tuf

package
v0.0.0-...-af40d72
Published: Jan 8, 2016 License: Apache-2.0, BSD-3-Clause Imports: 13 Imported by: 0

README

GOTUF

This is still a work in progress but will shortly be a fully compliant Go implementation of The Update Framework (TUF).

Where's the CLI?

This repository provides a library only. The Notary project from Docker should be considered the official CLI to be used with this implementation of TUF.

TODOs:

  • Add Targets to existing repo
  • Sign metadata files
  • Refactor TufRepo to take care of signing and verification
  • Ensure consistent capitalization in naming (TUF___ vs Tuf___)
  • Make caching of metadata files smarter - PR #5
  • Add configuration for CLI commands. Order of configuration priority from most to least: flags, config file, defaults. (Notary should be the official CLI.)
  • Reassess organization of data types. Possibly consolidate a few things into the data package but break up the package into a few more distinct files
  • Comprehensive test cases
  • Delete files no longer in use
  • Fix up errors. Some have to be instantiated, others don't, the inconsistency is annoying.
  • Bump version numbers in meta files (could probably be done better)

Credits

This implementation was originally forked from flynn/go-tuf; however, in attempting to add delegations I found I was making such significant changes that I could not maintain backwards compatibility without the code becoming overly convoluted.

Some features such as pluggable verifiers have already been merged upstream to flynn/go-tuf and we are in discussion with titanous about working to merge the two implementations.

This implementation retains the same 3-Clause BSD license present on the original flynn implementation.

Documentation

Overview

Package tuf defines the core TUF logic around manipulating a repo.

Index

Constants

This section is empty.

Variables

This section is empty.

Functions

This section is empty.

Types

type ErrLocalRootExpired

type ErrLocalRootExpired struct{}

ErrLocalRootExpired - the local root file is out of date

func (ErrLocalRootExpired) Error

func (e ErrLocalRootExpired) Error() string

type ErrMetaExpired

type ErrMetaExpired struct{}

ErrMetaExpired - metadata file has expired

func (ErrMetaExpired) Error

func (e ErrMetaExpired) Error() string

type ErrNotLoaded

type ErrNotLoaded struct {
	// contains filtered or unexported fields
}

ErrNotLoaded - attempted to access data that has not been loaded into the repo

func (ErrNotLoaded) Error

func (err ErrNotLoaded) Error() string

type ErrSigVerifyFail

type ErrSigVerifyFail struct{}

ErrSigVerifyFail - signature verification failed

func (ErrSigVerifyFail) Error

func (e ErrSigVerifyFail) Error() string

type Repo

type Repo struct {
	Root      *data.SignedRoot
	Targets   map[string]*data.SignedTargets
	Snapshot  *data.SignedSnapshot
	Timestamp *data.SignedTimestamp
	// contains filtered or unexported fields
}

Repo is an in memory representation of the TUF Repo. It operates at the data.Signed level, accepting and producing data.Signed objects. Users of a Repo are responsible for fetching raw JSON and using the Set* functions to populate the Repo instance.

func NewRepo

func NewRepo(keysDB *keys.KeyDB, cryptoService signed.CryptoService) *Repo

NewRepo initializes a Repo instance with a keysDB and a signer. If the Repo will only be used for reading, the signer should be nil.

func (*Repo) AddBaseKeys

func (tr *Repo) AddBaseKeys(role string, keys ...data.PublicKey) error

AddBaseKeys is used to add keys to the role in root.json

func (*Repo) AddTargets

func (tr *Repo) AddTargets(role string, targets data.Files) (data.Files, error)

AddTargets will attempt to add the given targets specifically to the directed role. If the metadata for the role doesn't exist yet, AddTargets will create one.

func (*Repo) DeleteDelegation

func (tr *Repo) DeleteDelegation(role data.Role) error

DeleteDelegation removes a delegated targets role from its parent targets object. It also deletes the delegation from the snapshot. DeleteDelegation will only make use of the role Name field.

func (Repo) FindTarget

func (tr Repo) FindTarget(path string) *data.FileMeta

FindTarget attempts to find the target represented by the given path by starting at the top targets file and traversing appropriate delegations until the first entry is found or it runs out of locations to search. N.B. Multiple entries may exist in different delegated roles for the same target. Only the first one encountered is returned.
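The lookup order described above decides which role's entry a client trusts when several delegations list the same path. The following is an added example, not code from notary: FileMeta, Role, PathPrefix, findTarget and buildExample are constructed stand-ins for the package's data types and FindTarget, and each delegation is restricted to a single path prefix for brevity.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed model of TUF targets metadata for this example, standing in for
// notary's data.FileMeta/data.Role (real delegations carry a list of paths).
type FileMeta struct{ Length int64 }
type Role struct {
	Name        string
	PathPrefix  string // a delegation may only publish targets under this prefix
	Targets     map[string]FileMeta
	Delegations []*Role // consulted in listed order
}
// findTarget follows the FindTarget contract above: return the role's own entry
// if present, else descend into delegations in order and return the first hit.
// Delegation order therefore decides whose entry is trusted when two roles list
// the same path; entries outside a delegation's prefix are ignored even if signed.
func findTarget(role *Role, path string) (*FileMeta, string) {
	if m, ok := role.Targets[path]; ok {
		return &m, role.Name
	}
	for _, d := range role.Delegations {
		if !strings.HasPrefix(path, d.PathPrefix) {
			continue
		}
		if m, owner := findTarget(d, path); m != nil {
			return m, owner
		}
	}
	return nil, ""
}

// buildExample: "release" and "nightly" both claim bin/app; "docs" lists a
// target outside the prefix delegated to it.
func buildExample() *Role {
	release := &Role{Name: "release", PathPrefix: "bin/", Targets: map[string]FileMeta{"bin/app": {1024}}}
	nightly := &Role{Name: "nightly", PathPrefix: "bin/", Targets: map[string]FileMeta{"bin/app": {4096}, "bin/dev": {8}}}
	docs := &Role{Name: "docs", PathPrefix: "docs/", Targets: map[string]FileMeta{"bin/rogue": {1}}}
	return &Role{Name: "targets", Targets: map[string]FileMeta{"README": {12}}, Delegations: []*Role{release, nightly, docs}}
}

func main() {
	for _, p := range []string{"README", "bin/app", "bin/dev", "bin/rogue"} {
		m, owner := findTarget(buildExample(), p)
		fmt.Printf("%-9s owner=%q meta=%v\n", p, owner, m) // owner "" and meta <nil> when not found
	}
}
```

Swapping the order of "release" and "nightly" in buildExample changes which entry is returned for bin/app, which is why a reviewer of a targets file should treat delegation order as part of the trust decision.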

func (*Repo) GetDelegation

func (tr *Repo) GetDelegation(role string) (*data.Role, error)

GetDelegation finds the role entry representing the provided role name, or returns ErrInvalidRole.

func (*Repo) InitRepo

func (tr *Repo) InitRepo(consistent bool) error

InitRepo creates the base files for a repo. It inspects data.BaseRoles and data.ValidTypes to determine what the role names and filenames should be. It also relies on the keysDB having already been populated with the keys and roles.

func (*Repo) InitRoot

func (tr *Repo) InitRoot(consistent bool) error

InitRoot initializes an empty root file with the 4 core roles based on the current content of the key DB.

func (*Repo) InitSnapshot

func (tr *Repo) InitSnapshot() error

InitSnapshot initializes a snapshot based on the current root and targets

func (*Repo) InitTargets

func (tr *Repo) InitTargets(role string) (*data.SignedTargets, error)

InitTargets initializes an empty targets file for the given role and returns the new empty targets object.

func (*Repo) InitTimestamp

func (tr *Repo) InitTimestamp() error

InitTimestamp initializes a timestamp based on the current snapshot

func (*Repo) RemoveBaseKeys

func (tr *Repo) RemoveBaseKeys(role string, keyIDs ...string) error

RemoveBaseKeys is used to remove keys from the roles in root.json

func (*Repo) RemoveTargets

func (tr *Repo) RemoveTargets(role string, targets ...string) error

RemoveTargets removes the given target paths from the given targets role (delegation).

func (*Repo) ReplaceBaseKeys

func (tr *Repo) ReplaceBaseKeys(role string, keys ...data.PublicKey) error

ReplaceBaseKeys is used to replace all keys for the given role with the new keys

func (*Repo) SetRoot

func (tr *Repo) SetRoot(s *data.SignedRoot) error

SetRoot parses the Signed object into a SignedRoot object, sets the keys and roles in the KeyDB, and sets the Repo.Root field to the SignedRoot object.

func (*Repo) SetSnapshot

func (tr *Repo) SetSnapshot(s *data.SignedSnapshot) error

SetSnapshot parses the Signed object into a SignedSnapshot object and sets the Repo.Snapshot field.

func (*Repo) SetTargets

func (tr *Repo) SetTargets(role string, s *data.SignedTargets) error

SetTargets parses the Signed object into a SignedTargets object, reads the delegated roles and keys into the KeyDB, and sets the SignedTargets object against the role in the Repo.Targets map.

func (*Repo) SetTimestamp

func (tr *Repo) SetTimestamp(s *data.SignedTimestamp) error

SetTimestamp parses the Signed object into a SignedTimestamp object and sets the Repo.Timestamp field.

func (*Repo) SignRoot

func (tr *Repo) SignRoot(expires time.Time) (*data.Signed, error)

SignRoot signs the root

func (*Repo) SignSnapshot

func (tr *Repo) SignSnapshot(expires time.Time) (*data.Signed, error)

SignSnapshot updates the snapshot based on the current targets and root then signs it

func (*Repo) SignTargets

func (tr *Repo) SignTargets(role string, expires time.Time) (*data.Signed, error)

SignTargets signs the targets file for the given top level or delegated targets role

func (*Repo) SignTimestamp

func (tr *Repo) SignTimestamp(expires time.Time) (*data.Signed, error)

SignTimestamp updates the timestamp based on the current snapshot then signs it

func (Repo) TargetDelegations

func (tr Repo) TargetDelegations(role, path, pathHex string) []*data.Role

TargetDelegations returns a slice of Roles that are valid publishers for the target path provided.

func (Repo) TargetMeta

func (tr Repo) TargetMeta(role, path string) *data.FileMeta

TargetMeta returns the FileMeta entry for the given path in the targets file associated with the given role. This may be nil if the target isn't found in the targets file.

func (*Repo) UpdateDelegations

func (tr *Repo) UpdateDelegations(role *data.Role, keys []data.PublicKey) error

UpdateDelegations updates the appropriate delegations, either adding a new delegation or updating an existing one. If keys are provided, the IDs will be added to the role (if they do not exist there already), and the keys will be added to the targets file.

func (*Repo) UpdateSnapshot

func (tr *Repo) UpdateSnapshot(role string, s *data.Signed) error

UpdateSnapshot updates the FileMeta for the given role based on the Signed object

func (*Repo) UpdateTimestamp

func (tr *Repo) UpdateTimestamp(s *data.Signed) error

UpdateTimestamp updates the snapshot meta in the timestamp based on the Signed object

func (*Repo) VerifyCanSign

func (tr *Repo) VerifyCanSign(roleName string) error

VerifyCanSign returns nil if the role exists and we have at least one signing key for the role, and an error otherwise (the role doesn't exist, or there are no signing keys for it). It does not check that we have enough signing keys to meet the threshold, since we want to support the use case of multiple signers for a role.

Directories

Package encrypted provides a simple, secure system for encrypting data symmetrically with a passphrase.
