Merge pull request #94 from jku/fix-artifacts-in-delegations

repo: Fix tuf-on-ci-status when artifacts are added to delegates

Author: jku

repo/tuf_on_ci/status.py

@@ -55,6 +55,7 @@ def _find_changed_roles(known_good_dir: str, signing_event_dir: str) -> set[str]
 def _find_changed_target_roles(
     known_good_targets_dir: str, targets_dir: str
 ) -> set[str]:
+    """Compare two artifact directories, return rolenames that have artifacts changes"""
     files = (
         glob("*", root_dir=targets_dir)
         + glob("*/*", root_dir=targets_dir)
@@ -65,17 +66,23 @@ def _find_changed_target_roles(
     for filepath in files:
         f1 = os.path.join(targets_dir, filepath)
         f2 = os.path.join(known_good_targets_dir, filepath)
+
+        # subdirs are allowed to exist, appear and disappear
         if os.path.isdir(f1) and os.path.isdir(f2):
             continue
+        if os.path.isdir(f1) and not os.path.exists(f2):
+            continue
+        if not os.path.exists(f1) and os.path.isdir(f2):
+            continue
 
         try:
             if filecmp.cmp(f1, f2, shallow=False):
                 continue
         except FileNotFoundError:
             pass
 
-        # found a changed target, add rolename to list. "targets" is a special case
-        rolename, _, _ = filepath.rpartition(filepath)
+        # found a changed artifact, add rolename to set. "targets" is a special case
+        rolename, _, _ = filepath.rpartition("/")
         if not rolename:
             rolename = "targets"
         changed_roles.add(rolename)

tests/e2e.sh

@@ -144,16 +144,14 @@ signer_init()
 
 signer_add_delegation()
 {
-    # run tuf-on-ci-delegate to change root signer from user1 to user2:
+    # run tuf-on-ci-delegate to add a new delegated role
     USER1=$1
     EVENT=$2
 
     SIGNER_DIR="$WORK_DIR/$TEST_NAME/$USER1"
     SIGNER_GIT="$SIGNER_DIR/git"
     export SOFTHSM2_CONF="$SIGNER_DIR/softhsm2.conf"
 
-    # user1 needs to eventually sign, but after this, there's on open invitation
-    # for user2, so signing does not happen here
     INPUT=(
         "delegated"         # select role to modify
         "1"                 # Configure role delegated? [1: configure signers]
@@ -357,6 +355,27 @@ signer_modify_targets()
     git push --quiet origin $EVENT
 }
 
+signer_add_delegated_target()
+{
+    USER=$1
+    EVENT=$2
+
+    SIGNER_DIR="$WORK_DIR/$TEST_NAME/$USER"
+    SIGNER_GIT="$SIGNER_DIR/git"
+    export SOFTHSM2_CONF="$SIGNER_DIR/softhsm2.conf"
+
+    cd $SIGNER_GIT
+
+    # Make target file changes, push to remote signing event branch
+    git fetch --quiet origin
+    git switch --quiet -C $EVENT origin/main
+    mkdir -p targets/delegated
+    echo "file1" > targets/delegated/file1.txt
+    git add targets/delegated/file1.txt
+    git commit  --quiet -m "Add a delegated target file"
+    git push --quiet origin $EVENT
+}
+
 non_signer_change_online_delegation()
 {
     # run tuf-on-ci-delegate: creates a commit, pushes it to remote branch
@@ -642,6 +661,42 @@ test_target_changes()
     echo "OK"
 }
 
+test_target_changes_in_delegations()
+{
+    echo -n "Target files in delegated roles... "
+    setup_test "target_files_in_delegated_roles"
+
+    # user1: create repo, add a delegated role
+    signer_init user1 sign/initial
+    signer_add_delegation user1 sign/initial
+
+    # merge successful signing event, create snapshot
+    repo_merge sign/initial
+    repo_online_sign
+
+    # second signing event: Any user adds target to delegated role
+    # Signing-event requires a signature from user1
+    signer_add_delegated_target user2 sign/new-delegated-target
+    repo_status_fail sign/new-delegated-target
+    signer_sign user1 sign/new-delegated-target
+
+    # merge successful signing event, create snapshot
+    repo_merge sign/new-delegated-target
+    repo_online_sign
+
+    repo_publish
+
+    # Verify test result
+    # ECDSA signatures are not deterministic: wipe all sigs so diffing is easy
+    for t in ${PUBLISH_DIR}/metadata/*.json; do
+        strip_signatures $t
+    done
+    # the resulting metadata should match expected metadata exactly
+    diff -r $SCRIPT_DIR/expected/target-files-in-delegated-roles/ $PUBLISH_DIR
+
+    echo "OK"
+}
+
 test_root_key_rotation()
 {
     echo -n "Root key rotation... "
@@ -716,4 +771,5 @@ test_delegated_role
 test_online_bumps
 test_multi_user_signing
 test_target_changes
+test_target_changes_in_delegations
 test_root_key_rotation

tests/expected/target-files-in-delegated-roles/metadata/1.root.json

@@ -0,0 +1,65 @@
+{
+ "signatures": [
+  {
+   "keyid": "95da323daa78f7b2557ae91e23be619ff932f9aec035abd4e40301405b363999",
+   "sig": "XXX"
+  }
+ ],
+ "signed": {
+  "_type": "root",
+  "consistent_snapshot": true,
+  "expires": "2022-02-03T01:02:03Z",
+  "keys": {
+   "95da323daa78f7b2557ae91e23be619ff932f9aec035abd4e40301405b363999": {
+    "keytype": "ecdsa",
+    "keyval": {
+     "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJ3pswWmx9Bx2VBcpqaooQFA7dQnhRafh\ntj942eg086x6EMHdfgdox9TbwGm7sU2sn/gyjyDr1ez8Ld2ORnyYJ8cAlegfTqNq\nE0eSrLrb+YpzQJxLwh6qWcSngF99Unft\n-----END PUBLIC KEY-----\n"
+    },
+    "scheme": "ecdsa-sha2-nistp384",
+    "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1"
+   },
+   "fa47289": {
+    "keytype": "ed25519",
+    "keyval": {
+     "public": "fa472895c9756c2b9bcd1440bf867d0fa5c4edee79e9792fa9822be3dd6fcbb3"
+    },
+    "scheme": "ed25519",
+    "x-tuf-on-ci-online-uri": "envvar:LOCAL_TESTING_KEY"
+   }
+  },
+  "roles": {
+   "root": {
+    "keyids": [
+     "95da323daa78f7b2557ae91e23be619ff932f9aec035abd4e40301405b363999"
+    ],
+    "threshold": 1
+   },
+   "snapshot": {
+    "keyids": [
+     "fa47289"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 365,
+    "x-tuf-on-ci-signing-period": 60
+   },
+   "targets": {
+    "keyids": [
+     "95da323daa78f7b2557ae91e23be619ff932f9aec035abd4e40301405b363999"
+    ],
+    "threshold": 1
+   },
+   "timestamp": {
+    "keyids": [
+     "fa47289"
+    ],
+    "threshold": 1,
+    "x-tuf-on-ci-expiry-period": 2,
+    "x-tuf-on-ci-signing-period": 1
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 1,
+  "x-tuf-on-ci-expiry-period": 365,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}

tests/expected/target-files-in-delegated-roles/metadata/1.targets.json

@@ -0,0 +1,42 @@
+{
+ "signatures": [
+  {
+   "keyid": "95da323daa78f7b2557ae91e23be619ff932f9aec035abd4e40301405b363999",
+   "sig": "XXX"
+  }
+ ],
+ "signed": {
+  "_type": "targets",
+  "delegations": {
+   "keys": {
+    "95da323daa78f7b2557ae91e23be619ff932f9aec035abd4e40301405b363999": {
+     "keytype": "ecdsa",
+     "keyval": {
+      "public": "-----BEGIN PUBLIC KEY-----\nMHYwEAYHKoZIzj0CAQYFK4EEACIDYgAEJ3pswWmx9Bx2VBcpqaooQFA7dQnhRafh\ntj942eg086x6EMHdfgdox9TbwGm7sU2sn/gyjyDr1ez8Ld2ORnyYJ8cAlegfTqNq\nE0eSrLrb+YpzQJxLwh6qWcSngF99Unft\n-----END PUBLIC KEY-----\n"
+     },
+     "scheme": "ecdsa-sha2-nistp384",
+     "x-tuf-on-ci-keyowner": "@tuf-on-ci-user1"
+    }
+   },
+   "roles": [
+    {
+     "keyids": [
+      "95da323daa78f7b2557ae91e23be619ff932f9aec035abd4e40301405b363999"
+     ],
+     "name": "delegated",
+     "paths": [
+      "delegated/*"
+     ],
+     "terminating": true,
+     "threshold": 1
+    }
+   ]
+  },
+  "expires": "2022-02-03T01:02:03Z",
+  "spec_version": "1.0.31",
+  "targets": {},
+  "version": 1,
+  "x-tuf-on-ci-expiry-period": 365,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}

tests/expected/target-files-in-delegated-roles/metadata/2.delegated.json

@@ -0,0 +1,24 @@
+{
+ "signatures": [
+  {
+   "keyid": "95da323daa78f7b2557ae91e23be619ff932f9aec035abd4e40301405b363999",
+   "sig": "XXX"
+  }
+ ],
+ "signed": {
+  "_type": "targets",
+  "expires": "2022-02-03T01:02:03Z",
+  "spec_version": "1.0.31",
+  "targets": {
+   "delegated/file1.txt": {
+    "hashes": {
+     "sha256": "ecdc5536f73bdae8816f0ea40726ef5e9b810d914493075903bb90623d97b1d8"
+    },
+    "length": 6
+   }
+  },
+  "version": 2,
+  "x-tuf-on-ci-expiry-period": 365,
+  "x-tuf-on-ci-signing-period": 60
+ }
+}

tests/expected/target-files-in-delegated-roles/metadata/2.snapshot.json

@@ -0,0 +1,22 @@
+{
+ "signatures": [
+  {
+   "keyid": "fa47289",
+   "sig": "XXX"
+  }
+ ],
+ "signed": {
+  "_type": "snapshot",
+  "expires": "2022-02-03T01:02:03Z",
+  "meta": {
+   "delegated.json": {
+    "version": 2
+   },
+   "targets.json": {
+    "version": 1
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 2
+ }
+}

tests/expected/target-files-in-delegated-roles/metadata/timestamp.json

@@ -0,0 +1,19 @@
+{
+ "signatures": [
+  {
+   "keyid": "fa47289",
+   "sig": "XXX"
+  }
+ ],
+ "signed": {
+  "_type": "timestamp",
+  "expires": "2021-02-05T01:02:03Z",
+  "meta": {
+   "snapshot.json": {
+    "version": 2
+   }
+  },
+  "spec_version": "1.0.31",
+  "version": 2
+ }
+}

tests/expected/target-files-in-delegated-roles/targets/delegated/ecdc5536f73bdae8816f0ea40726ef5e9b810d914493075903bb90623d97b1d8.file1.txt

@@ -0,0 +1 @@
+file1