Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add basic DSSE equivalent for Metadata API and configurable DSSE support in ngclient #2436

Merged
merged 16 commits into from
Feb 22, 2024

Conversation

lukpueh
Copy link
Member

@lukpueh lukpueh commented Aug 9, 2023

EDIT 2023/08/21: Rebased a.o. on top of #2361
EDIT 2023/10/12:

EDIT 2024/02/21:

  • Rebase
  • Remove client example changes and demo

Fixes #2385

Notes for reviewer

  • The largest chunk of the diff is a pure code move (503680a)
  • The commit messages provide detailed information about changes, but not all changes end up in the final diff
  • There is a demo included below

Background
The search for a common container abstraction for DSSE envelope and traditional Metadata has been unsuccessful in the past (see #2246, #2292). Some reasons are:

  • Although, they look very similar, their usage patterns are different enough to make any common abstraction overly complex
  • The life time of the container is too short to justify an overly complex solution.
  • Even though application logic can be mostly agnostic to the container format. There are certain moments, where a deliberate decision for a container format should be made.

Summary of changes

  • Adds basic DSSE equivalent for Metadata API called SimpleEnvelope API
  • Make ngclient Updater configurable to deserialise TUF payloads either using Metadata API or SimpleEnvelope API

Demo (removed in b6fa05b)

# Install python-tuf with dsse support
git clone https://github.com/lukpueh/tuf -b add-dsse
cd tuf && pip install -r requirements/dev.txt

# Create and serve a simple static dsse demo repo
curl https://gist.githubusercontent.com/lukpueh/91224e528af5332ef9c779075cf71e06/raw/eb9e5dc1943710fff938674f0eb144b1b9a7edd4/serve_simple_dsse_repo.py \
    | python -

# Run example client in another terminal (same env and dir)
cd examples/client
./client tofu
./client download --use-dsse file1.txt

@lukpueh lukpueh requested a review from jku August 11, 2023 08:18
@lukpueh lukpueh marked this pull request as ready for review August 21, 2023 12:49
@lukpueh lukpueh force-pushed the add-dsse branch 2 times, most recently from f8b2ad1 to c96ec55 Compare October 12, 2023 10:34
@lukpueh
Copy link
Member Author

lukpueh commented Oct 12, 2023

@jku: This is good for another round of review. The last 5 commits update the PR as we discussed (see commit messages for details). Remaining things I'd like to ticketize:

  • Server-side tooling
    We should figure out how we want to support DSSE in our repo-side tooling, e.g. repository simulator (for tests) and repository abstraction (used in examples). Supporting both simultaneously, as ngclient does with this PR, might not be worth the effort. Also, if we find a solution for repo abstraction first, maybe we can use that in repo simulator.

  • API (Docs)
    Currently, payload classes (Signed, Root, Targets), etc. are imported into both Metadata API and Envelope API, to preserve backwards compatibility of Metadata API and make both APIs fully independently usable. If we keep it that way, we need to figure out if we want to document those classes in both namespaces on readthedocs.

@lukpueh lukpueh requested review from jku and removed request for jku October 12, 2023 11:20
Copy link
Member

@jku jku left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think this is good to go.

  • I can't yet see how the repository side will work out with Envelope but I also don't think we will find out without merging this and then someone trying it out -- I suspect that unlike ngclient repositories are going to support Metadata or DSSE, not both.
  • TrustedMetadataSet refactor is a good idea even without the rest of the PR
  • Testing is lacking but I guess the first step towards improving that would be to write a RepositorySimulator for DSSE (or make the existing one support DSSE)

Thanks for the rewrites, I think it looks impressive:

$ git diff --stat origin/develop...lukpueh/add-dsse -- tuf/
...
2074 insertions(+), 1813 deletions(-)

examples/client/client Outdated Show resolved Hide resolved
tuf/api/dsse.py Show resolved Hide resolved
tests/test_trusted_metadata_set.py Show resolved Hide resolved
@lukpueh
Copy link
Member Author

lukpueh commented Feb 8, 2024

Thanks for the rewrites, I think it looks impressive:

Thanks for the review! Your comments sound reasonable. Let me push another commit and ping for one last look.

$ git diff --stat origin/develop...lukpueh/add-dsse -- tuf/
...
2074 insertions(+), 1813 deletions(-)

Yes, sorry about that. I'm happy to move the initial commit, which is a pure code move, to a separate PR. Then it's a little less intimidating.

git diff --stat 503680a
...
 9 files changed, 564 insertions(+), 160 deletions(-)

@jku
Copy link
Member

jku commented Feb 8, 2024

I pasted the stats as a positive thing: 250 added LOC for this is not bad :)

Sure, the _payload.py code move and especially the TrustedMetadataSet refactor could have been separate PRs but I think they're fine here.

Copy link
Member

@trishankatdatadog trishankatdatadog left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like excellent work (as usual), thanks, Lukas!

Do you think it might be worthwhile to drop support for Canonical JSON as an envelope, and make it DSSE-only by default going forward? We might need a MAJOR release for that and some deprecation notice. Then again, shouldn't people be free to support whatever envelope they like (e.g., JOSE)?

SIMPLE: Dead Simple Signing Envelope. (experimental)
"""

METADATA = 1
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
METADATA = 1
CJSON = 1

"""

METADATA = 1
SIMPLE = 2
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
SIMPLE = 2
DSSE = 2

@lukpueh
Copy link
Member Author

lukpueh commented Feb 15, 2024

Thanks for the comments, Trishank!

Do you think it might be worthwhile to drop support for Canonical JSON as an envelope, and make it DSSE-only by default going forward?

That would be nice, but I fear it would be extremely disruptive for any existing TUF user, if python-tuf (most notably ngclient) just stops supporting the cjson metadata wrapper.

Then again, shouldn't people be free to support whatever envelope they like (e.g., JOSE)?

I thinks so yes. Right now users can choose between "Envelope API" (dsse) or "Metadata API" (cjson) and configure the client to expect one or the other. I'm unsure if python-tuf can/should be changed to support arbitrary wrappers. I tried but couldn't find a good design for that.

@jku
Copy link
Member

jku commented Feb 15, 2024

Then again, shouldn't people be free to support whatever envelope they like (e.g., JOSE)?

This has two really major disadvantages:

  • each new option increases software complexity (which is bad for multiple reasons)
  • each new option lowers chances of interoperability (an area where TUF has traditionally had significant issues)

These are downsides for DSSE as well, but DSSE balances that by improving other aspects of TUF (deserialization safety and ease of implementation).

The interop argument is also why dropping support for the TUF metadata format is unlikely to be a real option for a very long time.

@trishankatdatadog
Copy link
Member

Agreed with both of you, and trust that there is no good common API for CJSON and DSSE (let alone other envelopes) in python-tuf right now. We can push down support for other envelopes to other implementations, or later if need be here.

Allows to simultanously use those classes in different container /
signature wrapper APIs, e.g. Metadata API and Envelope API (DSSE).

All moved classes are imported into tuf.api.metadata scope for
backwards-compatibility.

Signed-off-by: Lukas Puehringer <[email protected]>
Add internal payload unwrapper interface and implementation for payloads
wrapped in Metadata.

This is an abstraction over behavior --  load signature wrapper, verify
signatures over payload, return deserialized payload -- which is common
for relevant signature wrappers (Metadata, DSSE Envelope), but performed
differently / in different order.

Signed-off-by: Lukas Puehringer <[email protected]>
Change TrustedMetadataSet to load and verify metadata using a
MetadataUnwrapper instance.

IMPORTANT NOTES:
* Requires changing the TrustedMetadataSet to store payloads only, which
  is okay, because signatures are no longer needed, after being verified
  at load time.

* Includes a minor re-ordering of validation steps.  That is, the
  version increment for root metadata is now checked after signature
  verification. Preserving the order would require including the check in
  the Unwrapper interface, which is feasible but does not seem correct wrt
  separation of responsibility.

Changes are adopted in updater, tests and _localrepo.

Signed-off-by: Lukas Puehringer <[email protected]>
Add Envelope class with basic de/serialization methods, currently
hardcoded to JSON.

Signed-off-by: Lukas Puehringer <[email protected]>
Add Unwrapper implementation for DSSE Envelope. The order of
deserialization and signature verification differs from traditional
Metadata.

Signed-off-by: Lukas Puehringer <[email protected]>
@coveralls
Copy link

coveralls commented Feb 21, 2024

Pull Request Test Coverage Report for Build 8004729617

Warning: This coverage report may be inaccurate.

This pull request's base commit is no longer the HEAD commit of its target branch. This means it includes changes from outside the original pull request, including, potentially, unrelated coverage changes.

Details

  • -10 of 800 (98.75%) changed or added relevant lines in 6 files are covered.
  • No unchanged relevant lines lost coverage.
  • Overall coverage decreased (-0.08%) to 97.725%

Changes Missing Coverage Covered Lines Changed/Added Lines %
tuf/ngclient/updater.py 15 16 93.75%
tuf/ngclient/_internal/trusted_metadata_set.py 72 74 97.3%
tuf/api/_payload.py 644 651 98.92%
Totals Coverage Status
Change from base Build 7991070707: -0.08%
Covered Lines: 1463
Relevant Lines: 1488

💛 - Coveralls

* Add `use_dsse` updater config parameter which indicates, if an updater
  instance expects metadata to come in a DSSE envelope.

* Update TrustedMetadataSet to take an Unwrapper instance.

* Update Updater, to pass an EnvelopeUnwrapper to TrustedMetadataSet, if
  configured with `use_dsse`.

Signed-off-by: Lukas Puehringer <[email protected]>
Add `--use-dsse` flag to `download` subcommand of example client, which
can be used to indicate that all metadata is expected to come in a DSSE
envelope.

Signed-off-by: Lukas Puehringer <[email protected]>
This is a poc implementation. If accepted, tests will be added and this
commit can be reverted.

Signed-off-by: Lukas Puehringer <[email protected]>
* Rename Envelope to SimpleEnvelope:
  Envelope should be the generic term in this context for something that
  contains a payload and signatures. SimpleEnvelope is the specific
  DSSE implementation (just like Metadata is the specific traditional
  canonical JSON -based TUF envelope implementation).

* Add SimpleEnvelope class and method docstrings.

* Add convenience alias for ``self.signatures`` mapped to keyids for
  compatibility with Metadata.signatures.

Signed-off-by: Lukas Puehringer <[email protected]>
The flag allows adding other envelope types in the future (unlikely),
or parallel support (`METADATA & SIMPLE`) without breaking the API.

Internally, the flag is now just passed on to TrustedMetadataSet as
mandatory parameter. (Optional parameters make less sense when we
control all the invocations.)

This change requires updating all invocations of TrustedMetadataSet,
including the duplication of a test function.

Signed-off-by: Lukas Puehringer <[email protected]>
The internal wrapping interface to case handle deserialization and
verification of traditional metadata vs. simple envelopes inside
trusted metadata set might be a more complicated solution than
necessary.

This removes the interface and instead adds the methods of the interface
implementations as helpers to trusted metadata set, and updates it to
to call one or the other function based on the envelope type
configuration flag.

Signed-off-by: Lukas Puehringer <[email protected]>
* Add API tests for SimpleEnvelope
  This is not as comprehensive as Metadata API. The latter also includes
  tests for all payload classes, which should cover the same scenarios as
  if used with SimpleEnvelope.

* Add unit test for newly added simple envelope load helper function in
  trusted metadata set.

Signed-off-by: Lukas Puehringer <[email protected]>
This reverts commit b46132c.

Signed-off-by: Lukas Puehringer <[email protected]>
This reverts commit b279745.

... plus related changes from:
 "ngclient: change envelope type config to flag".

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh
Copy link
Member Author

lukpueh commented Feb 21, 2024

@jku, I addressed your comments and rebased on a pretty different develop compared to before.

Here are two git command that might be helpful to re-review and make sure I didn't mess up while resolving conflicts

# Check if the diffs to develop before and after the rebase roughly match 
git range-diff 6fed68b..c96ec55 develop..add-dsse

# Check if all new metadata.py changes indeed moved to _payload.py
git diff develop:tuf/api/metadata.py tuf/api/_payload.py

Timestamp,
VerificationResult,
)
from tuf.api.exceptions import UnsignedMetadataError
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

tuf-api.metadata.LengthOrHashMismatchError doesn't exist anymore but maybe that's fine

Copy link
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good eyes! Can't remember, if I left it out on purpose or forgot. Let me re-export it, just to be safe.

tuf/ngclient/_internal/trusted_metadata_set.py Outdated Show resolved Hide resolved
lukpueh and others added 2 commits February 22, 2024 13:43
Co-authored-by: Jussi Kukkonen <[email protected]>
Signed-off-by: Lukas Pühringer <[email protected]>
22b2726 claims to add all names
that were moved to the internal _payload module back to metadata.

LengthOrHashMismatchError was not added back. Now it is.

Signed-off-by: Lukas Puehringer <[email protected]>
@lukpueh lukpueh merged commit 52fa73a into theupdateframework:develop Feb 22, 2024
23 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Support DSSE in client and metadata API.
4 participants