Support 'metadata update' in 'sign_metadata' task (#355)
* Support 'metadata update' in 'sign_metadata' task

Implement support for distributed asynchronous root metadata signing in the course of a "metadata update" event. Other than the already supported "bootstrap" signing event, signatures added to root during "metadata update" must validate with keys from trusted OR new root, and meet the signature threshold of trusted AND new root.

*Related changes:*
- Ignore obsolete "rolename" in sign_metadata payload. We only support root, and check the type when loading "ROOT_SIGNING".
- Refactor `_validate_{signature, threshold}` helpers to accept an optional delegator (e.g. trusted root).
- Add local `_result` helper to return a "sign metadata"-specific task result.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Fix failing tests for sign_metadata

- remove obsolete "test_sign_metadata_root_signing_no_bootstrap"
  Now, if there is no ongoing "bootstrap", we just assume there is an ongoing "metadata update".
- adopt changes in "test_sign_metadata_invalid_role_type"
  - new expected error message
  - fail earlier, before consulting with "BOOTSTRAP" state variable

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Add test_sign_metadata__update__invalid_signature

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Add test_sign_metadata__update__invalid_threshold

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Add test_sign_metadata__update__finalize

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Refactor test_sign_metadata__update* and add cases

Combine existing sign_metadata/update metadata tests in a single parametrized test method and add additional test cases for different return values from internal `_validate_{signature, threshold}` calls, in order to test correct usage of OR/AND operators:
- signature must be valid according to trusted OR new root
- threshold must be met according to trusted AND new root

Note: The test removes asserts for internal method calls, which don't seem so interesting, as long as we get the expected result.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Address misc review comments in sign_metadata

- Use elif instead of else where appropriate
- Remove blank line in docstrings
- Clarify comment about signature/threshold validation

Co-authored-by: Martin Vrachev <martin.vrachev@gmail.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Assert _root_metadata_update result in sign_metadata

This is a temporary measure until after _root_metadata_update has been refactored (see code comment) to not fail silently, e.g. in tests that mock the argument passed to _root_metadata_update.

This commit also updates the related tests to now mock the `_root_metadata_update` result too, as the wrong result would no longer fail silently.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Check 'role' field in 'sign_metadata' payload

'sign_metadata' only supports root, thus the role in the payload is not relevant, and was ignored previously. For consistency, this commit adds a check that the role is indeed root and fails otherwise.

This is also tested by adding another column to the test table of test_sign_metadata__update, used to patch the default payload in test runs.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Re-use part of _root_metadata_update

Factor out "finalize" part of _root_metadata_update to re-use in sign_metadata. Prior to this commit, sign_metadata would call _root_metadata_update duplicating much of the verification behavior, although it only cared for the finalization part. Now, it can call into the desired subroutine only.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Support partially signed metadata in metadata_update

Update `_root_metadata_update` subroutine of `metadata_update` task interface to accept partially signed metadata. If the required threshold is not met, the passed metadata is written to the "ROOT_SIGNING" repository setting and the task returns with a "pending signatures" message. Missing signatures can then be added using the `sign_metadata` task interface, which also finalizes the metadata update, as soon as the threshold is reached.

NOTE: Currently, there is no sanity check of signatures below the threshold. A useful check might be, that passed metadata has at least 1 initial and only valid signatures, akin to bootstrap. #367 will make this a lot easier.

This change also includes a reordering of the validation routine to check the version increment prior to signature threshold. Otherwise, a bad version would only be detected after all signatures have been added.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Rename two boolean variables in sign_metadata

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Change test_sign_metadata__update test style

Use test copy pasta instead of @parametrize.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

* Remove unused mocks in test_sign_metadata__update

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>

---------

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Co-authored-by: Martin Vrachev <martin.vrachev@gmail.com>
Co-authored-by: Kairo Araujo <kdearaujo@vmware.com>
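The acceptance rule the commit message describes for a root "metadata update" (every signature must verify with a key from the trusted OR the new root; the threshold must be met against the trusted AND the new root; the version increment is checked before anyone is asked for more signatures) is shown below as an added, self-contained example. It is not code from the repository-service-tuf-worker project and does not use its `_validate_signature`/`_validate_threshold` helpers or its `ROOT_SIGNING` setting; the `Root` layout, the `validate_root_update` function, the "version must be exactly trusted + 1" rule and the HMAC-SHA256 tags standing in for real TUF signatures are all assumptions made so the example runs on the Python standard library alone.

```python
"""Added example, not project code: the root-update acceptance rule sketched in
the commit message, over a simplified root layout (assumed for this example).

Rules checked, in order:
  1. the candidate root's version is the trusted version + 1 (checked first, so a
     bad version is rejected before anyone is asked for more signatures)
  2. every attached signature verifies with a key found in the trusted OR the
     candidate root; an unknown keyid or a bad signature is an error
  3. the number of distinct valid signers counted against the trusted root's
     keys meets its threshold AND the count against the candidate root's keys
     meets the candidate's threshold; otherwise the update stays pending

Signatures are HMAC-SHA256 tags over the canonical JSON of the signed portion,
a stdlib stand-in for the Ed25519/RSA signatures a real TUF deployment uses.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass


@dataclass(frozen=True)
class Root:
    version: int
    threshold: int
    keys: dict  # keyid -> verification key; an HMAC secret in this stand-in

    def signed(self):
        # The part a signature covers: everything except the signatures.
        return {"_type": "root", "version": self.version,
                "threshold": self.threshold, "keyids": sorted(self.keys)}


def canonical(signed):
    return json.dumps(signed, sort_keys=True, separators=(",", ":")).encode()


def sign(key, root):
    return hmac.new(key, canonical(root.signed()), hashlib.sha256).hexdigest()


def verify(key, root, sig):
    return hmac.compare_digest(sign(key, root), sig)


def validate_root_update(trusted, candidate, signatures):
    """Apply the three rules to `candidate`, signed by `signatures` (keyid -> sig).

    Returns ("invalid_version",), ("invalid_signature", keyid),
    ("pending", n_trusted, n_new) or ("accepted",).
    """
    # 1. Version first: no point collecting signatures on a root that can
    #    never be accepted.
    if candidate.version != trusted.version + 1:
        return ("invalid_version",)

    # 2. Each signature must verify with a key from trusted OR candidate root.
    #    Keyids are unique per key in TUF, so a dict already gives one
    #    signature per signer; the sets below count distinct signers, not tags.
    signers_trusted, signers_new = set(), set()
    for keyid, sig in signatures.items():
        key = trusted.keys.get(keyid) or candidate.keys.get(keyid)
        if key is None or not verify(key, candidate, sig):
            return ("invalid_signature", keyid)
        if keyid in trusted.keys:
            signers_trusted.add(keyid)
        if keyid in candidate.keys:
            signers_new.add(keyid)

    # 3. Threshold must be met against trusted AND candidate root.
    if (len(signers_trusted) >= trusted.threshold
            and len(signers_new) >= candidate.threshold):
        return ("accepted",)
    return ("pending", len(signers_trusted), len(signers_new))


# Constructed fixture: rotate k1 out and k4 in, keeping threshold 2.
KEYS = {f"k{i}": f"secret-{i}".encode() for i in range(1, 5)}
TRUSTED = Root(version=1, threshold=2, keys={k: KEYS[k] for k in ("k1", "k2", "k3")})
CANDIDATE = Root(version=2, threshold=2, keys={k: KEYS[k] for k in ("k2", "k3", "k4")})
SKIPPED = Root(version=3, threshold=2, keys=CANDIDATE.keys)  # bad version jump


def signed_by(root, *keyids):
    return {k: sign(KEYS[k], root) for k in keyids}


def demo():
    return {
        # two trusted-root keys, but only one of them is still in the new root
        "k1+k2": validate_root_update(TRUSTED, CANDIDATE, signed_by(CANDIDATE, "k1", "k2")),
        # k1 counts only for trusted, k4 only for new: both thresholds met
        "k1+k2+k4": validate_root_update(TRUSTED, CANDIDATE, signed_by(CANDIDATE, "k1", "k2", "k4")),
        # k2 and k3 are in both roots: both thresholds met with two signers
        "k2+k3": validate_root_update(TRUSTED, CANDIDATE, signed_by(CANDIDATE, "k2", "k3")),
        # a signature over the old (trusted) payload is rejected outright
        "stale_sig": validate_root_update(TRUSTED, CANDIDATE, {"k2": sign(KEYS["k2"], TRUSTED)}),
        # a keyid unknown to either root is rejected, not silently ignored
        "unknown_key": validate_root_update(TRUSTED, CANDIDATE, {"k9": "00"}),
        # a version jump is caught before any signature is examined
        "bad_version": validate_root_update(TRUSTED, SKIPPED, signed_by(SKIPPED, "k2", "k3")),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:12} -> {result}")
```

The "k1+k2" case is the one worth staring at: two valid signatures from the trusted root are enough under the old policy, but since k1 has been rotated out the new root has only one signer, so the update has to stay pending until a k3 or k4 signature arrives. Counting distinct keyids rather than signature objects is what keeps a signer from meeting a threshold by attaching the same signature twice.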