new API: test containers for zero or more elements

[MVrachev]

Fixes #1485

Description of the changes being introduced by the pull request:

Test metadata (de)serialization with input data containing containers with zero or more elements.

Here is the status for the different use cases:

Root:

• many keys: added
• many roles: added

Root role keyids:

• many keids: already added in Metadata API: preserve Role.keyids order #1481

MetaFile hashes:

• many hashes: already tested
• zero hashes: added. Testing as invalid test case.

Timestamp meta:

• zero elements: already tested
• many elements: added

Snapshot meta:

• zero items: added
• many items: added

Delegation:

• many keys: added
• many keyids: added

Delegation role:

• many paths: already tested
• many path_hash_path_prefixes: already tested

Delegation roles:

• zero roles: added
• multiple roles: added

Targets targets:

• zero items: already tested
• multiple items: added

Additional tests are added for containers with 0 or more elements for some specific cases.
Those tests are needed to cover use cases when syntactically as
standalone objects the metadata classes and their helper classes defined
in tuf/api/metadata.py are valid even if they cannot be verified.

An example where an object is valid, but cannot be verified is
if we have a Role instance with an empty list of "keyids".
This instance is valid and can be created, but cannot be verified
because there is a requirement that the threshold should be above
1, meaning that there should be at least 1 element inside the "keyids"
list to complete successful threshold verification.

The situation is the same for the rest of the tests I am adding to this
commit:

• Root object without keys
• Root object without roles
• DelegationRole object with empty "keyids"
• DelegationRole object with an empty list of "paths"
• DelegationRole object with an empty list of "path_hash_prefixes"
  all of these objects can be instantiated, but cannot complete successfully
  threshold verification.

Signed-off-by: Martin Vrachev mvrachev@vmware.com

Please verify and check that the pull request fulfills the following
requirements:

• The code follows the Code Style Guidelines
• Tests have been added for the bug fix or new feature
• Docs have been added for the bug fix or new feature

[jku]

According to the spec having an empty container for any of these cases ... is not allowed

is this really true? 😮

[jku]

some potential test cases

• timestamp meta with multiple items
• timestamp meta with no items
• snapshot meta with multiple items
• delegation with multiple roles
• targets targets with multiple items
• targets roles with multiple items

or do I misunderstand the scope of the PR?

[MVrachev]

@jku I had to rebase, but 92dc844 is unchanged.

The new commits are 75b2c21 and 033e069.

[MVrachev]

According to the spec having an empty container for any of these cases ... is not allowed

is this really true? 😮

• Root keys are not allowed to be empty, because it's required that at least one element is inside it - the key used to sign the root metadata file itself.

• Root roles are not allowed to be empty, because it's required that there should be information for at least one role - the root role.

• Root role keyids are not allowed to be empty, because it's required that threshold should be at least 1 (see Metadata API: Add simple threshold validation #1450) and as a consequence, there should be at least a threshold number of elements in keyids

• Delegation keys and Delegation roles
  For those two it's a little harder and probably my statement is wrong.
  This use case is valid:

"delegations": {
     "keys": {}
     "roles": {}

for which by the way we are not testing. I included a test.
The problem comes if Delegation keys are empty, then means there shouldn't be any roles.
So, maybe my assumption is not correct.

But still, where do you think we should test for that?

• DelegationRole keyids cannot be empty because every role needs at least one key to be verified because the threshold is >= 1.

I am wrong about those two:

• DelegationRole paths and DelegationRole path_hash_prefixes
  I am already testing for them.

Do you think I should modify my commit message with more info as I did here?

[jku]

I think you may be mixing "is this a syntactically valid metadata" with "can this metadata file be used successfully in every part of the update process".

I mean when you say things like:

Root role keyids are not allowed to be empty, because it's required that threshold should be at least 1

from the perspective of the file format and the containing metadata, keyids and threshold are not related. The spec does not say metadata files can't exist with a role that has less keys than the corresponding threshold. Yes, we happen to know that those keys then can't possibly verify that roles metadata when needed but the metadata that contains this role is still valid.

[jku]

For Root roles specifically there is a spec mention (with a weird reference to "key list" but the intent seems clear: roles dictionary must contain these 4 or 5 items):

A role for each of "root", "snapshot", "timestamp", and "targets" MUST be specified in the key list. The role of "mirror" is OPTIONAL.

This we should test for in Root construction time I guess.

[jku]

can you explain this?

[MVrachev]

Yes. I noticed we don't do validation on Timestamp.meta.
According to the spec, the value of Timestamp.meta called "METAFILES" is:

METAFILES is the same as described for the snapshot.json file.
In the case of the timestamp.json file, this MUST only include a
description of the snapshot.json file.

That's why in order to include validation for meta no matter if we create objects with Timestamp.from_dict()
or with the constructor like Timestamp() I moved the meta validation and object creation inside __init__.

[jku]

I don't agree with this change.

• it's not in line with all other constructors that do take actual objects and not json-like dicts
• It's going to make the API for creating a new Timestamp from scratch worse (caller feeds in json-like dicts instead of well defined objects).
• It makes annotations useless: we should get rid of all Any that we can, not add more

I'm fine with you not doing this validation at all right now: we could just wait for the snapshot_meta discussion to reach a conclusion first

[MVrachev]

Now with the new discussion about snapshot_meta I agree that we shouldn't hurry and add validation.
Will remove the commit.

[MVrachev]

I had to rebase on top of develop.
Additionally I:

• added a new commit with tests for those valid cases, but which we cannot verify in a trusted set.
• squashed to similar commits together
• updated my commits and pr descriptions
• had another look through the spec to see if we are missing something and it seems everything is okay.

After a discussion with @jku about his words

I think you may be mixing "is this a syntactically valid metadata" with "can this metadata file be used successfully in every part of the update process".
I mean when you say things like:

Root role keyids are not allowed to be empty, because it's required that threshold should be at least 1

from the perspective of the file format and the containing metadata, keyids and threshold are not related. The spec does not say metadata files can't exist with a role that has less keys than the corresponding threshold. Yes, we happen to know that those keys then can't possibly verify that roles metadata when needed but the metadata that contains this role is still valid.

I realized he is right and standalone objects in those cases can exist and are valid, but cannot be verified.
That's why I created a new commit explaining that.

For Root roles specifically there is a spec mention (with a weird reference to "key list" but the intent seems clear: roles dictionary must contain these 4 or 5 items):
A role for each of "root", "snapshot", "timestamp", and "targets" MUST be specified in the key list. The role of "mirror" is OPTIONAL.
This we should test for in Root construction time I guess.

There is a separate issue for that #1516.

[jku]

LGTM (apart from the Timestamp constructor api change which I disagree with), thanks.

some of the targets test data are getting quite big ... but personally I still prefer parsing this sort of multiple lines of json in my head: at least every case is understandable without external context -- opinions may vary though

[jku]

I don't agree with this change.

• it's not in line with all other constructors that do take actual objects and not json-like dicts
• It's going to make the API for creating a new Timestamp from scratch worse (caller feeds in json-like dicts instead of well defined objects).
• It makes annotations useless: we should get rid of all Any that we can, not add more

I'm fine with you not doing this validation at all right now: we could just wait for the snapshot_meta discussion to reach a conclusion first

[MVrachev]

@jku updated the pr by dropping the timestamp meta validation commit and removing multiple metafiles in timestamp test.

[jku]

Thanks!