From b793c81739c94dceb4bc0707d633e4da5cea07f8 Mon Sep 17 00:00:00 2001 From: Artiom Baloian Date: Tue, 1 Nov 2016 15:38:40 -0400 Subject: [PATCH] Added simple_settings, now it is a requirement of TuF. Rename conf.py into the settings.py an changed import call. --- dev-requirements.txt | 1 + examples/client/example_client.py | 2 +- requirements.txt | 1 + setup.py | 2 +- tests/aggregate_tests.py | 1 + tests/slow_retrieval_server.py | 2 +- tests/test_arbitrary_package_attack.py | 5 +- tests/test_download.py | 8 +- tests/test_endless_data_attack.py | 10 +- tests/test_extraneous_dependencies_attack.py | 6 +- tests/test_indefinite_freeze_attack.py | 5 +- tests/test_interpose_updater.py | 10 +- tests/test_key_revocation_integration.py | 6 +- tests/test_keydb.py | 3 +- tests/test_log.py | 5 +- tests/test_mix_and_match_attack.py | 5 +- tests/test_replay_attack.py | 6 +- tests/test_repository_lib.py | 12 +- tests/test_slow_retrieval_attack.py | 18 +-- tests/test_updater.py | 22 ++-- .../test_updater_root_rotation_integration.py | 6 +- tests/test_util.py | 17 +-- tuf/README.md | 4 +- tuf/__init__.py | 3 +- tuf/client/README.md | 4 +- tuf/client/updater.py | 36 +++--- tuf/developer_tool.py | 2 +- tuf/download.py | 46 ++++---- tuf/interposition/updater.py | 22 ++-- tuf/keydb.py | 2 +- tuf/keys.py | 104 +++++++++--------- tuf/log.py | 10 +- tuf/pyca_crypto_keys.py | 14 +-- tuf/pycrypto_keys.py | 12 +- tuf/repository_lib.py | 28 ++--- tuf/repository_tool.py | 2 +- tuf/scripts/basic_client.py | 2 +- tuf/scripts/tufcli.py | 2 +- tuf/{conf.py => settings.py} | 4 +- tuf/util.py | 4 +- 40 files changed, 232 insertions(+), 222 deletions(-) rename tuf/{conf.py => settings.py} (98%) diff --git a/dev-requirements.txt b/dev-requirements.txt index 574c7731..cd2ebb3e 100644 --- a/dev-requirements.txt +++ b/dev-requirements.txt @@ -19,6 +19,7 @@ cffi==1.7.0 pycrypto==2.6.1 pynacl==1.0.1 cryptography==1.4.0 +simple-settings==0.10.0 # Testing requirements. The rest of the testing dependencies available in # 'tox.ini' diff --git a/examples/client/example_client.py b/examples/client/example_client.py index be978d84..01224e9b 100755 --- a/examples/client/example_client.py +++ b/examples/client/example_client.py @@ -36,7 +36,7 @@ tuf.log.set_log_level(logging.INFO) # Set the local repository directory containing the metadata files. -tuf.conf.repository_directory = '.' +settings.repository_directory = '.' # Set the repository mirrors. This dictionary is needed by the Updater # class of updater.py. The client will download metadata and target diff --git a/requirements.txt b/requirements.txt index e9ee97df..895721eb 100644 --- a/requirements.txt +++ b/requirements.txt @@ -1,3 +1,4 @@ +simple-settings cryptography pynacl pycrypto diff --git a/setup.py b/setup.py index 8811ae2e..40539fb8 100755 --- a/setup.py +++ b/setup.py @@ -108,7 +108,7 @@ 'Topic :: Security', 'Topic :: Software Development' ], - install_requires = ['iso8601', 'six'], + install_requires = ['iso8601', 'six', 'simple-settings'], packages = find_packages(exclude=['tests']), extras_require = extras, scripts = [ diff --git a/tests/aggregate_tests.py b/tests/aggregate_tests.py index 10650b1b..044515f9 100755 --- a/tests/aggregate_tests.py +++ b/tests/aggregate_tests.py @@ -35,6 +35,7 @@ import unittest import glob import random +from simple_settings import settings # 'unittest2' required for testing under Python < 2.7. if sys.version_info >= (2, 7): diff --git a/tests/slow_retrieval_server.py b/tests/slow_retrieval_server.py index b38ce538..f51c80ed 100755 --- a/tests/slow_retrieval_server.py +++ b/tests/slow_retrieval_server.py @@ -73,7 +73,7 @@ def do_GET(self): # Throttle the file by sending a character every few seconds. # NOTE: The for-loop below completes early if the download file # (len(data)) is small. 'download.py' waits at least - # 'tuf.conf.SLOW_START_GRACE_PERIOD' seconds before triggering a + # 'settings.SLOW_START_GRACE_PERIOD' seconds before triggering a # potential slow retrieval error. for i in range(len(data)): self.wfile.write(data[i].encode('utf-8')) diff --git a/tests/test_arbitrary_package_attack.py b/tests/test_arbitrary_package_attack.py index ed870d67..e244c8a5 100755 --- a/tests/test_arbitrary_package_attack.py +++ b/tests/test_arbitrary_package_attack.py @@ -58,6 +58,7 @@ import tuf.log import tuf.client.updater as updater import tuf.unittest_toolbox as unittest_toolbox +from simple_settings import settings import six @@ -145,9 +146,9 @@ def setUp(self): url_prefix = \ 'http://localhost:' + str(self.SERVER_PORT) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', 'targets_path': 'targets', diff --git a/tests/test_download.py b/tests/test_download.py index f82448e9..22b282e3 100755 --- a/tests/test_download.py +++ b/tests/test_download.py @@ -37,7 +37,7 @@ import unittest import tuf -import tuf.conf +from simple_settings import settings import tuf.download as download import tuf.log import tuf.unittest_toolbox as unittest_toolbox @@ -195,9 +195,9 @@ def test__get_opener(self): with open(fake_cacert, 'wt') as file_object: file_object.write('fake cacert') - tuf.conf.ssl_certificates = fake_cacert + settings.ssl_certificates = fake_cacert tuf.download._get_opener('https') - tuf.conf.ssl_certificates = None + settings.ssl_certificates = None @@ -225,7 +225,7 @@ def test_https_connection(self): https_url = 'https://localhost:' + str(port) + '/' + relative_target_filepath # Download the target file using an https connection. - tuf.conf.ssl_certificates = 'ssl_cert.crt' + settings.ssl_certificates = 'ssl_cert.crt' message = 'Downloading target file from https server: ' + https_url logger.info(message) try: diff --git a/tests/test_endless_data_attack.py b/tests/test_endless_data_attack.py index fe063d81..90ed12c2 100755 --- a/tests/test_endless_data_attack.py +++ b/tests/test_endless_data_attack.py @@ -61,7 +61,7 @@ import tuf.unittest_toolbox as unittest_toolbox import tuf.roledb import tuf.keydb - +from simple_settings import settings import six logger = logging.getLogger('tuf.test_endless_data_attack') @@ -148,9 +148,9 @@ def setUp(self): url_prefix = \ 'http://localhost:' + str(self.SERVER_PORT) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', 'targets_path': 'targets', @@ -176,7 +176,7 @@ def test_without_tuf(self): # a non-TUF client that does not verify hashes, detect mix-and-mix attacks, # etc.) A tuf client, on the other hand, should only download target files # up to their expected lengths, as explicitly specified in metadata, or - # 'tuf/conf.py' (when retrieving 'timestamp.json' and 'root.json unsafely'.) + # 'tuf/settings.py' (when retrieving 'timestamp.json' and 'root.json unsafely'.) # Test: Download a valid target file from the repository. # Ensure the target file to be downloaded has not already been downloaded, @@ -279,7 +279,7 @@ def test_with_tuf(self): # Does the TUF client download the upper limit of an unsafely fetched # 'timestamp.json'? 'timestamp.json' must not be greater than - # 'tuf.conf.DEFAULT_TIMESTAMP_REQUIRED_LENGTH'. + # 'settings.DEFAULT_TIMESTAMP_REQUIRED_LENGTH'. try: self.repository_updater.refresh() diff --git a/tests/test_extraneous_dependencies_attack.py b/tests/test_extraneous_dependencies_attack.py index 9c6e9b22..aa2a5867 100755 --- a/tests/test_extraneous_dependencies_attack.py +++ b/tests/test_extraneous_dependencies_attack.py @@ -62,7 +62,7 @@ import tuf.roledb import tuf.keydb import tuf.unittest_toolbox as unittest_toolbox - +from simple_settings import settings import six logger = logging.getLogger('tuf.test_extraneous_dependencies_attack') @@ -153,9 +153,9 @@ def setUp(self): url_prefix = \ 'http://localhost:' + str(self.SERVER_PORT) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', 'targets_path': 'targets', diff --git a/tests/test_indefinite_freeze_attack.py b/tests/test_indefinite_freeze_attack.py index 87468d93..df0cb104 100755 --- a/tests/test_indefinite_freeze_attack.py +++ b/tests/test_indefinite_freeze_attack.py @@ -67,6 +67,7 @@ import tuf.unittest_toolbox as unittest_toolbox import tuf.roledb import tuf.keydb +from simple_settings import settings import six @@ -161,9 +162,9 @@ def setUp(self): url_prefix = \ 'http://localhost:' + str(self.SERVER_PORT) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', 'targets_path': 'targets', diff --git a/tests/test_interpose_updater.py b/tests/test_interpose_updater.py index a673571a..9e347ccf 100755 --- a/tests/test_interpose_updater.py +++ b/tests/test_interpose_updater.py @@ -35,7 +35,7 @@ import tuf import tuf.util -import tuf.conf +from simple_settings import settings import tuf.log import tuf.interposition.updater as updater import tuf.interposition.configuration as configuration @@ -140,9 +140,9 @@ def setUp(self): port = self.SERVER_PORT url_prefix = 'http://localhost:' + str(port) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror': {'url_prefix': url_prefix, 'metadata_path': 'metadata', @@ -394,9 +394,9 @@ def setUp(self): port = self.SERVER_PORT url_prefix = 'http://localhost:' + str(port) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror': {'url_prefix': url_prefix, 'metadata_path': 'metadata', diff --git a/tests/test_key_revocation_integration.py b/tests/test_key_revocation_integration.py index a64e2fab..92bb1260 100755 --- a/tests/test_key_revocation_integration.py +++ b/tests/test_key_revocation_integration.py @@ -53,7 +53,7 @@ import tuf import tuf.log -import tuf.conf +from simple_settings import settings import tuf.roledb import tuf.keydb import tuf.repository_tool as repo_tool @@ -153,9 +153,9 @@ def setUp(self): url_prefix = \ 'http://localhost:' + str(self.SERVER_PORT) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', diff --git a/tests/test_keydb.py b/tests/test_keydb.py index 91690fe0..4c8c3494 100755 --- a/tests/test_keydb.py +++ b/tests/test_keydb.py @@ -33,6 +33,7 @@ import tuf.keys import tuf.keydb import tuf.log +from simple_settings import settings logger = logging.getLogger('tuf.test_keydb') @@ -41,7 +42,7 @@ KEYS = [] for junk in range(3): rsa_key = tuf.keys.generate_rsa_key(2048) - rsa_key['keyid_hash_algorithms'] = tuf.conf.REPOSITORY_HASH_ALGORITHMS + rsa_key['keyid_hash_algorithms'] = settings.REPOSITORY_HASH_ALGORITHMS KEYS.append(rsa_key) diff --git a/tests/test_log.py b/tests/test_log.py index 0781b898..c1886b28 100755 --- a/tests/test_log.py +++ b/tests/test_log.py @@ -23,6 +23,7 @@ import tuf import tuf.log +from simple_settings import settings logger = logging.getLogger('tuf.test_log') @@ -67,8 +68,8 @@ def test_set_filehandler_log_level(self): tuf.log.set_log_level(level) # Test that the log level of the file handler cannot be set because - # file logging is disabled (via tuf.conf.ENABLE_FILE_LOGGING). - tuf.conf.ENABLE_FILE_LOGGING = False + # file logging is disabled (via settings.ENABLE_FILE_LOGGING). + settings.ENABLE_FILE_LOGGING = False imp.reload(tuf.log) #self.assertRaises(tuf.ssl_commons.exceptions.Error, tuf.log.set_filehandler_log_level, logging.INFO) diff --git a/tests/test_mix_and_match_attack.py b/tests/test_mix_and_match_attack.py index 5ec01fe1..423f6eb5 100755 --- a/tests/test_mix_and_match_attack.py +++ b/tests/test_mix_and_match_attack.py @@ -60,6 +60,7 @@ import tuf.unittest_toolbox as unittest_toolbox import tuf.roledb import tuf.keydb +from simple_settings import settings import six @@ -155,9 +156,9 @@ def setUp(self): url_prefix = \ 'http://localhost:' + str(self.SERVER_PORT) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', 'targets_path': 'targets', diff --git a/tests/test_replay_attack.py b/tests/test_replay_attack.py index 48c26f83..83902e2d 100755 --- a/tests/test_replay_attack.py +++ b/tests/test_replay_attack.py @@ -59,7 +59,7 @@ import tuf.client.updater as updater import tuf.repository_tool as repo_tool import tuf.unittest_toolbox as unittest_toolbox - +from simple_settings import settings import six # The repository tool is imported and logs console messages by default. Disable @@ -154,9 +154,9 @@ def setUp(self): url_prefix = \ 'http://localhost:' + str(self.SERVER_PORT) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', 'targets_path': 'targets', diff --git a/tests/test_repository_lib.py b/tests/test_repository_lib.py index 157c8a10..dfc3b3b4 100755 --- a/tests/test_repository_lib.py +++ b/tests/test_repository_lib.py @@ -49,7 +49,7 @@ import tuf.roledb import tuf.keydb import tuf.ssl_crypto.hash -import tuf.conf +from simple_settings import settings import tuf.repository_lib as repo_lib import tuf.repository_tool as repo_tool @@ -760,7 +760,7 @@ def test_write_metadata_file(self): # this case. For testing purposes, root.json should be a hard link to the # consistent metadata file. We should verify that root.json points to # the latest consistent files. - tuf.conf.CONSISTENT_METHOD = 'hard_link' + settings.CONSISTENT_METHOD = 'hard_link' repo_lib.write_metadata_file(root_signable, output_filename, version_number, compression_algorithms, @@ -787,8 +787,8 @@ def test_write_metadata_file(self): self.assertNotEqual(os.stat(output_filename).st_ino, os.stat(first_version_output_file).st_ino) self.assertEqual(os.stat(output_filename).st_ino, os.stat(second_version_output_file).st_ino) - # Test for an improper tuf.conf.CONSISTENT_METHOD string value. - tuf.conf.CONSISTENT_METHOD = 'somebadidea' + # Test for an improper settings.CONSISTENT_METHOD string value. + settings.CONSISTENT_METHOD = 'somebadidea' self.assertRaises(tuf.ssl_commons.exceptions.InvalidConfigurationError, repo_lib.write_metadata_file, root_signable, output_filename, version_number, @@ -797,7 +797,7 @@ def test_write_metadata_file(self): # Try to create a link to root.json when root.json doesn't exist locally. # repository_lib should log a message if this is the case. - tuf.conf.CONSISTENT_METHOD = 'hard_link' + settings.CONSISTENT_METHOD = 'hard_link' os.remove(output_filename) repo_lib.write_metadata_file(root_signable, output_filename, version_number, @@ -805,7 +805,7 @@ def test_write_metadata_file(self): consistent_snapshot=True) # Reset CONSISTENT_METHOD so that subsequent tests work as expected. - tuf.conf.CONSISTENT_METHOD = 'copy' + settings.CONSISTENT_METHOD = 'copy' # Test for unknown compression algorithm. self.assertRaises(tuf.ssl_commons.exceptions.FormatError, repo_lib.write_metadata_file, diff --git a/tests/test_slow_retrieval_attack.py b/tests/test_slow_retrieval_attack.py index e3f45040..8eedd7a7 100755 --- a/tests/test_slow_retrieval_attack.py +++ b/tests/test_slow_retrieval_attack.py @@ -25,7 +25,7 @@ never complete. Test cases included for two types of slow retrievals: data that slowly trickles in, and data that is only returned after a long time delay. TUF prevents slow retrieval attacks by ensuring the download rate - does not fall below a required rate (tuf.conf.MIN_AVERAGE_DOWNLOAD_SPEED). + does not fall below a required rate (settings.MIN_AVERAGE_DOWNLOAD_SPEED). Note: There is no difference between 'updates' and 'target' files. """ @@ -64,7 +64,7 @@ import tuf.repository_tool as repo_tool import tuf.roledb import tuf.keydb - +from simple_settings import settings import six logger = logging.getLogger('tuf.test_slow_retrieval_attack') @@ -161,9 +161,9 @@ def setUp(self): # sleep for a total of (target file size) seconds. Add a target file # that contains sufficient number of bytes to trigger a slow retrieval # error. "sufficient number of bytes" assumed to be - # >> 'tuf.conf.SLOW_START_GRACE_PERIOD' bytes. + # >> 'settings.SLOW_START_GRACE_PERIOD' bytes. extra_bytes = 8 - total_bytes = tuf.conf.SLOW_START_GRACE_PERIOD + extra_bytes + total_bytes = settings.SLOW_START_GRACE_PERIOD + extra_bytes repository = repo_tool.load_repository(self.repository_directory) file1_filepath = os.path.join(self.repository_directory, 'targets', @@ -199,9 +199,9 @@ def setUp(self): url_prefix = \ 'http://localhost:' + str(self.SERVER_PORT) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', 'targets_path': 'targets', @@ -262,8 +262,8 @@ def test_with_tuf_mode_2(self): server_process = self._start_slow_server('mode_2') client_filepath = os.path.join(self.client_directory, 'file1.txt') - original_average_download_speed = tuf.conf.MIN_AVERAGE_DOWNLOAD_SPEED - tuf.conf.MIN_AVERAGE_DOWNLOAD_SPEED = 3 + original_average_download_speed = settings.MIN_AVERAGE_DOWNLOAD_SPEED + settings.MIN_AVERAGE_DOWNLOAD_SPEED = 3 try: file1_target = self.repository_updater.target('file1.txt') @@ -289,7 +289,7 @@ def test_with_tuf_mode_2(self): finally: self._stop_slow_server(server_process) - tuf.conf.MIN_AVERAGE_DOWNLOAD_SPEED = original_average_download_speed + settings.MIN_AVERAGE_DOWNLOAD_SPEED = original_average_download_speed if __name__ == '__main__': diff --git a/tests/test_updater.py b/tests/test_updater.py index dad6df1e..2d2eb463 100755 --- a/tests/test_updater.py +++ b/tests/test_updater.py @@ -65,7 +65,7 @@ import tuf import tuf.util -import tuf.conf +from simple_settings import settings import tuf.log import tuf.tufformats import tuf.keydb @@ -167,9 +167,9 @@ def setUp(self): url_prefix = \ 'http://localhost:' + str(self.SERVER_PORT) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', @@ -219,12 +219,12 @@ def test_1__init__exceptions(self): # 'tuf.client.updater.py' requires that the client's repository directory - # be configured in 'tuf.conf.py'. - tuf.conf.repository_directory = None + # be configured in 'tuf.settings.py'. + settings.repository_directory = None self.assertRaises(tuf.ssl_commons.exceptions.RepositoryError, updater.Updater, 'test_repository', self.repository_mirrors) - # Restore 'tuf.conf.repository_directory' to the original client directory. - tuf.conf.repository_directory = self.client_directory + # Restore 'settings.repository_directory' to the original client directory. + settings.repository_directory = self.client_directory # Test: empty client repository (i.e., no metadata directory). @@ -619,10 +619,10 @@ def test_3__update_metadata(self): # This is the default metadata that we would create for the timestamp role, # because it has no signed metadata for itself. - DEFAULT_TIMESTAMP_FILELENGTH = tuf.conf.DEFAULT_TIMESTAMP_REQUIRED_LENGTH + DEFAULT_TIMESTAMP_FILELENGTH = settings.DEFAULT_TIMESTAMP_REQUIRED_LENGTH # This is the the upper bound length for Targets metadata. - DEFAULT_TARGETS_FILELENGTH = tuf.conf.DEFAULT_TARGETS_REQUIRED_LENGTH + DEFAULT_TARGETS_FILELENGTH = settings.DEFAULT_TARGETS_REQUIRED_LENGTH # Save the versioninfo of 'targets.json,' needed later when re-installing # with _update_metadata(). @@ -754,7 +754,7 @@ def test_3__update_metadata_if_changed(self): # Update 'targets.json' and verify that the client's current 'targets.json' # has been updated. 'timestamp' and 'snapshot' must be manually updated # so that new 'targets' can be recognized. - DEFAULT_TIMESTAMP_FILELENGTH = tuf.conf.DEFAULT_TIMESTAMP_REQUIRED_LENGTH + DEFAULT_TIMESTAMP_FILELENGTH = settings.DEFAULT_TIMESTAMP_REQUIRED_LENGTH self.repository_updater._update_metadata('timestamp', DEFAULT_TIMESTAMP_FILELENGTH) self.repository_updater._update_metadata_if_changed('snapshot', 'timestamp') @@ -1079,7 +1079,7 @@ def test_6_download_target(self): download_filepath = \ os.path.join(destination_directory, target_filepath1.lstrip('/')) self.assertTrue(os.path.exists(download_filepath)) - length, hashes = tuf.util.get_file_details(download_filepath, tuf.conf.REPOSITORY_HASH_ALGORITHMS) + length, hashes = tuf.util.get_file_details(download_filepath, settings.REPOSITORY_HASH_ALGORITHMS) download_targetfileinfo = tuf.tufformats.make_fileinfo(length, hashes) # Add any 'custom' data from the repository's target fileinfo to the diff --git a/tests/test_updater_root_rotation_integration.py b/tests/test_updater_root_rotation_integration.py index f0efa541..08c972e3 100755 --- a/tests/test_updater_root_rotation_integration.py +++ b/tests/test_updater_root_rotation_integration.py @@ -57,7 +57,7 @@ import tuf import tuf.util -import tuf.conf +from simple_settings import settings import tuf.log import tuf.tufformats import tuf.keydb @@ -159,9 +159,9 @@ def setUp(self): url_prefix = \ 'http://localhost:' + str(self.SERVER_PORT) + repository_basepath - # Setting 'tuf.conf.repository_directory' with the temporary client + # Setting 'settings.repository_directory' with the temporary client # directory copied from the original repository files. - tuf.conf.repository_directory = self.client_directory + settings.repository_directory = self.client_directory self.repository_mirrors = {'mirror1': {'url_prefix': url_prefix, 'metadata_path': 'metadata', diff --git a/tests/test_util.py b/tests/test_util.py index 1a99b45f..0afaf5b6 100755 --- a/tests/test_util.py +++ b/tests/test_util.py @@ -38,6 +38,7 @@ import tuf.log import tuf.ssl_crypto.hash import tuf.util +from simple_settings import settings import tuf.unittest_toolbox as unittest_toolbox import six @@ -68,15 +69,15 @@ def test_A1_tempfile_close_temp_file(self): def _extract_tempfile_directory(self, config_temp_dir=None): """ - Takes a directory (essentially specified in the conf.py as + Takes a directory (essentially specified in the settings.py as 'temporary_directory') and substitutes tempfile.TemporaryFile() with tempfile.mkstemp() in order to extract actual directory of the stored tempfile. Returns the config's temporary directory (or default temp directory) and actual directory. """ - # Patching 'tuf.conf.temporary_directory'. - tuf.conf.temporary_directory = config_temp_dir + # Patching 'settings.temporary_directory'. + settings.temporary_directory = config_temp_dir if config_temp_dir is None: # 'config_temp_dir' needs to be set to default. @@ -104,22 +105,22 @@ def _extract_tempfile_directory(self, config_temp_dir=None): def test_A2_tempfile_init(self): # Goal: Verify that temporary files are stored in the appropriate temp - # directory. The location of the temporary files is set in 'tuf.conf.py'. + # directory. The location of the temporary files is set in 'tuf.settings.py'. # Test: Expected input verification. - # Assumed 'tuf.conf.temporary_directory' is 'None' initially. + # Assumed 'settings.temporary_directory' is 'None' initially. temp_file = tuf.util.TempFile() temp_file_directory = os.path.dirname(temp_file.temporary_file.name) self.assertEqual(tempfile.gettempdir(), temp_file_directory) - saved_temporary_directory = tuf.conf.temporary_directory + saved_temporary_directory = settings.temporary_directory temp_directory = self.make_temp_directory() - tuf.conf.temporary_directory = temp_directory + settings.temporary_directory = temp_directory temp_file = tuf.util.TempFile() temp_file_directory = os.path.dirname(temp_file.temporary_file.name) self.assertEqual(temp_directory, temp_file_directory) - tuf.conf.temporary_directory = saved_temporary_directory + settings.temporary_directory = saved_temporary_directory # Test: Unexpected input handling. config_temp_dirs = [self.random_string(), 123, ['a'], {'a':1}] diff --git a/tuf/README.md b/tuf/README.md index 24806759..a5cdb550 100644 --- a/tuf/README.md +++ b/tuf/README.md @@ -84,7 +84,7 @@ The repository tool supports multiple public-key algorithms, such as [RSA](https://en.wikipedia.org/wiki/RSA_%28cryptosystem%29) and [Ed25519](http://ed25519.cr.yp.to/), and multiple cryptography libraries. Which cryptography library to use is determined by the default, or user modified, -settings in [conf.py](conf.py). +settings in [settings.py](settings.py). The [PyCrypto](https://www.dlitz.net/software/pycrypto/) library may be selected to generate RSA keys and @@ -911,7 +911,7 @@ $ python slow_retrieval_server.py 8002 mode_2 The client may now make a request to the slow retrieval server on port 8002. However, before doing so, we'll reduce (for the purposes of this demo) the minimum average download rate allowed and download chunk size. Open the -'conf.py' module and set MIN_AVERAGE_DOWNLOAD_SPEED = 5 and CHUNK_SIZE = 1. +'settings.py' module and set MIN_AVERAGE_DOWNLOAD_SPEED = 5 and CHUNK_SIZE = 1. This should make it so that the client detects the slow retrieval server's delayed streaming. diff --git a/tuf/__init__.py b/tuf/__init__.py index 8b137891..af80bbdd 100755 --- a/tuf/__init__.py +++ b/tuf/__init__.py @@ -1 +1,2 @@ - +import os +os.environ['SIMPLE_SETTINGS'] = "tuf.settings" diff --git a/tuf/client/README.md b/tuf/client/README.md index 29b83d93..9452904f 100644 --- a/tuf/client/README.md +++ b/tuf/client/README.md @@ -54,10 +54,10 @@ can decide how to proceed rather than automatically downloading a new Root file. # from this module. import tuf.client.updater -# The only other module the client interacts with is 'tuf.conf'. The +# The only other module the client interacts with is 'settings'. The # client accesses this module solely to set the repository directory. # This directory will hold the files downloaded from a remote repository. -tuf.conf.repository_directory = 'path/to/local_repository' +settings.repository_directory = 'path/to/local_repository' # Next, the client creates a dictionary object containing the repository # mirrors. The client may download content from any one of these mirrors. diff --git a/tuf/client/updater.py b/tuf/client/updater.py index 36c5aa03..4e7753c7 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py @@ -51,10 +51,10 @@ # from this module. import tuf.client.updater - # The only other module the client interacts with is 'tuf.conf'. The + # The only other module the client interacts with is 'settings'. The # client accesses this module solely to set the repository directory. # This directory will hold the files downloaded from a remote repository. - tuf.conf.repository_directory = 'local-repository' + settings.repository_directory = 'local-repository' # Next, the client creates a dictionary object containing the repository # mirrors. The client may download content from any one of these mirrors. @@ -116,7 +116,7 @@ import fnmatch import tuf -import tuf.conf +from simple_settings import settings import tuf.download import tuf.tufformats import tuf.ssl_crypto.hash @@ -238,12 +238,12 @@ def __init__(self, updater_name, repository_mirrors): In order to use an updater, the following directories must already exist locally: - {tuf.conf.repository_directory}/metadata/current - {tuf.conf.repository_directory}/metadata/previous + {settings.repository_directory}/metadata/current + {settings.repository_directory}/metadata/previous and, at a minimum, the root metadata file must exist: - {tuf.conf.repository_directory}/metadata/current/root.json + {settings.repository_directory}/metadata/current/root.json updater_name: @@ -320,13 +320,13 @@ def __init__(self, updater_name, repository_mirrors): self.consistent_snapshot = False # Ensure the repository metadata directory has been set. - if tuf.conf.repository_directory is None: + if settings.repository_directory is None: raise tuf.ssl_commons.exceptions.RepositoryError('The TUF update client module must specify the' ' directory containing the local repository files.' - ' "tuf.conf.repository_directory" MUST be set.') + ' "settings.repository_directory" MUST be set.') # Set the path for the current set of metadata files. - repository_directory = tuf.conf.repository_directory + repository_directory = settings.repository_directory current_path = os.path.join(repository_directory, 'metadata', 'current') # Ensure the current path is valid/exists before saving it. @@ -637,14 +637,14 @@ def refresh(self, unsafely_update_root_if_necessary=True): # The Timestamp role does not have signed metadata about it; otherwise we # would need an infinite regress of metadata. Therefore, we use some # default, but sane, upper file length for its metadata. - DEFAULT_TIMESTAMP_UPPERLENGTH = tuf.conf.DEFAULT_TIMESTAMP_REQUIRED_LENGTH + DEFAULT_TIMESTAMP_UPPERLENGTH = settings.DEFAULT_TIMESTAMP_REQUIRED_LENGTH # The Root role may be updated without knowing its version number if # top-level metadata cannot be safely downloaded (e.g., keys may have been # revoked, thus requiring a new Root file that includes the updated keys) # and 'unsafely_update_root_if_necessary' is True. # We use some default, but sane, upper file length for its metadata. - DEFAULT_ROOT_UPPERLENGTH = tuf.conf.DEFAULT_ROOT_REQUIRED_LENGTH + DEFAULT_ROOT_UPPERLENGTH = settings.DEFAULT_ROOT_REQUIRED_LENGTH # Update the top-level metadata. The _update_metadata_if_changed() and # _update_metadata() calls below do NOT perform an update if there @@ -715,7 +715,7 @@ def _update_root_metadata(self, current_root_metadata, compression_algorithm=Non # Retrieve the latest, remote root.json. latest_root_metadata_file = \ self._get_metadata_file('root', 'root.json', - tuf.conf.DEFAULT_ROOT_REQUIRED_LENGTH, None, + settings.DEFAULT_ROOT_REQUIRED_LENGTH, None, compression_algorithm=compression_algorithm) latest_root_metadata = \ tuf.util.load_json_string(latest_root_metadata_file.read().decode('utf-8')) @@ -734,7 +734,7 @@ def _update_root_metadata(self, current_root_metadata, compression_algorithm=Non # in the latest root.json after running through the intermediates with # _update_metadata(). self.consistent_snapshot = True - self._update_metadata('root', tuf.conf.DEFAULT_ROOT_REQUIRED_LENGTH, version=version, + self._update_metadata('root', settings.DEFAULT_ROOT_REQUIRED_LENGTH, version=version, compression_algorithm=compression_algorithm) @@ -1542,14 +1542,14 @@ def _update_metadata_if_changed(self, metadata_role, # expected role. Note: The Timestamp role is not updated via this # function. if metadata_role == 'snapshot': - upperbound_filelength = tuf.conf.DEFAULT_SNAPSHOT_REQUIRED_LENGTH + upperbound_filelength = settings.DEFAULT_SNAPSHOT_REQUIRED_LENGTH elif metadata_role == 'root': - upperbound_filelength = tuf.conf.DEFAULT_ROOT_REQUIRED_LENGTH + upperbound_filelength = settings.DEFAULT_ROOT_REQUIRED_LENGTH # The metadata is considered Targets (or delegated Targets metadata). else: - upperbound_filelength = tuf.conf.DEFAULT_TARGETS_REQUIRED_LENGTH + upperbound_filelength = settings.DEFAULT_TARGETS_REQUIRED_LENGTH try: self._update_metadata(metadata_role, upperbound_filelength, @@ -2320,7 +2320,7 @@ def _preorder_depth_first_walk(self, target_filepath): current_metadata = self.metadata['current'] role_names = ['targets'] visited_role_names = set() - number_of_delegations = tuf.conf.MAX_NUMBER_OF_DELEGATIONS + number_of_delegations = settings.MAX_NUMBER_OF_DELEGATIONS # Ensure the client has the most up-to-date version of 'targets.json'. # Raise 'tuf.ssl_commons.exceptions.NoWorkingMirrorError' if the changed metadata cannot be @@ -2393,7 +2393,7 @@ def _preorder_depth_first_walk(self, target_filepath): if target is None and number_of_delegations == 0 and len(role_names) > 0: logger.debug(repr(len(role_names)) + ' roles left to visit, ' + 'but allowed to visit at most ' + - repr(tuf.conf.MAX_NUMBER_OF_DELEGATIONS) + ' delegations.') + repr(settings.MAX_NUMBER_OF_DELEGATIONS) + ' delegations.') return target diff --git a/tuf/developer_tool.py b/tuf/developer_tool.py index d00deb15..caa92907 100755 --- a/tuf/developer_tool.py +++ b/tuf/developer_tool.py @@ -44,7 +44,7 @@ import tuf.keys import tuf.sig import tuf.log -import tuf.conf +from simple_settings import settings import tuf.repository_tool import six diff --git a/tuf/download.py b/tuf/download.py index 3c7474e6..fec50f8d 100755 --- a/tuf/download.py +++ b/tuf/download.py @@ -37,7 +37,7 @@ import time import tuf -import tuf.conf +from simple_settings import settings import tuf.ssl_crypto.hash import tuf.util import tuf.tufformats @@ -73,7 +73,7 @@ def safe_download(url, required_length): url: A URL string that represents the location of the file. The URI scheme - component must be one of 'tuf.conf.SUPPORTED_URI_SCHEMES'. + component must be one of 'settings.SUPPORTED_URI_SCHEMES'. required_length: An integer value representing the length of the file. This is an exact @@ -101,17 +101,17 @@ def safe_download(url, required_length): tuf.ssl_crypto.formats.LENGTH_SCHEMA.check_match(required_length) # Ensure 'url' specifies one of the URI schemes in - # 'tuf.conf.SUPPORTED_URI_SCHEMES'. Be default, ['http', 'https'] is + # 'settings.SUPPORTED_URI_SCHEMES'. Be default, ['http', 'https'] is # supported. If the URI scheme of 'url' is empty or "file", files on the # local system can be accessed. Unexpected files may be accessed by # compromised metadata (unlikely to happen if targets.json metadata is signed # with offline keys). parsed_url = six.moves.urllib.parse.urlparse(url) - if parsed_url.scheme not in tuf.conf.SUPPORTED_URI_SCHEMES: + if parsed_url.scheme not in settings.SUPPORTED_URI_SCHEMES: message = \ repr(url) + ' specifies an unsupported URI scheme. Supported ' + \ - ' URI Schemes: ' + repr(tuf.conf.SUPPORTED_URI_SCHEMES) + ' URI Schemes: ' + repr(settings.SUPPORTED_URI_SCHEMES) raise tuf.ssl_commons.exceptions.FormatError(message) return _download_file(url, required_length, STRICT_REQUIRED_LENGTH=True) @@ -137,7 +137,7 @@ def unsafe_download(url, required_length): url: A URL string that represents the location of the file. The URI scheme - component must be one of 'tuf.conf.SUPPORTED_URI_SCHEMES'. + component must be one of 'settings.SUPPORTED_URI_SCHEMES'. required_length: An integer value representing the length of the file. This is an upper @@ -165,17 +165,17 @@ def unsafe_download(url, required_length): tuf.ssl_crypto.formats.LENGTH_SCHEMA.check_match(required_length) # Ensure 'url' specifies one of the URI schemes in - # 'tuf.conf.SUPPORTED_URI_SCHEMES'. Be default, ['http', 'https'] is + # 'settings.SUPPORTED_URI_SCHEMES'. Be default, ['http', 'https'] is # supported. If the URI scheme of 'url' is empty or "file", files on the # local system can be accessed. Unexpected files may be accessed by # compromised metadata (unlikely to happen if targets.json metadata is signed # with offline keys). parsed_url = six.moves.urllib.parse.urlparse(url) - if parsed_url.scheme not in tuf.conf.SUPPORTED_URI_SCHEMES: + if parsed_url.scheme not in settings.SUPPORTED_URI_SCHEMES: message = \ repr(url) + ' specifies an unsupported URI scheme. Supported ' + \ - ' URI Schemes: ' + repr(tuf.conf.SUPPORTED_URI_SCHEMES) + ' URI Schemes: ' + repr(settings.SUPPORTED_URI_SCHEMES) raise tuf.ssl_commons.exceptions.FormatError(message) return _download_file(url, required_length, STRICT_REQUIRED_LENGTH=False) @@ -308,10 +308,10 @@ def _download_fixed_amount_of_data(connection, temp_file, required_length): """ # Tolerate servers with a slow start by ignoring their delivery speed for - # 'tuf.conf.SLOW_START_GRACE_PERIOD' seconds. Set 'seconds_spent_receiving' + # 'settings.SLOW_START_GRACE_PERIOD' seconds. Set 'seconds_spent_receiving' # to negative SLOW_START_GRACE_PERIOD seconds, and begin checking the average # download speed once it is positive. - grace_period = -tuf.conf.SLOW_START_GRACE_PERIOD + grace_period = -settings.SLOW_START_GRACE_PERIOD # Keep track of total bytes downloaded. number_of_bytes_received = 0 @@ -328,7 +328,7 @@ def _download_fixed_amount_of_data(connection, temp_file, required_length): # in the while loop. time.sleep(0.05) data = b'' - read_amount = min(tuf.conf.CHUNK_SIZE, + read_amount = min(settings.CHUNK_SIZE, required_length - number_of_bytes_received) try: @@ -355,14 +355,14 @@ def _download_fixed_amount_of_data(connection, temp_file, required_length): # Measure the average download speed. average_download_speed = number_of_bytes_received / seconds_spent_receiving - if average_download_speed < tuf.conf.MIN_AVERAGE_DOWNLOAD_SPEED: + if average_download_speed < settings.MIN_AVERAGE_DOWNLOAD_SPEED: logger.debug('The average download speed dropped below the minimum' - ' average download speed set in conf.py.') + ' average download speed set in settings.py.') break else: logger.debug('The average download speed has not dipped below the' - ' mimimum average download speed set in conf.py.') + ' mimimum average download speed set in settings.py.') # We might have no more data to read. Check number of bytes downloaded. if not data: @@ -411,7 +411,7 @@ def _get_opener(scheme=None): """ if scheme == "https": - assert os.path.isfile(tuf.conf.ssl_certificates) + assert os.path.isfile(settings.ssl_certificates) # If we are going over https, use an opener which will provide SSL # certificate verification. @@ -470,7 +470,7 @@ def _open_connection(url): opener = _get_opener(scheme=parsed_url.scheme) request = _get_request(url) - return opener.open(request, timeout = tuf.conf.SOCKET_TIMEOUT) + return opener.open(request, timeout = settings.SOCKET_TIMEOUT) @@ -608,7 +608,7 @@ def _check_downloaded_length(total_downloaded, required_length, total_downloaded is not equal required_length. tuf.ssl_commons.exceptions.SlowRetrievalError, if the total downloaded was done in in less than - the acceptable download speed (as set in tuf.conf.py). + the acceptable download speed (as set in tuf.settings.py). None. @@ -631,9 +631,9 @@ def _check_downloaded_length(total_downloaded, required_length, # If the average download speed is below a certain threshold, we flag # this as a possible slow-retrieval attack. logger.debug('Average download speed: ' + repr(average_download_speed)) - logger.debug('Minimum average download speed: ' + repr(tuf.conf.MIN_AVERAGE_DOWNLOAD_SPEED)) + logger.debug('Minimum average download speed: ' + repr(settings.MIN_AVERAGE_DOWNLOAD_SPEED)) - if average_download_speed < tuf.conf.MIN_AVERAGE_DOWNLOAD_SPEED: + if average_download_speed < settings.MIN_AVERAGE_DOWNLOAD_SPEED: raise tuf.ssl_commons.exceptions.SlowRetrievalError(average_download_speed) else: @@ -647,7 +647,7 @@ def _check_downloaded_length(total_downloaded, required_length, # will log a warning anyway. This is useful when we wish to download the # Timestamp or Root metadata, for which we have no signed metadata; so, # we must guess a reasonable required_length for it. - if average_download_speed < tuf.conf.MIN_AVERAGE_DOWNLOAD_SPEED: + if average_download_speed < settings.MIN_AVERAGE_DOWNLOAD_SPEED: raise tuf.ssl_commons.exceptions.SlowRetrievalError(average_download_speed) else: @@ -688,8 +688,8 @@ def connect(self): self._tunnel() # set location of certificate authorities - assert os.path.isfile(tuf.conf.ssl_certificates) - cert_path = tuf.conf.ssl_certificates + assert os.path.isfile(settings.ssl_certificates) + cert_path = settings.ssl_certificates # TODO: Disallow SSLv2. # http://docs.python.org/dev/library/ssl.html#protocol-versions diff --git a/tuf/interposition/updater.py b/tuf/interposition/updater.py index 6dcdeb9b..f6651ff7 100755 --- a/tuf/interposition/updater.py +++ b/tuf/interposition/updater.py @@ -126,7 +126,7 @@ } } - # After creating 'tuf.configuration.json' and the example updater module, run + # After creating 'settingsiguration.json' and the example updater module, run # 'interposition.py'. The urllib calls will be intercepted, and information # about the update process is generated to a log file named 'tuf.log' in the # same directory, which can be reviewed. @@ -148,7 +148,7 @@ import logging import tuf.client.updater -import tuf.conf +from simple_settings import settings import tuf.log import six @@ -198,7 +198,7 @@ class Updater(object): switch_context(): There is an updater object for each network location that is interposed. Context switching is required because there are multiple - 'tuf.client.updater' objects and each one depends on tuf.conf settings + 'tuf.client.updater' objects and each one depends on settings settings that are shared. """ @@ -264,7 +264,7 @@ def __init__(self, configuration): logger.debug('Created temporary directory at ' + repr(self.tempdir)) # Switching context before instantiating updater because updater depends - # on some module (tuf.conf) variables. + # on some module (settings) variables. self.switch_context() # Instantiating a 'tuf.client.updater' object causes all the configurations @@ -396,7 +396,7 @@ def download_target(self, target_filepath): os.path.join(destination_directory, target_filepath.lstrip(os.sep)) # Switch TUF context. Switching context before instantiating updater - # because updater depends on some module (tuf.conf) variables. + # because updater depends on some module (settings) variables. self.switch_context() # Locate the fileinfo of 'target_filepath'. updater.target() searches @@ -626,12 +626,12 @@ def switch_context(self): There is an updater object for each network location that is interposed. Context switching is required because there are multiple - 'tuf.client.updater' objects and each one depends on tuf.conf settings + 'tuf.client.updater' objects and each one depends on settings settings that are shared. For this, two settings are required: - 1. Setting local repository directory in 'tuf.conf'. + 1. Setting local repository directory in 'settings'. 2. Setting the local SSL certificate PEM file. @@ -642,18 +642,18 @@ def switch_context(self): The given configuration's 'repository_directory' and ssl_certificates - settings are set to 'tuf.conf.repository_directory' and - 'tuf.conf.ssl_certificates', respectively. + settings are set to 'settings.repository_directory' and + 'settings.ssl_certificates', respectively. None """ # Set the local repository directory containing the metadata files. - tuf.conf.repository_directory = self.configuration.repository_directory + settings.repository_directory = self.configuration.repository_directory # Set the local SSL certificates PEM file. - tuf.conf.ssl_certificates = self.configuration.ssl_certificates + settings.ssl_certificates = self.configuration.ssl_certificates diff --git a/tuf/keydb.py b/tuf/keydb.py index d5b56a06..9355d458 100755 --- a/tuf/keydb.py +++ b/tuf/keydb.py @@ -116,7 +116,7 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'): # format, which is the format expected by 'add_key()'. Note: # The 'keyids' returned by format_metadata_to_key() include keyids in # addition to the default keyid listed in 'key_dict'. The additional - # keyids are generated according to tuf.conf.REPOSITORY_HASH_ALGORITHMS. + # keyids are generated according to settings.REPOSITORY_HASH_ALGORITHMS. key_dict, keyids = tuf.keys.format_metadata_to_key(key_metadata) try: diff --git a/tuf/keys.py b/tuf/keys.py index 8817f3fc..62a83cb6 100755 --- a/tuf/keys.py +++ b/tuf/keys.py @@ -19,7 +19,7 @@ is designed to support multiple public-key algorithms, such as RSA and Ed25519, and multiple cryptography libraries. Which cryptography library to use is determined by the default, or user modified, values set in - 'tuf.conf.py' + 'tuf.settings.py' https://en.wikipedia.org/wiki/RSA_(algorithm) http://ed25519.cr.yp.to/ @@ -132,7 +132,7 @@ import tuf # Import the cryptography library settings. -import tuf.conf +from simple_settings import settings # Digest objects needed to generate hashes. import tuf.ssl_crypto.hash @@ -143,8 +143,8 @@ # The hash algorithm used in the generation of the key ID for each unique key. # If multiple hash algorithms is desired for the generation of key IDs, -# 'tuf.conf.REPOSITORY_HASH_ALGORITHMS' can be used. -_KEY_ID_HASH_ALGORITHM = tuf.conf.DEFAULT_HASH_ALGORITHM +# 'settings.REPOSITORY_HASH_ALGORITHMS' can be used. +_KEY_ID_HASH_ALGORITHM = settings.DEFAULT_HASH_ALGORITHM # Recommended RSA key sizes: # http://www.emc.com/emc-plus/rsa-labs/historical/twirl-and-rsa-key-size.htm#table1 @@ -155,9 +155,9 @@ # The crypto libraries to use in 'keys.py', set by default or by the user. # The following cryptography libraries are currently supported: # ['pycrypto', 'pynacl', 'ed25519', 'pyca-cryptography'] -_RSA_CRYPTO_LIBRARY = tuf.conf.RSA_CRYPTO_LIBRARY -_ED25519_CRYPTO_LIBRARY = tuf.conf.ED25519_CRYPTO_LIBRARY -_GENERAL_CRYPTO_LIBRARY = tuf.conf.GENERAL_CRYPTO_LIBRARY +_RSA_CRYPTO_LIBRARY = settings.RSA_CRYPTO_LIBRARY +_ED25519_CRYPTO_LIBRARY = settings.ED25519_CRYPTO_LIBRARY +_GENERAL_CRYPTO_LIBRARY = settings.GENERAL_CRYPTO_LIBRARY def generate_rsa_key(bits=_DEFAULT_RSA_KEY_BITS): @@ -203,11 +203,11 @@ def generate_rsa_key(bits=_DEFAULT_RSA_KEY_BITS): and not at least 2048). tuf.ssl_commons.exceptions.UnsupportedLibraryError, if any of the cryptography libraries specified - in 'tuf.conf.py' are unsupported or unavailable. + in 'tuf.settings.py' are unsupported or unavailable. ValueError, if an exception occurs after calling the RSA key generation routine. 'bits' must be a multiple of 256 if PyCrypto is set via - 'tuf.conf.py'. The 'ValueError' exception is raised by the key generation + 'tuf.settings.py'. The 'ValueError' exception is raised by the key generation function of the cryptography library called. @@ -226,8 +226,8 @@ def generate_rsa_key(bits=_DEFAULT_RSA_KEY_BITS): tuf.ssl_crypto.formats.RSAKEYBITS_SCHEMA.check_match(bits) # Raise 'tuf.ssl_commons.exceptions.UnsupportedLibraryError' if the following libraries, specified - # in 'tuf.conf', are unsupported or unavailable: - # 'tuf.conf.RSA_CRYPTO_LIBRARY'. + # in 'settings', are unsupported or unavailable: + # 'settings.RSA_CRYPTO_LIBRARY'. check_crypto_libraries(['rsa']) # Begin building the RSA key dictionary. @@ -313,8 +313,8 @@ def generate_ed25519_key(): """ # Raise 'tuf.ssl_commons.exceptions.UnsupportedLibraryError' if the following libraries, specified - # in 'tuf.conf', are unsupported or unavailable: - # 'tuf.conf.ED25519_CRYPTO_LIBRARY'. + # in 'settings', are unsupported or unavailable: + # 'settings.ED25519_CRYPTO_LIBRARY'. check_crypto_libraries(['ed25519']) # Begin building the Ed25519 key dictionary. @@ -439,7 +439,7 @@ def format_keyval_to_metadata(keytype, key_value, private=False): public_key_value = {'public': key_value['public']} return {'keytype': keytype, - 'keyid_hash_algorithms': tuf.conf.REPOSITORY_HASH_ALGORITHMS, + 'keyid_hash_algorithms': settings.REPOSITORY_HASH_ALGORITHMS, 'keyval': public_key_value} @@ -516,7 +516,7 @@ def format_metadata_to_key(key_metadata): keyids = set() keyids.add(default_keyid) - for hash_algorithm in tuf.conf.REPOSITORY_HASH_ALGORITHMS: + for hash_algorithm in settings.REPOSITORY_HASH_ALGORITHMS: keyid = _get_keyid(keytype, key_value, hash_algorithm) keyids.add(keyid) @@ -524,7 +524,7 @@ def format_metadata_to_key(key_metadata): # 'keyid_hash_algorithms' key_dict['keytype'] = keytype key_dict['keyid'] = default_keyid - key_dict['keyid_hash_algorithms'] = tuf.conf.REPOSITORY_HASH_ALGORITHMS + key_dict['keyid_hash_algorithms'] = settings.REPOSITORY_HASH_ALGORITHMS key_dict['keyval'] = key_value return key_dict, keyids @@ -564,7 +564,7 @@ def check_crypto_libraries(required_libraries): """ Public function that ensures the cryptography libraries specified in - 'tuf.conf' are supported and available for each 'required_libraries'. + 'settings' are supported and available for each 'required_libraries'. required_libraries: @@ -573,10 +573,10 @@ def check_crypto_libraries(required_libraries): tuf.ssl_commons.exceptions.UnsupportedLibraryError, if the 'required_libraries' and the libraries - specified in 'tuf.conf' are not supported or unavailable. + specified in 'settings' are not supported or unavailable. - Validates the libraries set in 'tuf.conf'. + Validates the libraries set in 'settings'. None. @@ -589,7 +589,7 @@ def check_crypto_libraries(required_libraries): tuf.ssl_crypto.formats.REQUIRED_LIBRARIES_SCHEMA.check_match(required_libraries) # The checks below all raise 'tuf.ssl_commons.exceptions.UnsupportedLibraryError' if the general, - # RSA, and Ed25519 crypto libraries specified in 'tuf.conf.py' are not + # RSA, and Ed25519 crypto libraries specified in 'tuf.settings.py' are not # supported or unavailable. The appropriate error message is added to the # exception. The funcions of this module that depend on user-installed # crypto libraries should call this private function to ensure the called @@ -600,40 +600,40 @@ def check_crypto_libraries(required_libraries): if 'rsa' in required_libraries and _RSA_CRYPTO_LIBRARY not in \ _SUPPORTED_RSA_CRYPTO_LIBRARIES: raise tuf.ssl_commons.exceptions.UnsupportedLibraryError('The ' + repr(_RSA_CRYPTO_LIBRARY) + - ' crypto library specified in "tuf.conf.RSA_CRYPTO_LIBRARY" is not ' + ' crypto library specified in "settings.RSA_CRYPTO_LIBRARY" is not ' ' supported.\nSupported crypto libraries: ' + repr(_SUPPORTED_RSA_CRYPTO_LIBRARIES) + '.') if 'ed25519' in required_libraries and _ED25519_CRYPTO_LIBRARY not in \ _SUPPORTED_ED25519_CRYPTO_LIBRARIES: raise tuf.ssl_commons.exceptions.UnsupportedLibraryError('The ' + repr(_ED25519_CRYPTO_LIBRARY) + - ' crypto library specified in "tuf.conf.ED25519_CRYPTO_LIBRARY" is not ' + ' crypto library specified in "settings.ED25519_CRYPTO_LIBRARY" is not ' ' supported.\nSupported crypto libraries: ' + repr(_SUPPORTED_ED25519_CRYPTO_LIBRARIES) + '.') if 'general' in required_libraries and _GENERAL_CRYPTO_LIBRARY not in \ _SUPPORTED_GENERAL_CRYPTO_LIBRARIES: raise tuf.ssl_commons.exceptions.UnsupportedLibraryError('The ' + repr(_GENERAL_CRYPTO_LIBRARY) + - ' crypto library specified in "tuf.conf.GENERAL_CRYPTO_LIBRARY" is not' + ' crypto library specified in "settings.GENERAL_CRYPTO_LIBRARY" is not' ' supported.\nSupported crypto libraries: ' + repr(_SUPPORTED_GENERAL_CRYPTO_LIBRARIES) + '.') if 'rsa' in required_libraries and _RSA_CRYPTO_LIBRARY not in \ _available_crypto_libraries: raise tuf.ssl_commons.exceptions.UnsupportedLibraryError('The ' + repr(_RSA_CRYPTO_LIBRARY) + - ' crypto library specified in "tuf.conf.RSA_CRYPTO_LIBRARY" could not' + ' crypto library specified in "settings.RSA_CRYPTO_LIBRARY" could not' ' be imported. Available libraries: ' + repr(_available_crypto_libraries)) if 'ed25519' in required_libraries and _ED25519_CRYPTO_LIBRARY not in \ _available_crypto_libraries: raise tuf.ssl_commons.exceptions.UnsupportedLibraryError('The ' + repr(_ED25519_CRYPTO_LIBRARY) + - ' crypto library specified in "tuf.conf.ED25519_CRYPTO_LIBRARY" could' + ' crypto library specified in "settings.ED25519_CRYPTO_LIBRARY" could' ' not be imported.') if 'general' in required_libraries and _GENERAL_CRYPTO_LIBRARY not in \ _available_crypto_libraries: raise tuf.ssl_commons.exceptions.UnsupportedLibraryError('The ' + repr(_GENERAL_CRYPTO_LIBRARY) + - ' crypto library specified in "tuf.conf.GENERAL_CRYPTO_LIBRARY" could' + ' crypto library specified in "settings.GENERAL_CRYPTO_LIBRARY" could' ' not be imported.') @@ -662,7 +662,7 @@ def create_signature(key_dict, data): http://ed25519.cr.yp.to/ Which signature to generate is determined by the key type of 'key_dict' - and the available cryptography library specified in 'tuf.conf'. + and the available cryptography library specified in 'settings'. >>> ed25519_key = generate_ed25519_key() >>> data = 'The quick brown fox jumps over the lazy dog' @@ -701,7 +701,7 @@ def create_signature(key_dict, data): TypeError, if 'key_dict' contains an invalid keytype. - The cryptography library specified in 'tuf.conf' called to perform the + The cryptography library specified in 'settings' called to perform the actual signing routine. @@ -716,8 +716,8 @@ def create_signature(key_dict, data): tuf.ssl_crypto.formats.ANYKEY_SCHEMA.check_match(key_dict) # Raise 'tuf.ssl_commons.exceptions.UnsupportedLibraryError' if the following libraries, specified - # in 'tuf.conf', are unsupported or unavailable: - # 'tuf.conf.RSA_CRYPTO_LIBRARY' or 'tuf.conf.ED25519_CRYPTO_LIBRARY'. + # in 'settings', are unsupported or unavailable: + # 'settings.RSA_CRYPTO_LIBRARY' or 'settings.ED25519_CRYPTO_LIBRARY'. check_crypto_libraries([key_dict['keytype']]) # Signing the 'data' object requires a private key. @@ -750,7 +750,7 @@ def create_signature(key_dict, data): else: # pragma: no cover raise tuf.ssl_commons.exceptions.UnsupportedLibraryError('Unsupported' - ' "tuf.conf.RSA_CRYPTO_LIBRARY": ' + repr(_RSA_CRYPTO_LIBRARY) + '.') + ' "settings.RSA_CRYPTO_LIBRARY": ' + repr(_RSA_CRYPTO_LIBRARY) + '.') elif keytype == 'ed25519': public = binascii.unhexlify(public.encode('utf-8')) @@ -837,7 +837,7 @@ def verify_signature(key_dict, signature, data): 'signature' is not one supported. - The cryptography library specified in 'tuf.conf' called to do the actual + The cryptography library specified in 'settings' called to do the actual verification. @@ -877,10 +877,10 @@ def verify_signature(key_dict, signature, data): if 'pycrypto' not in _available_crypto_libraries: # pragma: no cover raise tuf.ssl_commons.exceptions.UnsupportedLibraryError('Metadata downloaded from the remote' ' repository listed an RSA signature. "pycrypto" was set' - ' (in conf.py) to generate RSA signatures, but the PyCrypto library' + ' (in settings.py) to generate RSA signatures, but the PyCrypto library' ' is not installed. \n$ pip install PyCrypto, or pip install' ' tuf[tools], or you can try switching your configuration' - ' (tuf.conf.py) to use pyca-cryptography if that is available instead.') + ' (tuf.settings.py) to use pyca-cryptography if that is available instead.') else: valid_signature = tuf.pycrypto_keys.verify_rsa_signature(sig, method, @@ -889,10 +889,10 @@ def verify_signature(key_dict, signature, data): if 'pyca-cryptography' not in _available_crypto_libraries: # pragma: no cover raise tuf.ssl_commons.exceptions.UnsupportedLibraryError('Metadata downloaded from the remote' ' repository listed an RSA signature. "pyca-cryptography" was set' - ' (in conf.py) to generate RSA signatures, but the "cryptography"' + ' (in settings.py) to generate RSA signatures, but the "cryptography"' ' library is not installed. \n$ pip install cryptography, or pip' ' install tuf[tools], or you can try switching your configuration' - ' (tuf/conf.py) to use PyCrypto if that is available instead.') + ' (tuf/settings.py) to use PyCrypto if that is available instead.') else: valid_signature = tuf.pyca_crypto_keys.verify_rsa_signature(sig, method, @@ -900,7 +900,7 @@ def verify_signature(key_dict, signature, data): else: # pragma: no cover raise tuf.ssl_commons.exceptions.UnsupportedLibraryError('Unsupported' - ' "tuf.conf.RSA_CRYPTO_LIBRARY": ' + repr(_RSA_CRYPTO_LIBRARY) + '.') + ' "settings.RSA_CRYPTO_LIBRARY": ' + repr(_RSA_CRYPTO_LIBRARY) + '.') elif keytype == 'ed25519': public = binascii.unhexlify(public.encode('utf-8')) @@ -964,7 +964,7 @@ def import_rsakey_from_encrypted_pem(encrypted_pem, password): tuf.ssl_commons.exceptions.FormatError, if the arguments are improperly formatted. tuf.ssl_commons.exceptions.UnsupportedLibraryError, if any of the cryptography libraries specified - in 'tuf.conf.py' are unsupported or unavailable. + in 'tuf.settings.py' are unsupported or unavailable. None. @@ -983,8 +983,8 @@ def import_rsakey_from_encrypted_pem(encrypted_pem, password): tuf.ssl_crypto.formats.PASSWORD_SCHEMA.check_match(password) # Raise 'tuf.ssl_commons.exceptions.UnsupportedLibraryError' if the following libraries, specified in - # 'tuf.conf', are unsupported or unavailable: - # 'tuf.conf.RSA_CRYPTO_LIBRARY' and 'tuf.conf.GENERAL_CRYPTO_LIBRARY'. + # 'settings', are unsupported or unavailable: + # 'settings.RSA_CRYPTO_LIBRARY' and 'settings.GENERAL_CRYPTO_LIBRARY'. check_crypto_libraries(['rsa', 'general']) # Begin building the RSA key dictionary. @@ -1212,7 +1212,7 @@ def encrypt_key(key_object, password): Derivation Function 1 (PBKDF1) + MD5 to strengthen 'password', encrypted TUF keys use AES-256-CTR-Mode and passwords strengthened with PBKDF2-HMAC-SHA256 (100K iterations by default, but may be overriden in - 'tuf.conf.PBKDF2_ITERATIONS' by the user). + 'settings.PBKDF2_ITERATIONS' by the user). http://en.wikipedia.org/wiki/Advanced_Encryption_Standard http://en.wikipedia.org/wiki/CTR_mode#Counter_.28CTR.29 @@ -1240,7 +1240,7 @@ def encrypt_key(key_object, password): tuf.ssl_commons.exceptions.CryptoError, if 'key_object' cannot be encrypted. tuf.ssl_commons.exceptions.UnsupportedLibraryError, if the general-purpose cryptography library - specified in 'tuf.conf.GENERAL_CRYPTO_LIBRARY' is unsupported. + specified in 'settings.GENERAL_CRYPTO_LIBRARY' is unsupported. Perform crytographic operations using the library specified in @@ -1260,8 +1260,8 @@ def encrypt_key(key_object, password): tuf.ssl_crypto.formats.PASSWORD_SCHEMA.check_match(password) # Raise 'tuf.ssl_commons.exceptions.UnsupportedLibraryError' if the following libraries, specified in - # 'tuf.conf', are unsupported or unavailable: - # 'tuf.conf.GENERAL_CRYPTO_LIBRARY'. + # 'settings', are unsupported or unavailable: + # 'settings.GENERAL_CRYPTO_LIBRARY'. check_crypto_libraries(['general']) # Encrypted string of 'key_object'. The encrypted string may be safely saved @@ -1270,7 +1270,7 @@ def encrypt_key(key_object, password): # Generate an encrypted string of 'key_object' using AES-256-CTR-Mode, where # 'password' is strengthened with PBKDF2-HMAC-SHA256. Ensure the general- - # purpose library specified in 'tuf.conf.GENERAL_CRYPTO_LIBRARY' is supported. + # purpose library specified in 'settings.GENERAL_CRYPTO_LIBRARY' is supported. if _GENERAL_CRYPTO_LIBRARY == 'pycrypto': encrypted_key = \ tuf.pycrypto_keys.encrypt_key(key_object, password) @@ -1306,7 +1306,7 @@ def decrypt_key(encrypted_key, passphrase): Derivation Function 1 (PBKDF1) + MD5 to strengthen 'password', encrypted TUF keys use AES-256-CTR-Mode and passwords strengthened with PBKDF2-HMAC-SHA256 (100K iterations be default, but may be overriden in - 'tuf.conf.py' by the user). + 'tuf.settings.py' by the user). http://en.wikipedia.org/wiki/Advanced_Encryption_Standard http://en.wikipedia.org/wiki/CTR_mode#Counter_.28CTR.29 @@ -1340,7 +1340,7 @@ def decrypt_key(encrypted_key, passphrase): tuf.ssl_commons.exceptions.CryptoError, if 'encrypted_key' cannot be decrypted. tuf.ssl_commons.exceptions.UnsupportedLibraryError, if the general-purpose cryptography library - specified in 'tuf.conf.GENERAL_CRYPTO_LIBRARY' is unsupported. + specified in 'settings.GENERAL_CRYPTO_LIBRARY' is unsupported. Perform crytographic operations using the library specified in @@ -1361,8 +1361,8 @@ def decrypt_key(encrypted_key, passphrase): tuf.ssl_crypto.formats.PASSWORD_SCHEMA.check_match(passphrase) # Raise 'tuf.ssl_commons.exceptions.UnsupportedLibraryError' if the following libraries, specified in - # 'tuf.conf', are unsupported or unavailable: - # 'tuf.conf.GENERAL_CRYPTO_LIBRARY'. + # 'settings', are unsupported or unavailable: + # 'settings.GENERAL_CRYPTO_LIBRARY'. check_crypto_libraries(['general']) # Store and return the decrypted key object. @@ -1372,7 +1372,7 @@ def decrypt_key(encrypted_key, passphrase): # encrypt_key() generates an encrypted string of the TUF key object using # AES-256-CTR-Mode, where 'password' is strengthened with PBKDF2-HMAC-SHA256. # Ensure the general-purpose library specified in - # 'tuf.conf.GENERAL_CRYPTO_LIBRARY' is supported. + # 'settings.GENERAL_CRYPTO_LIBRARY' is supported. if _GENERAL_CRYPTO_LIBRARY == 'pycrypto': key_object = \ tuf.pycrypto_keys.decrypt_key(encrypted_key, passphrase) @@ -1450,8 +1450,8 @@ def create_rsa_encrypted_pem(private_key, passphrase): tuf.ssl_crypto.formats.PASSWORD_SCHEMA.check_match(passphrase) # Raise 'tuf.ssl_commons.exceptions.UnsupportedLibraryError' if the following libraries, specified - # in 'tuf.conf', are unsupported or unavailable: - # 'tuf.conf.GENERAL_CRYPTO_LIBRARY' and 'tuf.conf.RSA_CRYPTO_LIBRARY'. + # in 'settings', are unsupported or unavailable: + # 'settings.GENERAL_CRYPTO_LIBRARY' and 'settings.RSA_CRYPTO_LIBRARY'. check_crypto_libraries(['rsa', 'general']) encrypted_pem = None diff --git a/tuf/log.py b/tuf/log.py index 71336adb..a4fd35d2 100755 --- a/tuf/log.py +++ b/tuf/log.py @@ -69,7 +69,7 @@ import tuf import tuf.tufformats -import tuf.conf +from simple_settings import settings # Setting a handler's log level filters only logging messages of that level # (and above). For example, setting the built-in StreamHandler's log level to @@ -108,12 +108,12 @@ logger.setLevel(_DEFAULT_LOG_LEVEL) # Set the built-in file handler. Messages will be logged to -# 'tuf.conf.LOG_FILENAME', and only those messages with a log level of +# 'settings.LOG_FILENAME', and only those messages with a log level of # '_DEFAULT_LOG_LEVEL'. The log level of messages handled by 'file_handler' -# may be modified with 'set_filehandler_log_level()'. 'tuf.conf.LOG_FILENAME' +# may be modified with 'set_filehandler_log_level()'. 'settings.LOG_FILENAME' # will be opened in append mode. -if tuf.conf.ENABLE_FILE_LOGGING: - file_handler = logging.FileHandler(tuf.conf.LOG_FILENAME) +if settings.ENABLE_FILE_LOGGING: + file_handler = logging.FileHandler(settings.LOG_FILENAME) file_handler.setLevel(_DEFAULT_FILE_LOG_LEVEL) file_handler.setFormatter(formatter) logger.addHandler(file_handler) diff --git a/tuf/pyca_crypto_keys.py b/tuf/pyca_crypto_keys.py index 9c76e883..b9ae1327 100755 --- a/tuf/pyca_crypto_keys.py +++ b/tuf/pyca_crypto_keys.py @@ -132,8 +132,8 @@ import tuf.tufformats # Extract/reference the cryptography library settings. For example: -# 'tuf.conf.RSA_CRYPTO_LIBRARY' -import tuf.conf +# 'settings.RSA_CRYPTO_LIBRARY' +from simple_settings import settings # Import routine to process key files containing JSON data. import tuf.util @@ -160,7 +160,7 @@ # Default PBKDF2 passphrase iterations. The current "good enough" number # of passphrase iterations. We recommend that important keys, such as root, -# be kept offline. 'tuf.conf.PBKDF2_ITERATIONS' should increase as CPU +# be kept offline. 'settings.PBKDF2_ITERATIONS' should increase as CPU # speeds increase, set here at 100,000 iterations by default (in 2013). # Repository maintainers may opt to modify the default setting according to # their security needs and computational restrictions. A strong user password @@ -168,7 +168,7 @@ # derived key+PBDKF2 combination if the key is loaded and re-saved, overriding # any previous iteration setting used by the old '.key'. # https://en.wikipedia.org/wiki/PBKDF2 -_PBKDF2_ITERATIONS = tuf.conf.PBKDF2_ITERATIONS +_PBKDF2_ITERATIONS = settings.PBKDF2_ITERATIONS @@ -675,7 +675,7 @@ def encrypt_key(key_object, password): Based Key Derivation Function 1 (PBKDF1) + MD5 to strengthen 'password', encrypted TUF keys use AES-256-CTR-Mode and passwords strengthened with PBKDF2-HMAC-SHA256 (100K iterations by default, but may be overriden in - 'tuf.conf.PBKDF2_ITERATIONS' by the user). + 'settings.PBKDF2_ITERATIONS' by the user). http://en.wikipedia.org/wiki/Advanced_Encryption_Standard http://en.wikipedia.org/wiki/CTR_mode#Counter_.28CTR.29 @@ -735,7 +735,7 @@ def encrypt_key(key_object, password): # Derive a key (i.e., an appropriate encryption key and not the # user's password) from the given 'password'. Strengthen 'password' with # PBKDF2-HMAC-SHA256 (100K iterations by default, but may be overriden in - # 'tuf.conf.PBKDF2_ITERATIONS' by the user). + # 'settings.PBKDF2_ITERATIONS' by the user). salt, iterations, derived_key = _generate_derived_key(password) # Store the derived key info in a dictionary, the object expected @@ -764,7 +764,7 @@ def decrypt_key(encrypted_key, password): Encrypted TUF keys use AES-256-CTR-Mode and passwords strengthened with PBKDF2-HMAC-SHA256 (100K iterations be default, but may be overriden in - 'tuf.conf.py' by the user). + 'tuf.settings.py' by the user). http://en.wikipedia.org/wiki/Advanced_Encryption_Standard http://en.wikipedia.org/wiki/CTR_mode#Counter_.28CTR.29 diff --git a/tuf/pycrypto_keys.py b/tuf/pycrypto_keys.py index fed5bf78..0d893a27 100755 --- a/tuf/pycrypto_keys.py +++ b/tuf/pycrypto_keys.py @@ -114,7 +114,7 @@ import tuf.tufformats # Extract the cryptography library settings. -import tuf.conf +from simple_settings import settings # Import key files containing json data. import tuf.util @@ -141,7 +141,7 @@ # Default PBKDF2 passphrase iterations. The current "good enough" number # of passphrase iterations. We recommend that important keys, such as root, -# be kept offline. 'tuf.conf.PBKDF2_ITERATIONS' should increase as CPU +# be kept offline. 'settings.PBKDF2_ITERATIONS' should increase as CPU # speeds increase, set here at 100,000 iterations by default (in 2013). # Repository maintainers may opt to modify the default setting according to # their security needs and computational restrictions. A strong user password @@ -149,7 +149,7 @@ # derived key+PBDKF2 combination if the key is loaded and re-saved, overriding # any previous iteration setting used by the old '.key'. # https://en.wikipedia.org/wiki/PBKDF2 -_PBKDF2_ITERATIONS = tuf.conf.PBKDF2_ITERATIONS +_PBKDF2_ITERATIONS = settings.PBKDF2_ITERATIONS def generate_rsa_public_and_private(bits=_DEFAULT_RSA_KEY_BITS): @@ -614,7 +614,7 @@ def encrypt_key(key_object, password): Based Key Derivation Function 1 (PBKDF1) + MD5 to strengthen 'password', encrypted TUF keys use AES-256-CTR-Mode and passwords strengthened with PBKDF2-HMAC-SHA256 (100K iterations by default, but may be overriden in - 'tuf.conf.PBKDF2_ITERATIONS' by the user). + 'settings.PBKDF2_ITERATIONS' by the user). http://en.wikipedia.org/wiki/Advanced_Encryption_Standard http://en.wikipedia.org/wiki/CTR_mode#Counter_.28CTR.29 @@ -673,7 +673,7 @@ def encrypt_key(key_object, password): # Derive a key (i.e., an appropriate encryption key and not the # user's password) from the given 'password'. Strengthen 'password' with # PBKDF2-HMAC-SHA256 (100K iterations by default, but may be overriden in - # 'tuf.conf.PBKDF2_ITERATIONS' by the user). + # 'settings.PBKDF2_ITERATIONS' by the user). salt, iterations, derived_key = _generate_derived_key(password) # Store the derived key info in a dictionary, the object expected @@ -702,7 +702,7 @@ def decrypt_key(encrypted_key, password): Encrypted TUF keys use AES-256-CTR-Mode and passwords strengthened with PBKDF2-HMAC-SHA256 (100K iterations be default, but may be overriden in - 'tuf.conf.py' by the user). + 'tuf.settings.py' by the user). http://en.wikipedia.org/wiki/Advanced_Encryption_Standard http://en.wikipedia.org/wiki/CTR_mode#Counter_.28CTR.29 diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py index 3ebf6e90..9f00ce55 100755 --- a/tuf/repository_lib.py +++ b/tuf/repository_lib.py @@ -50,7 +50,7 @@ import tuf.keys import tuf.sig import tuf.log -import tuf.conf +from simple_settings import settings import iso8601 import six @@ -829,7 +829,7 @@ def generate_and_write_rsa_keypair(filepath, bits=DEFAULT_RSA_KEY_BITS, as the pass phrase), and store it in 'filepath'. The public key portion of the generated RSA key is stored in <'filepath'>.pub. Which cryptography library performs the cryptographic decryption is determined by the string - set in 'tuf.conf.RSA_CRYPTO_LIBRARY'. PyCrypto currently supported. The + set in 'settings.RSA_CRYPTO_LIBRARY'. PyCrypto currently supported. The PEM private key is encrypted with 3DES and CBC the mode of operation. The password is strengthened with PBKDF1-MD5. @@ -909,7 +909,7 @@ def import_rsa_privatekey_from_file(filepath, password=None): object in 'tuf.ssl_crypto.formats.RSAKEY_SCHEMA' format. Which cryptography library performs the cryptographic decryption is - determined by the string set in 'tuf.conf.RSA_CRYPTO_LIBRARY'. PyCrypto + determined by the string set in 'settings.RSA_CRYPTO_LIBRARY'. PyCrypto currently supported. The PEM private key is encrypted with 3DES and CBC the mode of operation. @@ -975,7 +975,7 @@ def import_rsa_publickey_from_file(filepath): contains a private key, it is discarded. Which cryptography library performs the cryptographic decryption is - determined by the string set in 'tuf.conf.RSA_CRYPTO_LIBRARY'. PyCrypto + determined by the string set in 'settings.RSA_CRYPTO_LIBRARY'. PyCrypto currently supported. If the RSA PEM in 'filepath' contains a private key, it is discarded. @@ -1027,7 +1027,7 @@ def generate_and_write_ed25519_keypair(filepath, password=None): as the pass phrase), and store it in 'filepath'. The public key portion of the generated ED25519 key is stored in <'filepath'>.pub. Which cryptography library performs the cryptographic decryption is determined by the string - set in 'tuf.conf.ED25519_CRYPTO_LIBRARY'. + set in 'settings.ED25519_CRYPTO_LIBRARY'. PyCrypto currently supported. The Ed25519 private key is encrypted with AES-256 and CTR the mode of operation. The password is strengthened with @@ -1049,7 +1049,7 @@ def generate_and_write_ed25519_keypair(filepath, password=None): tuf.ssl_commons.exceptions.CryptoError, if 'filepath' cannot be encrypted. tuf.ssl_commons.exceptions.UnsupportedLibraryError, if 'filepath' cannot be encrypted due to an - invalid configuration setting (i.e., invalid 'tuf.conf.py' setting). + invalid configuration setting (i.e., invalid 'tuf.settings.py' setting). Writes key files to '' and '.pub'. @@ -1074,7 +1074,7 @@ def generate_and_write_ed25519_keypair(filepath, password=None): # Generate a new ED25519 key object and encrypt it. The cryptography library # used is determined by the user, or by default (set in - # 'tuf.conf.ED25519_CRYPTO_LIBRARY'). Raise 'tuf.ssl_commons.exceptions.CryptoError' or + # 'settings.ED25519_CRYPTO_LIBRARY'). Raise 'tuf.ssl_commons.exceptions.CryptoError' or # 'tuf.ssl_commons.exceptions.UnsupportedLibraryError', if 'ed25519_key' cannot be encrypted. ed25519_key = tuf.keys.generate_ed25519_key() encrypted_key = tuf.keys.encrypt_key(ed25519_key, password) @@ -1164,7 +1164,7 @@ def import_ed25519_privatekey_from_file(filepath, password=None): return the key object in 'tuf.ssl_crypto.formats.ED25519KEY_SCHEMA' format. Which cryptography library performs the cryptographic decryption is - determined by the string set in 'tuf.conf.ED25519_CRYPTO_LIBRARY'. PyCrypto + determined by the string set in 'settings.ED25519_CRYPTO_LIBRARY'. PyCrypto currently supported. The TUF private key (may also contain the public part) is encrypted with AES @@ -1187,7 +1187,7 @@ def import_ed25519_privatekey_from_file(filepath, password=None): tuf.ssl_commons.exceptions.CryptoError, if 'filepath' cannot be decrypted. tuf.ssl_commons.exceptions.UnsupportedLibraryError, if 'filepath' cannot be decrypted due to an - invalid configuration setting (i.e., invalid 'tuf.conf.py' setting). + invalid configuration setting (i.e., invalid 'tuf.settings.py' setting). 'password' is used to decrypt the 'filepath' key file. @@ -1349,7 +1349,7 @@ def get_metadata_fileinfo(filename, custom=None): # file information, such as the file's author, version/revision # numbers, etc. filesize, filehashes = \ - tuf.util.get_file_details(filename, tuf.conf.REPOSITORY_HASH_ALGORITHMS) + tuf.util.get_file_details(filename, settings.REPOSITORY_HASH_ALGORITHMS) return tuf.tufformats.make_fileinfo(filesize, filehashes, custom=custom) @@ -2038,12 +2038,12 @@ def write_metadata_file(metadata, filename, version_number, # We provide the option of either (1) creating a link via os.link() to the # consistent file or (2) creating a copy of the consistent file and saving # to its expected filename (e.g., root.json). The option of either - # creating a copy or link should be configurable in tuf.conf.py. - if (tuf.conf.CONSISTENT_METHOD == 'copy'): + # creating a copy or link should be configurable in tuf.settings.py. + if (settings.CONSISTENT_METHOD == 'copy'): logger.debug('Pointing ' + repr(filename) + ' to the consistent snapshot.') shutil.copyfile(written_consistent_filename, written_filename) - elif (tuf.conf.CONSISTENT_METHOD == 'hard_link'): + elif (settings.CONSISTENT_METHOD == 'hard_link'): logger.info('Hard linking ' + repr(written_consistent_filename)) # 'written_filename' must not exist, otherwise os.link() complains. @@ -2057,7 +2057,7 @@ def write_metadata_file(metadata, filename, version_number, else: raise tuf.ssl_commons.exceptions.InvalidConfigurationError('The consistent method specified' - ' in tuf.conf.py is not supported, try either "copy" or "hard_link"') + ' in tuf.settings.py is not supported, try either "copy" or "hard_link"') else: logger.debug('Not creating a consistent snapshot for ' + repr(written_filename)) diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py index 90c099af..9900f579 100755 --- a/tuf/repository_tool.py +++ b/tuf/repository_tool.py @@ -46,8 +46,8 @@ import tuf.keys import tuf.sig import tuf.log -import tuf.conf import tuf.repository_lib as repo_lib +from simple_settings import settings from tuf.repository_lib import generate_and_write_rsa_keypair from tuf.repository_lib import generate_and_write_ed25519_keypair from tuf.repository_lib import import_rsa_publickey_from_file diff --git a/tuf/scripts/basic_client.py b/tuf/scripts/basic_client.py index 1f5a6c67..55a4758f 100755 --- a/tuf/scripts/basic_client.py +++ b/tuf/scripts/basic_client.py @@ -105,7 +105,7 @@ def update_client(repository_mirror): raise tuf.ssl_commons.exceptions.RepositoryError(message) # Set the local repository directory containing all of the metadata files. - tuf.conf.repository_directory = '.' + settings.repository_directory = '.' # Set the repository mirrors. This dictionary is needed by the Updater # class of updater.py. diff --git a/tuf/scripts/tufcli.py b/tuf/scripts/tufcli.py index 4ac65dc9..6fd98e3e 100755 --- a/tuf/scripts/tufcli.py +++ b/tuf/scripts/tufcli.py @@ -107,7 +107,7 @@ def update_repository(repository_path, command, command_arguments): tuf.tufformats.COMMAND_SCHEMA.check_match(command_arguments) # Set the local repository directory containing all of the metadata files. - tuf.conf.repository_directory = repository_path + settings.repository_directory = repository_path if command == 'init': repository = create_new_repository(repository_path) diff --git a/tuf/conf.py b/tuf/settings.py similarity index 98% rename from tuf/conf.py rename to tuf/settings.py index d13aa135..21d2747f 100755 --- a/tuf/conf.py +++ b/tuf/settings.py @@ -1,6 +1,6 @@ """ - conf.py + settings.py Vladimir Diaz @@ -88,7 +88,7 @@ # The current "good enough" number of PBKDF2 passphrase iterations. # We recommend that important keys, such as root, be kept offline. -# 'tuf.conf.PBKDF2_ITERATIONS' should increase as CPU speeds increase, set here +# 'settings.PBKDF2_ITERATIONS' should increase as CPU speeds increase, set here # at 100,000 iterations by default (in 2013). The repository maintainer may opt # to modify the default setting according to their security needs and # computational restrictions. A strong user password is still important. diff --git a/tuf/util.py b/tuf/util.py index 0acc49b5..4d3969af 100755 --- a/tuf/util.py +++ b/tuf/util.py @@ -36,7 +36,7 @@ import tuf import tuf.ssl_crypto.hash -import tuf.conf +from simple_settings import settings import tuf.tufformats import six @@ -91,7 +91,7 @@ def __init__(self, prefix='tuf_temp_'): # If compression is set then the original file is saved in 'self._orig_file'. self._orig_file = None - temp_dir = tuf.conf.temporary_directory + temp_dir = settings.temporary_directory if temp_dir is not None and tuf.ssl_crypto.formats.PATH_SCHEMA.matches(temp_dir): try: self.temporary_file = tempfile.NamedTemporaryFile(prefix=prefix,