mirror of
https://github.com/theupdateframework/python-tuf
synced 2026-05-24 10:08:28 +00:00
385 lines
16 KiB
Python
Executable file
385 lines
16 KiB
Python
Executable file
#!/usr/bin/env python
|
|
|
|
# Copyright 2012 - 2017, New York University and the TUF contributors
|
|
# SPDX-License-Identifier: MIT OR Apache-2.0
|
|
|
|
"""
|
|
<Program Name>
|
|
test_keydb.py
|
|
|
|
<Author>
|
|
Vladimir Diaz <vladimir.v.diaz@gmail.com>
|
|
|
|
<Started>
|
|
October 2012.
|
|
|
|
<Copyright>
|
|
See LICENSE-MIT OR LICENSE for licensing information.
|
|
|
|
<Purpose>
|
|
Unit test for 'keydb.py'.
|
|
"""
|
|
|
|
# Help with Python 3 compatibility, where the print statement is a function, an
|
|
# implicit relative import is invalid, and the '/' operator performs true
|
|
# division. Example: print 'hello world' raises a 'SyntaxError' exception.
|
|
from __future__ import print_function
|
|
from __future__ import absolute_import
|
|
from __future__ import division
|
|
from __future__ import unicode_literals
|
|
|
|
import unittest
|
|
import logging
|
|
|
|
import tuf
|
|
import tuf.formats
|
|
import securesystemslib.keys
|
|
import securesystemslib.settings
|
|
import tuf.keydb
|
|
import tuf.log
|
|
|
|
logger = logging.getLogger('tuf.test_keydb')
|
|
|
|
|
|
# Generate the three keys to use in our test cases.
|
|
KEYS = []
|
|
for junk in range(3):
|
|
rsa_key = securesystemslib.keys.generate_rsa_key(2048)
|
|
rsa_key['keyid_hash_algorithms'] = securesystemslib.settings.HASH_ALGORITHMS
|
|
KEYS.append(rsa_key)
|
|
|
|
|
|
|
|
class TestKeydb(unittest.TestCase):
|
|
def setUp(self):
|
|
tuf.keydb.clear_keydb(clear_all=True)
|
|
|
|
|
|
|
|
def tearDown(self):
|
|
tuf.keydb.clear_keydb(clear_all=True)
|
|
|
|
|
|
|
|
def test_create_keydb(self):
|
|
# Test condition for normal behaviour.
|
|
repository_name = 'example_repository'
|
|
|
|
# The keydb dictionary should contain only the 'default' repository entry.
|
|
self.assertTrue('default' in tuf.keydb._keydb_dict)
|
|
self.assertEqual(1, len(tuf.keydb._keydb_dict))
|
|
|
|
|
|
tuf.keydb.create_keydb(repository_name)
|
|
self.assertEqual(2, len(tuf.keydb._keydb_dict))
|
|
|
|
# Verify that a keydb cannot be created for a name that already exists.
|
|
self.assertRaises(securesystemslib.exceptions.InvalidNameError, tuf.keydb.create_keydb, repository_name)
|
|
|
|
# Ensure that the key database for 'example_repository' is deleted so that
|
|
# the key database is returned to its original, default state.
|
|
tuf.keydb.remove_keydb(repository_name)
|
|
|
|
|
|
|
|
def test_remove_keydb(self):
|
|
# Test condition for expected behaviour.
|
|
rsakey = KEYS[0]
|
|
keyid = KEYS[0]['keyid']
|
|
|
|
repository_name = 'example_repository'
|
|
self.assertRaises(securesystemslib.exceptions.InvalidNameError, tuf.keydb.remove_keydb, 'default')
|
|
|
|
tuf.keydb.create_keydb(repository_name)
|
|
tuf.keydb.remove_keydb(repository_name)
|
|
|
|
# tuf.keydb.remove_keydb() logs a warning if a keydb for a non-existent
|
|
# repository is specified.
|
|
tuf.keydb.remove_keydb(repository_name)
|
|
|
|
# Test condition for improperly formatted argument, and unexpected argument.
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.remove_keydb, 123)
|
|
self.assertRaises(TypeError, tuf.keydb.remove_keydb, rsakey, 123)
|
|
|
|
|
|
|
|
def test_clear_keydb(self):
|
|
# Test condition ensuring 'clear_keydb()' clears the keydb database.
|
|
# Test the length of the keydb before and after adding a key.
|
|
self.assertEqual(0, len(tuf.keydb._keydb_dict['default']))
|
|
rsakey = KEYS[0]
|
|
keyid = KEYS[0]['keyid']
|
|
tuf.keydb._keydb_dict['default'][keyid] = rsakey
|
|
self.assertEqual(1, len(tuf.keydb._keydb_dict['default']))
|
|
tuf.keydb.clear_keydb()
|
|
self.assertEqual(0, len(tuf.keydb._keydb_dict['default']))
|
|
|
|
# Test condition for unexpected argument.
|
|
self.assertRaises(TypeError, tuf.keydb.clear_keydb, 'default', False, 'unexpected_argument')
|
|
|
|
# Test condition for improperly formatted arguments.
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.clear_keydb, 0)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.clear_keydb, 'default', 0)
|
|
|
|
# Test condition for non-existent repository name.
|
|
self.assertRaises(securesystemslib.exceptions.InvalidNameError, tuf.keydb.clear_keydb, 'non-existent')
|
|
|
|
# Test condition for keys added to a non-default key database. Unlike the
|
|
# test conditions above, this test makes use of the public functions
|
|
# add_key(), create_keydb(), and get_key() to more easily verify
|
|
# clear_keydb()'s behaviour.
|
|
rsakey = KEYS[0]
|
|
keyid = KEYS[0]['keyid']
|
|
repository_name = 'example_repository'
|
|
tuf.keydb.create_keydb(repository_name)
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid, repository_name)
|
|
tuf.keydb.add_key(rsakey, keyid, repository_name)
|
|
self.assertEqual(rsakey, tuf.keydb.get_key(keyid, repository_name))
|
|
|
|
tuf.keydb.clear_keydb(repository_name)
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid, repository_name)
|
|
|
|
# Remove 'repository_name' from the key database to revert it back to its
|
|
# original, default state (i.e., only the 'default' repository exists).
|
|
tuf.keydb.remove_keydb(repository_name)
|
|
|
|
|
|
|
|
def test_get_key(self):
|
|
# Test conditions using valid 'keyid' arguments.
|
|
rsakey = KEYS[0]
|
|
keyid = KEYS[0]['keyid']
|
|
tuf.keydb._keydb_dict['default'][keyid] = rsakey
|
|
rsakey2 = KEYS[1]
|
|
keyid2 = KEYS[1]['keyid']
|
|
tuf.keydb._keydb_dict['default'][keyid2] = rsakey2
|
|
|
|
self.assertEqual(rsakey, tuf.keydb.get_key(keyid))
|
|
self.assertEqual(rsakey2, tuf.keydb.get_key(keyid2))
|
|
self.assertNotEqual(rsakey2, tuf.keydb.get_key(keyid))
|
|
self.assertNotEqual(rsakey, tuf.keydb.get_key(keyid2))
|
|
|
|
# Test conditions using invalid arguments.
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.get_key, None)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.get_key, 123)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.get_key, ['123'])
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.get_key, {'keyid': '123'})
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.get_key, '')
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.get_key, keyid, 123)
|
|
|
|
# Test condition using a 'keyid' that has not been added yet.
|
|
keyid3 = KEYS[2]['keyid']
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
|
|
|
|
# Test condition for a key added to a non-default repository.
|
|
repository_name = 'example_repository'
|
|
rsakey3 = KEYS[2]
|
|
tuf.keydb.create_keydb(repository_name)
|
|
tuf.keydb.add_key(rsakey3, keyid3, repository_name)
|
|
|
|
# Test condition for a key added to a non-existent repository.
|
|
self.assertRaises(securesystemslib.exceptions.InvalidNameError, tuf.keydb.get_key,
|
|
keyid, 'non-existent')
|
|
|
|
# Verify that 'rsakey3' is added to the expected repository name.
|
|
# If not supplied, the 'default' repository name is searched.
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
|
|
self.assertEqual(rsakey3, tuf.keydb.get_key(keyid3, repository_name))
|
|
|
|
# Remove the 'example_repository' so that other test functions have access
|
|
# to a default state of the keydb.
|
|
tuf.keydb.remove_keydb(repository_name)
|
|
|
|
|
|
|
|
def test_add_key(self):
|
|
# Test conditions using valid 'keyid' arguments.
|
|
rsakey = KEYS[0]
|
|
keyid = KEYS[0]['keyid']
|
|
rsakey2 = KEYS[1]
|
|
keyid2 = KEYS[1]['keyid']
|
|
rsakey3 = KEYS[2]
|
|
keyid3 = KEYS[2]['keyid']
|
|
self.assertEqual(None, tuf.keydb.add_key(rsakey, keyid))
|
|
self.assertEqual(None, tuf.keydb.add_key(rsakey2, keyid2))
|
|
self.assertEqual(None, tuf.keydb.add_key(rsakey3))
|
|
|
|
self.assertEqual(rsakey, tuf.keydb.get_key(keyid))
|
|
self.assertEqual(rsakey2, tuf.keydb.get_key(keyid2))
|
|
self.assertEqual(rsakey3, tuf.keydb.get_key(keyid3))
|
|
|
|
# Test conditions using arguments with invalid formats.
|
|
tuf.keydb.clear_keydb()
|
|
rsakey3['keytype'] = 'bad_keytype'
|
|
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.add_key, None, keyid)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.add_key, '', keyid)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.add_key, ['123'], keyid)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.add_key, {'a': 'b'}, keyid)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.add_key, rsakey, {'keyid': ''})
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.add_key, rsakey, 123)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.add_key, rsakey, False)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.add_key, rsakey, ['keyid'])
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.add_key, rsakey3, keyid3)
|
|
rsakey3['keytype'] = 'rsa'
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.add_key, rsakey3, keyid3, 123)
|
|
|
|
# Test conditions where keyid does not match the rsakey.
|
|
self.assertRaises(securesystemslib.exceptions.Error, tuf.keydb.add_key, rsakey, keyid2)
|
|
self.assertRaises(securesystemslib.exceptions.Error, tuf.keydb.add_key, rsakey2, keyid)
|
|
|
|
# Test conditions using keyids that have already been added.
|
|
tuf.keydb.add_key(rsakey, keyid)
|
|
tuf.keydb.add_key(rsakey2, keyid2)
|
|
self.assertRaises(securesystemslib.exceptions.KeyAlreadyExistsError, tuf.keydb.add_key, rsakey)
|
|
self.assertRaises(securesystemslib.exceptions.KeyAlreadyExistsError, tuf.keydb.add_key, rsakey2)
|
|
|
|
# Test condition for key added to the keydb of a non-default repository.
|
|
repository_name = 'example_repository'
|
|
tuf.keydb.create_keydb(repository_name)
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3, repository_name)
|
|
tuf.keydb.add_key(rsakey3, keyid3, repository_name)
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
|
|
self.assertEqual(rsakey3, tuf.keydb.get_key(keyid3, repository_name))
|
|
|
|
# Test condition for key added to the keydb of a non-existent repository.
|
|
self.assertRaises(securesystemslib.exceptions.InvalidNameError, tuf.keydb.add_key,
|
|
rsakey3, keyid3, 'non-existent')
|
|
|
|
# Reset the keydb to its original, default state. Other test functions
|
|
# expect only the 'default' repository to exist.
|
|
tuf.keydb.remove_keydb(repository_name)
|
|
|
|
|
|
|
|
def test_remove_key(self):
|
|
# Test conditions using valid keyids.
|
|
rsakey = KEYS[0]
|
|
keyid = KEYS[0]['keyid']
|
|
rsakey2 = KEYS[1]
|
|
keyid2 = KEYS[1]['keyid']
|
|
rsakey3 = KEYS[2]
|
|
keyid3 = KEYS[2]['keyid']
|
|
tuf.keydb.add_key(rsakey, keyid)
|
|
tuf.keydb.add_key(rsakey2, keyid2)
|
|
tuf.keydb.add_key(rsakey3, keyid3)
|
|
|
|
self.assertEqual(None, tuf.keydb.remove_key(keyid))
|
|
self.assertEqual(None, tuf.keydb.remove_key(keyid2))
|
|
|
|
# Ensure the keys were actually removed.
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid)
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid2)
|
|
|
|
# Test for 'keyid' not in keydb.
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.remove_key, keyid)
|
|
|
|
# Test condition for unknown key argument.
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.remove_key, '1')
|
|
|
|
# Test condition for removal of keys from a non-default repository.
|
|
repository_name = 'example_repository'
|
|
tuf.keydb.create_keydb(repository_name)
|
|
tuf.keydb.add_key(rsakey, keyid, repository_name)
|
|
self.assertRaises(securesystemslib.exceptions.InvalidNameError, tuf.keydb.remove_key, keyid, 'non-existent')
|
|
tuf.keydb.remove_key(keyid, repository_name)
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.remove_key, keyid, repository_name)
|
|
|
|
# Reset the keydb so that subsequent tests have access to the original,
|
|
# default keydb.
|
|
tuf.keydb.remove_keydb(repository_name)
|
|
|
|
# Test conditions for arguments with invalid formats.
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.remove_key, None)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.remove_key, '')
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.remove_key, 123)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.remove_key, ['123'])
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.remove_key, keyid, 123)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError, tuf.keydb.remove_key, {'bad': '123'})
|
|
self.assertRaises(securesystemslib.exceptions.Error, tuf.keydb.remove_key, rsakey3)
|
|
|
|
|
|
|
|
def test_create_keydb_from_root_metadata(self):
|
|
# Test condition using a valid 'root_metadata' argument.
|
|
rsakey = KEYS[0]
|
|
keyid = KEYS[0]['keyid']
|
|
rsakey2 = KEYS[1]
|
|
keyid2 = KEYS[1]['keyid']
|
|
|
|
keydict = {keyid: rsakey, keyid2: rsakey2}
|
|
|
|
roledict = {'Root': {'keyids': [keyid], 'threshold': 1},
|
|
'Targets': {'keyids': [keyid2, keyid], 'threshold': 1}}
|
|
version = 8
|
|
consistent_snapshot = False
|
|
expires = '1985-10-21T01:21:00Z'
|
|
|
|
root_metadata = tuf.formats.RootFile.make_metadata(version, expires,
|
|
keydict, roledict, consistent_snapshot)
|
|
self.assertEqual(None, tuf.keydb.create_keydb_from_root_metadata(root_metadata))
|
|
tuf.keydb.create_keydb_from_root_metadata(root_metadata)
|
|
|
|
# Ensure 'keyid' and 'keyid2' were added to the keydb database.
|
|
self.assertEqual(rsakey, tuf.keydb.get_key(keyid))
|
|
self.assertEqual(rsakey2, tuf.keydb.get_key(keyid2))
|
|
|
|
# Verify that the keydb is populated for a non-default repository.
|
|
repository_name = 'example_repository'
|
|
tuf.keydb.create_keydb_from_root_metadata(root_metadata, repository_name)
|
|
|
|
# Test conditions for arguments with invalid formats.
|
|
self.assertRaises(securesystemslib.exceptions.FormatError,
|
|
tuf.keydb.create_keydb_from_root_metadata, None)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError,
|
|
tuf.keydb.create_keydb_from_root_metadata, '')
|
|
self.assertRaises(securesystemslib.exceptions.FormatError,
|
|
tuf.keydb.create_keydb_from_root_metadata, 123)
|
|
self.assertRaises(securesystemslib.exceptions.FormatError,
|
|
tuf.keydb.create_keydb_from_root_metadata, ['123'])
|
|
self.assertRaises(securesystemslib.exceptions.FormatError,
|
|
tuf.keydb.create_keydb_from_root_metadata, {'bad': '123'})
|
|
self.assertRaises(securesystemslib.exceptions.FormatError,
|
|
tuf.keydb.create_keydb_from_root_metadata, root_metadata, 123)
|
|
|
|
# Verify that a keydb cannot be created for a non-existent repository name.
|
|
tuf.keydb.create_keydb_from_root_metadata(root_metadata, 'non-existent')
|
|
|
|
# Remove the 'non-existent' and 'example_repository' key database so that
|
|
# subsequent test functions have access to a default keydb.
|
|
tuf.keydb.remove_keydb(repository_name)
|
|
tuf.keydb.remove_keydb('non-existent')
|
|
|
|
|
|
# Test conditions for correctly formatted 'root_metadata' arguments but
|
|
# containing incorrect keyids or key types. In these conditions, the keys
|
|
# should not be added to the keydb database and a warning should be logged.
|
|
tuf.keydb.clear_keydb()
|
|
|
|
# 'keyid' does not match 'rsakey2'.
|
|
keydict[keyid] = rsakey2
|
|
|
|
# Key with invalid keytype.
|
|
rsakey3 = KEYS[2]
|
|
keyid3 = KEYS[2]['keyid']
|
|
rsakey3['keytype'] = 'bad_keytype'
|
|
keydict[keyid3] = rsakey3
|
|
version = 8
|
|
expires = '1985-10-21T01:21:00Z'
|
|
|
|
root_metadata = tuf.formats.RootFile.make_metadata(version, expires,
|
|
keydict, roledict, consistent_snapshot)
|
|
self.assertEqual(None, tuf.keydb.create_keydb_from_root_metadata(root_metadata))
|
|
|
|
# Ensure only 'keyid2' was added to the keydb database. 'keyid' and
|
|
# 'keyid3' should not be stored.
|
|
self.assertEqual(rsakey2, tuf.keydb.get_key(keyid2))
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid)
|
|
self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
|
|
rsakey3['keytype'] = 'rsa'
|
|
|
|
|
|
|
|
# Run unit test.
|
|
if __name__ == '__main__':
|
|
unittest.main()
|