
     1  package trust
     2  
     3  import (
     4  	"fmt"
     5  	"time"
     6  
     7  	"github.com/Sirupsen/logrus"
     8  	"github.com/docker/libtrust"
     9  )
    10  
// NotVerifiedError reports an error when doing the key check.
// For example if the graph is not verified or the key has expired.
// The string value is the message that Error returns.
type NotVerifiedError string

// Error returns the message carried by the NotVerifiedError.
func (e NotVerifiedError) Error() string {
	msg := string(e)
	return msg
}
    18  
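// CheckKey verifies that the given public key is allowed to perform
// the given action on the given node according to the trust graph.
//
// key is the JWK-encoded public key, ns the namespace being accessed and
// perm the permission mask to check (0 selects the default mask).
// It returns (true, nil) only when the key verifies against a loaded,
// unexpired graph. A NotVerifiedError is returned when no graph is loaded,
// when the key is not trusted for ns, or when the graph has expired; other
// errors report malformed input or a failure inside graph verification.
func (t *Store) CheckKey(ns string, key []byte, perm uint16) (bool, error) {
	if len(key) == 0 {
		return false, fmt.Errorf("Missing PublicKey")
	}
	pk, err := libtrust.UnmarshalPublicKeyJWK(key)
	if err != nil {
		return false, fmt.Errorf("Error unmarshalling public key: %v", err)
	}

	// A zero mask means "use the default". The bit meaning of 0x03 is
	// defined by libtrust's grant permissions; confirm against that package
	// before changing it.
	const defaultPerm uint16 = 0x03
	if perm == 0 {
		perm = defaultPerm
	}

	// Both graph and expiration are read while holding the read lock so a
	// concurrent update cannot be observed half-applied.
	t.RLock()
	defer t.RUnlock()
	if t.graph == nil {
		return false, NotVerifiedError("no graph")
	}

	verified, err := t.graph.Verify(pk, ns, perm)
	if err != nil {
		// Keep the underlying error: the previous message dropped it, which
		// made verification failures hard to diagnose.
		return false, fmt.Errorf("Error verifying key to namespace %s: %v", ns, err)
	}
	if !verified {
		logrus.Debugf("Verification failed for %s using key %s", ns, pk.KeyID())
		return false, NotVerifiedError("not verified")
	}
	// A key that verifies against a stale graph is still rejected, so an
	// outdated graph cannot keep granting access past its expiration.
	if t.expiration.Before(time.Now()) {
		return false, NotVerifiedError("expired")
	}
	return true, nil
}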
    54  
// UpdateBase retrieves updated base graphs. This function cannot error, it
// should only log errors.
//
// It delegates to fetch (defined elsewhere in the package), which is
// expected to log any failure rather than return it.
func (t *Store) UpdateBase() {
	t.fetch()
}