New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add support for succinct roles (TAP 15) #2010
Add support for succinct roles (TAP 15) #2010
Conversation
I know the code is a lot, but a big chunk of it is testing. |
Pull Request Test Coverage Report for Build 2514955908
💛 - Coveralls |
417d0ef
to
3147692
Compare
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Overall this looks like a good direction I think and code does not seem to have issues (bugs). I have left some individual code comments (no bugs or anything, just opinions). These are the concerns:
- this adds a large amount of new API, 10 new methods or something like that: let's focus on whether all of that is actually used and needed, whether it needs to be public API and whether there are other options to adding the API (ie the
add_key()
case). I've left some comments - this is also an API change: I think it's one we want to do but let's take changes seriously
I've not checked if the test coverage is "complete": let's figure out the API size first.
Documenting some possible options WRT
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is really great, @MVrachev. I left a few comments inline, but nothing big a deal.
I also have a few more naming suggestions for SuccinctRoles
methods, to consolidate with the rest of the API...
get_bin_name --> get_role(_for_index)
get_all_bin_names --> get_roles
find_bin --> get_role_for_target
is_bin --> is delegated_role
... and for Delegations
:
get_all_delegations -> get_roles_for_target
What do you think?
I understand where you come from and why those changes make sense for you. After I update the pr with your docstring suggestions would you have a look again and tell me if you think those changes are still worth it? |
d11f86b
to
4a8c9de
Compare
I have addressed all of your comments @jku and @lukpueh. Also, I have mentioned in the commit messages about the breaking API changes and also updated the pr description with information about them. The pr is smaller by a big margin and it's ready for another review. |
My idea was to point out exactly that connection, i.e. that a bin is a delegated targets role. But I won't insist. I'm fine with the names you picked as well. What about my other suggestion I'm a bit pedantic about this, because roles and delegations are confused so often. |
Hmm... more and more when I think about it probably you have some point here. Will rename the methods as you have suggested here:
About |
cda9c08
to
391c8a3
Compare
I followed @lukpueh advice and did the following renames:
EDIT: I forced pushed once more to fix the commit message mentioning the old methods name. |
391c8a3
to
a1fb89c
Compare
Looks good. The only thing that sticks out to me is the key API.
this looks ok to me -- it's easy to notice with static checks and we could even add a specific error message
... but I hadn't thought about this one all the way through: both argument types are str here. It really is the most annoying kind of API change, very easy to mess up. |
Maybe this could be useful. Preventing users from mistaking the arguments order.
Yea... if only the types were different. I was thinking if we can use the insider knowledge we have about I hope we can make this API change as still there aren't so many users, especially in the 1.0.0 version of python-tuf and calls like |
I don't think we have any insider knowledge about it -- theoretically it's a hash but
|
@lukpueh any thoughts? |
I think there's still several possibilities here that wouldn't require surprisingly breaking applications:
|
This would be an okay solution.
I'm not sure about this one. It is definitely unidiomatic (~> surprising). And the code to do this would likely stain the otherwise elegant metadata module.
I like this suggestion best, at least the first part. But I'd rather not have a So what about replacing Some consistency considerations:
Couldn't think of anything else. |
Yes, agreed that providing the old deprecated method isn't terribly important if using the new method is basically a copy-paste fix |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great tests, @MVrachev. I just reviewed:
docs/api/tuf.api.metadata.supporting.rst
docs/repository-library-design.md
examples/repo_example/hashed_bin_delegation.py
tests/test_api.py
tests/test_metadata_eq_.py
I'll review the rest tomorrow.
I think If we decide to do a rename to |
Yes, you are right that probably some summary of my changes will be good. What I did ca be summarized like this:
|
a4890dc
to
c27c2c2
Compare
I have updated the pr by making |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think I'm happy with this -- left some nitpicks but they're not critical. The main question I have is documentation:
- The documentation currently does not make it clear that this feature is not a TUF specification feature: maybe it should?
As TODO items (that might exist already):
- we should improve the succinct delegation docs and update the example script -- this is something we should do before we release this
- for completeness, actual download tests should contain succinct delegations: it may make sense to refactor the download tests at that point
Add zero padding to bin names inside SuccinctRoles. Zero padding ensures that the bin names always have the same length. This characteristic is implied in the example given by TAP 15 where the third bin is named "alice.hbd-03". For context read TAP 15: https://github.com/theupdateframework/taps/blob/master/tap15.md Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
c27c2c2
to
381ad6c
Compare
Updated the pr with the following changes:
|
381ad6c
to
1f55240
Compare
Accepted @jku suggested how to document that |
Yes, looks good to me. Thanks everyone! The rough plan here is:
@lukpueh, would you like to do a final review of the PR as the system thinks your review is pending? Checking "merge without waiting for requirements to be met" makes me feel criminal... @MVrachev would you mind having a last look to identify any issues we may need to file for future work?
|
We have an issue #1909 where we keep track of that stuff. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM! 💯
Add two helper methods in SuccinctRoles. Those methods proved useful in the testing code, but I believe they have a potential value for production code as well. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Clarify explicitly that exactly one of "paths" and "path_hash_prefixes" must be set inside DelegatedRole. Also simplify the check for "paths" and "path_hash_prefixes". Finally, add a test case inside the "test_metadata_serialization.py" test file about wrong keyids type for "Role" serialization. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
This commit contains 2 API changes in "Delegations" class from tuf/api/metadata.py: 1. roles argment is made optional 2. unrecognized_fields argument becomes the 4-th rather than the 3-rd as it used to be In this commit, I add support for succinct_roles roles inside Delegations class. This change is related to TAP 15 proposal. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Here is the list of all breaking API changes: 1) The "role" and "key" arguments in "Root.add_key()" are in reverse order - "key" becomes first and "role" second. 2) "Root.remove_key()" has been renamed to "Root.revoke_key()". 3) The "role" and "keyid" arguments in "Root.revoke_key()" are in reverse order - "keyid" becomes first and "role" second. 4) The "role" and "key" arguments in "Targets.add_key()" are in reverse order - "key" becomes first and "role" second. 5) "Targets.remove_key()" has been renamed to "Targets.revoke_key()". 6) The "role" and "keyid" arguments in "Targets.revoke_key()" are in reverse order - "keyid" becomes first and "role" second. 7) In both methods "Targets.add_key()" and "Targets.revoke_key()" the "role" argument becomes an optional with a default value of None. Those changes are made in an effort to make those methods logical for both cases when standard roles and succinct_roles are used. The "Root" API change was done in order to preserve naming and argument order consistency with "Targets" API. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Add support for Targets using delegation with succinct_roles. For that purpose, we needed a method that can add succinct_roles information with its all corresponding bins to the target metadata and self.md_delegates attribute in RepositorySimulator. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Test traversing the delegation tree when there is a Targets using a delegation with succinct roles. Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
1f55240
to
c6488f0
Compare
Related to the previous pr: #1948 and issue #1909
This pr includes 11 breaking changes:
In
Delegations
class fromtuf/api/metadata.py
:as it used to be
In
Root
class fromtuf/api/metadata.py
:order - "key" becomes first and "role" second.
reverse order - "keyid" becomes first and "role" second.
In
Targets
class fromtuf/api/metadata.py
:order - "key" becomes first and "role" second
reverse order - "keyid" becomes first and "role" second.
"role" argument becomes an optional with a default value of None
Those changes are made in an effort to make those two methods logical
for both cases when standard roles and succinct_roles are used.
Description of the changes being introduced by the pull request:
TAP 15 was created on June 23-rd 2020 and was last modified on July 6-th 2020.
Since then the TAP has been put to
draft
status meaning it needs a prototype implementation before it's accepted as a future specification change.Given that this TAP underlines an efficient way of handling succinct hash bin delegations, meaning it would be really useful when
python-tuf
is integrated intoWarehouse
, it's logical that we should not only create a prototype but directly work to integrate it inpython-tuf
.The outcome of the TAP 15 implementation is
succinct_roles
.examples/
showcasing howsuccinct_roles
can be utilized in practice.This pr covers points 1 and 2.
Point 3 will be done in another pr.
Please verify and check that the pull request fulfills the following
requirements: