biscuit-python 0.4.0

CHANGELOG.md

@@ -1,17 +1,10 @@
-# 0.4.0-beta.3
+# 0.4.0
 
-- support for third-party blocks
 - biscuit-rust 6.0.0
-
-# 0.4.0-beta.2
-
+- support for third-party blocks (#46, #47)
 - pre-built wheels for python 3.9-3.13
 - pre-built wheels for musl
 
-# 0.4.0-beta.1
-
-- biscuit-rust 6.0.0-beta.3
-
 # 0.3.2
 
 - build wheels for more python versions (#28):

CODE_OF_CONDUCT.md

@@ -0,0 +1,93 @@
+# Community Code of Conduct
+
+**Version 2.0  
+January 1, 2023**
+
+## Our Pledge
+
+In the interest of fostering an open and welcoming environment, we as community members, contributors, Committers[^1], and Project Leads (collectively "Contributors") pledge to make participation in our projects and our community a harassment-free and inclusive experience for everyone.
+
+This Community Code of Conduct ("Code") outlines our behavior expectations as members of our community in all Eclipse Foundation activities, both offline and online. It is not intended to govern scenarios or behaviors outside of the scope of Eclipse Foundation activities. Nor is it intended to replace or supersede the protections offered to all our community members under the law. Please follow both the spirit and letter of this Code and encourage other Contributors to follow these principles into our work. Failure to read or acknowledge this Code does not excuse a Contributor from compliance with the Code.
+
+## Our Standards
+
+Examples of behavior that contribute to creating a positive and professional environment include:
+
+- Using welcoming and inclusive language;
+- Actively encouraging all voices;
+- Helping others bring their perspectives and listening actively. If you find yourself dominating a discussion, it is especially important to encourage other voices to join in;
+- Being respectful of differing viewpoints and experiences;
+- Gracefully accepting constructive criticism;
+- Focusing on what is best for the community;
+- Showing empathy towards other community members;
+- Being direct but professional; and
+- Leading by example by holding yourself and others accountable
+
+Examples of unacceptable behavior by Contributors include:
+
+- The use of sexualized language or imagery;
+- Unwelcome sexual attention or advances;
+- Trolling, insulting/derogatory comments, and personal or political attacks;
+- Public or private harassment, repeated harassment;
+- Publishing others' private information, such as a physical or electronic address, without explicit permission;
+- Violent threats or language directed against another person;
+- Sexist, racist, or otherwise discriminatory jokes and language;
+- Posting sexually explicit or violent material;
+- Sharing private content, such as emails sent privately or non-publicly, or unlogged forums such as IRC channel history;
+- Personal insults, especially those using racist or sexist terms;
+- Excessive or unnecessary profanity;
+- Advocating for, or encouraging, any of the above behavior; and
+- Other conduct which could reasonably be considered inappropriate in a professional setting
+
+## Our Responsibilities
+
+With the support of the Eclipse Foundation employees, consultants, officers, and directors (collectively, the "Staff"), Committers, and Project Leads, the Eclipse Foundation Conduct Committee (the "Conduct Committee") is responsible for clarifying the standards of acceptable behavior. The Conduct Committee takes appropriate and fair corrective action in response to any instances of unacceptable behavior.
+
+## Scope
+
+This Code applies within all Project, Working Group, and Interest Group spaces and communication channels of the Eclipse Foundation (collectively, "Eclipse spaces"), within any Eclipse-organized event or meeting, and in public spaces when an individual is representing an Eclipse Foundation Project, Working Group, Interest Group, or their communities. Examples of representing a Project or community include posting via an official social media account, personal accounts, or acting as an appointed representative at an online or offline event. Representation of Projects, Working Groups, and Interest Groups may be further defined and clarified by Committers, Project Leads, or the Staff.
+
+## Enforcement
+
+Instances of abusive, harassing, or otherwise unacceptable behavior may be reported by contacting the Conduct Committee via conduct@eclipse-foundation.org. All complaints will be reviewed and investigated and will result in a response that is deemed necessary and appropriate to the circumstances. Without the explicit consent of the reporter, the Conduct Committee is obligated to maintain confidentiality with regard to the reporter of an incident. The Conduct Committee is further obligated to ensure that the respondent is provided with sufficient information about the complaint to reply. If such details cannot be provided while maintaining confidentiality, the Conduct Committee will take the respondent‘s inability to provide a defense into account in its deliberations and decisions. Further details of enforcement guidelines may be posted separately.
+
+Staff, Committers and Project Leads have the right to report, remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code, or to block temporarily or permanently any Contributor for other behaviors that they deem inappropriate, threatening, offensive, or harmful. Any such actions will be reported to the Conduct Committee for transparency and record keeping.
+
+Any Staff (including officers and directors of the Eclipse Foundation), Committers, Project Leads, or Conduct Committee members who are the subject of a complaint to the Conduct Committee will be recused from the process of resolving any such complaint.
+
+## Responsibility
+
+The responsibility for administering this Code rests with the Conduct Committee, with oversight by the Executive Director and the Board of Directors. For additional information on the Conduct Committee and its process, please write to <conduct@eclipse-foundation.org>.
+
+## Investigation of Potential Code Violations
+
+All conflict is not bad as a healthy debate may sometimes be necessary to push us to do our best. It is, however, unacceptable to be disrespectful or offensive, or violate this Code. If you see someone engaging in objectionable behavior violating this Code, we encourage you to address the behavior directly with those involved. If for some reason, you are unable to resolve the matter or feel uncomfortable doing so, or if the behavior is threatening or harassing, please report it following the procedure laid out below.
+
+Reports should be directed to <conduct@eclipse-foundation.org>. It is the Conduct Committee’s role to receive and address reported violations of this Code and to ensure a fair and speedy resolution.
+
+The Eclipse Foundation takes all reports of potential Code violations seriously and is committed to confidentiality and a full investigation of all allegations. The identity of the reporter will be omitted from the details of the report supplied to the accused. Contributors who are being investigated for a potential Code violation will have an opportunity to be heard prior to any final determination. Those found to have violated the Code can seek reconsideration of the violation and disciplinary action decisions. Every effort will be made to have all matters disposed of within 60 days of the receipt of the complaint.
+
+## Actions
+Contributors who do not follow this Code in good faith may face temporary or permanent repercussions as determined by the Conduct Committee.
+
+This Code does not address all conduct. It works in conjunction with our [Communication Channel Guidelines](https://www.eclipse.org/org/documents/communication-channel-guidelines/), [Social Media Guidelines](https://www.eclipse.org/org/documents/social_media_guidelines.php), [Bylaws](https://www.eclipse.org/org/documents/eclipse-foundation-be-bylaws-en.pdf), and [Internal Rules](https://www.eclipse.org/org/documents/ef-be-internal-rules.pdf) which set out additional protections for, and obligations of, all contributors. The Foundation has additional policies that provide further guidance on other matters.
+
+It’s impossible to spell out every possible scenario that might be deemed a violation of this Code. Instead, we rely on one another’s good judgment to uphold a high standard of integrity within all Eclipse Spaces. Sometimes, identifying the right thing to do isn’t an easy call. In such a scenario, raise the issue as early as possible.
+
+## No Retaliation
+
+The Eclipse community relies upon and values the help of Contributors who identify potential problems that may need to be addressed within an Eclipse Space. Any retaliation against a Contributor who raises an issue honestly is a violation of this Code. That a Contributor has raised a concern honestly or participated in an investigation, cannot be the basis for any adverse action, including threats, harassment, or discrimination. If you work with someone who has raised a concern or provided information in an investigation, you should continue to treat the person with courtesy and respect. If you believe someone has retaliated against you, report the matter as described by this Code. Honest reporting does not mean that you have to be right when you raise a concern; you just have to believe that the information you are providing is accurate.
+
+False reporting, especially when intended to retaliate or exclude, is itself a violation of this Code and will not be accepted or tolerated.
+
+Everyone is encouraged to ask questions about this Code. Your feedback is welcome, and you will get a response within three business days. Write to <conduct@eclipse-foundation.org>.
+
+## Amendments
+
+The Eclipse Foundation Board of Directors may amend this Code from time to time and may vary the procedures it sets out where appropriate in a particular case.
+
+### Attribution
+
+This Code was inspired by the [Contributor Covenant](https://www.contributor-covenant.org/), version 1.4, available [here](https://www.contributor-covenant.org/version/1/4/code-of-conduct/).
+
+[^1]: Capitalized terms used herein without definition shall have the meanings assigned to them in the Bylaws.

CONTRIBUTING.md

@@ -0,0 +1,31 @@
+# Contributing
+
+This repository is part of the [eclipse-biscuit](https://projects.eclipse.org/projects/technology.biscuit) project. It is licensed under `Apache-2.0` and requires contributors to sign the [Eclipse Contributor Agreement](https://www.eclipse.org/legal/ECA.php) (see #eclipse-contributor-agreement below).
+
+## Before contributing
+
+This is the python implementation of the biscuit specification. All changes pertaining to the specification must be discussed in the [specification repo](https://github.com/eclipse-biscuit/biscuit) first.
+
+Unless you’re fixing a trivial issue, it is a good idea to start by opening an issue, in order to gather feedback about the changes you have in mind.
+
+You can also ask questions on the [implementers matrix chat](https://matrix.to/#/!suybZZpOqChdTNuIVA:matrix.org).
+
+## Project communication
+
+The discussion space is a [matrix chat](https://matrix.to/#/!MXwhyfCFLLCfHSYJxg:matrix.org).
+Updates are also posted on [bluesky](https://bsky.app/profile/biscuitsec.org) and [mastodon](https://hachyderm.io/@biscuitauth).
+
+Security issues can be reported via [github](https://github.com/eclipse-biscuit/biscuit-python/security). 
+
+## Eclipse Contributor Agreement
+
+From the [ECA FAQ](https://www.eclipse.org/legal/eca/faq/):
+
+The purpose of the ECA is to provide a written record that you have agreed to provide your contributions of code and documentation under the licenses used by the Eclipse project(s) you're contributing to. It also makes it clear that you are promising that what you are contributing to Eclipse is code that you wrote, and you have the necessary rights to contribute it to our projects. And finally, it documents a commitment from you that your open source contributions will be permanently on the public record.
+
+In order to sign the ECA, you can follow these steps:
+
+- [Create an account](https://dev.eclipse.org/site_login/createaccount.php) on dev.eclipse.org
+- Open your [Account Settings tab](https://dev.eclipse.org/site_login/myaccount.php#open_tab_accountsettings), enter your GitHub ID and click Update Account
+- Read and [sign the ECA](https://dev.eclipse.org/site_login/myaccount.php#open_tab_cla)
+- Use the exact same email address for your Eclipse account and your commit author.

Cargo.toml

@@ -1,6 +1,6 @@
 [package]
 name = "biscuit-python"
-version = "0.4.0-beta.3"
+version = "0.4.0"
 edition = "2021"
 
 [lib]

README.md

@@ -1,23 +1,15 @@
 # Python bindings for biscuit
 
-This library provides python bindings to the [biscuit_auth](https://docs.rs/biscuit-auth/latest/biscuit_auth/) rust library.
+This library provides python bindings to the [eclipse biscuit_auth](https://docs.rs/biscuit-auth/latest/biscuit_auth/) rust library.
 
 As it is a pre-1.0 version, you can expect some API changes. However, most of the use cases are covered:
 
 - building a token
-- appending a (first-party) block to a token
+- appending a (first-party or third-party) block to a token
 - parsing a token
 - authorizing a token
 - querying an authorizer
 
-Notable missing features are:
-
-- sealing tokens
-- third-party blocks
-- snapshots
-
-There are no blockers for these features, they just have not been properly exposed yet.
-
 ## Documentation
 
 Documentation is available at <https://python.biscuitsec.org>.
@@ -40,4 +32,15 @@ $ source .env/bin/activate
 $ pip install -r requirements-dev.txt
 ```
 
-With that, you should be able to run `maturin develop` to build and install the extension. You can then `import biscuit_auth` in a Python shell to play around, or run `pytest` to run the Python tests.
+With that, you should be able to run `maturin develop` to build and install the extension. You can then `import biscuit_auth` in a Python shell to play around, or run `pytest` to run the Python tests.
+
+## License
+
+Licensed under Apache License, Version 2.0, ([LICENSE-APACHE](LICENSE) or http://www.apache.org/licenses/LICENSE-2.0)
+
+### Contribution
+
+Unless you explicitly state otherwise, any contribution intentionally
+submitted for inclusion in the work by you, as defined in the Apache-2.0
+license, shall be licensed as above, without any additional terms or
+conditions.

SECURITY.md

@@ -0,0 +1,4 @@
+# Security issues reporting
+
+Security issues can be reported via [github](https://github.com/eclipse-biscuit/biscuit-python/security). 
+

release-checklist.md

@@ -0,0 +1,31 @@
+# Release checklist
+
+biscuit-python is part of the [Eclipse Biscuit](https://projects.eclipse.org/projects/technology.biscuit) project and as such needs to conform the eclipse project management guidelines.
+
+Eclipse projects can only be released within the validity period of a release review (they last for 1 year).
+
+## Pre-release
+
+- make sure `README.md`, `CODE_OF_CONDUCT.md`, `SECURITY.md` are present and up-to-date
+- make sure `LICENSE` is present and that all source files are properly annotated with copyright and license information
+- make sure dependency license information is correctly vetted:
+
+```bash
+ cargo tree -e normal --prefix none --no-dedupe | sort -u | grep -v '^[[:space:]]*$'  | grep -v biscuit  | sed -E 's|([^ ]+) v([^ ]+).*|crate/cratesio/-/\1/\2|' | java -jar org.eclipse.dash.licenses-1.1.0.jar - 
+```
+(you’ll need to download the [eclipse dash licenses jar](repo.eclipse.org/content/repositories/dash-licenses/org/eclipse/dash/org.eclipse.dash.licenses/))
+
+This step should be automated at some point.
+
+Note: the python library does not have any dependency so this step is only required for rust dependencies.
+
+## Requesting a release review
+
+If the most recent release review is outdated, we will need to start a new one on the [project governance page](https://projects.eclipse.org/projects/technology.biscuit/governance).
+
+## Actually releasing stuff
+
+- update the version in `Cargo.toml`;
+- update `CHANGELOG.md` (ideally, try to update it in each PR, in an _unreleased_ section to make things easier);
+- merge the PR;
+- tag the new `main` commit, this will trigger the pypi release.