1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
|
"use strict";
var __importDefault = (this && this.__importDefault) || function (mod) {
return (mod && mod.__esModule) ? mod : { "default": mod };
};
Object.defineProperty(exports, "__esModule", { value: true });
exports.SuccinctRoles = exports.DelegatedRole = exports.Role = exports.TOP_LEVEL_ROLE_NAMES = void 0;
const crypto_1 = __importDefault(require("crypto"));
const minimatch_1 = __importDefault(require("minimatch"));
const util_1 = __importDefault(require("util"));
const error_1 = require("./error");
const utils_1 = require("./utils");
exports.TOP_LEVEL_ROLE_NAMES = [
'root',
'targets',
'snapshot',
'timestamp',
];
/**
* Container that defines which keys are required to sign roles metadata.
*
* Role defines how many keys are required to successfully sign the roles
* metadata, and which keys are accepted.
*/
class Role {
constructor(options) {
const { keyIDs, threshold, unrecognizedFields } = options;
if (hasDuplicates(keyIDs)) {
throw new error_1.ValueError('duplicate key IDs found');
}
if (threshold < 1) {
throw new error_1.ValueError('threshold must be at least 1');
}
this.keyIDs = keyIDs;
this.threshold = threshold;
this.unrecognizedFields = unrecognizedFields || {};
}
equals(other) {
if (!(other instanceof Role)) {
return false;
}
return (this.threshold === other.threshold &&
util_1.default.isDeepStrictEqual(this.keyIDs, other.keyIDs) &&
util_1.default.isDeepStrictEqual(this.unrecognizedFields, other.unrecognizedFields));
}
toJSON() {
return {
keyids: this.keyIDs,
threshold: this.threshold,
...this.unrecognizedFields,
};
}
static fromJSON(data) {
const { keyids, threshold, ...rest } = data;
if (!utils_1.guard.isStringArray(keyids)) {
throw new TypeError('keyids must be an array');
}
if (typeof threshold !== 'number') {
throw new TypeError('threshold must be a number');
}
return new Role({
keyIDs: keyids,
threshold,
unrecognizedFields: rest,
});
}
}
exports.Role = Role;
function hasDuplicates(array) {
return new Set(array).size !== array.length;
}
/**
* A container with information about a delegated role.
*
* A delegation can happen in two ways:
* - ``paths`` is set: delegates targets matching any path pattern in ``paths``
* - ``pathHashPrefixes`` is set: delegates targets whose target path hash
* starts with any of the prefixes in ``pathHashPrefixes``
*
* ``paths`` and ``pathHashPrefixes`` are mutually exclusive: both cannot be
* set, at least one of them must be set.
*/
class DelegatedRole extends Role {
constructor(opts) {
super(opts);
const { name, terminating, paths, pathHashPrefixes } = opts;
this.name = name;
this.terminating = terminating;
if (opts.paths && opts.pathHashPrefixes) {
throw new error_1.ValueError('paths and pathHashPrefixes are mutually exclusive');
}
this.paths = paths;
this.pathHashPrefixes = pathHashPrefixes;
}
equals(other) {
if (!(other instanceof DelegatedRole)) {
return false;
}
return (super.equals(other) &&
this.name === other.name &&
this.terminating === other.terminating &&
util_1.default.isDeepStrictEqual(this.paths, other.paths) &&
util_1.default.isDeepStrictEqual(this.pathHashPrefixes, other.pathHashPrefixes));
}
isDelegatedPath(targetFilepath) {
if (this.paths) {
return this.paths.some((pathPattern) => isTargetInPathPattern(targetFilepath, pathPattern));
}
if (this.pathHashPrefixes) {
const hasher = crypto_1.default.createHash('sha256');
const pathHash = hasher.update(targetFilepath).digest('hex');
return this.pathHashPrefixes.some((pathHashPrefix) => pathHash.startsWith(pathHashPrefix));
}
return false;
}
toJSON() {
const json = {
...super.toJSON(),
name: this.name,
terminating: this.terminating,
};
if (this.paths) {
json.paths = this.paths;
}
if (this.pathHashPrefixes) {
json.path_hash_prefixes = this.pathHashPrefixes;
}
return json;
}
static fromJSON(data) {
const { keyids, threshold, name, terminating, paths, path_hash_prefixes, ...rest } = data;
if (!utils_1.guard.isStringArray(keyids)) {
throw new TypeError('keyids must be an array of strings');
}
if (typeof threshold !== 'number') {
throw new TypeError('threshold must be a number');
}
if (typeof name !== 'string') {
throw new TypeError('name must be a string');
}
if (typeof terminating !== 'boolean') {
throw new TypeError('terminating must be a boolean');
}
if (utils_1.guard.isDefined(paths) && !utils_1.guard.isStringArray(paths)) {
throw new TypeError('paths must be an array of strings');
}
if (utils_1.guard.isDefined(path_hash_prefixes) &&
!utils_1.guard.isStringArray(path_hash_prefixes)) {
throw new TypeError('path_hash_prefixes must be an array of strings');
}
return new DelegatedRole({
keyIDs: keyids,
threshold,
name,
terminating,
paths,
pathHashPrefixes: path_hash_prefixes,
unrecognizedFields: rest,
});
}
}
exports.DelegatedRole = DelegatedRole;
// JS version of Ruby's Array#zip
const zip = (a, b) => a.map((k, i) => [k, b[i]]);
function isTargetInPathPattern(target, pattern) {
const targetParts = target.split('/');
const patternParts = pattern.split('/');
if (patternParts.length != targetParts.length) {
return false;
}
return zip(targetParts, patternParts).every(([targetPart, patternPart]) => (0, minimatch_1.default)(targetPart, patternPart));
}
/**
* Succinctly defines a hash bin delegation graph.
*
* A ``SuccinctRoles`` object describes a delegation graph that covers all
* targets, distributing them uniformly over the delegated roles (i.e. bins)
* in the graph.
*
* The total number of bins is 2 to the power of the passed ``bit_length``.
*
* Bin names are the concatenation of the passed ``name_prefix`` and a
* zero-padded hex representation of the bin index separated by a hyphen.
*
* The passed ``keyids`` and ``threshold`` is used for each bin, and each bin
* is 'terminating'.
*
* For details: https://github.com/theupdateframework/taps/blob/master/tap15.md
*/
class SuccinctRoles extends Role {
constructor(opts) {
super(opts);
const { bitLength, namePrefix } = opts;
if (bitLength <= 0 || bitLength > 32) {
throw new error_1.ValueError('bitLength must be between 1 and 32');
}
this.bitLength = bitLength;
this.namePrefix = namePrefix;
// Calculate the suffix_len value based on the total number of bins in
// hex. If bit_length = 10 then number_of_bins = 1024 or bin names will
// have a suffix between "000" and "3ff" in hex and suffix_len will be 3
// meaning the third bin will have a suffix of "003".
this.numberOfBins = Math.pow(2, bitLength);
// suffix_len is calculated based on "number_of_bins - 1" as the name
// of the last bin contains the number "number_of_bins -1" as a suffix.
this.suffixLen = (this.numberOfBins - 1).toString(16).length;
}
equals(other) {
if (!(other instanceof SuccinctRoles)) {
return false;
}
return (super.equals(other) &&
this.bitLength === other.bitLength &&
this.namePrefix === other.namePrefix);
}
/***
* Calculates the name of the delegated role responsible for 'target_filepath'.
*
* The target at path ''target_filepath' is assigned to a bin by casting
* the left-most 'bit_length' of bits of the file path hash digest to
* int, using it as bin index between 0 and '2**bit_length - 1'.
*
* Args:
* target_filepath: URL path to a target file, relative to a base
* targets URL.
*/
getRoleForTarget(targetFilepath) {
const hasher = crypto_1.default.createHash('sha256');
const hasherBuffer = hasher.update(targetFilepath).digest();
// can't ever need more than 4 bytes (32 bits).
const hashBytes = hasherBuffer.subarray(0, 4);
// Right shift hash bytes, so that we only have the leftmost
// bit_length bits that we care about.
const shiftValue = 32 - this.bitLength;
const binNumber = hashBytes.readUInt32BE() >>> shiftValue;
// Add zero padding if necessary and cast to hex the suffix.
const suffix = binNumber.toString(16).padStart(this.suffixLen, '0');
return `${this.namePrefix}-${suffix}`;
}
*getRoles() {
for (let i = 0; i < this.numberOfBins; i++) {
const suffix = i.toString(16).padStart(this.suffixLen, '0');
yield `${this.namePrefix}-${suffix}`;
}
}
/***
* Determines whether the given ``role_name`` is in one of
* the delegated roles that ``SuccinctRoles`` represents.
*
* Args:
* role_name: The name of the role to check against.
*/
isDelegatedRole(roleName) {
const desiredPrefix = this.namePrefix + '-';
if (!roleName.startsWith(desiredPrefix)) {
return false;
}
const suffix = roleName.slice(desiredPrefix.length, roleName.length);
if (suffix.length != this.suffixLen) {
return false;
}
// make sure the suffix is a hex string
if (!suffix.match(/^[0-9a-fA-F]+$/)) {
return false;
}
const num = parseInt(suffix, 16);
return 0 <= num && num < this.numberOfBins;
}
toJSON() {
const json = {
...super.toJSON(),
bit_length: this.bitLength,
name_prefix: this.namePrefix,
};
return json;
}
static fromJSON(data) {
const { keyids, threshold, bit_length, name_prefix, ...rest } = data;
if (!utils_1.guard.isStringArray(keyids)) {
throw new TypeError('keyids must be an array of strings');
}
if (typeof threshold !== 'number') {
throw new TypeError('threshold must be a number');
}
if (typeof bit_length !== 'number') {
throw new TypeError('bit_length must be a number');
}
if (typeof name_prefix !== 'string') {
throw new TypeError('name_prefix must be a string');
}
return new SuccinctRoles({
keyIDs: keyids,
threshold,
bitLength: bit_length,
namePrefix: name_prefix,
unrecognizedFields: rest,
});
}
}
exports.SuccinctRoles = SuccinctRoles;
|
