chore(trdl): server v0

.github/PULL_REQUEST_TEMPLATE.md

@@ -1,13 +1,14 @@
 Please fill in the fields below to submit a pull request.  The more information that is provided, the better.
 
 Fixes #<Issue>
+
 Release Notes: <!-- What comments/remarks should we include in the release notes for this change? -->
 
 **Types of changes**:
 <!--- What types of changes does your code introduce? Put an `x` in all the boxes that apply: -->
 - [ ] Bug fix (non-breaking change which fixes an issue)
 - [ ] New feature (non-breaking change which adds functionality)
-- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected)
+- [ ] Breaking change (fix or feature that would cause existing functionality to not work as expected). **Please ensure that your PR title** is a [Conventional Commit](https://www.conventionalcommits.org/en/v1.0.0/) breaking change (with a `!`, as in `feat!: change foo`). 
 
 **Description of the changes being introduced by the pull request**:
 

.github/workflows/changelog.yml

@@ -13,6 +13,6 @@ jobs:
     runs-on: "ubuntu-latest"
     steps:
       - name:
-        uses: amannn/action-semantic-pull-request@91682d013dea3ff257520b9b68c9cb93ced4fe9b
+        uses: amannn/action-semantic-pull-request@01d5fd8a8ebb9aafe902c40c53f0f4744f7381eb
         env:
           GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/ci.yml

@@ -6,6 +6,8 @@ on:
     tags:
       - "v*"
 name: CI
+permissions:
+  contents: write
 jobs:
   tests:
     uses: ./.github/workflows/tests.yml

.github/workflows/release.yml

@@ -16,14 +16,14 @@ jobs:
         with:
           fetch-depth: 0
       - name: Get Go version
-        uses: arnested/go-version-action@6d27c5921683f55415260f7a285d330ddb146fa2
+        uses: arnested/go-version-action@b556f8d91b644164318c709d28b9083eaf0c064d
         id: go-version
       - name: Set up Go
-        uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
         with:
           go-version: ${{ steps.go-version.outputs.minimal }}
       - name: Run GoReleaser
-        uses: goreleaser/goreleaser-action@ff11ca24a9b39f2d36796d1fbd7a4e39c182630a
+        uses: goreleaser/goreleaser-action@8f67e590f2d095516493f017008adc464e63adb1
         with:
           distribution: goreleaser
           version: "v1.7.0"

.github/workflows/specification-version-check.yml

@@ -11,4 +11,4 @@ jobs:
       issues: write
     uses: theupdateframework/specification/.github/workflows/check-latest-spec-version.yml@master
     with:
-      tuf-version: "v1.0.29" # Should be updated to the according version either manually or extracted automatically as how it's done in python-tuf
+      tuf-version: "v1.0.31" # Should be updated to the according version either manually or extracted automatically as how it's done in python-tuf

.github/workflows/tests.yml

@@ -9,11 +9,12 @@ jobs:
       matrix: ${{ steps.versions.outputs.matrix }}
     steps:
       - uses: actions/checkout@v3
-      - uses: arnested/go-version-action@6d27c5921683f55415260f7a285d330ddb146fa2
+      - uses: arnested/go-version-action@b556f8d91b644164318c709d28b9083eaf0c064d
         id: versions
 
   run:
     strategy:
+      fail-fast: false # Keep running if one leg fails.
       matrix:
         os: [ubuntu-latest, macos-latest, windows-latest]
         go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
@@ -24,12 +25,12 @@ jobs:
         uses: actions/checkout@v3
 
       - name: Setup - Go ${{ matrix.go-version }}
-        uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
+        uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
         with:
           go-version: ${{ matrix.go-version }}
 
       - name: Setup - Python
-        uses: actions/setup-python@b55428b1882923874294fa556849718a1d7f2ca5
+        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
         with:
           python-version: "3.10"
           cache: "pip"
@@ -58,12 +59,12 @@ jobs:
     runs-on: ${{ matrix.os }}
     needs: get-go-versions
     steps:
-      - uses: actions/setup-go@268d8c0ca0432bb2cf416faae41297df9d262d7f
+      - uses: actions/setup-go@6edd4406fa81c3da01a34fa6f6343087c207a568
         with:
           go-version: ${{ matrix.go-version }}
       - uses: actions/checkout@v3
       - name: golangci-lint
-        uses: golangci/golangci-lint-action@537aa1903e5d359d0b27dbc19ddd22c5087f3fbc
+        uses: golangci/golangci-lint-action@0ad9a0988b3973e851ab0a07adf248ec2e100376
         with:
-          version: v1.49.0
-          args: --timeout 3m
+          version: v1.49
+          args: --timeout 5m --verbose

.golangci.yml

@@ -13,3 +13,4 @@ linters:
     - gosimple
     - unused
     - typecheck
+    - forbidigo

.goreleaser/tuf.yml

@@ -23,7 +23,7 @@ changelog:
   use: github
   groups:
     - title: "Breaking changes"
-      regexp: "^.*BREAKING CHANGE[(\\w)]*:+.*$"
+      regexp: "^.*(?:BREAKING CHANGE)|![(\\w)]*:+.*$"
       order: 0
     - title: Features
       regexp: "^.*feat[(\\w)]*:+.*$"

README.md

@@ -603,6 +603,39 @@ $ tree .
 └── staged
 ```
 
+#### Adding a new root key
+
+Copy `staged/root.json` to the root box and generate a new root key on the root box:
+
+```bash
+$ tuf gen-key root
+$ tuf sign root.json
+```
+
+Copy `staged/root.json` from the root box and commit:
+
+```bash
+$ tuf commit
+```
+
+#### Rotating root key(s)
+
+Copy `staged/root.json` to the root box to do the rotation, where `abcd` is the keyid of the key that is being replaced:
+
+```bash
+$ tuf gen-key root
+$ tuf revoke-key root abcd
+$ tuf sign root.json
+```
+
+Note that `revoke-key` removes the old key from `root.json`, but the key remains in the `keys/` directory on the root box as it is needed to sign the next `root.json`. After this signing is done, the old key may be removed from `keys/`. Any number of keys may be added or revoked during this step, but ensure that at least a threshold of valid keys remain.
+
+Copy `staged/root.json` from the root box to commit:
+
+```bash
+$ tuf commit
+```
+
 ## Client
 
 For the client package, see https://godoc.org/github.com/theupdateframework/go-tuf/client.

client/client.go

@@ -4,9 +4,11 @@ import (
 	"bytes"
 	"encoding/hex"
 	"encoding/json"
+	"fmt"
 	"io"
 
 	"github.com/theupdateframework/go-tuf/data"
+	"github.com/theupdateframework/go-tuf/internal/roles"
 	"github.com/theupdateframework/go-tuf/util"
 	"github.com/theupdateframework/go-tuf/verify"
 )
@@ -143,7 +145,13 @@ func (c *Client) Update() (data.TargetFiles, error) {
 	}
 	// 5.4.(2,3 and 4) - Verify timestamp against various attacks
 	// Returns the extracted snapshot metadata
-	snapshotMeta, err := c.decodeTimestamp(timestampJSON)
+	snapshotMeta, sameTimestampVersion, err := c.decodeTimestamp(timestampJSON)
+	if sameTimestampVersion {
+		// The new timestamp.json file had the same version; we don't need to
+		// update, so bail early.
+		return c.targets, nil
+	}
+
 	if err != nil {
 		return nil, err
 	}
@@ -393,8 +401,8 @@ func (c *Client) getLocalMeta() error {
 		}
 	}
 
+	snapshot := &data.Snapshot{}
 	if snapshotJSON, ok := meta["snapshot.json"]; ok {
-		snapshot := &data.Snapshot{}
 		if err := c.db.UnmarshalTrusted(snapshotJSON, snapshot, "snapshot"); err != nil {
 			loadFailed = true
 			retErr = err
@@ -417,13 +425,83 @@ func (c *Client) getLocalMeta() error {
 			c.loadTargets(targets.Targets)
 		}
 	}
+
+	if loadFailed {
+		// If any of the metadata failed to be verified, return the reason for that failure
+		// and fail fast before delegated targets
+		return retErr
+	}
+
+	// verifiedDelegatedTargets is a set of verified delegated targets
+	verifiedDelegatedTargets := make(map[string]bool)
+	for fileName := range meta {
+		if !verifiedDelegatedTargets[fileName] && roles.IsDelegatedTargetsManifest(fileName) {
+			if delegationPath, err := c.getDelegationPathFromRaw(snapshot, meta[fileName]); err != nil {
+				loadFailed = true
+				retErr = err
+			} else {
+				// Every delegated targets in the path has been verified
+				// as a side effect of getDelegationPathFromRaw
+				for _, key := range delegationPath {
+					fileName := fmt.Sprintf("%s.json", key)
+					verifiedDelegatedTargets[fileName] = true
+				}
+			}
+		}
+	}
+
+	for fileName := range verifiedDelegatedTargets {
+		c.localMeta[fileName] = meta[fileName]
+	}
+
 	if loadFailed {
 		// If any of the metadata failed to be verified, return the reason for that failure
 		return retErr
 	}
 	return nil
 }
 
+// getDelegationPathFromRaw verifies a delegated targets against
+// a given snapshot and returns an error if it's invalid
+//
+// Delegation must have targets to get a path, else an empty list
+// will be returned: this is because the delegation iterator is leveraged.
+//
+// Concrete example:
+// targets
+// └── a.json
+//   └── b.json
+//      └── c.json
+//        └── target_file.txt
+//
+// If you try to use that function on "a.json" or "b.json", it'll return an empty list
+// with no error, as neither of them declare a target file
+// On the other hand, if you use that function on "c.json", it'll return & verify
+// [c.json, b.json, a.json]. Running that function on every delegated targets
+// guarantees that if a delegated targets is in the path of a target file, then it will
+// appear at least once in the result
+func (c *Client) getDelegationPathFromRaw(snapshot *data.Snapshot, delegatedTargetsJSON json.RawMessage) ([]string, error) {
+	// unmarshal the delegated targets first without verifying as
+	// we need at least one targets file name to leverage the
+	// getTargetFileMetaDelegationPath method
+	s := &data.Signed{}
+	if err := json.Unmarshal(delegatedTargetsJSON, s); err != nil {
+		return nil, err
+	}
+	targets := &data.Targets{}
+	if err := json.Unmarshal(s.Signed, targets); err != nil {
+		return nil, err
+	}
+	for targetPath := range targets.Targets {
+		_, resp, err := c.getTargetFileMetaDelegationPath(targetPath, snapshot)
+		// We only need to test one targets file:
+		// - If it is valid, it means the delegated targets has been validated
+		// - If it is not, the delegated targets isn't valid
+		return resp, err
+	}
+	return nil, nil
+}
+
 // loadAndVerifyLocalRootMeta decodes and verifies root metadata from
 // local storage and loads the top-level keys. This method first clears
 // the DB for top-level keys and then loads the new keys.
@@ -740,22 +818,31 @@ func (c *Client) decodeTargets(b json.RawMessage) (data.TargetFiles, error) {
 }
 
 // decodeTimestamp decodes and verifies timestamp metadata, and returns the
-// new snapshot file meta.
-func (c *Client) decodeTimestamp(b json.RawMessage) (data.TimestampFileMeta, error) {
+// new snapshot file meta and signals whether the update should be aborted early
+// (the new timestamp has the same version as the old one, so there's no need to
+// complete the update).
+func (c *Client) decodeTimestamp(b json.RawMessage) (data.TimestampFileMeta, bool, error) {
 	timestamp := &data.Timestamp{}
+
 	if err := c.db.Unmarshal(b, timestamp, "timestamp", c.timestampVer); err != nil {
-		return data.TimestampFileMeta{}, ErrDecodeFailed{"timestamp.json", err}
+		return data.TimestampFileMeta{}, false, ErrDecodeFailed{"timestamp.json", err}
+	}
+	// 5.4.3.1  - Check for timestamp rollback attack
+	// We already checked for timestamp.Version < c.timestampVer in the Unmarshal call above.
+	// Here, we're checking for version equality, which indicates that we can abandon this update.
+	if timestamp.Version == c.timestampVer {
+		return data.TimestampFileMeta{}, true, nil
 	}
 	// 5.4.3.2 - Check for snapshot rollback attack
 	// Verify that the current snapshot meta version is less than or equal to the new one
 	if timestamp.Meta["snapshot.json"].Version < c.snapshotVer {
-		return data.TimestampFileMeta{}, verify.ErrLowVersion{Actual: timestamp.Meta["snapshot.json"].Version, Current: c.snapshotVer}
+		return data.TimestampFileMeta{}, false, verify.ErrLowVersion{Actual: timestamp.Meta["snapshot.json"].Version, Current: c.snapshotVer}
 	}
-	// At this point we can trust the new timestamp and the snaphost version it refers to
+	// At this point we can trust the new timestamp and the snapshot version it refers to
 	// so we can update the client's trusted versions and proceed with persisting the new timestamp
 	c.timestampVer = timestamp.Version
 	c.snapshotVer = timestamp.Meta["snapshot.json"].Version
-	return timestamp.Meta["snapshot.json"], nil
+	return timestamp.Meta["snapshot.json"], false, nil
 }
 
 // hasMetaFromSnapshot checks whether local metadata has the given meta
@@ -792,6 +879,8 @@ type Destination interface {
 //   - The target does not exist in any targets
 //   - Metadata cannot be generated for the downloaded data
 //   - Generated metadata does not match local metadata for the given file
+//   - Size of the download does not match if the reported size is known and
+//     incorrect
 func (c *Client) Download(name string, dest Destination) (err error) {
 	// delete dest if there is an error
 	defer func() {