Add Hashicorp Vault support plus test (WIP)

repository_service_tuf_worker/repository.py

@@ -45,7 +45,7 @@
     get_repository_settings,
     get_worker_settings,
 )
-from repository_service_tuf_worker.interfaces import IKeyVault, IStorage
+from repository_service_tuf_worker.interfaces import IStorage
 from repository_service_tuf_worker.models import (
     rstuf_db,
     targets_crud,
@@ -168,10 +168,6 @@ def refresh_settings(self, worker_settings: Optional[Dynaconf] = None):
         # storage
         IStorage.from_dynaconf(settings)
 
-        # keyvault
-        if settings.get("KEYVAULT_BACKEND"):
-            IKeyVault.from_dynaconf(settings)
-
         self._worker_settings = settings
         return settings
 

repository_service_tuf_worker/services/__init__.py

@@ -4,13 +4,9 @@
 # SPDX-License-Identifier: MIT
 
 from repository_service_tuf_worker.interfaces import (  # noqa
-    IKeyVault,
     IStorage,
     ServiceSettings,
 )
-from repository_service_tuf_worker.services.keyvault.local import (  # noqa
-    LocalKeyVault,
-)
 from repository_service_tuf_worker.services.storage import (  # noqa
     AWSS3,
     LocalStorage,

repository_service_tuf_worker/signer.py

@@ -74,9 +74,7 @@ def from_priv_key_uri(
 
 RSTUF_ONLINE_KEY_URI_FIELD = "x-rstuf-online-key-uri"
 
-# Register non-default securesystemslib file signer
-# secure-systems-lab/securesystemslib#617
-SIGNER_FOR_URI_SCHEME[CryptoSigner.FILE_URI_SCHEME] = CryptoSigner
+
 # Register custom FileNameSigner
 SIGNER_FOR_URI_SCHEME[FileNameSigner.SCHEME] = FileNameSigner
 
@@ -101,6 +99,8 @@ def isolated_env(env: dict[str, str]):
     "AWS_SECRET_ACCESS_KEY",
     "AWS_ENDPOINT_URL",
     "AWS_DEFAULT_REGION",
+    "VAULT_ADDR",
+    "VAULT_TOKEN",
 ]
 
 

requirements-dev.txt

@@ -106,10 +106,10 @@ pydantic-core==2.18.2; python_version >= '3.8'
 pynacl==1.5.0
 pytz==2024.1
 redis==5.0.4; python_version >= '3.7'
-securesystemslib[crypto,pynacl]==0.31.0; python_version ~= '3.8'
+securesystemslib[crypto]==1.0.0; python_version ~= '3.8'
 sqlalchemy==2.0.29; python_version >= '3.7'
 supervisor==4.2.5
-tuf==4.0.0; python_version >= '3.8'
+tuf @ git+https://github.com/theupdateframework/python-tuf@a7b832b88ff3c094aafdd78a72bbcf19a93b0bf0 ; python_version >= '3.8'
 tzdata==2024.1; python_version >= '2'
 vine==5.1.0; python_version >= '3.6'
 watchdog==4.0.0; python_version >= '3.8'

requirements.txt

@@ -39,12 +39,12 @@ pytz==2024.1
 redis==5.0.4; python_version >= '3.7'
 requests==2.31.0; python_version >= '3.7'
 s3transfer==0.10.1; python_version >= '3.8'
-securesystemslib[crypto,pynacl]==0.31.0; python_version ~= '3.8'
+securesystemslib[crypto]==1.0.0; python_version ~= '3.8'
 setuptools==69.5.1; python_version >= '3.8'
 six==1.16.0; python_version >= '2.7' and python_version not in '3.0, 3.1, 3.2, 3.3'
 sqlalchemy==2.0.29; python_version >= '3.7'
 supervisor==4.2.5
-tuf==4.0.0; python_version >= '3.8'
+tuf @ git+https://github.com/theupdateframework/python-tuf@a7b832b88ff3c094aafdd78a72bbcf19a93b0bf0 ; python_version >= '3.8'
 typing-extensions==4.11.0; python_version >= '3.8'
 tzdata==2024.1; python_version >= '2'
 urllib3==2.2.1; python_version >= '3.10'

tests/files/vault/init.sh

@@ -0,0 +1,13 @@
+#!/usr/bin/env bash
+
+vault server -dev -dev-root-token-id="${RSTUF_VAULT_TOKEN}" &
+
+export VAULT_ADDR=${RSTUF_VAULT_ADDR}
+
+until vault status
+do
+    sleep 0.1
+done
+
+vault secrets enable transit
+vault write -force transit/keys/test-key-ed25519 type=ed25519

tests/files/vault/stop.sh

@@ -0,0 +1,3 @@
+#!/usr/bin/env bash
+
+pkill -f "vault server -dev"

tests/unit/conftest.py

@@ -14,14 +14,6 @@
 
 @pytest.fixture()
 def test_repo(monkeypatch: pytest.MonkeyPatch) -> MetadataRepository:
-    from repository_service_tuf_worker.services.keyvault import local
-
-    fake_import_privatekey_from_file = pretend.call_recorder(lambda *a: None)
-    monkeypatch.setattr(
-        local,
-        "import_privatekey_from_file",
-        fake_import_privatekey_from_file,
-    )
     return MetadataRepository.create_service()