Allow TUF metadata to be loaded from a different place than the Compo…
…ser package metadata (#83)
phenaproxima authored Sep 28, 2023
1 parent 9e7d5ac commit aaed3fa
Showing 2 changed files with 14 additions and 4 deletions.
14 changes: 11 additions & 3 deletions src/TufValidatedComposerRepository.php
Expand Up @@ -52,9 +52,15 @@ public function __construct(array $repoConfig, IOInterface $io, Config $config,
$this->io = $io;
$url = rtrim($repoConfig['url'], '/');

if (isset($repoConfig['tuf'])) {
if (!empty($repoConfig['tuf'])) {
// TUF metadata can optionally be loaded from a different place than the Composer package metadata.
$metadataUrl = $repoConfig['tuf']['metadata-url'] ?? "$url/metadata/";
if (!str_ends_with($metadataUrl, '/')) {
$metadataUrl .= '/';
}

$this->updater = new ComposerCompatibleUpdater(
new SizeCheckingLoader(new Loader($httpDownloader, "$url/metadata/")),
new SizeCheckingLoader(new Loader($httpDownloader, $metadataUrl)),
// @todo: Write a custom implementation of FileStorage that stores repo keys to user's global composer cache?
$this->initializeStorage($url, $config)
);
Expand All @@ -64,7 +70,9 @@ public function __construct(array $repoConfig, IOInterface $io, Config $config,
// prefixed with that.
$repoConfig['url'] = "$url/targets";

$io->debug("[TUF] Packages from $url are verified with base URL " . $repoConfig['url']);
$io->debug("[TUF] Packages from $url are verified by TUF.");
$io->debug("[TUF] Metadata source: $metadataUrl");
$io->debug("[TUF] Targets source: " . $repoConfig['url']);
} else {
// @todo Usability assessment. Should we output this for other repo types, or not at all?
$io->warning("Authenticity of packages from $url are not verified by TUF.");
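Review bot: The `!empty($repoConfig['tuf'])` guard (apparently the replacement for the `isset(...)` line printed just above it) sends an empty `tuf` block to the `else` branch, where packages are not verified and only a warning is emitted. Now that `tuf` can be an object holding `metadata-url`, a config such as `"tuf": {}` decodes to an empty array and would turn verification off; `if (isset($repoConfig['tuf']) && $repoConfig['tuf'] !== false) {` keeps `false` as the opt-out without that fail-open case. `metadata-url` is also handed to `str_ends_with()` without a type check, so a guard such as `if (!is_string($metadataUrl)) { throw new \InvalidArgumentException('tuf.metadata-url must be a string'); }` before the slash normalisation would turn a malformed value into a clear configuration error. The constructor body starts and ends outside the hunk.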
4 changes: 3 additions & 1 deletion tests/ComposerCommandsTest.php
Expand Up @@ -145,7 +145,9 @@ public function testRequireAndRemove(): void
->getErrorOutput();
$this->assertStringContainsString('TUF integration enabled.', $debug);
$this->assertStringContainsString('[TUF] Root metadata for http://localhost:8080 loaded from ', $debug);
$this->assertStringContainsString('[TUF] Packages from http://localhost:8080 are verified with base URL http://localhost:8080/targets', $debug);
$this->assertStringContainsString('[TUF] Packages from http://localhost:8080 are verified by TUF.', $debug);
$this->assertStringContainsString('[TUF] Metadata source: http://localhost:8080/metadata/', $debug);
$this->assertStringContainsString('[TUF] Targets source: http://localhost:8080/targets', $debug);
$this->assertStringContainsString("[TUF] Target 'packages.json' limited to 120 bytes.", $debug);
$this->assertStringContainsString("[TUF] Target 'packages.json' validated.", $debug);
$this->assertStringContainsString("[TUF] Target 'files/packages/8/p2/drupal/token.json' limited to 1379 bytes.", $debug);
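Review bot: Only the default metadata location is asserted here (`[TUF] Metadata source: http://localhost:8080/metadata/`), so the new `metadata-url` override and its trailing-slash normalisation are not exercised by the visible assertions. A case that sets `tuf.metadata-url` to a value without a trailing slash and checks `$this->assertStringContainsString('[TUF] Metadata source: <configured-metadata-url>/', $debug);` would pin that behaviour down. A second case with an empty `tuf` block would record whether verification stays enabled. testRequireAndRemove continues outside the hunk, so such coverage may already exist elsewhere.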
