The class has been removed from securesystemslib as its desirable
features are no longer required and its behavioural inconsistencies
with a standard Python file object are confusing. Therefore remove
uses of the class from TUF.
Signed-off-by: Joshua Lock <jlock@vmware.com>
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
securesystemslib PR #162 removed implicit encoding of data to bytes
in securesystemslib.keys.[create_signature|verify_signature]
Update to encode data where required.
Signed-off-by: Joshua Lock <jlock@vmware.com>
Since https://github.com/theupdateframework/tuf/pull/781 we
only provide limited protection against slow retrieval attacks.
So far this has only been discussed in above issue and hinted at
by a disabled test and a code comment in that test.
This change adds a corresponding disclaimer to a more prominent
place, i.e. the list of attacks in SECURITY.md.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Co-Authored-By: Trishank K Kuppusamy <33133073+trishankatdatadog@users.noreply.github.com>
Test that client does not rotate beyond a configured upper bound,
i.e. `current_version + MAX_NUMBER_ROOT_ROTATIONS`
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Test that a client whose root is outdated by multiple versions and
who has none of the latest nor next-to-latest root keys can still
update and does so by incrementally verifying all roots until the
most recent one.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
This commit also updates the key loader helper in
test_updater_root_rotation_integration.py to load
the new keys too.
The keys were created (at the root of the repository) like
so:
```
from tuf import repository_tool
repository_tool.generate_and_write_ed25519_keypair(
"tests/repository_data/keystore/root_key2", "password")
repository_tool.generate_and_write_ed25519_keypair(
"tests/repository_data/keystore/root_key3", "password")
```
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
- remove duplicate ROLENAME_SCHEMA and ROLEDICT_SCHEMA
- remove outdated and duplicate ROLE_SCHEMA
Note that this is a quick fix that may be overridden with
refactoring work in #660/#846.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Update astroid from 2.2.5 to 2
Update gitdb2 from 2.0.5 to 2.0.6
Update pylint from 2.3.1 to 2.4.2
Update urllib3 from 1.25.5 to 1.25.6
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
The interposition sub-package was removed in #537.
This commits removes obsolete mentions of 'interposition' from code
comments and documentation.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Pylint now has a "redeclared-assigned-name" check that
gets triggered if we re-use our custom "junk" unused var
name. It does not if we use the "_" default unused var name.
So let's use "_" then.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Remove only wrappers and corresponding tests that don't add any
new functionality, but blindly forward the caller to sslib, where
the same function exists and is tested.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Import some API functions from repository_lib and securesystemslib
directly into repository_tool and developer_tool, instead of
providing them via wrapper.
Also short-circuit some functions that used to point to
securesystemslib through repository_lib.
This reverts parts of 6f7ba76b9b,
which introduced some of the wrappers to appease the linter.
Here we just disable that specific linter check (unused-import).
The advantage of importing over wrapping is:
- no duplication of hardcoded defaults for keyword arguments
- no duplication of docstrings
- less code --> easier maintenance
This should also pave the way for more serious refactoring
of the repository- and developer-tools:
https://github.com/theupdateframework/tuf/issues/840
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Add hint to install `coverage` before using it.
This should be installed via dev-requirements.txt, however it
does not seem to fit in there, because dev-requirements.txt pins
all its dependencies which does not seem to make sense for a
development tool.
Maybe a hierarchy of requirements.txt similar to
06a28987dc
could be established.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Locally merging #880 to fix code style issue (missing whitespace).
Note: the PR had an unwanted documentation patch that is excluded
from this merge.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Before we used pip analysis strategy, which also includes
test/build dependencies in the scan (pylint, bandit, tox, etc...).
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Note that we can't keep the FOSSA_API_TOKEN secret (e.g. via
Travis encrypted or repository setting environment variables),
because those are not available for PRs from forked repository.
Therefor we use a non-confidential push only API token.
For details see https://docs.fossa.com/docs/travisci and
https://docs.fossa.com/docs/api-reference#section-push-only-api-token
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Update cffi from 1.12.2 to 1.12.3
Update cffi from 1.12.2 to 1.12.3
Update configparser from 3.7.4 to 4.0.2
Update cryptography from 2.6.1 to 2.7
Update cryptography from 2.6.1 to 2.7
Update gitpython from 2.1.11 to 3.0.2
Update isort from 4.3.17 to 4.3.21
Update lazy-object-proxy from 1.3.1 to 1.4.2
Update pbr from 5.1.3 to 5.4.3
Update pluggy from 0.9.0 to 0.13.0
Update pyyaml from 5.1 to 5.1.2
Update requests from 2.21.0 to 2.22.0
Update requests from 2.21.0 to 2.22.0
Update stevedore from 1.30.1 to 1.31.0
Update tox from 3.8.6 to 3.14.0
Update virtualenv from 16.4.3 to 16.7.5
Update wrapt from 1.11.1 to 1.11.2
Update certifi from 2019.3.9 to 2019.9.11
Update urllib3 from 1.24.2 to 1.25.3
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>