10 年前 · 6ce76cd9ed
--- a/api/client/trust.go
+++ b/api/client/trust.go
@@ -13,6 +13,7 @@ import (
 
				 	"os"
			
 
				 	"path/filepath"
			
 
				 	"regexp"
			
 
				+	"sort"
			
 
				 	"strconv"
			
 
				 	"strings"
			
 
				 	"time"
			
@@ -176,11 +177,16 @@ func convertTarget(t client.Target) (target, error) {
 
				 }
			
 
				 
			
 
				 func (cli *DockerCli) getPassphraseRetriever() passphrase.Retriever {
			
 
				-	baseRetriever := passphrase.PromptRetrieverWithInOut(cli.in, cli.out)
			
 
				+	aliasMap := map[string]string{
			
 
				+		"root":     "offline",
			
 
				+		"snapshot": "tagging",
			
 
				+		"targets":  "tagging",
			
 
				+	}
			
 
				+	baseRetriever := passphrase.PromptRetrieverWithInOut(cli.in, cli.out, aliasMap)
			
 
				 	env := map[string]string{
			
 
				-		"root":     os.Getenv("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE"),
			
 
				-		"targets":  os.Getenv("DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE"),
			
 
				-		"snapshot": os.Getenv("DOCKER_CONTENT_TRUST_SNAPSHOT_PASSPHRASE"),
			
 
				+		"root":     os.Getenv("DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE"),
			
 
				+		"snapshot": os.Getenv("DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE"),
			
 
				+		"targets":  os.Getenv("DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE"),
			
 
				 	}
			
 
				 	return func(keyName string, alias string, createNew bool, numAttempts int) (string, bool, error) {
			
 
				 		if v := env[alias]; v != "" {
			
@@ -311,6 +317,22 @@ func (cli *DockerCli) trustedPull(repoInfo *registry.RepositoryInfo, ref registr
 
				 	return nil
			
 
				 }
			
 
				 
			
 
				+func selectKey(keys map[string]string) string {
			
 
				+	if len(keys) == 0 {
			
 
				+		return ""
			
 
				+	}
			
 
				+
			
 
				+	keyIDs := []string{}
			
 
				+	for k := range keys {
			
 
				+		keyIDs = append(keyIDs, k)
			
 
				+	}
			
 
				+
			
 
				+	// TODO(dmcgowan): let user choose if multiple keys, now pick consistently
			
 
				+	sort.Strings(keyIDs)
			
 
				+
			
 
				+	return keyIDs[0]
			
 
				+}
			
 
				+
			
 
				 func targetStream(in io.Writer) (io.WriteCloser, <-chan []target) {
			
 
				 	r, w := io.Pipe()
			
 
				 	out := io.MultiWriter(in, w)
			
@@ -409,16 +431,13 @@ func (cli *DockerCli) trustedPush(repoInfo *registry.RepositoryInfo, tag string,
 
				 
			
 
				 	ks := repo.KeyStoreManager
			
 
				 	keys := ks.RootKeyStore().ListKeys()
			
 
				-	var rootKey string
			
 
				 
			
 
				-	if len(keys) == 0 {
			
 
				+	rootKey := selectKey(keys)
			
 
				+	if rootKey == "" {
			
 
				 		rootKey, err = ks.GenRootKey("ecdsa")
			
 
				 		if err != nil {
			
 
				 			return err
			
 
				 		}
			
 
				-	} else {
			
 
				-		// TODO(dmcgowan): let user choose
			
 
				-		rootKey = keys[0]
			
 
				 	}
			
 
				 
			
 
				 	cryptoService, err := ks.GetRootCryptoService(rootKey)
			
--- a/integration-cli/docker_cli_push_test.go
+++ b/integration-cli/docker_cli_push_test.go
@@ -275,7 +275,7 @@ func (s *DockerTrustSuite) TestTrustedPushWithIncorrectPassphraseForNonRoot(c *c
 
				 
			
 
				 	// Push with wrong passphrases
			
 
				 	pushCmd = exec.Command(dockerBinary, "push", repoName)
			
 
				-	s.trustedCmdWithPassphrases(pushCmd, "12345678", "87654321", "87654321")
			
 
				+	s.trustedCmdWithPassphrases(pushCmd, "12345678", "87654321")
			
 
				 	out, _, err = runCommandWithOutput(pushCmd)
			
 
				 	if err == nil {
			
 
				 		c.Fatalf("Error missing from trusted push with short targets passphrase: \n%s", out)
			
--- a/integration-cli/trust_server.go
+++ b/integration-cli/trust_server.go
@@ -32,7 +32,8 @@ func newTestNotary(c *check.C) (*testNotary, error) {
 
				 	"trust_service": {
			
 
				 		"type": "local",
			
 
				 		"hostname": "",
			
 
				-		"port": ""
			
 
				+		"port": "",
			
 
				+		"key_algorithm": "ed25519"
			
 
				 	},
			
 
				 	"logging": {
			
 
				 		"level": 5
			
@@ -116,25 +117,24 @@ func (t *testNotary) Close() {
 
				 
			
 
				 func (s *DockerTrustSuite) trustedCmd(cmd *exec.Cmd) {
			
 
				 	pwd := "12345678"
			
 
				-	trustCmdEnv(cmd, s.not.address(), pwd, pwd, pwd)
			
 
				+	trustCmdEnv(cmd, s.not.address(), pwd, pwd)
			
 
				 }
			
 
				 
			
 
				 func (s *DockerTrustSuite) trustedCmdWithServer(cmd *exec.Cmd, server string) {
			
 
				 	pwd := "12345678"
			
 
				-	trustCmdEnv(cmd, server, pwd, pwd, pwd)
			
 
				+	trustCmdEnv(cmd, server, pwd, pwd)
			
 
				 }
			
 
				 
			
 
				-func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, rootPwd, snapshotPwd, targetPwd string) {
			
 
				-	trustCmdEnv(cmd, s.not.address(), rootPwd, snapshotPwd, targetPwd)
			
 
				+func (s *DockerTrustSuite) trustedCmdWithPassphrases(cmd *exec.Cmd, offlinePwd, taggingPwd string) {
			
 
				+	trustCmdEnv(cmd, s.not.address(), offlinePwd, taggingPwd)
			
 
				 }
			
 
				 
			
 
				-func trustCmdEnv(cmd *exec.Cmd, server, rootPwd, snapshotPwd, targetPwd string) {
			
 
				+func trustCmdEnv(cmd *exec.Cmd, server, offlinePwd, taggingPwd string) {
			
 
				 	env := []string{
			
 
				 		"DOCKER_CONTENT_TRUST=1",
			
 
				 		fmt.Sprintf("DOCKER_CONTENT_TRUST_SERVER=%s", server),
			
 
				-		fmt.Sprintf("DOCKER_CONTENT_TRUST_ROOT_PASSPHRASE=%s", rootPwd),
			
 
				-		fmt.Sprintf("DOCKER_CONTENT_TRUST_SNAPSHOT_PASSPHRASE=%s", snapshotPwd),
			
 
				-		fmt.Sprintf("DOCKER_CONTENT_TRUST_TARGET_PASSPHRASE=%s", targetPwd),
			
 
				+		fmt.Sprintf("DOCKER_CONTENT_TRUST_OFFLINE_PASSPHRASE=%s", offlinePwd),
			
 
				+		fmt.Sprintf("DOCKER_CONTENT_TRUST_TAGGING_PASSPHRASE=%s", taggingPwd),
			
 
				 	}
			
 
				 	cmd.Env = append(os.Environ(), env...)
			
 
				 }