2016-11-22 19:32:10 +00:00
|
|
|
// Policy evaluation for prSignedBy.
|
|
|
|
|
|
|
|
|
|
package signature
|
|
|
|
|
|
|
|
|
|
import (
|
|
|
|
|
"fmt"
|
|
|
|
|
"io/ioutil"
|
|
|
|
|
"os"
|
|
|
|
|
"strings"
|
|
|
|
|
|
2016-10-17 13:53:40 +00:00
|
|
|
"github.com/pkg/errors"
|
|
|
|
|
|
2016-11-22 19:32:10 +00:00
|
|
|
"github.com/containers/image/manifest"
|
|
|
|
|
"github.com/containers/image/types"
|
2016-10-17 13:53:40 +00:00
|
|
|
"github.com/opencontainers/go-digest"
|
2016-11-22 19:32:10 +00:00
|
|
|
)
|
|
|
|
|
|
|
|
|
|
func (pr *prSignedBy) isSignatureAuthorAccepted(image types.UnparsedImage, sig []byte) (signatureAcceptanceResult, *Signature, error) {
|
|
|
|
|
switch pr.KeyType {
|
|
|
|
|
case SBKeyTypeGPGKeys:
|
|
|
|
|
case SBKeyTypeSignedByGPGKeys, SBKeyTypeX509Certificates, SBKeyTypeSignedByX509CAs:
|
|
|
|
|
// FIXME? Reject this at policy parsing time already?
|
2016-10-17 13:53:40 +00:00
|
|
|
return sarRejected, nil, errors.Errorf(`"Unimplemented "keyType" value "%s"`, string(pr.KeyType))
|
2016-11-22 19:32:10 +00:00
|
|
|
default:
|
|
|
|
|
// This should never happen, newPRSignedBy ensures KeyType.IsValid()
|
2016-10-17 13:53:40 +00:00
|
|
|
return sarRejected, nil, errors.Errorf(`"Unknown "keyType" value "%s"`, string(pr.KeyType))
|
2016-11-22 19:32:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if pr.KeyPath != "" && pr.KeyData != nil {
|
|
|
|
|
return sarRejected, nil, errors.New(`Internal inconsistency: both "keyPath" and "keyData" specified`)
|
|
|
|
|
}
|
|
|
|
|
// FIXME: move this to per-context initialization
|
|
|
|
|
var data []byte
|
|
|
|
|
if pr.KeyData != nil {
|
|
|
|
|
data = pr.KeyData
|
|
|
|
|
} else {
|
|
|
|
|
d, err := ioutil.ReadFile(pr.KeyPath)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return sarRejected, nil, err
|
|
|
|
|
}
|
|
|
|
|
data = d
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// FIXME: move this to per-context initialization
|
|
|
|
|
dir, err := ioutil.TempDir("", "skopeo-signedBy-")
|
|
|
|
|
if err != nil {
|
|
|
|
|
return sarRejected, nil, err
|
|
|
|
|
}
|
|
|
|
|
defer os.RemoveAll(dir)
|
|
|
|
|
mech, err := newGPGSigningMechanismInDirectory(dir)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return sarRejected, nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
trustedIdentities, err := mech.ImportKeysFromBytes(data)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return sarRejected, nil, err
|
|
|
|
|
}
|
|
|
|
|
if len(trustedIdentities) == 0 {
|
|
|
|
|
return sarRejected, nil, PolicyRequirementError("No public keys imported")
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
signature, err := verifyAndExtractSignature(mech, sig, signatureAcceptanceRules{
|
|
|
|
|
validateKeyIdentity: func(keyIdentity string) error {
|
|
|
|
|
for _, trustedIdentity := range trustedIdentities {
|
|
|
|
|
if keyIdentity == trustedIdentity {
|
|
|
|
|
return nil
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
// Coverage: We use a private GPG home directory and only import trusted keys, so this should
|
|
|
|
|
// not be reachable.
|
|
|
|
|
return PolicyRequirementError(fmt.Sprintf("Signature by key %s is not accepted", keyIdentity))
|
|
|
|
|
},
|
|
|
|
|
validateSignedDockerReference: func(ref string) error {
|
|
|
|
|
if !pr.SignedIdentity.matchesDockerReference(image, ref) {
|
|
|
|
|
return PolicyRequirementError(fmt.Sprintf("Signature for identity %s is not accepted", ref))
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
validateSignedDockerManifestDigest: func(digest digest.Digest) error {
|
|
|
|
|
m, _, err := image.Manifest()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
digestMatches, err := manifest.MatchesDigest(m, digest)
|
|
|
|
|
if err != nil {
|
|
|
|
|
return err
|
|
|
|
|
}
|
|
|
|
|
if !digestMatches {
|
|
|
|
|
return PolicyRequirementError(fmt.Sprintf("Signature for digest %s does not match", digest))
|
|
|
|
|
}
|
|
|
|
|
return nil
|
|
|
|
|
},
|
|
|
|
|
})
|
|
|
|
|
if err != nil {
|
|
|
|
|
return sarRejected, nil, err
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return sarAccepted, signature, nil
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
func (pr *prSignedBy) isRunningImageAllowed(image types.UnparsedImage) (bool, error) {
|
|
|
|
|
sigs, err := image.Signatures()
|
|
|
|
|
if err != nil {
|
|
|
|
|
return false, err
|
|
|
|
|
}
|
|
|
|
|
var rejections []error
|
|
|
|
|
for _, s := range sigs {
|
|
|
|
|
var reason error
|
|
|
|
|
switch res, _, err := pr.isSignatureAuthorAccepted(image, s); res {
|
|
|
|
|
case sarAccepted:
|
|
|
|
|
// One accepted signature is enough.
|
|
|
|
|
return true, nil
|
|
|
|
|
case sarRejected:
|
|
|
|
|
reason = err
|
|
|
|
|
case sarUnknown:
|
|
|
|
|
// Huh?! This should not happen at all; treat it as any other invalid value.
|
|
|
|
|
fallthrough
|
|
|
|
|
default:
|
2016-10-17 13:53:40 +00:00
|
|
|
reason = errors.Errorf(`Internal error: Unexpected signature verification result "%s"`, string(res))
|
2016-11-22 19:32:10 +00:00
|
|
|
}
|
|
|
|
|
rejections = append(rejections, reason)
|
|
|
|
|
}
|
|
|
|
|
var summary error
|
|
|
|
|
switch len(rejections) {
|
|
|
|
|
case 0:
|
|
|
|
|
summary = PolicyRequirementError("A signature was required, but no signature exists")
|
|
|
|
|
case 1:
|
|
|
|
|
summary = rejections[0]
|
|
|
|
|
default:
|
|
|
|
|
var msgs []string
|
|
|
|
|
for _, e := range rejections {
|
|
|
|
|
msgs = append(msgs, e.Error())
|
|
|
|
|
}
|
|
|
|
|
summary = PolicyRequirementError(fmt.Sprintf("None of the signatures were accepted, reasons: %s",
|
|
|
|
|
strings.Join(msgs, "; ")))
|
|
|
|
|
}
|
|
|
|
|
return false, summary
|
|
|
|
|
}
|
