From 0330ea47550945c9bc60c0765d6e9357e5349aba Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Wed, 10 Jul 2024 17:21:56 -0500
Subject: [PATCH] feat: add EmbeddedRoot type

---
 internal/embed/root.go | 39 ++++++++++++++++++++-----------
 pkg/attest/example_verify_test.go | 2 +-
 pkg/mirror/example_mirror_test.go | 2 +-
 pkg/mirror/metadata_test.go | 6 ++---
 pkg/mirror/mirror.go | 2 +-
 pkg/mirror/targets_test.go | 6 ++---
 pkg/tuf/example_registry_test.go | 2 +-
 pkg/tuf/registry_test.go | 2 +-
 pkg/tuf/tuf.go | 6 ++---
 pkg/tuf/tuf_test.go | 26 ++++++++++-----------
 10 files changed, 53 insertions(+), 40 deletions(-)

diff --git a/internal/embed/root.go b/internal/embed/root.go
index 047c4ff..e80b75b 100644
--- a/internal/embed/root.go
+++ b/internal/embed/root.go
@@ -6,26 +6,39 @@ import (
 )
 
 //go:embed embedded-roots/1.root-dev.json
-var DevRoot []byte
+var devRoot []byte
 
 //go:embed embedded-roots/1.root-staging.json
-var StagingRoot []byte
+var stagingRoot []byte
 
 //go:embed embedded-roots/1.root.json
-var ProdRoot []byte
+var prodRoot []byte
 
-var DefaultRoot = ProdRoot
+var defaultRoot = prodRoot
 
-func GetRootBytes(root string) ([]byte, error) {
+type RootName string
+type EmbeddedRoot struct {
+ Data []byte
+ Name RootName
+}
+
+var (
+ RootDev = EmbeddedRoot{Data: devRoot, Name: "dev"}
+ RootStaging = EmbeddedRoot{Data: stagingRoot, Name: "staging"}
+ RootProd = EmbeddedRoot{Data: prodRoot, Name: "prod"}
+ RootDefault = EmbeddedRoot{Data: defaultRoot, Name: ""}
+)
+
+func GetRootFromName(root string) (*EmbeddedRoot, error) {
  switch root {
- case "dev":
- return DevRoot, nil
- case "staging":
- return StagingRoot, nil
- case "prod":
- return ProdRoot, nil
- case "":
- return DefaultRoot, nil
+ case string(RootDev.Name):
+ return &RootDev, nil
+ case string(RootStaging.Name):
+ return &RootStaging, nil
+ case string(RootProd.Name):
+ return &RootProd, nil
+ case string(RootDefault.Name):
+ return &RootDefault, nil
  default:
  return nil, fmt.Errorf("invalid tuf root: %s", root)
  }
diff --git a/pkg/attest/example_verify_test.go b/pkg/attest/example_verify_test.go
index 6f5571a..d13e589 100644
--- a/pkg/attest/example_verify_test.go
+++ b/pkg/attest/example_verify_test.go
@@ -21,7 +21,7 @@ func createTufClient(outputPath string) (*tuf.TufClient, error) {
 // metadataURI := "https://docker.github.io/tuf-staging/metadata"
 // targetsURI := "https://docker.github.io/tuf-staging/targets"
 
- return tuf.NewTufClient(embed.StagingRoot, outputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
+ return tuf.NewTufClient(embed.RootStaging.Data, outputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
 }
 
 func ExampleVerify_remote() {
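Review bot: GetRootFromName returns `&RootDev`, `&RootStaging`, `&RootProd` and `&RootDefault`, i.e. pointers to package-level variables whose Data slices alias the embedded root bytes, so any caller that writes through the returned *EmbeddedRoot or into its Data silently replaces the TUF trust anchor for every client created later in the process. Because these bytes are the root of trust for all metadata verification, a defensive copy is cheap insurance: add `func (r EmbeddedRoot) clone() *EmbeddedRoot { return &EmbeddedRoot{Data: append([]byte(nil), r.Data...), Name: r.Name} }` and return `RootDev.clone()` (and likewise for the other cases) instead of the address of the global. RootDefault also carries the prod bytes but reports Name "", so a caller cannot tell from the returned value which root it is actually trusting; a comment such as `// RootDefault is the root selected for an empty name; it currently aliases the prod root.` would make that explicit. The new exported type, RootName and the Root* vars have no doc comments; `// EmbeddedRoot is a TUF root compiled into the binary, identified by Name.` would cover the type.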
diff --git a/pkg/mirror/example_mirror_test.go b/pkg/mirror/example_mirror_test.go
index 2b9cea8..c2924b0 100644
--- a/pkg/mirror/example_mirror_test.go
+++ b/pkg/mirror/example_mirror_test.go
@@ -29,7 +29,7 @@ func ExampleNewTufMirror() {
 // configure TUF mirror
 metadataURI := "https://docker.github.io/tuf-staging/metadata"
 targetsURI := "https://docker.github.io/tuf-staging/targets"
- m, err := mirror.NewTufMirror(embed.StagingRoot, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
+ m, err := mirror.NewTufMirror(embed.RootStaging.Data, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
 if err != nil {
 panic(err)
 }
diff --git a/pkg/mirror/metadata_test.go b/pkg/mirror/metadata_test.go
index 03b722c..ee85b2d 100644
--- a/pkg/mirror/metadata_test.go
+++ b/pkg/mirror/metadata_test.go
@@ -21,7 +21,7 @@ func TestGetTufMetadataMirror(t *testing.T) {
 defer server.Close()
 
 path := test.CreateTempDir(t, "", "tuf_temp")
- m, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+ m, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
 assert.NoError(t, err)
 
 tufMetadata, err := m.getTufMetadataMirror(server.URL + "/metadata")
@@ -39,7 +39,7 @@ func TestGetMetadataManifest(t *testing.T) {
 defer server.Close()
 
 path := test.CreateTempDir(t, "", "tuf_temp")
- m, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+ m, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
 assert.NoError(t, err)
 
 img, err := m.GetMetadataManifest(server.URL + "/metadata")
@@ -78,7 +78,7 @@ func TestGetDelegatedMetadataMirrors(t *testing.T) {
 defer server.Close()
 
 path := test.CreateTempDir(t, "", "tuf_temp")
- m, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+ m, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
 assert.NoError(t, err)
 
 delegations, err := m.GetDelegatedMetadataMirrors()
diff --git a/pkg/mirror/mirror.go b/pkg/mirror/mirror.go
index e66749b..6050ff0 100644
--- a/pkg/mirror/mirror.go
+++ b/pkg/mirror/mirror.go
@@ -16,7 +16,7 @@ import (
 
 func NewTufMirror(root []byte, tufPath, metadataURL, targetsURL string, versionChecker tuf.VersionChecker) (*TufMirror, error) {
 if root == nil {
- root = embed.DefaultRoot
+ root = embed.RootDefault.Data
 }
 tufClient, err := tuf.NewTufClient(root, tufPath, metadataURL, targetsURL, versionChecker)
 if err != nil {
diff --git a/pkg/mirror/targets_test.go b/pkg/mirror/targets_test.go
index 2ff296b..d7f8c0e 100644
--- a/pkg/mirror/targets_test.go
+++ b/pkg/mirror/targets_test.go
@@ -27,7 +27,7 @@ func TestGetTufTargetsMirror(t *testing.T) {
 defer server.Close()
 
 path := test.CreateTempDir(t, "", "tuf_temp")
- m, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+ m, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
 assert.NoError(t, err)
 
 targets, err := m.GetTufTargetMirrors()
@@ -61,7 +61,7 @@ func TestTargetDelegationMetadata(t *testing.T) {
 defer server.Close()
 
 path := test.CreateTempDir(t, "", "tuf_temp")
- tm, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+ tm, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
 assert.NoError(t, err)
 
 targets, err := tm.TufClient.LoadDelegatedTargets("test-role", "targets")
@@ -74,7 +74,7 @@ func TestGetDelegatedTargetMirrors(t *testing.T) {
 defer server.Close()
 
 path := test.CreateTempDir(t, "", "tuf_temp")
- m, err := NewTufMirror(embed.DevRoot, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
+ m, err := NewTufMirror(embed.RootDev.Data, path, server.URL+"/metadata", server.URL+"/targets", tuf.NewMockVersionChecker())
 assert.NoError(t, err)
 
 mirrors, err := m.GetDelegatedTargetMirrors()
diff --git a/pkg/tuf/example_registry_test.go b/pkg/tuf/example_registry_test.go
index df34c83..a1b4821 100644
--- a/pkg/tuf/example_registry_test.go
+++ b/pkg/tuf/example_registry_test.go
@@ -21,7 +21,7 @@ func ExampleNewTufClient_registry() {
 metadataURI := "registry-1.docker.io/docker/tuf-metadata:latest"
 targetsURI := "registry-1.docker.io/docker/tuf-targets"
 
- registryClient, err := tuf.NewTufClient(embed.StagingRoot, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
+ registryClient, err := tuf.NewTufClient(embed.RootStaging.Data, tufOutputPath, metadataURI, targetsURI, tuf.NewMockVersionChecker())
 if err != nil {
 panic(err)
 }
diff --git a/pkg/tuf/registry_test.go b/pkg/tuf/registry_test.go
index 31787b7..0cb62d6 100644
--- a/pkg/tuf/registry_test.go
+++ b/pkg/tuf/registry_test.go
@@ -52,7 +52,7 @@ func TestRegistryFetcher(t *testing.T) {
 delegatedDir := CreateTempDir(t, dir, delegatedRole)
 delegatedTargetFile := fmt.Sprintf("%s/%s", delegatedRole, targetFile)
 
- cfg, err := config.New(metadataRepo, embed.DevRoot)
+ cfg, err := config.New(metadataRepo, embed.RootDev.Data)
 assert.NoError(t, err)
 
 cfg.Fetcher = NewRegistryFetcher(metadataRepo, metadataImgTag, targetsRepo)
diff --git a/pkg/tuf/tuf.go b/pkg/tuf/tuf.go
index 96316a1..f3af13e 100644
--- a/pkg/tuf/tuf.go
+++ b/pkg/tuf/tuf.go
@@ -229,7 +229,7 @@ func ensureTrailingSlash(url string) string {
 return url + "/"
 }
 
-// GetEmbeddedTufRootBytes returns the embedded TUF root based on the given root name
-func GetEmbeddedTufRootBytes(root string) ([]byte, error) {
- return embed.GetRootBytes(root)
+// GetEmbeddedTufRoot returns the embedded TUF root based on the given root name
+func GetEmbeddedTufRoot(root string) (*embed.EmbeddedRoot, error) {
+ return embed.GetRootFromName(root)
 }
diff --git a/pkg/tuf/tuf_test.go b/pkg/tuf/tuf_test.go
index 6f55fcd..dc3a569 100644
--- a/pkg/tuf/tuf_test.go
+++ b/pkg/tuf/tuf_test.go
@@ -65,17 +65,17 @@ func TestRootInit(t *testing.T) {
 }
 
 for _, tc := range testCases {
- _, err := NewTufClient(embed.DevRoot, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker)
+ _, err := NewTufClient(embed.RootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker)
 assert.NoErrorf(t, err, "Failed to create TUF client: %v", err)
 
 // recreation should work with same root
- _, err = NewTufClient(embed.DevRoot, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker)
+ _, err = NewTufClient(embed.RootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker)
 assert.NoErrorf(t, err, "Failed to recreate TUF client: %v", err)
 
 _, err = NewTufClient([]byte("broken"), tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker)
 assert.Errorf(t, err, "Expected error recreating TUF client with broken root: %v", err)
 
- _, err = NewTufClient(embed.DevRoot, tufPath, tc.metadataSource, tc.targetsSource, alwaysBadVersionChecker)
+ _, err = NewTufClient(embed.RootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysBadVersionChecker)
 assert.Errorf(t, err, "Expected error creating TUF client with bad attest version: %v", err)
 }
 }
@@ -111,7 +111,7 @@ func TestDownloadTarget(t *testing.T) {
 }
 
 for _, tc := range testCases {
- tufClient, err := NewTufClient(embed.DevRoot, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker)
+ tufClient, err := NewTufClient(embed.RootDev.Data, tufPath, tc.metadataSource, tc.targetsSource, alwaysGoodVersionChecker)
 assert.NoErrorf(t, err, "Failed to create TUF client: %v", err)
 
 // get trusted tuf metadata
@@ -135,22 +135,22 @@ func TestDownloadTarget(t *testing.T) {
 }
 
 func TestGetEmbeddedTufRootBytes(t *testing.T) {
- dev, err := GetEmbeddedTufRootBytes("dev")
+ dev, err := GetEmbeddedTufRoot("dev")
 assert.NoError(t, err)
 
- staging, err := GetEmbeddedTufRootBytes("staging")
+ staging, err := GetEmbeddedTufRoot("staging")
 assert.NoError(t, err)
- assert.NotEqual(t, dev, staging)
+ assert.NotEqual(t, dev.Data, staging.Data)
 
- prod, err := GetEmbeddedTufRootBytes("prod")
+ prod, err := GetEmbeddedTufRoot("prod")
 assert.NoError(t, err)
- assert.NotEqual(t, dev, prod)
- assert.NotEqual(t, staging, prod)
+ assert.NotEqual(t, dev.Data, prod.Data)
+ assert.NotEqual(t, staging.Data, prod.Data)
 
- def, err := GetEmbeddedTufRootBytes("")
+ def, err := GetEmbeddedTufRoot("")
 assert.NoError(t, err)
- assert.Equal(t, def, prod)
+ assert.Equal(t, def.Data, prod.Data)
 
- _, err = GetEmbeddedTufRootBytes("invalid")
+ _, err = GetEmbeddedTufRoot("invalid")
 assert.Error(t, err)
 }