Witness command #875

Merged
merged 3 commits into from
Aug 3, 2016
1 change: 1 addition & 0 deletions client/changelist/change.go
Expand Up @@ -23,6 +23,7 @@ const (
TypeRootRole = "role"
TypeTargetsTarget = "target"
TypeTargetsDelegation = "delegation"
TypeWitness = "witness"
)

// TUFChange represents a change to a TUF repo
17 changes: 9 additions & 8 deletions client/client.go
Expand Up @@ -20,7 +20,6 @@ import (
"github.com/docker/notary/trustmanager"
"github.com/docker/notary/trustpinning"
"github.com/docker/notary/tuf"
tufclient "github.com/docker/notary/tuf/client"
"github.com/docker/notary/tuf/data"
"github.com/docker/notary/tuf/signed"
"github.com/docker/notary/tuf/utils"
Expand Down Expand Up @@ -85,6 +84,7 @@ type NotaryRepository struct {
fileStore store.MetadataStore
CryptoService signed.CryptoService
tufRepo *tuf.Repo
invalid *tuf.Repo // known data that was parsable but deemed invalid
roundTrip http.RoundTripper
trustPinning trustpinning.TrustPinConfig
}
Expand Down Expand Up @@ -616,7 +616,7 @@ func (r *NotaryRepository) publish(cl changelist.Changelist) error {
}
}
// apply the changelist to the repo
if err := applyChangelist(r.tufRepo, cl); err != nil {
if err := applyChangelist(r.tufRepo, r.invalid, cl); err != nil {
logrus.Debug("Error applying changelist")
return err
}
Expand Down Expand Up @@ -714,7 +714,7 @@ func (r *NotaryRepository) bootstrapRepo() error {
}
}

tufRepo, err := b.Finish()
tufRepo, _, err := b.Finish()
if err == nil {
r.tufRepo = tufRepo
}
Expand Down Expand Up @@ -787,7 +787,7 @@ func (r *NotaryRepository) Update(forWrite bool) error {
}
return err
}
repo, err := c.Update()
repo, invalid, err := c.Update()
if err != nil {
// notFound.Resource may include a checksum so when the role is root,
// it will be root or root.<checksum>. Therefore best we can
Expand All @@ -800,6 +800,7 @@ func (r *NotaryRepository) Update(forWrite bool) error {
// we can be assured if we are at this stage that the repo we built is good
// no need to test the following function call for an error as it will always be fine should the repo be good- it is!
r.tufRepo = repo
r.invalid = invalid
warnRolesNearExpiry(repo)
return nil
}
Expand All @@ -811,16 +812,16 @@ func (r *NotaryRepository) Update(forWrite bool) error {
// and return an error if the remote repository errors.
//
// Populates a tuf.RepoBuilder with this root metadata (only use
// tufclient.Client.Update to load the rest).
// TUFClient.Update to load the rest).
//
// Fails if the remote server is reachable and does not know the repo
// (i.e. before the first r.Publish()), in which case the error is
// store.ErrMetaNotFound, or if the root metadata (from whichever source is used)
// is not trusted.
//
// Returns a tufclient.Client for the remote server, which may not be actually
// Returns a TUFClient for the remote server, which may not be actually
// operational (if the URL is invalid but a root.json is cached).
func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufclient.Client, error) {
func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*TUFClient, error) {
minVersion := 1
// the old root on disk should not be validated against any trust pinning configuration
// because if we have an old root, it itself is the thing that pins trust
Expand Down Expand Up @@ -887,7 +888,7 @@ func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufclient.Cl
return nil, ErrRepoNotInitialized{}
}

return tufclient.NewClient(oldBuilder, newBuilder, remote, r.fileStore), nil
return NewTUFClient(oldBuilder, newBuilder, remote, r.fileStore), nil
}

// RotateKey removes all existing keys associated with the role, and either
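Review bot: In bootstrapRepo the second value returned by `b.Finish()` is discarded with `_`, so `r.invalid` is never populated on the local-bootstrap path and stays at whatever a previous Update left there (nil on a freshly constructed repository), while publish then hands that `r.invalid` to applyChangelist and any witness change in the list sees no invalid metadata at all. If the builder's second result carries the same parsed-but-invalid roles that Update stores, the assignment should mirror Update: `tufRepo, invalid, err := b.Finish()` and, beside `r.tufRepo = tufRepo`, `r.invalid = invalid`. The new `invalid` field holds metadata that failed validation, so extending its comment to say that nothing in it may be trusted beyond identifying which roles need re-signing would help later readers; I am inferring the field's intent from its name and the existing comment. bootstrapRepo, publish and Update all start and end outside the hunks shown.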
36 changes: 18 additions & 18 deletions client/client_test.go
Expand Up @@ -1202,7 +1202,7 @@ func testListTarget(t *testing.T, rootType string) {
require.NoError(t, err, "could not open changelist")

// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")

fakeServerData(t, repo, mux, keys)
Expand Down Expand Up @@ -1280,7 +1280,7 @@ func testListTargetWithDelegates(t *testing.T, rootType string) {
require.NoError(t, err, "could not open changelist")

// apply the changelist to the repo, then clear it
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")
require.NoError(t, cl.Clear(""))

Expand All @@ -1305,7 +1305,7 @@ func testListTargetWithDelegates(t *testing.T, rootType string) {
filepath.Join(repo.baseDir, "tuf", filepath.FromSlash(repo.gun), "changelist"))
require.NoError(t, err, "could not open changelist")
// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")
// check the changelist was applied
_, ok = repo.tufRepo.Targets["targets/level1/level2"].Signed.Targets["level2"]
Expand Down Expand Up @@ -1430,7 +1430,7 @@ func TestListTargetRestrictsDelegationPaths(t *testing.T) {
require.NoError(t, err, "could not open changelist")

// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")

require.NoError(t, cl.Clear(""))
Expand All @@ -1452,7 +1452,7 @@ func TestListTargetRestrictsDelegationPaths(t *testing.T) {
require.NoError(t, err, "could not open changelist")

// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")

fakeServerData(t, repo, mux, keys)
Expand Down Expand Up @@ -2948,7 +2948,7 @@ func TestAddDelegationChangefileApplicable(t *testing.T) {
require.Len(t, changes, 2)

// ensure that it can be applied correctly
err = applyTargetsChange(repo.tufRepo, changes[0])
err = applyTargetsChange(repo.tufRepo, nil, changes[0])
require.NoError(t, err)

targetRole := repo.tufRepo.Targets[data.CanonicalTargetsRole]
Expand Down Expand Up @@ -3025,8 +3025,8 @@ func TestRemoveDelegationChangefileApplicable(t *testing.T) {
require.NoError(t, repo.AddDelegation("targets/a", []data.PublicKey{rootPubKey}, []string{""}))
changes := getChanges(t, repo)
require.Len(t, changes, 2)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[1]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[1]))

targetRole := repo.tufRepo.Targets[data.CanonicalTargetsRole]
require.Len(t, targetRole.Signed.Delegations.Roles, 1)
Expand All @@ -3038,7 +3038,7 @@ func TestRemoveDelegationChangefileApplicable(t *testing.T) {
require.NoError(t, repo.RemoveDelegationKeys("targets/a", []string{rootKeyCanonicalID}))
changes = getChanges(t, repo)
require.Len(t, changes, 3)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[2]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[2]))

targetRole = repo.tufRepo.Targets[data.CanonicalTargetsRole]
require.Len(t, targetRole.Signed.Delegations.Roles, 1)
Expand All @@ -3061,14 +3061,14 @@ func TestClearAllPathsDelegationChangefileApplicable(t *testing.T) {
require.NoError(t, repo.AddDelegation("targets/a", []data.PublicKey{rootPubKey}, []string{"abc,123,xyz,path"}))
changes := getChanges(t, repo)
require.Len(t, changes, 2)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[1]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[1]))

// now clear paths it
require.NoError(t, repo.ClearDelegationPaths("targets/a"))
changes = getChanges(t, repo)
require.Len(t, changes, 3)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[2]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[2]))

delgRoles := repo.tufRepo.Targets[data.CanonicalTargetsRole].Signed.Delegations.Roles
require.Len(t, delgRoles, 1)
Expand Down Expand Up @@ -3105,7 +3105,7 @@ func TestFullAddDelegationChangefileApplicable(t *testing.T) {

changes := getChanges(t, repo)
require.Len(t, changes, 1)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[0]))

delgRoles := repo.tufRepo.Targets[data.CanonicalTargetsRole].Signed.Delegations.Roles
require.Len(t, delgRoles, 1)
Expand Down Expand Up @@ -3136,8 +3136,8 @@ func TestFullRemoveDelegationChangefileApplicable(t *testing.T) {
require.NoError(t, repo.AddDelegation(delegationName, []data.PublicKey{rootPubKey, key2}, []string{"abc", "123"}))
changes := getChanges(t, repo)
require.Len(t, changes, 2)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[1]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[0]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[1]))

targetRole := repo.tufRepo.Targets[data.CanonicalTargetsRole]
require.Len(t, targetRole.Signed.Delegations.Roles, 1)
Expand All @@ -3155,7 +3155,7 @@ func TestFullRemoveDelegationChangefileApplicable(t *testing.T) {

changes = getChanges(t, repo)
require.Len(t, changes, 3)
require.NoError(t, applyTargetsChange(repo.tufRepo, changes[2]))
require.NoError(t, applyTargetsChange(repo.tufRepo, nil, changes[2]))

delgRoles := repo.tufRepo.Targets[data.CanonicalTargetsRole].Signed.Delegations.Roles
require.Len(t, delgRoles, 1)
Expand Down Expand Up @@ -3577,7 +3577,7 @@ func TestGetAllTargetInfo(t *testing.T) {
require.NoError(t, err, "could not open changelist")

// apply the changelist to the repo, then clear it
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")
require.NoError(t, cl.Clear(""))

Expand All @@ -3602,7 +3602,7 @@ func TestGetAllTargetInfo(t *testing.T) {
filepath.Join(repo.baseDir, "tuf", filepath.FromSlash(repo.gun), "changelist"))
require.NoError(t, err, "could not open changelist")
// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
err = applyChangelist(repo.tufRepo, nil, cl)
require.NoError(t, err, "could not apply changelist")
// check the changelist was applied
_, ok = repo.tufRepo.Targets["targets/level1/level2"].Signed.Targets["level2"]
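Review bot: Every updated call site in this file passes `nil` for the new `invalid` argument, so none of these tests exercises the `changelist.TypeWitness` branch of applyTargetsChange, nor the behaviour of that branch when `invalid` is nil, which is exactly what publish can pass when no Update has run. A test that applies a witness change for a delegation role once with a nil invalid repo and once with an invalid repo containing that role would pin the contract the production caller relies on; such a test may live in a file not shown here (the file list is cut off), in which case this can be ignored. The enclosing test functions start and end outside the hunks.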
16 changes: 9 additions & 7 deletions client/helpers.go
Expand Up @@ -29,7 +29,7 @@ func getRemoteStore(baseURL, gun string, rt http.RoundTripper) (store.RemoteStor
return s, err
}

func applyChangelist(repo *tuf.Repo, cl changelist.Changelist) error {
func applyChangelist(repo *tuf.Repo, invalid *tuf.Repo, cl changelist.Changelist) error {
it, err := cl.NewIterator()
if err != nil {
return err
Expand All @@ -43,11 +43,11 @@ func applyChangelist(repo *tuf.Repo, cl changelist.Changelist) error {
isDel := data.IsDelegation(c.Scope()) || data.IsWildDelegation(c.Scope())
switch {
case c.Scope() == changelist.ScopeTargets || isDel:
err = applyTargetsChange(repo, c)
err = applyTargetsChange(repo, invalid, c)
case c.Scope() == changelist.ScopeRoot:
err = applyRootChange(repo, c)
default:
logrus.Debug("scope not supported: ", c.Scope())
return fmt.Errorf("scope not supported: %s", c.Scope())
}
if err != nil {
logrus.Debugf("error attempting to apply change #%d: %s, on scope: %s path: %s type: %s", index, c.Action(), c.Scope(), c.Path(), c.Type())
Expand All @@ -59,12 +59,14 @@ func applyChangelist(repo *tuf.Repo, cl changelist.Changelist) error {
return nil
}

func applyTargetsChange(repo *tuf.Repo, c changelist.Change) error {
func applyTargetsChange(repo *tuf.Repo, invalid *tuf.Repo, c changelist.Change) error {
switch c.Type() {
case changelist.TypeTargetsTarget:
return changeTargetMeta(repo, c)
case changelist.TypeTargetsDelegation:
return changeTargetsDelegation(repo, c)
case changelist.TypeWitness:
return witnessTargets(repo, invalid, c.Scope())
default:
return fmt.Errorf("only target meta and delegations changes supported")
}
Expand Down Expand Up @@ -155,7 +157,7 @@ func changeTargetMeta(repo *tuf.Repo, c changelist.Change) error {
}

default:
logrus.Debug("action not yet supported: ", c.Action())
err = fmt.Errorf("action not yet supported: %s", c.Action())
}
return err
}
Expand All @@ -166,7 +168,7 @@ func applyRootChange(repo *tuf.Repo, c changelist.Change) error {
case changelist.TypeRootRole:
err = applyRootRoleChange(repo, c)
default:
logrus.Debug("type of root change not yet supported: ", c.Type())
err = fmt.Errorf("type of root change not yet supported: %s", c.Type())
}
return err // might be nil
}
Expand All @@ -185,7 +187,7 @@ func applyRootRoleChange(repo *tuf.Repo, c changelist.Change) error {
return err
}
default:
logrus.Debug("action not yet supported for root: ", c.Action())
return fmt.Errorf("action not yet supported for root: %s", c.Action())
}
return nil
}
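Review bot: The default branch of applyTargetsChange still reports `only target meta and delegations changes supported`, which is no longer accurate now that the `changelist.TypeWitness` case exists; `return fmt.Errorf("only target meta, delegations and witness changes supported, got %s", c.Type())` keeps the message truthful and names the rejected type, consistent with the other errors this commit introduces. The new case forwards `invalid` to witnessTargets unchecked, and the visible callers do pass nil (the tests directly, and publish via `r.invalid` before any Update has set it), so witnessTargets, which is defined outside this hunk, must tolerate a nil repo; a comment on the case such as `// invalid may be nil when no parsed metadata failed validation` would record that expectation. Because `invalid` holds metadata that did not pass validation, the witness path should use it only to identify which roles need re-signing and never as a source of trusted content; I cannot confirm from this hunk how witnessTargets uses it. Replacing the Debug-and-continue paths with returned errors for unsupported scopes, actions and types is a sound change. changeTargetMeta, applyRootChange and applyRootRoleChange each start outside the hunks shown.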