diff --git a/server/handlers/validation.go b/server/handlers/validation.go
index b8b1d2755f..2eb8dc63dd 100644
--- a/server/handlers/validation.go
+++ b/server/handlers/validation.go
@@ -194,7 +194,7 @@ func loadTargetsFromStore(gun, role string, repo *tuf.Repo, store storage.MetaSt
 }
 func generateSnapshot(gun string, repo *tuf.Repo, store storage.MetaStore) (*storage.MetaUpdate, error) {
- role, err := repo.GetRole(data.CanonicalSnapshotRole)
+ role, err := repo.GetRoleWithKeys(data.CanonicalSnapshotRole)
 if err != nil {
 return nil, validation.ErrBadRoot{Msg: "root did not include snapshot role"}
 }
@@ -265,7 +265,7 @@ func validateSnapshot(role string, oldSnap *data.SignedSnapshot, snapUpdate stor
 }
 // version specifically gets validated when writing to store to
 // better handle race conditions there.
- snapshotRole, err := repo.GetRole(role)
+ snapshotRole, err := repo.GetRoleWithKeys(role)
 if err != nil {
 return err
 }
@@ -329,7 +329,7 @@ func validateTargets(role string, roles map[string]storage.MetaUpdate, repo *tuf
 }
 // version specifically gets validated when writing to store to
 // better handle race conditions there.
- targetsRole, err := repo.GetRole(role)
+ targetsRole, err := repo.GetRoleWithKeys(role)
 if err != nil {
 return nil, err
 }
diff --git a/server/handlers/validation_test.go b/server/handlers/validation_test.go
index b73172ba47..99e64ce077 100644
--- a/server/handlers/validation_test.go
+++ b/server/handlers/validation_test.go
@@ -270,7 +270,7 @@ func TestValidateSnapshotGenerateWithPrev(t *testing.T) {
 kdb, repo, cs, err := testutils.EmptyRepo("docker.com/notary")
 assert.NoError(t, err)
 store := storage.NewMemStorage()
- snapRole, err := repo.GetRole(data.CanonicalSnapshotRole)
+ snapRole, err := repo.GetRoleWithKeys(data.CanonicalSnapshotRole)
 assert.NoError(t, err)
 for _, k := range snapRole.Keys {
@@ -310,7 +310,7 @@ func TestValidateSnapshotGeneratePrevCorrupt(t *testing.T) {
 kdb, repo, cs, err := testutils.EmptyRepo("docker.com/notary")
 assert.NoError(t, err)
 store := storage.NewMemStorage()
- snapRole, err := repo.GetRole(data.CanonicalSnapshotRole)
+ snapRole, err := repo.GetRoleWithKeys(data.CanonicalSnapshotRole)
 assert.NoError(t, err)
 for _, k := range snapRole.Keys {
@@ -340,7 +340,7 @@ func TestValidateSnapshotGenerateNoTargets(t *testing.T) {
 kdb, repo, cs, err := testutils.EmptyRepo("docker.com/notary")
 assert.NoError(t, err)
 store := storage.NewMemStorage()
- snapRole, err := repo.GetRole(data.CanonicalSnapshotRole)
+ snapRole, err := repo.GetRoleWithKeys(data.CanonicalSnapshotRole)
 assert.NoError(t, err)
 for _, k := range snapRole.Keys {
@@ -364,7 +364,7 @@ func TestValidateSnapshotGenerate(t *testing.T) {
 kdb, repo, cs, err := testutils.EmptyRepo("docker.com/notary")
 assert.NoError(t, err)
 store := storage.NewMemStorage()
- snapRole, err := repo.GetRole(data.CanonicalSnapshotRole)
+ snapRole, err := repo.GetRoleWithKeys(data.CanonicalSnapshotRole)
 assert.NoError(t, err)
 for _, k := range snapRole.Keys {
diff --git a/tuf/client/client.go b/tuf/client/client.go
index 60b846fe67..d89f8ed889 100644
--- a/tuf/client/client.go
+++ b/tuf/client/client.go
@@ -200,11 +200,11 @@ func (c *Client) downloadRoot() error {
 func (c Client) verifyRoot(role string, s *data.Signed, minVersion int) error {
 // this will confirm that the root has been signed by the old root role
- // as c.keysDB contains the root keys we bootstrapped with.
+ // with the root keys we bootstrapped with.
 // Still need to determine if there has been a root key update and
 // confirm signature with new root key
 logrus.Debug("verifying root with existing keys")
- rootRole, err := c.local.GetRole(role)
+ rootRole, err := c.local.GetRoleWithKeys(role)
 if err != nil {
 logrus.Debug("no previous root role loaded")
 return err
@@ -231,7 +231,7 @@ func (c Client) verifyRoot(role string, s *data.Signed, minVersion int) error {
 // TODO(endophage): be more intelligent and only re-verify if we detect
 // there has been a change in root keys
 logrus.Debug("verifying root with updated keys")
- rootRole, err = c.local.GetRole(role)
+ rootRole, err = c.local.GetRoleWithKeys(role)
 if err != nil {
 logrus.Debug("root role with new keys not loaded")
 return err
@@ -302,7 +302,7 @@ func (c *Client) downloadTimestamp() error {
 // verifies that a timestamp is valid, and returned the SignedTimestamp object to add to the tuf repo
 func (c *Client) verifyTimestamp(s *data.Signed, minVersion int) (*data.SignedTimestamp, error) {
- timestampRole, err := c.local.GetRole(data.CanonicalTimestampRole)
+ timestampRole, err := c.local.GetRoleWithKeys(data.CanonicalTimestampRole)
 if err != nil {
 logrus.Debug("no timestamp role loaded")
 return nil, err
@@ -365,7 +365,7 @@ func (c *Client) downloadSnapshot() error {
 s = old
 }
- snapshotRole, err := c.local.GetRole(role)
+ snapshotRole, err := c.local.GetRoleWithKeys(role)
 if err != nil {
 logrus.Debug("no snapshot role loaded")
 return err
@@ -508,7 +508,7 @@ func (c Client) getTargetsFile(role string, keyIDs []string, snapshotMeta data.F
 s = old
 }
- targetsRole, err := c.local.GetRole(role)
+ targetsRole, err := c.local.GetRoleWithKeys(role)
 if err != nil {
 logrus.Debugf("no %s role loaded", role)
 return nil, err
diff --git a/tuf/data/roles.go b/tuf/data/roles.go
index 0ca6739655..8446f9b4b7 100644
--- a/tuf/data/roles.go
+++ b/tuf/data/roles.go
@@ -249,5 +249,5 @@ func subtractStrSlices(orig, remove []string) []string {
 // RoleWithKeys is a role that has the signing keys for the role embedded
 type RoleWithKeys struct {
 Role
- Keys map[string]PublicKey
+ Keys Keys
 }
diff --git a/tuf/signed/verify_test.go b/tuf/signed/verify_test.go
index a5127f9f51..93f189ee28 100644
--- a/tuf/signed/verify_test.go
+++ b/tuf/signed/verify_test.go
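Review bot: The doc comment on `RoleWithKeys` still describes the embedded keys as "the signing keys for the role", but the field held `map[string]PublicKey` before this change and the literals in verify_test.go populate `data.Keys` with public keys by ID, so what is embedded are the verification keys, not the private signing keys. I would reword it to `// RoleWithKeys is a Role together with the public keys, indexed by key ID, that are trusted to sign for it.` This assumes `data.Keys` is a map keyed by key ID, which the struct literals suggest but whose definition is not in the diff.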
@@ -23,7 +23,7 @@ func TestRoleNoKeys(t *testing.T) {
 nil,
 )
 assert.NoError(t, err)
- roleWithKeys := &data.RoleWithKeys{Role: *r, Keys: map[string]data.PublicKey{k.ID(): k}}
+ roleWithKeys := &data.RoleWithKeys{Role: *r, Keys: data.Keys{k.ID(): k}}
 meta := &data.SignedCommon{Type: "Root", Version: 1, Expires: data.DefaultExpires("root")}
@@ -47,7 +47,7 @@ func TestNotEnoughSigs(t *testing.T) {
 nil,
 )
 assert.NoError(t, err)
- roleWithKeys := &data.RoleWithKeys{Role: *r, Keys: map[string]data.PublicKey{k.ID(): k}}
+ roleWithKeys := &data.RoleWithKeys{Role: *r, Keys: data.Keys{k.ID(): k}}
 meta := &data.SignedCommon{Type: "Root", Version: 1, Expires: data.DefaultExpires("root")}
@@ -73,7 +73,7 @@ func TestMoreThanEnoughSigs(t *testing.T) {
 nil,
 )
 assert.NoError(t, err)
- roleWithKeys := &data.RoleWithKeys{Role: *r, Keys: map[string]data.PublicKey{k1.ID(): k1, k2.ID(): k2}}
+ roleWithKeys := &data.RoleWithKeys{Role: *r, Keys: data.Keys{k1.ID(): k1, k2.ID(): k2}}
 meta := &data.SignedCommon{Type: "Root", Version: 1, Expires: data.DefaultExpires("root")}
@@ -98,7 +98,7 @@ func TestDuplicateSigs(t *testing.T) {
 nil,
 )
 assert.NoError(t, err)
- roleWithKeys := &data.RoleWithKeys{Role: *r, Keys: map[string]data.PublicKey{k.ID(): k}}
+ roleWithKeys := &data.RoleWithKeys{Role: *r, Keys: data.Keys{k.ID(): k}}
 meta := &data.SignedCommon{Type: "Root", Version: 1, Expires: data.DefaultExpires("root")}
@@ -125,7 +125,7 @@ func TestUnknownKeyBelowThreshold(t *testing.T) {
 nil,
 )
 assert.NoError(t, err)
- roleWithKeys := &data.RoleWithKeys{Role: *r, Keys: map[string]data.PublicKey{k.ID(): k, unknown.ID(): unknown}}
+ roleWithKeys := &data.RoleWithKeys{Role: *r, Keys: data.Keys{k.ID(): k, unknown.ID(): unknown}}
 meta := &data.SignedCommon{Type: "Root", Version: 1, Expires: data.DefaultExpires("root")}
@@ -209,7 +209,7 @@ func Test(t *testing.T) {
 nil,
 )
 assert.NoError(t, err)
- run.roleData = &data.RoleWithKeys{Role: *r, Keys: map[string]data.PublicKey{k.ID(): k}}
+ run.roleData = &data.RoleWithKeys{Role: *r, Keys: data.Keys{k.ID(): k}}
 meta := &data.SignedCommon{Type: run.typ, Version: run.ver, Expires: *run.exp}
 b, err := json.MarshalCanonical(meta)
diff --git a/tuf/tuf.go b/tuf/tuf.go
index 5a0e608254..644c68b4e5 100644
--- a/tuf/tuf.go
+++ b/tuf/tuf.go
@@ -772,13 +772,13 @@ func (tr Repo) sign(signedData *data.Signed, role data.Role) (*data.Signed, erro
 return signedData, nil
 }
-// GetRole returns a RoleWithKeys object, given a role name.
-func (tr Repo) GetRole(role string) (*data.RoleWithKeys, error) {
+// GetRoleWithKeys returns a RoleWithKeys object, given a role name.
+func (tr Repo) GetRoleWithKeys(role string) (*data.RoleWithKeys, error) {
 roleData := tr.keysDB.GetRole(role)
 if roleData == nil {
 return nil, ErrNotLoaded{role: role}
 }
- keysInRole := make(map[string]data.PublicKey)
+ keysInRole := make(data.Keys)
 for _, keyID := range roleData.KeyIDs {
 k := tr.keysDB.GetKey(keyID)
 if k != nil {
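Review bot: In the `GetRoleWithKeys` loop, a key ID that the role lists but `tr.keysDB.GetKey` does not hold is dropped without any trace, because the `if k != nil` guard simply skips it; callers such as the client verify* functions then check signatures against a smaller key set than the role declares, which presumably only makes the threshold harder to meet but hides inconsistent root metadata whose key IDs do not resolve. At minimum the renamed doc comment should state this contract, e.g. `// GetRoleWithKeys returns the named role together with the public keys it references that are present in the key database; referenced key IDs with no loaded key are silently omitted. It returns ErrNotLoaded if the role is unknown.` A debug log on the skipped branch would also help diagnose such a root, if this package already has a logger in scope. The function body continues past the end of the hunk.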