forked from notaryproject/notary
/
roles.go
98 lines (88 loc) · 3.04 KB
/
roles.go
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
package handlers
import (
"time"
"golang.org/x/net/context"
"encoding/hex"
"encoding/json"
"fmt"
"github.com/docker/notary"
"github.com/docker/notary/server/errors"
"github.com/docker/notary/server/storage"
"github.com/docker/notary/server/timestamp"
"github.com/docker/notary/tuf/data"
"github.com/docker/notary/tuf/signed"
)
func getRole(ctx context.Context, store storage.MetaStore, gun, role, checksum string) (*time.Time, []byte, error) {
var (
lastModified *time.Time
out []byte
err error
)
if checksum == "" {
// the timestamp and snapshot might be server signed so are
// handled specially
switch role {
case data.CanonicalTimestampRole, data.CanonicalSnapshotRole:
return getMaybeServerSigned(ctx, store, gun, role)
}
lastModified, out, err = store.GetCurrent(gun, role)
} else {
lastModified, out, err = store.GetChecksum(gun, role, checksum)
}
if err != nil {
if _, ok := err.(storage.ErrNotFound); ok {
return nil, nil, errors.ErrMetadataNotFound.WithDetail(err)
}
return nil, nil, errors.ErrUnknown.WithDetail(err)
}
if out == nil {
return nil, nil, errors.ErrMetadataNotFound.WithDetail(nil)
}
return lastModified, out, nil
}
// getMaybeServerSigned writes the current snapshot or timestamp (based on the
// role passed) to the provided writer or returns an error. In retrieving
// the timestamp and snapshot, based on the keys held by the server, a new one
// might be generated and signed due to expiry of the previous one or updates
// to other roles.
func getMaybeServerSigned(ctx context.Context, store storage.MetaStore, gun, role string) (*time.Time, []byte, error) {
cryptoServiceVal := ctx.Value("cryptoService")
cryptoService, ok := cryptoServiceVal.(signed.CryptoService)
if !ok {
return nil, nil, errors.ErrNoCryptoService.WithDetail(nil)
}
var (
lastModified *time.Time
out []byte
err error
)
if role != data.CanonicalTimestampRole && role != data.CanonicalSnapshotRole {
return nil, nil, fmt.Errorf("role %s cannot be server signed", role)
}
lastModified, out, err = timestamp.GetOrCreateTimestamp(gun, store, cryptoService)
if err != nil {
switch err.(type) {
case *storage.ErrNoKey, storage.ErrNotFound:
return nil, nil, errors.ErrMetadataNotFound.WithDetail(err)
default:
return nil, nil, errors.ErrUnknown.WithDetail(err)
}
}
// If we wanted the snapshot, get it by checksum from the timestamp data
if role == data.CanonicalSnapshotRole {
ts := new(data.SignedTimestamp)
if err := json.Unmarshal(out, ts); err != nil {
return nil, nil, err
}
snapshotChecksums, err := ts.GetSnapshot()
if err != nil || snapshotChecksums == nil {
return nil, nil, fmt.Errorf("could not retrieve latest snapshot checksum")
}
if snapshotSha256Bytes, ok := snapshotChecksums.Hashes[notary.SHA256]; ok {
snapshotSha256Hex := hex.EncodeToString(snapshotSha256Bytes[:])
return store.GetChecksum(gun, role, snapshotSha256Hex)
}
return nil, nil, fmt.Errorf("could not retrieve sha256 snapshot checksum")
}
return lastModified, out, nil
}