features/commands/deploy_root_metadata.featureRunning behat features/commands/deploy_root_metadata.feature results in:
@rugged @commands-local @deploy-root-metadata @gitlab-196
Feature: Command to deploy completed root metadata.
In order to host TUF metadata
As an administrator
I need to deploy completed root metadata into a repository
Background:
Given I reset Rugged
And local Rugged directories exist
And I generate a complete set of Rugged keys
And I generate complete partial root metadata
And I generate signatures of partial root metadata
Scenario: The 'deploy-root-metadata' Rugged command exists.
When I try to run "sudo sudo -u rugged rugged deploy-root-metadata --help"
Then I should not get:
"""
Error: No such command 'deploy-root-metadata'.
"""
Then I should get:
"""
Usage: rugged deploy-root-metadata [OPTIONS]
Deploy completed root metadata from partial directory into TUF repo.
Options:
--help Show this message and exit.
"""
Scenario: Throw error if there is no partial root metadata.
Given I run the Rugged command "rm /var/rugged/tuf_repo/partial/*.root.json"
And I fail to run the Rugged command "rugged --debug deploy-root-metadata"
Then I should get:
"""
Loading metadata for 'root' from /var/rugged/tuf_repo/partial/1.root.json.
No partial root metadata file to deploy: /var/rugged/tuf_repo/partial/1.root.json
Consider using the 'initialize-partial-root-metadata' or 'initialize-partial-root-metadata-for-update' command to generate partial root metadata.
"""
Scenario: Throw validation error if partial root metadata is incomplete.
Given I fail to run the Rugged command "rugged --debug deploy-root-metadata"
Then I should get:
"""
Loading metadata for 'root' from /var/rugged/tuf_repo/partial/1.root.json.
Retrieved partial Root metadata for version 1 (1.root.json).
Metadata is not valid for deployment: /var/rugged/tuf_repo/partial/1.root.json
Consider using the 'show-partial-root-metadata' command to see invalid components.
"""
Scenario: Deploy root metadata fails if permissions are bad on the tuf repo
Given I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
And I run the Rugged command "mkdir -p /var/rugged/tuf_repo/metadata"
And I run the Rugged command "chmod ugo-w /var/rugged/tuf_repo/metadata"
And I fail to run the Rugged command "rugged --debug deploy-root-metadata"
Then I should get:
"""
Loading metadata for 'root' from /var/rugged/tuf_repo/partial/1.root.json.
Retrieved partial Root metadata for version 1 (1.root.json).
Metadata is valid for deployment.
Deploying partial root metadata (/var/rugged/tuf_repo/partial/1.root.json) into place: /var/rugged/tuf_repo/metadata/1.root.json.
Copying /var/rugged/tuf_repo/partial/1.root.json key to /var/rugged/tuf_repo/metadata/1.root.json.
PermissionError thrown in _deploy_partial_root_metadata: [Errno 13] Permission denied: '/var/rugged/tuf_repo/metadata/1.root.json'
Permission denied while deploying root metadata: /var/rugged/tuf_repo/metadata/1.root.json
"""
And I should not get:
"""
Metadata path not found. Creating:
"""
And I run the Rugged command "chmod ugo+w /var/rugged/tuf_repo/metadata"
Scenario: Deploy root metadata in initial TUF repo (1.root.json)
Given I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
And I run the Rugged command "rm -rf /var/rugged/tuf_repo/metadata"
And I run the Rugged command "rugged --debug deploy-root-metadata"
Then I should get:
"""
Loading metadata for 'root' from /var/rugged/tuf_repo/partial/1.root.json.
Loaded metadata for 'root' role from '/var/rugged/tuf_repo/partial/1.root.json'.
Retrieved partial Root metadata for version 1 (1.root.json).
Metadata is valid for deployment.
Deploying partial root metadata (/var/rugged/tuf_repo/partial/1.root.json) into place: /var/rugged/tuf_repo/metadata/1.root.json.
Metadata path not found. Creating: /var/rugged/tuf_repo/metadata
Copying /var/rugged/tuf_repo/partial/1.root.json key to /var/rugged/tuf_repo/metadata/1.root.json.
"""
When I run the Rugged command "rugged --debug initialize --local"
Then I should get:
"""
debug: Loaded metadata for 'root' role from '/var/rugged/tuf_repo/metadata/1.root.json'.
warning: Initialized 'root' metadata from disk.
TUF repository initialized.
"""
When I run the Rugged command "rugged validate metadata"
Then I should get:
"""
Metadata for the 'root' role is valid.
Metadata for the 'timestamp' role is valid.
Metadata for the 'snapshot' role is valid.
Metadata for the 'targets' role is valid.
"""
Scenario: Re-sign and deploy 2.root.json without any key rotation in order to eg. update the expiry date on root metadata.
Given I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
And I run the Rugged command "rm -rf /var/rugged/tuf_repo/metadata"
And I run the Rugged command "rugged --debug deploy-root-metadata"
And I run the Rugged command "rugged --debug initialize --local"
When I run the Rugged command "rugged --debug initialize-partial-root-metadata-for-update"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug show-partial-root-metadata"
Then I should get:
"""
Metadata is valid for deployment
"""
When I run the Rugged command "rugged --debug deploy-root-metadata"
Then I should get:
"""
Metadata is valid for deployment.
Deploying partial root metadata (/var/rugged/tuf_repo/partial/2.root.json) into place: /var/rugged/tuf_repo/metadata/2.root.json.
debug: Copying /var/rugged/tuf_repo/partial/2.root.json key to /var/rugged/tuf_repo/metadata/2.root.json.
"""
When I run the Rugged command "rugged validate metadata"
Then I should get:
"""
Metadata for the 'root' role is valid.
Metadata for the 'timestamp' role is valid.
Metadata for the 'snapshot' role is valid.
Metadata for the 'targets' role is valid.
"""
Scenario: Add a root key and deploy updated root metadata in already-running TUF repo (2.root.json) without changing online keys
Given I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
And I run the Rugged command "rm -rf /var/rugged/tuf_repo/metadata"
And I run the Rugged command "rugged --debug deploy-root-metadata"
And I run the Rugged command "rugged --debug initialize --local"
When I run the Rugged command "rugged --debug initialize-partial-root-metadata-for-update"
And I run the Rugged command "openssl genpkey -algorithm ED25519 -out /var/rugged/tuf_repo/tmp/root2_private.pem"
And I run the Rugged command "openssl pkey -in /var/rugged/tuf_repo/tmp/root2_private.pem -pubout -out /var/rugged/tuf_repo/tmp/root2_public.pem"
And I run the Rugged command "rugged add-verification-key root /var/rugged/tuf_repo/tmp/root2_public.pem --key-type=pem"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_signature.bin"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_signature.bin"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root2_private.pem -out /var/rugged/tuf_repo/tmp/root2_signature.bin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root2_public.pem /var/rugged/tuf_repo/tmp/root2_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug show-partial-root-metadata"
Then I should get:
"""
Metadata is valid for deployment
"""
When I run the Rugged command "rugged --debug deploy-root-metadata"
Then I should get:
"""
Metadata is valid for deployment.
Deploying partial root metadata (/var/rugged/tuf_repo/partial/2.root.json) into place: /var/rugged/tuf_repo/metadata/2.root.json.
debug: Copying /var/rugged/tuf_repo/partial/2.root.json key to /var/rugged/tuf_repo/metadata/2.root.json.
"""
When I run the Rugged command "rugged validate metadata"
Then I should get:
"""
Metadata for the 'root' role is valid.
Metadata for the 'timestamp' role is valid.
Metadata for the 'snapshot' role is valid.
Metadata for the 'targets' role is valid.
"""
7 scenarios (7 passed)
97 steps (97 passed)