Notary repository lazy initialization

client/client.go

@@ -120,6 +120,11 @@ func NewNotaryRepository(baseDir string, gun data.GUN, baseURL string, remoteSto
 	return nRepo, nil
 }
 
+// GetGUN is a getter for the GUN object from a NotaryRepository
+func (r *NotaryRepository) GetGUN() data.GUN {
+	return r.gun
+}
+
 // Target represents a simplified version of the data TUF operates on, so external
 // applications don't have to depend on TUF data types.
 type Target struct {
@@ -174,13 +179,10 @@ func rootCertKey(gun data.GUN, privKey data.PrivateKey) (data.PublicKey, error)
 // result is only stored on local disk, not published to the server. To do that,
 // use r.Publish() eventually.
 func (r *NotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ...data.RoleName) error {
-	privKeys := make([]data.PrivateKey, 0, len(rootKeyIDs))
-	for _, keyID := range rootKeyIDs {
-		privKey, _, err := r.CryptoService.GetPrivateKey(keyID)
-		if err != nil {
-			return err
-		}
-		privKeys = append(privKeys, privKey)
+
+	privKeys, err := getAllPrivKeys(rootKeyIDs, r.CryptoService)
+	if err != nil {
+		return err
 	}
 
 	// currently we only support server managing timestamps and snapshots, and
@@ -254,7 +256,6 @@ func (r *NotaryRepository) Initialize(rootKeyIDs []string, serverManagedRoles ..
 
 func (r *NotaryRepository) initializeRoles(rootKeys []data.PublicKey, localRoles, remoteRoles []data.RoleName) (
 	root, targets, snapshot, timestamp data.BaseRole, err error) {
-
 	root = data.NewBaseRole(
 		data.CanonicalRootRole,
 		notary.MinThreshold,
@@ -618,17 +619,13 @@ func (r *NotaryRepository) publish(cl changelist.Changelist) error {
 	// update first before publishing
 	if err := r.Update(true); err != nil {
 		// If the remote is not aware of the repo, then this is being published
-		// for the first time.  Try to load from disk instead for publishing.
+		// for the first time.  Try to initialize the repository before publishing.
 		if _, ok := err.(ErrRepositoryNotExist); ok {
-			err := r.bootstrapRepo()
+			err := r.initializeFromCache()
 			if err != nil {
-				logrus.Debugf("Unable to load repository from local files: %s",
-					err.Error())
-				if _, ok := err.(store.ErrMetaNotFound); ok {
-					return ErrRepoNotInitialized{}
-				}
 				return err
 			}
+
 			// Ensure we will push the initial root and targets file.  Either or
 			// both of the root and targets may not be marked as Dirty, since
 			// there may not be any changes that update them, so use a
@@ -837,6 +834,27 @@ func (r *NotaryRepository) bootstrapRepo() error {
 	return nil
 }
 
+func (r *NotaryRepository) initializeFromCache() error {
+	metaCached, err := isMetaCached(r.cache)
+	if err != nil {
+		logrus.Debugf("Unable to verify on-disk cache: %s", err.Error())
+		return err
+	}
+
+	if metaCached {
+		err = r.bootstrapRepo()
+	} else {
+		err = r.Initialize(nil)
+	}
+	if err != nil {
+		logrus.Debugf("Unable to initialize repository at publish-time: %s",
+			err.Error())
+		return err
+	}
+
+	return nil
+}
+
 // saveMetadata saves contents of r.tufRepo onto the local disk, creating
 // signatures as necessary, possibly prompting for passphrases.
 func (r *NotaryRepository) saveMetadata(ignoreSnapshot bool) error {

client/client_test.go

@@ -1650,14 +1650,13 @@ func testPublishNoData(t *testing.T, rootType string, clearCache, serverManagesS
 	}
 }
 
-// Publishing an uninitialized repo will fail, but initializing and republishing
-// after should succeed
+// Publishing an uninitialized repo should not fail
 func TestPublishUninitializedRepo(t *testing.T) {
 	var gun data.GUN = "docker.com/notary"
 	ts := fullTestServer(t)
 	defer ts.Close()
 
-	// uninitialized repo should fail to publish
+	// uninitialized repo should not fail to publish
 	tempBaseDir, err := ioutil.TempDir("", "notary-tests")
 	require.NoError(t, err)
 	defer os.RemoveAll(tempBaseDir)
@@ -1666,14 +1665,31 @@ func TestPublishUninitializedRepo(t *testing.T) {
 		http.DefaultTransport, passphraseRetriever, trustpinning.TrustPinConfig{})
 	require.NoError(t, err, "error creating repository: %s", err)
 	err = repo.Publish()
-	require.Error(t, err)
+	require.NoError(t, err)
 
-	// no metadata created
-	requireRepoHasExpectedMetadata(t, repo, data.CanonicalRootRole, false)
-	requireRepoHasExpectedMetadata(t, repo, data.CanonicalSnapshotRole, false)
-	requireRepoHasExpectedMetadata(t, repo, data.CanonicalTargetsRole, false)
+	// metadata is created
+	requireRepoHasExpectedMetadata(t, repo, data.CanonicalRootRole, true)
+	requireRepoHasExpectedMetadata(t, repo, data.CanonicalSnapshotRole, true)
+	requireRepoHasExpectedMetadata(t, repo, data.CanonicalTargetsRole, true)
+}
+
+// Tnitializing a repo and republishing after should succeed
+func TestPublishInitializedRepo(t *testing.T) {
+	var gun data.GUN = "docker.com/notary"
+	ts := fullTestServer(t)
+	defer ts.Close()
+
+	// uninitialized repo should not fail to publish
+	tempBaseDir, err := ioutil.TempDir("", "notary-tests")
+	require.NoError(t, err)
+	defer os.RemoveAll(tempBaseDir)
+
+	// initialized repo should not fail to publish either
+	repo, err := NewFileCachedNotaryRepository(tempBaseDir, gun, ts.URL,
+		http.DefaultTransport, passphraseRetriever, trustpinning.TrustPinConfig{})
+	require.NoError(t, err, "error creating repository: %s", err)
 
-	// now, initialize and republish in the same directory
+	// now, initialize and publish
 	rootPubKey, err := repo.CryptoService.Create(data.CanonicalRootRole, repo.gun, data.ECDSAKey)
 	require.NoError(t, err, "error generating root key: %s", err)
 
@@ -1684,6 +1700,7 @@ func TestPublishUninitializedRepo(t *testing.T) {
 	requireRepoHasExpectedMetadata(t, repo, data.CanonicalSnapshotRole, true)
 	requireRepoHasExpectedMetadata(t, repo, data.CanonicalTargetsRole, true)
 
+	// check we can just call publish again
 	require.NoError(t, repo.Publish())
 }
 
@@ -1985,26 +2002,6 @@ func testPublishBadMetadata(t *testing.T, roleName string, repo *NotaryRepositor
 	}
 }
 
-// If the repo is not initialized, calling repo.Publish() should return ErrRepoNotInitialized
-func TestNotInitializedOnPublish(t *testing.T) {
-	// Temporary directory where test files will be created
-	tempBaseDir, err := ioutil.TempDir("", "notary-test-")
-	defer os.RemoveAll(tempBaseDir)
-	require.NoError(t, err, "failed to create a temporary directory: %s", err)
-
-	gun := "docker.com/notary"
-	ts := fullTestServer(t)
-	defer ts.Close()
-
-	repo, _, _ := createRepoAndKey(t, data.ECDSAKey, tempBaseDir, gun, ts.URL)
-
-	addTarget(t, repo, "v1", "../fixtures/intermediate-ca.crt")
-
-	err = repo.Publish()
-	require.Error(t, err)
-	require.IsType(t, ErrRepoNotInitialized{}, err)
-}
-
 type cannotCreateKeys struct {
 	signed.CryptoService
 }
@@ -2650,8 +2647,10 @@ func TestRemoteRotationNoRootKey(t *testing.T) {
 	require.IsType(t, signed.ErrInsufficientSignatures{}, err)
 }
 
-// The repo hasn't been initialized, so we can't rotate
-func TestRemoteRotationNonexistentRepo(t *testing.T) {
+// The repo is initialized at publish time after
+// rotating the key. We should be denied the access
+// to metadata by the server when trying to retrieve it.
+func TestRemoteRotationNoInit(t *testing.T) {
 	ts, _, _ := simpleTestServer(t)
 	defer ts.Close()
 
@@ -2660,7 +2659,7 @@ func TestRemoteRotationNonexistentRepo(t *testing.T) {
 
 	err := repo.RotateKey(data.CanonicalTimestampRole, true, nil)
 	require.Error(t, err)
-	require.IsType(t, ErrRepoNotInitialized{}, err)
+	require.IsType(t, store.ErrMetaNotFound{}, err)
 }
 
 // Rotates the keys.  After the rotation, downloading the latest metadata

client/helpers.go

@@ -11,6 +11,7 @@ import (
 	store "github.com/docker/notary/storage"
 	"github.com/docker/notary/tuf"
 	"github.com/docker/notary/tuf/data"
+	"github.com/docker/notary/tuf/signed"
 	"github.com/docker/notary/tuf/utils"
 )
 
@@ -268,3 +269,59 @@ func serializeCanonicalRole(tufRepo *tuf.Repo, role data.RoleName, extraSigningK
 
 	return json.Marshal(s)
 }
+
+func isMetaCached(cache store.MetadataStore) (bool, error) {
+	if cache == nil {
+		return false, nil
+	}
+
+	for _, role := range data.BaseRoles {
+		_, err := cache.GetSized(role.String(), store.NoSizeLimit)
+		if err != nil {
+			if _, ok := err.(store.ErrMetaNotFound); ok {
+				continue
+			}
+
+			return false, err
+		}
+
+		return true, nil
+	}
+
+	return false, nil
+}
+
+func getAllPrivKeys(rootKeyIDs []string, cryptoService signed.CryptoService) ([]data.PrivateKey, error) {
+	if cryptoService == nil {
+		return nil, fmt.Errorf("no crypto service available to get private keys from")
+	}
+
+	privKeys := make([]data.PrivateKey, 0, len(rootKeyIDs))
+	for _, keyID := range rootKeyIDs {
+		privKey, _, err := cryptoService.GetPrivateKey(keyID)
+		if err != nil {
+			return nil, err
+		}
+		privKeys = append(privKeys, privKey)
+	}
+	if len(privKeys) == 0 {
+		var rootKeyID string
+		rootKeyList := cryptoService.ListKeys(data.CanonicalRootRole)
+		if len(rootKeyList) == 0 {
+			rootPublicKey, err := cryptoService.Create(data.CanonicalRootRole, "", data.ECDSAKey)
+			if err != nil {
+				return nil, err
+			}
+			rootKeyID = rootPublicKey.ID()
+		} else {
+			rootKeyID = rootKeyList[0]
+		}
+		privKey, _, err := cryptoService.GetPrivateKey(rootKeyID)
+		if err != nil {
+			return nil, err
+		}
+		privKeys = append(privKeys, privKey)
+	}
+
+	return privKeys, nil
+}

cmd/notary/tuf.go

@@ -142,7 +142,10 @@ func (t *tufCommander) AddToCommand(cmd *cobra.Command) {
 	cmdReset.Flags().BoolVar(&t.resetAll, "all", false, "Reset all changes shown in the status list")
 	cmd.AddCommand(cmdReset)
 
-	cmd.AddCommand(cmdTUFPublishTemplate.ToCommand(t.tufPublish))
+	cmdTUFPublish := cmdTUFPublishTemplate.ToCommand(t.tufPublish)
+	cmdTUFPublish.Flags().StringVar(&t.rootKey, "rootkey", "", "Root key to initialize the repository with")
+	cmd.AddCommand(cmdTUFPublish)
+
 	cmd.AddCommand(cmdTUFLookupTemplate.ToCommand(t.tufLookup))
 
 	cmdTUFList := cmdTUFListTemplate.ToCommand(t.tufList)
@@ -385,6 +388,35 @@ func (t *tufCommander) tufDeleteGUN(cmd *cobra.Command, args []string) error {
 	return nil
 }
 
+func importRootKey(cmd *cobra.Command, rootKey string, nRepo *notaryclient.NotaryRepository, retriever notary.PassRetriever) ([]string, error) {
+	var rootKeyList []string
+
+	if rootKey != "" {
+		privKey, err := readKey(data.CanonicalRootRole, rootKey, retriever)
+		if err != nil {
+			return nil, err
+		}
+		err = nRepo.CryptoService.AddKey(data.CanonicalRootRole, "", privKey)
+		if err != nil {
+			return nil, fmt.Errorf("Error importing key: %v", err)
+		}
+		rootKeyList = []string{privKey.ID()}
+	} else {
+		rootKeyList = nRepo.CryptoService.ListKeys(data.CanonicalRootRole)
+	}
+
+	if len(rootKeyList) > 0 {
+		// Chooses the first root key available, which is initialization specific
+		// but should return the HW one first.
+		rootKeyID := rootKeyList[0]
+		cmd.Printf("Root key found, using: %s\n", rootKeyID)
+
+		return []string{rootKeyID}, nil
+	}
+
+	return []string{}, nil
+}
+
 func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error {
 	if len(args) < 1 {
 		cmd.Usage()
@@ -413,38 +445,12 @@ func (t *tufCommander) tufInit(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	var rootKeyList []string
-
-	if t.rootKey != "" {
-		privKey, err := readKey(data.CanonicalRootRole, t.rootKey, t.retriever)
-		if err != nil {
-			return err
-		}
-		err = nRepo.CryptoService.AddKey(data.CanonicalRootRole, "", privKey)
-		if err != nil {
-			return fmt.Errorf("Error importing key: %v", err)
-		}
-		rootKeyList = []string{privKey.ID()}
-	} else {
-		rootKeyList = nRepo.CryptoService.ListKeys(data.CanonicalRootRole)
-	}
-
-	var rootKeyID string
-	if len(rootKeyList) < 1 {
-		cmd.Println("No root keys found. Generating a new root key...")
-		rootPublicKey, err := nRepo.CryptoService.Create(data.CanonicalRootRole, "", data.ECDSAKey)
-		if err != nil {
-			return err
-		}
-		rootKeyID = rootPublicKey.ID()
-	} else {
-		// Chooses the first root key available, which is initialization specific
-		// but should return the HW one first.
-		rootKeyID = rootKeyList[0]
-		cmd.Printf("Root key found, using: %s\n", rootKeyID)
+	rootKeyIDs, err := importRootKey(cmd, t.rootKey, nRepo, t.retriever)
+	if err != nil {
+		return err
 	}
 
-	if err = nRepo.Initialize([]string{rootKeyID}); err != nil {
+	if err = nRepo.Initialize(rootKeyIDs); err != nil {
 		return err
 	}
 
@@ -686,7 +692,7 @@ func (t *tufCommander) tufPublish(cmd *cobra.Command, args []string) error {
 		return err
 	}
 
-	return publishAndPrintToCLI(cmd, nRepo, gun)
+	return publishAndPrintToCLI(cmd, nRepo)
 }
 
 func (t *tufCommander) tufRemove(cmd *cobra.Command, args []string) error {
@@ -1031,14 +1037,14 @@ func maybeAutoPublish(cmd *cobra.Command, doPublish bool, gun data.GUN, config *
 		return err
 	}
 
-	cmd.Println("Auto-publishing changes to", gun)
-	return publishAndPrintToCLI(cmd, nRepo, gun)
+	cmd.Println("Auto-publishing changes to", nRepo.GetGUN())
+	return publishAndPrintToCLI(cmd, nRepo)
 }
 
-func publishAndPrintToCLI(cmd *cobra.Command, nRepo *notaryclient.NotaryRepository, gun data.GUN) error {
+func publishAndPrintToCLI(cmd *cobra.Command, nRepo *notaryclient.NotaryRepository) error {
 	if err := nRepo.Publish(); err != nil {
 		return err
 	}
-	cmd.Printf("Successfully published changes for repository %s\n", gun)
+	cmd.Printf("Successfully published changes for repository %s\n", nRepo.GetGUN())
 	return nil
 }