forked from moby/moby
-
Notifications
You must be signed in to change notification settings - Fork 1
/
service.go
74 lines (63 loc) · 1.68 KB
/
service.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
package trust
import (
"fmt"
"time"
log "github.com/Sirupsen/logrus"
"github.com/docker/docker/engine"
"github.com/docker/libtrust"
)
func (t *TrustStore) Install(eng *engine.Engine) error {
for name, handler := range map[string]engine.Handler{
"trust_key_check": t.CmdCheckKey,
"trust_update_base": t.CmdUpdateBase,
} {
if err := eng.Register(name, handler); err != nil {
return fmt.Errorf("Could not register %q: %v", name, err)
}
}
return nil
}
func (t *TrustStore) CmdCheckKey(job *engine.Job) engine.Status {
if n := len(job.Args); n != 1 {
return job.Errorf("Usage: %s NAMESPACE", job.Name)
}
var (
namespace = job.Args[0]
keyBytes = job.Getenv("PublicKey")
)
if keyBytes == "" {
return job.Errorf("Missing PublicKey")
}
pk, err := libtrust.UnmarshalPublicKeyJWK([]byte(keyBytes))
if err != nil {
return job.Errorf("Error unmarshalling public key: %s", err)
}
permission := uint16(job.GetenvInt("Permission"))
if permission == 0 {
permission = 0x03
}
t.RLock()
defer t.RUnlock()
if t.graph == nil {
job.Stdout.Write([]byte("no graph"))
return engine.StatusOK
}
// Check if any expired grants
verified, err := t.graph.Verify(pk, namespace, permission)
if err != nil {
return job.Errorf("Error verifying key to namespace: %s", namespace)
}
if !verified {
log.Debugf("Verification failed for %s using key %s", namespace, pk.KeyID())
job.Stdout.Write([]byte("not verified"))
} else if t.expiration.Before(time.Now()) {
job.Stdout.Write([]byte("expired"))
} else {
job.Stdout.Write([]byte("verified"))
}
return engine.StatusOK
}
func (t *TrustStore) CmdUpdateBase(job *engine.Job) engine.Status {
t.fetch()
return engine.StatusOK
}