Metadata API: Implement threshold verification

[jku]

#1417 is merged so this is good to go

The delegating Metadata (root or targets) verifies that the delegated metadata is signed by required threshold of keys for the delegated role.

This implementation raises UnsignedMetadataError if threshold is not met. Other possible exceptions are programming errors.

Fixes #1306

[sechkova]

Maybe I've become biased after looking at the code in the next-gen client for a while because I couldn't point out any issues :)

I was searching for a way to avoid adding role_name as an argument of verify_delegate but I saw you already opened #1425 about it so +1 from me on that.

[MVrachev]

I didn't found any issues either.
LGTM!

[MVrachev]

Maybe making sure that we have keyval["public"] uniqueness can be done instead in Root and Targets?

[jku]

yeah possible but I'd say it's a separate issue: #1429

[jku]

I only very recently realised the TUF spec does not require the existence of "public" at all -- the three keys defined in the spec all happen to have it but it isn't required.

So this line needs to change. The spec does require that KEYIDs are unique so verify_delegate() will just respect that and will not try to poke into the internals.

[jku]

Also from trishank: "What does this line do? Looks like magic"
My response was:

it returns the first role in delegations with name role_name (or None if no match).

I agree it's not pretty and a bit too clever.
I could do something like this instead:

role = None
for delegated_role in roles:
    if delegated_role.name == role_name:
        role = delegated_role
        break

but that's 5 lines of initialize-then-modify antipattern: not the end of the world but not perfect either.

the real fix is probably #1426 though (make roles a OrderedDict). Then this code becomes readable and efficient:
role = roles.get(role_name)

I think I'd leave it as is ... but if others think that's too clever I'm happy to change to the more verbose one

[joshuagl]

Perhaps add a one-liner comment for less familiar readers?

Find the first role in delegations with name role_name (or None if no match)

[MVrachev]

In our discussion with @jku in issue #1438 we agreed that we should make sure that the metadata is accepted even if it has a couple of invalid keys, but it accommodates the requirement placed by threshold.
I think I don't see a test for that. Do you plan to add one @jku?

[jku]

In our discussion with @jku in issue #1438 we agreed that we should make sure that the metadata is accepted even if it has a couple of invalid keys, but it accommodates the requirement placed by threshold.
I think I don't see a test for that. Do you plan to add one @jku?

I think there are two things that we should definitely test:

• test that Key.verify_signature() raises UnsignedMetadataError (or potentially a derived error) if keys are in any way invalid. This should happen in Handle exceptions in verify #1435, I've added the tests that I think make sense there
• test that verify_delegate() handles UnsignedMetadataErrors coming from Key.verify_signature(): catching that error is fine as long as threshold is eventually reached: this should happen in this PR. It does look like there is no test case with failing signatures that should eventually succeed (because threshold is still reached). That would make sense to add (but it does not need to be about invalid keys in particular).

Soo, yes I guess I plan to add one now...

[jku]

rebased on develop, added a commit to add a tests for

• signature that fails to verify, but overall signatures reach threshold
• threshold that actually contains multiple signatures

This also changes one error type as suggested by teodora

[MVrachev]

Thanks for adding the tests!
Seems good to me!

[jku]

Added a commit that removes the attempt to enforce key contents uniqueness:

• I only very recently realised the TUF spec does not require the existence of "public" key within the Key.keyval dictionary at all -- the three keys defined in the spec all happen to have it but it isn't required.
• We know that the attempt is not protection against maliciously crafted keys anyway: creating multiple representations of the same key is not difficult

Luckily the spec requires that KEYIDs are unique so verify_delegate() will just respect that and will not try to poke into the internals of the keys.

[joshuagl]

This looks good to me. I wonder if the parameter names in verify_delegate could be renamed to more clearly indicate that role_name and delegate are related (an identifier and an instance)?

[joshuagl]

Perhaps add a one-liner comment for less familiar readers?

Find the first role in delegations with name role_name (or None if no match)

[jku]

I chose the more verbose names: it's easy to lose track of where the keys and thresholds really come from and what they are applied on so more verbose seems reasonable.

[jku]

Someone made mypy rules stricter in the mean time 😬 so had to rebase and fix the annotation (no changes in existing commits, only in two new commit).

[joshuagl]

I really like how easy this is to follow, nice work.

[jku]

Yes, agree with all suggestions. I've combined all the improvements from suggestions into one commit.

The changes since last push are

• use if self.signed.delegations is None to make that path clearer as suggested
• Add a test for this specific case (this required modifying the test data)
• tweak comments as suggested

It's minor enough that I don't think this absolutely needs another approval (so I will merge with the one I have) but ... there's not a lot of code that's more critical for TUF so feel free to have another look

[MVrachev]

I looked at the new changes and it seems good to me!

[joshuagl]

LGTM, thanks!