本文整理汇总了Golang中github.com/docker/notary/tuf/data.IsDelegation函数的典型用法代码示例。如果您正苦于以下问题:Golang IsDelegation函数的具体用法?Golang IsDelegation怎么用?Golang IsDelegation使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了IsDelegation函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: delegationAddInput
func delegationAddInput(d *delegationCommander, cmd *cobra.Command, args []string) (
config *viper.Viper, gun string, role string, keyIDs []string, error error) {
if len(args) < 2 {
cmd.Usage()
return nil, "", "", nil, fmt.Errorf("must specify the Global Unique Name and the role of the delegation along with optional keyIDs and/or a list of paths to remove")
}
config, err := d.configGetter()
if err != nil {
return nil, "", "", nil, err
}
gun = args[0]
role = args[1]
// Check if role is valid delegation name before requiring any user input
if !data.IsDelegation(role) {
return nil, "", "", nil, fmt.Errorf("invalid delegation name %s", role)
}
// If we're only given the gun and the role, attempt to remove all data for this delegation
if len(args) == 2 && d.paths == nil && !d.allPaths {
d.removeAll = true
}
if len(args) > 2 {
keyIDs = args[2:]
}
// If the user passes --all-paths, don't use any of the passed in --paths
if d.allPaths {
d.paths = nil
}
return config, gun, role, keyIDs, nil
}示例2: AddDelegationRoleAndKeys
// AddDelegationRoleAndKeys creates a changelist entry to add provided delegation public keys.
// This method is the simplest way to create a new delegation, because the delegation must have at least
// one key upon creation to be valid since we will reject the changelist while validating the threshold.
func (r *NotaryRepository) AddDelegationRoleAndKeys(name string, delegationKeys []data.PublicKey) error {
if !data.IsDelegation(name) {
return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
}
cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
if err != nil {
return err
}
defer cl.Close()
logrus.Debugf(`Adding delegation "%s" with threshold %d, and %d keys\n`,
name, notary.MinThreshold, len(delegationKeys))
// Defaulting to threshold of 1, since we don't allow for larger thresholds at the moment.
tdJSON, err := json.Marshal(&changelist.TufDelegation{
NewThreshold: notary.MinThreshold,
AddKeys: data.KeyList(delegationKeys),
})
if err != nil {
return err
}
template := newCreateDelegationChange(name, tdJSON)
return addChange(cl, template, name)
}示例3: UpdateDelegationKeys
// UpdateDelegationKeys updates the appropriate delegations, either adding
// a new delegation or updating an existing one. If keys are
// provided, the IDs will be added to the role (if they do not exist
// there already), and the keys will be added to the targets file.
func (tr *Repo) UpdateDelegationKeys(roleName string, addKeys data.KeyList, removeKeys []string, newThreshold int) error {
if !data.IsDelegation(roleName) {
return data.ErrInvalidRole{Role: roleName, Reason: "not a valid delegated role"}
}
parent := path.Dir(roleName)
if err := tr.VerifyCanSign(parent); err != nil {
return err
}
// check the parent role's metadata
_, ok := tr.Targets[parent]
if !ok { // the parent targetfile may not exist yet - if not, then create it
var err error
_, err = tr.InitTargets(parent)
if err != nil {
return err
}
}
// Walk to the parent of this delegation, since that is where its role metadata exists
// We do not have to verify that the walker reached its desired role in this scenario
// since we've already done another walk to the parent role in VerifyCanSign, and potentially made a targets file
err := tr.WalkTargets("", parent, delegationUpdateVisitor(roleName, addKeys, removeKeys, []string{}, []string{}, false, newThreshold))
if err != nil {
return err
}
return nil
}示例4: VerifyCanSign
// VerifyCanSign returns nil if the role exists and we have at least one
// signing key for the role, false otherwise. This does not check that we have
// enough signing keys to meet the threshold, since we want to support the use
// case of multiple signers for a role. It returns an error if the role doesn't
// exist or if there are no signing keys.
func (tr *Repo) VerifyCanSign(roleName string) error {
var (
role data.BaseRole
err error
)
// we only need the BaseRole part of a delegation because we're just
// checking KeyIDs
if data.IsDelegation(roleName) {
r, err := tr.GetDelegationRole(roleName)
if err != nil {
return err
}
role = r.BaseRole
} else {
role, err = tr.GetBaseRole(roleName)
}
if err != nil {
return data.ErrInvalidRole{Role: roleName, Reason: "does not exist"}
}
for keyID, k := range role.Keys {
check := []string{keyID}
if canonicalID, err := utils.CanonicalKeyID(k); err == nil {
check = append(check, canonicalID)
}
for _, id := range check {
p, _, err := tr.cryptoService.GetPrivateKey(id)
if err == nil && p != nil {
return nil
}
}
}
return signed.ErrNoKeys{KeyIDs: role.ListKeyIDs()}
}示例5: addChange
// adds a TUF Change template to the given roles
func addChange(cl *changelist.FileChangelist, c changelist.Change, roles ...string) error {
if len(roles) == 0 {
roles = []string{data.CanonicalTargetsRole}
}
var changes []changelist.Change
for _, role := range roles {
role = strings.ToLower(role)
// Ensure we can only add targets to the CanonicalTargetsRole,
// or a Delegation role (which is <CanonicalTargetsRole>/something else)
if role != data.CanonicalTargetsRole && !data.IsDelegation(role) {
return data.ErrInvalidRole{
Role: role,
Reason: "cannot add targets to this role",
}
}
changes = append(changes, changelist.NewTufChange(
c.Action(),
role,
c.Type(),
c.Path(),
c.Content(),
))
}
for _, c := range changes {
if err := cl.Add(c); err != nil {
return err
}
}
return nil
}示例6: AddDelegation
// AddDelegation creates a new changelist entry to add a delegation to the repository
// when the changelist gets applied at publish time. This does not do any validation
// other than checking the name of the delegation to add - all that will happen
// at publish time.
func (r *NotaryRepository) AddDelegation(name string, threshold int,
delegationKeys []data.PublicKey, paths []string) error {
if !data.IsDelegation(name) {
return data.ErrInvalidRole{Role: name, Reason: "invalid delegation role name"}
}
cl, err := changelist.NewFileChangelist(filepath.Join(r.tufRepoPath, "changelist"))
if err != nil {
return err
}
defer cl.Close()
logrus.Debugf(`Adding delegation "%s" with threshold %d, and %d keys\n`,
name, threshold, len(delegationKeys))
tdJSON, err := json.Marshal(&changelist.TufDelegation{
NewThreshold: threshold,
AddKeys: data.KeyList(delegationKeys),
AddPaths: paths,
})
if err != nil {
return err
}
template := changelist.NewTufChange(
changelist.ActionCreate,
name,
changelist.TypeTargetsDelegation,
"", // no path
tdJSON,
)
return addChange(cl, template, name)
}示例7: applyChangelist
func applyChangelist(repo *tuf.Repo, cl changelist.Changelist) error {
it, err := cl.NewIterator()
if err != nil {
return err
}
index := 0
for it.HasNext() {
c, err := it.Next()
if err != nil {
return err
}
isDel := data.IsDelegation(c.Scope())
switch {
case c.Scope() == changelist.ScopeTargets || isDel:
err = applyTargetsChange(repo, c)
case c.Scope() == changelist.ScopeRoot:
err = applyRootChange(repo, c)
default:
logrus.Debug("scope not supported: ", c.Scope())
}
index++
if err != nil {
return err
}
}
logrus.Debugf("applied %d change(s)", index)
return nil
}示例8: GetDelegation
// GetDelegation finds the role entry representing the provided
// role name along with its associated public keys, or ErrInvalidRole
func (tr *Repo) GetDelegation(role string) (*data.Role, data.Keys, error) {
if !data.IsDelegation(role) {
return nil, nil, data.ErrInvalidRole{Role: role, Reason: "not a valid delegated role"}
}
parent := path.Dir(role)
// check the parent role
if _, err := tr.GetDelegationRole(parent); parent != data.CanonicalTargetsRole && err != nil {
return nil, nil, data.ErrInvalidRole{Role: role, Reason: "parent role not found"}
}
// check the parent role's metadata
p, ok := tr.Targets[parent]
if !ok { // the parent targetfile may not exist yet, so it can't be in the list
return nil, nil, data.ErrNoSuchRole{Role: role}
}
foundAt := utils.FindRoleIndex(p.Signed.Delegations.Roles, role)
if foundAt < 0 {
return nil, nil, data.ErrNoSuchRole{Role: role}
}
delegationRole := p.Signed.Delegations.Roles[foundAt]
keys := make(data.Keys)
for _, keyID := range delegationRole.KeyIDs {
keys[keyID] = p.Signed.Delegations.Keys[keyID]
}
return delegationRole, keys, nil
}示例9: UpdateDelegationPaths
// UpdateDelegationPaths updates the appropriate delegation's paths.
// It is not allowed to create a new delegation.
func (tr *Repo) UpdateDelegationPaths(roleName string, addPaths, removePaths []string, clearPaths bool) error {
if !data.IsDelegation(roleName) {
return data.ErrInvalidRole{Role: roleName, Reason: "not a valid delegated role"}
}
parent := path.Dir(roleName)
if err := tr.VerifyCanSign(parent); err != nil {
return err
}
// check the parent role's metadata
_, ok := tr.Targets[parent]
if !ok { // the parent targetfile may not exist yet
// if not, this is an error because a delegation must exist to edit only paths
return data.ErrInvalidRole{Role: roleName, Reason: "no valid delegated role exists"}
}
// Walk to the parent of this delegation, since that is where its role metadata exists
// We do not have to verify that the walker reached its desired role in this scenario
// since we've already done another walk to the parent role in VerifyCanSign
err := tr.WalkTargets("", parent, delegationUpdateVisitor(roleName, data.KeyList{}, []string{}, addPaths, removePaths, clearPaths, notary.MinThreshold))
if err != nil {
return err
}
return nil
}示例10: applyChangelist
func applyChangelist(repo *tuf.Repo, invalid *tuf.Repo, cl changelist.Changelist) error {
it, err := cl.NewIterator()
if err != nil {
return err
}
index := 0
for it.HasNext() {
c, err := it.Next()
if err != nil {
return err
}
isDel := data.IsDelegation(c.Scope()) || data.IsWildDelegation(c.Scope())
switch {
case c.Scope() == changelist.ScopeTargets || isDel:
err = applyTargetsChange(repo, invalid, c)
case c.Scope() == changelist.ScopeRoot:
err = applyRootChange(repo, c)
default:
return fmt.Errorf("scope not supported: %s", c.Scope())
}
if err != nil {
logrus.Debugf("error attempting to apply change #%d: %s, on scope: %s path: %s type: %s", index, c.Action(), c.Scope(), c.Path(), c.Type())
return err
}
index++
}
logrus.Debugf("applied %d change(s)", index)
return nil
}示例11: RotateKey
// RotateKey rotates the key for a role - this can invalidate that role's metadata
// if it is not signed by that key. Particularly if the key being rotated is the
// root key, because it is not signed by the new key, only the old key.
func (m *MetadataSwizzler) RotateKey(role string, key data.PublicKey) error {
roleSpecifier := data.CanonicalRootRole
if data.IsDelegation(role) {
roleSpecifier = path.Dir(role)
}
b, err := m.MetadataCache.GetSized(roleSpecifier, store.NoSizeLimit)
if err != nil {
return err
}
signedThing := &data.Signed{}
if err := json.Unmarshal(b, signedThing); err != nil {
return err
}
// get keys before the keys are rotated
pubKeys, err := getPubKeys(m.CryptoService, signedThing, roleSpecifier)
if err != nil {
return err
}
if roleSpecifier == data.CanonicalRootRole {
signedRoot, err := data.RootFromSigned(signedThing)
if err != nil {
return err
}
signedRoot.Signed.Roles[role].KeyIDs = []string{key.ID()}
signedRoot.Signed.Keys[key.ID()] = key
if signedThing, err = signedRoot.ToSigned(); err != nil {
return err
}
} else {
signedTargets, err := data.TargetsFromSigned(signedThing, roleSpecifier)
if err != nil {
return err
}
for _, roleObject := range signedTargets.Signed.Delegations.Roles {
if roleObject.Name == role {
roleObject.KeyIDs = []string{key.ID()}
break
}
}
signedTargets.Signed.Delegations.Keys[key.ID()] = key
if signedThing, err = signedTargets.ToSigned(); err != nil {
return err
}
}
metaBytes, err := serializeMetadata(m.CryptoService, signedThing, roleSpecifier, pubKeys...)
if err != nil {
return err
}
return m.MetadataCache.Set(roleSpecifier, metaBytes)
}示例12: InitTargets
// InitTargets initializes an empty targets, and returns the new empty target
func (tr *Repo) InitTargets(role string) (*data.SignedTargets, error) {
if !data.IsDelegation(role) && role != data.CanonicalTargetsRole {
return nil, data.ErrInvalidRole{
Role: role,
Reason: fmt.Sprintf("role is not a valid targets role name: %s", role),
}
}
targets := data.NewTargets()
tr.Targets[role] = targets
return targets, nil
}示例13: UpdateDelegations
// UpdateDelegations updates the appropriate delegations, either adding
// a new delegation or updating an existing one. If keys are
// provided, the IDs will be added to the role (if they do not exist
// there already), and the keys will be added to the targets file.
func (tr *Repo) UpdateDelegations(role *data.Role, keys []data.PublicKey) error {
if !data.IsDelegation(role.Name) {
return data.ErrInvalidRole{Role: role.Name, Reason: "not a valid delegated role"}
}
parent := path.Dir(role.Name)
if err := tr.VerifyCanSign(parent); err != nil {
return err
}
// check the parent role's metadata
p, ok := tr.Targets[parent]
if !ok { // the parent targetfile may not exist yet - if not, then create it
var err error
p, err = tr.InitTargets(parent)
if err != nil {
return err
}
}
for _, k := range keys {
if !utils.StrSliceContains(role.KeyIDs, k.ID()) {
role.KeyIDs = append(role.KeyIDs, k.ID())
}
p.Signed.Delegations.Keys[k.ID()] = k
}
// if the role has fewer keys than the threshold, it
// will never be able to create a valid targets file
// and should be considered invalid.
if len(role.KeyIDs) < role.Threshold {
return data.ErrInvalidRole{Role: role.Name, Reason: "insufficient keys to meet threshold"}
}
foundAt := utils.FindRoleIndex(p.Signed.Delegations.Roles, role.Name)
if foundAt >= 0 {
p.Signed.Delegations.Roles[foundAt] = role
} else {
p.Signed.Delegations.Roles = append(p.Signed.Delegations.Roles, role)
}
// We've made a change to parent. Set it to dirty
p.Dirty = true
// We don't actually want to create the new delegation metadata yet.
// When we add a delegation, it may only be signable by a key we don't have
// (hence we are delegating signing).
utils.RemoveUnusedKeys(p)
return nil
}示例14: RotateKey
// RotateKey removes all existing keys associated with the role, and either
// creates and adds one new key or delegates managing the key to the server.
// These changes are staged in a changelist until publish is called.
func (r *NotaryRepository) RotateKey(role string, serverManagesKey bool) error {
// We currently support remotely managing timestamp and snapshot keys
canBeRemoteKey := role == data.CanonicalTimestampRole || role == data.CanonicalSnapshotRole
// And locally managing root, targets, and snapshot keys
canBeLocalKey := (role == data.CanonicalSnapshotRole || role == data.CanonicalTargetsRole ||
role == data.CanonicalRootRole)
switch {
case !data.ValidRole(role) || data.IsDelegation(role):
return fmt.Errorf("notary does not currently permit rotating the %s key", role)
case serverManagesKey && !canBeRemoteKey:
return ErrInvalidRemoteRole{Role: role}
case !serverManagesKey && !canBeLocalKey:
return ErrInvalidLocalRole{Role: role}
}
var (
pubKey data.PublicKey
err error
errFmtMsg string
)
switch serverManagesKey {
case true:
pubKey, err = getRemoteKey(r.baseURL, r.gun, role, r.roundTrip)
errFmtMsg = "unable to rotate remote key: %s"
default:
pubKey, err = r.CryptoService.Create(role, r.gun, data.ECDSAKey)
errFmtMsg = "unable to generate key: %s"
}
if err != nil {
return fmt.Errorf(errFmtMsg, err)
}
// if this is a root role, generate a root cert for the public key
if role == data.CanonicalRootRole {
privKey, _, err := r.CryptoService.GetPrivateKey(pubKey.ID())
if err != nil {
return err
}
pubKey, err = rootCertKey(r.gun, privKey)
if err != nil {
return err
}
}
cl := changelist.NewMemChangelist()
if err := r.rootFileKeyChange(cl, role, changelist.ActionCreate, pubKey); err != nil {
return err
}
return r.publish(cl)
}示例15: SetThreshold
// SetThreshold sets a threshold for a metadata role - can invalidate metadata for which
// the threshold is increased, if there aren't enough signatures or can be invalid because
// the threshold is 0
func (m *MetadataSwizzler) SetThreshold(role string, newThreshold int) error {
roleSpecifier := data.CanonicalRootRole
if data.IsDelegation(role) {
roleSpecifier = path.Dir(role)
}
b, err := m.MetadataCache.GetSized(roleSpecifier, store.NoSizeLimit)
if err != nil {
return err
}
signedThing := &data.Signed{}
if err := json.Unmarshal(b, signedThing); err != nil {
return err
}
if roleSpecifier == data.CanonicalRootRole {
signedRoot, err := data.RootFromSigned(signedThing)
if err != nil {
return err
}
signedRoot.Signed.Roles[role].Threshold = newThreshold
if signedThing, err = signedRoot.ToSigned(); err != nil {
return err
}
} else {
signedTargets, err := data.TargetsFromSigned(signedThing, roleSpecifier)
if err != nil {
return err
}
for _, roleObject := range signedTargets.Signed.Delegations.Roles {
if roleObject.Name == role {
roleObject.Threshold = newThreshold
break
}
}
if signedThing, err = signedTargets.ToSigned(); err != nil {
return err
}
}
var metaBytes []byte
pubKeys, err := getPubKeys(m.CryptoService, signedThing, roleSpecifier)
if err == nil {
metaBytes, err = serializeMetadata(m.CryptoService, signedThing, roleSpecifier, pubKeys...)
}
if err != nil {
return err
}
return m.MetadataCache.Set(roleSpecifier, metaBytes)
}