Merge pull request #17219 from endophage/gotuf_bugfixes
some bugfixes on getting tuf files
commit
967e49bdbc
5 changed files with 29 additions and 18 deletions
|
@ -43,7 +43,7 @@ clone git github.com/docker/distribution 20c4b7a1805a52753dfd593ee1cc35558722a0c
|
||||||
clone git github.com/vbatts/tar-split v0.9.10
|
clone git github.com/vbatts/tar-split v0.9.10
|
||||||
|
|
||||||
clone git github.com/docker/notary 089d8450d8928aa1c58fd03f09cabbde9bcb4590
|
clone git github.com/docker/notary 089d8450d8928aa1c58fd03f09cabbde9bcb4590
|
||||||
clone git github.com/endophage/gotuf 876c31a61bc4aa0dae09bb8ef3946dc26dd04924
|
clone git github.com/endophage/gotuf 2df1c8e0a7b7e10ae2113bf37aaa1bf1c1de8cc5
|
||||||
clone git github.com/jfrazelle/go 6e461eb70cb4187b41a84e9a567d7137bdbe0f16
|
clone git github.com/jfrazelle/go 6e461eb70cb4187b41a84e9a567d7137bdbe0f16
|
||||||
clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
|
clone git github.com/agl/ed25519 d2b94fd789ea21d12fac1a4443dd3a3f79cda72c
|
||||||
|
|
||||||
|
|
|
@ -261,8 +261,7 @@ func (c *Client) downloadTimestamp() error {
|
||||||
}
|
}
|
||||||
// unlike root, targets and snapshot, always try and download timestamps
|
// unlike root, targets and snapshot, always try and download timestamps
|
||||||
// from remote, only using the cache one if we couldn't reach remote.
|
// from remote, only using the cache one if we couldn't reach remote.
|
||||||
raw, err := c.remote.GetMeta(role, maxSize)
|
raw, s, err := c.downloadSigned(role, maxSize, nil)
|
||||||
var s *data.Signed
|
|
||||||
if err != nil || len(raw) == 0 {
|
if err != nil || len(raw) == 0 {
|
||||||
if err, ok := err.(store.ErrMetaNotFound); ok {
|
if err, ok := err.(store.ErrMetaNotFound); ok {
|
||||||
return err
|
return err
|
||||||
|
@ -279,11 +278,6 @@ func (c *Client) downloadTimestamp() error {
|
||||||
s = old
|
s = old
|
||||||
} else {
|
} else {
|
||||||
download = true
|
download = true
|
||||||
s = &data.Signed{}
|
|
||||||
err = json.Unmarshal(raw, s)
|
|
||||||
if err != nil {
|
|
||||||
return err
|
|
||||||
}
|
|
||||||
}
|
}
|
||||||
err = signed.Verify(s, role, version, c.keysDB)
|
err = signed.Verify(s, role, version, c.keysDB)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
|
@ -305,10 +299,13 @@ func (c *Client) downloadTimestamp() error {
|
||||||
func (c *Client) downloadSnapshot() error {
|
func (c *Client) downloadSnapshot() error {
|
||||||
logrus.Debug("downloadSnapshot")
|
logrus.Debug("downloadSnapshot")
|
||||||
role := data.RoleName("snapshot")
|
role := data.RoleName("snapshot")
|
||||||
|
if c.local.Timestamp == nil {
|
||||||
|
return ErrMissingMeta{role: "snapshot"}
|
||||||
|
}
|
||||||
size := c.local.Timestamp.Signed.Meta[role].Length
|
size := c.local.Timestamp.Signed.Meta[role].Length
|
||||||
expectedSha256, ok := c.local.Timestamp.Signed.Meta[role].Hashes["sha256"]
|
expectedSha256, ok := c.local.Timestamp.Signed.Meta[role].Hashes["sha256"]
|
||||||
if !ok {
|
if !ok {
|
||||||
return fmt.Errorf("Sha256 is currently the only hash supported by this client. No Sha256 found for snapshot")
|
return ErrMissingMeta{role: "snapshot"}
|
||||||
}
|
}
|
||||||
|
|
||||||
var download bool
|
var download bool
|
||||||
|
@ -373,6 +370,9 @@ func (c *Client) downloadSnapshot() error {
|
||||||
// including delegates roles.
|
// including delegates roles.
|
||||||
func (c *Client) downloadTargets(role string) error {
|
func (c *Client) downloadTargets(role string) error {
|
||||||
role = data.RoleName(role) // this will really only do something for base targets role
|
role = data.RoleName(role) // this will really only do something for base targets role
|
||||||
|
if c.local.Snapshot == nil {
|
||||||
|
return ErrMissingMeta{role: role}
|
||||||
|
}
|
||||||
snap := c.local.Snapshot.Signed
|
snap := c.local.Snapshot.Signed
|
||||||
root := c.local.Root.Signed
|
root := c.local.Root.Signed
|
||||||
r := c.keysDB.GetRole(role)
|
r := c.keysDB.GetRole(role)
|
||||||
|
@ -398,13 +398,12 @@ func (c *Client) downloadTargets(role string) error {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (c *Client) downloadSigned(role string, size int64, expectedSha256 []byte) ([]byte, *data.Signed, error) {
|
func (c *Client) downloadSigned(role string, size int64, expectedSha256 []byte) ([]byte, *data.Signed, error) {
|
||||||
logrus.Debugf("downloading new %s", role)
|
|
||||||
raw, err := c.remote.GetMeta(role, size)
|
raw, err := c.remote.GetMeta(role, size)
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, nil, err
|
return nil, nil, err
|
||||||
}
|
}
|
||||||
genHash := sha256.Sum256(raw)
|
genHash := sha256.Sum256(raw)
|
||||||
if !bytes.Equal(genHash[:], expectedSha256) {
|
if expectedSha256 != nil && !bytes.Equal(genHash[:], expectedSha256) {
|
||||||
return nil, nil, ErrChecksumMismatch{role: role}
|
return nil, nil, ErrChecksumMismatch{role: role}
|
||||||
}
|
}
|
||||||
s := &data.Signed{}
|
s := &data.Signed{}
|
||||||
|
@ -419,11 +418,11 @@ func (c Client) GetTargetsFile(role string, keyIDs []string, snapshotMeta data.F
|
||||||
// require role exists in snapshots
|
// require role exists in snapshots
|
||||||
roleMeta, ok := snapshotMeta[role]
|
roleMeta, ok := snapshotMeta[role]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, fmt.Errorf("Snapshot does not contain target role")
|
return nil, ErrMissingMeta{role: role}
|
||||||
}
|
}
|
||||||
expectedSha256, ok := snapshotMeta[role].Hashes["sha256"]
|
expectedSha256, ok := snapshotMeta[role].Hashes["sha256"]
|
||||||
if !ok {
|
if !ok {
|
||||||
return nil, fmt.Errorf("Sha256 is currently the only hash supported by this client. No Sha256 found for targets role %s", role)
|
return nil, ErrMissingMeta{role: role}
|
||||||
}
|
}
|
||||||
|
|
||||||
// try to get meta file from content addressed cache
|
// try to get meta file from content addressed cache
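Review bot: In `downloadSigned`, the new `expectedSha256 != nil &&` guard makes a nil hash mean "skip the checksum", so any caller that ends up with a nil value loses the integrity check silently instead of failing. `downloadSnapshot` and `GetTargetsFile` only test `ok` on the `Hashes["sha256"]` lookup, and a key that is present with a null value would presumably still pass that test (the `Hashes` type is not visible here). I would tighten both call sites to `if !ok || len(expectedSha256) == 0 {` so that only `downloadTimestamp`, which passes `nil` on purpose and then relies on `signed.Verify`, takes the unchecked path. A comment on `downloadSigned` such as `// a nil expectedSha256 skips the checksum; the caller must then verify the signature` would make the contract explicit. These function bodies continue outside the hunks shown.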
|
||||||
|
|
|
@ -18,6 +18,14 @@ func (e ErrChecksumMismatch) Error() string {
|
||||||
return fmt.Sprintf("tuf: checksum for %s did not match", e.role)
|
return fmt.Sprintf("tuf: checksum for %s did not match", e.role)
|
||||||
}
|
}
|
||||||
|
|
||||||
|
type ErrMissingMeta struct {
|
||||||
|
role string
|
||||||
|
}
|
||||||
|
|
||||||
|
func (e ErrMissingMeta) Error() string {
|
||||||
|
return fmt.Sprintf("tuf: sha256 checksum required for %s", e.role)
|
||||||
|
}
|
||||||
|
|
||||||
type ErrMissingRemoteMetadata struct {
|
type ErrMissingRemoteMetadata struct {
|
||||||
Name string
|
Name string
|
||||||
}
|
}
|
||||||
|
|
|
@ -99,10 +99,6 @@ func (s HTTPStore) GetMeta(name string, size int64) ([]byte, error) {
|
||||||
logrus.Debugf("%d when retrieving metadata for %s", resp.StatusCode, name)
|
logrus.Debugf("%d when retrieving metadata for %s", resp.StatusCode, name)
|
||||||
b := io.LimitReader(resp.Body, size)
|
b := io.LimitReader(resp.Body, size)
|
||||||
body, err := ioutil.ReadAll(b)
|
body, err := ioutil.ReadAll(b)
|
||||||
if resp.ContentLength > 0 && int64(len(body)) < resp.ContentLength {
|
|
||||||
return nil, ErrShortRead{}
|
|
||||||
}
|
|
||||||
|
|
||||||
if err != nil {
|
if err != nil {
|
||||||
return nil, err
|
return nil, err
|
||||||
}
|
}
|
||||||
|
|
|
@ -31,7 +31,15 @@ type memoryStore struct {
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *memoryStore) GetMeta(name string, size int64) ([]byte, error) {
|
func (m *memoryStore) GetMeta(name string, size int64) ([]byte, error) {
|
||||||
return m.meta[name], nil
|
d, ok := m.meta[name]
|
||||||
|
if ok {
|
||||||
|
if int64(len(d)) < size {
|
||||||
|
return d, nil
|
||||||
|
}
|
||||||
|
return d[:size], nil
|
||||||
|
} else {
|
||||||
|
return nil, ErrMetaNotFound{}
|
||||||
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
func (m *memoryStore) SetMeta(name string, meta []byte) error {
|
func (m *memoryStore) SetMeta(name string, meta []byte) error {
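Review bot: The new `return d[:size], nil` in `memoryStore.GetMeta` panics with a slice-bounds error if `size` is negative, because the only guard before it is `int64(len(d)) < size`. Whether a negative size can reach this store is not visible here, but the HTTP store hands the same argument to `io.LimitReader`, which yields no data for a non-positive limit rather than panicking. Adding `if size < 0 { size = 0 }` before the length comparison would keep the two stores consistent. The trailing `else` after the `return` can also be dropped so the not-found case reads as an early return.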
|
||||||
|
|