diff --git a/endpoints/api/__init__.py b/endpoints/api/__init__.py index 12584e70e..873e21a9a 100644 --- a/endpoints/api/__init__.py +++ b/endpoints/api/__init__.py @@ -416,4 +416,5 @@ import endpoints.api.team import endpoints.api.trigger import endpoints.api.user import endpoints.api.secscan +import endpoints.api.signing diff --git a/endpoints/api/repository.py b/endpoints/api/repository.py index 8cea8a602..9a3c5cc92 100644 --- a/endpoints/api/repository.py +++ b/endpoints/api/repository.py @@ -378,7 +378,7 @@ class Repository(RepositoryParamResource): 'is_organization': repo.namespace_user.organization, 'is_starred': is_starred, 'status_token': repo.badge_token if not is_public else '', - 'trust_enabled': repo.trust_enabled, + 'trust_enabled': features.SIGNING and repo.trust_enabled, } if stats is not None: diff --git a/endpoints/api/signing.py b/endpoints/api/signing.py index aa23b7062..161f87760 100644 --- a/endpoints/api/signing.py +++ b/endpoints/api/signing.py @@ -4,9 +4,10 @@ import logging import features from app import tuf_metadata_api +from data import model from endpoints.api import (require_repo_read, path_param, - RepositoryParamResource, resource, nickname, show_if, - disallow_for_app_repositories) + RepositoryParamResource, resource, nickname, show_if, + disallow_for_app_repositories, NotFound) logger = logging.getLogger(__name__) @@ -21,7 +22,11 @@ class RepositorySignatures(RepositoryParamResource): @nickname('getRepoSignatures') @disallow_for_app_repositories def get(self, namespace, repository): - """ Fetches the list of signed tags for the repository""" + """ Fetches the list of signed tags for the repository. """ + repo = model.repository.get_repository(namespace, repository) + if repo is None or not repo.trust_enabled: + raise NotFound() + tag_data, expiration = tuf_metadata_api.get_default_tags_with_expiration(namespace, repository) return { 'tags': tag_data, 
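Review bot: The new `'trust_enabled'` value is the raw result of `features.SIGNING and repo.trust_enabled`, so when the feature is off the field carries whatever object `features.SIGNING` is rather than a guaranteed JSON boolean; if that flag is anything other than a plain `bool` (the `features` module is not visible here) clients see a non-boolean value or serialization fails. Pinning the type costs nothing: `'trust_enabled': bool(features.SIGNING and repo.trust_enabled),`. The enclosing method starts and ends outside the hunk.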
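Review bot: The new guard in `get` tests `repo.trust_enabled` alone, while the `repository.py` change in this same commit reports `trust_enabled` as `features.SIGNING and repo.trust_enabled`, so a repository whose row has trust enabled while the SIGNING feature is off is reported as untrusted by one endpoint and still served signatures by this one, unless the resource is wrapped in `show_if(features.SIGNING)` above the hunk (that decorator is imported but its use is not visible). `features` is already imported in this module, so the check can mirror the other site: `if repo is None or not (features.SIGNING and repo.trust_enabled):`. Assuming `require_repo_read` (imported above) is applied to this method, the lookup runs only after read permission has been established, so the 404 does not disclose repository existence to unauthorized callers; that contract is worth stating in the docstring, e.g. `Returns 404 if the repository does not exist or does not have trust enabled.` The class header and any further decorators on `get` are outside the hunk.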
diff --git a/endpoints/api/test/test_security.py b/endpoints/api/test/test_security.py index bfcae8b99..a65ca7b0e 100644 --- a/endpoints/api/test/test_security.py +++ b/endpoints/api/test/test_security.py @@ -39,11 +39,11 @@ REPO_PARAMS = {'repository': 'devtable/someapp'} (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'freshuser', 403), (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'reader', 403), (SuperUserRepositoryBuildResource, 'GET', BUILD_PARAMS, None, 'devtable', 404), - + (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'freshuser', 403), (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'reader', 403), - (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'devtable', 200), - + (RepositorySignatures, 'GET', REPO_PARAMS, {}, 'devtable', 404), + (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, None, 403), (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'freshuser', 403), (RepositoryTrust, 'POST', REPO_PARAMS, {'trust_enabled': True}, 'reader', 403), diff --git a/endpoints/api/test/test_signing.py b/endpoints/api/test/test_signing.py index 93ac94be6..056fdad7f 100644 --- a/endpoints/api/test/test_signing.py +++ b/endpoints/api/test/test_signing.py @@ -30,7 +30,7 @@ def tags_equal(expected, actual): return expected == actual @pytest.mark.parametrize('targets,expected', [ - (VALID_TARGETS, {'tags': VALID_TARGETS, 'expiration': 'expires'}), + (VALID_TARGETS, {'tags': VALID_TARGETS, 'expiration': 'expires'}), ({'bad': 'tags'}, {'tags': {'bad': 'tags'}, 'expiration': 'expires'}), ({}, {'tags': {}, 'expiration': 'expires'}), (None, {'tags': None, 'expiration': 'expires'}), # API returns None on exceptions 
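Review bot: The `RepositorySignatures` rows cover `freshuser`, `reader` and `devtable` but, unlike the `RepositoryTrust` rows just below them, have no anonymous case, so the table never asserts that an unauthenticated caller is rejected before the new repository lookup in the handler runs. Adding `(RepositorySignatures, 'GET', REPO_PARAMS, {}, None, 403),` next to the other three pins that ordering, with the status matching what the existing anonymous `RepositoryTrust` row expects. The `devtable` expectation moving from 200 to 404 presumably reflects `devtable/someapp` not having trust enabled in the fixture; a short comment on that row, e.g. `# someapp has trust disabled -> 404`, would save the next reader from re-deriving it.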
@@ -39,5 +39,5 @@ def test_get_signatures(targets, expected, client):
 with patch('endpoints.api.signing.tuf_metadata_api') as mock_tuf:
 mock_tuf.get_default_tags_with_expiration.return_value = (targets, 'expires')
 with client_with_identity('devtable', client) as cl:
- params = {'repository': 'devtable/repo'}
+ params = {'repository': 'devtable/trusted'}
 assert tags_equal(expected, conduct_api_call(cl, RepositorySignatures, 'GET', params, None, 200).json)
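Review bot: Switching the target to `devtable/trusted` keeps every parametrized case on the trust-enabled path, so the branch this commit adds to `RepositorySignatures.get` — `NotFound` for a missing repository or one without trust enabled — has no case in this file, and the test now silently depends on the fixture marking `devtable/trusted` as trusted while only `tuf_metadata_api` is mocked. A second test that requests a repository with trust disabled and expects 404 would cover it, e.g. `conduct_api_call(cl, RepositorySignatures, 'GET', {'repository': 'devtable/simple'}, None, 404)`, substituting whichever fixture repository has trust disabled, and asserting `mock_tuf.get_default_tags_with_expiration` was not called would confirm the lookup short-circuits before reaching the TUF API. The test function's `def` line is in the hunk header, just above the first context line.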