github.com/hanks177/podman/v4@v4.1.3-0.20220613032544-16d90015bc83/pkg/domain/infra/abi/trust.go (about) 1 package abi 2 3 import ( 4 "context" 5 "encoding/json" 6 "io/ioutil" 7 "os" 8 "strings" 9 10 "github.com/hanks177/podman/v4/pkg/domain/entities" 11 "github.com/hanks177/podman/v4/pkg/trust" 12 "github.com/pkg/errors" 13 "github.com/sirupsen/logrus" 14 ) 15 16 func (ir *ImageEngine) ShowTrust(ctx context.Context, args []string, options entities.ShowTrustOptions) (*entities.ShowTrustReport, error) { 17 var ( 18 err error 19 report entities.ShowTrustReport 20 ) 21 policyPath := trust.DefaultPolicyPath(ir.Libpod.SystemContext()) 22 if len(options.PolicyPath) > 0 { 23 policyPath = options.PolicyPath 24 } 25 report.Raw, err = ioutil.ReadFile(policyPath) 26 if err != nil { 27 return nil, err 28 } 29 if options.Raw { 30 return &report, nil 31 } 32 report.SystemRegistriesDirPath = trust.RegistriesDirPath(ir.Libpod.SystemContext()) 33 if len(options.RegistryPath) > 0 { 34 report.SystemRegistriesDirPath = options.RegistryPath 35 } 36 policyContentStruct, err := trust.GetPolicy(policyPath) 37 if err != nil { 38 return nil, errors.Wrapf(err, "could not read trust policies") 39 } 40 report.Policies, err = getPolicyShowOutput(policyContentStruct, report.SystemRegistriesDirPath) 41 if err != nil { 42 return nil, errors.Wrapf(err, "could not show trust policies") 43 } 44 return &report, nil 45 } 46 47 func (ir *ImageEngine) SetTrust(ctx context.Context, args []string, options entities.SetTrustOptions) error { 48 var ( 49 policyContentStruct trust.PolicyContent 50 newReposContent []trust.RepoContent 51 ) 52 trustType := options.Type 53 if trustType == "accept" { 54 trustType = "insecureAcceptAnything" 55 } 56 57 pubkeysfile := options.PubKeysFile 58 if len(pubkeysfile) == 0 && trustType == "signedBy" { 59 return errors.Errorf("At least one public key must be defined for type 'signedBy'") 60 } 61 62 policyPath := trust.DefaultPolicyPath(ir.Libpod.SystemContext()) 63 if len(options.PolicyPath) > 0 { 64 policyPath = options.PolicyPath 65 } 66 _, err := os.Stat(policyPath) 67 if !os.IsNotExist(err) { 68 policyContent, err := ioutil.ReadFile(policyPath) 69 if err != nil { 70 return err 71 } 72 if err := json.Unmarshal(policyContent, &policyContentStruct); err != nil { 73 return errors.Errorf("could not read trust policies") 74 } 75 } 76 if len(pubkeysfile) != 0 { 77 for _, filepath := range pubkeysfile { 78 newReposContent = append(newReposContent, trust.RepoContent{Type: trustType, KeyType: "GPGKeys", KeyPath: filepath}) 79 } 80 } else { 81 newReposContent = append(newReposContent, trust.RepoContent{Type: trustType}) 82 } 83 if args[0] == "default" { 84 policyContentStruct.Default = newReposContent 85 } else { 86 if len(policyContentStruct.Default) == 0 { 87 return errors.Errorf("default trust policy must be set") 88 } 89 registryExists := false 90 for transport, transportval := range policyContentStruct.Transports { 91 _, registryExists = transportval[args[0]] 92 if registryExists { 93 policyContentStruct.Transports[transport][args[0]] = newReposContent 94 break 95 } 96 } 97 if !registryExists { 98 if policyContentStruct.Transports == nil { 99 policyContentStruct.Transports = make(map[string]trust.RepoMap) 100 } 101 if policyContentStruct.Transports["docker"] == nil { 102 policyContentStruct.Transports["docker"] = make(map[string][]trust.RepoContent) 103 } 104 policyContentStruct.Transports["docker"][args[0]] = append(policyContentStruct.Transports["docker"][args[0]], newReposContent...) 105 } 106 } 107 108 data, err := json.MarshalIndent(policyContentStruct, "", " ") 109 if err != nil { 110 return errors.Wrapf(err, "error setting trust policy") 111 } 112 return ioutil.WriteFile(policyPath, data, 0644) 113 } 114 115 func getPolicyShowOutput(policyContentStruct trust.PolicyContent, systemRegistriesDirPath string) ([]*trust.Policy, error) { 116 var output []*trust.Policy 117 118 registryConfigs, err := trust.LoadAndMergeConfig(systemRegistriesDirPath) 119 if err != nil { 120 return nil, err 121 } 122 123 if len(policyContentStruct.Default) > 0 { 124 defaultPolicyStruct := trust.Policy{ 125 Transport: "all", 126 Name: "* (default)", 127 RepoName: "default", 128 Type: trustTypeDescription(policyContentStruct.Default[0].Type), 129 } 130 output = append(output, &defaultPolicyStruct) 131 } 132 for transport, transval := range policyContentStruct.Transports { 133 if transport == "docker" { 134 transport = "repository" 135 } 136 137 for repo, repoval := range transval { 138 tempTrustShowOutput := trust.Policy{ 139 Name: repo, 140 RepoName: repo, 141 Transport: transport, 142 Type: trustTypeDescription(repoval[0].Type), 143 } 144 // TODO - keyarr is not used and I don't know its intent; commenting out for now for someone to fix later 145 // keyarr := []string{} 146 uids := []string{} 147 for _, repoele := range repoval { 148 if len(repoele.KeyPath) > 0 { 149 // keyarr = append(keyarr, repoele.KeyPath) 150 uids = append(uids, trust.GetGPGIdFromKeyPath(repoele.KeyPath)...) 151 } 152 if len(repoele.KeyData) > 0 { 153 // keyarr = append(keyarr, string(repoele.KeyData)) 154 uids = append(uids, trust.GetGPGIdFromKeyData(repoele.KeyData)...) 155 } 156 } 157 tempTrustShowOutput.GPGId = strings.Join(uids, ", ") 158 159 registryNamespace := trust.HaveMatchRegistry(repo, registryConfigs) 160 if registryNamespace != nil { 161 tempTrustShowOutput.SignatureStore = registryNamespace.SigStore 162 } 163 output = append(output, &tempTrustShowOutput) 164 } 165 } 166 return output, nil 167 } 168 169 var typeDescription = map[string]string{"insecureAcceptAnything": "accept", "signedBy": "signed", "reject": "reject"} 170 171 func trustTypeDescription(trustType string) string { 172 trustDescription, exist := typeDescription[trustType] 173 if !exist { 174 logrus.Warnf("Invalid trust type %s", trustType) 175 } 176 return trustDescription 177 }