Send push information to trust code out-of-band

The trust code used to parse the console output of `docker push` to extract the digest, tag, and size information and determine what to sign. This is fragile and might give an attacker control over what gets signed if the attacker can find a way to influence what gets printed as part of the push output. This commit sends the push metadata out-of-band. It introduces an `Aux` field in JSONMessage that can carry application-specific data alongside progress updates. Instead of parsing formatted output, the client looks in this field to get the digest, size, and tag from the push. Signed-off-by: Aaron Lehmann <aaron.lehmann@docker.com>
2015-12-21 15:02:44 -08:00 · 2015-12-21 15:02:44 -08:00 · 1fe4441875
commit 1fe4441875
parent 486bca6d94
5 changed files with 36 additions and 7 deletions
--- a/jsonmessage/jsonmessage.go
+++ b/jsonmessage/jsonmessage.go
@ -102,6 +102,8 @@ type JSONMessage struct {
 	TimeNano        int64         `json:"timeNano,omitempty"`
 	Error           *JSONError    `json:"errorDetail,omitempty"`
 	ErrorMessage    string        `json:"error,omitempty"` //deprecated
+	// Aux contains out-of-band data, such as digests for push signing.
+	Aux *json.RawMessage `json:"aux,omitempty"`
 }

 // Display displays the JSONMessage to `out`. `isTerminal` describes if `out`
@ -148,7 +150,7 @@ func (jm *JSONMessage) Display(out io.Writer, isTerminal bool) error {
 // DisplayJSONMessagesStream displays a json message stream from `in` to `out`, `isTerminal`
 // describes if `out` is a terminal. If this is the case, it will print `\n` at the end of
 // each line and move the cursor while displaying.
-func DisplayJSONMessagesStream(in io.Reader, out io.Writer, terminalFd uintptr, isTerminal bool) error {
+func DisplayJSONMessagesStream(in io.Reader, out io.Writer, terminalFd uintptr, isTerminal bool, auxCallback func(*json.RawMessage)) error {
 	var (
 		dec = json.NewDecoder(in)
 		ids = make(map[string]int)
@ -163,6 +165,13 @@ func DisplayJSONMessagesStream(in io.Reader, out io.Writer, terminalFd uintptr,
 			return err
 		}

+		if jm.Aux != nil {
+			if auxCallback != nil {
+				auxCallback(jm.Aux)
+			}
+			continue
+		}
+
 		if jm.Progress != nil {
 			jm.Progress.terminalFd = terminalFd
 		}
--- a/jsonmessage/jsonmessage_test.go
+++ b/jsonmessage/jsonmessage_test.go
@ -168,7 +168,7 @@ func TestDisplayJSONMessagesStreamInvalidJSON(t *testing.T) {
 	reader := strings.NewReader("This is not a 'valid' JSON []")
 	inFd, _ = term.GetFdInfo(reader)

-	if err := DisplayJSONMessagesStream(reader, data, inFd, false); err == nil && err.Error()[:17] != "invalid character" {
+	if err := DisplayJSONMessagesStream(reader, data, inFd, false, nil); err == nil && err.Error()[:17] != "invalid character" {
 		t.Fatalf("Should have thrown an error (invalid character in ..), got [%v]", err)
 	}
 }
@ -210,7 +210,7 @@ func TestDisplayJSONMessagesStream(t *testing.T) {
 		inFd, _ = term.GetFdInfo(reader)

 		// Without terminal
-		if err := DisplayJSONMessagesStream(reader, data, inFd, false); err != nil {
+		if err := DisplayJSONMessagesStream(reader, data, inFd, false, nil); err != nil {
 			t.Fatal(err)
 		}
 		if data.String() != expectedMessages[0] {
@ -220,7 +220,7 @@ func TestDisplayJSONMessagesStream(t *testing.T) {
 		// With terminal
 		data = bytes.NewBuffer([]byte{})
 		reader = strings.NewReader(jsonMessage)
-		if err := DisplayJSONMessagesStream(reader, data, inFd, true); err != nil {
+		if err := DisplayJSONMessagesStream(reader, data, inFd, true, nil); err != nil {
 			t.Fatal(err)
 		}
 		if data.String() != expectedMessages[1] {