secure-systems-lab/securesystemslib#288 changes the key generation
interface functions in such a way that it is clear if a call opens
a blocking prompt, or writes the key unencrypted. To do this two
functions are added per key type:
- `generate_and_write_*_keypair_with_prompt`
- `generate_and_write_unencrypted_*_keypair`
The default `generate_and_write_*_keypair` function now only allows
encrypted keys and only using a passed password. This respects the
principle of secure defaults and least surprise.
sslib#288 furthermore adds a protected
`_generate_and_write_*_keypair`, which is not exposed publicly
because it does not encrypt by default, but is more flexible and
thus convenient e.g. to consume all arguments from a key generation
command line tool such as 'repo.py'.
This commit adds the new public functions to the tuf namespace and
adopts their usage accordingly.
NOTE regarding repo.py:
This commit does not fix any problematic password behavior of
'repo.py' like default passwords, etc. (see #881). It only adopts
the sslib#288 changes to maintain the current behavior, plus
removing one glaringly obsolete password prompt.
NOTE regarding key import:
The securesystemslib private key import functions were also changed
to no longer auto-prompt for decryption passwords. TUF, however,
only exposes custom wrappers (see repository_lib) that do
auto-prompt. sslib#288 changes to the prompt texts are nevertheless
propagated to tuf and reflected in this commit.
Signed-off-by: Lukas Puehringer <lukas.puehringer@nyu.edu>
Provide additional context to clarify where we expect Python 3.6+ to be used
exclusively (new modules) and link to other discussions around the future of
Python 2.7 supporting code.
Signed-off-by: Joshua Lock <jlock@vmware.com>
In order to make decisions about the code and the design explicit and easier
to reference in future we want to record significant architectural decisions.
This commit introduces docs/adr with a template Architectural Decision Record
and index using the [MADR](https://adr.github.io/madr/) format.
It also adds ADR 0000 to document the decisions to use MADR.
Fixes #1141
Signed-off-by: Joshua Lock <jlock@vmware.com>
Commit eb00d14 modified requirements-pinned.txt so that sslib specifiers
are now "[crypto,pynacl]". This happens to match the exact specifiers
used for the sslib git master dependency in tox.ini. This triggers pip
to say:
ERROR: Double requirement given: securesystemslib[crypto,pynacl]==0.16.0
(from -r /home/jku/src/tuf/requirements-pinned.txt (line 12)) (already
in securesystemslib[crypto,pynacl] from
git+http://github.com/secure-systems-lab/securesystemslib.git@master#egg=securesystemslib[crypto,pynacl],
name='securesystemslib')
Avoid this by not setting any specifiers for the sslib git master
dependency in tox.ini: This makes pip happy and we get the git master
version installed. pynacl and crypto are still installed because they
are in requirements-pinned.txt.
Fixes #1184.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
The repo script was the only user and can now do the right thing when
colorama isn't available in the environment.
Signed-off-by: Joshua Lock <jlock@vmware.com>
Instead of using colorama directly for terminal colours, use the
constants in securesystemslib.interface which map to colorama colours
IFF colorama is installed.
This change results in a red password prompt when colorama is installed
and a standard terminal output coloured prompt when colorama is not
installed.
Signed-off-by: Joshua Lock <jlock@vmware.com>
Even though we don't want to promote the usage of [''] as a value
for confined_target_dirs, it's good to test against because we
don't want to introduce a breaking change for our users.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
The field confined_target_dirs from the MIRROR_SCHEMA is
a list of strings. Those strings define the accessible target
paths for that mirror. For one target to be available for that mirror,
its path should have as a prefix at least one of the strings defined
in confined_target_dirs.
That's why when confined_target_dirs is a list with one element, the empty
string (e.g. ['']), this means all target files on that mirror are
available, and if confined_target_dirs is an empty list (e.g. []) this
would be interpreted as none of the target files being available.
This is a confusing API that could easily lead to mistakes.
That's why it's better we promote to not set confined_target_dirs
at all if a user wants targets to be available.
Signed-off-by: Martin Vrachev <mvrachev@vmware.com>
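
The prefix rule described in the commit message above, as an added Python example that is not tuf's own code. The function names and the sample mirror entries are hypothetical, and an unset field is assumed to mean "no confinement", as the message recommends.

```python
# Added illustration, not tuf code. Mirror dicts are constructed samples that
# carry only the fields needed here; function names are hypothetical.

def target_available(target_path, mirror):
    """Apply the prefix rule from the commit message to one mirror entry."""
    confined = mirror.get("confined_target_dirs")
    if confined is None:
        return True  # field not set: every target is available
    # any() over [] is False, and every string starts with '', so
    # [] denies everything while [''] allows everything.
    return any(target_path.startswith(prefix) for prefix in confined)


def audit_mirrors(mirrors):
    """Return (mirror name, warning) pairs for the two confusing values."""
    findings = []
    for name, mirror in mirrors.items():
        confined = mirror.get("confined_target_dirs")
        if confined == []:
            findings.append((name, "empty list: no target is available"))
        elif confined is not None and "" in confined:
            findings.append((name, "'' entry: all targets available, omit the field"))
    return findings


# Constructed sample configuration.
SAMPLE_MIRRORS = {
    "unset": {"url_prefix": "http://localhost:8001"},
    "allow_all": {"url_prefix": "http://localhost:8002",
                  "confined_target_dirs": [""]},
    "deny_all": {"url_prefix": "http://localhost:8003",
                 "confined_target_dirs": []},
    "scoped": {"url_prefix": "http://localhost:8004",
               "confined_target_dirs": ["packages/"]},
}

if __name__ == "__main__":
    for name, mirror in SAMPLE_MIRRORS.items():
        print(name, target_available("packages/app.tar.gz", mirror))
    for name, warning in audit_mirrors(SAMPLE_MIRRORS):
        print("WARN", name, warning)
```
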
We don't need to lint the code with every version of Python, instead add
an extra tox env which lints once with the latest supported Python version.
Signed-off-by: Joshua Lock <jlock@vmware.com>
The Targets constructor takes seven arguments, which violates pylint's
default value of five for max-arguments:
R0913: Too many arguments (7/5) (too-many-arguments)
As this feels like a coding style decision that should be made and
documented, disable that test for only the Targets constructor until
a coding style decision has been made and documented as a decision
record.
Signed-off-by: Joshua Lock <jlock@vmware.com>
Using an else after a raise results in a refactor message from pylint:
R1720: Unnecessary "elif" after "raise" (no-else-raise)
This is because the raise will exit the block, and pylint suggests that
explicit if's, rather than an if-elif-else, are clearer style. Update the
style of Metadata.verify() to match pylint expectations.
Signed-off-by: Joshua Lock <jlock@vmware.com>
A single letter variable name of 'f' causes pylint to throw a coding style
convention warning:
C0103: Variable name "f" doesn't conform to snake_case naming style
(invalid-name)
Signed-off-by: Joshua Lock <jlock@vmware.com>
Add a minimal pylintrc to lint for new code being developed in tuf/api and
update the tox configuration to ignore tuf/api with the default pylintrc
and run an extra invocation of pylint for just the modules in tuf/api.
Signed-off-by: Joshua Lock <jlock@vmware.com>
Our 'expires' strings are constrained by the ISO8601_DATETIME_SCHEMA
which matches regex '\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z'. This can be
parsed with just a datetime.strptime(): iso8601 module is not needed.
* Add formats.expiry_string_to_datetime() helper function
* Modify the 3 locations that used iso8601 and the api/metadata.py usage
of datetime.strptime()
* Remove related unnecessary logger setup
* Add the missing exception documentation to relevant functions (in many
cases the exception is rather unlikely as the schema has been verified
many times before this though...)
Fixes #1065
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
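
A stand-alone sketch of the parsing approach named in the commit message above, added here as an example and not the body of tuf's `formats.expiry_string_to_datetime()`. The names `parse_expires` and `is_expired` are hypothetical, and treating metadata as expired once `now` reaches `expires` is an assumption of this sketch.

```python
import re
from datetime import datetime

# The pattern quoted in the commit message; fullmatch() anchors it to the
# whole string.
ISO8601_Z = re.compile(r"\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z")


def parse_expires(expires):
    """Parse an 'expires' string into a naive datetime holding a UTC value.

    Raises ValueError for strings outside the pattern and for strings that
    fit the pattern but name an impossible date or time (month 13, hour 25):
    the regex only checks digit counts, strptime checks ranges.
    """
    if not ISO8601_Z.fullmatch(expires):
        raise ValueError("not in YYYY-MM-DDTHH:MM:SSZ form: %r" % expires)
    return datetime.strptime(expires, "%Y-%m-%dT%H:%M:%SZ")


def is_expired(expires, now):
    """Assumption of this sketch: expired once 'now' (naive UTC) reaches 'expires'."""
    return parse_expires(expires) <= now


if __name__ == "__main__":
    # Constructed sample values.
    samples = ("2030-01-01T00:00:00Z",       # valid
               "2030-13-01T00:00:00Z",       # fits the pattern, month 13
               "2030-01-01T00:00:00+00:00")  # offset form, outside the pattern
    for sample in samples:
        try:
            print(sample, "->", parse_expires(sample))
        except ValueError as error:
            print(sample, "-> rejected:", error)
```
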
This allows clients to separate
a) missing local repository and
b) error while loading local repository
This is fully backwards-compliant: MissingLocalRepositoryError derives
from RepositoryError and every situation that now results in
MissingLocalRepositoryError used to result in a RepositoryError.
Fixes #1063
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
Filter out:
* DeprecationWarnings for updater module when we are on purpose
testing deprecated methods from updater
* SubjectAltNameWarning for connections to our test server
These warnings are visible with e.g.
python3 test_updater.py
The large change in test_download.py is just indentation into with-block.
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
* Strongly encourage the reader to use Python 3 for creating release
artefacts
* Recommend cleaning the tuf directory before creating the release
Signed-off-by: Joshua Lock <jlock@vmware.com>
This seems to be a common way to handle license files. Also, vendoring
tool fails to handle tuf without a LICENSE file.
Fixes #1160
Signed-off-by: Jussi Kukkonen <jkukkonen@vmware.com>
It's convenient to be able to run unit test scripts directly, rather than
having to pass them as arguments to Python. This is already possible for
several of our unit tests, make it possible for all by setting the execute
bit.
Signed-off-by: Joshua Lock <jlock@vmware.com>