// validateSnapshot parses snapUpdate as signed snapshot metadata, verifies
// its signatures against the snapshot role loaded in repo, checks that the
// payload declares the snapshot TUF type, and finally validates its entries
// against oldSnap and the other role updates in this batch via
// checkSnapshotEntries.
//
// The snapshot version is deliberately not checked here; it is validated
// when the update is written to the store so that concurrent updates are
// handled there.
func validateSnapshot(role string, oldSnap *data.SignedSnapshot, snapUpdate storage.MetaUpdate, roles map[string]storage.MetaUpdate, repo *tuf.Repo) error {
	signedSnap := &data.Signed{}
	if err := json.Unmarshal(snapUpdate.Data, signedSnap); err != nil {
		return errors.New("could not parse snapshot")
	}

	// Signatures are checked against the role loaded in repo before the
	// payload is interpreted any further.
	snapshotRole, err := repo.GetBaseRole(role)
	if err != nil {
		return err
	}
	if err := signed.Verify(signedSnap, snapshotRole, 0); err != nil {
		return err
	}

	snap, err := data.SnapshotFromSigned(signedSnap)
	if err != nil {
		return errors.New("could not parse snapshot")
	}
	if !data.ValidTUFType(snap.Signed.Type, data.CanonicalSnapshotRole) {
		return errors.New("snapshot has wrong type")
	}

	// Entry-level validation against the previous snapshot and the other
	// updates in this batch is delegated to checkSnapshotEntries, and only
	// runs once authenticity of the payload has been established.
	return checkSnapshotEntries(role, oldSnap, snap, roles)
}
// copyTimestampKey is a test helper that reads the single key of fromRepo's
// timestamp role and registers its algorithm and public material in toStore
// under gun and the timestamp role. It fails the test if the role cannot be
// loaded, holds a key count other than one, or the store rejects the key.
func copyTimestampKey(t *testing.T, fromRepo *tuf.Repo, toStore storage.MetaStore, gun string) {
	tsRole, err := fromRepo.GetBaseRole(data.CanonicalTimestampRole)
	assert.NoError(t, err)
	assert.NotNil(t, tsRole, "No timestamp role in the root file")

	keyIDs := tsRole.ListKeyIDs()
	assert.Len(t, keyIDs, 1, fmt.Sprintf(
		"Expected 1 timestamp key in timestamp role, got %d", len(keyIDs)))

	// Only the public half of the key and its algorithm are handed to the store.
	tsKey := tsRole.ListKeys()[0]
	assert.NoError(t, toStore.SetKey(gun, data.CanonicalTimestampRole, tsKey.Algorithm(), tsKey.Public()))
}
// validateTargets parses and verifies the update in roles for role, which is
// either the top-level targets role or a delegation. The key set and
// threshold used for signature verification come from repo: the base role
// when role is CanonicalTargetsRole, and the delegation's BaseRole otherwise.
// The payload must also declare the targets TUF type. Returns the parsed
// targets on success.
//
// TODO: when delegations are being validated, validate parent role exists
// for any delegation.
//
// The version is not checked here; it is validated when writing to the
// store so that races between concurrent updates are handled there.
func validateTargets(role string, roles map[string]storage.MetaUpdate, repo *tuf.Repo) (*data.SignedTargets, error) {
	signedTargets := &data.Signed{}
	if err := json.Unmarshal(roles[role].Data, signedTargets); err != nil {
		return nil, fmt.Errorf("could not parse %s", role)
	}

	// Pick the role whose keys and threshold govern this update.
	var verifyRole data.BaseRole
	switch role {
	case data.CanonicalTargetsRole:
		baseRole, err := repo.GetBaseRole(role)
		if err != nil {
			logrus.Debugf("no %s role loaded", role)
			return nil, err
		}
		verifyRole = baseRole
	default:
		delegation, err := repo.GetDelegationRole(role)
		if err != nil {
			logrus.Debugf("no %s delegation role loaded", role)
			return nil, err
		}
		verifyRole = delegation.BaseRole
	}

	if err := signed.Verify(signedTargets, verifyRole, 0); err != nil {
		return nil, err
	}

	targets, err := data.TargetsFromSigned(signedTargets)
	if err != nil {
		return nil, err
	}
	if !data.ValidTUFType(targets.Signed.Type, data.CanonicalTargetsRole) {
		return nil, fmt.Errorf("%s has wrong type", role)
	}
	return targets, nil
}
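// generateSnapshot builds and signs a snapshot for gun on the server's
// behalf, for use when an update did not include one. It succeeds only when
// the store holds a snapshot key whose ID is listed in repo's snapshot role;
// otherwise the client must supply the snapshot itself. The new snapshot is
// based on the store's current snapshot when one exists, or initialised from
// scratch for a repository that has never had one.
//
// Returns a MetaUpdate carrying the signed snapshot JSON and its version.
// Errors are typed validation errors: ErrBadRoot when repo has no snapshot
// role, ErrBadHierarchy when no usable snapshot key is held, ErrValidation
// when the existing snapshot cannot be fetched, parsed or loaded into repo,
// and ErrBadSnapshot when initialising, signing or serialising fails.
func generateSnapshot(gun string, repo *tuf.Repo, store storage.MetaStore) (*storage.MetaUpdate, error) {
	role, err := repo.GetBaseRole(data.CanonicalSnapshotRole)
	if err != nil {
		return nil, validation.ErrBadRoot{Msg: "root did not include snapshot role"}
	}

	algo, keyBytes, err := store.GetKey(gun, data.CanonicalSnapshotRole)
	if err != nil {
		return nil, validation.ErrBadHierarchy{Msg: "could not retrieve snapshot key. client must provide snapshot"}
	}

	// The server-held key is only usable if its ID is among the keys the
	// snapshot role lists. The ID is derived once rather than on every
	// iteration of the comparison loop.
	foundK := data.NewPublicKey(algo, keyBytes)
	foundKeyID := foundK.ID()
	validKey := false
	for _, id := range role.ListKeyIDs() {
		if id == foundKeyID {
			validKey = true
			break
		}
	}
	if !validKey {
		return nil, validation.ErrBadHierarchy{
			Missing: data.CanonicalSnapshotRole,
			Msg:     "no snapshot was included in update and server does not hold current snapshot key for repository"}
	}

	// A missing current snapshot is expected for a brand-new repository;
	// any other lookup failure is reported.
	currentJSON, err := store.GetCurrent(gun, data.CanonicalSnapshotRole)
	if err != nil {
		if _, ok := err.(storage.ErrNotFound); !ok {
			return nil, validation.ErrValidation{Msg: err.Error()}
		}
	}

	if currentJSON != nil {
		sn := new(data.SignedSnapshot)
		if err := json.Unmarshal(currentJSON, sn); err != nil {
			return nil, validation.ErrValidation{Msg: err.Error()}
		}
		if err := repo.SetSnapshot(sn); err != nil {
			return nil, validation.ErrValidation{Msg: err.Error()}
		}
	} else {
		// This will only occur if no snapshot has ever been created for the repository.
		if err := repo.InitSnapshot(); err != nil {
			return nil, validation.ErrBadSnapshot{Msg: err.Error()}
		}
	}

	sgnd, err := repo.SignSnapshot(data.DefaultExpires(data.CanonicalSnapshotRole))
	if err != nil {
		return nil, validation.ErrBadSnapshot{Msg: err.Error()}
	}
	sgndJSON, err := json.Marshal(sgnd)
	if err != nil {
		return nil, validation.ErrBadSnapshot{Msg: err.Error()}
	}

	return &storage.MetaUpdate{
		Role:    data.CanonicalSnapshotRole,
		Version: repo.Snapshot.Signed.Version,
		Data:    sgndJSON,
	}, nil
}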