github.1git.de/docker/cli@v26.1.3+incompatible/cli/command/trust/signer_add.go

github.1git.de/docker/cli@v26.1.3+incompatible/cli/command/trust/signer_add.go (about)

     1  package trust
     2  
     3  import (
     4  	"context"
     5  	"fmt"
     6  	"io"
     7  	"os"
     8  	"path"
     9  	"regexp"
    10  	"strings"
    11  
    12  	"github.com/docker/cli/cli"
    13  	"github.com/docker/cli/cli/command"
    14  	"github.com/docker/cli/cli/command/image"
    15  	"github.com/docker/cli/cli/trust"
    16  	"github.com/docker/cli/opts"
    17  	"github.com/pkg/errors"
    18  	"github.com/spf13/cobra"
    19  	"github.com/theupdateframework/notary/client"
    20  	"github.com/theupdateframework/notary/tuf/data"
    21  	tufutils "github.com/theupdateframework/notary/tuf/utils"
    22  )
    23  
    24  type signerAddOptions struct {
    25  	keys   opts.ListOpts
    26  	signer string
    27  	repos  []string
    28  }
    29  
    30  func newSignerAddCommand(dockerCLI command.Cli) *cobra.Command {
    31  	var options signerAddOptions
    32  	cmd := &cobra.Command{
    33  		Use:   "add OPTIONS NAME REPOSITORY [REPOSITORY...] ",
    34  		Short: "Add a signer",
    35  		Args:  cli.RequiresMinArgs(2),
    36  		RunE: func(cmd *cobra.Command, args []string) error {
    37  			options.signer = args[0]
    38  			options.repos = args[1:]
    39  			return addSigner(cmd.Context(), dockerCLI, options)
    40  		},
    41  	}
    42  	flags := cmd.Flags()
    43  	options.keys = opts.NewListOpts(nil)
    44  	flags.Var(&options.keys, "key", "Path to the signer's public key file")
    45  	return cmd
    46  }
    47  
    48  var validSignerName = regexp.MustCompile(`^[a-z0-9][a-z0-9\_\-]*$`).MatchString
    49  
    50  func addSigner(ctx context.Context, dockerCLI command.Cli, options signerAddOptions) error {
    51  	signerName := options.signer
    52  	if !validSignerName(signerName) {
    53  		return fmt.Errorf("signer name \"%s\" must start with lowercase alphanumeric characters and can include \"-\" or \"_\" after the first character", signerName)
    54  	}
    55  	if signerName == "releases" {
    56  		return fmt.Errorf("releases is a reserved keyword, please use a different signer name")
    57  	}
    58  
    59  	if options.keys.Len() == 0 {
    60  		return fmt.Errorf("path to a public key must be provided using the `--key` flag")
    61  	}
    62  	signerPubKeys, err := ingestPublicKeys(options.keys.GetAll())
    63  	if err != nil {
    64  		return err
    65  	}
    66  	var errRepos []string
    67  	for _, repoName := range options.repos {
    68  		fmt.Fprintf(dockerCLI.Out(), "Adding signer \"%s\" to %s...\n", signerName, repoName)
    69  		if err := addSignerToRepo(ctx, dockerCLI, signerName, repoName, signerPubKeys); err != nil {
    70  			fmt.Fprintln(dockerCLI.Err(), err.Error()+"\n")
    71  			errRepos = append(errRepos, repoName)
    72  		} else {
    73  			fmt.Fprintf(dockerCLI.Out(), "Successfully added signer: %s to %s\n\n", signerName, repoName)
    74  		}
    75  	}
    76  	if len(errRepos) > 0 {
    77  		return fmt.Errorf("failed to add signer to: %s", strings.Join(errRepos, ", "))
    78  	}
    79  	return nil
    80  }
    81  
    82  func addSignerToRepo(ctx context.Context, dockerCLI command.Cli, signerName string, repoName string, signerPubKeys []data.PublicKey) error {
    83  	imgRefAndAuth, err := trust.GetImageReferencesAndAuth(ctx, image.AuthResolver(dockerCLI), repoName)
    84  	if err != nil {
    85  		return err
    86  	}
    87  
    88  	notaryRepo, err := dockerCLI.NotaryClient(imgRefAndAuth, trust.ActionsPushAndPull)
    89  	if err != nil {
    90  		return trust.NotaryError(imgRefAndAuth.Reference().Name(), err)
    91  	}
    92  
    93  	if _, err = notaryRepo.ListTargets(); err != nil {
    94  		switch err.(type) {
    95  		case client.ErrRepoNotInitialized, client.ErrRepositoryNotExist:
    96  			fmt.Fprintf(dockerCLI.Out(), "Initializing signed repository for %s...\n", repoName)
    97  			if err := getOrGenerateRootKeyAndInitRepo(notaryRepo); err != nil {
    98  				return trust.NotaryError(repoName, err)
    99  			}
   100  			fmt.Fprintf(dockerCLI.Out(), "Successfully initialized %q\n", repoName)
   101  		default:
   102  			return trust.NotaryError(repoName, err)
   103  		}
   104  	}
   105  
   106  	newSignerRoleName := data.RoleName(path.Join(data.CanonicalTargetsRole.String(), signerName))
   107  
   108  	if err := addStagedSigner(notaryRepo, newSignerRoleName, signerPubKeys); err != nil {
   109  		return errors.Wrapf(err, "could not add signer to repo: %s", strings.TrimPrefix(newSignerRoleName.String(), "targets/"))
   110  	}
   111  
   112  	return notaryRepo.Publish()
   113  }
   114  
   115  func ingestPublicKeys(pubKeyPaths []string) ([]data.PublicKey, error) {
   116  	pubKeys := []data.PublicKey{}
   117  	for _, pubKeyPath := range pubKeyPaths {
   118  		// Read public key bytes from PEM file, limit to 1 KiB
   119  		pubKeyFile, err := os.OpenFile(pubKeyPath, os.O_RDONLY, 0o666)
   120  		if err != nil {
   121  			return nil, errors.Wrap(err, "unable to read public key from file")
   122  		}
   123  		defer pubKeyFile.Close()
   124  		// limit to
   125  		l := io.LimitReader(pubKeyFile, 1<<20)
   126  		pubKeyBytes, err := io.ReadAll(l)
   127  		if err != nil {
   128  			return nil, errors.Wrap(err, "unable to read public key from file")
   129  		}
   130  
   131  		// Parse PEM bytes into type PublicKey
   132  		pubKey, err := tufutils.ParsePEMPublicKey(pubKeyBytes)
   133  		if err != nil {
   134  			return nil, errors.Wrapf(err, "could not parse public key from file: %s", pubKeyPath)
   135  		}
   136  		pubKeys = append(pubKeys, pubKey)
   137  	}
   138  	return pubKeys, nil
   139  }