This repository has been archived by the owner on Nov 13, 2020. It is now read-only.
// Copyright 2015 The rkt Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package image
import (
"errors"
"fmt"
"os"
"path/filepath"
"github.com/hashicorp/errwrap"
"github.com/rkt/rkt/pkg/keystore"
rktflag "github.com/rkt/rkt/rkt/flag"
"github.com/rkt/rkt/store/imagestore"
)
// fileFetcher fetches ACI image files from the local filesystem and imports
// them into the image store, verifying their signature unless verification
// is skipped (see getFile).
type fileFetcher struct {
	// InsecureFlags is consulted through SkipImageCheck() to decide whether
	// signature verification is bypassed. It is dereferenced unconditionally
	// in getFile.
	InsecureFlags *rktflag.SecFlags
	// S is the image store that Hash writes the opened ACI into.
	S *imagestore.Store
	// Ks is the keystore handed to the validator for signature verification.
	// A nil Ks makes getFile return the file without verifying it.
	Ks *keystore.Keystore
	// Debug is passed to ensureLogger at the start of Hash.
	Debug bool
}
// Hash resolves aciPath to an absolute path, opens the image through getFile
// (which verifies it against the signature described by a unless verification
// is skipped), writes it into the image store and returns the key reported by
// the store.
//
// The handle returned by getFile is the same one that is streamed into the
// store; the path is not opened a second time between verification and import.
func (f *fileFetcher) Hash(aciPath string, a *asc) (string, error) {
	ensureLogger(f.Debug)

	resolved, err := filepath.Abs(aciPath)
	if err != nil {
		return "", errwrap.Wrap(fmt.Errorf("failed to get an absolute path for %q", aciPath), err)
	}

	img, err := f.getFile(resolved, a)
	if err != nil {
		return "", err
	}
	defer img.Close()

	// Latest is explicitly false for images imported from a local file.
	info := imagestore.ACIFetchInfo{Latest: false}
	storeKey, err := f.S.WriteACI(img, info)
	if err != nil {
		return "", err
	}
	return storeKey, nil
}
// getFile returns an open handle on the ACI at aciPath.
//
// Signature verification (getVerifiedFile) runs only when SkipImageCheck()
// reports false AND a keystore is configured. In every other case the file is
// opened and returned as-is.
//
// NOTE(review): the warning below is logged only when verification is skipped
// by flag while a keystore is present. A nil keystore also skips verification
// but produces no log line, so callers that expect verification must make
// sure Ks is non-nil.
func (f *fileFetcher) getFile(aciPath string, a *asc) (*os.File, error) {
	if f.InsecureFlags.SkipImageCheck() && f.Ks != nil {
		log.Printf("warning: image signature verification has been disabled")
	}

	// Verified path: checks are enabled and there is a keystore to check against.
	if !f.InsecureFlags.SkipImageCheck() && f.Ks != nil {
		verified, err := f.getVerifiedFile(aciPath, a)
		if err != nil {
			return nil, err
		}
		return verified, nil
	}

	// Unverified path: the image content is not checked against any signature.
	unverified, err := os.Open(aciPath)
	if err != nil {
		return nil, errwrap.Wrap(errors.New("error opening ACI file"), err)
	}
	return unverified, nil
}
// getVerifiedFile opens the ACI at aciPath, validates it against its
// signature using the keystore f.Ks, and returns the open handle on success.
//
// The signature source is taken from a; when a has no fetcher set,
// maybeOverrideAsc fills one in first. On any failure after the ACI has been
// opened the handle is closed before returning, and the returned file is nil.
//
// The handle that was validated is the one returned, so the caller reads from
// the same open file that was checked rather than re-opening the path.
// NOTE(review): the validator has already read from this handle; whether its
// offset is rewound before it is returned is not visible here, so confirm in
// the validator.
func (f *fileFetcher) getVerifiedFile(aciPath string, a *asc) (*os.File, error) {
	f.maybeOverrideAsc(aciPath, a)

	sig, err := a.Get()
	if err != nil {
		return nil, errwrap.Wrap(errors.New("error opening signature file"), err)
	}
	defer sig.Close()

	img, err := os.Open(aciPath)
	if err != nil {
		return nil, errwrap.Wrap(errors.New("error opening ACI file"), err)
	}

	// The image handle is handed to the caller only once validation succeeds;
	// every earlier return closes it here.
	validated := false
	defer func() {
		if !validated {
			img.Close()
		}
	}()

	validator, err := newValidator(img)
	if err != nil {
		return nil, err
	}

	entity, err := validator.ValidateWithSignature(f.Ks, sig)
	if err != nil {
		return nil, errwrap.Wrap(fmt.Errorf("image %q verification failed", validator.ImageName()), err)
	}

	validated = true
	printIdentities(entity)
	return img, nil
}
// maybeOverrideAsc supplies a default signature source when the caller gave
// none: if a.Fetcher is nil, a.Location is set to the path derived from
// aciPath by ascPathFromImgPath and a.Fetcher to a localAscFetcher. An asc
// that already has a fetcher is left untouched.
//
// NOTE(review): with the default, the signature is presumably read from the
// local filesystem next to the image, so trust in the result rests on the
// keystore contents rather than on where the signature file came from.
func (f *fileFetcher) maybeOverrideAsc(aciPath string, a *asc) {
	if a.Fetcher == nil {
		a.Location = ascPathFromImgPath(aciPath)
		a.Fetcher = &localAscFetcher{}
	}
}