experimental client: Remove mirrors

[jku]

(This is a continuation of and replaces #1368.)

Drop "mirrors" support

New Updater no longer supports downloading each metadata/target file from a list of user-provided mirrors. All downloads are performed from a single url: Default URL prefixes for both metadata and targets can be set in Updater(), and individual target downloads can override the default.

I believe this addresses the comments in #1368 in one way or another. One specific response:

_build_full_url() / try:, download(), verify() loop is repeated a few times. Might it generalise to a helper function?

I've removed a lot of cruft from these functions (including every manual file object close) but have not made a helper except for a more usable download function: I think there will be no need since the functions will be quite tight once all the verification moves to another component that handles the metadata consistency.

Another noteworthy thing is removing some url quoting/checking:

• We definitely have to go through the fs path <-> url conversions with a fine comb but this does not seem like the place: the "relative paths" in this case come from metadata and our code so there should be no need to quote here (as long as get_one_valid_targetinfo() argument is valid)?
• The current client has this weird interaction where get_list_of_mirrors() quotes parts of the url... and _download_file() then unquotes the whole url -- I'm not quite sure what the objective is
• Possibly we just want to document clearly that e.g. get_one_valid_targetinfo() argument must be a valid "path-relative-url" https://url.spec.whatwg.org/#path-relative-url-string (and then test what actually works): I don't want to handle filesystem and OS specific paths in the updater in the places where it can be avoided

If this is controversial I can leave this commit out

[jku]

Note that this means we're now exposing the Updater caller to all kinds
of new exceptions (as NoWorkingMirrorError is no longer an excuse we can
use).

This should be called out as "requires future work"

[joshuagl]

As expected, this simplifies the code a lot. Nice.
I have a question inline on the way we are configuring repositories, proposing we match the semantics of the outgoing mirrors configuration by having a base url to the repository with default relative paths to targets and metadata directories. This seems to work with download_target() being able to replace the entire base url + targets directory join with an optional target_base_url – curious to hear what you think?

We have some issues filed on the fs path <-> URL conversion already (#1018 and #1077). Let's make sure this work is part of the client refactor milestone please, either as a new issue or one (or both) of those issues being moved into the milestone.

There are quite a few TODO docstrings, can we file an issue to complete those and make it part of the appropriate milestone? (Is that 'Experimental client' or 'Client Refactor'?)

All that said, nice clean up. Good work @sechkova and @jku!

[joshuagl]

There's some issues to file (and move into appropriate milestones), then this should be good to merge. We can address the minor items (docstrings, variable names, public vs. private API) here or file issues to tackle them before experimental-client is merged with develop.

[jku]

I've marked issues resolved if I think they are now resolved in this PR.
I've filed #1385 for documenting the module, and updated #1312 for exceptions
All of the other TODOs in updater_rework.py will be handled by #1355.

(The CI failure is sslib master build since we're a bit behind current develop)

[joshuagl]

LGTM, with a few minor comments/questions/suggestions in-line.

I'd like to see some more testing around this, the seek(0) calls especially feel like they require some reassurance that they are matching user expectations.

[joshuagl]

Nit: should this be urllib.parse.urljoin()?

[jku]

yeah, I'll change that

Fact is that the test needs to be rewritten, it's copied from test_updater.py and is horribly complex and full of issues like this for (I assume) Historical Reasons... but I'm trying to limit scope so not fixing anything else here

[joshuagl]

Is this covered by #1385?

[jku]

Yeah that was the idea: The public API will change a bit as we start using the MetadataBundle so let's document after that

[joshuagl]

This took me a couple of attempts to parse, I'm not sure my suggestion is any better though.

Suggested change

	repository_name: directory name (within a local directory
	defined by 'tuf.settings.repositories_directory')
	repository_name: name of the directory used for storing local copies of working files
	for this repository. Created as a child of 'tuf.settings.repositories_directory'.

[jku]

This is better but I'm not changing it as I intend to

• not use tuf.settings for anything at all in near future
• use local_repo_dir as the argument directly -- there's no need for a system wide repositories_directory (at least not one managed by Updater)

this will happen after we have a MetadataBundle #1355 we can use and should be much easier to understand and document

[joshuagl]

Thanks for responding to feedback, LGTM for a merge to experimental-client.