ORNL · frobnitzem · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024 · Oct 9, 2024
diff --git a/.github/workflows/python-package.yml b/.github/workflows/python-package.yml
@@ -0,0 +1,45 @@
+name: Python package
+
+on:
+  push:
+    branches: [ "main" ]
+  pull_request:
+    branches: [ "main" ]
+
+jobs:
+  build:
+
+    runs-on: ${{ matrix.os }}
+    strategy:
+      fail-fast: false
+      matrix:
+        os: ["ubuntu-latest", "macos-latest"]
+        python-version: ["3.9", "3.11"]
+
+    steps:
+    - uses: actions/checkout@v3
+
+    - name: Set up Python ${{ matrix.python-version }}
+      uses: actions/setup-python@v3
+      with:
+        python-version: ${{ matrix.python-version }}
+
+    - name: Install dependencies
+      run: |
+        pip install poetry
+        poetry config virtualenvs.create false
+        poetry install --with test,http
+
+    - name: Test with pytest
+      run: |
+        pytest --cov
+
+    - name: Lint with mypy
+      run: |
+        mypy certified tests
+
+#   - name: Upload coverage to Codecov
+#     if: matrix.python-version == 3.11 && startsWith(matrix.os, 'ubuntu')
+#     uses: codecov/codecov-action@v3
+#     env:
+#       CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}
diff --git a/README.md b/README.md
@@ -1,3 +1,8 @@
+[![CI](https://github.com/ORNL/certified/actions/workflows/python-package.yml/badge.svg)](https://github.com/ORNL/certified/actions)
+[![Docs](https://readthedocs.org/projects/certified/badge/)](https://certified.readthedocs.io)
+<!--[![Coverage](https://codecov.io/github/ORNL/certified/branch/main/graph/badge.svg)](https://app.codecov.io/gh/ORNL/certified)-->
+
+
 # Certified
 
 An idiomatic framework for using certificates
@@ -97,21 +102,25 @@ Documentation was built using [this guide](https://realpython.com/python-project
 
 * v0.9.0
 
-  - [ ] better logging
+  - [X] better logging
 
-  - [ ] simpler introduction methodology
+  - [X] simpler introduction methodology
 
-  - [ ] readthedocs integration
+  - [X] readthedocs integration
+
+  - [X] biscuit examples
 
 * v1.0.0
 
   - [ ] replace httpx with aiohttp. The Request object is awful.
     Test client/server support is bad.
 
-  - [ ] add docs on how to use openssl to decode certificate contents
-
   - [ ] change servers to services where appropriate
 
+* v1.0.2
+
+  - [ ] add docs on how to use openssl to decode certificate contents
+
   - [ ] throw warning if id.crt does not contain the server's
     hostname in SAN (since this will usually result in a connection error
     from SSL)

diff --git a/certified/cert.py b/certified/cert.py
@@ -16,49 +16,20 @@
 import biscuit_auth as bis
 
 import certified.layout as layout
-from .encode import append_pseudonym, rfc4514name, get_is_ca
+from .encode import (
+    append_pseudonym,
+    rfc4514name,
+    get_is_ca,
+)
 from .ca import CA, LeafCert
 from .wrappers import ssl_context, configure_capath
 from .blob import Pstr, PWCallback, Blob
 from .models import TrustedService
 from .serial import pem_to_cert, cert_to_pem, b64_to_cert, cert_to_b64
 from .loki import capture_logs
 
-def fixed_ssl_context(
-    certfile: Pstr,
-    keyfile: Optional[Pstr],
-    password,
-    ssl_version: int,
-    cert_reqs: int,
-    ca_certs: Optional[Pstr],
-    ciphers: Optional[str],
-) -> ssl.SSLContext:
-    ctx = ssl_context(is_client = False)
-    #ctx.verify_mode = ssl.VerifyMode(cert_reqs) # already required by (our) default
-    _logger.info("Using Certified's custom ssl context.")
-
-    if ciphers:
-        ctx.set_ciphers(ciphers)
-
-    ctx.load_cert_chain(certfile, keyfile, password)
-    if ca_certs:
-        ca_cert_path = Path(ca_certs)
-        if not ca_cert_path.exists():
-            ctx.load_verify_locations(cadata=str(ca_certs))
-        elif ca_cert_path.is_dir():
-            _logger.debug("reading certificates in %s to cadata since "
-                    "capath option to load_verify_locations is "
-                    "known not to work", ca_certs)
-            #ctx.load_verify_locations(capath=ca_certs)
-            configure_capath(ctx, ca_cert_path)
-        else:
-            ctx.load_verify_locations(cafile=ca_certs)
-    return ctx
-
-
 try:
     import uvicorn
-    #uvicorn.config.create_ssl_context = fixed_ssl_context
     # https://github.com/encode/uvicorn/discussions/2307
     from uvicorn.protocols.http.h11_impl import RequestResponseCycle
     responseCycleInit = RequestResponseCycle.__init__
@@ -261,20 +232,12 @@ def add_identity(self,
     def lookup_public_key(self, kid : int) -> bis.PublicKey:
         # FIXME: use key serial numbers
         pubkey = self.signer().pubkey.public_bytes_raw()
-        if kid is None:
-            return bis.PublicKey.from_bytes( pubkey )
+        #if kid is None:
+        #    return bis.PublicKey.from_bytes( pubkey )
         return bis.PublicKey.from_bytes( pubkey )
 
-    def biscuit_auth(self, token : str) -> int:
-        biscuit = bis.Biscuit.from_base64(token, self.lookup_public_key)
-        return 1
-        # TODO: check that client certificate SAN matches
-        # the biscuit phrase.
-        authorizer = bis.Authorizer(" time({now}); allow if user($u); ",
-                            {'now': datetime.now(tz = timezone.utc)}
-                     )
-        authorizer.add_token(biscuit)
-        return authorizer.authorize()
+    #def biscuit(self, token : str) -> bis.Biscuit:
+    #    return bis.Biscuit.from_base64(token, self.lookup_public_key)
 
     @classmethod
     def new(cls,

diff --git a/certified/cert_base.py b/certified/cert_base.py
@@ -46,7 +46,7 @@
 
 from .blob import PublicBlob, PrivateBlob, Blob, Pstr, PWCallback
 import certified.encode as encode
-from .encode import CertificateIssuerPrivateKeyTypes
+from .encode import CertificateIssuerPrivateKeyTypes, CertificatePublicKeyTypes
 from .serial import cert_to_pem
 
 class FullCert:
@@ -90,6 +90,10 @@ def save(self, base : Pstr, overwrite = False):
     def certificate(self) -> x509.Certificate:
         return self._certificate
 
+    @property
+    def pubkey(self) -> CertificatePublicKeyTypes:
+        return self._certificate.public_key()
+
     @property
     def cert_pem(self) -> PublicBlob:
         """`Blob`: The PEM-encoded certificate for this CA. Add this to your

diff --git a/certified/encode.py b/certified/encode.py
@@ -37,9 +37,9 @@
 
 class PrivIface:
     def __init__(self, keytype : str) -> None:
-        self.ed : Optional[type[
-                    ed25519.Ed25519PrivateKey|ed448.Ed448PrivateKey
-                ] ] = None
+        self.ed : Optional[type[Union[
+            ed25519.Ed25519PrivateKey,ed448.Ed448PrivateKey
+                ]]] = None
         self.ec : Optional[ Any ] = None
         if keytype == "ed25519":
             self.ed = ed25519.Ed25519PrivateKey