Remove kinto signer (#600)

* Replace kinto-signer by canonicaljson-rs

* Upgrade to 0.2.0

* Fix requirements

Dockerfile

@@ -15,10 +15,8 @@ RUN apt-get update && \
 COPY ./requirements /app/requirements
 COPY ./checks/remotesettings/requirements.txt /app/checks/remotesettings/requirements.txt
 
-# No deps on the remotesettings requirements because it includes kinto-signer,
-# which depends on Pyramid. We don't want all of Pyramid.
 RUN pip install --progress-bar=off -r requirements/default.txt && \
-    pip install --progress-bar=off --no-deps -r checks/remotesettings/requirements.txt
+    pip install --progress-bar=off -r checks/remotesettings/requirements.txt
 
 COPY . /app
 

Makefile

@@ -16,8 +16,7 @@ INSTALL_STAMP := $(VENV)/.install.stamp
 install: $(INSTALL_STAMP) $(COMMIT_HOOK)
 $(INSTALL_STAMP): $(PYTHON) requirements/dev.txt requirements/constraints.txt requirements/default.txt checks/remotesettings/requirements.txt
 	$(PIP_INSTALL) -Ur requirements/default.txt -c requirements/constraints.txt
-	# No deps because this includes kinto-signer, which depends on Pyramid. We don't want all of Pyramid
-	$(PIP_INSTALL) --no-deps -Ur checks/remotesettings/requirements.txt
+	$(PIP_INSTALL) -Ur checks/remotesettings/requirements.txt
 	$(PIP_INSTALL) -Ur requirements/dev.txt
 	touch $(INSTALL_STAMP)
 

checks/remotesettings/requirements.txt

@@ -72,9 +72,6 @@ cffi==1.14.3 \
 pycparser==2.20 \
     --hash=sha256:7582ad22678f0fcd81102833f60ef8d0e57288b6b5fb00323d101be910e35705 \
     --hash=sha256:2d475327684562c3a96cc71adf7dc8c4f0565175cf86b6d7a404ff4c771f15f0
-kinto-signer==7.0.0 \
-    --hash=sha256:d23e5c8e8af5431ab58eb5f423beefa2b0b8ae88b8ac5054c3bde062ccdb3ab3 \
-    --hash=sha256:94038dc699bb5a2a064608a4df66fb3a18468fef5c4a0057ea62409b35acd986
 websockets==8.1 \
     --hash=sha256:3762791ab8b38948f0c4d281c8b2ddfa99b7e510e46bd8dfa942a5fff621068c \
     --hash=sha256:3db87421956f1b0779a7564915875ba774295cc86e81bc671631379371af1170 \
@@ -106,3 +103,6 @@ soupsieve==1.9.5 \
 autograph-utils==0.1.1 \
     --hash=sha256:0ab3d81096caf8896804af72a18ff5ee76e4f54a90b647727af4c562aeed8c08 \
     --hash=sha256:24b89422eb1274f361024ab1be6cd0b310d5a52fbd2d1fc336c35f1af2910898
+canonicaljson-rs==0.3.0 \
+    --hash=sha256:9d8fb412ba9819190d5d07b1b8b01a1a17705fa0487b5253ec78668f263962cc \
+    --hash=sha256:cf73fa7e041557da507dc2f35277d155d75f0eece57fb1cc76e81bd2ea091e1f

checks/remotesettings/validate_signatures.py

@@ -4,11 +4,12 @@
 The errors are returned for each concerned collection.
 """
 import logging
+import operator
 import time
 from typing import List
 
+import canonicaljson
 from autograph_utils import MemoryCache, SignatureVerifier, decode_mozilla_hash
-from kinto_signer.serializer import canonical_json
 
 from poucave.typings import CheckResult
 from poucave.utils import ClientSession, run_parallel
@@ -40,7 +41,12 @@ async def validate_signature(verifier, metadata, records, timestamp):
     x5u = signature["x5u"]
     signature = signature["signature"]
 
-    data = canonical_json(records, timestamp).encode("utf-8")
+    data = canonicaljson.dumps(
+        {
+            "data": sorted(records, key=operator.itemgetter("id")),
+            "last_modified": str(timestamp),
+        }
+    ).encode("utf-8")
 
     return await verifier.verify(data, signature, x5u)