Commit Graph

526 Commits

Author SHA1 Message Date
Levente Polyak
d9e9453d84
feature(keyringctl): write all packet files with full issuer fingerprint
This avoids collision between same issuer using key-id and full
fingerprint in different versions of a packet, like signature.
2021-11-30 22:54:15 +01:00
Levente Polyak
279765b22a
fix(keyringctl): fix system stderr case due to wrongly written test
CalledProcessError returns bytes for our invocations, the fix that
decoded bytes of stdout was purely to make the mocked test happy while
breaking the actual usage. Restore the behavior and fix the wrong mocked
data.
2021-11-30 22:54:14 +01:00
Levente Polyak
cd585f4be2
chore(keyringctl): increase test coverage and fix trust expectations 2021-11-30 22:54:14 +01:00
Levente Polyak
7513e71b3f
chore(keyringctl): add key revocation trust tests 2021-11-30 22:54:14 +01:00
David Runge
a25c267f26
Add more specific coverage configuration
pyproject.toml:
Set specific source for `toolscoverage.paths` (as we only provide one
module).
Set `tools.coverage.run.relative_files` to true (although it is still
bug riddled and does not seem to work as advertized in regards to xml
output: https://github.com/nedbat/coveragepy/issues/963,
https://github.com/nedbat/coveragepy/issues/1147).
Set `tool.coverage.xml.output`, so we don't have to provide it on the
commandline.

Makefile:
Do not provide an output file to the coverage xml call, as we do that in
configuration now.
2021-11-30 22:54:14 +01:00
Levente Polyak
86eb172ac3
chore(keyringctl): add missing type annotations for tests 2021-11-30 22:54:14 +01:00
Levente Polyak
c807a81a57
feature(ci): add testing and coverage data to gitlab ci artifacts 2021-11-30 22:54:14 +01:00
David Runge
b9bbe3f1d4
Also trigger tests and linting on changes to CI
.gitlab-ci.yml:
Also trigger tests and linting on changes to .gitlab-ci.yml.
2021-11-30 22:54:14 +01:00
David Runge
c75c3ee7ee
.gitignore: Add coverage and pycache
.gitignore:
Add .coverage and __pycache__ dirs to ignore.
2021-11-30 22:54:14 +01:00
David Runge
358e840f8f
Add unit tests for util functions
tests/test_util.py:
Add tests for `cwd()`, `natural_sort_path()`, `system()`,
`absolute_path()`, `transform_fd_to_tmpfile()`, `get_cert_paths()`,
`get_parent_cert_paths()` and `contains_fingerprint()`.
2021-11-30 22:54:14 +01:00
David Runge
c1f59488e5
Add unit tests for code calling sequoia
tests/test_sequoia.py:
Add unit tests for `keyring_split()`, `keyring_merge()`,
`packet_split()`, `packet_join()`, `inspect()`, `packet_dump()`,
`packet_dump_field()`, `packet_signature_creation_time()`, and
`latest_certification()`.
2021-11-30 22:54:14 +01:00
David Runge
52e0936524
Add unit test for git integration
tests/test_git.py:
Add unit test for `git_changed_files()`.
2021-11-30 22:54:14 +01:00
David Runge
d969587bf7
Add python-coverage as dependency for contributing
CONTRIBUTING.md:
Add python-coverage to the list of dependencies for testing.
2021-11-30 22:54:13 +01:00
David Runge
f27a7b90c2
Makefile: Use coverage instead of pytest
Makefile:
Run pytest via coverage in `make test` to also generate a coverage
report.
2021-11-30 22:54:13 +01:00
David Runge
c968e7815a
Add python-coverage to test target
.gitlab-ci.yml:
Add python-coverage to test target.
2021-11-30 22:54:13 +01:00
David Runge
a21e6f21fb
Write bytes to stderr when raising during system call
libkeyringctl/util.py:
Change `system()` to write bytes to stderr.buffer, as before
CalledProcessError.stdout had been used, which returns a string.
2021-11-30 22:54:13 +01:00
David Runge
4597fba6ba
Rename test directory to tests
tests/*:
The existing coverage configuration is setup to use/ omit a tests
directory.
2021-11-30 22:54:13 +01:00
Levente Polyak
0ca74e243b
feature(keyringctl): adding basic infrastructure for running tests 2021-11-30 22:54:13 +01:00
Levente Polyak
8ba7dc1dc9
feature(keyringctl): acquire trust status from key assumptions
Rework the whole trust handling by acquiring the trust status from
actual assumptions related to the amount of ownertrust signatures and
revocations.
2021-11-30 22:54:13 +01:00
Levente Polyak
26c7027660
feature(keyringctl): support importing from a piped fd
This feature allows to import from a piped fd like:
> ./keyringctl import --name foobar <(gpg --export foo@bar)

We achieve this even with hidepid by taking the naive approach of
copying the processes fd source to a tempfile and pass around latter.
2021-11-30 22:54:13 +01:00
Levente Polyak
2384d0337b
fix(keyringctl): resolve cert dir per fingerprint and not parent user 2021-11-30 22:54:13 +01:00
Levente Polyak
03d5899f87
fix(keyring): use a single applied revocation to declare a key revoked
Otherwise the PGP trust and revocation status file will not match our
expectations. A single applied revocation to this directory structure
should be checked either way.

We can later create TODO's to have at least two revocations for the keys
that would otherwise be still trusted and then change this value.
2021-11-30 22:54:13 +01:00
Levente Polyak
878752dc13
fix(keyringctl): avoid leaking unclosed file descriptors 2021-11-30 22:54:13 +01:00
Levente Polyak
10d54ac35d
feature(make): adding fmt target to format the project accordingly 2021-11-30 22:54:12 +01:00
Levente Polyak
a9e63edfa8
feature(keyringctl): adding ci command to verify newly added certs
Currently only newly added certificates will be checked against the
expectations as existing keys are not all fully compatible with those
assumptions.  New certificates are determined by using
$CI_MERGE_REQUEST_DIFF_BASE_SHA as the base,
2021-11-30 22:54:12 +01:00
Levente Polyak
9733fbafd8
feature(keyringctl): add verify command to check certificate expectation
This command checks certain expectations using sq and hokey, prints the
results to stdout and potentially exists non successfully.
2021-11-30 22:54:12 +01:00
Levente Polyak
94c3b4c8e9
fix(keyrinctl): yield file not found errors instead of blocking on stdin
Handle missing or wrong certificate paths in a way that does not lead to
a blocking command by reading from stdin. Instead throw either file not
found errors or expect optional outputs.
2021-11-30 22:54:12 +01:00
Levente Polyak
58307c629d
chore(keyringctl): modularize the code for overview and testing 2021-11-30 22:54:12 +01:00
Levente Polyak
f90e860d16
fix(keyringctl): prioritize latest certification per issuer
When importing a non reduced keyring the certifications were not
deterministic for keys that have multiple certifications per issuer.
This was for example the case for self certifications to extend the
expiry time. Before this commit a random certification could remain the
final one which would lead to a non up to date keyring and a potentially
expired key.
2021-11-30 22:54:12 +01:00
Levente Polyak
32469720f8
fix(keyringctl): deterministic assembling order with single packet files
Fix the assembling of a certificate by joining the packets in the
correct order and splitting combined files into individual single
packets per file.
2021-11-30 22:54:12 +01:00
Levente Polyak
4b136dd6f6
feature(keyringctl): enrich inspect to show explicit label for main keys
This helps to identify if a certification issuer comes from a main key
or not.
2021-11-30 22:54:12 +01:00
Levente Polyak
b6c25fa531
chore(keyringctl): de-duplicate username/fprint transform code
We duplicated resolving usernames and fingerprints to actual keyring
paths in multiple places. De-duplicate the code by using dedicated
functions to do this job.
2021-11-30 22:54:12 +01:00
Levente Polyak
cced93480c
fix(keyringctl): avoid walking non existing paths to resolve certs 2021-11-30 22:54:12 +01:00
Levente Polyak
02605edee5
feature(keyringctl): sort list command for alphabetical listing
Only do so when listing all keys, when a filter is provided, like
usernames or fingerprints, keep the order to allow a 1:1 mapping.
2021-11-30 22:54:12 +01:00
Levente Polyak
f3f3a63385
feature(keyringctl): avoid storing pubkey and uids in certifications
We do not need to duplicates packages in certifications and revocations.
Store the packets separated from their parent as those are already
persisted.
2021-11-30 22:54:12 +01:00
Levente Polyak
5249453726
feature(keyringctl): support passing fingerprint as source
This helps make the CLI more useful by listing, exporting or inspecting
a specific fingerprint.
2021-11-30 22:54:11 +01:00
Levente Polyak
6d336828e1
chore(keyringctl): remove docstring types as the signatures cover them
All modern tooling already reads type hinting from the signatures
instead of the docstring and supports annotating the parameter
accordingly. Remove the duplicated data to avoid out of sync
documentation.
2021-11-30 22:54:11 +01:00
Levente Polyak
619f2a3b68
chore(keyringctl): simplify convert usage by moving fingerprint filter 2021-11-30 22:54:11 +01:00
Levente Polyak
fc9ad848ab
chore(keyringctl): simplify trust functions and return trusted/revoked
The API makes more sense to return (trusted,revoked) as the caller can
simply derive all certificates by joining the two sets.

To simplify the functions, some code has been replaced to use helper
methods to flatten the nested loops.
2021-11-30 22:54:11 +01:00
Levente Polyak
e0abfd195c
feature(keyringctl): collect usernames to fingerprints to enrich output
By collecting the matching usernames to all fingerprints we are able to
enrich the output of `inspect` to show the usernames next to the
certifications.
2021-11-30 22:54:11 +01:00
Levente Polyak
2d1eb93a39
chore(keyringctl): move cert depth first search to own function
This way we can reuse the functionality which will allow to simplify a
lot of places that have multiple layers of inflexible nested loops.
2021-11-30 22:54:11 +01:00
Levente Polyak
3776ca942c
fix(keyringctl): preserve keyring split filenames in separated dirs
This aids initial imports of keyrings that contain multiple certificates
by allowing keyring_split to enforce preserving the filenames. This is
achieved by moving each split keyring into unique sub directories where
the original input filename remains unique.
2021-11-30 22:54:11 +01:00
Levente Polyak
090d63ae20
fix(keyringctl): force overwrite packets when persisting
When we import new packet data, always allow overwrites of the final
packet files. This may happen when importing from multiple files that
provide the same packets, which is fine as they should still yield to
the same results.
2021-11-30 22:54:11 +01:00
Levente Polyak
82254e0a36
feature(keyringctl): add inspect command to pretty print certificates
This command prints a new and pretty representation of the certificate
data to visualize the keyring and its signatures.
2021-11-30 22:54:11 +01:00
Levente Polyak
0168ce1db0
feature(keyringctl): add simple command to list all certificates 2021-11-30 22:54:11 +01:00
Levente Polyak
1a8ea8397d
chore(keyringctl): throw exception instead of exit on failed system calls 2021-11-30 22:54:11 +01:00
Levente Polyak
f6e3a4e94b
feature(keyringctl): use build command to create final artifacts
This allows an easy to use cli which invokes the export function to get
the keyring and uses the ownertrust and revoke functions to write all
artifacts into a target directory.
2021-11-30 22:54:10 +01:00
Levente Polyak
77e5b36872
feature(keyringctl): add force parameter to keyring_merge 2021-11-30 22:54:10 +01:00
Levente Polyak
86747ecab7
feature(keyringctl): use the export command purely to export keyrings
This gives more control over the export command that may be useful to
export a single packager to import it into gpg. This will also give more
flexibility to chain this function to the future verify stage.

By default the command exports the whole keyring directory.
2021-11-30 22:54:10 +01:00
Levente Polyak
aa2f2ea497
feature(keyringctl): add dedicated keyring_merge function 2021-11-30 22:54:10 +01:00