Diffstat (limited to 'deps/npm/node_modules/sigstore/dist/tuf/index.js')
-rw-r--r-- | deps/npm/node_modules/sigstore/dist/tuf/index.js | 114 |
1 files changed, 72 insertions, 42 deletions
diff --git a/deps/npm/node_modules/sigstore/dist/tuf/index.js b/deps/npm/node_modules/sigstore/dist/tuf/index.js
index 1aea238ef3..824bce9105 100644
--- a/deps/npm/node_modules/sigstore/dist/tuf/index.js
+++ b/deps/npm/node_modules/sigstore/dist/tuf/index.js
@@ -1,4 +1,27 @@
 "use strict";
+var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ var desc = Object.getOwnPropertyDescriptor(m, k);
+ if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
+ desc = { enumerable: true, get: function() { return m[k]; } };
+ }
+ Object.defineProperty(o, k2, desc);
+}) : (function(o, m, k, k2) {
+ if (k2 === undefined) k2 = k;
+ o[k2] = m[k];
+}));
+var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
+ Object.defineProperty(o, "default", { enumerable: true, value: v });
+}) : function(o, v) {
+ o["default"] = v;
+});
+var __importStar = (this && this.__importStar) || function (mod) {
+ if (mod && mod.__esModule) return mod;
+ var result = {};
+ if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
+ __setModuleDefault(result, mod);
+ return result;
+};
 var __importDefault = (this && this.__importDefault) || function (mod) {
 return (mod && mod.__esModule) ? mod : { "default": mod };
 };
@@ -22,55 +45,62 @@ limitations under the License.
 const fs_1 = __importDefault(require("fs"));
 const path_1 = __importDefault(require("path"));
 const tuf_js_1 = require("tuf-js");
-const trustroot_1 = require("./trustroot");
-async function getTrustedRoot(cacheDir) {
- initTufCache(cacheDir);
- const repoMap = initRepoMap(cacheDir);
- const repoClients = Object.entries(repoMap.repositories).map(([name, urls]) => initClient(name, urls[0], cacheDir));
- // TODO: Add support for multiple repositories. For now, we just use the first
- // one (the production Sigstore TUF repository).
- const fetcher = new trustroot_1.TrustedRootFetcher(repoClients[0]);
- return fetcher.getTrustedRoot();
+const sigstore = __importStar(require("../types/sigstore"));
+const target_1 = require("./target");
+const TRUSTED_ROOT_TARGET = 'trusted_root.json';
+const DEFAULT_MIRROR_URL = 'https://sigstore-tuf-root.storage.googleapis.com';
+const DEFAULT_TUF_ROOT_PATH = '../../store/public-good-instance-root.json';
+async function getTrustedRoot(cachePath, options = {}) {
+ const tufRootPath = options.rootPath || require.resolve(DEFAULT_TUF_ROOT_PATH);
+ const mirrorURL = options.mirrorURL || DEFAULT_MIRROR_URL;
+ initTufCache(cachePath, tufRootPath);
+ const remote = initRemoteConfig(cachePath, mirrorURL);
+ const repoClient = initClient(cachePath, remote);
+ const trustedRoot = await (0, target_1.getTarget)(repoClient, TRUSTED_ROOT_TARGET);
+ return sigstore.TrustedRoot.fromJSON(JSON.parse(trustedRoot));
 }
 exports.getTrustedRoot = getTrustedRoot;
-// Initializes the root TUF cache directory
-function initTufCache(cacheDir) {
- if (!fs_1.default.existsSync(cacheDir)) {
- fs_1.default.mkdirSync(cacheDir, { recursive: true });
+// Initializes the TUF cache directory structure including the initial
+// root.json file. If the cache directory does not exist, it will be
+// created. If the targets directory does not exist, it will be created.
+// If the root.json file does not exist, it will be copied from the
+// rootPath argument.
+function initTufCache(cachePath, tufRootPath) {
+ const targetsPath = path_1.default.join(cachePath, 'targets');
+ const cachedRootPath = path_1.default.join(cachePath, 'root.json');
+ if (!fs_1.default.existsSync(cachePath)) {
+ fs_1.default.mkdirSync(cachePath, { recursive: true });
 }
-}
-// Initializes the repo map (copying it to the cache root dir) and returns the
-// content of the repository map.
-function initRepoMap(rootDir) {
- const mapDest = path_1.default.join(rootDir, 'map.json');
- if (!fs_1.default.existsSync(mapDest)) {
- const mapSrc = require.resolve('../../store/map.json');
- fs_1.default.copyFileSync(mapSrc, mapDest);
+ if (!fs_1.default.existsSync(targetsPath)) {
+ fs_1.default.mkdirSync(targetsPath);
 }
- const buf = fs_1.default.readFileSync(mapDest);
- return JSON.parse(buf.toString('utf-8'));
+ if (!fs_1.default.existsSync(cachedRootPath)) {
+ fs_1.default.copyFileSync(tufRootPath, cachedRootPath);
+ }
+ return cachePath;
 }
-function initClient(name, url, rootDir) {
- const repoCachePath = path_1.default.join(rootDir, name);
- const targetCachePath = path_1.default.join(repoCachePath, 'targets');
- const tufRootDest = path_1.default.join(repoCachePath, 'root.json');
- // Only copy the TUF trusted root if it doesn't already exist. It's possible
- // that the cached root has already been updated, so we don't want to roll it
- // back.
- if (!fs_1.default.existsSync(tufRootDest)) {
- const tufRootSrc = require.resolve(`../../store/${name}-root.json`);
- fs_1.default.mkdirSync(repoCachePath);
- fs_1.default.copyFileSync(tufRootSrc, tufRootDest);
+// Initializes the remote.json file, which contains the URL of the TUF
+// repository. If the file does not exist, it will be created. If the file
+// exists, it will be parsed and returned.
+function initRemoteConfig(rootDir, mirrorURL) {
+ let remoteConfig;
+ const remoteConfigPath = path_1.default.join(rootDir, 'remote.json');
+ if (fs_1.default.existsSync(remoteConfigPath)) {
+ const data = fs_1.default.readFileSync(remoteConfigPath, 'utf-8');
+ remoteConfig = JSON.parse(data);
 }
- if (!fs_1.default.existsSync(targetCachePath)) {
- fs_1.default.mkdirSync(targetCachePath);
+ if (!remoteConfig) {
+ remoteConfig = { mirror: mirrorURL };
+ fs_1.default.writeFileSync(remoteConfigPath, JSON.stringify(remoteConfig));
 }
- // TODO: Is there some better way to derive the base URL for the targets?
- // Hard-coding for now based on current Sigstore TUF repo layout.
+ return remoteConfig;
+}
+function initClient(cachePath, remote) {
+ const baseURL = remote.mirror;
 return new tuf_js_1.Updater({
- metadataBaseUrl: url,
- targetBaseUrl: `${url}/targets`,
- metadataDir: repoCachePath,
- targetDir: targetCachePath,
+ metadataBaseUrl: baseURL,
+ targetBaseUrl: `${baseURL}/targets`,
+ metadataDir: cachePath,
+ targetDir: path_1.default.join(cachePath, 'targets'),
 });
 }
|
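Review bot: In `initRemoteConfig` an existing `remote.json` always wins, so the `mirrorURL` argument (and therefore `options.mirrorURL` in `getTrustedRoot`) is silently ignored once the cache has been initialised, and whatever `mirror` the file holds is handed unchecked to `initClient` as `baseURL`. If the caller's value is meant to be authoritative, the guard could become `if (!remoteConfig || remoteConfig.mirror !== mirrorURL) {`; if the cached mirror is meant to take precedence, the comment above the function should say so. A `remote.json` that is truncated or lacks a string `mirror` currently surfaces as a raw `JSON.parse` exception or an `undefined/targets` URL, so a type check on `remoteConfig.mirror` before returning would give a clearer failure. The commit also drops the old comment explaining that an existing cached `root.json` is kept so an updated root is not rolled back; that reasoning still applies to the new `initTufCache` and is worth restoring there. The path (`deps/npm/node_modules/sigstore/dist`) suggests vendored build output, so these changes probably belong in the upstream source.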