
Commit 41e90a5

author
Kairo de Araujo
committed
Replaced the Key signatures dict to Signers
This commit refactors how signing keys are handled. Instead of using the keys from the Key Storage Service as dictionaries, it uses them as ``securesystemslib.signer.Signer`` objects. This gives more flexibility and uses the same data structure across the services, the repository and TUF. Signed-off-by: Kairo de Araujo <[email protected]>
1 parent 2117772 commit 41e90a5


4 files changed

+153
-93
lines changed


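--- a/tests/unit/tuf/test_repository.py
+++ b/tests/unit/tuf/test_repository.py
@@ -100,8 +100,13 @@ def test__create_delegated_targets_roles(self, tuf_repository, monkeypatch):
 tuf_repository.load_role = pretend.call_recorder(
 lambda role: fake_snapshot_md if role == Snapshot.type else None
 )
-
 tuf_repository._store = pretend.call_recorder(lambda *a, **kw: None)
+fake_signers = [
+pretend.stub(
+key_dict={"keyid": "key1"},
+sign=pretend.call_recorder(lambda *a: "key1"),
+)
+]
 
 test_delegate_roles_parameters = [
 (
@@ -112,7 +117,7 @@ def test__create_delegated_targets_roles(self, tuf_repository, monkeypatch):
 False,
 paths=["*/*"],
 ),
-[{"keyid": "key1"}, {"keyid": "key2"}],
+fake_signers,
 fake_time,
 )
 ]
@@ -149,6 +154,12 @@ def test__create_delegated_targets_roles_with_snapshot_md(
 )
 )
 fake_snapshot_md = pretend.stub(signed=pretend.stub(meta={}))
+fake_signers = [
+pretend.stub(
+key_dict={"keyid": "key1"},
+sign=pretend.call_recorder(lambda *a: "key1"),
+)
+]
 
 tuf_repository.load_role = pretend.call_recorder(
 lambda role: fake_snapshot_md if role == Snapshot.type else None
@@ -164,7 +175,7 @@ def test__create_delegated_targets_roles_with_snapshot_md(
 False,
 paths=["*/*"],
 ),
-[{"keyid": "key1"}, {"keyid": "key2"}],
+fake_signers,
 fake_time,
 )
 ]
@@ -201,6 +212,12 @@ def test__create_delegated_targets_roles_has_delegations(
 )
 )
 fake_snapshot_md = pretend.stub(signed=pretend.stub(meta={}))
+fake_signers = [
+pretend.stub(
+key_dict={"keyid": "key1"},
+sign=pretend.call_recorder(lambda *a: "key1"),
+)
+]
 
 tuf_repository.load_role = pretend.call_recorder(
 lambda role: fake_snapshot_md if role == Snapshot.type else None
@@ -216,7 +233,7 @@ def test__create_delegated_targets_roles_has_delegations(
 False,
 paths=["*/*"],
 ),
-[{"keyid": "key1"}, {"keyid": "key2"}],
+fake_signers,
 fake_time,
 )
 ]
@@ -281,10 +298,20 @@ def test_initialization(self, tuf_repository):
 ),
 },
 }
+fake_signers = [
+pretend.stub(
+key_dict=fake_key,
+sign=pretend.call_recorder(lambda *a: pretend.stub(keyid="key1")),
+),
+pretend.stub(
+key_dict=fake_key,
+sign=pretend.call_recorder(lambda *a: pretend.stub(keyid="key2")),
+),
+]
 
 top_roles_payload = dict()
 for role in TOP_LEVEL_ROLE_NAMES:
-top_roles_payload[role] = [fake_key, fake_key]
+top_roles_payload[role] = fake_signers
 
 tuf_repository.load_role = pretend.call_recorder(lambda *a, **kw: None)
 tuf_repository._store = pretend.call_recorder(lambda *a, **kw: None)
@@ -315,9 +342,20 @@ def test_initialization_store_false(self, tuf_repository):
 ),
 },
 }
+fake_signers = [
+pretend.stub(
+key_dict=fake_key,
+sign=pretend.call_recorder(lambda *a: pretend.stub(keyid="key1")),
+),
+pretend.stub(
+key_dict=fake_key,
+sign=pretend.call_recorder(lambda *a: pretend.stub(keyid="key2")),
+),
+]
+
 top_roles_payload = dict()
 for role in TOP_LEVEL_ROLE_NAMES:
-top_roles_payload[role] = [fake_key, fake_key]
+top_roles_payload[role] = fake_signers
 
 tuf_repository.load_role = pretend.call_recorder(lambda *a, **kw: None)
 tuf_repository._store = pretend.call_recorder(lambda *a, **kw: None)
@@ -365,9 +403,15 @@ def test_initialization_threshold_more_than_keys(self, tuf_repository):
 ),
 },
 }
+fake_signers = [
+pretend.stub(
+key_dict=fake_key,
+sign=pretend.call_recorder(lambda *a: pretend.stub(keyid="key1")),
+)
+]
 top_roles_payload = dict()
 for role in TOP_LEVEL_ROLE_NAMES:
-top_roles_payload[role] = [fake_key]
+top_roles_payload[role] = fake_signers
 
 tuf_repository.load_role = pretend.call_recorder(lambda *a, **kw: None)
 tuf_repository._store = pretend.call_recorder(lambda *a, **kw: None)
@@ -409,7 +453,12 @@ def test_delegate_targets_roles(self, tuf_repository):
 ),
 },
 }
-payload = {"xxxx-yyyy": [fake_key]}
+fake_signers = [
+pretend.stub(
+key_dict=fake_key, sign=pretend.call_recorder(lambda *a: "key1")
+)
+]
+payload = {"xxxx-yyyy": fake_signers}
 fake_targets_md = pretend.stub(
 signed=pretend.stub(
 delegations=None,
@@ -449,7 +498,7 @@ def test_delegate_targets_roles(self, tuf_repository):
 rolename="xxxx-yyyy",
 role_metadata=fake_targets_md,
 role_expires=fake_time,
-key_rolename=None,
+signers=None,
 store=True,
 )
 ]
@@ -463,22 +512,27 @@ def test_delegate_targets_roles(self, tuf_repository):
 def test_bump_role_version(self, tuf_repository):
 fake_time = datetime.datetime(2019, 6, 16, 9, 5, 1)
 fake_new_time = datetime.datetime(2022, 6, 16, 9, 5, 1)
+fake_signers = [
+pretend.stub(
+key_dict={"keyid": "fake_id"},
+sign=pretend.call_recorder(lambda *a: "key1"),
+)
+]
 initial_version = 1983
 fake_role_metadata = pretend.stub(
 signed=pretend.stub(expires=fake_time, version=initial_version),
 sign=lambda *a, **kw: None,
 )
 
 tuf_repository.key_backend = pretend.stub(
-get=pretend.call_recorder(lambda role: [{"key": "key_data"}])
+get=pretend.call_recorder(lambda role: fake_signers)
 )
 
 result = tuf_repository.bump_role_version(
-"fake_role", fake_role_metadata, fake_new_time
+"fake_role", fake_role_metadata, fake_new_time, fake_signers
 )
 assert result.signed.version == initial_version + 1
 assert result.signed.expires == fake_new_time
-assert tuf_repository.key_backend.get.calls == [pretend.call("fake_role")]
 
 def test_bump_role_version_store_true(self, tuf_repository):
 fake_time = datetime.datetime(2019, 6, 16, 9, 5, 1)
@@ -488,17 +542,19 @@ def test_bump_role_version_store_true(self, tuf_repository):
 signed=pretend.stub(expires=fake_time, version=initial_version),
 sign=lambda *a, **kw: None,
 )
+fake_signers = [
+pretend.stub(
+key_dict={"keyid": "fake_id"},
+sign=pretend.call_recorder(lambda *a: "key1"),
+)
+]
 
-tuf_repository.key_backend = pretend.stub(
-get=pretend.call_recorder(lambda role: [{"key": "key_data"}])
-)
 tuf_repository._store = pretend.call_recorder(lambda rolename, role_md: None)
 result = tuf_repository.bump_role_version(
-"fake_role", fake_role_metadata, fake_new_time, store=True
+"fake_role", fake_role_metadata, fake_new_time, fake_signers, store=True
 )
 assert result.signed.version == initial_version + 1
 assert result.signed.expires == fake_new_time
-assert tuf_repository.key_backend.get.calls == [pretend.call("fake_role")]
 assert tuf_repository._store.calls == [
 pretend.call("fake_role", fake_role_metadata)
 ]
@@ -511,17 +567,18 @@ def test_bump_role_version_with_key_rolename(self, tuf_repository):
 signed=pretend.stub(expires=fake_time, version=initial_version),
 sign=lambda *a, **kw: None,
 )
-
-tuf_repository.key_backend = pretend.stub(
-get=pretend.call_recorder(lambda role: [{"key": "key_data"}])
-)
+fake_signers = [
+pretend.stub(
+key_dict={"keyid": "fake_id"},
+sign=pretend.call_recorder(lambda *a: "key1"),
+)
+]
 
 result = tuf_repository.bump_role_version(
-"fake_role", fake_role_metadata, fake_new_time, "key_role_name"
+"fake_role", fake_role_metadata, fake_new_time, fake_signers
 )
 assert result.signed.version == initial_version + 1
 assert result.signed.expires == fake_new_time
-assert tuf_repository.key_backend.get.calls == [pretend.call("key_role_name")]
 
 def test_bump_timestamp_version(self, tuf_repository):
 fake_time = datetime.datetime(2019, 6, 16, 9, 5, 1)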
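Review bot: None of the three `bump_role_version` tests (new lines 512–582) checks that the metadata is actually signed with the signers passed in: `fake_role_metadata.sign` is a plain `lambda *a, **kw: None`, and the only signing-related assertion, on `key_backend.get.calls`, is removed. A regression that bumps version and expiry but never calls `sign` would still pass; changing the stub to `sign=pretend.call_recorder(lambda *a, **kw: None)` and asserting on `fake_role_metadata.sign.calls` (one call per entry in `fake_signers`) would pin that, with the exact call arguments depending on `bump_role_version`, which is not shown here. `test_bump_role_version` also still assigns `tuf_repository.key_backend` although no assertion reads it any more, and `test_bump_role_version_with_key_rolename` is now the same test under a stale name, so it could be renamed or dropped.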

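--- a/tests/unit/tuf/test_services.py
+++ b/tests/unit/tuf/test_services.py
@@ -61,7 +61,7 @@ def test_get(self, db_request, monkeypatch):
 
 root_keyid = service.get("root")
 
-assert root_keyid == [expected_priv_key_dict]
+assert root_keyid[0].key_dict == expected_priv_key_dict
 
 
 class TestLocalStorageService:
@@ -420,10 +420,14 @@ def test_init_repository_already_initialized(self, db_request, monkeypatch):
 
 def test_init_targets_delegation(self, db_request, monkeypatch):
 fake_storage = pretend.stub()
-fake_key_storage = pretend.stub(
-get=pretend.call_recorder(
-lambda role: [{"keyid": "key1"}, {"keyid": "key2"}]
+fake_signers = [
+pretend.stub(
+key_dict={"keyid": "fake_id"},
+sign=pretend.call_recorder(lambda *a: "key1"),
 )
+]
+fake_key_storage = pretend.stub(
+get=pretend.call_recorder(lambda role: fake_signers)
 )
 
 fake_time = datetime.datetime(2019, 6, 16, 9, 5, 1)
@@ -463,12 +467,12 @@ def test_init_targets_delegation(self, db_request, monkeypatch):
 assert sorted(["targets", "bins"]) == sorted(list(call_args.keys()))
 assert len(call_args["targets"]) == 1
 assert type(call_args["targets"][0][0]) == services.DelegatedRole
-assert call_args["targets"][0][1] == [{"keyid": "key1"}, {"keyid": "key2"}]
+assert call_args["targets"][0][1][0].key_dict == {"keyid": "fake_id"}
 assert (
 len(call_args["bins"]) == 16384
 ) # PEP458 https://peps.python.org/pep-0458/#metadata-scalability
 assert type(call_args["bins"][0][0]) == services.DelegatedRole
-assert call_args["bins"][0][1] == [{"keyid": "key1"}, {"keyid": "key2"}]
+assert call_args["bins"][0][1][0].key_dict == {"keyid": "fake_id"}
 # 1 target + # PEP458 https://peps.python.org/pep-0458/#metadata-scalability
 assert len(fake_metadata_repository._set_expiration_for_role.calls) == 16385
 
@@ -558,8 +562,14 @@ def test_bump_snapshot_specific_snapshot_metadata(self, db_request, monkeypatch)
 
 def test_bump_bin_n_roles(self, db_request, monkeypatch):
 fake_storage = pretend.stub()
+fake_signers = [
+pretend.stub(
+key_dict={"keyid": "fake_id"},
+sign=pretend.call_recorder(lambda *a: "key1"),
+)
+]
 fake_key_storage = pretend.stub(
-get=pretend.call_recorder(lambda role: "fake_key")
+get=pretend.call_recorder(lambda role: fake_signers)
 )
 
 fake_time = datetime.datetime(2019, 6, 16, 9, 5, 1)
@@ -592,6 +602,7 @@ def test_bump_bin_n_roles(self, db_request, monkeypatch):
 ),
 timestamp_bump_version=pretend.call_recorder(lambda *a, **kw: None),
 _set_expiration_for_role=pretend.call_recorder(lambda *a: fake_datetime),
+_key_storage_backend=pretend.call_recorder(lambda *a: fake_signers),
 )
 monkeypatch.setattr(
 "warehouse.tuf.services.MetadataRepository",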
