Cleanup: extract common logic to add new TUF key

This simply makes the next commit easier; and is good anyway. Signed-off-by: Volodymyr Khoroz <[email protected]>
foundriesio · Aug 11, 2023 · bd229f1 · bd229f1
1 parent 1bc6d1f
commit bd229f1
Show file tree

Hide file tree

Showing 3 changed files with 25 additions and 33 deletions.
diff --git a/subcommands/keys/tuf_updates_add_offline_key.go b/subcommands/keys/tuf_updates_add_offline_key.go
@@ -90,28 +90,21 @@ func doTufUpdatesAddOfflineKey(cmd *cobra.Command, args []string) {
 }
 
 func addOfflineRootKey(root *client.AtsTufRoot, creds OfflineCreds, keyType TufKeyType) {
-	subcommands.DieNotNil(checkNoTufSigner(root, creds, root.Signed.Roles["root"].KeyIDs))
+	oldKids := root.Signed.Roles["root"].KeyIDs
+	subcommands.DieNotNil(checkNoTufSigner(root, creds, oldKids))
 
 	kp := genTufKeyPair(keyType)
-	root.Signed.Keys[kp.signer.Id] = kp.atsPub
-	root.Signed.Roles["root"].KeyIDs = append(root.Signed.Roles["root"].KeyIDs, kp.signer.Id)
-
-	base := "tufrepo/keys/fioctl-root-" + kp.signer.Id
-	creds[base+".pub"] = kp.atsPubBytes
-	creds[base+".sec"] = kp.atsPrivBytes
+	addOfflineTufKey(root, "root", kp, oldKids, creds)
 	fmt.Println("= New root keyid:", kp.signer.Id)
 }
 
 func addOfflineTargetsKey(root *client.AtsTufRoot, creds OfflineCreds, keyType TufKeyType, onlineTargetsId string) {
-	subcommands.DieNotNil(checkNoTufSigner(root, creds,
-		subcommands.SliceRemove(root.Signed.Roles["targets"].KeyIDs, onlineTargetsId)))
+	oldKids := root.Signed.Roles["targets"].KeyIDs
+	if len(oldKids) > 1 {
+		subcommands.DieNotNil(checkNoTufSigner(root, creds, subcommands.SliceRemove(oldKids, onlineTargetsId)))
+	}
 
 	kp := genTufKeyPair(keyType)
-	root.Signed.Keys[kp.signer.Id] = kp.atsPub
-	root.Signed.Roles["targets"].KeyIDs = append(root.Signed.Roles["targets"].KeyIDs, kp.signer.Id)
-
-	base := "tufrepo/keys/fioctl-targets-" + kp.signer.Id
-	creds[base+".pub"] = kp.atsPubBytes
-	creds[base+".sec"] = kp.atsPrivBytes
+	addOfflineTufKey(root, "targets", kp, oldKids, creds)
 	fmt.Println("= New targets keyid:", kp.signer.Id)
 }
diff --git a/subcommands/keys/tuf_updates_rotate_offline_key.go b/subcommands/keys/tuf_updates_rotate_offline_key.go
@@ -207,18 +207,14 @@ func doTufUpdatesRotateOfflineTargetsKey(cmd *cobra.Command) {
 func replaceOfflineRootKey(
 	root *client.AtsTufRoot, creds OfflineCreds, keyType TufKeyType,
 ) (TufSigner, OfflineCreds) {
-	oldKey, err := FindOneTufSigner(root, creds, root.Signed.Roles["root"].KeyIDs)
+	oldKids := root.Signed.Roles["root"].KeyIDs
+	oldKey, err := FindOneTufSigner(root, creds, oldKids)
 	subcommands.DieNotNil(err)
-	newKids := subcommands.SliceRemove(root.Signed.Roles["root"].KeyIDs, oldKey.Id)
+	oldKids = subcommands.SliceRemove(oldKids, oldKey.Id)
 
 	kp := genTufKeyPair(keyType)
-	root.Signed.Keys[kp.signer.Id] = kp.atsPub
+	addOfflineTufKey(root, "root", kp, oldKids, creds)
 	root.Signed.Expires = time.Now().AddDate(1, 0, 0).UTC().Round(time.Second) // 1 year validity
-	root.Signed.Roles["root"].KeyIDs = append(newKids, kp.signer.Id)
-
-	base := "tufrepo/keys/fioctl-root-" + kp.signer.Id
-	creds[base+".pub"] = kp.atsPubBytes
-	creds[base+".sec"] = kp.atsPrivBytes
 	return kp.signer, creds
 }
 
@@ -227,21 +223,14 @@ func replaceOfflineTargetsKey(
 ) (TufSigner, OfflineCreds) {
 	// Support first key rotation (no offline targets key yet) for backward-compatibility.
 	oldKids := root.Signed.Roles["targets"].KeyIDs
-	oldOfflineKids := subcommands.SliceRemove(oldKids, onlineTargetsId)
-	if len(oldOfflineKids) > 0 {
-		oldKey, err := FindOneTufSigner(root, creds, oldOfflineKids)
+	if len(oldKids) > 1 {
+		oldKey, err := FindOneTufSigner(root, creds, subcommands.SliceRemove(oldKids, onlineTargetsId))
 		subcommands.DieNotNil(err)
 		oldKids = subcommands.SliceRemove(oldKids, oldKey.Id)
 	}
 
 	kp := genTufKeyPair(keyType)
-	root.Signed.Keys[kp.signer.Id] = kp.atsPub
-	root.Signed.Roles["targets"].KeyIDs = append(oldKids, kp.signer.Id)
-	root.Signed.Roles["targets"].Threshold = 1
-
-	base := "tufrepo/keys/fioctl-targets-" + kp.signer.Id
-	creds[base+".pub"] = kp.atsPubBytes
-	creds[base+".sec"] = kp.atsPrivBytes
+	addOfflineTufKey(root, "targets", kp, oldKids, creds)
 	return kp.signer, creds
 }
 

diff --git a/subcommands/keys/tuf_utils.go b/subcommands/keys/tuf_utils.go
@@ -313,6 +313,16 @@ func findTufSigners(root *client.AtsTufRoot, creds OfflineCreds, keyids []string
 	return matchSigners, nil
 }
 
+func addOfflineTufKey(
+	root *client.AtsTufRoot, role tuf.RoleName, key TufKeyPair, oldKids []string, creds OfflineCreds,
+) {
+	base := fmt.Sprintf("tufrepo/keys/fioctl-%s-%s", role, key.signer.Id)
+	creds[base+".pub"] = key.atsPubBytes
+	creds[base+".sec"] = key.atsPrivBytes
+	root.Signed.Keys[key.signer.Id] = key.atsPub
+	root.Signed.Roles[role].KeyIDs = append(oldKids, key.signer.Id)
+}
+
 func removeUnusedTufKeys(root *client.AtsTufRoot) {
 	var inuse []string
 	for _, role := range root.Signed.Roles {