Commit graph

3751 commits

Author SHA1 Message Date
Martin Vrachev
060d41e114 Test way to disable hash prefixes when download
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-08-18 17:52:17 +03:00
Martin Vrachev
dc1168d0cb Way to disable hash prefix for consistent_snapshot
Currently, if the repository is consistent_snapshot,
Updater will prefix the target filename with the hash
when constructing the download URL.
For some adopters of TUF (like Warehouse) this is not wanted
(warehouse target file paths are "consistent",
even if the filenames are not).

For example, Warehouse doesn't follow what tuf
(the reference implementation and specification) advice for naming
consistent filenames, which is to prefix the filename with the hash
of the files contents.
However, the target filenames it does use are consistent,
only the hash is part of the target's file path
not the target's file name.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-08-17 19:07:19 +03:00
Joshua Lock
85770390e8
Merge pull request #1096 from jku/test-perf-and-reliability-fixes
Test performance and reliability fixes
2020-08-17 11:55:23 +01:00
Joshua Lock
6c8235b9da
Merge pull request #1107 from theupdateframework/dependabot/pip/securesystemslib-colorscryptopynacl--0.16.0
build(deps): bump securesystemslib[colors,crypto,pynacl] from 0.15.0 to 0.16.0
2020-08-17 11:51:58 +01:00
dependabot-preview[bot]
358a40b8e7
build(deps): bump securesystemslib[colors,crypto,pynacl]
Bumps [securesystemslib[colors,crypto,pynacl]](https://github.com/secure-systems-lab/securesystemslib) from 0.15.0 to 0.16.0.
- [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases)
- [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/master/CHANGELOG.md)
- [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v0.15.0...v0.16.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-08-12 10:24:52 +00:00
Jussi Kukkonen
b6661e024a tests: Remove unused imports
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-10 16:11:33 +03:00
Jussi Kukkonen
c7425bec13 test_proxy_use: Error out early if using Python3
proxy_server.py is python2 only, don't try to setup the class as it
leads to a confusing TimeoutError.

This may prevent me from debugging this apparent test failure a third
time.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-10 16:11:33 +03:00
Jussi Kukkonen
fc44652b93 tests: Use localhost consistently
Our tests already expect localhost lookup to work to find test servers:
use it consistently instead of sometimes using 127.0.0.1

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-10 16:11:33 +03:00
Jussi Kukkonen
a22f6182dd tests: increase wait_for_server() default timeout
Travis managed to still timeout with 5 seconds: increasing the timeout
(now that it's not a sleep) doesn't really hurt normal non-VM use cases
so let's bump it to 10 seconds.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-10 16:11:33 +03:00
Jussi Kukkonen
6b1011d748 log: Close the file handler when it's removed
Silences "ResourceWarning: unclosed file"

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-10 16:11:33 +03:00
Jussi Kukkonen
0dfa17038e tests: Remember to close file objects
This silences "ResourceWarning: unclosed file"

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-10 16:11:33 +03:00
Jussi Kukkonen
f468007acd test_download: Use logger for output
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-10 16:11:33 +03:00
Jussi Kukkonen
740be9cdb6 tests: Avoid sleep(): make sure servers really start
* Add utility function to wait on a socket until it responds
* Use the function instead of sleeping in tests that need to wait for
  the server to start
* Increase the max timeout to 5 seconds by default (as appveyor builds
  still seem to hit the 3 second mark sometimes)

wait_for_server() functions quite differently depending on OS: Windows
can take 2 seconds to respond with ECONNREFUSED whereas Linux is almost
instant. There might be tricks to be faster on Windows (like setting
a shorter socket timeout) but this was not done here.

This makes a full Linux test run almost 40% faster and should be more
reproducible on every platform.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-10 16:11:33 +03:00
lukpueh
a088b68fa7
Merge pull request #1088 from theupdateframework/dependabot/pip/cryptography-3.0
build(deps): bump cryptography from 2.9.2 to 3.0
2020-08-07 11:31:41 +02:00
Trishank Karthik Kuppusamy
3c946e2f98
Merge pull request #1098 from joshuagl/joshuagl/release-fixes
Fix release related documentation
2020-08-04 16:27:28 -04:00
Joshua Lock
96c00f319a Add tag pushing to RELEASE.md
Ensure someone following the release process pushes the tag they create
and include a tag message matching the common form, rather than requiring
somebody following the steps to figure out what to enter into their editor

Signed-off-by: Joshua Lock <jlock@vmware.com>
2020-08-04 15:11:21 +01:00
Joshua Lock
32ba3bbcad Fix CHANGELOG formatting
For some reason the first level 3 heading 'Added' was not rendering
correctly. The level 2 heading for 'Fixed' should be level 3.

Signed-off-by: Joshua Lock <jlock@vmware.com>
2020-08-04 15:10:03 +01:00
lukpueh
7a418a219c
Merge pull request #1094 from joshuagl/joshuagl/v0.13.0
Prepare for a 0.13.0 release
2020-08-04 15:39:52 +02:00
Jussi Kukkonen
1367b79f38 tests: Wait for subprocess kill() to happen
This avoids the need to sleep() before removing the temporary
directories used, and makes sure we don't get
    ResourceWarning: subprocess N is still running
messages. Use subprocess.communicate() instead of wait() if the process
has a pipe (currently the return values are just dropped though).

Practical results should be more reliability and a slightly reduced
test runtime.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-04 16:15:05 +03:00
Joshua Lock
eb1c8d0845 setup.py: add project_urls links
These additional URLs will be displayed on PyPI:
https://packaging.python.org/guides/distributing-packages-using-setuptools/#project-urls

Signed-off-by: Joshua Lock <jlock@vmware.com>
2020-08-04 11:47:47 +01:00
Joshua Lock
2dc4651136 docs/CHANGELOG.md: update for v0.13.0
Categorise changes by type, per the recommendations at keepachangelog.com

Signed-off-by: Joshua Lock <jlock@vmware.com>
2020-08-04 11:47:47 +01:00
Joshua Lock
0714632edc docs/RELEASE.md: link to guidance on changelogs
https://keepachangelog.com provides good advice on curating a changelog

Signed-off-by: Joshua Lock <jlock@vmware.com>
2020-08-04 09:49:12 +01:00
Joshua Lock
f4eb00114f
Merge pull request #1091 from mnm678/check-key-uniqueness
Each key applies to signature threshold once
2020-08-04 09:39:27 +01:00
Joshua Lock
ea958bc568 Prepare 0.13.0 release
Signed-off-by: Joshua Lock <jlock@vmware.com>
2020-08-04 09:31:16 +01:00
Joshua Lock
506ae5552d Document release process steps
Write down the expected steps for a maintainer to follow when making a
release of tuf

Signed-off-by: Joshua Lock <jlock@vmware.com>
2020-08-04 09:31:16 +01:00
Jussi Kukkonen
dc9c3b2557 download: import tuf.formats before using it
This seems to have only worked because someone else usually imports
formats.

This fixes e.g.
  python3 test_download.py \
     TestDownload.test_download_url_to_tempfileobj

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-03 19:39:07 +03:00
Jussi Kukkonen
94d3175a00 simple-server: Allow address re-use
If a test happens to use the same port as a previous test run
(either by bad luck or hardcoding like TestMultiRepoUpdater) that
happened within a minute, the second run will fail because TCP by
default keeps sockets open for a while.

Avoid this by explicitly saying re-use is fine in this case.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2020-08-03 19:06:27 +03:00
Joshua Lock
0c07311958
Merge pull request #1092 from sechkova/updater_logging
Improve updater and tests logging
2020-07-30 11:40:22 +01:00
Joshua Lock
b9f7cb3aad
Merge pull request #1031 from MVrachev/length-hashes-optional
Make length and hashes optional for timestamp and snapshot roles
2020-07-30 10:58:47 +01:00
Teodora Sechkova
963ed79817
Replace logging.exception calls in Updater()
Using logging.exception logs messages to the root logger and
calls  basicConfig() to add a console handler with a pre-defined
format which breaks the current logging configuration.

Replacing logging.exception with logger.exception which is the
logger for the updater module.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
2020-07-29 18:07:03 +03:00
Teodora Sechkova
1a9b7a6fc8
Add NullHandler() to the top-level logger
Adding a do-nothing handler to the top-level 'tuf' logger
in case no other handlers exist (in tests for example).

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
2020-07-29 18:01:20 +03:00
marinamoore
ae54c85b22 Each key applies to signature threshold once
This commit ensures that each key will only count toward the signature
threshold once, even if the keys have different keyids.

Signed-off-by: marinamoore <mmoore32@calpoly.edu>
2020-07-28 12:44:21 -07:00
dependabot-preview[bot]
8941656c97
build(deps): bump cryptography from 2.9.2 to 3.0
Bumps [cryptography](https://github.com/pyca/cryptography) from 2.9.2 to 3.0.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/master/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/2.9.2...3.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-07-27 12:30:02 +00:00
Joshua Lock
b265fb9446
Merge pull request #1090 from theupdateframework/dependabot/pip/cffi-1.14.1
build(deps): bump cffi from 1.14.0 to 1.14.1
2020-07-27 13:28:42 +01:00
Joshua Lock
d4ccc27239
Merge pull request #1089 from theupdateframework/dependabot/pip/urllib3-1.25.10
build(deps): bump urllib3 from 1.25.9 to 1.25.10
2020-07-27 13:18:40 +01:00
dependabot-preview[bot]
44fa067e33
build(deps): bump cffi from 1.14.0 to 1.14.1
Bumps [cffi](https://bitbucket.org/cffi/release-doc) from 1.14.0 to 1.14.1.
- [Commits](https://bitbucket.org/cffi/release-doc/commits)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-07-27 10:29:27 +00:00
Martin Vrachev
80818e9ee1 Clarify docstring commets about Mercury paper
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 21:53:25 +03:00
Martin Vrachev
2297c4b501 Test length and hashes in create and load repo
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 19:43:51 +03:00
Martin Vrachev
e970dfaa83 Optional length and hashes in create and load repo
Add optional parameters in repository_tool.create_new_repository()
and repository_tool.load_repository() so that our users
could control if they want to calculate length and hashes
for snapshot and timestamp roles or not.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 19:43:51 +03:00
Martin Vrachev
6e37b4f576 Calculate length and hashes only when needed
We want to make sure we are calculating length and hashes only when
at least one of them is needed.
Otherwise, for adoptors of tuf with lots of delegations,
this will cause unnecessary overhead.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 19:43:51 +03:00
Martin Vrachev
5f6d1ae9c9 Fix snapshot_filename inconsistency usage
First in the generate_timestamp_metadata both "snapshot_filename"
and the constant SNAPSHOT_FILENAME are used which is redundant
and possibly confusing. There should be only one input
for the snapshot file name.

Second, when calling the generate_timestamp_metadata there are
cases when "snapshot_filename" is in reality "snapshot_file_path".
That's what led to the need for the addition of SNAPSHOT_FILENAME
when populating the "meta" field from the TIMESTAMP_SCHEMA.
For the same reason, it seems logical to me to rename snapshot_filename
to snapshot_file_path and explicitly take the snapshot file name
from it.

Third, in the _generate_and_write_metadata function the argument
"filenames" is by default None, but at the same time without check
it's considered that filenames is a dictionary which has a key
"snapshot". This is could be okay if the default "filenames" value
was not None, but in the current situation it's easy to call
"_generate_and_write_metadata" with rolename = timestamp
and forget to populate the filenames dictionary.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 19:43:51 +03:00
Martin Vrachev
5060706925 Separate targets and snapshot/timestamp schemas
This separation and refactoring is part of the change to
make length and hashes optional for timestamp and snapshot roles.

It separates FILEINFO_SCHEMA into two separate schemas:
TARGETS_FILEINFO_SCHEMA and METADATA_FILEINFO_SCHEMA.
The distinction is needed because as of version 1.0.1 of the tuf
spec targets role has mandatory length and hashes, and
snapshot and timestamp roles have a mandatory version, and optional
length and hashes.
That's why targets can't share the same schemas
as timestamp and snapshot.

Because of that schema distinction, make_fileinfo had to be too
separated into make_targets_fileinfo and make_metadata_fileinfo.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 19:43:51 +03:00
Martin Vrachev
66a1f3f9e6 Remove redundant targets_filename argument
The argument targets_filename in the generate_snapshot_metadata
is redundant because the places where we are calling
generate_snapshot_metadata is by using the constant
TARGETS_FILENAME or by creating a variable with the same value
of "targets.json".

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 19:43:51 +03:00
Martin Vrachev
8b9dcb70ad Use targets_filename with its suffix
Right now the targets_filename variable in the
_generate_and_write_metadata and in
generate_snapshot_metadata functions
was used without the.json suffix which is a little misleading.

This wasn't a big issue before because this variable wasn't
actually used as a file name until now.
Now, we need to use it with it's 'json' suffix so we can
calculate the hashes and length for the targets metadata.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 19:43:51 +03:00
Martin Vrachev
14620b7c3c Add tests for snapshot with hashes or length
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 19:43:51 +03:00
Martin Vrachev
98a31b6d3c Make length and hashes optional for snapshot
As per the specification (v1.0.1) length and hashes fields
in snapshot metadata are optional.
The reference implementation should reflect this.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 19:43:15 +03:00
Martin Vrachev
4742a8e335 Add tests for timestamp without hashes or length
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-24 14:13:34 +03:00
Martin Vrachev
51db8316de Make length and hashes optional for timestamp
As per the specification (v1.0.1) length and hashes fields
in timestamp metadata are optional.
The reference implementation should reflect this.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2020-07-23 20:55:56 +03:00
dependabot-preview[bot]
718dfce50e
build(deps): bump urllib3 from 1.25.9 to 1.25.10
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.25.9 to 1.25.10.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/1.25.10/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.25.9...1.25.10)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-07-23 10:28:12 +00:00
Justin Cappos
bba23757fd
Merge pull request #1086 from theupdateframework/trishankkarthik-patch-1
Remove specific adoptions from README
2020-07-21 15:37:32 -04:00