Commit graph

741 commits

Author SHA1 Message Date
lukpueh
fdc0bc12a5
Merge pull request #876 from lixuefeng2/develop
Fix code style: add missing whitespace after operators
2019-09-17 12:57:48 +02:00
lukpueh
f6bd090960
Merge pull request #912 from joshuagl/joshuagl/sslcompat
Use TUF specific formats as they have been removed from securesystemslib
2019-09-17 12:20:26 +02:00
Joshua Lock
ecb6d26206 Remove deprecated securesystemslib.formats schemas
TUF specific schemas have moved to tuf.formats, ensure they are used
throughout and remove stray references to no longer supported schemas
in securesystemslib.format

Signed-off-by: Joshua Lock <jlock@vmware.com>
2019-09-17 10:28:10 +01:00
Sebastien Awwad
a9d7053d78 Use TUF exceptions instead of SSL exceptions where appropriate
Removal of securesystemslib exceptions that are TUF-specific
occurs in securesystemslib PR #165
https://github.com/secure-systems-lab/securesystemslib/pull/165

This commit adapts to those changes.  Exceptions that are specific
to TUF should be in TUF and not in securesystemslib.  This commit
uses those already-existing TUF exceptions instead of pointing to
securesystemslib exceptions that will be removed.

For example, securesystemslib has no notion of repositories, so
it's ridiculous to have a RepositoryError in securesystemslib and
ridiculous for TUF to use
securesystemslib.exceptions.RepositoryError.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2019-09-17 11:19:04 +02:00
Lukas Puehringer
b1365843dd Mandate semver for SPECIFICATION_VERSION_SCHEMA
Mandates Semantic Versioning format with
tuf.formats.SPECIFICATION_VERSION_SCHEMA using the regex referenced
on the official semver website. See:
https://semver.org/spec/v2.0.0.html#is-there-a-suggested-regular-expression-regex-to-check-a-semver-string
https://regex101.com/r/Ly7O1x/3/

Adopts tests accordingly:
 - removes tests that now fail earlier due to stricter format
 - adds tests to check exemplary valid and invalid version schemas

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-16 15:43:39 +02:00
Lukas Puehringer
2e21950c74 Re-generate projects test metadata
Re-generate metadata to adopt spec version format change, using
`generate_project_data.py`:

```
cd tests/repository_data && rm -rf project
python generate_project_data.py
```

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-16 15:43:39 +02:00
Lukas Puehringer
af1a21b05a Re-generate repository and client test metadata
Re-generate metadata to adopt spec version format change, using
`generate.py` plus some working around (see script below):

```
 # QUICKFIX: Patch add_target to pass file paths relative to targets dir
git apply - <<EOF
diff --git a/tests/repository_data/generate.py b/tests/repository_data/generate.py
index 6c263575..699ed00f 100755
--- a/tests/repository_data/generate.py
+++ b/tests/repository_data/generate.py
@@ -119,12 +119,11 @@ if not options.dry_run:
 # about the target (i.e., file permissions in octal format.)
 octal_file_permissions = oct(os.stat(target1_filepath).st_mode)[4:]
 file_permissions = {'file_permissions': octal_file_permissions}
-repository.targets.add_target(target1_filepath, file_permissions)
-repository.targets.add_target(target2_filepath)
+repository.targets.add_target('file1.txt', file_permissions)
+repository.targets.add_target('file2.txt')

-repository.targets.delegate('role1', [delegation_public],
-    [os.path.basename(target3_filepath)])
-repository.targets('role1').add_target(target3_filepath)
+repository.targets.delegate('role1', [delegation_public], ['file3.txt'])
+repository.targets('role1').add_target('file3.txt')
 repository.targets('role1').load_signing_key(delegation_private)

 repository.targets('role1').delegate('role2', [delegation_public], [])
EOF

 # Remove repository and client data
cd repository_data && rm -rf repository client
 # Generate metadata
python generate.py
 # Duplicate metadata files
cp -r client/test_repository1 client/test_repository2
 # Recover non-signed file
git checkout client/map.json
```
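
Review bot: The replacement `add_target` and `delegate` calls hardcode 'file1.txt', 'file2.txt' and 'file3.txt', while the unchanged context line still reads `os.stat(target1_filepath)`, so each target name is now stated in two places that can drift apart. Consider deriving the relative name from the existing variable, as the removed `delegate` call did with `os.path.basename(target3_filepath)`, for example `repository.targets.add_target(os.path.basename(target1_filepath), file_permissions)`. Because the comment marks this as a QUICKFIX applied through `git apply` at generation time, the change should also be committed to `generate.py` itself so the test metadata can be regenerated without the heredoc.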

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-16 15:43:39 +02:00
Lukas Puehringer
9d201d1657 Update SPEC_VERSION to semver-compliant 1.0.0
Updates SPEC_VERSION definition in tuf/__init__.py, test files and
docstring in formats.build_dict_conforming_to_schema.

Test metadata will be updated in separate commits.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-16 15:43:39 +02:00
lukpueh
4fb4cb280e
Merge pull request #890 from lukpueh/fix-coveralls
Fix publishing of coverage results to coveralls.io (+ misc test config updates)
2019-09-11 11:41:58 +02:00
Lukas Puehringer
e42dffd464 Add TUF-specific schemas removed in sslib
Add schemas KEYDB_SCHEMA, SIGNATURESTATUS_SCHEMA and
VERSIONINFO_SCHEMA, removed in
secure-systems-lab/securesystemslib#165 as TUF specific, and adopt
usage accordingly.

NOTE: The usefulness of these schemas may be assessed in a
different PR.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-05 15:16:05 +02:00
chentanjun
efbe0a3489 fix-up the the -> the
Signed-off-by: chentanjun <2799194073@qq.com>
2019-09-01 22:53:02 +08:00
chentanjun
8677b435ea fix-up tests package word spelling mistake
Signed-off-by: chentanjun <2799194073@qq.com>
2019-08-30 22:31:00 +08:00
Lukas Puehringer
478fcf7032 Move omit to run section in .coveragerc
Coverage used to be configured to omit certain directories while
reporting.

This commit slightly optimizes coverage to already omit those
directories while measuring coverage.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-07-11 14:32:49 +02:00
Lukas Puehringer
e8420483e2 Install TUF in editable mode in tox builds
This commit partially reverts the workaround introduced by
157167e0cc. Instead of patching the
path, we configure tox to install TUF in editable mode, which makes
the tests run against the same files as if the path were patched.
This makes it so that coverage records paths that it can then
normalize when sending them to coveralls.io (see .travis.yml).

See af22701140
for detailed background information.

As a consequence we can now skip building of sdist and installing it
into a virtual env directory in tox.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-07-11 14:32:49 +02:00
Lukas Puehringer
157167e0cc Fix coverage file paths by patching sys.path
This replicates behavior of unittest's `discover` method, and
allows `coverage` and the tool that posts coverage reports to
coveralls.io, i.e. `coveralls`, to record the correct paths and
left-strip the parts leading to the project directory.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-06-26 18:22:46 +02:00
lixuefeng (Cloud)
4ff5f2fedb just format
Signed-off-by: lixuefeng (Cloud) <li.xuefeng@h3c.com>
2019-05-25 15:47:27 +08:00
Sebastien Awwad
25aa71d4c6
PR revision: test build_dict_conforming... arg for schema type
Raise an error if it's not a schema.Object instance (not just
if it's not a schema.Schema instance).

Also adds a test for this.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2019-04-03 10:30:42 -04:00
Sebastien Awwad
3ac174f597
Use build_dict... instead of make_role_... in test_sig.py
since make_role_metadata is being replaced by
build_dict_conforming_to_schema

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2019-03-29 15:38:30 -04:00
Sebastien Awwad
7ecf522698
Automatically fill _type and spec_version in build_dict_c...
in tuf.formats.build_dict_conforming_to_schema

Populate _type with the expected value for the given schema, and
populate spec_version with tuf.SPECIFICATION_VERSION.  Do this only
when the values are not provided, and support overriding them.

Also adds testing for the above and takes advantage of the above
in repository_lib's _generate metadata functions.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2019-03-29 15:23:00 -04:00
Sebastien Awwad
47e05f8b96
Kill another partially-used metadata writing func
tuf.formats.make_role_metadata concerned itself with exclusivity checks
for paths and path_hash_prefixes, but no code actually used it for
relevant data.  It's yet another custom metadata writer replaced by
build_dict_conforming_to_schema.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2019-03-29 15:22:22 -04:00
Sebastien Awwad
e7c822954b
Update testing following MetaFile(etc) class removals
Testing will now use (and test) build_dict_conforming_to_schema.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2019-03-29 11:37:31 -04:00
Sebastien Awwad
d58bcf9c62
spec version support code cleanup
Specification version now only lives in tuf/__init__.py, and will only be
derived from there.

Specification version info is no longer in tuf.formats, where it was
previously moved from tuf.updater, since this was redundant.

Also finally corrects spec version testing in test_updater.py.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2019-03-29 11:08:43 -04:00
Sebastien Awwad
2c1ca1e5c1
test: Patch some holes in testing due to bad try/except/else
syntax/understanding.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2019-03-28 19:03:46 -04:00
Sebastien Awwad
18ef3b419d
Improve the way specification version is checked in metadata
and generate more friendly errors.  Prior to this, a test in
test_updater.py was written in such a way to not actually be
testing whether or not specification version checking was
working correctly -- the error updater.py raised if a specification
version number was not supported was the same as would be raised
if a role version was not the expected version, and, amusingly,
the test could not distinguish between these two scenarios and
was providing the wrong role version......

Specification version mismatch now raises a particular error:
UnsupportedSpecificationError.

The specification version supported by this code is now also all
in one place, tuf.formats rather than tuf.updater.

Related error messages and testing were improved (with some
edge cases closed).

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2019-03-28 18:30:03 -04:00
Nguyen Hai Truong
d36a4e5621 Remove redundant words in comment
Although these are spelling mistakes, they might have an effect
while reading.

Signed-off-by: Nguyen Hai Truong <truongnh@vn.fujitsu.com>
2019-02-26 14:35:30 +07:00
Sebastien Awwad
eb60084ebe
Reduce test spam by using unittest output buffering
Thanks go to @lukpueh for this helpful tip.

After merge, stdout should only appear if a test has failed. This
functionality is provided by `unittest.TextTestRunner` argument `buffer=True`.
This functions like the `--buffer` command line argument listed here:
https://docs.python.org/3/library/unittest.html#command-line-options

stdout is discarded if a test succeeds.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2019-02-19 13:38:10 -05:00
Sebastien Awwad
fffc53321b
Merge pull request #803 from theupdateframework/test_delay_increases
test: Remove port collision chance and lengthen delays for AppVeyor
2018-11-14 13:39:23 -05:00
Sebastien Awwad
90a1b77a46
DOC: correct outdated comments in test_proxy_use.py
relevant to the version of Python required for the proxy tests.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-11-14 11:39:31 -05:00
Sebastien Awwad
8866abbb83
test: remove port collision chance and lengthen delays for AppVeyor
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-11-14 10:54:02 -05:00
Sebastien Awwad
dad9f9f11b
test: extend sleep in testing after spawning server processes
This adds to PR #799; please see that for details.  In short,
tests sometimes fail on slow test systems (primarily on AppVeyor)
if we don't have long enough delays.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-11-06 09:59:24 -05:00
Sebastien Awwad
e99ff85b2c
test: extend a delay in testing after spawning server processes
This adds to PR #799; please see that for details.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-11-05 16:28:59 -05:00
Sebastien Awwad
375ef4bd0d
test: Delay more when spawning test servers to avoid rare failures
on AppVeyor during automatic testing.  Also explains a bit better
the reason for those delays, in the comments adjacent to them.

AppVeyor was occasionally laggy enough that spawning a separate
server process didn't happen fast enough for the included delays,
so connection attempts in the tests occasionally failed.

This lengthens a few 0.3s delays that I've seen pop up in test
failures to 2s delays, along with a few others for good measure.
Sadly, this slows testing a bit.... I'll keep an eye out for more
of these.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-11-05 16:14:33 -05:00
Sebastien Awwad
01d8d9e780
Test: tighten test-skip conditions and lengthen a subprocess sleep
After seeing some AppVeyor failures, I've increased the wait after
starting test HTTP, HTTPS, and proxy servers from 0.5s to 1s, to make
it less likely that tests will fail because the servers weren't done
starting up yet.

After some review comments by @aaaaalbert, I've tightened the logic
in aggregate_tests.py around which tests to skip unless a certain
Python version is running, and added some consistency checks.
This also involved a bit of clarification of comments and variable
names.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-10-02 17:06:20 -04:00
Sebastien Awwad
ebcb17bbef
Test: clear requests sessions when updating expected ssl certs
to make sure that the test uses the intended certificate. (There's some
indirect indication that the updated environment variable might not always
have been used.)

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-10-02 15:49:39 -04:00
Sebastien Awwad
e8a1ab1395
Test: simplify env variable overwrite/restore code in test_proxy_use
Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-10-02 15:31:55 -04:00
Sebastien Awwad
15b33b8277
Test: modularize: add func that spawns Python interpreter process
that draws from sys.executable (the currently running Python interpreter)
instead of assuming 'python' is correct. Use this function instead of having
many individual subprocess calls written out. Slightly simplifies code, too.

This should eventually be moved to a common test module instead of appearing
in two places in the test code.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-10-02 15:31:51 -04:00
Sebastien Awwad
ec27630a48
minor: PR tweaks based on review: doc, casing, typos, updates
- two reversions to unnecessary changes
- some typo fixes
- capitalization of HTTP/S where reasonable
- commenting out code section with ''' rather than #

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-10-02 15:01:38 -04:00
Sebastien Awwad
b163caa29b
Test: add https test with expired server certificate
in test_download.py. In the process, added another test cert
and generalized the server process killer in test_download.py.

Additionally, I added another expected-to-be-good certificate
that was generated in the same way as the new bad certificates
(but for their individual flaws of course). This is because
the new certs aren't exactly like the old good cert, so that
we have another cert to test against in case the way the
certs were generated turns out to matter at some point in the
future.

Also slightly increased a start-servers delay in the test
in response to one test system taking too long and seeing
connection issues. Probably not helped by the number of
processes. Clarified a related comment in the test code.

Also made a note that environment variable cleanup would be
good to add to test_download.py, either copied from or moved
somewhere accessible from test_proxy_use.py

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-26 14:15:36 -04:00
Sebastien Awwad
2b97c0e59c
Test: adjust proxy_server.py argument handling:
- if it is provided, don't require the certificate filename to be
  provided as an absolute path
- raise an error if the provided certificate filename does not
  point to an existing file, rather than just printing and
  ignoring (to avoid possible future diagnostic headaches)

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-26 13:10:17 -04:00
Sebastien Awwad
d69f9a2160
Test: changed target server cert checking in test proxy script
Added Python version checking and changed behavior
in Python2.7.9+ to use custom certificate for target server
inherited from command line argument.

In Python versions < 2.7.9, proxy_server.py does not perform certificate
validation of the target server. As that is not part of what the current
tests using this script require, that is currently OK. In Python
versions > 2.7.9 (SSLContext was added in 2.7.9), the same code actually does
check the certificate, using the system's trusted CAs. As a result, since we
are using custom certificates, we need to either disable certificate
checking in 2.7.9 or load the specific CA for target test server, using the
SSLContext and create_default_context functionality also added in 2.7.9. It
is easier to do the latter, so the behavior in 2.7.9+ is to check the cert
and below 2.7.9 is not to. Note that we do not support Python < 2.7.
SSLContext is also available in all Python3 versions that we support.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-26 12:46:14 -04:00
Sebastien Awwad
5312703fc7
Test: remove no-longer-used simple_proxy.py
as that set of tests is now redundant, and depended on Twisted,
which we need not depend on.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-25 15:36:54 -04:00
Sebastien Awwad
e5a50a6831
Test: rename proxy2.py as proxy_server.py
(from the original name in the source repository to a more useful
name here).

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-25 15:36:43 -04:00
Sebastien Awwad
75e126ac96
Test: remove redundant proxy tests and their requirements,
add more explanatory comments in test_proxy.use,
and prepare for rename of proxy2.py to proxy_server.py in next
commit (separate so that the rename can be seen as such).

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-25 15:04:08 -04:00
Sebastien Awwad
d29e4d1aad
Test: refine proxy2.py script a bit:
- move some configuration values up to the module level (proxy certs
  dir, proxy ca key and cert, general certs dir).
- add explanatory comments for these values
- create the proxy's host-specific client certificates directory
  if it does not yet exist.
- note that the module is not thread-safe
- fix a Windows-incompatible line (explicit path separator)

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-25 14:31:07 -04:00
Sebastien Awwad
34db5095aa
Test: clarify simple_proxy.py test script
and disable unused sections for clarity as well.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-25 13:55:22 -04:00
Sebastien Awwad
46fe1900b5
Test: add tests of HTTPS proxy compatibility
- client makes HTTPS connection to proxy; proxy makes HTTP
  connection to target server
- client makes HTTPS connection to proxy; proxy makes HTTPS
  connection to target server

Added functionality to the proxy2.py script to allow it to
take and use a certificate to use to validate the target
server.

Also added clarifying comments in test_proxy_use.py.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-25 13:52:03 -04:00
Sebastien Awwad
7288b71917
Test: fix a bug in arg processing for the proxy server
Fixes a typo in arg processing for test script proxy2.py.
Also removes an outdated comment and clarifies another.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-21 13:13:52 -04:00
Sebastien Awwad
2b019f65f7
Test: add proxy certs and reorganize certs in test data dir
for proxy testing. Also update the test scripts to point to
the new location of ssl certificates and ssl keys.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-21 13:13:52 -04:00
Sebastien Awwad
b7b73e592e
Test: add flag to toggle relay-only/intercept proxy behavior
in proxy2. And use it to run both relaying and intercepting proxies.

True:  normal HTTP proxy. Support HTTP & HTTPS connections to target server
False: intercepting MITM transparent HTTPS proxy. Makes own TLS connections
       and has its own cert; must be trusted by the client and is able to
       modify requests.

Also perform some cleanup of test_proxy_use.py

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-21 13:13:52 -04:00
Sebastien Awwad
46b584d8eb
Test: try download.py via various proxies
- adds inaz2/proxy2.py, copied code.
- adds dev dependency on twisted for a simple proxy test
- adds a new test module, test_proxy_use, and runs those tests only in
Python2.7 (as proxy2 only supports Python2.7) using new logic in
aggregate_tests.py.

Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
2018-09-21 13:13:45 -04:00