From f05fdd9c054ff72d720b7a8f2fdd89d298aad162 Mon Sep 17 00:00:00 2001 From: Vladimir Diaz Date: Thu, 4 Aug 2016 15:37:49 -0400 Subject: [PATCH] Fix remaining test failures --- tests/test_repository_tool.py | 6 ++-- tests/test_updater.py | 5 ++-- tuf/client/updater.py | 7 +++-- tuf/repository_tool.py | 52 +++++++++++++++-------------------- 4 files changed, 33 insertions(+), 37 deletions(-) diff --git a/tests/test_repository_tool.py b/tests/test_repository_tool.py index 28d093c5..59c50dde 100755 --- a/tests/test_repository_tool.py +++ b/tests/test_repository_tool.py @@ -1087,7 +1087,7 @@ def test_delegate(self): rolename = 'tuf' list_of_targets = [target1_filepath, target2_filepath] threshold = 1 - restricted_paths = [self.targets_directory] + restricted_paths = [self.targets_directory + '/*'] path_hash_prefixes = ['e3a3', '8fae', 'd543'] self.targets_object.delegate(rolename, public_keys, list_of_targets, @@ -1334,7 +1334,7 @@ def test_add_restricted_paths(self): restricted_path = os.path.join(self.targets_directory, 'tuf_files') os.mkdir(restricted_path) - restricted_paths = [restricted_path] + restricted_paths = [restricted_path + '/*'] self.targets_object.add_restricted_paths(restricted_paths, 'tuf') # Retrieve 'targets_object' roleinfo, and verify the roleinfo contains @@ -1344,7 +1344,7 @@ def test_add_restricted_paths(self): targets_object_roleinfo = tuf.roledb.get_roleinfo(self.targets_object.rolename) delegated_role = targets_object_roleinfo['delegations']['roles'][0] - self.assertEqual(['/tuf_files/'], delegated_role['paths']) + self.assertEqual(['/tuf_files/*'], delegated_role['paths']) # Test improperly formatted arguments. diff --git a/tests/test_updater.py b/tests/test_updater.py index 3dc9d601..bdbae451 100755 --- a/tests/test_updater.py +++ b/tests/test_updater.py @@ -969,7 +969,7 @@ def test_6_target(self): # the metadata store) so that it can be found later. filepath, fileinfo = target_files.popitem() target_files[filepath] = fileinfo - + target_fileinfo = self.repository_updater.target(filepath) self.assertTrue(tuf.formats.TARGETFILE_SCHEMA.matches(target_fileinfo)) self.assertEqual(target_fileinfo['filepath'], filepath) @@ -982,7 +982,7 @@ def test_6_target(self): # Test updater.target() backtracking behavior (enabled by default.) targets_directory = os.path.join(self.repository_directory, 'targets') foo_directory = os.path.join(targets_directory, 'foo') - foo_pattern = os.path.join(targets_directory, 'foo*.tar.gz') + foo_pattern = os.path.join(foo_directory, 'foo*.tar.gz') os.makedirs(foo_directory) foo_package = os.path.join(foo_directory, 'foo1.1.tar.gz') @@ -998,6 +998,7 @@ def test_6_target(self): repository.targets.delegate('role3', [self.role_keys['targets']['public']], [foo_package], restricted_paths=[foo_pattern]) + repository.targets.load_signing_key(self.role_keys['targets']['private']) repository.targets('role2').load_signing_key(self.role_keys['targets']['private']) repository.targets('role3').load_signing_key(self.role_keys['targets']['private']) diff --git a/tuf/client/updater.py b/tuf/client/updater.py index 29e01d22..6f0e7ce7 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py @@ -2599,9 +2599,8 @@ def target(self, target_filepath): # Raise an exception if the target information could not be retrieved. if target is None: - message = target_filepath + ' not found.' logger.error(target_filepath + ' not found.') - raise tuf.UnknownTargetError(message) + raise tuf.UnknownTargetError(target_filepath + ' not found.') # Otherwise, return the found target. else: @@ -2843,6 +2842,10 @@ def _visit_child_role(self, child_role, target_filepath, parent_delegations): if fnmatch.fnmatch(target_filepath, child_role_path): child_role_is_relevant = True + else: + logger.debug('Target path' + repr(target_filepath) + ' does not' + ' match child role path ' + repr(child_role_path)) + else: # 'role_name' should have been validated when it was downloaded. # The 'paths' or 'path_hash_prefixes' fields should not be missing, diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py index 2848d6a0..b8587d59 100755 --- a/tuf/repository_tool.py +++ b/tuf/repository_tool.py @@ -1728,22 +1728,22 @@ def target_files(self): - def add_restricted_paths(self, list_of_directory_paths, child_rolename): + def add_restricted_paths(self, restricted_paths, child_rolename): """ - Add 'list_of_directory_paths' to the restricted paths of 'child_rolename'. + Add 'restricted_paths' to the restricted paths of 'child_rolename'. The updater client verifies the target paths specified by child roles, and searches for targets by visiting these restricted paths. A child role may only provide targets specifically listed in the delegations field of the - parent, or a target that falls under a restricted path. + parent, or a target that matches a restricted path. >>> >>> >>> - list_of_directory_paths: - A list of directory paths 'child_rolename' should also be restricted to. + restricted_paths: + A list of paths that 'child_rolename' should be restricted to. child_rolename: The child delegation that requires an update to its restricted paths, @@ -1751,8 +1751,8 @@ def add_restricted_paths(self, list_of_directory_paths, child_rolename): 'unclaimed'). - tuf.Error, if a directory path in 'list_of_directory_paths' is not a - directory, or not under the repository's targets directory. If + tuf.Error, if a restricted path in 'restricted_paths' is not a string + path, doesn't live under the repository's targets directory, or if 'child_rolename' has not been delegated yet. @@ -1766,46 +1766,40 @@ def add_restricted_paths(self, list_of_directory_paths, child_rolename): # Ensure the arguments have the appropriate number of objects and object # types, and that all dict keys are properly named. # Raise 'tuf.FormatError' if there is a mismatch. - tuf.formats.PATHS_SCHEMA.check_match(list_of_directory_paths) + tuf.formats.PATHS_SCHEMA.check_match(restricted_paths) tuf.formats.ROLENAME_SCHEMA.check_match(child_rolename) - # A list of verified paths to be added to the child role's entry in the - # parent's delegations. - directory_paths = [] + # A list of relative and verified paths to be added to the child role's + # entry in the parent's delegations. + relative_paths = [] # Ensure the 'child_rolename' has been delegated, otherwise it will not # have an entry in the parent role's delegations field. if not tuf.roledb.role_exists(child_rolename): raise tuf.Error(repr(child_rolename) + ' has not been delegated.') - # Are the paths in 'list_of_directory_paths' valid? - for directory_path in list_of_directory_paths: - directory_path = os.path.abspath(directory_path) - if not os.path.isdir(directory_path): - raise tuf.Error(repr(directory_path) + ' is not a directory.') - - # Are the paths in the repository's targets directory? Append a trailing - # path separator with os.path.join(path, ''). + for restricted_path in restricted_paths: + # Do the restricted paths fall under the repository's targets directory? + # Append a trailing path separator with os.path.join(path, ''). targets_directory = os.path.join(self._targets_directory, '') - directory_path = os.path.join(directory_path, '') - if not directory_path.startswith(targets_directory): - raise tuf.Error(repr(directory_path) + ' is not under the' + if not restricted_path.startswith(targets_directory): + raise tuf.Error(repr(restricted_path) + ' does not live under the' ' Repository\'s targets directory: ' + repr(self._targets_directory)) - directory_paths.append(directory_path[len(self._targets_directory):]) + relative_paths.append(restricted_path[len(self._targets_directory):]) # Get the current role's roleinfo, so that its delegations field can be # updated. roleinfo = tuf.roledb.get_roleinfo(self._rolename) - # Update the restricted paths of 'child_rolename'. + # Update the restricted paths of 'child_rolename' to add relative paths. for role in roleinfo['delegations']['roles']: if role['name'] == child_rolename: restricted_paths = role['paths'] - for directory_path in directory_paths: - if directory_path not in restricted_paths: - restricted_paths.append(directory_path) + for relative_path in relative_paths: + if relative_path not in restricted_paths: + restricted_paths.append(relative_path) tuf.roledb.update_roleinfo(self._rolename, roleinfo) @@ -2178,7 +2172,7 @@ def delegate(self, rolename, public_keys, list_of_targets, threshold=1, for target in list_of_targets: target = os.path.abspath(target) - if not target.startswith(self._targets_directory+os.sep): + if not target.startswith(self._targets_directory + os.sep): raise tuf.Error(repr(target) + ' is not under the Repository\'s' ' targets directory: ' + repr(self._targets_directory)) @@ -2190,13 +2184,11 @@ def delegate(self, rolename, public_keys, list_of_targets, threshold=1, if restricted_paths is not None: for path in restricted_paths: - path = os.path.abspath(path) + os.sep if not path.startswith(self._targets_directory + os.sep): raise tuf.Error(repr(path) + ' is not under the Repository\'s' ' targets directory: ' +repr(self._targets_directory)) # Append a trailing path separator with os.path.join(path, ''). - path = os.path.join(path, '') relative_restricted_paths.append(path[targets_directory_length:]) # Create a new Targets object for the 'rolename' delegation. An initial