Save verification options to resource and save if versions have a sig…

… available
safing · Sep 28, 2022 · 44dc8df · 44dc8df
1 parent 77a6ab0
commit 44dc8df
Show file tree

Hide file tree

Showing 2 changed files with 39 additions and 13 deletions.
diff --git a/updater/file.go b/updater/file.go
@@ -1,7 +1,6 @@
 package updater
 
 import (
-	"fmt"
 	"io"
 	"os"
 	"strings"
@@ -58,8 +57,7 @@ func (file *File) SigningMetadata() map[string]string {
 // Verify verifies the given file.
 func (file *File) Verify() ([]*filesig.FileData, error) {
 	// Check if verification is configured.
-	verifOpts := file.resource.registry.GetVerificationOptions(file.resource.Identifier)
-	if verifOpts == nil {
+	if file.resource.VerificationOptions == nil {
 		return nil, ErrVerificationNotConfigured
 	}
 
@@ -68,12 +66,12 @@ func (file *File) Verify() ([]*filesig.FileData, error) {
 		file.storagePath,
 		file.storagePath+filesig.Extension,
 		file.SigningMetadata(),
-		verifOpts.TrustStore,
+		file.resource.VerificationOptions.TrustStore,
 	)
 	if err != nil {
-		switch verifOpts.DiskLoadPolicy {
+		switch file.resource.VerificationOptions.DiskLoadPolicy {
 		case SignaturePolicyRequire:
-			return nil, fmt.Errorf("failed to verify file: %w", err)
+			return nil, err
 		case SignaturePolicyWarn:
 			log.Warningf("%s: failed to verify %s: %s", file.resource.registry.Name, file.storagePath, err)
 		case SignaturePolicyDisable:

diff --git a/updater/resource.go b/updater/resource.go
@@ -10,7 +10,9 @@ import (
 
 	semver "github.com/hashicorp/go-version"
 
+	"github.com/safing/jess/filesig"
 	"github.com/safing/portbase/log"
+	"github.com/safing/portbase/utils"
 )
 
 var devVersion *semver.Version
@@ -49,6 +51,9 @@ type Resource struct {
 	// to download the latest version from the updates servers
 	// specified in the resource registry.
 	SelectedVersion *ResourceVersion
+
+	// VerificationOptions holds the verification options for this resource.
+	VerificationOptions *VerificationOptions
 }
 
 // ResourceVersion represents a single version of a resource.
@@ -63,6 +68,9 @@ type ResourceVersion struct {
 	// Available indicates if this version is available locally.
 	Available bool
 
+	// SigAvailable indicates if the signature of this version is available locally.
+	SigAvailable bool
+
 	// CurrentRelease indicates that this is the current release that should be
 	// selected, if possible.
 	CurrentRelease bool
@@ -132,9 +140,7 @@ func (res *Resource) Export() *Resource {
 		SelectedVersion: res.SelectedVersion,
 	}
 	// Copy Versions slice.
-	for i := 0; i < len(res.Versions); i++ {
-		export.Versions[i] = res.Versions[i]
-	}
+	copy(export.Versions, res.Versions)
 
 	return export
 }
@@ -184,9 +190,10 @@ func (res *Resource) AnyVersionAvailable() bool {
 
 func (reg *ResourceRegistry) newResource(identifier string) *Resource {
 	return &Resource{
-		registry:   reg,
-		Identifier: identifier,
-		Versions:   make([]*ResourceVersion, 0, 1),
+		registry:            reg,
+		Identifier:          identifier,
+		Versions:            make([]*ResourceVersion, 0, 1),
+		VerificationOptions: reg.GetVerificationOptions(identifier),
 	}
 }
 
@@ -230,6 +237,12 @@ func (res *Resource) AddVersion(version string, available, currentRelease, preRe
 	// set flags
 	if available {
 		rv.Available = true
+
+		// If available and signatures are enabled for this resource, check if the
+		// signature is available.
+		if res.VerificationOptions != nil && utils.PathExists(rv.storageSigPath()) {
+			rv.SigAvailable = true
+		}
 	}
 	if currentRelease {
 		rv.CurrentRelease = true
@@ -439,8 +452,13 @@ boundarySearch:
 
 	// Purge everything beyond the purge boundary.
 	for _, rv := range res.Versions[purgeBoundary:] {
-		storagePath := rv.storagePath()
+		// Only remove if resource file is actually available.
+		if !rv.Available {
+			continue
+		}
+
 		// Remove resource file.
+		storagePath := rv.storagePath()
 		err := os.Remove(storagePath)
 		if err != nil {
 			log.Warningf("%s: failed to purge resource %s v%s: %s", res.registry.Name, rv.resource.Identifier, rv.VersionNumber, err)
@@ -507,7 +525,17 @@ func (rv *ResourceVersion) versionedPath() string {
 	return GetVersionedPath(rv.resource.Identifier, rv.VersionNumber)
 }
 
+// versionedSigPath returns the versioned identifier of the file signature.
+func (rv *ResourceVersion) versionedSigPath() string {
+	return GetVersionedPath(rv.resource.Identifier, rv.VersionNumber) + filesig.Extension
+}
+
 // storagePath returns the absolute storage path.
 func (rv *ResourceVersion) storagePath() string {
 	return filepath.Join(rv.resource.registry.storageDir.Path, filepath.FromSlash(rv.versionedPath()))
 }
+
+// storageSigPath returns the absolute storage path of the file signature.
+func (rv *ResourceVersion) storageSigPath() string {
+	return rv.storagePath() + filesig.Extension
+}