Commit graph

6224 commits

Author SHA1 Message Date
Jussi Kukkonen
9cef165dcf
Merge pull request #2289 from jku/requirements-refactor
Requirements refactor
2023-02-06 15:00:36 +02:00
Jussi Kukkonen
70555f6e1b build: shorten requirements file names
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-06 14:52:07 +02:00
Jussi Kukkonen
c6dfe0ccab build: Bump isort from 5.11.4 to 5.12.0
New version requires python >=3.8 but that should be ok now with the
refactored requirements files.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-06 14:52:07 +02:00
Jussi Kukkonen
690fc2a1ca build: Split lint and test requirements
This way lint tool limitations don't prevent testing on older Python
versions.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-06 14:52:03 +02:00
Jussi Kukkonen
33829fdbab build: Move requirements file to a directory
We already have 6 files and I'm planning to add another one: maybe it's
time to move these out of the top level directory.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-06 14:50:47 +02:00
Jussi Kukkonen
ed74563456
Merge pull request #2283 from fridex/pydocstyle
Install pydocstyle for checking docstrings
2023-02-06 14:50:15 +02:00
Fridolin Pokorny
074778e08f
Fix pydocstyle D209
D209: Multi-line docstring closing quotes should be on a separate line

Signed-off-by: Fridolin Pokorny <fridolin.pokorny@datadoghq.com>
2023-02-06 13:23:33 +01:00
Fridolin Pokorny
0cca1d6a96
Install pydocstyle for checking docstrings
Signed-off-by: Fridolin Pokorny <fridolin.pokorny@datadoghq.com>
2023-02-06 13:19:51 +01:00
Jussi Kukkonen
3600532d08
Merge pull request #2291 from theupdateframework/dependabot/pip/pylint-2.16.1
build(deps): bump pylint from 2.16.0 to 2.16.1
2023-02-04 17:37:01 +02:00
Jussi Kukkonen
707dc49999 build: Handle GH release manually
Remove dependency on softprops/action-gh-release: instead do the GitHub
release steps using the GitHub API and github-script.

The only difference should be that release name is not "<tag>-rc" first:
instead the initial release is marked as draft in the API (and shows as
draft in the UI).

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-04 17:32:56 +02:00
dependabot[bot]
91c1b72075
build(deps): bump pylint from 2.16.0 to 2.16.1
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.16.0 to 2.16.1.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.16.0...v2.16.1)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-03 10:01:17 +00:00
Jussi Kukkonen
d36c0cfa02 examples: Rename client example directory
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-02 16:25:47 +02:00
Jussi Kukkonen
0998c20731 examples: Explain uploader tool in READMEs
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-02 16:25:47 +02:00
Jussi Kukkonen
92e03d2d20 examples: Implement the upload API
uploader API has two POST endpoints

/api/delegation/<ROLE>
    Accepts new delegation keys for targetpath "<ROLE>/*" to role <ROLE>.
    This data is not signed in any way: In a real service this action would
    require some external authentication.

    POST content:
        { <KEYID>: <TUF KEY> }

/api/role/<ROLE>
    accepts uploads of new versions of <ROLE> metadata. The metadata
    must be correctly signed by the keys assigned to this delegation.

    POST content:
        TUF targets metadata as json

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-02 16:25:43 +02:00
Jussi Kukkonen
69b30ecadc examples: Add uploader tool example
This tool works with the example repository: it can be used to
* Add a delegation (this is an unsafe API corresponding to e.g.
  project creation in PyPI)
* Submit new delegated role version (this requires using signing keys
  already submitted with the delegation)

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-02 16:21:52 +02:00
Jussi Kukkonen
efcb3cfb80 examples: Add further scaffolding for upload API
The API doesn't modify the repository yet but the data flow is there now.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-02 16:21:52 +02:00
Jussi Kukkonen
9ec8459379 examples: Add skeleton API endpoints
Also use ThreadingHTTPServer: Using Chrome utterly breaks the non-threading
server.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-02-02 16:21:52 +02:00
Jussi Kukkonen
d61dbabc78
Merge pull request #2281 from fridex/pydocstyle-d209
Fix pydocstyle D209
2023-02-02 14:33:41 +02:00
Jussi Kukkonen
4eea38da42
Merge pull request #2285 from theupdateframework/dependabot/github_actions/actions/github-script-6.4.0
build(deps): bump actions/github-script from 6.3.3 to 6.4.0
2023-02-02 12:56:21 +02:00
Jussi Kukkonen
21b0f2393b
Merge pull request #2284 from theupdateframework/dependabot/github_actions/github/codeql-action-2.2.1
build(deps): bump github/codeql-action from 2.1.39 to 2.2.1
2023-02-02 12:56:03 +02:00
Jussi Kukkonen
24118dacee
Merge pull request #2288 from theupdateframework/dependabot/pip/pylint-2.16.0
build(deps): bump pylint from 2.15.10 to 2.16.0
2023-02-02 12:51:52 +02:00
dependabot[bot]
6144357c21
build(deps): bump pylint from 2.15.10 to 2.16.0
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.15.10 to 2.16.0.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.15.10...v2.16.0)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-02-02 10:01:35 +00:00
Lukas Pühringer
d2c12f2d14
Merge pull request #2165 from jku/no-key
Move (most of) Key to Securesystemslib
2023-01-31 09:20:44 +01:00
Lukas Pühringer
93b8fb6377
Merge pull request #2279 from fridex/export-targetfile-ngclient
Export TUF TargetFile in ngclient
2023-01-31 09:19:41 +01:00
Lukas Pühringer
daa41a9bc9
Merge pull request #2280 from lukpueh/release-2.1.0
python-tuf 2.1.0
2023-01-30 10:37:39 +01:00
Jussi Kukkonen
8278f3f805 packaging: Depend on securesystemslib 0.26
We need signer.Key which was added in 0.26.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-27 20:45:29 +02:00
dependabot[bot]
f2fff33566
build(deps): bump actions/github-script from 6.3.3 to 6.4.0
Bumps [actions/github-script](https://github.com/actions/github-script) from 6.3.3 to 6.4.0.
- [Release notes](https://github.com/actions/github-script/releases)
- [Commits](d556feaca3...98814c53be)

---
updated-dependencies:
- dependency-name: actions/github-script
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-27 10:05:30 +00:00
dependabot[bot]
49b0385c40
build(deps): bump github/codeql-action from 2.1.39 to 2.2.1
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.39 to 2.2.1.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](a34ca99b46...3ebbd71c74)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-27 10:05:26 +00:00
Fridolin Pokorny
744f75c1e7
Fix pydocstyle D209
Fix multi-line docstring closing quotes should be on a separate line

Signed-off-by: Fridolin Pokorny <fridolin.pokorny@datadoghq.com>
2023-01-26 16:36:13 +01:00
Lukas Puehringer
9811ac3568 python-tuf 2.1.0
* update changelog
* bump version

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2023-01-26 16:26:38 +01:00
Fridolin Pokorny
524a6b848f
Export TUF TargetFile in ngclient
Signed-off-by: Fridolin Pokorny <fridolin.pokorny@datadoghq.com>
2023-01-26 15:54:44 +01:00
Lukas Pühringer
a6460c60ba
Merge pull request #2278 from fridex/pydocstyle-first-line-period-rebase
Fix pydocstyle D400: first line should end with a period
2023-01-26 15:38:03 +01:00
Fridolin Pokorny
5d347b8707
Fix pydocstyle D400: first line should end with a period
Signed-off-by: Fridolin Pokorny <fridolin.pokorny@datadoghq.com>
2023-01-26 15:33:09 +01:00
Jussi Kukkonen
7f04a6e888
Merge pull request #2276 from jku/securesystemslib-blog
Add new blog post about the signer API
2023-01-26 14:35:43 +02:00
Jussi Kukkonen
388768db3d Add new blog post about the signer API
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-26 11:37:47 +02:00
Lukas Pühringer
e6a3e9ee0b
Merge pull request #2277 from jku/expose-default-fetcher
Expose default fetcher
2023-01-26 09:30:07 +01:00
Jussi Kukkonen
bfd7f2058d
Merge pull request #2275 from theupdateframework/dependabot/pip/coverage-7.1.0
build(deps): bump coverage from 7.0.5 to 7.1.0
2023-01-26 10:01:18 +02:00
Jussi Kukkonen
889b218e7a Add comment explaining public status to the module itself
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-26 09:33:44 +02:00
Jussi Kukkonen
236bc9f070 docs: Tweak API docs to include RequestsFetcher
This only documents the configurable attributes
and not the inherited methods.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-25 16:07:12 +02:00
Jussi Kukkonen
f8a7881c87 Make RequestsFetcher public
This is useful for those who want to use the default fetcher
but modify some attributes

The file itself could be moved to tuf/ngclient/ but this is not done yet
as sigstore-python is using this internal module. Move can be done once
sigstore-python 1.0 is no longer relevant.

Fixes #2268

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-25 15:55:11 +02:00
dependabot[bot]
b0fbc3cfc8
build(deps): bump coverage from 7.0.5 to 7.1.0
Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.0.5 to 7.1.0.
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.0.5...7.1.0)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-25 10:02:03 +00:00
Jussi Kukkonen
d2908c0041
Merge pull request #2269 from theupdateframework/dependabot/github_actions/actions/setup-python-4.5.0
build(deps): bump actions/setup-python from 4.4.0 to 4.5.0
2023-01-24 15:06:10 +02:00
Jussi Kukkonen
cc48e9d5f1
Merge pull request #2274 from theupdateframework/dependabot/github_actions/github/codeql-action-2.1.39
build(deps): bump github/codeql-action from 2.1.38 to 2.1.39
2023-01-19 18:58:02 +02:00
dependabot[bot]
2a250df063
build(deps): bump github/codeql-action from 2.1.38 to 2.1.39
Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.1.38 to 2.1.39.
- [Release notes](https://github.com/github/codeql-action/releases)
- [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md)
- [Commits](515828d974...a34ca99b46)

---
updated-dependencies:
- dependency-name: github/codeql-action
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2023-01-19 10:04:05 +00:00
Jussi Kukkonen
2202a83d82 docs: Remove securesystemslib mock import
We want to document some securesystemslib classes (Key gets documented
with this change already as it's part of the metadata API).

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-17 17:45:28 +02:00
Jussi Kukkonen
22642ed267 examples: Update one more from_securesystemslib_key() usage
This method is now in SSlibKey

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-17 15:27:06 +02:00
Jussi Kukkonen
361bbe40f3 metadata: Refactor delegators key and role lookup
Simplify the lookup of delegated keys and roles by moving it to
Targets and Root: this follows the examples set by add_key() and
remove_key().

Most of the methods are trivial but they make sense because this way
the calling code does not have to care if the object is a Targets or a
Root: the same methods work on both.

The new methods are public since they are useful to applications as
well.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-17 15:26:51 +02:00
Jussi Kukkonen
41b9b5c60b tests: Remove unnecessary ignores
Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-17 14:31:22 +02:00
Jussi Kukkonen
ed0ec03399 Metadata API: Fix verify_delegate for new Key API
verify_delegate() unfortunately needs an almost complete rewrite
as the Key.verify_signature() API change affects it quite a bit.

Refactoring the role and key lookup into a separate method makes the
code readable again.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-17 14:31:22 +02:00
Jussi Kukkonen
b55ac25cf5 tests: Fix tests for Key.verify_signature()
Key.verify_signature() API has changed:
* argument is bytes, not metadata
* raised error now comes from securesystemslib

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2023-01-17 14:31:22 +02:00