repository load methods with trusted roots (#30)

iliana · web-flow · commit 3923a4358e8b · 2025-07-03T15:47:43.000-07:00
Part of oxidecomputer/omicron#3578. The current plan is to put our trust store in CockroachDB, which allows us to have multiple trust roots uploaded, so we loop through the roots in the trust store and try to load the repository metadata with each one. If we fail to verify any of the metadata, we try the next root in the provided trust store.
diff --git a/bin/src/dispatch.rs b/bin/src/dispatch.rs
@@ -44,12 +44,16 @@ impl Args {
         match self.command {
             Command::Init { system_version, no_generate_key } => {
                 let keys = maybe_generate_keys(self.keys, no_generate_key)?;
+                let root =
+                    tufaceous_lib::root::new_root(keys.clone(), self.expiry)
+                        .await?;
 
                 let repo = OmicronRepo::initialize(
                     log,
                     &repo_path,
                     system_version,
                     keys,
+                    root,
                     self.expiry,
                 )
                 .await?;
diff --git a/lib/src/assemble/build.rs b/lib/src/assemble/build.rs
@@ -5,6 +5,8 @@
 use anyhow::{Context, Result};
 use camino::{Utf8Path, Utf8PathBuf};
 use chrono::{DateTime, Utc};
+use tough::editor::signed::SignedRole;
+use tough::schema::Root;
 
 use crate::{AddArtifact, Key, OmicronRepo, utils::merge_anyhow_list};
 
@@ -17,6 +19,7 @@ pub struct OmicronRepoAssembler {
     manifest: ArtifactManifest,
     build_dir: Option<Utf8PathBuf>,
     keys: Vec<Key>,
+    root: Option<SignedRole<Root>>,
     expiry: DateTime<Utc>,
     output_path: Utf8PathBuf,
 }
@@ -34,6 +37,7 @@ impl OmicronRepoAssembler {
             manifest,
             build_dir: None,
             keys,
+            root: None,
             expiry,
             output_path,
         }
@@ -44,6 +48,11 @@ impl OmicronRepoAssembler {
         self
     }
 
+    pub fn set_root_role(&mut self, root_role: SignedRole<Root>) -> &mut Self {
+        self.root = Some(root_role);
+        self
+    }
+
     pub async fn build(&self) -> Result<()> {
         let (build_dir, is_temp) = match &self.build_dir {
             Some(dir) => (dir.clone(), false),
@@ -92,11 +101,18 @@ impl OmicronRepoAssembler {
     }
 
     async fn build_impl(&self, build_dir: &Utf8Path) -> Result<()> {
+        let root = match &self.root {
+            Some(root) => root.clone(),
+            None => {
+                crate::root::new_root(self.keys.clone(), self.expiry).await?
+            }
+        };
         let mut repository = OmicronRepo::initialize(
             &self.log,
             build_dir,
             self.manifest.system_version.clone(),
             self.keys.clone(),
+            root,
             self.expiry,
         )
         .await?
diff --git a/lib/src/lib.rs b/lib/src/lib.rs
@@ -7,7 +7,7 @@ mod artifact;
 pub mod assemble;
 mod key;
 mod repository;
-mod root;
+pub mod root;
 mod target;
 mod utils;
 
diff --git a/lib/src/repository.rs b/lib/src/repository.rs
@@ -14,6 +14,7 @@ use futures::TryStreamExt;
 use semver::Version;
 use tough::editor::RepositoryEditor;
 use tough::editor::signed::SignedRole;
+use tough::error::Error;
 use tough::schema::{Root, Target};
 use tough::{ExpirationEnforcement, Repository, RepositoryLoader, TargetName};
 use tufaceous_artifact::{
@@ -31,6 +32,7 @@ use crate::utils::merge_anyhow_list;
 use crate::{AddArtifact, ArchiveBuilder};
 
 /// A TUF repository describing Omicron.
+#[derive(Debug)]
 pub struct OmicronRepo {
     log: slog::Logger,
     repo: Repository,
@@ -44,9 +46,9 @@ impl OmicronRepo {
         repo_path: &Utf8Path,
         system_version: Version,
         keys: Vec<Key>,
+        root: SignedRole<Root>,
         expiry: DateTime<Utc>,
     ) -> Result<Self> {
-        let root = crate::root::new_root(keys.clone(), expiry).await?;
         let editor = OmicronRepoEditor::initialize(
             repo_path.to_owned(),
             root,
@@ -64,6 +66,86 @@ impl OmicronRepo {
         Self::load_untrusted(log, repo_path).await
     }
 
+    /// Loads a repository from the given path.
+    ///
+    /// This method enforces expirations. To load without expiration enforcement, use
+    /// [`Self::load_ignore_expiration`].
+    pub async fn load(
+        log: &slog::Logger,
+        repo_path: &Utf8Path,
+        trusted_roots: impl IntoIterator<Item = impl AsRef<[u8]>>,
+    ) -> Result<Self> {
+        Self::load_impl(
+            log,
+            repo_path,
+            trusted_roots,
+            ExpirationEnforcement::Safe,
+        )
+        .await
+    }
+
+    /// Loads a repository from the given path, ignoring expiration.
+    ///
+    /// Use cases for this include:
+    ///
+    /// 1. When you're editing an existing repository and will re-sign it afterwards.
+    /// 2. When you're reading a repository that was uploaded out-of-band,
+    ///    instead of fetched from a network-accessible repository
+    /// 3. In an environment in which time isn't available.
+    pub async fn load_ignore_expiration(
+        log: &slog::Logger,
+        repo_path: &Utf8Path,
+        trusted_roots: impl IntoIterator<Item = impl AsRef<[u8]>>,
+    ) -> Result<Self> {
+        Self::load_impl(
+            log,
+            repo_path,
+            trusted_roots,
+            ExpirationEnforcement::Unsafe,
+        )
+        .await
+    }
+
+    async fn load_impl(
+        log: &slog::Logger,
+        repo_path: &Utf8Path,
+        trusted_roots: impl IntoIterator<Item = impl AsRef<[u8]>>,
+        exp: ExpirationEnforcement,
+    ) -> Result<Self> {
+        let repo_path = repo_path.canonicalize_utf8()?;
+        let mut verify_error = None;
+        for root in trusted_roots {
+            match RepositoryLoader::new(
+                &root,
+                Url::from_file_path(repo_path.join("metadata"))
+                    .expect("the canonical path is not absolute?"),
+                Url::from_file_path(repo_path.join("targets"))
+                    .expect("the canonical path is not absolute?"),
+            )
+            .expiration_enforcement(exp)
+            .load()
+            .await
+            {
+                Ok(repo) => {
+                    return Ok(Self {
+                        log: log.new(slog::o!("component" => "OmicronRepo")),
+                        repo,
+                        repo_path,
+                    });
+                }
+                Err(
+                    err @ (Error::VerifyMetadata { .. }
+                    | Error::VerifyTrustedMetadata { .. }),
+                ) if verify_error.is_none() => {
+                    verify_error = Some(err.into());
+                    continue;
+                }
+                Err(err) => return Err(err.into()),
+            }
+        }
+        Err(verify_error.unwrap_or_else(|| anyhow!("trust store is empty")))
+    }
+
     /// Loads a repository from the given path.
     ///
     /// This method enforces expirations. To load without expiration enforcement, use
@@ -81,7 +163,9 @@ impl OmicronRepo {
     /// Use cases for this include:
     ///
     /// 1. When you're editing an existing repository and will re-sign it afterwards.
-    /// 2. In an environment in which time isn't available.
+    /// 2. When you're reading a repository that was uploaded out-of-band,
+    ///    instead of fetched from a network-accessible repository
+    /// 3. In an environment in which time isn't available.
     pub async fn load_untrusted_ignore_expiration(
         log: &slog::Logger,
         repo_path: &Utf8Path,
@@ -95,25 +179,12 @@ impl OmicronRepo {
         repo_path: &Utf8Path,
         exp: ExpirationEnforcement,
     ) -> Result<Self> {
-        let log = log.new(slog::o!("component" => "OmicronRepo"));
         let repo_path = repo_path.canonicalize_utf8()?;
         let root_json = repo_path.join("metadata").join("1.root.json");
         let root = tokio::fs::read(&root_json)
             .await
             .with_context(|| format!("error reading from {root_json}"))?;
-
-        let repo = RepositoryLoader::new(
-            &root,
-            Url::from_file_path(repo_path.join("metadata"))
-                .expect("the canonical path is not absolute?"),
-            Url::from_file_path(repo_path.join("targets"))
-                .expect("the canonical path is not absolute?"),
-        )
-        .expiration_enforcement(exp)
-        .load()
-        .await?;
-
-        Ok(Self { log, repo, repo_path })
+        Self::load_impl(log, &repo_path, &[root], exp).await
     }
 
     /// Returns a canonicalized form of the repository path.
@@ -503,11 +574,96 @@ mod tests {
     use dropshot::test_util::LogContext;
     use dropshot::{ConfigLogging, ConfigLoggingIfExists, ConfigLoggingLevel};
 
-    use crate::ArtifactSource;
-    use crate::assemble::ArtifactDeploymentUnits;
+    use crate::assemble::{
+        ArtifactDeploymentUnits, ArtifactManifest, OmicronRepoAssembler,
+    };
+    use crate::{ArchiveExtractor, ArtifactSource};
 
     use super::*;
 
+    #[tokio::test]
+    async fn load_trusted() {
+        let log_config = ConfigLogging::File {
+            level: ConfigLoggingLevel::Trace,
+            path: "UNUSED".into(),
+            if_exists: ConfigLoggingIfExists::Fail,
+        };
+        let logctx = LogContext::new(
+            "reject_artifacts_with_the_same_filename",
+            &log_config,
+        );
+
+        // Generate a "trusted" root and an "untrusted" root.
+        let expiry = Utc::now() + Days::new(1);
+        let trusted_key = Key::generate_ed25519().unwrap();
+        let trusted_root =
+            crate::root::new_root(vec![trusted_key.clone()], expiry)
+                .await
+                .unwrap();
+        let untrusted_key = Key::generate_ed25519().unwrap();
+        let untrusted_root =
+            crate::root::new_root(vec![untrusted_key], expiry).await.unwrap();
+
+        // Generate a repository using the trusted root.
+        let tempdir = Utf8TempDir::new().unwrap();
+        let archive_path = tempdir.path().join("repo.zip");
+        let mut assembler = OmicronRepoAssembler::new(
+            &logctx.log,
+            ArtifactManifest::new_fake(),
+            vec![trusted_key],
+            expiry,
+            archive_path.clone(),
+        );
+        assembler.set_root_role(trusted_root.clone());
+        assembler.build().await.unwrap();
+        // And now that we've created an archive and cleaned up the build
+        // directory, immediately unarchive it... this is a bit silly, huh?
+        let repo_dir = tempdir.path().join("repo");
+        ArchiveExtractor::from_path(&archive_path)
+            .unwrap()
+            .extract(&repo_dir)
+            .unwrap();
+
+        // If the trust store contains the root we generated the repo from, we
+        // should successfully load it.
+        for trust_store in [
+            vec![trusted_root.buffer()],
+            vec![trusted_root.buffer(), untrusted_root.buffer()],
+            vec![untrusted_root.buffer(), trusted_root.buffer()],
+            vec![trusted_root.buffer(), trusted_root.buffer()],
+        ] {
+            OmicronRepo::load(&logctx.log, &repo_dir, trust_store)
+                .await
+                .unwrap();
+        }
+        // If the trust store is empty, we should fail.
+        assert_eq!(
+            OmicronRepo::load(&logctx.log, &repo_dir, [] as [Vec<u8>; 0])
+                .await
+                .unwrap_err()
+                .to_string(),
+            "trust store is empty"
+        );
+        // If the trust store otherwise does not contain the root we generated
+        // the repo from, we should also fail.
+        for trust_store in [
+            vec![untrusted_root.buffer()],
+            vec![untrusted_root.buffer(), untrusted_root.buffer()],
+        ] {
+            assert_eq!(
+                OmicronRepo::load(&logctx.log, &repo_dir, trust_store)
+                    .await
+                    .unwrap_err()
+                    .to_string(),
+                "Failed to verify timestamp metadata: \
+                Signature threshold of 1 not met for role timestamp \
+                (0 valid signatures)"
+            )
+        }
+
+        logctx.cleanup_successful();
+    }
+
     #[tokio::test]
     async fn reject_artifacts_with_the_same_filename() {
         let log_config = ConfigLogging::File {
@@ -520,12 +676,16 @@ mod tests {
             &log_config,
         );
         let tempdir = Utf8TempDir::new().unwrap();
+        let keys = vec![Key::generate_ed25519().unwrap()];
+        let expiry = Utc::now() + Days::new(1);
+        let root = crate::root::new_root(keys.clone(), expiry).await.unwrap();
         let mut repo = OmicronRepo::initialize(
             &logctx.log,
             tempdir.path(),
             "0.0.0".parse().unwrap(),
-            vec![Key::generate_ed25519().unwrap()],
-            Utc::now() + Days::new(1),
+            keys,
+            root,
+            expiry,
         )
         .await
         .unwrap()
diff --git a/lib/src/root.rs b/lib/src/root.rs
@@ -13,7 +13,7 @@ use tough::schema::{KeyHolder, RoleKeys, RoleType, Root};
 
 use crate::key::Key;
 
-pub(crate) async fn new_root(
+pub async fn new_root(
     keys: Vec<Key>,
     expires: DateTime<Utc>,
 ) -> Result<SignedRole<Root>> {
