Clean up updater metadata update stack #841
Description
tuf.client.updater has Updater objects. These contain a variety of client information, and also use some client information in settings.py. Though some client information lives in settings.py, an Updater object is, basically, a client. You update metadata using an Updater object.
There are a few issues with the stack:
Verification procedure is buried
The stack looks like this, where all functions are methods of Updater except where a module is noted:
- You call
refresh()on an updater object. refresh()calls, for each role,_update_metadata(...)_update_metadata(...)calls_get_metadata_file(...)_get_metadata_file()loops over mirrors and:- calls (misleadingly named)
tuf.download.unsafe_download(...)to get a temp file (max length limit) - calls
_verify_uncompressed_metadata_file(...)to check the file
- calls (misleadingly named)
_get_metadata_file()stops when it has a successfully verified file, and returns it up the stack.
This stack limits the interface so that verification is hidden more deeply: it means that it looks like the only way to obtain a file in the API results in that file being already verified. I do not think this is reasonable here, as it's important for understandability and modularity to avoid this burying of verification.
The stack should, I think, instead look like this:
- You call
refresh()on an updater object. refresh()calls, for each role,update_metadata(...)(now public)update_metadata(...)loops over mirrors and:- calls
get_unverified_metadatato get a temp file (max length limit) - calls
verify_metadata(now public)
- calls
update_metadata(...)stops when it has a successfully verified file, and returns it up the stack.
You should be able to look at the public refresh() and the public update_metadata(...) and have an immediate understanding of what is happening, and naturally know where to make changes to metadata verification. These are high-level functions that are central to an implementation's TUF's specification conformance.