本文整理汇总了Golang中github.com/docker/notary/tuf.NewRepoBuilder函数的典型用法代码示例。如果您正苦于以下问题:Golang NewRepoBuilder函数的具体用法?Golang NewRepoBuilder怎么用?Golang NewRepoBuilder使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。
在下文中一共展示了NewRepoBuilder函数的15个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于系统推荐出更棒的Golang代码示例。
示例1: TestTimestampPreAndPostChecksumming
// No matter what order timestamp and snapshot is loaded, if the snapshot's checksum doesn't match
// what's in the timestamp, the builder will error and refuse to load the latest piece of metadata
// whether that is snapshot (because it was loaded after timestamp) or timestamp (because builder
// retroactive checks the loaded snapshot's checksum). Timestamp ONLY checks the snapshot checksum.
func TestTimestampPreAndPostChecksumming(t *testing.T) {
gun := "docker.com/notary"
repo, _, err := testutils.EmptyRepo(gun, "targets/other", "targets/other/other")
require.NoError(t, err)
// add invalid checkums for all the other roles to timestamp too, and show that
// cached items aren't checksummed against this
fakeChecksum, err := data.NewFileMeta(bytes.NewBuffer([]byte("fake")), notary.SHA256, notary.SHA512)
require.NoError(t, err)
for _, roleName := range append(data.BaseRoles, "targets/other") {
// add a wrong checksum for every role, including timestamp itself
repo.Timestamp.Signed.Meta[roleName] = fakeChecksum
}
// this will overwrite the snapshot checksum with the right one
meta, err := testutils.SignAndSerialize(repo)
require.NoError(t, err)
// ensure that the fake meta for other roles weren't destroyed by signing the timestamp
require.Len(t, repo.Timestamp.Signed.Meta, 5)
snapJSON := append(meta[data.CanonicalSnapshotRole], ' ')
// --- load timestamp first
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
// timestamp doesn't fail, even though its checksum for root is wrong according to timestamp
require.NoError(t, builder.Load(data.CanonicalTimestampRole, meta[data.CanonicalTimestampRole], 1, false))
// loading the snapshot in fails, because of the checksum the timestamp has
err = builder.Load(data.CanonicalSnapshotRole, snapJSON, 1, false)
require.Error(t, err)
require.IsType(t, data.ErrMismatchedChecksum{}, err)
require.True(t, builder.IsLoaded(data.CanonicalTimestampRole))
require.False(t, builder.IsLoaded(data.CanonicalSnapshotRole))
// all the other metadata can be loaded in, even though the checksums are wrong according to timestamp
for _, roleName := range []string{data.CanonicalTargetsRole, "targets/other"} {
require.NoError(t, builder.Load(roleName, meta[roleName], 1, false))
}
// --- load snapshot first
builder = tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
for _, roleName := range append(data.BaseRoles, "targets/other") {
switch roleName {
case data.CanonicalTimestampRole:
continue
case data.CanonicalSnapshotRole:
require.NoError(t, builder.Load(roleName, snapJSON, 1, false))
default:
require.NoError(t, builder.Load(roleName, meta[roleName], 1, false))
}
}
// timestamp fails because the snapshot checksum is wrong
err = builder.Load(data.CanonicalTimestampRole, meta[data.CanonicalTimestampRole], 1, false)
require.Error(t, err)
checksumErr, ok := err.(data.ErrMismatchedChecksum)
require.True(t, ok)
require.Contains(t, checksumErr.Error(), "checksum for snapshot did not match")
require.False(t, builder.IsLoaded(data.CanonicalTimestampRole))
require.True(t, builder.IsLoaded(data.CanonicalSnapshotRole))
}示例2: TestSnapshotLoadedAfterChecksumsOthersRetroactively
// If any other metadata is loaded first, when the snapshot is loaded it will retroactively go back
// and validate that metadata. If anything fails to validate, or there is metadata for which this
// snapshot has no checksums for, the snapshot will fail to validate.
func TestSnapshotLoadedAfterChecksumsOthersRetroactively(t *testing.T) {
gun := "docker.com/notary"
meta := setupSnapshotChecksumming(t, gun)
// --- load all the other metadata first, but with an extra space at the end which should
// --- validate fine, except for the checksum.
for _, roleNameToPermute := range append(data.BaseRoles, "targets/other") {
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
if roleNameToPermute == data.CanonicalSnapshotRole {
continue
}
// load all the roles normally, except for roleToPermute, which has one space added
// to the end, thus changing the checksum
for _, roleNameToLoad := range append(data.BaseRoles, "targets/other") {
switch roleNameToLoad {
case data.CanonicalSnapshotRole:
continue // we load this later
case roleNameToPermute:
// having a space added at the end should not affect any validity check except checksum
require.NoError(t, builder.Load(roleNameToLoad, append(meta[roleNameToLoad], ' '), 0, false))
default:
require.NoError(t, builder.Load(roleNameToLoad, meta[roleNameToLoad], 1, false))
}
require.True(t, builder.IsLoaded(roleNameToLoad))
}
// now load the snapshot - it should fail with the checksum failure for the permuted role
err := builder.Load(data.CanonicalSnapshotRole, meta[data.CanonicalSnapshotRole], 1, false)
switch roleNameToPermute {
case data.CanonicalTimestampRole:
require.NoError(t, err) // we don't check the timestamp's checksum
default:
require.Error(t, err)
checksumErr, ok := err.(data.ErrMismatchedChecksum)
require.True(t, ok)
require.Contains(t, checksumErr.Error(), fmt.Sprintf("checksum for %s did not match", roleNameToPermute))
require.False(t, builder.IsLoaded(data.CanonicalSnapshotRole))
}
}
// load all the metadata as is without alteration (so they should validate all checksums)
// but also load the metadata that is not contained in the snapshot. Then when the snapshot
// is loaded it will fail validation, because it doesn't have target/other/other's checksum
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
for _, roleNameToLoad := range append(data.BaseRoles, "targets/other", "targets/other/other") {
if roleNameToLoad == data.CanonicalSnapshotRole {
continue
}
require.NoError(t, builder.Load(roleNameToLoad, meta[roleNameToLoad], 1, false))
}
err := builder.Load(data.CanonicalSnapshotRole, meta[data.CanonicalSnapshotRole], 1, false)
require.Error(t, err)
require.IsType(t, data.ErrMissingMeta{}, err)
}示例3: TestSnapshotLoadedFirstChecksumsOthers
// If the snapshot is loaded first (-ish, because really root has to be loaded first)
// it will be used to validate the checksums of all other metadata that gets loaded.
// If the checksum doesn't match, or if there is no checksum, then the other metadata
// cannot be loaded.
func TestSnapshotLoadedFirstChecksumsOthers(t *testing.T) {
gun := "docker.com/notary"
meta := setupSnapshotChecksumming(t, gun)
// --- load root then snapshot
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
require.NoError(t, builder.Load(data.CanonicalSnapshotRole, meta[data.CanonicalSnapshotRole], 1, false))
// loading timestamp is fine, even though the timestamp metadata has the wrong checksum because
// we don't check timestamp checksums
require.NoError(t, builder.Load(data.CanonicalTimestampRole, meta[data.CanonicalTimestampRole], 1, false))
// loading the other roles' metadata with a space will fail because of a checksum failure (builder
// checks right away if the snapshot is loaded) - in the case of targets/other/other, which should
// not be in snapshot at all, loading should fail even without a space because there is no checksum
// for it
for _, roleNameToLoad := range []string{data.CanonicalTargetsRole, "targets/other"} {
err := builder.Load(roleNameToLoad, append(meta[roleNameToLoad], ' '), 0, false)
require.Error(t, err)
checksumErr, ok := err.(data.ErrMismatchedChecksum)
require.True(t, ok)
require.Contains(t, checksumErr.Error(), fmt.Sprintf("checksum for %s did not match", roleNameToLoad))
require.False(t, builder.IsLoaded(roleNameToLoad))
// now load it for real (since we need targets loaded before trying to load "targets/other")
require.NoError(t, builder.Load(roleNameToLoad, meta[roleNameToLoad], 1, false))
}
// loading the non-existent role wil fail
err := builder.Load("targets/other/other", meta["targets/other/other"], 1, false)
require.Error(t, err)
require.IsType(t, data.ErrMissingMeta{}, err)
require.False(t, builder.IsLoaded("targets/other/other"))
}示例4: TestGenerateSnapshotRootNotLoaded
// ### generateSnapshot tests ###
func TestGenerateSnapshotRootNotLoaded(t *testing.T) {
gun := "docker.com/notary"
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
_, err := generateSnapshot(gun, builder, storage.NewMemStorage())
require.Error(t, err)
require.IsType(t, validation.ErrValidation{}, err)
}示例5: createTimestamp
// CreateTimestamp creates a new timestamp. If a prev timestamp is provided, it
// is assumed this is the immediately previous one, and the new one will have a
// version number one higher than prev. The store is used to lookup the current
// snapshot, this function does not save the newly generated timestamp.
func createTimestamp(gun string, prev *data.SignedTimestamp, snapshot []byte, store storage.MetaStore,
cryptoService signed.CryptoService) (*storage.MetaUpdate, error) {
builder := tuf.NewRepoBuilder(gun, cryptoService, trustpinning.TrustPinConfig{})
// load the current root to ensure we use the correct timestamp key.
_, root, err := store.GetCurrent(gun, data.CanonicalRootRole)
if err != nil {
logrus.Debug("Previous timestamp, but no root for GUN ", gun)
return nil, err
}
if err := builder.Load(data.CanonicalRootRole, root, 1, false); err != nil {
logrus.Debug("Could not load valid previous root for GUN ", gun)
return nil, err
}
// load snapshot so we can include it in timestamp
if err := builder.Load(data.CanonicalSnapshotRole, snapshot, 1, false); err != nil {
logrus.Debug("Could not load valid previous snapshot for GUN ", gun)
return nil, err
}
meta, ver, err := builder.GenerateTimestamp(prev)
if err != nil {
return nil, err
}
return &storage.MetaUpdate{
Role: data.CanonicalTimestampRole,
Version: ver,
Data: meta,
}, nil
}示例6: bootstrapRepo
// bootstrapRepo loads the repository from the local file system (i.e.
// a not yet published repo or a possibly obsolete local copy) into
// r.tufRepo. This attempts to load metadata for all roles. Since server
// snapshots are supported, if the snapshot metadata fails to load, that's ok.
// This assumes that bootstrapRepo is only used by Publish() or RotateKey()
func (r *NotaryRepository) bootstrapRepo() error {
b := tuf.NewRepoBuilder(r.gun, r.CryptoService, r.trustPinning)
logrus.Debugf("Loading trusted collection.")
for _, role := range data.BaseRoles {
jsonBytes, err := r.fileStore.GetMeta(role, store.NoSizeLimit)
if err != nil {
if _, ok := err.(store.ErrMetaNotFound); ok &&
// server snapshots are supported, and server timestamp management
// is required, so if either of these fail to load that's ok - especially
// if the repo is new
role == data.CanonicalSnapshotRole || role == data.CanonicalTimestampRole {
continue
}
return err
}
if err := b.Load(role, jsonBytes, 1, true); err != nil {
return err
}
}
tufRepo, err := b.Finish()
if err == nil {
r.tufRepo = tufRepo
}
return nil
}示例7: TestBuilderOnlyAcceptsDelegationsAfterParent
func TestBuilderOnlyAcceptsDelegationsAfterParent(t *testing.T) {
meta, gun := getSampleMeta(t)
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
// load the root
require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
// delegations can't be loaded without target
for _, delgName := range []string{"targets/a", "targets/a/b"} {
err := builder.Load(delgName, meta[delgName], 1, false)
require.Error(t, err)
require.IsType(t, tuf.ErrInvalidBuilderInput{}, err)
require.Contains(t, err.Error(), "targets must be loaded first")
require.False(t, builder.IsLoaded(delgName))
require.Equal(t, 1, builder.GetLoadedVersion(delgName))
}
// load the targets
require.NoError(t, builder.Load(data.CanonicalTargetsRole, meta[data.CanonicalTargetsRole], 1, false))
// targets/a/b can't be loaded because targets/a isn't loaded
err := builder.Load("targets/a/b", meta["targets/a/b"], 1, false)
require.Error(t, err)
require.IsType(t, data.ErrInvalidRole{}, err)
// targets/a can be loaded now though because targets is loaded
require.NoError(t, builder.Load("targets/a", meta["targets/a"], 1, false))
// and now targets/a/b can be loaded because targets/a is loaded
require.NoError(t, builder.Load("targets/a/b", meta["targets/a/b"], 1, false))
}示例8: TestBuilderLoadsValidRolesOnly
// We load only if the rolename is a valid rolename - even if the metadata we provided is valid
func TestBuilderLoadsValidRolesOnly(t *testing.T) {
meta, gun := getSampleMeta(t)
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
err := builder.Load("NotRoot", meta[data.CanonicalRootRole], 1, false)
require.Error(t, err)
require.IsType(t, tuf.ErrInvalidBuilderInput{}, err)
require.Contains(t, err.Error(), "is an invalid role")
}示例9: TestMarkingIsValid
func TestMarkingIsValid(t *testing.T) {
meta, gun := getSampleMeta(t)
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
// testing that the signed objects have a false isValid value confirming
// that verify signatures has not been called on them yet
// now when we check that isValid is true after calling load which calls
// verify signatures- we can be sure that verify signatures is actually
// setting the isValid fields for our data.Signed objects
for _, meta := range meta {
signedObj := &data.Signed{}
if err := json.Unmarshal(meta, signedObj); err != nil {
require.NoError(t, err)
}
require.Len(t, signedObj.Signatures, 1)
require.False(t, signedObj.Signatures[0].IsValid)
}
// load the root
require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
// load a timestamp
require.NoError(t, builder.Load(data.CanonicalTimestampRole, meta[data.CanonicalTimestampRole], 1, false))
// load a snapshot
require.NoError(t, builder.Load(data.CanonicalSnapshotRole, meta[data.CanonicalSnapshotRole], 1, false))
// load the targets
require.NoError(t, builder.Load(data.CanonicalTargetsRole, meta[data.CanonicalTargetsRole], 1, false))
// targets/a can be loaded now though because targets is loaded
require.NoError(t, builder.Load("targets/a", meta["targets/a"], 1, false))
// and now targets/a/b can be loaded because targets/a is loaded
require.NoError(t, builder.Load("targets/a/b", meta["targets/a/b"], 1, false))
valid, _, err := builder.Finish()
// TODO: Once ValidateRoot is changes to set IsValid as per PR #800 we should uncomment the below test to make
// sure that IsValid is being set on loadRoot
//require.True(t, valid.Root.Signatures[0].IsValid)
require.True(t, valid.Timestamp.Signatures[0].IsValid)
require.True(t, valid.Snapshot.Signatures[0].IsValid)
require.True(t, valid.Targets[data.CanonicalTargetsRole].Signatures[0].IsValid)
require.True(t, valid.Targets["targets/a"].Signatures[0].IsValid)
require.True(t, valid.Targets["targets/a/b"].Signatures[0].IsValid)
require.NoError(t, err)
}示例10: TestBuilderStopsAcceptingOrProducingDataOnceDone
func TestBuilderStopsAcceptingOrProducingDataOnceDone(t *testing.T) {
meta, gun := getSampleMeta(t)
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
for _, roleName := range data.BaseRoles {
require.NoError(t, builder.Load(roleName, meta[roleName], 1, false))
require.True(t, builder.IsLoaded(roleName))
}
_, err := builder.Finish()
require.NoError(t, err)
err = builder.Load("targets/a", meta["targets/a"], 1, false)
require.Error(t, err)
require.Equal(t, tuf.ErrBuildDone, err)
// a new bootstrapped builder can also not have any more input output
bootstrapped := builder.BootstrapNewBuilder()
err = bootstrapped.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 0, false)
require.Error(t, err)
require.Equal(t, tuf.ErrBuildDone, err)
for _, b := range []tuf.RepoBuilder{builder, bootstrapped} {
_, err = b.Finish()
require.Error(t, err)
require.Equal(t, tuf.ErrBuildDone, err)
_, _, err = b.GenerateSnapshot(nil)
require.Error(t, err)
require.Equal(t, tuf.ErrBuildDone, err)
_, _, err = b.GenerateTimestamp(nil)
require.Error(t, err)
require.Equal(t, tuf.ErrBuildDone, err)
for roleName := range meta {
// a finished builder thinks nothing is loaded
require.False(t, b.IsLoaded(roleName))
// checksums are all empty, versions are all zero
require.Equal(t, 0, b.GetLoadedVersion(roleName))
require.Equal(t, tuf.ConsistentInfo{RoleName: roleName}, b.GetConsistentInfo(roleName))
}
}
}示例11: TestBuilderOnlyAcceptsRootFirstWhenLoading
func TestBuilderOnlyAcceptsRootFirstWhenLoading(t *testing.T) {
meta, gun := getSampleMeta(t)
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
for roleName, content := range meta {
if roleName != data.CanonicalRootRole {
err := builder.Load(roleName, content, 1, true)
require.Error(t, err)
require.IsType(t, tuf.ErrInvalidBuilderInput{}, err)
require.Contains(t, err.Error(), "root must be loaded first")
require.False(t, builder.IsLoaded(roleName))
require.Equal(t, 1, builder.GetLoadedVersion(roleName))
}
}
// we can load the root
require.NoError(t, builder.Load(data.CanonicalRootRole, meta[data.CanonicalRootRole], 1, false))
require.True(t, builder.IsLoaded(data.CanonicalRootRole))
}示例12: TestValidateTargetsParentInUpdate
// If the parent is not in the store, then the parent must be in the update else
// validation fails.
func TestValidateTargetsParentInUpdate(t *testing.T) {
gun := "docker.com/notary"
delgName := "targets/level1"
metadata, _, err := testutils.NewRepoMetadata(gun, delgName, path.Join(delgName, "other"))
require.NoError(t, err)
store := storage.NewMemStorage()
// load the root into the builder, else we can't load anything else
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
require.NoError(t, builder.Load(data.CanonicalRootRole, metadata[data.CanonicalRootRole], 0, false))
targetsUpdate := storage.MetaUpdate{
Role: data.CanonicalTargetsRole,
Version: 1,
Data: []byte("Invalid metadata"),
}
delgUpdate := storage.MetaUpdate{
Role: delgName,
Version: 1,
Data: metadata[delgName],
}
upload := map[string]storage.MetaUpdate{
"targets/level1": delgUpdate,
data.CanonicalTargetsRole: targetsUpdate,
}
// parent update not readable - fail
_, err = loadAndValidateTargets(gun, builder, upload, store)
require.Error(t, err)
require.IsType(t, validation.ErrBadTargets{}, err)
// because we sort the roles, the list of returned updates
// will contain shallower roles first, in this case "targets",
// and then "targets/level1"
targetsUpdate.Data = metadata[data.CanonicalTargetsRole]
upload[data.CanonicalTargetsRole] = targetsUpdate
updates, err := loadAndValidateTargets(gun, builder, upload, store)
require.NoError(t, err)
require.Equal(t, []storage.MetaUpdate{targetsUpdate, delgUpdate}, updates)
}示例13: TestBuilderAcceptRoleOnce
func TestBuilderAcceptRoleOnce(t *testing.T) {
meta, gun := getSampleMeta(t)
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
for _, roleName := range append(data.BaseRoles, "targets/a", "targets/a/b") {
// first time loading is ok
require.NoError(t, builder.Load(roleName, meta[roleName], 1, false))
require.True(t, builder.IsLoaded(roleName))
require.Equal(t, 1, builder.GetLoadedVersion(roleName))
// second time loading is not
err := builder.Load(roleName, meta[roleName], 1, false)
require.Error(t, err)
require.IsType(t, tuf.ErrInvalidBuilderInput{}, err)
require.Contains(t, err.Error(), "has already been loaded")
// still loaded
require.True(t, builder.IsLoaded(roleName))
}
}示例14: TestGenerateSnapshotNoKey
func TestGenerateSnapshotNoKey(t *testing.T) {
gun := "docker.com/notary"
metadata, cs, err := testutils.NewRepoMetadata(gun)
require.NoError(t, err)
store := storage.NewMemStorage()
// delete snapshot key in the cryptoservice
for _, keyID := range cs.ListKeys(data.CanonicalSnapshotRole) {
require.NoError(t, cs.RemoveKey(keyID))
}
builder := tuf.NewRepoBuilder(gun, cs, trustpinning.TrustPinConfig{})
// only load root and targets
require.NoError(t, builder.Load(data.CanonicalRootRole, metadata[data.CanonicalRootRole], 0, false))
require.NoError(t, builder.Load(data.CanonicalTargetsRole, metadata[data.CanonicalTargetsRole], 0, false))
_, err = generateSnapshot(gun, builder, store)
require.Error(t, err)
require.IsType(t, validation.ErrBadHierarchy{}, err)
}示例15: TestLoadTargetsLoadsNothingIfNoUpdates
// ### Target validation with delegations tests
func TestLoadTargetsLoadsNothingIfNoUpdates(t *testing.T) {
gun := "docker.com/notary"
metadata, _, err := testutils.NewRepoMetadata(gun)
require.NoError(t, err)
// load the root into the builder, else we can't load anything else
builder := tuf.NewRepoBuilder(gun, nil, trustpinning.TrustPinConfig{})
require.NoError(t, builder.Load(data.CanonicalRootRole, metadata[data.CanonicalRootRole], 0, false))
store := storage.NewMemStorage()
store.UpdateCurrent(gun, storage.MetaUpdate{
Role: data.CanonicalTargetsRole,
Version: 1,
Data: metadata[data.CanonicalTargetsRole],
})
// if no updates, nothing is loaded
targetsToUpdate, err := loadAndValidateTargets(gun, builder, nil, store)
require.Empty(t, targetsToUpdate)
require.NoError(t, err)
require.False(t, builder.IsLoaded(data.CanonicalTargetsRole))
}