chore: merge feature/tuf-repository and resovle conflicts

.github/workflows/ci.yml

@@ -32,10 +32,10 @@ jobs:
       matrix:
         python-version: ${{ fromJSON(needs.set_python_versions.outputs.all_versions) }}
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #@v4
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #@v5
         with:
           python-version: ${{ matrix.python-version }}
 
@@ -68,10 +68,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #@v4
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #@v5
         with:
           # build it on the minimum version
           python-version: ${{ fromJSON(needs.set_python_versions.outputs.all_versions)[0] }}
@@ -117,14 +117,14 @@ jobs:
     steps:
 
       - name: Checkout Repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 #@v4
 
       - name: Get Upload URL
         id: get_upload_url
         run: echo "${{ github.event.release.upload_url  }}"
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@0b93645e9fea7318ecaed2b359559ac225c90a2b #@v5
         with:
           # the newest python that we support
           python-version: ${{ needs.set_python_versions.outputs.last_version }}

CHANGELOG.md

@@ -9,17 +9,29 @@ and this project adheres to [Semantic Versioning][semver].
 
 ### Added
 
+- Transition to the newest version of TUF [(561)]
 - Implement removal of keys [(561)]
-- Implement full partial update. Store last validated commit per repo ([559)])
 
 ### Changed
 
-- Transition to the newest version of TUF [(561)]
-
 ### Fixed
 
-
 [561]: https://github.com/openlawlibrary/taf/pull/561
+
+## [0.33.0]
+
+### Added
+
+- Add tests for `get_last_remote_commit` and `reset_to_commit` ([573])
+- Remove unused optional parameter from _yk_piv_ctrl ([572])
+- Implement full partial update. Store last validated commit per repo ([559)])
+
+### Changed
+
+### Fixed
+
+[573]: https://github.com/openlawlibrary/taf/pull/573
+[572]: https://github.com/openlawlibrary/taf/pull/572
 [559]: https://github.com/openlawlibrary/taf/pull/559
 
 
@@ -57,7 +69,6 @@ and this project adheres to [Semantic Versioning][semver].
 
 ### Fixed
 
-
 [564]: https://github.com/openlawlibrary/taf/pull/564
 
 ## [0.32.1] - 11/01/2024
@@ -1379,7 +1390,8 @@ and this project adheres to [Semantic Versioning][semver].
 
 [keepachangelog]: https://keepachangelog.com/en/1.0.0/
 [semver]: https://semver.org/spec/v2.0.0.html
-[unreleased]: https://github.com/openlawlibrary/taf/compare/v0.32.4...HEAD
+[unreleased]: https://github.com/openlawlibrary/taf/compare/v0.33.0...HEAD
+[0.33.0]: https://github.com/openlawlibrary/taf/compare/v0.32.4...v0.33.0
 [0.32.4]: https://github.com/openlawlibrary/taf/compare/v0.32.3...v0.32.4
 [0.32.3]: https://github.com/openlawlibrary/taf/compare/v0.32.2...v0.32.3
 [0.32.2]: https://github.com/openlawlibrary/taf/compare/v0.32.1...v0.32.2

docs/developers/repository-classes.md

@@ -87,7 +87,9 @@ regardless of whether there are `metadata` files located at `path/metadata`. In
 metadata and target files from mediums other than the local file system. TUF enables such flexibility by allowing
 custom implementations of the `StorageBackendInterface`. These implementations can redefine how metadata and target
 files are read and written. To instantiate a `MetadataRepository` class with a custom storage interface, use the
-`storage` keyword argument. If not specified, TUF's default `FilesystemBackend` will be used.
+`storage` keyword argument. If not specified, TUF's default `FilesystemBackend` will be used. The other available
+option is `GitStorageBackend`. This implementation loads data from a specific commit if the commit is specified,
+or from the filesystem if the commit is `None`, by extending `FilesystemBackend`.
 
 This class is used extensively to implement API functions.
 

setup.py

@@ -1,7 +1,7 @@
 from setuptools import find_packages, setup
 
 PACKAGE_NAME = "taf"
-VERSION = "0.32.4"
+VERSION = "0.33.0"
 AUTHOR = "Open Law Library"
 AUTHOR_EMAIL = "[email protected]"
 DESCRIPTION = "Implementation of archival authentication"

taf/api/api_workflow.py

@@ -41,6 +41,28 @@ def manage_repo_and_signers(
     commit_msg: Optional[str] = None,
     no_commit_warning: Optional[bool] = True,
 ):
+    """
+    A context manager that loads all signers and adds them to the specified authentication repository's
+    signers cache. This allows for the execution of other methods without having to update the
+    signers cache manually. Optionally, at the end, the context manager commits and pushes all changes made
+    to the authentication repository and handles cleanup in case of an error.
+
+    Arguments:
+        auth_repo (AuthenticationRepository): Already instantiated authentication repository.
+        roles (Optional[List[str]]): List of roles that are expected to be updated.
+        keystore (Optional[Union[str, Path]]): Path to the keystore containing signing keys.
+        scheme (Optional[str]): The signature scheme.
+        prompt_for_keys (Optional[bool]): If True, prompts for keys if not found. Defaults to False.
+        paths_to_reset_on_error (Optional[List[Union[str, Path]]]): Paths to reset if an error occurs.
+        load_roles (Optional[bool]): If True, loads signing keys of the roles specified using the argument of the same name.
+        load_parents (Optional[bool]): If true, loads sining keys of the specified roles' parents.
+        load_snapshot_and_timestamp (Optional[bool]): If True, loads snapshot and timestamp signing keys.
+        commit (Optional[bool]): If True, commits changes to the repository.
+        push (Optional[bool]): If True, pushes changes to the remote repository.
+        commit_key (Optional[str]): Commit key from `messages.py`
+        commit_msg (Optional[str]): The message to use for commits.
+        no_commit_warning (Optional[bool]): If True, suppresses warnings when not committing.
+    """
     try:
         roles_to_load = set()
         if roles:
@@ -71,7 +93,7 @@ def manage_repo_and_signers(
                     auth_repo.add_signers_to_cache({role: keystore_signers})
                     auth_repo.add_signers_to_cache({role: yubikey_signers})
         yield
-        if auth_repo.something_to_commit() and commit:
+        if commit and auth_repo.something_to_commit():
             if not commit_msg and commit_key:
                 commit_msg = git_commit_message(commit_key)
             auth_repo.commit_and_push(commit_msg=commit_msg, push=push)

taf/api/metadata.py

@@ -94,6 +94,7 @@ def update_metadata_expiration_date(
     scheme: Optional[str] = DEFAULT_RSA_SIGNATURE_SCHEME,
     start_date: Optional[datetime] = None,
     commit: Optional[bool] = True,
+    commit_msg: Optional[str] = None,
     prompt_for_keys: Optional[bool] = False,
     push: Optional[bool] = True,
     update_snapshot_and_timestamp: Optional[bool] = True,
@@ -113,6 +114,7 @@ def update_metadata_expiration_date(
         start_date (optional): Date to which expiration interval is added.
             Set to today if not specified.
         commit (optional): Indicates if the changes should be committed and pushed automatically.
+        commit_msg (optional): Custom commit messages.
         prompt_for_keys (optional): Whether to ask the user to enter their key if it is not located inside the keystore directory.
         push (optional): Flag specifying whether to push to remote
 
@@ -128,17 +130,14 @@ def update_metadata_expiration_date(
     if start_date is None:
         start_date = datetime.now()
 
-    commit_msg = git_commit_message("update-expiration-dates", roles=",".join(roles))
+    commit_msg = commit_msg or git_commit_message(
+        "update-expiration-dates", roles=",".join(roles)
+    )
 
     # update the order, snapshot has to be updated before timestamp
     # and all other roles have to be updated before snapshot
     # all other roles can be updated in any order
 
-    if len(roles) == 1 and Timestamp.type in roles:
-        update_snapshot_and_timestamp = False
-    if Timestamp.type in roles and Snapshot.type in roles:
-        update_snapshot_and_timestamp = True
-
     update_snapshot_expiration_date = Snapshot.type in roles
     update_timestamp_expiration_date = Timestamp.type in roles
 
@@ -153,18 +152,82 @@ def update_metadata_expiration_date(
         commit_msg=commit_msg,
         push=push,
     ):
-        if update_snapshot_and_timestamp:
-            if update_snapshot_expiration_date:
-                auth_repo.add_to_open_metadata(Snapshot.type)
-            if update_timestamp_expiration_date:
-                auth_repo.add_to_open_metadata(Timestamp.type)
+        if update_snapshot_expiration_date:
+            auth_repo.add_to_open_metadata([Snapshot.type])
+        if update_timestamp_expiration_date:
+            auth_repo.add_to_open_metadata([Timestamp.type])
 
         for role in roles:
             auth_repo.set_metadata_expiration_date(
                 role, start_date=start_date, interval=interval
             )
 
-        auth_repo.clear_open_metadata()
+        auth_repo.remove_from_open_metadata([Snapshot.type])
+        # it is important to update snapshot first
+
+        if (update_snapshot_expiration_date or update_snapshot_and_timestamp) and not (
+            len(roles) == 1 and update_timestamp_expiration_date
+        ):
+            auth_repo.do_snapshot(force=True)
+
+        auth_repo.remove_from_open_metadata([Timestamp.type])
+        if update_timestamp_expiration_date or update_snapshot_and_timestamp:
+            auth_repo.do_timestamp(force=True)
+
+
+@check_if_clean
+def update_snapshot_and_timestamp(
+    path: str,
+    keystore: Optional[str] = None,
+    roles_to_sync: Optional[List[str]] = None,
+    scheme: Optional[str] = DEFAULT_RSA_SIGNATURE_SCHEME,
+    commit: Optional[bool] = True,
+    commit_msg: Optional[str] = None,
+    prompt_for_keys: Optional[bool] = False,
+    push: Optional[bool] = True,
+    update_expiration_dates: Optional[bool] = True,
+) -> None:
+    """
+    Update expiration snapshot and timestamp
+
+    Arguments:
+        path: Authentication repository's location.
+        keystore (optional): Keystore directory's path
+        scheme (optional): Signature scheme.
+        commit (optional): Indicates if the changes should be committed and pushed automatically.
+        commit_msg (optional): Custom commit messages.
+        prompt_for_keys (optional): Whether to ask the user to enter their key if it is not located inside the keystore directory.
+        push (optional): Flag specifying whether to push to remote
+        update_expiration_dates (optional): Flag specifying whether to update expiration dates
+
+    Side Effects:
+        Updates metadata files, saves changes to disk and commits changes
+        unless no_commit is set to True.
 
-        if update_snapshot_and_timestamp:
+    Returns:
+        None
+    """
+
+    auth_repo = AuthenticationRepository(path=path)
+
+    with manage_repo_and_signers(
+        auth_repo,
+        [],
+        keystore,
+        scheme,
+        prompt_for_keys,
+        load_snapshot_and_timestamp=True,
+        commit=commit,
+        commit_msg=commit_msg,
+        push=push,
+    ):
+        if update_expiration_dates:
+            auth_repo.add_to_open_metadata([Snapshot.type, Timestamp.type])
+            for role in [Snapshot.type, Timestamp.type]:
+                auth_repo.set_metadata_expiration_date(role)
+            auth_repo.clear_open_metadata()
+        if roles_to_sync:
+            auth_repo.sync_snapshot_with_roles(roles_to_sync)
+            auth_repo.do_timestamp(force=True)
+        else:
             auth_repo.update_snapshot_and_timestamp()

taf/api/roles.py

@@ -135,7 +135,7 @@ def add_role(
             skip_prompt=skip_prompt,
             certs_dir=auth_repo.certs_dir,
         )
-        auth_repo.create_delegated_role([new_role], signers)
+        auth_repo.create_delegated_roles([new_role], signers)
         auth_repo.add_new_roles_to_snapshot([new_role.name])
         auth_repo.do_timestamp()
 
@@ -300,7 +300,7 @@ def add_multiple_roles(
             )
             all_signers.update(signers)
 
-        auth_repo.create_delegated_role(roles_to_add_data, all_signers)
+        auth_repo.create_delegated_roles(roles_to_add_data, all_signers)
         auth_repo.add_new_roles_to_snapshot(roles_to_add)
         auth_repo.do_timestamp()
 
@@ -449,16 +449,16 @@ def revoke_signing_key(
         (
             removed_from_roles,
             not_added_roles,
-            less_than_threshold_roless,
+            less_than_threshold_roles,
         ) = auth_repo.revoke_metadata_key(key_id=key_id, roles=roles)
         if not_added_roles:
             taf_logger.log(
                 "NOTICE",
                 f"Key is not a signing key of role(s) {', '.join(not_added_roles)}",
             )
-        if less_than_threshold_roless:
+        if less_than_threshold_roles:
             taf_logger.warning(
-                f"Cannot remove key from {', '.join(less_than_threshold_roless)}. Number of keys must be greater or equal to thresholds"
+                f"Cannot remove key from {', '.join(less_than_threshold_roles)}. Number of keys must be greater or equal to thresholds"
             )
 
         if len(removed_from_roles):
@@ -473,10 +473,10 @@ def rotate_signing_key(
     roles: Optional[List[str]] = None,
     keystore: Optional[str] = None,
     scheme: Optional[str] = DEFAULT_RSA_SIGNATURE_SCHEME,
-    commit: Optional[bool] = True,
     prompt_for_keys: Optional[bool] = False,
     push: Optional[bool] = True,
-    commit_msg: Optional[str] = None,
+    revoke_commit_msg: Optional[str] = None,
+    add_commit_msg: Optional[str] = None,
 ) -> None:
     """
     Rotate signing key. Remove it from one or more roles and add a new signing key.
@@ -494,7 +494,8 @@ def rotate_signing_key(
         prompt_for_keys (optional): Whether to ask the user to enter their key if it is not located inside the keystore directory.
         commit (optional): Indicates if the changes should be committed and pushed automatically.
         push (optional): Flag specifying whether to push to remote.
-        commit_msg(optional): Commit message. Will be necessary to enter it if not provided.
+        revoke_commit_msg(optional): First commit message, when revokig the specified key. Will be necessary to enter it if not provided.
+        add_commit_msg(optional): Second commit message, when addug a new signing key. Will be necessary to enter it if not provided.
     Side Effects:
         Updates metadata files (parents of the affected roles, snapshot and timestamp).
         Writes changes to disk.
@@ -516,9 +517,10 @@ def rotate_signing_key(
             roles=roles,
             keystore=keystore,
             scheme=scheme,
-            commit=commit,
+            commit=True,
             prompt_for_keys=prompt_for_keys,
             push=False,
+            commit_msg=revoke_commit_msg,
         )
 
         add_signing_key(
@@ -527,10 +529,10 @@ def rotate_signing_key(
             pub_key=pub_key,
             keystore=keystore,
             scheme=scheme,
-            commit=commit,
+            commit=True,
             prompt_for_keys=prompt_for_keys,
             push=push,
-            commit_msg=commit_msg,
+            commit_msg=add_commit_msg,
         )