Move hash method to metadata package and update requirements.

guzman-raphael · guzman-raphael · commit 4c36c210897a · 2020-02-01T00:22:30.000-06:00
diff --git a/datajoint.pub b/datajoint.pub
@@ -0,0 +1,6 @@
+-----BEGIN PUBLIC KEY-----
+MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUMOo2U7YQ1uOrKU/IreM3AQP2
+AXJC3au+S9W+dilxHcJ3e98bRVqrFeOofcGeRPoNc38fiLmLDUiBskJeVrpm29Wo
+AkH6yhZWk1o8NvGMhK4DLsJYlsH6tZuOx9NITKzJuOOH6X1I5Ucs7NOSKnmu7g5g
+WTT5kCgF5QAe5JN8WQIDAQAB
+-----END PUBLIC KEY-----
diff --git a/datajoint/plugin.py b/datajoint/plugin.py
@@ -1,22 +1,7 @@
-import os
 import pkg_resources
-import hashlib
-import base64
 from pathlib import Path
 from cryptography.exceptions import InvalidSignature
-from cryptography.hazmat.backends import default_backend
-from cryptography.hazmat.primitives.serialization import load_pem_public_key
-from cryptography.hazmat.primitives.asymmetric import padding
-from cryptography.hazmat.primitives import hashes
-
-DJ_PUB_KEY = '''
------BEGIN PUBLIC KEY-----
-MIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQDUMOo2U7YQ1uOrKU/IreM3AQP2
-AXJC3au+S9W+dilxHcJ3e98bRVqrFeOofcGeRPoNc38fiLmLDUiBskJeVrpm29Wo
-AkH6yhZWk1o8NvGMhK4DLsJYlsH6tZuOx9NITKzJuOOH6X1I5Ucs7NOSKnmu7g5g
-WTT5kCgF5QAe5JN8WQIDAQAB
------END PUBLIC KEY-----
-'''
+from raphael_python_metadata import hash_pkg, verify
 
 discovered_plugins = {
     entry_point.module_name: dict(plugon=entry_point.name, verified=False)
@@ -25,54 +10,20 @@
 }
 
 
-def hash_pkg(pkgpath):
-    refpath = Path(pkgpath).absolute().parents[0]
-    details = ''
-    details = _update_details_dir(pkgpath, refpath, details)
-    # hash output to prepare for signing
-    return hashlib.sha1('blob {}\0{}'.format(len(details), details).encode()).hexdigest()
-
-
-def _update_details_dir(dirpath, refpath, details):
-    paths = sorted(Path(dirpath).absolute().glob('*'))
-    # walk a directory to collect info
-    for path in paths:
-        if 'pycache' not in str(path):
-            if os.path.isdir(str(path)):
-                details = _update_details_dir(path, refpath, details)
-            else:
-                details = _update_details_file(path, refpath, details)
-    return details
-
-
-def _update_details_file(filepath, refpath, details):
-    if '.sig' not in str(filepath):
-        with open(str(filepath), 'r') as f:
-            data = f.read()
-        # perfrom a SHA1 hash (same as git) that closely matches: git ls-files -s <dirname>
-        mode = 100644
-        hash = hashlib.sha1('blob {}\0{}'.format(len(data),data).encode()).hexdigest()
-        stage_no = 0
-        relative_path = str(filepath.relative_to(refpath))
-        details = '{}{} {} {}\t{}\n'.format(details, mode, hash, stage_no, relative_path)
-    return details
-
-
-def _update_error_stack(module):
+def _update_error_stack(plugin_name):
     try:
-        pkg = pkg_resources.get_distribution(module.__name__)
-        signature = pkg.get_metadata('datajoint.sig')
-        pub_key = load_pem_public_key(bytes(DJ_PUB_KEY, 'UTF-8'), backend=default_backend())
-        data = hash_pkg(module.__path__[0])
-        pub_key.verify(
-            base64.b64decode(signature.encode()),
-            data.encode(),
-            padding.PSS(mgf=padding.MGF1(hashes.SHA256()), salt_length=padding.PSS.MAX_LENGTH),
-            hashes.SHA256())
-        discovered_plugins[module.__name__]['verified'] = True
-        print('DataJoint verified plugin `{}` introduced.'.format(module.__name__))
+        base_name = 'datajoint'
+        base_meta = pkg_resources.get_distribution(base_name)
+        plugin_meta = pkg_resources.get_distribution(plugin_name)
+
+        data = hash_pkg(str(Path(plugin_meta.module_path, plugin_name)))
+        signature = plugin_meta.get_metadata('{}.sig'.format(plugin_name))
+        pubkey_path = str(Path(base_meta.egg_info, '{}.pub'.format(base_name)))
+        verify(pubkey_path, data, signature)
+        discovered_plugins[plugin_name]['verified'] = True
+        print('DataJoint verified plugin `{}` introduced.'.format(plugin_name))
     except (FileNotFoundError, InvalidSignature):
-        print('Unverified plugin `{}` introduced.'.format(module.__name__))
+        print('Unverified plugin `{}` introduced.'.format(plugin_name))
 
 
 def override(plugin_type, context, method_list=None):
@@ -84,7 +35,7 @@ def override(plugin_type, context, method_list=None):
             module = __import__(module_name)
             module_dict = module.__dict__
             # update error stack (if applicable)
-            _update_error_stack(module)
+            _update_error_stack(module.__name__)
             # override based on plugon preference
             if method_list is not None:
                 new_methods = []
diff --git a/local-docker-compose.yml b/local-docker-compose.yml
@@ -32,7 +32,8 @@ services:
     command: >
       /bin/sh -c
        "
-        pip install --user nose nose-cov coveralls ptvsd .;
+        # pip install --user nose nose-cov coveralls ptvsd .;
+        pip install --user nose nose-cov coveralls ptvsd;
         pip freeze | grep datajoint;
         ## You may run the below tests once sh'ed into container i.e. docker exec -it datajoint-python_app_1 sh
         # nosetests -vsw tests --with-coverage --cover-package=datajoint; #run all tests
diff --git a/requirements.txt b/requirements.txt
@@ -8,4 +8,5 @@ networkx
 pydot
 minio
 matplotlib
-cryptography
+cryptography
+raphael_python_metadata
diff --git a/setup.py b/setup.py
@@ -31,5 +31,7 @@
     keywords='database organization',
     packages=find_packages(exclude=['contrib', 'docs', 'tests*']),
     install_requires=requirements,
-    python_requires='~={}.{}'.format(*min_py_version)
+    python_requires='~={}.{}'.format(*min_py_version),
+    setup_requires=['raphael_python_metadata'],
+    pubkey_path='./datajoint.pub'
 )
diff --git a/tests/test_plugin.py b/tests/test_plugin.py
@@ -0,0 +1,31 @@
+# import datajoint.errors as djerr
+# import datajoint.plugin as p
+# import importlib
+
+
+# def test_normal_djerror():
+#     try:
+#         raise djerr.DataJointError
+#     except djerr.DataJointError as e:
+#         assert(e.__cause__ is None)
+
+
+# def test_unverified_djerror():
+#     try:
+#         curr_plugins = p.discovered_plugins
+#         p.discovered_plugins = dict(test_plugin_module=dict(verified=False, plugon='example'))
+#         importlib.reload(djerr)
+#         raise djerr.DataJointError
+#     except djerr.DataJointError as e:
+#         p.discovered_plugins = curr_plugins
+#         importlib.reload(djerr)
+#         assert(e.__cause__ is None)
+#         # p.discovered_plugins = curr_plugins
+#         # importlib.reload(djerr)
+#         # print(isinstance(e.__cause__, djerr.PluginWarning))
+#         # assert(isinstance(e.__cause__, djerr.PluginWarning))
+
+
+# # def test_verified_djerror():
+# #     assert_equal(get_host('hub://fakeservices.datajoint.io/datajoint/travis'),
+# #         'fakeservices.datajoint.io:3306')

Original file line number	Diff line number	Diff line change
`@@ -31,5 +31,7 @@`
`31`	`31`	`keywords='database organization',`
`32`	`32`	`packages=find_packages(exclude=['contrib', 'docs', 'tests*']),`
`33`	`33`	`install_requires=requirements,`
`34`		`- python_requires='~={}.{}'.format(*min_py_version)`
	`34`	`+ python_requires='~={}.{}'.format(*min_py_version),`
	`35`	`+ setup_requires=['raphael_python_metadata'],`
	`36`	`+ pubkey_path='./datajoint.pub'`
`35`	`37`	`)`