* Added module docs and a simple example
* Experimented with sphinx linking for classes and methods
(it's pretty ugly in source format)
* Small improvements in the methods docs
Fixes#1385
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
The current situation with the TrustedMetadataSet testing is that
we don't have a mnimimal amount of unit tests testing the different
branches in the various API functionality in the class.
This commit proposes simple unit tests covering almost all of the
branches in the API functions and increasing the unit test coverage
(as reported from the "coverage" tool) from 74 % to 97 %.
The code could be complicated at places, because the different
branches in the update_* functions depend on other metadata classes
as well.
Still, I hope we can find a way and simplify the code.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Metadata.to_bytes() is missing from the API and that is now becoming
annoying when writing the tests.
I think it makes sense to add:
it'll complete the serializing counterparts to from_bytes()/from_file().
We can also reuse to_bytes() in to_file() and that way ensure we don't
import the JSONSerializer locally twice.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Updated/removed documented commands and comments which were referencing Python2. Also updated links to documentation referencing Python2 docs (unchanged where needed)
Signed-off-by: Samuel Gregorovic <samuelgregorovic@gmail.com>
Signed-off-by: samuelgregorovic <samuelgregorovic@gmail.com>
We made Role.keyids a set because the keyids are supposed
to be unique and this still makes sense.
However, the data should also preserve order
(when deserialized and serialized) and currently, it does not.
This is fairly serious since writing signed data potentially modifies
the data (making the signature invalid).
The simplest solution (as proposed by Teodora) is to sort the
set during serialization and that would ensure the order of the items.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Rename required_length argument in fetcher to
max_length to better match its purpose.
Docstring improvements.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
* Rename arguments so connection between the role name and the
metadata is stronger.
* Also add a comment on the list comprehension + next() trick.
* Add return value annotation
* Raise early if delegations is None to make the flow more obvious
(and modify test case so we have coverage for the new case)
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Make download_file and download_bytes functions part of
the FetcherInterface class. Remove download.py module.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
Add missing type annotations in download.py, fetcher.py
and requests_fetcher.py
Update docstrings to match the new style.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
It allows us to remove the disable of pylint consider-using-with
warning and does not require any manual file closing.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
Remove format checking of download_file() parameters.
The function is internal and receives trusted input from
updater.py.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
Remove the strict length check in download.py and
check only if an upper bowndary is exceeded.
Exact length is not known for some metadata files
during download. The check makes the code unnecessarily
complicated and is better suited for the later metadata
verification step.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
The average download speed check does not achieve its
purpose of protecting against slow retrieval attacks.
Such protection is highly dependent on the networking
stack which could be user-provided and not under
tuf's control.
The slow retrieval attack protection has been removed
from the specification for similar reasons.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
After a discussion with Jussi, we realized that there are a couple of
places where we don't want to allow unrecognized fields because the
they are sensitive dictionaries and the specification requires an items
of certain types inside them.
The places where we don't want to allow unrecognized fields are
"keys", "roles", "meta", "hashes" or "targets".
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
A while ago we decided that it's best to research each of the individuals
attributes one by one and identify what level of validation it needs
compared to how we use it:
https://github.com/theupdateframework/tuf/pull/1366#issuecomment-829288790.
This work is ongoing and there are a couple of commits already merged
for this:
- 6c5d970799
- f20664d2fc
- 41afb1e134
We want to be able to test the attributes validation against known bad
values.
The way we want to do that is with table testing we have added
using decorators for our metadata classes defined in New API:
https://github.com/theupdateframework/tuf/pull/1416.
This gives us an easy way to add new cases for each of the attributes and
not depend on external files.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
In pr https://github.com/theupdateframework/tuf/pull/1449 we introduced
Key validation and there decided to raise "ValueError" if one of
keyid, scheme, keyval or keytype is not a string.
That seems like a mistake given that in the python docs it's written:
"Passing arguments of the wrong type
(e.g. passing a list when an int is expected) should result
in a TypeError, but passing arguments with the wrong value
(e.g. a number outside expected boundaries) should result
in a ValueError."
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Stop using the settings module and add the RequestsFetcher
specific config as instance attributes.
Users of the requests-based fetcher implementation can
modify them after instantiating a RequestsFetcher
object if needed.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
Since configuration constants are now part of a
config class, make them lower case. This also avoids
pylint's invalid-name error for class attributes.
Remove the 'default' prefix as they are now configurable
options.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
Replace Updater._check_file_lenght and Updater._check_hashes_obj
with TargetFile.verify_length_and_hashes.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
Currently, we require that the keyval attribute in the Key class
is a dictionary and has "public" as a key, otherwise, we throw
KeyError or ValueError.
This requirement is too strict given that in the spec for KEYVAL it's
only said that KEYVAL is:
"A dictionary containing the public portion of the key."
See: https://theupdateframework.github.io/specification/latest/index.html#keyval
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Add a config module containing a dataclass
UpdaterConfig with all client settings.
Initialize updater with default settings
if no other condig is provided.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
Use MetaFile.verify_length_and_hashes during snapshot
and targets verification in TrustedMetadataSet.
Remove pylint: disable=too-many-branches.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
There was an attempt at ensuring key content uniqueness in
verify_delegate() by making sure the values corresponding to "public"
keys in Key.keyval dictionaries are unique. This had two issues:
* it wasn't a security measure: it's not difficult to produce two
different "public" values of the same key content
* Spec does not actually guarantee the existence of "public" key in
the keyval dictionary (the three keys included in the spec just all
happen to have it)
Luckily the spec does require KEYIDs to be unique so we do not need to
do all this: Just count keyids of keys with verified signatures. Keep
building a Set of keyids as a belt-and-suspenders strategy: Role keyids
are currently guaranteed to be unique but we'd notice here if they
weren't.
Add a logger call for failed verifys: this might useful to figure out
which keys exactly are the issue when a delegate can not be verified.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Make sure verify_delegate() succeeds when threshold is reached even if
some signatures fail to verify.
Make sure higher threshold (2/2) works.
Change error type for "Call is valid only on delegator metadata" error.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>