Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

deps: @sigstore/tuf@2.3.0 #7132

Merged
merged 1 commit into from
Jan 16, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
91 changes: 55 additions & 36 deletions node_modules/@sigstore/tuf/dist/client.js
Original file line number Diff line number Diff line change
Expand Up @@ -22,12 +22,29 @@ limitations under the License.
const fs_1 = __importDefault(require("fs"));
const path_1 = __importDefault(require("path"));
const tuf_js_1 = require("tuf-js");
const _1 = require(".");
const target_1 = require("./target");
const TUF_SEEDS_PATH = require.resolve('../seeds.json');
const TARGETS_DIR_NAME = 'targets';
class TUFClient {
constructor(options) {
initTufCache(options);
const remote = initRemoteConfig(options);
this.updater = initClient(options.cachePath, remote, options);
const url = new URL(options.mirrorURL);
const repoName = encodeURIComponent(url.host + url.pathname.replace(/\/$/, ''));
const cachePath = path_1.default.join(options.cachePath, repoName);
initTufCache(cachePath);
seedCache({
cachePath,
mirrorURL: options.mirrorURL,
tufRootPath: options.rootPath,
forceInit: options.forceInit,
});
this.updater = initClient({
mirrorURL: options.mirrorURL,
cachePath,
forceCache: options.forceCache,
retry: options.retry,
timeout: options.timeout,
});
}
async refresh() {
return this.updater.refresh();
Expand All @@ -42,53 +59,55 @@ exports.TUFClient = TUFClient;
// created. If the targets directory does not exist, it will be created.
// If the root.json file does not exist, it will be copied from the
// rootPath argument.
function initTufCache({ cachePath, rootPath: tufRootPath, force, }) {
const targetsPath = path_1.default.join(cachePath, 'targets');
const cachedRootPath = path_1.default.join(cachePath, 'root.json');
function initTufCache(cachePath) {
const targetsPath = path_1.default.join(cachePath, TARGETS_DIR_NAME);
if (!fs_1.default.existsSync(cachePath)) {
fs_1.default.mkdirSync(cachePath, { recursive: true });
}
if (!fs_1.default.existsSync(targetsPath)) {
fs_1.default.mkdirSync(targetsPath);
}
// If the root.json file does not exist (or we're forcing re-initialization),
// copy it from the rootPath argument
if (!fs_1.default.existsSync(cachedRootPath) || force) {
fs_1.default.copyFileSync(tufRootPath, cachedRootPath);
}
return cachePath;
}
// Initializes the remote.json file, which contains the URL of the TUF
// repository. If the file does not exist, it will be created. If the file
// exists, it will be parsed and returned.
function initRemoteConfig({ cachePath, mirrorURL, force, }) {
let remoteConfig;
const remoteConfigPath = path_1.default.join(cachePath, 'remote.json');
// If the remote config file exists, read it and parse it (skip if force is
// true)
if (!force && fs_1.default.existsSync(remoteConfigPath)) {
const data = fs_1.default.readFileSync(remoteConfigPath, 'utf-8');
remoteConfig = JSON.parse(data);
}
// If the remote config file does not exist (or we're forcing initialization),
// create it
if (!remoteConfig || force) {
remoteConfig = { mirror: mirrorURL };
fs_1.default.writeFileSync(remoteConfigPath, JSON.stringify(remoteConfig));
// Populates the TUF cache with the initial root.json file. If the root.json
// file does not exist (or we're forcing re-initialization), copy it from either
// the rootPath argument or from one of the repo seeds.
function seedCache({ cachePath, mirrorURL, tufRootPath, forceInit, }) {
const cachedRootPath = path_1.default.join(cachePath, 'root.json');
// If the root.json file does not exist (or we're forcing re-initialization),
// populate it either from the supplied rootPath or from one of the repo seeds.
if (!fs_1.default.existsSync(cachedRootPath) || forceInit) {
if (tufRootPath) {
fs_1.default.copyFileSync(tufRootPath, cachedRootPath);
}
else {
// Load the embedded repo seeds
const seeds = JSON.parse(fs_1.default.readFileSync(TUF_SEEDS_PATH).toString('utf-8'));
const repoSeed = seeds[mirrorURL];
if (!repoSeed) {
throw new _1.TUFError({
code: 'TUF_INIT_CACHE_ERROR',
message: `No root.json found for mirror: ${mirrorURL}`,
});
}
fs_1.default.writeFileSync(cachedRootPath, Buffer.from(repoSeed['root.json'], 'base64'));
// Copy any seed targets into the cache
Object.entries(repoSeed.targets).forEach(([targetName, target]) => {
fs_1.default.writeFileSync(path_1.default.join(cachePath, TARGETS_DIR_NAME, targetName), Buffer.from(target, 'base64'));
});
}
}
return remoteConfig;
}
function initClient(cachePath, remote, options) {
const baseURL = remote.mirror;
function initClient(options) {
const config = {
fetchTimeout: options.timeout,
fetchRetry: options.retry,
};
return new tuf_js_1.Updater({
metadataBaseUrl: baseURL,
targetBaseUrl: `${baseURL}/targets`,
metadataDir: cachePath,
targetDir: path_1.default.join(cachePath, 'targets'),
metadataBaseUrl: options.mirrorURL,
targetBaseUrl: `${options.mirrorURL}/targets`,
metadataDir: options.cachePath,
targetDir: path_1.default.join(options.cachePath, TARGETS_DIR_NAME),
forceCache: options.forceCache,
config,
});
}
6 changes: 3 additions & 3 deletions node_modules/@sigstore/tuf/dist/index.js
Original file line number Diff line number Diff line change
Expand Up @@ -21,7 +21,6 @@ const appdata_1 = require("./appdata");
const client_1 = require("./client");
exports.DEFAULT_MIRROR_URL = 'https://tuf-repo-cdn.sigstore.dev';
const DEFAULT_CACHE_DIR = 'sigstore-js';
const DEFAULT_TUF_ROOT_PATH = '../store/public-good-instance-root.json';
const DEFAULT_RETRY = { retries: 2 };
const DEFAULT_TIMEOUT = 5000;
const TRUSTED_ROOT_TARGET = 'trusted_root.json';
Expand All @@ -45,11 +44,12 @@ function createClient(options) {
/* istanbul ignore next */
return new client_1.TUFClient({
cachePath: options.cachePath || (0, appdata_1.appDataPath)(DEFAULT_CACHE_DIR),
rootPath: options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH),
rootPath: options.rootPath,
mirrorURL: options.mirrorURL || exports.DEFAULT_MIRROR_URL,
retry: options.retry ?? DEFAULT_RETRY,
timeout: options.timeout ?? DEFAULT_TIMEOUT,
force: options.force ?? false,
forceCache: options.forceCache ?? false,
forceInit: options.forceInit ?? options.force ?? false,
});
}
var error_1 = require("./error");
Expand Down
8 changes: 4 additions & 4 deletions node_modules/@sigstore/tuf/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "@sigstore/tuf",
"version": "2.2.0",
"version": "2.3.0",
"description": "Client for the Sigstore TUF repository",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand All @@ -11,7 +11,7 @@
},
"files": [
"dist",
"store"
"seeds.json"
],
"author": "bdehamer@github.com",
"license": "Apache-2.0",
Expand All @@ -29,11 +29,11 @@
"devDependencies": {
"@sigstore/jest": "^0.0.0",
"@tufjs/repo-mock": "^2.0.0",
"@types/make-fetch-happen": "^10.0.0"
"@types/make-fetch-happen": "^10.0.4"
},
"dependencies": {
"@sigstore/protobuf-specs": "^0.2.1",
"tuf-js": "^2.1.0"
"tuf-js": "^2.2.0"
},
"engines": {
"node": "^16.14.0 || >=18.0.0"
Expand Down
1 change: 1 addition & 0 deletions node_modules/@sigstore/tuf/seeds.json

Large diffs are not rendered by default.

This file was deleted.

10 changes: 5 additions & 5 deletions node_modules/tuf-js/dist/config.js
Original file line number Diff line number Diff line change
Expand Up @@ -4,12 +4,12 @@ exports.defaultConfig = void 0;
exports.defaultConfig = {
maxRootRotations: 32,
maxDelegations: 32,
rootMaxLength: 512000,
timestampMaxLength: 16384,
snapshotMaxLength: 2000000,
targetsMaxLength: 5000000,
rootMaxLength: 512000, //bytes
timestampMaxLength: 16384, // bytes
snapshotMaxLength: 2000000, // bytes
targetsMaxLength: 5000000, // bytes
prefixTargetsWithHash: true,
fetchTimeout: 100000,
fetchTimeout: 100000, // milliseconds
fetchRetries: undefined,
fetchRetry: 2,
};
29 changes: 26 additions & 3 deletions node_modules/tuf-js/dist/updater.js
Original file line number Diff line number Diff line change
Expand Up @@ -44,6 +44,7 @@ class Updater {
this.metadataBaseUrl = metadataBaseUrl;
this.targetDir = targetDir;
this.targetBaseUrl = targetBaseUrl;
this.forceCache = options.forceCache ?? false;
const data = this.loadLocalMetadata(models_1.MetadataKind.Root);
this.trustedSet = new store_1.TrustedMetadataStore(data);
this.config = { ...config_1.defaultConfig, ...config };
Expand All @@ -57,8 +58,25 @@ class Updater {
// refresh and load the metadata before downloading the target
// refresh should be called once after the client is initialized
async refresh() {
await this.loadRoot();
await this.loadTimestamp();
// If forceCache is true, try to load the timestamp from local storage
// without fetching it from the remote. Otherwise, load the root and
// timestamp from the remote per the TUF spec.
if (this.forceCache) {
// If anything fails, load the root and timestamp from the remote. This
// should cover any situation where the local metadata is corrupted or
// expired.
try {
await this.loadTimestamp({ checkRemote: false });
}
catch (error) {
await this.loadRoot();
await this.loadTimestamp();
}
}
else {
await this.loadRoot();
await this.loadTimestamp();
}
await this.loadSnapshot();
await this.loadTargets(models_1.MetadataKind.Targets, models_1.MetadataKind.Root);
}
Expand Down Expand Up @@ -143,11 +161,16 @@ class Updater {
}
// Load local and remote timestamp metadata.
// Client workflow 5.4: update timestamp role
async loadTimestamp() {
async loadTimestamp({ checkRemote } = { checkRemote: true }) {
// Load local and remote timestamp metadata
try {
const data = this.loadLocalMetadata(models_1.MetadataKind.Timestamp);
this.trustedSet.updateTimestamp(data);
// If checkRemote is disabled, return here to avoid fetching the remote
// timestamp metadata.
if (!checkRemote) {
return;
}
}
catch (error) {
// continue
Expand Down
6 changes: 3 additions & 3 deletions node_modules/tuf-js/package.json
Original file line number Diff line number Diff line change
@@ -1,6 +1,6 @@
{
"name": "tuf-js",
"version": "2.1.0",
"version": "2.2.0",
"description": "JavaScript implementation of The Update Framework (TUF)",
"main": "dist/index.js",
"types": "dist/index.d.ts",
Expand Down Expand Up @@ -29,8 +29,8 @@
"homepage": "https://github.com/theupdateframework/tuf-js/tree/main/packages/client#readme",
"devDependencies": {
"@tufjs/repo-mock": "2.0.0",
"@types/debug": "^4.1.8",
"@types/make-fetch-happen": "^10.0.1"
"@types/debug": "^4.1.12",
"@types/make-fetch-happen": "^10.0.4"
},
"dependencies": {
"@tufjs/models": "2.0.0",
Expand Down
16 changes: 8 additions & 8 deletions package-lock.json
Original file line number Diff line number Diff line change
Expand Up @@ -97,7 +97,7 @@
"@npmcli/package-json": "^5.0.0",
"@npmcli/promise-spawn": "^7.0.1",
"@npmcli/run-script": "^7.0.3",
"@sigstore/tuf": "^2.2.0",
"@sigstore/tuf": "^2.3.0",
"abbrev": "^2.0.0",
"archy": "~1.0.0",
"cacache": "^18.0.2",
Expand Down Expand Up @@ -2160,13 +2160,13 @@
}
},
"node_modules/@sigstore/tuf": {
"version": "2.2.0",
"resolved": "https://registry.npmjs.org/@sigstore/tuf/-/tuf-2.2.0.tgz",
"integrity": "sha512-KKATZ5orWfqd9ZG6MN8PtCIx4eevWSuGRKQvofnWXRpyMyUEpmrzg5M5BrCpjM+NfZ0RbNGOh5tCz/P2uoRqOA==",
"version": "2.3.0",
"resolved": "https://registry.npmjs.org/@sigstore/tuf/-/tuf-2.3.0.tgz",
"integrity": "sha512-S98jo9cpJwO1mtQ+2zY7bOdcYyfVYCUaofCG6wWRzk3pxKHVAkSfshkfecto2+LKsx7Ovtqbgb2LS8zTRhxJ9Q==",
"inBundle": true,
"dependencies": {
"@sigstore/protobuf-specs": "^0.2.1",
"tuf-js": "^2.1.0"
"tuf-js": "^2.2.0"
},
"engines": {
"node": "^16.14.0 || >=18.0.0"
Expand Down Expand Up @@ -15264,9 +15264,9 @@
}
},
"node_modules/tuf-js": {
"version": "2.1.0",
"resolved": "https://registry.npmjs.org/tuf-js/-/tuf-js-2.1.0.tgz",
"integrity": "sha512-eD7YPPjVlMzdggrOeE8zwoegUaG/rt6Bt3jwoQPunRiNVzgcCE009UDFJKJjG+Gk9wFu6W/Vi+P5d/5QpdD9jA==",
"version": "2.2.0",
"resolved": "https://registry.npmjs.org/tuf-js/-/tuf-js-2.2.0.tgz",
"integrity": "sha512-ZSDngmP1z6zw+FIkIBjvOp/II/mIub/O7Pp12j1WNsiCpg5R5wAc//i555bBQsE44O94btLt0xM/Zr2LQjwdCg==",
"inBundle": true,
"dependencies": {
"@tufjs/models": "2.0.0",
Expand Down
2 changes: 1 addition & 1 deletion package.json
Original file line number Diff line number Diff line change
Expand Up @@ -59,7 +59,7 @@
"@npmcli/package-json": "^5.0.0",
"@npmcli/promise-spawn": "^7.0.1",
"@npmcli/run-script": "^7.0.3",
"@sigstore/tuf": "^2.2.0",
"@sigstore/tuf": "^2.3.0",
"abbrev": "^2.0.0",
"archy": "~1.0.0",
"cacache": "^18.0.2",
Expand Down
2 changes: 1 addition & 1 deletion test/lib/commands/audit.js
Original file line number Diff line number Diff line change
Expand Up @@ -939,7 +939,7 @@ t.test('audit signatures', async t => {
const opts = {
baseURL: 'https://tuf-repo-cdn.sigstore.dev',
metadataPathPrefix: '',
cachePath: path.join(npm.cache, '_tuf'),
cachePath: path.join(npm.cache, '_tuf', 'tuf-repo-cdn.sigstore.dev'),
}
return tufmock(target, opts)
}
Expand Down