Class: Sigstore::TUF::TrustedMetadataSet

Inherits:
Object
  • Object
show all
Includes:
Loggable
Defined in:
lib/sigstore/tuf/trusted_metadata_set.rb

Instance Method Summary collapse

Methods included from Loggable

included, #logger

Constructor Details

#initialize(root_data, envelope_type, reference_time: Time.now.utc) ⇒ TrustedMetadataSet

Returns a new instance of TrustedMetadataSet.



27
28
29
30
31
32
33
34
 
# File 'lib/sigstore/tuf/trusted_metadata_set.rb', line 27

def initialize(root_data, envelope_type, reference_time: Time.now.utc)
  @trusted_set = {}
  @reference_time = reference_time
  @envelope_type = envelope_type

  logger.debug { "Loading trusted root" }
  load_trusted_root(root_data)
end

Instance Method Details

#[](role) ⇒ Object 



121
122
123
 
# File 'lib/sigstore/tuf/trusted_metadata_set.rb', line 121

def [](role)
  @trusted_set.fetch(role)
end

#include?(type) ⇒ Boolean

Returns:

  • (Boolean) 


117
118
119
 
# File 'lib/sigstore/tuf/trusted_metadata_set.rb', line 117

def include?(type)
  @trusted_set.key?(type)
end

#rootObject 



36
37
38
 
# File 'lib/sigstore/tuf/trusted_metadata_set.rb', line 36

def root
  @trusted_set.fetch("root") { raise Error::InvalidData, "missing root metadata" }
end

#root=(data) ⇒ Object

Raises:



40
41
42
43
44
45
46
47
48
49
50
 
# File 'lib/sigstore/tuf/trusted_metadata_set.rb', line 40

def root=(data)
  raise Error::BadUpdateOrder, "cannot update root after timestamp" if @trusted_set.key?("timestamp")

  metadata, canonical_signed, signatures = load_data(Root, data, root)
  metadata.verify_delegate("root", canonical_signed, signatures)
  raise Error::BadVersionNumber, "root version did not increment by one" if metadata.version != root.version + 1

  @trusted_set["root"] = metadata

  logger.debug { "Updated root v#{metadata.version}" }
end

#snapshotObject 



52
53
54
 
# File 'lib/sigstore/tuf/trusted_metadata_set.rb', line 52

def snapshot
  @trusted_set.fetch("snapshot")
end

#snapshot=(data, trusted: false) ⇒ Object

Raises:



88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
 
# File 'lib/sigstore/tuf/trusted_metadata_set.rb', line 88

def snapshot=(data, trusted: false)
  raise Error::BadUpdateOrder, "cannot update snapshot before timestamp" unless @trusted_set.key?("timestamp")
  raise Error::BadUpdateOrder, "cannot update snapshot after targets" if @trusted_set.key?("targets")

  check_final_timestamp

  snapshot_meta = timestamp.snapshot_meta

  snapshot_meta.verify_length_and_hashes(data) unless trusted

  new_snapshot, = load_data(Snapshot, data, root)

  # If an existing trusted snapshot is updated, check for rollback attack
  if include?(Snapshot::TYPE)
    snapshot.meta.each do |filename, file_info|
      new_file_info = new_snapshot.meta[filename]
      raise Error::RepositoryError, "new snapshot is missing info for #{filename}" unless new_file_info

      if new_file_info.version < file_info.version
        raise Error::BadVersionNumber, "expected #{filename} v#{new_file_info.version}, got v#{file_info.version}"
      end
    end
  end

  @trusted_set["snapshot"] = new_snapshot
  logger.debug { "Updated snapshot v#{new_snapshot.version}" }
  check_final_snapshot
end

#timestampObject 



56
57
58
 
# File 'lib/sigstore/tuf/trusted_metadata_set.rb', line 56

def timestamp
  @trusted_set.fetch("timestamp")
end

#timestamp=(data) ⇒ Object

Raises:



60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
 
# File 'lib/sigstore/tuf/trusted_metadata_set.rb', line 60

def timestamp=(data)
  raise Error::BadUpdateOrder, "cannot update timestamp after snapshot" if @trusted_set.key?("snapshot")

  if root.expired?(@reference_time)
    raise Error::ExpiredMetadata,
          "final root.json expired at #{root.expires}, is #{@reference_time}"
  end

  metadata, = load_data(Timestamp, data, root)

  if include?(Timestamp::TYPE)
    if metadata.version < timestamp.version
      raise Error::BadVersionNumber,
            "timestamp version less than metadata version"
    end
    raise Error::EqualVersionNumber if metadata.version == timestamp.version

    snapshot_meta = timestamp.snapshot_meta
    new_snapshot_meta = metadata.snapshot_meta
    if new_snapshot_meta.version < snapshot_meta.version
      raise Error::BadVersionNumber, "snapshot version did not increase"
    end
  end

  @trusted_set["timestamp"] = metadata
  check_final_timestamp
end

#update_delegated_targets(data, role, parent_role) ⇒ Object

Raises:



125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
 
# File 'lib/sigstore/tuf/trusted_metadata_set.rb', line 125

def update_delegated_targets(data, role, parent_role)
  raise Error::BadUpdateOrder, "cannot update targets before snapshot" unless @trusted_set.key?("snapshot")

  check_final_snapshot

  delegator = @trusted_set[parent_role]
  logger.debug { "Updating #{role} delegated by #{parent_role.inspect} to #{delegator.class}" }
  raise Error::BadUpdateOrder, "cannot load targets before delegator" unless delegator

  meta = snapshot.meta["#{role}.json"]
  raise Error::RepositoryError, "no metadata for role #{role} in snapshot" unless meta

  meta.verify_length_and_hashes(data)

  new_delegate, = load_data(Targets, data, delegator, role)
  version = new_delegate.version
  raise Error::BadVersionNumber, "expected #{role} v#{meta.version}, got v#{version}" if version != meta.version

  raise Error::ExpiredMetadata, "new #{role} is expired" if new_delegate.expired?(@reference_time)

  @trusted_set[role] = new_delegate
  logger.debug { "Updated #{role} v#{version}" }
  new_delegate
end