Skip to content

Commit

Permalink
Merge pull request #1025 from freedomofpress/683-avoid-assert
Browse files Browse the repository at this point in the history 
Stop using assert in validate_config.py
  • Loading branch information
@zenmonkeykstop
zenmonkeykstop authored May 9, 2024
2 parents 0d0f197 + cabba12 commit d686790
Showing 1 changed file with 49 additions and 34 deletions.
83 changes: 49 additions & 34 deletions files/validate_config.py
View file
Original file line number Diff line number Diff line change
Expand Up @@ -41,20 +41,20 @@ def __init__(self, config_base_dir=None):
self.validate_existing_size()

def confirm_config_file_exists(self):
try:
assert os.path.exists(self.config_filepath)
except AssertionError:
if not os.path.exists(self.config_filepath):
msg = "Config file does not exist: {}".format(self.config_filepath)
msg += "Create from config.json.example"
raise AssertionError(msg)
raise ValidationError(msg)

def confirm_environment_valid(self):
"""
The 'environment' config item is required to determine
whether prod or dev URLs are used for installing packages.
"""
assert "environment" in self.config
assert self.config["environment"] in ("prod", "dev", "staging")
if "environment" not in self.config:
raise ValidationError
if self.config["environment"] not in ("prod", "dev", "staging"):
raise ValidationError

def confirm_onion_config_valid(self):
"""
Expand All @@ -71,20 +71,27 @@ def confirm_onion_config_valid(self):
raise

def confirm_onion_v3_url(self):
assert "hidserv" in self.config
assert "hostname" in self.config["hidserv"]
assert re.match(TOR_V3_HOSTNAME_REGEX, self.config["hidserv"]["hostname"])
if "hidserv" not in self.config:
raise ValidationError
if "hostname" not in self.config["hidserv"]:
raise ValidationError
if not re.match(TOR_V3_HOSTNAME_REGEX, self.config["hidserv"]["hostname"]):
raise ValidationError

def confirm_onion_v3_auth(self):
assert "hidserv" in self.config
assert "key" in self.config["hidserv"]
assert re.match(TOR_V3_AUTH_REGEX, self.config["hidserv"]["key"])
if "hidserv" not in self.config:
raise ValidationError
if "key" not in self.config["hidserv"]:
raise ValidationError
if not re.match(TOR_V3_AUTH_REGEX, self.config["hidserv"]["key"]):
raise ValidationError

def confirm_submission_privkey_file(self):
"""
Import privkey into temporary keyring, to validate.
"""
assert os.path.exists(self.secret_key_filepath)
if not os.path.exists(self.secret_key_filepath):
raise ValidationError
gpg_cmd = ["gpg", "--import", self.secret_key_filepath]
result = False
with tempfile.TemporaryDirectory() as d:
Expand All @@ -98,21 +105,30 @@ def confirm_submission_privkey_file(self):
except subprocess.CalledProcessError:
# suppress error since "result" is checked next
pass
assert result, "GPG private key is not valid: {}".format(self.secret_key_filepath)

if not result:
raise ValidationError(
"GPG private key is not valid: {}".format(self.secret_key_filepath)
)

def confirm_submission_privkey_fingerprint(self):
assert "submission_key_fpr" in self.config
assert re.match("^[a-fA-F0-9]{40}$", self.config["submission_key_fpr"])
if "submission_key_fpr" not in self.config:
raise ValidationError
if not re.match("^[a-fA-F0-9]{40}$", self.config["submission_key_fpr"]):
raise ValidationError
gpg_cmd = ["gpg2", "--show-keys", self.secret_key_filepath]
try:
out = subprocess.check_output(gpg_cmd, stderr=subprocess.STDOUT).decode(
sys.stdout.encoding
)
match = " {}".format(self.config["submission_key_fpr"])
assert re.search(match, out), "Configured fingerprint does not match key!"
if not re.search(match, out):
raise ValidationError("Configured fingerprint does not match key!")

except subprocess.CalledProcessError as e:
assert False, "Key validation failed: {}".format(e.output.decode(sys.stdout.encoding))
raise ValidationError(
"Key validation failed: {}".format(e.output.decode(sys.stdout.encoding))
)

def read_config_file(self):
with open(self.config_filepath, "r") as f:
Expand All @@ -122,31 +138,30 @@ def read_config_file(self):
def validate_existing_size(self):
"""This method checks for existing private volume size and new
values in the config.json"""
assert "vmsizes" in self.config
assert "sd_app" in self.config["vmsizes"]
assert "sd_log" in self.config["vmsizes"]

assert isinstance(
self.config["vmsizes"]["sd_app"], int
), "Private volume size of sd-app must be an integer value."
assert isinstance(
self.config["vmsizes"]["sd_log"], int
), "Private volume size of sd-log must be an integer value."
if "vmsizes" not in self.config:
raise ValidationError
if "sd_app" not in self.config["vmsizes"]:
raise ValidationError
if "sd_log" not in self.config["vmsizes"]:
raise ValidationError

if not isinstance(self.config["vmsizes"]["sd_app"], int):
raise ValidationError("Private volume size of sd-app must be an integer value.")
if not isinstance(self.config["vmsizes"]["sd_log"], int):
raise ValidationError("Private volume size of sd-log must be an integer value.")

app = Qubes()
if "sd-app" in app.domains:
vm = app.domains["sd-app"]
vol = vm.volumes["private"]
assert (
vol.size <= self.config["vmsizes"]["sd_app"] * 1024 * 1024 * 1024
), "sd-app private volume is already bigger than configuration."
if not (vol.size <= self.config["vmsizes"]["sd_app"] * 1024 * 1024 * 1024):
raise ValidationError("sd-app private volume is already bigger than configuration.")

if "sd-log" in app.domains:
vm = app.domains["sd-log"]
vol = vm.volumes["private"]
assert (
vol.size <= self.config["vmsizes"]["sd_log"] * 1024 * 1024 * 1024
), "sd-log private volume is already bigger than configuration."
if not (vol.size <= self.config["vmsizes"]["sd_log"] * 1024 * 1024 * 1024):
raise ValidationError("sd-log private volume is already bigger than configuration.")


if __name__ == "__main__":
Expand Down

0 comments on commit d686790

Please sign in to comment.