[Delegations prereq 3] Add roles helpers (#193)

ethan-lowman-dd · web-flow · commit 4a33a14de85a · 2022-01-11T11:46:50.000-05:00
* [Delegations prereq] Add roles helpers Splitting up #175 * Remove unused validMetadata
diff --git a/internal/roles/roles.go b/internal/roles/roles.go
@@ -0,0 +1,41 @@
+package roles
+
+import (
+	"strconv"
+	"strings"
+)
+
+var TopLevelRoles = map[string]struct{}{
+	"root":      {},
+	"targets":   {},
+	"snapshot":  {},
+	"timestamp": {},
+}
+
+func IsTopLevelRole(name string) bool {
+	_, ok := TopLevelRoles[name]
+	return ok
+}
+
+func IsDelegatedTargetsRole(name string) bool {
+	return !IsTopLevelRole(name)
+}
+
+func IsTopLevelManifest(name string) bool {
+	return IsTopLevelRole(strings.TrimSuffix(name, ".json"))
+}
+
+func IsDelegatedTargetsManifest(name string) bool {
+	return !IsTopLevelManifest(name)
+}
+
+func IsVersionedManifest(name string) bool {
+	parts := strings.Split(name, ".")
+	// Versioned manifests have the form "x.role.json"
+	if len(parts) < 3 {
+		return false
+	}
+
+	_, err := strconv.Atoi(parts[0])
+	return err == nil
+}
diff --git a/internal/roles/roles_test.go b/internal/roles/roles_test.go
@@ -0,0 +1,48 @@
+package roles
+
+import (
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestIsTopLevelRole(t *testing.T) {
+	assert.True(t, IsTopLevelRole("root"))
+	assert.True(t, IsTopLevelRole("targets"))
+	assert.True(t, IsTopLevelRole("timestamp"))
+	assert.True(t, IsTopLevelRole("snapshot"))
+	assert.False(t, IsTopLevelRole("bins"))
+}
+
+func TestIsDelegatedTargetsRole(t *testing.T) {
+	assert.False(t, IsDelegatedTargetsRole("root"))
+	assert.False(t, IsDelegatedTargetsRole("targets"))
+	assert.False(t, IsDelegatedTargetsRole("timestamp"))
+	assert.False(t, IsDelegatedTargetsRole("snapshot"))
+	assert.True(t, IsDelegatedTargetsRole("deleg"))
+}
+
+func TestIsTopLevelManifest(t *testing.T) {
+	assert.True(t, IsTopLevelManifest("root.json"))
+	assert.True(t, IsTopLevelManifest("targets.json"))
+	assert.True(t, IsTopLevelManifest("timestamp.json"))
+	assert.True(t, IsTopLevelManifest("snapshot.json"))
+	assert.False(t, IsTopLevelManifest("bins.json"))
+}
+
+func TestIsDelegatedTargetsManifest(t *testing.T) {
+	assert.False(t, IsDelegatedTargetsManifest("root.json"))
+	assert.False(t, IsDelegatedTargetsManifest("targets.json"))
+	assert.False(t, IsDelegatedTargetsManifest("timestamp.json"))
+	assert.False(t, IsDelegatedTargetsManifest("snapshot.json"))
+	assert.True(t, IsDelegatedTargetsManifest("bins.json"))
+}
+
+func TestIsVersionedManifest(t *testing.T) {
+	assert.False(t, IsVersionedManifest("a.b"))
+	assert.False(t, IsVersionedManifest("a.b.c"))
+	assert.False(t, IsVersionedManifest("a.b.json"))
+	assert.False(t, IsVersionedManifest("1.a"))
+	assert.True(t, IsVersionedManifest("1.a.json"))
+	assert.True(t, IsVersionedManifest("2.a.json"))
+}
diff --git a/repo.go b/repo.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/secure-systems-lab/go-securesystemslib/cjson"
 	"github.com/theupdateframework/go-tuf/data"
+	"github.com/theupdateframework/go-tuf/internal/roles"
 	"github.com/theupdateframework/go-tuf/internal/signer"
 	"github.com/theupdateframework/go-tuf/pkg/keys"
 	"github.com/theupdateframework/go-tuf/sign"
@@ -199,7 +200,7 @@ func (r *Repo) GetThreshold(keyRole string) (int, error) {
 }
 
 func (r *Repo) SetThreshold(keyRole string, t int) error {
-	if !validMetadata(keyRole + ".json") {
+	if !roles.IsTopLevelRole(keyRole) {
 		// Delegations are not currently supported, so return an error if this is not a
 		// top-level metadata file.
 		return ErrInvalidRole{keyRole}
@@ -319,7 +320,7 @@ func (r *Repo) timestamp() (*data.Timestamp, error) {
 }
 
 func (r *Repo) ChangePassphrase(keyRole string) error {
-	if !verify.ValidRole(keyRole) {
+	if !roles.IsTopLevelRole(keyRole) {
 		return ErrInvalidRole{keyRole}
 	}
 
@@ -352,7 +353,7 @@ func (r *Repo) AddPrivateKey(role string, signer keys.Signer) error {
 }
 
 func (r *Repo) AddPrivateKeyWithExpires(keyRole string, signer keys.Signer, expires time.Time) error {
-	if !verify.ValidRole(keyRole) {
+	if !roles.IsTopLevelRole(keyRole) {
 		return ErrInvalidRole{keyRole}
 	}
 
@@ -451,7 +452,7 @@ func (r *Repo) RevokeKey(role, id string) error {
 }
 
 func (r *Repo) RevokeKeyWithExpires(keyRole, id string, expires time.Time) error {
-	if !verify.ValidRole(keyRole) {
+	if !roles.IsTopLevelRole(keyRole) {
 		return ErrInvalidRole{keyRole}
 	}
 
@@ -555,7 +556,7 @@ func (r *Repo) setMeta(roleFilename string, meta interface{}) error {
 
 func (r *Repo) Sign(roleFilename string) error {
 	role := strings.TrimSuffix(roleFilename, ".json")
-	if !verify.ValidRole(role) {
+	if !roles.IsTopLevelRole(role) {
 		return ErrInvalidRole{role}
 	}
 
@@ -591,7 +592,7 @@ func (r *Repo) Sign(roleFilename string) error {
 // The name must be a valid metadata file name, like root.json.
 func (r *Repo) AddOrUpdateSignature(roleFilename string, signature data.Signature) error {
 	role := strings.TrimSuffix(roleFilename, ".json")
-	if !verify.ValidRole(role) {
+	if !roles.IsTopLevelRole(role) {
 		return ErrInvalidRole{role}
 	}
 
@@ -695,15 +696,6 @@ func (r *Repo) SignedMeta(roleFilename string) (*data.Signed, error) {
 	return s, nil
 }
 
-func validMetadata(roleFilename string) bool {
-	for _, m := range topLevelMetadata {
-		if m == roleFilename {
-			return true
-		}
-	}
-	return false
-}
-
 func (r *Repo) AddTarget(path string, custom json.RawMessage) error {
 	return r.AddTargets([]string{path}, custom)
 }
diff --git a/verify/db.go b/verify/db.go
@@ -2,6 +2,7 @@ package verify
 
 import (
 	"github.com/theupdateframework/go-tuf/data"
+	"github.com/theupdateframework/go-tuf/internal/roles"
 	"github.com/theupdateframework/go-tuf/pkg/keys"
 )
 
@@ -44,7 +45,7 @@ func NewDelegationsVerifier(d *data.Delegations) (DelegationsVerifier, error) {
 		verifiers: make(map[string]keys.Verifier, len(d.Keys)),
 	}
 	for _, r := range d.Roles {
-		if _, ok := topLevelRoles[r.Name]; ok {
+		if _, ok := roles.TopLevelRoles[r.Name]; ok {
 			return DelegationsVerifier{}, ErrInvalidDelegatedRole
 		}
 		role := &data.Role{Threshold: r.Threshold, KeyIDs: r.KeyIDs}
@@ -72,25 +73,8 @@ func (db *DB) AddKey(id string, k *data.PublicKey) error {
 	return nil
 }
 
-var topLevelRoles = map[string]struct{}{
-	"root":      {},
-	"targets":   {},
-	"snapshot":  {},
-	"timestamp": {},
-}
-
-// ValidRole checks if a role is a top level role.
-func ValidRole(name string) bool {
-	return isTopLevelRole(name)
-}
-
-func isTopLevelRole(name string) bool {
-	_, ok := topLevelRoles[name]
-	return ok
-}
-
 func (db *DB) AddRole(name string, r *data.Role) error {
-	if !isTopLevelRole(name) {
+	if !roles.IsTopLevelRole(name) {
 		return ErrInvalidRole
 	}
 	return db.addRole(name, r)
diff --git a/verify/verify.go b/verify/verify.go
@@ -7,6 +7,7 @@ import (
 
 	"github.com/secure-systems-lab/go-securesystemslib/cjson"
 	"github.com/theupdateframework/go-tuf/data"
+	"github.com/theupdateframework/go-tuf/internal/roles"
 )
 
 type signedMeta struct {
@@ -25,7 +26,7 @@ func (db *DB) VerifyIgnoreExpiredCheck(s *data.Signed, role string, minVersion i
 		return err
 	}
 
-	if isTopLevelRole(role) {
+	if roles.IsTopLevelRole(role) {
 		// Top-level roles can only sign metadata of the same type (e.g. snapshot
 		// metadata must be signed by the snapshot role).
 		if !strings.EqualFold(sm.Type, role) {

Original file line number	Diff line number	Diff line change
`@@ -12,6 +12,7 @@ import (`
`12`	`12`
`13`	`13`	`"github.com/secure-systems-lab/go-securesystemslib/cjson"`
`14`	`14`	`"github.com/theupdateframework/go-tuf/data"`
	`15`	`+ "github.com/theupdateframework/go-tuf/internal/roles"`
`15`	`16`	`"github.com/theupdateframework/go-tuf/internal/signer"`
`16`	`17`	`"github.com/theupdateframework/go-tuf/pkg/keys"`
`17`	`18`	`"github.com/theupdateframework/go-tuf/sign"`
`@@ -199,7 +200,7 @@ func (r *Repo) GetThreshold(keyRole string) (int, error) {`
`199`	`200`	`}`
`200`	`201`
`201`	`202`	`func (r *Repo) SetThreshold(keyRole string, t int) error {`
`202`		`- if !validMetadata(keyRole + ".json") {`
	`203`	`+ if !roles.IsTopLevelRole(keyRole) {`
`203`	`204`	`// Delegations are not currently supported, so return an error if this is not a`
`204`	`205`	`// top-level metadata file.`
`205`	`206`	`return ErrInvalidRole{keyRole}`
`@@ -319,7 +320,7 @@ func (r Repo) timestamp() (data.Timestamp, error) {`
`319`	`320`	`}`
`320`	`321`
`321`	`322`	`func (r *Repo) ChangePassphrase(keyRole string) error {`
`322`		`- if !verify.ValidRole(keyRole) {`
	`323`	`+ if !roles.IsTopLevelRole(keyRole) {`
`323`	`324`	`return ErrInvalidRole{keyRole}`
`324`	`325`	`}`
`325`	`326`
`@@ -352,7 +353,7 @@ func (r *Repo) AddPrivateKey(role string, signer keys.Signer) error {`
`352`	`353`	`}`
`353`	`354`
`354`	`355`	`func (r *Repo) AddPrivateKeyWithExpires(keyRole string, signer keys.Signer, expires time.Time) error {`
`355`		`- if !verify.ValidRole(keyRole) {`
	`356`	`+ if !roles.IsTopLevelRole(keyRole) {`
`356`	`357`	`return ErrInvalidRole{keyRole}`
`357`	`358`	`}`
`358`	`359`
`@@ -451,7 +452,7 @@ func (r *Repo) RevokeKey(role, id string) error {`
`451`	`452`	`}`
`452`	`453`
`453`	`454`	`func (r *Repo) RevokeKeyWithExpires(keyRole, id string, expires time.Time) error {`
`454`		`- if !verify.ValidRole(keyRole) {`
	`455`	`+ if !roles.IsTopLevelRole(keyRole) {`
`455`	`456`	`return ErrInvalidRole{keyRole}`
`456`	`457`	`}`
`457`	`458`
`@@ -555,7 +556,7 @@ func (r *Repo) setMeta(roleFilename string, meta interface{}) error {`
`555`	`556`
`556`	`557`	`func (r *Repo) Sign(roleFilename string) error {`
`557`	`558`	`role := strings.TrimSuffix(roleFilename, ".json")`
`558`		`- if !verify.ValidRole(role) {`
	`559`	`+ if !roles.IsTopLevelRole(role) {`
`559`	`560`	`return ErrInvalidRole{role}`
`560`	`561`	`}`
`561`	`562`
`@@ -591,7 +592,7 @@ func (r *Repo) Sign(roleFilename string) error {`
`591`	`592`	`// The name must be a valid metadata file name, like root.json.`
`592`	`593`	`func (r *Repo) AddOrUpdateSignature(roleFilename string, signature data.Signature) error {`
`593`	`594`	`role := strings.TrimSuffix(roleFilename, ".json")`
`594`		`- if !verify.ValidRole(role) {`
	`595`	`+ if !roles.IsTopLevelRole(role) {`
`595`	`596`	`return ErrInvalidRole{role}`
`596`	`597`	`}`
`597`	`598`
`@@ -695,15 +696,6 @@ func (r Repo) SignedMeta(roleFilename string) (data.Signed, error) {`
`695`	`696`	`return s, nil`
`696`	`697`	`}`
`697`	`698`
`698`		`-func validMetadata(roleFilename string) bool {`
`699`		`- for _, m := range topLevelMetadata {`
`700`		`- if m == roleFilename {`
`701`		`- return true`
`702`		`- }`
`703`		`- }`
`704`		`- return false`
`705`		`-}`
`706`		`-`
`707`	`699`	`func (r *Repo) AddTarget(path string, custom json.RawMessage) error {`
`708`	`700`	`return r.AddTargets([]string{path}, custom)`
`709`	`701`	`}`
Original file line number	Diff line number	Diff line change
`@@ -7,6 +7,7 @@ import (`
`7`	`7`
`8`	`8`	`"github.com/secure-systems-lab/go-securesystemslib/cjson"`
`9`	`9`	`"github.com/theupdateframework/go-tuf/data"`
	`10`	`+ "github.com/theupdateframework/go-tuf/internal/roles"`
`10`	`11`	`)`
`11`	`12`
`12`	`13`	`type signedMeta struct {`
`@@ -25,7 +26,7 @@ func (db DB) VerifyIgnoreExpiredCheck(s data.Signed, role string, minVersion i`
`25`	`26`	`return err`
`26`	`27`	`}`
`27`	`28`
`28`		`- if isTopLevelRole(role) {`
	`29`	`+ if roles.IsTopLevelRole(role) {`
`29`	`30`	`// Top-level roles can only sign metadata of the same type (e.g. snapshot`
`30`	`31`	`// metadata must be signed by the snapshot role).`
`31`	`32`	`if !strings.EqualFold(sm.Type, role) {`