From 5e6b83d17629fb8e8ae81638b2056a37364ec703 Mon Sep 17 00:00:00 2001
From: Grégoire Détrez
Date: Tue, 28 Jun 2022 16:46:42 +0200
Subject: Allow --sigkey-file to be a symlink

Also adds the first tests (using pytest) & a short paragraph to the README on how to run them.
---
 sigsum-witness.py | 27 +++++++++++++++++++--------
 1 file changed, 19 insertions(+), 8 deletions(-)

(limited to 'sigsum-witness.py')

diff --git a/sigsum-witness.py b/sigsum-witness.py
index 15bfb07..ef63c4c 100755
--- a/sigsum-witness.py
+++ b/sigsum-witness.py
@@ -386,14 +386,10 @@ def generate_and_store_sigkey(fn):
 f.write(signing_key.encode(encoder=nacl.encoding.HexEncoder).decode('ascii'))

 def read_sigkeyfile(fn):
- s = os.stat(fn, follow_symlinks=False)
- if not S_ISREG(s.st_mode):
- return None, (ERR_SIGKEYFILE,
- "ERROR: Signing key file {} must be a regular file".format(fn))
- if S_IMODE(s.st_mode) & 0o077 != 0:
- return None, (ERR_SIGKEYFILE,
- "ERROR: Signing key file {} permissions too lax: {:04o}".format(fn, S_IMODE(s.st_mode)))
-
+ try:
+ check_sigkeyfile(fn)
+ except SigKeyFileError as err:
+ return None, (ERR_SIGKEYFILE, str(err))
 with open(fn, 'r') as f:
 try:
 signing_key = nacl.signing.SigningKey(f.readline().strip(), nacl.encoding.HexEncoder)
@@ -405,6 +401,21 @@ def read_sigkeyfile(fn):
 return signing_key, None


+def check_sigkeyfile(fn):
+ try:
+ s = os.stat(fn, follow_symlinks=True)
+ except FileNotFoundError:
+ raise SigKeyFileError(f"ERROR: File not found: {fn}")
+ if not S_ISREG(s.st_mode):
+ raise SigKeyFileError(f"ERROR: Signing key file {fn} must be a regular file")
+ if S_IMODE(s.st_mode) & 0o077 != 0:
+ raise SigKeyFileError(f"ERROR: Signing key file {fn} permissions too lax: {S_IMODE(s.st_mode):04o}")
+
+
+class SigKeyFileError(Exception):
+ pass
+
+
 # Read signature key from file, or generate one and write it to file.
 def ensure_sigkey(fn):
 try:
--
cgit v1.2.3
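Review bot: In read_sigkeyfile the permission check and the read are two separate path lookups: `check_sigkeyfile(fn)` stats the path and `open(fn, 'r')` resolves it again, so now that symlinks are followed the file that passed the mode check is not guaranteed to be the file the key is read from. Opening first and checking the descriptor closes that gap, e.g. `s = os.fstat(f.fileno())` inside the `with open(fn, 'r') as f:` block, with the S_ISREG and 0o077 tests applied to that result. The mode test also only covers the symlink target, so an ownership check on the same result, such as `s.st_uid == os.geteuid()`, would be worth adding now that the key may live outside the configured path. The rest of read_sigkeyfile lies between the two hunks and is not visible here.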
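Review bot: check_sigkeyfile converts only FileNotFoundError into SigKeyFileError, so any other OSError from `os.stat` (a PermissionError on a directory along the path, or a symlink loop, which `follow_symlinks=True` now makes reachable) escapes read_sigkeyfile as a traceback instead of the `(None, (ERR_SIGKEYFILE, ...))` result. A second clause after the existing one would cover it: `except OSError as err:` followed by `raise SigKeyFileError(f"ERROR: Cannot stat signing key file {fn}: {err}") from err`. Separately, ensure_sigkey is cut off after its `try:` at the end of the hunk; if it depends on FileNotFoundError propagating out of read_sigkeyfile to trigger key generation, the new conversion would stop that, which is worth confirming against the added tests.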