func testAddListTarget(t *testing.T, rootType data.KeyAlgorithm) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
defer os.RemoveAll(tempBaseDir)
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
gun := "docker.com/notary"
ts, mux := createTestServer(t)
defer ts.Close()
repo, err := NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, passphraseRetriever)
assert.NoError(t, err, "error creating repository: %s", err)
rootKeyID, err := repo.KeyStoreManager.GenRootKey(rootType.String())
assert.NoError(t, err, "error generating root key: %s", err)
rootCryptoService, err := repo.KeyStoreManager.GetRootCryptoService(rootKeyID)
assert.NoError(t, err, "error retreiving root key: %s", err)
err = repo.Initialize(rootCryptoService)
assert.NoError(t, err, "error creating repository: %s", err)
// tests need to manually boostrap timestamp as client doesn't generate it
err = repo.tufRepo.InitTimestamp()
assert.NoError(t, err, "error creating repository: %s", err)
// Add fixtures/intermediate-ca.crt as a target. There's no particular reason
// for using this file except that it happens to be available as
// a fixture.
latestTarget, err := NewTarget("latest", "../fixtures/intermediate-ca.crt")
assert.NoError(t, err, "error creating target")
err = repo.AddTarget(latestTarget)
assert.NoError(t, err, "error adding target")
// Look for the changelist file
changelistDirPath := filepath.Join(tempBaseDir, "tuf", filepath.FromSlash(gun), "changelist")
changelistDir, err := os.Open(changelistDirPath)
assert.NoError(t, err, "could not open changelist directory")
fileInfos, err := changelistDir.Readdir(0)
assert.NoError(t, err, "could not read changelist directory")
// Should only be one file in the directory
assert.Len(t, fileInfos, 1, "wrong number of changelist files found")
clName := fileInfos[0].Name()
raw, err := ioutil.ReadFile(filepath.Join(changelistDirPath, clName))
assert.NoError(t, err, "could not read changelist file %s", clName)
c := &changelist.TufChange{}
err = json.Unmarshal(raw, c)
assert.NoError(t, err, "could not unmarshal changelist file %s", clName)
assert.EqualValues(t, changelist.ActionCreate, c.Actn)
assert.Equal(t, "targets", c.Role)
assert.Equal(t, "target", c.ChangeType)
assert.Equal(t, "latest", c.ChangePath)
assert.NotEmpty(t, c.Data)
changelistDir.Close()
// Create a second target
currentTarget, err := NewTarget("current", "../fixtures/intermediate-ca.crt")
assert.NoError(t, err, "error creating target")
err = repo.AddTarget(currentTarget)
assert.NoError(t, err, "error adding target")
changelistDir, err = os.Open(changelistDirPath)
assert.NoError(t, err, "could not open changelist directory")
// There should now be a second file in the directory
fileInfos, err = changelistDir.Readdir(0)
assert.NoError(t, err, "could not read changelist directory")
assert.Len(t, fileInfos, 2, "wrong number of changelist files found")
newFileFound := false
for _, fileInfo := range fileInfos {
if fileInfo.Name() != clName {
clName2 := fileInfo.Name()
raw, err := ioutil.ReadFile(filepath.Join(changelistDirPath, clName2))
assert.NoError(t, err, "could not read changelist file %s", clName2)
c := &changelist.TufChange{}
err = json.Unmarshal(raw, c)
assert.NoError(t, err, "could not unmarshal changelist file %s", clName2)
assert.EqualValues(t, changelist.ActionCreate, c.Actn)
assert.Equal(t, "targets", c.Role)
assert.Equal(t, "target", c.ChangeType)
assert.Equal(t, "current", c.ChangePath)
assert.NotEmpty(t, c.Data)
newFileFound = true
break
}
}
assert.True(t, newFileFound, "second changelist file not found")
changelistDir.Close()
// Now test ListTargets. In preparation, we need to expose some signed
// metadata files on the internal HTTP server.
// Apply the changelist. Normally, this would be done by Publish
// load the changelist for this repo
cl, err := changelist.NewFileChangelist(filepath.Join(tempBaseDir, "tuf", filepath.FromSlash(gun), "changelist"))
assert.NoError(t, err, "could not open changelist")
// apply the changelist to the repo
err = applyChangelist(repo.tufRepo, cl)
assert.NoError(t, err, "could not apply changelist")
var tempKey data.TUFKey
json.Unmarshal([]byte(timestampECDSAKeyJSON), &tempKey)
repo.KeyStoreManager.NonRootKeyStore().AddKey(filepath.Join(filepath.FromSlash(gun), tempKey.ID()), "nonroot", &tempKey)
// Because ListTargets will clear this
savedTUFRepo := repo.tufRepo
rootJSONFile := filepath.Join(tempBaseDir, "tuf", filepath.FromSlash(gun), "metadata", "root.json")
rootFileBytes, err := ioutil.ReadFile(rootJSONFile)
signedTargets, err := savedTUFRepo.SignTargets("targets", data.DefaultExpires("targets"), nil)
assert.NoError(t, err)
signedSnapshot, err := savedTUFRepo.SignSnapshot(data.DefaultExpires("snapshot"), nil)
assert.NoError(t, err)
signedTimestamp, err := savedTUFRepo.SignTimestamp(data.DefaultExpires("timestamp"), nil)
assert.NoError(t, err)
mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/root.json", func(w http.ResponseWriter, r *http.Request) {
assert.NoError(t, err)
fmt.Fprint(w, string(rootFileBytes))
})
mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/timestamp.json", func(w http.ResponseWriter, r *http.Request) {
timestampJSON, _ := json.Marshal(signedTimestamp)
fmt.Fprint(w, string(timestampJSON))
})
mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/snapshot.json", func(w http.ResponseWriter, r *http.Request) {
snapshotJSON, _ := json.Marshal(signedSnapshot)
fmt.Fprint(w, string(snapshotJSON))
})
mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/targets.json", func(w http.ResponseWriter, r *http.Request) {
targetsJSON, _ := json.Marshal(signedTargets)
fmt.Fprint(w, string(targetsJSON))
})
targets, err := repo.ListTargets()
assert.NoError(t, err)
// Should be two targets
assert.Len(t, targets, 2, "unexpected number of targets returned by ListTargets")
if targets[0].Name == "latest" {
assert.Equal(t, latestTarget, targets[0], "latest target does not match")
assert.Equal(t, currentTarget, targets[1], "current target does not match")
} else if targets[0].Name == "current" {
assert.Equal(t, currentTarget, targets[0], "current target does not match")
assert.Equal(t, latestTarget, targets[1], "latest target does not match")
} else {
t.Fatalf("unexpected target name: %s", targets[0].Name)
}
// Also test GetTargetByName
newLatestTarget, err := repo.GetTargetByName("latest")
assert.NoError(t, err)
assert.Equal(t, latestTarget, newLatestTarget, "latest target does not match")
newCurrentTarget, err := repo.GetTargetByName("current")
assert.NoError(t, err)
assert.Equal(t, currentTarget, newCurrentTarget, "current target does not match")
}
func validateRootSuccessfully(t *testing.T, rootType data.KeyAlgorithm) {
// Temporary directory where test files will be created
tempBaseDir, err := ioutil.TempDir("", "notary-test-")
defer os.RemoveAll(tempBaseDir)
assert.NoError(t, err, "failed to create a temporary directory: %s", err)
gun := "docker.com/notary"
ts, mux := createTestServer(t)
defer ts.Close()
repo, err := NewNotaryRepository(tempBaseDir, gun, ts.URL, http.DefaultTransport, passphraseRetriever)
assert.NoError(t, err, "error creating repository: %s", err)
rootKeyID, err := repo.KeyStoreManager.GenRootKey(rootType.String())
assert.NoError(t, err, "error generating root key: %s", err)
rootCryptoService, err := repo.KeyStoreManager.GetRootCryptoService(rootKeyID)
assert.NoError(t, err, "error retrieving root key: %s", err)
err = repo.Initialize(rootCryptoService)
assert.NoError(t, err, "error creating repository: %s", err)
// tests need to manually boostrap timestamp as client doesn't generate it
err = repo.tufRepo.InitTimestamp()
assert.NoError(t, err, "error creating repository: %s", err)
// Initialize is supposed to have created new certificate for this repository
// Lets check for it and store it for later use
allCerts := repo.KeyStoreManager.TrustedCertificateStore().GetCertificates()
assert.Len(t, allCerts, 1)
// Now test ListTargets. In preparation, we need to expose some signed
// metadata files on the internal HTTP server.
var tempKey data.TUFKey
json.Unmarshal([]byte(timestampECDSAKeyJSON), &tempKey)
repo.KeyStoreManager.NonRootKeyStore().AddKey(filepath.Join(filepath.FromSlash(gun), tempKey.ID()), "root", &tempKey)
// Because ListTargets will clear this
savedTUFRepo := repo.tufRepo
rootJSONFile := filepath.Join(tempBaseDir, "tuf", filepath.FromSlash(gun), "metadata", "root.json")
rootFileBytes, err := ioutil.ReadFile(rootJSONFile)
signedTargets, err := savedTUFRepo.SignTargets("targets", data.DefaultExpires("targets"), nil)
assert.NoError(t, err)
signedSnapshot, err := savedTUFRepo.SignSnapshot(data.DefaultExpires("snapshot"), nil)
assert.NoError(t, err)
signedTimestamp, err := savedTUFRepo.SignTimestamp(data.DefaultExpires("timestamp"), nil)
assert.NoError(t, err)
mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/root.json", func(w http.ResponseWriter, r *http.Request) {
assert.NoError(t, err)
fmt.Fprint(w, string(rootFileBytes))
})
mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/timestamp.json", func(w http.ResponseWriter, r *http.Request) {
timestampJSON, _ := json.Marshal(signedTimestamp)
fmt.Fprint(w, string(timestampJSON))
})
mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/snapshot.json", func(w http.ResponseWriter, r *http.Request) {
snapshotJSON, _ := json.Marshal(signedSnapshot)
fmt.Fprint(w, string(snapshotJSON))
})
mux.HandleFunc("/v2/docker.com/notary/_trust/tuf/targets.json", func(w http.ResponseWriter, r *http.Request) {
targetsJSON, _ := json.Marshal(signedTargets)
fmt.Fprint(w, string(targetsJSON))
})
_, err = repo.ListTargets()
assert.NoError(t, err)
//
// Test TOFUS logic. We remove all certs and expect a new one to be added after ListTargets
//
err = repo.KeyStoreManager.TrustedCertificateStore().RemoveAll()
assert.NoError(t, err)
assert.Len(t, repo.KeyStoreManager.TrustedCertificateStore().GetCertificates(), 0)
// This list targets is expected to succeed and the certificate store to have the new certificate
_, err = repo.ListTargets()
assert.NoError(t, err)
assert.Len(t, repo.KeyStoreManager.TrustedCertificateStore().GetCertificates(), 1)
//
// Test certificate mismatch logic. We remove all certs, add a different cert to the
// same CN, and expect ValidateRoot to fail
//
// First, remove all certs
err = repo.KeyStoreManager.TrustedCertificateStore().RemoveAll()
assert.NoError(t, err)
assert.Len(t, repo.KeyStoreManager.TrustedCertificateStore().GetCertificates(), 0)
// Add a previously generated certificate with CN=docker.com/notary
err = repo.KeyStoreManager.TrustedCertificateStore().AddCertFromFile("../fixtures/self-signed_docker.com-notary.crt")
assert.NoError(t, err)
// This list targets is expected to fail, since there already exists a certificate
// in the store for the dnsName docker.com/notary, so TOFUS doesn't apply
_, err = repo.ListTargets()
if assert.Error(t, err, "An error was expected") {
assert.Equal(t, err, &keystoremanager.ErrValidationFail{Reason: "failed to validate data with current trusted certificates"})
}
}
