func TestValidateSnapshotMissing(t *testing.T) {
_, repo, _ := testutils.EmptyRepo()
store := storage.NewMemStorage()
r, tg, sn, ts, err := testutils.Sign(repo)
assert.NoError(t, err)
root, targets, _, _, err := testutils.Serialize(r, tg, sn, ts)
assert.NoError(t, err)
updates := []storage.MetaUpdate{
{
Role: "root",
Version: 1,
Data: root,
},
{
Role: "targets",
Version: 1,
Data: targets,
},
}
err = validateUpdate("testGUN", updates, store)
assert.Error(t, err)
assert.IsType(t, ErrBadHierarchy{}, err)
}
func TestValidateNoRoot(t *testing.T) {
_, repo, _ := testutils.EmptyRepo()
store := storage.NewMemStorage()
r, tg, sn, ts, err := testutils.Sign(repo)
assert.NoError(t, err)
_, targets, snapshot, timestamp, err := testutils.Serialize(r, tg, sn, ts)
assert.NoError(t, err)
updates := []storage.MetaUpdate{
{
Role: "targets",
Version: 1,
Data: targets,
},
{
Role: "snapshot",
Version: 1,
Data: snapshot,
},
{
Role: "timestamp",
Version: 1,
Data: timestamp,
},
}
err = validateUpdate("testGUN", updates, store)
assert.Error(t, err)
assert.IsType(t, ErrValidation{}, err)
}
func TestValidateTargetsModifiedHash(t *testing.T) {
_, repo, _ := testutils.EmptyRepo()
store := storage.NewMemStorage()
r, tg, sn, ts, err := testutils.Sign(repo)
assert.NoError(t, err)
snap, err := data.SnapshotFromSigned(sn)
assert.NoError(t, err)
snap.Signed.Meta["targets"].Hashes["sha256"][0] = snap.Signed.Meta["targets"].Hashes["sha256"][0] ^ 0xff
sn, err = snap.ToSigned()
assert.NoError(t, err)
root, targets, snapshot, timestamp, err := testutils.Serialize(r, tg, sn, ts)
assert.NoError(t, err)
updates := []storage.MetaUpdate{
{
Role: "root",
Version: 1,
Data: root,
},
{
Role: "targets",
Version: 1,
Data: targets,
},
{
Role: "snapshot",
Version: 1,
Data: snapshot,
},
{
Role: "timestamp",
Version: 1,
Data: timestamp,
},
}
err = validateUpdate("testGUN", updates, store)
assert.Error(t, err)
assert.IsType(t, ErrBadSnapshot{}, err)
}
// ### Snapshot size mismatch negative tests ###
func TestValidateRootModifiedSize(t *testing.T) {
_, repo, _ := testutils.EmptyRepo()
store := storage.NewMemStorage()
r, tg, sn, ts, err := testutils.Sign(repo)
assert.NoError(t, err)
// add another copy of the signature so the hash is different
r.Signatures = append(r.Signatures, r.Signatures[0])
root, targets, snapshot, timestamp, err := testutils.Serialize(r, tg, sn, ts)
assert.NoError(t, err)
// flip all the bits in the first byte
root[0] = root[0] ^ 0xff
updates := []storage.MetaUpdate{
{
Role: "root",
Version: 1,
Data: root,
},
{
Role: "targets",
Version: 1,
Data: targets,
},
{
Role: "snapshot",
Version: 1,
Data: snapshot,
},
{
Role: "timestamp",
Version: 1,
Data: timestamp,
},
}
err = validateUpdate("testGUN", updates, store)
assert.Error(t, err)
assert.IsType(t, ErrBadRoot{}, err)
}
// ### Signature missing negative tests ###
func TestValidateRootSigMissing(t *testing.T) {
_, repo, _ := testutils.EmptyRepo()
store := storage.NewMemStorage()
delete(repo.Root.Signed.Roles, "snapshot")
r, tg, sn, ts, err := testutils.Sign(repo)
assert.NoError(t, err)
r.Signatures = nil
root, targets, snapshot, timestamp, err := testutils.Serialize(r, tg, sn, ts)
assert.NoError(t, err)
updates := []storage.MetaUpdate{
{
Role: "root",
Version: 1,
Data: root,
},
{
Role: "targets",
Version: 1,
Data: targets,
},
{
Role: "snapshot",
Version: 1,
Data: snapshot,
},
{
Role: "timestamp",
Version: 1,
Data: timestamp,
},
}
err = validateUpdate("testGUN", updates, store)
assert.Error(t, err)
assert.IsType(t, ErrBadRoot{}, err)
}
func TestValidateSnapshotCorrupt(t *testing.T) {
_, repo, _ := testutils.EmptyRepo()
store := storage.NewMemStorage()
r, tg, sn, ts, err := testutils.Sign(repo)
assert.NoError(t, err)
root, targets, snapshot, timestamp, err := testutils.Serialize(r, tg, sn, ts)
assert.NoError(t, err)
// flip all the bits in the first byte
snapshot[0] = snapshot[0] ^ 0xff
updates := []storage.MetaUpdate{
{
Role: "root",
Version: 1,
Data: root,
},
{
Role: "targets",
Version: 1,
Data: targets,
},
{
Role: "snapshot",
Version: 1,
Data: snapshot,
},
{
Role: "timestamp",
Version: 1,
Data: timestamp,
},
}
err = validateUpdate("testGUN", updates, store)
assert.Error(t, err)
assert.IsType(t, ErrBadSnapshot{}, err)
}
func TestValidateOnlySnapshot(t *testing.T) {
_, repo, _ := testutils.EmptyRepo()
store := storage.NewMemStorage()
r, tg, sn, ts, err := testutils.Sign(repo)
assert.NoError(t, err)
root, targets, snapshot, _, err := testutils.Serialize(r, tg, sn, ts)
assert.NoError(t, err)
store.UpdateCurrent(
"testGUN",
storage.MetaUpdate{
Role: "root",
Version: 1,
Data: root,
},
)
store.UpdateCurrent(
"testGUN",
storage.MetaUpdate{
Role: "targets",
Version: 1,
Data: targets,
},
)
updates := []storage.MetaUpdate{
{
Role: "snapshot",
Version: 1,
Data: snapshot,
},
}
err = validateUpdate("testGUN", updates, store)
assert.NoError(t, err)
}
func TestValidateRootRotation(t *testing.T) {
_, repo, crypto := testutils.EmptyRepo()
store := storage.NewMemStorage()
r, tg, sn, ts, err := testutils.Sign(repo)
assert.NoError(t, err)
root, targets, snapshot, timestamp, err := testutils.Serialize(r, tg, sn, ts)
assert.NoError(t, err)
store.UpdateCurrent(
"testGUN",
storage.MetaUpdate{
Role: "root",
Version: 1,
Data: root,
},
)
oldRootRole := repo.Root.Signed.Roles["root"]
oldRootKey := repo.Root.Signed.Keys[oldRootRole.KeyIDs[0]]
rootKey, err := crypto.Create("root", data.ED25519Key)
assert.NoError(t, err)
rootRole, err := data.NewRole("root", 1, []string{rootKey.ID()}, nil, nil)
assert.NoError(t, err)
delete(repo.Root.Signed.Keys, oldRootRole.KeyIDs[0])
repo.Root.Signed.Roles["root"] = &rootRole.RootRole
repo.Root.Signed.Keys[rootKey.ID()] = data.NewPrivateKey(rootKey.Algorithm(), rootKey.Public(), nil)
r, err = repo.SignRoot(data.DefaultExpires(data.CanonicalRootRole), nil)
assert.NoError(t, err)
err = signed.Sign(crypto, r, rootKey, oldRootKey)
assert.NoError(t, err)
rt, err := data.RootFromSigned(r)
assert.NoError(t, err)
repo.SetRoot(rt)
sn, err = repo.SignSnapshot(data.DefaultExpires(data.CanonicalSnapshotRole), nil)
assert.NoError(t, err)
root, targets, snapshot, timestamp, err = testutils.Serialize(r, tg, sn, ts)
assert.NoError(t, err)
updates := []storage.MetaUpdate{
{
Role: "root",
Version: 1,
Data: root,
},
{
Role: "targets",
Version: 1,
Data: targets,
},
{
Role: "snapshot",
Version: 1,
Data: snapshot,
},
{
Role: "timestamp",
Version: 1,
Data: timestamp,
},
}
err = validateUpdate("testGUN", updates, store)
assert.NoError(t, err)
}