Merge pull request #121 from pvarki/conventional_commits

Enforce Conventional commits, add deployment name to pfx filename, add endpoint for OIDC self reg token request

Author: rambo

.pre-commit-config.yaml

@@ -2,9 +2,18 @@
 # See https://pre-commit.com/hooks.html for more hooks
 default_language_version:
     python: python3.11
+default_install_hook_types:
+  - pre-commit
+  - commit-msg
 repos:
+-   repo: https://github.com/compilerla/conventional-pre-commit
+    rev: v4.0.0
+    hooks:
+      - id: conventional-pre-commit
+        stages: [commit-msg]
+        args: []
 -   repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.4.0
+    rev: v5.0.0
     hooks:
     -   id: no-commit-to-branch
     -   id: check-executables-have-shebangs
@@ -22,29 +31,29 @@ repos:
         args:
         - --autofix
 -   repo: https://github.com/psf/black
-    rev: 23.7.0
+    rev: 25.1.0
     hooks:
     -   id: black
         language_version: python3
 -   repo: https://github.com/pre-commit/mirrors-mypy
-    rev: v1.5.1
+    rev: v1.15.0
     hooks:
     -   id: mypy
         language: system
 -   repo: https://github.com/pycqa/pylint
-    rev: v2.17.5
+    rev: v3.3.6
     hooks:
     -   id: pylint
         language: system
 -   repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.5.0
+    rev: v1.5.5
     hooks:
     -   id: forbid-crlf
     -   id: remove-crlf
     -   id: forbid-tabs
     -   id: remove-tabs
 -   repo: https://github.com/PyCQA/bandit
-    rev: 1.7.5
+    rev: 1.8.3
     hooks:
     - id: bandit
       args: ["--skip=B101"]
@@ -53,7 +62,7 @@ repos:
     hooks:
     -   id: rst-linter
 -   repo: https://github.com/Yelp/detect-secrets
-    rev: v1.4.0
+    rev: v1.5.0
     hooks:
     -   id: detect-secrets
         language: system

README.rst

@@ -236,7 +236,7 @@ pre-commit considerations
 
 If working in Docker instead of native env you need to run the pre-commit checks in docker too::
 
-    docker exec -i rasenmaeher_api_devel /bin/bash -c "pre-commit install"
+    docker exec -i rasenmaeher_api_devel /bin/bash -c "pre-commit install --install-hooks"
     docker exec -i rasenmaeher_api_devel /bin/bash -c "pre-commit run --all-files"
 
 You need to have the container running, see above. Or alternatively use the docker run syntax but using
@@ -290,7 +290,7 @@ TLDR:
 - Install project deps and pre-commit hooks::
 
     poetry install
-    pre-commit install
+    pre-commit install --install-hooks
     pre-commit run --all-files
 
 - Ready to go.

poetry.lock

@@ -99,10 +99,10 @@ psycopg2 = "^2.9"
 pytest = "^7.4"
 coverage = "^7.3"
 pytest-cov = "^4.1"
-pylint = "^2.17"
-black = "^23.7"
-bandit = "^1.7"
-mypy = "^1.5"
+pylint = "^3.3"
+black = "^25.1"
+bandit = "^1.8"
+mypy = "^1.15"
 pre-commit = "^3.3"
 pytest-asyncio = ">=0.23,<1.0" # caret behaviour on 0.x is to lock to 0.x.*
 bump2version = "^1.0"

pyproject.toml

@@ -1,2 +1,3 @@
-""" python-rasenmaeher-api """
+"""python-rasenmaeher-api"""
+
 __version__ = "1.6.4"  # NOTE Use `bump2version --config-file patch` to bump versions correctly

src/rasenmaeher_api/__init__.py

@@ -1,4 +1,5 @@
 """This needs to be separated to avoid circular imports"""
+
 import logging
 
 import aiohttp
@@ -18,7 +19,7 @@ async def anon_sign_csr(csr: str, bundle: bool = True) -> str:
     params: csr
     returns: certificate
     """
-    async with (await anon_session()) as session:
+    async with await anon_session() as session:
         url = f"{ocsprest_base()}/api/v1/csr/sign"
         payload = {"certificate_request": csr, "profile": "client", "bundle": bundle}
         try:

src/rasenmaeher_api/cfssl/anoncsr.py

@@ -1,4 +1,5 @@
 """Base helpers etc"""
+
 from typing import Any, Mapping, Union, List, cast
 import logging
 import ssl

src/rasenmaeher_api/cfssl/base.py

@@ -1,4 +1,5 @@
 """mTLS stuff, needs to be away from base to avoid cyclic imports"""
+
 import logging
 
 import aiohttp

src/rasenmaeher_api/cfssl/mtls.py

@@ -1,4 +1,5 @@
 """Private apis"""
+
 from typing import Union, Optional, Any, Dict
 import asyncio
 import logging
@@ -26,7 +27,7 @@ async def post_ocsprest(
     """Do a POST with the mTLS client"""
     if timeout is None:
         timeout = RMSettings.singleton().cfssl_timeout
-    async with (await mtls_session()) as session:
+    async with await mtls_session() as session:
         try:
             LOGGER.debug("POSTing to {}, payload={}".format(url, send_payload))
             async with session.post(url, data=send_payload, timeout=aiohttp.ClientTimeout(total=timeout)) as response:
@@ -54,7 +55,7 @@ async def sign_csr(csr: str, bundle: bool = True) -> str:
     params: csr, whether to return cert of full bundle
     returns: certificate as PEM
     """
-    async with (await mtls_session()) as session:
+    async with await mtls_session() as session:
         url = f"{ocsprest_base()}/api/v1/csr/sign"
         payload = {"certificate_request": csr, "profile": "client", "bundle": bundle}
         try:
@@ -76,7 +77,7 @@ async def sign_ocsp(cert: str, status: str = "good") -> Any:
     Call ocspsign endpoint
     """
 
-    async with (await mtls_session()) as session:
+    async with await mtls_session() as session:
         url = f"{base_url()}/api/v1/cfssl/ocspsign"
         payload = {"certificate": cert, "status": status}
         try:
@@ -129,7 +130,7 @@ async def revoke_serial(serialno: str, authority_key_id: str, reason: ReasonType
     Reason must be one of the enumerations of cryptography.x509.ReasonFlags or it's string values (see REASONS_BY_VALUE)
     """
     reason = validate_reason(reason)
-    async with (await mtls_session()) as session:
+    async with await mtls_session() as session:
         url = f"{base_url()}/api/v1/cfssl/revoke"
         payload = {
             "serial": serialno,
@@ -168,7 +169,7 @@ async def certadd_pem(pem: Union[str, Path], status: str = "good") -> Any:
     if not kid:
         raise ValueError("Cannot resolve authority_key_id from the cert")
 
-    async with (await mtls_session()) as session:
+    async with await mtls_session() as session:
         url = f"{base_url()}/api/v1/cfssl/certadd"
         payload = {
             "pem": pem,

src/rasenmaeher_api/cfssl/private.py

@@ -1,4 +1,5 @@
 """Public things, CA cert, CRL etc"""
+
 from typing import Dict, Any
 import logging
 import base64
@@ -28,7 +29,7 @@ async def get_ca() -> str:
     returns: CA certificate
     """
 
-    async with (await anon_session()) as session:
+    async with await anon_session() as session:
         url = f"{base_url()}/api/v1/cfssl/info"
         payload: Dict[str, Any] = {}
         # PONDER: Why does this need to be a POST ??
@@ -42,7 +43,7 @@ async def get_ca() -> str:
 async def get_ocsprest_crl(suffix: str) -> bytes:
     """Fetch CRL from OCSPREST"""
 
-    async with (await anon_session()) as session:
+    async with await anon_session() as session:
         url = f"{ocsprest_base()}/api/v1/crl/{suffix}"
         try:
             async with session.get(url) as response:
@@ -59,7 +60,7 @@ async def get_crl() -> bytes:
     returns: DER binary encoded Certificate Revocation List
     """
 
-    async with (await anon_session()) as session:
+    async with await anon_session() as session:
         url = f"{base_url()}/api/v1/cfssl/crl"
         try:
             async with session.get(url, params={"expiry": CRL_LIFETIME}, timeout=default_timeout()) as response:
@@ -78,7 +79,7 @@ async def get_bundle(cert: str) -> str:
     # FIXME: This is not a good way but I don't have a better one right now either
     # Force OCSP refresh before getting the bundle so we hopefully get all we need
     await refresh_ocsp()
-    async with (await anon_session()) as session:
+    async with await anon_session() as session:
         url = f"{base_url()}/api/v1/cfssl/bundle"
         payload: Dict[str, Any] = {"certificate": cert, "flavor": "optimal"}
         try: