Skip to content

Commit

Permalink
Merge pull request #875 from endophage/witness
Browse files Browse the repository at this point in the history
Witness command
  • Loading branch information
riyazdf authored Aug 3, 2016
2 parents 41625dc + 3b9ffbc commit dc74bd3
Show file tree
Hide file tree
Showing 15 changed files with 466 additions and 112 deletions.
1 change: 1 addition & 0 deletions client/changelist/change.go
Original file line number Diff line number Diff line change
Expand Up @@ -23,6 +23,7 @@ const (
TypeRootRole = "role"
TypeTargetsTarget = "target"
TypeTargetsDelegation = "delegation"
TypeWitness = "witness"
)

// TUFChange represents a change to a TUF repo
Expand Down
17 changes: 9 additions & 8 deletions client/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,6 @@ import (
"github.com/docker/notary/trustmanager"
"github.com/docker/notary/trustpinning"
"github.com/docker/notary/tuf"
tufclient "github.com/docker/notary/tuf/client"
"github.com/docker/notary/tuf/data"
"github.com/docker/notary/tuf/signed"
"github.com/docker/notary/tuf/utils"
Expand Down Expand Up @@ -85,6 +84,7 @@ type NotaryRepository struct {
fileStore store.MetadataStore
CryptoService signed.CryptoService
tufRepo *tuf.Repo
invalid *tuf.Repo // known data that was parsable but deemed invalid
roundTrip http.RoundTripper
trustPinning trustpinning.TrustPinConfig
}
Expand Down Expand Up @@ -616,7 +616,7 @@ func (r *NotaryRepository) publish(cl changelist.Changelist) error {
}
}
// apply the changelist to the repo
if err := applyChangelist(r.tufRepo, cl); err != nil {
if err := applyChangelist(r.tufRepo, r.invalid, cl); err != nil {
logrus.Debug("Error applying changelist")
return err
}
Expand Down Expand Up @@ -714,7 +714,7 @@ func (r *NotaryRepository) bootstrapRepo() error {
}
}

tufRepo, err := b.Finish()
tufRepo, _, err := b.Finish()
if err == nil {
r.tufRepo = tufRepo
}
Expand Down Expand Up @@ -787,7 +787,7 @@ func (r *NotaryRepository) Update(forWrite bool) error {
}
return err
}
repo, err := c.Update()
repo, invalid, err := c.Update()
if err != nil {
// notFound.Resource may include a checksum so when the role is root,
// it will be root or root.<checksum>. Therefore best we can
Expand All @@ -800,6 +800,7 @@ func (r *NotaryRepository) Update(forWrite bool) error {
// we can be assured if we are at this stage that the repo we built is good
// no need to test the following function call for an error as it will always be fine should the repo be good- it is!
r.tufRepo = repo
r.invalid = invalid
warnRolesNearExpiry(repo)
return nil
}
Expand All @@ -811,16 +812,16 @@ func (r *NotaryRepository) Update(forWrite bool) error {
// and return an error if the remote repository errors.
//
// Populates a tuf.RepoBuilder with this root metadata (only use
// tufclient.Client.Update to load the rest).
// TUFClient.Update to load the rest).
//
// Fails if the remote server is reachable and does not know the repo
// (i.e. before the first r.Publish()), in which case the error is
// store.ErrMetaNotFound, or if the root metadata (from whichever source is used)
// is not trusted.
//
// Returns a tufclient.Client for the remote server, which may not be actually
// Returns a TUFClient for the remote server, which may not be actually
// operational (if the URL is invalid but a root.json is cached).
func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufclient.Client, error) {
func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*TUFClient, error) {
minVersion := 1
// the old root on disk should not be validated against any trust pinning configuration
// because if we have an old root, it itself is the thing that pins trust
Expand Down Expand Up @@ -887,7 +888,7 @@ func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufclient.Cl
return nil, ErrRepoNotInitialized{}
}

return tufclient.NewClient(oldBuilder, newBuilder, remote, r.fileStore), nil
return NewTUFClient(oldBuilder, newBuilder, remote, r.fileStore), nil
}

// RotateKey removes all existing keys associated with the role, and either
Expand Down
36 changes: 18 additions & 18 deletions client/client_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -1202,7 +1202,7 @@ func testListTarget(t *testing.T, rootType string) {
require.NoError(t, err, "could not open changelist")

// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")

fakeServerData(t, repo, mux, keys)
Expand Down Expand Up @@ -1280,7 +1280,7 @@ func testListTargetWithDelegates(t *testing.T, rootType string) {
require.NoError(t, err, "could not open changelist")

// apply the changelist to the repo, then clear it
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")
require.NoError(t, cl.Clear(""))

Expand All @@ -1305,7 +1305,7 @@ func testListTargetWithDelegates(t *testing.T, rootType string) {
filepath.Join(repo.baseDir, "tuf", filepath.FromSlash(repo.gun), "changelist"))
require.NoError(t, err, "could not open changelist")
// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")
// check the changelist was applied
_, ok = repo.tufRepo.Targets["targets/level1/level2"].Signed.Targets["level2"]
Expand Down Expand Up @@ -1430,7 +1430,7 @@ func TestListTargetRestrictsDelegationPaths(t *testing.T) {
require.NoError(t, err, "could not open changelist")

// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")

require.NoError(t, cl.Clear(""))
Expand All @@ -1452,7 +1452,7 @@ func TestListTargetRestrictsDelegationPaths(t *testing.T) {
require.NoError(t, err, "could not open changelist")

// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")

fakeServerData(t, repo, mux, keys)
Expand Down Expand Up @@ -2948,7 +2948,7 @@ func TestAddDelegationChangefileApplicable(t *testing.T) {
require.Len(t, changes, 2)

// ensure that it can be applied correctly
err = applyTargetsChange(repo.tufRepo, changes[0])
err = applyTargetsChange(repo.tufRepo, nil, changes[0])
require.NoError(t, err)

targetRole := repo.tufRepo.Targets[data.CanonicalTargetsRole]
Expand Down Expand Up @@ -3025,8 +3025,8 @@ func TestRemoveDelegationChangefileApplicable(t *testing.T) {
require.NoError(t, repo.AddDelegation("targets/a", []data.PublicKey{rootPubKey}, []string{""}))
changes := getChanges(t, repo)
require.Len(t, changes, 2)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[1]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[1]))

targetRole := repo.tufRepo.Targets[data.CanonicalTargetsRole]
require.Len(t, targetRole.Signed.Delegations.Roles, 1)
Expand All @@ -3038,7 +3038,7 @@ func TestRemoveDelegationChangefileApplicable(t *testing.T) {
require.NoError(t, repo.RemoveDelegationKeys("targets/a", []string{rootKeyCanonicalID}))
changes = getChanges(t, repo)
require.Len(t, changes, 3)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[2]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[2]))

targetRole = repo.tufRepo.Targets[data.CanonicalTargetsRole]
require.Len(t, targetRole.Signed.Delegations.Roles, 1)
Expand All @@ -3061,14 +3061,14 @@ func TestClearAllPathsDelegationChangefileApplicable(t *testing.T) {
require.NoError(t, repo.AddDelegation("targets/a", []data.PublicKey{rootPubKey}, []string{"abc,123,xyz,path"}))
changes := getChanges(t, repo)
require.Len(t, changes, 2)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[1]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[1]))

// now clear paths it
require.NoError(t, repo.ClearDelegationPaths("targets/a"))
changes = getChanges(t, repo)
require.Len(t, changes, 3)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[2]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[2]))

delgRoles := repo.tufRepo.Targets[data.CanonicalTargetsRole].Signed.Delegations.Roles
require.Len(t, delgRoles, 1)
Expand Down Expand Up @@ -3105,7 +3105,7 @@ func TestFullAddDelegationChangefileApplicable(t *testing.T) {

changes := getChanges(t, repo)
require.Len(t, changes, 1)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[0]))

delgRoles := repo.tufRepo.Targets[data.CanonicalTargetsRole].Signed.Delegations.Roles
require.Len(t, delgRoles, 1)
Expand Down Expand Up @@ -3136,8 +3136,8 @@ func TestFullRemoveDelegationChangefileApplicable(t *testing.T) {
require.NoError(t, repo.AddDelegation(delegationName, []data.PublicKey{rootPubKey, key2}, []string{"abc", "123"}))
changes := getChanges(t, repo)
require.Len(t, changes, 2)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[1]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[1]))

targetRole := repo.tufRepo.Targets[data.CanonicalTargetsRole]
require.Len(t, targetRole.Signed.Delegations.Roles, 1)
Expand All @@ -3155,7 +3155,7 @@ func TestFullRemoveDelegationChangefileApplicable(t *testing.T) {

changes = getChanges(t, repo)
require.Len(t, changes, 3)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[2]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[2]))

delgRoles := repo.tufRepo.Targets[data.CanonicalTargetsRole].Signed.Delegations.Roles
require.Len(t, delgRoles, 1)
Expand Down Expand Up @@ -3577,7 +3577,7 @@ func TestGetAllTargetInfo(t *testing.T) {
require.NoError(t, err, "could not open changelist")

// apply the changelist to the repo, then clear it
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")
require.NoError(t, cl.Clear(""))

Expand All @@ -3602,7 +3602,7 @@ func TestGetAllTargetInfo(t *testing.T) {
filepath.Join(repo.baseDir, "tuf", filepath.FromSlash(repo.gun), "changelist"))
require.NoError(t, err, "could not open changelist")
// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")
// check the changelist was applied
_, ok = repo.tufRepo.Targets["targets/level1/level2"].Signed.Targets["level2"]
Expand Down
16 changes: 9 additions & 7 deletions client/helpers.go
Original file line number Diff line number Diff line change
Expand Up @@ -29,7 +29,7 @@ func getRemoteStore(baseURL, gun string, rt http.RoundTripper) (store.RemoteStor
return s, err
}

func applyChangelist(repo *tuf.Repo, cl changelist.Changelist) error {
func applyChangelist(repo *tuf.Repo, invalid *tuf.Repo, cl changelist.Changelist) error {
it, err := cl.NewIterator()
if err != nil {
return err
Expand All @@ -43,11 +43,11 @@ func applyChangelist(repo *tuf.Repo, cl changelist.Changelist) error {
isDel := data.IsDelegation(c.Scope()) || data.IsWildDelegation(c.Scope())
switch {
case c.Scope() == changelist.ScopeTargets || isDel:
err = applyTargetsChange(repo, c)
err = applyTargetsChange(repo, invalid, c)
case c.Scope() == changelist.ScopeRoot:
err = applyRootChange(repo, c)
default:
logrus.Debug("scope not supported: ", c.Scope())
return fmt.Errorf("scope not supported: %s", c.Scope())
}
if err != nil {
logrus.Debugf("error attempting to apply change #%d: %s, on scope: %s path: %s type: %s", index, c.Action(), c.Scope(), c.Path(), c.Type())
Expand All @@ -59,12 +59,14 @@ func applyChangelist(repo *tuf.Repo, cl changelist.Changelist) error {
return nil
}

func applyTargetsChange(repo *tuf.Repo, c changelist.Change) error {
func applyTargetsChange(repo *tuf.Repo, invalid *tuf.Repo, c changelist.Change) error {
switch c.Type() {
case changelist.TypeTargetsTarget:
return changeTargetMeta(repo, c)
case changelist.TypeTargetsDelegation:
return changeTargetsDelegation(repo, c)
case changelist.TypeWitness:
return witnessTargets(repo, invalid, c.Scope())
default:
return fmt.Errorf("only target meta and delegations changes supported")
}
Expand Down Expand Up @@ -155,7 +157,7 @@ func changeTargetMeta(repo *tuf.Repo, c changelist.Change) error {
}

default:
logrus.Debug("action not yet supported: ", c.Action())
err = fmt.Errorf("action not yet supported: %s", c.Action())
}
return err
}
Expand All @@ -166,7 +168,7 @@ func applyRootChange(repo *tuf.Repo, c changelist.Change) error {
case changelist.TypeRootRole:
err = applyRootRoleChange(repo, c)
default:
logrus.Debug("type of root change not yet supported: ", c.Type())
err = fmt.Errorf("type of root change not yet supported: %s", c.Type())
}
return err // might be nil
}
Expand All @@ -185,7 +187,7 @@ func applyRootRoleChange(repo *tuf.Repo, c changelist.Change) error {
return err
}
default:
logrus.Debug("action not yet supported for root: ", c.Action())
return fmt.Errorf("action not yet supported for root: %s", c.Action())
}
return nil
}
Expand Down
Loading

0 comments on commit dc74bd3

Please sign in to comment.