diff --git a/endpoints/api/test/test_signing.py b/endpoints/api/test/test_signing.py
index a0320d015..31f37d632 100644
--- a/endpoints/api/test/test_signing.py
+++ b/endpoints/api/test/test_signing.py
@@ -8,37 +8,47 @@ from endpoints.api.signing import RepositorySignatures from test.fixtures import * -VALID_TARGETS = { - 'latest': { - 'hashes': { - 'sha256': 'mLmxwTyUrqIRDaz8uaBapfrp3GPERfsDg2kiMujlteo=' - }, - 'length': 1500 - }, - 'test_tag': { - 'hashes': { - 'sha256': '1234123' - }, - 'length': 50 +VALID_TARGETS_MAP = { + "targets/ci": { + "targets": { + "latest": { + "hashes": { + "sha256": "2Q8GLEgX62VBWeL76axFuDj/Z1dd6Zhx0ZDM6kNwPkQ=" + }, + "length": 2111 + } + }, + "expiration": "2020-05-22T10:26:46.618176424-04:00" + }, + "targets": { + "targets": { + "latest": { + "hashes": { + "sha256": "2Q8GLEgX62VBWeL76axFuDj/Z1dd6Zhx0ZDM6kNwPkQ=" + }, + "length": 2111 + } + }, + "expiration": "2020-05-22T10:26:01.953414888-04:00"} } -} + def tags_equal(expected, actual): - expected_tags = expected.get('tags') - actual_tags = actual.get('tags') + expected_tags = expected.get('delegations') + actual_tags = actual.get('delegations') if expected_tags and actual_tags: return Counter(expected_tags) == Counter(actual_tags) return expected == actual -@pytest.mark.parametrize('targets,expected', [ - (VALID_TARGETS, {'tags': VALID_TARGETS, 'expiration': 'expires'}), - ({'bad': 'tags'}, {'tags': {'bad': 'tags'}, 'expiration': 'expires'}), - ({}, {'tags': {}, 'expiration': 'expires'}), - (None, {'tags': None, 'expiration': 'expires'}), # API returns None on exceptions +@pytest.mark.parametrize('targets_map,expected', [ + (VALID_TARGETS_MAP, {'delegations': VALID_TARGETS_MAP}), + ({'bad': 'tags'}, {'delegations': {'bad': 'tags'}}), + ({}, {'delegations': {}}), + (None, {'delegations': None}), # API returns None on exceptions ]) -def test_get_signatures(targets, expected, client): +def test_get_signatures(targets_map, expected, client): with patch('endpoints.api.signing.tuf_metadata_api') as mock_tuf: - mock_tuf.get_default_tags_with_expiration.return_value = (targets, 'expires') + mock_tuf.get_all_tags_with_expiration.return_value = targets_map with 
client_with_identity('devtable', client) as cl: params = {'repository': 'devtable/trusted'} assert tags_equal(expected, conduct_api_call(cl, RepositorySignatures, 'GET', params, None, 200).json) diff --git a/util/tufmetadata/api.py b/util/tufmetadata/api.py index 25d066634..410509cef 100644 --- a/util/tufmetadata/api.py +++ b/util/tufmetadata/api.py @@ -11,7 +11,7 @@ from data.database import CloseForLongOperation from util.abchelpers import nooper from util.failover import failover, FailoverException from util.security.instancekeys import InstanceKeys -from util.security.registry_jwt import build_context_and_subject, generate_bearer_token, QUAY_TUF_ROOT +from util.security.registry_jwt import build_context_and_subject, generate_bearer_token, QUAY_TUF_ROOT, SIGNER_TUF_ROOT DEFAULT_HTTP_HEADERS = {'Connection': 'close'} @@ -150,16 +150,21 @@ class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface): if not targets_file: targets_file = 'targets.json' + + targets_name = targets_file + if targets_name.endswith('.json'): + targets_name = targets_name[:-5] if not targets_map: targets_map = {} signed = self._get_signed(namespace, repository, targets_file) if not signed: - return None + targets_map[targets_name] = None + return targets_map if signed.get('targets'): - targets_map[targets_file] = { + targets_map[targets_name] = { 'targets': signed.get('targets'), 'expiration': signed.get('expires'), } @@ -167,7 +172,7 @@ class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface): delegation_names = [role.get('name') for role in signed.get('delegations').get('roles')] for delegation in delegation_names: - targets_map = self.get_all_tags_with_expiration(namespace, repository, targets_file=delegation, targets_map=targets_map) + targets_map = self.get_all_tags_with_expiration(namespace, repository, targets_file=delegation + '.json', targets_map=targets_map) return targets_map 
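Review bot: The parametrized cases in `test_signing.py` keep `(None, {'delegations': None})` with the comment "API returns None on exceptions", but the `util/tufmetadata/api.py` change in this same commit makes a failed lookup come back as a map entry (`targets_map[targets_name] = None`) rather than a bare `None`. The endpoint's handling of that shape is therefore not exercised by the mock; a case such as `({'targets': None}, {'delegations': {'targets': None}})` would pin it. The locals in `tags_equal` are also still named `expected_tags`/`actual_tags` although they now hold the delegations map.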
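Review bot: After the `@@ -150,16 +150,21 @@` hunk a role can be in three states in the returned map, and none of them is documented on `get_all_tags_with_expiration`: a dict, `None` when `_get_signed` returns nothing, or absent when the signed document has no `targets`. A caller that only tests key presence or truthiness can read a failed metadata lookup as "no signed tags", so the contract should be written down in a docstring listing the three states. Above the early return I would add `# None = metadata for this role could not be loaded; callers must treat it as unknown, not as unsigned`. `_get_signed` is outside the hunk, so whether a falsy result always means a failed fetch is inferred; the function itself also starts before the hunk.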
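Review bot: The recursive call in the `@@ -167,7 +172,7 @@` hunk builds the next file name from `role.get('name')` taken out of the fetched metadata (`targets_file=delegation + '.json'`), and nothing visible bounds the recursion or checks the name. If a delegation lists a role that was already walked the recursion does not terminate, and a role without a string `name` raises `TypeError` on the concatenation. A guard placed after `targets_map` is initialised, `if targets_name in targets_map: return targets_map`, stops the repeat only for roles that were recorded, so a role with delegations but no `targets` needs an entry too (or a separate visited set); roles whose name is not a non-empty string should be skipped in the loop. How `_get_signed` turns the name into a request path is outside the hunk, so whether names should also be restricted to the `targets/` prefix needs confirming there.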
@@ -235,7 +240,7 @@ class ImplementedTUFMetadataAPI(TUFMetadataAPIInterface): 'name': gun, 'actions': actions, }] - context, subject = build_context_and_subject(user=None, token=None, oauthtoken=None, tuf_root=QUAY_TUF_ROOT) + context, subject = build_context_and_subject(user=None, token=None, oauthtoken=None, tuf_root=SIGNER_TUF_ROOT) token = generate_bearer_token(self._config["SERVER_HOSTNAME"], subject, context, access, TOKEN_VALIDITY_LIFETIME_S, self._instance_keys) return {'Authorization': 'Bearer %s' % token} diff --git a/util/tufmetadata/test/test_tufmetadata.py b/util/tufmetadata/test/test_tufmetadata.py index 8f73290e4..24eb3bdb0 100644 --- a/util/tufmetadata/test/test_tufmetadata.py +++ b/util/tufmetadata/test/test_tufmetadata.py @@ -177,7 +177,7 @@ def test_get_default_tags(response_code, response_body, expected): (200, valid_targets_with_delegation, valid_delegation, { 'targets/devs': { 'targets': valid_delegation['signed']['targets'], 'expiration': valid_delegation['signed']['expires']}}), - (200, {'garbage': 'data'}, {'garbage': 'data'}, None) + (200, {'garbage': 'data'}, {'garbage': 'data'}, {'garbage': 'data'}) ]) def test_get_all_tags(response_code, response_body1, response_body2, expected): app = Flask(__name__)
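Review bot: The switch to `tuf_root=SIGNER_TUF_ROOT` in the `@@ -235,7 +240,7 @@` hunk changes a claim in every bearer token this method mints, and the commit carries neither a comment nor a test that says why. Because the token is built with `user=None, token=None, oauthtoken=None`, the root claim and `access` appear to be the only things scoping it, so the choice deserves a line such as `# Internal metadata requests are scoped to SIGNER_TUF_ROOT rather than QUAY_TUF_ROOT because <reason>`. A test that decodes the generated token and asserts the root in its context would keep this from regressing silently. The method starts outside the hunk, and both constants are defined in `util/security/registry_jwt.py`, which is not shown.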
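Review bot: The new expectation for the garbage-response case in `test_tufmetadata.py`, `{'garbage': 'data'}`, does not look reachable from the `get_all_tags_with_expiration` code changed in this commit. The visible paths return `targets_map`, keyed by role name, with either a `targets`/`expiration` dict or `None` as the value. If the assertion does pass, the function would be handing the raw, unvalidated response body back to its caller, which is worth ruling out; otherwise the expected value should probably be `{'targets': None}`. The test body and `_get_signed` are outside the hunk, so this needs checking against them.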