the server was not setting the longer snapshot expiry time. When generating a timestamp it was also retriving the snapshot directly from the database and only validating the checksum still matched what was in the timestamp. Due to the addition of consistent downloads, this mean a new snapshot never got generated. It is necessary for GetOrCreateTimestamp to call GetOrCreateSnapshot to ensure a new snapshot is generated as and when required

Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)

client/client.go

@@ -27,13 +27,7 @@ import (
 )
 
 func init() {
-	data.SetDefaultExpiryTimes(
-		map[string]int{
-			"root":     3650,
-			"targets":  1095,
-			"snapshot": 1095,
-		},
-	)
+	data.SetDefaultExpiryTimes(notary.NotaryDefaultExpiries)
 }
 
 // ErrRepoNotInitialized is returned when trying to publish an uninitialized

const.go

@@ -1,5 +1,9 @@
 package notary
 
+import (
+	"time"
+)
+
 // application wide constants
 const (
 	// MaxDownloadSize is the maximum size we'll download for metadata if no limit is given
@@ -24,4 +28,23 @@ const (
 	RootKeysSubdir = "root_keys"
 	// NonRootKeysSubdir is the subdirectory under PrivDir where non-root private keys are stored
 	NonRootKeysSubdir = "tuf_keys"
+
+	// Day is a duration of one day
+	Day  = 24 * time.Hour
+	Year = 365 * Day
+
+	// NotaryRootExpiry is the duration representing the expiry time of the Root role
+	NotaryRootExpiry      = 10 * Year
+	NotaryTargetsExpiry   = 3 * Year
+	NotarySnapshotExpiry  = 3 * Year
+	NotaryTimestampExpiry = 14 * Day
 )
+
+// NotaryDefaultExpiries is the construct used to configure the default expiry times of
+// the various role files.
+var NotaryDefaultExpiries = map[string]time.Duration{
+	"root":      NotaryRootExpiry,
+	"targets":   NotaryTargetsExpiry,
+	"snapshot":  NotarySnapshotExpiry,
+	"timestamp": NotaryTimestampExpiry,
+}

server/server.go

@@ -9,6 +9,7 @@ import (
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/distribution/health"
 	"github.com/docker/distribution/registry/auth"
+	"github.com/docker/notary"
 	"github.com/docker/notary/server/handlers"
 	"github.com/docker/notary/tuf/data"
 	"github.com/docker/notary/tuf/signed"
@@ -19,11 +20,7 @@ import (
 )
 
 func init() {
-	data.SetDefaultExpiryTimes(
-		map[string]int{
-			"timestamp": 14,
-		},
-	)
+	data.SetDefaultExpiryTimes(notary.NotaryDefaultExpiries)
 }
 
 func prometheusOpts(operation string) prometheus.SummaryOpts {

server/timestamp/timestamp.go

@@ -8,6 +8,7 @@ import (
 	"github.com/docker/notary/tuf/signed"
 
 	"github.com/Sirupsen/logrus"
+	"github.com/docker/notary/server/snapshot"
 	"github.com/docker/notary/server/storage"
 )
 
@@ -49,7 +50,7 @@ func GetOrCreateTimestampKey(gun string, store storage.MetaStore, crypto signed.
 // a new timestamp is generated either because none exists, or because the current
 // one has expired. Once generated, the timestamp is saved in the store.
 func GetOrCreateTimestamp(gun string, store storage.MetaStore, cryptoService signed.CryptoService) ([]byte, error) {
-	snapshot, err := store.GetCurrent(gun, "snapshot")
+	snapshot, err := snapshot.GetOrCreateSnapshot(gun, store, cryptoService)
 	if err != nil {
 		return nil, err
 	}

server/timestamp/timestamp_test.go

@@ -52,7 +52,11 @@ func TestGetTimestamp(t *testing.T) {
 	store := storage.NewMemStorage()
 	crypto := signed.NewEd25519()
 
-	snapshot := &data.SignedSnapshot{}
+	snapshot := &data.SignedSnapshot{
+		Signed: data.Snapshot{
+			Expires: data.DefaultExpires(data.CanonicalSnapshotRole),
+		},
+	}
 	snapJSON, _ := json.Marshal(snapshot)
 
 	store.UpdateCurrent("gun", storage.MetaUpdate{Role: "snapshot", Version: 0, Data: snapJSON})
@@ -68,7 +72,11 @@ func TestGetTimestampNewSnapshot(t *testing.T) {
 	store := storage.NewMemStorage()
 	crypto := signed.NewEd25519()
 
-	snapshot := data.SignedSnapshot{}
+	snapshot := &data.SignedSnapshot{
+		Signed: data.Snapshot{
+			Expires: data.DefaultExpires(data.CanonicalSnapshotRole),
+		},
+	}
 	snapshot.Signed.Version = 0
 	snapJSON, _ := json.Marshal(snapshot)
 
@@ -80,7 +88,11 @@ func TestGetTimestampNewSnapshot(t *testing.T) {
 	ts1, err := GetOrCreateTimestamp("gun", store, crypto)
 	assert.Nil(t, err, "GetTimestamp errored")
 
-	snapshot = data.SignedSnapshot{}
+	snapshot = &data.SignedSnapshot{
+		Signed: data.Snapshot{
+			Expires: data.DefaultExpires(data.CanonicalSnapshotRole),
+		},
+	}
 	snapshot.Signed.Version = 1
 	snapJSON, _ = json.Marshal(snapshot)
 

tuf/data/types.go

@@ -12,6 +12,7 @@ import (
 
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/go/canonical/json"
+	"github.com/docker/notary"
 )
 
 // SigAlgorithm for types of signatures
@@ -171,16 +172,16 @@ func NewDelegations() *Delegations {
 	}
 }
 
-// defines number of days in which something should expire
-var defaultExpiryTimes = map[string]int{
-	CanonicalRootRole:      365,
-	CanonicalTargetsRole:   90,
-	CanonicalSnapshotRole:  7,
-	CanonicalTimestampRole: 1,
+// These values are recommended TUF expiry times.
+var defaultExpiryTimes = map[string]time.Duration{
+	CanonicalRootRole:      notary.Year,
+	CanonicalTargetsRole:   90 * notary.Day,
+	CanonicalSnapshotRole:  7 * notary.Day,
+	CanonicalTimestampRole: notary.Day,
 }
 
 // SetDefaultExpiryTimes allows one to change the default expiries.
-func SetDefaultExpiryTimes(times map[string]int) {
+func SetDefaultExpiryTimes(times map[string]time.Duration) {
 	for key, value := range times {
 		if _, ok := defaultExpiryTimes[key]; !ok {
 			logrus.Errorf("Attempted to set default expiry for an unknown role: %s", key)
@@ -192,10 +193,10 @@ func SetDefaultExpiryTimes(times map[string]int) {
 
 // DefaultExpires gets the default expiry time for the given role
 func DefaultExpires(role string) time.Time {
-	var t time.Time
-	if t, ok := defaultExpiryTimes[role]; ok {
-		return time.Now().AddDate(0, 0, t)
+	if d, ok := defaultExpiryTimes[role]; ok {
+		return time.Now().Add(d)
 	}
+	var t time.Time
 	return t.UTC().Round(time.Second)
 }