This allows creating new metadata with less boilerplate:
root = Metadata(Root())
targets = Metadata(Targets())
Set reasonable default values for all the arguments -- version to
1, spec_version to current supported version, etc.
Expires does not have a good default value and my original plan was
to require expires argument to be set. That would mean an
incompatible API change though as arguments before expires would be
now optional... So expires now defaults to an arbitrary value of 1
day from moment of creation.
One noteworthy special case is consistent_snapshot where the default
value is True (since that's what we want people to use for new
metadata) but None is also used to imply that metadata does not contain
the field at all.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Fixes #1899
Reverts #1867
In #1867 we started pinning direct and transitive test
dependencies for stable test results, i.e. to not have an unnoticed
update of a used test tool (or their dependencies) break our tests.
This resulted in dependabot updates inundating our PR tracker,
potentially obfuscating updates, which we care to address with
higher priority.
As a compromise we now only pin direct test dependencies, which
should still give us relatively stable test runs, while reducing
the spam.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
I created a new script called "generate_md.py" which can be used
to easily generate a repository. Additionally, I created a new
test file making sure that the locally stored metadata files and
the newly generated metadata roles are the same.
This will allow us to test that we are not changing the metadata
file structure when making changes.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
A really specific bug occurred on CI runs on all Windows machines
https://github.com/theupdateframework/python-tuf/runs/5467473050?check_suite_focus=true
where we weren't able to verify that what was generated is the same
as what is stored in Git.
After research with Jussi, we found out that the problem comes not
from the content of the file that was generated, but because on Windows
Git proactively replaced all line endings for text files with the CRLF symbol
("\r"); this made the locally stored JSON files different from the
generated ones.
We want to make sure such bugs don't occur again, and that's why we
disable this behavior for all JSON files.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
This change improves the logic of expired metadata tests, so that
it is explicitly visible what the expiry time and the versions are
and when update/refresh is called in that period
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
This change fixes the expired metadata tests to mock `datetime`
as previously they mocked `time` incorrectly, which did not affect
update methods, as they use `datetime.datetime.utcnow()` to
calculate now
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
This change verifies that when local metadata has expired, it is
still used to verify new metadata that's pulled from remote
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
This tests that an expired timestamp/snapshot/targets when loaded
from cache is not stored as final but is used to verify the new
timestamp
Fixes #1681
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
This test covers `targetinfo`, `target_path`, `target_base_url`,
`metadata_dir` and `filepath` input validation of the `Updater`
methods
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
Change to @lukpueh proposal with more clarification on why and how
the `securesystemslib.signer.Signer` interface is used
Co-authored-by: Lukas Pühringer <luk.puehringer@gmail.com>
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
This change updates some parts of the Metadata API docstrings
that did not give enough details and context
Fixes #1600
Signed-off-by: Ivana Atanasova <iyovcheva@vmware.com>
Fix the directory ignore patterns to ignore the entire directories,
including child directories.
https://git-scm.com/docs/gitignore#_pattern_format
Co-authored-by: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
Setting upper bound version constraints in libraries is a source of
problems for users of those libraries, see:
https://iscinumpy.dev/post/bound-version-constraints/
The intent of the python-tuf version constraint is to ensure we're
using a version of Python which supports all the features we rely
on, this is a better fit for a lower limit.
Suggested-by: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
Enable tox isolated environments to perform build operations in a virtual
environment.
See https://tox.wiki/en/latest/config.html#conf-isolated_build
Co-Authored-By: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
The version is no longer duplicated in setup.cfg (since 5155ba74), so remove
redundant TODO suggesting folks update in two places.
Co-authored-by: Ofek Lev <ofekmeister@gmail.com>
Signed-off-by: Joshua Lock <jlock@vmware.com>
* version number is single sourced now
* Mention that using pip against test.pypi.org is unsafe
* Fix some filenames in the examples
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
As of setuptools 46.4.0, one can accomplish single source version
number with
version = attr: package.__version__
in setup.cfg: as long as setuptools' simplified AST parser is able to
read the file, this works without actually importing anything.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
After we have dropped OrderedDict in e3b267e2e0
we are relying on python3.7+ default behavior to preserve the insertion
order, but there is one caveat.
When comparing dictionaries the order is still irrelevant compared to
OrderedDict. For example:
>>> OrderedDict([(1,1), (2,2)]) == OrderedDict([(2,2), (1,1)])
False
>>> dict([(1,1), (2,2)]) == dict([(2,2), (1,1)])
True
There are two special attributes, defined in the specification, where
the order makes a difference when comparing two objects:
- Metadata.signatures
- Targets.delegations.roles.
We want to make sure that the order in those two cases makes a
difference when comparing two objects and that's why those changes
are required inside two __eq__ implementations.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
Test the "__eq__" implementation for all classes defined in
tuf/api/metadata.py
The tests are many but simple. The idea is to test each of the metadata
classes one by one and with this to make sure there are no possible
cases missed.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
By adding __eq__ we can compare that two objects are equal.
That will be useful when adding validation API call.
One bug I have found during testing is that I don't check if the type
of "other" in the __eq__ implementations is the expected one.
I assumed that when comparing "root == obj" if "obj" is None that
automatically the result will be false.
Later after a mypy warning, I realized we should implement the __eq__
methods to accept "Any" type as other and we should check manually
that "other" is the expected type.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
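An added illustration of the two points made in the commits above (order-sensitive equality for signatures and delegated roles, and type-checking "other" in __eq__). The classes are hypothetical stand-ins written for this example, not python-tuf's own Metadata API:

```python
from typing import Any, Dict, List


class Signature:
    def __init__(self, keyid: str, sig: str) -> None:
        self.keyid, self.sig = keyid, sig

    def __eq__(self, other: Any) -> bool:
        # Accept Any and check the type explicitly, so "sig == None" is
        # False instead of raising AttributeError on other.keyid.
        if not isinstance(other, Signature):
            return False
        return self.keyid == other.keyid and self.sig == other.sig


class DelegatedRole:
    def __init__(self, name: str, keyids: List[str], threshold: int) -> None:
        self.name, self.keyids, self.threshold = name, keyids, threshold

    def __eq__(self, other: Any) -> bool:
        if not isinstance(other, DelegatedRole):
            return False
        return (self.name, self.keyids, self.threshold) == (
            other.name, other.keyids, other.threshold)


class Delegations:
    def __init__(self, roles: List[DelegatedRole]) -> None:
        self.roles: Dict[str, DelegatedRole] = {r.name: r for r in roles}

    def __eq__(self, other: Any) -> bool:
        if not isinstance(other, Delegations):
            return False
        # Role order decides which delegation a client consults first, so it
        # is part of equality: compare the items as lists, not as dicts.
        return list(self.roles.items()) == list(other.roles.items())


class Metadata:
    def __init__(self, signed: Dict[str, Any], signatures: List[Signature]) -> None:
        self.signed = signed
        self.signatures: Dict[str, Signature] = {s.keyid: s for s in signatures}

    def __eq__(self, other: Any) -> bool:
        if not isinstance(other, Metadata):
            return False
        # dict == dict ignores insertion order; the spec serializes signatures
        # as an ordered list, so compare them as ordered items instead.
        return self.signed == other.signed and list(
            self.signatures.items()) == list(other.signatures.items())
```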
Minima theme by default adds all files in blog root (docs/) as links in
the header. This looks ridiculous in our case: let's just have a link to
blog front page.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Add config for GitHub Pages so that we can use it as a project blog.
* _config.yml is jekyll configuration
* index.md contains description and title for the blog main page.
* Any files matching "_posts/YYYY-MM-DD-TITLE.md" are considered posts
The GitHub Pages configuration only allows "/" or "/docs/" as the Jekyll
root directory: The clutter in docs/ is annoying but otherwise this is a
very easy setup.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
We don't want to error out from the whole verify_delegate() process if
e.g. a single key fails to load but we do want to provide details for
debugging in the unexpected failure cases.
This means "example_client -vv download file1.txt" fails like this:
Found trusted root in /home/jku/.local/share/python-tuf-client-example
INFO:tuf.api.metadata:Key 4e777de0d275f9d28588dd9a1606cc748e548f9e22b6795b7cb3f63f98035fcb failed to verify sig: Failed to load PEM key bogus-key-content-here
INFO:tuf.api.metadata:Key 4e777de0d275f9d28588dd9a1606cc748e548f9e22b6795b7cb3f63f98035fcb failed to verify root
Failed to download target x: root was signed by 0/1 keys
Fixes #1875
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
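An added example of the verification loop the commit above describes: a key that fails to load is logged with its keyid and skipped, the remaining keys are still checked, and only the final count against the threshold decides the outcome. This is illustration code, not python-tuf's verify_delegate; HMAC-SHA256 over hex key material stands in for real public-key signatures, and the keyids and payload are constructed.

```python
import hashlib
import hmac
import logging
from typing import Dict, Tuple

logger = logging.getLogger(__name__)

def load_key(keyval: str) -> bytes:
    # Stand-in for PEM parsing: key material must be hex, otherwise loading fails.
    try:
        return bytes.fromhex(keyval)
    except ValueError as e:
        raise ValueError(f"Failed to load key {keyval}") from e

def sign(keyval: str, payload: bytes) -> str:
    # HMAC-SHA256 stands in for a public-key signature scheme in this example.
    return hmac.new(load_key(keyval), payload, hashlib.sha256).hexdigest()

def verify_delegate(role: str, payload: bytes, signatures: Dict[str, str],
                    keys: Dict[str, str], threshold: int) -> Tuple[int, int]:
    """Count keys whose signature verifies; one bad key never aborts the loop."""
    good = 0
    for keyid, keyval in keys.items():
        sig = signatures.get(keyid)
        if sig is None:
            continue  # this key simply did not sign
        try:
            ok = hmac.compare_digest(sign(keyval, payload), sig)
        except Exception as e:  # e.g. key failed to load: log details, keep going
            logger.info("Key %s failed to verify sig: %s", keyid, e)
            continue
        if ok:
            good += 1
        else:
            logger.info("Key %s failed to verify %s", keyid, role)
    if good < threshold:
        raise ValueError(f"{role} was signed by {good}/{threshold} keys")
    return good, threshold

def demo() -> Tuple[int, str]:
    # Constructed scenario: one valid key, one key whose material is bogus.
    payload = b'{"_type": "root", "version": 1}'
    keys = {"k-good": "11" * 32, "k-bogus": "bogus-key-content-here"}
    sigs = {"k-good": sign(keys["k-good"], payload), "k-bogus": "ff" * 32}
    good, _ = verify_delegate("root", payload, sigs, keys, threshold=1)
    try:
        verify_delegate("root", payload, sigs, keys, threshold=2)
        return good, ""
    except ValueError as e:
        return good, str(e)
```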