10 changed files with 238 additions and 4 deletions
--- a/.fmf/version
+++ b/.fmf/version
@ -0,0 +1 @@
+1
--- a/.gitignore
+++ b/.gitignore
@ -1,2 +1,63 @@
-SOURCES/cryptography-41.0.7-vendor.tar.bz2
-SOURCES/cryptography-41.0.7.tar.gz
+/results_python-cryptography
+/*.src.rpm
+/cryptography-1.3.1.tar.gz
+/cryptography-1.5.3.tar.gz
+/cryptography-1.7.1.tar.gz
+/cryptography-1.7.2.tar.gz
+/cryptography-1.9.tar.gz
+/cryptography-2.0.2.tar.gz
+/cryptography-2.1.tar.gz
+/cryptography-2.1.3.tar.gz
+/cryptography-2.1.4.tar.gz
+/cryptography-2.2.1.tar.gz
+/cryptography-2.3.tar.gz
+/cryptography-2.5.tar.gz
+/cryptography-2.6.1.tar.gz
+/cryptography-2.7.tar.gz
+/cryptography-2.8.tar.gz
+/cryptography-2.9.tar.gz
+/cryptography-2.9.tar.gz.asc
+/cryptography-3.0.tar.gz
+/cryptography-3.0.tar.gz.asc
+/cryptography-3.1.tar.gz
+/cryptography-3.1.tar.gz.asc
+/cryptography-3.2.tar.gz
+/cryptography-3.2.tar.gz.asc
+/cryptography-3.2.1.tar.gz
+/cryptography-3.2.1.tar.gz.asc
+/cryptography-3.3.1.tar.gz
+/cryptography-3.3.1.tar.gz.asc
+/cryptography-3.4.tar.gz
+/cryptography-3.4.tar.gz.asc
+/cryptography-3.4.1.tar.gz
+/cryptography-3.4.1.tar.gz.asc
+/cryptography-3.4.2.tar.gz
+/cryptography-3.4.2.tar.gz.asc
+/cryptography-3.4.4.tar.gz
+/cryptography-3.4.4.tar.gz.asc
+/cryptography-3.4.5.tar.gz
+/cryptography-3.4.5.tar.gz.asc
+/cryptography-3.4.6.tar.gz
+/cryptography-3.4.6.tar.gz.asc
+/cryptography-3.4.7.tar.gz
+/cryptography-3.4.7-vendor.tar.bz2
+/cryptography-35.0.0.tar.gz
+/cryptography-35.0.0-vendor.tar.bz2
+/cryptography-36.0.0.tar.gz
+/cryptography-36.0.0-vendor.tar.bz2
+/cryptography-37.0.2.tar.gz
+/cryptography-37.0.2-vendor.tar.bz2
+/cryptography-39.0.2.tar.gz
+/cryptography-39.0.2-vendor.tar.bz2
+/cryptography-40.0.0.tar.gz
+/cryptography-40.0.0-vendor.tar.bz2
+/cryptography-40.0.1.tar.gz
+/cryptography-40.0.1-vendor.tar.bz2
+/cryptography-40.0.2.tar.gz
+/cryptography-40.0.2-vendor.tar.bz2
+/cryptography-41.0.3.tar.gz
+/cryptography-41.0.3-vendor.tar.bz2
+/cryptography-41.0.5-vendor.tar.bz2
+/cryptography-41.0.5.tar.gz
+/cryptography-41.0.7.tar.gz
+/cryptography-41.0.7-vendor.tar.bz2
--- a/.python3.12-cryptography.metadata
+++ b/.python3.12-cryptography.metadata
@ -1,2 +0,0 @@
-94ad9fc97d92aae28d40392189655dbf932a1803 SOURCES/cryptography-41.0.7-vendor.tar.bz2
-fd245c3045ca9b3861f794d1a54cf97e629c19bf SOURCES/cryptography-41.0.7.tar.gz
--- a/SOURCES/conftest-skipper.py
+++ b/SOURCES/conftest-skipper.py
--- a/gating.yaml
+++ b/gating.yaml
@ -0,0 +1,7 @@
+--- !Policy
+
+product_versions:
+  - rhel-9
+decision_context: osci_compose_gate
+rules:
+  - !PassingTestCaseRule {test_case_name: osci.brew-build.tier0.functional}
--- a/plan.fmf
+++ b/plan.fmf
@ -0,0 +1,53 @@
+execute:
+  how: tmt
+discover:
+  how: shell
+  dist-git-source: true
+  tests:
+  - name: bundled tests - Prepare part
+    require:
+    - patch
+    - python3.12-pytest
+    - python3.12-cryptography
+    - python3.12-pip
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      rm -rf tests/hypothesis/ tests/test_fernet.py \
+        tests/hazmat/primitives/test_scrypt.py &&
+      cat $TMT_TREE/conftest-skipper.py  >> tests/conftest.py &&
+      sed -i -e 's/ --benchmark-disable//' pyproject.toml &&
+      pip3.12 install pytz==2022.7.1 pytest-subtests==0.11.0
+  - name: unittests-basic
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors pytest-3.12 tests/test_*.py
+  - name: unittests-x509
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors OPENSSL_ENABLE_SHA1_SIGNATURES=yes pytest-3.12 tests/x509/
+  - name: unittests-hazmat
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors pytest-3.12 -k 'not test_openssl_memleak' tests/hazmat/backends/ tests/hazmat/bindings/
+  - name: unittests-primitives-aead
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors pytest-3.12 tests/hazmat/primitives/test_aead.py
+  - name: unittests-primitives-aes
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors pytest-3.12 tests/hazmat/primitives/test_aes.py::TestAESModeCBC \
+            tests/hazmat/primitives/test_aes.py::TestAESModeCTR \
+            tests/hazmat/primitives/test_aes_gcm.py::TestAESModeGCM
+  - name: unittests-primitives-a-e
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      PYTHONPATH=./vectors pytest-3.12 tests/hazmat/primitives/test_arc4.py \
+            tests/hazmat/primitives/test_asym_utils.py \
+            tests/hazmat/primitives/test_[b-e]*.py
+  - name: unittests-primitives-f-z
+    test: |
+      cd $(dirname $TMT_SOURCE_DIR/cryptography-*/tests) &&
+      patch -p1 < $TMT_TREE/raise-an-exception-for-CVE-2023-49083.patch &&
+      PYTHONPATH=./vectors OPENSSL_ENABLE_SHA1_SIGNATURES=yes pytest-3.12 tests/hazmat/primitives/test_[f-z]*.py \
+            tests/hazmat/primitives/twofactor
--- a/SPECS/python3.12-cryptography.spec
+++ b/SPECS/python3.12-cryptography.spec
--- a/SOURCES/raise-an-exception-for-CVE-2023-49083.patch
+++ b/SOURCES/raise-an-exception-for-CVE-2023-49083.patch
--- a/2
+++ b/2
@ -0,0 +1,2 @@
+SHA512 (cryptography-41.0.7.tar.gz) = 9a870d45296de6af1331e73b102226b8269892216cd7bc0adfb2f63ce1ca7021d338effd09182128253d8d8df154bbd19d46c47f10ddac86e739fcbf6df78307
+SHA512 (cryptography-41.0.7-vendor.tar.bz2) = dbf750a1ada4a9330939e3dae8311007a9e25808eb64c124c99981187d1bc04baba3a7d3b838c0cd9491e8350c382fb0f789a11abb21c633f2d78e8aba819b9e
--- a/vendor_rust.py
+++ b/vendor_rust.py
@ -0,0 +1,112 @@
+#!/usr/bin/python3
+"""Vendor PyCA cryptography's Rust crates
+"""
+import argparse
+import os
+import re
+import tarfile
+import tempfile
+import shutil
+import subprocess
+import sys
+
+VENDOR_DIR = "vendor"
+CARGO_TOML = "src/rust/Cargo.toml"
+RE_VERSION = re.compile("Version:\s*(.*)")
+
+parser = argparse.ArgumentParser(description="Vendor Rust packages")
+parser.add_argument(
+    "--spec", default="python-cryptography.spec", help="cryptography source tar bundle"
+)
+
+
+def cargo(cmd, manifest):
+    args = ["cargo", cmd, f"--manifest-path={manifest}"]
+    return subprocess.check_call(
+        args, stdout=subprocess.DEVNULL, stderr=sys.stderr, env={}
+    )
+
+
+def tar_reset(tarinfo):
+    """Reset user, group, mtime, and mode to create reproducible tar"""
+    tarinfo.uid = 0
+    tarinfo.gid = 0
+    tarinfo.uname = "root"
+    tarinfo.gname = "root"
+    tarinfo.mtime = 0
+    if tarinfo.type == tarfile.DIRTYPE:
+        tarinfo.mode = 0o755
+    else:
+        tarinfo.mode = 0o644
+    if tarinfo.pax_headers:
+        raise ValueError(tarinfo.name, tarinfo.pax_headers)
+    return tarinfo
+
+
+def tar_reproducible(tar, basedir):
+    """Create reproducible tar file"""
+
+    content = [basedir]
+    for root, dirs, files in os.walk(basedir):
+        for directory in dirs:
+            content.append(os.path.join(root, directory))
+        for filename in files:
+            content.append(os.path.join(root, filename))
+    content.sort()
+
+    for fn in content:
+        tar.add(fn, filter=tar_reset, recursive=False, arcname=fn)
+
+
+def main():
+    args = parser.parse_args()
+    spec = args.spec
+
+    # change cwd to work in bundle directory
+    here = os.path.dirname(os.path.abspath(spec))
+    os.chdir(here)
+
+    # extract version number from bundle name
+    with open(spec) as f:
+        for line in f:
+            mo = RE_VERSION.search(line)
+            if mo is not None:
+                version = mo.group(1)
+                break
+        else:
+            raise ValueError(f"Cannot find version in {spec}")
+
+    bundle_file = f"cryptography-{version}.tar.gz"
+    vendor_file = f"cryptography-{version}-vendor.tar.bz2"
+
+    # remove existing vendor directory and file
+    if os.path.isdir(VENDOR_DIR):
+        shutil.rmtree(VENDOR_DIR)
+    try:
+        os.unlink(vendor_file)
+    except FileNotFoundError:
+        pass
+
+    print(f"Getting crates for {bundle_file}", file=sys.stderr)
+
+    # extract tar file in tempdir
+    # fetch and vendor Rust crates
+    with tempfile.TemporaryDirectory(dir=here) as tmp:
+        with tarfile.open(bundle_file) as tar:
+            tar.extractall(path=tmp)
+        manifest = os.path.join(tmp, f"cryptography-{version}", CARGO_TOML)
+        cargo("fetch", manifest)
+        cargo("vendor", manifest)
+
+    print("\nCreating tar ball...", file=sys.stderr)
+    with tarfile.open(vendor_file, "x:bz2") as tar:
+        tar_reproducible(tar, VENDOR_DIR)
+
+    # remove vendor dir
+    shutil.rmtree(VENDOR_DIR)
+
+    parser.exit(0, f"Created {vendor_file}\n")
+
+
+if __name__ == "__main__":
+    main()