MESH-2092 support up to py3.13 - required changed to SSL certs as 3.13 is more security conscious. Pulled out tox config into tox.ini to permit running from pycharm. Use ASDF python versions. Update Sonar version

Author: davidhallam4-nhs

.github/workflows/merge-develop.yml

@@ -66,7 +66,7 @@ jobs:
       - name: provision sonar-scanner
         if: github.actor != 'dependabot[bot]' && (success() || failure())
         run: |
-          export SONAR_VERSION="4.7.0.2747"
+          export SONAR_VERSION="5.0.1.3006"
           wget -q "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_VERSION}.zip" -O sonar-scanner.zip
           unzip -q ./sonar-scanner.zip
           mv ./sonar-scanner-${SONAR_VERSION} ./sonar-scanner

.github/workflows/pull-request.yml

@@ -146,7 +146,7 @@ jobs:
       - name: provision sonar-scanner
         if: github.actor != 'dependabot[bot]' && (success() || failure())
         run: |
-          export SONAR_VERSION="4.7.0.2747"
+          export SONAR_VERSION="5.0.1.3006"
           wget -q "https://binaries.sonarsource.com/Distribution/sonar-scanner-cli/sonar-scanner-cli-${SONAR_VERSION}.zip" -O sonar-scanner.zip
           unzip -q ./sonar-scanner.zip
           mv ./sonar-scanner-${SONAR_VERSION} ./sonar-scanner

.tool-versions

@@ -1,2 +1,2 @@
 poetry 2.1.3
-python 3.10.18 3.9.23 3.11.13 3.12.11 3.13.5
+python 3.13.5 3.12.11 3.11.13 3.10.18 3.9.23

Makefile

@@ -93,7 +93,6 @@ black-check:
 black:
 	poetry run black .
 
-
 coverage-cleanup:
 	rm -f .coverage* || true
 
@@ -121,7 +120,7 @@ tox:
 down:
 	docker compose down --remove-orphans || true
 
-up:
+up: create-test-certs-keys
 	docker compose up -d --remove-orphans --build
 
 coverage-ci: coverage-cleanup coverage-ci-test coverage-report
@@ -134,3 +133,6 @@ check-secrets-all:
 
 export-requirements:
 	poetry export --only main -f requirements.txt --output ./requirements.txt
+
+create-test-certs-keys:
+	./scripts/create-test-certs-keys.sh

mesh_client/__init__.py

@@ -220,7 +220,7 @@ def increment(
         error: Optional[Exception] = None,
         _pool: Optional[ConnectionPool] = None,
         _stacktrace: Optional[TracebackType] = None,
-    ) -> Retry:
+    ) -> "MeshRetry":
         if method != "POST" or not url or not url.endswith("/outbox"):
             return super().increment(method, url, response, error, _pool, _stacktrace)
 

pyproject.toml

@@ -109,36 +109,6 @@ include = '\.pyi?$'
 
 
 
-[tool.tox]
-legacy_tox_ini = """
-[tox]
-envlist = py39,py310,py311,py312,py313
-
-[gh-actions]
-python =
-    3.9: py39
-    3.10: py310
-    3.11: py311
-    3.12: py312
-    3.13: py313
-
-[testenv:.pkg]
-set_env =
-    RELEASE_VERSION=1.2.3
-
-[testenv]
-wheel_build_env = .pkg
-use_develop = true
-package = wheel
-deps =
-    requests>=2.26.0
-    mock
-    pytest
-    pytest-httpserver
-commands =
-    python -m pytest
-
-"""
 
 [tool.coverage.run]
 branch = true
@@ -189,7 +159,7 @@ check_untyped_defs = true
 
 
 [tool.poetry-dynamic-versioning]
-enable = false
+enable = true
 metadata = false
 vcs = "git"
 style = "pep440"

scripts/create-test-certs-keys.sh

@@ -0,0 +1,58 @@
+#!/bin/bash
+
+set -euo pipefail
+
+SCRIPT_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" &> /dev/null && pwd )"
+OUTPUT_DIR="$SCRIPT_DIR/../tests"
+
+######################### CA #########################
+
+echo "Generating CA private key and certificate..."
+
+openssl genpkey -algorithm RSA -out "$OUTPUT_DIR"/ca.key.pem
+
+openssl req -new -x509 -days 73050 -key "$OUTPUT_DIR"/ca.key.pem -out "$OUTPUT_DIR"/ca.cert.pem \
+    -config "$SCRIPT_DIR"/openssl.cnf -extensions v3_ca -subj "/CN=Test Self-Signed CA"
+
+echo "CA certificate and key created successfully."
+
+######################### SERVER #########################
+
+echo "Generating server private key and CSR..."
+
+openssl genpkey -algorithm RSA -out "$OUTPUT_DIR"/server.key.pem
+
+openssl req -new -key "$OUTPUT_DIR"/server.key.pem -out "$OUTPUT_DIR"/server.csr \
+    -config "$SCRIPT_DIR"/openssl.cnf -subj "/CN=localhost/O=Test Server"
+
+echo "Signing the server CSR with the CA certificate..."
+
+openssl x509 -req -in "$OUTPUT_DIR"/server.csr -CA "$OUTPUT_DIR"/ca.cert.pem -CAkey "$OUTPUT_DIR"/ca.key.pem \
+    -CAcreateserial -out "$OUTPUT_DIR"/server.cert.pem -days 73050 -extensions v3_req \
+    -extfile "$SCRIPT_DIR"/openssl.cnf
+
+echo "Server certificate signed successfully."
+
+######################### CLIENT #########################
+
+echo "Generating client private key and CSR..."
+
+openssl genpkey -algorithm RSA -out "$OUTPUT_DIR"/client.key.pem
+
+openssl req -new -key "$OUTPUT_DIR"/client.key.pem -out "$OUTPUT_DIR"/client.csr \
+    -config "$SCRIPT_DIR"/openssl.cnf -subj "/CN=localhost/O=Test Client"
+
+echo "Signing the client CSR with the CA certificate..."
+
+openssl x509 -req -in "$OUTPUT_DIR"/client.csr -CA "$OUTPUT_DIR"/ca.cert.pem -CAkey "$OUTPUT_DIR"/ca.key.pem \
+    -CAcreateserial -out "$OUTPUT_DIR"/client.cert.pem -days 73050 -extensions v3_req \
+    -extfile "$SCRIPT_DIR"/openssl.cnf
+
+echo "Client certificate signed successfully."
+
+######################### COMPLETE #########################
+
+rm -f "$OUTPUT_DIR"/server.csr "$OUTPUT_DIR"/client.csr
+
+echo "Complete."
+

scripts/openssl.cnf

@@ -0,0 +1,28 @@
+[ req ]
+distinguished_name = req_distinguished_name
+prompt = no
+
+[ req_distinguished_name ]
+C = GB
+ST = Test State
+L = Test Locality
+O = Test Org
+CN = Test Self-Signed CA
+
+[ v3_ca ]
+# Extensions for a self-signed CA
+subjectKeyIdentifier = hash
+authorityKeyIdentifier = keyid:always,issuer
+basicConstraints = critical,CA:true
+keyUsage = critical,digitalSignature,keyCertSign,cRLSign
+
+[ v3_req ]
+# Extensions for a server/client certificate
+basicConstraints = CA:false
+keyUsage = digitalSignature, keyEncipherment
+extendedKeyUsage = serverAuth, clientAuth
+subjectAltName = @alt_names
+
+[ alt_names ]
+DNS.1 = localhost
+IP.1 = 127.0.0.1