trust: move signer and key commands down one level

Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
Riyaz Faizullabhoy 2017-10-09 10:44:52 -07:00
parent 4e797eaa04
commit 532d223db4
12 changed files with 94 additions and 52 deletions


@ -18,10 +18,8 @@ func NewTrustCommand(dockerCli command.Cli) *cobra.Command {
newViewCommand(dockerCli), newViewCommand(dockerCli),
newRevokeCommand(dockerCli), newRevokeCommand(dockerCli),
newSignCommand(dockerCli), newSignCommand(dockerCli),
newKeyGenerateCommand(dockerCli), newTrustKeyCommand(dockerCli),
newKeyLoadCommand(dockerCli), newTrustSignerCommand(dockerCli),
newSignerAddCommand(dockerCli),
newSignerRemoveCommand(dockerCli),
) )
return cmd return cmd
} }
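Review bot: The hyphenated entry points `key-generate`, `key-load`, `signer-add` and `signer-remove` disappear from the top-level `trust` command in this hunk with no alias or deprecation path, so an invocation of the old form now fails as an unknown command instead of pointing at `trust key ...` / `trust signer ...`. Since every affected subcommand is labelled experimental in its `Short` text that is probably acceptable, but a sentence in the commit description stating that the old forms are intentionally removed (and that `docker trust signer add` replaces the string users were told to run in the key-load error) would make the intent explicit for anyone bisecting a broken script. `NewTrustCommand` starts outside the hunk.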

cli/command/trust/key.go Normal file

@ -0,0 +1,22 @@
package trust
import (
"github.com/docker/cli/cli"
"github.com/docker/cli/cli/command"
"github.com/spf13/cobra"
)
// newTrustKeyCommand returns a cobra command for `trust key` subcommands
func newTrustKeyCommand(dockerCli command.Streams) *cobra.Command {
cmd := &cobra.Command{
Use: "key",
Short: "Manage keys for signing Docker images (experimental)",
Args: cli.NoArgs,
RunE: command.ShowHelp(dockerCli.Err()),
}
cmd.AddCommand(
newKeyGenerateCommand(dockerCli),
newKeyLoadCommand(dockerCli),
)
return cmd
}
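Review bot: `newTrustKeyCommand` (and the parallel `newTrustSignerCommand` in signer.go) carries the experimental status only in its `Short` text; if the CLI gates experimental commands through cobra `Annotations` on the parent `trust` command, which is not visible here, the two new intermediate commands should carry the same annotation so that `docker trust key` and `docker trust signer` are hidden or rejected consistently with their children — worth confirming against `NewTrustCommand`. The doc comment would also be more useful if it stated that the command has no action of its own, e.g. `// newTrustKeyCommand returns the parent command for "trust key"; it only groups generate/load and prints help when run without a subcommand.` The same wording applies to the comment in signer.go.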


@ -21,7 +21,7 @@ import (
func newKeyGenerateCommand(dockerCli command.Streams) *cobra.Command { func newKeyGenerateCommand(dockerCli command.Streams) *cobra.Command {
cmd := &cobra.Command{ cmd := &cobra.Command{
Use: "key-generate NAME [NAME...]", Use: "generate NAME [NAME...]",
Short: "Generate and load a signing key-pair", Short: "Generate and load a signing key-pair",
Args: cli.ExactArgs(1), Args: cli.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error { RunE: func(cmd *cobra.Command, args []string) error {


@ -28,7 +28,7 @@ type keyLoadOptions struct {
func newKeyLoadCommand(dockerCli command.Streams) *cobra.Command { func newKeyLoadCommand(dockerCli command.Streams) *cobra.Command {
var options keyLoadOptions var options keyLoadOptions
cmd := &cobra.Command{ cmd := &cobra.Command{
Use: "key-load [OPTIONS] KEY", Use: "load [OPTIONS] KEY",
Short: "Load a private key file for signing", Short: "Load a private key file for signing",
Args: cli.ExactArgs(1), Args: cli.ExactArgs(1),
RunE: func(cmd *cobra.Command, args []string) error { RunE: func(cmd *cobra.Command, args []string) error {
@ -79,7 +79,7 @@ func loadPrivKeyFromPath(privKeyImporters []utils.Importer, keyPath, keyName str
return err return err
} }
if _, _, err := tufutils.ExtractPrivateKeyAttributes(keyBytes); err != nil { if _, _, err := tufutils.ExtractPrivateKeyAttributes(keyBytes); err != nil {
return fmt.Errorf("provided file %s is not a supported private key - to add a signer's public key use docker trust signer-add", keyPath) return fmt.Errorf("provided file %s is not a supported private key - to add a signer's public key use docker trust signer add", keyPath)
} }
// Rewind the file pointer // Rewind the file pointer
if _, err := from.Seek(0, 0); err != nil { if _, err := from.Seek(0, 0); err != nil {


@ -204,5 +204,5 @@ func TestLoadPubKeyFailure(t *testing.T) {
// import the key to our keyStorageDir - it should fail // import the key to our keyStorageDir - it should fail
err = loadPrivKeyFromPath(privKeyImporters, pubKeyFilepath, "signer", cannedPasswordRetriever) err = loadPrivKeyFromPath(privKeyImporters, pubKeyFilepath, "signer", cannedPasswordRetriever)
assert.Error(t, err) assert.Error(t, err)
assert.Contains(t, fmt.Sprintf("provided file %s is not a supported private key - to add a signer's public key use docker trust signer-add", pubKeyFilepath), err.Error()) assert.Contains(t, fmt.Sprintf("provided file %s is not a supported private key - to add a signer's public key use docker trust signer add", pubKeyFilepath), err.Error())
} }


@ -0,0 +1,22 @@
package trust
import (
"github.com/docker/cli/cli"
"github.com/docker/cli/cli/command"
"github.com/spf13/cobra"
)
// newTrustSignerCommand returns a cobra command for `trust signer` subcommands
func newTrustSignerCommand(dockerCli command.Cli) *cobra.Command {
cmd := &cobra.Command{
Use: "signer",
Short: "Manage entities who can sign Docker images (experimental)",
Args: cli.NoArgs,
RunE: command.ShowHelp(dockerCli.Err()),
}
cmd.AddCommand(
newSignerAddCommand(dockerCli),
newSignerRemoveCommand(dockerCli),
)
return cmd
}


@ -30,7 +30,7 @@ type signerAddOptions struct {
func newSignerAddCommand(dockerCli command.Cli) *cobra.Command { func newSignerAddCommand(dockerCli command.Cli) *cobra.Command {
var options signerAddOptions var options signerAddOptions
cmd := &cobra.Command{ cmd := &cobra.Command{
Use: "signer-add [OPTIONS] NAME IMAGE [IMAGE...] ", Use: "add [OPTIONS] NAME IMAGE [IMAGE...] ",
Short: "Add a signer", Short: "Add a signer",
Args: cli.RequiresMinArgs(2), Args: cli.RequiresMinArgs(2),
RunE: func(cmd *cobra.Command, args []string) error { RunE: func(cmd *cobra.Command, args []string) error {


@ -23,7 +23,7 @@ type signerRemoveOptions struct {
func newSignerRemoveCommand(dockerCli command.Cli) *cobra.Command { func newSignerRemoveCommand(dockerCli command.Cli) *cobra.Command {
options := signerRemoveOptions{} options := signerRemoveOptions{}
cmd := &cobra.Command{ cmd := &cobra.Command{
Use: "signer-remove [OPTIONS] NAME IMAGE [IMAGE...]", Use: "remove [OPTIONS] NAME IMAGE [IMAGE...]",
Short: "Remove a signer", Short: "Remove a signer",
Args: cli.RequiresMinArgs(2), Args: cli.RequiresMinArgs(2),
RunE: func(cmd *cobra.Command, args []string) error { RunE: func(cmd *cobra.Command, args []string) error {


@ -1,6 +1,6 @@
--- ---
title: "key-generate" title: "key generate"
description: "The key-generate command description and usage" description: "The key generate command description and usage"
keywords: "Key, notary, trust" keywords: "Key, notary, trust"
--- ---
@ -13,10 +13,10 @@ keywords: "Key, notary, trust"
will be rejected. will be rejected.
--> -->
# trust key-generate # trust key generate
```markdown ```markdown
Usage: docker trust key-generate NAME Usage: docker trust key generate NAME
Generate and load a signing key-pair Generate and load a signing key-pair
@ -24,17 +24,17 @@ Generate and load a signing key-pair
## Description ## Description
`docker trust key-generate` generates a key-pair to be used with signing, `docker trust key generate` generates a key-pair to be used with signing,
and loads the private key into the local docker trust keystore. and loads the private key into the local docker trust keystore.
`docker trust key-generate` is currently experimental. `docker trust key generate` is currently experimental.
## Examples ## Examples
### Generate a key-pair ### Generate a key-pair
```bash ```bash
$ docker trust key-generate alice $ docker trust key generate alice
Generating key for alice... Generating key for alice...
Enter passphrase for new alice key with ID 17acf3c: Enter passphrase for new alice key with ID 17acf3c:
@ -49,4 +49,4 @@ The private signing key is encrypted by the passphrase and loaded into the docke
All passphrase requests to sign with the key will be referred to by the provided `NAME`. All passphrase requests to sign with the key will be referred to by the provided `NAME`.
The public key component `alice.pub` will be available in the current working directory, and can The public key component `alice.pub` will be available in the current working directory, and can
be used directly by `docker trust signer-add`. be used directly by `docker trust signer add`.


@ -1,6 +1,6 @@
--- ---
title: "key-load" title: "key load"
description: "The key-load command description and usage" description: "The key load command description and usage"
keywords: "Key, notary, trust" keywords: "Key, notary, trust"
--- ---
@ -13,10 +13,10 @@ keywords: "Key, notary, trust"
will be rejected. will be rejected.
--> -->
# trust key-load # trust key load
```markdown ```markdown
Usage: docker trust key-load [OPTIONS] KEY Usage: docker trust key load [OPTIONS] KEY
Load a signing key Load a signing key
@ -24,9 +24,9 @@ Load a signing key
## Description ## Description
`docker trust key-load` adds private keys to the local docker trust keystore. To add a signer to a repository use `docker trust signer-add`. `docker trust key load` adds private keys to the local docker trust keystore. To add a signer to a repository use `docker trust signer add`.
`docker trust key-load` is currently experimental. `docker trust key load` is currently experimental.
## Examples ## Examples
@ -35,7 +35,7 @@ Load a signing key
For a private key `alice.pem` with permissions `-rw-------` For a private key `alice.pem` with permissions `-rw-------`
```bash ```bash
$ docker trust key-load alice.pem $ docker trust key load alice.pem
Loading key from "alice.pem"... Loading key from "alice.pem"...
Enter passphrase for new signer key with ID f8097df: Enter passphrase for new signer key with ID f8097df:
@ -46,7 +46,7 @@ Successfully imported key from alice.pem
to specify a name use the `--name` flag to specify a name use the `--name` flag
```bash ```bash
$ docker trust key-load --name alice-key alice.pem $ docker trust key load --name alice-key alice.pem
Loading key from "alice.pem"... Loading key from "alice.pem"...
Enter passphrase for new alice-key key with ID f8097df: Enter passphrase for new alice-key key with ID f8097df:


@ -1,6 +1,6 @@
--- ---
title: "signer-add" title: "signer add"
description: "The signer-add command description and usage" description: "The signer add command description and usage"
keywords: "signer, notary, trust" keywords: "signer, notary, trust"
--- ---
@ -13,10 +13,10 @@ keywords: "signer, notary, trust"
will be rejected. will be rejected.
--> -->
# trust signer-add # trust signer add
```markdown ```markdown
Usage: docker trust signer-add [OPTIONS] NAME IMAGE [IMAGE...] Usage: docker trust signer add [OPTIONS] NAME IMAGE [IMAGE...]
Add a signer to one or more repositories Add a signer to one or more repositories
@ -24,9 +24,9 @@ Add a signer to one or more repositories
## Description ## Description
`docker trust signer-add` adds signers to signed repositories. `docker trust signer add` adds signers to signed repositories.
`docker trust signer-add` is currently experimental. `docker trust signer add` is currently experimental.
## Examples ## Examples
@ -50,10 +50,10 @@ Repository Key: 642692c14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949 Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
``` ```
Add `alice` with `docker trust signer-add`: Add `alice` with `docker trust signer add`:
```bash ```bash
$ docker trust signer-add alice example/trust-demo --key alice.crt $ docker trust signer add alice example/trust-demo --key alice.crt
Adding signer "alice" to example/trust-demo... Adding signer "alice" to example/trust-demo...
Enter passphrase for repository key with ID 642692c: Enter passphrase for repository key with ID 642692c:
@ -81,7 +81,7 @@ Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
## Initialize a new repo and add a signer ## Initialize a new repo and add a signer
When adding a signer on a repo for the first time, `docker trust signer-add` sets up a new repo if it doesn't exist. When adding a signer on a repo for the first time, `docker trust signer add` sets up a new repo if it doesn't exist.
```bash ```bash
$ docker trust inspect example/trust-demo $ docker trust inspect example/trust-demo
@ -89,7 +89,7 @@ No signatures or cannot access example/trust-demo
``` ```
```bash ```bash
$ docker trust signer-add alice example/trust-demo --key alice.crt $ docker trust signer add alice example/trust-demo --key alice.crt
Initializing signed repository for example/trust-demo... Initializing signed repository for example/trust-demo...
Enter passphrase for root key with ID 748121c: Enter passphrase for root key with ID 748121c:
Enter passphrase for new repository key with ID 95b9e55: Enter passphrase for new repository key with ID 95b9e55:
@ -149,10 +149,10 @@ Administrative keys for example/trust-demo2:
Repository Key: ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d9268 Repository Key: ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d9268
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949 Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
``` ```
Add `alice` to both repositories with a single `docker trust signer-add` command: Add `alice` to both repositories with a single `docker trust signer add` command:
```bash ```bash
$ docker trust signer-add alice example/trust-demo example/trust-demo2 -k alice.crt $ docker trust signer add alice example/trust-demo example/trust-demo2 -k alice.crt
Adding signer "alice" to example/trust-demo... Adding signer "alice" to example/trust-demo...
Enter passphrase for repository key with ID 95b9e55: Enter passphrase for repository key with ID 95b9e55:
@ -197,10 +197,10 @@ Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
``` ```
`docker trust signer-add` adds signers to repositories on a best effort basis, so it will continue to add the signer to subsequent repositories if one attempt fails: `docker trust signer add` adds signers to repositories on a best effort basis, so it will continue to add the signer to subsequent repositories if one attempt fails:
```bash ```bash
$ docker trust signer-add alice example/unauthorized example/authorized -k alice.crt $ docker trust signer add alice example/unauthorized example/authorized -k alice.crt
Adding signer "alice" to example/unauthorized... Adding signer "alice" to example/unauthorized...
you are not authorized to perform this operation: server returned 401. you are not authorized to perform this operation: server returned 401.


@ -1,6 +1,6 @@
--- ---
title: "signer-remove" title: "signer remove"
description: "The signer-remove command description and usage" description: "The signer remove command description and usage"
keywords: "signer, notary, trust" keywords: "signer, notary, trust"
--- ---
@ -13,10 +13,10 @@ keywords: "signer, notary, trust"
will be rejected. will be rejected.
--> -->
# trust signer-remove # trust signer remove
```markdown ```markdown
Usage: docker trust signer-remove [OPTIONS] NAME IMAGE [IMAGE...] Usage: docker trust signer remove [OPTIONS] NAME IMAGE [IMAGE...]
Remove a signer from one or more repositories Remove a signer from one or more repositories
@ -24,9 +24,9 @@ Remove a signer from one or more repositories
## Description ## Description
`docker trust signer-remove` removes signers from signed repositories. `docker trust signer remove` removes signers from signed repositories.
`docker trust signer-remove` is currently experimental. `docker trust signer remove` is currently experimental.
## Examples ## Examples
@ -51,10 +51,10 @@ Repository Key: ecc457614c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4555b3c6ab02f71e
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949 Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
``` ```
Remove `alice` with `docker trust signer-remove`: Remove `alice` with `docker trust signer remove`:
```bash ```bash
$ docker trust signer-remove alice example/trust-demo $ docker trust signer remove alice example/trust-demo
Enter passphrase for repository key with ID 642692c: Enter passphrase for repository key with ID 642692c:
Successfully removed alice from example/trust-demo Successfully removed alice from example/trust-demo
@ -112,10 +112,10 @@ Administrative keys for example/trust-demo2:
Repository Key: ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d9268 Repository Key: ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d9268
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949 Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
``` ```
Remove `alice` from both images with a single `docker trust signer-remove` command: Remove `alice` from both images with a single `docker trust signer remove` command:
```bash ```bash
$ docker trust signer-remove alice example/trust-demo example/trust-demo2 $ docker trust signer remove alice example/trust-demo example/trust-demo2
Enter passphrase for repository key with ID 95b9e55: Enter passphrase for repository key with ID 95b9e55:
Successfully removed alice from example/trust-demo Successfully removed alice from example/trust-demo
Enter passphrase for repository key with ID ece554f: Enter passphrase for repository key with ID ece554f:
@ -151,10 +151,10 @@ Repository Key: ece554f14c9fc399da523a5f4e24fe306a0a6ee1cc79a10e4553d2ab20a8d926
Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949 Root Key: 3cb2228f6561e58f46dbc4cda4fcaff9d5ef22e865a94636f82450d1d2234949
``` ```
`docker trust signer-remove` removes signers to repositories on a best effort basis, so it will continue to remove the signer from subsequent repositories if one attempt fails: `docker trust signer remove` removes signers to repositories on a best effort basis, so it will continue to remove the signer from subsequent repositories if one attempt fails:
```bash ```bash
$ docker trust signer-remove alice example/unauthorized example/authorized $ docker trust signer remove alice example/unauthorized example/authorized
Removing signer "alice" from image example/unauthorized... Removing signer "alice" from image example/unauthorized...
No signer alice for image example/unauthorized No signer alice for image example/unauthorized