(WIP/Collaboration) rewrites for delegation graph issues #846
Plan of action for the next steps:

Step 1: Schema updates

So, I'm changing the schemas in tuf.formats that define data structures in the reference implementation. That's going to break lots of things. I'm almost done, and it's hard to assign something out before that, but I can show you what I have so far in a WIP commit I'll push to this branch in a few minutes and you can plan out changes to make following them. Additional changes might be necessary later, of course, but I expect to have the schemas done before I leave today. We can chat, though, too, and maybe some parallel task will emerge from something one of us thinks of. :)

Note that every little thing doesn't need to have its own schema. We want the schema definitions to be succinct and readable, so bouncing around a lot is not ideal.

Step 2: RoleDB Rewrite

After the new definitions, one of the main things that needs to happen is that someone needs to go over roledb to see how things need to change based on those schema changes, keeping in mind the stuff that motivated those schema changes (see top post in this PR). Note that there are some comments / TODOs I added / am adding suggesting how things should work.

Step 3: updater and repository_lib edits

Updater and repository_lib will need to employ the new roledb code, which in some cases will result in refactoring in that code, and a few API changes. Repository_tool and some other modules may also require similar adjustments.
The most breaking thing in the last commit (draft of new schema definitions in formats.py) is the removal of ROLEDB_SCHEMA. That was another internal representation for metadata (the one reorganized such that delegation information was stored under a delegatee). Instead, roledb should use ANYROLE_SCHEMA or the individual metadata roles' schemas as appropriate (e.g. TIMESTAMP_SCHEMA). ROLES_SCHEMA is what will live in roledb._roledb_dict, one for each repository.
Once we're all done, writing metadata will just involve canonicalization, serialization, and signing. It won't require rebuilding roles based on information listed under other roles, for example. That will then mean we can expose that internal representation in roledb (indirectly but pretty transparently) to users of TUF, to allow things like Uptane adding a Timeserver key to root metadata, then telling TUF to write and sign.
These aid in the roledb rewrite to start to address Issue #660. Also add two minor TODOs. Signed-off-by: Sebastien Awwad <[email protected]>
- Rename and alter some schemas that really address delegations, to make that clear.
- Do away with the ROLEDB_SCHEMA, an intermediate metadata format that is not necessary and which incorrectly flattens the delegation graph, and similar schemas.
- Rewrite getters/setters in roledb to respect the delegation graph rather than assuming that delegated targets roles have only one delegation pointing to them (see Issue #660).
- Add a variety of TODOs for later.
- Clarify docstrings as a result of the above.

reinterpreting metadata

Signed-off-by: Sebastien Awwad <[email protected]>
This is mid-development, but I'm pushing it so that Aditya can see where things are and the general shape of things. Signed-off-by: Sebastien Awwad <[email protected]>
46e33f4 to 6464f7a
Rebased after merge of #836.
Warn folks about the larger structures being near the end, make description a bit more readable, highlight matches() and check_match() funcs, emphasize that this module defines the data structures / formats used. Signed-off-by: Sebastien Awwad <[email protected]>
- remove re-definition of rolename_schema
- use securesystemslib.formats.PATH_SCHEMA for all paths, rather than using RELPATH_SCHEMA, which implies a distinction that we do not actually make, and checks we do not actually perform.
- use INTEGER_NATURAL_SCHEMA for lengths and metadata versions

Excludes fileinfo-related adjustments of the above, as those will follow in a separate fileinfo-specific commit.

Signed-off-by: Sebastien Awwad <[email protected]>
The misleadingly-named ROLE_SCHEMA was renamed to SIGNING_SCHEMA, but I'm now making it SIGNERS_SCHEMA, which I think is clearer. I also added an example. Signed-off-by: Sebastien Awwad <[email protected]>
Failed to include key and value definitions. Signed-off-by: Sebastien Awwad <[email protected]>
In TUF, we store information about files in a variety of ways. Sometimes, versions are used, and sometimes length and hashes are required. So FILEINFO_SCHEMA will match any of these three new schemas: FILEINFO_IN_TIMESTAMP_SCHEMA, FILEINFO_IN_SNAPSHOT_SCHEMA, and FILEINFO_IN_TARGETS_SCHEMA. This should be more intuitive than the former mess, I think. I also renamed TARGETINFO to LABELED_FILEINFO_SCHEMA, with an explanation. I hope that proves more intuitive as well. Signed-off-by: Sebastien Awwad <[email protected]>
Signed-off-by: Sebastien Awwad <[email protected]>
@adityasaky tells me that he has (on his branch to be PR'd here later) the basic roledb tests working after the schema changes now, so the next step will be looking through repository_lib to make the changes necessary there, guided by test failures. After that (or, possibly during, depending on how far repository_tool's issues extend into repository_lib), it'll be time to deal with After that, we can move on to the client side and
@adityasaky is working with
That's where the fix for the primary part of #660 lies: providing I suggest that we leave the #841 flattening refactor for later, and just hold our breaths and add new optional keyids and threshold arguments the whole way down the stack from So that's your next task, @adityasaky. :) I'll push to this PR some changes to Aside from this, there will doubtless be other, more minor changes, to match the updated schemas and renamed roledb functions, but I hope those are much easier.
Great work, guys, keep it up!
It'll now be a public function used by other modules (tuf.sig), so make it public and improve the name (takes a rolename, not a role): roledb.is_top_level_rolename(). Also bugfix it to handle casing issues. Signed-off-by: Sebastien Awwad <[email protected]>
It previously included information that wasn't really appropriate at this level of the code (about the project as a whole). Add short summary and list the two public functions with short explanations. Signed-off-by: Sebastien Awwad <[email protected]>
- get_signature_status() and verify() will expect EITHER:
  - keyids AND threshold
  - a rolename
  never both. A rolename can be used in place of keyids and threshold only for top-level roles, and keyids and threshold will then be drawn from currently trusted Root metadata. See comments in the code for more. This includes making rolename an optional argument. Now uses tuf.roledb.is_top_level_rolename.
- renamed "role" argument to "rolename", which is more correct (since the actual role metadata is another argument...)
- Pulled the elaborate argument validation and the retrieval of keyids and threshold from Root metadata into a separate function: _determine_keyids_and_threshold_to_use
- perform retrieval of keyids and threshold only from Root metadata, for top-level roles (part of #660)
- removed unused generate_rsa_signature
- cleaned up the structure of get_signature_status() a bit

Tests will break and require fixes.

Signed-off-by: Sebastien Awwad <[email protected]>
Pushed changes to Didn't fix
The keyids and threshold retrieval are already performed above now, so this lingering threshold retrieval is no longer needed. Move the comment about errors it would raise to where that actually would happen now (and refine comment given new functionality). Signed-off-by: Sebastien Awwad <[email protected]>
tuf.sig.generate_rsa_signature and tuf.sig.may_need_new_keys were not necessary and were deleted. This commit removes their tests. Signed-off-by: Sebastien Awwad <[email protected]>
Explain the test conditions. Signed-off-by: Sebastien Awwad <[email protected]>
Signed-off-by: Sebastien Awwad <[email protected]>
@adityasaky
Great job, guys, your hard work has not gone unnoticed 🙇 Would there be a simple API for users to verify all signatures on a loaded repository?
Such an API function would depend on this work, but not come as part of it. It's possible to write a function afterwards that loads a repo and verifies all top-level roles, then crawls down the full delegation graph and verifies every edge or reports any unverified edges. (Incidentally, that's the sort of thing that I'll want from a comprehensive
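The graph walk sketched in the comment above, written out as an added example (not code from this PR or from the TUF reference implementation). It verifies the top-level roles against Root, then walks every delegation edge with a queue of (delegator, delegatee, keyids, threshold, keys), so the keys and threshold for an edge always come from the delegating role and a delegatee with two delegators (the Issue #660 shape) is checked once per edge. Everything in the block is an assumption for illustration: metadata is held as plain dicts in the shape of TUF metadata, signatures are HMAC-SHA256 tags standing in for real TUF key types, and the role names A/B/C, keyids and paths are constructed sample data.

```python
# Added example, not code from this PR or the TUF reference implementation.
# Assumptions: metadata is held as plain dicts shaped like TUF metadata, and
# signatures are HMAC-SHA256 tags (stand-in for real TUF key types) whose key
# material doubles as the "public" value.
import hashlib
import hmac
import json
from collections import deque


def canonical(signed):
    """Canonical JSON: the exact bytes that get signed and verified."""
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def make_sig(keyid, key, signed):
    """Stand-in signer (assumption: HMAC-SHA256, not a real TUF signature)."""
    tag = hmac.new(key.encode(), canonical(signed), hashlib.sha256).hexdigest()
    return {"keyid": keyid, "sig": tag}


def sig_is_valid(key, signed, sig):
    expected = hmac.new(key.encode(), canonical(signed), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, sig)


def get_signature_status(metadata, keyids, threshold, keys):
    """(threshold_met, good_keyids) for metadata, in the keyids+threshold form.

    keyids, threshold and keys are what the *delegating* role (or Root, for
    top-level roles) lists for this edge; nothing is taken from the delegatee.
    """
    good = set()
    for entry in metadata["signatures"]:
        kid = entry["keyid"]
        if kid in keyids and kid in keys and kid not in good:
            if sig_is_valid(keys[kid]["keyval"]["public"], metadata["signed"], entry["sig"]):
                good.add(kid)
    return len(good) >= threshold, sorted(good)


def verify_delegation_graph(repo):
    """Breadth-first walk from Root; returns (verified_edges, failed_edges).

    repo maps rolename -> {"signed": ..., "signatures": [...]}.  A queue item is
    (delegator, delegatee, keyids, threshold, keys): a delegatee with several
    delegators is checked once per edge, and cycles end because each edge is
    visited at most once.
    """
    root = repo["root"]["signed"]
    queue = deque(("root", name, r["keyids"], r["threshold"], root["keys"])
                  for name, r in root["roles"].items())
    seen, verified, failed = set(), [], []
    while queue:
        delegator, delegatee, keyids, threshold, keys = queue.popleft()
        edge = (delegator, delegatee)
        if edge in seen:
            continue
        seen.add(edge)
        metadata = repo.get(delegatee)
        met = metadata is not None and get_signature_status(metadata, keyids, threshold, keys)[0]
        (verified if met else failed).append(edge)
        # Only follow delegations out of a role that is trusted via this edge.
        delegations = metadata["signed"].get("delegations", {}) if met else {}
        for d in delegations.get("roles", []):
            queue.append((delegatee, d["name"], d["keyids"], d["threshold"], delegations["keys"]))
    return verified, failed


def build_sample_repo():
    """Constructed sample: targets -> A, targets -> B, A -> C, B -> C.

    C has two delegators with different keyids and thresholds; C is signed only
    by c1, so A -> C (1 of 1) verifies and B -> C (2 of 2) does not.
    """
    keys = {k: {"keytype": "hmac-stand-in", "keyval": {"public": "secret-" + k}}
            for k in ("root1", "ts1", "snap1", "tgt1", "a1", "b1", "c1", "c2")}

    def delegate(roles, keyids):
        signed = {"_type": "targets", "version": 1, "targets": {}}
        if roles:
            signed["delegations"] = {"keys": {k: keys[k] for k in keyids}, "roles": roles}
        return signed

    def pack(signed, signers):
        sigs = [make_sig(k, keys[k]["keyval"]["public"], signed) for k in signers]
        return {"signed": signed, "signatures": sigs}

    root = {"_type": "root", "version": 1,
            "keys": {k: keys[k] for k in ("root1", "ts1", "snap1", "tgt1")},
            "roles": {"root": {"keyids": ["root1"], "threshold": 1},
                      "timestamp": {"keyids": ["ts1"], "threshold": 1},
                      "snapshot": {"keyids": ["snap1"], "threshold": 1},
                      "targets": {"keyids": ["tgt1"], "threshold": 1}}}
    return {
        "root": pack(root, ["root1"]),
        "timestamp": pack({"_type": "timestamp", "version": 1}, ["ts1"]),
        "snapshot": pack({"_type": "snapshot", "version": 1}, ["snap1"]),
        "targets": pack(delegate([{"name": "A", "keyids": ["a1"], "threshold": 1, "paths": ["a/*"]},
                                  {"name": "B", "keyids": ["b1"], "threshold": 1, "paths": ["b/*"]}],
                                 ["a1", "b1"]), ["tgt1"]),
        "A": pack(delegate([{"name": "C", "keyids": ["c1"], "threshold": 1, "paths": ["a/c/*"]}],
                           ["c1"]), ["a1"]),
        "B": pack(delegate([{"name": "C", "keyids": ["c1", "c2"], "threshold": 2, "paths": ["b/c/*"]}],
                           ["c1", "c2"]), ["b1"]),
        "C": pack(delegate([], []), ["c1"]),
    }
```

Running `verify_delegation_graph(build_sample_repo())` reports the edge B -> C as unverified while A -> C and every other edge verify; a roledb that kept a single "parent" per delegated role could not express that outcome. Tampering with C's signed content after the fact (for example bumping its version) makes A -> C fail as well, since the tags were computed over the original canonical bytes.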
Got it, thanks!
@adityasaky Note that Personally, I thought about a 3-mer queue (role, keyids, threshold) instead of a role queue, but there are a few ways to handle this.... Note that part of the task when updating something like this is considering the expectations in edge cases. For example:
An error that is raised if someone tries to query a delegation that shouldn't exist (root to a delegated targets role or a delegated targets role to root, say) previously only described one direction, leading to misleading error messages. It now explains both possible causes of the error. Also removes a pdb.set_trace() left over from prior revisions. Signed-off-by: Sebastien Awwad <[email protected]>
Two functions now exist to replace _test_rolename (which was a bit of a misleading name), and these are now used to perform argument testing for roledb functions that query a single role or query information about a delegation from one role to another role. In addition, tests for roledb.get_delegated_paths were also updated, duplicating some of the above for reasons explained in code comments. Signed-off-by: Sebastien Awwad <[email protected]>
Signed-off-by: Sebastien Awwad <[email protected]>
- remove duplicate ROLENAME_SCHEMA and ROLEDICT_SCHEMA
- remove outdated and duplicate ROLE_SCHEMA

Note that this is a quick fix that may be overridden with refactoring work in theupdateframework#660/theupdateframework#846.

Signed-off-by: Lukas Puehringer <[email protected]>
Due to imminent refactor efforts this code is unlikely to merge.
The core task here is to rewrite roledb, a central TUF module, and the code that uses it.
The primary motivation comes from issue #660, a confusion regarding roles and delegations that has led to a variety of issues in the code.
Additional motivation comes from these principles:
The result of this work should be a codebase that:
tuf.formats and securesystemslib.formats.
build_dict_conforming_to_schema (or that style of code) wherever reasonable.