adding tests and updating functionality to allow roles with too few keys

Signed-off-by: David Lawrence <david.lawrence@docker.com> (github: endophage)

client/client_test.go

@@ -3022,7 +3022,7 @@ func TestRemoveDelegationChangefileApplicable(t *testing.T) {
 	require.NoError(t, applyTargetsChange(repo.tufRepo, changes[2]))
 
 	targetRole = repo.tufRepo.Targets[data.CanonicalTargetsRole]
-	require.Empty(t, targetRole.Signed.Delegations.Roles)
+	require.Len(t, targetRole.Signed.Delegations.Roles, 1)
 	require.Empty(t, targetRole.Signed.Delegations.Keys)
 }
 

client/helpers.go

@@ -4,7 +4,6 @@ import (
 	"encoding/json"
 	"fmt"
 	"net/http"
-	"strings"
 	"time"
 
 	"github.com/Sirupsen/logrus"
@@ -116,10 +115,6 @@ func changeTargetsDelegation(repo *tuf.Repo, c changelist.Change) error {
 			removeTUFKeyIDs = append(removeTUFKeyIDs, canonicalToTUFID[canonID])
 		}
 
-		// If we specify the only keys left delete the role, else just delete specified keys
-		if strings.Join(delgRole.ListKeyIDs(), ";") == strings.Join(removeTUFKeyIDs, ";") && len(td.AddKeys) == 0 {
-			return repo.DeleteDelegation(c.Scope())
-		}
 		err = repo.UpdateDelegationKeys(c.Scope(), td.AddKeys, removeTUFKeyIDs, td.NewThreshold)
 		if err != nil {
 			return err

cmd/notary/delegations.go

@@ -32,7 +32,7 @@ var cmdDelegationRemoveTemplate = usageTemplate{
 	Long:  "Remove KeyID(s) from the specified Role delegation in a specific Global Unique Name.",
 }
 
-var cmdDelegationRemoveKeysTemplate = usageTemplate{
+var cmdDelegationPurgeKeysTemplate = usageTemplate{
 	Use:   "purge [ GUN ]",
 	Short: "Remove KeyID(s) from all delegations it is found in.",
 	Long:  "Remove KeyID(s) from all delegations it is found in, for which the signing keys are available. Warnings will be printed for delegations that cannot be updated.",
@@ -58,9 +58,9 @@ func (d *delegationCommander) GetCommand() *cobra.Command {
 	cmd := cmdDelegationTemplate.ToCommand(nil)
 	cmd.AddCommand(cmdDelegationListTemplate.ToCommand(d.delegationsList))
 
-	cmdRemDelgKeys := cmdDelegationRemoveKeysTemplate.ToCommand(d.delegationRemoveKeys)
-	cmdRemDelgKeys.Flags().StringSliceVar(&d.keyIDs, "key", nil, "Delegation keys to be removed from the GUN")
-	cmd.AddCommand(cmdRemDelgKeys)
+	cmdPurgeDelgKeys := cmdDelegationPurgeKeysTemplate.ToCommand(d.delegationPurgeKeys)
+	cmdPurgeDelgKeys.Flags().StringSliceVar(&d.keyIDs, "key", nil, "Delegation keys to be removed from the GUN")
+	cmd.AddCommand(cmdPurgeDelgKeys)
 
 	cmdRemDelg := cmdDelegationRemoveTemplate.ToCommand(d.delegationRemove)
 	cmdRemDelg.Flags().StringSliceVar(&d.paths, "paths", nil, "List of paths to remove")
@@ -75,10 +75,10 @@ func (d *delegationCommander) GetCommand() *cobra.Command {
 	return cmd
 }
 
-func (d *delegationCommander) delegationRemoveKeys(cmd *cobra.Command, args []string) error {
-	if len(args) > 1 {
+func (d *delegationCommander) delegationPurgeKeys(cmd *cobra.Command, args []string) error {
+	if len(args) != 1 {
 		cmd.Usage()
-		return fmt.Errorf("Please provide a Global Unique Name as an argument to remove")
+		return fmt.Errorf("Please provide a single Global Unique Name as an argument to remove")
 	}
 
 	if len(d.keyIDs) == 0 {

cmd/notary/delegations_test.go

@@ -14,23 +14,36 @@ import (
 	"github.com/stretchr/testify/require"
 )
 
-var testTrustDir = "trust_dir"
-
-func setup() *delegationCommander {
+func setup(trustDir string) *delegationCommander {
 	return &delegationCommander{
 		configGetter: func() (*viper.Viper, error) {
 			mainViper := viper.New()
-			mainViper.Set("trust_dir", testTrustDir)
+			mainViper.Set("trust_dir", trustDir)
 			return mainViper, nil
 		},
 		retriever: nil,
 	}
 }
 
-func TestAddInvalidDelegationName(t *testing.T) {
-	// Cleanup after test
-	defer os.RemoveAll(testTrustDir)
+func TestPurgeDelegationKeys(t *testing.T) {
+	tmpDir, err := ioutil.TempDir("/tmp", "notary-cmd-test-")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+
+	cmdr := setup(tmpDir)
+	cmd := cmdr.GetCommand()
+	err = cmdr.delegationPurgeKeys(cmd, []string{})
+	require.Error(t, err)
+
+	err = cmdr.delegationPurgeKeys(cmd, []string{"gun"})
+	require.Error(t, err)
+
+	cmdr.keyIDs = []string{"abc"}
+	err = cmdr.delegationPurgeKeys(cmd, []string{"gun"})
+	require.NoError(t, err)
+}
 
+func TestAddInvalidDelegationName(t *testing.T) {
 	// Setup certificate
 	tempFile, err := ioutil.TempFile("/tmp", "pemfile")
 	require.NoError(t, err)
@@ -41,17 +54,17 @@ func TestAddInvalidDelegationName(t *testing.T) {
 	defer os.Remove(tempFile.Name())
 
 	// Setup commander
-	commander := setup()
+	tmpDir, err := ioutil.TempDir("/tmp", "notary-cmd-test-")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+	commander := setup(tmpDir)
 
 	// Should error due to invalid delegation name (should be prefixed by "targets/")
 	err = commander.delegationAdd(commander.GetCommand(), []string{"gun", "INVALID_NAME", tempFile.Name()})
 	require.Error(t, err)
 }
 
 func TestAddInvalidDelegationCert(t *testing.T) {
-	// Cleanup after test
-	defer os.RemoveAll(testTrustDir)
-
 	// Setup certificate
 	tempFile, err := ioutil.TempFile("/tmp", "pemfile")
 	require.NoError(t, err)
@@ -62,17 +75,17 @@ func TestAddInvalidDelegationCert(t *testing.T) {
 	defer os.Remove(tempFile.Name())
 
 	// Setup commander
-	commander := setup()
+	tmpDir, err := ioutil.TempDir("/tmp", "notary-cmd-test-")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+	commander := setup(tmpDir)
 
 	// Should error due to expired cert
 	err = commander.delegationAdd(commander.GetCommand(), []string{"gun", "targets/delegation", tempFile.Name(), "--paths", "path"})
 	require.Error(t, err)
 }
 
 func TestAddInvalidShortPubkeyCert(t *testing.T) {
-	// Cleanup after test
-	defer os.RemoveAll(testTrustDir)
-
 	// Setup certificate
 	tempFile, err := ioutil.TempFile("/tmp", "pemfile")
 	require.NoError(t, err)
@@ -83,61 +96,73 @@ func TestAddInvalidShortPubkeyCert(t *testing.T) {
 	defer os.Remove(tempFile.Name())
 
 	// Setup commander
-	commander := setup()
+	tmpDir, err := ioutil.TempDir("/tmp", "notary-cmd-test-")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+	commander := setup(tmpDir)
 
 	// Should error due to short RSA key
 	err = commander.delegationAdd(commander.GetCommand(), []string{"gun", "targets/delegation", tempFile.Name(), "--paths", "path"})
 	require.Error(t, err)
 }
 
 func TestRemoveInvalidDelegationName(t *testing.T) {
-	// Cleanup after test
-	defer os.RemoveAll(testTrustDir)
-
 	// Setup commander
-	commander := setup()
+	tmpDir, err := ioutil.TempDir("/tmp", "notary-cmd-test-")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+	commander := setup(tmpDir)
 
 	// Should error due to invalid delegation name (should be prefixed by "targets/")
-	err := commander.delegationRemove(commander.GetCommand(), []string{"gun", "INVALID_NAME", "fake_key_id1", "fake_key_id2"})
+	err = commander.delegationRemove(commander.GetCommand(), []string{"gun", "INVALID_NAME", "fake_key_id1", "fake_key_id2"})
 	require.Error(t, err)
 }
 
 func TestRemoveAllInvalidDelegationName(t *testing.T) {
-	// Cleanup after test
-	defer os.RemoveAll(testTrustDir)
-
 	// Setup commander
-	commander := setup()
+	tmpDir, err := ioutil.TempDir("/tmp", "notary-cmd-test-")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+	commander := setup(tmpDir)
 
 	// Should error due to invalid delegation name (should be prefixed by "targets/")
-	err := commander.delegationRemove(commander.GetCommand(), []string{"gun", "INVALID_NAME"})
+	err = commander.delegationRemove(commander.GetCommand(), []string{"gun", "INVALID_NAME"})
 	require.Error(t, err)
 }
 
 func TestAddInvalidNumArgs(t *testing.T) {
 	// Setup commander
-	commander := setup()
+	tmpDir, err := ioutil.TempDir("/tmp", "notary-cmd-test-")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+	commander := setup(tmpDir)
 
 	// Should error due to invalid number of args (2 instead of 3)
-	err := commander.delegationAdd(commander.GetCommand(), []string{"not", "enough"})
+	err = commander.delegationAdd(commander.GetCommand(), []string{"not", "enough"})
 	require.Error(t, err)
 }
 
 func TestListInvalidNumArgs(t *testing.T) {
 	// Setup commander
-	commander := setup()
+	tmpDir, err := ioutil.TempDir("/tmp", "notary-cmd-test-")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+	commander := setup(tmpDir)
 
 	// Should error due to invalid number of args (0 instead of 1)
-	err := commander.delegationsList(commander.GetCommand(), []string{})
+	err = commander.delegationsList(commander.GetCommand(), []string{})
 	require.Error(t, err)
 }
 
 func TestRemoveInvalidNumArgs(t *testing.T) {
 	// Setup commander
-	commander := setup()
+	tmpDir, err := ioutil.TempDir("/tmp", "notary-cmd-test-")
+	require.NoError(t, err)
+	defer os.RemoveAll(tmpDir)
+	commander := setup(tmpDir)
 
 	// Should error due to invalid number of args (1 instead of 2)
-	err := commander.delegationRemove(commander.GetCommand(), []string{"notenough"})
+	err = commander.delegationRemove(commander.GetCommand(), []string{"notenough"})
 	require.Error(t, err)
 }
 

cmd/notary/integration_test.go

@@ -555,7 +555,8 @@ func TestClientDelegationsInteraction(t *testing.T) {
 	// list delegations - we should see no delegations
 	output, err = runCommand(t, tempDir, "-s", server.URL, "delegation", "list", "gun")
 	require.NoError(t, err)
-	require.Contains(t, output, "No delegations present in this repository.")
+	require.NotContains(t, output, keyID)
+	require.NotContains(t, output, keyID2)
 
 	// add delegation with multiple certs and multiple paths
 	output, err = runCommand(t, tempDir, "delegation", "add", "gun", "targets/delegation", tempFile.Name(), tempFile2.Name(), "--paths", "path1,path2")

tuf/data/roles_test.go

@@ -105,44 +105,61 @@ func TestErrInvalidRole(t *testing.T) {
 }
 
 func TestIsDelegation(t *testing.T) {
-	require.True(t, IsDelegation(path.Join(CanonicalTargetsRole, "level1")))
-	require.True(t, IsDelegation(
-		path.Join(CanonicalTargetsRole, "level1", "level2", "level3")))
-	require.True(t, IsDelegation(path.Join(CanonicalTargetsRole, "under_score")))
-	require.True(t, IsDelegation(path.Join(CanonicalTargetsRole, "hyphen-hyphen")))
-	require.False(t, IsDelegation(
-		path.Join(CanonicalTargetsRole, strings.Repeat("x", 255-len(CanonicalTargetsRole)))))
-
-	require.False(t, IsDelegation(""))
-	require.False(t, IsDelegation(CanonicalRootRole))
-	require.False(t, IsDelegation(path.Join(CanonicalRootRole, "level1")))
-
-	require.False(t, IsDelegation(CanonicalTargetsRole))
-	require.False(t, IsDelegation(CanonicalTargetsRole+"/"))
-	require.False(t, IsDelegation(path.Join(CanonicalTargetsRole, "level1")+"/"))
-	require.False(t, IsDelegation(path.Join(CanonicalTargetsRole, "UpperCase")))
-
-	require.False(t, IsDelegation(
-		path.Join(CanonicalTargetsRole, "directory")+"/../../traversal"))
-
-	require.False(t, IsDelegation(CanonicalTargetsRole+"///test/middle/slashes"))
-
-	require.False(t, IsDelegation(CanonicalTargetsRole+"/./././"))
-
-	require.False(t, IsDelegation(
-		path.Join("  ", CanonicalTargetsRole, "level1")))
-
-	require.False(t, IsDelegation(
-		path.Join("  "+CanonicalTargetsRole, "level1")))
-
-	require.False(t, IsDelegation(
-		path.Join(CanonicalTargetsRole, "level1"+"  ")))
+	f := require.False
+	tr := require.True
+	for val, check := range map[string]func(require.TestingT, bool, ...interface{}){
+		// false checks
+		path.Join(CanonicalTargetsRole, strings.Repeat("x", 255-len(CanonicalTargetsRole))): f,
+		"":                                                                                  f,
+		CanonicalRootRole:                                                                   f,
+		path.Join(CanonicalRootRole, "level1"):                                              f,
+		CanonicalTargetsRole:                                                                f,
+		CanonicalTargetsRole + "/":                                                          f,
+		path.Join(CanonicalTargetsRole, "level1") + "/":                                     f,
+		path.Join(CanonicalTargetsRole, "UpperCase"):                                        f,
+		path.Join(CanonicalTargetsRole, "directory") + "/../../traversal":                   f,
+		CanonicalTargetsRole + "///test/middle/slashes":                                     f,
+		CanonicalTargetsRole + "/./././":                                                    f,
+		path.Join("  ", CanonicalTargetsRole, "level1"):                                     f,
+		path.Join("  "+CanonicalTargetsRole, "level1"):                                      f,
+		path.Join(CanonicalTargetsRole, "level1"+"  "):                                      f,
+		path.Join(CanonicalTargetsRole, "white   space"+"level2"):                           f,
+		path.Join(CanonicalTargetsRole, strings.Repeat("x", 256-len(CanonicalTargetsRole))): f,
+
+		// true checks
+		path.Join(CanonicalTargetsRole, "level1"):                     tr,
+		path.Join(CanonicalTargetsRole, "level1", "level2", "level3"): tr,
+		path.Join(CanonicalTargetsRole, "under_score"):                tr,
+		path.Join(CanonicalTargetsRole, "hyphen-hyphen"):              tr,
+	} {
+		check(t, IsDelegation(val))
+	}
 
-	require.False(t, IsDelegation(
-		path.Join(CanonicalTargetsRole, "white   space"+"level2")))
+}
 
-	require.False(t, IsDelegation(
-		path.Join(CanonicalTargetsRole, strings.Repeat("x", 256-len(CanonicalTargetsRole)))))
+func TestIsWildDelegation(t *testing.T) {
+	f := require.False
+	tr := require.True
+	for val, check := range map[string]func(require.TestingT, bool, ...interface{}){
+		// false checks
+		CanonicalRootRole:      f,
+		CanonicalTargetsRole:   f,
+		CanonicalSnapshotRole:  f,
+		CanonicalTimestampRole: f,
+		"foo":   f,
+		"foo/*": f,
+		path.Join(CanonicalRootRole, "*"):           f,
+		path.Join(CanonicalSnapshotRole, "*"):       f,
+		path.Join(CanonicalTimestampRole, "*"):      f,
+		path.Join(CanonicalTargetsRole, "*", "foo"): f,
+		path.Join(CanonicalTargetsRole, "*", "*"):   f,
+
+		// true checks
+		path.Join(CanonicalTargetsRole, "*"):        tr,
+		path.Join(CanonicalTargetsRole, "foo", "*"): tr,
+	} {
+		check(t, IsWildDelegation(val))
+	}
 }
 
 func TestValidRoleFunction(t *testing.T) {