def test_delegation_class(self):
# empty keys and roles
delegations_dict = {"keys":{}, "roles":[]}
delegations = Delegations.from_dict(delegations_dict.copy())
self.assertEqual(delegations_dict, delegations.to_dict())
# Test some basic missing or broken input
invalid_delegations_dicts = [
{},
{"keys":None, "roles":None},
{"keys":{"foo":0}, "roles":[]},
{"keys":{}, "roles":["foo"]},
]
for d in invalid_delegations_dicts:
with self.assertRaises((KeyError, AttributeError)):
Delegations.from_dict(d)
def add_succinct_roles(self, delegator_name: str, bit_length: int,
name_prefix: str) -> None:
"""Add succinct roles info to a delegator with name "delegator_name".
Note that for each delegated role represented by succinct roles an empty
Targets instance is created.
"""
delegator = self._get_delegator(delegator_name)
if (delegator.delegations is not None
and delegator.delegations.roles is not None):
raise ValueError(
"Can't add a succinct_roles when delegated roles are used")
key, signer = self.create_key()
succinct_roles = SuccinctRoles([], 1, bit_length, name_prefix)
delegator.delegations = Delegations({}, None, succinct_roles)
# Add targets metadata for all bins.
for delegated_name in succinct_roles.get_roles():
self.md_delegates[delegated_name] = Metadata(
Targets(expires=self.safe_expiry))
self.add_signer(delegated_name, signer)
delegator.add_key(key)
def add_delegation(self, delegator_name: str, role: DelegatedRole,
targets: Targets) -> None:
"""Add delegated target role to the repository."""
delegator = self._get_delegator(delegator_name)
if (delegator.delegations is not None
and delegator.delegations.succinct_roles is not None):
raise ValueError("Can't add a role when succinct_roles is used")
# Create delegation
if delegator.delegations is None:
delegator.delegations = Delegations({}, roles={})
assert delegator.delegations.roles is not None
# put delegation last by default
delegator.delegations.roles[role.name] = role
# By default add one new key for the role
key, signer = self.create_key()
delegator.add_key(key, role.name)
self.add_signer(role.name, signer)
# Add metadata for the role
if role.name not in self.md_delegates:
self.md_delegates[role.name] = Metadata(targets, {})
# NOTE: See "Targets delegation" and "Signature thresholds" paragraphs in
# 'basic_repo.py' for more details
for name in ["bin-n", "bins"]:
keys[name] = generate_ed25519_key()
# Targets roles
# -------------
# NOTE: See "Targets" and "Targets delegation" paragraphs in 'basic_repo.py'
# example for more details about the Targets object.
# Create preliminary delegating targets role (bins) and add public key for
# delegated targets (bin_n) to key store. Delegation details are update below.
roles["bins"] = Metadata(Targets(expires=_in(365)))
bin_n_key = Key.from_securesystemslib_key(keys["bin-n"])
roles["bins"].signed.delegations = Delegations(
keys={bin_n_key.keyid: bin_n_key},
roles={},
)
# The hash bin generator yields an ordered list of incremental hash bin names
# (ranges), plus the hash prefixes each bin is responsible for, e.g.:
#
# bin_n_name: 00-07 bin_n_hash_prefixes: 00 01 02 03 04 05 06 07
# 08-0f 08 09 0a 0b 0c 0d 0e 0f
# 10-17 10 11 12 13 14 15 16 17
# ... ...
# f8-ff f8 f9 fa fb fc fd fe ff
assert roles["bins"].signed.delegations.roles is not None
for bin_n_name, bin_n_hash_prefixes in generate_hash_bins():
# Update delegating targets role (bins) with delegation details for each
# delegated targets role (bin_n).
roles["bins"].signed.delegations.roles[bin_n_name] = DelegatedRole(
def test_delegation_serialization(self, test_case_data: str):
case_dict = json.loads(test_case_data)
delegation = Delegations.from_dict(copy.deepcopy(case_dict))
self.assertDictEqual(case_dict, delegation.to_dict())
def test_invalid_delegation_serialization(self,
test_case_data: str) -> None:
case_dict = json.loads(test_case_data)
with self.assertRaises((ValueError, KeyError, AttributeError)):
Delegations.from_dict(case_dict)
# delegatee by authorizing a threshold of cryptographic keys to provide
# signatures for the delegatee metadata. It also provides the corresponding
# public key store.
# The delegation info defined by the delegator further requires the provision
# of a unique delegatee name and constraints about the target files the
# delegatee is responsible for, e.g. a list of path patterns. For details about
# all configuration parameters see
# https://theupdateframework.github.io/specification/latest/#delegations
roles["targets"].signed.delegations = Delegations(
keys={
keys[delegatee_name]["keyid"]:
Key.from_securesystemslib_key(keys[delegatee_name])
},
roles={
delegatee_name:
DelegatedRole(
name=delegatee_name,
keyids=[keys[delegatee_name]["keyid"]],
threshold=1,
terminating=True,
paths=["*.py"],
),
},
)
# Remove target file info from top-level targets (delegatee is now responsible)
del roles["targets"].signed.targets[target_path]
# Increase expiry (delegators should be less volatile)
roles["targets"].signed.expires = _in(365)
# Snapshot + Timestamp + Sign + Persist