Transition to the newest version of TUF

taf/api/keystore.py

@@ -4,11 +4,7 @@
 from pathlib import Path
 from taf.models.types import RolesKeysData
 from taf.api.utils._conf import find_taf_directory
-from tuf.repository_tool import (
-    generate_and_write_rsa_keypair,
-    generate_and_write_unencrypted_rsa_keypair,
-)
-from securesystemslib import keys
+
 
 from taf.api.roles import _initialize_roles_and_keystore
 from taf.keys import get_key_name

taf/api/metadata.py

@@ -4,10 +4,10 @@
 from logdecorator import log_on_end, log_on_error
 from taf.api.utils._git import check_if_clean
 from taf.exceptions import TAFError
-from taf.keys import load_signers, load_signing_keys
+from taf.keys import load_signers
 from taf.constants import DEFAULT_RSA_SIGNATURE_SCHEME
 from taf.messages import git_commit_message
-from taf.repository_tool import Repository, is_delegated_role
+from taf.tuf.repository import Repository as TUFRepository, is_delegated_role
 from taf.log import taf_logger
 from taf.auth_repo import AuthenticationRepository
 
@@ -42,7 +42,7 @@ def check_expiration_dates(
     Returns:
         None
     """
-    taf_repo = Repository(path)
+    taf_repo = TUFRepository(path)
 
     if start_date is None:
         start_date = datetime.now()
@@ -122,7 +122,7 @@ def update_metadata_expiration_date(
     if start_date is None:
         start_date = datetime.now()
 
-    taf_repo = Repository(path)
+    taf_repo = TUFRepository(path)
     loaded_yubikeys: Dict = {}
     roles_to_update = []
 
@@ -169,7 +169,7 @@ def update_metadata_expiration_date(
     reraise=True,
 )
 def _update_expiration_date_of_role(
-    auth_repo: Repository,
+    auth_repo: TUFRepository,
     role: str,
     loaded_yubikeys: Dict,
     keystore: str,

taf/api/repository.py

@@ -21,7 +21,6 @@
 import taf.repositoriesdb as repositoriesdb
 from taf.api.utils._conf import find_keystore
 from taf.utils import ensure_pre_push_hook
-from tuf.repository_tool import create_new_repository
 from taf.log import taf_logger
 
 
@@ -74,6 +73,7 @@ def create_repository(
     )
 
     roles_keys_data = from_dict(roles_key_infos_dict, RolesKeysData)
+    # TODO
     repository = create_new_repository(
         str(auth_repo.path), repository_name=auth_repo.name
     )

taf/api/roles.py

@@ -7,22 +7,20 @@
 import json
 from pathlib import Path
 from logdecorator import log_on_end, log_on_error, log_on_start
-from taf.api.utils._roles import _role_obj, create_delegations
+from tuf.api._payload import Targets
+from taf.api.utils._roles import create_delegations
 from taf.messages import git_commit_message
-from tuf.repository_tool import Targets
 from taf.api.utils._git import check_if_clean
 from taf.exceptions import KeystoreError, TAFError
 from taf.models.converter import from_dict
 from taf.models.types import RolesIterator, TargetsRole, compare_roles_data
 from taf.repositoriesdb import REPOSITORIES_JSON_PATH
-from tuf.repository_tool import TARGETS_DIRECTORY_NAME
-import tuf.roledb
 import taf.repositoriesdb as repositoriesdb
 from taf.keys import (
     find_keystore,
     get_key_name,
     get_metadata_key_info,
-    load_signing_keys,
+    load_signers,
     load_sorted_keys_of_new_roles,
 )
 from taf.api.utils._metadata import (
@@ -33,17 +31,15 @@
 from taf.constants import (
     DEFAULT_ROLE_SETUP_PARAMS,
     DEFAULT_RSA_SIGNATURE_SCHEME,
+    TARGETS_DIRECTORY_NAME,
 )
 from taf.keystore import new_public_key_cmd_prompt
-from taf.repository_tool import is_delegated_role
+from taf.tuf.repository import MAIN_ROLES, is_delegated_role
 from taf.utils import get_key_size, read_input_dict, resolve_keystore_path
 from taf.log import taf_logger
 from taf.models.types import RolesKeysData
 
 
-MAIN_ROLES = ["root", "snapshot", "timestamp", "targets"]
-
-
 @log_on_start(DEBUG, "Adding a new role {role:s}", logger=taf_logger)
 @log_on_end(DEBUG, "Finished adding a new role", logger=taf_logger)
 @log_on_error(
@@ -779,7 +775,7 @@ def remove_role(
     if parent_role is None:
         taf_logger.error("Role is not among delegated roles")
         return
-    parent_role_obj = _role_obj(parent_role, auth_repo)
+    parent_role_obj = auth_repo._role_obj(parent_role, auth_repo)
     if not isinstance(parent_role_obj, Targets):
         taf_logger.error(f"Could not find parent targets role of role {role}.")
         return
@@ -973,16 +969,16 @@ def _update_role(
     snapshot and timestamp and writing changes to disk
     """
     loaded_yubikeys: Dict = {}
-    keystore_keys, yubikeys = load_signing_keys(
+    keystore_signers, yubikeys = load_signers(
         auth_repo,
         role,
         loaded_yubikeys,
         keystore,
         scheme=scheme,
         prompt_for_keys=prompt_for_keys,
     )
-    if len(keystore_keys):
-        auth_repo.update_role_keystores(role, keystore_keys, write=False)
+    if len(keystore_signers):
+        auth_repo.update_role_keystores(role, keystore_signers, write=False)
     if len(yubikeys):
         auth_repo.update_role_yubikeys(role, yubikeys, write=False)
 

taf/api/targets.py

@@ -25,8 +25,7 @@
 import taf.repositoriesdb as repositoriesdb
 from taf.log import taf_logger
 from taf.auth_repo import AuthenticationRepository
-from taf.repository_tool import Repository
-from tuf.repository_tool import TARGETS_DIRECTORY_NAME
+from taf.tuf.repository import Repository as TUFRepository
 
 
 @log_on_start(DEBUG, "Adding target repository {target_name:s}", logger=taf_logger)
@@ -327,7 +326,7 @@ def register_target_files(
     roles_key_infos: Optional[str] = None,
     commit: Optional[bool] = True,
     scheme: Optional[str] = DEFAULT_RSA_SIGNATURE_SCHEME,
-    taf_repo: Optional[Repository] = None,
+    taf_repo: Optional[TUFRepository] = None,
     write: Optional[bool] = False,
     prompt_for_keys: Optional[bool] = False,
     push: Optional[bool] = True,
@@ -358,7 +357,7 @@ def register_target_files(
     )
     if taf_repo is None:
         path = Path(path).resolve()
-        taf_repo = Repository(str(path))
+        taf_repo = TUFRepository(str(path))
 
     # find files that should be added/modified/removed
     added_targets_data, removed_targets_data = taf_repo.get_all_target_files_state()

taf/api/utils/_metadata.py

@@ -2,9 +2,9 @@
 from typing import Dict, Optional
 from logdecorator import log_on_end, log_on_error, log_on_start
 from taf.exceptions import TAFError
-from taf.keys import load_signing_keys
+from taf.keys import load_signers
 from taf.constants import DEFAULT_RSA_SIGNATURE_SCHEME
-from taf.repository_tool import Repository
+from taf.tuf.repository import Repository as TUFRepository
 from taf.log import taf_logger
 
 
@@ -17,7 +17,7 @@
     reraise=True,
 )
 def update_snapshot_and_timestamp(
-    taf_repo: Repository,
+    taf_repo: TUFRepository,
     keystore: str,
     scheme: Optional[str] = DEFAULT_RSA_SIGNATURE_SCHEME,
     write_all: Optional[bool] = True,
@@ -44,7 +44,7 @@ def update_snapshot_and_timestamp(
     loaded_yubikeys: Dict = {}
 
     for role in ("snapshot", "timestamp"):
-        keystore_keys, yubikeys = load_signing_keys(
+        keystore_signers, yubikeys = load_signers(
             taf_repo,
             role,
             loaded_yubikeys,
@@ -55,9 +55,9 @@ def update_snapshot_and_timestamp(
         if len(yubikeys):
             update_method = taf_repo.roles_yubikeys_update_method(role)
             update_method(yubikeys, write=False)
-        if len(keystore_keys):
+        if len(keystore_signers):
             update_method = taf_repo.roles_keystore_update_method(role)
-            update_method(keystore_keys, write=False)
+            update_method(keystore_signers, write=False)
 
     if write_all:
         taf_repo.writeall()
@@ -73,7 +73,7 @@ def update_snapshot_and_timestamp(
     reraise=True,
 )
 def update_target_metadata(
-    taf_repo: Repository,
+    taf_repo: TUFRepository,
     added_targets_data: Dict,
     removed_targets_data: Dict,
     keystore: str,

taf/api/utils/_roles.py

@@ -1,19 +1,21 @@
+from taf.tuf.keys import yubikey_signature_provider
+from taf.tuf.repository import MAIN_ROLES
 import tuf
 from logging import DEBUG, INFO
-from typing import Dict, List, Optional, Union
+from typing import Dict, List, Optional
 from functools import partial
 from logdecorator import log_on_end, log_on_start
-from tuf.repository_tool import Repository as TUFRepository, Targets
 from taf.exceptions import TAFError
 from taf.models.types import RolesIterator
-from tuf.repository_tool import Metadata
 from taf import YubikeyMissingLibrary
 from taf.keys import get_key_name
 from taf.auth_repo import AuthenticationRepository
 from taf.constants import YUBIKEY_EXPIRATION_DATE
-from taf.repository_tool import MAIN_ROLES, Repository, yubikey_signature_provider
+from taf.tuf.repository import Repository as TUFRepository
 from taf.models.types import Role
 from taf.log import taf_logger
+from tuf.api._payload import Targets
+
 
 ykman_installed = True
 try:
@@ -52,7 +54,7 @@ def create_delegations(
     skip_top_role = role.name == "targets"
     try:
         for delegated_role in RolesIterator(role, skip_top_role=skip_top_role):
-            parent_role_obj = _role_obj(delegated_role.parent.name, repository)
+            parent_role_obj = repository._role_obj(delegated_role.parent.name, repository)
             if not isinstance(parent_role_obj, Targets):
                 raise TAFError(
                     f"Could not find parent targets role of role {delegated_role}"
@@ -107,7 +109,7 @@ def setup_role(
     """
     Initialize a new role, add signing and verification keys.
     """
-    role_obj = _role_obj(role.name, repository, parent)
+    role_obj = repository._role_obj(role.name, repository, parent)
     role_obj.threshold = role.threshold
     if not role.is_yubikey:
         if verification_keys is None or signing_keys is None:
@@ -143,32 +145,6 @@ def setup_role(
             tuf.roledb._roledb_dict[repository.name][role.name]["previous_keyids"] = []
 
 
-def _role_obj(
-    role: str,
-    repository: Union[Repository, TUFRepository],
-    parent: Optional[Targets] = None,
-) -> Metadata:
-    """
-    Return role TUF object based on its name
-    """
-    if isinstance(repository, Repository):
-        tuf_repository = repository._repository
-    else:
-        tuf_repository = repository
-    if role == "targets":
-        return tuf_repository.targets
-    elif role == "snapshot":
-        return tuf_repository.snapshot
-    elif role == "timestamp":
-        return tuf_repository.timestamp
-    elif role == "root":
-        return tuf_repository.root
-    else:
-        # return delegated role
-        if parent is None:
-            return tuf_repository.targets(role)
-        return parent(role)
-
 
 def list_roles(repository: AuthenticationRepository) -> List[str]:
     """

taf/api/yubikey.py

@@ -7,7 +7,6 @@
 from taf.api.utils._roles import get_roles_and_paths_of_key
 from taf.auth_repo import AuthenticationRepository
 from taf.exceptions import TAFError
-from tuf.repository_tool import import_rsakey_from_pem
 
 from taf.constants import DEFAULT_RSA_SIGNATURE_SCHEME
 from taf.log import taf_logger

taf/auth_repo.py

@@ -7,17 +7,12 @@
 from collections import defaultdict
 from contextlib import contextmanager
 from pathlib import Path
-from tuf.repository_tool import METADATA_DIRECTORY_NAME
 from taf.git import GitRepository
-from taf.repository_tool import (
-    Repository as TAFRepository,
-    get_role_metadata_path,
-    get_target_path,
-)
+from taf.tuf.repository import METADATA_DIRECTORY_NAME, Repository as TUFRepository, get_role_metadata_path, get_target_path
 from taf.constants import INFO_JSON_PATH
 
 
-class AuthenticationRepository(GitRepository, TAFRepository):
+class AuthenticationRepository(GitRepository, TUFRepository):
 
     LAST_VALIDATED_FILENAME = "last_validated_commit"
     TEST_REPO_FLAG_FILE = "test-auth-repo"

taf/keys.py

@@ -9,13 +9,10 @@
 from taf.models.types import Role, RolesIterator
 from taf.models.models import TAFKey
 from taf.models.types import TargetsRole, MainRoles, UserKeyData
-from taf.repository_tool import Repository
+from taf.tuf.repository import Repository as TUFRepository
 from taf.api.utils._conf import find_keystore
 from taf.tuf.keys import load_signer_from_pem
-from tuf.repository_tool import (
-    generate_and_write_unencrypted_rsa_keypair,
-    generate_and_write_rsa_keypair,
-)
+
 from taf.constants import DEFAULT_RSA_SIGNATURE_SCHEME, RoleSetupParams
 from taf.exceptions import (
     KeystoreError,
@@ -29,11 +26,7 @@
     read_public_key_from_keystore,
 )
 from taf import YubikeyMissingLibrary
-from securesystemslib import keys
-from securesystemslib.interface import (
-    import_rsa_privatekey_from_file,
-    import_rsa_publickey_from_file,
-)
+
 
 from securesystemslib.signer._crypto_signer import CryptoSigner
 
@@ -222,7 +215,7 @@ def _load_signer_from_keystore(
 
 @log_on_start(INFO, "Loading signing keys of '{role:s}'", logger=taf_logger)
 def load_signers(
-    taf_repo: Repository,
+    taf_repo: TUFRepository,
     role: str,
     loaded_yubikeys: Optional[Dict],
     keystore: Optional[str] = None,

taf/keystore.py

@@ -6,17 +6,14 @@
 from typing import Dict, List, Optional
 import click
 import securesystemslib
-from securesystemslib.interface import (
-    import_rsa_publickey_from_file,
-)
-from taf.repository_tool import Repository
 from taf.tuf.keys import load_signer_from_file
-from tuf.repository_tool import import_rsakey_from_pem
 
 from taf.constants import DEFAULT_RSA_SIGNATURE_SCHEME
 from taf.exceptions import KeystoreError
 
-from securesystemslib.securesystemslib.signer._crypto_signer import CryptoSigner
+from taf.tuf.repository import Repository as TUFRepository
+
+from securesystemslib.signer._crypto_signer import CryptoSigner
 
 
 def default_keystore_path() -> str:
@@ -49,7 +46,7 @@ def _from_public_pem(pem: str) -> str:
 def key_cmd_prompt(
     key_name: str,
     role: str,
-    taf_repo: Repository,
+    taf_repo: TUFRepository,
     loaded_keys: Optional[List] = None,
     scheme: Optional[str] = DEFAULT_RSA_SIGNATURE_SCHEME,
 ) -> Optional[Dict]: