Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
targets_roleinfo['threshold'] = old_threshold
tuf.roledb.update_roleinfo('targets', targets_roleinfo,
repository_name=repository_name)
# Verify that status() does not raise
# 'tuf.exceptions.InsufficientKeysError' if a delegated role
# does not contain a threshold of keys.
role1_roleinfo = tuf.roledb.get_roleinfo('role1', repository_name)
old_role1_threshold = role1_roleinfo['threshold']
role1_roleinfo['threshold'] = 10
tuf.roledb.update_roleinfo('role1', role1_roleinfo,
repository_name=repository_name)
repository.status()
# Restore role1's threshold.
role1_roleinfo = tuf.roledb.get_roleinfo('role1', repository_name)
role1_roleinfo['threshold'] = old_role1_threshold
tuf.roledb.update_roleinfo('role1', role1_roleinfo,
repository_name=repository_name)
# Verify status() does not raise 'tuf.exceptions.UnsignedMetadataError' if any of the
# the top-level roles. Test that 'root' is improperly signed.
repository.root.unload_signing_key(root_privkey)
repository.root.load_signing_key(targets_privkey)
repository.status()
repository.targets('role1').unload_signing_key(role1_privkey)
repository.targets('role1').load_signing_key(targets_privkey)
repository.status()
# Reset Root and 'role1', and verify Targets.
repository.root.unload_signing_key(targets_privkey)
os.path.join(self.repository_directory, 'metadata'))
# The client performs a refresh of top-level metadata to get the latest
# changes.
self.repository_updater.refresh()
# Verify that the client is able to recognize that a new set of keys have
# been added to the Snapshot role.
# First, has 'snapshot_keyid' been removed?
snapshot_roleinfo = tuf.roledb.get_roleinfo('snapshot', self.repository_name)
self.assertTrue(snapshot_keyid not in snapshot_roleinfo['keyids'])
# Second, is Snapshot's new key correct? The new key should be
# Timestamp's.
self.assertEqual(len(snapshot_roleinfo['keyids']), 1)
timestamp_roleinfo = tuf.roledb.get_roleinfo('timestamp', self.repository_name)
self.assertEqual(snapshot_roleinfo['keyids'], timestamp_roleinfo['keyids'])
project = developer_tool.load_project(local_tmp)
# Check against backup.
self.assertEqual(list(project.target_files.keys()), list(targets_backup.keys()))
new_delegations = tuf.roledb.get_delegated_rolenames(project.project_name)
self.assertEqual(new_delegations, delegations_backup)
self.assertEqual(project.layout_type, layout_type_backup)
self.assertEqual(project.keys, keys_backup)
self.assertEqual(project('delegation').keys, delegation_keys_backup)
self.assertEqual(project.prefix, prefix_backup)
self.assertEqual(project.project_name, name_backup)
roleinfo = tuf.roledb.get_roleinfo(project.project_name)
self.assertEqual(roleinfo['partial_loaded'], True)
# Load_signing_keys.
project('delegation').load_signing_key(delegation_private_key)
project.status()
project.load_signing_key(project_private_key)
# Backup everything.
# + backup targets.
targets_backup = project.target_files
_generate_and_write_metadata('snapshot', snapshot_filename,
targets_directory, metadata_directory, False, filenames,
repository_name=repository_name)
_log_status('snapshot', signable, repository_name)
except tuf.exceptions.UnsignedMetadataError as e:
_log_status('snapshot', e.signable, repository_name)
return
finally:
tuf.roledb.unmark_dirty(['snapshot'], repository_name)
tuf.roledb.update_roleinfo('snapshot', snapshot_roleinfo,
mark_role_as_dirty=snapshot_is_dirty, repository_name=repository_name)
# Verify the metadata of the Timestamp role.
timestamp_roleinfo = tuf.roledb.get_roleinfo('timestamp', repository_name)
timestamp_is_dirty = None
if 'timestamp' in dirty_rolenames:
timestamp_is_dirty = True
else:
timestamp_is_dirty = False
filenames = {'snapshot': snapshot_filename}
try:
signable, timestamp_filename = \
_generate_and_write_metadata('timestamp', timestamp_filename,
targets_directory, metadata_directory, False, filenames,
repository_name=repository_name)
_log_status('timestamp', signable, repository_name)
except tuf.exceptions.UnsignedMetadataError as e:
Updates the role's 'tuf.roledb.py' entry.
None.
"""
# Does 'key' have the correct format?
# Ensure the arguments have the appropriate number of objects and object
# types, and that all dict keys are properly named.
# Raise 'tuf.FormatError' if any are improperly formatted.
tuf.formats.ANYKEY_SCHEMA.check_match(key)
keyid = key['keyid']
roleinfo = tuf.roledb.get_roleinfo(self.rolename)
if keyid in roleinfo['keyids']:
roleinfo['keyids'].remove(keyid)
tuf.roledb.update_roleinfo(self._rolename, roleinfo)
repository.targets.load_signing_key(targets_private)
# Load the top-level keys for Snapshot and Timestamp to make a new release.
# Automatically making a new release can be disabled via --no_release.
if not parsed_arguments.no_release:
snapshot_private = import_privatekey_from_file(
os.path.join(parsed_arguments.path, KEYSTORE_DIR, SNAPSHOT_KEY_NAME),
parsed_arguments.snapshot_pw)
timestamp_private = import_privatekey_from_file(
os.path.join(parsed_arguments.path, KEYSTORE_DIR,
TIMESTAMP_KEY_NAME), parsed_arguments.timestamp_pw)
repository.snapshot.load_signing_key(snapshot_private)
repository.timestamp.load_signing_key(timestamp_private)
consistent_snapshot = tuf.roledb.get_roleinfo('root',
repository._repository_name)['consistent_snapshot']
repository.writeall(consistent_snapshot=consistent_snapshot)
# Move staged metadata directory to "live" metadata directory.
write_to_live_repo(parsed_arguments)
Adds 'signature', if not already added, to the role's 'signatures' field
in 'tuf.roledb.py'.
None.
"""
# Does 'signature' have the correct format?
# Ensure the arguments have the appropriate number of objects and object
# types, and that all dict keys are properly named.
# Raise 'tuf.FormatError' if any are improperly formatted.
tuf.formats.SIGNATURE_SCHEMA.check_match(signature)
roleinfo = tuf.roledb.get_roleinfo(self.rolename)
# Ensure the roleinf contains a 'signatures' field.
if 'signatures' not in roleinfo:
roleinfo['signatures'] = []
# Update the role's roleinfo by adding 'signature', if it has not been
# added.
if signature not in roleinfo['signatures']:
roleinfo['signatures'].append(signature)
tuf.roledb.update_roleinfo(self.rolename, roleinfo)
# Update the required top-level roles, Snapshot and Timestamp, to make a new
# release. Automatically making a new release can be disabled via
# --no_release.
if not parsed_arguments.no_release:
snapshot_private = import_privatekey_from_file(
os.path.join(parsed_arguments.path, KEYSTORE_DIR, SNAPSHOT_KEY_NAME),
parsed_arguments.snapshot_pw)
timestamp_private = import_privatekey_from_file(
os.path.join(parsed_arguments.path, KEYSTORE_DIR,
TIMESTAMP_KEY_NAME), parsed_arguments.timestamp_pw)
repository.snapshot.load_signing_key(snapshot_private)
repository.timestamp.load_signing_key(timestamp_private)
consistent_snapshot = tuf.roledb.get_roleinfo('root',
repository._repository_name)['consistent_snapshot']
repository.writeall(consistent_snapshot=consistent_snapshot)
# Move staged metadata directory to "live" metadata directory.
write_to_live_repo(parsed_arguments)
# Raise 'tuf.FormatError' if any are improperly formatted.
tuf.formats.BOOLEAN_SCHEMA.check_match(write_partial)
# At this point the tuf.keydb and tuf.roledb stores must be fully
# populated, otherwise write() throwns a 'tuf.Repository' exception if
# any of the top-level roles are missing signatures, keys, etc.
filenames = get_metadata_filenames(self._metadata_directory)
root_filename = filenames[ROOT_FILENAME]
targets_filename = filenames[TARGETS_FILENAME]
release_filename = filenames[RELEASE_FILENAME]
timestamp_filename = filenames[TIMESTAMP_FILENAME]
# Write the metadata files of all the delegated roles.
delegated_roles = tuf.roledb.get_delegated_rolenames('targets')
for delegated_role in delegated_roles:
roleinfo = tuf.roledb.get_roleinfo(delegated_role)
write_delegated_metadata_file(self._repository_directory,
self._targets_directory,
delegated_role, roleinfo, write_partial)
# Generate the 'root.txt' metadata file.
# _generate_and_write_metadata() raises a 'tuf.Error' exception if the
# metadata cannot be written.
_generate_and_write_metadata('root', filenames, write_partial,
self._targets_directory,
self._metadata_directory)
# Generate the 'targets.txt' metadata file.
_generate_and_write_metadata('targets', filenames, write_partial,
self._targets_directory,
self._metadata_directory)
# Verify that the top-level roles contain a valid number of public keys and
# that their corresponding private keys have been loaded.
for rolename in ['root', 'targets', 'snapshot', 'timestamp']:
try:
_check_role_keys(rolename, repository_name)
except securesystemslib.exceptions.InsufficientKeysError as e:
logger.info(str(e))
# Do the top-level roles contain a valid threshold of signatures? Top-level
# metadata is verified in Root -> Targets -> Snapshot -> Timestamp order.
# Verify the metadata of the Root role.
dirty_rolenames = tuf.roledb.get_dirty_roles(repository_name)
root_roleinfo = tuf.roledb.get_roleinfo('root', repository_name)
root_is_dirty = None
if 'root' in dirty_rolenames:
root_is_dirty = True
else:
root_is_dirty = False
try:
signable, root_filename = \
_generate_and_write_metadata('root', root_filename, targets_directory,
metadata_directory, repository_name=repository_name)
_log_status('root', signable, repository_name)
# 'tuf.exceptions.UnsignedMetadataError' raised if metadata contains an
# invalid threshold of signatures. log the valid/threshold message, where
# valid < threshold.