Add support for force online metadata update #435
Conversation
|
It's best to test this together with repository-service-tuf/repository-service-tuf-api#513 |
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #435 +/- ##
==========================================
Coverage 100.00% 100.00%
==========================================
Files 15 15
Lines 1071 1173 +102
==========================================
+ Hits 1071 1173 +102 ☔ View full report in Codecov by Sentry. |
|
@kairoaraujo it's ready for a review. |
There was a problem hiding this comment.
The feature is nice. Thank you @MVrachev.
I'm adding one specific comment.
| "message": "No online metadata roles given", | ||
| }, | ||
| ) | ||
|
|
There was a problem hiding this comment.
In the API, we allow users to submit offline roles without checking it (example: Root)
In the Worker, we also don't verify it. It will return a task SUCCESS with status True.
I suggest we verify if the role
Note: We can verify Root and Targets now. We have in the settings/redis a setting if the Targets is offline or online key -- for future feature that allows offline targets.
There was a problem hiding this comment.
I changed it and now we only allow online roles and specifically check if targets is an online role.
MVrachev
force-pushed
the
add-metadata-put
branch
2 times, most recently
from
bf35eb3 to
6c80191
Compare
|
Ready for another review. |
MVrachev
force-pushed
the
add-metadata-put
branch
from
f4d74a3 to
9597226
Compare
|
I'm reviewing it now |
| settings_repository = get_worker_settings() | ||
| settings_repository.reload() | ||
| if not settings_repository.get_fresh("TARGETS_ONLINE_KEY", True): | ||
| online_roles = [Snapshot.type, Timestamp.type, "bins"] |
There was a problem hiding this comment.
Shouldn't bins be excluded as well?
I might be missing some details from the workflow - if so, please ignore to not waste time with the comment.
Otherwise, given that bins are delegates and TARGETS_ONLINE_KEY is False, it looks incorrect to have them in the online roles.
There was a problem hiding this comment.
Bins could use the online key.
Even though targets could be offline in the future this doesn't mean we are required to use offline keys for all its delegations. The security properties coming from targets utilizing an offline key wouldn't be lost as when adding, removing or downloading artifact information all requires going through targets first which will be cryptographically signed by an offline key.
| bootstrap = self._settings.get_fresh("BOOTSTRAP") | ||
| if bootstrap is None or "pre-" in bootstrap or "signing-" in bootstrap: | ||
| logging.info( | ||
| "[automatic_version_bump] Bootstrap not completed, skipping..." |
There was a problem hiding this comment.
"No bootstrap or not completed, skipping..."?
There was a problem hiding this comment.
I think Bootstrap not completed could be interpreted by both:
- not started at all
- not signed with threshold of keys
It's good that the user have GET /api/v1/bootstrap to understand that bootstrap is in the process of signing: https://github.com/repository-service-tuf/repository-service-tuf-api/blob/277d73b1610a5ec96c4af4d3ccbc8bdbfc69bcf9/repository_service_tuf_api/bootstrap.py#L128
and GET /api/v1/metadata to get the exact content of this bootstrap.
In conclusion, I don't we need to change the message to a longer now.
MVrachev
force-pushed
the
add-metadata-put
branch
from
a5fc735 to
5848aa4
Compare
Fail early when bootstrap is not completed instead of relly on _run_online_roles_bump to catch this. Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
We handle this case in the API, so there is no need to handle when payload is empty for force_online_metadata_update(). Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
Make sure the name it's clear it's only used for custom target delegation. Signed-off-by: Martin Vrachev <[email protected]>
Use the same method to call update_snapshot() with hash bin delegation as we do with custom target delegation. Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
MVrachev
force-pushed
the
add-metadata-put
branch
from
0984391 to
5f42b8e
Compare
|
@kairoaraujo ready to test together with repository-service-tuf/repository-service-tuf-api#513 |
| @@ -1208,6 +1221,116 @@ def bump_online_roles(self, force: Optional[bool] = False) -> bool: | |||
|
|
|||
| return True | |||
|
|
|||
| def _run_force_online_metadata_update(self, roles: List[str]) -> List[str]: | |||
There was a problem hiding this comment.
I'm wondering if the metadata_update is the best name here, as it confuses our process of updating the metadata.
There was a problem hiding this comment.
Well it is actually metadata update...
Hard to get a name correctly...
Add support for force online metadata update
Signed-off-by: Martin Vrachev [email protected]