Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

[WIP] Use separate keydb for delegated targets #1095

Closed
wants to merge 10 commits into from
Closed

[WIP] Use separate keydb for delegated targets #1095

wants to merge 10 commits into from

Conversation

mnm678
Copy link
Contributor

@mnm678 mnm678 commented Aug 3, 2020

Fixes issue: part 3 of #1084

To implement TAP 12, this pr adds separate keydbs for each delegating instance. This means that the roles delegated to by root will use one keydb, the roles delegated to by targets will use a different one, and so on.

To do so, this pr introduces keydb.create_keydb_from_targets_metadata to make a new keydb for all roles delegated to by a targets metadata file and adds a parent_role field to the roledb to keep track of what keydb should be used when verifying a role.

@trishankatdatadog
Copy link
Member

trishankatdatadog commented Aug 3, 2020
edited
Loading

This is awesome, thanks, Marina!

I'm a bit ambivalent about continuing to use the global key dictionary, even if isolated by repositories. Ideally, this should be done recursively. I understand we need to make progress, but I'm also hesitant about adding code we will eventually need to rewrite anyway.

It's a difficult problem. Thoughts @lukpueh @joshuagl @JustinCappos ?

mnm678 and others added 9 commits August 4, 2020 13:15
@mnm678
This WIP commit creates a separate keydb for each delegating instance.
6f7c541 
This means that all roles delegated to by root will look for keys
from the root metadata, roles delegated to by targets will look for
keys in targets metadata, and so on.

This commit adds this functionality to the keydb and ensures that
these separate keydbs are created and used for storing keys. It
requires a future change to the roledb to store the delegating role
and further testing.

Signed-off-by: marinamoore <mmoore32@calpoly.edu>
@mnm678
This commit adds the parent_role field to roledb.
043c056 
This field can be used by delegated targets to determine
which role delegated to them, and thus which keys should
be used to verify the role.

Signed-off-by: marinamoore <mmoore32@calpoly.edu>
@mnm678
Bug fixes for the per client keydb
de40f85 
Signed-off-by: marinamoore <mmoore32@calpoly.edu>
@mnm678
Update tests for local keydb.
1c121e3 
The repository keydb will no longer store keys for delegated
roles. Instead look for these keys in delegated keydbs.

Signed-off-by: marinamoore <mmoore32@calpoly.edu>
@mnm678
Fix minor issues for pylint
e9a59f5 
Signed-off-by: marinamoore <mmoore32@calpoly.edu>
@mnm678
Bug fixes
4d866c4 
Signed-off-by: marinamoore <mmoore32@calpoly.edu>
@mnm678
use correct keydb when loading keys
e0c50c0 
Signed-off-by: marinamoore <mmoore32@calpoly.edu>
@mnm678
Add parent_role in targets.delegate
5b57fa0 
Signed-off-by: marinamoore <mmoore32@calpoly.edu>
@mnm678
Updated delegation information in repository_tool to use different ke…
7642140 
…ydbs

for delegations and add parent_role to roledb entries for delegations

Signed-off-by: marinamoore <mnm678@gmail.com>
@mnm678
Add delegating_rolename to sig.py
7f4fd5c 
Signed-off-by: marinamoore <mnm678@gmail.com>
@trishankatdatadog
Copy link
Member

@mnm678 would you please kindly mark this as a draft PR until ready? Thanks!

@mnm678 mnm678 marked this pull request as draft August 4, 2020 20:32
@lukpueh
Copy link
Member

lukpueh commented Aug 18, 2020

In a recent TAP meeting we agreed that it might be better to not rework keydb, but instead hold off the implementation of TAP 12 until we have better key handling infrastructure, as e.g. discussed in #1060 (comment). Should we close here, @mnm678?

@mnm678
Copy link
Contributor Author

mnm678 commented Aug 18, 2020

Yes, I'll close this and we can revisit the TAP 12 implementation in the future.

@mnm678 mnm678 closed this Aug 18, 2020
@mnm678 mnm678 mentioned this pull request Sep 28, 2020
Open
3 tasks
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@mnm678 @trishankatdatadog @lukpueh