tuf: fix on-disk cache when writing targets in subfolders (#729)

Added a test, patched cosign locally, and can confirm this now works correctly with the v5 root changes. Note: no old clients will break from this change. It's forward compatible. It's in anticipation of a root update that we'll push to a separate repository as to not break clients who are still using this version. Clients won't break until the current repository loses lifetime: in late January next year. Signed-off-by: Asra Ali <asraa@google.com>
sigstore · Oct 6, 2022 · a862909 · a862909
1 parent bba7507
commit a862909
Show file tree

Hide file tree

Showing 2 changed files with 44 additions and 2 deletions.
diff --git a/pkg/tuf/client.go b/pkg/tuf/client.go
@@ -677,10 +677,12 @@ func (d *diskCache) Set(p string, b []byte) error {
 	if err := d.memory.Set(p, b); err != nil {
 		return err
 	}
-	if err := os.MkdirAll(d.base, 0o700); err != nil {
+
+	fp := filepath.FromSlash(filepath.Join(d.base, p))
+	if err := os.MkdirAll(filepath.Dir(fp), 0o700); err != nil {
 		return fmt.Errorf("creating targets dir: %w", err)
 	}
-	fp := filepath.FromSlash(filepath.Join(d.base, p))
+
 	return os.WriteFile(fp, b, 0o600)
 }
 

diff --git a/pkg/tuf/client_test.go b/pkg/tuf/client_test.go
@@ -749,3 +749,43 @@ func TestKeyFormatMigration(t *testing.T) {
 	}
 	checkTargetsAndMeta(t, tuf, []string{"fulcio.crt.pem"})
 }
+
+// Test to validate that sigstore TUF client can cache targets that
+// are located in sub-folders.
+func TestTargetsSubfolder(t *testing.T) {
+	ctx := context.Background()
+	// Create a remote repository.
+	td := t.TempDir()
+	remote, r := newTufCustomRepo(t, td, "foo")
+	newTarget := "subfolder/fooNew.txt"
+	addNewCustomTarget(t, td, r, map[string]string{newTarget: "newdata"})
+
+	// Serve remote repository.
+	s := httptest.NewServer(http.FileServer(http.Dir(filepath.Join(td, "repository"))))
+	defer s.Close()
+
+	// Initialize with custom root.
+	tufRoot := t.TempDir()
+	// Set the TUF_ROOT so we don't interact with other tests and local TUF roots.
+	t.Setenv("TUF_ROOT", tufRoot)
+	meta, err := remote.GetMeta()
+	if err != nil {
+		t.Error(err)
+	}
+	rootBytes, ok := meta["root.json"]
+	if !ok {
+		t.Error(err)
+	}
+
+	if err := Initialize(ctx, s.URL, rootBytes); err != nil {
+		t.Error(err)
+	}
+
+	defer resetForTests()
+
+	tuf, err := NewFromEnv(ctx)
+	if err != nil {
+		t.Fatal(err)
+	}
+	checkTargetsAndMeta(t, tuf, []string{newTarget})
+}