fixed exports, imports and tests for the flattened KS

Signed-off-by: Avi Vaid <[email protected]>

cmd/notary/integration_test.go

@@ -2131,7 +2131,7 @@ func TestClientKeyImport(t *testing.T) {
 	// if there is hardware available, root will only be on hardware, and not
 	// on disk
 	assertNumKeys(t, tempDir, 2, 1, !rootOnHardware())
-	file, err := os.OpenFile(filepath.Join(tempDir, "private", notary.NonRootKeysSubdir, privKey.ID()+".key"), os.O_RDONLY, notary.PrivKeyPerms)
+	file, err := os.OpenFile(filepath.Join(tempDir, notary.PrivDir, privKey.ID()+".key"), os.O_RDONLY, notary.PrivKeyPerms)
 	require.NoError(t, err)
 	filebytes, _ := ioutil.ReadAll(file)
 	require.Contains(t, string(filebytes), ("role: " + notary.DefaultImportRole))
@@ -2162,8 +2162,13 @@ func TestClientKeyImport(t *testing.T) {
 	// if there is hardware available, root will only be on hardware, and not
 	// on disk
 	assertNumKeys(t, tempDir, 2, 2, !rootOnHardware())
-	_, err = os.Open(filepath.Join(tempDir, "private", notary.NonRootKeysSubdir, newKeyID+".key"))
+	_, err = os.Open(filepath.Join(tempDir, "private", newKeyID+".key"))
+	require.NoError(t, err)
+	file, err = os.OpenFile(filepath.Join(tempDir, notary.PrivDir, privKey.ID()+".key"), os.O_RDONLY, notary.PrivKeyPerms)
 	require.NoError(t, err)
+	filebytes, _ = ioutil.ReadAll(file)
+	require.Contains(t, string(filebytes), ("role: " + "somerole"))
+	require.NotContains(t, string(filebytes), ("gun: " + "somegun"))
 
 	// test 5, no path non root role with canonical role and gun flag with unencrypted key
 
@@ -2191,8 +2196,15 @@ func TestClientKeyImport(t *testing.T) {
 	// if there is hardware available, root will only be on hardware, and not
 	// on disk
 	assertNumKeys(t, tempDir, 2, 3, !rootOnHardware())
-	_, err = os.Open(filepath.Join(tempDir, "private", notary.NonRootKeysSubdir, "somegun", newKeyID+".key"))
+	_, err = os.Open(filepath.Join(tempDir, "private", newKeyID+".key"))
+	require.NoError(t, err)
+	_, err = os.Open(filepath.Join(tempDir, "private", newKeyID+".key"))
+	require.NoError(t, err)
+	file, err = os.OpenFile(filepath.Join(tempDir, notary.PrivDir, privKey.ID()+".key"), os.O_RDONLY, notary.PrivKeyPerms)
 	require.NoError(t, err)
+	filebytes, _ = ioutil.ReadAll(file)
+	require.Contains(t, string(filebytes), ("role: " + data.CanonicalSnapshotRole))
+	require.Contains(t, string(filebytes), ("gun: " + "somegun"))
 
 	// test6, no path but role=root included with encrypted key, should fail since we don't know what keyid to save to
 
@@ -2246,8 +2258,14 @@ func TestClientKeyImport(t *testing.T) {
 	// if there is hardware available, root will only be on hardware, and not
 	// on disk
 	assertNumKeys(t, tempDir, 2, 4, !rootOnHardware())
-	_, err = os.Open(filepath.Join(tempDir, "private", notary.NonRootKeysSubdir, newKeyID+".key"))
+	_, err = os.Open(filepath.Join(tempDir, "private", newKeyID+".key"))
+	require.NoError(t, err)
+	_, err = os.Open(filepath.Join(tempDir, "private", newKeyID+".key"))
+	require.NoError(t, err)
+	file, err = os.OpenFile(filepath.Join(tempDir, notary.PrivDir, privKey.ID()+".key"), os.O_RDONLY, notary.PrivKeyPerms)
 	require.NoError(t, err)
+	filebytes, _ = ioutil.ReadAll(file)
+	require.Contains(t, string(filebytes), ("role: " + "somerole"))
 
 	// test 8, non root canonical key with no gun
 
@@ -2374,8 +2392,7 @@ func TestAddDelImportKeyPublishFlow(t *testing.T) {
 	require.NotContains(t, output, "No delegations present in this repository.")
 
 	// remove the targets key to demonstrate that delegates don't need this key
-	keyDir := filepath.Join(tempDir, "private", "tuf_keys")
-	require.NoError(t, os.Remove(filepath.Join(keyDir, "gun", targetKeyID+".key")))
+	require.NoError(t, os.Remove(filepath.Join(tempDir, "private", targetKeyID+".key")))
 
 	// we are now set up with the first part, now import the delegation key- add a target- publish
 
@@ -2417,7 +2434,7 @@ func TestAddDelImportKeyPublishFlow(t *testing.T) {
 	// make sure that it has been imported fine
 	// if there is hardware available, root will only be on hardware, and not
 	// on disk
-	_, err = os.Open(filepath.Join(tempDir, "private", notary.NonRootKeysSubdir, privKey.ID()+".key"))
+	_, err = os.Open(filepath.Join(tempDir, "private", privKey.ID()+".key"))
 	require.NoError(t, err)
 
 	// now try to publish
@@ -2504,7 +2521,7 @@ func TestExportImportFlow(t *testing.T) {
 
 	if !rootOnHardware() {
 		// validate root is imported correctly
-		rootKey, err := os.OpenFile(filepath.Join(newTempDir, "private", notary.RootKeysSubdir, root[0]+".key"), os.O_RDONLY, notary.PrivKeyPerms)
+		rootKey, err := os.OpenFile(filepath.Join(newTempDir, "private", root[0]+".key"), os.O_RDONLY, notary.PrivKeyPerms)
 		require.NoError(t, err)
 		defer rootKey.Close()
 		rootBytes, _ := ioutil.ReadAll(rootKey)
@@ -2515,7 +2532,7 @@ func TestExportImportFlow(t *testing.T) {
 	}
 
 	// validate snapshot is imported correctly
-	snapKey, err := os.OpenFile(filepath.Join(newTempDir, "private", notary.NonRootKeysSubdir, "gun", signing[0]+".key"), os.O_RDONLY, notary.PrivKeyPerms)
+	snapKey, err := os.OpenFile(filepath.Join(newTempDir, "private", signing[0]+".key"), os.O_RDONLY, notary.PrivKeyPerms)
 	require.NoError(t, err)
 	defer snapKey.Close()
 	snapBytes, _ := ioutil.ReadAll(snapKey)
@@ -2524,7 +2541,7 @@ func TestExportImportFlow(t *testing.T) {
 	require.True(t, strings.Contains(snapString, "role: snapshot") || strings.Contains(snapString, "role: target"))
 
 	// validate targets is imported correctly
-	targKey, err := os.OpenFile(filepath.Join(newTempDir, "private", notary.NonRootKeysSubdir, "gun", signing[1]+".key"), os.O_RDONLY, notary.PrivKeyPerms)
+	targKey, err := os.OpenFile(filepath.Join(newTempDir, "private", signing[1]+".key"), os.O_RDONLY, notary.PrivKeyPerms)
 	require.NoError(t, err)
 	defer targKey.Close()
 	targBytes, _ := ioutil.ReadAll(targKey)

cmd/notary/keys_test.go

@@ -556,11 +556,17 @@ func TestExportKeys(t *testing.T) {
 	err = output.Close() // close so export can open
 	require.NoError(t, err)
 
-	b := &pem.Block{}
+	keyHeaders := make(map[string]string)
+	keyHeaders["gun"] = "discworld"
+	b := &pem.Block{
+		Headers: keyHeaders,
+	}
 	b.Bytes = make([]byte, 1000)
 	rand.Read(b.Bytes)
 
-	c := &pem.Block{}
+	c := &pem.Block{
+		Headers: keyHeaders,
+	}
 	c.Bytes = make([]byte, 1000)
 	rand.Read(c.Bytes)
 
@@ -569,9 +575,9 @@ func TestExportKeys(t *testing.T) {
 	require.NoError(t, err)
 
 	fileStore, err := store.NewPrivateKeyFileStorage(tempBaseDir, notary.KeyExtension)
-	err = fileStore.Set(filepath.Join(notary.NonRootKeysSubdir, "discworld/ankh"), bBytes)
+	err = fileStore.Set("discworld/ankh", bBytes)
 	require.NoError(t, err)
-	err = fileStore.Set(filepath.Join(notary.NonRootKeysSubdir, "discworld/morpork"), cBytes)
+	err = fileStore.Set("discworld/morpork", cBytes)
 	require.NoError(t, err)
 
 	err = k.exportKeys(&cobra.Command{}, nil)
@@ -582,12 +588,12 @@ func TestExportKeys(t *testing.T) {
 
 	block, rest := pem.Decode(outRes)
 	require.Equal(t, b.Bytes, block.Bytes)
-	require.Equal(t, filepath.Join(notary.NonRootKeysSubdir, "discworld/ankh"), block.Headers["path"])
+	require.Equal(t, "discworld/ankh", block.Headers["path"])
 	require.Equal(t, "discworld", block.Headers["gun"])
 
 	block, rest = pem.Decode(rest)
 	require.Equal(t, c.Bytes, block.Bytes)
-	require.Equal(t, filepath.Join(notary.NonRootKeysSubdir, "discworld/morpork"), block.Headers["path"])
+	require.Equal(t, "discworld/morpork", block.Headers["path"])
 	require.Equal(t, "discworld", block.Headers["gun"])
 	require.Len(t, rest, 0)
 

tuf/utils/x509_test.go

@@ -125,15 +125,15 @@ func TestKeyOperations(t *testing.T) {
 	require.Equal(t, rsaKey.Private(), decodedRSAKey.Private())
 
 	// Encrypt our ED Key
-	encryptedEDKey, err := EncryptPrivateKey(edKey, data.CanonicalRootRole, "ilove", "ponies")
+	encryptedEDKey, err := EncryptPrivateKey(edKey, data.CanonicalRootRole, "", "ponies")
 	require.NoError(t, err)
 
 	// Encrypt our EC Key
-	encryptedECKey, err := EncryptPrivateKey(ecKey, data.CanonicalRootRole, "ilove", "ponies")
+	encryptedECKey, err := EncryptPrivateKey(ecKey, data.CanonicalRootRole, "", "ponies")
 	require.NoError(t, err)
 
 	// Encrypt our RSA Key
-	encryptedRSAKey, err := EncryptPrivateKey(rsaKey, data.CanonicalRootRole, "ilove", "ponies")
+	encryptedRSAKey, err := EncryptPrivateKey(rsaKey, data.CanonicalRootRole, "", "ponies")
 	require.NoError(t, err)
 
 	// Check to see if ED key it is encrypted

utils/keys.go

@@ -3,7 +3,6 @@ package utils
 import (
 	"encoding/pem"
 	"errors"
-	"fmt"
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/notary"
 	tufdata "github.com/docker/notary/tuf/data"
@@ -67,20 +66,10 @@ func ExportKeys(to io.Writer, s Exporter, from string) error {
 		return err
 	}
 
-	gun := ""
-	if strings.HasPrefix(from, notary.NonRootKeysSubdir) {
-		// trim subdir
-		gun = strings.TrimPrefix(from, notary.NonRootKeysSubdir)
-		// trim filename
-		gun = filepath.Dir(gun)
-		// trim leading and trailing path separator
-		gun = strings.Trim(gun, fmt.Sprintf("%c", filepath.Separator))
-	}
 	// parse PEM blocks if there are more than one
 	for block, rest := pem.Decode(k); block != nil; block, rest = pem.Decode(rest) {
 		// add from path in a header for later import
 		block.Headers["path"] = from
-		block.Headers["gun"] = gun
 		// write serialized PEM
 		err = pem.Encode(to, block)
 		if err != nil {

utils/keys_test.go

@@ -498,19 +498,19 @@ func TestEncryptedKeyImportSuccess(t *testing.T) {
 	originalKey := privKey.Private()
 	require.NoError(t, err)
 
-	pemBytes, err := utils.EncryptPrivateKey(privKey, data.CanonicalSnapshotRole, "", cannedPassphrase)
+	pemBytes, err := utils.EncryptPrivateKey(privKey, data.CanonicalSnapshotRole, "somegun", cannedPassphrase)
 	require.NoError(t, err)
 
 	b, _ := pem.Decode(pemBytes)
-	b.Headers["path"] = filepath.Join(notary.NonRootKeysSubdir, "somegun", "encryptedkey")
+	b.Headers["path"] = privKey.ID()
 	pemBytes = pem.EncodeToMemory(b)
 
 	in := bytes.NewBuffer(pemBytes)
 
 	_ = ImportKeys(in, []Importer{s}, "", "", passphraseRetriever)
 	require.Len(t, s.data, 1)
 
-	keyBytes := s.data[filepath.Join(notary.NonRootKeysSubdir, "somegun", "encryptedkey")]
+	keyBytes := s.data[privKey.ID()]
 
 	bFinal, bRest := pem.Decode(keyBytes)
 	require.Equal(t, "somegun", bFinal.Headers["gun"])