||||
// Remove the tufRepoPath directory, which includes local TUF metadata files and changelist information
|
||||
if err := os.RemoveAll(localRepo); err != nil {
|
||||
return fmt.Errorf("error clearing TUF repo data: %v", err)
|
||||
}
|
||||
// Note that this will require admin permission for the gun in the roundtripper
|
||||
if deleteRemote {
|
||||
remote, err := getRemoteStore(URL, gun, rt)
|
||||
if err != nil {
|
||||
logrus.Errorf("unable to instantiate a remote store: %v", err)
|
||||
return err
|
||||
}
|
||||
if err := remote.RemoveAll(); err != nil {
|
||||
return err
|
||||
}
|
||||
}
|
||||
return nil
|
||||
}
|
||||
|
||||
// SetLegacyVersions allows the number of legacy versions of the root
|
||||
// to be inspected for old signing keys to be configured.
|
||||
func (r *repository) SetLegacyVersions(n int) {
|
||||
r.LegacyVersions = n
|
||||
}
|
Reference in New Issue
Block a user