From 88a6ae0ca4aa183137dacd1973624bb79d4a01b1 Mon Sep 17 00:00:00 2001 From: Jussi Kukkonen Date: Mon, 11 Jan 2021 20:29:43 +0200 Subject: [PATCH] imports: Make 'roledb' imports vendoring-compatible Use "from tuf import " instead of "import tuf.": this makes it possible for vendoring tool to vendor tuf. Fix all references to in the code. Signed-off-by: Jussi Kukkonen --- tuf/client/updater.py | 22 ++--- tuf/developer_tool.py | 26 +++--- tuf/repository_lib.py | 110 ++++++++++++------------- tuf/repository_tool.py | 177 ++++++++++++++++++++--------------------- tuf/scripts/repo.py | 29 +++---- tuf/sig.py | 20 ++--- 6 files changed, 192 insertions(+), 192 deletions(-) diff --git a/tuf/client/updater.py b/tuf/client/updater.py index b6b45a0460..c23c45b72d 100755 --- a/tuf/client/updater.py +++ b/tuf/client/updater.py @@ -136,10 +136,10 @@ from tuf import formats from tuf import log from tuf import mirrors +from tuf import roledb import tuf.requests_fetcher import tuf.settings import tuf.keydb -import tuf.roledb import tuf.sig import securesystemslib.exceptions @@ -767,7 +767,7 @@ def __init__(self, repository_name, repository_mirrors, fetcher=None): # Load current and previous metadata. for metadata_set in ['current', 'previous']: - for metadata_role in tuf.roledb.TOP_LEVEL_ROLES: + for metadata_role in roledb.TOP_LEVEL_ROLES: self._load_metadata_from_file(metadata_set, metadata_role) # Raise an exception if the repository is missing the required 'root' @@ -914,7 +914,7 @@ def _rebuild_key_and_role_db(self): tuf.keydb.create_keydb_from_root_metadata(self.metadata['current']['root'], self.repository_name) - tuf.roledb.create_roledb_from_root_metadata(self.metadata['current']['root'], + roledb.create_roledb_from_root_metadata(self.metadata['current']['root'], self.repository_name) @@ -983,11 +983,11 @@ def _import_delegations(self, parent_role): # Add the roles to the role database. for roleinfo in roles_info: try: - # NOTE: tuf.roledb.add_role will take care of the case where rolename + # NOTE: roledb.add_role will take care of the case where rolename # is None. rolename = roleinfo.get('name') logger.debug('Adding delegated role: ' + str(rolename) + '.') - tuf.roledb.add_role(rolename, roleinfo, self.repository_name) + roledb.add_role(rolename, roleinfo, self.repository_name) except exceptions.RoleAlreadyExistsError: logger.warning('Role already exists: ' + rolename) @@ -2237,7 +2237,7 @@ def _delete_metadata(self, metadata_role): # Remove knowledge of the role. if metadata_role in self.metadata['current']: del self.metadata['current'][metadata_role] - tuf.roledb.remove_role(metadata_role, self.repository_name) + roledb.remove_role(metadata_role, self.repository_name) @@ -2341,8 +2341,8 @@ def all_targets(self): # Fetch the targets of the delegated roles. get_rolenames returns # all roles available on the repository. delegated_targets = [] - for role in tuf.roledb.get_rolenames(self.repository_name): - if role in tuf.roledb.TOP_LEVEL_ROLES: + for role in roledb.get_rolenames(self.repository_name): + if role in roledb.TOP_LEVEL_ROLES: continue else: @@ -2477,7 +2477,7 @@ def _targets_of_role(self, rolename, targets=None, skip_refresh=False): targets_of_role = list(targets) logger.debug('Getting targets of role: ' + repr(rolename) + '.') - if not tuf.roledb.role_exists(rolename, self.repository_name): + if not roledb.role_exists(rolename, self.repository_name): raise exceptions.UnknownRoleError(rolename) # We do not need to worry about the target paths being trusted because @@ -2579,7 +2579,7 @@ def targets_of_role(self, rolename='targets'): self._refresh_targets_metadata(refresh_all_delegated_roles=True) - if not tuf.roledb.role_exists(rolename, self.repository_name): + if not roledb.role_exists(rolename, self.repository_name): raise exceptions.UnknownRoleError(rolename) return self._targets_of_role(rolename, skip_refresh=True) @@ -2973,7 +2973,7 @@ def remove_obsolete_targets(self, destination_directory): # Iterate the rolenames and verify whether the 'previous' directory # contains a target no longer found in 'current'. - for role in tuf.roledb.get_rolenames(self.repository_name): + for role in roledb.get_rolenames(self.repository_name): if role.startswith('targets'): if role in self.metadata['previous'] and self.metadata['previous'][role] != None: for target in self.metadata['previous'][role]['targets']: diff --git a/tuf/developer_tool.py b/tuf/developer_tool.py index 14d50f4cdb..256bf626a1 100755 --- a/tuf/developer_tool.py +++ b/tuf/developer_tool.py @@ -42,8 +42,8 @@ from tuf import exceptions from tuf import formats from tuf import log +from tuf import roledb import tuf.keydb -import tuf.roledb import tuf.sig import tuf.repository_lib as repo_lib import tuf.repository_tool @@ -252,12 +252,12 @@ def write(self, write_partial=False): # Raise 'securesystemslib.exceptions.FormatError' if any are improperly formatted. securesystemslib.formats.BOOLEAN_SCHEMA.check_match(write_partial) - # At this point the tuf.keydb and tuf.roledb stores must be fully + # At this point the tuf.keydb and roledb stores must be fully # populated, otherwise write() throwns a 'tuf.Repository' exception if # any of the project roles are missing signatures, keys, etc. # Write the metadata files of all the delegated roles of the project. - delegated_rolenames = tuf.roledb.get_delegated_rolenames(self.project_name, + delegated_rolenames = roledb.get_delegated_rolenames(self.project_name, self.repository_name) for delegated_rolename in delegated_rolenames: @@ -311,7 +311,7 @@ def add_verification_key(self, key, expires=None): securesystemslib.exceptions.Error, if the project already contains a key. - The role's entries in 'tuf.keydb.py' and 'tuf.roledb.py' are updated. + The role's entries in 'tuf.keydb.py' and 'roledb' are updated. None @@ -370,7 +370,7 @@ def status(self): filenames['targets'] = os.path.join(metadata_directory, self.project_name) # Delegated roles. - delegated_roles = tuf.roledb.get_delegated_rolenames(self.project_name, + delegated_roles = roledb.get_delegated_rolenames(self.project_name, self.repository_name) insufficient_keys = [] insufficient_signatures = [] @@ -464,7 +464,7 @@ def _generate_and_write_metadata(rolename, metadata_filename, write_partial, # Retrieve the roleinfo of 'rolename' to extract the needed metadata # attributes, such as version number, expiration, etc. - roleinfo = tuf.roledb.get_roleinfo(rolename, repository_name) + roleinfo = roledb.get_roleinfo(rolename, repository_name) metadata = generate_targets_metadata(targets_directory, roleinfo['paths'], roleinfo['version'], roleinfo['expires'], roleinfo['delegations'], @@ -808,7 +808,7 @@ def load_project(project_directory, prefix='', new_targets_location=None, securesystemslib.formats.ANY_STRING_SCHEMA.check_match(prefix) # Clear the role and key databases since we are loading in a new project. - tuf.roledb.clear_roledb(clear_all=True) + roledb.clear_roledb(clear_all=True) tuf.keydb.clear_keydb(clear_all=True) # Locate metadata filepaths and targets filepath. @@ -878,7 +878,7 @@ def load_project(project_directory, prefix='', new_targets_location=None, project.add_signature(signature) # Update roledb.py containing the loaded project attributes. - roleinfo = tuf.roledb.get_roleinfo(project_name, repository_name) + roleinfo = roledb.get_roleinfo(project_name, repository_name) roleinfo['signatures'].extend(signable['signatures']) roleinfo['version'] = targets_metadata['version'] roleinfo['paths'] = targets_metadata['targets'] @@ -891,7 +891,7 @@ def load_project(project_directory, prefix='', new_targets_location=None, repository_name=repository_name): roleinfo['partial_loaded'] = True - tuf.roledb.update_roleinfo(project_name, roleinfo, mark_role_as_dirty=False, + roledb.update_roleinfo(project_name, roleinfo, mark_role_as_dirty=False, repository_name=repository_name) for key_metadata in targets_metadata['delegations']['keys'].values(): @@ -905,7 +905,7 @@ def load_project(project_directory, prefix='', new_targets_location=None, 'signing_keyids': [], 'signatures': [], 'partial_loaded':False, 'delegations': {'keys':{}, 'roles':[]} } - tuf.roledb.add_role(rolename, roleinfo, repository_name=repository_name) + roledb.add_role(rolename, roleinfo, repository_name=repository_name) # Load the delegated metadata and generate their fileinfo. targets_objects = {} @@ -941,7 +941,7 @@ def load_project(project_directory, prefix='', new_targets_location=None, metadata_object = _strip_prefix_from_targets_metadata(metadata_object, prefix) - roleinfo = tuf.roledb.get_roleinfo(metadata_name, repository_name) + roleinfo = roledb.get_roleinfo(metadata_name, repository_name) roleinfo['signatures'].extend(signable['signatures']) roleinfo['version'] = metadata_object['version'] roleinfo['expires'] = metadata_object['expires'] @@ -958,7 +958,7 @@ def load_project(project_directory, prefix='', new_targets_location=None, roleinfo['partial_loaded'] = True - tuf.roledb.update_roleinfo(metadata_name, roleinfo, + roledb.update_roleinfo(metadata_name, roleinfo, mark_role_as_dirty=False, repository_name=repository_name) # Append to list of elements to avoid reloading repeated metadata. @@ -989,7 +989,7 @@ def load_project(project_directory, prefix='', new_targets_location=None, 'partial_loaded': False, 'delegations': {'keys': {}, 'roles': []}} - tuf.roledb.add_role(rolename, roleinfo, repository_name=repository_name) + roledb.add_role(rolename, roleinfo, repository_name=repository_name) if new_prefix: project.prefix = new_prefix diff --git a/tuf/repository_lib.py b/tuf/repository_lib.py index 47f6c046d6..76c61753d3 100644 --- a/tuf/repository_lib.py +++ b/tuf/repository_lib.py @@ -43,8 +43,8 @@ from tuf import exceptions from tuf import formats from tuf import log +from tuf import roledb import tuf.keydb -import tuf.roledb import tuf.sig import tuf.settings @@ -109,7 +109,7 @@ def _generate_and_write_metadata(rolename, metadata_filename, # Retrieve the roleinfo of 'rolename' to extract the needed metadata # attributes, such as version number, expiration, etc. - roleinfo = tuf.roledb.get_roleinfo(rolename, repository_name) + roleinfo = roledb.get_roleinfo(rolename, repository_name) previous_keyids = roleinfo.get('previous_keyids', []) previous_threshold = roleinfo.get('previous_threshold', 1) signing_keyids = sorted(set(roleinfo['signing_keyids'])) @@ -164,7 +164,7 @@ def _generate_and_write_metadata(rolename, metadata_filename, # Update roledb with the latest delegations info collected during # generate_targets_metadata() - tuf.roledb.update_roleinfo(rolename, roleinfo, + roledb.update_roleinfo(rolename, roleinfo, repository_name=repository_name) @@ -179,16 +179,16 @@ def _generate_and_write_metadata(rolename, metadata_filename, # properly signed). current_version = metadata['version'] if increment_version_number: - roleinfo = tuf.roledb.get_roleinfo(rolename, repository_name) + roleinfo = roledb.get_roleinfo(rolename, repository_name) metadata['version'] = metadata['version'] + 1 roleinfo['version'] = roleinfo['version'] + 1 - tuf.roledb.update_roleinfo(rolename, roleinfo, + roledb.update_roleinfo(rolename, roleinfo, repository_name=repository_name) else: logger.debug('Not incrementing ' + repr(rolename) + '\'s version number.') - if rolename in tuf.roledb.TOP_LEVEL_ROLES and not allow_partially_signed: + if rolename in roledb.TOP_LEVEL_ROLES and not allow_partially_signed: # Verify that the top-level 'rolename' is fully signed. Only a delegated # role should not be written to disk without full verification of its # signature(s), since it can only be considered fully signed depending on @@ -226,9 +226,9 @@ def should_write(): else: # Since new metadata cannot be successfully written, restore the current # version number. - roleinfo = tuf.roledb.get_roleinfo(rolename, repository_name) + roleinfo = roledb.get_roleinfo(rolename, repository_name) roleinfo['version'] = current_version - tuf.roledb.update_roleinfo(rolename, roleinfo, + roledb.update_roleinfo(rolename, roleinfo, repository_name=repository_name) # Note that 'signable' is an argument to tuf.UnsignedMetadataError(). @@ -269,7 +269,7 @@ def _metadata_is_partially_loaded(rolename, signable, repository_name): signatures. If 'rolename' is found to be partially loaded, mark it as partially loaded in - its 'tuf.roledb' roleinfo. This function exists to assist in deciding whether + its 'roledb' roleinfo. This function exists to assist in deciding whether a role's version number should be incremented when write() or write_parital() is called. Return True if 'rolename' was partially loaded, False otherwise. """ @@ -296,8 +296,8 @@ def _check_role_keys(rolename, repository_name): """ # Extract the total number of public and private keys of 'rolename' from its - # roleinfo in 'tuf.roledb'. - roleinfo = tuf.roledb.get_roleinfo(rolename, repository_name) + # roleinfo in 'roledb'. + roleinfo = roledb.get_roleinfo(rolename, repository_name) total_keyids = len(roleinfo['keyids']) threshold = roleinfo['threshold'] total_signatures = len(roleinfo['signatures']) @@ -415,14 +415,14 @@ def _delete_obsolete_metadata(metadata_directory, snapshot_metadata, logger.debug(repr(metadata_role) + ' does not match' ' supported extension ' + repr(METADATA_EXTENSION)) - if metadata_role in tuf.roledb.TOP_LEVEL_ROLES: + if metadata_role in roledb.TOP_LEVEL_ROLES: logger.debug('Not removing top-level metadata ' + repr(metadata_role)) return - # Delete the metadata file if it does not exist in 'tuf.roledb'. + # Delete the metadata file if it does not exist in 'roledb'. # 'repository_tool.py' might have removed 'metadata_name,' # but its metadata file is not actually deleted yet. Do it now. - if not tuf.roledb.role_exists(metadata_role, repository_name): + if not roledb.role_exists(metadata_role, repository_name): logger.info('Removing outdated metadata: ' + repr(metadata_path)) storage_backend.remove(metadata_path) @@ -508,10 +508,10 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): root_metadata = signable['signed'] tuf.keydb.create_keydb_from_root_metadata(root_metadata, repository_name) - tuf.roledb.create_roledb_from_root_metadata(root_metadata, repository_name) + roledb.create_roledb_from_root_metadata(root_metadata, repository_name) - # Load Root's roleinfo and update 'tuf.roledb'. - roleinfo = tuf.roledb.get_roleinfo('root', repository_name) + # Load Root's roleinfo and update 'roledb'. + roleinfo = roledb.get_roleinfo('root', repository_name) roleinfo['consistent_snapshot'] = root_metadata['consistent_snapshot'] roleinfo['signatures'] = [] for signature in signable['signatures']: @@ -534,7 +534,7 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): _log_warning_if_expires_soon(ROOT_FILENAME, roleinfo['expires'], ROOT_EXPIRES_WARN_SECONDS) - tuf.roledb.update_roleinfo('root', roleinfo, mark_role_as_dirty=False, + roledb.update_roleinfo('root', roleinfo, mark_role_as_dirty=False, repository_name=repository_name) # Ensure the 'consistent_snapshot' field is extracted. @@ -552,8 +552,8 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): for signature in signable['signatures']: repository.timestamp.add_signature(signature, mark_role_as_dirty=False) - # Load Timestamp's roleinfo and update 'tuf.roledb'. - roleinfo = tuf.roledb.get_roleinfo('timestamp', repository_name) + # Load Timestamp's roleinfo and update 'roledb'. + roleinfo = roledb.get_roleinfo('timestamp', repository_name) roleinfo['expires'] = timestamp_metadata['expires'] roleinfo['version'] = timestamp_metadata['version'] @@ -566,7 +566,7 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): _log_warning_if_expires_soon(TIMESTAMP_FILENAME, roleinfo['expires'], TIMESTAMP_EXPIRES_WARN_SECONDS) - tuf.roledb.update_roleinfo('timestamp', roleinfo, mark_role_as_dirty=False, + roledb.update_roleinfo('timestamp', roleinfo, mark_role_as_dirty=False, repository_name=repository_name) except securesystemslib.exceptions.StorageError as error: @@ -598,8 +598,8 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): for signature in signable['signatures']: repository.snapshot.add_signature(signature, mark_role_as_dirty=False) - # Load Snapshot's roleinfo and update 'tuf.roledb'. - roleinfo = tuf.roledb.get_roleinfo('snapshot', repository_name) + # Load Snapshot's roleinfo and update 'roledb'. + roleinfo = roledb.get_roleinfo('snapshot', repository_name) roleinfo['expires'] = snapshot_metadata['expires'] roleinfo['version'] = snapshot_metadata['version'] @@ -612,7 +612,7 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): _log_warning_if_expires_soon(SNAPSHOT_FILENAME, roleinfo['expires'], SNAPSHOT_EXPIRES_WARN_SECONDS) - tuf.roledb.update_roleinfo('snapshot', roleinfo, mark_role_as_dirty=False, + roledb.update_roleinfo('snapshot', roleinfo, mark_role_as_dirty=False, repository_name=repository_name) except securesystemslib.exceptions.StorageError as error: @@ -640,8 +640,8 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): for signature in signable['signatures']: repository.targets.add_signature(signature, mark_role_as_dirty=False) - # Update 'targets.json' in 'tuf.roledb.py' - roleinfo = tuf.roledb.get_roleinfo('targets', repository_name) + # Update 'targets.json' in 'roledb' + roleinfo = roledb.get_roleinfo('targets', repository_name) roleinfo['paths'] = targets_metadata['targets'] roleinfo['version'] = targets_metadata['version'] roleinfo['expires'] = targets_metadata['expires'] @@ -656,7 +656,7 @@ def _load_top_level_metadata(repository, top_level_filenames, repository_name): _log_warning_if_expires_soon(TARGETS_FILENAME, roleinfo['expires'], TARGETS_EXPIRES_WARN_SECONDS) - tuf.roledb.update_roleinfo('targets', roleinfo, mark_role_as_dirty=False, + roledb.update_roleinfo('targets', roleinfo, mark_role_as_dirty=False, repository_name=repository_name) # Add the keys specified in the delegations field of the Targets role. @@ -872,7 +872,7 @@ def get_delegated_roles_metadata_filenames(metadata_directory, continue # Skip top-level roles, only interested in delegated roles. - if metadata_name in tuf.roledb.TOP_LEVEL_ROLES: + if metadata_name in roledb.TOP_LEVEL_ROLES: continue # Prevent reloading duplicate versions if consistent_snapshot is True @@ -1039,7 +1039,7 @@ def get_metadata_versioninfo(rolename, repository_name): # types, and that all dict keys are properly named. formats.ROLENAME_SCHEMA.check_match(rolename) - roleinfo = tuf.roledb.get_roleinfo(rolename, repository_name) + roleinfo = roledb.get_roleinfo(rolename, repository_name) versioninfo = {'version': roleinfo['version']} return versioninfo @@ -1195,7 +1195,7 @@ def generate_root_metadata(version, expiration_date, consistent_snapshot, repository_name='default'): """ - Create the root metadata. 'tuf.roledb.py' and 'tuf.keydb.py' + Create the root metadata. 'roledb' and 'tuf.keydb.py' are read and the information returned by these modules is used to generate the root metadata object. @@ -1224,10 +1224,10 @@ def generate_root_metadata(version, expiration_date, consistent_snapshot, securesystemslib.exceptions.Error, if an error is encountered while generating the root metadata object (e.g., a required top-level role not - found in 'tuf.roledb'.) + found in 'roledb'.) - The contents of 'tuf.keydb.py' and 'tuf.roledb.py' are read. + The contents of 'tuf.keydb.py' and 'roledb' are read. A root metadata object, conformant to 'tuf.formats.ROOT_SCHEMA'. @@ -1252,22 +1252,22 @@ def generate_root_metadata(version, expiration_date, consistent_snapshot, # Extract the role, threshold, and keyid information of the top-level roles, # which Root stores in its metadata. The necessary role metadata is generated # from this information. - for rolename in tuf.roledb.TOP_LEVEL_ROLES: + for rolename in roledb.TOP_LEVEL_ROLES: - # If a top-level role is missing from 'tuf.roledb.py', raise an exception. - if not tuf.roledb.role_exists(rolename, repository_name): + # If a top-level role is missing from 'roledb', raise an exception. + if not roledb.role_exists(rolename, repository_name): raise securesystemslib.exceptions.Error(repr(rolename) + ' not in' - ' "tuf.roledb".') + ' "roledb".') # Collect keys from all roles in a list - keyids = tuf.roledb.get_role_keyids(rolename, repository_name) + keyids = roledb.get_role_keyids(rolename, repository_name) for keyid in keyids: key = tuf.keydb.get_key(keyid, repository_name=repository_name) keylist.append(key) # Generate the authentication information Root establishes for each # top-level role. - role_threshold = tuf.roledb.get_role_threshold(rolename, repository_name) + role_threshold = roledb.get_role_threshold(rolename, repository_name) role_metadata = formats.build_dict_conforming_to_schema( formats.ROLE_SCHEMA, keyids=keyids, @@ -1406,9 +1406,9 @@ def generate_targets_metadata(targets_directory, target_files, version, delegations_keys = [] # Update 'keyids' and 'threshold' for each delegated role for role in delegations['roles']: - role['keyids'] = tuf.roledb.get_role_keyids(role['name'], + role['keyids'] = roledb.get_role_keyids(role['name'], repository_name) - role['threshold'] = tuf.roledb.get_role_threshold(role['name'], + role['threshold'] = roledb.get_role_threshold(role['name'], repository_name) # Collect all delegations keys for generating the delegations keydict @@ -1666,8 +1666,8 @@ def generate_snapshot_metadata(metadata_directory, version, expiration_date, # in the roledb are included in the Snapshot metadata. Since the # snapshot and timestamp roles are not listed in snapshot.json, do not # list these roles found in the metadata directory. - if tuf.roledb.role_exists(rolename, repository_name) and \ - rolename not in tuf.roledb.TOP_LEVEL_ROLES: + if roledb.role_exists(rolename, repository_name) and \ + rolename not in roledb.TOP_LEVEL_ROLES: length, hashes = _get_hashes_and_length_if_needed(use_length, use_hashes, os.path.join(metadata_directory, metadata_filename), storage_backend) @@ -2034,9 +2034,9 @@ def _log_status_of_top_level_roles(targets_directory, metadata_directory, # Do the top-level roles contain a valid threshold of signatures? Top-level # metadata is verified in Root -> Targets -> Snapshot -> Timestamp order. # Verify the metadata of the Root role. - dirty_rolenames = tuf.roledb.get_dirty_roles(repository_name) + dirty_rolenames = roledb.get_dirty_roles(repository_name) - root_roleinfo = tuf.roledb.get_roleinfo('root', repository_name) + root_roleinfo = roledb.get_roleinfo('root', repository_name) root_is_dirty = None if 'root' in dirty_rolenames: root_is_dirty = True @@ -2058,12 +2058,12 @@ def _log_status_of_top_level_roles(targets_directory, metadata_directory, return finally: - tuf.roledb.unmark_dirty(['root'], repository_name) - tuf.roledb.update_roleinfo('root', root_roleinfo, + roledb.unmark_dirty(['root'], repository_name) + roledb.update_roleinfo('root', root_roleinfo, mark_role_as_dirty=root_is_dirty, repository_name=repository_name) # Verify the metadata of the Targets role. - targets_roleinfo = tuf.roledb.get_roleinfo('targets', repository_name) + targets_roleinfo = roledb.get_roleinfo('targets', repository_name) targets_is_dirty = None if 'targets' in dirty_rolenames: targets_is_dirty = True @@ -2083,12 +2083,12 @@ def _log_status_of_top_level_roles(targets_directory, metadata_directory, return finally: - tuf.roledb.unmark_dirty(['targets'], repository_name) - tuf.roledb.update_roleinfo('targets', targets_roleinfo, + roledb.unmark_dirty(['targets'], repository_name) + roledb.update_roleinfo('targets', targets_roleinfo, mark_role_as_dirty=targets_is_dirty, repository_name=repository_name) # Verify the metadata of the snapshot role. - snapshot_roleinfo = tuf.roledb.get_roleinfo('snapshot', repository_name) + snapshot_roleinfo = roledb.get_roleinfo('snapshot', repository_name) snapshot_is_dirty = None if 'snapshot' in dirty_rolenames: snapshot_is_dirty = True @@ -2109,12 +2109,12 @@ def _log_status_of_top_level_roles(targets_directory, metadata_directory, return finally: - tuf.roledb.unmark_dirty(['snapshot'], repository_name) - tuf.roledb.update_roleinfo('snapshot', snapshot_roleinfo, + roledb.unmark_dirty(['snapshot'], repository_name) + roledb.update_roleinfo('snapshot', snapshot_roleinfo, mark_role_as_dirty=snapshot_is_dirty, repository_name=repository_name) # Verify the metadata of the Timestamp role. - timestamp_roleinfo = tuf.roledb.get_roleinfo('timestamp', repository_name) + timestamp_roleinfo = roledb.get_roleinfo('timestamp', repository_name) timestamp_is_dirty = None if 'timestamp' in dirty_rolenames: timestamp_is_dirty = True @@ -2135,8 +2135,8 @@ def _log_status_of_top_level_roles(targets_directory, metadata_directory, return finally: - tuf.roledb.unmark_dirty(['timestamp'], repository_name) - tuf.roledb.update_roleinfo('timestamp', timestamp_roleinfo, + roledb.unmark_dirty(['timestamp'], repository_name) + roledb.update_roleinfo('timestamp', timestamp_roleinfo, mark_role_as_dirty=timestamp_is_dirty, repository_name=repository_name) diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py index 498652ab18..6dca4790c2 100755 --- a/tuf/repository_tool.py +++ b/tuf/repository_tool.py @@ -46,7 +46,7 @@ from tuf import exceptions from tuf import formats from tuf import log -import tuf.roledb +from tuf import roledb import tuf.sig import tuf.repository_lib as repo_lib @@ -250,7 +250,7 @@ def __init__(self, repository_directory, metadata_directory, self._use_snapshot_hashes = use_snapshot_hashes try: - tuf.roledb.create_roledb(repository_name) + roledb.create_roledb(repository_name) tuf.keydb.create_keydb(repository_name) except securesystemslib.exceptions.InvalidNameError: @@ -314,7 +314,7 @@ def writeall(self, consistent_snapshot=False, use_existing_fileinfo=False): # formatted. securesystemslib.formats.BOOLEAN_SCHEMA.check_match(consistent_snapshot) - # At this point, tuf.keydb and tuf.roledb must be fully populated, + # At this point, tuf.keydb and roledb must be fully populated, # otherwise writeall() throws a 'tuf.exceptions.UnsignedMetadataError' for # the top-level roles. exception if any of the top-level roles are missing # signatures, keys, etc. @@ -328,12 +328,12 @@ def writeall(self, consistent_snapshot=False, use_existing_fileinfo=False): repo_lib.TIMESTAMP_FILENAME)} snapshot_signable = None - dirty_rolenames = tuf.roledb.get_dirty_roles(self._repository_name) + dirty_rolenames = roledb.get_dirty_roles(self._repository_name) for dirty_rolename in dirty_rolenames: # Ignore top-level roles, they will be generated later in this method. - if dirty_rolename in tuf.roledb.TOP_LEVEL_ROLES: + if dirty_rolename in roledb.TOP_LEVEL_ROLES: continue dirty_filename = os.path.join(self._metadata_directory, @@ -349,7 +349,7 @@ def writeall(self, consistent_snapshot=False, use_existing_fileinfo=False): # metadata file. _generate_and_write_metadata() raises a # 'securesystemslib.exceptions.Error' exception if the metadata cannot be # written. - root_roleinfo = tuf.roledb.get_roleinfo('root', self._repository_name) + root_roleinfo = roledb.get_roleinfo('root', self._repository_name) old_consistent_snapshot = root_roleinfo['consistent_snapshot'] if 'root' in dirty_rolenames or consistent_snapshot != old_consistent_snapshot: repo_lib._generate_and_write_metadata('root', filenames['root'], @@ -384,9 +384,9 @@ def writeall(self, consistent_snapshot=False, use_existing_fileinfo=False): use_timestamp_length=self._use_timestamp_length, use_timestamp_hashes=self._use_timestamp_hashes) - tuf.roledb.unmark_dirty(dirty_rolenames, self._repository_name) + roledb.unmark_dirty(dirty_rolenames, self._repository_name) - # Delete the metadata of roles no longer in 'tuf.roledb'. Obsolete roles + # Delete the metadata of roles no longer in 'roledb'. Obsolete roles # may have been revoked and should no longer have their metadata files # available on disk, otherwise loading a repository may unintentionally # load them. @@ -460,7 +460,7 @@ def write(self, rolename, consistent_snapshot=False, increment_version_number=Tr use_existing_fileinfo=use_existing_fileinfo) # Ensure 'rolename' is no longer marked as dirty after the successful write(). - tuf.roledb.unmark_dirty([rolename], self._repository_name) + roledb.unmark_dirty([rolename], self._repository_name) @@ -536,7 +536,7 @@ def dirty_roles(self): None. """ - logger.info('Dirty roles: ' + str(tuf.roledb.get_dirty_roles(self._repository_name))) + logger.info('Dirty roles: ' + str(roledb.get_dirty_roles(self._repository_name))) @@ -560,7 +560,7 @@ def mark_dirty(self, roles): None. """ - tuf.roledb.mark_dirty(roles, self._repository_name) + roledb.mark_dirty(roles, self._repository_name) @@ -584,7 +584,7 @@ def unmark_dirty(self, roles): None. """ - tuf.roledb.unmark_dirty(roles, self._repository_name) + roledb.unmark_dirty(roles, self._repository_name) @@ -721,8 +721,7 @@ def add_verification_key(self, key, expires=None): expired. - The role's entries in 'tuf.keydb.py' and 'tuf.roledb.py' are - updated. + The role's entries in 'tuf.keydb.py' and 'roledb' are updated. None. @@ -791,19 +790,19 @@ def add_verification_key(self, key, expires=None): logger.warning('Adding a verification key that has already been used.') keyid = key['keyid'] - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) # Save the keyids that are being replaced since certain roles will need to # re-sign metadata with these keys (e.g., root). Use list() to make a copy # of roleinfo['keyids'] to ensure we're modifying distinct lists. previous_keyids = list(roleinfo['keyids']) - # Add 'key' to the role's entry in 'tuf.roledb.py', and avoid duplicates. + # Add 'key' to the role's entry in 'roledb', and avoid duplicates. if keyid not in roleinfo['keyids']: roleinfo['keyids'].append(keyid) roleinfo['previous_keyids'] = previous_keyids - tuf.roledb.update_roleinfo(self._rolename, roleinfo, + roledb.update_roleinfo(self._rolename, roleinfo, repository_name=self._repository_name) @@ -833,7 +832,7 @@ def remove_verification_key(self, key): previously added. - Updates the role's 'tuf.roledb.py' entry. + Updates the role's 'roledb' entry. None. @@ -846,12 +845,12 @@ def remove_verification_key(self, key): securesystemslib.formats.ANYKEY_SCHEMA.check_match(key) keyid = key['keyid'] - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) if keyid in roleinfo['keyids']: roleinfo['keyids'].remove(keyid) - tuf.roledb.update_roleinfo(self._rolename, roleinfo, + roledb.update_roleinfo(self._rolename, roleinfo, repository_name=self._repository_name) else: @@ -883,7 +882,7 @@ def load_signing_key(self, key): securesystemslib.exceptions.Error, if the private key is not found in 'key'. - Updates the role's 'tuf.keydb.py' and 'tuf.roledb.py' entries. + Updates the role's 'tuf.keydb.py' and 'roledb' entries. None. @@ -909,12 +908,12 @@ def load_signing_key(self, key): tuf.keydb.remove_key(key['keyid'], self._repository_name) tuf.keydb.add_key(key, repository_name=self._repository_name) - # Update the role's 'signing_keys' field in 'tuf.roledb.py'. - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + # Update the role's 'signing_keys' field in 'roledb'. + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) if key['keyid'] not in roleinfo['signing_keyids']: roleinfo['signing_keyids'].append(key['keyid']) - tuf.roledb.update_roleinfo(self.rolename, roleinfo, + roledb.update_roleinfo(self.rolename, roleinfo, repository_name=self._repository_name) @@ -943,7 +942,7 @@ def unload_signing_key(self, key): previously loaded. - Updates the signing keys of the role in 'tuf.roledb.py'. + Updates the signing keys of the role in 'roledb'. None. @@ -955,8 +954,8 @@ def unload_signing_key(self, key): # 'securesystemslib.exceptions.FormatError' if any are improperly formatted. securesystemslib.formats.ANYKEY_SCHEMA.check_match(key) - # Update the role's 'signing_keys' field in 'tuf.roledb.py'. - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + # Update the role's 'signing_keys' field in 'roledb'. + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) # TODO: Should we consider removing keys from keydb that are no longer # associated with any roles? There could be many no-longer-used keys @@ -964,7 +963,7 @@ def unload_signing_key(self, key): if key['keyid'] in roleinfo['signing_keyids']: roleinfo['signing_keyids'].remove(key['keyid']) - tuf.roledb.update_roleinfo(self.rolename, roleinfo, + roledb.update_roleinfo(self.rolename, roleinfo, repository_name=self._repository_name) else: @@ -1004,7 +1003,7 @@ def add_signature(self, signature, mark_role_as_dirty=True): Adds 'signature', if not already added, to the role's 'signatures' field - in 'tuf.roledb.py'. + in 'roledb'. None. @@ -1017,7 +1016,7 @@ def add_signature(self, signature, mark_role_as_dirty=True): securesystemslib.formats.SIGNATURE_SCHEMA.check_match(signature) securesystemslib.formats.BOOLEAN_SCHEMA.check_match(mark_role_as_dirty) - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) # Ensure the roleinfo contains a 'signatures' field. if 'signatures' not in roleinfo: @@ -1027,7 +1026,7 @@ def add_signature(self, signature, mark_role_as_dirty=True): # added. if signature not in roleinfo['signatures']: roleinfo['signatures'].append(signature) - tuf.roledb.update_roleinfo(self.rolename, roleinfo, mark_role_as_dirty, + roledb.update_roleinfo(self.rolename, roleinfo, mark_role_as_dirty, repository_name=self._repository_name) else: @@ -1058,7 +1057,7 @@ def remove_signature(self, signature): added to this role. - Updates the 'signatures' field of the role in 'tuf.roledb.py'. + Updates the 'signatures' field of the role in 'roledb'. None. @@ -1070,12 +1069,12 @@ def remove_signature(self, signature): # 'securesystemslib.exceptions.FormatError' if any are improperly formatted. securesystemslib.formats.SIGNATURE_SCHEMA.check_match(signature) - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) if signature in roleinfo['signatures']: roleinfo['signatures'].remove(signature) - tuf.roledb.update_roleinfo(self.rolename, roleinfo, + roledb.update_roleinfo(self.rolename, roleinfo, repository_name=self._repository_name) else: @@ -1106,7 +1105,7 @@ def signatures(self): 'securesystemslib.formats.SIGNATURES_SCHEMA'. """ - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) signatures = roleinfo['signatures'] return signatures @@ -1134,7 +1133,7 @@ def keys(self): A list of the role's keyids (i.e., keyids of the keys). """ - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) keyids = roleinfo['keyids'] return keyids @@ -1187,7 +1186,7 @@ def version(self): 'tuf.formats.VERSION_SCHEMA'. """ - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) version = roleinfo['version'] return version @@ -1224,7 +1223,7 @@ def version(self, version): Modifies the 'version' attribute of the Repository object and updates the - role's version in 'tuf.roledb.py'. + role's version in 'roledb'. None. @@ -1236,10 +1235,10 @@ def version(self, version): # 'securesystemslib.exceptions.FormatError' if any are improperly formatted. formats.METADATAVERSION_SCHEMA.check_match(version) - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) roleinfo['version'] = version - tuf.roledb.update_roleinfo(self._rolename, roleinfo, + roledb.update_roleinfo(self._rolename, roleinfo, repository_name=self._repository_name) @@ -1265,7 +1264,7 @@ def threshold(self): 'tuf.formats.THRESHOLD_SCHEMA'. """ - roleinfo = tuf.roledb.get_roleinfo(self._rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self._rolename, self._repository_name) threshold = roleinfo['threshold'] return threshold @@ -1296,7 +1295,7 @@ def threshold(self, threshold): Modifies the threshold attribute of the Repository object and updates - the roles threshold in 'tuf.roledb.py'. + the roles threshold in 'roledb'. None. @@ -1308,11 +1307,11 @@ def threshold(self, threshold): # 'securesystemslib.exceptions.FormatError' if any are improperly formatted. formats.THRESHOLD_SCHEMA.check_match(threshold) - roleinfo = tuf.roledb.get_roleinfo(self._rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self._rolename, self._repository_name) roleinfo['previous_threshold'] = roleinfo['threshold'] roleinfo['threshold'] = threshold - tuf.roledb.update_roleinfo(self._rolename, roleinfo, + roledb.update_roleinfo(self._rolename, roleinfo, repository_name=self._repository_name) @@ -1336,7 +1335,7 @@ def expiration(self): The role's expiration datetime, a datetime.datetime() object. """ - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) expires = roleinfo['expires'] return formats.expiry_string_to_datetime(expires) @@ -1392,12 +1391,12 @@ def expiration(self, datetime_object): raise securesystemslib.exceptions.Error(repr(self.rolename) + ' has' ' already expired.') - # Update the role's 'expires' entry in 'tuf.roledb.py'. - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + # Update the role's 'expires' entry in 'roledb'. + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) expires = datetime_object.isoformat() + 'Z' roleinfo['expires'] = expires - tuf.roledb.update_roleinfo(self.rolename, roleinfo, + roledb.update_roleinfo(self.rolename, roleinfo, repository_name=self._repository_name) @@ -1426,7 +1425,7 @@ def signing_keys(self): 'securesystemslib.formats.KEYIDS_SCHEMA'. """ - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) signing_keyids = roleinfo['signing_keyids'] return signing_keyids @@ -1462,7 +1461,7 @@ class Root(Metadata): tuf.exceptions.FormatError, if the argument is improperly formatted. - A 'root' role is added to 'tuf.roledb.py'. + A 'root' role is added to 'roledb'. None. @@ -1489,7 +1488,7 @@ def __init__(self, repository_name): 'signatures': [], 'version': 0, 'consistent_snapshot': False, 'expires': expiration, 'partial_loaded': False} try: - tuf.roledb.add_role(self._rolename, roleinfo, self._repository_name) + roledb.add_role(self._rolename, roleinfo, self._repository_name) except exceptions.RoleAlreadyExistsError: pass @@ -1530,7 +1529,7 @@ class Timestamp(Metadata): tuf.exceptions.FormatError, if the argument is improperly formatted. - A 'timestamp' role is added to 'tuf.roledb.py'. + A 'timestamp' role is added to 'roledb'. None. @@ -1558,7 +1557,7 @@ def __init__(self, repository_name): 'partial_loaded': False} try: - tuf.roledb.add_role(self.rolename, roleinfo, self._repository_name) + roledb.add_role(self.rolename, roleinfo, self._repository_name) except exceptions.RoleAlreadyExistsError: pass @@ -1593,7 +1592,7 @@ class Snapshot(Metadata): tuf.exceptions.FormatError, if the argument is improperly formatted. - A 'snapshot' role is added to 'tuf.roledb.py'. + A 'snapshot' role is added to 'roledb'. None. @@ -1621,7 +1620,7 @@ def __init__(self, repository_name): 'partial_loaded': False} try: - tuf.roledb.add_role(self._rolename, roleinfo, self._repository_name) + roledb.add_role(self._rolename, roleinfo, self._repository_name) except exceptions.RoleAlreadyExistsError: pass @@ -1678,7 +1677,7 @@ class Targets(Metadata): formatted. - Modifies the roleinfo of the targets role in 'tuf.roledb', or creates + Modifies the roleinfo of the targets role in 'roledb', or creates a default one named 'targets'. @@ -1727,9 +1726,9 @@ def __init__(self, targets_directory, rolename='targets', roleinfo=None, 'partial_loaded': False, 'delegations': {'keys': {}, 'roles': []}} - # Add the new role to the 'tuf.roledb'. + # Add the new role to the 'roledb'. try: - tuf.roledb.add_role(self.rolename, roleinfo, self._repository_name) + roledb.add_role(self.rolename, roleinfo, self._repository_name) except exceptions.RoleAlreadyExistsError: pass @@ -1756,7 +1755,7 @@ def __call__(self, rolename): delegated by this Targets object. - Modifies the roleinfo of the targets role in 'tuf.roledb'. + Modifies the roleinfo of the targets role in 'roledb'. The Targets object of 'rolename'. @@ -1826,7 +1825,7 @@ def add_delegated_role(self, rolename, targets_object): def remove_delegated_role(self, rolename): """ Remove 'rolename' from this Targets object's list of delegated roles. - This method does not update tuf.roledb and others. + This method does not update roledb and others. rolename: @@ -1883,7 +1882,7 @@ def target_files(self): None. """ - target_files = tuf.roledb.get_roleinfo(self._rolename, + target_files = roledb.get_roleinfo(self._rolename, self._repository_name)['paths'] return target_files @@ -1940,7 +1939,7 @@ def add_paths(self, paths, child_rolename): # Ensure that 'child_rolename' exists, otherwise it will not have an entry # in the parent role's delegations field. - if not tuf.roledb.role_exists(child_rolename, self._repository_name): + if not roledb.role_exists(child_rolename, self._repository_name): raise securesystemslib.exceptions.Error(repr(child_rolename) + ' does' ' not exist.') @@ -1953,7 +1952,7 @@ def add_paths(self, paths, child_rolename): # Get the current role's roleinfo, so that its delegations field can be # updated. - roleinfo = tuf.roledb.get_roleinfo(self._rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self._rolename, self._repository_name) # Update the delegated paths of 'child_rolename' to add relative paths. for role in roleinfo['delegations']['roles']: @@ -1967,7 +1966,7 @@ def add_paths(self, paths, child_rolename): else: logger.debug(repr(role['name']) + ' does not match child rolename.') - tuf.roledb.update_roleinfo(self._rolename, roleinfo, + roledb.update_roleinfo(self._rolename, roleinfo, repository_name=self._repository_name) @@ -2014,7 +2013,7 @@ def add_target(self, filepath, custom=None, fileinfo=None): Adds 'filepath' to this role's list of targets. This role's - 'tuf.roledb.py' entry is also updated. + 'roledb' entry is also updated. None. @@ -2051,8 +2050,8 @@ def add_target(self, filepath, custom=None, fileinfo=None): # later calls to write() will fail. self._check_path(filepath) - # Update the role's 'tuf.roledb.py' entry and avoid duplicates. - roleinfo = tuf.roledb.get_roleinfo(self._rolename, self._repository_name) + # Update the role's 'roledb' entry and avoid duplicates. + roleinfo = roledb.get_roleinfo(self._rolename, self._repository_name) if filepath not in roleinfo['paths']: logger.debug('Adding new target: ' + repr(filepath)) @@ -2065,7 +2064,7 @@ def add_target(self, filepath, custom=None, fileinfo=None): else: roleinfo['paths'].update({filepath: {'custom': custom}}) - tuf.roledb.update_roleinfo(self._rolename, roleinfo, + roledb.update_roleinfo(self._rolename, roleinfo, repository_name=self._repository_name) @@ -2115,8 +2114,8 @@ def add_targets(self, list_of_targets): for target in list_of_targets: self._check_path(target) - # Update this Targets 'tuf.roledb.py' entry. - roleinfo = tuf.roledb.get_roleinfo(self._rolename, self._repository_name) + # Update this Targets 'roledb' entry. + roleinfo = roledb.get_roleinfo(self._rolename, self._repository_name) for relative_target in list_of_targets: if relative_target not in roleinfo['paths']: logger.debug('Adding new target: ' + repr(relative_target)) @@ -2124,7 +2123,7 @@ def add_targets(self, list_of_targets): logger.debug('Replacing target: ' + repr(relative_target)) roleinfo['paths'].update({relative_target: {}}) - tuf.roledb.update_roleinfo(self.rolename, roleinfo, + roledb.update_roleinfo(self.rolename, roleinfo, repository_name=self._repository_name) @@ -2152,7 +2151,7 @@ def remove_target(self, filepath): repository's targets directory, or not found. - Modifies this Targets 'tuf.roledb.py' entry. + Modifies this Targets 'roledb' entry. None. @@ -2165,10 +2164,10 @@ def remove_target(self, filepath): formats.RELPATH_SCHEMA.check_match(filepath) # Remove 'relative_filepath', if found, and update this Targets roleinfo. - fileinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + fileinfo = roledb.get_roleinfo(self.rolename, self._repository_name) if filepath in fileinfo['paths']: del fileinfo['paths'][filepath] - tuf.roledb.update_roleinfo(self.rolename, fileinfo, + roledb.update_roleinfo(self.rolename, fileinfo, repository_name=self._repository_name) else: @@ -2192,16 +2191,16 @@ def clear_targets(self): None. - Modifies this Targets' 'tuf.roledb.py' entry. + Modifies this Targets' 'roledb' entry. None. """ - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) roleinfo['paths'] = {} - tuf.roledb.update_roleinfo(self.rolename, roleinfo, + roledb.update_roleinfo(self.rolename, roleinfo, repository_name=self._repository_name) @@ -2229,7 +2228,7 @@ def get_delegated_rolenames(self): A list of rolenames. """ - return tuf.roledb.get_delegated_rolenames(self.rolename, self._repository_name) + return roledb.get_delegated_rolenames(self.rolename, self._repository_name) @@ -2267,13 +2266,13 @@ def _update_roledb_delegations(self, keydict, delegations_roleinfo): roles in delegations_roleinfo """ - current_roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + current_roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) current_roleinfo['delegations']['keys'].update(keydict) for roleinfo in delegations_roleinfo: current_roleinfo['delegations']['roles'].append(roleinfo) - tuf.roledb.update_roleinfo(self.rolename, current_roleinfo, + roledb.update_roleinfo(self.rolename, current_roleinfo, repository_name=self._repository_name) @@ -2353,7 +2352,7 @@ def delegate(self, rolename, public_keys, paths, threshold=1, A new Target object is created for 'rolename' that is accessible to the caller (i.e., targets.). The 'tuf.keydb.py' and - 'tuf.roledb.py' stores are updated with 'public_keys'. + 'roledb' stores are updated with 'public_keys'. None. @@ -2446,7 +2445,7 @@ def revoke(self, rolename): Revoke this Targets' 'rolename' delegation. Its 'rolename' attribute is deleted, including the entries in its 'delegations' field and in - 'tuf.roledb'. + 'roledb'. Actual metadata files are not updated, only when repository.write() or repository.write() is called. @@ -2465,7 +2464,7 @@ def revoke(self, rolename): formatted. - The delegations dictionary of 'rolename' is modified, and its 'tuf.roledb' + The delegations dictionary of 'rolename' is modified, and its 'roledb' entry is updated. This Targets' 'rolename' delegation attribute is also deleted. @@ -2480,18 +2479,18 @@ def revoke(self, rolename): formats.ROLENAME_SCHEMA.check_match(rolename) # Remove 'rolename' from this Target's delegations dict. - roleinfo = tuf.roledb.get_roleinfo(self.rolename, self._repository_name) + roleinfo = roledb.get_roleinfo(self.rolename, self._repository_name) for role in roleinfo['delegations']['roles']: if role['name'] == rolename: roleinfo['delegations']['roles'].remove(role) - tuf.roledb.update_roleinfo(self.rolename, roleinfo, + roledb.update_roleinfo(self.rolename, roleinfo, repository_name=self._repository_name) - # Remove 'rolename' from 'tuf.roledb.py'. + # Remove 'rolename' from 'roledb'. try: - tuf.roledb.remove_role(rolename, self._repository_name) + roledb.remove_role(rolename, self._repository_name) # Remove the rolename delegation from the current role. For example, the # 'django' role is removed from repository.targets('django'). del self._delegated_roles[rolename] @@ -2806,7 +2805,7 @@ def delegations(self): tuf.exceptions.UnknownRoleError, if this Targets' rolename - does not exist in 'tuf.roledb'. + does not exist in 'roledb'. None. @@ -3085,7 +3084,7 @@ def load_repository(repository_directory, repository_name='default', # Store the delegations in the form of delegated-delegating role tuples, # starting from the top-level targets: # [('role1', 'targets'), ('role2', 'targets'), ... ] - roleinfo = tuf.roledb.get_roleinfo('targets', repository_name) + roleinfo = roledb.get_roleinfo('targets', repository_name) for role in roleinfo['delegations']['roles']: delegations.append((role, 'targets')) diff --git a/tuf/scripts/repo.py b/tuf/scripts/repo.py index c1bef95f8e..3b1c279736 100755 --- a/tuf/scripts/repo.py +++ b/tuf/scripts/repo.py @@ -151,6 +151,7 @@ from tuf import exceptions from tuf import formats from tuf import log +from tuf import roledb import tuf.repository_tool as repo_tool # 'pip install securesystemslib[crypto,pynacl]' is required for the CLI, @@ -320,7 +321,7 @@ def delegate(parsed_arguments): repository.snapshot.load_signing_key(snapshot_private) repository.timestamp.load_signing_key(timestamp_private) - consistent_snapshot = tuf.roledb.get_roleinfo('root', + consistent_snapshot = roledb.get_roleinfo('root', repository._repository_name)['consistent_snapshot'] repository.writeall(consistent_snapshot=consistent_snapshot) @@ -365,7 +366,7 @@ def revoke(parsed_arguments): repository.snapshot.load_signing_key(snapshot_private) repository.timestamp.load_signing_key(timestamp_private) - consistent_snapshot = tuf.roledb.get_roleinfo('root', + consistent_snapshot = roledb.get_roleinfo('root', repository._repository_name)['consistent_snapshot'] repository.writeall(consistent_snapshot=consistent_snapshot) @@ -533,7 +534,7 @@ def add_verification_key(parsed_arguments): else: repository.timestamp.add_verification_key(imported_pubkey) - consistent_snapshot = tuf.roledb.get_roleinfo('root', + consistent_snapshot = roledb.get_roleinfo('root', repository._repository_name)['consistent_snapshot'] repository.write('root', consistent_snapshot=consistent_snapshot, increment_version_number=False) @@ -578,7 +579,7 @@ def remove_verification_key(parsed_arguments): except securesystemslib.exceptions.Error: print(repr(keypath) + ' is not a trusted key. Skipping.') - consistent_snapshot = tuf.roledb.get_roleinfo('root', + consistent_snapshot = roledb.get_roleinfo('root', repository._repository_name)['consistent_snapshot'] repository.write('root', consistent_snapshot=consistent_snapshot, increment_version_number=False) @@ -592,7 +593,7 @@ def sign_role(parsed_arguments): repository = repo_tool.load_repository( os.path.join(parsed_arguments.path, REPO_DIR)) - consistent_snapshot = tuf.roledb.get_roleinfo('root', + consistent_snapshot = roledb.get_roleinfo('root', repository._repository_name)['consistent_snapshot'] for keypath in parsed_arguments.sign: @@ -614,7 +615,7 @@ def sign_role(parsed_arguments): else: # TODO: repository_tool.py will be refactored to clean up the following # code, which adds and signs for a non-existent role. - if not tuf.roledb.role_exists(parsed_arguments.role): + if not roledb.role_exists(parsed_arguments.role): # Load the private key keydb and set the roleinfo in roledb so that # metadata can be written with repository.write(). @@ -635,7 +636,7 @@ def sign_role(parsed_arguments): 'signatures': [], 'version': 1, 'expires': expiration, 'delegations': {'keys': {}, 'roles': []}} - tuf.roledb.add_role(parsed_arguments.role, roleinfo, + roledb.add_role(parsed_arguments.role, roleinfo, repository_name=repository._repository_name) # Generate the Targets object of --role, and add it to the top-level @@ -716,7 +717,7 @@ def add_target_to_repo(parsed_arguments, target_path, repo_targets_path, shutil.copy(target_path, os.path.join(repo_targets_path, target_path)) - roleinfo = tuf.roledb.get_roleinfo( + roleinfo = roledb.get_roleinfo( parsed_arguments.role, repository_name=repository._repository_name) # It is assumed we have a delegated role, and that the caller has made @@ -729,7 +730,7 @@ def add_target_to_repo(parsed_arguments, target_path, repo_targets_path, logger.debug('Replacing target: ' + repr(target_path)) roleinfo['paths'].update({target_path: custom}) - tuf.roledb.update_roleinfo(parsed_arguments.role, roleinfo, + roledb.update_roleinfo(parsed_arguments.role, roleinfo, mark_role_as_dirty=True, repository_name=repository._repository_name) @@ -742,10 +743,10 @@ def remove_target_files_from_metadata(parsed_arguments, repository): ' It must be "targets" or a delegated rolename.') else: - # NOTE: The following approach of using tuf.roledb to update the target + # NOTE: The following approach of using roledb to update the target # files will be modified in the future when the repository tool's API is # refactored. - roleinfo = tuf.roledb.get_roleinfo( + roleinfo = roledb.get_roleinfo( parsed_arguments.role, repository._repository_name) for glob_pattern in parsed_arguments.remove: @@ -758,7 +759,7 @@ def remove_target_files_from_metadata(parsed_arguments, repository): ' given path/glob pattern ' + repr(glob_pattern)) continue - tuf.roledb.update_roleinfo( + roledb.update_roleinfo( parsed_arguments.role, roleinfo, mark_role_as_dirty=True, repository_name=repository._repository_name) @@ -783,7 +784,7 @@ def add_targets(parsed_arguments): add_target_to_repo(parsed_arguments, target_path, repo_targets_path, repository) - consistent_snapshot = tuf.roledb.get_roleinfo('root', + consistent_snapshot = roledb.get_roleinfo('root', repository._repository_name)['consistent_snapshot'] if parsed_arguments.role == 'targets': @@ -853,7 +854,7 @@ def remove_targets(parsed_arguments): repository.snapshot.load_signing_key(snapshot_private) repository.timestamp.load_signing_key(timestamp_private) - consistent_snapshot = tuf.roledb.get_roleinfo('root', + consistent_snapshot = roledb.get_roleinfo('root', repository._repository_name)['consistent_snapshot'] repository.writeall(consistent_snapshot=consistent_snapshot) diff --git a/tuf/sig.py b/tuf/sig.py index 221bdfa928..8a69bae7c0 100755 --- a/tuf/sig.py +++ b/tuf/sig.py @@ -53,8 +53,8 @@ import tuf from tuf import exceptions from tuf import formats +from tuf import roledb import tuf.keydb -import tuf.roledb import securesystemslib @@ -71,14 +71,14 @@ def get_signature_status(signable, role=None, repository_name='default', * bad -- Invalid signature * good -- Valid signature from key that is available in 'tuf.keydb', and is - authorized for the passed role as per 'tuf.roledb' (authorization may be + authorized for the passed role as per 'roledb' (authorization may be overwritten by passed 'keyids'). * unknown -- Signature from key that is not available in 'tuf.keydb', or if 'role' is None. * unknown signing schemes -- Signature from key with unknown signing scheme. * untrusted -- Valid signature from key that is available in 'tuf.keydb', - but is not trusted for the passed role as per 'tuf.roledb' or the passed + but is not trusted for the passed role as per 'roledb' or the passed 'keyids'. NOTE: The result may contain duplicate keyids or keyids that reference the @@ -97,7 +97,7 @@ def get_signature_status(signable, role=None, repository_name='default', TUF role string (e.g. 'root', 'targets', 'snapshot' or timestamp). threshold: - Rather than reference the role's threshold as set in tuf.roledb.py, use + Rather than reference the role's threshold as set in roledb, use the given 'threshold' to calculate the signature status of 'signable'. 'threshold' is an integer value that sets the role's threshold value, or the minimum number of signatures needed for metadata to be considered @@ -106,7 +106,7 @@ def get_signature_status(signable, role=None, repository_name='default', keyids: Similar to the 'threshold' argument, use the supplied list of 'keyids' to calculate the signature status, instead of referencing the keyids - in tuf.roledb.py for 'role'. + in roledb for 'role'. securesystemslib.exceptions.FormatError, if 'signable' does not have the @@ -180,7 +180,7 @@ def get_signature_status(signable, role=None, repository_name='default', # Note that if the role is not known, tuf.exceptions.UnknownRoleError # is raised here. if keyids is None: - keyids = tuf.roledb.get_role_keyids(role, repository_name) + keyids = roledb.get_role_keyids(role, repository_name) if keyid not in keyids: untrusted_sigs.append(keyid) @@ -204,7 +204,7 @@ def get_signature_status(signable, role=None, repository_name='default', if threshold is None: # Note that if the role is not known, tuf.exceptions.UnknownRoleError is # raised here. - threshold = tuf.roledb.get_role_threshold( + threshold = roledb.get_role_threshold( role, repository_name=repository_name) else: @@ -234,7 +234,7 @@ def verify(signable, role, repository_name='default', threshold=None, Verify that 'signable' has a valid threshold of authorized signatures identified by unique keyids. The threshold and whether a keyid is authorized is determined by querying the 'threshold' and 'keyids' info for - the passed 'role' in 'tuf.roledb'. Both values can be overwritten by + the passed 'role' in 'roledb'. Both values can be overwritten by passing the 'threshold' or 'keyids' arguments. NOTE: @@ -252,7 +252,7 @@ def verify(signable, role, repository_name='default', threshold=None, TUF role string (e.g. 'root', 'targets', 'snapshot' or timestamp). threshold: - Rather than reference the role's threshold as set in tuf.roledb.py, use + Rather than reference the role's threshold as set in roledb, use the given 'threshold' to calculate the signature status of 'signable'. 'threshold' is an integer value that sets the role's threshold value, or the minimum number of signatures needed for metadata to be considered @@ -261,7 +261,7 @@ def verify(signable, role, repository_name='default', threshold=None, keyids: Similar to the 'threshold' argument, use the supplied list of 'keyids' to calculate the signature status, instead of referencing the keyids - in tuf.roledb.py for 'role'. + in roledb for 'role'. tuf.exceptions.UnknownRoleError, if 'role' is not recognized.