def create_delegation(tuf_repo, delegated_targets_path, keyid, keyid_password, parent_role, new_role_name): keystore_dir = os.path.join(tuf_repo, 'keystore') metadata_dir = os.path.join(tuf_repo, 'metadata') # Patch signercli._get_metadata_directory() _get_metadata_directory(metadata_dir) # Mock method for signercli._prompt(). def _mock_prompt(msg, junk, targets_path=delegated_targets_path, parent_role=parent_role, new_role_name=new_role_name): if msg.startswith('\nThe directory entered'): return targets_path elif msg.startswith('\nChoose and enter the parent'): return parent_role elif msg.endswith('\nEnter the delegated role\'s name: '): return new_role_name else: error_msg = ('Prompt: '+'\''+msg+'\''+ ' did not match any predefined mock prompts.') sys.exit(error_msg) # Patch signercli._prompt(). signercli._prompt = _mock_prompt # Mock method for signercli._get_password(). def _mock_get_password(msg, keyid=keyid, password=keyid_password): _keyid = keyid[0] if msg.endswith('('+_keyid+'): '): return keyid_password else: return 'test' # password for targets' keyid. # Patch signercli._get_password(). signercli._get_password = _mock_get_password # Method to patch signercli._get_keyids() def _mock_get_keyid(junk, keyid=keyid): return keyid # Patch signercli._get_keyids(). signercli._get_keyids = _mock_get_keyid signercli.make_delegation(keystore_dir)
def build_server_repository(server_repository_dir, targets_dir): """ <Purpose> 'build_server_repository' builds a complete repository based on target files provided in the 'targets_dir'. Delegated roles are included. """ # Save the originals of the functions patched by this function. # The patched functions will be restored prior to returning. original_get_metadata = signercli._get_metadata_directory original_prompt = signercli._prompt original_get_password = signercli._get_password original_get_keyids = signercli._get_keyids server_metadata_dir = os.path.join(server_repository_dir, 'metadata') keystore_dir = os.path.join(server_repository_dir, 'keystore') # Remove 'server_metadata_dir' and 'keystore_dir' if they already exist. if os.path.exists(server_metadata_dir): shutil.rmtree(server_metadata_dir) if os.path.exists(keystore_dir): shutil.rmtree(keystore_dir) # Make metadata directory inside server repository dir. os.mkdir(server_metadata_dir) # Make a keystore directory inside server's repository and populate it. os.mkdir(keystore_dir) _create_keystore(keystore_dir) # Build config file. build_config = signerlib.build_config_file top_level_role_info = unittest_toolbox.Modified_TestCase.top_level_role_info config_filepath = build_config(server_repository_dir, 365, top_level_role_info) # BUILD ROLE FILES. # Build root file. signerlib.build_root_file(config_filepath, role_keyids['root'], server_metadata_dir) # Build targets file. signerlib.build_targets_file(targets_dir, role_keyids['targets'], server_metadata_dir) # MAKE DELEGATIONS. # We will need to patch a few signercli prompts. # Specifically, signercli.make_delegations() asks user input for: # metadata directory, delegated targets directory, parent role, # passwords for parent role's keyids, delegated role's name, and # the keyid to be assigned to the delegated role. Take a look at # signercli's make_delegation() to gain bit more insight in what is # happening. # 'load_key' is a reference to the 'load_keystore_from_keyfiles function'. load_keys = keystore.load_keystore_from_keyfiles # Setup first level delegated role. delegated_level1 = os.path.join(targets_dir, 'delegated_level1') delegated_targets_dir = delegated_level1 parent_role = 'targets' delegated_role_name = 'delegated_role1' signing_keyids = role_keyids['targets/delegated_role1'] # Patching the 'signercli' prompts. # Mock method for signercli._get_metadata_directory(). def _mock_get_metadata_directory(): return server_metadata_dir # Mock method for signercli._prompt(). def _mock_prompt(msg, junk): if msg.startswith('\nThe directory entered'): return delegated_targets_dir elif msg.startswith('\nChoose and enter the parent'): return parent_role elif msg.endswith('\nEnter the delegated role\'s name: '): return delegated_role_name else: error_msg = ('Prompt: '+'\''+msg+'\''+ ' did not match any predefined mock prompts.') sys.exit(error_msg) # Mock method for signercli._get_password(). def _mock_get_password(msg): for keyid in unittest_toolbox.Modified_TestCase.rsa_keyids: if msg.endswith('('+keyid+'): '): return unittest_toolbox.Modified_TestCase.rsa_passwords[keyid] # Method to patch signercli._get_keyids() def _mock_get_keyids(junk): if signing_keyids: for keyid in signing_keyids: password = unittest_toolbox.Modified_TestCase.rsa_passwords[keyid] # Load the keyfile. load_keys(keystore_dir, [keyid], [password]) return signing_keyids # Patch signercli._get_metadata_directory(). signercli._get_metadata_directory = _mock_get_metadata_directory # Patch signercli._prompt(). signercli._prompt = _mock_prompt # Patch signercli._get_password(). signercli._get_password = _mock_get_password # Patch signercli._get_keyids(). signercli._get_keyids = _mock_get_keyids # Clear kestore's dictionaries, by detaching them from unittest_toolbox's # dictionaries. keystore._keystore = {} keystore._key_passwords = {} # Make first level delegation. signercli.make_delegation(keystore_dir) # Setup second level delegated role. delegated_level2 = os.path.join(delegated_level1, 'delegated_level2') delegated_targets_dir = delegated_level2 parent_role = 'targets/delegated_role1' delegated_role_name = 'delegated_role2' signing_keyids = role_keyids['targets/delegated_role1/delegated_role2'] # Clear kestore's dictionaries. keystore.clear_keystore() # Make second level delegation. signercli.make_delegation(keystore_dir) keystore._keystore = unittest_toolbox.Modified_TestCase.rsa_keystore keystore._key_passwords = unittest_toolbox.Modified_TestCase.rsa_passwords # Build release file. signerlib.build_release_file(role_keyids['release'], server_metadata_dir) # Build timestamp file. signerlib.build_timestamp_file(role_keyids['timestamp'], server_metadata_dir) keystore._keystore = {} keystore._key_passwords = {} # RESTORE signercli._get_metadata_directory = original_get_metadata signercli._prompt = original_prompt signercli._get_password = original_get_password signercli._get_keyids = original_get_keyids
def create_delegation(tuf_repo, delegated_targets_path, keyid, keyid_password, parent_role, new_role_name, expiration_date): keystore_dir = os.path.join(tuf_repo, 'keystore') metadata_dir = os.path.join(tuf_repo, 'metadata') original_get_metadata_directory = signercli._get_metadata_directory original_prompt = signercli._prompt original_get_password = signercli._get_password original_get_keyids = signercli._get_keyids # Patch signercli._get_metadata_directory() _get_metadata_directory(metadata_dir) # Mock method for signercli._prompt(). def _mock_prompt(msg, junk, targets_path=delegated_targets_path, parent_role=parent_role, new_role_name=new_role_name, expiration=expiration_date): if msg.startswith('\nThe paths entered below should be located'): return targets_path elif msg.startswith('\nChoose and enter the parent'): return parent_role elif msg.startswith('\nEnter the delegated role\'s name: '): return new_role_name elif msg.startswith('\nCurrent time: '): return expiration else: error_msg = ('Prompt: '+'\''+msg+'\''+ ' did not match any predefined mock prompts.') sys.exit(error_msg) # Patch signercli._prompt(). signercli._prompt = _mock_prompt # Mock method for signercli._get_password(). def _mock_get_password(msg, keyid=keyid, password=keyid_password): _keyid = keyid[0] if msg.endswith('('+_keyid+'): '): return keyid_password else: return PASSWD # password for targets' keyid. # Patch signercli._get_password(). signercli._get_password = _mock_get_password # Method to patch signercli._get_keyids() def _mock_get_keyid(junk, keyid=keyid): return keyid # Patch signercli._get_keyids(). signercli._get_keyids = _mock_get_keyid signercli.make_delegation(keystore_dir) keystore.clear_keystore() signercli._get_keyids = original_get_keyids signercli._get_password = original_get_password signercli._prompt = original_prompt signercli._get_metadata_directory = original_get_metadata_directory
def build_server_repository(server_repository_dir, targets_dir): """ <Purpose> 'build_server_repository' builds a complete repository based on target files provided in the 'targets_dir'. Delegated roles are included. """ # Save the originals of the functions patched by this function. # The patched functions will be restored prior to returning. original_get_metadata = signercli._get_metadata_directory original_prompt = signercli._prompt original_get_password = signercli._get_password original_get_keyids = signercli._get_keyids # The expiration date for created metadata, required by the 'signercli.py' # script. The expiration date is set to 259200 seconds ahead of the current # time. Set all the metadata versions numbers to 1. expiration_date = tuf.formats.format_time(time.time() + 259200) expiration_date = expiration_date[0:expiration_date.rfind(' UTC')] version = 1 server_metadata_dir = os.path.join(server_repository_dir, 'metadata') keystore_dir = os.path.join(server_repository_dir, 'keystore') # Remove 'server_metadata_dir' and 'keystore_dir' if they already exist. if os.path.exists(server_metadata_dir): shutil.rmtree(server_metadata_dir) if os.path.exists(keystore_dir): shutil.rmtree(keystore_dir) # Make metadata directory inside server repository dir. os.mkdir(server_metadata_dir) # Make a keystore directory inside server's repository and populate it. os.mkdir(keystore_dir) _create_keystore(keystore_dir) # Build config file. build_config = signerlib.build_config_file top_level_role_info = unittest_toolbox.Modified_TestCase.top_level_role_info config_filepath = build_config(server_repository_dir, 365, top_level_role_info) # BUILD ROLE FILES. # Build root file. signerlib.build_root_file(config_filepath, role_keyids['root'], server_metadata_dir, version) # Build targets file. signerlib.build_targets_file([targets_dir], role_keyids['targets'], server_metadata_dir, version, expiration_date + ' UTC') # MAKE DELEGATIONS. # We will need to patch a few signercli prompts. # Specifically, signercli.make_delegations() asks user input for: # metadata directory, delegated targets directory, parent role, # passwords for parent role's keyids, delegated role's name, and # the keyid to be assigned to the delegated role. Take a look at # signercli's make_delegation() to gain bit more insight in what is # happening. # 'load_key' is a reference to the 'load_keystore_from_keyfiles function'. load_keys = keystore.load_keystore_from_keyfiles # Setup first level delegated role. delegated_level1 = os.path.join(targets_dir, 'delegated_level1') delegated_targets_dir = delegated_level1 parent_role = 'targets' delegated_role_name = 'delegated_role1' signing_keyids = role_keyids['targets/delegated_role1'] # Patching the 'signercli' prompts. # Mock method for signercli._get_metadata_directory(). def _mock_get_metadata_directory(): return server_metadata_dir # Mock method for signercli._prompt(). def _mock_prompt(msg, junk): if msg.startswith('\nThe paths entered'): return delegated_targets_dir elif msg.startswith('\nChoose and enter the parent'): return parent_role elif msg.startswith('\nEnter the delegated role\'s name: '): return delegated_role_name elif msg.startswith('\nCurrent time:'): return expiration_date else: error_msg = ('Prompt: ' + '\'' + msg + '\'' + ' did not match any predefined mock prompts.') sys.exit(error_msg) # Mock method for signercli._get_password(). def _mock_get_password(msg): for keyid in unittest_toolbox.Modified_TestCase.rsa_keyids: if msg.endswith('(' + keyid + '): '): return unittest_toolbox.Modified_TestCase.rsa_passwords[keyid] # Method to patch signercli._get_keyids() def _mock_get_keyids(junk): if signing_keyids: for keyid in signing_keyids: password = unittest_toolbox.Modified_TestCase.rsa_passwords[ keyid] # Load the keyfile. load_keys(keystore_dir, [keyid], [password]) return signing_keyids # Patch signercli._get_metadata_directory(). signercli._get_metadata_directory = _mock_get_metadata_directory # Patch signercli._prompt(). signercli._prompt = _mock_prompt # Patch signercli._get_password(). signercli._get_password = _mock_get_password # Patch signercli._get_keyids(). signercli._get_keyids = _mock_get_keyids # Clear kestore's dictionaries, by detaching them from unittest_toolbox's # dictionaries. keystore._keystore = {} keystore._derived_keys = {} # Make first level delegation. signercli.make_delegation(keystore_dir) # Setup second level delegated role. delegated_level2 = os.path.join(delegated_level1, 'delegated_level2') delegated_targets_dir = delegated_level2 parent_role = 'targets/delegated_role1' delegated_role_name = 'delegated_role2' signing_keyids = role_keyids['targets/delegated_role1/delegated_role2'] # Clear kestore's dictionaries. keystore.clear_keystore() # Make second level delegation. signercli.make_delegation(keystore_dir) keystore._keystore = unittest_toolbox.Modified_TestCase.rsa_keystore keystore._derived_keys = unittest_toolbox.Modified_TestCase.rsa_passwords # Build release file. signerlib.build_release_file(role_keyids['release'], server_metadata_dir, version, expiration_date + ' UTC') # Build timestamp file. signerlib.build_timestamp_file(role_keyids['timestamp'], server_metadata_dir, version, expiration_date + ' UTC') keystore._keystore = {} keystore._derived_keys = {} # RESTORE signercli._get_metadata_directory = original_get_metadata signercli._prompt = original_prompt signercli._get_password = original_get_password signercli._get_keyids = original_get_keyids
def build_server_repository(server_repository_dir, targets_dir): # Make metadata directory inside client and server repository dir. server_metadata_dir = os.path.join(server_repository_dir, 'metadata') os.mkdir(server_metadata_dir) # Make a keystore directory inside server's repository and populate it. keystore_dir = os.path.join(server_repository_dir, 'keystore') os.mkdir(keystore_dir) create_keystore(keystore_dir) # Build config file. build_config = signerlib.build_config_file config_filepath = build_config(server_repository_dir, 365, TestCase_Tools.top_level_role_info) # Role:keyids dictionary. role_keyids = {} for role in TestCase_Tools.semi_roledict.keys(): role_keyids[role] = TestCase_Tools.semi_roledict[role]['keyids'] # BUILD ROLE FILES. # Build root file. signerlib.build_root_file(config_filepath, role_keyids['root'], server_metadata_dir) # Build targets file. signerlib.build_targets_file(targets_dir, role_keyids['targets'], server_metadata_dir) # Build release file. signerlib.build_release_file(role_keyids['release'], server_metadata_dir) # Build timestamp file. signerlib.build_timestamp_file(role_keyids['timestamp'], server_metadata_dir) # MAKE DELEGATIONS. # We will need to patch a few signercli prompts. # Specifically, signercli.make_delegations() asks user input for: # metadata directory, delegated targets directory, parent role, # passwords for parent role's keyids, delegated role's name, and # the keyid to be assigned to the delegated role. Take a look at # signercli's make_delegation() to gain bit more insight in what is # happening. # 'load_key' is a reference to the 'load_keystore_from_keyfiles function'. load_keys = keystore.load_keystore_from_keyfiles # Setup first level delegated role. delegated_level1 = os.path.join(targets_dir, 'delegated_level1') delegated_targets_dir = delegated_level1 parent_role = 'targets' delegated_role_name = 'delegated_role1' signing_keyids = role_keyids['targets/delegated_role1'] # Patching the prompts. # Mock method for signercli._get_metadata_directory(). def _mock_get_metadata_directory(): return server_metadata_dir # Mock method for signercli._prompt(). def _mock_prompt(msg, junk): if msg.startswith('\nNOTE: The directory entered'): return delegated_targets_dir elif msg.startswith('\nChoose and enter the parent'): return parent_role elif msg.endswith('\nEnter the delegated role\'s name: '): return delegated_role_name else: error_msg = ('Prompt: '+'\''+msg+'\''+ ' did not match any predefined mock prompts.') sys.exit(error_msg) # Mock method for signercli._get_password(). def _mock_get_password(msg): for keyid in TestCase_Tools.rsa_keyids: if msg.endswith('('+keyid+'): '): return TestCase_Tools.rsa_passwords[keyid] # Method to patch signercli._get_keyids() def _mock_get_keyids(junk): if signing_keyids: for keyid in signing_keyids: password = TestCase_Tools.rsa_passwords[keyid] # Load the keyfile. load_keys(keystore_dir, [keyid], [password]) return signing_keyids # Patch signercli._get_metadata_directory(). signercli._get_metadata_directory = _mock_get_metadata_directory # Patch signercli._prompt(). signercli._prompt = _mock_prompt # Patch signercli._get_password(). signercli._get_password = _mock_get_password # Patch signercli._get_keyids(). signercli._get_keyids = _mock_get_keyids # Clear kestore's dictionaries, by detaching them from unittest_toolbox's # dictionaries. keystore._keystore = {} keystore._key_passwords = {} # Make first level delegation. signercli.make_delegation(keystore_dir) # Setup first level delegated role. delegated_level2 = os.path.join(delegated_level1, 'delegated_level2') delegated_targets_dir = delegated_level2 parent_role = 'targets/delegated_role1' delegated_role_name = 'delegated_role2' signing_keyids = role_keyids['targets/delegated_role1/delegated_role2'] # Clear kestore's dictionaries. keystore.clear_keystore() # Make second level delegation. signercli.make_delegation(keystore_dir)
def create_delegation(tuf_repo, delegated_targets_path, keyid, keyid_password, parent_role, new_role_name, expiration_date): keystore_dir = os.path.join(tuf_repo, 'keystore') metadata_dir = os.path.join(tuf_repo, 'metadata') original_get_metadata_directory = signercli._get_metadata_directory original_prompt = signercli._prompt original_get_password = signercli._get_password original_get_keyids = signercli._get_keyids # Patch signercli._get_metadata_directory() _get_metadata_directory(metadata_dir) # Mock method for signercli._prompt(). def _mock_prompt(msg, junk, targets_path=delegated_targets_path, parent_role=parent_role, new_role_name=new_role_name, expiration=expiration_date): if msg.startswith('\nThe paths entered below should be located'): return targets_path elif msg.startswith('\nChoose and enter the parent'): return parent_role elif msg.startswith('\nEnter the delegated role\'s name: '): return new_role_name elif msg.startswith('\nCurrent time: '): return expiration else: error_msg = ('Prompt: ' + '\'' + msg + '\'' + ' did not match any predefined mock prompts.') sys.exit(error_msg) # Patch signercli._prompt(). signercli._prompt = _mock_prompt # Mock method for signercli._get_password(). def _mock_get_password(msg, keyid=keyid, password=keyid_password): _keyid = keyid[0] if msg.endswith('(' + _keyid + '): '): return keyid_password else: return PASSWD # password for targets' keyid. # Patch signercli._get_password(). signercli._get_password = _mock_get_password # Method to patch signercli._get_keyids() def _mock_get_keyid(junk, keyid=keyid): return keyid # Patch signercli._get_keyids(). signercli._get_keyids = _mock_get_keyid signercli.make_delegation(keystore_dir) keystore.clear_keystore() signercli._get_keyids = original_get_keyids signercli._get_password = original_get_password signercli._prompt = original_prompt signercli._get_metadata_directory = original_get_metadata_directory
def test_7_make_delegation(self): # SETUP original_get_metadata_directory = signercli._get_metadata_directory original_prompt = signercli._prompt original_get_password = signercli._get_password # Create a temp repository and metadata directories. repo_dir = self.make_temp_directory() meta_dir = self.make_temp_directory(directory=repo_dir) # Create targets directories. targets_dir, targets_paths =\ self.make_temp_directory_with_data_files(directory=repo_dir) delegated_targets_dir = os.path.join(targets_dir,'targets', 'delegated_level1') # Assign parent role and name of the delegated role. parent_role = 'targets' delegated_role = 'delegated_role_1' # Create couple new RSA keys for delegation levels 1 and 2. new_keyid_1 = self.generate_rsakey() new_keyid_2 = self.generate_rsakey() # Create temp directory for config file. config_dir = self.make_temp_directory() # Build a config file. config_filepath = signerlib.build_config_file(config_dir, 365, self.top_level_role_info) # Patch signercli._get_metadata_directory(). self.mock_get_metadata_directory(directory=meta_dir) # Patch signercli._get_password(). Get passwords for parent's keyids. self.get_passwords() # Create keystore directory. keystore_dir = self.create_temp_keystore_directory() # Mock method for signercli._prompt() to generate targets.txt file. self.make_metadata_mock_prompts(targ_dir=targets_dir, conf_path=config_filepath) # List of keyids to be returned by _get_keyids() signing_keyids = [new_keyid_1] # Load keystore. load_keystore = keystore.load_keystore_from_keyfiles # Build the root metadata file (root.txt). signercli.make_root_metadata(keystore_dir) # Build targets metadata file (targets.txt). signercli.make_targets_metadata(keystore_dir) # Clear kestore's dictionaries. keystore.clear_keystore() # Mock method for signercli._prompt(). def _mock_prompt(msg, junk): if msg.startswith('\nThe directory entered'): return delegated_targets_dir elif msg.startswith('\nChoose and enter the parent'): return parent_role elif msg.endswith('\nEnter the delegated role\'s name: '): return delegated_role else: error_msg = ('Prompt: '+'\''+msg+'\''+ ' did not match any predefined mock prompts.') self.fail(error_msg) # Mock method for signercli._get_password(). def _mock_get_password(msg): for keyid in self.rsa_keyids: if msg.endswith('('+keyid+'): '): return self.rsa_passwords[keyid] # Method to patch signercli._get_keyids() def _mock_get_keyids(junk): if signing_keyids: for keyid in signing_keyids: password = self.rsa_passwords[keyid] # Load the keyfile. load_keystore(keystore_dir, [keyid], [password]) return signing_keyids # Patch signercli._prompt(). signercli._prompt = _mock_prompt # Patch signercli._get_password(). signercli._get_password = _mock_get_password # Patch signercli._get_keyids(). signercli._get_keyids = _mock_get_keyids # TESTS # Test: invalid parent role. # Assign a non-existing parent role. parent_role = self.random_string() self.assertRaises(tuf.RepositoryError, signercli.make_delegation, keystore_dir) # Restore parent role. parent_role = 'targets' # Test: invalid password(s) for parent's keyids. keystore.clear_keystore() parent_keyids = self.top_level_role_info[parent_role]['keyids'] for keyid in parent_keyids: saved_pw = self.rsa_passwords[keyid] self.rsa_passwords[keyid] = self.random_string() self.assertRaises(tuf.RepositoryError, signercli.make_delegation, keystore_dir) self.rsa_passwords[keyid] = saved_pw # Test: delegated_keyids == 0. keystore.clear_keystore() # Load 0 keyids (== 0). signing_keyids = [] self.assertRaises(tuf.RepositoryError, signercli.make_delegation, keystore_dir) keystore.clear_keystore() # Restore signing_keyids (== 1). signing_keyids = [new_keyid_1] # Test: normal case 1. # Testing first level delegation. signercli.make_delegation(keystore_dir) # Verify delegated metadata file exists. delegated_meta_file = os.path.join(meta_dir, parent_role, delegated_role+'.txt') self.assertTrue(os.path.exists(delegated_meta_file)) # Test: normal case 2. # Testing second level delegation. keystore.clear_keystore() # Make necessary adjustments for the test. signing_keyids = [new_keyid_2] delegated_targets_dir = os.path.join(delegated_targets_dir, 'delegated_level2') parent_role = os.path.join(parent_role, delegated_role) delegated_role = 'delegated_role_2' signercli.make_delegation(keystore_dir) # Verify delegated metadata file exists. delegated_meta_file = os.path.join(meta_dir, parent_role, delegated_role+'.txt') self.assertTrue(os.path.exists(delegated_meta_file)) # Test: normal case 3. # Testing delegated_keyids > 1. # Ensure make_delegation() sets 'threshold' = 2 for the delegated role. keystore.clear_keystore() # Populate 'signing_keyids' with multiple keys, so the # the delegated metadata is set to a threshold > 1. signing_keyids = [new_keyid_1, new_keyid_2] parent_role = 'targets' delegated_role = 'delegated_role_1' signercli.make_delegation(keystore_dir) # Verify delegated metadata file exists. delegated_meta_file = os.path.join(meta_dir, parent_role, delegated_role+'.txt') self.assertTrue(os.path.exists(delegated_meta_file)) # Verify the threshold value of the delegated metadata file # by inspecting the parent role's 'delegations' field. parent_role_file = os.path.join(meta_dir, parent_role+'.txt') signable = signerlib.read_metadata_file(parent_role_file) delegated_rolename = parent_role+'/'+delegated_role threshold = signable['signed']['delegations']['roles']\ [delegated_rolename]['threshold'] self.assertTrue(threshold == 2) # RESTORE signercli._get_password = original_get_password signercli._prompt = original_prompt signercli._get_metadata_directory = original_get_metadata_directory