Exceptions in metadata API, especially verify()

[jku]

I've just tried verifying metadata using the new API. I wanted to do this:

if md.verify(key):
    print("yay")

but it looks like I'll end up with

from securesystemslib import exceptions as sslib_exceptions
from tuf import exceptions
from tuf.api import serialization

try:
    if md.verify(key):
        print("yay")
except (
    exceptions.Error, 
    sslib_exceptions.FormatError,
    serialization.SerializationError, 
    sslib_exceptions.CryptoError,
    sslib_exceptions.UnsupportedAlgorithmError
):
    # 🤷
    pass        

It feels like we could do better.

This issue is about exceptions handling in general but I'm fine if the solutions are case-by-case (like maybe verify specifically just does not need to throw at all).

Some specific issues:

• It feels like in most cases bleeding these securesystemslib errors through the API is wrong: I don't really want to handle them in my client code and I don't think we should expect client developers to know how to do that
• why are serialization errors defined in a different place than other errors? should serialization errors at least derive from generic exceptions.Error so I could pass all TUF errors with a single line if I want to (like I think makes sense with verify())

[jku]

I think a way forward is to just review all case individually and afterwards try to come up with generic rules.

I think there are cases where we do want to throw but do not want to document it: these are "internal error" cases that should not happen and that users cannot realistically prepare for. These should be documented in code though

The other group of errors here are the ones that are a result of malformed or unexpected metadata: I think these should all fall under one top-level exception so at least clients can handle that by outright refusing to handle the metadata.

• SerializationError:

  • should not require me to import a file I don't otherwise need but maybe that's fine because ...
  • I think this is an internal error of the Serializer (as in we do not know of a case where it should happen: this is very different from e.g. Metadata.from_dict() where SerializationError is what happens if metadata is broken in any way). Maybe we should not list this in verify() documentation
  • Proposal: Remove mentions from Metadata API docs as internal errors

• Error:

  • this happens if zero signatures were found for key. Is this an error? I feel like this is just return false -- or at least similar to the case where none of the signatures match (in which case we return false)
  • this also happens if there are multiple keyids but that would mean spec violation...
  • Proposal:
    • zero signatures for keyid should result in return false
    • we should file an issue if Metadata does not enforce keyid uniqueness.
    • we should consider multiple keyids case in verify() an internal error: throw but don't document?

• CryptoError,

  • SSLib throws this if keyid does not match the one in signature. In Metadata.verify() this would be an internal error
  • Proposal: internal error, let it get raised but don't document as exception to handle

• FormatError

  • SSLib throws if keydict or signature are not properly formatted
  • Metadata should ensure keydict is valid but I'm not sure it can validate signature (without actually running verify on loading the metadata)
  • keydict validity would be an internal error. If signature is not properly formatted should that just mean return false -- this feels a bit wrong though?
  • Proposal: throw a tuf.exceptions.FormatError : there's something unexpected in the data we got

• UnsupportedAlgorithmError

  • SSLib throws if the keydict is unsupported. SSLib could provide a cheap function to check this on Metadata creation but I'm not sure it's worth it
  • Proposal: throw a tuf.exceptions.FormatError : there's something unexpected in the data we got (it could also be an installation error with missing deps -- but we can't know so can only report the message)

[jku]

I'm limiting this more to verify() for now -- we should be more conscious about the errors in general but... one issue at a time I guess?