fix tests. new product advisories enhancements

devops/trust-repo-template/scripts/revoke-target.sh

@@ -0,0 +1,189 @@
+#!/bin/bash
+# -----------------------------------------------------------------------------
+# revoke-target.sh
+# Sprint: SPRINT_20260125_003_Attestor_trust_workflows_conformance
+# Task: WORKFLOW-002 - Create key rotation workflow script
+# Description: Remove a target from the TUF repository
+# -----------------------------------------------------------------------------
+
+set -euo pipefail
+
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+YELLOW='\033[1;33m'
+NC='\033[0m'
+
+log_info() { echo -e "${GREEN}[INFO]${NC} $1"; }
+log_warn() { echo -e "${YELLOW}[WARN]${NC} $1"; }
+log_error() { echo -e "${RED}[ERROR]${NC} $1"; }
+
+usage() {
+    echo "Usage: $0 <target-name> [options]"
+    echo ""
+    echo "Remove a target from the TUF repository."
+    echo ""
+    echo "Arguments:"
+    echo "  target-name          Name of target to remove (e.g., rekor-key-v1)"
+    echo ""
+    echo "Options:"
+    echo "  --repo DIR           TUF repository directory (default: current directory)"
+    echo "  --archive            Archive target file instead of deleting"
+    echo "  -h, --help           Show this help message"
+    echo ""
+    echo "Example:"
+    echo "  $0 rekor-key-v1 --repo /path/to/tuf --archive"
+    exit 1
+}
+
+TARGET_NAME=""
+REPO_DIR="."
+ARCHIVE=false
+
+while [[ $# -gt 0 ]]; do
+    case $1 in
+        --repo) REPO_DIR="$2"; shift 2 ;;
+        --archive) ARCHIVE=true; shift ;;
+        -h|--help) usage ;;
+        -*)
+            log_error "Unknown option: $1"
+            usage
+            ;;
+        *)
+            if [[ -z "$TARGET_NAME" ]]; then
+                TARGET_NAME="$1"
+            else
+                log_error "Unexpected argument: $1"
+                usage
+            fi
+            shift
+            ;;
+    esac
+done
+
+if [[ -z "$TARGET_NAME" ]]; then
+    log_error "Target name is required"
+    usage
+fi
+
+TARGETS_DIR="$REPO_DIR/targets"
+TARGETS_JSON="$REPO_DIR/targets.json"
+
+if [[ ! -d "$TARGETS_DIR" ]]; then
+    log_error "Targets directory not found: $TARGETS_DIR"
+    exit 1
+fi
+
+if [[ ! -f "$TARGETS_JSON" ]]; then
+    log_error "targets.json not found: $TARGETS_JSON"
+    exit 1
+fi
+
+# Find the target file
+TARGET_FILE=""
+for ext in "" ".pub" ".json" ".pem"; do
+    if [[ -f "$TARGETS_DIR/${TARGET_NAME}${ext}" ]]; then
+        TARGET_FILE="$TARGETS_DIR/${TARGET_NAME}${ext}"
+        break
+    fi
+done
+
+if [[ -z "$TARGET_FILE" ]]; then
+    log_warn "Target file not found in $TARGETS_DIR"
+    log_info "Continuing to remove from targets.json..."
+fi
+
+echo ""
+echo "================================================"
+echo "  TUF Target Revocation"
+echo "================================================"
+echo ""
+log_info "Repository: $REPO_DIR"
+log_info "Target: $TARGET_NAME"
+if [[ -n "$TARGET_FILE" ]]; then
+    log_info "File: $TARGET_FILE"
+fi
+echo ""
+
+log_warn "This will remove the target from the TUF repository."
+log_warn "Clients will no longer be able to fetch this target after sync."
+read -p "Type 'REVOKE' to proceed: " CONFIRM
+if [[ "$CONFIRM" != "REVOKE" ]]; then
+    log_error "Aborted"
+    exit 1
+fi
+
+# Remove or archive the file
+if [[ -n "$TARGET_FILE" ]]; then
+    if [[ "$ARCHIVE" == "true" ]]; then
+        ARCHIVE_DIR="$REPO_DIR/archived"
+        mkdir -p "$ARCHIVE_DIR"
+        TIMESTAMP=$(date -u +%Y%m%d%H%M%S)
+        ARCHIVE_NAME="$(basename "$TARGET_FILE")-revoked-${TIMESTAMP}"
+        mv "$TARGET_FILE" "$ARCHIVE_DIR/$ARCHIVE_NAME"
+        log_info "Archived to: $ARCHIVE_DIR/$ARCHIVE_NAME"
+    else
+        rm -f "$TARGET_FILE"
+        log_info "Deleted: $TARGET_FILE"
+    fi
+fi
+
+# Update targets.json
+if command -v python3 &>/dev/null; then
+    python3 - "$TARGETS_JSON" "$TARGET_NAME" << 'PYTHON_SCRIPT'
+import json
+import sys
+
+targets_json = sys.argv[1]
+target_name = sys.argv[2]
+
+with open(targets_json) as f:
+    data = json.load(f)
+
+# Find and remove the target
+targets = data.get('signed', {}).get('targets', {})
+removed = False
+
+# Try different name variations
+names_to_try = [
+    target_name,
+    f"{target_name}.pub",
+    f"{target_name}.json",
+    f"{target_name}.pem"
+]
+
+for name in names_to_try:
+    if name in targets:
+        del targets[name]
+        removed = True
+        print(f"Removed from targets.json: {name}")
+        break
+
+if not removed:
+    print(f"Warning: Target '{target_name}' not found in targets.json")
+    sys.exit(0)
+
+# Update version
+if 'signed' in data:
+    data['signed']['version'] = data['signed'].get('version', 0) + 1
+
+with open(targets_json, 'w') as f:
+    json.dump(data, f, indent=2)
+
+print(f"Updated: {targets_json}")
+PYTHON_SCRIPT
+else
+    log_warn "Python not available. Manual update of targets.json required."
+    log_warn "Remove the '$TARGET_NAME' entry from $TARGETS_JSON"
+fi
+
+echo ""
+log_info "Target revocation prepared."
+echo ""
+log_warn "NEXT STEPS (REQUIRED):"
+echo "  1. Re-sign targets.json with targets key"
+echo "  2. Update snapshot.json and sign with snapshot key"
+echo "  3. Update timestamp.json and sign with timestamp key"
+echo "  4. Deploy updated metadata to TUF server"
+echo ""
+log_info "Clients will stop trusting '$TARGET_NAME' after their next sync."
+echo ""