Skip to content

Commit

Permalink
Merge pull request #588 from endophage/fix_snapshot_expiry
Browse files Browse the repository at this point in the history
Fix server signed snapshot expiry/regeneration
  • Loading branch information
endophage committed Feb 25, 2016
2 parents 4904c88 + cb2dd07 commit 3a89320
Show file tree
Hide file tree
Showing 6 changed files with 54 additions and 26 deletions.
8 changes: 1 addition & 7 deletions client/client.go
Original file line number Diff line number Diff line change
Expand Up @@ -27,13 +27,7 @@ import (
)

func init() {
data.SetDefaultExpiryTimes(
map[string]int{
"root": 3650,
"targets": 1095,
"snapshot": 1095,
},
)
data.SetDefaultExpiryTimes(notary.NotaryDefaultExpiries)
}

// ErrRepoNotInitialized is returned when trying to publish an uninitialized
Expand Down
23 changes: 23 additions & 0 deletions const.go
Original file line number Diff line number Diff line change
@@ -1,5 +1,9 @@
package notary

import (
"time"
)

// application wide constants
const (
// MaxDownloadSize is the maximum size we'll download for metadata if no limit is given
Expand All @@ -24,4 +28,23 @@ const (
RootKeysSubdir = "root_keys"
// NonRootKeysSubdir is the subdirectory under PrivDir where non-root private keys are stored
NonRootKeysSubdir = "tuf_keys"

// Day is a duration of one day
Day = 24 * time.Hour
Year = 365 * Day

// NotaryRootExpiry is the duration representing the expiry time of the Root role
NotaryRootExpiry = 10 * Year
NotaryTargetsExpiry = 3 * Year
NotarySnapshotExpiry = 3 * Year
NotaryTimestampExpiry = 14 * Day
)

// NotaryDefaultExpiries is the construct used to configure the default expiry times of
// the various role files.
var NotaryDefaultExpiries = map[string]time.Duration{
"root": NotaryRootExpiry,
"targets": NotaryTargetsExpiry,
"snapshot": NotarySnapshotExpiry,
"timestamp": NotaryTimestampExpiry,
}
7 changes: 2 additions & 5 deletions server/server.go
Original file line number Diff line number Diff line change
Expand Up @@ -9,6 +9,7 @@ import (
"github.com/Sirupsen/logrus"
"github.com/docker/distribution/health"
"github.com/docker/distribution/registry/auth"
"github.com/docker/notary"
"github.com/docker/notary/server/handlers"
"github.com/docker/notary/tuf/data"
"github.com/docker/notary/tuf/signed"
Expand All @@ -19,11 +20,7 @@ import (
)

func init() {
data.SetDefaultExpiryTimes(
map[string]int{
"timestamp": 14,
},
)
data.SetDefaultExpiryTimes(notary.NotaryDefaultExpiries)
}

func prometheusOpts(operation string) prometheus.SummaryOpts {
Expand Down
3 changes: 2 additions & 1 deletion server/timestamp/timestamp.go
Original file line number Diff line number Diff line change
Expand Up @@ -8,6 +8,7 @@ import (
"github.com/docker/notary/tuf/signed"

"github.com/Sirupsen/logrus"
"github.com/docker/notary/server/snapshot"
"github.com/docker/notary/server/storage"
)

Expand Down Expand Up @@ -49,7 +50,7 @@ func GetOrCreateTimestampKey(gun string, store storage.MetaStore, crypto signed.
// a new timestamp is generated either because none exists, or because the current
// one has expired. Once generated, the timestamp is saved in the store.
func GetOrCreateTimestamp(gun string, store storage.MetaStore, cryptoService signed.CryptoService) ([]byte, error) {
snapshot, err := store.GetCurrent(gun, "snapshot")
snapshot, err := snapshot.GetOrCreateSnapshot(gun, store, cryptoService)
if err != nil {
return nil, err
}
Expand Down
18 changes: 15 additions & 3 deletions server/timestamp/timestamp_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -52,7 +52,11 @@ func TestGetTimestamp(t *testing.T) {
store := storage.NewMemStorage()
crypto := signed.NewEd25519()

snapshot := &data.SignedSnapshot{}
snapshot := &data.SignedSnapshot{
Signed: data.Snapshot{
Expires: data.DefaultExpires(data.CanonicalSnapshotRole),
},
}
snapJSON, _ := json.Marshal(snapshot)

store.UpdateCurrent("gun", storage.MetaUpdate{Role: "snapshot", Version: 0, Data: snapJSON})
Expand All @@ -68,7 +72,11 @@ func TestGetTimestampNewSnapshot(t *testing.T) {
store := storage.NewMemStorage()
crypto := signed.NewEd25519()

snapshot := data.SignedSnapshot{}
snapshot := &data.SignedSnapshot{
Signed: data.Snapshot{
Expires: data.DefaultExpires(data.CanonicalSnapshotRole),
},
}
snapshot.Signed.Version = 0
snapJSON, _ := json.Marshal(snapshot)

Expand All @@ -80,7 +88,11 @@ func TestGetTimestampNewSnapshot(t *testing.T) {
ts1, err := GetOrCreateTimestamp("gun", store, crypto)
assert.Nil(t, err, "GetTimestamp errored")

snapshot = data.SignedSnapshot{}
snapshot = &data.SignedSnapshot{
Signed: data.Snapshot{
Expires: data.DefaultExpires(data.CanonicalSnapshotRole),
},
}
snapshot.Signed.Version = 1
snapJSON, _ = json.Marshal(snapshot)

Expand Down
21 changes: 11 additions & 10 deletions tuf/data/types.go
Original file line number Diff line number Diff line change
Expand Up @@ -12,6 +12,7 @@ import (

"github.com/Sirupsen/logrus"
"github.com/docker/go/canonical/json"
"github.com/docker/notary"
)

// SigAlgorithm for types of signatures
Expand Down Expand Up @@ -171,16 +172,16 @@ func NewDelegations() *Delegations {
}
}

// defines number of days in which something should expire
var defaultExpiryTimes = map[string]int{
CanonicalRootRole: 365,
CanonicalTargetsRole: 90,
CanonicalSnapshotRole: 7,
CanonicalTimestampRole: 1,
// These values are recommended TUF expiry times.
var defaultExpiryTimes = map[string]time.Duration{
CanonicalRootRole: notary.Year,
CanonicalTargetsRole: 90 * notary.Day,
CanonicalSnapshotRole: 7 * notary.Day,
CanonicalTimestampRole: notary.Day,
}

// SetDefaultExpiryTimes allows one to change the default expiries.
func SetDefaultExpiryTimes(times map[string]int) {
func SetDefaultExpiryTimes(times map[string]time.Duration) {
for key, value := range times {
if _, ok := defaultExpiryTimes[key]; !ok {
logrus.Errorf("Attempted to set default expiry for an unknown role: %s", key)
Expand All @@ -192,10 +193,10 @@ func SetDefaultExpiryTimes(times map[string]int) {

// DefaultExpires gets the default expiry time for the given role
func DefaultExpires(role string) time.Time {
var t time.Time
if t, ok := defaultExpiryTimes[role]; ok {
return time.Now().AddDate(0, 0, t)
if d, ok := defaultExpiryTimes[role]; ok {
return time.Now().Add(d)
}
var t time.Time
return t.UTC().Round(time.Second)
}

Expand Down

0 comments on commit 3a89320

Please sign in to comment.