make -1 read up to 100MB of data, use for non-timestamps. Reduce

timestamp to 1MB max Signed-off-by: Riyaz Faizullabhoy <riyaz.faizullabhoy@docker.com>
2016-01-25 14:40:01 -08:00 · 2016-01-25 14:40:01 -08:00 · 41643d4a9c
parent 660c4a5f23
commit 41643d4a9c
12 changed files with 122 additions and 46 deletions
--- a/client/client.go
+++ b/client/client.go
@ -743,7 +743,7 @@ func (r *NotaryRepository) bootstrapRepo() error {
 	tufRepo := tuf.NewRepo(kdb, r.CryptoService)

 	logrus.Debugf("Loading trusted collection.")
-	rootJSON, err := r.fileStore.GetMeta("root", notary.MaxMetaSize)
+	rootJSON, err := r.fileStore.GetMeta("root", -1)
 	if err != nil {
 		return err
 	}
@ -756,7 +756,7 @@ func (r *NotaryRepository) bootstrapRepo() error {
 	if err != nil {
 		return err
 	}
-	targetsJSON, err := r.fileStore.GetMeta("targets", notary.MaxMetaSize)
+	targetsJSON, err := r.fileStore.GetMeta("targets", -1)
 	if err != nil {
 		return err
 	}
@ -767,7 +767,7 @@ func (r *NotaryRepository) bootstrapRepo() error {
 	}
 	tufRepo.SetTargets("targets", targets)

-	snapshotJSON, err := r.fileStore.GetMeta("snapshot", notary.MaxMetaSize)
+	snapshotJSON, err := r.fileStore.GetMeta("snapshot", -1)
 	if err == nil {
 		snapshot := &data.SignedSnapshot{}
 		err = json.Unmarshal(snapshotJSON, snapshot)
@ -872,7 +872,7 @@ func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufclient.Cl
 	// try to read root from cache first. We will trust this root
 	// until we detect a problem during update which will cause
 	// us to download a new root and perform a rotation.
-	rootJSON, cachedRootErr := r.fileStore.GetMeta("root", notary.MaxMetaSize)
+	rootJSON, cachedRootErr := r.fileStore.GetMeta("root", -1)

 	if cachedRootErr == nil {
 		signedRoot, cachedRootErr = r.validateRoot(rootJSON)
@ -886,7 +886,8 @@ func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufclient.Cl
 		// checking for initialization of the repo).

 		// if remote store successfully set up, try and get root from remote
-		tmpJSON, err := remote.GetMeta("root", notary.MaxMetaSize)
+		// We don't have any local data to determine the size of root, so try the maximum (though it is restricted at 100MB)
+		tmpJSON, err := remote.GetMeta("root", -1)
 		if err != nil {
 			// we didn't have a root in cache and were unable to load one from
 			// the server. Nothing we can do but error.
--- a/client/client_update_test.go
+++ b/client/client_update_test.go
@ -9,7 +9,6 @@ import (
 	"os"
 	"testing"

-	"github.com/docker/notary"
 	"github.com/docker/notary/passphrase"
 	"github.com/docker/notary/tuf/data"
 	"github.com/docker/notary/tuf/store"
@ -59,7 +58,7 @@ func readOnlyServer(t *testing.T, cache store.MetadataStore, notFoundStatus int)
 	m.HandleFunc("/v2/docker.com/notary/_trust/tuf/{role:.*}.json",
 		func(w http.ResponseWriter, r *http.Request) {
 			vars := mux.Vars(r)
-			metaBytes, err := cache.GetMeta(vars["role"], notary.MaxMetaSize)
+			metaBytes, err := cache.GetMeta(vars["role"], -1)
 			if _, ok := err.(store.ErrMetaNotFound); ok {
 				w.WriteHeader(notFoundStatus)
 			} else {
@ -108,7 +107,7 @@ func TestUpdateSucceedsEvenIfCannotWriteNewRepo(t *testing.T) {
 		}

 		for r, expected := range serverMeta {
-			actual, err := repo.fileStore.GetMeta(r, notary.MaxMetaSize)
+			actual, err := repo.fileStore.GetMeta(r, -1)
 			if r == role {
 				require.Error(t, err)
 				require.IsType(t, store.ErrMetaNotFound{}, err,
@ -159,7 +158,7 @@ func TestUpdateSucceedsEvenIfCannotWriteExistingRepo(t *testing.T) {
 			require.NoError(t, err)

 			for r, expected := range serverMeta {
-				actual, err := repo.fileStore.GetMeta(r, notary.MaxMetaSize)
+				actual, err := repo.fileStore.GetMeta(r, -1)
 				require.NoError(t, err, "problem getting repo metadata for %s", r)
 				if role == r {
 					require.False(t, bytes.Equal(expected, actual),
@ -224,7 +223,7 @@ func TestUpdateReplacesCorruptOrMissingMetadata(t *testing.T) {
 				_, err := repo.Update(forWrite)
 				require.NoError(t, err)
 				for r, expected := range serverMeta {
-					actual, err := repo.fileStore.GetMeta(r, notary.MaxMetaSize)
+					actual, err := repo.fileStore.GetMeta(r, -1)
 					require.NoError(t, err, "problem getting repo metadata for %s", role)
 					require.True(t, bytes.Equal(expected, actual),
 						"%s for %s: expected to recover after update", text, role)
@ -271,7 +270,7 @@ func TestUpdateFailsIfServerRootKeyChangedWithoutMultiSign(t *testing.T) {
 	for text, messItUp := range waysToMessUpLocalMetadata(repoSwizzler) {
 		for _, forWrite := range []bool{true, false} {
 			require.NoError(t, messItUp(data.CanonicalRootRole), "could not fuzz root (%s)", text)
-			messedUpMeta, err := repo.fileStore.GetMeta(data.CanonicalRootRole, notary.MaxMetaSize)
+			messedUpMeta, err := repo.fileStore.GetMeta(data.CanonicalRootRole, -1)

 			if _, ok := err.(store.ErrMetaNotFound); ok { // one of the ways to mess up is to delete metadata

@ -290,7 +289,7 @@ func TestUpdateFailsIfServerRootKeyChangedWithoutMultiSign(t *testing.T) {
 				// same because it has failed to update.
 				for role, expected := range origMeta {
 					if role != data.CanonicalTimestampRole && role != data.CanonicalSnapshotRole {
-						actual, err := repo.fileStore.GetMeta(role, notary.MaxMetaSize)
+						actual, err := repo.fileStore.GetMeta(role, -1)
 						require.NoError(t, err, "problem getting repo metadata for %s", role)

 						if role == data.CanonicalRootRole {
--- a/const.go
+++ b/const.go
@ -2,9 +2,10 @@ package notary

 // application wide constants
 const (
-	// MaxMetaSize is the maximum size of metadata - 5MiB.
-	// Should be used only for testing, downloading new timestamps, or downloading roles when we have no local metadata
-	MaxMetaSize int64 = 5 << 20
+	// MaxDownloadSize is the maximum size we'll download for metadata if no limit is given
+	MaxDownloadSize int64 = 100 << 20
+	// MaxTimestampSize is the maximum size of timestamp metadata - 1MiB.
+	MaxTimestampSize int64 = 1 << 20
 	// MinRSABitSize is the minimum bit size for RSA keys allowed in notary
 	MinRSABitSize = 2048
 	// MinThreshold requires a minimum of one threshold for roles; currently we do not support a higher threshold
--- a/tuf/client/client.go
+++ b/tuf/client/client.go
@ -130,7 +130,9 @@ func (c Client) checkRoot() error {
 func (c *Client) downloadRoot() error {
 	logrus.Debug("Downloading Root...")
 	role := data.CanonicalRootRole
-	size := notary.MaxMetaSize
+	// We can't read an exact size for the root metadata without risking getting stuck in the TUF update cycle
+	// since it's possible that downloading timestamp/snapshot metadata may fail due to a signature mismatch
+	var size int64 = -1
 	var expectedSha256 []byte
 	if c.local.Snapshot != nil {
 		size = c.local.Snapshot.Signed.Meta[role].Length
@ -251,7 +253,7 @@ func (c *Client) downloadTimestamp() error {
 		old         *data.Signed
 		version     = 0
 	)
-	cachedTS, err := c.cache.GetMeta(role, notary.MaxMetaSize)
+	cachedTS, err := c.cache.GetMeta(role, notary.MaxTimestampSize)
 	if err == nil {
 		cached := &data.Signed{}
 		err := json.Unmarshal(cachedTS, cached)
@ -265,7 +267,7 @@ func (c *Client) downloadTimestamp() error {
 	}
 	// unlike root, targets and snapshot, always try and download timestamps
 	// from remote, only using the cache one if we couldn't reach remote.
-	raw, s, err := c.downloadSigned(role, notary.MaxMetaSize, nil)
+	raw, s, err := c.downloadSigned(role, notary.MaxTimestampSize, nil)
 	if err != nil || len(raw) == 0 {
 		if old == nil {
 			if err == nil {
--- a/tuf/store/filestore.go
+++ b/tuf/store/filestore.go
@ -2,6 +2,7 @@ package store

 import (
 	"fmt"
+	"github.com/docker/notary"
 	"io/ioutil"
 	"os"
 	"path"
@ -45,6 +46,7 @@ func (f *FilesystemStore) getPath(name string) string {
 }

 // GetMeta returns the meta for the given name (a role) up to size bytes
+// If size is -1, this corresponds to "infinite," but we cut off at 100MB
 func (f *FilesystemStore) GetMeta(name string, size int64) ([]byte, error) {
 	meta, err := ioutil.ReadFile(f.getPath(name))
 	if err != nil {
@ -53,6 +55,9 @@ func (f *FilesystemStore) GetMeta(name string, size int64) ([]byte, error) {
 		}
 		return nil, err
 	}
+	if size == -1 {
+		size = notary.MaxDownloadSize
+	}
 	// Only return up to size bytes
 	if int64(len(meta)) < size {
 		return meta, nil
--- a/tuf/store/filestore_test.go
+++ b/tuf/store/filestore_test.go
@ -90,6 +90,12 @@ func TestGetMeta(t *testing.T) {

 	assert.Equal(t, testContent, content, "Content read from file was corrupted.")

+	// Check that -1 size reads everything
+	content, err = s.GetMeta("testMeta", int64(-1))
+	assert.Nil(t, err, "GetMeta returned unexpected error: %v", err)
+
+	assert.Equal(t, testContent, content, "Content read from file was corrupted.")
+
 	// Check that we return only up to size bytes
 	content, err = s.GetMeta("testMeta", 4)
 	assert.Nil(t, err, "GetMeta returned unexpected error: %v", err)
--- a/tuf/store/httpstore.go
+++ b/tuf/store/httpstore.go
@ -23,6 +23,7 @@ import (
 	"path"

 	"github.com/Sirupsen/logrus"
+	"github.com/docker/notary"
 	"github.com/docker/notary/tuf/validation"
 )

@ -140,6 +141,7 @@ func translateStatusToError(resp *http.Response, resource string) error {
 // GetMeta downloads the named meta file with the given size. A short body
 // is acceptable because in the case of timestamp.json, the size is a cap,
 // not an exact length.
+// If size is -1, this corresponds to "infinite," but we cut off at 100MB
 func (s HTTPStore) GetMeta(name string, size int64) ([]byte, error) {
 	url, err := s.buildMetaURL(name)
 	if err != nil {
@ -158,6 +160,9 @@ func (s HTTPStore) GetMeta(name string, size int64) ([]byte, error) {
 		logrus.Debugf("received HTTP status %d when requesting %s.", resp.StatusCode, name)
 		return nil, err
 	}
+	if size == -1 {
+		size = notary.MaxDownloadSize
+	}
 	if resp.ContentLength > size {
 		return nil, ErrMaliciousServer{}
 	}
--- a/tuf/store/httpstore_test.go
+++ b/tuf/store/httpstore_test.go
@ -80,6 +80,56 @@ func TestHTTPStoreGetMeta(t *testing.T) {

 }

+// Test that passing -1 to httpstore's GetMeta will return all content
+func TestHTTPStoreGetAllMeta(t *testing.T) {
+	handler := func(w http.ResponseWriter, r *http.Request) {
+		w.Write([]byte(testRoot))
+	}
+	server := httptest.NewServer(http.HandlerFunc(handler))
+	defer server.Close()
+	store, err := NewHTTPStore(
+		server.URL,
+		"metadata",
+		"txt",
+		"targets",
+		"key",
+		&http.Transport{},
+	)
+	if err != nil {
+		t.Fatal(err)
+	}
+	j, err := store.GetMeta("root", -1)
+	if err != nil {
+		t.Fatal(err)
+	}
+	p := &data.Signed{}
+	err = json.Unmarshal(j, p)
+	if err != nil {
+		t.Fatal(err)
+	}
+	rootKey, err := base64.StdEncoding.DecodeString(testRootKey)
+	assert.NoError(t, err)
+	k := data.NewPublicKey("ecdsa-x509", rootKey)
+
+	sigBytes := p.Signatures[0].Signature
+	if err != nil {
+		t.Fatal(err)
+	}
+	var decoded map[string]interface{}
+	if err := json.Unmarshal(p.Signed, &decoded); err != nil {
+		t.Fatal(err)
+	}
+	msg, err := json.MarshalCanonical(decoded)
+	if err != nil {
+		t.Fatal(err)
+	}
+	method := p.Signatures[0].Method
+	err = signed.Verifiers[method].Verify(k, sigBytes, msg)
+	if err != nil {
+		t.Fatal(err)
+	}
+}
+
 func TestSetMultiMeta(t *testing.T) {
 	metas := map[string][]byte{
 		"root":    []byte("root data"),
--- a/tuf/store/memorystore.go
+++ b/tuf/store/memorystore.go
@ -5,6 +5,7 @@ import (
 	"fmt"
 	"io"

+	"github.com/docker/notary"
 	"github.com/docker/notary/tuf/data"
 	"github.com/docker/notary/tuf/utils"
 )
@ -31,9 +32,13 @@ type memoryStore struct {
 	keys  map[string][]data.PrivateKey
 }

+// If size is -1, this corresponds to "infinite," but we cut off at 100MB
 func (m *memoryStore) GetMeta(name string, size int64) ([]byte, error) {
 	d, ok := m.meta[name]
 	if ok {
+		if size == -1 {
+			size = notary.MaxDownloadSize
+		}
 		if int64(len(d)) < size {
 			return d, nil
 		}
--- a/tuf/store/memorystore_test.go
+++ b/tuf/store/memorystore_test.go
@ -21,6 +21,10 @@ func TestMemoryStore(t *testing.T) {
 	require.NoError(t, err)
 	require.Equal(t, metaContent, meta)

+	meta, err = s.GetMeta("exists", -1)
+	require.NoError(t, err)
+	require.Equal(t, metaContent, meta)
+
 	err = s.RemoveAll()
 	require.NoError(t, err)

--- a/tuf/testutils/swizzler.go
+++ b/tuf/testutils/swizzler.go
@ -6,7 +6,6 @@ import (
 	"time"

 	"github.com/docker/go/canonical/json"
-	"github.com/docker/notary"
 	"github.com/docker/notary/cryptoservice"
 	"github.com/docker/notary/passphrase"
 	"github.com/docker/notary/trustmanager"
@ -84,7 +83,7 @@ func serializeMetadata(cs signed.CryptoService, s *data.Signed, role string,

 // gets a Signed from the metadata store
 func signedFromStore(cache store.MetadataStore, role string) (*data.Signed, error) {
-	b, err := cache.GetMeta(role, notary.MaxMetaSize)
+	b, err := cache.GetMeta(role, -1)
 	if err != nil {
 		return nil, err
 	}
@ -117,7 +116,7 @@ func NewMetadataSwizzler(gun string, initialMetadata map[string][]byte,

 // SetInvalidJSON corrupts metadata into something that is no longer valid JSON
 func (m *MetadataSwizzler) SetInvalidJSON(role string) error {
-	metaBytes, err := m.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+	metaBytes, err := m.MetadataCache.GetMeta(role, -1)
 	if err != nil {
 		return err
 	}
@ -324,7 +323,7 @@ func (m *MetadataSwizzler) SetThreshold(role string, newThreshold int) error {
 		roleSpecifier = path.Dir(role)
 	}

-	b, err := m.MetadataCache.GetMeta(roleSpecifier, notary.MaxMetaSize)
+	b, err := m.MetadataCache.GetMeta(roleSpecifier, -1)
 	if err != nil {
 		return err
 	}
@ -374,7 +373,7 @@ func (m *MetadataSwizzler) ChangeRootKey() error {
 		return err
 	}

-	b, err := m.MetadataCache.GetMeta(data.CanonicalRootRole, notary.MaxMetaSize)
+	b, err := m.MetadataCache.GetMeta(data.CanonicalRootRole, -1)
 	if err != nil {
 		return err
 	}
@ -407,7 +406,7 @@ func (m *MetadataSwizzler) UpdateSnapshotHashes(roles ...string) error {
 		snapshotSigned *data.Signed
 		err            error
 	)
-	if metaBytes, err = m.MetadataCache.GetMeta(data.CanonicalSnapshotRole, notary.MaxMetaSize); err != nil {
+	if metaBytes, err = m.MetadataCache.GetMeta(data.CanonicalSnapshotRole, -1); err != nil {
 		return err
 	}

@ -423,7 +422,7 @@ func (m *MetadataSwizzler) UpdateSnapshotHashes(roles ...string) error {

 	for _, role := range roles {
 		if role != data.CanonicalSnapshotRole && role != data.CanonicalTimestampRole {
-			if metaBytes, err = m.MetadataCache.GetMeta(role, notary.MaxMetaSize); err != nil {
+			if metaBytes, err = m.MetadataCache.GetMeta(role, -1); err != nil {
 				return err
 			}

@ -455,7 +454,7 @@ func (m *MetadataSwizzler) UpdateTimestampHash() error {
 		timestampSigned *data.Signed
 		err             error
 	)
-	if metaBytes, err = m.MetadataCache.GetMeta(data.CanonicalTimestampRole, notary.MaxMetaSize); err != nil {
+	if metaBytes, err = m.MetadataCache.GetMeta(data.CanonicalTimestampRole, -1); err != nil {
 		return err
 	}
 	// we can't just create a new timestamp, because then the expiry would be
@ -464,7 +463,7 @@ func (m *MetadataSwizzler) UpdateTimestampHash() error {
 		return err
 	}

-	if metaBytes, err = m.MetadataCache.GetMeta(data.CanonicalSnapshotRole, notary.MaxMetaSize); err != nil {
+	if metaBytes, err = m.MetadataCache.GetMeta(data.CanonicalSnapshotRole, -1); err != nil {
 		return err
 	}

--- a/tuf/testutils/swizzler_test.go
+++ b/tuf/testutils/swizzler_test.go
@ -10,7 +10,6 @@ import (
 	"testing"
 	"time"

-	"github.com/docker/notary"
 	"github.com/docker/notary/tuf"
 	"github.com/docker/notary/tuf/data"
 	"github.com/docker/notary/tuf/keys"
@ -82,7 +81,7 @@ func TestSwizzlerSetInvalidJSON(t *testing.T) {
 	f.SetInvalidJSON(data.CanonicalSnapshotRole)

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		if role != data.CanonicalSnapshotRole {
@ -104,7 +103,7 @@ func TestSwizzlerSetInvalidSigned(t *testing.T) {
 	f.SetInvalidSigned(data.CanonicalTargetsRole)

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		if role != data.CanonicalTargetsRole {
@ -128,7 +127,7 @@ func TestSwizzlerSetInvalidSignedMeta(t *testing.T) {
 	f.SetInvalidSignedMeta(data.CanonicalTargetsRole)

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		if role != data.CanonicalTargetsRole {
@ -152,7 +151,7 @@ func TestSwizzlerSetInvalidMetadataType(t *testing.T) {
 	f.SetInvalidMetadataType(data.CanonicalTargetsRole)

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		if role != data.CanonicalTargetsRole {
@ -175,7 +174,7 @@ func TestSwizzlerInvalidateMetadataSignatures(t *testing.T) {
 	f.InvalidateMetadataSignatures(data.CanonicalRootRole)

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		if role != data.CanonicalRootRole {
@ -206,7 +205,7 @@ func TestSwizzlerRemoveMetadata(t *testing.T) {
 	f.RemoveMetadata("targets/a")

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		if role != "targets/a" {
 			require.NoError(t, err)
 			require.True(t, bytes.Equal(metaBytes, newMeta), "bytes have changed for role %s", role)
@ -224,7 +223,7 @@ func TestSwizzlerSignMetadataWithInvalidKey(t *testing.T) {
 	f.SignMetadataWithInvalidKey(data.CanonicalTimestampRole)

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		if role != data.CanonicalTimestampRole {
@ -251,7 +250,7 @@ func TestSwizzlerOffsetMetadataVersion(t *testing.T) {
 	f.OffsetMetadataVersion("targets/a", -2)

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		if role != "targets/a" {
@ -274,7 +273,7 @@ func TestSwizzlerExpireMetadata(t *testing.T) {
 	f.ExpireMetadata(data.CanonicalRootRole)

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		if role != data.CanonicalRootRole {
@ -298,7 +297,7 @@ func TestSwizzlerSetThresholdBaseRole(t *testing.T) {
 	f.SetThreshold(data.CanonicalTargetsRole, 3)

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		// the threshold for base roles is set in root
@ -326,7 +325,7 @@ func TestSwizzlerSetThresholdDelegatedRole(t *testing.T) {
 	f.SetThreshold("targets/a/b", 3)

 	for role, metaBytes := range origMeta {
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		// the threshold for "targets/a/b" is in "targets/a"
@ -358,7 +357,7 @@ func TestSwizzlerChangeRootKey(t *testing.T) {

 	for _, role := range roles {
 		origMeta := origMeta[role]
-		newMeta, err := f.MetadataCache.GetMeta(role, notary.MaxMetaSize)
+		newMeta, err := f.MetadataCache.GetMeta(role, -1)
 		require.NoError(t, err)

 		// the threshold for base roles is set in root
@ -401,7 +400,7 @@ func TestSwizzlerUpdateSnapshotHashesSpecifiedRoles(t *testing.T) {
 	// nothing has changed, signed data should be the same (signatures might
 	// change because signatures may have random elements
 	f.UpdateSnapshotHashes(data.CanonicalTargetsRole)
-	newMeta, err := f.MetadataCache.GetMeta(data.CanonicalSnapshotRole, notary.MaxMetaSize)
+	newMeta, err := f.MetadataCache.GetMeta(data.CanonicalSnapshotRole, -1)

 	origSigned, newSigned := &data.Signed{}, &data.Signed{}
 	require.NoError(t, json.Unmarshal(origMeta[data.CanonicalSnapshotRole], origSigned))
@ -415,7 +414,7 @@ func TestSwizzlerUpdateSnapshotHashesSpecifiedRoles(t *testing.T) {
 	// update the snapshot with just 1 role
 	f.UpdateSnapshotHashes(data.CanonicalTargetsRole)

-	newMeta, err = f.MetadataCache.GetMeta(data.CanonicalSnapshotRole, notary.MaxMetaSize)
+	newMeta, err = f.MetadataCache.GetMeta(data.CanonicalSnapshotRole, -1)
 	require.NoError(t, err)
 	require.False(t, bytes.Equal(origMeta[data.CanonicalSnapshotRole], newMeta))

@ -445,7 +444,7 @@ func TestSwizzlerUpdateSnapshotHashesNoSpecifiedRoles(t *testing.T) {
 	// nothing has changed, signed data should be the same (signatures might
 	// change because signatures may have random elements
 	f.UpdateSnapshotHashes()
-	newMeta, err := f.MetadataCache.GetMeta(data.CanonicalSnapshotRole, notary.MaxMetaSize)
+	newMeta, err := f.MetadataCache.GetMeta(data.CanonicalSnapshotRole, -1)
 	require.NoError(t, err)

 	origSigned, newSigned := &data.Signed{}, &data.Signed{}
@ -460,7 +459,7 @@ func TestSwizzlerUpdateSnapshotHashesNoSpecifiedRoles(t *testing.T) {
 	// update the snapshot with just no specified roles
 	f.UpdateSnapshotHashes()

-	newMeta, err = f.MetadataCache.GetMeta(data.CanonicalSnapshotRole, notary.MaxMetaSize)
+	newMeta, err = f.MetadataCache.GetMeta(data.CanonicalSnapshotRole, -1)
 	require.NoError(t, err)
 	require.False(t, bytes.Equal(origMeta[data.CanonicalSnapshotRole], newMeta))

@ -491,7 +490,7 @@ func TestSwizzlerUpdateTimestamp(t *testing.T) {
 	// nothing has changed, signed data should be the same (signatures might
 	// change because signatures may have random elements
 	f.UpdateTimestampHash()
-	newMeta, err := f.MetadataCache.GetMeta(data.CanonicalTimestampRole, notary.MaxMetaSize)
+	newMeta, err := f.MetadataCache.GetMeta(data.CanonicalTimestampRole, -1)
 	require.NoError(t, err)

 	origSigned, newSigned := &data.Signed{}, &data.Signed{}
@ -504,7 +503,7 @@ func TestSwizzlerUpdateTimestamp(t *testing.T) {
 	// update the timestamp
 	f.UpdateTimestampHash()

-	newMeta, err = f.MetadataCache.GetMeta(data.CanonicalTimestampRole, notary.MaxMetaSize)
+	newMeta, err = f.MetadataCache.GetMeta(data.CanonicalTimestampRole, -1)
 	require.NoError(t, err)
 	require.False(t, bytes.Equal(origMeta[data.CanonicalTimestampRole], newMeta))