From 2e694dd3f0f15f77025797b20e884e7be90779f3 Mon Sep 17 00:00:00 2001
From: Joseph Schorr <josephschorr@users.noreply.github.com>
Date: Mon, 28 Sep 2015 15:43:20 -0400
Subject: [PATCH] Move Docker V2 key to be loaded from file or generated on
 server load

Fixes #394
---
 app.py                   | 11 +++++++++++
 endpoints/v2/manifest.py | 12 +++---------
 2 files changed, 14 insertions(+), 9 deletions(-)

diff --git a/app.py b/app.py
index f00d9d559..0bf65d5e7 100644
--- a/app.py
+++ b/app.py
@@ -8,6 +8,8 @@ from flask.ext.principal import Principal
 from flask.ext.login import LoginManager, UserMixin
 from flask.ext.mail import Mail
 from werkzeug.routing import BaseConverter
+from jwkest.jwk import RSAKey
+from Crypto.PublicKey import RSA
 
 import features
 
@@ -42,6 +44,8 @@ OVERRIDE_CONFIG_PY_FILENAME = 'conf/stack/config.py'
 
 OVERRIDE_CONFIG_KEY = 'QUAY_OVERRIDE_CONFIG'
 
+DOCKER_V2_SIGNINGKEY_FILENAME = 'docker_v2.pem'
+
 app = Flask(__name__)
 logger = logging.getLogger(__name__)
 
@@ -154,6 +158,13 @@ dockerfile_build_queue = WorkQueue(app.config['DOCKERFILE_BUILD_QUEUE_NAME'], tf
                                    reporter=MetricQueueReporter(metric_queue))
 notification_queue = WorkQueue(app.config['NOTIFICATION_QUEUE_NAME'], tf, metric_queue=metric_queue)
 
+# Check for a key in config. If none found, generate a new signing key for Docker V2 manifests.
+_v2_key_path = os.path.join(OVERRIDE_CONFIG_DIRECTORY, DOCKER_V2_SIGNINGKEY_FILENAME)
+if os.path.exists(_v2_key_path):
+  docker_v2_signing_key = RSAKey().load(_v2_key_path)
+else:
+  docker_v2_signing_key = RSAKey(key=RSA.generate(2048))
+
 database.configure(app.config)
 model.config.app_config = app.config
 model.config.store = storage
diff --git a/endpoints/v2/manifest.py b/endpoints/v2/manifest.py
index b927c82d4..e6202ebae 100644
--- a/endpoints/v2/manifest.py
+++ b/endpoints/v2/manifest.py
@@ -9,11 +9,9 @@ import json
 from flask import make_response, request, url_for
 from collections import namedtuple, OrderedDict
 from jwkest.jws import SIGNER_ALGS
-from jwkest.jwk import RSAKey
-from Crypto.PublicKey import RSA
 from datetime import datetime
 
-from app import storage
+from app import storage, docker_v2_signing_key
 from auth.jwt_auth import process_jwt_auth
 from endpoints.decorators import anon_protect
 from endpoints.v2 import v2_bp, require_repo_read, require_repo_write
@@ -332,12 +330,8 @@ def _generate_and_store_manifest(namespace, repo_name, tag_name):
   for parent in parents:
     builder.add_layer(parent.storage.checksum, __get_and_backfill_image_metadata(parent))
 
-  # TODO, stop generating a new key every time we sign a manifest, publish our key
-  new_key = RSA.generate(2048)
-  jwk = RSAKey(key=new_key)
-
-  manifest = builder.build(jwk)
-
+  # Sign the manifest with our signing key.
+  manifest = builder.build(docker_v2_signing_key)
   manifest_row = model.tag.associate_generated_tag_manifest(namespace, repo_name, tag_name,
                                                             manifest.digest, manifest.bytes)