Updated delegation information in repository_tool to use different ke…

…ydbs for delegations and add parent_role to roledb entries for delegations Signed-off-by: marinamoore <mnm678@gmail.com>
theupdateframework · Aug 4, 2020 · 1339a13 · 1339a13
1 parent 550fccc
commit 1339a13
Show file tree

Hide file tree

Showing 3 changed files with 21 additions and 9 deletions.
diff --git a/tests/test_updater.py b/tests/test_updater.py
@@ -1171,8 +1171,8 @@ def test_6_get_one_valid_targetinfo(self):
     repository.targets('role4').add_target(foo_package)
 
     repository.targets.load_signing_key(self.role_keys['targets']['private'])
-    repository.targets('role3').load_signing_key(self.role_keys['targets']['private'])
-    repository.targets('role4').load_signing_key(self.role_keys['targets']['private'])
+    repository.targets('role3').load_signing_key(self.role_keys['targets']['private'], 'targets')
+    repository.targets('role4').load_signing_key(self.role_keys['targets']['private'], 'targets')
     repository.snapshot.load_signing_key(self.role_keys['snapshot']['private'])
     repository.timestamp.load_signing_key(self.role_keys['timestamp']['private'])
     repository.writeall()

diff --git a/tuf/developer_tool.py b/tuf/developer_tool.py
@@ -289,7 +289,7 @@ def write(self, write_partial=False):
 
 
 
-  def add_verification_key(self, key, expires=None):
+  def add_verification_key(self, key, expires=None, delegating_rolename='root'):
     """
       <Purpose>
         Function as a thin wrapper call for the project._targets call
@@ -322,7 +322,7 @@ def add_verification_key(self, key, expires=None):
     if len(self.keys) > 0:
       raise securesystemslib.exceptions.Error("This project already contains a key.")
 
-    super(Project, self).add_verification_key(key, expires)
+    super(Project, self).add_verification_key(key, expires, delegating_rolename)
 
 
 

diff --git a/tuf/repository_tool.py b/tuf/repository_tool.py
@@ -682,7 +682,7 @@ def __init__(self):
     self._repository_name = None
 
 
-  def add_verification_key(self, key, expires=None):
+  def add_verification_key(self, key, expires=None, delegating_rolename='root'):
     """
     <Purpose>
       Add 'key' to the role.  Adding a key, which should contain only the
@@ -728,6 +728,12 @@ def add_verification_key(self, key, expires=None):
     # 'securesystemslib.exceptions.FormatError' if any are improperly formatted.
     securesystemslib.formats.ANYKEY_SCHEMA.check_match(key)
 
+    # top level roles go in the default keydb, delegated roles go in the keydb
+    # of their parent role
+    repository_name = self._repository_name
+    if delegating_rolename != 'root':
+      repository_name = repository_name + ' ' + delegating_rolename
+
     # If 'expires' is unset, choose a default expiration for 'key'.  By
     # default, Root, Targets, Snapshot, and Timestamp keys are set to expire
     # 1 year, 3 months, 1 week, and 1 day from the current time, respectively.
@@ -779,7 +785,7 @@ def add_verification_key(self, key, expires=None):
     # Keys may be shared, so do not raise an exception if 'key' has already
     # been loaded.
     try:
-      tuf.keydb.add_key(key, repository_name=self._repository_name)
+      tuf.keydb.add_key(key, repository_name=repository_name)
 
     except tuf.exceptions.KeyAlreadyExistsError:
       logger.warning('Adding a verification key that has already been used.')
@@ -797,7 +803,7 @@ def add_verification_key(self, key, expires=None):
       roleinfo['keyids'].append(keyid)
       roleinfo['previous_keyids'] = previous_keyids
 
-      tuf.roledb.update_roleinfo(self._rolename, roleinfo,
+      tuf.roledb.update_roleinfo(self.rolename, roleinfo,
           repository_name=self._repository_name)
 
 
@@ -2251,7 +2257,8 @@ def _create_delegated_target(self, rolename, keyids, threshold, paths):
     roleinfo = {'name': rolename, 'keyids': keyids, 'signing_keyids': [],
                 'threshold': threshold, 'version': 0,
                 'expires': expiration, 'signatures': [], 'partial_loaded': False,
-                'paths': paths, 'delegations': {'keys': {}, 'roles': []}}
+                'paths': paths, 'delegations': {'keys': {}, 'roles': []},
+                'parent_role' : self._parent_targets_object.rolename}
 
     # The new targets object is added as an attribute to this Targets object.
     new_targets_object = Targets(self._targets_directory, rolename, roleinfo,
@@ -2425,8 +2432,13 @@ def delegate(self, rolename, public_keys, paths, threshold=1,
       del roleinfo['paths']
 
     # Update the public keys of 'new_targets_object'.
+    try:
+      tuf.keydb.create_keydb(self._repository_name + ' ' + self._rolename)
+    except securesystemslib.exceptions.InvalidNameError:
+      # keydb already created
+      pass
     for key in public_keys:
-      new_targets_object.add_verification_key(key)
+      new_targets_object.add_verification_key(key, delegating_rolename=self._rolename)
 
     # Add the new delegation to the top-level 'targets' role object (i.e.,
     # 'repository.targets()').  For example, 'django', which was delegated by