use ad-hoc libtrust key
This is only used for tests, and the key is not verified anymore, so
instead of creating a key and storing it, we can just use an ad-hoc
one.
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
(cherry picked from commit 8feeaecb84
)
Signed-off-by: Sebastiaan van Stijn <github@gone.nl>
This commit is contained in:
parent
f2463e1e86
commit
e7b26fa1b1
7 changed files with 0 additions and 92 deletions
|
@ -65,8 +65,6 @@ func (o *daemonOptions) installFlags(flags *pflag.FlagSet) {
|
|||
flags.BoolVar(&o.TLS, FlagTLS, DefaultTLSValue, "Use TLS; implied by --tlsverify")
|
||||
flags.BoolVar(&o.TLSVerify, FlagTLSVerify, dockerTLSVerify || DefaultTLSValue, "Use TLS and verify the remote")
|
||||
|
||||
// TODO use flag flags.String("identity"}, "i", "", "Path to libtrust key file")
|
||||
|
||||
o.TLSOptions = &tlsconfig.Options{}
|
||||
tlsOptions := o.TLSOptions
|
||||
flags.StringVar(&tlsOptions.CAFile, "tlscacert", filepath.Join(dockerCertPath, DefaultCaFile), "Trust certs signed only by this CA")
|
||||
|
|
|
@ -1053,19 +1053,6 @@ func NewDaemon(ctx context.Context, config *config.Config, pluginStore *plugin.S
|
|||
ContentNamespace: config.ContainerdNamespace,
|
||||
}
|
||||
|
||||
// This is a temporary environment variables used in CI to allow pushing
|
||||
// manifest v2 schema 1 images to test-registries used for testing *pulling*
|
||||
// these images.
|
||||
if os.Getenv("DOCKER_ALLOW_SCHEMA1_PUSH_DONOTUSE") != "" {
|
||||
imgSvcConfig.TrustKey, err = loadOrCreateTrustKey(config.TrustKeyPath)
|
||||
if err != nil {
|
||||
return nil, err
|
||||
}
|
||||
if err = system.MkdirAll(filepath.Join(config.Root, "trust"), 0700); err != nil {
|
||||
return nil, err
|
||||
}
|
||||
}
|
||||
|
||||
// containerd is not currently supported with Windows.
|
||||
// So sometimes d.containerdCli will be nil
|
||||
// In that case we'll create a local content store... but otherwise we'll use containerd
|
||||
|
|
|
@ -54,7 +54,6 @@ func (i *ImageService) PushImage(ctx context.Context, image, tag string, metaHea
|
|||
},
|
||||
ConfigMediaType: schema2.MediaTypeImageConfig,
|
||||
LayerStores: distribution.NewLayerProvidersFromStore(i.layerStore),
|
||||
TrustKey: i.trustKey,
|
||||
UploadManager: i.uploadManager,
|
||||
}
|
||||
|
||||
|
|
|
@ -17,7 +17,6 @@ import (
|
|||
"github.com/docker/docker/layer"
|
||||
dockerreference "github.com/docker/docker/reference"
|
||||
"github.com/docker/docker/registry"
|
||||
"github.com/docker/libtrust"
|
||||
"github.com/opencontainers/go-digest"
|
||||
"github.com/pkg/errors"
|
||||
"golang.org/x/sync/singleflight"
|
||||
|
@ -44,7 +43,6 @@ type ImageServiceConfig struct {
|
|||
MaxDownloadAttempts int
|
||||
ReferenceStore dockerreference.Store
|
||||
RegistryService registry.Service
|
||||
TrustKey libtrust.PrivateKey
|
||||
ContentStore content.Store
|
||||
Leases leases.Manager
|
||||
ContentNamespace string
|
||||
|
@ -61,7 +59,6 @@ func NewImageService(config ImageServiceConfig) *ImageService {
|
|||
layerStore: config.LayerStore,
|
||||
referenceStore: config.ReferenceStore,
|
||||
registryService: config.RegistryService,
|
||||
trustKey: config.TrustKey,
|
||||
uploadManager: xfer.NewLayerUploadManager(config.MaxConcurrentUploads),
|
||||
leases: config.Leases,
|
||||
content: config.ContentStore,
|
||||
|
@ -80,7 +77,6 @@ type ImageService struct {
|
|||
pruneRunning int32
|
||||
referenceStore dockerreference.Store
|
||||
registryService registry.Service
|
||||
trustKey libtrust.PrivateKey
|
||||
uploadManager *xfer.LayerUploadManager
|
||||
leases leases.Manager
|
||||
content content.Store
|
||||
|
|
|
@ -1,9 +0,0 @@
|
|||
package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
import "github.com/docker/libtrust"
|
||||
|
||||
// LoadOrCreateTrustKey attempts to load the libtrust key at the given path,
|
||||
// otherwise generates a new one.
|
||||
func loadOrCreateTrustKey(trustKeyPath string) (libtrust.PrivateKey, error) {
|
||||
return libtrust.LoadOrCreateTrustKey(trustKeyPath)
|
||||
}
|
|
@ -1,59 +0,0 @@
|
|||
package daemon // import "github.com/docker/docker/daemon"
|
||||
|
||||
import (
|
||||
"os"
|
||||
"path/filepath"
|
||||
"testing"
|
||||
|
||||
"gotest.tools/v3/assert"
|
||||
is "gotest.tools/v3/assert/cmp"
|
||||
)
|
||||
|
||||
// LoadOrCreateTrustKey
|
||||
func TestLoadOrCreateTrustKeyInvalidKeyFile(t *testing.T) {
|
||||
tmpKeyFile, err := os.CreateTemp(t.TempDir(), "keyfile")
|
||||
assert.NilError(t, err)
|
||||
_ = tmpKeyFile.Close()
|
||||
|
||||
_, err = loadOrCreateTrustKey(tmpKeyFile.Name())
|
||||
assert.Check(t, is.ErrorContains(err, "error loading key file"))
|
||||
}
|
||||
|
||||
func TestLoadOrCreateTrustKeyCreateKeyWhenFileDoesNotExist(t *testing.T) {
|
||||
tmpKeyFile := filepath.Join(t.TempDir(), "keyfile")
|
||||
|
||||
key, err := loadOrCreateTrustKey(tmpKeyFile)
|
||||
assert.NilError(t, err)
|
||||
assert.Check(t, key != nil)
|
||||
|
||||
_, err = os.Stat(tmpKeyFile)
|
||||
assert.NilError(t, err, "key file doesn't exist")
|
||||
}
|
||||
|
||||
func TestLoadOrCreateTrustKeyCreateKeyWhenDirectoryDoesNotExist(t *testing.T) {
|
||||
tmpKeyFile := filepath.Join(t.TempDir(), "folder/hierarchy/keyfile")
|
||||
key, err := loadOrCreateTrustKey(tmpKeyFile)
|
||||
assert.NilError(t, err)
|
||||
assert.Check(t, key != nil)
|
||||
|
||||
_, err = os.Stat(tmpKeyFile)
|
||||
assert.NilError(t, err, "key file doesn't exist")
|
||||
}
|
||||
|
||||
func TestLoadOrCreateTrustKeyCreateKeyNoPath(t *testing.T) {
|
||||
defer os.Remove("keyfile")
|
||||
key, err := loadOrCreateTrustKey("keyfile")
|
||||
assert.NilError(t, err)
|
||||
assert.Check(t, key != nil)
|
||||
|
||||
_, err = os.Stat("keyfile")
|
||||
assert.NilError(t, err, "key file doesn't exist")
|
||||
}
|
||||
|
||||
func TestLoadOrCreateTrustKeyLoadValidKey(t *testing.T) {
|
||||
tmpKeyFile := filepath.Join("testdata", "keyfile")
|
||||
key, err := loadOrCreateTrustKey(tmpKeyFile)
|
||||
assert.NilError(t, err)
|
||||
expected := "AWX2:I27X:WQFX:IOMK:CNAK:O7PW:VYNB:ZLKC:CVAE:YJP2:SI4A:XXAY"
|
||||
assert.Check(t, is.Contains(key.String(), expected))
|
||||
}
|
|
@ -17,7 +17,6 @@ import (
|
|||
"github.com/docker/docker/pkg/system"
|
||||
refstore "github.com/docker/docker/reference"
|
||||
"github.com/docker/docker/registry"
|
||||
"github.com/docker/libtrust"
|
||||
"github.com/opencontainers/go-digest"
|
||||
specs "github.com/opencontainers/image-spec/specs-go/v1"
|
||||
"github.com/pkg/errors"
|
||||
|
@ -74,9 +73,6 @@ type ImagePushConfig struct {
|
|||
ConfigMediaType string
|
||||
// LayerStores manages layers.
|
||||
LayerStores PushLayerProvider
|
||||
// TrustKey is the private key for legacy signatures. This is typically
|
||||
// an ephemeral key, since these signatures are no longer verified.
|
||||
TrustKey libtrust.PrivateKey
|
||||
// UploadManager dispatches uploads.
|
||||
UploadManager *xfer.LayerUploadManager
|
||||
}
|
||||
|
|
Loading…
Reference in a new issue