features/security/rotate_online_keys.featureRunning behat features/security/rotate_online_keys.feature results in:
@rugged @security @rotate-online-keys
Feature: Rotate online keys.
In order to keep a TUF systems secure,
As a TUF administrator
I need to be able to rotate online keys reliably.
Background:
Given I reset Rugged
And local Rugged directories exist
And I generate a complete set of Rugged keys
And I generate complete partial root metadata
And I generate signatures of partial root metadata
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_signature.bin --key-type=pem"
And I run the Rugged command "rm -rf /var/rugged/tuf_repo/metadata"
And I run the Rugged command "rugged --debug deploy-root-metadata"
And I run the Rugged command "rugged --debug initialize --local"
And I run the Rugged command "rugged --debug initialize-partial-root-metadata-for-update"
Scenario Outline: Rotate online key and deploy updated root metadata in already-running TUF repo (2.root.json)
When I run the Rugged command "rugged remove-verification-key --yes `cat /var/rugged/tuf_repo/partial/2.root.json | jq .signed.roles.<ROLE>.keyids | jq 'nth(0)' -r`"
And I run the rugged command "rm /var/rugged/verification_keys/<ROLE>/<ROLE>.pub /var/rugged/signing_keys/<ROLE>/<ROLE>"
And I run the Rugged command "rugged generate-keys --local --role=<ROLE>"
And I run the Rugged command "rugged add-verification-key <ROLE> /var/rugged/verification_keys/<ROLE>/<ROLE>.pub"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root_private.pem -out /var/rugged/tuf_repo/tmp/root_new_signature.bin"
And I run the Rugged command "openssl pkeyutl -verify -sigfile /var/rugged/tuf_repo/tmp/root_new_signature.bin -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -inkey /var/rugged/tuf_repo/tmp/root_public.pem -pubin"
And I run the Rugged command "openssl pkeyutl -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -sign -inkey /var/rugged/tuf_repo/tmp/root1_private.pem -out /var/rugged/tuf_repo/tmp/root1_new_signature.bin"
And I run the Rugged command "openssl pkeyutl -verify -sigfile /var/rugged/tuf_repo/tmp/root1_new_signature.bin -in /var/rugged/tuf_repo/partial/signable-2.root.json -rawin -inkey /var/rugged/tuf_repo/tmp/root1_public.pem -pubin"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root_public.pem /var/rugged/tuf_repo/tmp/root_new_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug add-root-signature /var/rugged/tuf_repo/tmp/root1_public.pem /var/rugged/tuf_repo/tmp/root1_new_signature.bin --key-type=pem"
And I run the Rugged command "rugged --debug show-partial-root-metadata"
Then I should get:
"""
Metadata is valid for deployment
"""
When I run the Rugged command "rugged --debug deploy-root-metadata"
Then I should get:
"""
Metadata is valid for deployment.
Deploying partial root metadata (/var/rugged/tuf_repo/partial/2.root.json) into place: /var/rugged/tuf_repo/metadata/2.root.json.
debug: Copying /var/rugged/tuf_repo/partial/2.root.json key to /var/rugged/tuf_repo/metadata/2.root.json.
"""
When I fail to run the Rugged command "rugged validate metadata"
Then I should get:
"""
Metadata for the 'root' role is valid.
error: UnsignedMetadataError thrown in validate_<ROLE>: <ROLE> was signed by 0/1 keys
error: Metadata for the '<ROLE>' role is not valid.
"""
When I run the Rugged command "rugged refresh-expiry --force"
Then I should get:
"""
Preparing to refresh metadata expiry periods.
Fetching all metadata from targets-worker.
Forcing refresh of all metadata.
Dispatching task to refresh expiring metadata on targets-worker.
Refreshed targets metadata expiry period.
Updated snapshot metadata.
Updated timestamp metadata.
"""
When I run the Rugged command "rugged validate metadata"
Then I should get:
"""
Metadata for the 'root' role is valid.
Metadata for the 'timestamp' role is valid.
Metadata for the 'snapshot' role is valid.
Metadata for the 'targets' role is valid.
"""
Examples:
| ROLE |
| timestamp |
| snapshot |
| targets |
3 scenarios (3 passed)
93 steps (93 passed)