Diffstat (limited to 'deps/npm/node_modules/sigstore/dist/tuf/index.js')
-rw-r--r--deps/npm/node_modules/sigstore/dist/tuf/index.js114
1 files changed, 72 insertions, 42 deletions
diff --git a/deps/npm/node_modules/sigstore/dist/tuf/index.js b/deps/npm/node_modules/sigstore/dist/tuf/index.js
index 1aea238ef3..824bce9105 100644
--- a/deps/npm/node_modules/sigstore/dist/tuf/index.js
+++ b/deps/npm/node_modules/sigstore/dist/tuf/index.js
@@ -1,4 +1,27 @@
"use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ var desc = Object.getOwnPropertyDescriptor(m, k);
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+ desc = { enumerable: true, get: function() { return m[k]; } };
+ }
+ Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+ o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+ if (mod && mod.__esModule) return mod;
+ var result = {};
+ if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+ __setModuleDefault(result, mod);
+ return result;
+};
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
@@ -22,55 +45,62 @@ limitations under the License.
const fs_1 = __importDefault(require("fs"));
const path_1 = __importDefault(require("path"));
const tuf_js_1 = require("tuf-js");
-const trustroot_1 = require("./trustroot");
-async function getTrustedRoot(cacheDir) {
- initTufCache(cacheDir);
- const repoMap = initRepoMap(cacheDir);
- const repoClients = Object.entries(repoMap.repositories).map(([name, urls]) => initClient(name, urls[0], cacheDir));
- // TODO: Add support for multiple repositories. For now, we just use the first
- // one (the production Sigstore TUF repository).
- const fetcher = new trustroot_1.TrustedRootFetcher(repoClients[0]);
- return fetcher.getTrustedRoot();
+const sigstore = __importStar(require("../types/sigstore"));
+const target_1 = require("./target");
+const TRUSTED_ROOT_TARGET = 'trusted_root.json';
+const DEFAULT_MIRROR_URL = 'https://sigstore-tuf-root.storage.googleapis.com';
+const DEFAULT_TUF_ROOT_PATH = '../../store/public-good-instance-root.json';
+async function getTrustedRoot(cachePath, options = {}) {
+ const tufRootPath = options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH);
+ const mirrorURL = options.mirrorURL || DEFAULT_MIRROR_URL;
+ initTufCache(cachePath, tufRootPath);
+ const remote = initRemoteConfig(cachePath, mirrorURL);
+ const repoClient = initClient(cachePath, remote);
+ const trustedRoot = await (0, target_1.getTarget)(repoClient, TRUSTED_ROOT_TARGET);
+ return sigstore.TrustedRoot.fromJSON(JSON.parse(trustedRoot));
}
exports.getTrustedRoot = getTrustedRoot;
-// Initializes the root TUF cache directory
-function initTufCache(cacheDir) {
- if (!fs_1.default.existsSync(cacheDir)) {
- fs_1.default.mkdirSync(cacheDir, { recursive: true });
+// Initializes the TUF cache directory structure including the initial
+// root.json file. If the cache directory does not exist, it will be
+// created. If the targets directory does not exist, it will be created.
+// If the root.json file does not exist, it will be copied from the
+// rootPath argument.
+function initTufCache(cachePath, tufRootPath) {
+ const targetsPath = path_1.default.join(cachePath, 'targets');
+ const cachedRootPath = path_1.default.join(cachePath, 'root.json');
+ if (!fs_1.default.existsSync(cachePath)) {
+ fs_1.default.mkdirSync(cachePath, { recursive: true });
}
-}
-// Initializes the repo map (copying it to the cache root dir) and returns the
-// content of the repository map.
-function initRepoMap(rootDir) {
- const mapDest = path_1.default.join(rootDir, 'map.json');
- if (!fs_1.default.existsSync(mapDest)) {
- const mapSrc = require.resolve('../../store/map.json');
- fs_1.default.copyFileSync(mapSrc, mapDest);
+ if (!fs_1.default.existsSync(targetsPath)) {
+ fs_1.default.mkdirSync(targetsPath);
}
- const buf = fs_1.default.readFileSync(mapDest);
- return JSON.parse(buf.toString('utf-8'));
+ if (!fs_1.default.existsSync(cachedRootPath)) {
+ fs_1.default.copyFileSync(tufRootPath, cachedRootPath);
+ }
+ return cachePath;
}
-function initClient(name, url, rootDir) {
- const repoCachePath = path_1.default.join(rootDir, name);
- const targetCachePath = path_1.default.join(repoCachePath, 'targets');
- const tufRootDest = path_1.default.join(repoCachePath, 'root.json');
- // Only copy the TUF trusted root if it doesn't already exist. It's possible
- // that the cached root has already been updated, so we don't want to roll it
- // back.
- if (!fs_1.default.existsSync(tufRootDest)) {
- const tufRootSrc = require.resolve(`../../store/${name}-root.json`);
- fs_1.default.mkdirSync(repoCachePath);
- fs_1.default.copyFileSync(tufRootSrc, tufRootDest);
+// Initializes the remote.json file, which contains the URL of the TUF
+// repository. If the file does not exist, it will be created. If the file
+// exists, it will be parsed and returned.
+function initRemoteConfig(rootDir, mirrorURL) {
+ let remoteConfig;
+ const remoteConfigPath = path_1.default.join(rootDir, 'remote.json');
+ if (fs_1.default.existsSync(remoteConfigPath)) {
+ const data = fs_1.default.readFileSync(remoteConfigPath, 'utf-8');
+ remoteConfig = JSON.parse(data);
}
- if (!fs_1.default.existsSync(targetCachePath)) {
- fs_1.default.mkdirSync(targetCachePath);
+ if (!remoteConfig) {
+ remoteConfig = { mirror: mirrorURL };
+ fs_1.default.writeFileSync(remoteConfigPath, JSON.stringify(remoteConfig));
}
- // TODO: Is there some better way to derive the base URL for the targets?
- // Hard-coding for now based on current Sigstore TUF repo layout.
+ return remoteConfig;
+}
+function initClient(cachePath, remote) {
+ const baseURL = remote.mirror;
return new tuf_js_1.Updater({
- metadataBaseUrl: url,
- targetBaseUrl: `${url}/targets`,
- metadataDir: repoCachePath,
- targetDir: targetCachePath,
+ metadataBaseUrl: baseURL,
+ targetBaseUrl: `${baseURL}/targets`,
+ metadataDir: cachePath,
+ targetDir: path_1.default.join(cachePath, 'targets'),
});
}
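Review bot: In `initRemoteConfig`, an existing `remote.json` is returned as parsed with no check on its shape, so a cache file without a string `mirror` leaves `baseURL` undefined in `initClient` and the Updater is built with `undefined/targets`; tightening the guard to `if (!remoteConfig || typeof remoteConfig.mirror !== 'string') {` would regenerate the file instead. The same function ignores its `mirrorURL` argument once the file exists, and `initTufCache` likewise keeps a cached `root.json` over `options.rootPath`, so both caller options only take effect on a fresh cache. Keeping the cached root is presumably deliberate (the removed comment said it avoids rolling back an updated root), and that rationale is worth restoring above the `copyFileSync` call, e.g. `// Never overwrite a cached root.json: it may be newer than the bundled copy.` Because the cache directory now holds both the TUF trust anchor and the mirror URL, write access to it is the trust boundary; both `mkdirSync` calls rely on the default mode, and setting an explicit restrictive `mode` may be worth a follow-up.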