Make bootstrap required and explicit: callers must pass bootstrap=<root_bytes> or bootstrap=None.
Also tighten docs, examples, and tests to reflect the explicit trust anchor choice.
Signed-off-by: 1seal <security@1seal.org>
When an application initializes an Updater with bootstrap, it should be
considered the trusted version from that point onwards: update the
symlink "root.json" already here (even if refresh is never called).
n that Updater instance).
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Even if the last root version from remote is not accepted (leading to an
exception in load_root()), we should update the symlink "root.json" in the
local cache to point to the last good version.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
An application may have a "more secure" data store than the metadata cache:
allow the application to bootstrap the Updater with this more secure
root. This means the Updater must also cache the subsequent root versions
(and not just the last one).
* Store versioned root metadata in the local cache
* Maintain a non-versioned symlink to the last known good root
* When loading root metadata, look in the local cache too
* Add a 'bootstrap' argument to Updater: this allows
initializing the Updater with known good root metadata
instead of trusting the root.json in the cache
Additional changes to current functionality:
* When using the bootstrap argument, the initial root is written to the cache.
This write happens every time the Updater is initialized with bootstrap
* The "root.json" symlink is recreated at the end of every refresh()
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
urllib3 does not handle this, but we do want to support proxy users.
The environment variable handling is slightly simplified from the
requests implementation.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
RequestsFetcher should still be public (even if deprecated).
* We don't want to import RequestsFetcher in __init__
(because that requires importing requests)
* but we do want RequestsFetcher to be importable publicly
Move both fetchers out of _internal: that was never the right place for
them anyway; they are public modules.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This also removes RequestsFetcher from tuf.ngclient.__init__.py:
Otherwise we can't drop the requests dependency.
This means RequestsFetcher is not currently public.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This allows using some nicer annotations from 3.10
while still being compatible with Python 3.8.
These are all annotation changes and should not modify any functionality.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
This configuration variable controls how many root versions
the client will upgrade in a single refresh(). The idea is to prevent
a malicious repository from filling the disk with root versions.
We want a number that is high enough that a repository should not have
made that many roots in the time that clients take to update the "embedded"
root that the client shipped with.
32 is small enough that a repository could reach it while clients with
v1 embedded in them are still in use. Let's bump to 256: this should be
plenty.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
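The three root-cache commits above (versioned root files, a "root.json" symlink to the last known good root, a bootstrap root written on every initialization and the symlink updated even when a later root is rejected) and the max_root_rotations commit describe one mechanism. The following is an added, self-contained illustration of that mechanism; it is not python-tuf code. It replaces TUF signature verification with a toy rule (`_toy_accept`: the candidate must be the next version and be "signed" by a key the previous root lists), uses an in-memory dict as the "remote" repository, and names (`refresh_root`, `RootRejected`, `demo`) are all assumptions made for the example.

```python
import json
import os
import tempfile
from typing import Dict, List, Optional


class RootRejected(Exception):
    """Raised when a candidate root fails the (toy) verification."""


def _root_path(cache_dir: str, version: int) -> str:
    return os.path.join(cache_dir, f"{version}.root.json")


def _persist_root(cache_dir: str, version: int, data: bytes) -> None:
    # Versioned file: older versions stay, so a bootstrap root that is
    # behind the repository still has a verifiable chain in the cache.
    with open(_root_path(cache_dir, version), "wb") as f:
        f.write(data)


def _update_root_symlink(cache_dir: str, version: int) -> None:
    # Atomically repoint the non-versioned "root.json" at the last known good root.
    link = os.path.join(cache_dir, "root.json")
    tmp = link + ".tmp"
    if os.path.lexists(tmp):
        os.remove(tmp)
    os.symlink(f"{version}.root.json", tmp)  # relative target keeps the cache relocatable
    os.replace(tmp, link)


def _toy_accept(prev: dict, new: dict) -> bool:
    # Stand-in for TUF root verification (assumption, deliberately simplified:
    # real TUF needs a threshold of signatures from BOTH the old and the new root).
    return new["version"] == prev["version"] + 1 and new["signed_by"] in prev["keys"]


def refresh_root(cache_dir: str, remote: Dict[int, bytes],
                 bootstrap: Optional[bytes], max_root_rotations: int = 256) -> int:
    """Update the trusted root from the cache and the constructed 'remote'.

    Returns the trusted root version. Raises RootRejected when a candidate fails,
    but only after the symlink has been pointed at the last accepted version.
    """
    if bootstrap is not None:
        # The application's trust anchor wins over the cache and is written every time.
        trusted = json.loads(bootstrap)
        _persist_root(cache_dir, trusted["version"], bootstrap)
        _update_root_symlink(cache_dir, trusted["version"])
    else:
        with open(os.path.join(cache_dir, "root.json"), "rb") as f:
            trusted = json.load(f)

    lower = trusted["version"] + 1
    upper = lower + max_root_rotations  # bounds how many roots one refresh can store
    try:
        for version in range(lower, upper):
            local = _root_path(cache_dir, version)
            if os.path.exists(local):  # look in the local cache first
                with open(local, "rb") as f:
                    data = f.read()
            elif version in remote:
                data = remote[version]
            else:
                break  # repository has no newer root: done
            candidate = json.loads(data)
            if not _toy_accept(trusted, candidate):
                raise RootRejected(f"root v{version} failed verification")
            _persist_root(cache_dir, version, data)  # cache only after acceptance
            trusted = candidate
    finally:
        # Runs on success and on rejection alike: root.json tracks the last good root.
        _update_root_symlink(cache_dir, trusted["version"])
    return trusted["version"]


def _root(version: int, signed_by: str, keys: List[str]) -> bytes:
    # Constructed toy root document for the example.
    return json.dumps({"version": version, "signed_by": signed_by, "keys": keys}).encode()


def demo() -> dict:
    """Run the constructed scenario; returns the observable outcomes."""
    v1 = _root(1, "k1", ["k1"])
    remote = {
        2: _root(2, "k1", ["k2"]),  # key rotation signed by the old key: accepted
        3: _root(3, "k2", ["k3"]),  # accepted
        4: _root(4, "kX", ["kX"]),  # signed by an unknown key: rejected
    }
    with tempfile.TemporaryDirectory() as cache_dir:
        rejected = False
        try:
            refresh_root(cache_dir, remote, bootstrap=v1)
        except RootRejected:
            rejected = True
        link_after_reject = os.readlink(os.path.join(cache_dir, "root.json"))
        cached = sorted(p for p in os.listdir(cache_dir) if p[0].isdigit())
    with tempfile.TemporaryDirectory() as fresh:
        # A rotation budget of 1 stops after v2 without any error.
        reached = refresh_root(fresh, remote, bootstrap=v1, max_root_rotations=1)
    return {"rejected": rejected, "link_after_reject": link_after_reject,
            "cached": cached, "reached_with_budget_1": reached}


if __name__ == "__main__":
    print(demo())
```

On the first run the bootstrap root v1 is written, v2 and v3 are accepted and cached, v4 is rejected, and "root.json" ends up pointing at 3.root.json rather than at the bootstrap root; a second run without bootstrap would start from v3 and find v2 and v3 already in the cache. The rotation budget is the disk-fill guard from the last commit: it caps how many versioned root files a single refresh() can add, regardless of how many roots the repository offers.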
I'm not sure I agree with not using the parens in
raise SomeError
but being consistent is definitely better than not being consistent.
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* API changes covered:
* keys and interface modules removed
* SSlibSigner removed
* CryptoSigner added: this replaces the removed functionality
* DSSE "signatures" container type changed
* Currently pins a securesystemslib main branch commit:
this should be reverted before merging, when securesystemslib
has made a release
* tests/generated_data/generate_md.py was simplified
* Encrypted test keys in tests/repository_data/keystore were replaced
with the unencrypted PEM versions of the same keys
* The public test keys in tests/repository_data/keystore were removed
as they were not used anymore
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
* The application user-agent can be set with the UpdaterConfig object
* The setting affects the default fetcher only
* The application user-agent is prefixed to the ngclient
default user-agent
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
Minor fixes were needed, the only possibly interesting one is
the one in RequestsFetcher (use "yield from").
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
In RequestsFetcher it makes sense to raise "from e" but in
updater the error we raise is not related to the original
error: use "from None".
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
The internal wrapping interface to handle deserialization and
verification of traditional metadata vs. simple envelopes inside the
trusted metadata set might be a more complicated solution than
necessary.
This removes the interface and instead adds the methods of the interface
implementations as helpers to the trusted metadata set, and updates it
to call one or the other function based on the envelope type
configuration flag.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The flag allows adding other envelope types in the future (unlikely),
or parallel support (`METADATA & SIMPLE`) without breaking the API.
Internally, the flag is now just passed on to TrustedMetadataSet as
mandatory parameter. (Optional parameters make less sense when we
control all the invocations.)
This change requires updating all invocations of TrustedMetadataSet,
including the duplication of a test function.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>