signer: Refactor pushing and get_repo_name

This is shared code between sign and delegate Also refactor get_repo_name(): * move to _common: It will be needed there soon * Add sanity check, comments
jku · Mar 2, 2024 · 92f1933 · 92f1933
1 parent 09bf9fe
commit 92f1933
Show file tree

Hide file tree

Showing 3 changed files with 42 additions and 37 deletions.
diff --git a/signer/tuf_on_ci_sign/_common.py b/signer/tuf_on_ci_sign/_common.py
@@ -10,6 +10,7 @@
 from contextlib import contextmanager
 from datetime import datetime, timedelta
 from tempfile import TemporaryDirectory
+from urllib import parse
 from urllib.request import Request, urlopen
 
 import click
@@ -154,3 +155,38 @@ def application_update_reminder() -> None:
 
     except Exception as e:  # noqa: BLE001
         logger.warning(f"Failed to check current tuf-on-ci-sign version: {e}")
+
+
+def push_changes(user: User, event_name: str) -> None:
+    """Push the event branch to users push remote"""
+    branch = f"{user.push_remote}/{event_name}"
+    msg = f"Press enter to push changes to {branch}"
+    click.prompt(bold(msg), default=True, show_default=False)
+    git_echo(
+        [
+            "push",
+            "--progress",
+            user.push_remote,
+            f"HEAD:refs/heads/{event_name}",
+        ]
+    )
+
+
+def get_repo_name(remote: str) -> str:
+    """Return 'owner/repo' string for given GitHub remote"""
+    url = parse.urlparse(git_expect(["config", "--get", f"remote.{remote}.url"]))
+    owner_repo = url.path[: -len(".git")]
+    # ssh-urls are relative URLs according to urllib: host is actually part of
+    # path. We don't want the host part:
+    _, _, owner_repo = owner_repo.rpartition(":")
+    # http urls on the other hand are not relative: remove the leading /
+    owner_repo = owner_repo.lstrip("/")
+
+    # sanity check
+    owner, slash, repo = owner_repo.partition("/")
+    if not owner or slash != "/" or not repo:
+        raise RuntimeError(
+            "Failed to parse GitHub repository from git URL {url} for remote {remote}"
+        )
+
+    return owner_repo
diff --git a/signer/tuf_on_ci_sign/delegate.py b/signer/tuf_on_ci_sign/delegate.py
@@ -7,7 +7,6 @@
 import os
 import re
 from copy import deepcopy
-from urllib import parse
 
 import click
 from securesystemslib.signer import (
@@ -23,9 +22,10 @@
 from tuf_on_ci_sign._common import (
     application_update_reminder,
     bold,
+    get_repo_name,
     get_signing_key_input,
-    git_echo,
     git_expect,
+    push_changes,
     signing_event,
 )
 from tuf_on_ci_sign._signer_repository import (
@@ -118,20 +118,10 @@ def verify_signers(response: str) -> list[str]:
     return config
 
 
-def _get_repo_name(remote: str):
-    url = parse.urlparse(git_expect(["config", "--get", f"remote.{remote}.url"]))
-    repo = url.path[: -len(".git")]
-    # ssh-urls are relative URLs according to urllib: host is actually part of
-    # path. We don't want the host part:
-    _, _, repo = repo.rpartition(":")
-    # http urls on the other hand are not relative: remove the leading /
-    return repo.lstrip("/")
-
-
 def _sigstore_import(pull_remote: str) -> Key:
     # WORKAROUND: build sigstore key and uri here since there is no import yet
     issuer = "https://token.actions.githubusercontent.com"
-    repo = _get_repo_name(pull_remote)
+    repo = get_repo_name(pull_remote)
 
     id = f"https://github.com/{repo}/.github/workflows/online-sign.yml@refs/heads/main"
     key = SigstoreKey(
@@ -392,17 +382,7 @@ def delegate(verbose: int, push: bool, event_name: str, role: str | None):
                 )
 
             if push:
-                branch = f"{user_config.push_remote}/{event_name}"
-                msg = f"Press enter to push changes to {branch}"
-                click.prompt(bold(msg), default=True, show_default=False)
-                git_echo(
-                    [
-                        "push",
-                        "--progress",
-                        user_config.push_remote,
-                        f"HEAD:refs/heads/{event_name}",
-                    ]
-                )
+                push_changes(user_config, event_name)
             else:
                 # TODO: deal with existing branch?
                 click.echo(f"Creating local branch {event_name}")

diff --git a/signer/tuf_on_ci_sign/sign.py b/signer/tuf_on_ci_sign/sign.py
@@ -9,10 +9,9 @@
 
 from tuf_on_ci_sign._common import (
     application_update_reminder,
-    bold,
     get_signing_key_input,
-    git_echo,
     git_expect,
+    push_changes,
     signing_event,
 )
 from tuf_on_ci_sign._signer_repository import SignerState
@@ -73,17 +72,7 @@ def sign(verbose: int, push: bool, event_name: str):
             git_expect(["add", "metadata"])
             git_expect(["commit", "-m", f"Signed by {user_config.name}", "--signoff"])
             if push:
-                branch = f"{user_config.push_remote}/{event_name}"
-                msg = f"Press enter to push signature(s) to {branch}"
-                click.prompt(bold(msg), default=True, show_default=False)
-                git_echo(
-                    [
-                        "push",
-                        "--progress",
-                        user_config.push_remote,
-                        f"HEAD:refs/heads/{event_name}",
-                    ]
-                )
+                push_changes(user_config, event_name)
             else:
                 # TODO: maybe deal with existing branch?
                 click.echo(f"Creating local branch {event_name}")