Commit graph

1108 commits

Author SHA1 Message Date
Teodora Sechkova
67ff0424e7
Merge pull request #1654 from jku/make-refresh-optional
ngclient: Implicitly call refresh()
2021-11-17 10:50:34 +02:00
Martin Vrachev
29f936b76d Tests: address new pylint warnings
After the recent changes there are a couple of new pylint warnings that
appeared.
They are caused by the new test file that was added
test_updater_top_level_update.py and the limit of public functions was
reached in the TestMetadata class in test_api.py
The warnings should be addressed before enabling all of the linters
on the tests files.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-11-12 17:10:06 +02:00
Jussi Kukkonen
fa7990c354
Merge pull request #1670 from MVrachev/assert-raises-fix
Tests: self.assertRaises -> with self.assertRaises
2021-11-11 18:51:51 +02:00
Jussi Kukkonen
45f69a2639
Merge pull request #1649 from MVrachev/clarify-root-rotations-test
Clarify key rotations test cases by using keywords
2021-11-11 18:51:25 +02:00
Martin Vrachev
d4187f3186 Address pylint warnings on tests for the new code
Address or disable pylint warnings raised on all test files inside
the "tests/" directory testing the code of the new implementation.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-11-11 15:39:56 +02:00
Martin Vrachev
2042a54dcf disable black for part of key rotations tests
In order to make the `RootVersion` test cases understandable it's
better if we use keywords and don't split the different RootVersions
into multiple lines.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-11-11 15:31:04 +02:00
Martin Vrachev
8c6e157519 Tests: test_api split test_sign_verify()
test_sign_verify() is testing too many cases and after the recent
pylint warning about the usage of too many local variables it became
clear it's time to split this test function.

I decided to split it logically as half of the function was about
failures connected with verify.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-11-10 15:55:34 +02:00
Martin Vrachev
3c80c5bcd0 Tests: self.assertRaises -> with self.assertRaises
Change the instances of "self.assertRaises" to "with self.assertRaises"
as using "self.assertRaises" can lead to long statements separated to
multiline expressions as pointed out by Jussi here:
https://github.com/theupdateframework/python-tuf/pull/1658#discussion_r741725382

On another hand "with self.assertRaises()" looks a lot better:
589ed9e0d4/tests/test_api.py (L131)

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-11-10 15:27:03 +02:00
Teodora Sechkova
d66c3baf27
RepoSim: remove metadata version check
Except for 'root' role, RepositorySimulator does not
keep previous metadata versions, it always serves the latest
one. The metadata version check during fetch serves mostly
for informative purposes and removing it allows generating test
metadata with mismatching version.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
2021-11-09 16:22:38 +02:00
Teodora Sechkova
8418d5267f
ngtests: Add asserts for expected version
Define _assert_version_equals for checking if the
local metadata file's version is as expected.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
2021-11-09 14:18:24 +02:00
Teodora Sechkova
e51642a290
ngtests: Fix formatiing and linter issues
Fix formatting and some potential linter and typing
errors.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
2021-11-09 14:18:17 +02:00
Teodora Sechkova
8a2c7857ac
ngtests: Add addtional asserts for files on disk
Extend the TestRefresh cases with additional checks
for expected metadata files and their content written
on the file system.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
2021-11-09 14:18:05 +02:00
Teodora Sechkova
954331c8af
ngtests: Add top-level-roles update tests
Add ngclient/updater tests following the top-level-roles metadata
update from the specification (Detailed client workflow)
using RepositorySimulator.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
2021-11-08 17:47:15 +02:00
Martin Vrachev
beb8087bf5 Clarify key rotations test cases by using keywords
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-11-05 16:46:33 +02:00
Jussi Kukkonen
26213ae576 tests: Add test for implicit refresh()
This is a minimal test case to show the basic functionality:
I'd like to update most of the tests to use the implicit method
but would like to do that when there's less churn in these tests.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-11-03 14:57:23 +02:00
Martin Vrachev
6fe36a00c4 Rename & simplify a couple of tests in test_api.py
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-11-02 19:31:46 +02:00
Martin Vrachev
2e9ef79762 Apply isort on the tests of the new code
All of the changes included are a result of applying isort
on our tests on the new code.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-11-02 19:31:25 +02:00
Martin Vrachev
c98b429643 Apply black on the tests of the new code
All of the changes included are a result of applying black
on our tests on the new code.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-11-02 19:30:35 +02:00
Jussi Kukkonen
e817473e3c tests: Add root key rotation tests
Add one test with 1 subtests for various root key rotation situations.

The test data definition format is a bit tricky but I tried to document
that in the test function docstring.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-10-27 19:01:23 +03:00
Jussi Kukkonen
ad80bd96c6 tests: Mark RepositorySimulator. create_key() static
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-10-27 18:57:12 +03:00
Jussi Kukkonen
fd40dfc094 tests: Refactor simulator signer handling
Store signers with their keyids so they are easier to remove.
The signers structure now looks like:
{
  "role1": {
    "keyidA": SSlibSigner,
    "keyidB": SSlibSigner,
  }
}

Add convenience method for adding a signer.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-10-27 18:57:08 +03:00
Jussi Kukkonen
7b8ff220b1
Merge pull request #1604 from jku/ngclient-api-polish
Ngclient api polish
2021-10-27 18:40:49 +03:00
Jussi Kukkonen
d519a413b0 ngclient: Rename get_one_valid_targetinfo()
This is slightly cosmetic but rename get_one_valid_targetinfo to
get_targetinfo:
* The function name is long without any reason: "one" and "valid" are
  always implicit
* shortening makes code (incl. our examples and tests) easier to read
* We're also already changing updater API (compared to legacy) so this
  alone does not break things -- it's also not a difficult "port".

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-10-27 09:55:57 +03:00
Jussi Kukkonen
9b761b8620 ngclient: Simplify caching
Remove updated_targets() as it doesn't fit the rest of the API.

In its stead add find_cached_target() which has a similar signature
as download_target(): both accept an optional local filepath as
argument and return full local filepath. In the
find_cached_target() case None is returned if the local file is not the
correct target file.

Updater constructor gets a new optional target_dir argument: This means
client can avoid giving a local filepath as an argument to
find_cached_target()/download_target() -- Updater will then generate a
filename within targets_dir.

A reasonable use pattern (when targets_dir is set in constructor):

    info = updater.get_one_valid_targetinfo("targetname")
    path = updater.find_cached_target(info)
    if path is None:
        path = updater.download_target(info)

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-10-27 09:55:57 +03:00
Jussi Kukkonen
cc9f3876c4 tests: Shorten variable names to reasonable length
Otherwise absolutely everything is split on multiple lines.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-10-27 09:55:57 +03:00
Martin Vrachev
4158272a7a Use TOP_LEVEL_ROLE_NAMES across TUF
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-25 15:58:56 +03:00
Martin Vrachev
9bc55ee568 Metadata API: validate root role names
Validate that root role names are 4 and that they are exactly
"root", "snapshot", "targets" and "timestamp" as described in
the spec:
https://theupdateframework.github.io/specification/latest/#root-role

Additionally, fix the valid_roots dataset, so each of the cases contains
the top metadata role names inside the roles dictionary.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-25 15:58:55 +03:00
Jussi Kukkonen
2206fc917e
Merge pull request #1631 from MVrachev/fix-test-error
Test metadata files: bump expiration date and resign
2021-10-25 11:02:34 +03:00
Martin Vrachev
d3d2f57f3a Test files: bump expiration date and resign
Our newly added metadata files in the
tests/repository_data/fishy_rolenames/metadata directory have an expiry
date until "2021-10-22T11:21:56Z" and today while running the tests on
develop branch I recived this error:
ExpiredMetadataError("Metadata X expired on Fri Oct 22 11:21:56 2021")
when running the tests in tests/test_updater.py file and more precisly
the TestUpdaterRolenames.test_unusual_rolenames() test.

That's why I decided to bump the expiration date to a random time in
the future (October 22-nd 2050) and I had to resign all of the metadata
files.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-23 18:39:22 +03:00
Martin Vrachev
4c81340610 Replace depricated ssl function and fix CI errors
When I tried adding support for Python3.10 we had CI errors due to
test failures: https://github.com/theupdateframework/python-tuf/pull/1610/checks?check_run_id=3861875325
The problem comes from the fact that we start a subprocess
executing simple_https_server.py, but then we fail to communicate the
message we expect from the server process to the main process actually
running the test. We expect our custom message to be the first line
printed from the server process, but instead, a deprecation warning is
printed first about the usage of ssl.wrap_socket(). Our custom message
is printed second.
As of Python 3.7 this function has been deprecated:
https://docs.python.org/3/library/ssl.html#ssl.wrap_socket and for
whatever the reason we didn't get a warning when using it before.

My fix does what is suggested in the warning and replaces the usage of
ssl.wrap_socket() by instantiating a ssl.SSLContext object and then
calling SSLContext.wrap_socket().
This removes the warning.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-21 14:15:29 +03:00
Jussi Kukkonen
677377899e tests: Use spec version from Metadata API
When constructing new metadata from scratch, use the spec version
the API supports.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-10-13 15:59:56 +03:00
Jussi Kukkonen
7da1f1e41b legacy client: Remove dead code
_fileinfo_has_changed() and _update_fileinfo() have been unused internal
methods since 2016. Remove them.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-10-13 15:59:56 +03:00
Jussi Kukkonen
98e97e31d9 legacy client: Do local filename encoding in all places
The original commit 051b8229 handled the loading and saving metadata
cases but the legacy client actually checks for the files existence
in various other places:
 * _update_versioninfo() never reads the file but operates differently
   depending on whether the file exists or not
 * _move_current_to_previous() that copies files around
 * MultiRepoUpdater initialization: this only handle root.json so
   is still correct
 * _update_fileinfo() which is dead code

Fix the first two of these cases.
2021-10-13 15:59:56 +03:00
Jussi Kukkonen
f569754f5e tests: Fix a bug in RepoSimulator signer lookup 2021-10-13 15:59:56 +03:00
Jussi Kukkonen
b2b2f21f99 tests: Make sure legacy client copes with unusual rolenames
Make sure rolenames like "../a" won't trick ngclient into creating the
metadata file outside the metadata cache.

The test data was semi-manually created with RepositorySimulator:
this test code could use RepositorySimulator directly instead (like the
ngclient tests do) but that would require some more infrastructural
work.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-10-13 15:59:56 +03:00
Jussi Kukkonen
1846e28ca3 tests: Test ngclient with unusual rolenames
Add support for adding delegated targets into RepositorySimulator.
Make the metadata URL parsing in RepositorySimulator more robust.

Add a test to make sure "../a" won't trick ngclient into creating the
metadata file outside the metadata cache.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-10-13 15:59:01 +03:00
Martin Vrachev
717eef9bb5 Repo simulator: make delegates() to all_targets()
Modify RepositorySimulator function delegates() to all_targets(), so
that all targets can be traversed and updated with one cycle when
calling update_snapshot() (which is the only use case for now for
delegates()).

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-13 10:40:29 +03:00
Martin Vrachev
f1f76d259f Repository_simulator: add a flag to compute hashes
Add an option to calculate the hashes and length for timestamp/snapshot
meta.
This will help to cover more use cases with the repository simulator.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-13 10:40:29 +03:00
Martin Vrachev
a30425c20d Introduce the idea of trusted/untrusted snapshot
If you do the following steps:
1. call Updater.refresh() and load, verify and cache all metadata files
2. modify timestamp snapshot meta information:
(One or more of hashes or length for snapshot changes here)
3. call Updater.refresh() again
4. root and timestamp will be updated to their latest versions
5. local snapshot will be loaded, but hashes/length will be different
than the ones in timestamp.snapshot_meta and that will prevent loading
6. remote snapshot is loaded and verification starts
then when executing step 6 the rollback checks will not be done because
the old snapshot was not loaded on step 5.

In order to resolve this issue, we are introducing the idea of trusted and
untrusted snapshot.
Trusted snapshot is the locally available cached version. This version has
been verified at least once meaning hashes and length were already checked
against timestamp.snapshot_meta hashes and length.
That's why we can allow loading a trusted snapshot version even if there is a
mismatch between the current timestamp.snapshot_meta hashes/length and
hashes/length inside the trusted snapshot.
Untrusted snapshot is the one downloaded from the web. It hasn't been verified
before and that's why we mandate that timestamp.snapshot_meta hashes and length
should match the hashes and legth calculated on this untrusted version of
snapshot.

As the TrustedMetadataSet doesn't have information which snapshot is trusted or
not, so possibly the best solution is to add a new argument "trusted"
to update_snapshot.
Even though this is ugly as the rest of the update functions doesn't
have such an argument, it seems the best solution as it seems to work
in all cases:
- when loading a local snapshot, we know the data has at some point been
trusted (signatures have been checked): it doesn't need to match hashes
now
- if there is no local snapshot and we're updating from remote, the
remote data must match meta hashes in timestamp
- if there is a local snapshot and we're updating from remote, the remote
data must match meta hashes in timestamp

Lastly, I want to point out that  hash checks for metadata files are not
essential to TUF security guarantees: they are just an additional layer of
security that allows us to avoid even parsing json that could be malicious -
we already know the malicious metadata would be stopped at metadata
verification after the parsing.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-13 10:40:28 +03:00
Martin Vrachev
c3e746a096 Tests: assert that test_targets use hash prefixes
Make sure that hash prefixes are added when downloading a target
through the repository simulator.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-07 15:28:21 +03:00
Martin Vrachev
0d73220dff Use decorator in test_updater_with_simulator
Reuse the decorator defined in tests/utils.py in order
to receive more helpful messages when an assertion
fails in test_tragets().

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-07 15:28:20 +03:00
Martin Vrachev
9989d3c614 Tests: move decorator in utils so it can be reused
Generalize the decorator used in test_metadata_serialization.py and
move it inside tests/utils.py, so it can be reused in other similar
situations.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-07 15:19:50 +03:00
Martin Vrachev
76cf36eb86 Handle consistent targets same as legacy updater
The definition of consistent targets in the spec is ambiguous:
"consistent target files should be written to non-volatile storage
as digest.filename.ext"
Additionally, the specification describes consistent targets when the
client builds the download URL as follows:
"The filename is of the form HASH.FILENAME.EXT".
The issue is about how we interpreted those quotes.
The legacy updater has decided this means a target path "a/b" will
translate to a download url path "a/{HASH}.b".
The ngclient however translates the target path "a/b" to a download url
path "{HASH}.a/b".

We decided we want to follow the same approach taken from the legacy
updater and thus change how we construct the consistent targets.
Additionally, we want to make sure we test for cases when the TARGETPATH
is an empty string or points to a directory.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-10-07 15:19:50 +03:00
Jussi Kukkonen
eeebc41638 ngclient: Don't use target path as local path
Doing so is not always safe and has various other issues
(like target paths "a/../b" and "b" ending up as the same
local path).

Instead URL-encode the target path to make it a plain filename. This
removes any opportunity for path trickery and removes the need to create
the required sub directories (which we were not doing currently, leading
to failed downloads). URL-encoding encodes much more than we really need
but doing so should not hurt: the important thing is that it encodes
all path separators.

Return the actual filepath as return value. I would like to modify the
arguments so caller could decide the filename if they want to. But I
won't do it now because updated_targets() (the caching mechanism)
relies on filenames being chosen by TUF. The plan is to make it
possible for caller to choose the filename though.

This is clearly a "filesystem API break" for anyone depending on the
actual target file names, and does not make sense if we do not plan to
go forward with other updated_targets()/download_target() changes
listed in #1580.

This is part of bigger plan in #1580
Fixes #1571

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-09-27 11:47:53 +03:00
Jussi Kukkonen
82b09679cc
Merge pull request #1588 from sechkova/session-timeout
ngclient: handle timeout on session.get()
2021-09-27 10:22:54 +03:00
Jussi Kukkonen
59b0b99ba3 tests: Improve the docs on RepositorySimulator
The handling of consistent snapshot was not very clear: try to make
it more obvious what is supported and what is not.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-09-24 13:41:52 +03:00
Jussi Kukkonen
1fb4204c26 tests: Add target support to RepositorySimulator
* Add very simple targets support into simulator
* Add documentation for the simulator
* Add an example targets test

This might need to be tweaked and/or extended as we add tests but the
implementation should give a good indication of how to extend it.

As an example, non-consistent targets are not yet supported, but
making fetch() check for the consistent_snapshot state and respond
accordingly should be easy.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2021-09-24 13:41:52 +03:00
Teodora Sechkova
7b61ad8538
ngclient: use mock instead of slow_retrieval_server
Instead of starting a dedicated slow_retrieval_server
to test for read timeout in RequestsFetcher, use
unittest.mock to mock the response.raw.read call.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
2021-09-21 14:04:28 +03:00
Teodora Sechkova
119693ff40
ngclient: handle timeout on session.get
RequestsFetcher now handles connect/read timeout
errors on session.get() as it does when reading data.

Adding a test which uses unittest.mock to patch the
session.get method instead of simulating the timeout
with a server.

Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
2021-09-21 14:03:29 +03:00
Martin Vrachev
f00295f147 API CHANGE: ValueError in add/remove key in Root
This is an API change to the exceptions thrown in Root.add_key()
and Root.remove_key().
The reason for that change is that in my opinion the correct exceptions
in these cases should be "ValueError" instead of "KeyError" as
the problems are in the given values - role doesn't exist or
key is not used by a particular role.

Additionally, document the thrown exceptions in "Root.add_key" and
add a test which invokes that exception.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2021-09-21 12:20:09 +03:00