Add configurable timeout for creating the transport

cmd/list.go

@@ -40,5 +40,5 @@ $ signy list docker.io/library/alpine
 }
 
 func (l *listCmd) run() error {
-	return tuf.PrintTargets(l.gun, trustServer, tlscacert, trustDir)
+	return tuf.PrintTargets(l.gun, trustServer, tlscacert, trustDir, timeout)
 }

cmd/main.go

@@ -16,6 +16,7 @@ var (
 	tlscacert   string
 	trustDir    string
 	logLevel    string
+	timeout     string
 )
 var rootCmd = &cobra.Command{
 	Use:   "signy",
@@ -40,8 +41,8 @@ func init() {
 	rootCmd.PersistentFlags().StringVarP(&trustServer, "server", "", tuf.DockerNotaryServer, "The trust server used")
 	rootCmd.PersistentFlags().StringVarP(&tlscacert, "tlscacert", "", "", "Trust certs signed only by this CA")
 	rootCmd.PersistentFlags().StringVarP(&trustDir, "dir", "d", defaultTrustDir(), "Directory where the trust data is persisted to")
-
 	rootCmd.PersistentFlags().StringVar(&logLevel, "log", "info", `Set the logging level ("debug"|"info"|"warn"|"error"|"fatal")`)
+	rootCmd.PersistentFlags().StringVarP(&timeout, "timeout", "t", "5s", `Timeout for the trust server`)
 }
 
 func main() {

cmd/sign.go

@@ -109,7 +109,7 @@ func (s *signCmd) run() error {
 		cm = &custom
 	}
 
-	target, err := tuf.SignAndPublish(trustDir, trustServer, s.ref, s.file, tlscacert, s.rootKey, cm)
+	target, err := tuf.SignAndPublish(trustDir, trustServer, s.ref, s.file, tlscacert, s.rootKey, timeout, cm)
 	if err != nil {
 		return fmt.Errorf("cannot sign and publish trust data: %v", err)
 	}

cmd/verify.go

@@ -88,15 +88,15 @@ func (v *verifyCmd) run() error {
 			return fmt.Errorf("no local file provided for thick bundle verification")
 		}
 		if v.intoto {
-			return trust.ValidateThickBundle(v.ref, v.localFile, trustServer, tlscacert, trustDir, v.verificationImage, logLevel, v.targetFiles, v.keepTempDir)
+			return trust.ValidateThickBundle(v.ref, v.localFile, trustServer, tlscacert, trustDir, v.verificationImage, logLevel, timeout, v.targetFiles, v.keepTempDir)
 		}
 
-		return tuf.VerifyFileTrust(v.ref, v.localFile, trustServer, tlscacert, trustDir)
+		return tuf.VerifyFileTrust(v.ref, v.localFile, trustServer, tlscacert, trustDir, timeout)
 	}
 
 	if v.intoto {
-		return trust.ValidateThinBundle(v.ref, trustServer, tlscacert, trustDir, v.verificationImage, logLevel, v.targetFiles, v.keepTempDir)
+		return trust.ValidateThinBundle(v.ref, trustServer, tlscacert, trustDir, v.verificationImage, logLevel, timeout, v.targetFiles, v.keepTempDir)
 	}
 
-	return tuf.VerifyCNABTrust(v.ref, trustServer, tlscacert, trustDir)
+	return tuf.VerifyCNABTrust(v.ref, trustServer, tlscacert, trustDir, timeout)
 }

pkg/trust/sign.go

@@ -11,7 +11,7 @@ import (
 )
 
 // SignAndPublish takes a CNAB bundle, pushes the signature and metadata to a trust server, then pushes the bundle
-func SignAndPublish(ref, layout, linkDir, layoutKey, trustDir, trustServer, file, tlscacert string) error {
+func SignAndPublish(ref, layout, linkDir, layoutKey, trustDir, trustServer, file, tlscacert, timeout string) error {
 	err := intoto.ValidateFromPath(layout)
 	if err != nil {
 		return fmt.Errorf("validation for in-toto metadata failed: %v", err)
@@ -23,7 +23,7 @@ func SignAndPublish(ref, layout, linkDir, layoutKey, trustDir, trustServer, file
 
 	log.Infof("Adding In-Toto layout and links metadata to TUF")
 
-	target, err := tuf.SignAndPublish(trustDir, trustServer, ref, file, tlscacert, "", &r)
+	target, err := tuf.SignAndPublish(trustDir, trustServer, ref, file, tlscacert, "", timeout, &r)
 	if err != nil {
 		return fmt.Errorf("cannot sign and publish trust data: %v", err)
 	}

pkg/trust/validate.go

@@ -14,27 +14,27 @@ import (
 )
 
 // ValidateThinBundle runs the TUF and in-toto validations for a CNAB bundle in thin format (canonical JSON form)
-func ValidateThinBundle(ref, trustServer, tlscacert, trustDir, verificationImage, logLevel string, targets []string, keep bool) error {
-	err := tuf.VerifyCNABTrust(ref, trustServer, tlscacert, trustDir)
+func ValidateThinBundle(ref, trustServer, tlscacert, trustDir, verificationImage, logLevel, timeout string, targets []string, keep bool) error {
+	err := tuf.VerifyCNABTrust(ref, trustServer, tlscacert, trustDir, timeout)
 	if err != nil {
 		return err
 	}
 
-	return runVerifications(ref, trustServer, tlscacert, trustDir, verificationImage, logLevel, targets, keep)
+	return runVerifications(ref, trustServer, tlscacert, trustDir, verificationImage, logLevel, timeout, targets, keep)
 }
 
 // ValidateThickBundle runs the TUF and in-toto validations for a CNAB bundle in thick format
-func ValidateThickBundle(ref, file, trustServer, tlscacert, trustDir, verificationImage, logLevel string, targets []string, keep bool) error {
-	err := tuf.VerifyFileTrust(ref, file, trustServer, tlscacert, trustDir)
+func ValidateThickBundle(ref, file, trustServer, tlscacert, trustDir, verificationImage, logLevel, timeout string, targets []string, keep bool) error {
+	err := tuf.VerifyFileTrust(ref, file, trustServer, tlscacert, trustDir, timeout)
 	if err != nil {
 		return err
 	}
 
-	return runVerifications(ref, trustServer, tlscacert, trustDir, verificationImage, logLevel, targets, keep)
+	return runVerifications(ref, trustServer, tlscacert, trustDir, verificationImage, logLevel, timeout, targets, keep)
 }
 
-func runVerifications(ref, trustServer, tlscacert, trustDir, verificationImage, logLevel string, targets []string, keep bool) error {
-	target, _, err := tuf.GetTargetAndSHA(ref, trustServer, tlscacert, trustDir)
+func runVerifications(ref, trustServer, tlscacert, trustDir, verificationImage, logLevel, timeout string, targets []string, keep bool) error {
+	target, _, err := tuf.GetTargetAndSHA(ref, trustServer, tlscacert, trustDir, timeout)
 	if err != nil {
 		return err
 	}

pkg/tuf/helpers.go

@@ -41,7 +41,7 @@ const (
 	defaultIndexServer = "https://index.docker.io/v1/"
 )
 
-func makeTransport(server, gun, tlsCaCert string) (http.RoundTripper, error) {
+func makeTransport(server, gun, tlsCaCert, timeout string) (http.RoundTripper, error) {
 	modifiers := []transport.RequestModifier{
 		transport.NewHeaderRequestModifier(http.Header{
 			"User-Agent": []string{"signy"},
@@ -63,10 +63,15 @@ func makeTransport(server, gun, tlsCaCert string) (http.RoundTripper, error) {
 		}
 	}
 
+	t, err := time.ParseDuration(timeout)
+	if err != nil {
+		return nil, err
+	}
+
 	authTransport := transport.NewTransport(base, modifiers...)
 	pingClient := &http.Client{
 		Transport: authTransport,
-		Timeout:   5 * time.Second,
+		Timeout:   t * time.Second,
 	}
 	req, err := http.NewRequest("GET", server+"/v2/", nil)
 	if err != nil {

pkg/tuf/list.go

@@ -10,8 +10,8 @@ import (
 )
 
 // PrintTargets prints all the targets for a specific GUN from a trust server
-func PrintTargets(gun, trustServer, tlscacert, trustDir string) error {
-	targets, err := GetTargets(gun, trustServer, tlscacert, trustDir)
+func PrintTargets(gun, trustServer, tlscacert, trustDir, timeout string) error {
+	targets, err := GetTargets(gun, trustServer, tlscacert, trustDir, timeout)
 	if err != nil {
 		return fmt.Errorf("cannot list targets:%v", err)
 	}
@@ -23,8 +23,8 @@ func PrintTargets(gun, trustServer, tlscacert, trustDir string) error {
 }
 
 // GetTargetWithRole returns a single target by name from the trusted collection
-func GetTargetWithRole(gun, name, trustServer, tlscacert, trustDir string) (*client.TargetWithRole, error) {
-	targets, err := GetTargets(gun, trustServer, tlscacert, trustDir)
+func GetTargetWithRole(gun, name, trustServer, tlscacert, trustDir, timeout string) (*client.TargetWithRole, error) {
+	targets, err := GetTargets(gun, trustServer, tlscacert, trustDir, timeout)
 	if err != nil {
 		return nil, fmt.Errorf("cannot list targets:%v", err)
 	}
@@ -39,12 +39,12 @@ func GetTargetWithRole(gun, name, trustServer, tlscacert, trustDir string) (*cli
 }
 
 // GetTargets returns all targets for a given gun from the trusted collection
-func GetTargets(gun, trustServer, tlscacert, trustDir string) ([]*client.TargetWithRole, error) {
+func GetTargets(gun, trustServer, tlscacert, trustDir, timeout string) ([]*client.TargetWithRole, error) {
 	if err := ensureTrustDir(trustDir); err != nil {
 		return nil, fmt.Errorf("cannot ensure trust directory: %v", err)
 	}
 
-	transport, err := makeTransport(trustServer, gun, tlscacert)
+	transport, err := makeTransport(trustServer, gun, tlscacert, timeout)
 	if err != nil {
 		return nil, fmt.Errorf("cannot make transport: %v", err)
 	}

pkg/tuf/sign.go

@@ -12,14 +12,14 @@ import (
 )
 
 // SignAndPublish signs an artifact, then publishes the metadata to a trust server
-func SignAndPublish(trustDir, trustServer, ref, file, tlscacert, rootKey string, custom *canonicaljson.RawMessage) (*client.Target, error) {
+func SignAndPublish(trustDir, trustServer, ref, file, tlscacert, rootKey, timeout string, custom *canonicaljson.RawMessage) (*client.Target, error) {
 	if err := ensureTrustDir(trustDir); err != nil {
 		return nil, fmt.Errorf("cannot ensure trust directory: %v", err)
 	}
 
 	gun, name := cnab.SplitTargetRef(ref)
 
-	transport, err := makeTransport(trustServer, gun, tlscacert)
+	transport, err := makeTransport(trustServer, gun, tlscacert, timeout)
 	if err != nil {
 		return nil, fmt.Errorf("cannot make transport: %v", err)
 	}

pkg/tuf/verify.go

@@ -14,8 +14,8 @@ import (
 )
 
 // VerifyCNABTrust ensures the trust metadata for a given GUN matches the metadata of the pushed bundle
-func VerifyCNABTrust(ref, trustServer, tlscacert, trustDir string) error {
-	target, trustedSHA, err := GetTargetAndSHA(ref, trustServer, tlscacert, trustDir)
+func VerifyCNABTrust(ref, trustServer, tlscacert, trustDir, timeout string) error {
+	target, trustedSHA, err := GetTargetAndSHA(ref, trustServer, tlscacert, trustDir, timeout)
 	if err != nil {
 		return err
 	}
@@ -40,8 +40,8 @@ func VerifyCNABTrust(ref, trustServer, tlscacert, trustDir string) error {
 }
 
 // VerifyFileTrust ensures the trust metadata for a given GUN matches the computed metadata of the local file
-func VerifyFileTrust(ref, localFile, trustServer, tlscacert, trustDir string) error {
-	target, trustedSHA, err := GetTargetAndSHA(ref, trustServer, tlscacert, trustDir)
+func VerifyFileTrust(ref, localFile, trustServer, tlscacert, trustDir, timeout string) error {
+	target, trustedSHA, err := GetTargetAndSHA(ref, trustServer, tlscacert, trustDir, timeout)
 	if err != nil {
 		return err
 	}
@@ -75,9 +75,9 @@ func verifyTargetSHAFromBytes(target *client.TargetWithRole, buf []byte) error {
 }
 
 // GetTargetAndSHA returns the target with roles and the SHA256 of the target file
-func GetTargetAndSHA(ref, trustServer, tlscacert, trustDir string) (*client.TargetWithRole, string, error) {
+func GetTargetAndSHA(ref, trustServer, tlscacert, trustDir, timeout string) (*client.TargetWithRole, string, error) {
 	gun, name := cnab.SplitTargetRef(ref)
-	target, err := GetTargetWithRole(gun, name, trustServer, tlscacert, trustDir)
+	target, err := GetTargetWithRole(gun, name, trustServer, tlscacert, trustDir, timeout)
 	if err != nil {
 		return nil, "", err
 	}