From 33a1996b2bc96856365bf8042fba5fbb698af96c Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Wed, 15 May 2024 14:47:20 -0500
Subject: [PATCH 1/4] fix: no such directory error

---
 pkg/tuf/tuf.go | 8 ++++++++
 1 file changed, 8 insertions(+)

diff --git a/pkg/tuf/tuf.go b/pkg/tuf/tuf.go
index 00808c5..48a1e13 100644
--- a/pkg/tuf/tuf.go
+++ b/pkg/tuf/tuf.go
@@ -116,6 +116,14 @@ func (t *TufClient) DownloadTarget(target string, filePath string) (actualFilePa
 return "", nil, err
 }

+ // check if filePath exists and create the directory if it doesn't
+ if _, err := os.Stat(filepath.Dir(filePath)); os.IsNotExist(err) {
+ err = os.MkdirAll(filepath.Dir(filePath), 0755)
+ if err != nil {
+ return "", nil, fmt.Errorf("failed to create target download directory '%s': %w", filepath.Dir(filePath), err)
+ }
+ }
+
 // target is available, so let's see if the target is already present locally
 actualFilePath, data, err = t.updater.FindCachedTarget(targetInfo, filePath)
 if err != nil {
From 249cf5bcf38e3e9d7f66f9962d1603d845e9bad7 Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Wed, 15 May 2024 15:19:13 -0500
Subject: [PATCH 2/4] fix: query

---
 pkg/policy/rego.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/policy/rego.go b/pkg/policy/rego.go
index c6851b0..942e630 100644
--- a/pkg/policy/rego.go
+++ b/pkg/policy/rego.go
@@ -29,7 +29,7 @@ type regoEvaluator struct {
 func NewRegoEvaluator(debug bool) PolicyEvaluator {
 return ®oEvaluator{
 debug: debug,
- query: "data.attest.allow",
+ query: "data.attest.digest",
 }
 }

From a103e0e9d7ecc5d69a8fd4652959f439e9e03eef Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Wed, 15 May 2024 15:23:22 -0500
Subject: [PATCH 3/4] revert: query

---
 pkg/policy/rego.go | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pkg/policy/rego.go b/pkg/policy/rego.go
index 942e630..c6851b0 100644
--- a/pkg/policy/rego.go
+++ b/pkg/policy/rego.go
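Review bot: The `os.Stat` guard around `os.MkdirAll` swallows every error other than not-exist — a permission failure, or a regular file sitting where the directory should be, is ignored here and only surfaces later from FindCachedTarget with a less specific message — and it is redundant, since MkdirAll already succeeds on an existing directory. Compute the directory once and create it unconditionally: `dir := filepath.Dir(filePath)` / `if err := os.MkdirAll(dir, 0755); err != nil {` / `return "", nil, fmt.Errorf("failed to create target download directory '%s': %w", dir, err)`. Separately, filePath is caller-supplied and the new TestDownloadTarget later in this series derives it from a target name taken out of the metadata (`filepath.Join(tufPath, targetInfo.Path)`); because this wrapper creates whatever parent directory results, a target name containing `..` components would place the file outside the intended download root, so either document on DownloadTarget that callers must pass an already-sanitized path or check that the cleaned filePath stays under the expected base before creating anything. DownloadTarget begins and ends outside this hunk.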
@@ -29,7 +29,7 @@ type regoEvaluator struct {
 func NewRegoEvaluator(debug bool) PolicyEvaluator {
 return ®oEvaluator{
 debug: debug,
- query: "data.attest.digest",
+ query: "data.attest.allow",
 }
 }

From eddb277d7e28c035856f02990bf2ce618abfeddc Mon Sep 17 00:00:00 2001
From: mrjoelkamp
Date: Wed, 15 May 2024 16:22:35 -0500
Subject: [PATCH 4/4] feat: add tuf download target tests

---
 pkg/tuf/tuf_test.go | 54 +++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 54 insertions(+)

diff --git a/pkg/tuf/tuf_test.go b/pkg/tuf/tuf_test.go
index dc71a67..9479dcf 100644
--- a/pkg/tuf/tuf_test.go
+++ b/pkg/tuf/tuf_test.go
@@ -2,6 +2,7 @@ package tuf

 import (
 "context"
+ "fmt"
 "net/http"
 "net/http/httptest"
 "os"
@@ -10,6 +11,7 @@ import (
 "github.com/docker/attest/internal/embed"

 "github.com/stretchr/testify/assert"
+ "github.com/theupdateframework/go-tuf/v2/metadata"
 )

 var (
@@ -71,3 +73,55 @@ func TestRootInit(t *testing.T) {
 assert.Errorf(t, err, "Expected error recreating TUF client with broken root: %v", err)
 }
 }
+
+func TestDownloadTarget(t *testing.T) {
+ tufPath := CreateTempDir(t, "", "tuf_temp")
+ targetFile := "test.txt"
+ delegatedRole := "test-role"
+ delegatedTargetFile := fmt.Sprintf("%s/%s", delegatedRole, targetFile)
+
+ // Start a test HTTP server to serve data from /test/testdata/tuf/test-repo/ paths
+ server := httptest.NewServer(http.FileServer(http.Dir(HttpTufTestDataPath)))
+ defer server.Close()
+
+ // run local registry
+ registry, regAddr := RunTestRegistry(t)
+ defer func() {
+ if err := registry.Terminate(context.Background()); err != nil {
+ t.Fatalf("failed to terminate container: %s", err) // nolint:gocritic
+ }
+ }()
+ LoadRegistryTestData(t, regAddr, OciTufTestDataPath)
+
+ testCases := []struct {
+ name string
+ metadataSource string
+ targetsSource string
+ }{
+ {"http", server.URL + "/metadata", server.URL + "/targets"},
+ {"oci", regAddr.Host + "/tuf-metadata:latest", regAddr.Host + "/tuf-targets"},
+ }
+
+ for _, tc := range testCases {
+ tufClient, err := NewTufClient(embed.DevRoot, tufPath, tc.metadataSource, tc.targetsSource)
+ assert.NoErrorf(t, err, "Failed to create TUF client: %v", err)
+
+ // get trusted tuf metadata
+ trustedMetadata := tufClient.updater.GetTrustedMetadataSet()
+ assert.NotNil(t, trustedMetadata, "Failed to get trusted metadata")
+
+ // download top-level target files
+ targets := trustedMetadata.Targets[metadata.TARGETS].Signed.Targets
+ for _, target := range targets {
+ // download target files
+ _, _, err := tufClient.DownloadTarget(target.Path, filepath.Join(tufPath, "download"))
+ assert.NoErrorf(t, err, "Failed to download target: %v", err)
+ }
+
+ // download delegated target
+ targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
+ assert.NoError(t, err)
+ _, _, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
+ assert.NoError(t, err)
+ }
+}
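Review bot: The `assert.NoErrorf` after `NewTufClient` does not stop the test, so when client creation fails the next line dereferences a nil `tufClient` and the run dies with a panic instead of the intended message; the same holds for `assert.NotNil` before `trustedMetadata.Targets[...]` and for `assert.NoError` before `targetInfo.Path` is read. Use `require` (github.com/stretchr/testify/require) for those preconditions and keep `assert` for the final checks. Every top-level target is also written to the same destination, `filepath.Join(tufPath, "download")` — filePath is the destination file (the tuf.go change in this series creates its parent directory), so each iteration overwrites the previous download — and `tc.name` is declared but never used, which suggests the loop body was meant to run under `t.Run(tc.name, ...)`. The rewrite below folds these together; the test still never inspects what was downloaded, so asserting on the returned path or data (if the first return value is the on-disk location, `assert.FileExists` would do) would make it check more than "no error".
```go
	for _, tc := range testCases {
		t.Run(tc.name, func(t *testing.T) {
			tufClient, err := NewTufClient(embed.DevRoot, tufPath, tc.metadataSource, tc.targetsSource)
			require.NoErrorf(t, err, "Failed to create TUF client: %v", err)

			trustedMetadata := tufClient.updater.GetTrustedMetadataSet()
			require.NotNil(t, trustedMetadata, "Failed to get trusted metadata")

			// download top-level target files, each to its own path under tufPath/download
			targets := trustedMetadata.Targets[metadata.TARGETS].Signed.Targets
			for _, target := range targets {
				_, _, err := tufClient.DownloadTarget(target.Path, filepath.Join(tufPath, "download", target.Path))
				require.NoErrorf(t, err, "Failed to download target: %v", err)
			}

			// download delegated target
			targetInfo, err := tufClient.updater.GetTargetInfo(delegatedTargetFile)
			require.NoError(t, err)
			_, _, err = tufClient.DownloadTarget(targetInfo.Path, filepath.Join(tufPath, targetInfo.Path))
			assert.NoError(t, err)
		})
	}
```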