Update securesystemslib 1.0.0 (WIP)

* Update securesystemslib 1.0.0 in requirements*.txt files
  -> requires pinning a dev version of tuf

  TODO: - adopt in Pipfile (I tried, but `pipenv lock` was taking
	  way too long for my taste)
	- update tuf when theupdateframework/python-tuf#2617 is
	  released

* Remove local keyvault service, which makes heavy use of legacy
  securesystemslib interfaces, which are no longer available in 1.0.0.
  TODO: - adopt in docs, config, etc
	- consider removing obsolete IKeyVault

* Remove keyvault initialisation in MetadatRepository, which
  would try to load local key vault in tests, given the current configs
  (see TODO above)

* Adopt removal in tests, just enough, so that they pass.
  TODO: - check if the tests still make sense

* Drop registration of CryptoSigner and use its new uri scheme "file2"
  in SignerStore.
  "file2" can be used like "file", but only for non-encrypted key files,
  which is all we care for in the worker.
  "file2" can also be used like "fn"  from the custom "FileNameSigner",
  i.e. with a directory specified via envvar.

  TODO: - consider only using "file2" and dropping the custom
          "FileNameSigner" (or only using it to ovverride the scheme
	  name and the envvar name)

Signed-off-by: Lukas Puehringer <[email protected]>

repository_service_tuf_worker/repository.py

@@ -45,7 +45,7 @@
     get_repository_settings,
     get_worker_settings,
 )
-from repository_service_tuf_worker.interfaces import IKeyVault, IStorage
+from repository_service_tuf_worker.interfaces import IStorage
 from repository_service_tuf_worker.models import (
     rstuf_db,
     targets_crud,
@@ -168,10 +168,6 @@ def refresh_settings(self, worker_settings: Optional[Dynaconf] = None):
         # storage
         IStorage.from_dynaconf(settings)
 
-        # keyvault
-        if settings.get("KEYVAULT_BACKEND"):
-            IKeyVault.from_dynaconf(settings)
-
         self._worker_settings = settings
         return settings
 

repository_service_tuf_worker/services/__init__.py

@@ -4,13 +4,9 @@
 # SPDX-License-Identifier: MIT
 
 from repository_service_tuf_worker.interfaces import (  # noqa
-    IKeyVault,
     IStorage,
     ServiceSettings,
 )
-from repository_service_tuf_worker.services.keyvault.local import (  # noqa
-    LocalKeyVault,
-)
 from repository_service_tuf_worker.services.storage import (  # noqa
     AWSS3,
     LocalStorage,

repository_service_tuf_worker/signer.py

@@ -74,9 +74,7 @@ def from_priv_key_uri(
 
 RSTUF_ONLINE_KEY_URI_FIELD = "x-rstuf-online-key-uri"
 
-# Register non-default securesystemslib file signer
-# secure-systems-lab/securesystemslib#617
-SIGNER_FOR_URI_SCHEME[CryptoSigner.FILE_URI_SCHEME] = CryptoSigner
+
 # Register custom FileNameSigner
 SIGNER_FOR_URI_SCHEME[FileNameSigner.SCHEME] = FileNameSigner
 

requirements-dev.txt

@@ -106,10 +106,10 @@ pydantic-core==2.18.2; python_version >= '3.8'
 pynacl==1.5.0
 pytz==2024.1
 redis==5.0.4; python_version >= '3.7'
-securesystemslib[crypto,pynacl]==0.31.0; python_version ~= '3.8'
+securesystemslib[crypto]==1.0.0; python_version ~= '3.8'
 sqlalchemy==2.0.29; python_version >= '3.7'
 supervisor==4.2.5
-tuf==4.0.0; python_version >= '3.8'
+tuf @ git+https://github.com/theupdateframework/python-tuf@a7b832b88ff3c094aafdd78a72bbcf19a93b0bf0 ; python_version >= '3.8'
 tzdata==2024.1; python_version >= '2'
 vine==5.1.0; python_version >= '3.6'
 watchdog==4.0.0; python_version >= '3.8'

requirements.txt

@@ -39,12 +39,12 @@ pytz==2024.1
 redis==5.0.4; python_version >= '3.7'
 requests==2.31.0; python_version >= '3.7'
 s3transfer==0.10.1; python_version >= '3.8'
-securesystemslib[crypto,pynacl]==0.31.0; python_version ~= '3.8'
+securesystemslib[crypto]==1.0.0; python_version ~= '3.8'
 setuptools==69.5.1; python_version >= '3.8'
 six==1.16.0; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
 sqlalchemy==2.0.29; python_version >= '3.7'
 supervisor==4.2.5
-tuf==4.0.0; python_version >= '3.8'
+tuf @ git+https://github.com/theupdateframework/python-tuf@a7b832b88ff3c094aafdd78a72bbcf19a93b0bf0 ; python_version >= '3.8'
 typing-extensions==4.11.0; python_version >= '3.8'
 tzdata==2024.1; python_version >= '2'
 urllib3==2.2.1; python_version >= '3.10'

tests/unit/conftest.py

@@ -14,14 +14,6 @@
 
 @pytest.fixture()
 def test_repo(monkeypatch: pytest.MonkeyPatch) -> MetadataRepository:
-    from repository_service_tuf_worker.services.keyvault import local
-
-    fake_import_privatekey_from_file = pretend.call_recorder(lambda *a: None)
-    monkeypatch.setattr(
-        local,
-        "import_privatekey_from_file",
-        fake_import_privatekey_from_file,
-    )
     return MetadataRepository.create_service()