Merge commit from fork
Signed-off-by: Radoslav Dimitrov <radoslav@stacklok.com>
rdimitrov authored Sep 30, 2024
1 parent f95222b commit f36420c
Showing 3 changed files with 21 additions and 13 deletions.
18 changes: 10 additions & 8 deletions metadata/metadata.go
Expand Up @@ -562,28 +562,30 @@ func isTargetInPathPattern(targetpath string, pathpattern string) bool {

// GetRolesForTarget return the names and terminating status of all
// delegated roles who are responsible for targetFilepath
func (role *Delegations) GetRolesForTarget(targetFilepath string) map[string]bool {
res := map[string]bool{}
// standard delegations
// Note the result should be an ordered list, ref. https://github.com/theupdateframework/go-tuf/security/advisories/GHSA-4f8r-qqr9-fq8j
func (role *Delegations) GetRolesForTarget(targetFilepath string) []RoleResult {
var res []RoleResult
// Standard delegations
if role.Roles != nil {
for _, r := range role.Roles {
ok, err := r.IsDelegatedPath(targetFilepath)
if err == nil && ok {
res[r.Name] = r.Terminating
res = append(res, RoleResult{Name: r.Name, Terminating: r.Terminating})
}
}
} else if role.SuccinctRoles != nil {
// SuccinctRoles delegations
res = role.SuccinctRoles.GetRolesForTarget(targetFilepath)
}
// We preserve the same order as the actual roles list
return res
}

// GetRolesForTarget calculate the name of the delegated role responsible for "targetFilepath".
// The target at path "targetFilepath" is assigned to a bin by casting
// the left-most "BitLength" of bits of the file path hash digest to
// int, using it as bin index between 0 and “2**BitLength - 1“.
func (role *SuccinctRoles) GetRolesForTarget(targetFilepath string) map[string]bool {
// int, using it as bin index between 0 and “2**BitLength-1”.
func (role *SuccinctRoles) GetRolesForTarget(targetFilepath string) []RoleResult {
// calculate the suffixLen value based on the total number of bins in
// hex. If bit_length = 10 then numberOfBins = 1024 or bin names will
// have a suffix between "000" and "3ff" in hex and suffixLen will be 3
Expand All @@ -604,8 +606,8 @@ func (role *SuccinctRoles) GetRolesForTarget(targetFilepath string) map[string]b
// add zero padding if necessary and cast to hex the suffix
suffix := fmt.Sprintf("%0*x", suffixLen, binNumber)
// we consider all succinct_roles as terminating.
// for more information read TAP 15.
return map[string]bool{fmt.Sprintf("%s-%s", role.NamePrefix, suffix): true}
// for more information, read TAP 15.
return []RoleResult{{Name: fmt.Sprintf("%s-%s", role.NamePrefix, suffix), Terminating: true}}
}

// GetRoles returns the names of all different delegated roles
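Review bot: The `if err == nil && ok` test in the `role.Roles` loop drops a role silently whenever `IsDelegatedPath` returns an error, and with this change the position in the returned slice is what carries delegation priority. A role that errors out therefore disappears from the ordered list, terminating or not, and the caller moves on to later roles without knowing one was skipped; which errors `IsDelegatedPath` can return is not visible on this page, so the impact is inferred. Since the return type is already changing here, consider surfacing the failure (for example returning `([]RoleResult, error)`) or, at minimum, stating the behaviour in the doc comment: `// Roles are returned in the order they appear in the delegation; a role whose path check fails is skipped.`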
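--- a/metadata/types.go
+++ b/metadata/types.go
@@ -171,3 +171,9 @@ type SuccinctRoles struct {
 NamePrefix string `json:"name_prefix"`
 UnrecognizedFields map[string]any `json:"-"`
 }
+
+// RoleResult represents the name and terminating status of a delegated role that is responsible for targetFilepath
+type RoleResult struct {
+Name string
+Terminating bool
+}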
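Review bot: The doc comment on `RoleResult` refers to `targetFilepath`, which is a parameter of `GetRolesForTarget` and has no meaning in this file, and it does not say that the order of the results matters. Something like `// RoleResult is one entry of the ordered list returned by GetRolesForTarget: a delegated role's name and whether its delegation is terminating.` would keep the type self-explanatory and record the ordering contract next to the type that carries it.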
10 changes: 5 additions & 5 deletions metadata/updater/updater.go
Expand Up @@ -550,14 +550,14 @@ func (update *Updater) preOrderDepthFirstWalk(targetFilePath string) (*metadata.
// after pre-order check, add current role to set of visited roles
visitedRoleNames[delegation.Role] = true
if targets.Signed.Delegations != nil {
childRolesToVisit := []roleParentTuple{}
var childRolesToVisit []roleParentTuple
// note that this may be a slow operation if there are many
// delegated roles
roles := targets.Signed.Delegations.GetRolesForTarget(targetFilePath)
for child, terminating := range roles {
log.Info("Adding child role", "role", child)
childRolesToVisit = append(childRolesToVisit, roleParentTuple{Role: child, Parent: delegation.Role})
if terminating {
for _, rolesForTarget := range roles {
log.Info("Adding child role", "role", rolesForTarget.Name)
childRolesToVisit = append(childRolesToVisit, roleParentTuple{Role: rolesForTarget.Name, Parent: delegation.Role})
if rolesForTarget.Terminating {
log.Info("Not backtracking to other roles")
delegationsToVisit = []roleParentTuple{}
break
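Review bot: Nothing on this page pins the behaviour this loop now depends on: the three changed files are all non-test code, so as far as the commit shows no test asserts that `GetRolesForTarget` returns roles in metadata order or that the walk stops at the first terminating one. A table test that builds a `Delegations` with several roles matching the same path, at least one of them terminating, and compares the exact `[]RoleResult` sequence would keep a later refactor from reintroducing map-style ordering. As a smaller point, the loop variable `rolesForTarget` holds a single result; `for _, child := range roles {` reads closer to what the body does. `preOrderDepthFirstWalk` starts and ends outside this hunk.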
