Use TUF exceptions instead of SSL exceptions where appropriate

Removal of securesystemslib exceptions that are TUF-specific
occurs in securesystemslib PR #165
secure-systems-lab/securesystemslib#165

This commit adapts to those changes.  Exceptions that are specific
to TUF should be in TUF and not in securesystemslib.  This commit
uses those already-existing TUF exceptions instead of pointing to
securesystemslib exceptions that will be removed.

For example, securesystemslib has no notion of repositories, so
it's ridiculous to have a RepositoryError in securesystemslib and
ridiculous for TUF to use
securesystemslib.exceptions.RepositoryError.

Signed-off-by: Sebastien Awwad <[email protected]>

Author: awwad

tests/test_developer_tool.py

@@ -170,7 +170,7 @@ def test_create_new_project(self):
       developer_tool.create_new_project(project_name, metadata_directory,
           location_in_repository, targets_directory, project_key)
 
-    except (OSError, securesystemslib.exceptions.RepositoryError):
+    except (OSError, tuf.exceptions.RepositoryError):
       pass
 
     developer_tool.METADATA_DIRECTORY_NAME = valid_metadata_directory_name

tests/test_keydb.py

@@ -132,12 +132,12 @@ def test_clear_keydb(self):
     keyid = KEYS[0]['keyid']
     repository_name = 'example_repository'
     tuf.keydb.create_keydb(repository_name)
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid, repository_name)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid, repository_name)
     tuf.keydb.add_key(rsakey, keyid, repository_name)
     self.assertEqual(rsakey, tuf.keydb.get_key(keyid, repository_name))
 
     tuf.keydb.clear_keydb(repository_name)
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid, repository_name)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid, repository_name)
 
     # Remove 'repository_name' from the key database to revert it back to its
     # original, default state (i.e., only the 'default' repository exists).
@@ -169,7 +169,7 @@ def test_get_key(self):
 
     # Test condition using a 'keyid' that has not been added yet.
     keyid3 = KEYS[2]['keyid']
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
 
     # Test condition for a key added to a non-default repository.
     repository_name = 'example_repository'
@@ -183,7 +183,7 @@ def test_get_key(self):
 
     # Verify that 'rsakey3' is added to the expected repository name.
     # If not supplied, the 'default' repository name is searched.
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
     self.assertEqual(rsakey3, tuf.keydb.get_key(keyid3, repository_name))
 
     # Remove the 'example_repository' so that other test functions have access
@@ -231,15 +231,15 @@ def test_add_key(self):
     # Test conditions using keyids that have already been added.
     tuf.keydb.add_key(rsakey, keyid)
     tuf.keydb.add_key(rsakey2, keyid2)
-    self.assertRaises(securesystemslib.exceptions.KeyAlreadyExistsError, tuf.keydb.add_key, rsakey)
-    self.assertRaises(securesystemslib.exceptions.KeyAlreadyExistsError, tuf.keydb.add_key, rsakey2)
+    self.assertRaises(tuf.exceptions.KeyAlreadyExistsError, tuf.keydb.add_key, rsakey)
+    self.assertRaises(tuf.exceptions.KeyAlreadyExistsError, tuf.keydb.add_key, rsakey2)
 
     # Test condition for key added to the keydb of a non-default repository.
     repository_name = 'example_repository'
     tuf.keydb.create_keydb(repository_name)
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3, repository_name)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3, repository_name)
     tuf.keydb.add_key(rsakey3, keyid3, repository_name)
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
     self.assertEqual(rsakey3, tuf.keydb.get_key(keyid3, repository_name))
 
     # Test condition for key added to the keydb of a non-existent repository.
@@ -268,22 +268,22 @@ def test_remove_key(self):
     self.assertEqual(None, tuf.keydb.remove_key(keyid2))
 
     # Ensure the keys were actually removed.
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid)
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid2)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid2)
 
     # Test for 'keyid' not in keydb.
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.remove_key, keyid)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.remove_key, keyid)
 
     # Test condition for unknown key argument.
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.remove_key, '1')
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.remove_key, '1')
 
     # Test condition for removal of keys from a non-default repository.
     repository_name = 'example_repository'
     tuf.keydb.create_keydb(repository_name)
     tuf.keydb.add_key(rsakey, keyid, repository_name)
     self.assertRaises(securesystemslib.exceptions.InvalidNameError, tuf.keydb.remove_key, keyid, 'non-existent')
     tuf.keydb.remove_key(keyid, repository_name)
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.remove_key, keyid, repository_name)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.remove_key, keyid, repository_name)
 
     # Reset the keydb so that subsequent tests have access to the original,
     # default keydb.
@@ -390,8 +390,8 @@ def test_create_keydb_from_root_metadata(self):
     # Ensure only 'keyid2' was added to the keydb database.  'keyid' and
     # 'keyid3' should not be stored.
     self.assertEqual(rsakey2, tuf.keydb.get_key(keyid2))
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid)
-    self.assertRaises(securesystemslib.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid)
+    self.assertRaises(tuf.exceptions.UnknownKeyError, tuf.keydb.get_key, keyid3)
     rsakey3['keytype'] = 'rsa'
 
 

tests/test_mix_and_match_attack.py

@@ -240,7 +240,7 @@ def test_with_tuf(self):
       self.repository_updater.targets_of_role('role1')
 
     # Verify that the specific
-    # 'securesystemslib.exceptions.BadVersionNumberError' exception is raised by
+    # 'tuf.exceptions.BadVersionNumberError' exception is raised by
     # each mirror.
     except tuf.exceptions.NoWorkingMirrorError as exception:
       for mirror_url, mirror_error in six.iteritems(exception.mirror_errors):
@@ -249,8 +249,8 @@ def test_with_tuf(self):
 
         # Verify that 'role1.json' is the culprit.
         self.assertEqual(url_file.replace('\\', '/'), mirror_url)
-        self.assertTrue(isinstance(mirror_error,
-                        securesystemslib.exceptions.BadVersionNumberError))
+        self.assertTrue(isinstance(
+            mirror_error, tuf.exceptions.BadVersionNumberError))
 
     else:
       self.fail('TUF did not prevent a mix-and-match attack.')

tests/test_repository_lib.py

@@ -866,7 +866,7 @@ def test_create_tuf_client_directory(self):
 
 
     # Test invalid argument (i.e., client directory already exists.)
-    self.assertRaises(securesystemslib.exceptions.RepositoryError,
+    self.assertRaises(tuf.exceptions.RepositoryError,
         repo_lib.create_tuf_client_directory, repository_directory,
         client_directory)
 
@@ -882,7 +882,7 @@ def test_create_tuf_client_directory(self):
     # Creation of the '/' directory is forbidden on all supported OSs.  The '/'
     # argument to create_tuf_client_directory should cause it to re-raise a
     # non-errno.EEXIST exception.
-    self.assertRaises((OSError, securesystemslib.exceptions.RepositoryError),
+    self.assertRaises((OSError, tuf.exceptions.RepositoryError),
         repo_lib.create_tuf_client_directory, repository_directory, '/')
 
     # Restore the metadata directory name in repo_lib.
@@ -1035,7 +1035,7 @@ def test__load_top_level_metadata(self):
 
     # Remove the required Root file and verify that an exception is raised.
     os.remove(os.path.join(metadata_directory, 'root.json'))
-    self.assertRaises(securesystemslib.exceptions.RepositoryError,
+    self.assertRaises(tuf.exceptions.RepositoryError,
         repo_lib._load_top_level_metadata, repository, filenames,
         repository_name)
 

tests/test_repository_tool.py

@@ -250,7 +250,7 @@ def test_writeall(self):
     repository.status()
 
     # Verify that status() does not raise
-    # 'securesystemslib.exceptions.InsufficientKeysError' if a top-level role
+    # 'tuf.exceptions.InsufficientKeysError' if a top-level role
     # does not contain a threshold of keys.
     targets_roleinfo = tuf.roledb.get_roleinfo('targets', repository_name)
     old_threshold = targets_roleinfo['threshold']
@@ -266,7 +266,7 @@ def test_writeall(self):
         repository_name=repository_name)
 
     # Verify that status() does not raise
-    # 'securesystemslib.exceptions.InsufficientKeysError' if a delegated role
+    # 'tuf.exceptions.InsufficientKeysError' if a delegated role
     # does not contain a threshold of keys.
     role1_roleinfo = tuf.roledb.get_roleinfo('role1', repository_name)
     old_role1_threshold = role1_roleinfo['threshold']
@@ -971,7 +971,7 @@ def test_call(self):
     self.assertTrue(isinstance(targets_object('role1'), repo_tool.Targets))
 
     # Test invalid (i.e., non-delegated) rolename argument.
-    self.assertRaises(securesystemslib.exceptions.UnknownRoleError, targets_object, 'unknown_role')
+    self.assertRaises(tuf.exceptions.UnknownRoleError, targets_object, 'unknown_role')
 
     # Test improperly formatted argument.
     self.assertRaises(securesystemslib.exceptions.FormatError, targets_object, 1)
@@ -1741,7 +1741,7 @@ def test_load_repository(self):
     root_filepath = os.path.join(repository_directory,
         repo_tool.METADATA_STAGED_DIRECTORY_NAME, 'root.json')
     os.remove(root_filepath)
-    self.assertRaises(securesystemslib.exceptions.RepositoryError,
+    self.assertRaises(tuf.exceptions.RepositoryError,
         repo_tool.load_repository, repository_directory)
 
 

tests/test_updater.py

@@ -719,23 +719,23 @@ def test_3__update_metadata(self):
 
     except tuf.exceptions.NoWorkingMirrorError as e:
       for mirror_error in six.itervalues(e.mirror_errors):
-        assert isinstance(mirror_error, securesystemslib.exceptions.BadVersionNumberError)
+        assert isinstance(mirror_error, tuf.exceptions.BadVersionNumberError)
 
     else:
       self.fail(
           'Expected a NoWorkingMirrorError composed of BadVersionNumberErrors')
 
     # Verify that the specific exception raised is correct for the previous
     # case.  The version number is checked, so the specific error in
-    # this case should be 'securesystemslib.exceptions.BadVersionNumberError'.
+    # this case should be 'tuf.exceptions.BadVersionNumberError'.
     try:
       self.repository_updater._update_metadata('targets',
                                                DEFAULT_TARGETS_FILELENGTH,
                                                88)
 
     except tuf.exceptions.NoWorkingMirrorError as e:
       for mirror_error in six.itervalues(e.mirror_errors):
-        assert isinstance(mirror_error, securesystemslib.exceptions.BadVersionNumberError)
+        assert isinstance(mirror_error, tuf.exceptions.BadVersionNumberError)
 
     else:
       self.fail(

tuf/client/updater.py

@@ -963,7 +963,7 @@ def _import_delegations(self, parent_role):
             key['keyid'] = key_id
             tuf.keydb.add_key(key, keyid=None, repository_name=self.repository_name)
 
-        except securesystemslib.exceptions.KeyAlreadyExistsError:
+        except tuf.exceptions.KeyAlreadyExistsError:
           pass
 
         except (securesystemslib.exceptions.FormatError, securesystemslib.exceptions.Error):
@@ -1530,7 +1530,7 @@ def _get_metadata_file(self, metadata_role, remote_filename,
           # Verify that the downloaded version matches the version expected by
           # the caller.
           if version_downloaded != expected_version:
-            raise securesystemslib.exceptions.BadVersionNumberError('Downloaded'
+            raise tuf.exceptions.BadVersionNumberError('Downloaded'
               ' version number: ' + repr(version_downloaded) + '.  Version'
               ' number MUST be: ' + repr(expected_version))
 

tuf/developer_tool.py

@@ -351,7 +351,7 @@ def status(self):
         try:
           _check_role_keys(delegated_role, self.repository_name)
 
-        except securesystemslib.exceptions.InsufficientKeysError:
+        except tuf.exceptions.InsufficientKeysError:
           insufficient_keys.append(delegated_role)
           continue
 
@@ -380,7 +380,7 @@ def status(self):
       try:
         _check_role_keys(self.rolename, self.repository_name)
 
-      except securesystemslib.exceptions.InsufficientKeysError as e:
+      except tuf.exceptions.InsufficientKeysError as e:
         logger.info(str(e))
         return
 
@@ -944,7 +944,7 @@ def load_project(project_directory, prefix='', new_targets_location=None,
         try:
           tuf.keydb.add_key(key_object, repository_name=repository_name)
 
-        except securesystemslib.exceptions.KeyAlreadyExistsError:
+        except tuf.exceptions.KeyAlreadyExistsError:
           pass
 
       for role in metadata_object['delegations']['roles']:

tuf/keydb.py

@@ -141,7 +141,7 @@ def create_keydb_from_root_metadata(root_metadata, repository_name='default'):
       # Although keyid duplicates should *not* occur (unique dict keys), log a
       # warning and continue.  Howerver, 'key_dict' may have already been
       # adding to the keydb elsewhere.
-      except securesystemslib.exceptions.KeyAlreadyExistsError as e: # pragma: no cover
+      except tuf.exceptions.KeyAlreadyExistsError as e: # pragma: no cover
         logger.warning(e)
         continue
 
@@ -256,7 +256,7 @@ def add_key(key_dict, keyid=None, repository_name='default'):
 
     securesystemslib.exceptions.Error, if 'keyid' does not match the keyid for 'rsakey_dict'.
 
-    securesystemslib.exceptions.KeyAlreadyExistsError, if 'rsakey_dict' is found in the key database.
+    tuf.exceptions.KeyAlreadyExistsError, if 'rsakey_dict' is found in the key database.
 
     securesystemslib.exceptions.InvalidNameError, if 'repository_name' does not exist in the key
     database.
@@ -295,7 +295,7 @@ def add_key(key_dict, keyid=None, repository_name='default'):
   # available in the key database before returning.
   keyid = key_dict['keyid']
   if keyid in _keydb_dict[repository_name]:
-    raise securesystemslib.exceptions.KeyAlreadyExistsError('Key: ' + keyid)
+    raise tuf.exceptions.KeyAlreadyExistsError('Key: ' + keyid)
 
   _keydb_dict[repository_name][keyid] = copy.deepcopy(key_dict)
 
@@ -320,7 +320,7 @@ def get_key(keyid, repository_name='default'):
   <Exceptions>
     securesystemslib.exceptions.FormatError, if the arguments do not have the correct format.
 
-    securesystemslib.exceptions.UnknownKeyError, if 'keyid' is not found in the keydb database.
+    tuf.exceptions.UnknownKeyError, if 'keyid' is not found in the keydb database.
 
     securesystemslib.exceptions.InvalidNameError, if 'repository_name' does not exist in the key
     database.
@@ -351,7 +351,7 @@ def get_key(keyid, repository_name='default'):
     return copy.deepcopy(_keydb_dict[repository_name][keyid])
 
   except KeyError:
-    raise securesystemslib.exceptions.UnknownKeyError('Key: ' + keyid)
+    raise tuf.exceptions.UnknownKeyError('Key: ' + keyid)
 
 
 
@@ -374,7 +374,7 @@ def remove_key(keyid, repository_name='default'):
   <Exceptions>
     securesystemslib.exceptions.FormatError, if the arguments do not have the correct format.
 
-    securesystemslib.exceptions.UnknownKeyError, if 'keyid' is not found in key database.
+    tuf.exceptions.UnknownKeyError, if 'keyid' is not found in key database.
 
     securesystemslib.exceptions.InvalidNameError, if 'repository_name' does not exist in the key
     database.
@@ -404,7 +404,7 @@ def remove_key(keyid, repository_name='default'):
     del _keydb_dict[repository_name][keyid]
 
   else:
-    raise securesystemslib.exceptions.UnknownKeyError('Key: ' + keyid)
+    raise tuf.exceptions.UnknownKeyError('Key: ' + keyid)