feat: Custom Delegation(Target) Roles (#593)
* fix: add security to Target Roles database

- Include rolename as unique to avoid duplications
- Include column to set Target Role as active
- Implement several CRUD to handle inactive roles

Signed-off-by: Kairo Araujo <[email protected]>

* feat: Custom Delegated Targets Offline Keys

Signed-off-by: Kairo de Araujo <[email protected]>

* tests: adjusts tests to for the changes

Signed-off-by: Kairo de Araujo <[email protected]>

* fix typo 'add' -> 'delete'

Co-authored-by: Martin Vrachev <[email protected]>

* move log inside the condition

Co-authored-by: Martin Vrachev <[email protected]>

* Fix some small bugs (return and raise)

Co-authored-by: Martin Vrachev <[email protected]>

* fixup: linting and add comment

Signed-off-by: Kairo de Araujo <[email protected]>

* fix wrong naming and invalid comments

Co-authored-by: Martin Vrachev <[email protected]>

* fixup! fixup: linting and add comment

* fix: error handling for metadata still in signing

we need to handle the error as StorageError for metadata that is still not
signed and was never written to the S3 bucket.

it needs to return StorageError so the Repository can handle it and try
to retrieve from the redis/keyval

example error:

```
[2024-09-13 05:10:00,000: INFO/Beat] Scheduler: Sending due task bump_online_roles (app.repository_service_tuf_worker)
[2024-09-13 05:10:00,010: INFO/MainProcess] Task app.repository_service_tuf_worker[bump_online_roles] received
[2024-09-13 05:10:00,139: ERROR/ForkPoolWorker-8] Task app.repository_service_tuf_worker[bump_online_roles] raised
unexpected: NoSuchKey('An error occurred (NoSuchKey) when calling the GetObject operation: The specified key does not
 exist.')
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/celery/app/trace.py", line 453, in trace_task
    R = retval = fun(*args, **kwargs)
                 ^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/celery/app/trace.py", line 736, in __protected_call__
    return self.run(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/repository-service-tuf-worker/app.py", line 89, in repository_service_tuf_worker
    result = repository_action()
             ^^^^^^^^^^^^^^^^^^^
  File "/opt/repository-service-tuf-worker/repository_service_tuf_worker/repository.py", line 1655, in bump_online_roles
    self._run_online_roles_bump(force=force)
  File "/opt/repository-service-tuf-worker/repository_service_tuf_worker/repository.py", line 1561, in _run_online_roles_bump
    role_md: Metadata[Targets] = self._storage_backend.get(
                                 ^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/opt/repository-service-tuf-worker/repository_service_tuf_worker/services/storage/awss3.py", line 132, in get
    s3_object = self._s3_client.get_object(
                ^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/botocore/client.py", line 569, in _api_call
    return self._make_api_call(operation_name, kwargs)
           ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/botocore/client.py", line 1023, in _make_api_call
    raise error_class(parsed_response, operation_name)
botocore.
```

Signed-off-by: Kairo Araujo <[email protected]>

---------

Signed-off-by: Kairo Araujo <[email protected]>
Signed-off-by: Kairo de Araujo <[email protected]>
Signed-off-by: Kairo Araujo <[email protected]>
Co-authored-by: Martin Vrachev <[email protected]>
kairoaraujo and MVrachev authored Sep 13, 2024
1 parent 3d7529b commit 83d8937
Showing 7 changed files with 965 additions and 1,533 deletions.
7 changes: 7 additions & 0 deletions alembic/versions/4b8d450e8360_initial_version.py
Expand Up @@ -26,6 +26,7 @@ def upgrade() -> None:
sa.Column("rolename", sa.String(length=512), nullable=False),
sa.Column("version", sa.Integer(), nullable=False),
sa.Column("last_update", sa.DateTime(), nullable=True),
sa.Column("active", sa.Boolean(), nullable=False),
sa.PrimaryKeyConstraint("id"),
)
op.create_index(
Expand All @@ -34,6 +35,12 @@ def upgrade() -> None:
["id"],
unique=False,
)
op.create_index(
op.f("ix_rstuf_target_roles_rolename"),
"rstuf_target_roles",
["rolename"],
unique=True,
)
op.create_table(
"rstuf_target_files",
sa.Column("id", sa.Integer(), nullable=False),
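Review bot: The new `sa.Column("active", sa.Boolean(), nullable=False)` line and the unique `ix_rstuf_target_roles_rolename` index are added to what the filename suggests is the initial revision (`4b8d450e8360_initial_version.py`); if that revision has already been applied anywhere, Alembic will not re-run it, so those databases keep the old schema while the ORM model now expects an `active` column and a unique rolename. If existing databases need upgrading, the additions belong in a new revision that uses `op.add_column` with a `server_default` for the NOT NULL column and creates the unique index only after verifying no duplicate rolenames exist. The `upgrade()` function starts outside the hunk.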
39 changes: 38 additions & 1 deletion repository_service_tuf_worker/models/targets/crud.py
Expand Up @@ -84,6 +84,23 @@ def read_role_by_rolename(
db.query(models.RSTUFTargetRoles)
.filter(
models.RSTUFTargetRoles.rolename == rolename,
models.RSTUFTargetRoles.active == True, # noqa
)
.first()
)


def read_role_deactivated_by_rolename(
db: Session, rolename: str
) -> Optional[models.RSTUFTargetRoles]:
"""
Read a Target role by a given role name.
"""
return (
db.query(models.RSTUFTargetRoles)
.filter(
models.RSTUFTargetRoles.rolename == rolename,
models.RSTUFTargetRoles.active == False, # noqa
)
.first()
)
Expand All @@ -93,7 +110,11 @@ def read_all_roles(db: Session) -> List[models.RSTUFTargetRoles]:
"""
Read a all Target bin roles.
"""
return db.query(models.RSTUFTargetRoles).all()
return (
db.query(models.RSTUFTargetRoles)
.filter(models.RSTUFTargetRoles.active == True) # noqa
.all()
)


def read_roles_joint_files(
Expand All @@ -109,6 +130,7 @@ def read_roles_joint_files(
)
.join(models.RSTUFTargetFiles)
.filter(
models.RSTUFTargetRoles.active == True, # noqa
models.RSTUFTargetRoles.rolename.in_(rolenames),
)
.all()
Expand Down Expand Up @@ -183,3 +205,18 @@ def update_file_action_to_remove(
db.refresh(target)

return target


def update_role_to_deactivated(
db: Session, role: models.RSTUFTargetRoles
) -> models.RSTUFTargetRoles:
"""
Update Target role `active` to False.
"""
role.active = False
role.last_update = datetime.now(timezone.utc)
db.add(role)
db.commit()
db.refresh(role)

return role
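Review bot: The docstring of the new `read_role_deactivated_by_rolename` repeats the one of `read_role_by_rolename` even though the query filters on `active == False`; it should read `Read a deactivated Target role by a given role name.`. Since `rolename` is now unique and `update_role_to_deactivated` keeps the deactivated row, a later attempt to create a role with the same name will hit the unique index rather than the now-filtered `read_role_by_rolename`, so the create path (outside this hunk) presumably has to look the row up with `read_role_deactivated_by_rolename` and reactivate it instead of inserting. The `== True` / `== False` comparisons that need `# noqa` can be written as `models.RSTUFTargetRoles.active.is_(True)`, which SQLAlchemy renders as `IS true` and needs no lint exemption. `update_role_to_deactivated` also relies on `datetime` and `timezone` being imported at the top of crud.py, which is outside the hunk.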
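--- a/repository_service_tuf_worker/models/targets/models.py
+++ b/repository_service_tuf_worker/models/targets/models.py
@@ -36,7 +36,8 @@ class RSTUFTargetFiles(Base):
 class RSTUFTargetRoles(Base):
     __tablename__ = "rstuf_target_roles"
     id = Column(Integer, primary_key=True, index=True)
-    rolename = Column(String, nullable=False)
+    rolename = Column(String, nullable=False, unique=True)
     version = Column(Integer, nullable=False)
+    active = Column(Boolean, default=True, nullable=False)
     last_update = Column(DateTime, default=datetime.now(timezone.utc))
     target_files = relationship(RSTUFTargetFiles, backref="rstuf_target_roles")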
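Review bot: `active = Column(Boolean, default=True, nullable=False)` sets only a Python-side default, so rows written without the ORM (raw SQL, bulk inserts, a migration's own statements) get no value and violate NOT NULL; adding `server_default=true()` (the `true` construct from `sqlalchemy`) makes the database enforce the same default. `Boolean` is a new name in this class, so the import line at the top of models.py, outside the hunk, must include it. The class body continues outside the hunk.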
