secure-systems-lab/securesystemslib#288 changes the key generation
interface functions in such a way that it is clear if a call opens
a blocking prompt, or writes the key unencrypted. To do this two
functions are added per key type:
- `generate_and_write_*_keypair_with_prompt`
- `generate_and_write_unencrypted_*_keypair`
The default `generate_and_write_*_keypair` function now only allows
encrypted keys and only using a passed password. This respects the
principle of secure defaults and least surprise.
sslib#288 furthermore adds a protected
`_generate_and_write_*_keypair`, which is not exposed publicly
because it does not encrypt by default, but is more flexible and
thus convenient e.g. to consume all arguments from a key generation
command line tool such as 'repo.py'.
This commit adds the new public functions to the tuf namespace and
adopts their usage accordingly.
NOTE regarding repo.py:
This commit does not fix any problematic password behavior of
'repo.py' like default passwords, etc. (see #881). It only adopts
the sslib#288 changes to maintain the current behvior, plus
removing one glaringly obsolete password prompt.
NOTE regarding key import:
The securesystemslib private key import functions were also changed
to no longer auto-prompt for decryption passwords , TUF, however,
only exposes custom wrappers (see repository_lib) that do
auto-prompt. sslib#288 changes to the prompt texts are nevertheless
propagated to tuf and reflected in this commit.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Except the UnsignedMetadataError generated by
check_signable_object_format() and log a warning.
When creating metadata objects on the repository side of TUF,
a use case may exist where metadata is generated unsigned on
one machine and signed on another.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
If we run the tuf unit tests with latest, not yet released,
securesyslib changes we will see that one unit test is failing
because the file_prefix argument should confront the PATH_SCHEMA
(which requires a non-empty string) but an empty string value
is passed to it.
That happens, because in tuf/developer_tool.py create_new_project
function the "location_in_repository" arg has a default value of ''
and if not changed when creating a new object of type Project
on line 650 will cause an exception in the __init__ function
because of the file_prefix argument.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Corresponding to the securesyslib changes made in this pr:
https://github.com/secure-systems-lab/securesystemslib/pull/244
which changed the securesyslib.formats.PATH schema to be of type
AnyNonemptystring.
This made the tuf unit tests to fail because there are to places
where functional arguments should comply with the
securesyslib.formats.PATH schema, but have a default value of
an empty string.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Switch to using the new abstract files and directories support in
securesystemslib by taking an object which implements
securesystemslib.storage.StorageBackendInterface in the Repository
constructor, passed in by tuf.repository_tool.create_new_repository() and
tuf.repository_tool.load_repository()
The Updater class in tuf.client.updater does not specify a storage backend
and instead allows the functions in securesystemslib to perform the
default action of instantiating a LocalFilesystemBackend, that is the
updater does not currently support abstract filesystem backends and always
defaults to using local storage.
Finally we drop support for tuf.settings.CONSISTENT_METHOD as it's not as
clear how different copying modes should work when the details of the
underlying storage are abstracted away.
Signed-off-by: Joshua Lock <jlock@vmware.com>
Replace hard-coded logger names with __name__. For the most part this just uses
the standard conventions to create the same logger hierarchy as existed before.
The only real difference is that loggers created for printing during tests are
no longer part of the 'tuf' hierarchy.
Signed-off-by: Joshua Lock <jlock@vmware.com>
Import some API functions from repository_lib and securesystemslib
directly into repository_tool and developer_tool, instead of
providing them via wrapper.
Also short-circuit some functions that used to point to
securesystemslib through repository_lib.
This reverts parts of 6f7ba76b9b,
which introduced some of the wrappers to appease the linter.
Here we just disable that specific linter check (unused-import).
The advantage of importing over wrapping is:
- no duplication of hardcoded defaults for keyword arguments
- no duplication of docstrings
- less code --> easier maintenance
This should also pave the way for more serious refactoring
of the repository- and developer-tools:
https://github.com/theupdateframework/tuf/issues/840
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
TUF specific schemas have moved to tuf.formats, ensure they are used
throughout and remove stray references to no longer supported schemas
in securesystemslib.format
Signed-off-by: Joshua Lock <jlock@vmware.com>
Removal of securesystemslib exceptions that are TUF-specific
occurs in securesystemslib PR #165https://github.com/secure-systems-lab/securesystemslib/pull/165
This commit adapts to those changes. Exceptions that are specific
to TUF should be in TUF and not in securesystemslib. This commit
uses those already-existing TUF exceptions instead of pointing to
securesystemslib exceptions that will be removed.
For example, securesystemslib has no notion of repositories, so
it's ridiculous to have a RepositoryError in securesystemslib and
ridiculous for TUF to use
securesystemslib.exceptions.RepositoryError.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
Python3 does not support exception subscripting:
e.g. except ... as e:
e[1] # does not work in Python3
This line of code was presumably not covered by testing,
allowing it to persist.
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
These changes simplify logic, removing some try/except structures
that were unnecessary and potentially confusing, and get us back
to passing pylint's test.
pylint 2.0.0 adds try-except-raise tests, to catch immediate
re-raising after catching an exception, outside of some special
cases. See this GitHub comment for more info:
https://github.com/theupdateframework/tuf/pull/770#issuecomment-412993992
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
After seeing the coveralls report I realized the projects were not
relocatable. While this might be convenient for some uses, moving a
project from one place to another might not be optimal. This has been
changed now.
The only place where absolute filepaths are handled now is with flat
project layouts. However, it is possible to overwrite this filepath if
the targets folder is to be changed.
As of the current version, some functions that were provided by the
repository_tool have been moved to the repository_lib module. This
commit fixes those conflicts
Metadata and targets directory names were redeclared in a local
variable. They are now imported from the repository_tool.
I also removed an unnecessary declaration for the targets.json file
expiration since it didn't have anything to do with the developer tools
There is a new entry in tuf.formats.py that represents the layout of the
project.cfg file. This new schema will be used to check for sanity upon
loading the .cfg file in the load_project function
The public key for the whole project used to be stored in a non-standard
way (this means, not as a keydict schema). I migrated the data structure
to a valid keydict schema with the aim of improving code-consistency in
the developer tools.
This will also make schema checks easier
To avoid conflicts in the load_project function, we clear the roledb and
the keydb modules. This ensures that there are no repeated entries from
previous runs.
Project name is now an argument of the project constructor and the
create_new project function.
The project_name field defines the rolename to add to the roledb, the
filename to create and adds a new field to the project.cfg file.
