tuf: use cached targets when available

Signed-off-by: Appu Goundan <[email protected]>

Author: loosebazooka

build-logic/jvm/src/main/kotlin/build-logic.spotless-base.gradle.kts

@@ -11,7 +11,7 @@ spotless {
         target("*.md", ".gitignore", "**/*.yaml")
 
         trimTrailingWhitespace()
-        indentWithSpaces()
+        leadingTabsToSpaces()
         endWithNewline()
     }
 }

sigstore-java/src/main/java/dev/sigstore/tuf/FileSystemTufStore.java

@@ -77,6 +77,12 @@ public byte[] readTarget(String targetName) throws IOException {
     return Files.readAllBytes(targetsDir.resolve(encoded));
   }
 
+  @Override
+  public boolean hasTarget(String targetName) throws IOException {
+    var encoded = URLEncoder.encode(targetName, StandardCharsets.UTF_8);
+    return Files.isRegularFile(targetsDir.resolve(encoded));
+  }
+
   @Override
   public void writeMeta(String roleName, SignedTufMeta<?> meta) throws IOException {
     storeRole(roleName, meta);

sigstore-java/src/main/java/dev/sigstore/tuf/TargetReader.java

@@ -29,4 +29,13 @@ public interface TargetReader {
    * @throws IOException if an error occurs
    */
   byte[] readTarget(String targetName) throws IOException;
+
+  /**
+   * Checks if the local TUF store actually contains a target file with name.
+   *
+   * @param targetName the name of the target file to read (e.g. ctfe.pub)
+   * @return true if the target exists locally
+   * @throws IOException if an error occurs
+   */
+  boolean hasTarget(String targetName) throws IOException;
 }

sigstore-java/src/main/java/dev/sigstore/tuf/Updater.java

@@ -116,13 +116,27 @@ public void updateMeta() throws IOException, NoSuchAlgorithmException, InvalidKe
     }
   }
 
-  /** Download a single target defined in targets. Does not handle delegated targets. */
-  public void downloadTarget(String targetName)
-      throws IOException, NoSuchAlgorithmException, InvalidKeySpecException {
+  /**
+   * Download a single target defined in targets. Will not re-download a target that is already
+   * cached locally. Does not handle delegated targets.
+   */
+  public void downloadTarget(String targetName) throws IOException {
     var targetData = trustedMetaStore.getTargets().getSignedMeta().getTargets().get(targetName);
     if (targetData == null) {
       throw new TargetMetadataMissingException(targetName);
     }
+    if (targetStore.hasTarget(targetName)) {
+      byte[] target = targetStore.readTarget(targetName);
+      // TODO: Using exceptions for control flow here, we should have something that returns a true
+      // TODO: or false on hashes, but requires reworking verifyHashes.
+      try {
+        verifyHashes(targetName, target, targetData.getHashes());
+        // found a valid cached instance of the target
+        return;
+      } catch (InvalidHashesException ioe) {
+        // continue to download targets
+      }
+    }
     downloadTarget(targetName, targetData);
   }