package data import ( "bytes" "fmt" "github.com/Sirupsen/logrus" "github.com/docker/go/canonical/json" "github.com/docker/notary" ) // SignedSnapshot is a fully unpacked snapshot.json type SignedSnapshot struct { Signatures []Signature Signed Snapshot Dirty bool } // Snapshot is the Signed component of a snapshot.json type Snapshot struct { SignedCommon Meta Files `json:"meta"` } // IsValidSnapshotStructure returns an error, or nil, depending on whether the content of the // struct is valid for snapshot metadata. This does not check signatures or expiry, just that // the metadata content is valid. func IsValidSnapshotStructure(s Snapshot) error { expectedType := TUFTypes[CanonicalSnapshotRole] if s.Type != expectedType { return ErrInvalidMetadata{ role: CanonicalSnapshotRole, msg: fmt.Sprintf("expected type %s, not %s", expectedType, s.Type)} } if s.Version < 1 { return ErrInvalidMetadata{ role: CanonicalSnapshotRole, msg: "version cannot be less than one"} } for _, file := range []RoleName{CanonicalRootRole, CanonicalTargetsRole} { // Meta is a map of FileMeta, so if the role isn't in the map it returns // an empty FileMeta, which has an empty map, and you can check on keys // from an empty map. // // For now sha256 is required and sha512 is not. if _, ok := s.Meta[file.String()].Hashes[notary.SHA256]; !ok { return ErrInvalidMetadata{ role: CanonicalSnapshotRole, msg: fmt.Sprintf("missing %s sha256 checksum information", file.String()), } } if err := CheckValidHashStructures(s.Meta[file.String()].Hashes); err != nil { return ErrInvalidMetadata{ role: CanonicalSnapshotRole, msg: fmt.Sprintf("invalid %s checksum information, %v", file.String(), err), } } } return nil } // NewSnapshot initilizes a SignedSnapshot with a given top level root // and targets objects func NewSnapshot(root *Signed, targets *Signed) (*SignedSnapshot, error) { logrus.Debug("generating new snapshot...") targetsJSON, err := json.Marshal(targets) if err != nil { logrus.Debug("Error Marshalling Targets") return nil, err } rootJSON, err := json.Marshal(root) if err != nil { logrus.Debug("Error Marshalling Root") return nil, err } rootMeta, err := NewFileMeta(bytes.NewReader(rootJSON), NotaryDefaultHashes...) if err != nil { return nil, err } targetsMeta, err := NewFileMeta(bytes.NewReader(targetsJSON), NotaryDefaultHashes...) if err != nil { return nil, err } return &SignedSnapshot{ Signatures: make([]Signature, 0), Signed: Snapshot{ SignedCommon: SignedCommon{ Type: TUFTypes[CanonicalSnapshotRole], Version: 0, Expires: DefaultExpires(CanonicalSnapshotRole), }, Meta: Files{ CanonicalRootRole.String(): rootMeta, CanonicalTargetsRole.String(): targetsMeta, }, }, }, nil } // ToSigned partially serializes a SignedSnapshot for further signing func (sp *SignedSnapshot) ToSigned() (*Signed, error) { s, err := defaultSerializer.MarshalCanonical(sp.Signed) if err != nil { return nil, err } signed := json.RawMessage{} err = signed.UnmarshalJSON(s) if err != nil { return nil, err } sigs := make([]Signature, len(sp.Signatures)) copy(sigs, sp.Signatures) return &Signed{ Signatures: sigs, Signed: &signed, }, nil } // AddMeta updates a role in the snapshot with new meta func (sp *SignedSnapshot) AddMeta(role RoleName, meta FileMeta) { sp.Signed.Meta[role.String()] = meta sp.Dirty = true } // GetMeta gets the metadata for a particular role, returning an error if it's // not found func (sp *SignedSnapshot) GetMeta(role RoleName) (*FileMeta, error) { if meta, ok := sp.Signed.Meta[role.String()]; ok { if _, ok := meta.Hashes["sha256"]; ok { return &meta, nil } } return nil, ErrMissingMeta{Role: role.String()} } // DeleteMeta removes a role from the snapshot. If the role doesn't // exist in the snapshot, it's a noop. func (sp *SignedSnapshot) DeleteMeta(role RoleName) { if _, ok := sp.Signed.Meta[role.String()]; ok { delete(sp.Signed.Meta, role.String()) sp.Dirty = true } } // MarshalJSON returns the serialized form of SignedSnapshot as bytes func (sp *SignedSnapshot) MarshalJSON() ([]byte, error) { signed, err := sp.ToSigned() if err != nil { return nil, err } return defaultSerializer.Marshal(signed) } // SnapshotFromSigned fully unpacks a Signed object into a SignedSnapshot func SnapshotFromSigned(s *Signed) (*SignedSnapshot, error) { sp := Snapshot{} if err := defaultSerializer.Unmarshal(*s.Signed, &sp); err != nil { return nil, err } if err := IsValidSnapshotStructure(sp); err != nil { return nil, err } sigs := make([]Signature, len(s.Signatures)) copy(sigs, s.Signatures) return &SignedSnapshot{ Signatures: sigs, Signed: sp, }, nil }