Merge branch 'master' into cleanup

README.md

@@ -1,9 +1,15 @@
+[![Go Report Card](https://goreportcard.com/badge/github.com/Senetas/crypto-cli)](https://goreportcard.com/report/github.com/Senetas/crypto-cli)
+[![license](https://img.shields.io/badge/license-Apache-blue.svg?style=flat)](https://raw.githubusercontent.com/Senetas/crypto-cli/master/LICENSE)
+
 # Crypto-Cli
 
-A command line utility to push and pull encrypted docker images. This is in the pre-alpha proof of concept stage and is not indented for any use other than to prove that Docker Hub may be used to distribute encrypted docker images. Currently, it only runs on Linux with Linux images. See also the privacy section below.
+A command line utility to push and pull encrypted docker images. Currently, it only runs on Linux with Linux images. See also the privacy section below.
 
 ## Warning
-This application is not suitable for use in a production environment. There are no guarantees as to the security of these implementations. Use at your own risk.
+This application is not suitable for use in a production environment. There are no guarantees as to the security of these implementations. Use at your own risk...that being said we make a concerted effort on the crypto side. See the cryptography section below.
+
+## Issues
+Don't try to pull an encrypted image with `docker pull`, it will fail.
 
 ## License
 Apache 2.0
@@ -43,12 +49,12 @@ For example, in the following Dockerfile:
 ```Dockerfile
 FROM alpine:latest
 LABEL "com.senetas.crypto.enabled"="true"
-RUN echo "hello" > file.txt
+RUN echo "some secret" > secret-file.txt
 LABEL "com.senetas.crypto.enabled"="false"
-RUN rm file.txt
+RUN echo "some not secret" > not-secret-file.txt
 ENTRYPOINT ["/bin/sh"]
 ```
-only the layer resulting from the command `RUN echo "hello" > file.txt` will be encrypted.
+only the layer resulting from the command `RUN echo "some secret" > secret-file.txt` will be encrypted.
 
 Note that although in general a `LABEL` line may contain multiple labels, this is not supported for the `com.senetas.crypto.enabled` label for the purposes of this application.
 

cmd/pull.go

@@ -30,7 +30,7 @@ var pullCmd = &cobra.Command{
 	Use:   "pull [OPTIONS] NAME[:TAG]",
 	Short: "Download an image from a remote repository, decrypting if necessary.",
 	Long: `pull is used to download an image from a repository, decrypt it if necessary and
-load that images into the local docker engine. It is then avaliable to be run under the same
+load that images into the local docker engine. It is then available to be run under the same
 name as it was downloaded.`,
 	RunE: func(cmd *cobra.Command, args []string) error {
 		cmd.Flags().VisitAll(checkFlagsPull)

crypto/algos.go

@@ -38,9 +38,7 @@ type versionData struct {
 	nonceLength int
 }
 
-var (
-	versionDataStore = map[int]versionData{0: versionData{saltLength: 16, nonceLength: 12}}
-)
+var versionDataStore = map[int]versionData{0: {saltLength: 16, nonceLength: 12}}
 
 // ValidateAlgos converts a string to valid Algos if possible
 func ValidateAlgos(ctstr string) (Algos, error) {

distribution/blob.go

@@ -33,7 +33,7 @@ type Blob interface {
 	ReadCloser() (io.ReadCloser, error)
 }
 
-// NoncryptedBlob is a vanilla blob with no encrpytion data
+// NoncryptedBlob is a vanilla blob with no encryption data
 // Despite appearnces, the MediaType type is not indicative of whether
 // the blob is compressed or not
 type NoncryptedBlob struct {

distribution/manifest.go

@@ -311,7 +311,7 @@ func mkBlobs(
 
 	// read the archive manifest
 	// manifestfile consists of information that is local to the os, or supplied by the user or the
-	// docker daemon. Thus, assuming they are not comprimised, it is safe to open
+	// docker daemon. Thus, assuming they are not compromised, it is safe to open
 	manifestfile := filepath.Join(path, "manifest.json")
 	manifestFH, err := os.Open(manifestfile) // #nosec
 	defer func() { err = utils.CheckedClose(manifestFH, err) }()
@@ -406,7 +406,7 @@ func pbkdf2Aes256GcmEncrypt(
 // note its error are not wraped
 func fileDigest(filename string) (d digest.Digest, err error) {
 	// filename consists of information that is local to the os or the docker
-	// daemon. Thus assuming they are not comprimised, it is safe to open
+	// daemon. Thus assuming they are not compromised, it is safe to open
 	fh, err := os.Open(filename) // #nosec
 	defer func() { err = utils.CheckedClose(fh, err) }()
 	if err != nil {

registry/pull.go

@@ -55,7 +55,7 @@ func PullImage(
 	if err != nil {
 		return nil, err
 	}
-	log.Info().Msg("Mainfest obtained.")
+	log.Info().Msg("Manifest obtained.")
 
 	if err = manifest.DecryptKeys(ref, opts); err != nil {
 		return
@@ -147,7 +147,7 @@ func PullManifest(
 	return manifest, nil
 }
 
-// PullFromDigest downloads a blob (refereced by its digest) from the registry to a temporay file.
+// PullFromDigest downloads a blob (refereced by its digest) from the registry to a temporary file.
 // It verifies that the downloaded file matches its digest, deleting if it does not. While the
 // digest is used to name the file, it is first verified to be a valid digest, so this cannot lead
 // to a file inclusion vulrenability.
@@ -233,7 +233,7 @@ func download(
 	err = processResp(resp, d, fn, fh, timer)
 }
 
-// processResp handles the responce to the request to download a blob
+// processResp handles the response to the request to download a blob
 // includeing: downloading any data, time handling, verifying that the
 // download matches the expected digest
 func processResp(

utils/io.go

@@ -23,7 +23,7 @@ import (
 	"golang.org/x/text/unicode/rangetable"
 )
 
-// CounterWriter is a writer that counts the number bytes writen to it
+// CounterWriter is a writer that counts the number bytes written to it
 type CounterWriter struct {
 	io.Writer
 	Count int

utils/utils_test.go

@@ -67,9 +67,9 @@ func TestConcat(t *testing.T) {
 		out []byte
 	}{
 		{[][]byte{[]byte("3.14"), []byte("159")}, []byte("3.14159")},
-		{[][]byte{[]byte{}, []byte("159")}, []byte("159")},
-		{[][]byte{[]byte("3.14"), []byte{}}, []byte("3.14")},
-		{[][]byte{[]byte{}, []byte{}}, []byte{}},
+		{[][]byte{{}, []byte("159")}, []byte("159")},
+		{[][]byte{[]byte("3.14"), {}}, []byte("3.14")},
+		{[][]byte{{}, {}}, []byte{}},
 		{[][]byte{[]byte("3.14"), []byte("159"), []byte("265")}, []byte("3.14159265")},
 	}