diff --git a/client/client.go b/client/client.go index 29404971b..cbb497713 100644 --- a/client/client.go +++ b/client/client.go @@ -27,13 +27,7 @@ import ( ) func init() { - data.SetDefaultExpiryTimes( - map[string]int{ - "root": 3650, - "targets": 1095, - "snapshot": 1095, - }, - ) + data.SetDefaultExpiryTimes(notary.NotaryDefaultExpiries) } // ErrRepoNotInitialized is returned when trying to publish an uninitialized diff --git a/const.go b/const.go index bb1d01c80..566c7f0fb 100644 --- a/const.go +++ b/const.go @@ -1,5 +1,9 @@ package notary +import ( + "time" +) + // application wide constants const ( // MaxDownloadSize is the maximum size we'll download for metadata if no limit is given @@ -24,4 +28,23 @@ const ( RootKeysSubdir = "root_keys" // NonRootKeysSubdir is the subdirectory under PrivDir where non-root private keys are stored NonRootKeysSubdir = "tuf_keys" + + // Day is a duration of one day + Day = 24 * time.Hour + Year = 365 * Day + + // NotaryRootExpiry is the duration representing the expiry time of the Root role + NotaryRootExpiry = 10 * Year + NotaryTargetsExpiry = 3 * Year + NotarySnapshotExpiry = 3 * Year + NotaryTimestampExpiry = 14 * Day ) + +// NotaryDefaultExpiries is the construct used to configure the default expiry times of +// the various role files. +var NotaryDefaultExpiries = map[string]time.Duration{ + "root": NotaryRootExpiry, + "targets": NotaryTargetsExpiry, + "snapshot": NotarySnapshotExpiry, + "timestamp": NotaryTimestampExpiry, +} diff --git a/server/server.go b/server/server.go index 98d1d9c68..2f7ccb580 100644 --- a/server/server.go +++ b/server/server.go @@ -9,6 +9,7 @@ import ( "github.com/Sirupsen/logrus" "github.com/docker/distribution/health" "github.com/docker/distribution/registry/auth" + "github.com/docker/notary" "github.com/docker/notary/server/handlers" "github.com/docker/notary/tuf/data" "github.com/docker/notary/tuf/signed" @@ -19,11 +20,7 @@ import ( ) func init() { - data.SetDefaultExpiryTimes( - map[string]int{ - "timestamp": 14, - }, - ) + data.SetDefaultExpiryTimes(notary.NotaryDefaultExpiries) } func prometheusOpts(operation string) prometheus.SummaryOpts { diff --git a/server/timestamp/timestamp.go b/server/timestamp/timestamp.go index c3aaf9971..2322c11cc 100644 --- a/server/timestamp/timestamp.go +++ b/server/timestamp/timestamp.go @@ -8,6 +8,7 @@ import ( "github.com/docker/notary/tuf/signed" "github.com/Sirupsen/logrus" + "github.com/docker/notary/server/snapshot" "github.com/docker/notary/server/storage" ) @@ -49,7 +50,7 @@ func GetOrCreateTimestampKey(gun string, store storage.MetaStore, crypto signed. // a new timestamp is generated either because none exists, or because the current // one has expired. Once generated, the timestamp is saved in the store. func GetOrCreateTimestamp(gun string, store storage.MetaStore, cryptoService signed.CryptoService) ([]byte, error) { - snapshot, err := store.GetCurrent(gun, "snapshot") + snapshot, err := snapshot.GetOrCreateSnapshot(gun, store, cryptoService) if err != nil { return nil, err } diff --git a/server/timestamp/timestamp_test.go b/server/timestamp/timestamp_test.go index acdf7fe97..fe67456e1 100644 --- a/server/timestamp/timestamp_test.go +++ b/server/timestamp/timestamp_test.go @@ -52,7 +52,11 @@ func TestGetTimestamp(t *testing.T) { store := storage.NewMemStorage() crypto := signed.NewEd25519() - snapshot := &data.SignedSnapshot{} + snapshot := &data.SignedSnapshot{ + Signed: data.Snapshot{ + Expires: data.DefaultExpires(data.CanonicalSnapshotRole), + }, + } snapJSON, _ := json.Marshal(snapshot) store.UpdateCurrent("gun", storage.MetaUpdate{Role: "snapshot", Version: 0, Data: snapJSON}) @@ -68,7 +72,11 @@ func TestGetTimestampNewSnapshot(t *testing.T) { store := storage.NewMemStorage() crypto := signed.NewEd25519() - snapshot := data.SignedSnapshot{} + snapshot := &data.SignedSnapshot{ + Signed: data.Snapshot{ + Expires: data.DefaultExpires(data.CanonicalSnapshotRole), + }, + } snapshot.Signed.Version = 0 snapJSON, _ := json.Marshal(snapshot) @@ -80,7 +88,11 @@ func TestGetTimestampNewSnapshot(t *testing.T) { ts1, err := GetOrCreateTimestamp("gun", store, crypto) assert.Nil(t, err, "GetTimestamp errored") - snapshot = data.SignedSnapshot{} + snapshot = &data.SignedSnapshot{ + Signed: data.Snapshot{ + Expires: data.DefaultExpires(data.CanonicalSnapshotRole), + }, + } snapshot.Signed.Version = 1 snapJSON, _ = json.Marshal(snapshot) diff --git a/tuf/data/types.go b/tuf/data/types.go index 6459b8e66..4de55c4e1 100644 --- a/tuf/data/types.go +++ b/tuf/data/types.go @@ -12,6 +12,7 @@ import ( "github.com/Sirupsen/logrus" "github.com/docker/go/canonical/json" + "github.com/docker/notary" ) // SigAlgorithm for types of signatures @@ -171,16 +172,16 @@ func NewDelegations() *Delegations { } } -// defines number of days in which something should expire -var defaultExpiryTimes = map[string]int{ - CanonicalRootRole: 365, - CanonicalTargetsRole: 90, - CanonicalSnapshotRole: 7, - CanonicalTimestampRole: 1, +// These values are recommended TUF expiry times. +var defaultExpiryTimes = map[string]time.Duration{ + CanonicalRootRole: notary.Year, + CanonicalTargetsRole: 90 * notary.Day, + CanonicalSnapshotRole: 7 * notary.Day, + CanonicalTimestampRole: notary.Day, } // SetDefaultExpiryTimes allows one to change the default expiries. -func SetDefaultExpiryTimes(times map[string]int) { +func SetDefaultExpiryTimes(times map[string]time.Duration) { for key, value := range times { if _, ok := defaultExpiryTimes[key]; !ok { logrus.Errorf("Attempted to set default expiry for an unknown role: %s", key) @@ -192,10 +193,10 @@ func SetDefaultExpiryTimes(times map[string]int) { // DefaultExpires gets the default expiry time for the given role func DefaultExpires(role string) time.Time { - var t time.Time - if t, ok := defaultExpiryTimes[role]; ok { - return time.Now().AddDate(0, 0, t) + if d, ok := defaultExpiryTimes[role]; ok { + return time.Now().Add(d) } + var t time.Time return t.UTC().Round(time.Second) }