// TestBuilderLoadInvalidDelegationsOldVersion checks how the builder treats
// delegation metadata whose version is below the minimum the caller asks for.
// Load must fail with signed.ErrLowVersion, and the rejected role must not
// appear in the Targets of the "invalid" repo returned by Finish.
//
// A minimum-version check of this kind is what stops older, validly signed
// metadata from being accepted again. The test pins only the error type and
// the bookkeeping in Finish.
func TestBuilderLoadInvalidDelegationsOldVersion(t *testing.T) {
	const (
		gun        = "docker.com/notary"
		delegation = "targets/a"
	)

	repo, _, err := testutils.EmptyRepo(gun, delegation, "targets/a/b", "targets/b")
	require.NoError(t, err)

	serialized, err := testutils.SignAndSerialize(repo)
	require.NoError(t, err)

	b := tuf.NewBuilderFromRepo(gun, repo, trustpinning.TrustPinConfig{})

	// Remove the in-memory copy of the role after the builder has been created,
	// presumably so the role has to be loaded from the serialized bytes below.
	// NOTE(review): confirm against NewBuilderFromRepo.
	delete(repo.Targets, delegation)

	// The third argument is the minimum acceptable version. 10 is deliberately
	// higher than the version of the freshly signed metadata, so this copy is
	// too old.
	loadErr := b.Load(delegation, serialized[delegation], 10, false)
	require.Error(t, loadErr)
	require.IsType(t, signed.ErrLowVersion{}, loadErr)

	_, invalidRepo, err := b.Finish()
	require.NoError(t, err)

	// A role rejected for being too old is not recorded in invalidRepo.Targets.
	_, found := invalidRepo.Targets[delegation]
	require.False(t, found)
}
// TestBuilderLoadInvalidDelegations checks how the builder treats delegation
// metadata that carries no signatures at all. Load must return an error, and
// the role must then be present in the Targets of the "invalid" repo returned
// by Finish.
//
// The test asserts only that Load fails, not which error type it returns.
func TestBuilderLoadInvalidDelegations(t *testing.T) {
	const (
		gun        = "docker.com/notary"
		delegation = "targets/a"
	)

	repo, _, err := testutils.EmptyRepo(gun, delegation, "targets/a/b", "targets/b")
	require.NoError(t, err)

	serialized, err := testutils.SignAndSerialize(repo)
	require.NoError(t, err)

	b := tuf.NewBuilderFromRepo(gun, repo, trustpinning.TrustPinConfig{})

	// Strip every signature from targets/a and re-serialize it. The timestamp
	// is never loaded in this test, so it does not need to be updated.
	var unsigned data.Signed
	err = json.Unmarshal(serialized[delegation], &unsigned)
	require.NoError(t, err)
	unsigned.Signatures = []data.Signature{}

	unsignedJSON, err := json.Marshal(&unsigned)
	require.NoError(t, err)
	serialized[delegation] = unsignedJSON

	delete(repo.Targets, delegation)

	// Record the hashes of the modified bytes in the snapshot, presumably so
	// that the load below fails on the missing signature rather than on a
	// checksum mismatch. NOTE(review): confirm against builder.Load.
	snapshot := repo.Snapshot
	fileMeta, err := data.NewFileMeta(
		bytes.NewReader(unsignedJSON),
		"sha256",
		"sha512",
	)
	require.NoError(t, err)
	snapshot.AddMeta(delegation, fileMeta)

	// Put the snapshot straight into the repo instead of loading it through the
	// builder: editing it has invalidated its own signature, so it would not
	// pass the signature check.
	repo.Snapshot = snapshot

	// Loading the unsigned delegation must fail.
	loadErr := b.Load(delegation, serialized[delegation], 1, false)
	require.Error(t, loadErr)

	_, invalidRepo, err := b.Finish()
	require.NoError(t, err)

	// Unlike the too-old-version case, metadata that fails here is recorded in
	// invalidRepo.Targets.
	_, found := invalidRepo.Targets[delegation]
	require.True(t, found)
}