Пример #1
0
// AddTargets will attempt to add the given targets specifically to
// the directed role. If the metadata for the role doesn't exist yet,
// AddTargets will create one.
func (tr *Repo) AddTargets(role string, targets data.Files) (data.Files, error) {

	err := tr.VerifyCanSign(role)
	if err != nil {
		return nil, err
	}

	// check the role's metadata
	t, ok := tr.Targets[role]
	if !ok { // the targetfile may not exist yet - if not, then create it
		var err error
		t, err = tr.InitTargets(role)
		if err != nil {
			return nil, err
		}
	}

	var r data.DelegationRole
	if role != data.CanonicalTargetsRole {
		// we only call r.CheckPaths if the role is not "targets"
		// so r being nil is fine in the case role == "targets"
		r, err = tr.GetDelegationRole(role)
		if err != nil {
			return nil, err
		}
	}

	invalid := make(data.Files)
	for path, target := range targets {
		if role == data.CanonicalTargetsRole || r.CheckPaths(path) {
			t.Signed.Targets[path] = target
		} else {
			invalid[path] = target
		}
	}
	t.Dirty = true
	if len(invalid) > 0 {
		return invalid, fmt.Errorf("Could not add all targets")
	}
	return nil, nil
}
Пример #2
0
// helper function that returns whether the delegation Role is valid against the given path
// Will return true if given an empty candidatePath
func isValidPath(candidatePath string, delgRole data.DelegationRole) bool {
	return candidatePath == "" || delgRole.CheckPaths(candidatePath)
}
Пример #3
0
func TestDelegationRolesParent(t *testing.T) {
	delgA := data.DelegationRole{
		BaseRole: data.BaseRole{
			Keys:      nil,
			Name:      "targets/a",
			Threshold: 1,
		},
		Paths: []string{"path", "anotherpath"},
	}

	delgB := data.DelegationRole{
		BaseRole: data.BaseRole{
			Keys:      nil,
			Name:      "targets/a/b",
			Threshold: 1,
		},
		Paths: []string{"path/b", "anotherpath/b", "b/invalidpath"},
	}

	// Assert direct parent relationship
	assert.True(t, delgA.IsParentOf(delgB))
	assert.False(t, delgB.IsParentOf(delgA))
	assert.False(t, delgA.IsParentOf(delgA))

	delgC := data.DelegationRole{
		BaseRole: data.BaseRole{
			Keys:      nil,
			Name:      "targets/a/b/c",
			Threshold: 1,
		},
		Paths: []string{"path/b", "anotherpath/b/c", "c/invalidpath"},
	}

	// Assert direct parent relationship
	assert.True(t, delgB.IsParentOf(delgC))
	assert.False(t, delgB.IsParentOf(delgB))
	assert.False(t, delgA.IsParentOf(delgC))
	assert.False(t, delgC.IsParentOf(delgB))
	assert.False(t, delgC.IsParentOf(delgA))
	assert.False(t, delgC.IsParentOf(delgC))

	// Check that parents correctly restrict paths
	restrictedDelgB, err := delgA.Restrict(delgB)
	assert.NoError(t, err)
	assert.Contains(t, restrictedDelgB.Paths, "path/b")
	assert.Contains(t, restrictedDelgB.Paths, "anotherpath/b")
	assert.NotContains(t, restrictedDelgB.Paths, "b/invalidpath")

	_, err = delgB.Restrict(delgA)
	assert.Error(t, err)
	_, err = delgA.Restrict(delgC)
	assert.Error(t, err)
	_, err = delgC.Restrict(delgB)
	assert.Error(t, err)
	_, err = delgC.Restrict(delgA)
	assert.Error(t, err)

	// Make delgA have no paths and check that it changes delgB and delgC accordingly when chained
	delgA.Paths = []string{}
	restrictedDelgB, err = delgA.Restrict(delgB)
	assert.NoError(t, err)
	assert.Empty(t, restrictedDelgB.Paths)
	restrictedDelgC, err := restrictedDelgB.Restrict(delgC)
	assert.NoError(t, err)
	assert.Empty(t, restrictedDelgC.Paths)
}