condorcore-keyring/libkeyringctl/ci.py

# SPDX-License-Identifier: GPL-3.0-or-later

from os import environ
from pathlib import Path
from typing import List

from .git import git_changed_files
from .util import get_parent_cert_paths
from .verify import verify


def ci(working_dir: Path, keyring_root: Path, project_root: Path) -> None:
    """Verify certificates against modern expectations using `sq keyring lint` and hokey

    Currently only newly added certificates will be checked against the expectations as existing
    keys are not all fully compatible with those assumptions.
    New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,

    Parameters
    ----------
    working_dir: A directory to use for temporary files
    keyring_root: The keyring root directory to look up username shorthand sources
    project_root: Path to the root of the git repository
    """

    ci_merge_request_diff_base = environ.get("CI_MERGE_REQUEST_DIFF_BASE_SHA")
    created, deleted, modified = git_changed_files(
        git_path=project_root, base=ci_merge_request_diff_base, paths=[Path("keyring")]
    )

    changed_certificates: List[Path] = list(get_parent_cert_paths(paths=created + deleted + modified))

    verify(
        working_dir=working_dir,
        keyring_root=keyring_root,
        sources=changed_certificates,
        lint_hokey=False,
        lint_sq_keyring=False,
    )

    added_certificates: List[Path] = [
        path for path in changed_certificates if (path / f"{path.name}.asc").relative_to(project_root) in created
    ]
    if added_certificates:
        verify(working_dir=working_dir, keyring_root=keyring_root, sources=added_certificates)
feature(keyringctl): adding ci command to verify newly added certs Currently only newly added certificates will be checked against the expectations as existing keys are not all fully compatible with those assumptions. New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base, 2021-10-24 15:08:50 -05:00			`# SPDX-License-Identifier: GPL-3.0-or-later`

			`from os import environ`
			`from pathlib import Path`
			`from typing import List`

			`from .git import git_changed_files`
feature(keyringctl): acquire trust status from key assumptions Rework the whole trust handling by acquiring the trust status from actual assumptions related to the amount of ownertrust signatures and revocations. 2021-10-29 17:59:23 -05:00			`from .util import get_parent_cert_paths`
feature(keyringctl): verify file structure integrity and packets This moves all verify code to an own module and adds support to check all packet files in the structure for integrity. This is done by parsing assumptions like packet kind, type, issuer and location etc. 2021-11-07 14:54:34 -06:00			`from .verify import verify`
feature(keyringctl): adding ci command to verify newly added certs Currently only newly added certificates will be checked against the expectations as existing keys are not all fully compatible with those assumptions. New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base, 2021-10-24 15:08:50 -05:00

			`def ci(working_dir: Path, keyring_root: Path, project_root: Path) -> None:`
feat: Replace sq-keyring-linter with sq >= 0.31.0 2023-07-09 07:33:22 -06:00			"""Verify certificates against modern expectations using `sq keyring lint` and hokey
feature(keyringctl): adding ci command to verify newly added certs Currently only newly added certificates will be checked against the expectations as existing keys are not all fully compatible with those assumptions. New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base, 2021-10-24 15:08:50 -05:00
			`Currently only newly added certificates will be checked against the expectations as existing`
			`keys are not all fully compatible with those assumptions.`
			`New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,`

			`Parameters`
			`----------`
			`working_dir: A directory to use for temporary files`
			`keyring_root: The keyring root directory to look up username shorthand sources`
			`project_root: Path to the root of the git repository`
			`"""`

			`ci_merge_request_diff_base = environ.get("CI_MERGE_REQUEST_DIFF_BASE_SHA")`
feature(keyringctl): rework ci module to execute full lint for new certs 2021-11-08 19:34:14 -06:00			`created, deleted, modified = git_changed_files(`
			`git_path=project_root, base=ci_merge_request_diff_base, paths=[Path("keyring")]`
feature(keyringctl): adding ci command to verify newly added certs Currently only newly added certificates will be checked against the expectations as existing keys are not all fully compatible with those assumptions. New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base, 2021-10-24 15:08:50 -05:00			`)`

feature(keyringctl): rework ci module to execute full lint for new certs 2021-11-08 19:34:14 -06:00			`changed_certificates: List[Path] = list(get_parent_cert_paths(paths=created + deleted + modified))`
feature(keyringctl): adding ci command to verify newly added certs Currently only newly added certificates will be checked against the expectations as existing keys are not all fully compatible with those assumptions. New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base, 2021-10-24 15:08:50 -05:00
feature(keyringctl): rework ci module to execute full lint for new certs 2021-11-08 19:34:14 -06:00			`verify(`
			`working_dir=working_dir,`
			`keyring_root=keyring_root,`
			`sources=changed_certificates,`
			`lint_hokey=False,`
			`lint_sq_keyring=False,`
			`)`

			`added_certificates: List[Path] = [`
			`path for path in changed_certificates if (path / f"{path.name}.asc").relative_to(project_root) in created`
			`]`
feature(keyringctl): adding ci command to verify newly added certs Currently only newly added certificates will be checked against the expectations as existing keys are not all fully compatible with those assumptions. New certificates are determined by using $CI_MERGE_REQUEST_DIFF_BASE_SHA as the base, 2021-10-24 15:08:50 -05:00			`if added_certificates:`
			`verify(working_dir=working_dir, keyring_root=keyring_root, sources=added_certificates)`