tuftool: Require flag to download root.json

If the user doesn't provide a root.json require the
--allow-root-download flag before downloading a remote root.json, and
follow it up with a big warning.

Fixes #353

Signed-off-by: Samuel Mendoza-Jonas <samjonas@amazon.com>

workspaces/tuftool/src/download.rs

@@ -27,16 +27,30 @@ pub(crate) struct DownloadArgs {
     #[structopt(short = "t", long = "target-url")]
     target_base_url: String,
 
+    /// Allow downloading the root.json file (unsafe)
+    #[structopt(long)]
+    allow_root_download: bool,
+
     /// Output directory of targets
     indir: PathBuf,
 }
 
+fn root_warning(path: &PathBuf) {
+    #[rustfmt::skip]
+    eprintln!("\
+=================================================================
+WARNING: Downloading root.json to {:?}
+This is unsafe and will not establish trust, use only for testing
+=================================================================",
+    path);
+}
+
 impl DownloadArgs {
     pub(crate) fn run(&self) -> Result<()> {
         // use local root.json or download from repository
         let root_path = if let Some(path) = &self.root {
             PathBuf::from(path)
-        } else {
+        } else if self.allow_root_download {
             let name = if let Some(version) = self.root_version {
                 format!("{}.root.json", version)
             } else {
@@ -53,7 +67,9 @@ impl DownloadArgs {
                 .context(error::UrlParse {
                     url: &self.metadata_base_url,
                 })?;
-            println!("Downloading {} to {:?}", &name, &path);
+
+            root_warning(&path);
+
             let mut f = OpenOptions::new()
                 .write(true)
                 .create(true)
@@ -64,6 +80,9 @@ impl DownloadArgs {
                 .copy_to(&mut f)
                 .context(error::ReqwestCopy)?;
             path
+        } else {
+            eprintln!("No root.json available");
+            std::process::exit(1);
         };
 
         // load repository