
Commit 7642140

committed
Updated delegation information in repository_tool to use different keydbs
for delegations and added parent_role to roledb entries for delegations

Signed-off-by: marinamoore <[email protected]>
1 parent 5b57fa0 commit 7642140


3 files changed

+21
-9
lines changed


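--- a/tests/test_updater.py
+++ b/tests/test_updater.py
@@ -1171,8 +1171,8 @@ def test_6_get_one_valid_targetinfo(self):
 repository.targets('role4').add_target(foo_package)
 
 repository.targets.load_signing_key(self.role_keys['targets']['private'])
-repository.targets('role3').load_signing_key(self.role_keys['targets']['private'])
-repository.targets('role4').load_signing_key(self.role_keys['targets']['private'])
+repository.targets('role3').load_signing_key(self.role_keys['targets']['private'], 'targets')
+repository.targets('role4').load_signing_key(self.role_keys['targets']['private'], 'targets')
 repository.snapshot.load_signing_key(self.role_keys['snapshot']['private'])
 repository.timestamp.load_signing_key(self.role_keys['timestamp']['private'])
 repository.writeall()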
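Review bot: The new second argument `'targets'` to `load_signing_key` is passed positionally, and nothing in this commit changes `load_signing_key` itself, so the test relies on that method already accepting a delegating-role name; if it does and its parameter is named like the one added to `add_verification_key`, the keyword form `load_signing_key(self.role_keys['targets']['private'], delegating_rolename='targets')` would state the intent and survive parameter reordering. Only one level of delegation from `targets` is exercised here; a delegation made by `role3` to a further role would exercise the non-default `'<repository_name> role3'` keydb path this commit introduces and deserves its own case. `test_6_get_one_valid_targetinfo` begins and continues outside the hunk shown.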

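--- a/tuf/developer_tool.py
+++ b/tuf/developer_tool.py
@@ -289,7 +289,7 @@ def write(self, write_partial=False):
 
 
 
-def add_verification_key(self, key, expires=None):
+def add_verification_key(self, key, expires=None, delegating_rolename='root'):
 """
 <Purpose>
 Function as a thin wrapper call for the project._targets call
@@ -322,7 +322,7 @@ def add_verification_key(self, key, expires=None):
 if len(self.keys) > 0:
 raise securesystemslib.exceptions.Error("This project already contains a key.")
 
-super(Project, self).add_verification_key(key, expires)
+super(Project, self).add_verification_key(key, expires, delegating_rolename)
 
 
 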
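Review bot: `Project.add_verification_key` gains `delegating_rolename='root'` and forwards it to the base class, but the docstring that starts right after the signature (it continues outside the first hunk) is left describing only `key` and `expires`; add an `<Arguments>` entry such as `delegating_rolename: Name of the role that delegates to this one. 'root' (the default) keeps the key in the repository's default keydb; any other value selects the '<repository_name> <delegating_rolename>' keydb.` Passing the value positionally to `super().add_verification_key(key, expires, delegating_rolename)` also ties this wrapper to the base signature's parameter order; `delegating_rolename=delegating_rolename` is safer. The rest of the method lies outside the hunks shown.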

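--- a/tuf/repository_tool.py
+++ b/tuf/repository_tool.py
@@ -682,7 +682,7 @@ def __init__(self):
 self._repository_name = None
 
 
-def add_verification_key(self, key, expires=None):
+def add_verification_key(self, key, expires=None, delegating_rolename='root'):
 """
 <Purpose>
 Add 'key' to the role. Adding a key, which should contain only the
@@ -728,6 +728,12 @@ def add_verification_key(self, key, expires=None):
 # 'securesystemslib.exceptions.FormatError' if any are improperly formatted.
 securesystemslib.formats.ANYKEY_SCHEMA.check_match(key)
 
+# top level roles go in the default keydb, delegated roles go in the keydb
+# of their parent role
+repository_name = self._repository_name
+if delegating_rolename != 'root':
+repository_name = repository_name + ' ' + delegating_rolename
+
 # If 'expires' is unset, choose a default expiration for 'key'. By
 # default, Root, Targets, Snapshot, and Timestamp keys are set to expire
 # 1 year, 3 months, 1 week, and 1 day from the current time, respectively.
@@ -779,7 +785,7 @@ def add_verification_key(self, key, expires=None):
 # Keys may be shared, so do not raise an exception if 'key' has already
 # been loaded.
 try:
-tuf.keydb.add_key(key, repository_name=self._repository_name)
+tuf.keydb.add_key(key, repository_name=repository_name)
 
 except tuf.exceptions.KeyAlreadyExistsError:
 logger.warning('Adding a verification key that has already been used.')
@@ -797,7 +803,7 @@ def add_verification_key(self, key, expires=None):
 roleinfo['keyids'].append(keyid)
 roleinfo['previous_keyids'] = previous_keyids
 
-tuf.roledb.update_roleinfo(self._rolename, roleinfo,
+tuf.roledb.update_roleinfo(self.rolename, roleinfo,
 repository_name=self._repository_name)
 
 
@@ -2251,7 +2257,8 @@ def _create_delegated_target(self, rolename, keyids, threshold, paths):
 roleinfo = {'name': rolename, 'keyids': keyids, 'signing_keyids': [],
 'threshold': threshold, 'version': 0,
 'expires': expiration, 'signatures': [], 'partial_loaded': False,
-'paths': paths, 'delegations': {'keys': {}, 'roles': []}}
+'paths': paths, 'delegations': {'keys': {}, 'roles': []},
+'parent_role' : self._parent_targets_object.rolename}
 
 # The new targets object is added as an attribute to this Targets object.
 new_targets_object = Targets(self._targets_directory, rolename, roleinfo,
@@ -2425,8 +2432,13 @@ def delegate(self, rolename, public_keys, paths, threshold=1,
 del roleinfo['paths']
 
 # Update the public keys of 'new_targets_object'.
+try:
+tuf.keydb.create_keydb(self._repository_name + ' ' + self._rolename)
+except securesystemslib.exceptions.InvalidNameError:
+# keydb already created
+pass
 for key in public_keys:
-new_targets_object.add_verification_key(key, delegating_rolename=self._rolename)
+new_targets_object.add_verification_key(key, delegating_rolename=self._rolename)
 
 # Add the new delegation to the top-level 'targets' role object (i.e.,
 # 'repository.targets()'). For example, 'django', which was delegated by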
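Review bot: `parent_role` in `_create_delegated_target` is taken from `self._parent_targets_object.rolename`, while `delegate()` names the keydb after `self._rolename` and passes `delegating_rolename=self._rolename`; unless `_parent_targets_object` is always the immediate delegating object (not shown in these hunks), a delegation made by an already-delegated role records one parent in the roledb and stores its keys under another. Which keydb is consulted is now the decision about which keys may vouch for a delegated role, so the two sites must agree; the one-line fix is `'parent_role' : self._rolename`, with later lookups deriving the keydb name from `parent_role` instead of recomputing it. The `' '`-joined name `self._repository_name + ' ' + self._rolename` is also ambiguous if repository or role names may contain spaces, and raises `TypeError` while `_repository_name` is still the `None` assigned in `__init__`, so a small helper such as `_delegation_keydb_name(parent_rolename)` that validates both parts would keep `add_verification_key`, `delegate` and the roledb entry consistent. The new `delegating_rolename` argument should also be described in the docstring's `<Arguments>` section, which lies outside the hunk. `add_verification_key`, `_create_delegated_target` and `delegate` each continue outside the hunks shown.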
