tuftool: Remove KeySource enum, use tough-ssm and KeySource trait

This is a decent set of changes to tuftool. It fully removes the
KeySource enum in source.rs and instead uses the KeySource trait
from tough.

This commit also removes all SSM related code in favor of the
tough-ssm crate (which is a copy of this code).

It also removes the deref.rs file, as it is no longer need because
these features have stabilized in upstream Rust. See:
rust-lang/rust#50264
and
rust-lang/rust#64708

Author: zmrow

tough-ssm/src/lib.rs

@@ -72,9 +72,7 @@ impl KeySource for SsmKeySource {
         &self,
     ) -> std::result::Result<Box<dyn Sign>, Box<dyn std::error::Error + Send + Sync + 'static>>
     {
-        //fn as_sign(&self) -> std::result::Result<Box<dyn Sign>, Self::Error> {
         let data = &self.read()?;
-        //let sign: Box<dyn Sign> = Box::new(parse_keypair(&data).context(error::KeyPairParse)?);
         let sign = Box::new(parse_keypair(&data).context(error::KeyPairParse)?);
         Ok(sign)
     }

tuftool/Cargo.toml

@@ -34,6 +34,7 @@ tempfile = "3.1.0"
 url = "2.1.0"
 walkdir = "2.2.9"
 tough = { version = "0.5.0", path = "../tough", features = ["http"] }
+tough-ssm = { version = "0.1.0", path = "../tough-ssm" }
 tokio = "0.2.13"
 
 [dev-dependencies]

tuftool/src/create.rs

@@ -6,7 +6,7 @@ use crate::error::{self, Result};
 use crate::key::RootKeys;
 use crate::metadata;
 use crate::root_digest::RootDigest;
-use crate::source::KeySource;
+use crate::source::parse_key_source;
 use chrono::{DateTime, Utc};
 use maplit::hashmap;
 use rayon::prelude::*;
@@ -20,6 +20,7 @@ use std::io::Read;
 use std::num::{NonZeroU64, NonZeroUsize};
 use std::path::{Path, PathBuf};
 use structopt::StructOpt;
+use tough::key_source::KeySource;
 use tough::schema::{
     decoded::Decoded, Hashes, Role, Snapshot, SnapshotMeta, Target, Targets, Timestamp,
     TimestampMeta,
@@ -37,8 +38,8 @@ pub(crate) struct CreateArgs {
     jobs: Option<NonZeroUsize>,
 
     /// Key files to sign with
-    #[structopt(short = "k", long = "key", required = true)]
-    keys: Vec<KeySource>,
+    #[structopt(short = "k", long = "key", required = true, parse(try_from_str = parse_key_source))]
+    keys: Vec<Box<dyn KeySource>>,
 
     /// Version of snapshot.json file
     #[structopt(long = "snapshot-version")]

tuftool/src/deref.rs

@@ -6,9 +6,6 @@
 use snafu::{Backtrace, Snafu};
 use std::path::PathBuf;
 
-#[cfg(any(feature = "rusoto-native-tls", feature = "rusoto-rustls"))]
-use crate::deref::OptionDeref;
-
 pub(crate) type Result<T> = std::result::Result<T, Error>;
 
 #[derive(Debug, Snafu)]
@@ -124,14 +121,6 @@ pub(crate) enum Error {
         backtrace: Backtrace,
     },
 
-    #[snafu(display("{}: {}", path.display(), source))]
-    Key {
-        path: PathBuf,
-        #[snafu(source(from(Error, Box::new)))]
-        #[snafu(backtrace)]
-        source: Box<Self>,
-    },
-
     #[snafu(display("Duplicate key ID: {}", key_id))]
     KeyDuplicate {
         key_id: String,
@@ -150,6 +139,12 @@ pub(crate) enum Error {
         backtrace: Backtrace,
     },
 
+    #[snafu(display("Unable to parse keypair: {}", source))]
+    KeyPairFromKeySource {
+        source: Box<dyn std::error::Error + Send + Sync + 'static>,
+        backtrace: Backtrace,
+    },
+
     #[snafu(display("Unable to match any of the provided keys with root.json"))]
     KeysNotFoundInRoot { backtrace: Backtrace },
 
@@ -200,28 +195,6 @@ pub(crate) enum Error {
         backtrace: Backtrace,
     },
 
-    #[cfg(any(feature = "rusoto-native-tls", feature = "rusoto-rustls"))]
-    #[snafu(display("Error creating AWS credentials provider: {}", source))]
-    RusotoCreds {
-        source: rusoto_credential::CredentialsError,
-        backtrace: Backtrace,
-    },
-
-    #[cfg(any(feature = "rusoto-native-tls", feature = "rusoto-rustls"))]
-    #[snafu(display("Unknown AWS region \"{}\": {}", region, source))]
-    RusotoRegion {
-        region: String,
-        source: rusoto_core::region::ParseRegionError,
-        backtrace: Backtrace,
-    },
-
-    #[cfg(any(feature = "rusoto-native-tls", feature = "rusoto-rustls"))]
-    #[snafu(display("Error creating AWS request dispatcher: {}", source))]
-    RusotoTls {
-        source: rusoto_core::request::TlsError,
-        backtrace: Backtrace,
-    },
-
     #[snafu(display("Failed to sign message"))]
     Sign {
         source: tough::error::Error,
@@ -234,41 +207,6 @@ pub(crate) enum Error {
         backtrace: Backtrace,
     },
 
-    #[cfg(any(feature = "rusoto-native-tls", feature = "rusoto-rustls"))]
-    #[snafu(display(
-        "Failed to get aws-ssm://{}{}: {}",
-        profile.deref_shim().unwrap_or(""),
-        parameter_name,
-        source,
-    ))]
-    SsmGetParameter {
-        profile: Option<String>,
-        parameter_name: String,
-        source: rusoto_core::RusotoError<rusoto_ssm::GetParameterError>,
-        backtrace: Backtrace,
-    },
-
-    #[cfg(any(feature = "rusoto-native-tls", feature = "rusoto-rustls"))]
-    #[snafu(display(
-        "Failed to put aws-ssm://{}{}: {}",
-        profile.deref_shim().unwrap_or(""),
-        parameter_name,
-        source,
-    ))]
-    SsmPutParameter {
-        profile: Option<String>,
-        parameter_name: String,
-        source: rusoto_core::RusotoError<rusoto_ssm::PutParameterError>,
-        backtrace: Backtrace,
-    },
-
-    #[cfg(any(feature = "rusoto-native-tls", feature = "rusoto-rustls"))]
-    #[snafu(display("Missing field in SSM response: {}", field))]
-    SsmMissingField {
-        field: &'static str,
-        backtrace: Backtrace,
-    },
-
     #[snafu(display("Target not found: {}", target))]
     TargetNotFound {
         target: String,
@@ -309,6 +247,12 @@ pub(crate) enum Error {
         backtrace: Backtrace,
     },
 
+    #[snafu(display("Failed write: {}", source))]
+    WriteKeySource {
+        source: Box<dyn std::error::Error + Send + Sync + 'static>,
+        backtrace: Backtrace,
+    },
+
     #[snafu(display("Failed writing target data to disk: {}", source))]
     WriteTarget {
         source: std::io::Error,

tuftool/src/error.rs

@@ -13,7 +13,6 @@
 
 mod create;
 mod datetime;
-mod deref;
 mod download;
 mod error;
 mod key;
@@ -23,7 +22,6 @@ mod root;
 mod root_digest;
 mod sign;
 mod source;
-mod ssm;
 
 use crate::error::Result;
 use snafu::{ErrorCompat, OptionExt, ResultExt};

tuftool/src/main.rs

@@ -5,7 +5,7 @@ use crate::datetime::parse_datetime;
 use crate::error::{self, Result};
 use crate::metadata;
 use crate::root_digest::RootDigest;
-use crate::source::KeySource;
+use crate::source::parse_key_source;
 use chrono::{DateTime, Utc};
 use maplit::hashmap;
 use ring::rand::SystemRandom;
@@ -15,6 +15,7 @@ use std::fs::File;
 use std::num::{NonZeroU64, NonZeroUsize};
 use std::path::PathBuf;
 use structopt::StructOpt;
+use tough::key_source::KeySource;
 use tough::schema::{Hashes, Snapshot, SnapshotMeta, Targets, Timestamp, TimestampMeta};
 use tough::{FilesystemTransport, HttpTransport, Limits, Repository, Transport};
 use url::Url;
@@ -42,8 +43,8 @@ pub(crate) struct RefreshArgs {
     jobs: Option<NonZeroUsize>,
 
     /// Key files to sign with
-    #[structopt(short = "k", long = "key", required = true)]
-    keys: Vec<KeySource>,
+    #[structopt(short = "k", long = "key", required = true, parse(try_from_str = parse_key_source))]
+    keys: Vec<Box<dyn KeySource>>,
 
     /// Version of snapshot.json file
     #[structopt(long = "snapshot-version")]

tuftool/src/refresh.rs

@@ -3,7 +3,7 @@
 
 use crate::datetime::parse_datetime;
 use crate::error::{self, Result};
-use crate::source::KeySource;
+use crate::source::parse_key_source;
 use crate::{load_file, write_file};
 use chrono::{DateTime, Timelike, Utc};
 use maplit::hashmap;
@@ -12,6 +12,7 @@ use std::collections::HashMap;
 use std::num::NonZeroU64;
 use std::path::PathBuf;
 use structopt::StructOpt;
+use tough::key_source::KeySource;
 use tough::schema::decoded::{Decoded, Hex};
 use tough::schema::{key::Key, RoleKeys, RoleType, Root, Signed};
 use tough::sign::{parse_keypair, Sign};
@@ -51,7 +52,8 @@ pub(crate) enum Command {
         /// Path to root.json
         path: PathBuf,
         /// The new key
-        key_path: KeySource,
+        #[structopt(parse(try_from_str = parse_key_source))]
+        key_path: Box<dyn KeySource>,
         /// The role to add the key to
         #[structopt(short = "r", long = "role")]
         roles: Vec<RoleType>,
@@ -71,7 +73,8 @@ pub(crate) enum Command {
         /// Path to root.json
         path: PathBuf,
         /// Where to write the new key
-        key_path: KeySource,
+        #[structopt(parse(try_from_str = parse_key_source))]
+        key_path: Box<dyn KeySource>,
         /// Bit length of new key
         #[structopt(short = "b", long = "bits", default_value = "2048")]
         bits: u16,
@@ -181,9 +184,13 @@ impl Command {
         write_file(path, &root)
     }
 
-    fn add_key(path: &PathBuf, roles: &[RoleType], key_path: &KeySource) -> Result<()> {
+    #[allow(clippy::borrowed_box)]
+    fn add_key(path: &PathBuf, roles: &[RoleType], key_path: &Box<dyn KeySource>) -> Result<()> {
         let mut root: Signed<Root> = load_file(path)?;
-        let key_pair = key_path.as_public_key()?;
+        let key_pair = key_path
+            .as_sign()
+            .context(error::KeyPairFromKeySource)?
+            .tuf_key();
         let key_id = hex::encode(add_key(&mut root.signed, roles, key_pair)?);
         clear_sigs(&mut root);
         println!("{}", key_id);
@@ -214,10 +221,11 @@ impl Command {
         write_file(path, &root)
     }
 
+    #[allow(clippy::borrowed_box)]
     fn gen_rsa_key(
         path: &PathBuf,
         roles: &[RoleType],
-        key_path: &KeySource,
+        key_path: &Box<dyn KeySource>,
         bits: u16,
         exponent: u32,
     ) -> Result<()> {
@@ -247,7 +255,9 @@ impl Command {
 
         let key_pair = parse_keypair(stdout.as_bytes()).context(error::KeyPairParse)?;
         let key_id = hex::encode(add_key(&mut root.signed, roles, key_pair.tuf_key())?);
-        key_path.write(&stdout, &key_id)?;
+        key_path
+            .write(&stdout, &key_id)
+            .context(error::WriteKeySource)?;
         clear_sigs(&mut root);
         println!("{}", key_id);
         write_file(path, &root)

tuftool/src/root.rs

@@ -1,12 +1,12 @@
 use crate::error;
 use crate::error::Result;
 use crate::key::RootKeys;
-use crate::source::KeySource;
 use ring::digest::{SHA256, SHA256_OUTPUT_LEN};
 use snafu::ensure;
 use snafu::ResultExt;
 use std::collections::HashMap;
 use std::path::PathBuf;
+use tough::key_source::KeySource;
 use tough::schema::{Root, Signed};
 
 /// Represents a loaded root.json file along with its sha256 digest and size in bytes
@@ -56,10 +56,10 @@ impl RootDigest {
     ///
     /// * An error can occur for io reasons
     ///
-    pub(crate) fn load_keys(&self, keys: &[KeySource]) -> Result<RootKeys> {
+    pub(crate) fn load_keys(&self, keys: &[Box<dyn KeySource>]) -> Result<RootKeys> {
         let mut map = HashMap::new();
         for source in keys {
-            let key_pair = source.as_sign()?;
+            let key_pair = source.as_sign().context(error::KeyPairFromKeySource)?;
             if let Some((keyid, _)) = self
                 .root
                 .keys

tuftool/src/root_digest.rs

@@ -4,13 +4,14 @@
 use crate::error::Result;
 use crate::key::sign_metadata;
 use crate::root_digest::RootDigest;
-use crate::source::KeySource;
+use crate::source::parse_key_source;
 use crate::{load_file, write_file};
 use ring::rand::SystemRandom;
 use serde::{Deserialize, Serialize};
 use std::collections::HashMap;
 use std::path::PathBuf;
 use structopt::StructOpt;
+use tough::key_source::KeySource;
 use tough::schema::{RoleType, Signed};
 
 #[derive(Debug, StructOpt)]
@@ -20,8 +21,8 @@ pub(crate) struct SignArgs {
     root: PathBuf,
 
     /// Key files to sign with
-    #[structopt(short = "k", long = "key")]
-    keys: Vec<KeySource>,
+    #[structopt(short = "k", long = "key", parse(try_from_str = parse_key_source))]
+    keys: Vec<Box<dyn KeySource>>,
 
     /// Metadata file to sign
     metadata_file: PathBuf,