Automatically re-run signature checks when KEYS change

Author: alitheg

atr/storage/writers/keys.py

@@ -43,6 +43,7 @@
 import atr.storage as storage
 import atr.storage.outcome as outcome
 import atr.storage.types as types
+import atr.tasks as tasks
 import atr.user as user
 import atr.util as util
 
@@ -226,6 +227,7 @@ async def delete_key(self, fingerprint: str) -> outcome.Outcome[sql.PublicSignin
             )
             for committee_key in sorted(affected_committee_keys):
                 await self._sync_committee_keys_file(committee_key)
+            await self._recheck_committee_drafts(*affected_committee_keys)
             return outcome.Result(key)
         except Exception as e:
             return outcome.Error(e)
@@ -310,6 +312,29 @@ async def _keys_file_text(self, committee: sql.Committee) -> str:
     def _committee_keys_path(self, committee: sql.Committee) -> safe.StatePath:
         return paths.committee_downloads_dir(committee) / "KEYS"
 
+    async def _recheck_committee_drafts(self, *committee_keys: str) -> None:
+        # A KEYS change only invalidates signature checks, so we limit the re-queue to .asc files
+        affected = {committee_key for committee_key in committee_keys if committee_key}
+        if not affected:
+            return
+        drafts = await self.__data.release(
+            phase=sql.ReleasePhase.RELEASE_CANDIDATE_DRAFT,
+            _committee=True,
+        ).all()
+        for draft in drafts:
+            committee = draft.project.committee
+            if (committee is None) or (committee.key not in affected):
+                continue
+            if not draft.latest_revision_number:
+                continue
+            await tasks.draft_checks(
+                self.__asf_uid,
+                draft.safe_project_key,
+                draft.safe_version_key,
+                draft.safe_latest_revision_number,
+                suffix_filter=[".asc"],
+            )
+
     async def _sync_committee_keys_file(self, committee_key: str) -> str | None:
         committee = await self.__data.committee(key=committee_key, _public_signing_keys=True).demand(
             storage.AccessError(f"Committee not found: {committee_key}", status=404)
@@ -439,6 +464,8 @@ async def update_committee_associations(
         for committee_key in sorted(affected):
             await self._sync_committee_keys_file(committee_key)
 
+        await self._recheck_committee_drafts(*affected)
+
         return affected
 
     def __block_model(self, key_block: str, ldap_data: cache.EmailUidLookup) -> types.Key:
@@ -640,6 +667,7 @@ async def associate_fingerprint(self, fingerprint: str) -> outcome.Outcome[types
                 fingerprint=fingerprint,
                 committee_key=self.__committee_key,
             )
+            await self._recheck_committee_drafts(self.__committee_key)
         try:
             autogenerated_outcome = await self.autogenerate_keys_file()
         except Exception as e:
@@ -854,6 +882,8 @@ def replace_with_linked(key: types.Key) -> types.Key:
                 inserted_fingerprints=sorted(key_inserts),
                 linked_fingerprints=sorted(link_inserts),
             )
+        if link_inserts:
+            await self._recheck_committee_drafts(self.__committee_key)
         return outcomes
 
     async def __ensure(
@@ -974,6 +1004,7 @@ async def delete_committee_keys(self) -> tuple[int, int]:
             )
             raise
 
+        await self._recheck_committee_drafts(self.__committee_key)
         return (num_unlinked, num_deleted)
 
 

atr/tasks/__init__.py

@@ -145,6 +145,7 @@ async def draft_checks(
     release_version: safe.VersionKey,
     revision_number: safe.RevisionNumber,
     caller_data: db.Session | None = None,
+    suffix_filter: list[str] | None = None,
 ) -> int:
     """Core logic to analyse a draft revision and queue checks."""
     # Construct path to the specific revision
@@ -172,6 +173,8 @@ async def draft_checks(
             (v for v in release_versions if util.version_sort_key(str(v.version)) < release_version_sortable), None
         )
         for path in relative_paths:
+            if suffix_filter and not str(path).endswith(tuple(suffix_filter)):
+                continue
             await _draft_file_checks(
                 asf_uid,
                 caller_data,

atr/tasks/checks/__init__.py

@@ -472,6 +472,20 @@ async def _resolve_committee_key(release: sql.Release, rel_path: str | None = No
     return release.committee.key
 
 
+async def _resolve_committee_signing_keys(release: sql.Release, rel_path: str | None = None) -> list[str]:
+    if release.committee is None:
+        raise ValueError("Release has no committee")
+    via = sql.validate_instrumented_attribute
+    committee_key = release.committee.key
+    async with db.session() as data:
+        statement = sqlmodel.select(via(sql.KeyLink.key_fingerprint)).where(
+            via(sql.KeyLink.committee_key) == committee_key
+        )
+        result = await data.execute(statement)
+        fingerprints = result.scalars().all()
+    return sorted(fp for fp in fingerprints if fp)
+
+
 async def _resolve_github_tp_sha(release: sql.Release, rel_path: str | None = None) -> str:
     if not release.latest_revision_number:
         return ""
@@ -503,6 +517,7 @@ async def _resolve_unsuffixed_file_hash(release: sql.Release, rel_path: str | No
 _EXTRA_ARG_RESOLVERS: Final[dict[str, Callable[[sql.Release, str | None], Any]]] = {
     "all_files": _resolve_all_files,
     "committee_key": _resolve_committee_key,
+    "committee_signing_keys": _resolve_committee_signing_keys,
     "github_tp_sha": _resolve_github_tp_sha,
     "is_podling": _resolve_is_podling,
     "unsuffixed_file_hash": _resolve_unsuffixed_file_hash,

atr/tasks/checks/signature.py

@@ -31,7 +31,7 @@
 
 # Release policy fields which this check relies on - used for result caching
 INPUT_POLICY_KEYS: Final[list[str]] = []
-INPUT_EXTRA_ARGS: Final[list[str]] = ["committee_key", "unsuffixed_file_hash"]
+INPUT_EXTRA_ARGS: Final[list[str]] = ["committee_key", "committee_signing_keys", "unsuffixed_file_hash"]
 CHECK_VERSION: Final[str] = "3"
 
 

tests/unit/test_keys_writer.py

@@ -63,6 +63,9 @@ def __init__(self, value):
     async def get(self):
         return self._value
 
+    async def all(self):
+        return [self._value]
+
     async def demand(self, error: Exception):
         if self._value is None:
             raise error
@@ -85,6 +88,9 @@ def public_signing_key(self, **_kwargs):
     def committee(self, *, key: str, _public_signing_keys: bool = False):
         return Query(self._committees_after_commit[key])
 
+    def release(self, *_args, **_kwargs):
+        return Query(SimpleNamespace(project=mock.AsyncMock()))
+
 
 @pytest.mark.asyncio
 async def test_database_add_model_audits_inserted_key():