Merge pull request #853 from sigstore/fix_tuf_target_paths

Handle targets with path elements

sigstore-java/src/main/java/dev/sigstore/tuf/FileSystemTufStore.java

@@ -21,6 +21,8 @@
 import dev.sigstore.tuf.model.*;
 import java.io.BufferedWriter;
 import java.io.IOException;
+import java.net.URLEncoder;
+import java.nio.charset.StandardCharsets;
 import java.nio.file.Files;
 import java.nio.file.Path;
 import java.util.Optional;
@@ -65,12 +67,14 @@ public String getIdentifier() {
 
   @Override
   public void writeTarget(String targetName, byte[] targetContents) throws IOException {
-    Files.write(targetsCache.resolve(targetName), targetContents);
+    var encoded = URLEncoder.encode(targetName, StandardCharsets.UTF_8);
+    Files.write(targetsCache.resolve(encoded), targetContents);
   }
 
   @Override
   public byte[] readTarget(String targetName) throws IOException {
-    return Files.readAllBytes(targetsCache.resolve(targetName));
+    var encoded = URLEncoder.encode(targetName, StandardCharsets.UTF_8);
+    return Files.readAllBytes(targetsCache.resolve(encoded));
   }
 
   @Override

sigstore-java/src/main/java/dev/sigstore/tuf/TargetReader.java

@@ -21,7 +21,8 @@
 public interface TargetReader {
 
   /**
-   * Reads a TUF target file from the local TUF store
+   * Reads a TUF target file from the local TUF store. Target names may include path elements and
+   * the storage engine should be consistent when handling writing and reading these.
    *
    * @param targetName the name of the target file to read (e.g. ctfe.pub)
    * @return the content of the file as bytes

sigstore-java/src/main/java/dev/sigstore/tuf/TargetStore.java

@@ -28,7 +28,8 @@ public interface TargetStore extends TargetReader {
   String getIdentifier();
 
   /**
-   * Writes a TUF target to the local target store.
+   * Writes a TUF target to the local target store. Target names may include path elements and the
+   * storage engine should be consistent when handling writing and reading these.
    *
    * @param targetName the name of the target file to write (e.g. ctfe.pub)
    * @param targetContents the content of the target file as bytes

sigstore-java/src/main/java/dev/sigstore/tuf/Updater.java

@@ -26,6 +26,7 @@
 import dev.sigstore.tuf.model.Timestamp;
 import dev.sigstore.tuf.model.TufMeta;
 import java.io.IOException;
+import java.nio.file.Paths;
 import java.security.InvalidKeyException;
 import java.security.NoSuchAlgorithmException;
 import java.security.SignatureException;
@@ -478,12 +479,25 @@ void downloadTargets(Targets targets)
   }
 
   void downloadTarget(String targetName, TargetData targetData) throws IOException {
+    var calculatedName = targetName;
+    var calculatedPath = "";
+    // if target name includes directories then we have to process the path
+    if (targetName.contains("/")) {
+      var targetPath = Paths.get(targetName);
+      calculatedName = targetPath.getFileName().toString();
+      calculatedPath = targetPath.getParent().toString();
+      if (!calculatedPath.endsWith("/")) {
+        calculatedPath = calculatedPath + "/";
+      }
+    }
     // 9) Download target up to length specified in bytes. verify against hash.
     String versionedTargetName;
     if (targetData.getHashes().getSha512() != null) {
-      versionedTargetName = targetData.getHashes().getSha512() + "." + targetName;
+      versionedTargetName =
+          calculatedPath + targetData.getHashes().getSha512() + "." + calculatedName;
     } else {
-      versionedTargetName = targetData.getHashes().getSha256() + "." + targetName;
+      versionedTargetName =
+          calculatedPath + targetData.getHashes().getSha256() + "." + calculatedName;
     }
 
     var targetBytes = targetFetcher.fetchResource(versionedTargetName, targetData.getLength());

tuf-cli/tuf-cli.xfails

@@ -1,5 +1,4 @@
 test_metadata_bytes_match
-test_client_downloads_expected_file_in_sub_dir
 test_duplicate_sig_keyids
 test_unusual_role_name[?]
 test_unusual_role_name[#]