From 111b01d5e4366ce8df996814231fa3bca2960905 Mon Sep 17 00:00:00 2001
From: avaid96
Date: Tue, 14 Jun 2016 11:35:12 -0700
Subject: [PATCH] added nearexpiry functionality and removed an unused testutil function
Signed-off-by: avaid96
---
 client/client.go | 5 ++++-
 client/helpers.go | 25 ++++++++++++++++++++--
 client/helpers_test.go | 48 ++++++++++++++++++++++++++++++++++++++++--
 tuf/testutils/repo.go | 19 -----------------
 4 files changed, 73 insertions(+), 24 deletions(-)
diff --git a/client/client.go b/client/client.go
index 17c397be79..eababee600 100644
--- a/client/client.go
+++ b/client/client.go
@@ -612,7 +612,7 @@ func (r *NotaryRepository) publish(cl changelist.Changelist) error {
 // check if our root file is nearing expiry or dirty. Resign if it is. If
 // root is not dirty but we are publishing for the first time, then just
 // publish the existing root we have.
- if nearExpiry(r.tufRepo.Root) || r.tufRepo.Root.Dirty {
+ if nearExpiry(r.tufRepo.Root.Signed.SignedCommon) || r.tufRepo.Root.Dirty {
 rootJSON, err := serializeCanonicalRole(r.tufRepo, data.CanonicalRootRole)
 if err != nil {
 return err
@@ -781,7 +781,10 @@ func (r *NotaryRepository) Update(forWrite bool) error {
 }
 return err
 }
+ // we can be assured if we are at this stage that the repo we built is good
+ // no need to test the following function call for an error as it will always be fine should the repo be good- it is!
 r.tufRepo = repo
+ warnRolesNearExpiry(repo)
 return nil
 }
diff --git a/client/helpers.go b/client/helpers.go
index 495c8cab3f..e109eae8d6 100644
--- a/client/helpers.go
+++ b/client/helpers.go
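Review bot: The result of `warnRolesNearExpiry(repo)` in Update is silently dropped, and the two-line comment added above `r.tufRepo = repo` exists only to excuse that; since the function as added in client/helpers.go has no path that returns anything but nil, the cleaner fix is to declare it `func warnRolesNearExpiry(r *tuf.Repo)` with no error result, which removes both the discarded value and the need for a justification. The comment could then shrink to `// Warn (without failing the update) about role metadata that is close to expiring.`. The same always-nil return is what the helpers.go hunk introduces, so one signature change covers both places. Update's body starts before this hunk.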
@@ -190,9 +190,30 @@ func applyRootRoleChange(repo *tuf.Repo, c changelist.Change) error {
 return nil
 }
-func nearExpiry(r *data.SignedRoot) bool {
+func nearExpiry(r data.SignedCommon) bool {
 plus6mo := time.Now().AddDate(0, 6, 0)
- return r.Signed.Expires.Before(plus6mo)
+ return r.Expires.Before(plus6mo)
+}
+
+func warnRolesNearExpiry(r *tuf.Repo) error {
+ //get every role and its respective signed common and call nearExpiry on it
+ //Root check
+ if nearExpiry(r.Root.Signed.SignedCommon) {
+ logrus.Warn("root is nearing expiry, you should re-sign the key")
+ }
+ //Targets and delegations check
+ for role, signedTOrD := range r.Targets {
+ //signedTOrD is of type *data.SignedTargets
+ if nearExpiry(signedTOrD.Signed.SignedCommon) {
+ logrus.Warn(role, " metadata is nearing expiry, you should re-sign the key")
+ }
+ }
+ //Snapshot check
+ if nearExpiry(r.Snapshot.Signed.SignedCommon) {
+ logrus.Warn("snapshot is nearing expiry, you should re-sign the key")
+ }
+ return nil
+ //Timestamp is not checked since the user doesn't need to worry about it, we deal with it
 }
 // Fetches a public key from a remote store, given a gun and role
diff --git a/client/helpers_test.go b/client/helpers_test.go
index 0efe5d4d38..3af3c50f8d 100644
--- a/client/helpers_test.go
+++ b/client/helpers_test.go
@@ -1,14 +1,16 @@
 package client
 import (
+ "bytes"
 "crypto/sha256"
 "encoding/json"
- "testing"
-
+ log "github.com/Sirupsen/logrus"
 "github.com/docker/notary/client/changelist"
 "github.com/docker/notary/tuf/data"
 "github.com/docker/notary/tuf/testutils"
 "github.com/stretchr/testify/require"
+ "testing"
+ "time"
 )
 func TestApplyTargetsChange(t *testing.T) {
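Review bot: `warnRolesNearExpiry` dereferences `r.Root` and `r.Snapshot` without checking them; if a `*tuf.Repo` can reach this function with either unset (this hunk does not show whether that is possible), the warning path would panic rather than warn, so a guard such as `if r.Snapshot != nil && nearExpiry(r.Snapshot.Signed.SignedCommon) {` is cheap insurance. The `//Timestamp is not checked ...` comment sits after `return nil`, where it reads like unreachable code; move it above the return or into a doc comment on the function, e.g. `// warnRolesNearExpiry logs a warning for root, every targets/delegation role and snapshot whose metadata expires within the nearExpiry window; timestamp is deliberately skipped because the client refreshes it itself.`. The message text "you should re-sign the key" is also slightly misleading: what is approaching is the role metadata's `Expires`, and the remedy is re-signing and publishing that metadata rather than rotating a key, so rewording (and updating the matching expectations in helpers_test.go) would point users at the right action. Finally, the six-month window in `nearExpiry` is a bare `AddDate(0, 6, 0)` literal shared by publish and Update; a named package-level constant would document the threshold once.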
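Review bot: The newly added `testing` and `time` imports are placed after the third-party group, so the standard library is now split across two groups (`bytes`, `crypto/sha256`, `encoding/json` at the top, `testing` and `time` at the bottom); goimports would keep all five together ahead of the `github.com/...` block. The `log` alias for logrus also differs from the unaliased `logrus` used in client/helpers.go within this same patch, and one spelling across the package is easier to grep.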
@@ -968,3 +970,45 @@ func TestChangeTargetMetaFailsIfPrefixError(t *testing.T) {
 require.Empty(t, repo.Targets[data.CanonicalTargetsRole].Signed.Targets)
 require.Empty(t, repo.Targets["targets/level1"].Signed.Targets)
 }
+
+func TestAllNearExpiry(t *testing.T) {
+ repo, _, err := testutils.EmptyRepo("docker.com/notary")
+ require.NoError(t, err)
+ nearexpdate := time.Now().AddDate(0, 1, 0)
+ repo.Root.Signed.SignedCommon.Expires = nearexpdate
+ repo.Snapshot.Signed.SignedCommon.Expires = nearexpdate
+ repo.Targets["targets"].Signed.Expires = nearexpdate
+ _, err1 := repo.InitTargets("targets/exp")
+ require.NoError(t, err1)
+ repo.Targets["targets/exp"].Signed.Expires = nearexpdate
+ //Reset levels to display warnings through logrus
+ log.SetLevel(log.WarnLevel)
+ b := bytes.NewBuffer(nil)
+ log.SetOutput(b)
+ warnRolesNearExpiry(repo)
+ require.Contains(t, b.String(), "targets metadata is nearing expiry, you should re-sign the key", "targets should show near expiry")
+ require.Contains(t, b.String(), "targets/exp metadata is nearing expiry, you should re-sign the key", b.String(), "targets/exp should show near expiry")
+ require.Contains(t, b.String(), "root is nearing expiry, you should re-sign the key", "Root should show near expiry")
+ require.Contains(t, b.String(), "snapshot is nearing expiry, you should re-sign the key", "Snapshot should show near expiry")
+}
+
+func TestAllNotNearExpiry(t *testing.T) {
+ repo, _, err := testutils.EmptyRepo("docker.com/notary")
+ require.NoError(t, err)
+ notnearexpdate := time.Now().AddDate(0, 10, 0)
+ repo.Root.Signed.SignedCommon.Expires = notnearexpdate
+ repo.Snapshot.Signed.SignedCommon.Expires = notnearexpdate
+ repo.Targets["targets"].Signed.Expires = notnearexpdate
+ _, err1 := repo.InitTargets("targets/noexp")
+ require.NoError(t, err1)
+ repo.Targets["targets/noexp"].Signed.Expires = notnearexpdate
+ //Reset levels to display warnings through logrus
+ log.SetLevel(log.WarnLevel)
+ a := bytes.NewBuffer(nil)
+ log.SetOutput(a)
+ warnRolesNearExpiry(repo)
+ require.NotContains(t, a.String(), "targets metadata is nearing expiry, you should re-sign the key", "targets should not show near expiry")
+ require.NotContains(t, a.String(), "targets/noexp metadata is nearing expiry, you should re-sign the key", "targets/noexp should not show near expiry")
+ require.NotContains(t, a.String(), "root is nearing expiry, you should re-sign the key", "Root should not show near expiry")
+ require.NotContains(t, a.String(), "snapshot is nearing expiry, you should re-sign the key", "Snapshot should not show near expiry")
+}
diff --git a/tuf/testutils/repo.go b/tuf/testutils/repo.go
index d9e4499270..96c8de8cc9 100644
--- a/tuf/testutils/repo.go
+++ b/tuf/testutils/repo.go
@@ -12,8 +12,6 @@ import (
 "github.com/docker/notary/passphrase"
 "github.com/docker/notary/trustmanager"
 "github.com/docker/notary/tuf/data"
- "github.com/docker/notary/tuf/utils"
- fuzz "github.com/google/gofuzz"
 "github.com/stretchr/testify/require"
 tuf "github.com/docker/notary/tuf"
@@ -142,23 +140,6 @@ func CopyRepoMetadata(from map[string][]byte) map[string][]byte {
 return copied
 }
-// AddTarget generates a fake target and adds it to a repo.
-func AddTarget(role string, r *tuf.Repo) (name string, meta data.FileMeta, content []byte, err error) {
- randness := fuzz.Continue{}
- content = RandomByteSlice(1024)
- name = randness.RandString()
- t := data.FileMeta{
- Length: int64(len(content)),
- Hashes: data.Hashes{
- "sha256": utils.DoHash("sha256", content),
- "sha512": utils.DoHash("sha512", content),
- },
- }
- files := data.Files{name: t}
- _, err = r.AddTargets(role, files)
- return
-}
-
 // RandomByteSlice generates some random data to be used for testing only
 func RandomByteSlice(maxSize int) []byte {
 r := rand.New(rand.NewSource(time.Now().UnixNano()))
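Review bot: Both new tests change process-wide logrus state with `log.SetLevel(log.WarnLevel)` and `log.SetOutput(...)` and never restore it, so every later test in the package logs into a discarded buffer at warn level; save and restore with `defer log.SetOutput(log.StandardLogger().Out)` and `defer log.SetLevel(log.GetLevel())` before reassigning. The second `require.Contains` in TestAllNearExpiry passes `b.String()` as an extra trailing argument, which testify treats as the failure-message format string, so the intended message is garbled on failure; drop it: `require.Contains(t, b.String(), "targets/exp metadata is nearing expiry, you should re-sign the key", "targets/exp should show near expiry")`. Neither test exercises the edge of the six-month window or an already-expired date, both of which `nearExpiry` reports as near expiry since it only checks `Expires.Before(plus6mo)`, so a case just inside and just outside the window would pin the threshold the warnings depend on.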