add use of keyfile passphrase

Signed-off-by: Marina Moore <[email protected]>
notaryproject · Nov 29, 2021 · 4fee997 · 4fee997
1 parent f340d7e
commit 4fee997
Show file tree

Hide file tree

Showing 6 changed files with 50 additions and 10 deletions.
diff --git a/go.mod b/go.mod
@@ -63,6 +63,7 @@ require (
 	golang.org/x/net v0.0.0-20210405180319-a5a99cb37ef4 // indirect
 	golang.org/x/sync v0.0.0-20210220032951-036812b2e83c // indirect
 	golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 // indirect
+	golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 // indirect
 	golang.org/x/text v0.3.5 // indirect
 	google.golang.org/genproto v0.0.0-20210602131652-f16073e35f0c // indirect
 	google.golang.org/grpc v1.38.0 // indirect

diff --git a/go.sum b/go.sum
@@ -966,6 +966,7 @@ golang.org/x/sys v0.0.0-20210426230700-d19ff857e887/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1 h1:SrN+KX8Art/Sf4HNj6Zcz06G7VEz+7w9tdXTPOZ7+l4=
 golang.org/x/sys v0.0.0-20210615035016-665e8c7367d1/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
+golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1 h1:v+OssWQX+hTHEmOBgwxdZxK4zHq3yOs8F9J7mk0PY8E=
 golang.org/x/term v0.0.0-20201126162022-7de9c90e9dd1/go.mod h1:bj7SfCRtBDWHUb9snDiAeCFNEtKQo2Wmx5Cou7ajbmo=
 golang.org/x/text v0.0.0-20170915032832-14c0d48ead0c/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=

diff --git a/tuf-notary/cmd/delegate.go b/tuf-notary/cmd/delegate.go
@@ -10,7 +10,7 @@ import (
 
 func init() {
 	register("delegate", cmdDelegate, `
-usage: tuf-notary delegate <registry> <delegateeName> [--repo=<repository> --keyfiles=<namess> --threshold=<threshold>]
+usage: tuf-notary delegate <registry> <delegateeName> [--repo=<repository> --keyfiles=<namess> --threshold=<threshold> --no-passphrase]
 
 Add a delegation from the top-level targets role to delegatee and
 push the updated targets metadata to the TUF reposistory on the registry.
@@ -42,6 +42,11 @@ func cmdDelegate(args []string, opts docopt.Opts) error {
 		}
 	}
 
+	passphrase := true
+	if p := opts["--no-passphrase"]; p != nil {
+		passphrase = !p.(bool)
+	}
+
 	registry := args[0]
 	delegatee := args[1]
 
@@ -55,7 +60,7 @@ func cmdDelegate(args []string, opts docopt.Opts) error {
 	}
 
 	//add delegation
-	err = tufnotary.Delegate(repository, delegatee, keyfiles, threshold)
+	err = tufnotary.Delegate(repository, delegatee, keyfiles, threshold, passphrase)
 
 	if err != nil {
 		return err

diff --git a/tuf-notary/cmd/main.go b/tuf-notary/cmd/main.go
@@ -11,7 +11,7 @@ func main() {
 	usage := `
 Usage:
   tuf-notary <command> [<args>....]
-  tuf-notary <command> [<args>....] [--repo=<repository> --keyfiles=<names> --threshold<threshold>]
+  tuf-notary <command> [<args>....] [--repo=<repository> --keyfiles=<names> --threshold=<threshold> --no-passphrase]
 
 Commands:
   help          Show usage for a specific command

diff --git a/tuf-notary/registry-access.go b/tuf-notary/registry-access.go
@@ -68,6 +68,6 @@ func DownloadTUFMetadata(registry string, repository string, name string) error
 	fileStore := content.NewFile("")
 	defer fileStore.Close()
 	allowedMediaTypes := []string{mediaType}
-	desc, err := oras.Copy(ctx, reg, ref, fileStore, "", oras.WithAllowedMediaTypes(allowedMediaTypes))
+	_, err = oras.Copy(ctx, reg, ref, fileStore, "", oras.WithAllowedMediaTypes(allowedMediaTypes))
 	return err
 }
diff --git a/tuf-notary/tuf-repository.go b/tuf-notary/tuf-repository.go
@@ -1,14 +1,19 @@
 package tufnotary
 
 import (
+	"bytes"
+	"errors"
 	"fmt"
 	"os"
 	"path/filepath"
+	"strings"
+	"syscall"
 
 	"github.com/theupdateframework/go-tuf"
 	"github.com/theupdateframework/go-tuf/data"
 	"github.com/theupdateframework/go-tuf/pkg/keys"
 	util "github.com/theupdateframework/go-tuf/util"
+	"golang.org/x/crypto/ssh/terminal"
 )
 
 func Init(repository string) error {
@@ -65,20 +70,18 @@ func Init(repository string) error {
 	return err
 }
 
-func Delegate(repository string, delegatee string, keyfiles []string, threshold int) error {
+func Delegate(repository string, delegatee string, keyfiles []string, threshold int, passphrase bool) error {
 	workingDir, err := os.Getwd()
 	if err != nil {
 		return err
 	}
 
 	dir := filepath.Join(workingDir, repository)
 
-	//TODO: allow for this to be true
-	// insecure := true
 	var p util.PassphraseFunc
-	//if !insecure {
-	//p = getPassphrase
-	//}
+	if passphrase {
+		p = getPassphrase
+	}
 
 	repo, err := tuf.NewRepo(tuf.FileSystemStore(dir, p))
 	if err != nil {
@@ -148,3 +151,33 @@ func Delegate(repository string, delegatee string, keyfiles []string, threshold
 	err = repo.Commit()
 	return err
 }
+
+//from go-tuf/cmd/tuf/main.go
+func getPassphrase(role string, confirm bool) ([]byte, error) {
+	if pass := os.Getenv(fmt.Sprintf("TUF_%s_PASSPHRASE", strings.ToUpper(role))); pass != "" {
+		return []byte(pass), nil
+	}
+
+	fmt.Printf("Enter %s keys passphrase: ", role)
+	passphrase, err := terminal.ReadPassword(int(syscall.Stdin))
+	fmt.Println()
+	if err != nil {
+		return nil, err
+	}
+
+	if !confirm {
+		return passphrase, nil
+	}
+
+	fmt.Printf("Repeat %s keys passphrase: ", role)
+	confirmation, err := terminal.ReadPassword(int(syscall.Stdin))
+	fmt.Println()
+	if err != nil {
+		return nil, err
+	}
+
+	if !bytes.Equal(passphrase, confirmation) {
+		return nil, errors.New("The entered passphrases do not match")
+	}
+	return passphrase, nil
+}