1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
|
# Tox (http://tox.testrun.org/) is a tool for running tests
# in multiple virtualenvs. This configuration file will run the
# test suite on all supported python versions. To use it, "pip install tox"
# and then run "tox" from this directory.
[tox]
envlist = lint, py, purepy, py-no-gpg, py-test-gpg-fails
skipsdist = True
[testenv]
install_command =
pip install {opts} {packages}
passenv =
PYKCS11LIB
deps =
-r{toxinidir}/requirements-pinned.txt
-r{toxinidir}/requirements-test.txt
commands =
python -m tests.check_gpg_available
coverage run tests/aggregate_tests.py
coverage report -m --fail-under 70
[testenv:purepy]
deps =
commands =
python -m tests.check_gpg_available
python -m tests.check_public_interfaces
[testenv:py-no-gpg]
setenv =
GNUPG = nonexisting-gpg-for-testing
commands =
python -m tests.check_public_interfaces_gpg
[testenv:kms]
deps =
-r{toxinidir}/requirements-pinned.txt
-r{toxinidir}/requirements-kms.txt
passenv =
GOOGLE_APPLICATION_CREDENTIALS
commands =
python -m tests.check_kms_signers
[testenv:sigstore]
deps =
-r{toxinidir}/requirements-pinned.txt
-r{toxinidir}/requirements-sigstore.txt
commands =
python -m tests.check_sigstore_signer
# Check that importing securesystemslib._gpg.constants doesn't shell out.
[testenv:py-test-gpg-fails]
setenv =
GNUPG = false
commands =
python -c "import securesystemslib._gpg.constants"
[testenv:lint]
deps =
-r{toxinidir}/requirements-pinned.txt
-r{toxinidir}/requirements-lint.txt
-r{toxinidir}/requirements-sigstore.txt
lint_dirs = securesystemslib tests
commands =
ruff format --diff {[testenv:lint]lint_dirs}
ruff check {[testenv:lint]lint_dirs}
mypy securesystemslib
zizmor --persona=pedantic -q .
[testenv:fix]
deps = {[testenv:lint]deps}
commands =
ruff check --fix {[testenv:lint]lint_dirs}
ruff format {[testenv:lint]lint_dirs}
# Requires docker running
[testenv:local-aws-kms]
deps =
-r{toxinidir}/requirements-pinned.txt
-r{toxinidir}/requirements-aws.txt
localstack
awscli
awscli-local
allowlist_externals =
localstack
bash
setenv =
AWS_ACCESS_KEY_ID = test
AWS_SECRET_ACCESS_KEY = test
AWS_ENDPOINT_URL = http://localhost:4566/
AWS_DEFAULT_REGION = us-east-1
commands_pre =
# Start virtual AWS KMS
localstack start --detached
localstack wait
# Create test keys
bash {toxinidir}/tests/scripts/init-aws-kms.sh
commands =
# Run tests
python -m tests.check_aws_signer
commands_post =
# Stop virtual AWS KMS
localstack stop
# Requires `vault`
# https://developer.hashicorp.com/vault/tutorials/getting-started/getting-started-install
[testenv:local-vault]
deps =
-r{toxinidir}/requirements-pinned.txt
-r{toxinidir}/requirements-vault.txt
allowlist_externals =
bash
setenv =
VAULT_ADDR = http://localhost:8200
VAULT_TOKEN = test-root-token
commands_pre =
bash {toxinidir}/tests/scripts/init-vault.sh
commands =
python -m tests.check_vault_signer
commands_post =
bash {toxinidir}/tests/scripts/stop-vault.sh
|
