Use TUF metadata to determine version to download when packaging

pkg/packaging/assets/tuf/root.json

@@ -0,0 +1 @@
+{"signed":{"_type":"root","spec_version":"1.0","version":2,"expires":"2024-03-22T21:44:33Z","keys":{"53a3eb57d9f5e755ec73e95429033b78423c9c01cef8c8d4e9911b6fe01198c8":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"344ca850ae47f65f6ffd6e9e6268524a237401000dcb892b9ddad82ca0083a65"}},"73523c7f3dabaea3dac72a6b6c55e6c620d83b8b957028da8107ab28178c71c5":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"a3c0d9907c2123bb7a9cb77e5d511ff471bc577f6ae2ddb6f85184749b2d4f99"}},"bcd5f36e7a357e7fba38b6b7c531f7fcf509eb2da2cfcdfa94bce99ad18a7317":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"8adc59a24b5c044794e002002792a4306bb63337d1f2cec961dbe68ccafdc874"}},"e434c83555ba93337e91c073095a164e4ae66f01a91cf5e8d4228f2382568d19":{"keytype":"ed25519","scheme":"ed25519","keyid_hash_algorithms":["sha256","sha512"],"keyval":{"public":"785323acb700ba835da550c1ac56300cf87890b4367c7cb1c14c1299e5e37075"}}},"roles":{"root":{"keyids":["73523c7f3dabaea3dac72a6b6c55e6c620d83b8b957028da8107ab28178c71c5"],"threshold":1},"snapshot":{"keyids":["bcd5f36e7a357e7fba38b6b7c531f7fcf509eb2da2cfcdfa94bce99ad18a7317"],"threshold":1},"targets":{"keyids":["e434c83555ba93337e91c073095a164e4ae66f01a91cf5e8d4228f2382568d19"],"threshold":1},"timestamp":{"keyids":["53a3eb57d9f5e755ec73e95429033b78423c9c01cef8c8d4e9911b6fe01198c8"],"threshold":1}},"consistent_snapshot":true},"signatures":[{"keyid":"73523c7f3dabaea3dac72a6b6c55e6c620d83b8b957028da8107ab28178c71c5","sig":"bd84882a4358e0b3393ec5f36bbec039d8915ecc1e8c1858c369f8622216ee7d8c89694d843f92a77adda102fc9dec29d57d7e0fa28137a8f854e9eb87745c09"},{"keyid":"bd9bbc72f9a1c7cd5998c94b5a31fedb997315f81758f90dbe393743ec984508","sig":"ac868cb7a3e764cb333059e698ceb65107e8e7e396e83a4cfc3a8bac43d31f40d10e2784612c83257063c6198e6b1edc907219a14e0edcabc6031f0f44fe930e"}]}

pkg/packaging/fetch.go

@@ -2,6 +2,8 @@ package packaging
 
 import (
 	"context"
+	_ "embed"
+	"encoding/json"
 	"errors"
 	"fmt"
 	"io"
@@ -14,7 +16,8 @@ import (
 	"github.com/go-kit/kit/log/level"
 	"github.com/kolide/kit/fsutil"
 	"github.com/kolide/launcher/pkg/contexts/ctxlog"
-
+	"github.com/theupdateframework/go-tuf/client"
+	filejsonstore "github.com/theupdateframework/go-tuf/client/filejsonstore"
 	"go.opencensus.io/trace"
 )
 
@@ -24,7 +27,7 @@ import (
 // succeed.
 //
 // You must specify a localCacheDir, to reuse downloads
-func FetchBinary(ctx context.Context, localCacheDir, name, binaryName, version string, target Target) (string, error) {
+func FetchBinary(ctx context.Context, localCacheDir, name, binaryName, channelOrVersion string, target Target) (string, error) {
 	ctx, span := trace.StartSpan(ctx, "packaging.fetchbinary")
 	defer span.End()
 
@@ -35,19 +38,22 @@ func FetchBinary(ctx context.Context, localCacheDir, name, binaryName, version s
 		return "", errors.New("empty cache dir argument")
 	}
 
-	localBinaryPath := filepath.Join(localCacheDir, fmt.Sprintf("%s-%s-%s", name, target.Platform, version), binaryName)
-	localPackagePath := filepath.Join(localCacheDir, fmt.Sprintf("%s-%s-%s.tar.gz", name, target.Platform, version))
+	localBinaryPath := filepath.Join(localCacheDir, fmt.Sprintf("%s-%s-%s", name, target.Platform, channelOrVersion), binaryName)
+	localPackagePath := filepath.Join(localCacheDir, fmt.Sprintf("%s-%s-%s.tar.gz", name, target.Platform, channelOrVersion))
 
 	// See if a local package exists on disk already. If so, return the cached path
 	if _, err := os.Stat(localBinaryPath); err == nil {
 		return localBinaryPath, nil
 	}
 
-	// If not we have to download the package. First, create download
-	// URI. Notary stores things by name, sans extension. So just strip
-	// it off.
+	// First, create download URI. The download mirror stores binaries by their name, without a file extension,
+	// so strip that off first.
 	baseName := strings.TrimSuffix(name, filepath.Ext(name))
-	url := fmt.Sprintf("https://dl.kolide.co/%s", dlTarPath(baseName, version, string(target.Platform)))
+	downloadPath, err := dlTarPath(baseName, channelOrVersion, string(target.Platform), string(target.Arch))
+	if err != nil {
+		return "", fmt.Errorf("could not get download path: %w", err)
+	}
+	url := fmt.Sprintf("https://dl.kolide.co/%s", downloadPath)
 
 	level.Debug(logger).Log(
 		"msg", "starting download",
@@ -108,6 +114,81 @@ func FetchBinary(ctx context.Context, localCacheDir, name, binaryName, version s
 	return localBinaryPath, nil
 }
 
-func dlTarPath(name, version, platform string) string {
-	return path.Join("kolide", name, platform, fmt.Sprintf("%s-%s.tar.gz", name, version))
+func dlTarPath(name, channelOrVersion, platform, arch string) (string, error) {
+	// Figure out if we're downloading a specific version or a channel
+	isChannel := channelOrVersion == "stable" || channelOrVersion == "beta" || channelOrVersion == "nightly" || channelOrVersion == "alpha"
+
+	if !isChannel {
+		// We're requesting a version, not a channel, so we already know where the download lives.
+		return dlTarPathFromVersion(name, channelOrVersion, platform, arch), nil
+	}
+
+	version, err := getReleaseVersionFromTufRepo(name, channelOrVersion, platform, arch)
+	if err != nil {
+		return "", fmt.Errorf("could not find release version for channel %s: %w", channelOrVersion, err)
+	}
+
+	return dlTarPathFromVersion(name, version, platform, arch), nil
+}
+
+func dlTarPathFromVersion(name, version, platform, arch string) string {
+	return path.Join("kolide", name, platform, arch, fmt.Sprintf("%s-%s.tar.gz", name, version))
+}
+
+//go:embed assets/tuf/root.json
+var rootJson []byte
+
+func getReleaseVersionFromTufRepo(binaryName, channel, platform, arch string) (string, error) {
+	tempDir, err := os.MkdirTemp(os.TempDir(), "tuf")
+	if err != nil {
+		return "", fmt.Errorf("making temp TUF dir: %w", err)
+	}
+	defer os.RemoveAll(tempDir)
+
+	// Ensure that directory permissions are correct, otherwise TUF will fail to initialize. We cannot
+	// have permissions in excess of -rwxr-x---.
+	if err := os.Chmod(tempDir, 0750); err != nil {
+		return "", fmt.Errorf("chmodding local TUF directory %s: %w", tempDir, err)
+	}
+
+	// Set up our local store i.e. point to the directory in our filesystem
+	localStore, err := filejsonstore.NewFileJSONStore(tempDir)
+	if err != nil {
+		return "", fmt.Errorf("could not initialize local TUF store: %w", err)
+	}
+
+	// Set up our remote store i.e. tuf.kolide.com
+	remoteStore, err := client.HTTPRemoteStore("https://tuf.kolide.com", &client.HTTPRemoteOptions{
+		MetadataPath: "/repository",
+	}, http.DefaultClient)
+	if err != nil {
+		return "", fmt.Errorf("could not initialize remote TUF store: %w", err)
+	}
+
+	metadataClient := client.NewClient(localStore, remoteStore)
+	if err := metadataClient.Init(rootJson); err != nil {
+		return "", fmt.Errorf("failed to initialize TUF client with root JSON: %w", err)
+	}
+
+	if _, err := metadataClient.Update(); err != nil {
+		return "", fmt.Errorf("failed to update metadata: %w", err)
+	}
+
+	targetToFind := path.Join(binaryName, platform, arch, channel, "release.json")
+	foundTarget, err := metadataClient.Target(targetToFind)
+	if err != nil {
+		return "", fmt.Errorf("finding target metadata %s: %w", targetToFind, err)
+	}
+
+	var custom struct {
+		Target string `json:"target"`
+	}
+	if err := json.Unmarshal(*foundTarget.Custom, &custom); err != nil {
+		return "", fmt.Errorf("could not unmarshal release file custom metadata: %w", err)
+	}
+
+	targetFilename := filepath.Base(custom.Target)
+
+	// Target looks like <binary>-<version>.tar.gz -- strip off extension and binary name to get version
+	return strings.TrimSuffix(strings.TrimPrefix(targetFilename, fmt.Sprintf(binaryName+"-")), ".tar.gz"), nil
 }