chore: update code comments, license year and init testing (theupdate…

…framework#3)

* docs: add comments describing the different types

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: add golangci and codeql

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: begin adding tests

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: add licence notice

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: update licence year to 2023

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: fix linting error

Signed-off-by: Radoslav Dimitrov <[email protected]>

* chore: temp limit ci to ubuntu so we don't waste GHA resources

Signed-off-by: Radoslav Dimitrov <[email protected]>

Signed-off-by: Radoslav Dimitrov <[email protected]>

.github/workflows/ci.yml

@@ -0,0 +1,21 @@
+# Copyright 2022-2023 VMware, Inc.
+#
+# This product is licensed to you under the BSD-2 license (the "License").
+# You may not use this product except in compliance with the BSD-2 License.
+# This product may include a number of subcomponents with separate copyright
+# notices and license terms. Your use of these subcomponents is subject to
+# the terms and conditions of the subcomponent's license, as noted in the
+# LICENSE file.
+#
+# SPDX-License-Identifier: BSD-2-Clause
+on:
+  pull_request:
+  push:
+    branches:
+      - "master"
+    tags:
+      - "v*"
+name: CI
+jobs:
+  tests:
+    uses: ./.github/workflows/tests.yml

.github/workflows/codeql-analysis.yml

@@ -0,0 +1,70 @@
+# For most projects, this workflow file will not need changing; you simply need
+# to commit it to your repository.
+#
+# You may wish to alter this file to override the set of languages analyzed,
+# or to provide custom queries or build logic.
+#
+# ******** NOTE ********
+# We have attempted to detect the languages in your repository. Please check
+# the `language` matrix defined below to confirm you have the correct set of
+# supported CodeQL languages.
+#
+name: "CodeQL"
+
+on:
+  push:
+    branches: [ master ]
+  pull_request:
+    # The branches below must be a subset of the branches above
+    branches: [ master ]
+  schedule:
+    - cron: '25 14 * * 6'
+
+jobs:
+  analyze:
+    name: Analyze
+    runs-on: ubuntu-latest
+    permissions:
+      actions: read
+      contents: read
+      security-events: write
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [ 'go' ]
+        # CodeQL supports [ 'cpp', 'csharp', 'go', 'java', 'javascript', 'python', 'ruby' ]
+        # Learn more about CodeQL language support at https://git.io/codeql-language-support
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v3
+
+    # Initializes the CodeQL tools for scanning.
+    - name: Initialize CodeQL
+      uses: github/codeql-action/init@v2
+      with:
+        languages: ${{ matrix.language }}
+        # If you wish to specify custom queries, you can do so here or in a config file.
+        # By default, queries listed here will override any specified in a config file.
+        # Prefix the list here with "+" to use these queries and those in the config file.
+        # queries: ./path/to/local/query, your-org/your-repo/queries@main
+
+    # Autobuild attempts to build any compiled languages  (C/C++, C#, or Java).
+    # If this step fails, then you should remove it and run the build manually (see below)
+    - name: Autobuild
+      uses: github/codeql-action/autobuild@v2
+
+    # ℹ️ Command-line programs to run using the OS shell.
+    # 📚 https://git.io/JvXDl
+
+    # ✏️ If the Autobuild fails above, remove it and uncomment the following three lines
+    #    and modify them (or add more) to build your code if your project
+    #    uses a compiled language
+
+    #- run: |
+    #   make bootstrap
+    #   make release
+
+    - name: Perform CodeQL Analysis
+      uses: github/codeql-action/analyze@v2

.github/workflows/tests.yml

@@ -0,0 +1,68 @@
+# Copyright 2022-2023 VMware, Inc.
+#
+# This product is licensed to you under the BSD-2 license (the "License").
+# You may not use this product except in compliance with the BSD-2 License.
+# This product may include a number of subcomponents with separate copyright
+# notices and license terms. Your use of these subcomponents is subject to
+# the terms and conditions of the subcomponent's license, as noted in the
+# LICENSE file.
+#
+# SPDX-License-Identifier: BSD-2-Clause
+on:
+  workflow_call:
+name: Tests
+jobs:
+  get-go-versions:
+    name: Collect available Go versions
+    runs-on: ubuntu-latest
+    outputs:
+      matrix: ${{ steps.versions.outputs.matrix }}
+    steps:
+      - uses: actions/checkout@v3
+      - uses: arnested/go-version-action@b556f8d91b644164318c709d28b9083eaf0c064d
+        id: versions
+
+  run:
+    strategy:
+      fail-fast: false # Keep running if one leg fails.
+      matrix:
+        os: [ubuntu-latest] # , macos-latest, windows-latest] Enable later so we don't waste github actions resources
+        go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
+    runs-on: ${{ matrix.os }}
+    needs: get-go-versions
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v3
+
+      - name: Setup - Go ${{ matrix.go-version }}
+        uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+        with:
+          go-version: ${{ matrix.go-version }}
+
+      - name: Run tests
+        run: go test -race -covermode atomic -coverprofile='profile.cov' ./...
+
+      - name: Send coverage
+        uses: shogo82148/actions-goveralls@31ee804b8576ae49f6dc3caa22591bc5080e7920
+        with:
+          path-to-profile: profile.cov
+          flag-name: Go-${{ matrix.go-version }}
+          parallel: true
+
+  golangci:
+    strategy:
+      matrix:
+        go-version: ${{ fromJSON(needs.get-go-versions.outputs.matrix) }}
+        os: [ubuntu-latest] # , macos-latest, windows-latest] Enable later so we don't waste github actions resources
+    runs-on: ${{ matrix.os }}
+    needs: get-go-versions
+    steps:
+      - uses: actions/setup-go@c4a742cab115ed795e34d4513e2cf7d472deb55f
+        with:
+          go-version: ${{ matrix.go-version }}
+      - uses: actions/checkout@v3
+      - name: golangci-lint
+        uses: golangci/golangci-lint-action@07db5389c99593f11ad7b44463c2d4233066a9b1
+        with:
+          version: v1.49
+          args: --timeout 5m --verbose

.golangci.yml

@@ -0,0 +1,26 @@
+# Copyright 2022-2023 VMware, Inc.
+#
+# This product is licensed to you under the BSD-2 license (the "License").
+# You may not use this product except in compliance with the BSD-2 License.
+# This product may include a number of subcomponents with separate copyright
+# notices and license terms. Your use of these subcomponents is subject to
+# the terms and conditions of the subcomponent's license, as noted in the
+# LICENSE file.
+#
+# SPDX-License-Identifier: BSD-2-Clause
+run:
+  # Lint using Go 1.17, since some linters are disabled by default for Go 1.18
+  # until generics are supported.
+  # See https://github.com/golangci/golangci-lint/issues/2649
+  go: "1.17"
+
+linters:
+  disable-all: true
+  enable:
+    - staticcheck
+    - gofmt
+    - govet
+    - gosimple
+    - unused
+    - typecheck
+    - forbidigo

LICENSE

@@ -1,4 +1,4 @@
-Copyright 2022 VMware, Inc.
+Copyright 2022-2023 VMware, Inc.
 
 The BSD-2-Clause license (the "License") set forth below applies to all parts of the go-tuf-metadata project. You may not use this file except in compliance with the License.
 

NOTES.md

@@ -9,3 +9,6 @@
 * Revisit the design - should we use generics or just 4 different types for each metadata?
 * Investigate whether depending on `sigstore/signatures` can cause dependency cycle and if so, how to avoid it?
 * Add support for storing/loading metadata and target files from AWS S3 buckets
+* Make sure keys can be unmarshalled - https://github.com/theupdateframework/go-tuf/issues/363#issuecomment-1227340241
+* Revisit logging
+* Searching through delegations

NOTICE

@@ -1,4 +1,4 @@
-Copyright 2022 VMware, Inc.
+Copyright 2022-2023 VMware, Inc.
 
 This product is licensed to you under the BSD-2 license (the "License").
 You may not use this product except in compliance with the BSD-2 License.

examples/client/client_example.go

@@ -1,4 +1,4 @@
-// Copyright 2022 VMware, Inc.
+// Copyright 2022-2023 VMware, Inc.
 //
 // This product is licensed to you under the BSD-2 license (the "License").
 // You may not use this product except in compliance with the BSD-2 License.

examples/repository/basic_repository.go

@@ -1,4 +1,4 @@
-// Copyright 2022 VMware, Inc.
+// Copyright 2022-2023 VMware, Inc.
 //
 // This product is licensed to you under the BSD-2 license (the "License").
 // You may not use this product except in compliance with the BSD-2 License.
@@ -74,7 +74,7 @@ func main() {
 	// hash and length of this file at the local path. In addition, it specifies the
 	// 'target path', which a client uses to locate the target file relative to a
 	// configured mirror base URL.
-	// 	   |----base URL---||--------target path--------|
+	//     |----base URL---||--------target path--------|
 	// e.g. tuf-examples.org/examples/basic_repository.py
 	targetPath, localPath := helperGetPathForTarget("basic_repository.go")
 	targetFileInfo, err := metadata.TargetFile().FromFile(localPath, "sha256")

go.mod

@@ -6,15 +6,18 @@ require (
 	github.com/secure-systems-lab/go-securesystemslib v0.4.0
 	github.com/sigstore/sigstore v1.5.0
 	github.com/sirupsen/logrus v1.9.0
+	github.com/stretchr/testify v1.8.1
 	golang.org/x/crypto v0.5.0
 	golang.org/x/exp v0.0.0-20221208152030-732eee02a75a
 )
 
 require (
+	github.com/davecgh/go-spew v1.1.1 // indirect
 	github.com/golang/protobuf v1.5.2 // indirect
 	github.com/google/go-containerregistry v0.12.1 // indirect
 	github.com/letsencrypt/boulder v0.0.0-20221109233200-85aa52084eaf // indirect
 	github.com/opencontainers/go-digest v1.0.0 // indirect
+	github.com/pmezard/go-difflib v1.0.0 // indirect
 	github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 // indirect
 	github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 // indirect
 	golang.org/x/net v0.5.0 // indirect

go.sum

@@ -38,8 +38,13 @@ github.com/sigstore/sigstore v1.5.0/go.mod h1:fRAaZ9xXh7ZQ0GJqZdpmNJ3pemuHBu2PgI
 github.com/sirupsen/logrus v1.9.0 h1:trlNQbNUG3OdDrDil03MCb1H2o9nJ1x4/5LYw7byDE0=
 github.com/sirupsen/logrus v1.9.0/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/stretchr/objx v0.1.0/go.mod h1:HFkY916IF+rwdDfMAkV7OtwuqBVzrE8GR6GFx+wExME=
+github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSSt89Yw=
+github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
+github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1 h1:w7B6lhMri9wdJUVmEZPGGhZzrYTPvgJArz7wNPgYKsk=
+github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
 github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4 h1:1i/Afw3rmaR1gF3sfVkG2X6ldkikQwA9zY380LrR5YI=
 github.com/theupdateframework/go-tuf v0.5.2-0.20220930112810-3890c1e7ace4/go.mod h1:vAqWV3zEs89byeFsAYoh/Q14vJTgJkHwnnRCWBBBINY=
 github.com/titanous/rocacheck v0.0.0-20171023193734-afe73141d399 h1:e/5i7d4oYZ+C1wj2THlRK+oAhjeS/TRQwMfkIuet3w0=

metadata/config/config.go

@@ -1,4 +1,4 @@
-// Copyright 2022 VMware, Inc.
+// Copyright 2022-2023 VMware, Inc.
 //
 // This product is licensed to you under the BSD-2 license (the "License").
 // You may not use this product except in compliance with the BSD-2 License.

metadata/fetcher/fetcher.go

@@ -1,4 +1,4 @@
-// Copyright 2022 VMware, Inc.
+// Copyright 2022-2023 VMware, Inc.
 //
 // This product is licensed to you under the BSD-2 license (the "License").
 // You may not use this product except in compliance with the BSD-2 License.

metadata/keys.go

@@ -1,4 +1,4 @@
-// Copyright 2022 VMware, Inc.
+// Copyright 2022-2023 VMware, Inc.
 //
 // This product is licensed to you under the BSD-2 license (the "License").
 // You may not use this product except in compliance with the BSD-2 License.

metadata/metadata.go

@@ -1,4 +1,4 @@
-// Copyright 2022 VMware, Inc.
+// Copyright 2022-2023 VMware, Inc.
 //
 // This product is licensed to you under the BSD-2 license (the "License").
 // You may not use this product except in compliance with the BSD-2 License.

metadata/metadata_test.go

@@ -0,0 +1,54 @@
+// Copyright 2022-2023 VMware, Inc.
+//
+// This product is licensed to you under the BSD-2 license (the "License").
+// You may not use this product except in compliance with the BSD-2 License.
+// This product may include a number of subcomponents with separate copyright
+// notices and license terms. Your use of these subcomponents is subject to
+// the terms and conditions of the subcomponent's license, as noted in the
+// LICENSE file.
+//
+// SPDX-License-Identifier: BSD-2-Clause
+
+package metadata
+
+import (
+	"testing"
+	"time"
+
+	"github.com/stretchr/testify/assert"
+)
+
+func TestRootDefaultValues(t *testing.T) {
+	// without setting expiration
+	root := Root()
+	assert.NotNil(t, root)
+	assert.GreaterOrEqual(t, []time.Time{time.Now().UTC()}[0], root.Signed.Expires)
+
+	// setting expiration
+	expire := time.Now().AddDate(0, 0, 2).UTC()
+	root = Root(expire)
+	assert.NotNil(t, root)
+	assert.Equal(t, expire, root.Signed.Expires)
+
+	// Type
+	assert.Equal(t, ROOT, root.Signed.Type)
+
+	// SpecVersion
+	assert.Equal(t, SPECIFICATION_VERSION, root.Signed.SpecVersion)
+
+	// Version
+	assert.Equal(t, int64(1), root.Signed.Version)
+
+	// Threshold and KeyIDs for Roles
+	for _, role := range []string{ROOT, SNAPSHOT, TARGETS, TIMESTAMP} {
+		assert.Equal(t, 1, root.Signed.Roles[role].Threshold)
+		assert.Equal(t, []string{}, root.Signed.Roles[role].KeyIDs)
+	}
+
+	// Keys
+	assert.Equal(t, map[string]*Key{}, root.Signed.Keys)
+
+	// Consistent snapshot
+	assert.True(t, root.Signed.ConsistentSnapshot)
+
+}

metadata/repository/repository.go

@@ -1,4 +1,4 @@
-// Copyright 2022 VMware, Inc.
+// Copyright 2022-2023 VMware, Inc.
 //
 // This product is licensed to you under the BSD-2 license (the "License").
 // You may not use this product except in compliance with the BSD-2 License.

metadata/trustedmetadata/trustedmetadata.go

@@ -1,4 +1,4 @@
-// Copyright 2022 VMware, Inc.
+// Copyright 2022-2023 VMware, Inc.
 //
 // This product is licensed to you under the BSD-2 license (the "License").
 // You may not use this product except in compliance with the BSD-2 License.
@@ -66,7 +66,7 @@ func (trusted *TrustedMetadata) loadTrustedRoot(rootData []byte) error {
 	}
 	// save root if verified
 	trusted.Root = newRoot
-	log.Debugf("Loaded trusted root v", trusted.Root.Signed.Version)
+	log.Debugf("Loaded trusted root v%d", trusted.Root.Signed.Version)
 	return nil
 }