Fix firewall rules #204
Merged
Fix firewall rules #204
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
FYI: these failures appear to be due to the set operator using a different |
|
@JustinCappos requested that @awwad review more in-toto pull requests, so I'll add Sebastien to the list of reviewers. For now, I need to focus on fixing Windows-related issues for the TUF project. |
Noted, and thanks! @awwad welcome aboard! |
SantiagoTorres
force-pushed
the
fix-firewall-rules
branch
from
119570f
to
3aa9329
Compare
- The pinned version number was wrong - Added mention to the obsolete settings removal.
The verification behavior didn't behave as a firewall, as described in the documentation. Instead, it used to throw a verification exception if sctrict matching didn't happen. Update the behavior of the in_toto_verify routines, as well as the specific subroutines to match the expected behavior.
Verifylib was changed in the parent commit. Update the tests to match this behavior by, mostly, removing the expected exception raises and adding "DISALLOW *" rules where necessary.
During the test of the modify rules, it is possible that the returned queues are in different order than they came in (this is due to the converstion to a set and back). Sort the queues before comparing the two queues to ensure the contents are compared, and not their order. Likewise, declare the elements in artifact queues alfabetically to make sure the comparison stands.
|
So if I understand correctly, with this PR merged, if you have some rule set wherein rule 1 reads: |
|
Also, with this construction (rule verifier functions adjust the input to remove what they've matched), none of the hash mismatch info gets reported anywhere -- neither trickles up in an exception that's caught somewhere nor logged. Is that okay in this context? Is that going to be regrettable eventually? In any case, the PR seems sane. |
test_fail_hash_not_eual -> test_fail_hash_not_equal Signed-off-by: Sebastien Awwad <sebastien.awwad@gmail.com>
awwad
approved these changes
Apr 27, 2018
|
wow, sorry for some reason I missed this PR review.
Yes, this is pretty much it. We're trying to have DISALLOW be the only rule that fails, where the others match and process. That's the behavior we had described in the specification.
We were worried about this too, but it's a shared issue on firewall-like semantics. I don't think we can make much about it (yet).
Thanks a lot! Merging :) |
lukpueh
added a commit
to lukpueh/in-toto
that referenced
this pull request
Oct 24, 2018
Update code documentation for verifylib functions related to rule verification, to align with changes introduced by in-toto#204.
This was referenced Oct 24, 2018
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 8, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 8, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
3 tasks
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 8, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 8, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
pushed a commit
to michizhou/in-toto
that referenced
this pull request
Nov 8, 2018
Update code documentation for verifylib functions related to rule verification, to align with changes introduced by in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 8, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
3 tasks
SantiagoTorres
pushed a commit
to michizhou/in-toto
that referenced
this pull request
Nov 8, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
SantiagoTorres
pushed a commit
to michizhou/in-toto
that referenced
this pull request
Nov 8, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 10, 2018
# This is the 1st commit message: Updated rule verification error messages and error workflow Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204. # The commit message in-toto#2 will be skipped: # MAINT: update license to apache 2.0 # The commit message in-toto#3 will be skipped: # Adopt license change in setup.py # # Update setup.py to adopt recent license change # from MIT to Apache-2.0 # The commit message in-toto#4 will be skipped: # Adopt license change in debian/copyright # # Update debian/copyright to adopt recent license change # from MIT to Apache-2.0
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 10, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 12, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 12, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 30, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 30, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 30, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Nov 30, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Dec 3, 2018
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Feb 27, 2019
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
michizhou
added a commit
to michizhou/in-toto
that referenced
this pull request
Mar 5, 2019
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
lukpueh
added a commit
to lukpueh/in-toto
that referenced
this pull request
Mar 11, 2019
This commit includes several changes to `verify_item_rules` and
the from there called `verify_*_rule` functions (plus corresponding
tests):
- Harmonization of artifact queue modification
Before, `verify_item_rules` used a material queue, a product queue
and an artifact queue to keep track of the artifacts, consumed in
the course of verifying all rules (of a type of an item). These
queues were modified in different places (in different functions
passed to by reference) and then re-assigned to each other,
sometimes as copy, sometimes as reference, which led to unexpected
states of queues.
This commit removes the materials and products queue (the generic
artifacts queue is enough for keeping track of consumed artifacts).
It further focuses all artifact queue updates in a single place in
`verify_item_rules` and changes the `verify_*_rule` functions to
return the consumed artifacts instead of the updated queue, which
also aligns with the pseudo code in the specification. This change
should make the rule processing a lot more transparent to the
reader.
- Additional code simplifications
This commit also makes better use of set operations in
`verify_*_rule` functions and removes clutter like
- redundant rule unpacking code
- unnecessary `if/else`s related to "materials" and "products"
- unnecessarily long variable names
the `source_` prefix only makes sense in the scope of the match
rule, where there is also a destination.
The commit also updates and simplifies a lot of related code
comments and docstrings.
- Full adoption of in-toto#204
Remove raised exceptions in `verify_match_rule` and
`verify_delete_rule`, where they should just not consume the
corresponding artifacts.
- Rethink tests
Some of them were still tailored to pre-in-toto#204 logic. This commit
makes them more meaningful (and table driven).
- Adopt queue traceback
There is only one queue now.
3 tasks
lukpueh
pushed a commit
to lukpueh/in-toto
that referenced
this pull request
Mar 22, 2019
Modified the rule verification error messages to be more specific about which artifacts failed to match which given rules. Also restructured error workflow to only allow the DISALLOW rule the power to fail overall rule verification, with the other rules only able to remove artifacts from queues on success or leave the queue unchanged on failure, in alignment with in-toto#204.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Please fill in the fields below to submit a pull request. The more information
that is provided, the better.
Fixes issue #:
None, this issue was brought up from conversations with potential integrators
Description of the changes being introduced by the pull request:
The current behavior of the artifact rules throw exceptions when an element in the filtered queue doesn't match the target. For example, if a file
foois being checked for aMODIFYrule then aVerificationErrorwill be raised iffoois indeed not modified. This is not how firewalls behave.Instead,
fooshould just remain in the queue and expected to be matched by other rules later down the line. The only rule that should throw an error is aDISALLOWrule when artifacts are matched.Please verify and check that the pull request fulfills the following
requirements:
This is still somewhat of a WIP branch, as I'd like to have some feedback from @vladimir-v-diaz and @lukpueh (if possible)