The delegating Metadata (root or targets) verifies that the delegated
metadata is signed by required threshold of keys for the delegated
role.
Calling the function on non-delegator-metadata or giving a rolename
that is not actually delegated by the delegator is considered a
programming error and ValueError is raised.
If the threshold is not reached, UnsignedMetadataError is raised.
Tweak type annotation of Delegations.keys to match the one for
Root.keys (so they can be assigned to same local variable).
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
* updated_targets() both takes and returns a list
* download_target() argument can come from either
updated_targets() or get_one_valid_targetinfo()
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
TrustedMetadataSet is a long name but
* it better describes the main feature
* the name isn't used in too many places
Change the variable names "bundle" -> "trusted_set"
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Document why deleting the timestamp and snapshot files
is not needed to recover from a fast-forward attack.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
This is a new client library implementation using the Metadata API
(the only "old" file used is exceptions.py)
* Functional but largely still untested
* Requires work before it can replace tuf.client but should be good
enough to include in the repo
The major changes compared to current client so far are:
* Use of Metadata API
* Major simplification in the way downloads are handled due to removing
mirrors support
* Separating tracking of valid metadata into a separate component
* There's no MultiRepoUpdater
We do not expect other major changes (in the sense of moving large
amounts of code) but do plan to possibly improve the client API. The
API has already changed so this is not going to be a 1:1 compatible
implementation, but porting should not be difficult.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Start building the next-gen client: Copy existing components from the
current client.
All of these files have some changes compared to the already existing
copies (because ngclient uses the same linting rules as Metadata API).
* download.py is likely to see major changes in the future.
* requests_fetcher is likely to see some minor changes (like allowing
compression)
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Try to make errors derive from RepositoryError if they can be the
result of malicious or malfunctioning remote repository: The idea
here is that client can handle just RepositoryError instead of
individual errors (as it cannot do anything about any of them).
Also improve variable naming.
This is backwards compatible.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
We have merged ADR 8 allowing for unrecognized fields and we have
added tests for that which are too specific and not scalable.
Now, I use table testing which we have used initially in https://github.com/theupdateframework/tuf/pull/1416
to test unrecognized fields support in a cleaner and much more readable
way.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
There are no longer any files in TUF that came from Thandy, and
so the dual license is no longer required.
Signed-off-by: Marina Moore <mnm678@gmail.com>
We've been returning Signature objects since 49aa0fc167.
Also add a test case that does something with the returned signature.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
report an error whenever a function with type annotations calls a
function defined without annotations.
Also include exceptions.py in mypy checks.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
exceptions.py is used from metadata.py: Annotating it is required if we
want to enable "no_untyped_call" in mypy.
The only change is UnsignedMetadataError: I would have removed argument
"signable" altogether but figured this is not worth breaking API. So
now "signable" is still not used for anything but it is now optional.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
We're quite close to being able to enable only "strict = True" but not
quite there. In the mean time enable some useful individual settings.
disallow_untyped_defs:
report an error whenever code contains a function definition
without type annotations
warn_redundant_casts:
report an error whenever code uses an unnecessary cast
warn_unused_ignores:
report an error whenever code uses an unnecessary # type: ignore
comment
warn_unreachable:
report an error whenever code is determined to be unreachable or
redundant
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Explain the ways a delegation can happen: Do not try to cover the
complete process (specification should do that) but offer enough
details that the complexity is not completely hidden from the viewer.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Try to keep dostrings and comments to the point, avoid mentioning
details if they are not necessary or are likely to become outdated
and try to minimize number of comment lines.
Co-authored-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
The idea of this commit is to separate (de)serialization testing outside
test_api.py and make sure we are testing from_dict/to_dict for all
possible valid data for all classes.
Jussi in his comment here:
https://github.com/theupdateframework/tuf/issues/1391#issuecomment-849390669
proposed using decorators when creating comprehensive testing
for metadata serialization.
The main problems he pointed out is that:
1) there is a lot of code needed to generate the data for each case
2) the test implementation scales badly when you want to add new
cases for your tests, then you would have to add code as well
3) the dictionary format is not visible - we are loading external files
and assuming they are not changed and valid
In this change, I am using a decorator with an argument that complicates
the implementation of the decorator and requires three nested functions,
but the advantages are that we are resolving the above three problems:
1) we don't need new code when adding a new test case
2) a small amount of hardcoded data is required for each new test
3) the dictionaries are all in the test module without the need of
creating new directories and copying data.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Securesystemslib digest() and digest_fileobject()
calls raise sslib specific exceptions that need to be
handled and re-raised as TUF exceptions.
Updated tests in test_api.py accordingly.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
Changes tests/repository_data/keystore/root_key3* to be an ecdsa key,
created and encrypted with the generate_ecdsa_key and
encrypt_key methods of securesystemslib.keys.
The test_updater_root_rotation_integration.py test
tests both repotool and updater.
Signed-off-by: Velichka Atanasova <avelichka@vmware.com>
- valid length: greater than zero
- valid hashes: a non-empty dictionary of type Dict[str, str]
Checking the validity of hash algorithms is not part
of the metadata input validation and is done by
securesystemslib during hash verification.
Signed-off-by: Teodora Sechkova <tsechkova@vmware.com>
Test unknown signature algorithm/scheme.
Also shorten the incorrect (but syntactically valid) signature a bit.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Aim to only raise UnsignedMetadataError from verify_signature().
Some of the situations could be things like UnsupportedAlgorithmError
-- where the underlying reason may be a missing dependency -- but it
seems impossible for a client to know whether it's that or whether it
is broken or malicious server side.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>