Support delegations in client

[raphaelgavache]

This PR adds the support of delegations in the client

Notable changes

• support delegations in client.Download, following spec 1.0.19 section 5.6
• root is no longer required in the snapshot meta

Notes

• ignore the commit Add TUF3 php test, this commit only imports test files
• copied TUF3 files from php fixtures to test delegations logic

Follow ups

• add chained root downloading to comply with spec and add other fixtures from php

Review walkthrough

1. data/types.go data/types_test.go

• delegations fields are added to the structs with JSON support
• MatchesPath matches a file to a delegation with the support of Paths and PathHashPrefixes

2. verify/db.go

• reuse DB struct verifiers to verify delegated roles from a parent Targets keys
• delegationsVerifier is added to bypass specific logic dedicated to the 4 top roles

3. client/client.go

• client.Download will now try to fetch FileMeta through the graph of delegations if it's not already cached. Previous pattern was check cache, check local top level Targets. New pattern is check cache, check local top level Targets, check local delegations, download missing delegations.
• root is no longer required in snapshot
• MaxDelegations parameter is introduced to bound a search in the delegations

4. client/delegations.go client/delegations_test.go

• getTargetFileMeta implements the delegation search logic

[trishankatdatadog]

Thanks, @raphaelgavache!

Would you please summarize the changes over the source code, so that we know what to expect while reviewing?

[ethan-lowman-dd]

Thanks Raphael. Here's a first batch of comments. I hope to complete a first pass by tomorrow.

[raphaelgavache]

Thanks Ethan, the delegation verifier code is now a lot cleaner!
I'll apply your other comments tomorrow morning and add an error when both Paths and PathsPrefixes are set to stick to the spec

[trishankatdatadog]

Thanks for your review, @ethan-lowman-dd!

@raphaelgavache: does this implement a single-pass (i.e., look for only one target at a time) or a multi-pass (i.e., look for multiple targets at once) approach to delegations?

[raphaelgavache]

It's the single-pass one that searches for one target at a time

[coveralls]

Pull Request Test Coverage Report for Build 1046833689

• 200 of 235 (85.11%) changed or added relevant lines in 7 files are covered.
• 1 unchanged line in 1 file lost coverage.
• Overall coverage increased (+2.0%) to 69.354%

---

Changes Missing Coverage	Covered Lines	Changed/Added Lines	%
client/client.go	23	24	95.83%
verify/db.go	26	28	92.86%
data/types.go	29	33	87.88%
verify/verify.go	6	11	54.55%
client/errors.go	0	7	0.0%
client/delegations.go	112	128	87.5%

Files with Coverage Reduction	New Missed Lines	%
verify/db.go	1	85.9%

Totals
Change from base Build 987132054:	2.0%
Covered Lines:	1772
Relevant Lines:	2555

---

💛 - Coveralls

[trishankatdatadog]

As a sanity-check, can we cross-check for correctness against this recursive implementation?

[ethan-lowman-dd]

See this branch for the proposed changes from today.

[trishankatdatadog]

first set of comments

[trishankatdatadog]

second round of comments

[trishankatdatadog]

LGTM, the code is super nice!

@joshuagl and @asraa can you pls help review? 🙂

[trishankatdatadog]

@raphaelgavache, one more thing: can you check whether you match paths using glob-style matching?

Meanwhile, I will read your tests to check for correctness...

[hosseinsia]

Shouldn't this be the responsibility of the user to download the very first root.json from a secure channel?

[trishankatdatadog]

Hmm, looks like @mnm678 and @asraa are not maintainers of go-tuf, which is not cool! We should fix this. I'm going to go ahead and merge this in the interesting of unblocking this PR, which has been through extensive review. Thanks again everyone, especially @raphaelgavache!

[raphaelgavache]

Thank you for the reviews!