This repository has been archived by the owner on Feb 24, 2020. It is now read-only.
/
validator.go
104 lines (94 loc) · 2.99 KB
/
validator.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
// Copyright 2015 The rkt Authors
//
// Licensed under the Apache License, Version 2.0 (the "License");
// you may not use this file except in compliance with the License.
// You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
// distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
package image
import (
"errors"
"fmt"
"io"
"github.com/hashicorp/errwrap"
"github.com/rkt/rkt/pkg/keystore"
"github.com/appc/spec/aci"
"github.com/appc/spec/schema"
"github.com/appc/spec/schema/types"
"golang.org/x/crypto/openpgp"
pgperrors "golang.org/x/crypto/openpgp/errors"
)
// validator is a general image checker
type validator struct {
image io.ReadSeeker
manifest *schema.ImageManifest
}
// newValidator returns a validator instance if passed image is indeed
// an ACI.
func newValidator(image io.ReadSeeker) (*validator, error) {
manifest, err := aci.ManifestFromImage(image)
if err != nil {
return nil, err
}
v := &validator{
image: image,
manifest: manifest,
}
return v, nil
}
// ImageName returns image name as it is in the image manifest.
func (v *validator) ImageName() string {
return v.manifest.Name.String()
}
// ValidateName checks if desired image name is actually the same as
// the one in the image manifest.
func (v *validator) ValidateName(imageName string) error {
name := v.ImageName()
if name != imageName {
return fmt.Errorf("error when reading the app name: %q expected but %q found",
imageName, name)
}
return nil
}
// ValidateLabels checks if desired image labels are actually the same as
// the ones in the image manifest.
func (v *validator) ValidateLabels(labels map[types.ACIdentifier]string) error {
for n, rv := range labels {
if av, ok := v.manifest.GetLabel(n.String()); ok {
if rv != av {
return fmt.Errorf("requested value for label %q: %q differs from fetched aci label value: %q", n, rv, av)
}
} else {
return fmt.Errorf("requested label %q not provided by the image manifest", n)
}
}
return nil
}
// ValidateWithSignature verifies the image against a given signature
// file.
func (v *validator) ValidateWithSignature(ks *keystore.Keystore, sig io.ReadSeeker) (*openpgp.Entity, error) {
if ks == nil {
return nil, nil
}
if _, err := v.image.Seek(0, 0); err != nil {
return nil, errwrap.Wrap(errors.New("error seeking ACI file"), err)
}
if _, err := sig.Seek(0, 0); err != nil {
return nil, errwrap.Wrap(errors.New("error seeking signature file"), err)
}
entity, err := ks.CheckSignature(v.ImageName(), v.image, sig)
if err == pgperrors.ErrUnknownIssuer {
log.Print("If you expected the signing key to change, try running:")
log.Print(" rkt trust --prefix <image>")
}
if err != nil {
return nil, err
}
return entity, nil
}