Multiple YubiKeys support

CHANGELOG.md

@@ -10,7 +10,10 @@ and this project adheres to [Semantic Versioning][semver].
 
 ### Added
 
-
+- Add key names from config files to metadata during repository setup, following updates to TUF and securesystemslib [(583)]
+- Implement iteration over all inserted YubiKeys during metadata signing [(583)]
+- Implement a `PinManager` class to allow secure pin reuse across API functions and eliminated insecure global pin storage [(583)]
+- Implement removal of keys [(561)]
 - Implement removal and rotation of keys [(561)]
 
 ### Changed
@@ -19,7 +22,7 @@ Transition to the newest version of TUF [(561)]
 
 ### Fixed
 
-
+[563]: https://github.com/openlawlibrary/taf/pull/563
 [561]: https://github.com/openlawlibrary/taf/pull/561
 
 

taf/api/api_workflow.py

@@ -1,6 +1,6 @@
 from contextlib import contextmanager
 from pathlib import Path
-from typing import Dict, List, Optional, Union
+from typing import List, Optional, Union
 
 from taf.api.utils._conf import find_keystore
 from taf.auth_repo import AuthenticationRepository
@@ -79,13 +79,11 @@ def manage_repo_and_signers(
                 keystore_path = find_keystore(auth_repo.path)
             else:
                 keystore_path = Path(keystore)
-            loaded_yubikeys: Dict = {}
             for role in roles_to_load:
                 if not auth_repo.check_if_keys_loaded(role):
                     keystore_signers, yubikey_signers = load_signers(
                         auth_repo,
                         role,
-                        loaded_yubikeys=loaded_yubikeys,
                         keystore=keystore_path,
                         scheme=scheme,
                         prompt_for_keys=prompt_for_keys,

taf/api/dependencies.py

@@ -16,6 +16,7 @@
 from taf.log import taf_logger
 from taf.updater.updater import OperationType, clone_repository
 import taf.updater.updater as updater
+from taf.yubikey.yubikey_manager import PinManager
 
 
 def _add_to_dependencies(
@@ -59,6 +60,7 @@ def _add_to_dependencies(
 @check_if_clean
 def add_dependency(
     path: str,
+    pin_manager: PinManager,
     dependency_name: str,
     branch_name: str,
     out_of_band_commit: str,
@@ -107,7 +109,7 @@ def add_dependency(
     if path is None:
         raise TAFError("Authentication repository's path not provided")
 
-    auth_repo = AuthenticationRepository(path=path)
+    auth_repo = AuthenticationRepository(path=path, pin_manager=pin_manager)
     if not auth_repo.is_git_repository_root:
         taf_logger.error(f"{path} is not a git repository!")
         return
@@ -165,6 +167,7 @@ def add_dependency(
     commit_msg = git_commit_message("add-dependency", dependency_name=dependency_name)
     register_target_files(
         path=path,
+        pin_manager=pin_manager,
         keystore=keystore,
         commit=commit,
         scheme=scheme,
@@ -190,6 +193,7 @@ def add_dependency(
 @check_if_clean
 def remove_dependency(
     path: str,
+    pin_manager: PinManager,
     dependency_name: str,
     keystore: str,
     scheme: Optional[str] = DEFAULT_RSA_SIGNATURE_SCHEME,
@@ -218,7 +222,7 @@ def remove_dependency(
     if path is None:
         raise TAFError("Authentication repository's path not provided")
 
-    auth_repo = AuthenticationRepository(path=path)
+    auth_repo = AuthenticationRepository(path=path, pin_manager=pin_manager)
     if not auth_repo.is_git_repository_root:
         print(f"{path} is not a git repository!")
         return
@@ -249,6 +253,7 @@ def remove_dependency(
 
     register_target_files(
         path=path,
+        pin_manager=pin_manager,
         keystore=keystore,
         commit=commit,
         scheme=scheme,

taf/api/keystore.py

@@ -5,7 +5,7 @@
 from taf.models.types import RolesKeysData
 from taf.api.utils._conf import find_taf_directory
 
-from taf.api.roles import _initialize_roles_and_keystore
+from taf.api.roles import initialize_roles_and_keystore
 from taf.keys import get_key_name
 from taf.log import taf_logger
 from taf.models.types import RolesIterator
@@ -80,7 +80,7 @@ def generate_keys(
             keystore = "./keystore"
 
     taf_logger.log("NOTICE", f"Generating keys in {str(Path(keystore).absolute())}")
-    roles_key_infos_dict, keystore, _ = _initialize_roles_and_keystore(
+    roles_key_infos_dict, keystore, _ = initialize_roles_and_keystore(
         roles_key_infos, str(keystore)
     )
 

taf/api/metadata.py

@@ -2,6 +2,7 @@
 from logging import ERROR
 from typing import Dict, List, Optional, Tuple
 from logdecorator import log_on_error
+from taf.yubikey.yubikey_manager import PinManager
 from tuf.api.metadata import Snapshot, Timestamp
 
 from taf.api.utils._git import check_if_clean
@@ -88,6 +89,7 @@ def print_expiration_dates(
 @check_if_clean
 def update_metadata_expiration_date(
     path: str,
+    pin_manager: PinManager,
     roles: List[str],
     interval: Optional[int] = None,
     keystore: Optional[str] = None,
@@ -126,7 +128,7 @@ def update_metadata_expiration_date(
         None
     """
 
-    auth_repo = AuthenticationRepository(path=path)
+    auth_repo = AuthenticationRepository(path=path, pin_manager=pin_manager)
     if start_date is None:
         start_date = datetime.now()
 
@@ -178,6 +180,7 @@ def update_metadata_expiration_date(
 @check_if_clean
 def update_snapshot_and_timestamp(
     path: str,
+    pin_manager: PinManager,
     keystore: Optional[str] = None,
     roles_to_sync: Optional[List[str]] = None,
     scheme: Optional[str] = DEFAULT_RSA_SIGNATURE_SCHEME,
@@ -208,7 +211,7 @@ def update_snapshot_and_timestamp(
         None
     """
 
-    auth_repo = AuthenticationRepository(path=path)
+    auth_repo = AuthenticationRepository(path=path, pin_manager=pin_manager)
 
     with manage_repo_and_signers(
         auth_repo,

taf/api/repository.py

@@ -11,7 +11,7 @@
 
 from pathlib import Path
 from taf.api.roles import (
-    _initialize_roles_and_keystore,
+    initialize_roles_and_keystore,
 )
 from taf.api.targets import list_targets, register_target_files
 
@@ -23,6 +23,7 @@
 from taf.tuf.repository import METADATA_DIRECTORY_NAME
 from taf.utils import ensure_pre_push_hook
 from taf.log import taf_logger
+from taf.yubikey.yubikey_manager import PinManager
 
 
 @log_on_start(
@@ -38,6 +39,7 @@
 )
 def create_repository(
     path: str,
+    pin_manager: PinManager,
     keystore: Optional[str] = None,
     roles_key_infos: Optional[str] = None,
     commit: Optional[bool] = False,
@@ -68,14 +70,15 @@ def create_repository(
         keystore_path = find_keystore(path)
         if keystore_path is not None:
             keystore = str(keystore_path)
-    roles_key_infos_dict, keystore, skip_prompt = _initialize_roles_and_keystore(
+    roles_key_infos_dict, keystore, skip_prompt = initialize_roles_and_keystore(
         roles_key_infos, keystore
     )
 
     roles_keys_data = from_dict(roles_key_infos_dict, RolesKeysData)
-    auth_repo = AuthenticationRepository(path=path)
+    auth_repo = AuthenticationRepository(path=path, pin_manager=pin_manager)
     signers, verification_keys = load_sorted_keys_of_new_roles(
         roles=roles_keys_data.roles,
+        auth_repo=auth_repo,
         yubikeys_data=roles_keys_data.yubikeys,
         keystore=keystore,
         skip_prompt=skip_prompt,
@@ -84,8 +87,7 @@ def create_repository(
     if signers is None:
         return
 
-    repository = AuthenticationRepository(path=path)
-    repository.create(roles_keys_data, signers, verification_keys)
+    auth_repo.create(roles_keys_data, signers, verification_keys)
     if commit:
         auth_repo.init_repo()
         commit_msg = git_commit_message("create-repo")