From 851f61032a3902bd1d91dc02449de08fd413896a Mon Sep 17 00:00:00 2001
From: Tan Jiang
Date: Fri, 24 Mar 2017 20:05:13 +0800
Subject: [PATCH 1/2] Do not generate new alias each time prepare runs
---
 make/prepare | 24 ++++++++++++++++--------
 1 file changed, 16 insertions(+), 8 deletions(-)
diff --git a/make/prepare b/make/prepare
index 9d26ed54c..c97abff93 100755
--- a/make/prepare
+++ b/make/prepare
@@ -40,20 +40,28 @@ def validate(conf, args):
 raise Exception("Error invalid value for project_creation_restriction: %s" % project_creation)
 def get_secret_key(path):
- key_file = os.path.join(path, "secretkey")
+ secret_key = _get_secret(path, "secretkey")
+ if len(secret_key) != 16:
+ raise Exception("secret key's length has to be 16 chars, current length: %d" % len(secret_key))
+ return secret_key
+
+def get_alias(path):
+ alias = _get_secret(path, "defaultalias", length=8)
+ return alias
+
+def _get_secret(folder, filename, length=16):
+ key_file = os.path.join(folder, filename)
 if os.path.isfile(key_file):
 with open(key_file, 'r') as f:
 key = f.read()
- print("loaded secret key")
- if len(key) != 16:
- raise Exception("secret key's length has to be 16 chars, current length: %d" % len(key))
+ print("loaded secret from file: %s" % key_file)
 return key
- if not os.path.isdir(path):
+ if not os.path.isdir(folder):
 os.makedirs(path, mode=0600)
- key = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(16))
+ key = ''.join(random.choice(string.ascii_letters+string.digits) for i in range(length))
 with open(key_file, 'w') as f:
 f.write(key)
- print("generated and saved secret key")
+ print("Generated and saved secret to file: %s" % key_file)
 return key
 def prep_conf_dir(root, name):
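Review bot: `_get_secret` still runs `os.makedirs(path, mode=0600)` on the unchanged context line, but its parameter is now `folder`, so the first run on a host without the secret directory raises NameError (unless a module-level `path` exists outside this hunk) — change it to `os.makedirs(folder, mode=0600)`. Both the secret key and the new persisted alias are drawn with `random.choice` from the non-cryptographic `random` module; since `_get_secret` now generates every on-disk secret, use `random.SystemRandom().choice(string.ascii_letters+string.digits)` so the values come from the OS CSPRNG. The new file is written with the process umask rather than an explicit mode, so add `os.chmod(key_file, 0600)` after the write (or create it via `os.open(key_file, os.O_WRONLY | os.O_CREAT, 0600)`) to keep the secret from being world-readable. The value read back is `f.read()` unstripped, so a trailing newline in a hand-edited key file fails the 16-char check in `get_secret_key` and silently becomes part of the alias in `get_alias`; a `.strip()` on the loaded value, or a comment documenting that the file must contain no newline, would avoid that surprise.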
@@ -343,7 +351,7 @@ if args.notary_mode:
 shutil.copy2(os.path.join(templates_dir, "nginx", "notary.upstream.conf"), nginx_conf_d)
 shutil.copy2(os.path.join(templates_dir, "nginx", "notary.server.conf"), nginx_conf_d)
- default_alias = ''.join(random.choice(string.ascii_letters) for i in range(8))
+ default_alias = get_alias(secretkey_path)
 render(os.path.join(notary_temp_dir, "signer_env"), os.path.join(notary_config_dir, "signer_env"), alias = default_alias)
 FNULL.close()
From 5e2598028fcb429f1c12e4d3764f7c799306cd58 Mon Sep 17 00:00:00 2001
From: Tan Jiang
Date: Sat, 25 Mar 2017 17:00:26 +0800
Subject: [PATCH 2/2] remove root.json after getting the targets
---
 src/common/utils/notary/helper.go | 8 ++++++++
 1 file changed, 8 insertions(+)
diff --git a/src/common/utils/notary/helper.go b/src/common/utils/notary/helper.go
index 0c6be9fc6..3430d7b63 100644
--- a/src/common/utils/notary/helper.go
+++ b/src/common/utils/notary/helper.go
@@ -16,6 +16,8 @@ package notary
 import (
+ "os"
+ "path"
 "strings"
 "github.com/docker/notary"
@@ -74,6 +76,12 @@ func GetTargets(notaryEndpoint string, username string, fqRepo string) ([]Target
 } else if err != nil {
 return res, err
 }
+ //Remove root.json such that when remote repository is removed the local cache can't be reused.
+ rootJSON := path.Join(notaryCachePath, "tuf", fqRepo, "metadata/root.json")
+ rmErr := os.Remove(rootJSON)
+ if rmErr != nil {
+ log.Warningf("Failed to clear cached root.json: %s, error: %v, when repo is removed from notary the signature status maybe incorrect")
+ }
 for _, t := range targets {
 res = append(res, Target{t.Name, t.Hashes})
 }
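Review bot: `get_alias(secretkey_path)` hands back whatever `_get_secret` reads from the `defaultalias` file without the length check that `get_secret_key` applies to the secret key, so a stale or hand-edited file (one with a trailing newline, for instance) is rendered into `signer_env` as-is; mirror the check, e.g. `if len(default_alias) != 8: raise Exception("alias length has to be 8 chars")`, or strip the value before use. The persisted alias is also drawn from `string.ascii_letters+string.digits`, whereas the line being replaced used `string.ascii_letters` only; if the alias feeds an environment-variable name in the `signer_env` template, confirm that digits are acceptable there. Existing deployments will have no `defaultalias` file and so get a fresh alias on the next run, which is the same behaviour as before for that one run; a comment saying the alias is pinned from that point on would help operators. The enclosing `if args.notary_mode:` block starts before this hunk.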
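Review bot: The new `log.Warningf` call contains `%s` and `%v` verbs but passes no arguments, so `go vet` rejects it and the message prints `%!s(MISSING)` instead of the path and error; pass them: `log.Warningf("Failed to clear cached root.json: %s, error: %v, when repo is removed from notary the signature status maybe incorrect", rootJSON, rmErr)`. `os.Remove` also errors whenever the file is already absent, which will be the normal case on repeat calls, so guard with `if rmErr != nil && !os.IsNotExist(rmErr) {` to keep the warning meaningful. `notaryCachePath` is a filesystem location, so `filepath.Join(notaryCachePath, "tuf", fqRepo, "metadata", "root.json")` (swapping the `"path"` import for `"path/filepath"`) is the right helper, and `fqRepo` should be known to contain no `..` segments before it is spliced into a path that is then deleted — I cannot confirm that from this hunk. Deleting the cached root.json on every call also discards the locally pinned TUF root, so the next fetch re-trusts whatever root the notary endpoint serves; unless trust pinning is configured elsewhere, a compromised server could substitute its own root keys, and that trade-off deserves a comment such as `// NOTE: removing root.json also drops the locally pinned TUF root; each call re-trusts the server's root.`. `GetTargets` begins and ends outside this hunk.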