Improve URLToPath

[codysoyland]

Summary

Improvements to URLToPath func for wider compatibility.

• handle http:// scheme
• cut out colons
• make filename lowercase
• added tests

Fixes #407

Release Note

Documentation

[haydentherapper]

Does the TUF client require a TLS connection? Is that why stripping off the scheme is OK?

I ask because accessing TUF metadata over HTTP shouldn't be an issue as the metadata is signed (same reason why CA certs/CRLs are served over HTTP sometimes).

The root of trust must be the bundled or provided TUF root, not WebPKI.

[codysoyland]

I think http:// is used in unit tests (see #407).

[haydentherapper]

I'm wondering if this needs more changes, that we can't just drop the scheme and need to plumb through whether or not the connection requires TLS to the TUF client.

[codysoyland]

This is just used for the cache directory name, but I can see how we might want to put the scheme in the directory name. The full URL is passed to go-tuf so I think non-TLS is supported there.

[haydentherapper]

It’s a niche case to support, maybe this is fine and we just document it? I wouldn’t really expect access to a TUF repo over both http and https and needing multiple distinct caches.

[kommendorkapten]

TUF itself does not require TLS, the integrity control is managed via the TUF metadata. Only reason for TLS would be to add confidentiality.

[haydentherapper]

It’s a niche case to support, maybe this is fine and we just document it? I wouldn’t really expect access to a TUF repo over both http and https and needing multiple distinct caches.