Transition to the newest version of TUF

taf/api/api_workflow.py

@@ -5,7 +5,7 @@
 from taf.api.utils._conf import find_keystore
 from taf.auth_repo import AuthenticationRepository
 from taf.constants import DEFAULT_RSA_SIGNATURE_SCHEME
-from taf.exceptions import CommandValidationError, InvalidRepositoryError, TAFError
+from taf.exceptions import CommandValidationError, InvalidRepositoryError, SigningError, TAFError
 from taf.git import GitRepository
 from taf.keys import load_signers
 from taf.log import taf_logger
@@ -26,6 +26,7 @@ def manage_repo_and_signers(
     push=True,
     commit_key=None,
     commit_msg=None,
+    no_commit_warning=True,
 ):
     try:
         if roles:
@@ -43,28 +44,29 @@ def manage_repo_and_signers(
                 roles_to_load.add("snapshot")
                 roles_to_load.add("timestamp")
 
-            for role in roles_to_load:
-                keystore_signers, yubikeys = load_signers(
-                    auth_repo,
-                    role,
-                    loaded_yubikeys=loaded_yubikeys,
-                    keystore=keystore_path,
-                    scheme=scheme,
-                    prompt_for_keys=prompt_for_keys,
-                )
-                auth_repo.load_signers({role: keystore_signers})
+                for role in roles_to_load:
+                    keystore_signers, yubikeys = load_signers(
+                        auth_repo,
+                        role,
+                        loaded_yubikeys=loaded_yubikeys,
+                        keystore=keystore_path,
+                        scheme=scheme,
+                        prompt_for_keys=prompt_for_keys,
+                    )
+                    auth_repo.load_signers({role: keystore_signers})
         yield
         if auth_repo.something_to_commit() and commit:
             if not commit_msg and commit_key:
                 commit_msg = git_commit_message(commit_key)
             auth_repo.commit_and_push(commit_msg=commit_msg, push=push)
-        else:
+        elif not no_commit_warning:
             taf_logger.log("NOTICE", "\nPlease commit manually\n")
 
-    except CommandValidationError:
-        pass
     except Exception as e:
         taf_logger.error(f"An error occurred: {e}")
         if auth_repo.is_git_repository:
-            auth_repo.clean_and_reset()
+            # restore metadata, leave targets as they might have been modified by the user
+            # TODO flag for also resetting targets?
+            # also update the CLI error handling
+            auth_repo.restore(["metadata"])
         raise TAFError from e

taf/api/targets.py

@@ -6,6 +6,7 @@
 from collections import defaultdict
 from pathlib import Path
 from logdecorator import log_on_end, log_on_error, log_on_start
+from taf.api.api_workflow import manage_repo_and_signers
 from taf.api.utils._metadata import (
     update_snapshot_and_timestamp,
     update_target_metadata,
@@ -326,8 +327,8 @@ def register_target_files(
     roles_key_infos: Optional[str] = None,
     commit: Optional[bool] = True,
     scheme: Optional[str] = DEFAULT_RSA_SIGNATURE_SCHEME,
-    taf_repo: Optional[TUFRepository] = None,
-    write: Optional[bool] = False,
+    auth_repo: Optional[AuthenticationRepository] = None,
+    update_snapshot_and_timestamp: Optional[bool] = True,
     prompt_for_keys: Optional[bool] = False,
     push: Optional[bool] = True,
     no_commit_warning: Optional[bool] = True,
@@ -340,7 +341,7 @@ def register_target_files(
         path: Authentication repository's path.
         keystore: Location of the keystore files.
         roles_key_infos: A dictionary whose keys are role names, while values contain information about the keys.
-        scheme (optional): Signing scheme. Set to rsa-pkcs1v15-sha256 by default.
+    scheme (optional): Signing scheme. Set to rsa-pkcs1v15-sha256 by default.
         taf_repo (optional): If taf repository is already initialized, it can be passed and used.
         write (optional): Write metadata updates to disk if set to True
         commit (optional): Indicates if the changes should be committed and pushed automatically.
@@ -352,34 +353,47 @@ def register_target_files(
     Returns:
         True if there were targets that were updated, False otherwise
     """
+
+    # find files that should be added/modified/removed
+
+    if auth_repo is None:
+        auth_repo = AuthenticationRepository(path=path)
+
+    added_targets_data, removed_targets_data = auth_repo.get_all_target_files_state()
+    if not added_targets_data and not removed_targets_data:
+        taf_logger.log("NOTICE", "No updated targets")
+        return False
+
+    all_updated_targets = list(added_targets_data.keys()) if added_targets_data else []
+    if removed_targets_data:
+        all_updated_targets.extend(list(removed_targets_data.keys()))
+
+    roles_and_targets = defaultdict(list)
+    for path in all_updated_targets:
+        roles_and_targets[auth_repo.get_role_from_target_paths([path])].append(path)
+
     _, keystore, _ = _initialize_roles_and_keystore(
         roles_key_infos, keystore, enter_info=False
     )
-    if taf_repo is None:
-        path = Path(path).resolve()
-        taf_repo = TUFRepository(str(path))
 
-    # find files that should be added/modified/removed
-    added_targets_data, removed_targets_data = taf_repo.get_all_target_files_state()
-    updated = update_target_metadata(
-        taf_repo,
-        added_targets_data,
-        removed_targets_data,
+    with manage_repo_and_signers(
+        auth_repo,
+        set(roles_and_targets.keys()),
         keystore,
-        scheme=scheme,
-        write=write,
-        prompt_for_keys=prompt_for_keys,
-    )
-
-    if updated and write:
-        if commit:
-            auth_repo = AuthenticationRepository(path=taf_repo.path)
-            commit_msg = git_commit_message("update-targets")
-            auth_repo.commit_and_push(commit_msg=commit_msg, push=push)
-        elif not no_commit_warning:
-            taf_logger.log("NOTICE", "\nPlease commit manually\n")
-
-    return updated
+        scheme,
+        prompt_for_keys,
+        load_snapshot_and_timestamp=update_snapshot_and_timestamp,
+        load_parents=False,
+        load_roles=True,
+        commit=commit,
+        push=push,
+        commit_key="update-targets",
+        no_commit_warning=no_commit_warning,
+    ):
+        for role, targets in roles_and_targets.items():
+            auth_repo.update_target_role(role, targets)
+        if update_snapshot_and_timestamp:
+            auth_repo.update_snapshot_and_timestamp()
 
 
 @log_on_start(DEBUG, "Removing target repository {target_name:s}", logger=taf_logger)

taf/git.py

@@ -1466,6 +1466,11 @@ def reset_to_commit(
         if hard:
             self._git(f"reset {flag} HEAD")
 
+    def restore(
+        self, subdirectories: str
+    ) -> None:
+        self._git(f"restore {' '.join(subdirectories)}")
+
     def update_branch_refs(self, branch: str, commit: str) -> None:
         # Update the local branch reference to the specific commit
         self._git(f"update-ref refs/heads/{branch} {commit}")

taf/tools/cli/__init__.py

@@ -46,7 +46,8 @@ def wrapper(*args, **kwargs):
                 path = kwargs["path"]
                 repo = GitRepository(path=path)
                 if repo.is_git_repository:
-                    repo.clean_and_reset()
+                    repo.restore(["metadata"])
+                    # repo.clean_and_reset()
                 if remove_dir_on_error:
                     shutil.rmtree(path, onerror=on_rm_error)
 

taf/tools/targets/__init__.py

@@ -159,7 +159,7 @@ def sign(path, keystore, keys_description, scheme, prompt_for_keys, no_commit):
                 keystore=keystore,
                 roles_key_infos=keys_description,
                 scheme=scheme,
-                write=True,
+                update_snapshot_and_timestamp=True,
                 prompt_for_keys=prompt_for_keys,
                 commit=not no_commit
             )

taf/tuf/repository.py

@@ -265,8 +265,7 @@ def add_target_files_to_role(self, added_data: Dict[str, Dict]) -> None:
         """
         self.modify_targets(added_data=added_data)
 
-        self.do_snapshot()
-        self.do_timestamp()
+
 
     def add_path_to_delegated_role(self, role: str, paths: List[str]) -> bool:
         """
@@ -530,6 +529,18 @@ def create_delegated_role(self, roles_data: List[TargetsRole], signers: Dict[str
                 added_roles.append(role_data.name)
         return added_roles, existing_roles
 
+    def _create_target_object(self, filesystem_path: str, target_path: str, custom: Optional[Dict]):
+        target_file = TargetFile.from_file(
+            target_file_path=target_path,
+            local_path=filesystem_path,
+            hash_algorithms=["sha256", "sha512"],
+        )
+        if custom:
+            unrecognized_fields = {
+                "custom": custom
+            }
+            target_file.unrecognized_fields=unrecognized_fields
+        return target_file
 
     def delete_unregistered_target_files(self, targets_role="targets"):
         """
@@ -680,10 +691,12 @@ def get_all_target_files_state(self):
             _, hashes = get_file_details(str(target_file))
             # register only new or changed files
             if hashes.get(HASH_FUNCTION) != self.get_target_file_hashes(file_name):
+                custom = self.get_target_file_custom_data(file_name)
                 added_target_files[file_name] = {
                     "target": target_file.read_text(),
-                    "custom": self.get_target_file_custom_data(file_name),
                 }
+                if custom:
+                     added_target_files[file_name]["custom"] = custom
 
         # removed files
         for file_name in signed_target_files - fs_target_files:
@@ -841,7 +854,10 @@ def get_target_file_custom_data(self, target_path: str) -> Optional[Dict]:
         """
         try:
             role = self.get_role_from_target_paths([target_path])
-            return self.get_targets_of_role(role)[target_path].custom
+            target_obj = self.get_targets_of_role(role).get(target_path)
+            if target_obj:
+                return target_obj.custom
+            return None
         except KeyError:
             raise TAFError(f"Target {target_path} does not exist")
 
@@ -851,7 +867,10 @@ def get_target_file_hashes(self, target_path, hash_func=HASH_FUNCTION):
         """
         try:
             role = self.get_role_from_target_paths([target_path])
-            hashes = self.get_targets_of_role(role)[target_path].hashes
+            targets_of_role = self.get_targets_of_role(role)
+            if target_path not in targets_of_role:
+                return None, None
+            hashes = targets_of_role[target_path].hashes
             if hash_func not in hashes:
                 raise TAFError(f"Invalid hashing algorithm {hash_func}")
             return hashes[hash_func]
@@ -1330,6 +1349,24 @@ def sort_roles_targets_for_filenames(self):
             roles_targets.setdefault(role, []).append(target_file)
         return roles_targets
 
+    def update_target_role(self, role: str, target_paths: Dict):
+        if not self.check_if_role_exists(role):
+            raise TAFError(f"Role {role} does not exist")
+        self.verify_signers_loaded([role])
+        removed_paths = []
+        target_files = []
+        for target_path in target_paths:
+            full_path = self.path / TARGETS_DIRECTORY_NAME / target_path
+            # file removed, removed from te role
+            if not full_path.is_file():
+                removed_paths.append(target_path)
+            else:
+                custom_data = self.get_target_file_custom_data(target_path)
+                target_file = self._create_target_object(full_path, target_path, custom_data)
+                target_files.append(target_file)
+
+        self._modify_tarets_role(target_files, removed_paths, role)
+
     def update_role(self, role_name: str, signers: List[CryptoSigner]):
         self._load_signers(role_name, signers)
         with self.eidt(role_name) as role: