Merge pull request #1734 from MVrachev/securesystemslib-exceptions

lukpueh · web-flow · commit cb7bd6aff9be · 2022-01-27T16:58:10.000+01:00
Metadata API: Avoid raising securesystemslib exceptions
diff --git a/tests/test_api.py b/tests/test_api.py
@@ -13,8 +13,9 @@
 import sys
 import tempfile
 import unittest
+from copy import copy
 from datetime import datetime, timedelta
-from typing import ClassVar, Dict
+from typing import Any, ClassVar, Dict
 
 from securesystemslib import hash as sslib_hash
 from securesystemslib.interface import (
@@ -51,7 +52,7 @@ class TestMetadata(unittest.TestCase):
     temporary_directory: ClassVar[str]
     repo_dir: ClassVar[str]
     keystore_dir: ClassVar[str]
-    keystore: ClassVar[Dict[str, str]]
+    keystore: ClassVar[Dict[str, Dict[str, Any]]]
 
     @classmethod
     def setUpClass(cls) -> None:
@@ -126,6 +127,16 @@ def test_generic_read(self) -> None:
 
         os.remove(bad_metadata_path)
 
+    def test_md_read_write_file_exceptions(self) -> None:
+        # Test writing to a file with bad filename
+        with self.assertRaises(exceptions.StorageError):
+            Metadata.from_file("bad-metadata.json")
+
+        # Test serializing to a file with bad filename
+        with self.assertRaises(exceptions.StorageError):
+            md = Metadata.from_file(f"{self.repo_dir}/metadata/root.json")
+            md.to_file("")
+
     def test_compact_json(self) -> None:
         path = os.path.join(self.repo_dir, "metadata", "targets.json")
         md_obj = Metadata.from_file(path)
@@ -212,6 +223,17 @@ def test_sign_verify(self) -> None:
         with self.assertRaises(exceptions.UnsignedMetadataError):
             targets_key.verify_signature(md_obj)
 
+    def test_sign_failures(self) -> None:
+        # Test throwing UnsignedMetadataError because of signing problems
+        # related to bad information in the signer.
+        md = Metadata.from_file(f"{self.repo_dir}/metadata/snapshot.json")
+        key_dict = copy(self.keystore[Snapshot.type])
+        key_dict["keytype"] = "rsa"
+        key_dict["scheme"] = "bad_scheme"
+        sslib_signer = SSlibSigner(key_dict)
+        with self.assertRaises(exceptions.UnsignedMetadataError):
+            md.sign(sslib_signer)
+
     def test_verify_failures(self) -> None:
         root_path = os.path.join(self.repo_dir, "metadata", "root.json")
         root = Metadata[Root].from_file(root_path).signed
diff --git a/tuf/api/exceptions.py b/tuf/api/exceptions.py
@@ -10,6 +10,9 @@
 
 #### Repository errors ####
 
+# pylint: disable=unused-import
+from securesystemslib.exceptions import StorageError
+
 
 class RepositoryError(Exception):
     """An error with a repository's state, such as a missing file.
diff --git a/tuf/api/metadata.py b/tuf/api/metadata.py
@@ -183,7 +183,7 @@ def from_file(
                 a (local) FilesystemBackend is used.
 
         Raises:
-            securesystemslib.exceptions.StorageError: The file cannot be read.
+            exceptions.StorageError: The file cannot be read.
             tuf.api.serialization.DeserializationError:
                 The file cannot be deserialized.
 
@@ -275,8 +275,7 @@ def to_file(
         Raises:
             tuf.api.serialization.SerializationError:
                 The metadata object cannot be serialized.
-            securesystemslib.exceptions.StorageError:
-                The file cannot be written.
+            exceptions.StorageError: The file cannot be written.
         """
 
         bytes_data = self.to_bytes(serializer)
@@ -305,9 +304,7 @@ def sign(
         Raises:
             tuf.api.serialization.SerializationError:
                 'signed' cannot be serialized.
-            securesystemslib.exceptions.CryptoError, \
-                    securesystemslib.exceptions.UnsupportedAlgorithmError:
-                Signing errors.
+            exceptions.UnsignedMetadataError: Signing errors.
 
         Returns:
             Securesystemslib Signature object that was added into signatures.
@@ -320,7 +317,14 @@ def sign(
 
             signed_serializer = CanonicalJSONSerializer()
 
-        signature = signer.sign(signed_serializer.serialize(self.signed))
+        bytes_data = signed_serializer.serialize(self.signed)
+
+        try:
+            signature = signer.sign(bytes_data)
+        except Exception as e:
+            raise exceptions.UnsignedMetadataError(
+                "Problem signing the metadata"
+            ) from e
 
         if not append:
             self.signatures.clear()
