Commit graph

3557 commits

Author SHA1 Message Date
Joshua Lock
1f0cb9cd52 Add new setting for file hashing algorithms
Using securesystemslib.settings.HASH_ALGORITHMS is undersirable, because
it binds tuf to an implementation detail of the underlying library.
In this specific instance of file hashing algorithms it's even more
undesirable because it's overloading the intended use of the setting
which is "algorithm(s) [...] used to generate key IDs".

Add a new setting tuf.settings.FILE_HASH_ALGORITHMS, with a default
value of ['sha256', 'sha512'] (that matches the current value of
securesystemslib.settings.HASH_ALGORITHMS), to be used for file
hashing operations in tuf.

Signed-off-by: Joshua Lock <jlock@vmware.com>
2020-03-05 17:55:38 +00:00
lukpueh
679348ffcf
Merge pull request #990 from theupdateframework/dependabot/pip/pycparser-2.20
build(deps): bump pycparser from 2.19 to 2.20
2020-03-05 14:43:14 +01:00
dependabot-preview[bot]
fe7c852293
build(deps): bump pycparser from 2.19 to 2.20
Bumps [pycparser](https://github.com/eliben/pycparser) from 2.19 to 2.20.
- [Release notes](https://github.com/eliben/pycparser/releases)
- [Changelog](https://github.com/eliben/pycparser/blob/master/CHANGES)
- [Commits](https://github.com/eliben/pycparser/compare/release_v2.19...release_v2.20)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-03-05 10:34:58 +00:00
lukpueh
bb94304eb8
Merge pull request #985 from lukpueh/quickfix-win-py27-tests
Fix failing AppVeyor Python2.7 tests
2020-03-03 12:04:53 +01:00
lukpueh
83d6ded134
Merge pull request #987 from theupdateframework/dependabot/pip/securesystemslib-colorscryptopynacl--0.14.2
build(deps): bump securesystemslib[colors,crypto,pynacl] from 0.14.0 to 0.14.2
2020-02-28 14:03:50 +01:00
dependabot-preview[bot]
797ccf0ac4
build(deps): bump securesystemslib[colors,crypto,pynacl]
Bumps [securesystemslib[colors,crypto,pynacl]](https://github.com/secure-systems-lab/securesystemslib) from 0.14.0 to 0.14.2.
- [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases)
- [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/master/CHANGELOG.md)
- [Commits](https://github.com/secure-systems-lab/securesystemslib/compare/v0.14.0...v0.14.2)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-02-27 10:52:32 +00:00
Lukas Puehringer
842f843210 Remove duplicate testing simple_server.py
tests/simple_server.py was copied to tuf/scripts/ to "make testing
easier" (cf84d3f51f), although with
the current test setup the original (and recently patched to fix an
Windows/Py2 test issue) test simple_server.py can be used just as
well.

This commit:
- removes tuf/scripts/simple_server.py
  Note: that version slightly differed from the original test
  server, probably due to demands by the linter that is only executed
  on the tuf core code and not on the tests. However, for the testing
  purposes of simple_server.py these changes (i.e., `SystemRandom()`,
  `if __name__ =='__main__':`) are not necessary.
- updates the tests that used tuf.scripts.simple_server to instead
  use tests.simple_server,
- updates setup.py to not install the simple_server module as
  script, when installing tuf, as it is only a testing script and
  not meant for end-user usage.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-02-25 14:55:36 +01:00
Lukas Puehringer
7dbb30ae10 Fix failing AppVeyor Python2.7 tests
Since #885 the tests in TestUpdater and TestKeyRevocation fail on
Appveyor Python 2.7 builds. After some live debugging, it turns out
that the tests fail due to the extra amount of http requests to
the simple http server (see tests/simple_server.py) that were
added in #885.

The simple server runs in a subprocess and is re-used for the
entire TestCase. After a certain amount of requests it becomes
unresponsive. Note that neither the subprocess exits (ps -W), nor
does the port get closed (netstat -a). It just doesn't serve the
request, making it time out and fail the test.

The following script can be used to reproduce the issue (run in
tests directory):

```python
import subprocess
import requests
import random

counter = 0

port = random.randint(30000, 45000)
command = ['python', 'simple_server.py', str(port)]
server_process = subprocess.Popen(command, stderr=subprocess.PIPE)
url = 'http://localhost:'+str(port) + '/'

sess = requests.Session()

try:
  while True:
    sess.get(url, timeout=3)
    counter +=1

finally:
  print(counter)
  server_process.kill()
```

It fails repeatedly on the 69th request, but only if
`stderr=subprocess.PIPE` is passed to Popen. Given that for each
request the simple server writes about ~60 characters to stderr,
e.g. ...
```
127.0.0.1 - - [24/Feb/2020 12:01:23] "GET / HTTP/1.1" 200 -
```
... it looks a lot like a full pipe buffer of size 4096. Note that the
`bufsize` argument to Popen does not change anything.

As a simple work around we silence the test server on
Windows/Python2 to not fill the buffer.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-02-24 16:32:26 +01:00
lukpueh
a044d23eef
Merge pull request #984 from theupdateframework/dependabot/pip/requests-2.23.0
build(deps): bump requests from 2.22.0 to 2.23.0
2020-02-24 09:32:22 +01:00
lukpueh
c20888407e
Merge pull request #980 from theupdateframework/dependabot/pip/idna-2.9
build(deps): bump idna from 2.8 to 2.9
2020-02-24 09:31:21 +01:00
dependabot-preview[bot]
9c8e4ff609
build(deps): bump requests from 2.22.0 to 2.23.0
Bumps [requests](https://github.com/psf/requests) from 2.22.0 to 2.23.0.
- [Release notes](https://github.com/psf/requests/releases)
- [Changelog](https://github.com/psf/requests/blob/master/HISTORY.md)
- [Commits](https://github.com/psf/requests/compare/v2.22.0...v2.23.0)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-02-20 10:37:20 +00:00
dependabot-preview[bot]
d055487ef2
build(deps): bump idna from 2.8 to 2.9
Bumps [idna](https://github.com/kjd/idna) from 2.8 to 2.9.
- [Release notes](https://github.com/kjd/idna/releases)
- [Changelog](https://github.com/kjd/idna/blob/master/HISTORY.rst)
- [Commits](https://github.com/kjd/idna/compare/v2.8...v2.9)

Signed-off-by: dependabot-preview[bot] <support@dependabot.com>
2020-02-19 10:50:05 +00:00
lukpueh
42f4c3f7a9
Merge pull request #982 from lukpueh/revise-requirements
Revise requirements files again
2020-02-19 11:48:46 +01:00
lukpueh
4254482e32
Merge pull request #981 from joshuagl/joshuagl/tweak
Add colorama to dependencies installed in the tutorial
2020-02-19 10:38:08 +01:00
Lukas Puehringer
730e4d8b97 Revise requirements files again
Follows up on #978, which had the following problems:
- too many requirements files (cc @trishankatdatadog ;)
- used extra tooling around pip-compile that
  - didn't take into account requirement markers (see comments
    in requirements.txt in this commit), and
  - confused Dependabot, which expects the hashed requirements
    file in a certain format, as pip-compile would generate it
    without custom tooling (see #979).

This commit restructures the requirements files as follows:

- Merges requirements-tox.txt and requirements-test.txt. The
  separation was semantically correct but operationally irrelevant.
- Removes the hashed requirements file, which doesn't add much
  security, especially with PEP 458 on the way (see python/peps#1306),
  but extra maintenance (see notes about requirements.txt in #978
  and about Dependabot above)
- Manually adds environment markers to requirements-pinned.txt (see
  comments in requirements.txt in this commit).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-02-18 16:11:31 +01:00
Joshua Lock
eaefbd9fda Add securesystemslib[color] to packages installed in the tutorial
colorama is now an optional dependency for securesystemslib, and so isn't
installed by default. However, the repo script uses colorama and doesn't
handle its absence - add securesystemslib[colors] to ensure colorama is
installed.

Signed-off-by: Joshua Lock <jlock@vmware.com>
2020-02-18 15:05:13 +00:00
lukpueh
797d55600b
Merge pull request #978 from lukpueh/revise-requirements
Revise requirements files and remove pyup
2020-02-11 13:32:09 +01:00
Lukas Puehringer
1844295a39 Update requirements files comments
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Co-Authored-By: Joshua Lock <jlock@vmware.com>
2020-02-07 16:21:44 +01:00
Lukas Puehringer
6186e075d4 Add Dependabot status badge
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-02-07 12:45:34 +01:00
Lukas Puehringer
1a826cb4b0 Fix tests that use non-public sslib module
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-02-06 17:40:29 +01:00
Lukas Puehringer
08f50ab075 Remove pyup config and badges
The PyUp GitHub integration for TUF stopped working a few days
ago. Instead of troubleshooting, I'm seizing the opportunity to
replace it with Dependabot, which has shown to work well in the
in-toto org.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-02-06 17:35:59 +01:00
Lukas Puehringer
15d1e933a0 Restructure requirements files
* Use suffixed instead of prefixed sub-requirements files to group
  them alphabetically in the file tree.
* Layer requirements files akin to the in-toto project
  (see in-toto/in-toto#294). The hierarchy is:

  - *requirements.in*
    tuf runtime requirements, including optional requirements
    (pynacl and cyrptography)

  - *requirements-pinned.txt*
    pinned tuf runtime requirements, including optional
    and transitive (1 level deep) requirements and their hashes.

    The file is generated semi-automatically using pip-compile
    and a bash script (see document header), based off of
    requirements.in, combining requirements from all supported
    Python versions.

    This file should be auto-updated, by e.g. dependabot, and be used
    for ci/cd tests, to catch issues with new dependencies.

  - *requirements-test.txt*
    additional test runtime requirements

  - *requirements-tox.txt*
    combines requirements.txt, requirements-test.txt and additional
    test tools (for linting and coverage), i.e. everything that is
    needed in each tox environment to run the tests.

  - *requirements-dev.txt*
    lists tox for local development and testing, and also
    requirements-tox.txt and tuf in editable mode to run
    the test suite or individual tests directly.

  - *requirements.txt*
    requirements-pinned.txt with the hashes of the dependencies
    as reported by pip at the time of creating the file.
    NOTE: this is not used for testing or  dev-install because pip
    doesn't allow mixed (with and without hashes) installations.

    This file should also be auto-updated, by e.g. dependabot.

* Removes an obsolete version constraint on coverage

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-02-06 17:35:51 +01:00
Justin Cappos
15414c6735
Merge pull request #975 from theupdateframework/bump0.12.2
release: 0.12.2
2020-01-10 16:08:05 -05:00
Santiago Torres
bea6496dc2
release: 0.12.2
Signed-off-by: Santiago Torres <santiago@archlinux.org>
2020-01-10 15:43:44 -05:00
Santiago Torres
2977188139
Merge pull request #974 from lukpueh/fix-signature-threshold
Fix signature threshold
2020-01-10 15:19:16 -05:00
Lukas Puehringer
67a3a7ab92 Update docs and comments in sig.py and test_sig.py
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-01-10 11:26:07 +01:00
Lukas Puehringer
a0397c7c82 Fix signature threshold verification
Prior to this commit metadadata signature verification as provided
by `tuf.sig.verify()` and used e.g. in `tuf.client.updater` counted
multiple signatures with identical authorized keyids each
separately towards the threshold. This behavior practically
subverts the signature thresholds check.

This commit fixes the issue by counting identical authorized keyids
only once towards the threshold.

The commit further clarifies the behavior of the relevant functions
in the `sig` module, i.e. `get_signature_status` and `verify` in
their respective docstrings. And adds tests for those functions and
also for the client updater.

---

NOTE: With this commit signatures with different authorized keyids
still each count separately towards the threshold, even if the
keyids identify the same key. If this behavior is not desired, I
propose the following fix instead. It verifies uniqueness of keys
(and not keyids):

```
diff --git a/tuf/sig.py b/tuf/sig.py
index ae9bae15..5392e596 100755
--- a/tuf/sig.py
+++ b/tuf/sig.py
@@ -303,7 +303,14 @@ def verify(signable, role, repository_name='default', threshold=None,
   if threshold is None or threshold <= 0: #pragma: no cover
     raise securesystemslib.exceptions.Error("Invalid threshold: " + repr(threshold))

-  return len(good_sigs) >= threshold
+  # Different keyids might point to the same key
+  # To be safe, check against unique public key values
+  unique_good_sig_keys = set()
+  for keyid in good_sigs:
+    key = tuf.keydb.get_key(keyid, repository_name)
+    unique_good_sig_keys.add(key["keyval"]["public"])
+
+  return len(unique_good_sig_keys) >= threshold

```

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2020-01-09 18:54:47 +01:00
mnm678
b913d88ad4
Merge pull request #972 from mnm678/thread-safety
Explain concurrency limitation
2020-01-07 18:18:17 -05:00
marinamoore
9e5a7c6905 Clarified location
Signed-off-by: marinamoore <mmoore32@calpoly.edu>
2020-01-07 10:40:46 -08:00
marinamoore
5e0156f16b Add note to readme explaining that thread safety is not provided
Signed-off-by: marinamoore <mmoore32@calpoly.edu>
2020-01-03 17:04:38 -08:00
Trishank Karthik Kuppusamy
a6314a0ea2
Merge pull request #970 from cavokz/develop
Fix typo in section "Release Verification"
2019-12-23 10:39:53 -05:00
Domenico Andreoli
feaf88e33b Fix typo in section "Release Verification"
Signed-off-by: Domenico Andreoli <domenico.andreoli@linux.com>
2019-12-20 10:06:44 +01:00
lukpueh
530d4a8eef
Merge pull request #775 from theupdateframework/add_tutorial_regression_test
Fix TUTORIAL.md and add regression testing for future issues
2019-12-16 15:48:54 +01:00
Lukas Puehringer
fc74cf229b test: Misc update in test_tutorial
- Add missing remove_target call from "Delegate to Hashed Bins"
  section
- Add comments to dirty_roles output assertion

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
cb8a4c459f test: Install mock in appveyor on Python 2.7
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
da26e9adcd doc: Revert accidental space deletion in tutorial
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
7e8b7e5db1 doc: Explicitly mark roles dirty in tutorial
TUF does not reliably mark roles as dirty whose metadata needs
to be re-generated.

Only roles that have changed are marked as dirty, but sometimes
roles metadata needs to be updated, although the role wasn't
changed directly (see #958).

Furthermore, the tutorial assumes at one point that the reader
leaves and re-enter the interpreter session, being forced to reload the
signing keys, roles that later need to be re-written, are marked as
dirty. If the reader does not leave the interpreter, the roles are
not marked as dirty (see #964).

To not confuse the reader with flawed state-keeping, and to never
write an inconsistent repository to disk, the tutorial lets the
reader explicitly mark all roles that need to be re-written as
"dirty".

This can be changed once above issues are fixed.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
031bd1b482 test: Assert tutorial delegate_hashed_bins output
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
fc23496e38 doc: Update "Delegate to Hashed Bins" in tutorial
Explain and show output of delegate_hashed_bins() function call in
tutorial snippet.

Also update the subsequent comment for better continuity.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
5a8dbd42cb doc: Update delegation section in tutorial
- Ask the reader to ignore a misleading warning about the location of
  a delegation path pattern.
  The comment may be removed when fixing the warning in
  theupdateframework/tuf#963.

- Comment out text that has become obsolete when commenting out
  the "Revoke Delegated Role" section (in an earlier commit).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
lukpueh
9375885389 docs: Fix typos in tutorial code snippet comments
Co-Authored-By: Joshua Lock <jlock@vmware.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
e6ddac9ed5 test: Update setuptools for appveyor builds
This should fix the following build error:

error in tuf setup command: 'tests_require' must be a string or
list of strings containing valid project/version requirement
specifiers; Expected version spec in mock; python_version < "3.3"
at ; python_version < "3.3"

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
de9851f113 test: Adopt tutorial changes in test_tutorial.py
Add, remove and update function calls to match code snippets in
tutorial.

This commit also adds tests for outputs of `repo.status()` and
`repo.dirty_roles()` functions.
Note that the compare-to strings need to be constructed
programatically, akin to how they are constructed in the relevant
functions, in order to avoid issues with unicode prefixes in
Python2/3, e.g.
    "Dirty roles: ['root']"
vs  "Dirty roles: [u'root']"

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
dc7bb9661e test: Add mock test dependency for Py <3.3
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
647f712f06 roledb: Make get_dirty_roles() return sorted list
roledb.get_dirty_roles(repo_name) returns the list representation
of the global _dirty_roles[repo_name] set. To make the return value
deterministic this commit sorts the list before returning it.

The commit also removes calls to sorted on the return value of
get_dirty_roles in test_roledb.py and test_repository_tool.py.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
e7d3dd4181 test: Run tutorial tests in a temporary directory
Instead of keeping track of files created during the tutorial and
removing them afterwards, this commit updates the test case to
create and change into a temporary directory in setUp and
change back and remove the tempdir in tearDown.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
512c62daa3 doc: Update "How to Perform an Update" in tutorial
- Change directory names to what cli tool repo.py expects
- Remove unrelated "tufenv" note
- Mention that `tuf` must be installed

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
bb6a32ae27 doc: Comment out "Consistent Snapshots" snippet
The text above the snippet explains the basic idea of "consistent
snapshots" and how to generate them with `write` and `writeall`.

The commands in the snippet just leave the repo in an inconsistent
state (see comment).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
ca8e9cc53a doc: Fix repo.dirty_roles() output in tutorial
- Fix expected output
- Update comments
- Add a few additional calls, to help the reader understand the
  repo state
- Also see theupdateframework/tuf#958

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00
Lukas Puehringer
bd813d86a5 doc: Update delegation-related tutorial sections
In "Targets" section:
- Remove `repository.targets('<delegated rolename>').add_target(...)`
  command, because it is not copy-pastable and delegations
  have not yet been covered at that point.
- Update the "remove targets" snippet to remove the previously added
  "myproject/file4.txt" instead of "file3.txt", because we will add
  "myproject/file4.txt" to the delegated "unclaimed" role in the
  Delegation section.

In "Delegation" section:
- Change "unclaimed" delegation pattern from 'foo*.tgz', for which
  no file exists in the tutorial, to 'myproject/*.txt'.
- Add "myproject/file4.txt" to the delegated unclaimed targets role
- Remove the command that updates the version of the "unclaimed"
  role, because this should not be done manually, and the add_target
  call shows just as well how to access delegated roles.
- Comment out the revoke delgated role section, leaving a TODO note
  for required updates (should be ticketized).

In "Delegate to Hashed Bins":
- Add call to remove target "myproject/file4.txt" from "unclaimed",
  because it is further delgated to hashed bins
- Add dirty_roles() call to show all the newly created bins
- Add mark_dirty() and writeall() calls to create a consistent
  state of the repo

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-12-16 15:16:24 +01:00