refactor RepositorySimulator to sign explicitly

[jku]

copying from in #130 (comment)

We probably should modify RepositorySimulator so that it signs metadata explicitly (and not magically at request time as it now does)

Potential design:

• keep mds dictionary for storing the "current metadata working set"
• remove signed_roots, add signed_mds: dict[str, list[bytes]] where key is rolename
• remove publish_root() and bump_root_by_one(), add something like publish(role: str, bump_version: bool = True) that bumps version if requested, makes a copy of roles current metadata from mds, signs it, adds bytes to signed_mds
• fetch_metadata() now looks up data only from signed_mds (and can return old versions)
• There's plenty of potential test changes, every test needs to be reviewed:
  • any test that modifies any targets role likely needs to publish(role) at least once
  • same for any tests that modify timestamp or snapshot without calling update_*() afterwards
  • old metadata versions are now available from repository (this is more realistic so sounds good)
  • anything else?

[AdamKorcz]

Lgtm.

My additional thoughts below and thinking out loud regarding how I would approach this implementation-wise.

remove signed_roots, add signed_mds: dict[str, list[bytes]] where key is rolename

sgtm. And we will look up the version in the same way we do now for root in fetch_metadata:

tuf-conformance/tuf_conformance/repository_simulator.py

Lines 282 to 285 in b8f2205

	if version is None or version > len(self.signed_roots):
	raise ValueError(f"Unknown root version {version}")
	logger.debug("fetched root version %d", version)
	return self.signed_roots[version - 1]

Signing process

I suppose this is part that we want to invoke manually:

tuf-conformance/tuf_conformance/repository_simulator.py

Lines 288 to 295 in b8f2205

	md = self.mds.get(role)
	if md is None:
	raise ValueError(f"Unknown role {role}")
	md.signatures.clear()
	for signer in self.signers[role].values():
	md.sign(signer, append=True)

We should remove this part from fetch_metadata and generalise publish_root to allow us to specifically sign any role:

tuf-conformance/tuf_conformance/repository_simulator.py

Lines 211 to 219 in b8f2205

	def publish_root(self) -> None:
	"""Sign and store a new serialized version of root."""
	root_md = self.mds[Root.type]
	root_md.signatures.clear()
	for signer in self.signers[Root.type].values():
	root_md.sign(signer, append=True)
	self.signed_roots.append(root_md.to_bytes(JSONSerializer()))
	logger.debug("Published root v%d", self.root.version)

I think that is the core of it.

From a test-writing perspective, I think we are covered to maintain a decent UX. The publish design only takes care of signing based on existing signers/keys, and we need a good way to manage these before we publish. IMO we have good enough building blocks for that with repo.add_key().

[jku]

Sounds good

• publish() probably should bump version since typically we want to do that (but maybe it could have a argument for not bumping if there's a lot of need)
• if we want to break the repo in a very offensive way (let's say serve timestamp metadata when client requests snapshot) the test should just modify repo.signed_mds directly
• if there are a lot of tests that want to do this, we can expose more complicated signing from RepositorySimulator (something like sign(self, role: str, signers: list[Signer]) -> bytes maybe that signs the current role with given keys and returns the serialized bytes that the caller can then insert wherever they want)

[jku]

There's plenty of potential test changes, every test needs to be reviewed

• basically any and all metadata changes mean publishing is required
• this may change the expected results: previously it was possible to modify v1 of any role and test that (since no publishing was required) but now we want
  • RepositorySimulator._initialize() to publish v1 of all top level roles
  • the test to publish v2 for any changes it does
  • so the previous expected version v1 may change to v2

This looks like a purely manual review, there's not much we can do to automate.

[AdamKorcz]

Done in #188