Commit graph

6224 commits

Author SHA1 Message Date
Jussi Kukkonen
c2edd30669 Metadata API: Make sure Signed.expires is UTC
* Most importantly use strftime() to serialize the datetime
* Force the timezone as UTC when deserializing

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-29 15:34:36 +02:00
Nurgaleev_Mansur_908
048d3b343b fix lint
Signed-off-by: Nurgaleev_Mansur_908 <mansur0158@gmail.com>
2024-02-28 15:29:44 +03:00
Nurgaleev_Mansur_908
93d9f8fa2d fix lint
Signed-off-by: Nurgaleev_Mansur_908 <mansur0158@gmail.com>
2024-02-27 22:13:17 +03:00
Nurgaleev_Mansur_908
53ac05d5d3 change utcnow() to now(timezone.utc)
Signed-off-by: Nurgaleev_Mansur_908 <mansur0158@gmail.com>
2024-02-27 21:57:46 +03:00
Jussi Kukkonen
143a69ba63 CI: Improve pull request template
Trying to make it clearer that
* testing locally is an option
* DCO is required

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-27 16:50:52 +02:00
Jussi Kukkonen
1b03ac240e docs: Improve CONTRIBUTING
* Remove outdated info on linters
* Move DCO info to the top: no-one will find it in the bottom

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-27 16:38:29 +02:00
Jussi Kukkonen
d8a43ac376
Merge pull request #2577 from theupdateframework/dependabot/github_actions/action-dependencies-c371c8bcbb
build(deps): bump the action-dependencies group with 1 update
2024-02-27 16:09:22 +02:00
Lukas Pühringer
c93c9ff10e
Merge pull request #2570 from jku/lint-use-github-output-format
Lint use GitHub output format
2024-02-27 09:13:38 +01:00
dependabot[bot]
62e7221afe
build(deps): bump the action-dependencies group with 1 update
Bumps the action-dependencies group with 1 update: [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish).


Updates `pypa/gh-action-pypi-publish` from 1.8.11 to 1.8.12
- [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases)
- [Commits](2f6f737ca5...e53eb8b103)

---
updated-dependencies:
- dependency-name: pypa/gh-action-pypi-publish
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-27 08:12:31 +00:00
Lukas Pühringer
331863e61d
Merge pull request #2571 from jku/more-lint
lint: Start using ruff ruleset "flake8-bandit"
2024-02-27 09:11:40 +01:00
Lukas Pühringer
27842f79f4
Merge pull request #2574 from theupdateframework/dependabot/pip/test-and-lint-dependencies-cffe165f11
build(deps): bump the test-and-lint-dependencies group with 1 update
2024-02-27 08:58:45 +01:00
Jussi Kukkonen
9fb3789fac
Merge pull request #2575 from theupdateframework/dependabot/github_actions/action-dependencies-72ac0db588
build(deps): bump the action-dependencies group with 1 update
2024-02-27 08:57:02 +02:00
Jussi Kukkonen
dcf670b129
Merge pull request #2576 from theupdateframework/dependabot/pip/dependencies-65297a6c9f
build(deps): bump the dependencies group with 1 update
2024-02-27 08:55:46 +02:00
dependabot[bot]
bad80547fd
build(deps): bump the dependencies group with 1 update
Bumps the dependencies group with 1 update: [cryptography](https://github.com/pyca/cryptography).


Updates `cryptography` from 42.0.4 to 42.0.5
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/42.0.4...42.0.5)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-26 21:50:48 +00:00
dependabot[bot]
10917d9cc6
build(deps): bump the action-dependencies group with 1 update
Bumps the action-dependencies group with 1 update: [actions/download-artifact](https://github.com/actions/download-artifact).


Updates `actions/download-artifact` from 4.1.2 to 4.1.3
- [Release notes](https://github.com/actions/download-artifact/releases)
- [Commits](eaceaf801f...87c55149d9)

---
updated-dependencies:
- dependency-name: actions/download-artifact
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: action-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-26 21:50:43 +00:00
dependabot[bot]
a98556f0a7
build(deps): bump the test-and-lint-dependencies group with 1 update
Bumps the test-and-lint-dependencies group with 1 update: [coverage](https://github.com/nedbat/coveragepy).


Updates `coverage` from 7.4.2 to 7.4.3
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.4.2...7.4.3)

---
updated-dependencies:
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-26 21:40:03 +00:00
Jussi Kukkonen
009566aa23 lint: Start using ruff ruleset "flake8-bandit"
* Remove bandit
* Add ruff ruleset "flake8-bandit"
* verify_release is now checked by bandit
  * Avoid some asserts as suggested
  * ignore a subprocess.run lint: it seems dumb
* ignore all bandit rules for tests and examples (just like before)

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-23 18:27:29 +02:00
Jussi Kukkonen
d85cde5e8e lint: Use GitHub output format on GitHub
This should enable inline annotations.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-22 15:55:00 +02:00
Lukas Pühringer
52fa73a32d
Merge pull request #2436 from lukpueh/add-dsse
Add basic DSSE equivalent for Metadata API and configurable DSSE support in ngclient
2024-02-22 14:18:13 +01:00
Lukas Puehringer
4005e766b4 Add LengthOrHashMismatchError back to metadata.
22b2726413 claims to add all names
that were moved to the internal _payload module back to metadata.

LengthOrHashMismatchError was not added back. Now it is.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-22 13:48:21 +01:00
Lukas Pühringer
1e8820930e
Update tuf/ngclient/_internal/trusted_metadata_set.py
Co-authored-by: Jussi Kukkonen <jku@goto.fi>
Signed-off-by: Lukas Pühringer <luk.puehringer@gmail.com>
2024-02-22 13:43:44 +01:00
Jussi Kukkonen
3077932a98
Merge pull request #2569 from jku/enable-pycodestyle-in-tests
lint: Enable pycodestyle in tests
2024-02-22 13:37:21 +02:00
Jussi Kukkonen
9dcb0ea9fb
Merge pull request #2561 from jku/fix-diff-hunk-headers
gitattributes: Fix diff hunk headers
2024-02-22 13:37:03 +02:00
Jussi Kukkonen
d787c18f82
Merge pull request #2563 from theupdateframework/dependabot/pip/dependencies-9cb123f56e
build(deps): bump the dependencies group with 1 update
2024-02-21 22:15:41 +02:00
Jussi Kukkonen
c24ad717cf
Merge pull request #2562 from theupdateframework/dependabot/pip/test-and-lint-dependencies-9f6ee09b19
build(deps): bump the test-and-lint-dependencies group with 2 updates
2024-02-21 22:12:44 +02:00
Jussi Kukkonen
56b362ab78 lint: Enable pycodestyle in tests
Only leave E501 (line-too-long) disabled: There is a lot of embedded
test data that is not formatted according to the rules.

Fixes #2568

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-21 22:08:43 +02:00
Lukas Puehringer
b6fa05b01f Revert "examples: support dsse in example client"
This reverts commit b279745886.

... plus related changes from:
 "ngclient: change envelope type config to flag".

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 17:26:02 +01:00
Lukas Puehringer
f5826c0c41 Revert "ci: temporarily lower min coverage (wip)"
This reverts commit b46132ccdcc08b8b3a5c819c04803bfecc62a318.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 17:02:31 +01:00
Lukas Puehringer
0f64cf4c91 tests: add basic tests for dsse support
* Add API tests for SimpleEnvelope
  This is not as comprehensive as Metadata API. The latter also includes
  tests for all payload classes, which should cover the same scenarios as
  if used with SimpleEnvelope.

* Add unit test for newly added simple envelope load helper function in
  trusted metadata set.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 17:02:15 +01:00
Lukas Puehringer
8eb6f08a5c ngclient: replace internal wrapping interface
The internal wrapping interface to case handle deserialization and
verification of traditional metadata vs. simple envelopes inside
trusted metadata set might be a more complicated solution than
necessary.

This removes the interface and instead adds the methods of the interface
implementations as helpers to trusted metadata set, and updates it to
to call one or the other function based on the envelope type
configuration flag.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 17:01:13 +01:00
Lukas Puehringer
1897f9a652 ngclient: change envelope type config to flag
The flag allows adding other envelope types in the future (unlikely),
or parallel support (`METADATA & SIMPLE`) without breaking the API.

Internally, the flag is now just passed on to TrustedMetadataSet as
mandatory parameter. (Optional parameters make less sense when we
control all the invocations.)

This change requires updating all invocations of TrustedMetadataSet,
including the duplication of a test function.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 16:59:55 +01:00
Lukas Puehringer
8544bbd6f1 Envelope API: rename, add docs, add alias
* Rename Envelope to SimpleEnvelope:
  Envelope should be the generic term in this context for something that
  contains a payload and signatures. SimpleEnvelope is the specific
  DSSE implementation (just like Metadata is the specific traditional
  canonical JSON -based TUF envelope implementation).

* Add SimpleEnvelope class and method docstrings.

* Add convenience alias for ``self.signatures`` mapped to keyids for
  compatibility with Metadata.signatures.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 16:59:55 +01:00
Lukas Puehringer
01ba0cdb02 ci: temporarily lower min coverage (wip)
This is a poc implementation. If accepted, tests will be added and this
commit can be reverted.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 16:59:55 +01:00
Lukas Puehringer
b279745886 examples: support dsse in example client
Add `--use-dsse` flag to `download` subcommand of example client, which
can be used to indicate that all metadata is expected to come in a DSSE
envelope.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 16:59:55 +01:00
Lukas Puehringer
5fab6355ab ngclient: support dsse in Updater
* Add `use_dsse` updater config parameter which indicates, if an updater
  instance expects metadata to come in a DSSE envelope.

* Update TrustedMetadataSet to take an Unwrapper instance.

* Update Updater, to pass an EnvelopeUnwrapper to TrustedMetadataSet, if
  configured with `use_dsse`.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 16:59:41 +01:00
Lukas Puehringer
d859bac7f8 ngclient: add EnvelopeUnwrapper implementation
Add Unwrapper implementation for DSSE Envelope. The order of
deserialization and signature verification differs from traditional
Metadata.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 16:35:20 +01:00
Lukas Puehringer
b422afe0a4 Envelope API: add dsse equivalent for Metadata API
Add Envelope class with basic de/serialization methods, currently
hardcoded to JSON.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 16:34:53 +01:00
Lukas Puehringer
cb9aa4a362 ngclient: use Unwrapper in TrustedMetadataSet
Change TrustedMetadataSet to load and verify metadata using a
MetadataUnwrapper instance.

IMPORTANT NOTES:
* Requires changing the TrustedMetadataSet to store payloads only, which
  is okay, because signatures are no longer needed, after being verified
  at load time.

* Includes a minor re-ordering of validation steps.  That is, the
  version increment for root metadata is now checked after signature
  verification. Preserving the order would require including the check in
  the Unwrapper interface, which is feasible but does not seem correct wrt
  separation of responsibility.

Changes are adopted in updater, tests and _localrepo.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 16:24:29 +01:00
Lukas Puehringer
48af058953 ngclient: add Unwrapper interface and implementation
Add internal payload unwrapper interface and implementation for payloads
wrapped in Metadata.

This is an abstraction over behavior --  load signature wrapper, verify
signatures over payload, return deserialized payload -- which is common
for relevant signature wrappers (Metadata, DSSE Envelope), but performed
differently / in different order.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 16:21:02 +01:00
Lukas Puehringer
22b2726413 Metadata API: move inner classes to internal module
Allows to simultanously use those classes in different container /
signature wrapper APIs, e.g. Metadata API and Envelope API (DSSE).

All moved classes are imported into tuf.api.metadata scope for
backwards-compatibility.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2024-02-21 16:20:55 +01:00
dependabot[bot]
811767a5bd
build(deps): bump the dependencies group with 1 update
Bumps the dependencies group with 1 update: [cryptography](https://github.com/pyca/cryptography).


Updates `cryptography` from 42.0.3 to 42.0.4
- [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst)
- [Commits](https://github.com/pyca/cryptography/compare/42.0.3...42.0.4)

---
updated-dependencies:
- dependency-name: cryptography
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-21 15:03:52 +00:00
dependabot[bot]
3900ea704c
build(deps): bump the test-and-lint-dependencies group with 2 updates
Bumps the test-and-lint-dependencies group with 2 updates: [ruff](https://github.com/astral-sh/ruff) and [coverage](https://github.com/nedbat/coveragepy).


Updates `ruff` from 0.2.1 to 0.2.2
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](https://github.com/astral-sh/ruff/compare/v0.2.1...v0.2.2)

Updates `coverage` from 7.4.1 to 7.4.2
- [Release notes](https://github.com/nedbat/coveragepy/releases)
- [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst)
- [Commits](https://github.com/nedbat/coveragepy/compare/7.4.1...7.4.2)

---
updated-dependencies:
- dependency-name: ruff
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
- dependency-name: coverage
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: test-and-lint-dependencies
...

Signed-off-by: dependabot[bot] <support@github.com>
2024-02-21 15:01:51 +00:00
Lukas Pühringer
76f39f52ef
Merge pull request #2558 from NicholasTanz/replaceLintingTools
Replace most linting tools with ruff
2024-02-21 15:59:03 +01:00
Jussi Kukkonen
b5f5957b15 gitattributes: Fix diff hunk headers
Git is really bad at identifying the correct Python function
in the diff hunk headers (this is a change in Metadata.sign()):

    @@ -384,7 +384,7 @@ class Metadata(Generic[T]):

Amazingly there is much better context detection built-in, just not
enabled. The same diff hunk headers with this commit looks like:

    @@ -384,7 +384,7 @@ def sign(

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-21 13:12:57 +02:00
E3E
f156e21537 remove pylint and suppressed inline errors from pylint
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-20 22:57:53 -05:00
E3E
da38b473bd add pylint ruleset to ruff
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-20 16:04:06 -05:00
E3E
73842c97b8 reformat docstrings and supress small errors inline
Signed-off-by: E3E <ntanzill@purdue.edu>
2024-02-20 15:19:33 -05:00
Jussi Kukkonen
b5bb27fa94
Merge pull request #2560 from jku/tweak-sign-failure
metadata API: Tweak exception message on sign failure
2024-02-20 15:13:12 +02:00
Jussi Kukkonen
3b65c2217b metadata API: Tweak exception message on sign failure
I still don't know how we should handle failures in signing
(maybe just let all of the weird exceptions raise instead of wrapping
them) but this makes the wrapping error at least a bit more useful.

Signed-off-by: Jussi Kukkonen <jkukkonen@google.com>
2024-02-20 14:39:50 +02:00
Jussi Kukkonen
c4c4de3ff1
Merge pull request #2559 from theupdateframework/dependabot/pip/dependencies-22b2fa18e9
build(deps): bump the dependencies group with 2 updates
2024-02-20 10:07:47 +02:00