fleetd to start up when TUF signatures are expired (#23102)

#22740

Full QA is still a WIP but this is ready for review.

- [X] Changes file added for user-visible changes in `changes/`,
`orbit/changes/` or `ee/fleetd-chrome/changes`.
See [Changes
files](https://github.com/fleetdm/fleet/blob/main/docs/Contributing/Committing-Changes.md#changes-files)
for more information.
- [X] Added/updated tests
- [X] Manual QA for all new/changed functionality
- For Orbit and Fleet Desktop changes:
- [x] Orbit runs on macOS, Linux and Windows. Check if the orbit
feature/bugfix should only apply to one platform (`runtime.GOOS`).
- [x] Manual QA must be performed in the three main OSs, macOS, Windows
and Linux.
- [x] Auto-update manual QA, from released version of component to new
version (see [tools/tuf/test](../tools/tuf/test/README.md)).

Author: lucasmrod

Makefile

@@ -127,7 +127,8 @@ fleet-dev: fleet
 fleetctl: .prefix .pre-build .pre-fleetctl
 	# Race requires cgo
 	$(eval CGO_ENABLED := $(shell [[ "${GO_BUILD_RACE_ENABLED_VAR}" = "true" ]] && echo 1 || echo 0))
-	CGO_ENABLED=${CGO_ENABLED} go build -race=${GO_BUILD_RACE_ENABLED_VAR} -o build/fleetctl -ldflags ${LDFLAGS_VERSION} ./cmd/fleetctl
+	$(eval FLEETCTL_LDFLAGS := $(shell echo "${LDFLAGS_VERSION} ${EXTRA_FLEETCTL_LDFLAGS}"))
+	CGO_ENABLED=${CGO_ENABLED} go build -race=${GO_BUILD_RACE_ENABLED_VAR} -o build/fleetctl -ldflags="${FLEETCTL_LDFLAGS}" ./cmd/fleetctl
 
 fleetctl-dev: GO_BUILD_RACE_ENABLED_VAR=true
 fleetctl-dev: fleetctl

cmd/fleetctl/preview.go

@@ -827,8 +827,8 @@ func downloadOrbitAndStart(destDir, enrollSecret, address, orbitChannel, osquery
 	updateOpt := update.DefaultOptions
 
 	// Override default channels with the provided values.
-	updateOpt.Targets.SetTargetChannel("orbit", orbitChannel)
-	updateOpt.Targets.SetTargetChannel("osqueryd", osquerydChannel)
+	updateOpt.Targets.SetTargetChannel(constant.OrbitTUFTargetName, orbitChannel)
+	updateOpt.Targets.SetTargetChannel(constant.OsqueryTUFTargetName, osquerydChannel)
 
 	updateOpt.RootDirectory = destDir
 
@@ -843,9 +843,9 @@ func downloadOrbitAndStart(destDir, enrollSecret, address, orbitChannel, osquery
 		return fmt.Errorf("initialize updates: %w", err)
 	}
 
-	orbitPath, err := update.NewDisabled(updateOpt).ExecutableLocalPath("orbit")
+	orbitPath, err := update.NewDisabled(updateOpt).ExecutableLocalPath(constant.OrbitTUFTargetName)
 	if err != nil {
-		return fmt.Errorf("failed to locate executable for orbit: %w", err)
+		return fmt.Errorf("failed to locate executable for %s: %w", constant.OrbitTUFTargetName, err)
 	}
 
 	cmd := exec.Command(orbitPath,

ee/fleetctl/updates.go

@@ -22,33 +22,53 @@ import (
 	"github.com/fleetdm/fleet/v4/server/contexts/ctxerr"
 	"github.com/theupdateframework/go-tuf"
 	"github.com/urfave/cli/v2"
-	"golang.org/x/crypto/ssh/terminal"
+	"golang.org/x/term"
 )
 
 const (
 	// consistentSnapshots are not needed due to the low update frequency of
 	// these repositories.
 	consistentSnapshots = false
 
-	// ~10 years
-	keyExpirationDuration = 10 * 365 * 24 * time.Hour
-
-	// Expirations from
-	// https://github.com/theupdateframework/notary/blob/e87b31f46cdc5041403c64b7536df236d5e35860/docs/best_practices.md#expiration-prevention
-	// ~10 years
-	rootExpirationDuration = 10 * 365 * 24 * time.Hour //nolint:unused,deadcode
-	// ~3 years
-	targetsExpirationDuration = 3 * 365 * 24 * time.Hour
-	// ~3 years
-	snapshotExpirationDuration = 3 * 365 * 24 * time.Hour
-	// 14 days
-	timestampExpirationDuration = 14 * 24 * time.Hour
-
 	decryptionFailedError = "encrypted: decryption failed"
 
 	backupDirectory = ".backup"
 )
 
+// The following are defined as string variables so that we can use/set them in tests and test tooling.
+var (
+	// keyExpirationDuration is used when generating new keys (repository init)
+	// or when rotating the root key.
+	// ~10 years (10 * 365 * 24 hours)
+	keyExpirationDuration = "87600h"
+
+	//
+	// Expirations from
+	// https://github.com/theupdateframework/notary/blob/e87b31f46cdc5041403c64b7536df236d5e35860/docs/best_practices.md#expiration-prevention
+	//
+	// They are defined as string so we can modify them at build time for testing purposes.
+	//
+
+	// rootExpirationDuration is used to set the expiration of root.json when revoking the current root key.
+	// ~10 years (10 * 365 * 24 hours)
+	rootExpirationDuration = "87600h"
+	// targetsExpirationDuration is used to set the expiration of the targets.json signature.
+	// ~3 years (3 * 365 * 24 hours)
+	targetsExpirationDuration = "26280h"
+	// snapshotExpirationDuration is used to set the expiration of the snapshot.json signature.
+	// ~3 years (3 * 365 * 24 hours)
+	snapshotExpirationDuration = "26280h"
+	// timestampExpirationDuration is used to set the expiration of the timestamp.json signature.
+	// 14 days (14 * 24 hours)
+	timestampExpirationDuration = "336h"
+
+	keyExpirationDuration_       = mustParseDuration(keyExpirationDuration)
+	rootExpirationDuration_      = mustParseDuration(rootExpirationDuration)
+	targetsExpirationDuration_   = mustParseDuration(targetsExpirationDuration)
+	snapshotExpirationDuration_  = mustParseDuration(snapshotExpirationDuration)
+	timestampExpirationDuration_ = mustParseDuration(timestampExpirationDuration)
+)
+
 var passHandler = newPassphraseHandler()
 
 func UpdatesCommand() *cli.Command {
@@ -87,6 +107,14 @@ func updatesInitCommand() *cli.Command {
 	}
 }
 
+func mustParseDuration(s string) time.Duration {
+	d, err := time.ParseDuration(s)
+	if err != nil {
+		panic(err)
+	}
+	return d
+}
+
 func updatesInitFunc(c *cli.Context) error {
 	path := c.String("path")
 	store := tuf.FileSystemStore(path, passHandler.getPassphrase)
@@ -134,14 +162,14 @@ func updatesInitFunc(c *cli.Context) error {
 	if err := repo.AddTargetsWithExpires(
 		nil,
 		nil,
-		time.Now().Add(targetsExpirationDuration),
+		time.Now().Add(targetsExpirationDuration_),
 	); err != nil {
 		return fmt.Errorf("initialize targets: %w", err)
 	}
-	if err := repo.SnapshotWithExpires(time.Now().Add(snapshotExpirationDuration)); err != nil {
+	if err := repo.SnapshotWithExpires(time.Now().Add(snapshotExpirationDuration_)); err != nil {
 		return fmt.Errorf("make snapshot: %w", err)
 	}
-	if err := repo.TimestampWithExpires(time.Now().Add(timestampExpirationDuration)); err != nil {
+	if err := repo.TimestampWithExpires(time.Now().Add(timestampExpirationDuration_)); err != nil {
 		return fmt.Errorf("make timestamp: %w", err)
 	}
 
@@ -256,10 +284,10 @@ func updatesAddFunc(c *cli.Context) error {
 			dstPath = filepath.Join(name, platform, tag, name)
 		}
 		switch {
-		case name == "desktop" && platform == "windows":
+		case name == constant.DesktopTUFTargetName && platform == "windows":
 			// This is a special case for the desktop target on Windows.
 			dstPath = filepath.Join(filepath.Dir(dstPath), constant.DesktopAppExecName+".exe")
-		case name == "desktop" && (platform == "linux" || platform == "linux-arm64"):
+		case name == constant.DesktopTUFTargetName && (platform == "linux" || platform == "linux-arm64"):
 			// This is a special case for the desktop target on Linux.
 			dstPath += ".tar.gz"
 		// The convention for Windows extensions is to use the extension `.ext.exe`
@@ -294,16 +322,16 @@ func updatesAddFunc(c *cli.Context) error {
 	if err := repo.AddTargetsWithExpires(
 		paths,
 		meta,
-		time.Now().Add(targetsExpirationDuration),
+		time.Now().Add(targetsExpirationDuration_),
 	); err != nil {
 		return fmt.Errorf("add targets: %w", err)
 	}
 
-	if err := repo.SnapshotWithExpires(time.Now().Add(snapshotExpirationDuration)); err != nil {
+	if err := repo.SnapshotWithExpires(time.Now().Add(snapshotExpirationDuration_)); err != nil {
 		return fmt.Errorf("make snapshot: %w", err)
 	}
 
-	if err := repo.TimestampWithExpires(time.Now().Add(timestampExpirationDuration)); err != nil {
+	if err := repo.TimestampWithExpires(time.Now().Add(timestampExpirationDuration_)); err != nil {
 		return fmt.Errorf("make timestamp: %w", err)
 	}
 
@@ -336,7 +364,7 @@ func updatesTimestampFunc(c *cli.Context) error {
 	}
 
 	if err := repo.TimestampWithExpires(
-		time.Now().Add(timestampExpirationDuration),
+		time.Now().Add(timestampExpirationDuration_),
 	); err != nil {
 		return fmt.Errorf("make timestamp: %w", err)
 	}
@@ -415,7 +443,7 @@ func updatesRotateFunc(c *cli.Context) error {
 	// Delete old keys for role
 	for _, key := range keys {
 		id := key.PublicData().IDs()[0]
-		err := repo.RevokeKeyWithExpires(role, id, time.Now().Add(rootExpirationDuration))
+		err := repo.RevokeKeyWithExpires(role, id, time.Now().Add(rootExpirationDuration_))
 		if err != nil {
 			// go-tuf keeps keys around even after they are revoked from the manifest. We can skip
 			// tuf.ErrKeyNotFound as these represent keys that are not present in the manifest and
@@ -441,15 +469,15 @@ func updatesRotateFunc(c *cli.Context) error {
 
 	// Generate new metadata for each role (technically some of these may not need regeneration
 	// depending on which key was rotated, but there should be no harm in generating new ones for each).
-	if err := repo.AddTargetsWithExpires(nil, nil, time.Now().Add(targetsExpirationDuration)); err != nil {
+	if err := repo.AddTargetsWithExpires(nil, nil, time.Now().Add(targetsExpirationDuration_)); err != nil {
 		return fmt.Errorf("generate targets: %w", err)
 	}
 
-	if err := repo.SnapshotWithExpires(time.Now().Add(snapshotExpirationDuration)); err != nil {
+	if err := repo.SnapshotWithExpires(time.Now().Add(snapshotExpirationDuration_)); err != nil {
 		return fmt.Errorf("generate snapshot: %w", err)
 	}
 
-	if err := repo.TimestampWithExpires(time.Now().Add(timestampExpirationDuration)); err != nil {
+	if err := repo.TimestampWithExpires(time.Now().Add(timestampExpirationDuration_)); err != nil {
 		return fmt.Errorf("generate timestamp: %w", err)
 	}
 
@@ -619,7 +647,7 @@ func copyTarget(srcPath, dstPath string) error {
 }
 
 func updatesGenKey(repo *tuf.Repo, role string) error {
-	keyids, err := repo.GenKeyWithExpires(role, time.Now().Add(keyExpirationDuration))
+	keyids, err := repo.GenKeyWithExpires(role, time.Now().Add(keyExpirationDuration_))
 	if err != nil {
 		return fmt.Errorf("generate %s key: %w", role, err)
 	}
@@ -715,7 +743,7 @@ func (p *passphraseHandler) readPassphrase(role string, confirm bool) ([]byte, e
 
 		fmt.Printf("Enter %s key passphrase: ", role)
 		// the int(...) conversion is required as on Windows syscall.Stdin is of type Handle.
-		passphrase, err := terminal.ReadPassword(int(syscall.Stdin)) //nolint:unconvert
+		passphrase, err := term.ReadPassword(int(syscall.Stdin)) //nolint:unconvert
 		fmt.Println()
 		if err != nil {
 			return nil, fmt.Errorf("read password: %w", err)
@@ -727,7 +755,7 @@ func (p *passphraseHandler) readPassphrase(role string, confirm bool) ([]byte, e
 
 		fmt.Printf("Repeat %s key passphrase: ", role)
 		// the int(...) conversion is required as on Windows syscall.Stdin is of type Handle.
-		confirmation, err := terminal.ReadPassword(int(syscall.Stdin)) //nolint:unconvert
+		confirmation, err := term.ReadPassword(int(syscall.Stdin)) //nolint:unconvert
 		fmt.Println()
 		if err != nil {
 			return nil, fmt.Errorf("read password confirmation: %w", err)

ee/fleetctl/updates_test.go

@@ -398,8 +398,8 @@ func TestCommit(t *testing.T) {
 	// Make rotations that change repo
 	require.NoError(t, updatesGenKey(repo, "root"))
 	require.NoError(t, repo.Sign("root.json"))
-	require.NoError(t, repo.SnapshotWithExpires(time.Now().Add(snapshotExpirationDuration)))
-	require.NoError(t, repo.TimestampWithExpires(time.Now().Add(timestampExpirationDuration)))
+	require.NoError(t, repo.SnapshotWithExpires(time.Now().Add(mustParseDuration(snapshotExpirationDuration))))
+	require.NoError(t, repo.TimestampWithExpires(time.Now().Add(mustParseDuration(timestampExpirationDuration))))
 	require.NoError(t, repo.Commit())
 
 	// Assert directory has changed after commit.
@@ -437,8 +437,8 @@ func TestRollback(t *testing.T) {
 	// Make rotations that change repo
 	require.NoError(t, updatesGenKey(repo, "root"))
 	require.NoError(t, repo.Sign("root.json"))
-	require.NoError(t, repo.SnapshotWithExpires(time.Now().Add(snapshotExpirationDuration)))
-	require.NoError(t, repo.TimestampWithExpires(time.Now().Add(timestampExpirationDuration)))
+	require.NoError(t, repo.SnapshotWithExpires(time.Now().Add(mustParseDuration(snapshotExpirationDuration))))
+	require.NoError(t, repo.TimestampWithExpires(time.Now().Add(mustParseDuration(timestampExpirationDuration))))
 	require.NoError(t, repo.Commit())
 
 	// Assert directory has NOT changed after rollback.
@@ -456,3 +456,136 @@ func TestRollback(t *testing.T) {
 	roots := getRoots(t, tmpDir)
 	assert.Equal(t, initialRoots, roots)
 }
+
+// TestIntegrationsUpdatesExpiredSignatures is used to test the expected behavior
+// of go-tuf@v0.5.2 methods client.Update and client.Target when signatures are expired (their
+// behavior depends on which of the roles has the expired signature).
+func TestIntegrationsUpdatesExpiredSignatures(t *testing.T) {
+	// Not t.Parallel() due to modifications to environment and global variables.
+
+	setPassphrases(t)
+	const timeToExpire = 5 * time.Second
+
+	for _, tc := range []struct {
+		name                      string
+		overrideKeyExpirationFunc func(t *testing.T)
+		updateMetadataFails       bool
+		lookupFails               bool
+	}{
+		{
+			name: "root expired",
+			overrideKeyExpirationFunc: func(t *testing.T) {
+				oldKeyExpirationDuration := keyExpirationDuration_
+				t.Cleanup(func() {
+					keyExpirationDuration_ = oldKeyExpirationDuration
+				})
+				keyExpirationDuration_ = timeToExpire
+			},
+			// When the root signature is expired both client.Update fails and client.Target fail.
+			updateMetadataFails: true,
+			lookupFails:         true,
+		},
+		{
+			name: "snapshot expired",
+			overrideKeyExpirationFunc: func(t *testing.T) {
+				oldKeyExpirationDuration := snapshotExpirationDuration_
+				t.Cleanup(func() {
+					snapshotExpirationDuration_ = oldKeyExpirationDuration
+				})
+				snapshotExpirationDuration_ = timeToExpire
+			},
+			// When the snapshot signature is expired client.Update does not fail and client.Target does fail.
+			updateMetadataFails: false,
+			lookupFails:         true,
+		},
+		{
+			name: "targets expired",
+			overrideKeyExpirationFunc: func(t *testing.T) {
+				oldKeyExpirationDuration := targetsExpirationDuration_
+				t.Cleanup(func() {
+					targetsExpirationDuration_ = oldKeyExpirationDuration
+				})
+				targetsExpirationDuration_ = timeToExpire
+			},
+			// When the targets signature is expired client.Update does not fail and client.Target does fail.
+			updateMetadataFails: false,
+			lookupFails:         true,
+		},
+		{
+			name: "timestamp expired",
+			overrideKeyExpirationFunc: func(t *testing.T) {
+				oldKeyExpirationDuration := timestampExpirationDuration_
+				t.Cleanup(func() {
+					timestampExpirationDuration_ = oldKeyExpirationDuration
+				})
+				timestampExpirationDuration_ = timeToExpire
+			},
+			// When the timestamp signature is expired client.Update fails and client.Target does not fail.
+			updateMetadataFails: true,
+			lookupFails:         false,
+		},
+	} {
+		t.Run(tc.name, func(t *testing.T) {
+			tc.overrideKeyExpirationFunc(t)
+
+			tmpDir := t.TempDir()
+			err := runUpdatesCommand("init", "--path", tmpDir)
+			require.NoError(t, err)
+
+			roots := getRoots(t, tmpDir)
+
+			// Use the current binary as target for this test so that it is a binary that
+			// is valid for execution on the current system.
+			testPath, err := os.Executable()
+			require.NoError(t, err)
+
+			// Add a dummy target
+			require.NoError(t, runUpdatesCommand("add", "--path", tmpDir, "--target", testPath, "--platform", "macos", "--name", "test", "--version", "1.3.3.7"))
+			assertFileExists(t, filepath.Join(tmpDir, "repository", "targets", "test", "macos", "1.3.3.7", "test"))
+
+			// Run an HTTP server to serve the update metadata
+			server := httptest.NewServer(http.FileServer(http.Dir(filepath.Join(tmpDir, "repository"))))
+			t.Cleanup(server.Close)
+
+			// Initialize an update client
+			localStore, err := filestore.New(filepath.Join(tmpDir, "tuf-metadata.json"))
+			require.NoError(t, err)
+			updater, err := update.NewUpdater(update.Options{
+				RootDirectory: tmpDir,
+				ServerURL:     server.URL,
+				RootKeys:      roots,
+				LocalStore:    localStore,
+				Targets: update.Targets{
+					"test": update.TargetInfo{
+						Platform:   "macos",
+						Channel:    "1.3.3.7",
+						TargetFile: "test",
+					},
+				},
+			})
+			require.NoError(t, err)
+			err = updater.UpdateMetadata()
+			require.NoError(t, err)
+
+			time.Sleep(timeToExpire + 1*time.Second)
+
+			// Expect UpdateMetadata (client.Update) to fail when the signature has expired.
+			err = updater.UpdateMetadata()
+			if tc.updateMetadataFails {
+				require.Error(t, err)
+				require.True(t, update.IsExpiredErr(err))
+			} else {
+				require.NoError(t, err)
+			}
+
+			// Expect Lookup (client.Target) to fail when the signature has expired.
+			_, err = updater.Lookup("test")
+			if tc.lookupFails {
+				require.Error(t, err)
+				require.True(t, update.IsExpiredErr(err))
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

orbit/changes/22740-fleetd-tuf-signature-expirations

@@ -0,0 +1 @@
+* Fixed orbit startup to not exit when "root.json", "snapshot.json", or "targets.json" TUF signatures have expired.