offline mode added to TrustedMetadataSet

omartounsi7 · emilejbm · commit 2f9680b8f3cb · 2023-05-27T14:39:19.000-04:00
Signed-off-by: Emile Baez <ebaezmunne@gmail.com> fixed error Signed-off-by: Emile Baez <ebaezmunne@gmail.com> nglclient updater refresh method checks for offline mode reformat of Jussi's lazy refresh closed PR. Addition of checking for offline flag passed in from client. Will try to load from local metadata if either is set. If offline is set and local metadata is expired or not available, ExpiredMetadataError will be raised. Tests added for offline being set with and without valid local metadata. (needs review). Signed-off-by: Emile Baez <ebaezmunne@gmail.com> refresh method fix. 164 tests pass, 3 warnings Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump ossf/scorecard-action from 2.1.2 to 2.1.3 Bumps [ossf/scorecard-action](https://github.com/ossf/scorecard-action) from 2.1.2 to 2.1.3. - [Release notes](https://github.com/ossf/scorecard-action/releases) - [Changelog](https://github.com/ossf/scorecard-action/blob/main/RELEASE.md) - [Commits](ossf/scorecard-action@e38b190...80e868c) --- updated-dependencies: - dependency-name: ossf/scorecard-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump pylint from 2.17.1 to 2.17.2 Bumps [pylint](https://github.com/PyCQA/pylint) from 2.17.1 to 2.17.2. - [Release notes](https://github.com/PyCQA/pylint/releases) - [Commits](pylint-dev/pylint@v2.17.1...v2.17.2) --- updated-dependencies: - dependency-name: pylint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump pypa/gh-action-pypi-publish from 1.8.3 to 1.8.5 Bumps [pypa/gh-action-pypi-publish](https://github.com/pypa/gh-action-pypi-publish) from 1.8.3 to 1.8.5. - [Release notes](https://github.com/pypa/gh-action-pypi-publish/releases) - [Commits](pypa/gh-action-pypi-publish@48b317d...0bf742b) --- updated-dependencies: - dependency-name: pypa/gh-action-pypi-publish dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump mypy from 1.1.1 to 1.2.0 Bumps [mypy](https://github.com/python/mypy) from 1.1.1 to 1.2.0. - [Release notes](https://github.com/python/mypy/releases) - [Commits](python/mypy@v1.1.1...v1.2.0) --- updated-dependencies: - dependency-name: mypy dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump coverage from 7.2.2 to 7.2.3 Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.2.2 to 7.2.3. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](coveragepy/coveragepy@7.2.2...7.2.3) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump github/codeql-action from 2.2.9 to 2.2.11 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.9 to 2.2.11. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@04df126...d186a2a) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump actions/github-script from 6.4.0 to 6.4.1 Bumps [actions/github-script](https://github.com/actions/github-script) from 6.4.0 to 6.4.1. - [Release notes](https://github.com/actions/github-script/releases) - [Commits](actions/github-script@98814c5...d7906e4) --- updated-dependencies: - dependency-name: actions/github-script dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> Removed lazy refresh config Signed-off-by: Emerson Rounds <65183924+emboman13@users.noreply.github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> Removed lazy refresh configuration option Signed-off-by: Emerson Rounds <65183924+emboman13@users.noreply.github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> Removed lazy refresh tests and updated offline tests Signed-off-by: Emerson Rounds <65183924+emboman13@users.noreply.github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump cryptography from 40.0.1 to 40.0.2 Bumps [cryptography](https://github.com/pyca/cryptography) from 40.0.1 to 40.0.2. - [Release notes](https://github.com/pyca/cryptography/releases) - [Changelog](https://github.com/pyca/cryptography/blob/main/CHANGELOG.rst) - [Commits](pyca/cryptography@40.0.1...40.0.2) --- updated-dependencies: - dependency-name: cryptography dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump actions/checkout from 3.5.0 to 3.5.2 Bumps [actions/checkout](https://github.com/actions/checkout) from 3.5.0 to 3.5.2. - [Release notes](https://github.com/actions/checkout/releases) - [Changelog](https://github.com/actions/checkout/blob/main/CHANGELOG.md) - [Commits](actions/checkout@8f4b7f8...8e5e7e5) --- updated-dependencies: - dependency-name: actions/checkout dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump github/codeql-action from 2.2.11 to 2.2.12 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.11 to 2.2.12. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@d186a2a...7df0ce3) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> disabled expiry checks in offline mode. updated testing Signed-off-by: Emile Baez <ebaezmunne@gmail.com> NetworkUnavailableError exception added More descriptive exception added for offline mode error case. Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump securesystemslib[crypto,pynacl] from 0.27.0 to 0.28.0 Bumps [securesystemslib[crypto,pynacl]](https://github.com/secure-systems-lab/securesystemslib) from 0.27.0 to 0.28.0. - [Release notes](https://github.com/secure-systems-lab/securesystemslib/releases) - [Changelog](https://github.com/secure-systems-lab/securesystemslib/blob/main/CHANGELOG.md) - [Commits](secure-systems-lab/securesystemslib@v0.27.0...v0.28.0) --- updated-dependencies: - dependency-name: securesystemslib[crypto,pynacl] dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump actions/setup-python from 4.5.0 to 4.6.0 Bumps [actions/setup-python](https://github.com/actions/setup-python) from 4.5.0 to 4.6.0. - [Release notes](https://github.com/actions/setup-python/releases) - [Commits](actions/setup-python@d27e3f3...57ded4d) --- updated-dependencies: - dependency-name: actions/setup-python dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump github/codeql-action from 2.2.12 to 2.3.0 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.2.12 to 2.3.0. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@7df0ce3...b2c19fb) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump pylint from 2.17.2 to 2.17.3 Bumps [pylint](https://github.com/PyCQA/pylint) from 2.17.2 to 2.17.3. - [Release notes](https://github.com/PyCQA/pylint/releases) - [Commits](pylint-dev/pylint@v2.17.2...v2.17.3) --- updated-dependencies: - dependency-name: pylint dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> Removed vestigial code from updater Signed-off-by: Emerson Rounds <65183924+emboman13@users.noreply.github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> Removed unused error Signed-off-by: Emerson Rounds <65183924+emboman13@users.noreply.github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump coverage from 7.2.3 to 7.2.4 Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.2.3 to 7.2.4. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](coveragepy/coveragepy@7.2.3...7.2.4) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump github/codeql-action from 2.3.0 to 2.3.2 Bumps [github/codeql-action](https://github.com/github/codeql-action) from 2.3.0 to 2.3.2. - [Release notes](https://github.com/github/codeql-action/releases) - [Changelog](https://github.com/github/codeql-action/blob/main/CHANGELOG.md) - [Commits](github/codeql-action@b2c19fb...f3feb00) --- updated-dependencies: - dependency-name: github/codeql-action dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump requests from 2.28.2 to 2.29.0 Bumps [requests](https://github.com/psf/requests) from 2.28.2 to 2.29.0. - [Release notes](https://github.com/psf/requests/releases) - [Changelog](https://github.com/psf/requests/blob/main/HISTORY.md) - [Commits](psf/requests@v2.28.2...v2.29.0) --- updated-dependencies: - dependency-name: requests dependency-type: direct:production update-type: version-update:semver-minor ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> build(deps): bump coverage from 7.2.4 to 7.2.5 Bumps [coverage](https://github.com/nedbat/coveragepy) from 7.2.4 to 7.2.5. - [Release notes](https://github.com/nedbat/coveragepy/releases) - [Changelog](https://github.com/nedbat/coveragepy/blob/master/CHANGES.rst) - [Commits](coveragepy/coveragepy@7.2.4...7.2.5) --- updated-dependencies: - dependency-name: coverage dependency-type: direct:production update-type: version-update:semver-patch ... Signed-off-by: dependabot[bot] <support@github.com> Signed-off-by: Emile Baez <ebaezmunne@gmail.com> offline mode added to TrustedMetadataSet creation of TrustedMetadataSet object can take additional argument that describes whether client wants to be in offline mode. Code linted according to tox -e lint. Signed-off-by: Emile Baez <ebaezmunne@gmail.com>
diff --git a/.github/workflows/_test.yml b/.github/workflows/_test.yml
@@ -12,10 +12,10 @@ jobs:
 
     steps:
       - name: Checkout TUF
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 
       - name: Set up Python 3.x
-        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
         with:
           python-version: 3.x
           cache: 'pip'
@@ -56,10 +56,10 @@ jobs:
 
     steps:
       - name: Checkout TUF
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 
       - name: Set up Python ${{ matrix.python-version }}
-        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
         with:
           python-version: ${{ matrix.python-version }}
           cache: 'pip'
@@ -101,7 +101,7 @@ jobs:
         run: touch requirements.txt
 
       - name: Set up Python
-        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
         with:
           python-version: '3.x'
           cache: 'pip'
diff --git a/.github/workflows/cd.yml b/.github/workflows/cd.yml
@@ -18,12 +18,12 @@ jobs:
     needs: test
     steps:
       - name: Checkout release tag
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
         with:
           ref: ${{ github.event.workflow_run.head_branch }}
 
       - name: Set up Python
-        uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+        uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
         with:
           python-version: '3.x'
 
@@ -59,7 +59,7 @@ jobs:
 
       - id: gh-release
         name: Publish GitHub release draft
-        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
         with:
           script: |
             fs = require('fs')
@@ -102,13 +102,13 @@ jobs:
       - name: Publish binary wheel and source tarball on PyPI
         # Only attempt pypi upload in upstream repository
         if: github.repository == 'theupdateframework/python-tuf'
-        uses: pypa/gh-action-pypi-publish@48b317d84d5f59668bb13be49d1697e36b3ad009
+        uses: pypa/gh-action-pypi-publish@0bf742be3ebe032c25dd15117957dc15d0cfc38d
         with:
           user: __token__
           password: ${{ secrets.PYPI_API_TOKEN }}
 
       - name: Finalize GitHub release
-        uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
+        uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
         with:
           script: |
             github.rest.repos.updateRelease({
diff --git a/.github/workflows/codeql-analysis.yml b/.github/workflows/codeql-analysis.yml
@@ -22,12 +22,12 @@ jobs:
 
     steps:
     - name: Checkout repository
-      uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+      uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@04df1262e6247151b5ac09cd2c303ac36ad3f62b
+      uses: github/codeql-action/init@f3feb00acb00f31a6f60280e6ace9ca31d91c76a
       with:
         languages: 'python'
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@04df1262e6247151b5ac09cd2c303ac36ad3f62b
+      uses: github/codeql-action/analyze@f3feb00acb00f31a6f60280e6ace9ca31d91c76a
diff --git a/.github/workflows/dependency-review.yml b/.github/workflows/dependency-review.yml
@@ -15,6 +15,6 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - name: 'Checkout Repository'
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
       - name: 'Dependency Review'
         uses: actions/dependency-review-action@f46c48ed6d4f1227fb2d9ea62bf6bcbed315589e
diff --git a/.github/workflows/maintainer-permissions-reminder.yml b/.github/workflows/maintainer-permissions-reminder.yml
@@ -13,7 +13,7 @@ jobs:
     name: File issue to review maintainer permissions
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/github-script@98814c53be79b1d30f795b907e553d8679345975
+    - uses: actions/github-script@d7906e4ad0b1822421a7e6a35d5ca353c962f410
       with:
         script: |
           await github.rest.issues.create({
diff --git a/.github/workflows/scorecards.yml b/.github/workflows/scorecards.yml
@@ -21,10 +21,10 @@ jobs:
 
     steps:
       - name: "Checkout code"
-        uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
+        uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
 
       - name: "Run analysis"
-        uses: ossf/scorecard-action@e38b1902ae4f44df626f11ba0734b14fb91f8f86
+        uses: ossf/scorecard-action@80e868c13c90f172d68d1f4501dee99e2479f7af
         with:
           results_file: results.sarif
           # sarif format required by upload-sarif action
@@ -34,6 +34,6 @@ jobs:
           publish_results: true
 
       - name: "Upload to code-scanning dashboard"
-        uses: github/codeql-action/upload-sarif@04df1262e6247151b5ac09cd2c303ac36ad3f62b
+        uses: github/codeql-action/upload-sarif@f3feb00acb00f31a6f60280e6ace9ca31d91c76a
         with:
           sarif_file: results.sarif
diff --git a/.github/workflows/specification-version-check.yml b/.github/workflows/specification-version-check.yml
@@ -14,8 +14,8 @@ jobs:
     outputs:
       version: ${{ steps.get-version.outputs.version }}
     steps:
-      - uses: actions/checkout@8f4b7f84864484a7bf31766abe9204da3cbe65b3
-      - uses: actions/setup-python@d27e3f3d7c64b4bbf8e4abfb9b63b83e846e0435
+      - uses: actions/checkout@8e5e7e5ab8b370d6c329ec480221332ada57f0ab
+      - uses: actions/setup-python@57ded4d7d5e986d7296eab16560982c6dd7c923b
         with:
           python-version: "3.x"
       - id: get-version
diff --git a/requirements/lint.txt b/requirements/lint.txt
@@ -8,7 +8,7 @@
 # are pinned to prevent unexpected linting failures when tools update)
 black==23.3.0
 isort==5.12.0
-pylint==2.17.1
-mypy==1.1.1
+pylint==2.17.3
+mypy==1.2.0
 bandit==1.7.5
 pydocstyle==6.3.0
diff --git a/requirements/pinned.txt b/requirements/pinned.txt
@@ -1,10 +1,10 @@
 certifi==2022.12.7        # via requests
 cffi==1.15.1              # via cryptography, pynacl
 charset-normalizer==3.1.0 # via requests
-cryptography==40.0.1      # via securesystemslib
+cryptography==40.0.2      # via securesystemslib
 idna==3.4                 # via requests
 pycparser==2.21           # via cffi
 pynacl==1.5.0             # via securesystemslib
-requests==2.28.2
-securesystemslib[crypto,pynacl]==0.27.0
+requests==2.29.0
+securesystemslib[crypto,pynacl]==0.28.0
 urllib3==1.26.15           # via requests
diff --git a/requirements/test.txt b/requirements/test.txt
@@ -4,4 +4,4 @@
 -r pinned.txt
 
 # coverage measurement
-coverage==7.2.2
+coverage==7.2.5
diff --git a/tests/test_updater_top_level_update.py b/tests/test_updater_top_level_update.py
@@ -739,6 +739,79 @@ def test_load_metadata_from_cache(self, wrapped_open: MagicMock) -> None:
         expected_calls = [("root", 2), ("timestamp", None)]
         self.assertListEqual(self.sim.fetch_tracker.metadata, expected_calls)
 
+    @patch.object(datetime, "datetime", wraps=datetime.datetime)
+    def test_refresh_with_offline(self, mock_time: Mock) -> None:
+        # make v1 metadata expire a little earlier
+        self.sim.timestamp.expires = self.sim.safe_expiry - datetime.timedelta(
+            days=7
+        )
+        self.sim.targets.expires = self.sim.safe_expiry - datetime.timedelta(
+            days=5
+        )
+        # offline is not set and there is no metadata
+        self.sim.fetch_tracker.metadata.clear()
+        with patch("datetime.datetime", mock_time):
+            updater = self._init_updater()
+            updater.config.offline = False
+            try:
+                updater.refresh()
+            except ExpiredMetadataError:
+                self.assertTrue(True)
+
+        # Make sure local metadata is available
+        updater = self._init_updater()
+        updater.refresh()
+        updater.config.offline = False
+
+        # Clean up fetch tracker data
+        self.sim.fetch_tracker.metadata.clear()
+        # Create timestamp v2 in repository
+        self.sim.timestamp.version += 1
+        self.sim.timestamp.expires = self.sim.safe_expiry
+
+        # Offline flag is set and local metadata is valid (should continue)
+        updater = self._init_updater()
+        updater.config.offline = True
+        updater.refresh()
+        self.assertListEqual(self.sim.fetch_tracker.metadata, [])
+        # Clean up fetch tracker data
+        self.sim.fetch_tracker.metadata.clear()
+        # create targets v2 in repository
+        self.sim.targets.version += 1
+        self.sim.targets.expires = self.sim.safe_expiry
+        self.sim.update_snapshot()
+
+        # Offline flag is set and local metadata is expired. New timestamp
+        # is available but should raise MetaDataError.
+        mock_time.utcnow.return_value = (
+            self.sim.safe_expiry - datetime.timedelta(days=6)
+        )
+
+        with patch("datetime.datetime", mock_time):
+            updater = self._init_updater()
+            updater.config.offline = True
+            try:
+                updater.refresh()
+            except ExpiredMetadataError:
+                self.assertFalse(False)
+
+        # Clean up fetch tracker data
+        self.sim.fetch_tracker.metadata.clear()
+
+        # Offline flag is not set (vanilla refresh)
+        with patch("datetime.datetime", mock_time):
+            updater = self._init_updater()
+            updater.config.offline = False
+            updater.refresh()
+
+        expected_calls = [
+            ("root", 2),
+            ("timestamp", None),
+            ("snapshot", 2),
+            ("targets", 2),
+        ]
+        self.assertListEqual(self.sim.fetch_tracker.metadata, expected_calls)
+
     @patch.object(datetime, "datetime", wraps=datetime.datetime)
     def test_expired_metadata(self, mock_time: Mock) -> None:
         """Verifies that expired local timestamp/snapshot can be used for
diff --git a/tuf/ngclient/_internal/trusted_metadata_set.py b/tuf/ngclient/_internal/trusted_metadata_set.py
@@ -78,20 +78,22 @@ class TrustedMetadataSet(abc.Mapping):
     to update the metadata with the caller making decisions on what is updated.
     """
 
-    def __init__(self, root_data: bytes):
+    def __init__(self, root_data: bytes, is_offline: bool = False):
         """Initialize ``TrustedMetadataSet`` by loading trusted root metadata.
 
         Args:
             root_data: Trusted root metadata as bytes. Note that this metadata
                 will only be verified by itself: it is the source of trust for
                 all metadata in the ``TrustedMetadataSet``
+            is_offline: Defines whether the client wants to be offline or not.
 
         Raises:
             RepositoryError: Metadata failed to load or verify. The actual
                 error type and content will contain more details.
         """
         self._trusted_set: Dict[str, Metadata] = {}
         self.reference_time = datetime.datetime.utcnow()
+        self.offline = is_offline
 
         # Load and validate the local root metadata. Valid initial trusted root
         # metadata is required
@@ -203,7 +205,10 @@ def update_timestamp(self, data: bytes) -> Metadata[Timestamp]:
             raise RuntimeError("Cannot update timestamp after snapshot")
 
         # client workflow 5.3.10: Make sure final root is not expired.
-        if self.root.signed.is_expired(self.reference_time):
+        if (
+            self.root.signed.is_expired(self.reference_time)
+            and not self.offline
+        ):
             raise exceptions.ExpiredMetadataError("Final root.json is expired")
         # No need to check for 5.3.11 (fast forward attack recovery):
         # timestamp/snapshot can not yet be loaded at this point
@@ -246,7 +251,7 @@ def update_timestamp(self, data: bytes) -> Metadata[Timestamp]:
         logger.debug("Updated timestamp v%d", new_timestamp.signed.version)
 
         # timestamp is loaded: raise if it is not valid _final_ timestamp
-        self._check_final_timestamp()
+        self._check_final_timestamp() if not self.offline else None
 
         return new_timestamp
 
@@ -257,7 +262,9 @@ def _check_final_timestamp(self) -> None:
             raise exceptions.ExpiredMetadataError("timestamp.json is expired")
 
     def update_snapshot(
-        self, data: bytes, trusted: Optional[bool] = False
+        self,
+        data: bytes,
+        trusted: Optional[bool] = False,
     ) -> Metadata[Snapshot]:
         """Verify and load ``data`` as new snapshot metadata.
 
@@ -294,7 +301,7 @@ def update_snapshot(
         logger.debug("Updating snapshot")
 
         # Snapshot cannot be loaded if final timestamp is expired
-        self._check_final_timestamp()
+        self._check_final_timestamp() if not self.offline else None
 
         snapshot_meta = self.timestamp.signed.snapshot_meta
 
@@ -347,7 +354,10 @@ def update_snapshot(
     def _check_final_snapshot(self) -> None:
         """Raise if snapshot is expired or meta version does not match."""
 
-        if self.snapshot.signed.is_expired(self.reference_time):
+        if (
+            self.snapshot.signed.is_expired(self.reference_time)
+            and not self.offline
+        ):
             raise exceptions.ExpiredMetadataError("snapshot.json is expired")
         snapshot_meta = self.timestamp.signed.snapshot_meta
         if self.snapshot.signed.version != snapshot_meta.version:
@@ -426,7 +436,10 @@ def update_delegated_targets(
                 f"Expected {role_name} v{meta.version}, got v{version}."
             )
 
-        if new_delegate.signed.is_expired(self.reference_time):
+        if (
+            new_delegate.signed.is_expired(self.reference_time)
+            and not self.offline
+        ):
             raise exceptions.ExpiredMetadataError(f"New {role_name} is expired")
 
         self._trusted_set[role_name] = new_delegate
diff --git a/tuf/ngclient/config.py b/tuf/ngclient/config.py
@@ -33,3 +33,4 @@ class UpdaterConfig:
     snapshot_max_length: int = 2000000  # bytes
     targets_max_length: int = 5000000  # bytes
     prefix_targets_with_hash: bool = True
+    offline: bool = False
diff --git a/tuf/ngclient/updater.py b/tuf/ngclient/updater.py
@@ -101,9 +101,11 @@ def __init__(
 
         # Read trusted local root metadata
         data = self._load_local_metadata(Root.type)
-        self._trusted_set = trusted_metadata_set.TrustedMetadataSet(data)
         self._fetcher = fetcher or requests_fetcher.RequestsFetcher()
         self.config = config or UpdaterConfig()
+        self._trusted_set = trusted_metadata_set.TrustedMetadataSet(
+            data, self.config.offline
+        )
 
     def refresh(self) -> None:
         """Refresh top-level metadata.
@@ -129,6 +131,17 @@ def refresh(self) -> None:
             DownloadError: Download of a metadata file failed in some way
         """
 
+        if self.config.offline:
+            # Try loading only local data
+            data = self._load_local_metadata(Timestamp.type)
+            self._trusted_set.update_timestamp(data)
+            data = self._load_local_metadata(Snapshot.type)
+            self._trusted_set.update_snapshot(data, trusted=True)
+            data = self._load_local_metadata(Targets.type)
+            self._trusted_set.update_delegated_targets(
+                data, Targets.type, Root.type
+            )
+            return
         self._load_root()
         self._load_timestamp()
         self._load_snapshot()
