Ejemplo n.º 1
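def _make_role_metadata_wrapper(root_repo, func):
  """
  Run a signercli metadata-making function with its prompts patched.

  signercli's '_get_metadata_directory', '_prompt' and '_get_password' are
  saved on entry.  On exit they are put back and the keystore is cleared,
  even when 'func' raises, so a failing run cannot leave loaded keys or
  patched prompts behind for the next caller.

  root_repo: Directory that holds the 'tuf_repo' and 'reg_repo' directories.
  func: Callable invoked as func(keystore_dir).  When its __name__ is
    'make_targets_metadata', 'tuf_repo/targets' is first replaced by a copy
    of 'reg_repo'.
  """
  # Taken before anything is patched so the 'finally' clause can always
  # restore them.
  original_get_metadata_directory = signercli._get_metadata_directory
  original_prompt = signercli._prompt
  original_get_password = signercli._get_password

  tuf_repo = os.path.join(root_repo, 'tuf_repo')
  reg_repo = os.path.join(root_repo, 'reg_repo')
  targets_dir = os.path.join(tuf_repo, 'targets')
  metadata_dir = os.path.join(tuf_repo, 'metadata')
  keystore_dir = os.path.join(tuf_repo, 'keystore')
  conf_path = os.path.join(metadata_dir, 'config.cfg')

  try:
    # Presumably these module-level helpers install the signercli patches;
    # they are defined outside this block -- confirm against the module.
    _get_metadata_directory(metadata_dir)
    # Fixed fixture password: acceptable for throwaway test keys only.
    _get_password('test')

    if func.__name__ == 'make_targets_metadata':
      # The targets role is built from a fresh copy of the regular repository.
      shutil.rmtree(targets_dir)
      shutil.copytree(reg_repo, targets_dir)
      _make_metadata_mock_prompts(targets_dir, conf_path)
    else:
      _make_metadata_mock_prompts(reg_repo, conf_path)

    func(keystore_dir)
  finally:
    # Unload the keys and undo the patches unconditionally.
    keystore.clear_keystore()
    signercli._get_password = original_get_password
    signercli._prompt = original_prompt
    signercli._get_metadata_directory = original_get_metadata_directory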
Ejemplo n.º 2
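def _make_role_metadata_wrapper(root_repo, func):
    """
    Run a signercli metadata-making function with its prompts patched.

    The three signercli helpers patched for the run ('_get_metadata_directory',
    '_prompt', '_get_password') are restored and the keystore is cleared in a
    'finally' clause, so an exception from 'func' does not leave keys loaded
    or prompts patched.

    root_repo: Directory that holds the 'tuf_repo' and 'reg_repo' directories.
    func: Callable invoked as func(keystore_dir).  When its __name__ is
        'make_targets_metadata', 'tuf_repo/targets' is first replaced by a
        copy of 'reg_repo'.
    """
    # Expiration is 86400 seconds (one day) from now; everything from the last
    # ' UTC' onward is cut off before it is handed to the mock prompts.
    expiration = tuf.formats.format_time(time.time() + 86400)
    expiration = expiration[0:expiration.rfind(' UTC')]

    # Saved before any patching so they can always be put back.
    original_get_metadata_directory = signercli._get_metadata_directory
    original_prompt = signercli._prompt
    original_get_password = signercli._get_password

    tuf_repo = os.path.join(root_repo, 'tuf_repo')
    reg_repo = os.path.join(root_repo, 'reg_repo')
    targets_dir = os.path.join(tuf_repo, 'targets')
    metadata_dir = os.path.join(tuf_repo, 'metadata')
    keystore_dir = os.path.join(tuf_repo, 'keystore')
    conf_path = os.path.join(metadata_dir, 'config.cfg')

    try:
        # Presumably these module-level helpers install the signercli
        # patches; they are defined outside this block -- confirm.
        _get_metadata_directory(metadata_dir)
        _get_password(PASSWD)

        if func.__name__ == 'make_targets_metadata':
            # Targets metadata is generated over a fresh copy of 'reg_repo'.
            shutil.rmtree(targets_dir)
            shutil.copytree(reg_repo, targets_dir)
            _make_metadata_mock_prompts(targets_dir, conf_path, expiration)
        else:
            _make_metadata_mock_prompts(reg_repo, conf_path, expiration)

        func(keystore_dir)
    finally:
        # Runs on success and on failure alike: unload keys, undo patches.
        keystore.clear_keystore()
        signercli._get_password = original_get_password
        signercli._prompt = original_prompt
        signercli._get_metadata_directory = original_get_metadata_directory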
Ejemplo n.º 3
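def _make_role_metadata_wrapper(root_repo, func):
  """
  Call 'func(keystore_dir)' with signercli's interactive helpers patched.

  Whatever happens inside 'func', the keystore is cleared and the original
  signercli '_get_metadata_directory', '_prompt' and '_get_password' are put
  back before this function returns or propagates the exception.

  root_repo: Directory that holds the 'tuf_repo' and 'reg_repo' directories.
  func: Callable taking the keystore directory.  A function named
    'make_targets_metadata' gets 'tuf_repo/targets' rebuilt from 'reg_repo'
    first.
  """
  # One day (86400 s) ahead; the text from the last ' UTC' onward is dropped.
  expiration = tuf.formats.format_time(time.time()+86400)
  expiration = expiration[0:expiration.rfind(' UTC')]

  # Keep the originals so the 'finally' clause can reinstate them.
  original_get_metadata_directory = signercli._get_metadata_directory
  original_prompt = signercli._prompt
  original_get_password = signercli._get_password

  tuf_repo = os.path.join(root_repo, 'tuf_repo')
  reg_repo = os.path.join(root_repo, 'reg_repo')
  targets_dir = os.path.join(tuf_repo, 'targets')
  metadata_dir = os.path.join(tuf_repo, 'metadata')
  keystore_dir = os.path.join(tuf_repo, 'keystore')
  conf_path = os.path.join(metadata_dir, 'config.cfg')

  try:
    # Helpers defined elsewhere in the module; presumably they replace the
    # corresponding signercli functions -- confirm.
    _get_metadata_directory(metadata_dir)
    _get_password(PASSWD)

    if func.__name__ == 'make_targets_metadata':
      shutil.rmtree(targets_dir)
      shutil.copytree(reg_repo, targets_dir)
      _make_metadata_mock_prompts(targets_dir, conf_path, expiration)
    else:
      _make_metadata_mock_prompts(reg_repo, conf_path, expiration)

    func(keystore_dir)
  finally:
    # Without this clause a raising 'func' would leave keys in the keystore
    # and the patched prompts installed for every later caller.
    keystore.clear_keystore()
    signercli._get_password = original_get_password
    signercli._prompt = original_prompt
    signercli._get_metadata_directory = original_get_metadata_directory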
Ejemplo n.º 4
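def cleanup(root_repo, server_process=None):
    """
    Tear down what a test run created under 'root_repo'.

    Kills the server process if it has no return code yet, clears the
    keystore, deconfigures interposition when 'tuf.interposition.json' exists
    in 'root_repo', and removes the 'root_repo' directory tree.

    root_repo: Path of the repository root directory to remove.
    server_process: Optional process object exposing 'returncode' and
        'kill()'; nothing is killed when it is None.
    """
    if server_process is not None:
        if server_process.returncode is None:
            server_process.kill()

        logger.info('Server terminated.\n')

    # Clear the keystore so keys loaded during the run do not stay loaded.
    keystore.clear_keystore()

    # Deconfigure interposition.
    interpose_json = os.path.join(root_repo, 'tuf.interposition.json')
    if os.path.exists(interpose_json):
        tuf.interposition.deconfigure(filename=interpose_json)

    # Removing repository directory.  Removal stays best-effort, but a failure
    # is reported rather than hidden: a directory left on disk still holds
    # whatever the run wrote into it.
    try:
        shutil.rmtree(root_repo)
    except OSError as e:
        logger.warning('Could not remove %r: %s', root_repo, e)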
Ejemplo n.º 5
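def cleanup(root_repo, server_process=None):
  """
  Undo the test setup rooted at 'root_repo'.

  Steps, in order: kill the server process if it has no return code yet,
  clear the keystore, deconfigure interposition when its JSON file is present
  in 'root_repo', then delete the 'root_repo' tree.

  root_repo: Path of the repository root directory to remove.
  server_process: Optional process object exposing 'returncode' and 'kill()';
    skipped when None.
  """
  if server_process is not None:
    if server_process.returncode is None:
      server_process.kill()

    logger.info('Server terminated.\n')

  # Clear the keystore.
  keystore.clear_keystore()

  # Deconfigure interposition.
  interpose_json = os.path.join(root_repo, 'tuf.interposition.json')
  if os.path.exists(interpose_json):
    tuf.interposition.deconfigure(filename=interpose_json)

  # Removing repository directory.  Still best-effort, but the error is
  # logged so a directory that survives cleanup does not go unnoticed.
  try:
    shutil.rmtree(root_repo)
  except OSError as e:
    logger.warning('Could not remove %r: %s', root_repo, e)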
Ejemplo n.º 6
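def cleanup(root_repo, server_process=None):
    """
    Tear down what a test run created under 'root_repo'.

    Kills the server process if it has no return code yet, clears the
    keystore, deconfigures interposition when the module-level
    'tuf_configurations' is set (and resets it to None), and removes the
    'root_repo' directory tree.

    root_repo: Path of the repository root directory to remove.
    server_process: Optional process object exposing 'returncode' and
        'kill()'; nothing is killed when it is None.
    """
    global tuf_configurations

    if server_process is not None:
        if server_process.returncode is None:
            server_process.kill()

        logger.info('Server terminated.\n')

    # Clear the keystore so keys loaded during the run do not stay loaded.
    keystore.clear_keystore()

    # Deconfigure interposition.  The global is reset so a second cleanup()
    # does not deconfigure the same configurations again.
    if tuf_configurations is not None:
        tuf.interposition.deconfigure(tuf_configurations)
        tuf_configurations = None

    # Removing repository directory.  Removal stays best-effort, but a failure
    # is reported rather than hidden.
    try:
        shutil.rmtree(root_repo)
    except OSError as e:
        logger.warning('Could not remove %r: %s', root_repo, e)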
Ejemplo n.º 7
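def cleanup(root_repo, server_process=None):
  """
  Undo the test setup rooted at 'root_repo'.

  Steps, in order: kill the server process if it has no return code yet,
  clear the keystore, deconfigure interposition if the module-level
  'tuf_configurations' is not None (then reset it to None), and delete the
  'root_repo' tree.

  root_repo: Path of the repository root directory to remove.
  server_process: Optional process object exposing 'returncode' and 'kill()';
    skipped when None.
  """
  global tuf_configurations

  if server_process is not None:
    if server_process.returncode is None:
      server_process.kill()

    logger.info('Server terminated.\n')

  # Clear the keystore.
  keystore.clear_keystore()

  # Deconfigure interposition.
  if tuf_configurations is not None:
    tuf.interposition.deconfigure(tuf_configurations)
    tuf_configurations = None

  # Removing repository directory.  Still best-effort, but the error is
  # logged so a directory that survives cleanup does not go unnoticed.
  try:
    shutil.rmtree(root_repo)
  except OSError as e:
    logger.warning('Could not remove %r: %s', root_repo, e)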
Ejemplo n.º 8
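  def test_2__get_role_config_keyids(self):
    """
    Exercise signercli._get_role_config_keyids() with valid input, wrong key
    passwords, a missing config file and an unknown role.

    The patched signercli._get_password and every temporarily replaced entry
    of self.rsa_passwords are restored even if an assertion fails, so a
    failure here cannot leak a patched prompt or a wrong password into other
    tests.
    """

    # SETUP
    original_get_password = signercli._get_password

    try:
      #  Create temp directory for config file.
      config_dir = self.make_temp_directory()

      #  Build a config file.
      config_filepath = signerlib.build_config_file(config_dir, 365,
                                                    self.top_level_role_info)
      #  Create a temp keystore directory.
      keystore_dir = self.create_temp_keystore_directory()

      #  Patch '_get_password' method.
      self.get_passwords()

      # TESTS
      for role in self.role_list:
        #  Test: normal cases.
        keystore.clear_keystore()
        signercli._get_role_config_keyids(config_filepath, keystore_dir, role)

        #  Test: incorrect passwords.
        keystore.clear_keystore()
        role_keyids = self.top_level_role_info[role]['keyids']
        for keyid in role_keyids:
          saved_pw = self.rsa_passwords[keyid]
          self.rsa_passwords[keyid] = self.random_string()
          try:
            self.assertRaises(tuf.Error, signercli._get_role_config_keyids,
                config_filepath, keystore_dir, role)
          finally:
            #    Restore the password, also when the assertion fails.
            self.rsa_passwords[keyid] = saved_pw

      #  Test: non-existing config file path.
      keystore.clear_keystore()
      self.assertRaises(tuf.Error, signercli._get_role_config_keyids,
          self.random_path(), keystore_dir, 'release')

      #  Test: non-existing role.
      keystore.clear_keystore()
      self.assertRaises(tuf.Error, signercli._get_role_config_keyids,
                        config_filepath, keystore_dir, 'no_such_role')
    finally:
      # RESTORE
      signercli._get_password = original_get_password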
Ejemplo n.º 9
def build_server_repository(server_repository_dir, targets_dir):
  """
  <Purpose>
    'build_server_repository' builds a complete repository based on target
    files provided in the 'targets_dir'.  Delegated roles are included.

  <Arguments>
    server_repository_dir:
      Directory in which the 'metadata' and 'keystore' directories are
      (re)created.

    targets_dir:
      Directory of target files; it is expected to contain
      'delegated_level1/delegated_level2' for the two delegations.

  <Side Effects>
    Any existing 'metadata' and 'keystore' directories under
    'server_repository_dir' are deleted first.  Four signercli functions are
    replaced while the delegations are made and are put back at the end.
    The keystore module's private dictionaries are rebound several times and
    are left empty on return.
  """

  # Save the originals of the functions patched by this function.
  # The patched functions will be restored prior to returning.
  # NOTE(review): the restore at the bottom is not inside a try/finally, so
  # an exception anywhere below leaves signercli patched -- confirm callers
  # can tolerate that.
  original_get_metadata = signercli._get_metadata_directory
  original_prompt = signercli._prompt
  original_get_password = signercli._get_password
  original_get_keyids = signercli._get_keyids
  
  server_metadata_dir = os.path.join(server_repository_dir, 'metadata')
  keystore_dir = os.path.join(server_repository_dir, 'keystore')

  #  Remove 'server_metadata_dir' and 'keystore_dir' if they already exist.
  if os.path.exists(server_metadata_dir):
    shutil.rmtree(server_metadata_dir)
  if os.path.exists(keystore_dir):
    shutil.rmtree(keystore_dir)

  #  Make metadata directory inside server repository dir.
  os.mkdir(server_metadata_dir)

  #  Make a keystore directory inside server's repository and populate it.
  os.mkdir(keystore_dir)
  _create_keystore(keystore_dir)

  #  Build config file.
  build_config = signerlib.build_config_file
  top_level_role_info = unittest_toolbox.Modified_TestCase.top_level_role_info
  config_filepath = build_config(server_repository_dir, 365, top_level_role_info)


  # BUILD ROLE FILES.
  #  'role_keyids' is not assigned in this function; presumably a
  #  module-level mapping of role name to keyids -- confirm.
  #  Build root file.
  signerlib.build_root_file(config_filepath, role_keyids['root'],
                            server_metadata_dir)

  #  Build targets file.
  signerlib.build_targets_file(targets_dir, role_keyids['targets'],
                            server_metadata_dir)

  # MAKE DELEGATIONS.
  #  We will need to patch a few signercli prompts.
  #  Specifically, signercli.make_delegations() asks user input for:
  #  metadata directory, delegated targets directory, parent role,
  #  passwords for parent role's keyids, delegated role's name, and
  #  the keyid to be assigned to the delegated role.  Take a look at
  #  signercli's make_delegation() to gain bit more insight in what is
  #  happening.

  # 'load_keys' is a reference to the 'load_keystore_from_keyfiles' function.
  load_keys = keystore.load_keystore_from_keyfiles

  #  Setup first level delegated role.
  #  The mocks below read these four names when they are called, not when
  #  they are defined, so rebinding them later changes the mocks' answers.
  delegated_level1 = os.path.join(targets_dir, 'delegated_level1')
  delegated_targets_dir = delegated_level1
  parent_role = 'targets'
  delegated_role_name = 'delegated_role1'
  signing_keyids = role_keyids['targets/delegated_role1'] 
  

  #  Patching the 'signercli' prompts.
  
  #  Mock method for signercli._get_metadata_directory().
  def _mock_get_metadata_directory():
    return server_metadata_dir

  #  Mock method for signercli._prompt().
  #  Answers are chosen by matching the prompt text; an unrecognised prompt
  #  ends the process through sys.exit() instead of returning a guess.
  def _mock_prompt(msg, junk):
    if msg.startswith('\nThe directory entered'):
      return delegated_targets_dir
    elif msg.startswith('\nChoose and enter the parent'):
      return parent_role
    elif msg.endswith('\nEnter the delegated role\'s name: '):
      return delegated_role_name
    else:
      error_msg = ('Prompt: '+'\''+msg+'\''+
                   ' did not match any predefined mock prompts.')
      sys.exit(error_msg)
   
  #  Mock method for signercli._get_password().
  #  Returns the fixture password of the keyid named at the end of the
  #  prompt; falls through and returns None when no keyid matches.
  def _mock_get_password(msg):
    for keyid in unittest_toolbox.Modified_TestCase.rsa_keyids:
      if msg.endswith('('+keyid+'): '):
        return unittest_toolbox.Modified_TestCase.rsa_passwords[keyid]


  #  Method to patch signercli._get_keyids()
  #  Loads each current signing key from 'keystore_dir' with its fixture
  #  password, then returns the current 'signing_keyids'.
  def _mock_get_keyids(junk):
    if signing_keyids:
      for keyid in signing_keyids:
        password = unittest_toolbox.Modified_TestCase.rsa_passwords[keyid]
        #  Load the keyfile.
        load_keys(keystore_dir, [keyid], [password])
    return signing_keyids


  #  Patch signercli._get_metadata_directory().
  signercli._get_metadata_directory = _mock_get_metadata_directory
  
  #  Patch signercli._prompt().
  signercli._prompt = _mock_prompt

  #  Patch signercli._get_password().
  signercli._get_password = _mock_get_password

  #  Patch signercli._get_keyids().
  signercli._get_keyids = _mock_get_keyids
 
  #  Clear keystore's dictionaries, by detaching them from unittest_toolbox's
  #  dictionaries.  Rebinding to new dicts (rather than emptying in place)
  #  leaves the unittest_toolbox fixtures untouched.
  keystore._keystore = {}
  keystore._key_passwords = {}

  #  Make first level delegation.
  signercli.make_delegation(keystore_dir)

  #  Setup second level delegated role.
  delegated_level2 =  os.path.join(delegated_level1, 'delegated_level2')
  delegated_targets_dir = delegated_level2
  parent_role = 'targets/delegated_role1'
  delegated_role_name = 'delegated_role2'
  signing_keyids = role_keyids['targets/delegated_role1/delegated_role2']

  #  Clear keystore's dictionaries.
  keystore.clear_keystore()

  #  Make second level delegation.
  signercli.make_delegation(keystore_dir)


  #  Point the keystore back at the unittest_toolbox fixture dictionaries;
  #  presumably so the two signerlib builds below can find the release and
  #  timestamp keys -- confirm.
  keystore._keystore = unittest_toolbox.Modified_TestCase.rsa_keystore
  keystore._key_passwords = unittest_toolbox.Modified_TestCase.rsa_passwords

  #  Build release file.
  signerlib.build_release_file(role_keyids['release'], server_metadata_dir)

  #  Build timestamp file.
  signerlib.build_timestamp_file(role_keyids['timestamp'], server_metadata_dir)

  #  Detach again so no fixture keys remain reachable through the keystore.
  keystore._keystore = {}
  keystore._key_passwords = {}

  # RESTORE
  signercli._get_metadata_directory = original_get_metadata
  signercli._prompt = original_prompt
  signercli._get_password = original_get_password
  signercli._get_keyids = original_get_keyids
Ejemplo n.º 10
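def create_delegation(tuf_repo, delegated_targets_path, keyid, keyid_password,
                      parent_role, new_role_name, expiration_date):
  """
  Create a delegated targets role by running signercli.make_delegation() with
  canned answers in place of its interactive prompts.

  tuf_repo: Repository directory containing 'keystore' and 'metadata'.
  delegated_targets_path: Answer to the delegated-paths prompt.
  keyid: Value returned by the patched _get_keyids(); keyid[0] is the keyid
    whose password prompt is answered with 'keyid_password' (presumably a
    list of keyids -- confirm against callers).
  keyid_password: Password returned for keyid[0].
  parent_role: Answer to the parent-role prompt.
  new_role_name: Answer to the delegated-role-name prompt.
  expiration_date: Answer to the prompt that starts with 'Current time: '.

  The four patched signercli functions are restored and the keystore is
  cleared before returning, including when make_delegation() raises or an
  unexpected prompt triggers sys.exit().
  """
  keystore_dir = os.path.join(tuf_repo, 'keystore')
  metadata_dir = os.path.join(tuf_repo, 'metadata')

  # Saved before any patching so the 'finally' clause can reinstate them.
  original_get_metadata_directory = signercli._get_metadata_directory
  original_prompt = signercli._prompt
  original_get_password = signercli._get_password
  original_get_keyids = signercli._get_keyids

  try:
    #  Patch signercli._get_metadata_directory()
    _get_metadata_directory(metadata_dir)

    #  Mock method for signercli._prompt().  The answers are bound as default
    #  arguments, so they are fixed at definition time.
    def _mock_prompt(msg, junk, targets_path=delegated_targets_path,
                    parent_role=parent_role, new_role_name=new_role_name,
                    expiration=expiration_date):
      if msg.startswith('\nThe paths entered below should be located'):
        return targets_path
      elif msg.startswith('\nChoose and enter the parent'):
        return parent_role
      elif msg.startswith('\nEnter the delegated role\'s name: '):
        return new_role_name
      elif msg.startswith('\nCurrent time: '):
        return expiration
      else:
        # An unknown prompt stops the run instead of getting a guessed answer.
        error_msg = ('Prompt: '+'\''+msg+'\''+
                     ' did not match any predefined mock prompts.')
        sys.exit(error_msg)

    #  Patch signercli._prompt().
    signercli._prompt = _mock_prompt

    #  Mock method for signercli._get_password().
    def _mock_get_password(msg, keyid=keyid, password=keyid_password):
      _keyid = keyid[0]
      if msg.endswith('('+_keyid+'): '):
        return keyid_password
      else:
        return PASSWD  # password for targets' keyid.

    #  Patch signercli._get_password().
    signercli._get_password = _mock_get_password

    #  Method to patch signercli._get_keyids()
    def _mock_get_keyid(junk, keyid=keyid):
      return keyid

    #  Patch signercli._get_keyids().
    signercli._get_keyids = _mock_get_keyid

    signercli.make_delegation(keystore_dir)
  finally:
    # Unload keys and undo every patch, whether or not the delegation worked.
    keystore.clear_keystore()
    signercli._get_keyids = original_get_keyids
    signercli._get_password = original_get_password
    signercli._prompt = original_prompt
    signercli._get_metadata_directory = original_get_metadata_directory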
Ejemplo n.º 11
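  def test_6_sign_metadata_file(self):
    """
    Check signercli.sign_metadata_file(): it must raise tuf.RepositoryError
    when no signing keyids are supplied, and must add a signature by a newly
    generated key to 'targets.txt' in the normal case.

    All four signercli functions patched during the test, including
    '_get_keyids', are restored in a 'finally' clause so a failure cannot
    leave a mock installed for later tests.
    """

    # SETUP
    original_get_metadata_directory = signercli._get_metadata_directory
    original_prompt = signercli._prompt
    original_get_password = signercli._get_password
    #  '_get_keyids' is patched further down, so it has to be saved as well.
    original_get_keyids = signercli._get_keyids

    try:
      #  To test this method, an RSA key will be created with
      #  a password in addition to the existing RSA keys.
      #  Create temp directory for config file.
      config_dir = self.make_temp_directory()

      #  Build a config file.
      config_filepath = signerlib.build_config_file(config_dir, 365,
                                                    self.top_level_role_info)

      #  Create a temp repository and metadata directories.
      repo_dir = self.make_temp_directory()
      meta_dir = self.make_temp_directory(repo_dir)

      #  Create a directory containing target files.
      targets_dir, targets_paths = \
          self.make_temp_directory_with_data_files(directory=repo_dir)

      #  Patch signercli._get_metadata_directory().
      self.mock_get_metadata_directory(directory=meta_dir)

      #  Patch signercli._get_password().  Used in _get_role_config_keyids().
      self.get_passwords()

      #  Create keystore directory.
      keystore_dir = self.create_temp_keystore_directory()

      #  Mock method for signercli._prompt().
      self.make_metadata_mock_prompts(targ_dir=targets_dir,
                                      conf_path=config_filepath)

      #  Create metadata files.  The keystore is cleared after each role so
      #  every step has to load its own keys.
      signercli.make_root_metadata(keystore_dir)
      keystore.clear_keystore()
      signercli.make_targets_metadata(keystore_dir)
      keystore.clear_keystore()
      signercli.make_release_metadata(keystore_dir)
      keystore.clear_keystore()
      signercli.make_timestamp_metadata(keystore_dir)
      keystore.clear_keystore()

      #  Verify if the root, targets, release and timestamp meta files were
      #  created.
      root_meta_filepath = os.path.join(meta_dir, 'root.txt')
      targets_meta_filepath = os.path.join(meta_dir, 'targets.txt')
      release_meta_filepath = os.path.join(meta_dir, 'release.txt')
      timestamp_meta_filepath = os.path.join(meta_dir, 'timestamp.txt')

      self.assertTrue(os.path.exists(root_meta_filepath))
      self.assertTrue(os.path.exists(targets_meta_filepath))
      self.assertTrue(os.path.exists(release_meta_filepath))
      self.assertTrue(os.path.exists(timestamp_meta_filepath))

      #  Create a new RSA key, indicate metadata filename.
      new_keyid = self.generate_rsakey()
      meta_filename = targets_meta_filepath

      #  Create keystore directory.  New key is untouched.
      keystore_dir = self.create_temp_keystore_directory(keystore_dicts=True)

      #  List of keyids to be returned by _get_keyids().  The mock reads this
      #  name when it is called, so rebinding it below changes its answer.
      signing_keyids = []

      #  Method to patch signercli._get_keyids()
      def _mock_get_keyids(junk):
        return signing_keyids

      #  Method to patch signercli._prompt().
      def _mock_prompt(msg, junk):
        return meta_filename

      #  Patch signercli._get_keyids()
      signercli._get_keyids = _mock_get_keyids

      #  Patch signercli._prompt().
      signercli._prompt = _mock_prompt

      # TESTS
      #  Test: no loaded keyids.
      self.assertRaises(tuf.RepositoryError,
                        signercli.sign_metadata_file, keystore_dir)

      #  Load new keyid.
      signing_keyids = [new_keyid]

      #  Test: normal case.
      signercli.sign_metadata_file(keystore_dir)

      #  Verify the change.
      self.assertTrue(os.path.exists(targets_meta_filepath))

      #  Load targets metadata from the file ('targets.txt').
      targets_metadata = tuf.util.load_json_file(targets_meta_filepath)
      keyid_exists = False
      for signature in targets_metadata['signatures']:
        if new_keyid == signature['keyid']:
          keyid_exists = True
          break

      self.assertTrue(keyid_exists)
    finally:
      # RESTORE
      signercli._get_keyids = original_get_keyids
      signercli._get_password = original_get_password
      signercli._prompt = original_prompt
      signercli._get_metadata_directory = original_get_metadata_directory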
Ejemplo n.º 12
def build_server_repository(server_repository_dir, targets_dir):
    """
    <Purpose>
      'build_server_repository' builds a complete repository based on target
      files provided in the 'targets_dir'.  Delegated roles are included.

    <Arguments>
      server_repository_dir:
        Directory in which the 'metadata' and 'keystore' directories are
        (re)created.

      targets_dir:
        Directory of target files; it is expected to contain
        'delegated_level1/delegated_level2' for the two delegations.

    <Side Effects>
      Any existing 'metadata' and 'keystore' directories under
      'server_repository_dir' are deleted first.  Four signercli functions
      are replaced while the delegations are made and are put back at the
      end.  The keystore module's private dictionaries are rebound several
      times and are left empty on return.
    """

    # Save the originals of the functions patched by this function.
    # The patched functions will be restored prior to returning.
    # NOTE(review): the restore at the bottom is not inside a try/finally, so
    # an exception anywhere below leaves signercli patched -- confirm callers
    # can tolerate that.
    original_get_metadata = signercli._get_metadata_directory
    original_prompt = signercli._prompt
    original_get_password = signercli._get_password
    original_get_keyids = signercli._get_keyids

    # The expiration date for created metadata, required by the 'signercli.py'
    # script.  The expiration date is set to 259200 seconds ahead of the current
    # time.  Set all the metadata versions numbers to 1.
    # The text from the last ' UTC' onward is cut off here and ' UTC' is
    # appended again where signerlib is called directly below.
    expiration_date = tuf.formats.format_time(time.time() + 259200)
    expiration_date = expiration_date[0:expiration_date.rfind(' UTC')]
    version = 1

    server_metadata_dir = os.path.join(server_repository_dir, 'metadata')
    keystore_dir = os.path.join(server_repository_dir, 'keystore')

    #  Remove 'server_metadata_dir' and 'keystore_dir' if they already exist.
    if os.path.exists(server_metadata_dir):
        shutil.rmtree(server_metadata_dir)
    if os.path.exists(keystore_dir):
        shutil.rmtree(keystore_dir)

    #  Make metadata directory inside server repository dir.
    os.mkdir(server_metadata_dir)

    #  Make a keystore directory inside server's repository and populate it.
    os.mkdir(keystore_dir)
    _create_keystore(keystore_dir)

    #  Build config file.
    build_config = signerlib.build_config_file
    top_level_role_info = unittest_toolbox.Modified_TestCase.top_level_role_info
    config_filepath = build_config(server_repository_dir, 365,
                                   top_level_role_info)

    # BUILD ROLE FILES.
    #  'role_keyids' is not assigned in this function; presumably a
    #  module-level mapping of role name to keyids -- confirm.
    #  Build root file.
    signerlib.build_root_file(config_filepath, role_keyids['root'],
                              server_metadata_dir, version)

    #  Build targets file.
    signerlib.build_targets_file([targets_dir], role_keyids['targets'],
                                 server_metadata_dir, version,
                                 expiration_date + ' UTC')

    # MAKE DELEGATIONS.
    #  We will need to patch a few signercli prompts.
    #  Specifically, signercli.make_delegations() asks user input for:
    #  metadata directory, delegated targets directory, parent role,
    #  passwords for parent role's keyids, delegated role's name, and
    #  the keyid to be assigned to the delegated role.  Take a look at
    #  signercli's make_delegation() to gain bit more insight in what is
    #  happening.

    # 'load_keys' is a reference to the 'load_keystore_from_keyfiles' function.
    load_keys = keystore.load_keystore_from_keyfiles

    #  Setup first level delegated role.
    #  The mocks below read these four names when they are called, not when
    #  they are defined, so rebinding them later changes the mocks' answers.
    delegated_level1 = os.path.join(targets_dir, 'delegated_level1')
    delegated_targets_dir = delegated_level1
    parent_role = 'targets'
    delegated_role_name = 'delegated_role1'
    signing_keyids = role_keyids['targets/delegated_role1']

    #  Patching the 'signercli' prompts.

    #  Mock method for signercli._get_metadata_directory().
    def _mock_get_metadata_directory():
        return server_metadata_dir

    #  Mock method for signercli._prompt().
    #  Answers are chosen by matching the prompt text; an unrecognised prompt
    #  ends the process through sys.exit() instead of returning a guess.
    def _mock_prompt(msg, junk):
        if msg.startswith('\nThe paths entered'):
            return delegated_targets_dir
        elif msg.startswith('\nChoose and enter the parent'):
            return parent_role
        elif msg.startswith('\nEnter the delegated role\'s name: '):
            return delegated_role_name
        elif msg.startswith('\nCurrent time:'):
            return expiration_date
        else:
            error_msg = ('Prompt: ' + '\'' + msg + '\'' +
                         ' did not match any predefined mock prompts.')
            sys.exit(error_msg)

    #  Mock method for signercli._get_password().
    #  Returns the fixture password of the keyid named at the end of the
    #  prompt; falls through and returns None when no keyid matches.
    def _mock_get_password(msg):
        for keyid in unittest_toolbox.Modified_TestCase.rsa_keyids:
            if msg.endswith('(' + keyid + '): '):
                return unittest_toolbox.Modified_TestCase.rsa_passwords[keyid]

    #  Method to patch signercli._get_keyids()
    #  Loads each current signing key from 'keystore_dir' with its fixture
    #  password, then returns the current 'signing_keyids'.
    def _mock_get_keyids(junk):
        if signing_keyids:
            for keyid in signing_keyids:
                password = unittest_toolbox.Modified_TestCase.rsa_passwords[
                    keyid]
                #  Load the keyfile.
                load_keys(keystore_dir, [keyid], [password])
        return signing_keyids

    #  Patch signercli._get_metadata_directory().
    signercli._get_metadata_directory = _mock_get_metadata_directory

    #  Patch signercli._prompt().
    signercli._prompt = _mock_prompt

    #  Patch signercli._get_password().
    signercli._get_password = _mock_get_password

    #  Patch signercli._get_keyids().
    signercli._get_keyids = _mock_get_keyids

    #  Clear keystore's dictionaries, by detaching them from unittest_toolbox's
    #  dictionaries.  Rebinding to new dicts (rather than emptying in place)
    #  leaves the unittest_toolbox fixtures untouched.
    keystore._keystore = {}
    keystore._derived_keys = {}

    #  Make first level delegation.
    signercli.make_delegation(keystore_dir)

    #  Setup second level delegated role.
    delegated_level2 = os.path.join(delegated_level1, 'delegated_level2')
    delegated_targets_dir = delegated_level2
    parent_role = 'targets/delegated_role1'
    delegated_role_name = 'delegated_role2'
    signing_keyids = role_keyids['targets/delegated_role1/delegated_role2']

    #  Clear keystore's dictionaries.
    keystore.clear_keystore()

    #  Make second level delegation.
    signercli.make_delegation(keystore_dir)

    #  Point the keystore back at the unittest_toolbox fixture dictionaries;
    #  presumably so the two signerlib builds below can find the release and
    #  timestamp keys -- confirm.
    #  NOTE(review): '_derived_keys' is bound to the fixture named
    #  'rsa_passwords'; confirm that dictionary holds what the keystore
    #  expects under '_derived_keys'.
    keystore._keystore = unittest_toolbox.Modified_TestCase.rsa_keystore
    keystore._derived_keys = unittest_toolbox.Modified_TestCase.rsa_passwords

    #  Build release file.
    signerlib.build_release_file(role_keyids['release'], server_metadata_dir,
                                 version, expiration_date + ' UTC')

    #  Build timestamp file.
    signerlib.build_timestamp_file(role_keyids['timestamp'],
                                   server_metadata_dir, version,
                                   expiration_date + ' UTC')

    #  Detach again so no fixture keys remain reachable through the keystore.
    keystore._keystore = {}
    keystore._derived_keys = {}

    # RESTORE
    signercli._get_metadata_directory = original_get_metadata
    signercli._prompt = original_prompt
    signercli._get_password = original_get_password
    signercli._get_keyids = original_get_keyids
Ejemplo n.º 13
  def setUp(self):
    """
    Build a server-side repository with a fixed targets delegation tree and
    record on 'self' the values the tests need.

    The target delegations tree is fixed as such:
      targets -> [T1, T2]
      T1 -> [T3]

    Each call increments the module-level 'version', which is used for the
    release and timestamp metadata written at the end.
    """
    global version
    version = version+1
    # Metadata written below expires 86400 seconds (one day) from now.
    expiration = tuf.formats.format_time(time.time()+86400)

    root_repo, url, server_proc, keyids = util_test_tools.init_repo(tuf=True)

    # Server side repository.
    tuf_repo = os.path.join(root_repo, 'tuf_repo')
    keystore_dir = os.path.join(tuf_repo, 'keystore')
    metadata_dir = os.path.join(tuf_repo, 'metadata')
    targets_dir = os.path.join(tuf_repo, 'targets')

    # We need to provide clients with a way to reach the tuf repository.
    tuf_repo_relpath = os.path.basename(tuf_repo)
    tuf_url = url+tuf_repo_relpath

    # Add files to the server side repository.
    # target1 = 'targets_dir/[random].txt'
    # target2 = 'targets_dir/[random].txt'
    add_target = util_test_tools.add_file_to_repository
    target1_path = add_target(targets_dir, data='target1')
    target2_path = add_target(targets_dir, data='target2')

    # Target paths relative to the 'tuf_repo' directory.
    # Ex: targetX = 'targets/delegator/delegatee.txt'
    target1 = os.path.relpath(target1_path, tuf_repo)
    target2 = os.path.relpath(target2_path, tuf_repo)

    # Both paths, each relative to 'tuf_repo'.
    target_filepaths = [target1, target2]

    # Store in self only the variables relevant for tests.
    self.root_repo = root_repo
    self.tuf_repo = tuf_repo
    self.server_proc = server_proc
    self.target_filepaths = target_filepaths
    # Targets delegated from A to B.
    self.delegated_targets = {}
    # Targets actually signed by B.
    self.signed_targets = {}
    # A single mirror that serves the repository built here.
    self.mirrors = {
      "mirror1": {
        "url_prefix": tuf_url,
        "metadata_path": "metadata",
        "targets_path": "targets",
        "confined_target_dirs": [""]
      }
    }
    # Aliases for targets roles.
    self.T0 = 'targets'
    self.T1 = 'targets/T1'
    self.T2 = 'targets/T2'
    self.T3 = 'targets/T1/T3'

    # Get tracked and assigned targets, and generate targets metadata.
    # make_targets_metadata() is expected to set the four '*_metadata'
    # attributes checked here.  NOTE(review): 'assert' statements are skipped
    # when Python runs with -O, so these checks vanish in that mode.
    self.make_targets_metadata()
    assert hasattr(self, 'T0_metadata')
    assert hasattr(self, 'T1_metadata')
    assert hasattr(self, 'T2_metadata')
    assert hasattr(self, 'T3_metadata')

    # Make delegation directories at the server's repository.
    metadata_targets_dir = os.path.join(metadata_dir, 'targets')
    metadata_T1_dir = os.path.join(metadata_targets_dir, 'T1')
    os.makedirs(metadata_T1_dir)

    # Metadata paths for the 'targets' role and its 3 delegated targets roles.
    T0_path = os.path.join(metadata_dir, 'targets.txt')
    T1_path = os.path.join(metadata_targets_dir, 'T1.txt')
    T2_path = os.path.join(metadata_targets_dir, 'T2.txt')
    T3_path = os.path.join(metadata_T1_dir, 'T3.txt')

    # Generate RSA keys for the 3 delegatees.
    # NOTE(review): the second argument looks like the key's password, set
    # here to the role's short name -- fixture-only values; confirm against
    # signerlib.generate_and_save_rsa_key().
    key1 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T1')
    key2 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T2')
    key3 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T3')

    # ID for each of the 3 keys.
    key1_id = key1['keyid']
    key2_id = key2['keyid']
    key3_id = key3['keyid']

    # ID, in a list, for each of the 3 keys.
    key1_ids = [key1_id]
    key2_ids = [key2_id]
    key3_ids = [key3_id]

    # Public-key JSON for each of the 3 keys.
    key1_val = tuf.rsa_key.create_in_metadata_format(key1['keyval'])
    key2_val = tuf.rsa_key.create_in_metadata_format(key2['keyval'])
    key3_val = tuf.rsa_key.create_in_metadata_format(key3['keyval'])

    # Create delegation role metadata for each of the 3 delegated targets roles.
    # Each role lists exactly one keyid; the literal 1 passed next is
    # presumably the signature threshold -- confirm.
    make_role_metadata = tuf.formats.make_role_metadata

    T1_targets = self.relpath_from_targets(self.delegated_targets[self.T1])
    T1_role = make_role_metadata(key1_ids, 1, name=self.T1, paths=T1_targets)

    T2_targets = self.relpath_from_targets(self.delegated_targets[self.T2])
    T2_role = make_role_metadata(key2_ids, 1, name=self.T2, paths=T2_targets)

    T3_targets = self.relpath_from_targets(self.delegated_targets[self.T3])
    T3_role = make_role_metadata(key3_ids, 1, name=self.T3, paths=T3_targets)

    # Assign 'delegations' object for 'targets':
    self.T0_metadata['signed']['delegations'] = {
      'keys': {key1_id: key1_val, key2_id: key2_val},
      'roles': [T1_role, T2_role]
    }

    # Assign 'delegations' object for 'targets/T1':
    self.T1_metadata['signed']['delegations'] = {
      'keys': {key3_id: key3_val},
      'roles': [T3_role]
    }

    sign = signerlib.sign_metadata
    write = signerlib.write_metadata_file

    # Sign new metadata objects.  'targets' is signed with the keyids returned
    # by init_repo(); each delegated role is signed with its own new key.
    T0_signable = sign(self.T0_metadata, keyids, T0_path)
    T1_signable = sign(self.T1_metadata, key1_ids, T1_path)
    T2_signable = sign(self.T2_metadata, key2_ids, T2_path)
    T3_signable = sign(self.T3_metadata, key3_ids, T3_path)
    # Save new metadata objects.
    write(T0_signable, T0_path)
    write(T1_signable, T1_path)
    write(T2_signable, T2_path)
    write(T3_signable, T3_path)

    # Timestamp a new release to reflect latest targets.
    signerlib.build_release_file(keyids, metadata_dir, version, expiration)
    signerlib.build_timestamp_file(keyids, metadata_dir, version, expiration)

    # Unload all keys.
    keystore.clear_keystore()
Ejemplo n.º 14
def build_server_repository(server_repository_dir, targets_dir):
  """
  Build a signed server repository with a two-level targets delegation.

  Creates 'metadata' and 'keystore' directories under
  'server_repository_dir', builds the config file and the root, targets,
  release and timestamp role files, then calls signercli.make_delegation()
  twice while signercli's interactive helpers are replaced by local mocks.

  Arguments:
    server_repository_dir: directory in which 'metadata' and 'keystore' are
      created with os.mkdir(), which raises if either already exists.
    targets_dir: directory passed to signerlib.build_targets_file();
      'delegated_level1' and 'delegated_level1/delegated_level2' beneath it
      are the answers given for the delegated targets directory prompt.

  NOTE(review): signercli._get_metadata_directory, _prompt, _get_password
  and _get_keyids are replaced below and are not restored by this function,
  so the mock password and keyid providers stay installed after it returns.
  Confirm that callers expect this, or save and restore the originals.
  """

  #  Make the metadata directory inside the server repository dir.
  server_metadata_dir = os.path.join(server_repository_dir, 'metadata')
  os.mkdir(server_metadata_dir)


  #  Make a keystore directory inside server's repository and populate it.
  keystore_dir = os.path.join(server_repository_dir, 'keystore')
  os.mkdir(keystore_dir)
  create_keystore(keystore_dir)


  #  Build config file.
  #  NOTE(review): 365 is presumably the expiration in days -- confirm
  #  against signerlib.build_config_file().
  build_config = signerlib.build_config_file
  config_filepath = build_config(server_repository_dir, 365,
                                 TestCase_Tools.top_level_role_info)


  #  Role:keyids dictionary, taken from TestCase_Tools.semi_roledict.
  role_keyids = {}
  for role in TestCase_Tools.semi_roledict.keys():
    role_keyids[role] = TestCase_Tools.semi_roledict[role]['keyids']



  # BUILD ROLE FILES.
  #  Build root file.
  signerlib.build_root_file(config_filepath, role_keyids['root'],
                            server_metadata_dir)

  #  Build targets file.
  signerlib.build_targets_file(targets_dir, role_keyids['targets'],
                            server_metadata_dir)

  #  Build release file.
  signerlib.build_release_file(role_keyids['release'], server_metadata_dir)

  #  Build timestamp file.
  signerlib.build_timestamp_file(role_keyids['timestamp'], server_metadata_dir)



  # MAKE DELEGATIONS.
  #  We will need to patch a few signercli prompts.
  #  Specifically, signercli.make_delegation() asks for user input for:
  #  metadata directory, delegated targets directory, parent role,
  #  passwords for parent role's keyids, delegated role's name, and
  #  the keyid to be assigned to the delegated role.  Take a look at
  #  signercli's make_delegation() to gain a bit more insight into what is
  #  happening.

  # 'load_keys' is an alias for keystore.load_keystore_from_keyfiles().
  load_keys = keystore.load_keystore_from_keyfiles

  #  Set up the first level delegated role.  The mocks below read these
  #  names from the enclosing scope each time they are called, so rebinding
  #  them later changes the answers given to the second make_delegation().
  delegated_level1 = os.path.join(targets_dir, 'delegated_level1')
  delegated_targets_dir = delegated_level1
  parent_role = 'targets'
  delegated_role_name = 'delegated_role1'
  signing_keyids = role_keyids['targets/delegated_role1'] 
  

  #  Patching the prompts.
  
  #  Mock method for signercli._get_metadata_directory().
  def _mock_get_metadata_directory():
    return server_metadata_dir

  #  Mock method for signercli._prompt().  The answer is chosen by matching
  #  the prompt text; an unrecognised prompt ends the process via sys.exit()
  #  rather than returning a guessed answer.
  def _mock_prompt(msg, junk):
    if msg.startswith('\nNOTE: The directory entered'):
      return delegated_targets_dir
    elif msg.startswith('\nChoose and enter the parent'):
      return parent_role
    elif msg.endswith('\nEnter the delegated role\'s name: '):
      return delegated_role_name
    else:
      error_msg = ('Prompt: '+'\''+msg+'\''+
                   ' did not match any predefined mock prompts.')
      sys.exit(error_msg)
   
  #  Mock method for signercli._get_password().  Returns the fixture
  #  password of the keyid named at the end of the prompt.  If no keyid in
  #  TestCase_Tools.rsa_keyids matches, the loop falls through and the
  #  function returns None implicitly.
  def _mock_get_password(msg):
    for keyid in TestCase_Tools.rsa_keyids:
      if msg.endswith('('+keyid+'): '):
        return TestCase_Tools.rsa_passwords[keyid]


  #  Method to patch signercli._get_keyids().  Loads each signing key into
  #  the keystore with its fixture password, then returns the keyid list.
  def _mock_get_keyids(junk):
    if signing_keyids:
      for keyid in signing_keyids:
        password = TestCase_Tools.rsa_passwords[keyid]
        #  Load the keyfile.
        load_keys(keystore_dir, [keyid], [password])
    return signing_keyids


  #  Patch signercli._get_metadata_directory().
  signercli._get_metadata_directory = _mock_get_metadata_directory
  
  #  Patch signercli._prompt().
  signercli._prompt = _mock_prompt

  #  Patch signercli._get_password().
  signercli._get_password = _mock_get_password

  #  Patch signercli._get_keyids().
  signercli._get_keyids = _mock_get_keyids

 
  #  Clear keystore's dictionaries by rebinding them to fresh dicts, which
  #  detaches them from unittest_toolbox's dictionaries instead of emptying
  #  objects that may be shared with it.
  keystore._keystore = {}
  keystore._key_passwords = {}

  #  Make first level delegation.
  signercli.make_delegation(keystore_dir)


  #  Set up the second level delegated role.
  delegated_level2 =  os.path.join(delegated_level1, 'delegated_level2')
  delegated_targets_dir = delegated_level2
  parent_role = 'targets/delegated_role1'
  delegated_role_name = 'delegated_role2'
  signing_keyids = role_keyids['targets/delegated_role1/delegated_role2']

  #  Clear keystore's dictionaries.
  keystore.clear_keystore()

  #  Make second level delegation.
  signercli.make_delegation(keystore_dir)
Ejemplo n.º 15
    def setUp(self):
        """
        Build a TUF repository with a fixed targets delegation tree.

        The target delegations tree is fixed as such:
          targets -> [T1, T2]
          T1 -> [T3]

        Increments the module-level 'version' counter, starts a repository
        through util_test_tools.init_repo(), generates one RSA key per
        delegated role, then signs and writes the targets, T1, T2 and T3
        metadata followed by new release and timestamp files.
        """
        # 'version' is shared module state; every setUp() bumps it.
        global version
        version = version + 1
        # Expiration is set 86400 seconds (one day) from now.
        expiration = tuf.formats.format_time(time.time() + 86400)

        root_repo, url, server_proc, keyids = util_test_tools.init_repo(
            tuf=True)

        # Server side repository.
        tuf_repo = os.path.join(root_repo, 'tuf_repo')
        keystore_dir = os.path.join(tuf_repo, 'keystore')
        metadata_dir = os.path.join(tuf_repo, 'metadata')
        targets_dir = os.path.join(tuf_repo, 'targets')

        # We need to provide clients with a way to reach the tuf repository.
        tuf_repo_relpath = os.path.basename(tuf_repo)
        tuf_url = url + tuf_repo_relpath

        # Add files to the server side repository.
        # target1 = 'targets_dir/[random].txt'
        # target2 = 'targets_dir/[random].txt'
        add_target = util_test_tools.add_file_to_repository
        target1_path = add_target(targets_dir, data='target1')
        target2_path = add_target(targets_dir, data='target2')

        # Target paths relative to the repository root ('tuf_repo'), so they
        # keep their leading 'targets/' component.
        # Ex: targetX = 'targets/delegator/delegatee.txt'
        target1 = os.path.relpath(target1_path, tuf_repo)
        target2 = os.path.relpath(target2_path, tuf_repo)

        # Both paths are relative to 'tuf_repo' (see above).
        target_filepaths = [target1, target2]

        # Store in self only the variables relevant for tests.
        self.root_repo = root_repo
        self.tuf_repo = tuf_repo
        self.server_proc = server_proc
        self.target_filepaths = target_filepaths
        # Targets delegated from A to B.
        self.delegated_targets = {}
        # Targets actually signed by B.
        self.signed_targets = {}
        # Single mirror pointing at the repository URL built above.
        self.mirrors = {
            "mirror1": {
                "url_prefix": tuf_url,
                "metadata_path": "metadata",
                "targets_path": "targets",
                "confined_target_dirs": [""]
            }
        }
        # Aliases for targets roles.
        self.T0 = 'targets'
        self.T1 = 'targets/T1'
        self.T2 = 'targets/T2'
        self.T3 = 'targets/T1/T3'

        # Get tracked and assigned targets, and generate targets metadata.
        # make_targets_metadata() is defined outside this method; it is
        # expected to set the four *_metadata attributes checked below.
        # NOTE(review): these are plain 'assert' statements, which are
        # skipped when Python runs with -O.
        self.make_targets_metadata()
        assert hasattr(self, 'T0_metadata')
        assert hasattr(self, 'T1_metadata')
        assert hasattr(self, 'T2_metadata')
        assert hasattr(self, 'T3_metadata')

        # Make delegation directories at the server's repository.
        metadata_targets_dir = os.path.join(metadata_dir, 'targets')
        metadata_T1_dir = os.path.join(metadata_targets_dir, 'T1')
        os.makedirs(metadata_T1_dir)

        # Metadata paths for 'targets' and the 3 delegated targets roles.
        T0_path = os.path.join(metadata_dir, 'targets.txt')
        T1_path = os.path.join(metadata_targets_dir, 'T1.txt')
        T2_path = os.path.join(metadata_targets_dir, 'T2.txt')
        T3_path = os.path.join(metadata_T1_dir, 'T3.txt')

        # Generate RSA keys for the 3 delegatees.
        key1 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T1')
        key2 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T2')
        key3 = signerlib.generate_and_save_rsa_key(keystore_dir, 'T3')

        # ID for each of the 3 keys.
        key1_id = key1['keyid']
        key2_id = key2['keyid']
        key3_id = key3['keyid']

        # ID, in a list, for each of the 3 keys.
        key1_ids = [key1_id]
        key2_ids = [key2_id]
        key3_ids = [key3_id]

        # Public-key JSON for each of the 3 keys.
        key1_val = tuf.rsa_key.create_in_metadata_format(key1['keyval'])
        key2_val = tuf.rsa_key.create_in_metadata_format(key2['keyval'])
        key3_val = tuf.rsa_key.create_in_metadata_format(key3['keyval'])

        # Create delegation role metadata for each of the 3 delegated targets
        # roles.  Each role lists exactly one keyid; the second positional
        # argument is 1 (presumably the signature threshold -- confirm
        # against tuf.formats.make_role_metadata).
        make_role_metadata = tuf.formats.make_role_metadata

        T1_targets = self.relpath_from_targets(self.delegated_targets[self.T1])
        T1_role = make_role_metadata(key1_ids,
                                     1,
                                     name=self.T1,
                                     paths=T1_targets)

        T2_targets = self.relpath_from_targets(self.delegated_targets[self.T2])
        T2_role = make_role_metadata(key2_ids,
                                     1,
                                     name=self.T2,
                                     paths=T2_targets)

        T3_targets = self.relpath_from_targets(self.delegated_targets[self.T3])
        T3_role = make_role_metadata(key3_ids,
                                     1,
                                     name=self.T3,
                                     paths=T3_targets)

        # Assign 'delegations' object for 'targets':
        self.T0_metadata['signed']['delegations'] = {
            'keys': {
                key1_id: key1_val,
                key2_id: key2_val
            },
            'roles': [T1_role, T2_role]
        }

        # Assign 'delegations' object for 'targets/T1':
        self.T1_metadata['signed']['delegations'] = {
            'keys': {
                key3_id: key3_val
            },
            'roles': [T3_role]
        }

        sign = signerlib.sign_metadata
        write = signerlib.write_metadata_file

        # Sign new metadata objects.  'targets' is signed with the keyids
        # returned by init_repo(); each delegated role with its own new key.
        T0_signable = sign(self.T0_metadata, keyids, T0_path)
        T1_signable = sign(self.T1_metadata, key1_ids, T1_path)
        T2_signable = sign(self.T2_metadata, key2_ids, T2_path)
        T3_signable = sign(self.T3_metadata, key3_ids, T3_path)
        # Save new metadata objects.
        write(T0_signable, T0_path)
        write(T1_signable, T1_path)
        write(T2_signable, T2_path)
        write(T3_signable, T3_path)

        # Timestamp a new release to reflect latest targets.
        signerlib.build_release_file(keyids, metadata_dir, version, expiration)
        signerlib.build_timestamp_file(keyids, metadata_dir, version,
                                       expiration)

        # Unload all keys so no signing key stays loaded in the keystore
        # once the fixture is built.
        keystore.clear_keystore()
Ejemplo n.º 16
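def create_delegation(tuf_repo, delegated_targets_path, keyid, keyid_password,
                      parent_role, new_role_name, expiration_date):
    """
    Create a delegated targets role by driving signercli.make_delegation().

    signercli's interactive helpers are replaced by mocks that answer from
    the arguments below.  The originals are restored and the keystore is
    cleared in a 'finally' block, so a failure inside make_delegation()
    (including the sys.exit() raised for an unexpected prompt) cannot leave
    the mock password and keyid providers installed in signercli.

    Arguments:
      tuf_repo: repository root; 'keystore' and 'metadata' are read from it.
      delegated_targets_path: answer to the delegated targets path prompt.
      keyid: list of keyids returned by the mocked _get_keyids(); its first
        element is matched against password prompts.
      keyid_password: password returned when a prompt names 'keyid[0]'.
      parent_role: answer to the parent role prompt.
      new_role_name: answer to the delegated role name prompt.
      expiration_date: answer to the prompt starting with 'Current time: '.
    """
    keystore_dir = os.path.join(tuf_repo, 'keystore')
    metadata_dir = os.path.join(tuf_repo, 'metadata')

    #  Save the real helpers before anything is replaced.
    original_get_metadata_directory = signercli._get_metadata_directory
    original_prompt = signercli._prompt
    original_get_password = signercli._get_password
    original_get_keyids = signercli._get_keyids

    #  Mock method for signercli._prompt().  Values are bound as defaults,
    #  so the answers are fixed at definition time.
    def _mock_prompt(msg,
                     junk,
                     targets_path=delegated_targets_path,
                     parent_role=parent_role,
                     new_role_name=new_role_name,
                     expiration=expiration_date):
        if msg.startswith('\nThe paths entered below should be located'):
            return targets_path
        elif msg.startswith('\nChoose and enter the parent'):
            return parent_role
        elif msg.startswith('\nEnter the delegated role\'s name: '):
            return new_role_name
        elif msg.startswith('\nCurrent time: '):
            return expiration
        else:
            #  Fail loudly instead of answering a prompt nobody planned for.
            error_msg = ('Prompt: ' + '\'' + msg + '\'' +
                         ' did not match any predefined mock prompts.')
            sys.exit(error_msg)

    #  Mock method for signercli._get_password().
    def _mock_get_password(msg, keyid=keyid, password=keyid_password):
        _keyid = keyid[0]
        if msg.endswith('(' + _keyid + '): '):
            return keyid_password
        else:
            return PASSWD  # password for targets' keyid.

    #  Method to patch signercli._get_keyids()
    def _mock_get_keyid(junk, keyid=keyid):
        return keyid

    try:
        #  Patch signercli._get_metadata_directory()
        _get_metadata_directory(metadata_dir)

        #  Patch signercli._prompt().
        signercli._prompt = _mock_prompt

        #  Patch signercli._get_password().
        signercli._get_password = _mock_get_password

        #  Patch signercli._get_keyids().
        signercli._get_keyids = _mock_get_keyid

        signercli.make_delegation(keystore_dir)
    finally:
        #  Unload keys and put the real helpers back even when the
        #  delegation fails part-way.
        keystore.clear_keystore()
        signercli._get_keyids = original_get_keyids
        signercli._get_password = original_get_password
        signercli._prompt = original_prompt
        signercli._get_metadata_directory = original_get_metadata_directory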
Ejemplo n.º 17
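  def test_7_make_delegation(self):
    """
    Exercise signercli.make_delegation() through failure and success paths.

    Covers an unknown parent role, wrong passwords for the parent's keyids,
    an empty list of delegated keyids, first and second level delegations,
    and a delegation with two keyids whose threshold must be 2.

    signercli's interactive helpers (_get_metadata_directory, _prompt,
    _get_password, _get_keyids) are replaced by mocks for the duration of
    the test.  All four are restored in a 'finally' block, so a failing
    assertion cannot leave the mock password and keyid providers installed
    for the tests that run afterwards.
    """

    # SETUP
    #  Save every signercli attribute this test replaces, _get_keyids
    #  included, so each of them can be put back at the end.
    original_get_metadata_directory = signercli._get_metadata_directory
    original_prompt = signercli._prompt
    original_get_password = signercli._get_password
    original_get_keyids = signercli._get_keyids

    try:
      #  Create a temp repository and metadata directories.
      repo_dir = self.make_temp_directory()
      meta_dir = self.make_temp_directory(directory=repo_dir)

      #  Create targets directories.
      targets_dir, targets_paths =\
          self.make_temp_directory_with_data_files(directory=repo_dir)
      delegated_targets_dir = os.path.join(targets_dir,'targets',
                                           'delegated_level1')

      #  Assign parent role and name of the delegated role.  The mocks
      #  defined below read these names at call time, so rebinding them
      #  between test cases changes the answers they give.
      parent_role = 'targets'
      delegated_role = 'delegated_role_1'

      #  Create couple new RSA keys for delegation levels 1 and 2.
      new_keyid_1 = self.generate_rsakey()
      new_keyid_2 = self.generate_rsakey()

      #  Create temp directory for config file.
      config_dir = self.make_temp_directory()

      #  Build a config file.
      config_filepath = signerlib.build_config_file(config_dir, 365,
                                                    self.top_level_role_info)

      #  Patch signercli._get_metadata_directory().
      self.mock_get_metadata_directory(directory=meta_dir)

      #  Patch signercli._get_password().  Get passwords for parent's keyids.
      self.get_passwords()

      #  Create keystore directory.
      keystore_dir = self.create_temp_keystore_directory()

      #  Mock method for signercli._prompt() to generate targets.txt file.
      self.make_metadata_mock_prompts(targ_dir=targets_dir,
                                      conf_path=config_filepath)

      #  List of keyids to be returned by _get_keyids()
      signing_keyids = [new_keyid_1]

      #  Load keystore.
      load_keystore = keystore.load_keystore_from_keyfiles

      #  Build the root metadata file (root.txt).
      signercli.make_root_metadata(keystore_dir)

      #  Build targets metadata file (targets.txt).
      signercli.make_targets_metadata(keystore_dir)

      #  Clear keystore's dictionaries.
      keystore.clear_keystore()

      #  Mock method for signercli._prompt().  An unrecognised prompt fails
      #  the test instead of receiving a guessed answer.
      def _mock_prompt(msg, junk):
        if msg.startswith('\nThe directory entered'):
          return delegated_targets_dir
        elif msg.startswith('\nChoose and enter the parent'):
          return parent_role
        elif msg.endswith('\nEnter the delegated role\'s name: '):
          return delegated_role
        else:
          error_msg = ('Prompt: '+'\''+msg+'\''+
                       ' did not match any predefined mock prompts.')
          self.fail(error_msg)

      #  Mock method for signercli._get_password().  Returns None
      #  implicitly when the prompt names no keyid in 'self.rsa_keyids'.
      def _mock_get_password(msg):
        for keyid in self.rsa_keyids:
          if msg.endswith('('+keyid+'): '):
            return self.rsa_passwords[keyid]

      #  Method to patch signercli._get_keyids()
      def _mock_get_keyids(junk):
        if signing_keyids:
          for keyid in signing_keyids:
            password = self.rsa_passwords[keyid]
            #  Load the keyfile.
            load_keystore(keystore_dir, [keyid], [password])
        return signing_keyids

      #  Patch signercli._prompt().
      signercli._prompt = _mock_prompt

      #  Patch signercli._get_password().
      signercli._get_password = _mock_get_password

      #  Patch signercli._get_keyids().
      signercli._get_keyids = _mock_get_keyids


      # TESTS
      #  Test: invalid parent role.
      #  Assign a non-existing parent role.
      parent_role = self.random_string()
      self.assertRaises(tuf.RepositoryError, signercli.make_delegation,
                        keystore_dir)

      #  Restore parent role.
      parent_role = 'targets'

      #  Test: invalid password(s) for parent's keyids.
      keystore.clear_keystore()
      parent_keyids = self.top_level_role_info[parent_role]['keyids']
      for keyid in parent_keyids:
        saved_pw = self.rsa_passwords[keyid]
        self.rsa_passwords[keyid] = self.random_string()
        try:
          self.assertRaises(tuf.RepositoryError, signercli.make_delegation,
                            keystore_dir)
        finally:
          #  Put the real password back even if the assertion fails, so the
          #  fixture password table is not left corrupted.
          self.rsa_passwords[keyid] = saved_pw

      #  Test: delegated_keyids == 0.
      keystore.clear_keystore()

      #  Load 0 keyids (== 0).
      signing_keyids = []
      self.assertRaises(tuf.RepositoryError, signercli.make_delegation,
                        keystore_dir)
      keystore.clear_keystore()

      #  Restore signing_keyids (== 1).
      signing_keyids = [new_keyid_1]

      #  Test: normal case 1.
      #  Testing first level delegation.
      signercli.make_delegation(keystore_dir)

      #  Verify delegated metadata file exists.
      delegated_meta_file = os.path.join(meta_dir, parent_role,
                                         delegated_role+'.txt')
      self.assertTrue(os.path.exists(delegated_meta_file))

      #  Test: normal case 2.
      #  Testing second level delegation.
      keystore.clear_keystore()

      #  Make necessary adjustments for the test.
      #  NOTE(review): the parent role name is built with os.path.join(),
      #  so its separator follows the platform; role names elsewhere in
      #  this test are joined with '/'.
      signing_keyids = [new_keyid_2]
      delegated_targets_dir = os.path.join(delegated_targets_dir,
                                           'delegated_level2')
      parent_role = os.path.join(parent_role, delegated_role)
      delegated_role = 'delegated_role_2'

      signercli.make_delegation(keystore_dir)

      #  Verify delegated metadata file exists.
      delegated_meta_file = os.path.join(meta_dir, parent_role,
                                         delegated_role+'.txt')
      self.assertTrue(os.path.exists(delegated_meta_file))

      # Test: normal case 3.
      #  Testing delegated_keyids > 1.
      #  Ensure make_delegation() sets 'threshold' = 2 for the delegated role.
      keystore.clear_keystore()

      #  Populate 'signing_keyids' with multiple keys, so the
      #  delegated metadata is set to a threshold > 1.
      signing_keyids = [new_keyid_1, new_keyid_2]
      parent_role = 'targets'
      delegated_role = 'delegated_role_1'

      signercli.make_delegation(keystore_dir)

      #  Verify delegated metadata file exists.
      delegated_meta_file = os.path.join(meta_dir, parent_role,
                                         delegated_role+'.txt')
      self.assertTrue(os.path.exists(delegated_meta_file))

      #  Verify the threshold value of the delegated metadata file
      #  by inspecting the parent role's 'delegations' field.
      parent_role_file = os.path.join(meta_dir, parent_role+'.txt')
      signable = signerlib.read_metadata_file(parent_role_file)
      delegated_rolename = parent_role+'/'+delegated_role
      threshold = signable['signed']['delegations']['roles']\
                          [delegated_rolename]['threshold']
      #  assertEqual reports the actual threshold when the check fails.
      self.assertEqual(threshold, 2)
    finally:
      # RESTORE
      signercli._get_keyids = original_get_keyids
      signercli._get_password = original_get_password
      signercli._prompt = original_prompt
      signercli._get_metadata_directory = original_get_metadata_directory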
Ejemplo n.º 18
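  def test_2__get_all_config_keyids(self):
    """
    Check signercli._get_all_config_keyids() against bad and good input.

    Covers a wrong key password, a config file missing the 'targets' role,
    a non-existing config path, and the normal case.

    The test temporarily alters shared fixtures ('self.rsa_passwords' and
    'self.top_level_role_info') and replaces signercli._get_password.  Each
    alteration is undone in a 'finally' block so that a failing assertion
    cannot leave a random password, a missing role, or the mock password
    provider behind for later tests.
    """

    # SETUP
    original_get_password = signercli._get_password

    try:
      #  Create temp directory for config file.
      config_dir = self.make_temp_directory()

      #  Build the config file needed by '_get_all_config_keyids'.
      config_filepath = signerlib.build_config_file(config_dir, 365,
                                                    self.top_level_role_info)

      #  Create a temp keystore directory.
      keystore_dir = self.create_temp_keystore_directory()

      #  'sample_keyid' is the key whose password is made wrong below.
      sample_keyid = self.rsa_keyids[0]

      #  Patch signercli._get_password()
      self.get_passwords()


      # TESTS
      #  Test: an incorrect password.
      saved_pw = self.rsa_passwords[sample_keyid]
      self.rsa_passwords[sample_keyid] = self.random_string()
      try:
        self.assertRaises(tuf.Error, signercli._get_all_config_keyids,
                          config_filepath, keystore_dir)
      finally:
        #  Restore the password.
        self.rsa_passwords[sample_keyid] = saved_pw

      #  Test: missing top-level role in the config file.
      #    Clear keystore's dictionaries.
      keystore.clear_keystore()

      #    Remove a role from 'top_level_role_info' which is used to
      #    construct config file.
      targets_holder = self.top_level_role_info['targets']
      del self.top_level_role_info['targets']
      try:
        #    Build config file without 'targets' role.
        config_filepath = signerlib.build_config_file(config_dir, 365,
                                                      self.top_level_role_info)
        self.assertRaises(tuf.Error, signercli._get_all_config_keyids,
                          config_filepath, keystore_dir)
      finally:
        #    Put the 'targets' role back into 'top_level_role_info'.
        self.top_level_role_info['targets'] = targets_holder

      #    Rebuild config file with the complete role info.
      config_filepath = signerlib.build_config_file(config_dir, 365,
                                                    self.top_level_role_info)

      #  Test: non-existing config file path.
      keystore.clear_keystore()
      self.assertRaises(tuf.Error, signercli._get_all_config_keyids,
                        self.random_path(), keystore_dir)

      #  Test: normal case.
      keystore.clear_keystore()
      signercli._get_all_config_keyids(config_filepath, keystore_dir)
    finally:
      # RESTORE
      signercli._get_password = original_get_password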
Ejemplo n.º 19
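  def test_4_make_release_metadata(self):
    """
    Check signercli.make_release_metadata() preconditions and output.

    Covers a missing root.txt, a missing targets.txt, the normal case, a
    non-existing config path, and wrong passwords for the 'release' keyids.

    signercli._get_metadata_directory, _prompt and _get_password are
    replaced during the test and restored in a 'finally' block, so a
    failing assertion cannot leave the mock prompt and password providers
    installed for later tests.
    """

    # SETUP
    original_get_metadata_directory = signercli._get_metadata_directory
    original_prompt = signercli._prompt
    original_get_password = signercli._get_password

    try:
      #  In order to build release metadata file (release.txt),
      #  root and targets metadata files (root.txt, targets.txt)
      #  must exist in the metadata directory.
      #  Create temp directory for config file.
      config_dir = self.make_temp_directory()

      #  Build a config file.
      config_filepath = signerlib.build_config_file(config_dir, 365,
                                                    self.top_level_role_info)

      #  Create a temp repository and metadata directories.
      repo_dir = self.make_temp_directory()
      meta_dir = self.make_temp_directory(repo_dir)

      #  Create a directory containing target files.
      targets_dir, targets_paths = \
          self.make_temp_directory_with_data_files(directory=repo_dir)

      #  Patch signercli._get_metadata_directory().
      self.mock_get_metadata_directory(directory=meta_dir)

      #  Patch signercli._get_password().  Used in _get_role_config_keyids().
      self.get_passwords()

      #  Create keystore directory.
      keystore_dir = self.create_temp_keystore_directory()

      #  Mock method for signercli._prompt().
      self.make_metadata_mock_prompts(targ_dir=targets_dir,
                                      conf_path=config_filepath)


      # TESTS
      #  Test: no root.txt in the metadata dir.
      signercli.make_targets_metadata(keystore_dir)

      #  Verify that 'tuf.RepositoryError' is raised due to a missing
      #  root.txt.
      keystore.clear_keystore()
      self.assertTrue(os.path.exists(os.path.join(meta_dir, 'targets.txt')))
      self.assertRaises(tuf.RepositoryError, signercli.make_release_metadata,
                        keystore_dir)
      os.remove(os.path.join(meta_dir,'targets.txt'))
      keystore.clear_keystore()

      #  Test: no targets.txt in the metadatadir.
      signercli.make_root_metadata(keystore_dir)
      keystore.clear_keystore()

      #  Verify that 'tuf.RepositoryError' is raised due to a missing
      #  targets.txt.
      self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))
      self.assertRaises(tuf.RepositoryError, signercli.make_release_metadata,
                        keystore_dir)
      os.remove(os.path.join(meta_dir,'root.txt'))
      keystore.clear_keystore()

      #  Test: normal case.  The keystore is cleared after every step so
      #  each role has to load its own keys.
      signercli.make_root_metadata(keystore_dir)
      keystore.clear_keystore()
      signercli.make_targets_metadata(keystore_dir)
      keystore.clear_keystore()
      signercli.make_release_metadata(keystore_dir)
      keystore.clear_keystore()

      #  Verify if the root, targets and release meta files were created.
      self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))
      self.assertTrue(os.path.exists(os.path.join(meta_dir, 'targets.txt')))
      self.assertTrue(os.path.exists(os.path.join(meta_dir, 'release.txt')))

      #  Test: invalid config path.
      #  Supply a non-existing config file path.
      self.make_metadata_mock_prompts(targ_dir=targets_dir,
          conf_path=self.random_path())
      self.assertRaises(tuf.RepositoryError, signercli.make_release_metadata,
          keystore_dir)

      #  Restore the config file path.
      self.make_metadata_mock_prompts(targ_dir=targets_dir,
          conf_path=config_filepath)

      #  Test: incorrect 'release' passwords.
      #  Clear keystore's dictionaries.
      keystore.clear_keystore()
      keyids = self.top_level_role_info['release']['keyids']
      for keyid in keyids:
        saved_pw = self.rsa_passwords[keyid]
        self.rsa_passwords[keyid] = self.random_string()
        try:
          self.assertRaises(tuf.RepositoryError,
              signercli.make_release_metadata, keystore_dir)
        finally:
          #  Put the real password back even if the assertion fails.
          self.rsa_passwords[keyid] = saved_pw
    finally:
      # RESTORE
      signercli._get_password = original_get_password
      signercli._prompt = original_prompt
      signercli._get_metadata_directory = original_get_metadata_directory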
Ejemplo n.º 20
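  def test_3_make_root_metadata(self):
    """
    Check signercli.make_root_metadata() with valid and invalid input.

    Covers the normal case, a non-existing config path, and wrong passwords
    for the 'root' keyids.

    signercli._get_metadata_directory, _prompt and _get_password are
    replaced during the test and restored in a 'finally' block, so a
    failing assertion cannot leave the mock prompt and password providers
    installed for later tests.
    """

    # SETUP
    original_get_metadata_directory = signercli._get_metadata_directory
    original_prompt = signercli._prompt
    original_get_password = signercli._get_password

    try:
      #  Create temp directory for config file.
      config_dir = self.make_temp_directory()

      #  Build a config file.
      config_filepath = signerlib.build_config_file(config_dir, 365,
          self.top_level_role_info)

      #  Create a temp metadata directory.
      meta_dir = self.make_temp_directory()

      #  Patch signercli._get_metadata_directory().
      self.mock_get_metadata_directory(directory=meta_dir)

      #  Patch signercli._prompt().
      self.mock_prompt(config_filepath)

      #  Patch signercli._get_password().
      self.get_passwords()

      #  Create keystore directory.
      keystore_dir = self.create_temp_keystore_directory()


      # TESTS
      #  Test: normal case.
      signercli.make_root_metadata(keystore_dir)

      #  Verify that the root metadata path was created.
      self.assertTrue(os.path.exists(os.path.join(meta_dir, 'root.txt')))

      #  Test: invalid config path.
      #  Clear keystore's dictionaries.
      keystore.clear_keystore()

      #  Supply a non-existing path to signercli._prompt().
      self.mock_prompt(self.random_path())
      self.assertRaises(tuf.RepositoryError, signercli.make_root_metadata,
                        keystore_dir)

      #  Re-patch signercli._prompt() with valid config path.
      self.mock_prompt(config_filepath)

      #  Test: incorrect 'root' passwords.
      #  Clear keystore's dictionaries.
      keystore.clear_keystore()
      keyids = self.top_level_role_info['root']['keyids']
      for keyid in keyids:
        saved_pw = self.rsa_passwords[keyid]
        self.rsa_passwords[keyid] = self.random_string()
        try:
          self.assertRaises(tuf.RepositoryError, signercli.make_root_metadata,
                            keystore_dir)
        finally:
          #  Put the real password back even if the assertion fails.
          self.rsa_passwords[keyid] = saved_pw
    finally:
      # RESTORE
      signercli._get_password = original_get_password
      signercli._prompt = original_prompt
      signercli._get_metadata_directory = original_get_metadata_directory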
Ejemplo n.º 21
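  def test_4_change_password(self):
    """
    Check signercli.change_password() with valid and invalid input.

    Covers the normal case, a non-existing keyid, and a wrong old password.

    The password mock reads 'old_password' and 'new_password' from the
    enclosing scope each time it is called.  Binding them as default
    arguments would freeze the values at definition time, so rebinding
    'old_password' for the wrong-old-password case would never reach the
    mock and that case would not supply the wrong password it claims to.

    signercli._get_metadata_directory, _prompt and _get_password are
    restored in a 'finally' block, so a failing assertion cannot leave the
    mock prompt and password providers installed for later tests.
    """

    # SETUP
    original_get_metadata_directory = signercli._get_metadata_directory
    original_prompt = signercli._prompt
    original_get_password = signercli._get_password

    try:
      #  Create keystore and repo directories.
      keystore_dir = self.create_temp_keystore_directory()
      repo_dir = self.make_temp_directory()

      #  Create temp directory for config file.
      config_dir = self.make_temp_directory()

      #  Build a config file.
      config_filepath = signerlib.build_config_file(config_dir, 365,
          self.top_level_role_info)

      #  Create a temp metadata directory.
      meta_dir = self.make_temp_directory()

      #  Patch signercli._get_metadata_directory().
      self.mock_get_metadata_directory(directory=meta_dir)

      #  Patch signercli._prompt().
      self.mock_prompt(config_filepath)

      #  Patch '_get_password' method.
      self.get_passwords()

      signercli.make_root_metadata(keystore_dir)

      #  Create a directory containing target files.
      targets_dir, targets_paths =\
          self.make_temp_directory_with_data_files(directory=repo_dir)

      #  Mock method for signercli._prompt().
      self.make_metadata_mock_prompts(targ_dir=targets_dir,
                                      conf_path=config_filepath)

      signercli.make_targets_metadata(keystore_dir)

      test_keyid = self.rsa_keyids[0]
      self.mock_prompt(test_keyid)

      #  Specify old password and create a new password.
      old_password = self.rsa_passwords[test_keyid]
      new_password = self.random_string()

      #  Mock method for signercli._get_password().  Looks the passwords up
      #  at call time so later rebinding of 'old_password' takes effect.
      def _mock_get_password(msg, confirm=False):
        if msg.startswith('\nEnter the old password for the keyid: '):
          return old_password
        return new_password

      #  Patch signercli._get_password.
      signercli._get_password = _mock_get_password


      # TESTS
      #  Test: normal case.
      signercli.change_password(keystore_dir)

      #  Verify password change.
      self.assertEqual(keystore._key_passwords[test_keyid], new_password)

      #  Test: non-existing keyid.
      keystore.clear_keystore()
      self.mock_prompt(self.random_string(15))
      self.assertRaises(tuf.RepositoryError, signercli.change_password,
                        keystore_dir)

      #  Restore the prompt input to existing keyid.
      self.mock_prompt(test_keyid)

      #  Test: non-existing old password.
      #  The mock now answers the old-password prompt with a random string.
      keystore.clear_keystore()
      old_password = self.random_string()
      self.assertRaises(tuf.RepositoryError, signercli.change_password,
                        keystore_dir)
    finally:
      # RESTORE
      signercli._get_password = original_get_password
      signercli._prompt = original_prompt
      signercli._get_metadata_directory = original_get_metadata_directory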