New admin sign: add support for API communication & add tests #579
Conversation
Codecov ReportAll modified and coverable lines are covered by tests ✅
Additional details and impacted files@@ Coverage Diff @@
## main #579 +/- ##
==========================================
- Coverage 98.90% 98.61% -0.29%
==========================================
Files 20 26 +6
Lines 1367 1881 +514
==========================================
+ Hits 1352 1855 +503
- Misses 15 26 +11 ☔ View full report in Codecov by Sentry. |
|
|
||
| if settings.get("SERVER") is None: | ||
| api_server = Prompt.ask("\n[cyan]API[/] URL address") | ||
| settings.SERVER = api_server |
There was a problem hiding this comment.
Do we really need to support 3 ways - settings, arg, prompt - of specifying the server address? It seems like a lot of effort for no usability gain. I suggest to at least remove the prompt.
There was a problem hiding this comment.
I am okay to drop the settings check, but there is something I am missing as a usage for settings.SERVER.
I see we set it in other commands as well such as add artifacts, delete artifacts and import-artifacts.
@kairoaraujo if we set it in one of the commands will it be setup for my next command?
There was a problem hiding this comment.
What is missing in settings.SERVER is the documentation for the user.
As a practical example, I utilize my ~/.rstuf.yml with SERVER defined, which empowers me to effectively not fill the server or address by the prompt every time.
(BTW, @MVrachev, your code works with it, I had to comment to test it)
❯ rstuf admin metadata sign
┏━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┓
┃ Metadata Signing Tool ┃
┗━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━┛
╭─ Error ─────────────────────────────────────────────────────────────────────────────╮
│ {"detail":{"message":"No metadata pending signing available","error":"Requires │
│ bootstrap started. State: None"}} │
╰─────────────────────────────────────────────────────────────────────────────────────╯
The problem here is that we focus on the code and we forgot to document it.
For example, if you setup in the rstuf.yaml
Regarding arg and prompt, prompt is better as it is interactive.
There was a problem hiding this comment.
Regarding arg and prompt, prompt is better as it is interactive
IMO interactivity isn't better per se, and we did have the discussion before, about which inputs should be provided via cli arg, and which via prompt. From what I remember ,you can argue both ways.
pro all prompt: consistent "wizard" ux for all inputs
pro cli args and prompt: inputs like server address, input file path and output file path differ are different types of inputs compared to the rest (keys, threshold, signers etc.) The former can be seen as config parameters to even use the tool, and the latter are what the tool is all about.
I lean towards using cli args for the config inputs, because they are generally easier to develop/maintain and to use. Independently, it's a nice additional feature to support providing these args via config file.
There was a problem hiding this comment.
I think I missed/forgot this discussion.
We should document it in our docs/devel/design.rst
There was a problem hiding this comment.
I think I support @kairoaraujo more on this one as for regular users of rstuf CLI it makes sense to have it configured.
If we want to continue this discussion I don't mind, but I don't feel this pr is the place to do it.
I will add settings.SERVER as an option input for now as that's how we have proceeded until now.
If we agree on something else we need to backtrack, not only for this function but everywhere to be consistent.
|
I addressed all comments and added support for local signing as suggested by @kairoaraujo. |
|
Code coverage fails because of the #581 pr. |
I think it disappears if you rebase on top of the main. |
MVrachev
force-pushed
the
admin2-add-signing-api-support
branch
2 times, most recently
from
e00fb4d
to
3ac2581
Compare
|
Rebased on top of main and fixed UT tests. |
Now, we got an exception that "file out_file_name cannot be found" as we try to open a file that doesn't exist, but it doesn't exist because the execution failed for some reason. Because of that I make sure to check the stderr before opening the file and actually receive a meaningfull error. Additionally, because click merges stdout and stderr by default (see "mix_stderr" argument https://click.palletsprojects.com/en/8.1.x/api/#testing) we receive a error "ValueError: stderr not separately captured" seamingly comming from the subprocess module or another library. To solve this issue I made "mix_stderr" to True. Signed-off-by: Martin Vrachev <[email protected]>
Add support to fetch pending roles for signing and send the result back to the API. Added tests for all cases. Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
Signed-off-by: Martin Vrachev <[email protected]>
MVrachev
force-pushed
the
admin2-add-signing-api-support
branch
from
46795fc
to
1bd4a43
Compare
|
Rebased on top of main. |
kairoaraujo
merged commit dc7a52b
into
repository-service-tuf:main
| @@ -179,11 +179,19 @@ sign (``sign``) | |||
| Usage: rstuf admin metadata sign [OPTIONS] ROOT_IN [PREV_ROOT_IN] | |||
There was a problem hiding this comment.
This now is:
Usage: rstuf admin metadata sign [OPTIONS] [SIGNING_JSON_INPUT_FILE]
| 2) provide a local file using the SIGNING_JSON_INPUT_FILE argument | ||
| When using method 2: | ||
| - 'SIGNING_JSON_INPUT_FILE' must be a file containing the JSON response from the 'GET /api/v1/metadata/sign' API endpoint. | ||
| - '--api_server' will be ignored. |
There was a problem hiding this comment.
The option has a hyphen not an underscore: --api-server
|
|
||
| - '--api_server' will be ignored. |
There was a problem hiding this comment.
See comment about underscore above.
| settings = context.obj["settings"] | ||
| signing_input: Optional[Dict[str, Any]] = None | ||
| if signing_json_input_file: | ||
| signing_input = json.load(signing_json_input_file) # type: ignore |
There was a problem hiding this comment.
minor programming advice: Since you already case handle the presence of an input file, you could add another line to extract the contents of metadata into pending_roles here. Then _get_pending roles wouldn't need the large if/else block and could be responsible for fetching pending_roles from the api only.
|
|
||
| console.print("Saved result to 'sign-payload.json'") | ||
|
|
||
| if not signing_json_input_file: |
There was a problem hiding this comment.
This is not documented, and I'm not sure if it's intuitive. Shouldn't it be possible to also post a locally read and then signed payload to the API?
|
TODO: remove prompt for server if settings.SERVER and api-server miss. Think if we can use default value of setting.SERVER for api-server for admin top-level command |
Description
New admin sign: add support for API communication
Add support to fetch pending roles for signing and send the result
back to the API.
Added tests for all cases.
Related to issue #533
Types of changes
Additional requirements
Code of Conduct
By submitting this PR, you agree to follow our Code of Conduct.