specification icon indicating copy to clipboard operation
specification copied to clipboard

Published 20 hours ago verified publisher icon theupdateframework

Confirm terminating roles logic from spec

Open tedbow opened this issue 3 years ago • 10 comments

In https://github.com/php-tuf/php-tuf we are making sure we have the logic correct around terminating delegations. As we have updated our implementation of the spec from v1.0.9(the release when we started) to the most recent releases we have notice there has been some changes to wording in this area of the spec.

To make sure we get the logic correct for terminating delegations I have created this simple example to make sure our assumptions are correct(actually we don't all have same assumptions these are mine) TUF delegation assumptions

Constraints

term = terminating delegation non-term = non terminating delegation Priority: The roles in each level are ordered from left to right in the order they would appear under [delegations][roles] All roles have paths = [‘assets/*’] (just to provide matches for every role only focus on terminating logic now) Target being searched for = 'assets/always-match.txt’

Expected outcome

Expected role evaluation: Targets -> A > B > C > D

Am I correct?

tedbow avatar Jun 09 '21 15:06 tedbow

Thanks, Ted!

There's still one point of confusion here: the term/non-term labels should apply to the edges, not the nodes.

However, I think your interpretation is correct, as per the spec and the Diplomat paper.

From simulating the code on this graph in my head, I think my tuf-on-a-plane code would correctly not explore E, but would incorrectly explore F.

Any disagreements, @mnm678 and @JustinCappos?

trishankatdatadog avatar Jun 09 '21 22:06 trishankatdatadog

IOW: once you see a terminating delegation anywhere in the graph, the rest of the graph is completely pruned.

trishankatdatadog avatar Jun 09 '21 22:06 trishankatdatadog

There are two ways of interpreting terminating delegations: global vs local pruning. Only one of them is the intended/correct interpretation.

trishankatdatadog avatar Jun 09 '21 22:06 trishankatdatadog

I'm not one of the original authors, but my interpretation of the spec and the Diplomat paper matches the expected outcome suggested here.

joshuagl avatar Jun 10 '21 07:06 joshuagl

I agree this interpretation is correct.

I'm also curious what everyone thinks should happen if there is a threshold delegation to A and F as well. Certainly that is worth a test case...

JustinCappos avatar Jun 11 '21 06:06 JustinCappos

From simulating the code on this graph in my head, I think my tuf-on-a-plane code would correctly not explore E, but would incorrectly explore F.

I read it the same. The loop will need to propagate that there was a terminating delegation up to previous iterations in order to correctly not explore F. It looks like the reference implementation handles this correctly by breaking out of the for loop here (I didn't check the new client).

I'm also curious what everyone thinks should happen if there is a threshold delegation to A and F as well. Certainly that is worth a test case...

In that case, I'd argue that F should be explored (and required for the threshold). But I don't think this behavior is well-defined in the spec.

mnm678 avatar Jun 11 '21 12:06 mnm678

I'm also curious what everyone thinks should happen if there is a threshold delegation to A and F as well. Certainly that is worth a test case...

By threshold delegation, you mean multirole delegation? Agree with @mnm678 that if min_roles_in_agreement >=1 (which I assume is always the case), then, yes, it should backtrack from A and check F, despite any terminating delegation from A. Agree that the spec is underspecified with respect to TAP 3. Also need to think about whether there is any contradiction between terminating delegations and TAP 3.

trishankatdatadog avatar Jun 11 '21 20:06 trishankatdatadog

The spec states that

A terminating delegation for a package causes any further statements about a package that are not made by the delegated party or its descendants to be ignored.

Which by a literal reading does contradict TAP 3. I don't think TAP 3 is supported by 1.0 of the specification, but this is something we should figure out before adding it.

mnm678 avatar Jun 14 '21 17:06 mnm678

Which by a literal reading does contradict TAP 3. I don't think TAP 3 is supported by 1.0 of the specification, but this is something we should figure out before adding it.

In particular, I'd like to see concrete pseudocode added to the spec. Otherwise, readers are likely to get confused.

trishankatdatadog avatar Jun 14 '21 17:06 trishankatdatadog

Thanks everyone for the confirmation. I working on fixing our implementation increasing our test coverage for different cases here https://github.com/php-tuf/php-tuf/pull/216

If anyone is interested we test our client implementation by creating test fixtures with a FixtureBuilder that uses the Python server implementation. For example here is 1 for that PR that creates the above test case https://github.com/php-tuf/php-tuf/blob/tedbow-fix_terminating_2/fixtures/TUFTestFixtureTerminatingDelegation/init.py (BTW @phenaproxima and myself are learning python to create these test fixtures so don't expect great python code 😁)

We then make test case for a given test fixture and given target, whether it should be found and which metadata files the client should retreive/evaluate to determine this. Like this case for role "F" in the example not finding a target because of terminating delegation in "B" https://github.com/php-tuf/php-tuf/blob/tedbow-fix_terminating_2/tests/Client/UpdaterTest.php#L653

tedbow avatar Jun 16 '21 20:06 tedbow