Commit graph

6224 commits

Author SHA1 Message Date
Ivana Atanasova
cab99f58b6 Verify validation is performed from local metadata
This change verifies that when local metadata has expired, it is
still used to verify new metadata that's pulled from remote

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
2022-03-18 19:53:50 +02:00
Ivana Atanasova
15c8d80b8a Test expired metadata from cache
This tests that an expired timestamp/snapshot/targets when loaded
from cache is not stored as final but is used to verify the new
timestamp

Fixes #1681

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
2022-03-18 19:53:50 +02:00
Ivana Atanasova
e26363cf6a Add tests for Updater input validation
This test covers `targetinfo`, `target_path`, `target_base_url`,
`metadata_dir` and `filepath` input validation of the `Updater`
methods

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
2022-03-18 18:59:05 +02:00
Ivana Atanasova
e71aa4a7d7 Improve Signer docstrings in Metadata API
Change to @lukpueh proposal with more clarification on why and how
the `securesystemslib.signer.Signer` interface is used

Co-authored-by: Lukas Pühringer <luk.puehringer@gmail.com>

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
2022-03-18 18:32:25 +02:00
Ivana Atanasova
db7fbb21fa Improve docstrings in Metadata API to be more descritpive
This change updates some parts of the Metadata API docstrings
that did not give enough details and context

Fixes #1600

Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
2022-03-18 18:32:25 +02:00
Ofek Lev
98db711cca Update package metadata
Signed-off-by: Ofek Lev <ofekmeister@gmail.com>
2022-03-18 11:30:07 -04:00
Lukas Pühringer
9c8622d125
Merge pull request #1908 from MVrachev/update-spec-ver
Use spec version from tuf/api/metadata in examples
2022-03-17 16:37:59 +01:00
Martin Vrachev
06118843ca Use spec version from tuf/api/metadata in examples
Replace the hardcoded specification version with the one defined inside
tuf/api/metadata.py

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2022-03-17 15:41:05 +02:00
Jussi Kukkonen
8ac7167f8d
Merge pull request #1900 from joshuagl/joshuagl/build-nits
Minor, mostly packaging, clean-ups
2022-03-11 14:19:59 +02:00
Joshua Lock
150bfd0eec gitignore: fix directory patterns
Fix the directory ignore patterns to ignore the entire directories,
including child directories.
https://git-scm.com/docs/gitignore#_pattern_format

Co-authored-by: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
2022-03-09 11:54:15 +00:00
Joshua Lock
22fee97dc3 setup: remove upper bound limit on python_requires
Setting upper bound version constraints in libraries is a source of
problems for users of those libraries, see:
https://iscinumpy.dev/post/bound-version-constraints/

The intent of the python-tuf version constraint is to ensure we're
using a version of Python which supports all the features we rely
on, this is a better fit for a lower limit.

Suggested-by: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
2022-03-09 11:53:55 +00:00
Joshua Lock
430bdf5750 test: use tox isolated environments
Enable tox isolated environments to perform build operations in a virtual
environment.
See https://tox.wiki/en/latest/config.html#conf-isolated_build

Co-Authored-By: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
2022-03-09 11:53:49 +00:00
Joshua Lock
0d2f6951a7 Remove redundant comment about version
The version is no longer duplicated in setup.cfg (since 5155ba74), so remove
redundant TODO suggesting folks update in two places.

Co-authored-by: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
2022-03-09 11:53:13 +00:00
Jussi Kukkonen
e7037cf8c4
Merge pull request #1860 from MVrachev/serialization-bytes-array
Metadata test full serialization cycle
2022-03-07 11:14:31 +02:00
Jussi Kukkonen
29e4e63d46
Merge pull request #1895 from jku/single-source-version
Single source version number
2022-03-04 13:32:26 +02:00
Jussi Kukkonen
bf511ec0c6 docs: Update release docs
* version number is single sourced now
* Mention that using pip against test.pypi.org is unsafe
* Fix some filenames in the examples

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-03 16:04:08 +02:00
Jussi Kukkonen
5155ba7431 build: Single source version number
As of setuptools 46.4.0, one can accomplish single source version
number with
    version = attr: package.__version__
in setup.cfg: As long as setuptools simplified AST parser is able to
read the file, this works without actually importing anything.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-03-03 15:30:13 +02:00
Jussi Kukkonen
248dabddd8
Merge pull request #1892 from theupdateframework/dependabot/github_actions/actions/checkout-3
build(deps): bump actions/checkout from 2.4.0 to 3
2022-03-02 14:54:15 +02:00
dependabot[bot]
38b5e07f62
build(deps): bump actions/checkout from 2.4.0 to 3
Bumps [actions/checkout](https://github.com/actions/checkout) from 2.4.0 to 3.
- [Release notes](https://github.com/actions/checkout/releases)
- [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md)
- [Commits](ec3a7ce113...a12a3943b4)

---
updated-dependencies:
- dependency-name: actions/checkout
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-02 10:21:30 +00:00
Jussi Kukkonen
0504866236
Merge pull request #1891 from theupdateframework/dependabot/github_actions/actions/setup-python-3
build(deps): bump actions/setup-python from 2.3.2 to 3
2022-03-01 16:05:31 +02:00
dependabot[bot]
311120a192
build(deps): bump actions/setup-python from 2.3.2 to 3
Bumps [actions/setup-python](https://github.com/actions/setup-python) from 2.3.2 to 3.
- [Release notes](https://github.com/actions/setup-python/releases)
- [Commits](7f80679172...0ebf233433)

---
updated-dependencies:
- dependency-name: actions/setup-python
  dependency-type: direct:production
  update-type: version-update:semver-major
...

Signed-off-by: dependabot[bot] <support@github.com>
2022-03-01 10:21:10 +00:00
Lukas Pühringer
84486191fe
Merge pull request #1887 from jku/remove-blog-header-links
docs: Clean up blog header
2022-03-01 09:47:24 +01:00
Jussi Kukkonen
a74f7a1762
Merge pull request #1775 from MVrachev/validation-during-serialization
Add  a "validate" argument option to JSONSerializer.

The argument defaults to false: by default serialization works exactly as before.
2022-02-28 15:57:43 +02:00
Martin Vrachev
6ea5372edb Take order into account for certain cases
After we have dropped OrderedDict in e3b267e2e0
we are relying on python3.7+ default behavior to preserve the insertion
order, but there is one caveat.
When comparing dictionaries the order is still irrelevant compared to
OrderedDict. For example:
>>> OrderedDict([(1,1), (2,2)]) == OrderedDict([(2,2), (1,1)])
False
>>> dict([(1,1), (2,2)]) == dict([(2,2), (1,1)])
True

There are two special attributes, defined in the specification, where
the order makes a difference when comparing two objects:
- Metadata.signatures
- Targets.delegations.roles.
We want to make sure that the order in those two cases makes a
difference when comparing two objects and that's why those changes
are required inside two __eq__ implementations.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2022-02-28 14:42:06 +02:00
Martin Vrachev
a17ceda4e5 Add "validation" arg in JSONSerializer
If the "validation" argument is set then when
serializing the metadata object will be validated.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2022-02-28 14:42:06 +02:00
Martin Vrachev
5d24956ded Test __eq__ implementation for all classes
Test the "__eq__" implementation for all classes defined in
tuf/api/metadata.py
The tests are many but simple. The idea is to test each of the metadata
classes one by one and with this to make sure there are no possible
cases missed.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2022-02-28 14:42:06 +02:00
Martin Vrachev
30a707c297 Add __eq__ to classes in Metadata API
By adding __eq__ we can compare that two objects are equal.
That will be useful when adding validation API call.

One bug I have found during testing is that I don't check if the type
of "other" in the __eq__ implementations are the expected ones.
I assumed that when comparing "root == obj" if "obj" is None that
automatically the result will be false.
Later after a mypy warning, I realized we should implement the __eq__
methods to accept "Any" type as other and we should check manually
that "other" is the expected type.

Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
2022-02-28 14:42:04 +02:00
Jussi Kukkonen
45e8898d4a docs: Clean up blog header
Minima theme by default adds all files in blog root (docs/) as links in
the header. This looks ridiculous in our case: let's just have a link to
blog front page.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-28 12:01:06 +02:00
Lukas Pühringer
a75abe36f0
Merge pull request #1886 from jku/add-development-blog
Add development blog
2022-02-28 10:39:36 +01:00
Jussi Kukkonen
5ee575ef33 docs: Add a new 200px icon
Also rename the existing icon so differences are obvious.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-25 10:54:08 +02:00
Jussi Kukkonen
e78ffc18f9 docs: Add a blog post
This is https://ssl.engineering.nyu.edu/blog/2022-02-21-tuf-1_0_0
only slightly modified (the logo would break the excerpts in the index
page so I moved it a bit).

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-24 16:12:34 +02:00
Jussi Kukkonen
92c7721d02 docs: Add blog configuration
Add config for GitHub Pages so that we can use it as a project blog.
* _config.yml is jekyll configuration
* index.md contains description and title for the blog main page.
* Any files matching "_posts/YYYY-MM-DD-TITLE.md" are considered posts

The Github Pages configuration only allows "/" or "/docs/" as the Jekyll
root directory: The clutter in docs/ is annoying but otherwise this is a
very easy setup.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-24 16:07:18 +02:00
Lukas Pühringer
84c632ee8d
Merge pull request #1867 from lukpueh/update-req-pinned
build: pin test requirements for deterministic CI
2022-02-22 11:04:02 +01:00
Jussi Kukkonen
fc1558bfd4 Metadata API: Log details of verify error
We don't want to error out from the whole verify_delegate() process if
e.g. a single key fails to load but we do want to provide details for
debugging in the unexpected failure cases.

This means "example_client -vv  download file1.txt" fails like this:

    Found trusted root in /home/jku/.local/share/python-tuf-client-example
    INFO:tuf.api.metadata:Key
4e777de0d275f9d28588dd9a1606cc748e548f9e22b6795b7cb3f63f98035fcb failed
to verify sig: Failed to load PEM key bogus-key-content-here
    INFO:tuf.api.metadata:Key 4e777de0d275f9d28588dd9a1606cc748e548f9e22b6795b7cb3f63f98035fcb failed to verify root
    Failed to download target x: root was signed by 0/1 keys

Fixes #1875

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-21 16:35:49 +02:00
Jussi Kukkonen
d4814e86d8 Metadata API: Add messages to serialization errors
We can't really add any details but this at least means
printing the error works.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-21 16:04:55 +02:00
Jussi Kukkonen
03d023219b
Merge pull request #1873 from jku/1.0.0-release
1.0.0 release
2022-02-21 12:41:44 +02:00
Jussi Kukkonen
46f5bb7470 python-tuf version 1.0.0 \o/
* Update Changelog
* Update version numbers

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-18 15:24:33 +02:00
Jussi Kukkonen
70466ae234 __init__.py: Remove unused constant
Metadata API defines a specification version it supports already,
and that one is updated to the actual specification version we
produce.

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-18 15:24:33 +02:00
Lukas Puehringer
b678de8c8b doc: reword announcement about upcoming 1.0.0
Change docs in preparation of close v1.0.0 release.

- Remove important notice about upcoming 1.0.0 release from README
- Reword 1.0.0-ANNOUNCEMENT.md to not sound outdated after release

Co-authored-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-18 15:23:37 +02:00
Lukas Pühringer
fc9b42fa5d
Merge pull request #1871 from lukpueh/rm-authors-txt
doc: update acknowledgements and rm AUHTORS.txt
2022-02-16 13:29:09 +01:00
Lukas Pühringer
217a508b35
Merge pull request #1870 from jku/github-script-v6
github: Update github-script to 6.0.0
2022-02-16 11:40:02 +01:00
Lukas Puehringer
c5e787c328 CI: remind to update contributor acknowledgement
Add optional task to  maintainer permission review reminder
checklist that suggests to also update the list of significant
contributors in README.md#acknowledgements.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-02-16 11:09:25 +01:00
Lukas Puehringer
5845c8992c doc: update acknowledgements and rm AUHTORS.txt
Update README.md#Acknowledgements
- Reword to acknowledge maintainer contributions as well
- Remove names that are mentioned in maintainers document
- Remove duplicate Konstantin Andrianov
  Santiago Torres-Arias, Sebastien Awwad, Trishank Kuppusamy,
  Vladimir Diaz)
- Add new significant contributors
  (Ivana Atanasova, Kairo de Araujo, Martin Vrachev)

Remove unmaintained AUTHORS.txt, which lists many individuals and
organisations that are/were not affiliated with 'python-tuf', but
other projects in the TUF ecosystem (Thandy, Notary, etc.) and
thus is not suited for this repository.
-> theupdateframework.io#38

Caveats:
- Significant contributors means  top ~20 committers sorted by
  commit count (`git shortlog -s`).
- The Acknowledgements section might miss significant contributors,
  if they contributed by other means than git commits in this repo.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-02-16 11:01:18 +01:00
Jussi Kukkonen
d806b62e03 github: Update github-script to 6.0.0
The big change is runtime update from nodejs 12 to nodejs 16: does not
seem to affect us.

Dependabot got confused so this update is done manually to v6.0.0
release commit:
https://github.com/actions/github-script/releases/tag/v6.0.0

Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
2022-02-16 10:13:41 +02:00
Lukas Pühringer
0b64056ca4
Merge pull request #1868 from lukpueh/minor-doc-updates
doc: minor updates in readme and reference docs
2022-02-15 14:55:52 +01:00
Lukas Puehringer
7a13933af6 doc: remove note about unstable API in RTD docs
The API is no longer unstable.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-02-15 13:46:19 +01:00
Lukas Puehringer
24561bc4bb doc: minor readme updates
- Add generic opening sentence that says what TUF actually does.
- Add link to #tuf channel on CNCF slack to contact section

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-02-15 13:46:12 +01:00
Lukas Puehringer
5643cecf68 build: pin test requirements for deterministic CI
Configures tox to use a pinned requirements file for deterministic
CI builds, i.e. our CI shouldn't start failing because of an
incompatible upstream release of any of our testing tools:

NOTE: pinned tuf runtime requirements were already were already
used for test builds before (included via `-r
requirements-pinned.txt` in 'requirements-test.txt'). Now they are
explicitly listed in 'requirements-test-pinnned.txt'.

'requirements-test-pinnned.txt' was generated semi-automatically by
running pip-compile over 'requirements-test.txt' for each
supported/tested Python version (see snippet below) and manually
merging the resulting per-Python version requirements files into
one, adding environment markers as needed.

```
for ver in 3.7.12 3.8.12 3.9.9 3.10.0; do
  pyenv virtualenv ${ver} tuf-env-${ver}
  pyenv activate tuf-env-${ver}
  python3 -m pip install -U pip pip-tools
  pip-compile --no-header --annotation-style line \
      -o requirements-test-pinned-${ver}.txt \
      requirements-test.txt
  pyenv deactivate
  pyenv uninstall -f tuf-env-${ver}
done
```

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2022-02-15 12:27:49 +01:00
Jussi Kukkonen
7dc057adab
Merge pull request #1865 from lukpueh/update-req-pinned
dep: update pinned requirements
2022-02-14 14:12:26 +02:00
Jussi Kukkonen
899b762119
Merge pull request #1853 from lukpueh/update-install-docs
doc: update installation documentation
2022-02-14 14:10:37 +02:00