Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Support modifying role thresholds #135

Merged
merged 4 commits into from
Jun 30, 2021
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
9 changes: 5 additions & 4 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,11 @@ Prompts the user for an encryption passphrase (unless the
writes it to the relevant key file in the `keys` directory. It also stages
the addition of the new key to the `root` manifest.

#### `tuf set-threshold <role> <threshold>`

Sets the `role` threshold, the required number of keys for signing, to
`threshold`.

#### `tuf add [<path>...]`

Hashes files in the `staged/targets` directory at the given path(s), then
Expand Down Expand Up @@ -501,10 +506,6 @@ $ tree .
└── staged
```

#### Modify key thresholds

TODO

## Client

For the client package, see https://godoc.org/github.com/theupdateframework/go-tuf/client.
Expand Down
28 changes: 28 additions & 0 deletions cmd/tuf/get_threshold.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,28 @@
package main

import (
"fmt"

"github.com/flynn/go-docopt"
"github.com/theupdateframework/go-tuf"
)

func init() {
register("get-threshold", cmdGetThreshold, `
usage: tuf get-threshold <role>

Gets the threshold for a role.
`)
}

func cmdGetThreshold(args *docopt.Args, repo *tuf.Repo) error {
role := args.String["<role>"]

threshold, err := repo.GetThreshold(role)
if err != nil {
return err
}

fmt.Println("Got", role, "threshold", threshold)
return nil
}
1 change: 1 addition & 0 deletions cmd/tuf/main.go
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,7 @@ Commands:
regenerate Recreate the targets manifest
clean Remove all staged manifests
root-keys Output a JSON serialized array of root keys to STDOUT
set-threshold Sets the threshold for a role

See "tuf help <command>" for more information on a specific command
`
Expand Down
33 changes: 33 additions & 0 deletions cmd/tuf/set_threshold.go
Original file line number Diff line number Diff line change
@@ -0,0 +1,33 @@
package main

import (
"fmt"
"strconv"

"github.com/flynn/go-docopt"
"github.com/theupdateframework/go-tuf"
)

func init() {
register("set-threshold", cmdSetThreshold, `
usage: tuf set-threshold <role> <threshold>

Set the threshold for a role.
`)
}

func cmdSetThreshold(args *docopt.Args, repo *tuf.Repo) error {
role := args.String["<role>"]
thresholdStr := args.String["<threshold>"]
threshold, err := strconv.Atoi(thresholdStr)
if err != nil {
return err
}

if err := repo.SetThreshold(role, threshold); err != nil {
return err
}

fmt.Println("Set ", role, "threshold to", threshold)
return nil
}
39 changes: 39 additions & 0 deletions repo.go
Original file line number Diff line number Diff line change
Expand Up @@ -167,6 +167,45 @@ func (r *Repo) RootVersion() (int, error) {
return root.Version, nil
}

func (r *Repo) GetThreshold(keyRole string) (int, error) {
asraa marked this conversation as resolved.
Show resolved Hide resolved
root, err := r.root()
if err != nil {
return -1, err
}
role, ok := root.Roles[keyRole]
if !ok {
return -1, ErrInvalidRole{keyRole}
}

return role.Threshold, nil
}

func (r *Repo) SetThreshold(keyRole string, t int) error {
if !validManifest(keyRole + ".json") {
// Delegations are not currently supported, so return an error if this is not a
// top-level manifest.
return ErrInvalidRole{keyRole}
}
root, err := r.root()
if err != nil {
return err
}
role, ok := root.Roles[keyRole]
if !ok {
return ErrInvalidRole{keyRole}
}
if role.Threshold == t {
// Change was a no-op.
return nil
}
role.Threshold = t
if _, ok := r.versionUpdated["root.json"]; !ok {
asraa marked this conversation as resolved.
Show resolved Hide resolved
root.Version++
r.versionUpdated["root.json"] = struct{}{}
trishankatdatadog marked this conversation as resolved.
Show resolved Hide resolved
}
return r.setMeta("root.json", root)
}

func (r *Repo) Targets() (data.TargetFiles, error) {
targets, err := r.targets()
if err != nil {
Expand Down
54 changes: 53 additions & 1 deletion repo_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -705,7 +705,7 @@ func (rs *RepoSuite) TestCommitVersions(c *C) {
c.Assert(err, IsNil)
c.Assert(snapshotVersion, Equals, 3)

timestampVersion, err = r.SnapshotVersion()
timestampVersion, err = r.TimestampVersion()
asraa marked this conversation as resolved.
Show resolved Hide resolved
asraa marked this conversation as resolved.
Show resolved Hide resolved
c.Assert(err, IsNil)
c.Assert(timestampVersion, Equals, 3)
}
Expand Down Expand Up @@ -1378,3 +1378,55 @@ func (rs *RepoSuite) TestUnknownKeyIDs(c *C) {
c.Assert(ok, Equals, true)
c.Assert(unknownKey, DeepEquals, key.PublicData())
}

func (rs *RepoSuite) TestThreshold(c *C) {
local := MemoryStore(make(map[string]json.RawMessage), nil)
r, err := NewRepo(local)
c.Assert(err, IsNil)

// Add one key to each role
genKey(c, r, "root")
genKey(c, r, "targets")
genKey(c, r, "snapshot")
genKey(c, r, "timestamp")
t, err := r.GetThreshold("root")
c.Assert(err, IsNil)
c.Assert(t, Equals, 1)

// commit the metadata to the store.
c.Assert(r.AddTargets([]string{}, nil), IsNil)
c.Assert(r.Snapshot(CompressionTypeNone), IsNil)
c.Assert(r.Timestamp(), IsNil)
c.Assert(r.Commit(), IsNil)

// Set a new threshold. Commit without threshold keys
c.Assert(r.SetThreshold("root", 2), IsNil)
t, err = r.GetThreshold("root")
c.Assert(err, IsNil)
c.Assert(t, Equals, 2)
c.Assert(r.Commit(), DeepEquals, ErrNotEnoughKeys{"root", 1, 2})

// Add a second root key and try again
genKey(c, r, "root")
c.Assert(r.Sign("root.json"), IsNil)
c.Assert(r.Snapshot(CompressionTypeNone), IsNil)
c.Assert(r.Timestamp(), IsNil)
c.Assert(r.Commit(), IsNil)

// Check versions updated
rootVersion, err := r.RootVersion()
c.Assert(err, IsNil)
c.Assert(rootVersion, Equals, 2)

targetsVersion, err := r.TargetsVersion()
c.Assert(err, IsNil)
c.Assert(targetsVersion, Equals, 1)

snapshotVersion, err := r.SnapshotVersion()
c.Assert(err, IsNil)
c.Assert(snapshotVersion, Equals, 2)

timestampVersion, err := r.TimestampVersion()
c.Assert(err, IsNil)
c.Assert(timestampVersion, Equals, 2)
}