fix(server): Adds default host keys and signing keys to keychain

This automatically adds the keys from signing-keys.toml to the keychain and adds the auto-generated host key to the keychain as well. Fixes #356 Signed-off-by: Taylor Thomas <[email protected]>
deislabs · Dec 16, 2022 · 72c4e2c · 72c4e2c
1 parent e43a08c
commit 72c4e2c
Showing 1 changed file with 28 additions and 7 deletions.
diff --git a/bin/server.rs b/bin/server.rs
@@ -1,14 +1,15 @@
-use std::net::SocketAddr;
 use std::path::PathBuf;
+use std::{net::SocketAddr, path::Path};
 
+use bindle::signature::KeyRingSaver;
 use clap::Parser;
 use tracing::{debug, info, warn};
 
 use bindle::{
     invoice::signature::{KeyRing, SignatureRole},
     provider, search,
     server::{server, TlsConfig},
-    signature::{KeyRingLoader, SecretKeyFile},
+    signature::{KeyEntry, KeyRingLoader, SecretKeyFile},
     SecretKeyEntry,
 };
 
@@ -173,7 +174,6 @@ async fn main() -> anyhow::Result<()> {
             .join("bindle")
     });
 
-    // TODO: Should we ensure a keyring?
     let keyring_file: PathBuf = config
         .keyring_file
         .unwrap_or_else(|| default_config_dir().join("keyring.toml"));
@@ -184,7 +184,7 @@ async fn main() -> anyhow::Result<()> {
     // a keyring does not exist.
     //
     // All other cases are considered errors worthy of failing.
-    let keyring: KeyRing = match tokio::fs::metadata(&keyring_file).await {
+    let mut keyring: KeyRing = match tokio::fs::metadata(&keyring_file).await {
         Ok(md) if md.is_file() => keyring_file.load().await?,
         Ok(_) => {
             anyhow::bail!("Expected {} to be a regular file", keyring_file.display());
@@ -207,7 +207,7 @@ async fn main() -> anyhow::Result<()> {
         }
         None => {
             debug!("No signing key file set, attempting to load from default");
-            ensure_signing_keys().await?
+            ensure_signing_keys(&mut keyring, &keyring_file).await?
         }
     };
 
@@ -236,6 +236,15 @@ async fn main() -> anyhow::Result<()> {
         )
     })?;
 
+    // If there are any keys we use for signing, we should trust them in our keychain
+    keyring.key.extend(
+        secret_store
+            .key
+            .iter()
+            .map(|sk| KeyEntry::try_from(sk.clone()))
+            .collect::<Result<Vec<_>, _>>()?,
+    );
+
     tracing::log::info!(
         "Starting server at {}, and serving bindles from {}",
         addr.to_string(),
@@ -405,7 +414,11 @@ async fn ensure_config_dir() -> anyhow::Result<PathBuf> {
     Ok(dir)
 }
 
-async fn ensure_signing_keys() -> anyhow::Result<PathBuf> {
+/// Makes sure signing keys exist for the host. If it generates a key, it will add it to the current keyring and save it to the path
+async fn ensure_signing_keys(
+    keyring: &mut KeyRing,
+    keyring_path: &Path,
+) -> anyhow::Result<PathBuf> {
     let base = ensure_config_dir().await?;
     let signing_keyfile = base.join("signing-keys.toml");
 
@@ -421,7 +434,7 @@ async fn ensure_signing_keys() -> anyhow::Result<PathBuf> {
                 signing_keyfile.display()
             );
             let key = SecretKeyEntry::new("Default host key", vec![SignatureRole::Host]);
-            default_keyfile.key.push(key);
+            default_keyfile.key.push(key.clone());
             default_keyfile
                 .save_file(&signing_keyfile)
                 .await
@@ -432,6 +445,14 @@ async fn ensure_signing_keys() -> anyhow::Result<PathBuf> {
                         e
                     )
                 })?;
+            keyring.add_entry(key.try_into()?);
+            keyring_path.save(keyring).await.map_err(|e| {
+                anyhow::anyhow!(
+                    "Unable to save newly created key to keyring {}: {}",
+                    keyring_path.display(),
+                    e
+                )
+            })?;
             Ok(signing_keyfile)
         }
         Err(e) => Err(anyhow::anyhow!(