notaryproject · riyazdf · Sep 7, 2017 · Aug 2, 2017 · Aug 31, 2017 · Sep 7, 2017
@@ -35,12 +35,16 @@ func requireValidFixture(t *testing.T, notaryRepo *NotaryRepository) {
 // recursively copies the contents of one directory into another - ignores
 // symlinks
 func recursiveCopy(sourceDir, targetDir string) error {
+	sourceDir, err := filepath.Abs(sourceDir)
+	if err != nil {
+		return err
+	}
 	return filepath.Walk(sourceDir, func(fp string, fi os.FileInfo, err error) error {
 		if err != nil {
 			return err
 		}
 
-		targetFP := filepath.Join(targetDir, strings.TrimPrefix(fp, sourceDir+"/"))
+		targetFP := filepath.Join(targetDir, strings.TrimPrefix(fp, sourceDir))
 
 		if fi.IsDir() {
 			return os.MkdirAll(targetFP, fi.Mode())
@@ -68,7 +72,7 @@ func recursiveCopy(sourceDir, targetDir string) error {
 		if err != nil {
 			return err
 		}
-		return nil
+		return out.Sync()
 	})
 }
 
@@ -91,7 +95,8 @@ func Test0Dot1Migration(t *testing.T) {
 	require.NoError(t, err, "error creating repo: %s", err)
 
 	// check that root_keys and tuf_keys are gone and that all corect keys are present and have the correct headers
-	files, _ := ioutil.ReadDir(filepath.Join(tmpDir, notary.PrivDir))
+	files, err := ioutil.ReadDir(filepath.Join(tmpDir, notary.PrivDir))
+	require.NoError(t, err)
 	require.Equal(t, files[0].Name(), "7fc757801b9bab4ec9e35bfe7a6b61668ff6f4c81b5632af19e6c728ab799599.key")
 	targKey, err := os.OpenFile(filepath.Join(tmpDir, notary.PrivDir, "7fc757801b9bab4ec9e35bfe7a6b61668ff6f4c81b5632af19e6c728ab799599.key"), os.O_RDONLY, notary.PrivExecPerms)
 	require.NoError(t, err)
@@ -220,10 +225,10 @@ func Test0Dot1RepoFormat(t *testing.T) {
 	require.Len(t, targets, 2)
 
 	// Also check that we can add/remove keys by rotating keys
-	oldTargetsKeys := repo.CryptoService.ListKeys(data.CanonicalTargetsRole)
+	oldTargetsKeys := repo.GetCryptoService().ListKeys(data.CanonicalTargetsRole)
 	require.NoError(t, repo.RotateKey(data.CanonicalTargetsRole, false, nil))
 	require.NoError(t, repo.Publish())
-	newTargetsKeys := repo.CryptoService.ListKeys(data.CanonicalTargetsRole)
+	newTargetsKeys := repo.GetCryptoService().ListKeys(data.CanonicalTargetsRole)
 
 	require.Len(t, oldTargetsKeys, 1)
 	require.Len(t, newTargetsKeys, 1)
@@ -287,10 +292,10 @@ func Test0Dot3RepoFormat(t *testing.T) {
 	require.Equal(t, data.RoleName("targets/releases"), delegations[0].Name)
 
 	// Also check that we can add/remove keys by rotating keys
-	oldTargetsKeys := repo.CryptoService.ListKeys(data.CanonicalTargetsRole)
+	oldTargetsKeys := repo.GetCryptoService().ListKeys(data.CanonicalTargetsRole)
 	require.NoError(t, repo.RotateKey(data.CanonicalTargetsRole, false, nil))
 	require.NoError(t, repo.Publish())
-	newTargetsKeys := repo.CryptoService.ListKeys(data.CanonicalTargetsRole)
+	newTargetsKeys := repo.GetCryptoService().ListKeys(data.CanonicalTargetsRole)
 
 	require.Len(t, oldTargetsKeys, 1)
 	require.Len(t, newTargetsKeys, 1)

@@ -45,7 +45,7 @@ type NotaryRepository struct {
 	changelist     changelist.Changelist
 	cache          store.MetadataStore
 	remoteStore    store.RemoteStore
-	CryptoService  signed.CryptoService
+	cryptoService  signed.CryptoService
 	tufRepo        *tuf.Repo
 	invalid        *tuf.Repo // known data that was parsable but deemed invalid
 	roundTrip      http.RoundTripper
@@ -120,7 +120,7 @@ func NewNotaryRepository(baseDir string, gun data.GUN, baseURL string, remoteSto
 		changelist:     cl,
 		cache:          cache,
 		remoteStore:    remoteStore,
-		CryptoService:  cryptoService,
+		cryptoService:  cryptoService,
 		trustPinning:   trustPinning,
 		LegacyVersions: 0, // By default, don't sign with legacy roles
 	}
@@ -182,6 +182,11 @@ func rootCertKey(gun data.GUN, privKey data.PrivateKey) (data.PublicKey, error)
 	return x509PublicKey, nil
 }
 
+// GetCryptoService is the getter for the repository's CryptoService
+func (r *NotaryRepository) GetCryptoService() signed.CryptoService {
+	return r.cryptoService
+}
+
 // initialize initializes the notary repository with a set of rootkeys, root certificates and roles.
 func (r *NotaryRepository) initialize(rootKeyIDs []string, rootCerts []data.PublicKey, serverManagedRoles ...data.RoleName) error {
 
@@ -234,7 +239,7 @@ func (r *NotaryRepository) initialize(rootKeyIDs []string, rootCerts []data.Publ
 		return err
 	}
 
-	r.tufRepo = tuf.NewRepo(r.CryptoService)
+	r.tufRepo = tuf.NewRepo(r.GetCryptoService())
 
 	if err := r.tufRepo.InitRoot(
 		rootRole,
@@ -264,7 +269,7 @@ func (r *NotaryRepository) initialize(rootKeyIDs []string, rootCerts []data.Publ
 func (r *NotaryRepository) createNewPublicKeyFromKeyIDs(keyIDs []string) ([]data.PublicKey, error) {
 	publicKeys := []data.PublicKey{}
 
-	privKeys, err := getAllPrivKeys(keyIDs, r.CryptoService)
+	privKeys, err := getAllPrivKeys(keyIDs, r.GetCryptoService())
 	if err != nil {
 		return nil, err
 	}
@@ -298,7 +303,7 @@ func (r *NotaryRepository) publicKeysOfKeyIDs(keyIDs []string, pubKeys []data.Pu
 // forms matching key pairs
 func matchKeyIdsWithPubKeys(r *NotaryRepository, ids []string, pubKeys []data.PublicKey) error {
 	for i := 0; i < len(ids); i++ {
-		privKey, _, err := r.CryptoService.GetPrivateKey(ids[i])
+		privKey, _, err := r.GetCryptoService().GetPrivateKey(ids[i])
 		if err != nil {
 			return fmt.Errorf("could not get the private key matching id %v: %v", ids[i], err)
 		}
@@ -342,13 +347,13 @@ func keyExistsInList(cert data.PublicKey, ids map[string]bool) error {
 
 // InitializeWithCertificate initializes the repository with root keys and their corresponding certificates
 func (r *NotaryRepository) InitializeWithCertificate(rootKeyIDs []string, rootCerts []data.PublicKey,
-	nRepo *NotaryRepository, serverManagedRoles ...data.RoleName) error {
+	serverManagedRoles ...data.RoleName) error {
 
 	// If we explicitly pass in certificate(s) but not key, then look keys up using certificate
 	if len(rootKeyIDs) == 0 && len(rootCerts) != 0 {
 		rootKeyIDs = []string{}
 		availableRootKeyIDs := make(map[string]bool)
-		for _, k := range nRepo.CryptoService.ListKeys(data.CanonicalRootRole) {
+		for _, k := range r.GetCryptoService().ListKeys(data.CanonicalRootRole) {
 			availableRootKeyIDs[k] = true
 		}
 
@@ -376,7 +381,7 @@ func (r *NotaryRepository) initializeRoles(rootKeys []data.PublicKey, localRoles
 	for _, role := range localRoles {
 		// This is currently hardcoding the keys to ECDSA.
 		var key data.PublicKey
-		key, err = r.CryptoService.Create(role, r.gun, data.ECDSAKey)
+		key, err = r.GetCryptoService().Create(role, r.gun, data.ECDSAKey)
 		if err != nil {
 			return
 		}
@@ -928,7 +933,7 @@ func signTargets(updates map[data.RoleName][]byte, repo *tuf.Repo, initialPublis
 // snapshots are supported, if the snapshot metadata fails to load, that's ok.
 // This assumes that bootstrapRepo is only used by Publish() or RotateKey()
 func (r *NotaryRepository) bootstrapRepo() error {
-	b := tuf.NewRepoBuilder(r.gun, r.CryptoService, r.trustPinning)
+	b := tuf.NewRepoBuilder(r.gun, r.GetCryptoService(), r.trustPinning)
 
 	logrus.Debugf("Loading trusted collection.")
 
@@ -1063,10 +1068,10 @@ func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufClient, e
 	minVersion := 1
 	// the old root on disk should not be validated against any trust pinning configuration
 	// because if we have an old root, it itself is the thing that pins trust
-	oldBuilder := tuf.NewRepoBuilder(r.gun, r.CryptoService, trustpinning.TrustPinConfig{})
+	oldBuilder := tuf.NewRepoBuilder(r.gun, r.GetCryptoService(), trustpinning.TrustPinConfig{})
 
 	// by default, we want to use the trust pinning configuration on any new root that we download
-	newBuilder := tuf.NewRepoBuilder(r.gun, r.CryptoService, r.trustPinning)
+	newBuilder := tuf.NewRepoBuilder(r.gun, r.GetCryptoService(), r.trustPinning)
 
 	// Try to read root from cache first. We will trust this root until we detect a problem
 	// during update which will cause us to download a new root and perform a rotation.
@@ -1080,7 +1085,7 @@ func (r *NotaryRepository) bootstrapClient(checkInitialized bool) (*tufClient, e
 
 		// again, the root on disk is the source of trust pinning, so use an empty trust
 		// pinning configuration
-		newBuilder = tuf.NewRepoBuilder(r.gun, r.CryptoService, trustpinning.TrustPinConfig{})
+		newBuilder = tuf.NewRepoBuilder(r.gun, r.GetCryptoService(), trustpinning.TrustPinConfig{})
 
 		if err := newBuilder.Load(data.CanonicalRootRole, rootJSON, minVersion, false); err != nil {
 			// Ok, the old root is expired - we want to download a new one.  But we want to use the
@@ -1170,7 +1175,7 @@ func (r *NotaryRepository) pubKeyListForRotation(role data.RoleName, serverManag
 	// If no new keys are passed in, we generate one
 	if len(newKeys) == 0 {
 		pubKeyList = make(data.KeyList, 0, 1)
-		pubKey, err = r.CryptoService.Create(role, r.gun, data.ECDSAKey)
+		pubKey, err = r.GetCryptoService().Create(role, r.gun, data.ECDSAKey)
 		pubKeyList = append(pubKeyList, pubKey)
 	}
 	if err != nil {
@@ -1181,7 +1186,7 @@ func (r *NotaryRepository) pubKeyListForRotation(role data.RoleName, serverManag
 	if len(newKeys) > 0 {
 		pubKeyList = make(data.KeyList, 0, len(newKeys))
 		for _, keyID := range newKeys {
-			pubKey = r.CryptoService.GetKey(keyID)
+			pubKey = r.GetCryptoService().GetKey(keyID)
 			if pubKey == nil {
 				return nil, fmt.Errorf("unable to find key: %s", keyID)
 			}
@@ -1204,7 +1209,7 @@ func (r *NotaryRepository) pubKeysToCerts(role data.RoleName, pubKeyList data.Ke
 	}
 
 	for i, pubKey := range pubKeyList {
-		privKey, loadedRole, err := r.CryptoService.GetPrivateKey(pubKey.ID())
+		privKey, loadedRole, err := r.GetCryptoService().GetPrivateKey(pubKey.ID())
 		if err != nil {
 			return nil, err
 		}
@@ -1279,3 +1284,9 @@ func DeleteTrustData(baseDir string, gun data.GUN, URL string, rt http.RoundTrip
 	}
 	return nil
 }
+
+// SetLegacyVersions allows the number of legacy versions of the root
+// to be inspected for old signing keys to be configured.
+func (r NotaryRepository) SetLegacyVersions(n int) {
+	r.LegacyVersions = n
+}