Merge pull request #496 from amazonlinux/recombine-tough

tough: Merge in tough_schema
bottlerocket-os · Nov 8, 2019 · 0fc51ed · 0fc51ed
2 parents cb17aef + 7a78939
commit 0fc51ed
Show file tree

Hide file tree

Showing 30 changed files with 87 additions and 127 deletions.
diff --git a/workspaces/Cargo.lock b/workspaces/Cargo.lock
diff --git a/workspaces/Cargo.toml b/workspaces/Cargo.toml
@@ -26,7 +26,6 @@ members = [
     "updater/block-party",
     "updater/signpost",
     "updater/tough",
-    "updater/tough_schema",
     "updater/update_metadata",
     "updater/updog",
 

diff --git a/workspaces/deny.toml b/workspaces/deny.toml
@@ -50,7 +50,6 @@ skip = [
     { name = "testmigration", licenses = [] },
     { name = "thar-be-settings", licenses = [] },
     { name = "tough", licenses = [] },
-    { name = "tough_schema", licenses = [] },
     { name = "tuftool", licenses = [] },
     { name = "update_metadata", licenses = [] },
     { name = "updog", licenses = [] },

diff --git a/workspaces/tuftool/Cargo.toml b/workspaces/tuftool/Cargo.toml
@@ -30,7 +30,6 @@ sha2 = "0.8.0"
 snafu = { version = "0.5.0", features = ["backtrace-crate"] }
 structopt = "0.3"
 tempfile = "3.1.0"
-tough_schema = { path = "../updater/tough_schema" }
 url = "2.1.0"
 walkdir = "2.2.9"
 tempdir = "0.3.7"

diff --git a/workspaces/tuftool/src/create.rs b/workspaces/tuftool/src/create.rs
@@ -15,10 +15,9 @@ use std::fs::File;
 use std::num::{NonZeroU64, NonZeroUsize};
 use std::path::{Path, PathBuf};
 use structopt::StructOpt;
-use tough_schema::decoded::Decoded;
-use tough_schema::{
-    Hashes, Role, RoleType, Root, Signed, Snapshot, SnapshotMeta, Target, Targets, Timestamp,
-    TimestampMeta,
+use tough::schema::{
+    decoded::Decoded, Hashes, Role, RoleType, Root, Signed, Snapshot, SnapshotMeta, Target,
+    Targets, Timestamp, TimestampMeta,
 };
 use walkdir::WalkDir;
 

diff --git a/workspaces/tuftool/src/error.rs b/workspaces/tuftool/src/error.rs
@@ -139,7 +139,7 @@ pub(crate) enum Error {
     #[snafu(display("Failed to calculate key ID: {}", source))]
     KeyId {
         #[snafu(backtrace)]
-        source: tough_schema::Error,
+        source: tough::schema::Error,
     },
 
     #[snafu(display("Private key rejected: {}", source))]

diff --git a/workspaces/tuftool/src/key.rs b/workspaces/tuftool/src/key.rs
@@ -6,9 +6,9 @@ use ring::signature::{KeyPair as _, RsaKeyPair};
 use serde::Serialize;
 use snafu::ResultExt;
 use std::collections::HashMap;
-use tough_schema::decoded::{Decoded, Hex};
-use tough_schema::key::Key;
-use tough_schema::{Role, RoleType, Root, Signature, Signed};
+use tough::schema::decoded::{Decoded, Hex};
+use tough::schema::key::Key;
+use tough::schema::{Role, RoleType, Root, Signature, Signed};
 
 #[derive(Debug)]
 pub(crate) enum KeyPair {
@@ -49,7 +49,7 @@ impl KeyPair {
     }
 
     pub(crate) fn public_key(&self) -> Key {
-        use tough_schema::key::{RsaKey, RsaScheme};
+        use tough::schema::key::{RsaKey, RsaScheme};
 
         match self {
             KeyPair::Rsa(key_pair) => Key::Rsa {

diff --git a/workspaces/tuftool/src/root.rs b/workspaces/tuftool/src/root.rs
@@ -10,9 +10,8 @@ use std::collections::HashMap;
 use std::num::NonZeroU64;
 use std::path::PathBuf;
 use structopt::StructOpt;
-use tough_schema::decoded::{Decoded, Hex};
-use tough_schema::key::Key;
-use tough_schema::{RoleKeys, RoleType, Root, Signed};
+use tough::schema::decoded::{Decoded, Hex};
+use tough::schema::{key::Key, RoleKeys, RoleType, Root, Signed};
 
 #[derive(Debug, StructOpt)]
 pub(crate) enum Command {

diff --git a/workspaces/tuftool/src/sign.rs b/workspaces/tuftool/src/sign.rs
@@ -7,7 +7,7 @@ use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::path::PathBuf;
 use structopt::StructOpt;
-use tough_schema::{RoleType, Root, Signed};
+use tough::schema::{RoleType, Root, Signed};
 
 #[derive(Debug, StructOpt)]
 pub(crate) struct SignArgs {

diff --git a/workspaces/tuftool/src/source.rs b/workspaces/tuftool/src/source.rs
@@ -10,7 +10,7 @@ use crate::key::KeyPair;
 use snafu::{OptionExt, ResultExt};
 use std::path::PathBuf;
 use std::str::FromStr;
-use tough_schema::key::Key;
+use tough::schema::key::Key;
 use url::Url;
 
 #[derive(Debug)]

diff --git a/workspaces/updater/tough/Cargo.toml b/workspaces/updater/tough/Cargo.toml
@@ -8,12 +8,16 @@ publish = false
 [dependencies]
 chrono = { version = "0.4.6", features = ["serde"] }
 hex = "0.4.0"
+olpc-cjson = { path = "../olpc-cjson" }
+pem = "0.6.0"
 reqwest = { version = "0.9.17", optional = true, default-features = false }
-serde = "1.0.92"
+ring = "0.16.7"
+serde = { version = "1.0.92", features = ["derive"] }
 serde_json = "1.0.39"
+serde_plain = "0.3.0"
 sha2 = "0.8.0"
 snafu = "0.5.0"
-tough_schema = { path = "../tough_schema" }
+untrusted = "0.7.0"
 url = "2.1.0"
 
 [dev-dependencies]

diff --git a/workspaces/updater/tough/src/datastore.rs b/workspaces/updater/tough/src/datastore.rs
@@ -26,8 +26,9 @@ impl<'a> Datastore<'a> {
             File::create(&path).context(error::DatastoreCreate { path: &path })?,
             value,
         )
-        .context(error::JsonSerialization {
+        .context(error::DatastoreSerialize {
             what: format!("{} in datastore", file),
+            path,
         })
     }
 

diff --git a/workspaces/updater/tough/src/error.rs b/workspaces/updater/tough/src/error.rs
@@ -2,10 +2,10 @@
 
 #![allow(clippy::default_trait_access)]
 
+use crate::schema::RoleType;
 use chrono::{DateTime, Utc};
 use snafu::{Backtrace, Snafu};
 use std::path::PathBuf;
-use tough_schema::RoleType;
 
 /// Alias for `Result<T, Error>`.
 pub type Result<T> = std::result::Result<T, Error>;
@@ -38,6 +38,15 @@ pub enum Error {
         backtrace: Backtrace,
     },
 
+    /// The library failed to serialize an object to JSON to the datastore.
+    #[snafu(display("Failed to serialize {} to JSON at datastore path {}: {}", what, path.display(), source))]
+    DatastoreSerialize {
+        what: String,
+        path: PathBuf,
+        source: serde_json::Error,
+        backtrace: Backtrace,
+    },
+
     /// A metadata file has expired.
     #[snafu(display("{} metadata is expired", role))]
     ExpiredMetadata {
@@ -69,14 +78,6 @@ pub enum Error {
         backtrace: Backtrace,
     },
 
-    /// The library failed to serialize an object to JSON.
-    #[snafu(display("Failed to serialize {} to JSON: {}", what, source))]
-    JsonSerialization {
-        what: String,
-        source: serde_json::Error,
-        backtrace: Backtrace,
-    },
-
     /// A file's maximum size exceeded a limit set by the consumer of this library or the metadata.
     #[snafu(display("Maximum size {} (specified by {}) exceeded", max_size, specifier))]
     MaxSizeExceeded {
@@ -171,14 +172,14 @@ pub enum Error {
     #[snafu(display("Failed to verify {} metadata: {}", role, source))]
     VerifyMetadata {
         role: RoleType,
-        source: tough_schema::Error,
+        source: crate::schema::Error,
         backtrace: Backtrace,
     },
 
     /// The trusted root metadata file could not be verified.
     #[snafu(display("Failed to verify trusted root metadata: {}", source))]
     VerifyTrustedMetadata {
-        source: tough_schema::Error,
+        source: crate::schema::Error,
         backtrace: Backtrace,
     },
 

diff --git a/workspaces/updater/tough/src/lib.rs b/workspaces/updater/tough/src/lib.rs
@@ -16,6 +16,7 @@ mod datastore;
 pub mod error;
 mod fetch;
 mod io;
+pub mod schema;
 mod transport;
 
 #[cfg(feature = "http")]
@@ -25,13 +26,13 @@ pub use crate::transport::{FilesystemTransport, Transport};
 use crate::datastore::Datastore;
 use crate::error::Result;
 use crate::fetch::{fetch_max_size, fetch_sha256};
+use crate::schema::{Role, RoleType, Root, Signed, Snapshot, Timestamp};
 use chrono::{DateTime, Utc};
 use snafu::{ensure, OptionExt, ResultExt};
 use std::borrow::Cow;
 use std::collections::HashMap;
 use std::io::Read;
 use std::path::Path;
-use tough_schema::{Role, RoleType, Root, Signed, Snapshot, Timestamp};
 use url::Url;
 
 /// Repository fetch settings, provided to [`Repository::load`].
@@ -276,8 +277,8 @@ pub struct Target {
     pub length: u64,
 }
 
-impl From<tough_schema::Target> for Target {
-    fn from(target: tough_schema::Target) -> Self {
+impl From<crate::schema::Target> for Target {
+    fn from(target: crate::schema::Target) -> Self {
         Self {
             custom: target.custom,
             sha256: target.hashes.sha256.into_vec(),
@@ -698,7 +699,7 @@ fn load_targets<T: Transport>(
     datastore: &Datastore<'_>,
     max_targets_size: u64,
     metadata_base_url: &Url,
-) -> Result<Signed<tough_schema::Targets>> {
+) -> Result<Signed<crate::schema::Targets>> {
     // 4. Download the top-level targets metadata file, up to either the number of bytes specified
     //    in the snapshot metadata file, or some Z number of bytes. The value for Z is set by the
     //    authors of the application using TUF. For example, Z may be tens of kilobytes. If
@@ -745,7 +746,7 @@ fn load_targets<T: Transport>(
             specifier,
         )?)
     };
-    let targets: Signed<tough_schema::Targets> =
+    let targets: Signed<crate::schema::Targets> =
         serde_json::from_reader(reader).context(error::ParseMetadata {
             role: RoleType::Targets,
         })?;
@@ -781,7 +782,7 @@ fn load_targets<T: Transport>(
     //   it, abort the update cycle, and report the potential rollback attack.
     if let Some(Ok(old_targets)) = datastore
         .reader("targets.json")?
-        .map(serde_json::from_reader::<_, Signed<tough_schema::Targets>>)
+        .map(serde_json::from_reader::<_, Signed<crate::schema::Targets>>)
     {
         if root.signed.verify_role(&old_targets).is_ok() {
             ensure!(

diff --git a/workspaces/updater/tough_schema/src/de.rs → workspaces/updater/tough/src/schema/de.rs b/workspaces/updater/tough_schema/src/de.rs → workspaces/updater/tough/src/schema/de.rs
@@ -1,13 +1,13 @@
-use crate::decoded::{Decoded, Hex};
-use crate::error;
-use crate::key::Key;
+use crate::schema::decoded::{Decoded, Hex};
+use crate::schema::error;
+use crate::schema::key::Key;
 use serde::{de::Error as _, Deserialize, Deserializer};
 use snafu::ensure;
 use std::collections::HashMap;
 use std::fmt;
 
 /// Validates the key ID for each key during deserialization and fails if any don't match.
-pub(crate) fn deserialize_keys<'de, D>(
+pub(super) fn deserialize_keys<'de, D>(
     deserializer: D,
 ) -> Result<HashMap<Decoded<Hex>, Key>, D::Error>
 where
@@ -23,15 +23,14 @@ where
         map: &mut HashMap<Decoded<Hex>, Key>,
     ) -> Result<(), error::Error> {
         let calculated = key.key_id()?;
+        let keyid_hex = hex::encode(&keyid);
         ensure!(
             keyid == calculated,
-            error::HashMismatch {
-                context: "key".to_owned(),
+            error::InvalidKeyId {
+                keyid: &keyid_hex,
                 calculated: hex::encode(&calculated),
-                expected: hex::encode(&keyid),
             }
         );
-        let keyid_hex = hex::encode(&keyid); // appease borrowck
         ensure!(
             map.insert(keyid, key).is_none(),
             error::DuplicateKeyId { keyid: keyid_hex }
@@ -65,7 +64,7 @@ where
 }
 
 /// Deserializes the `_extra` field on roles, skipping the `_type` tag.
-pub(crate) fn extra_skip_type<'de, D>(
+pub(super) fn extra_skip_type<'de, D>(
     deserializer: D,
 ) -> Result<HashMap<String, serde_json::Value>, D::Error>
 where
@@ -78,12 +77,12 @@ where
 
 #[cfg(test)]
 mod tests {
-    use crate::{Root, Signed};
+    use crate::schema::{Root, Signed};
 
     #[test]
     fn duplicate_keyid() {
         assert!(serde_json::from_str::<Signed<Root>>(include_str!(
-            "../tests/data/duplicate-keyid/root.json"
+            "../../tests/data/duplicate-keyid/root.json"
         ))
         .is_err());
     }

diff --git a/...paces/updater/tough_schema/src/decoded.rs → ...paces/updater/tough/src/schema/decoded.rs b/...paces/updater/tough_schema/src/decoded.rs → ...paces/updater/tough/src/schema/decoded.rs
@@ -1,5 +1,5 @@
-use crate::error::{self, Error};
-use crate::spki;
+use crate::schema::error::{self, Error};
+use crate::schema::spki;
 use serde::{de::Error as _, Deserialize, Deserializer, Serialize, Serializer};
 use snafu::ResultExt;
 use std::cmp::Ordering;

diff --git a/workspaces/updater/tough_schema/src/error.rs → workspaces/updater/tough/src/schema/error.rs b/workspaces/updater/tough_schema/src/error.rs → workspaces/updater/tough/src/schema/error.rs
@@ -2,7 +2,7 @@
 
 #![allow(clippy::default_trait_access)]
 
-use crate::RoleType;
+use crate::schema::RoleType;
 use snafu::{Backtrace, Snafu};
 use std::fmt::{self, Debug, Display};
 
@@ -11,24 +11,18 @@ pub type Result<T> = std::result::Result<T, Error>;
 
 /// The error type for this library.
 #[derive(Debug, Snafu)]
-#[snafu(visibility = "pub(crate)")]
+#[snafu(visibility = "pub(super)")]
 pub enum Error {
     /// A duplicate key ID was present in the root metadata.
     #[snafu(display("Duplicate key ID: {}", keyid))]
     DuplicateKeyId { keyid: String },
 
     /// A downloaded target's checksum does not match the checksum listed in the repository
     /// metadata.
-    #[snafu(display(
-        "Hash mismatch for {}: calculated {}, expected {}",
-        context,
-        calculated,
-        expected,
-    ))]
-    HashMismatch {
-        context: String,
+    #[snafu(display("Invalid key ID {}: calculated {}", keyid, calculated))]
+    InvalidKeyId {
+        keyid: String,
         calculated: String,
-        expected: String,
         backtrace: Backtrace,
     },