From d0e3d2aecacfb559f23aac994d8eebde25b7efc3 Mon Sep 17 00:00:00 2001
From: Volodymyr Khoroz
Date: Fri, 11 Aug 2023 16:26:21 +0300
Subject: [PATCH] Feature: track TUF key ownership

Signed-off-by: Volodymyr Khoroz
---
 client/foundries_tuf_root.go | 7 +++++++
 subcommands/keys/tuf_utils.go | 13 +++++++++++++
 2 files changed, 20 insertions(+)

diff --git a/client/foundries_tuf_root.go b/client/foundries_tuf_root.go
index 942ffb6c..1d6af088 100644
--- a/client/foundries_tuf_root.go
+++ b/client/foundries_tuf_root.go
@@ -26,12 +26,19 @@ type RootChangeReason struct {
 	Message string `json:"message"`
 	Timestamp time.Time `json:"timestamp"`
 }
+
+type RootKeyOwner struct {
+	PolisId string `json:"polis-id"`
+	CreatedAt time.Time `json:"created-at"`
+}
+
 type AtsRootMeta struct {
 	tuf.SignedCommon
 	Consistent bool `json:"consistent_snapshot"`
 	Keys map[string]AtsKey `json:"keys"`
 	Roles map[tuf.RoleName]*tuf.RootRole `json:"roles"`
 	Reason *RootChangeReason `json:"x-changelog,omitempty"`
+	KeyOwners map[string]RootKeyOwner `json:"x-key-owners,omitempty"`
 }
 
 type AtsTufRoot struct {
diff --git a/subcommands/keys/tuf_utils.go b/subcommands/keys/tuf_utils.go
index e366e780..4b234d8c 100644
--- a/subcommands/keys/tuf_utils.go
+++ b/subcommands/keys/tuf_utils.go
@@ -14,8 +14,10 @@ import (
 	"io"
 	"os"
 	"strings"
+	"time"
 
 	canonical "github.com/docker/go/canonical/json"
+	"github.com/spf13/viper"
 	tuf "github.com/theupdateframework/notary/tuf/data"
 
 	"github.com/foundriesio/fioctl/client"
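Review bot: `RootKeyOwner` and the new `KeyOwners` field are exported without doc comments, and `PolisId` breaks Go's initialism convention; name it `PolisID` (keeping the `json:"polis-id"` tag, and updating the composite literal in tuf_utils.go accordingly) and add `// RootKeyOwner records which account added a root key, stored in the x-key-owners extension of the signed root metadata.` above the type. Because the map sits in `AtsRootMeta`, which is the Signed portion (the second file writes it via `root.Signed.KeyOwners`), every entry is covered by the root signatures and changes require a re-signed root; a one-line field comment saying so, e.g. `// KeyOwners is an extension field; it is part of the signed payload, not an unsigned annotation.`, will stop maintainers from editing it casually. Since `x-changelog` already uses hyphenated tags, the `polis-id`/`created-at` spelling is consistent with the other extension field.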
@@ -321,6 +323,17 @@ func addOfflineTufKey(
 	creds[base+".sec"] = key.atsPrivBytes
 	root.Signed.Keys[key.signer.Id] = key.atsPub
 	root.Signed.Roles[role].KeyIDs = append(oldKids, key.signer.Id)
+
+	factory := viper.GetString("factory")
+	user, err := api.UserAccessDetails(factory, "self")
+	subcommands.DieNotNil(err)
+	if root.Signed.KeyOwners == nil {
+		root.Signed.KeyOwners = make(map[string]client.RootKeyOwner)
+	}
+	root.Signed.KeyOwners[key.signer.Id] = client.RootKeyOwner{
+		PolisId: user.PolisId,
+		CreatedAt: time.Unix(time.Now().Unix(), 0).UTC(), // Strip millis
+	}
 }
 
 func removeUnusedTufKeys(root *client.AtsTufRoot) {
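Review bot: The `x-key-owners` entry is only ever added here, while `removeUnusedTufKeys`, whose signature is the hunk's last line and whose body is outside it, is not touched by the commit; if it prunes `root.Signed.Keys` as its name suggests, ownership records for rotated-out key ids will accumulate in the signed root and keep naming accounts for keys that no longer exist. Mirror the removal there with `delete(root.Signed.KeyOwners, kid)` for every key id that is dropped (a nil-map delete is a no-op, so no guard is needed). Separately, the `api.UserAccessDetails` call runs after `creds`, `Keys` and `Roles` have already been mutated and ends in `subcommands.DieNotNil` on failure; performing the lookup before the first mutation keeps the in-memory root and credentials consistent when the API is unreachable, and `CreatedAt: time.Now().UTC().Truncate(time.Second),` states the `// Strip millis` intent directly. `addOfflineTufKey` starts outside the hunk, so I cannot see whether `api` is a parameter or package-level state.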