When publishing, also publish all the dirty targets roles.

This is in addition to the canonical targets role, which always gets re-signed and publish (we may want to revisit this later). This makes some tests pass - still need to do fallback of roles and publishing a created delegation role without necessarily having the signing key for that role. Signed-off-by: Ying Li <ying.li@docker.com>
2015-12-17 18:49:25 -08:00 · 2015-12-17 18:49:25 -08:00 · 3ecba24410
parent 9f04ca66f7
commit 3ecba24410
3 changed files with 17 additions and 12 deletions
--- a/client/client.go
+++ b/client/client.go
@ -584,12 +584,17 @@ func (r *NotaryRepository) Publish() error {
 		updatedFiles[data.CanonicalRootRole] = rootJSON
 	}

-	// we will always re-sign targets
-	targetsJSON, err := serializeCanonicalRole(r.tufRepo, data.CanonicalTargetsRole)
-	if err != nil {
-		return err
+	// iterate through all the targets files - if they are dirty, or if they
+	// are the canonical target role, then sign and update
+	for roleName, roleObj := range r.tufRepo.Targets {
+		if roleName == data.CanonicalTargetsRole || roleObj.Dirty {
+			targetsJSON, err := serializeCanonicalRole(r.tufRepo, roleName)
+			if err != nil {
+				return err
+			}
+			updatedFiles[roleName] = targetsJSON
+		}
 	}
-	updatedFiles[data.CanonicalTargetsRole] = targetsJSON

 	// if we initialized the repo while designating the server as the snapshot
 	// signer, then there won't be a snapshots file.  However, we might now
--- a/client/helpers.go
+++ b/client/helpers.go
@ -216,14 +216,14 @@ func addKeyForRole(kdb *keys.KeyDB, role string, key data.PublicKey) error {
 // signs and serializes the metadata for a canonical role in a tuf repo to JSON
 func serializeCanonicalRole(tufRepo *tuf.Repo, role string) (out []byte, err error) {
 	var s *data.Signed
-	switch role {
-	case data.CanonicalRootRole:
+	if role == data.CanonicalRootRole {
 		s, err = tufRepo.SignRoot(data.DefaultExpires(role))
-	case data.CanonicalSnapshotRole:
+	} else if role == data.CanonicalSnapshotRole {
 		s, err = tufRepo.SignSnapshot(data.DefaultExpires(role))
-	case data.CanonicalTargetsRole:
-		s, err = tufRepo.SignTargets(role, data.DefaultExpires(role))
-	default:
+	} else if _, ok := tufRepo.Targets[role]; ok {
+		s, err = tufRepo.SignTargets(
+			role, data.DefaultExpires(data.CanonicalTargetsRole))
+	} else {
 		err = fmt.Errorf("%s not supported role to sign on the client", role)
 	}

--- a/tuf/client/client.go
+++ b/tuf/client/client.go
@ -500,7 +500,7 @@ func (c Client) getTargetsFile(role string, keyIDs []string, snapshotMeta data.F
 		// if we error when setting meta, we should continue.
 		err = c.cache.SetMeta(role, raw)
 		if err != nil {
-			logrus.Errorf("Failed to write snapshot to local cache: %s", err.Error())
+			logrus.Errorf("Failed to write %s to local cache: %s", role, err.Error())
 		}
 	}
 	return s, nil