theupdateframework · ethan-lowman-dd · Aug 25, 2021
@@ -18,6 +18,7 @@ import (
 	cjson "github.com/tent/canonical-json-go"
 	tuf "github.com/theupdateframework/go-tuf"
 	"github.com/theupdateframework/go-tuf/data"
+	"github.com/theupdateframework/go-tuf/internal/sets"
 	"github.com/theupdateframework/go-tuf/pkg/keys"
 	"github.com/theupdateframework/go-tuf/sign"
 	"github.com/theupdateframework/go-tuf/util"
@@ -362,7 +363,7 @@ func (s *ClientSuite) TestNewRoot(c *C) {
 		}
 		role := client.db.GetRole(name)
 		c.Assert(role, NotNil)
-		c.Assert(role.KeyIDs, DeepEquals, util.StringSliceToSet(ids))
+		c.Assert(role.KeyIDs, DeepEquals, sets.StringSliceToSet(ids))
 	}
 }
 
@@ -602,7 +603,7 @@ func (s *ClientSuite) TestNewTimestampKey(c *C) {
 	}
 	role := client.db.GetRole("timestamp")
 	c.Assert(role, NotNil)
-	c.Assert(role.KeyIDs, DeepEquals, util.StringSliceToSet(newIDs))
+	c.Assert(role.KeyIDs, DeepEquals, sets.StringSliceToSet(newIDs))
 }
 
 func (s *ClientSuite) TestNewSnapshotKey(c *C) {
@@ -642,7 +643,7 @@ func (s *ClientSuite) TestNewSnapshotKey(c *C) {
 	}
 	role := client.db.GetRole("snapshot")
 	c.Assert(role, NotNil)
-	c.Assert(role.KeyIDs, DeepEquals, util.StringSliceToSet(newIDs))
+	c.Assert(role.KeyIDs, DeepEquals, sets.StringSliceToSet(newIDs))
 }
 
 func (s *ClientSuite) TestNewTargetsKey(c *C) {
@@ -685,7 +686,7 @@ func (s *ClientSuite) TestNewTargetsKey(c *C) {
 	}
 	role := client.db.GetRole("targets")
 	c.Assert(role, NotNil)
-	c.Assert(role.KeyIDs, DeepEquals, util.StringSliceToSet(newIDs))
+	c.Assert(role.KeyIDs, DeepEquals, sets.StringSliceToSet(newIDs))
 }
 
 func (s *ClientSuite) TestLocalExpired(c *C) {

@@ -20,15 +20,15 @@ func (c *Client) getTargetFileMeta(target string) (data.TargetFileMeta, error) {
 	// - filter delegations with paths or path_hash_prefixes matching searched target
 	// - 5.6.7.1 cycles protection
 	// - 5.6.7.2 terminations
-	delegations := targets.NewDelegationsIterator(target)
+	delegations := targets.NewDelegationsIterator(target, c.db)
 	for i := 0; i < c.MaxDelegations; i++ {
 		d, ok := delegations.Next()
 		if !ok {
 			return data.TargetFileMeta{}, ErrUnknownTarget{target, snapshot.Version}
 		}
 
 		// covers 5.6.{1,2,3,4,5,6}
-		targets, err := c.loadDelegatedTargets(snapshot, d.Delegatee.Name, d.Verifier)
+		targets, err := c.loadDelegatedTargets(snapshot, d.Delegatee.Name, d.DB)
 		if err != nil {
 			return data.TargetFileMeta{}, err
 		}
@@ -39,11 +39,11 @@ func (c *Client) getTargetFileMeta(target string) (data.TargetFileMeta, error) {
 		}
 
 		if targets.Delegations != nil {
-			delegationsVerifier, err := verify.NewDelegationsVerifier(targets.Delegations)
+			delegationsDB, err := verify.NewDBFromDelegations(targets.Delegations)
 			if err != nil {
 				return data.TargetFileMeta{}, err
 			}
-			err = delegations.Add(targets.Delegations.Roles, d.Delegatee.Name, delegationsVerifier)
+			err = delegations.Add(targets.Delegations.Roles, d.Delegatee.Name, delegationsDB)
 			if err != nil {
 				return data.TargetFileMeta{}, err
 			}
@@ -75,7 +75,7 @@ func (c *Client) loadLocalSnapshot() (*data.Snapshot, error) {
 }
 
 // loadDelegatedTargets downloads, decodes, verifies and stores targets
-func (c *Client) loadDelegatedTargets(snapshot *data.Snapshot, role string, verifier verify.DelegationsVerifier) (*data.Targets, error) {
+func (c *Client) loadDelegatedTargets(snapshot *data.Snapshot, role string, db *verify.DB) (*data.Targets, error) {
 	var err error
 	fileName := role + ".json"
 	fileMeta, ok := snapshot.Meta[fileName]
@@ -98,11 +98,7 @@ func (c *Client) loadDelegatedTargets(snapshot *data.Snapshot, role string, veri
 	// 5.6.3 verify signature with parent public keys
 	// 5.6.5 verify that the targets is not expired
 	// role "targets" is a top role verified by root keys loaded in the client db
-	if role == "targets" {
-		err = c.db.Unmarshal(raw, targets, role, fileMeta.Version)
-	} else {
-		err = verifier.Unmarshal(raw, targets, role, fileMeta.Version)
-	}
+	err = db.Unmarshal(raw, targets, role, fileMeta.Version)
 	if err != nil {
 		return nil, ErrDecodeFailed{fileName, err}
 	}

@@ -82,12 +82,13 @@ func DefaultExpires(role string) time.Time {
 	switch role {
 	case "root":
 		t = time.Now().AddDate(1, 0, 0)
-	case "targets":
-		t = time.Now().AddDate(0, 3, 0)
 	case "snapshot":
 		t = time.Now().AddDate(0, 0, 7)
 	case "timestamp":
 		t = time.Now().AddDate(0, 0, 1)
+	default:
+		// Target
+		t = time.Now().AddDate(0, 3, 0)
 	}
 	return t.UTC().Round(time.Second)
 }

@@ -86,3 +86,11 @@ type ErrPassphraseRequired struct {
 func (e ErrPassphraseRequired) Error() string {
 	return fmt.Sprintf("tuf: a passphrase is required to access the encrypted %s keys file", e.Role)
 }
+
+type ErrNoDelegatedTarget struct {
+	Path string
+}
+
+func (e ErrNoDelegatedTarget) Error() string {
+	return fmt.Sprintf("tuf: no delegated target for path %s", e.Path)
+}
@@ -0,0 +1,41 @@
+package roles
+
+import (
+	"strconv"
+	"strings"
+)
+
+var TopLevelRoles = map[string]struct{}{
+	"root":      {},
+	"targets":   {},
+	"snapshot":  {},
+	"timestamp": {},
+}
+
+func IsTopLevelRole(name string) bool {
+	_, ok := TopLevelRoles[name]
+	return ok
+}
+
+func IsDelegatedTargetsRole(name string) bool {
+	return !IsTopLevelRole(name)
+}
+
+func IsTopLevelManifest(name string) bool {
+	return IsTopLevelRole(strings.TrimSuffix(name, ".json"))
+}
+
+func IsDelegatedTargetsManifest(name string) bool {
+	return !IsTopLevelManifest(name)
+}
+
+func IsVersionedManifest(name string) bool {
+	parts := strings.Split(name, ".")
+	// Versioned manifests have the form "x.role.json"
+	if len(parts) < 3 {
+		return false
+	}
+
+	_, err := strconv.Atoi(parts[0])
+	return err == nil
+}
@@ -0,0 +1,24 @@
+package sets
+
+func StringSliceToSet(items []string) map[string]struct{} {
+	s := make(map[string]struct{})
+	for _, item := range items {
+		s[item] = struct{}{}
+	}
+	return s
+}
+
+func StringSetToSlice(items map[string]struct{}) []string {
+	ret := []string{}
+
+	for k := range items {
+		ret = append(ret, k)
+	}
+
+	return ret
+}
+
+func DeduplicateStrings(items []string) []string {
+	s := StringSliceToSet(items)
+	return StringSetToSlice(s)
+}
@@ -2,13 +2,14 @@ package targets
 
 import (
 	"github.com/theupdateframework/go-tuf/data"
+	"github.com/theupdateframework/go-tuf/internal/sets"
 	"github.com/theupdateframework/go-tuf/verify"
 )
 
 type Delegation struct {
 	Delegator string
-	Verifier  verify.DelegationsVerifier
 	Delegatee data.DelegatedRole
+	DB        *verify.DB
 }
 
 type delegationsIterator struct {
@@ -18,13 +19,23 @@ type delegationsIterator struct {
 }
 
 // NewDelegationsIterator initialises an iterator with a first step
-// on top level targets
-func NewDelegationsIterator(target string) *delegationsIterator {
+// on top level targets.
+func NewDelegationsIterator(target string, topLevelKeysDB *verify.DB) *delegationsIterator {
+	role := topLevelKeysDB.GetRole("targets")
+	keyIDs := []string{}
+	if role != nil {
+		keyIDs = sets.StringSetToSlice(role.KeyIDs)
+	}
+
 	i := &delegationsIterator{
 		target: target,
 		stack: []Delegation{
 			{
-				Delegatee: data.DelegatedRole{Name: "targets"},
+				Delegatee: data.DelegatedRole{
+					Name:   "targets",
+					KeyIDs: keyIDs,
+				},
+				DB: topLevelKeysDB,
 			},
 		},
 		visitedRoles: make(map[string]struct{}),
@@ -57,7 +68,7 @@ func (d *delegationsIterator) Next() (value Delegation, ok bool) {
 	return delegation, true
 }
 
-func (d *delegationsIterator) Add(roles []data.DelegatedRole, delegator string, verifier verify.DelegationsVerifier) error {
+func (d *delegationsIterator) Add(roles []data.DelegatedRole, delegator string, db *verify.DB) error {
 	for i := len(roles) - 1; i >= 0; i-- {
 		// Push the roles onto the stack in reverse so we get an preorder traversal
 		// of the delegations graph.
@@ -70,7 +81,7 @@ func (d *delegationsIterator) Add(roles []data.DelegatedRole, delegator string,
 			delegation := Delegation{
 				Delegator: delegator,
 				Delegatee: r,
-				Verifier:  verifier,
+				DB:        db,
 			}
 			d.stack = append(d.stack, delegation)
 		}