Commit graph

6224 commits

Author SHA1 Message Date
Lukas Pühringer
b3508471dc
Merge pull request #1922 from jku/constructor-defaults
Add default args to Signed constructors
2022-04-04 13:18:21 +02:00
Jussi Kukkonen
8de43ab380
Merge pull request #1940 from theupdateframework/dependabot/github_actions/actions/setup-python-3.1.0
build(deps): bump actions/setup-python from 3.0.0 to 3.1.0
2022-04-04 13:52:41 +03:00
Jussi Kukkonen
0d3bb682dd Metadata API: Document constructor default arguments
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-04 13:49:06 +03:00
dependabot[bot]
b0a73e41c6
build(deps): bump actions/setup-python from 3.0.0 to 3.1.0
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 3.0.0 to 3.1.0.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](0ebf233433...9c644ca2ab)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-04 10:21:57 +00:00
dependabot[bot]
f76b6c7b12
build(deps): bump types-requests from 2.27.15 to 2.27.16
Bumps [types-requests](https://github.com/python/typeshed) from 2.27.15 to 2.27.16.
- [Release notes](https://github.com/python/typeshed/releases)
- [Commits](https://github.com/python/typeshed/commits)

---
updated-dependencies:
- dependency-name: types-requests
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-04-04 10:07:34 +00:00
Jussi Kukkonen
b17ae3fd8f
Merge pull request #1808 from ivanayov/delegated_hash_bins_tests
Add test coverage for delegated hash bins
2022-04-04 12:22:54 +03:00
Jussi Kukkonen
dd3f4fa9bf
Merge pull request #1935 from theupdateframework/dependabot/pip/pylint-2.13.4
build(deps): bump pylint from 2.13.2 to 2.13.4
2022-04-04 11:58:55 +03:00
Jussi Kukkonen
958a2bd3b7
Merge pull request #1936 from jku/refactor-trusted-metadata-set-test
tests: Small refactor of a test
2022-04-01 15:49:59 +03:00
Jussi Kukkonen
0bd8feccf8 tests: Small refactor of a test
Test was supposed to test a threshold that is higher than number of
signatures, but it actually was just using completely unsigned metadata.

This still doesn't test the case where _trusted_ metadata defines a
threshold that new metadata does not reach: only the case where new
metadata defines threshold that it does not meet (this case is covered
in updater tests though).

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-04-01 10:17:06 +03:00
Jussi Kukkonen
434730fc33
Merge pull request #1934 from kairoaraujo/unecessary_import_requests_exceptions
import requests.exceptions is not necessary
2022-03-31 15:48:03 +03:00
Ivana Atanasova
59245a2c2e Add test coverage for delegated hash bins
This change adds tests coverage for `path_hash_prefixes` and
verifies that role names matching specific prefixed successfully
find and download the corresponding metadata files

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
2022-03-31 15:28:47 +03:00
dependabot[bot]
8c223f5446
build(deps): bump pylint from 2.13.2 to 2.13.4
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.13.2 to 2.13.4.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Changelog](https://github.com/PyCQA/pylint/blob/main/ChangeLog)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.13.2...v2.13.4)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-31 10:07:49 +00:00
Kairo de Araujo
b5e42c1c92 import requests.exceptions is not necessary
All calls use requests.* and importing requests.exceptions is not
necessary.

Signed-off-by: Kairo de Araujo <kdearaujo@vmware.com>
2022-03-31 10:58:53 +02:00
Jussi Kukkonen
d36b701bca
Merge pull request #1930 from theupdateframework/dependabot/pip/black-22.3.0
build(deps): bump black from 22.1.0 to 22.3.0
2022-03-29 13:36:48 +03:00
dependabot[bot]
811000f272
build(deps): bump black from 22.1.0 to 22.3.0
Bumps [black](https://github.com/psf/black) from 22.1.0 to 22.3.0.
- [Release notes](https://github.com/psf/black/releases)
- [Changelog](https://github.com/psf/black/blob/main/CHANGES.md)
- [Commits](https://github.com/psf/black/compare/22.1.0...22.3.0)

---
updated-dependencies:
- dependency-name: black
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-29 10:08:45 +00:00
Jussi Kukkonen
71259a3e75
Merge pull request #1925 from theupdateframework/dependabot/pip/mypy-0.942
build(deps): bump mypy from 0.941 to 0.942
2022-03-29 09:14:00 +03:00
dependabot[bot]
e1e8645bac
build(deps): bump mypy from 0.941 to 0.942
Bumps [mypy](https://github.com/python/mypy) from 0.941 to 0.942.
- [Release notes](https://github.com/python/mypy/releases)
- [Commits](https://github.com/python/mypy/compare/v0.941...v0.942)

---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-28 13:11:23 +00:00
Jussi Kukkonen
3ec455ca8a
Merge pull request #1928 from theupdateframework/dependabot/pip/types-requests-2.27.15
build(deps): bump types-requests from 2.27.14 to 2.27.15
2022-03-28 16:10:29 +03:00
dependabot[bot]
10f7375101
build(deps): bump types-requests from 2.27.14 to 2.27.15
Bumps [types-requests](https://github.com/python/typeshed) from 2.27.14 to 2.27.15.
- [Release notes](https://github.com/python/typeshed/releases)
- [Commits](https://github.com/python/typeshed/commits)

---
updated-dependencies:
- dependency-name: types-requests
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-28 11:49:14 +00:00
Jussi Kukkonen
bde78bcb9f
Merge pull request #1927 from theupdateframework/dependabot/pip/pylint-2.13.2
build(deps): bump pylint from 2.12.2 to 2.13.2
2022-03-28 14:48:41 +03:00
dependabot[bot]
b482886b92
build(deps): bump pylint from 2.12.2 to 2.13.2
Bumps [pylint](https://github.com/PyCQA/pylint) from 2.12.2 to 2.13.2.
- [Release notes](https://github.com/PyCQA/pylint/releases)
- [Changelog](https://github.com/PyCQA/pylint/blob/main/ChangeLog)
- [Commits](https://github.com/PyCQA/pylint/compare/v2.12.2...v2.13.2)

---
updated-dependencies:
- dependency-name: pylint
  dependency-type: direct:production
  update-type: version-update:semver-minor
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-28 10:09:17 +00:00
Lukas Pühringer
57c610df15
Merge pull request #1926 from jku/verify-release-imports
verify_release: Warn about missing requirements
2022-03-28 09:52:19 +02:00
Jussi Kukkonen
bf878ceaa6 verify_release: Warn about missing requirements
This is mostly useful for build module as it's not imported otherwise:
we explicitly call "python -m build" so everything works like in a
real release build.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-25 11:50:15 +02:00
Jussi Kukkonen
81637596ec
Merge pull request #1923 from theupdateframework/dependabot/pip/urllib3-1.26.9
build(deps): bump urllib3 from 1.26.8 to 1.26.9
2022-03-25 09:03:28 +02:00
Jussi Kukkonen
d1c52b5bb5
Merge pull request #1919 from theupdateframework/dependabot/pip/cryptography-36.0.2
build(deps): bump cryptography from 36.0.1 to 36.0.2
2022-03-25 09:03:11 +02:00
Jussi Kukkonen
96b2cd46b5 Metadata API: Set default expires to utcnow()
This means the metadata is by default expired: this seems like a fine
default since we only allow a default value for practical reasons (not
allowing it would mean backwards incompatible API change).

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-24 15:43:06 +02:00
Jussi Kukkonen
d8c0f3b3f3 Metadata API: Be more careful with container args
If argument is an empty container, we want to use the given empty
container. Only create a new container if argument is None.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-24 15:38:53 +02:00
Lukas Pühringer
7da03ee40d
Merge pull request #1913 from jku/verify-release
build: Add verify-release script
2022-03-24 13:50:48 +01:00
Jussi Kukkonen
6819d4174a verify_release: Be specific about expected artifacts
Use a hard-coded list of artifacts that we expect to find in a
release. Specifically check that each of those files matches
the corresponding file in locally built release.

Also add two missing annotations.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-24 14:39:59 +02:00
Jussi Kukkonen
4392574ddf tests: Remove unused variables from generate_md
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-24 14:20:03 +02:00
dependabot[bot]
845441468e
build(deps): bump urllib3 from 1.26.8 to 1.26.9
Bumps [urllib3](https://github.com/urllib3/urllib3) from 1.26.8 to 1.26.9.
- [Release notes](https://github.com/urllib3/urllib3/releases)
- [Changelog](https://github.com/urllib3/urllib3/blob/1.26.9/CHANGES.rst)
- [Commits](https://github.com/urllib3/urllib3/compare/1.26.8...1.26.9)

---
updated-dependencies:
- dependency-name: urllib3
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-24 10:09:26 +00:00
Jussi Kukkonen
8071806e04 examples: Use the constructor default arguments
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-24 10:37:30 +02:00
Jussi Kukkonen
220e854c8e tests: Use the default Metadata constructor args
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-23 17:32:04 +02:00
Jussi Kukkonen
d2f8c99c19 Metadata API: Add default constructor arguments
This allows creating new metadata with less boilerplate:
    root = Metadata(Root())
    targets = Metadata(Targets())

Set reasonable default values for all the arguments -- version to
1, spec_version to current supported version, etc.

Expires does not have a good default value and my original plan was
to require expires argument to be set. That would mean an
incompatible API change though as arguments before expires would be
now optional... So expires now defaults to an arbitrary value of 1
day from moment of creation.

One noteworthy special case is consistent_snapshot where the default
value is True (since that's what we want people to use for new
metadata) but None is also used to imply that metadata does not contain
the field at all.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-23 17:25:40 +02:00
Jussi Kukkonen
65d6503e63 verify_release: Be explicit about PyPI version
We are interested in what pip thinks is the current tuf version: make
that explicit in method naming and comments.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-23 15:22:27 +02:00
Jussi Kukkonen
b7b035aea1
Merge pull request #1758 from ivanayov/updater_api_input_validation
Add tests for Updater input validation
2022-03-23 15:17:48 +02:00
Jussi Kukkonen
05c295987a
Merge pull request #1915 from MVrachev/test-statics-data-generation
Tests: provide a way to generate a simple metadata set
2022-03-23 15:14:46 +02:00
dependabot[bot]
02890d122e
build(deps): bump cryptography from 36.0.1 to 36.0.2
Bumps [cryptography](https://github.com/pyca/cryptography) from 36.0.1 to 36.0.2.
- [Release notes](https://github.com/pyca/cryptography/releases)
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/36.0.1...36.0.2)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-patch
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-23 12:55:30 +00:00
Lukas Pühringer
b272ac7734
Merge pull request #1918 from lukpueh/pin-direct-test-deps-only
build: pin direct test dependencies only
2022-03-23 13:54:47 +01:00
Lukas Puehringer
ec8a767c10 build: pin direct test dependencies
Fixes #1899
Reverts #1867

In #1867 we started pinning direct and transitive test
dependencies for stable test results, i.e. to not have an unnoticed
update of a used test tool (or their dependencies) break our tests.

This resulted in a dependabot updates inundating our PR tracker,
potentially obfuscating updates, which we care to address with
higher priority.

As a compromise we now only pin direct test dependencies, which
should still give us relatively stable test runs, while reducing
the spam.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-03-23 11:54:01 +01:00
Lukas Puehringer
1e9967b69a Revert "build: pin test requirements for deterministic CI"
This reverts commit 5643cecf68.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-03-23 11:51:37 +01:00
Martin Vrachev
384772efc3 Provide a way to generate a simple repository
I created a new script called "generate_md.py" which can be used
to easily generate a repository. Additionally, I created a new
test file making sure that the locally stored metadata files and
the newly generated metadata roles are the same.
This will allow us to test that we are not changing the metadata
file structure when making changes.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2022-03-22 18:13:54 +02:00
Martin Vrachev
69cc684230 gitattributes: make all JSON files end with LF
A really specific bug occurred on CI runs on all Windows machines
https://github.com/theupdateframework/python-tuf/runs/5467473050?check_suite_focus=true
where we weren't able to verify that what was generated is the same
as the stored on Git.

After research with Jussi, we found out that the problem comes not
from the content of the file that was generated, but because on Windows
Git proactively replaced all line endings for text files with CRLF symbol
("\r") this made the locally stored JSON files different from the one
generated.

We want to make sure such bugs doesn't occur again and that's why we
disable this behavior for all JSON files.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2022-03-22 16:42:00 +02:00
Jussi Kukkonen
53bacdf7e3 build: Add verify-release script
verify-release
* Builds a release from current commit
* Notifies if git describe does not match built version
* Notifies if built version is not the latest GitHub or PyPI version
* Asserts that the GitHub and PyPI release artifacts match the built
  release artifacts

This should be useful after release as any developer (or a CI job) can
easily verify that the release matches the sources in git.

Note that the last checks currently fail as the 1.0 build was not
reproducible. They should succeed after next release.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-22 14:47:17 +02:00
Lukas Pühringer
ff770eacd9
Merge pull request #1896 from ofek/modernize-metadata
Update package metadata
2022-03-22 13:15:47 +01:00
Jussi Kukkonen
1d166f0b4e
Merge pull request #1876 from jku/more-details-on-verify-failure
Logging and error message improvements
2022-03-21 14:21:44 +02:00
Jussi Kukkonen
d9f2d9d24a
Merge pull request #1707 from ivanayov/test_expired_metadata
Test expired metadata from cache
2022-03-21 14:19:01 +02:00
Lukas Pühringer
f2e80a82cb
Merge pull request #1843 from ivanayov/metadata_docstrings_imprv_follow_up
Improve docstrings in Metadata API to be more descriptive
2022-03-21 09:31:01 +01:00
Ivana Atanasova
8d4d9af70b Update expired metadata tests logic
This change improves the logic of expired metadata tests, so that
it is explicitly visible what the expiry time and the versions are
and when update/refresh is called in that period

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
2022-03-18 22:01:33 +02:00
Ivana Atanasova
d8d0486514 Fix expired metadata tests
This change fixes the expired metadata tests to mock `datetime`
as previously they mocked `time` incorrectly, which did not affect
update methods, as they use `datetime.datetime.utcnow()` to
calculate now

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
2022-03-18 19:53:50 +02:00