Feature: Command to deploy completed root metadata.

Test results for features/commands/deploy_root_metadata.feature

Running behat features/commands/deploy_root_metadata.feature results in:

@rugged @commands-local @deploy-root-metadata @gitlab-196
Feature: Command to deploy completed root metadata.
  In order to host TUF metadata
  As an administrator
  I need to deploy completed root metadata into a repository

  Background:
    Given I reset Rugged
    And local Rugged directories exist
    And I generate a complete set of Rugged keys
    And I generate complete partial root metadata
    And I generate signatures of partial root metadata

  Scenario: The 'deploy-root-metadata' Rugged command exists.
    When I try to run "sudo sudo -u rugged rugged deploy-root-metadata --help"
    Then I should not get:
      """
      Error: No such command 'deploy-root-metadata'.
      """
    Then I should get:
      """
      Usage: rugged deploy-root-metadata [OPTIONS]
      
        Deploy completed root metadata from partial directory into TUF repo.
      
      Options:
        --help  Show this message and exit.
      """

  Scenario: Throw error if there is no partial root metadata.
    Given I run the Rugged command "rm /var/rugged/tuf_repo/partial/*.root.json"
    And I fail to run the Rugged command "rugged --debug deploy-root-metadata"
    Then I should get:
      """
      Loading metadata for 'root' from /var/rugged/tuf_repo/partial/1.root.json.
      No partial root metadata file to deploy: /var/rugged/tuf_repo/partial/1.root.json
      Consider using the 'initialize-partial-root-metadata' or 'initialize-partial-root-metadata-for-update' command to generate partial root metadata.
      """

  Scenario: Throw validation error if partial root metadata is incomplete.
    Given I fail to run the Rugged command "rugged --debug deploy-root-metadata"
    Then I should get:
      """
      Loading metadata for 'root' from /var/rugged/tuf_repo/partial/1.root.json.
      Retrieved partial Root metadata for version 1 (1.root.json).
      Metadata is not valid for deployment: /var/rugged/tuf_repo/partial/1.root.json
      Consider using the 'show-partial-root-metadata' command to see invalid components.
      """

  Scenario: Deploy root metadata fails if permissions are bad on the tuf repo
    Given I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    And I run the Rugged command "mkdir -p /var/rugged/tuf_repo/metadata"
    And I run the Rugged command "chmod ugo-w /var/rugged/tuf_repo/metadata"
    And I fail to run the Rugged command "rugged --debug deploy-root-metadata"
    Then I should get:
      """
      Loading metadata for 'root' from /var/rugged/tuf_repo/partial/1.root.json.
      Retrieved partial Root metadata for version 1 (1.root.json).
      Metadata is valid for deployment.
      Deploying partial root metadata (/var/rugged/tuf_repo/partial/1.root.json) into place: /var/rugged/tuf_repo/metadata/1.root.json.
      Copying /var/rugged/tuf_repo/partial/1.root.json key to /var/rugged/tuf_repo/metadata/1.root.json.
      PermissionError thrown in _deploy_partial_root_metadata: [Errno 13] Permission denied: '/var/rugged/tuf_repo/metadata/1.root.json'
      Permission denied while deploying root metadata: /var/rugged/tuf_repo/metadata/1.root.json
      """
    And I should not get:
      """
      Metadata path not found. Creating: 
      """
    And I run the Rugged command "chmod ugo+w /var/rugged/tuf_repo/metadata"

  Scenario: Deploy root metadata in initial TUF repo (1.root.json)
    Given I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    And I run the Rugged command "rm -rf /var/rugged/tuf_repo/metadata"
    And I run the Rugged command "rugged --debug deploy-root-metadata"
    Then I should get:
      """
      Loading metadata for 'root' from /var/rugged/tuf_repo/partial/1.root.json.
      Loaded metadata for 'root' role from '/var/rugged/tuf_repo/partial/1.root.json'.
      Retrieved partial Root metadata for version 1 (1.root.json).
      Metadata is valid for deployment.
      Deploying partial root metadata (/var/rugged/tuf_repo/partial/1.root.json) into place: /var/rugged/tuf_repo/metadata/1.root.json.
      Metadata path not found. Creating: /var/rugged/tuf_repo/metadata
      Copying /var/rugged/tuf_repo/partial/1.root.json key to /var/rugged/tuf_repo/metadata/1.root.json.
      """
    When I run the Rugged command "rugged --debug initialize --local"
    Then I should get:
      """
      debug: Loaded metadata for 'root' role from '/var/rugged/tuf_repo/metadata/1.root.json'.
      warning: Initialized 'root' metadata from disk.
      TUF repository initialized.
      """
    When I run the Rugged command "rugged validate metadata"
    Then I should get:
      """
      Metadata for the 'root' role is valid.
      Metadata for the 'timestamp' role is valid.
      Metadata for the 'snapshot' role is valid.
      Metadata for the 'targets' role is valid.
      """

  Scenario: Re-sign and deploy 2.root.json without any key rotation in order to eg. update the expiry date on root metadata.
    Given I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    And I run the Rugged command "rm -rf /var/rugged/tuf_repo/metadata"
    And I run the Rugged command "rugged --debug deploy-root-metadata"
    And I run the Rugged command "rugged --debug initialize --local"
    When I run the Rugged command "rugged --debug initialize-partial-root-metadata-for-update"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug show-partial-root-metadata"
    Then I should get:
      """
      Metadata is valid for deployment
      """
    When I run the Rugged command "rugged --debug deploy-root-metadata"
    Then I should get:
      """
      Metadata is valid for deployment.
      Deploying partial root metadata (/var/rugged/tuf_repo/partial/2.root.json) into place: /var/rugged/tuf_repo/metadata/2.root.json.
      debug: Copying /var/rugged/tuf_repo/partial/2.root.json key to /var/rugged/tuf_repo/metadata/2.root.json.
      """
    When I run the Rugged command "rugged validate metadata"
    Then I should get:
      """
      Metadata for the 'root' role is valid.
      Metadata for the 'timestamp' role is valid.
      Metadata for the 'snapshot' role is valid.
      Metadata for the 'targets' role is valid.
      """

  Scenario: Add a root key and deploy updated root metadata in already-running TUF repo (2.root.json) without changing online keys
    Given I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    And I run the Rugged command "rm -rf /var/rugged/tuf_repo/metadata"
    And I run the Rugged command "rugged --debug deploy-root-metadata"
    And I run the Rugged command "rugged --debug initialize --local"
    When I run the Rugged command "rugged --debug initialize-partial-root-metadata-for-update"
    And I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
    And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
    And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root2_public.pem --key-type=pem"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
    And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
    And I run the Rugged command "rugged --debug show-partial-root-metadata"
    Then I should get:
      """
      Metadata is valid for deployment
      """
    When I run the Rugged command "rugged --debug deploy-root-metadata"
    Then I should get:
      """
      Metadata is valid for deployment.
      Deploying partial root metadata (/var/rugged/tuf_repo/partial/2.root.json) into place: /var/rugged/tuf_repo/metadata/2.root.json.
      debug: Copying /var/rugged/tuf_repo/partial/2.root.json key to /var/rugged/tuf_repo/metadata/2.root.json.
      """
    When I run the Rugged command "rugged validate metadata"
    Then I should get:
      """
      Metadata for the 'root' role is valid.
      Metadata for the 'timestamp' role is valid.
      Metadata for the 'snapshot' role is valid.
      Metadata for the 'targets' role is valid.
      """

7 scenarios (7 passed)
97 steps (97 passed)
This work is licensed under a Creative Commons Attribution-NonCommercial-ShareAlike 4.0 International License.
Rugged TUF Server is a trademark of Consensus Enterprises.