diff --git a/tests/test_arbitrary_package_attack.py b/tests/test_arbitrary_package_attack.py index a4127c64..1b49a729 100755 --- a/tests/test_arbitrary_package_attack.py +++ b/tests/test_arbitrary_package_attack.py @@ -132,8 +132,7 @@ def setUp(self): tuf.settings.repositories_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Create the repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. diff --git a/tests/test_endless_data_attack.py b/tests/test_endless_data_attack.py index dd5b9016..34928a93 100755 --- a/tests/test_endless_data_attack.py +++ b/tests/test_endless_data_attack.py @@ -134,8 +134,7 @@ def setUp(self): tuf.settings.repositories_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Create the repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. diff --git a/tests/test_extraneous_dependencies_attack.py b/tests/test_extraneous_dependencies_attack.py index 195b0a2e..c945d7bc 100755 --- a/tests/test_extraneous_dependencies_attack.py +++ b/tests/test_extraneous_dependencies_attack.py @@ -141,8 +141,7 @@ def setUp(self): tuf.settings.repositories_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Create the repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. diff --git a/tests/test_formats.py b/tests/test_formats.py index 53fbb579..6f37a532 100755 --- a/tests/test_formats.py +++ b/tests/test_formats.py @@ -261,6 +261,12 @@ def test_schemas(self): 'confined_target_dirs': ['path1/', 'path2/'], 'custom': {'type': 'mirror'}}), + 'MIRROR_SCHEMA_NO_CONFINED_TARGETS': (tuf.formats.MIRROR_SCHEMA, + {'url_prefix': 'http://localhost:8001', + 'metadata_path': 'metadata/', + 'targets_path': 'targets/', + 'custom': {'type': 'mirror'}}), + 'MIRRORDICT_SCHEMA': (tuf.formats.MIRRORDICT_SCHEMA, {'mirror1': {'url_prefix': 'http://localhost:8001', 'metadata_path': 'metadata/', diff --git a/tests/test_indefinite_freeze_attack.py b/tests/test_indefinite_freeze_attack.py index 55cc664b..5b847df3 100755 --- a/tests/test_indefinite_freeze_attack.py +++ b/tests/test_indefinite_freeze_attack.py @@ -148,8 +148,7 @@ def setUp(self): tuf.settings.repositories_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Create the repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. diff --git a/tests/test_key_revocation_integration.py b/tests/test_key_revocation_integration.py index bf13cfe5..420a4f1d 100755 --- a/tests/test_key_revocation_integration.py +++ b/tests/test_key_revocation_integration.py @@ -141,8 +141,7 @@ def setUp(self): self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Creating repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. diff --git a/tests/test_mirrors.py b/tests/test_mirrors.py index 179d9bcb..f620359f 100755 --- a/tests/test_mirrors.py +++ b/tests/test_mirrors.py @@ -50,8 +50,7 @@ def setUp(self): self.mirrors = \ {'mirror1': {'url_prefix' : 'http://mirror1.com', 'metadata_path' : 'metadata', - 'targets_path' : 'targets', - 'confined_target_dirs' : ['']}, + 'targets_path' : 'targets'}, 'mirror2': {'url_prefix' : 'http://mirror2.com', 'metadata_path' : 'metadata', 'targets_path' : 'targets', diff --git a/tests/test_mix_and_match_attack.py b/tests/test_mix_and_match_attack.py index 45325dca..26b8f77c 100755 --- a/tests/test_mix_and_match_attack.py +++ b/tests/test_mix_and_match_attack.py @@ -140,8 +140,7 @@ def setUp(self): tuf.settings.repositories_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Create the repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. diff --git a/tests/test_multiple_repositories_integration.py b/tests/test_multiple_repositories_integration.py index 58a55e77..ea6b12f1 100755 --- a/tests/test_multiple_repositories_integration.py +++ b/tests/test_multiple_repositories_integration.py @@ -151,13 +151,11 @@ def setUp(self): self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} self.repository_mirrors2 = {'mirror1': {'url_prefix': url_prefix2, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Create the repository instances. The test cases will use these client # updaters to refresh metadata, fetch target files, etc. diff --git a/tests/test_replay_attack.py b/tests/test_replay_attack.py index 58fdc13f..0658babd 100755 --- a/tests/test_replay_attack.py +++ b/tests/test_replay_attack.py @@ -140,8 +140,7 @@ def setUp(self): tuf.settings.repositories_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Create the repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. diff --git a/tests/test_slow_retrieval_attack.py b/tests/test_slow_retrieval_attack.py index d0d14712..4407b59f 100755 --- a/tests/test_slow_retrieval_attack.py +++ b/tests/test_slow_retrieval_attack.py @@ -217,8 +217,7 @@ def setUp(self): tuf.settings.repositories_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Create the repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. diff --git a/tests/test_updater.py b/tests/test_updater.py index d00f2741..a9cf90b3 100755 --- a/tests/test_updater.py +++ b/tests/test_updater.py @@ -170,8 +170,7 @@ def setUp(self): self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Creating a repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. @@ -1092,8 +1091,7 @@ def test_6_get_one_valid_targetinfo(self): + str(self.server_process_handler.port) + repository_basepath self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, - 'metadata_path': 'metadata', 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'metadata_path': 'metadata', 'targets_path': 'targets'}} # Creating a repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. @@ -1391,8 +1389,7 @@ def test_7_updated_targets(self): tuf.settings.repositories_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, - 'metadata_path': 'metadata', 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'metadata_path': 'metadata', 'targets_path': 'targets'}} # Creating a repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. @@ -1519,8 +1516,7 @@ def test_8_remove_obsolete_targets(self): tuf.settings.repositories_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, - 'metadata_path': 'metadata', 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'metadata_path': 'metadata', 'targets_path': 'targets'}} # Creating a repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. @@ -1890,12 +1886,10 @@ def setUp(self): url_prefix2 = 'http://localhost:' + str(self.SERVER_PORT2) self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, - 'metadata_path': 'metadata', 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'metadata_path': 'metadata', 'targets_path': 'targets'}} self.repository_mirrors2 = {'mirror1': {'url_prefix': url_prefix2, - 'metadata_path': 'metadata', 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'metadata_path': 'metadata', 'targets_path': 'targets'}} # Create the repository instances. The test cases will use these client # updaters to refresh metadata, fetch target files, etc. diff --git a/tests/test_updater_root_rotation_integration.py b/tests/test_updater_root_rotation_integration.py index a8e74616..04ddc731 100755 --- a/tests/test_updater_root_rotation_integration.py +++ b/tests/test_updater_root_rotation_integration.py @@ -149,8 +149,7 @@ def setUp(self): self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # Creating a repository instance. The test cases will use this client # updater to refresh metadata, fetch target files, etc. diff --git a/tuf/client/README.md b/tuf/client/README.md index 1df239e6..29b838bc 100644 --- a/tuf/client/README.md +++ b/tuf/client/README.md @@ -63,15 +63,14 @@ tuf.settings.repositories_directory = 'path/to/local_repository' # and targets files can be found in the 'metadata' and 'targets' directory, # respectively. If the client wishes to only download target files from # specific directories on the mirror, the 'confined_target_dirs' field -# should be set. In the example, the client has chosen '', which is -# interpreted as no confinement. In other words, the client can download +# should be set. In this example, the client hasn't set confined_target_dirs, +# which is interpreted as no confinement. In other words, the client can download # targets from any directory or subdirectories. If the client had chosen # 'targets1/', they would have been confined to the '/targets/targets1/' # directory on the 'http://localhost:8001' mirror. repository_mirrors = {'mirror1': {'url_prefix': 'http://localhost:8001', 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # The updater may now be instantiated. The Updater class of 'updater.py' # is called with two arguments. The first argument assigns a name to this diff --git a/tuf/client/updater.py b/tuf/client/updater.py index 0d96322a..8270c02e 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py @@ -68,15 +68,15 @@ # and targets files can be found in the 'metadata' and 'targets' directory, # respectively. If the client wishes to only download target files from # specific directories on the mirror, the 'confined_target_dirs' field - # should be set. In the example, the client has chosen '', which is - # interpreted as no confinement. In other words, the client can download + # should be set. In this example, the client hasn't set confined_target_dirs, + # which is interpreted as no confinement. + # In other words, the client can download # targets from any directory or subdirectories. If the client had chosen # 'targets1/', they would have been confined to the '/targets/targets1/' # directory on the 'http://localhost:8001' mirror. repository_mirrors = {'mirror1': {'url_prefix': 'http://localhost:8001', 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'targets_path': 'targets'}} # The updater may now be instantiated. The Updater class of 'updater.py' # is called with two arguments. The first argument assigns a name to this @@ -504,8 +504,7 @@ def get_updater(self, repository_name): mirrors[url] = { 'url_prefix': url, 'metadata_path': 'metadata', - 'targets_path': 'targets', - 'confined_target_dirs': ['']} + 'targets_path': 'targets'} try: # NOTE: State (e.g., keys) should NOT be shared across different diff --git a/tuf/formats.py b/tuf/formats.py index c889d133..dc51ba9c 100755 --- a/tuf/formats.py +++ b/tuf/formats.py @@ -405,7 +405,7 @@ url_prefix = securesystemslib.formats.URL_SCHEMA, metadata_path = SCHEMA.Optional(RELPATH_SCHEMA), targets_path = SCHEMA.Optional(RELPATH_SCHEMA), - confined_target_dirs = RELPATHS_SCHEMA, + confined_target_dirs = SCHEMA.Optional(RELPATHS_SCHEMA), custom = SCHEMA.Optional(SCHEMA.Object())) # A dictionary of mirrors where the dict keys hold the mirror's name and diff --git a/tuf/mirrors.py b/tuf/mirrors.py index 0997cd3e..50d32a3b 100755 --- a/tuf/mirrors.py +++ b/tuf/mirrors.py @@ -112,8 +112,10 @@ def get_list_of_mirrors(file_type, file_path, mirrors_dict): # for targets, ensure directory confinement if path_key == 'targets_path': full_filepath = os.path.join(path, file_path) - if not in_confined_directory(full_filepath, - mirror_info['confined_target_dirs']): + confined_target_dirs = mirror_info.get('confined_target_dirs') + # confined_target_dirs is an optional field + if confined_target_dirs and not in_confined_directory(full_filepath, + confined_target_dirs): continue # urllib.quote(string) replaces special characters in string using the %xx diff --git a/tuf/scripts/client.py b/tuf/scripts/client.py index 9d61e976..f9d8c9db 100755 --- a/tuf/scripts/client.py +++ b/tuf/scripts/client.py @@ -117,8 +117,7 @@ def update_client(parsed_arguments): # Set the repository mirrors. This dictionary is needed by the Updater # class of updater.py. repository_mirrors = {'mirror': {'url_prefix': parsed_arguments.repo, - 'metadata_path': 'metadata', 'targets_path': 'targets', - 'confined_target_dirs': ['']}} + 'metadata_path': 'metadata', 'targets_path': 'targets'}} # Create the repository object using the repository name 'repository' # and the repository mirrors defined above.