Commit graph

3447 commits

Author SHA1 Message Date
pyup-bot
bbad693080 Update asn1crypto from 1.0.1 to 1.1.0
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-15 11:37:33 +02:00
Justin Cappos
6138395114
Merge pull request #921 from lukpueh/bump_version_0.12.0-dev0
Bump version 0.12.0
2019-10-14 15:52:12 -04:00
Lukas Puehringer
9a8e3c9ef9 setup.py/__init__.py: bump version to v0.12.0
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-14 16:47:16 +02:00
Lukas Puehringer
3b77a7d320 CHANGELOG: Add 0.12.0 entry
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-14 16:47:16 +02:00
lukpueh
536fed7358
Merge pull request #934 from lukpueh/update-sslib-0.12.0
Update securesystemslib to 0.12.0
2019-10-14 16:46:05 +02:00
Joshua Lock
78356eff44 Remove uses of securesystemslib.util.TempFile
The class has been removed from securesystemslib as its desirable
features are no longer required and its behavioural inconsistencies
with a standard Python file object are confusing. Therefore remove
uses of the class from TUF.

Signed-off-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-14 12:37:34 +02:00
Joshua Lock
f5c168d4e6 Explicitly encode data passed to securesystemslib.keys
securesystemslib PR #162 removed implicit encoding of data to bytes
in securesystemslib.keys.[create_signature|verify_signature]

Update to encode data where required.

Signed-off-by: Joshua Lock <jlock@vmware.com>
2019-10-14 12:26:31 +02:00
Lukas Puehringer
2342e18e45 Update securesystemslib dependency to 0.12.0
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-14 12:26:26 +02:00
lukpueh
232a4d6097
Merge pull request #928 from lukpueh/add-slow-retrieval-disclaimer
Add disclaimer about limited slow retrieval attack protection
2019-10-11 09:43:51 +02:00
Lukas Puehringer
42a4cee56c Add slow retrieval disclaimer
Since https://github.com/theupdateframework/tuf/pull/781 we
only provide limited protection against slow retrieval attacks.
So far this has only been discussed in above issue and hinted at
by a disabled test and a code comment in that test.

This change adds a corresponding disclaimer to a more prominent
place, i.e. the list of attacks in SECURITY.md.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Co-Authored-By: Trishank K Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
2019-10-10 16:43:46 +02:00
lukpueh
c097547ab2
Merge pull request #931 from theupdateframework/pyup-scheduled-update-2019-10-07
Scheduled weekly dependency update for week 40
2019-10-08 14:16:13 +02:00
pyup-bot
e75e0a2cc4 Update dependencies
Update asn1crypto from 0.24.0 to 1.0.1
Update gitpython from 3.0.2 to 3.0.3

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-08 09:49:45 +02:00
lukpueh
4f9faf107d
Merge pull request #930 from lukpueh/correctly-rotate-root-test
Add tests for multiple root key rotation
2019-10-08 09:44:10 +02:00
lukpueh
4d7bb69a77 Fix comment in root rotation updater test
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Co-Authored-By: Trishank K Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
2019-10-08 09:19:36 +02:00
Lukas Puehringer
3604c38c71 Add root rotation bounds updater test
Test that client does not rotate beyond a configured upper bound,
i.e. `current_version + MAX_NUMBER_ROOT_ROTATIONS`

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-07 11:59:40 +02:00
Lukas Puehringer
b0d9f103a2 Add full root rotation updater test
Test that a client whose root is outdated by multiple versions and
who has none of the latest nor next-to-latest root keys can still
update and does so by incrementally verifying all roots until the
most recent one.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-07 11:59:40 +02:00
Lukas Puehringer
250a3f32a6 Add two ed25519 key pairs for updater tests
This commit also updates the key loader helper in
test_updater_root_rotation_integration.py to load
the new keys too.

The keys were created (at the root of the repository) like
so:

```
from tuf import repository_tool
repository_tool.generate_and_write_ed25519_keypair(
    "tests/repository_data/keystore/root_key2", "password")
repository_tool.generate_and_write_ed25519_keypair(
    "tests/repository_data/keystore/root_key3", "password")

```

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-07 11:59:40 +02:00
Lukas Puehringer
3d342e648f Merge pull request #885 from trishankatdatadog:trishankatdatadog/correctly-rotate-root
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-07 11:54:59 +02:00
Trishank K Kuppusamy
fce6fa5b19 Remove space client.updater comment
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-07 11:52:24 +02:00
lukpueh
be601bbcd5
Merge pull request #929 from lukpueh/rm-duplicate-role-schemas
Remove duplicate role-related schemas
2019-10-05 13:06:10 +02:00
Lukas Puehringer
c6ad8e37ec Remove duplicate role-related schemas
- remove duplicate ROLENAME_SCHEMA and ROLEDICT_SCHEMA
- remove outdated and duplicate ROLE_SCHEMA

Note that this is a quick fix that may be overridden with
refactoring work in #660/#846.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-04 17:33:12 +02:00
lukpueh
b4e565f055
Merge pull request #926 from theupdateframework/pyup-scheduled-update-2019-09-30
Scheduled weekly dependency update for week 39
2019-10-02 16:13:06 +02:00
pyup-bot
6a39b04b5c Update dependencies
Update astroid from 2.2.5 to 2
Update gitdb2 from 2.0.5 to 2.0.6
Update pylint from 2.3.1 to 2.4.2
Update urllib3 from 1.25.5 to 1.25.6

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-10-02 14:35:29 +02:00
Justin Cappos
9fde70fbb3
Merge pull request #925 from tanjunchen/fix-up-typo
fix-up some spelling mistakes
2019-09-25 20:32:55 -04:00
chentanjun
04019a1bd8 fix-up some spelling mistakes
Signed-off-by: chentanjun <2799194073@qq.com>
2019-09-26 00:52:21 +08:00
lukpueh
df1c749d56
Merge pull request #919 from lukpueh/refactor-repository-api
Streamline TUFs crypto interface
2019-09-24 17:08:18 +02:00
lukpueh
e3e6542b88
Merge pull request #924 from lukpueh/rm-interposition-docs
Remove obsolete 'interposition' from docs
2019-09-24 16:00:49 +02:00
Lukas Puehringer
5d2898a13c Remove obsolete 'interposition' from docs
The interposition sub-package was removed in #537.
This commits removes obsolete mentions of 'interposition' from code
comments and documentation.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-24 14:31:54 +02:00
lukpueh
b33ac56f71
Merge pull request #923 from lukpueh/fix-pylint-warnings
Fix failing builds due to pylint 2.4.0 update
2019-09-24 14:21:28 +02:00
Lukas Puehringer
3f417b34b8 Use default "_" for consecutive unused var assign
Pylint now has a "redeclared-assigned-name" check that
gets triggered if we re-use our custom "junk" unused var
name. It does not if we use the "_" default unused var name.

So let's use "_" then.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-24 12:52:45 +02:00
Lukas Puehringer
caf750dccc Remove bogus self-assignment
Seems to be an artifact of a feature-removal (compression)
in 8de5c69f39.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-24 12:46:09 +02:00
lukpueh
6b4269c2af
Merge pull request #922 from theupdateframework/pyup-scheduled-update-2019-09-23
Scheduled weekly dependency update for week 38
2019-09-24 12:10:29 +02:00
pyup-bot
002eb82883 Update urllib3 from 1.25.3 to 1.25.5
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-24 11:47:13 +02:00
Lukas Puehringer
2e6a8cd03b Remove some repository_lib wrappers for sslib
Remove only wrappers and corresponding tests that don't add any
new functionality, but blindly forward the caller to sslib, where
the same function exists and is tested.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-18 18:08:54 +02:00
Lukas Puehringer
7306446118 Refactor repository and developer tool API
Import some API functions from repository_lib and securesystemslib
directly into repository_tool and developer_tool, instead of
providing them via wrapper.

Also short-circuit some functions that used to point to
securesystemslib through repository_lib.

This reverts parts of 6f7ba76b9b,
which introduced some of the wrappers to appease the linter.
Here we just disable that specific linter check (unused-import).

The advantage of importing over wrapping is:
- no duplication of hardcoded defaults for keyword arguments
- no duplication of docstrings
- less code --> easier maintenance

This should also pave the way for more serious refactoring
of the repository- and developer-tools:
https://github.com/theupdateframework/tuf/issues/840

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-18 18:08:54 +02:00
lukpueh
21c3285216
Merge pull request #892 from lukpueh/add-fossa-cli
Add fossa cli config for license scanning
2019-09-18 10:32:09 +02:00
lukpueh
f79ee33501
Merge pull request #915 from lukpueh/tox-with-sslib-master
Add sslib master tox build + flesh out test docs
2019-09-18 10:28:05 +02:00
Lukas Puehringer
86257f2729 Add extra installation instruction to contrib doc
Add hint to install `coverage` before using it.

This should be installed via dev-requirements.txt, however it
does not seem to fit in there, because dev-requirements.txt pins
all its dependencies which does not seem to make sense for a
development tool.

Maybe a hierarchy of requirements.txt similar to
06a28987dc
could be established.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-18 10:21:53 +02:00
Lukas Puehringer
48f35fce54 Merge branch 'lixuefeng2-for_format' into develop
Locally merging #880 to fix code style issue (missing whitespace).

Note: the PR had an unwanted documentation patch that is excluded
from this merge.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-17 13:13:56 +02:00
lixuefeng (Cloud)
5f891e81c8 just format
Signed-off-by: lixuefeng (Cloud) <li.xuefeng@h3c.com>
2019-09-17 13:11:48 +02:00
lukpueh
fdc0bc12a5
Merge pull request #876 from lixuefeng2/develop
Fix code style: add missing whitespace after operators
2019-09-17 12:57:48 +02:00
Lukas Puehringer
1c750ff125 Switch to fossa requirements analysis strategy
Before we used pip analysis strategy, which also includes
test/build dependencies in the scan (pylint, bandit, tox, etc...).

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-17 12:52:22 +02:00
Lukas Puehringer
e78b98913e Update fossa badge in README
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-17 12:52:22 +02:00
Lukas Puehringer
4907e2e2c7 Add fossa to travis config
Note that we can't keep the FOSSA_API_TOKEN secret (e.g. via
Travis encrypted or repository setting environment variables),
because those are not available for PRs from forked repository.
Therefor we use a non-confidential push only API token.

For details see https://docs.fossa.com/docs/travisci and
https://docs.fossa.com/docs/api-reference#section-push-only-api-token

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-17 12:52:16 +02:00
Lukas Puehringer
8ec4a05d8d Add pip analysis strategy to fossa config file
For fossa Python project configruation see:
https://github.com/fossas/fossa-cli/blob/master/docs/integrations/python.md

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-17 12:36:17 +02:00
Lukas Puehringer
b3d23a45ab Add auto-generated fossa-cli config file
Generated by running `fossa init`.

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-17 12:36:17 +02:00
lukpueh
f6bd090960
Merge pull request #912 from joshuagl/joshuagl/sslcompat
Use TUF specific formats as they have been removed from securesystemslib
2019-09-17 12:20:26 +02:00
lukpueh
824e7dbbaa
Merge pull request #916 from theupdateframework/pyup-scheduled-update-2019-09-16
Scheduled weekly dependency update for week 37
2019-09-17 12:12:49 +02:00
pyup-bot
089afa724f Update bandit from 1.5.1 to 1.6.2
Update cffi from 1.12.2 to 1.12.3

Update cffi from 1.12.2 to 1.12.3

Update configparser from 3.7.4 to 4.0.2

Update cryptography from 2.6.1 to 2.7

Update cryptography from 2.6.1 to 2.7

Update gitpython from 2.1.11 to 3.0.2

Update isort from 4.3.17 to 4.3.21

Update lazy-object-proxy from 1.3.1 to 1.4.2

Update pbr from 5.1.3 to 5.4.3

Update pluggy from 0.9.0 to 0.13.0

Update pyyaml from 5.1 to 5.1.2

Update requests from 2.21.0 to 2.22.0

Update requests from 2.21.0 to 2.22.0

Update stevedore from 1.30.1 to 1.31.0

Update tox from 3.8.6 to 3.14.0

Update virtualenv from 16.4.3 to 16.7.5

Update wrapt from 1.11.1 to 1.11.2

Update certifi from 2019.3.9 to 2019.9.11

Update urllib3 from 1.24.2 to 1.25.3

Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
2019-09-17 12:01:19 +02:00
lukpueh
6a145d027e
Merge pull request #855 from theupdateframework/adjust_to_removals_from_securesystemslib
Adjust to removals from securesystemslib
2019-09-17 11:31:12 +02:00