Merge pull request #588 from endophage/fix_snapshot_expiry

Fix server signed snapshot expiry/regeneration
notaryproject · Feb 25, 2016 · 3a89320 · 3a89320
2 parents 4904c88 + cb2dd07
commit 3a89320
Show file tree

Hide file tree

Showing 6 changed files with 54 additions and 26 deletions.
diff --git a/client/client.go b/client/client.go
@@ -27,13 +27,7 @@ import (
 )
 
 func init() {
-	data.SetDefaultExpiryTimes(
-		map[string]int{
-			"root":     3650,
-			"targets":  1095,
-			"snapshot": 1095,
-		},
-	)
+	data.SetDefaultExpiryTimes(notary.NotaryDefaultExpiries)
 }
 
 // ErrRepoNotInitialized is returned when trying to publish an uninitialized

diff --git a/const.go b/const.go
@@ -1,5 +1,9 @@
 package notary
 
+import (
+	"time"
+)
+
 // application wide constants
 const (
 	// MaxDownloadSize is the maximum size we'll download for metadata if no limit is given
@@ -24,4 +28,23 @@ const (
 	RootKeysSubdir = "root_keys"
 	// NonRootKeysSubdir is the subdirectory under PrivDir where non-root private keys are stored
 	NonRootKeysSubdir = "tuf_keys"
+
+	// Day is a duration of one day
+	Day  = 24 * time.Hour
+	Year = 365 * Day
+
+	// NotaryRootExpiry is the duration representing the expiry time of the Root role
+	NotaryRootExpiry      = 10 * Year
+	NotaryTargetsExpiry   = 3 * Year
+	NotarySnapshotExpiry  = 3 * Year
+	NotaryTimestampExpiry = 14 * Day
 )
+
+// NotaryDefaultExpiries is the construct used to configure the default expiry times of
+// the various role files.
+var NotaryDefaultExpiries = map[string]time.Duration{
+	"root":      NotaryRootExpiry,
+	"targets":   NotaryTargetsExpiry,
+	"snapshot":  NotarySnapshotExpiry,
+	"timestamp": NotaryTimestampExpiry,
+}
diff --git a/server/server.go b/server/server.go
@@ -9,6 +9,7 @@ import (
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/distribution/health"
 	"github.com/docker/distribution/registry/auth"
+	"github.com/docker/notary"
 	"github.com/docker/notary/server/handlers"
 	"github.com/docker/notary/tuf/data"
 	"github.com/docker/notary/tuf/signed"
@@ -19,11 +20,7 @@ import (
 )
 
 func init() {
-	data.SetDefaultExpiryTimes(
-		map[string]int{
-			"timestamp": 14,
-		},
-	)
+	data.SetDefaultExpiryTimes(notary.NotaryDefaultExpiries)
 }
 
 func prometheusOpts(operation string) prometheus.SummaryOpts {

diff --git a/server/timestamp/timestamp.go b/server/timestamp/timestamp.go
@@ -8,6 +8,7 @@ import (
 	"github.com/docker/notary/tuf/signed"
 
 	"github.com/Sirupsen/logrus"
+	"github.com/docker/notary/server/snapshot"
 	"github.com/docker/notary/server/storage"
 )
 
@@ -49,7 +50,7 @@ func GetOrCreateTimestampKey(gun string, store storage.MetaStore, crypto signed.
 // a new timestamp is generated either because none exists, or because the current
 // one has expired. Once generated, the timestamp is saved in the store.
 func GetOrCreateTimestamp(gun string, store storage.MetaStore, cryptoService signed.CryptoService) ([]byte, error) {
-	snapshot, err := store.GetCurrent(gun, "snapshot")
+	snapshot, err := snapshot.GetOrCreateSnapshot(gun, store, cryptoService)
 	if err != nil {
 		return nil, err
 	}

diff --git a/server/timestamp/timestamp_test.go b/server/timestamp/timestamp_test.go
@@ -52,7 +52,11 @@ func TestGetTimestamp(t *testing.T) {
 	store := storage.NewMemStorage()
 	crypto := signed.NewEd25519()
 
-	snapshot := &data.SignedSnapshot{}
+	snapshot := &data.SignedSnapshot{
+		Signed: data.Snapshot{
+			Expires: data.DefaultExpires(data.CanonicalSnapshotRole),
+		},
+	}
 	snapJSON, _ := json.Marshal(snapshot)
 
 	store.UpdateCurrent("gun", storage.MetaUpdate{Role: "snapshot", Version: 0, Data: snapJSON})
@@ -68,7 +72,11 @@ func TestGetTimestampNewSnapshot(t *testing.T) {
 	store := storage.NewMemStorage()
 	crypto := signed.NewEd25519()
 
-	snapshot := data.SignedSnapshot{}
+	snapshot := &data.SignedSnapshot{
+		Signed: data.Snapshot{
+			Expires: data.DefaultExpires(data.CanonicalSnapshotRole),
+		},
+	}
 	snapshot.Signed.Version = 0
 	snapJSON, _ := json.Marshal(snapshot)
 
@@ -80,7 +88,11 @@ func TestGetTimestampNewSnapshot(t *testing.T) {
 	ts1, err := GetOrCreateTimestamp("gun", store, crypto)
 	assert.Nil(t, err, "GetTimestamp errored")
 
-	snapshot = data.SignedSnapshot{}
+	snapshot = &data.SignedSnapshot{
+		Signed: data.Snapshot{
+			Expires: data.DefaultExpires(data.CanonicalSnapshotRole),
+		},
+	}
 	snapshot.Signed.Version = 1
 	snapJSON, _ = json.Marshal(snapshot)
 

diff --git a/tuf/data/types.go b/tuf/data/types.go
@@ -12,6 +12,7 @@ import (
 
 	"github.com/Sirupsen/logrus"
 	"github.com/docker/go/canonical/json"
+	"github.com/docker/notary"
 )
 
 // SigAlgorithm for types of signatures
@@ -171,16 +172,16 @@ func NewDelegations() *Delegations {
 	}
 }
 
-// defines number of days in which something should expire
-var defaultExpiryTimes = map[string]int{
-	CanonicalRootRole:      365,
-	CanonicalTargetsRole:   90,
-	CanonicalSnapshotRole:  7,
-	CanonicalTimestampRole: 1,
+// These values are recommended TUF expiry times.
+var defaultExpiryTimes = map[string]time.Duration{
+	CanonicalRootRole:      notary.Year,
+	CanonicalTargetsRole:   90 * notary.Day,
+	CanonicalSnapshotRole:  7 * notary.Day,
+	CanonicalTimestampRole: notary.Day,
 }
 
 // SetDefaultExpiryTimes allows one to change the default expiries.
-func SetDefaultExpiryTimes(times map[string]int) {
+func SetDefaultExpiryTimes(times map[string]time.Duration) {
 	for key, value := range times {
 		if _, ok := defaultExpiryTimes[key]; !ok {
 			logrus.Errorf("Attempted to set default expiry for an unknown role: %s", key)
@@ -192,10 +193,10 @@ func SetDefaultExpiryTimes(times map[string]int) {
 
 // DefaultExpires gets the default expiry time for the given role
 func DefaultExpires(role string) time.Time {
-	var t time.Time
-	if t, ok := defaultExpiryTimes[role]; ok {
-		return time.Now().AddDate(0, 0, t)
+	if d, ok := defaultExpiryTimes[role]; ok {
+		return time.Now().Add(d)
 	}
+	var t time.Time
 	return t.UTC().Round(time.Second)
 }