feat: pass logger into repo and client

client/client.go

@@ -5,6 +5,7 @@ import (
 	"encoding/hex"
 	"encoding/json"
 	"io"
+	"log"
 
 	"github.com/theupdateframework/go-tuf/data"
 	"github.com/theupdateframework/go-tuf/util"
@@ -88,6 +89,10 @@ type Client struct {
 	// consistent snapshots (as specified in root.json)
 	consistentSnapshot bool
 
+	// this is an optional log writer.
+	// if nil, uses io.Discard
+	logger *log.Logger
+
 	// MaxDelegations limits by default the number of delegations visited for any
 	// target
 	MaxDelegations int
@@ -96,13 +101,26 @@ type Client struct {
 	MaxRootRotations int
 }
 
-func NewClient(local LocalStore, remote RemoteStore) *Client {
-	return &Client{
+type ClientOpts func(c *Client)
+
+func WithLogger(logger *log.Logger) ClientOpts {
+	return func(c *Client) {
+		c.logger = logger
+	}
+}
+
+func NewClient(local LocalStore, remote RemoteStore, opts ...ClientOpts) *Client {
+	client := &Client{
 		local:            local,
 		remote:           remote,
 		MaxDelegations:   defaultMaxDelegations,
 		MaxRootRotations: defaultMaxRootRotations,
+		logger:           log.New(io.Discard, "", 0),
+	}
+	for _, opt := range opts {
+		opt(client)
 	}
+	return client
 }
 
 // Init initializes a local repository from root metadata.
@@ -452,7 +470,8 @@ func (c *Client) loadAndVerifyRootMeta(rootJSON []byte, ignoreExpiredCheck bool)
 	if err := json.Unmarshal(s.Signed, root); err != nil {
 		return err
 	}
-	ndb := verify.NewDB()
+
+	ndb := verify.NewDB(verify.WithLogger(c.logger))
 	for id, k := range root.Keys {
 		if err := ndb.AddKey(id, k); err != nil {
 			return err
@@ -500,7 +519,7 @@ func (c *Client) verifyRoot(aJSON []byte, bJSON []byte) (*data.Root, error) {
 		return nil, err
 	}
 
-	ndb := verify.NewDB()
+	ndb := verify.NewDB(verify.WithLogger(c.logger))
 	for id, k := range aRoot.Keys {
 		if err := ndb.AddKey(id, k); err != nil {
 			return nil, err

client/delegations.go

@@ -43,7 +43,8 @@ func (c *Client) getTargetFileMeta(target string) (data.TargetFileMeta, error) {
 		}
 
 		if targets.Delegations != nil {
-			delegationsDB, err := verify.NewDBFromDelegations(targets.Delegations)
+			delegationsDB, err := verify.NewDBFromDelegations(targets.Delegations,
+				verify.WithLogger(c.logger))
 			if err != nil {
 				return data.TargetFileMeta{}, err
 			}

pkg/deprecated/deprecated_repo_test.go

@@ -1,11 +1,14 @@
 package deprecated
 
 import (
+	"bytes"
 	"crypto"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/json"
+	"log"
+	"strings"
 	"testing"
 
 	"github.com/secure-systems-lab/go-securesystemslib/cjson"
@@ -34,7 +37,10 @@ func genKey(c *C, r *repo.Repo, role string) []string {
 func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) {
 	files := map[string][]byte{"foo.txt": []byte("foo")}
 	local := repo.MemoryStore(make(map[string]json.RawMessage), files)
-	r, err := repo.NewRepo(local)
+	var logBytes bytes.Buffer
+	opts := repo.WithLogger(log.New(&logBytes, "", 0))
+
+	r, err := repo.NewRepoWithOpts(local, opts)
 	c.Assert(err, IsNil)
 
 	r.Init(false)
@@ -79,4 +85,7 @@ func (rs *RepoSuite) TestDeprecatedHexEncodedKeysSucceed(c *C) {
 	c.Assert(r.Snapshot(), IsNil)
 	c.Assert(r.Timestamp(), IsNil)
 	c.Assert(r.Commit(), IsNil)
+
+	// Check logs.
+	c.Assert(strings.Contains(logBytes.String(), keys.WarnDeprecatedEcdsaKey), Equals, true)
 }

pkg/keys/deprecated_ecdsa.go

@@ -9,28 +9,44 @@ import (
 	"errors"
 	"fmt"
 	"io"
-	"os"
+	"log"
 
 	"github.com/theupdateframework/go-tuf/data"
 )
 
-func NewDeprecatedEcdsaVerifier() Verifier {
-	return &ecdsaVerifierWithDeprecatedSupport{}
+var (
+	WarnDeprecatedEcdsaKey = "tuf: warning using deprecated ecdsa hex-encoded keys"
+)
+
+func NewDeprecatedEcdsaVerifier(opts ...VerifierOpts) Verifier {
+	verifier := &ecdsaVerifierWithDeprecatedSupport{
+		logger: log.New(io.Discard, "", log.LstdFlags),
+	}
+	for _, opt := range opts {
+		if opt.Logger != nil {
+			verifier.logger = opt.Logger
+		}
+	}
+	return verifier
 }
 
 type ecdsaVerifierWithDeprecatedSupport struct {
 	key *data.PublicKey
 	// This will switch based on whether this is a PEM-encoded key
 	// or a deprecated hex-encoded key.
 	Verifier
+	// This is used to write the deprecated warning to.
+	logger *log.Logger
 }
 
 func (p *ecdsaVerifierWithDeprecatedSupport) UnmarshalPublicKey(key *data.PublicKey) error {
 	p.key = key
 	pemVerifier := &EcdsaVerifier{}
 	if err := pemVerifier.UnmarshalPublicKey(key); err != nil {
 		// Try the deprecated hex-encoded verifier
-		hexVerifier := &deprecatedP256Verifier{}
+		hexVerifier := &deprecatedP256Verifier{
+			logger: p.logger,
+		}
 		if err := hexVerifier.UnmarshalPublicKey(key); err != nil {
 			return err
 		}
@@ -51,6 +67,8 @@ func (p *ecdsaVerifierWithDeprecatedSupport) UnmarshalPublicKey(key *data.Public
 type deprecatedP256Verifier struct {
 	PublicKey data.HexBytes `json:"public"`
 	key       *data.PublicKey
+	// This is used to write the deprecated warning to.
+	logger *log.Logger
 }
 
 func (p *deprecatedP256Verifier) Public() string {
@@ -98,6 +116,6 @@ func (p *deprecatedP256Verifier) UnmarshalPublicKey(key *data.PublicKey) error {
 	}
 
 	p.key = key
-	fmt.Fprintln(os.Stderr, "tuf: warning using deprecated ecdsa hex-encoded keys")
+	p.logger.Print(WarnDeprecatedEcdsaKey)
 	return nil
 }

pkg/keys/deprecated_ecdsa_test.go

@@ -1,13 +1,16 @@
 package keys
 
 import (
+	"bytes"
 	"crypto"
 	"crypto/ecdsa"
 	"crypto/elliptic"
 	"crypto/rand"
 	"crypto/sha256"
 	"encoding/json"
 	"errors"
+	"log"
+	"strings"
 
 	"github.com/theupdateframework/go-tuf/data"
 	. "gopkg.in/check.v1"
@@ -127,3 +130,21 @@ func (DeprecatedECDSASuite) TestMarshalUnmarshalPublicKey(c *C) {
 
 	c.Assert(deprecatedEcdsa.MarshalPublicKey(), DeepEquals, pub)
 }
+
+func (DeprecatedECDSASuite) TestLogMessageWriter(c *C) {
+	signer, err := generatedDeprecatedSigner()
+	c.Assert(err, IsNil)
+
+	pub := signer.PublicData()
+
+	var logBytes bytes.Buffer
+	opts := WithLogger(log.New(&logBytes, "", 0))
+
+	deprecatedEcdsa := NewDeprecatedEcdsaVerifier(opts)
+	err = deprecatedEcdsa.UnmarshalPublicKey(pub)
+	c.Assert(err, IsNil)
+	c.Assert(strings.TrimSuffix(logBytes.String(), "\n"), Equals,
+		WarnDeprecatedEcdsaKey)
+
+	c.Assert(deprecatedEcdsa.MarshalPublicKey(), DeepEquals, pub)
+}

pkg/keys/ecdsa.go

@@ -24,7 +24,7 @@ func init() {
 	SignerMap.Store(data.KeyTypeECDSA_SHA2_P256, newEcdsaSigner)
 }
 
-func NewEcdsaVerifier() Verifier {
+func NewEcdsaVerifier(_ ...VerifierOpts) Verifier {
 	return &EcdsaVerifier{}
 }
 

pkg/keys/ed25519.go

@@ -23,7 +23,7 @@ func NewEd25519Signer() Signer {
 	return &ed25519Signer{}
 }
 
-func NewEd25519Verifier() Verifier {
+func NewEd25519Verifier(_ ...VerifierOpts) Verifier {
 	return &ed25519Verifier{}
 }
 

pkg/keys/keys.go

@@ -3,6 +3,7 @@ package keys
 import (
 	"errors"
 	"fmt"
+	"log"
 	"sync"
 
 	"github.com/theupdateframework/go-tuf/data"
@@ -57,12 +58,20 @@ type Signer interface {
 	SignMessage(message []byte) ([]byte, error)
 }
 
-func GetVerifier(key *data.PublicKey) (Verifier, error) {
+type VerifierOpts struct {
+	Logger *log.Logger
+}
+
+func WithLogger(logger *log.Logger) VerifierOpts {
+	return VerifierOpts{logger}
+}
+
+func GetVerifier(key *data.PublicKey, opts ...VerifierOpts) (Verifier, error) {
 	st, ok := VerifierMap.Load(key.Type)
 	if !ok {
 		return nil, ErrInvalidKey
 	}
-	s := st.(func() Verifier)()
+	s := st.(func(opts ...VerifierOpts) Verifier)(opts...)
 	if err := s.UnmarshalPublicKey(key); err != nil {
 		return nil, fmt.Errorf("tuf: error unmarshalling key: %w", err)
 	}

pkg/keys/rsa.go

@@ -21,7 +21,7 @@ func init() {
 	SignerMap.Store(data.KeyTypeRSASSA_PSS_SHA256, newRsaSigner)
 }
 
-func newRsaVerifier() Verifier {
+func newRsaVerifier(_ ...VerifierOpts) Verifier {
 	return &rsaVerifier{}
 }