From 04b0fcd3451bdb64a52d88f2e6888b9bcd8e8c00 Mon Sep 17 00:00:00 2001 From: Lion Holler Date: Wed, 26 Jun 2024 11:55:51 +0200 Subject: [PATCH 1/5] first steps towards moving to the ruff linter to replace pylint+bandit+black+isort --- mypy.ini | 2 ++ pyproject.toml | 39 ++++++++++++++++----- requirements-lint.txt | 1 + securesystemslib/_gpg/common.py | 7 ++-- securesystemslib/_gpg/constants.py | 2 +- securesystemslib/_gpg/dsa.py | 1 + securesystemslib/_gpg/functions.py | 26 ++++++-------- securesystemslib/_gpg/rsa.py | 7 ++-- securesystemslib/_gpg/util.py | 11 +++--- securesystemslib/dsse.py | 5 ++- securesystemslib/formats.py | 7 ++-- securesystemslib/hash.py | 4 +-- securesystemslib/signer/__init__.py | 1 + securesystemslib/signer/_azure_signer.py | 6 ++-- securesystemslib/signer/_crypto_signer.py | 2 +- securesystemslib/signer/_gpg_signer.py | 2 +- securesystemslib/signer/_hsm_signer.py | 4 +-- securesystemslib/signer/_key.py | 4 +-- securesystemslib/signer/_signer.py | 2 +- securesystemslib/signer/_sigstore_signer.py | 5 ++- securesystemslib/signer/_spx_signer.py | 4 +-- securesystemslib/signer/_utils.py | 2 +- tests/check_aws_signer.py | 4 +-- tests/check_public_interfaces.py | 4 +-- tests/check_public_interfaces_gpg.py | 4 +-- tests/check_vault_signer.py | 4 +-- tests/test_dsse.py | 2 +- tests/test_gpg.py | 36 +++++++++---------- tests/test_hash.py | 28 +++++---------- tests/test_hsm_signer.py | 3 +- tests/test_signer.py | 6 ++-- tox.ini | 9 +++-- 32 files changed, 118 insertions(+), 126 deletions(-) diff --git a/mypy.ini b/mypy.ini index 2b97eb98..4e798575 100644 --- a/mypy.ini +++ b/mypy.ini @@ -5,6 +5,8 @@ files = securesystemslib/storage.py, securesystemslib/_gpg/constants.py +exclude = securesystemslib/_vendor + # Supress error messages until enough modules # are type annotated follow_imports = silent diff --git a/pyproject.toml b/pyproject.toml index d8d7510c..a49153f4 100644 --- a/pyproject.toml +++ b/pyproject.toml 
@@ -70,12 +70,35 @@ include = [ "/.coveragerc", ] -[tool.black] -line-length=80 -extend-exclude="_vendor" +# Ruff section +[tool.ruff] +lint.select = [ + "I", # isort: all + "PL", # pylint: all + "S", # flake8-bandit: all + "N", # pep8-naming: all + "RUF100" # ruff: find unused noqa +] +exclude = ["_vendor"] + +# Same as Black. +line-length = 80 +indent-width = 4 + +[tool.ruff.format] +# Like Black, use double quotes for strings. +quote-style = "double" + +# Like Black, indent with spaces, rather than tabs. +indent-style = "space" + +# Like Black, respect magic trailing commas. +skip-magic-trailing-comma = false + +# Like Black, automatically detect the appropriate line ending. +line-ending = "auto" -[tool.isort] -profile="black" -line_length=80 -known_first_party = ["securesystemslib"] -extend_skip_glob=["*/_vendor/*"] +[tool.ruff.lint.per-file-ignores] +"tests/*" = [ + "S", # bandit: Not running bandit on tests +] \ No newline at end of file diff --git a/requirements-lint.txt b/requirements-lint.txt index 9f857e86..b4f60cd1 100644 --- a/requirements-lint.txt +++ b/requirements-lint.txt @@ -3,3 +3,4 @@ black==24.4.2 isort==5.13.2 pylint==3.2.3 bandit==1.7.9 +ruff==0.4.10 diff --git a/securesystemslib/_gpg/common.py b/securesystemslib/_gpg/common.py index 507f2ecc..a341a364 100644 --- a/securesystemslib/_gpg/common.py +++ b/securesystemslib/_gpg/common.py @@ -449,9 +449,9 @@ def _assign_certified_key_info(bundle): sig_creation_time = tmp_sig_creation_time if validity_period is not None: - bundle[PACKET_TYPE_PRIMARY_KEY]["key"][ - "validity_period" - ] = validity_period + bundle[PACKET_TYPE_PRIMARY_KEY]["key"]["validity_period"] = ( + validity_period + ) return bundle[PACKET_TYPE_PRIMARY_KEY]["key"] @@ -654,6 +654,7 @@ def get_pubkey_bundle(data, keyid): return master_public_key +# ruff: noqa: PLR0912, PLR0915 def parse_signature_packet( # pylint: disable=too-many-locals,too-many-branches,too-many-statements data, supported_signature_types=None, 
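Review bot: In the new `[tool.ruff]` table of pyproject.toml, `exclude = ["_vendor"]` replaces ruff's built-in exclusion list instead of adding to it, so the default skips for directories such as `.venv`, `.tox`, `build` and `dist` are lost. The removed black and isort settings used the extending forms (`extend-exclude`, `extend_skip_glob`), and the equivalent here is `extend-exclude = ["_vendor"]`. The tox lint environment passes explicit directories, so this mostly affects a bare `ruff check .` or an editor integration run from the repository root. The file also now ends without a trailing newline.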
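Review bot: The `# ruff: noqa: PLR0912, PLR0915` line added above `parse_signature_packet` in securesystemslib/_gpg/common.py is a file-level directive, so it turns both complexity checks off for the whole module and not only for this function. To keep the exemption local, put it on the definition line, `def parse_signature_packet(  # noqa: PLR0912, PLR0915`. The same applies to the `# ruff: noqa: E402` lines added in the middle of _gpg/dsa.py, _gpg/rsa.py and _gpg/util.py: each silences import-position checks for the entire file. If that is intended, moving them to the top with a short reason would make the scope visible. The function body continues outside the hunk.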
diff --git a/securesystemslib/_gpg/constants.py b/securesystemslib/_gpg/constants.py index 58c60174..b9f6faa1 100644 --- a/securesystemslib/_gpg/constants.py +++ b/securesystemslib/_gpg/constants.py @@ -37,7 +37,7 @@ def is_available_gnupg(gnupg: str, timeout: Optional[int] = None) -> bool: gpg_version_cmd = shlex.split(f"{gnupg} --version") try: subprocess.run( # nosec - gpg_version_cmd, + gpg_version_cmd, # noqa: S603 capture_output=True, timeout=timeout, check=True, diff --git a/securesystemslib/_gpg/dsa.py b/securesystemslib/_gpg/dsa.py index b5b88f79..7c3cbab3 100644 --- a/securesystemslib/_gpg/dsa.py +++ b/securesystemslib/_gpg/dsa.py @@ -28,6 +28,7 @@ CRYPTO = False # pylint: disable=wrong-import-position +# ruff: noqa: E402 from securesystemslib import exceptions from securesystemslib._gpg import util as gpg_util from securesystemslib._gpg.exceptions import PacketParsingError diff --git a/securesystemslib/_gpg/functions.py b/securesystemslib/_gpg/functions.py index 6db99e81..53dfd563 100644 --- a/securesystemslib/_gpg/functions.py +++ b/securesystemslib/_gpg/functions.py @@ -104,24 +104,20 @@ def create_signature(content, keyid=None, homedir=None, timeout=GPG_TIMEOUT): keyarg = "" if keyid: - keyarg = ( - "--local-user {}".format( # pylint: disable=consider-using-f-string - keyid - ) + keyarg = "--local-user {}".format( # pylint: disable=consider-using-f-string + keyid ) homearg = "" if homedir: - homearg = ( - "--homedir {}".format( # pylint: disable=consider-using-f-string - homedir - ).replace("\\", "/") - ) + homearg = "--homedir {}".format( # pylint: disable=consider-using-f-string + homedir + ).replace("\\", "/") command = gpg_sign_command(keyarg=keyarg, homearg=homearg) gpg_process = subprocess.run( # nosec - command, + command, # noqa: S603 input=content, check=False, capture_output=True, 
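Review bot: The `# noqa: S603` added in `is_available_gnupg` suppresses the subprocess-input check without saying why the call is safe, and the `# nosec` left on the line above is a bandit marker that ruff does not read. The argv comes from `shlex.split(f"{gnupg} --version")`, so a `gnupg` value containing whitespace becomes several arguments; where `gnupg` originates is not visible in this hunk. I would record the assumption next to the suppression, for example `# S603: argv list, no shell; gnupg must be a trusted executable name`. If `gnupg` is never meant to carry extra options, building the list directly as `[gnupg, "--version"]` would remove the splitting entirely.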
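Review bot: In `create_signature`, the new `command,  # noqa: S603` silences the one check that asks where the argv comes from, while `keyid` and `homedir` are formatted into option strings (`"--local-user {}"`, `"--homedir {}"`) just above it. `gpg_sign_command` is not visible here; if it tokenizes the string the way `is_available_gnupg` does with `shlex.split`, a `homedir` containing a space, or a value starting with `-`, changes the argument list passed to gpg. I would either validate `keyid` as hexadecimal and pass `homedir` as its own argv element, or state on the suppression line which callers are trusted to supply these values. The same pattern and suppression appear in the `export_pubkey` hunk of this file. Both function bodies continue outside their hunks.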
@@ -283,17 +279,15 @@ def export_pubkey(keyid, homedir=None, timeout=GPG_TIMEOUT): homearg = "" if homedir: - homearg = ( - "--homedir {}".format( # pylint: disable=consider-using-f-string - homedir - ).replace("\\", "/") - ) + homearg = "--homedir {}".format( # pylint: disable=consider-using-f-string + homedir + ).replace("\\", "/") # TODO: Consider adopting command error handling from `create_signature` # above, e.g. in a common 'run gpg command' utility function command = gpg_export_pubkey_command(keyid=keyid, homearg=homearg) gpg_process = subprocess.run( # nosec - command, + command, # noqa: S603 capture_output=True, timeout=timeout, check=True, diff --git a/securesystemslib/_gpg/rsa.py b/securesystemslib/_gpg/rsa.py index 4a17a966..6f57e4a6 100644 --- a/securesystemslib/_gpg/rsa.py +++ b/securesystemslib/_gpg/rsa.py @@ -27,6 +27,7 @@ CRYPTO = False # pylint: disable=wrong-import-position +# ruff: noqa: E402 from securesystemslib import exceptions from securesystemslib._gpg import util as gpg_util from securesystemslib._gpg.exceptions import PacketParsingError @@ -185,10 +186,8 @@ def verify_signature(signature_object, pubkey_info, content, hash_algorithm_id): signature_length = len(signature_object["signature"]) if pubkey_length != signature_length: # pragma: no cover zero_pad = "0" * (pubkey_length - signature_length) - signature_object["signature"] = ( - "{}{}".format( # pylint: disable=consider-using-f-string - zero_pad, signature_object["signature"] - ) + signature_object["signature"] = "{}{}".format( # pylint: disable=consider-using-f-string + zero_pad, signature_object["signature"] ) digest = gpg_util.hash_object( diff --git a/securesystemslib/_gpg/util.py b/securesystemslib/_gpg/util.py index a0822c57..85e9fe11 100644 --- a/securesystemslib/_gpg/util.py +++ b/securesystemslib/_gpg/util.py 
@@ -15,6 +15,9 @@ general-purpose utilities for binary data handling and pgp data parsing """ +# ruff: noqa: PLR2004 +# (disbales "Magic value used in comparison", like on line 150) + import binascii import logging import struct @@ -28,6 +31,7 @@ CRYPTO = False # pylint: disable=wrong-import-position +# ruff: noqa: E402 from securesystemslib import exceptions from securesystemslib._gpg import constants from securesystemslib._gpg.exceptions import PacketParsingError @@ -100,9 +104,7 @@ def hash_object(headers, algorithm, content): return hasher.finalize() -def parse_packet_header( - data, expected_type=None -): # pylint: disable=too-many-branches +def parse_packet_header(data, expected_type=None): # pylint: disable=too-many-branches # noqa: PLR0912 """ Parse out packet type and header and body lengths from an RFC4880 packet. @@ -235,7 +237,8 @@ def compute_keyid(pubkey_packet_data): raise exceptions.UnsupportedLibraryError(NO_CRYPTO_MSG) hasher = hashing.Hash( - hashing.SHA1(), backend=backends.default_backend() # nosec + hashing.SHA1(), # noqa: S303 + backend=backends.default_backend(), # nosec ) hasher.update(b"\x99") hasher.update(struct.pack(">H", len(pubkey_packet_data))) diff --git a/securesystemslib/dsse.py b/securesystemslib/dsse.py index 61e4975e..9c848de3 100644 --- a/securesystemslib/dsse.py +++ b/securesystemslib/dsse.py @@ -1,5 +1,4 @@ -"""Dead Simple Signing Envelope -""" +"""Dead Simple Signing Envelope""" import logging from typing import Any, Dict, List @@ -64,7 +63,7 @@ def from_dict(cls, data: dict) -> "Envelope": signatures = {} for signature in data["signatures"]: signature["sig"] = b64dec(signature["sig"]).hex() - signature = Signature.from_dict(signature) + signature = Signature.from_dict(signature) # noqa: PLW2901 if signature.keyid in signatures: raise ValueError( f"Multiple signatures found for keyid {signature.keyid}" diff --git a/securesystemslib/formats.py b/securesystemslib/formats.py index ca14a04a..846c6977 100755 
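Review bot: The `hashing.SHA1(),  # noqa: S303` in `compute_keyid` suppresses the weak-hash finding with no reason given, and the reformat has left `# nosec` on the `backend=` line, where it no longer marks anything. The surrounding lines (`b"\x99"` followed by the packed length) look like the OpenPGP v4 fingerprint computation, for which RFC 4880 fixes SHA-1, so the suppression is probably justified. A comment above the call would make that explicit, for example `# SHA-1 is fixed by RFC 4880 for v4 key IDs; used as an identifier, not for integrity`. In the first hunk of this file, the file-wide `# ruff: noqa: PLR2004` comment has a typo ("disbales") and refers to "line 150", which will drift as the file changes.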
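Review bot: In `Envelope.from_dict` (securesystemslib/dsse.py), `signature = Signature.from_dict(signature)  # noqa: PLW2901` silences the loop-variable-overwrite warning where a rename would fix it. Binding the parsed object to its own name, `sig_obj = Signature.from_dict(signature)`, and using `sig_obj.keyid` in the duplicate check removes the need for the suppression. The context line above it, `signature["sig"] = b64dec(signature["sig"]).hex()`, also rewrites the caller's `data["signatures"]` entries in place, which is easier to notice once the dict and the parsed object have different names. The rest of the method is outside the hunk.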
--- a/securesystemslib/formats.py +++ b/securesystemslib/formats.py @@ -47,9 +47,7 @@ def _canonical_string_encoder(string): return string -def _encode_canonical( - object, output_function -): # pylint: disable=missing-function-docstring,redefined-builtin +def _encode_canonical(object, output_function): # pylint: disable=missing-function-docstring,redefined-builtin # Helper for encode_canonical. Older versions of json.encoder don't # even let us replace the separators. @@ -90,7 +88,8 @@ def _encode_canonical( def encode_canonical( # pylint: disable=inconsistent-return-statements - object, output_function=None # pylint: disable=redefined-builtin + object, + output_function=None, # pylint: disable=redefined-builtin ): """ diff --git a/securesystemslib/hash.py b/securesystemslib/hash.py index 55c874ed..29864169 100755 --- a/securesystemslib/hash.py +++ b/securesystemslib/hash.py @@ -49,9 +49,7 @@ SUPPORTED_LIBRARIES.append("pyca_crypto") - class PycaDiggestWrapper( - object - ): # pylint: disable=useless-object-inheritance + class PycaDiggestWrapper(object): # pylint: disable=useless-object-inheritance """ A wrapper around `cryptography.hazmat.primitives.hashes.Hash` which adds diff --git a/securesystemslib/signer/__init__.py b/securesystemslib/signer/__init__.py index bc8c1970..b80166c3 100644 --- a/securesystemslib/signer/__init__.py +++ b/securesystemslib/signer/__init__.py @@ -5,6 +5,7 @@ Some implementations are provided by default but more can be added by users. """ +# ruff: noqa: F401 from securesystemslib.signer._aws_signer import AWSSigner from securesystemslib.signer._azure_signer import AzureSigner from securesystemslib.signer._crypto_signer import CryptoSigner diff --git a/securesystemslib/signer/_azure_signer.py b/securesystemslib/signer/_azure_signer.py index c9941864..067ee1a0 100644 --- a/securesystemslib/signer/_azure_signer.py +++ b/securesystemslib/signer/_azure_signer.py 
@@ -33,7 +33,7 @@ logger = logging.getLogger(__name__) -class UnsupportedKeyType(Exception): +class UnsupportedKeyType(Exception): # noqa: N818 pass @@ -132,7 +132,7 @@ def _get_signature_algorithm(public_key: Key) -> "SignatureAlgorithm": raise UnsupportedKeyType("Supplied key must be an EC key") # Format is "ecdsa-sha2-nistp256" comps = public_key.scheme.split("-") - if len(comps) != 3: + if len(comps) != 3: # noqa: PLR2004 raise UnsupportedKeyType("Invalid scheme found") if comps[2] == "nistp256": @@ -149,7 +149,7 @@ def _get_hash_algorithm(public_key: "Key") -> str: """Return the hash algorithm used by the public key""" # Format is "ecdsa-sha2-nistp256" comps = public_key.scheme.split("-") - if len(comps) != 3: + if len(comps) != 3: # noqa: PLR2004 raise UnsupportedKeyType("Invalid scheme found") if comps[2] == "nistp256": diff --git a/securesystemslib/signer/_crypto_signer.py b/securesystemslib/signer/_crypto_signer.py index d592d633..88ce2944 100644 --- a/securesystemslib/signer/_crypto_signer.py +++ b/securesystemslib/signer/_crypto_signer.py @@ -1,4 +1,4 @@ -"""Signer implementation for pyca/cryptography signing. """ +"""Signer implementation for pyca/cryptography signing.""" import logging import os diff --git a/securesystemslib/signer/_gpg_signer.py b/securesystemslib/signer/_gpg_signer.py index 9c7f4ce2..dd423af4 100644 --- a/securesystemslib/signer/_gpg_signer.py +++ b/securesystemslib/signer/_gpg_signer.py @@ -1,4 +1,4 @@ -"""Signer implementation for OpenPGP """ +"""Signer implementation for OpenPGP""" import logging from typing import Any, Dict, Optional, Tuple diff --git a/securesystemslib/signer/_hsm_signer.py b/securesystemslib/signer/_hsm_signer.py index 9318840a..a933c6fb 100644 --- a/securesystemslib/signer/_hsm_signer.py +++ b/securesystemslib/signer/_hsm_signer.py 
@@ -64,9 +64,9 @@ _PYKCS11LIB = None -def PYKCS11LIB(): +def PYKCS11LIB(): # noqa: N802 """Pseudo-singleton to load shared library using PYKCS11LIB envvar only once.""" - global _PYKCS11LIB # pylint: disable=global-statement + global _PYKCS11LIB # pylint: disable=global-statement # noqa: PLW0603 if _PYKCS11LIB is None: _PYKCS11LIB = PyKCS11.PyKCS11Lib() _PYKCS11LIB.load() diff --git a/securesystemslib/signer/_key.py b/securesystemslib/signer/_key.py index 9862c218..3475aea9 100644 --- a/securesystemslib/signer/_key.py +++ b/securesystemslib/signer/_key.py @@ -87,7 +87,7 @@ class Key(metaclass=ABCMeta): TypeError: Invalid type for an argument. """ - def __init__( + def __init__( # noqa: PLR0913 self, keyid: str, keytype: str, @@ -200,7 +200,7 @@ def verify_signature(self, signature: Signature, data: bytes) -> None: class SSlibKey(Key): """Key implementation for RSA, Ed25519, ECDSA keys""" - def __init__( + def __init__( # noqa: PLR0913 self, keyid: str, keytype: str, diff --git a/securesystemslib/signer/_signer.py b/securesystemslib/signer/_signer.py index a31433e9..364b18ea 100644 --- a/securesystemslib/signer/_signer.py +++ b/securesystemslib/signer/_signer.py @@ -1,4 +1,4 @@ -"""Signer interface """ +"""Signer interface""" import logging from abc import ABCMeta, abstractmethod diff --git a/securesystemslib/signer/_sigstore_signer.py b/securesystemslib/signer/_sigstore_signer.py index d14358ff..efb87eb7 100644 --- a/securesystemslib/signer/_sigstore_signer.py +++ b/securesystemslib/signer/_sigstore_signer.py @@ -1,5 +1,4 @@ -"""Signer implementation for project sigstore. -""" +"""Signer implementation for project sigstore.""" import json import logging @@ -35,7 +34,7 @@ class SigstoreKey(Key): DEFAULT_KEY_TYPE = "sigstore-oidc" DEFAULT_SCHEME = "Fulcio" - def __init__( + def __init__( # noqa: PLR0913 self, keyid: str, keytype: str, diff --git a/securesystemslib/signer/_spx_signer.py b/securesystemslib/signer/_spx_signer.py index 6d1a744e..6bbc1367 100644 
--- a/securesystemslib/signer/_spx_signer.py +++ b/securesystemslib/signer/_spx_signer.py @@ -1,6 +1,4 @@ -"""Signer implementation for project SPHINCS+ post-quantum signature support. - -""" +"""Signer implementation for project SPHINCS+ post-quantum signature support.""" import logging import os diff --git a/securesystemslib/signer/_utils.py b/securesystemslib/signer/_utils.py index 8cd1d62d..09332e6c 100644 --- a/securesystemslib/signer/_utils.py +++ b/securesystemslib/signer/_utils.py @@ -1,4 +1,4 @@ -"""Signer utils for internal use. """ +"""Signer utils for internal use.""" from typing import Any, Dict diff --git a/tests/check_aws_signer.py b/tests/check_aws_signer.py index 8668e73c..54bbf448 100644 --- a/tests/check_aws_signer.py +++ b/tests/check_aws_signer.py @@ -1,6 +1,4 @@ -"""Test AWSSigner - -""" +"""Test AWSSigner""" import unittest diff --git a/tests/check_public_interfaces.py b/tests/check_public_interfaces.py index c79f8cab..1eb52e67 100644 --- a/tests/check_public_interfaces.py +++ b/tests/check_public_interfaces.py @@ -52,9 +52,7 @@ from securesystemslib.signer._sigstore_signer import SigstoreKey -class TestPublicInterfaces( - unittest.TestCase -): # pylint: disable=missing-class-docstring +class TestPublicInterfaces(unittest.TestCase): # pylint: disable=missing-class-docstring @classmethod def setUpClass(cls): cls.temp_dir = tempfile.mkdtemp(dir=os.getcwd()) diff --git a/tests/check_public_interfaces_gpg.py b/tests/check_public_interfaces_gpg.py index aeaa86f5..30e63aa0 100644 --- a/tests/check_public_interfaces_gpg.py +++ b/tests/check_public_interfaces_gpg.py @@ -36,9 +36,7 @@ from securesystemslib.signer import GPGKey, GPGSigner, Signer -class TestPublicInterfacesGPG( - unittest.TestCase -): # pylint: disable=missing-class-docstring +class TestPublicInterfacesGPG(unittest.TestCase): # pylint: disable=missing-class-docstring @classmethod def setUpClass(cls): assert ( 
diff --git a/tests/check_vault_signer.py b/tests/check_vault_signer.py index d68ca286..e1604cea 100644 --- a/tests/check_vault_signer.py +++ b/tests/check_vault_signer.py @@ -1,6 +1,4 @@ -"""Test VaultSigner - -""" +"""Test VaultSigner""" import unittest diff --git a/tests/test_dsse.py b/tests/test_dsse.py index 02aab7d0..4c7d8d96 100644 --- a/tests/test_dsse.py +++ b/tests/test_dsse.py @@ -1,4 +1,4 @@ -"""Test cases for "metadata.py". """ +"""Test cases for "metadata.py".""" import copy import unittest diff --git a/tests/test_gpg.py b/tests/test_gpg.py index c0707228..6a596aad 100644 --- a/tests/test_gpg.py +++ b/tests/test_gpg.py @@ -78,9 +78,7 @@ class GPGTestUtils: """GPG Test utility class""" @staticmethod - def ignore_not_found_error( - function, path, exc_info - ): # pylint: disable=unused-argument,unused-argument + def ignore_not_found_error(function, path, exc_info): # pylint: disable=unused-argument,unused-argument """Callback that ignores FileNotFoundError""" _, error, _ = exc_info if not isinstance(error, FileNotFoundError): @@ -349,9 +347,9 @@ def test_assign_certified_key_info_errors(self): # Replace primary key id with a non-associated keyid wrong_keyid_bundle = deepcopy(self.raw_key_bundle) - wrong_keyid_bundle[PACKET_TYPE_PRIMARY_KEY]["key"][ - "keyid" - ] = "8465A1E2E0FB2B40ADB2478E18FB3F537E0C8A17" + wrong_keyid_bundle[PACKET_TYPE_PRIMARY_KEY]["key"]["keyid"] = ( + "8465A1E2E0FB2B40ADB2478E18FB3F537E0C8A17" + ) # Remove a byte in user id packet to make signature verification fail invalid_cert_bundle = deepcopy(self.raw_key_bundle) 
@@ -405,7 +403,9 @@ def test_assign_certified_key_info_expiration(self): # "Test Expiration II" has the primary user ID flag set and therefor has # the highest priority. key = _assign_certified_key_info(self.raw_expired_key_bundle) - self.assertTrue(key["validity_period"] == 87901) # ~ 1 day + self.assertTrue( + key["validity_period"] == 87901 # noqa: PLR2004 + ) # ~ 1 day # Test ambiguity resolution scheme with 2 User IDs # :user ID packet: "Test Expiration III " @@ -420,7 +420,9 @@ def test_assign_certified_key_info_expiration(self): del user_id_items[1] raw_key_bundle[PACKET_TYPE_USER_ID] = OrderedDict(user_id_items) key = _assign_certified_key_info(raw_key_bundle) - self.assertTrue(key["validity_period"] == 87901) # ~ 1 day + self.assertTrue( + key["validity_period"] == 87901 # noqa: PLR2004 + ) # ~ 1 day def test_get_verified_subkeys_errors(self): """Test _get_verified_subkeys errors with manually crafted data based on @@ -501,7 +503,7 @@ def test_get_verified_subkeys(self): subkeys["0ce427fa3f0f50bc83a4a760ed95e1581691db4d"].get( "validity_period" ) - == 175451 + == 175451 # noqa: PLR2004 ) # Test subkey without validity period, i.e. it does not expire @@ -509,7 +511,7 @@ def test_get_verified_subkeys(self): subkeys[ # pylint: disable=singleton-comparison "70cfabf1e2f1dc60ac5c7bca10cd20d3d5bcb6ef" ].get("validity_period") - == None + is None ) def test_get_pubkey_bundle_errors(self): @@ -567,7 +569,7 @@ class TestGPGRSA(unittest.TestCase): unsupported_subkey_keyid = "611A9B648E16F54E8A7FAD5DA51E8CDF3B06524F" expired_key_keyid = "E8AC80C924116DABB51D4B987CB07D6D2C199C7C" - keyid_768C43 = "7B3ABB26B97B655AB9296BD15B0BD02E1C768C43" # pylint: disable=invalid-name + keyid_768C43 = "7B3ABB26B97B655AB9296BD15B0BD02E1C768C43" # pylint: disable=invalid-name # noqa: N815 @classmethod def setUpClass(self): # pylint: disable=bad-classmethod-argument 
@@ -612,10 +614,8 @@ def test_export_pubkey(self): # load the equivalent ssh key, and make sure that we get the same RSA key # parameters - ssh_key_basename = ( - "{}.ssh".format( # pylint: disable=consider-using-f-string - self.default_keyid - ) + ssh_key_basename = "{}.ssh".format( # pylint: disable=consider-using-f-string + self.default_keyid ) ssh_key_path = os.path.join(self.gnupg_home, ssh_key_basename) with open(ssh_key_path, "rb") as fp: @@ -786,10 +786,8 @@ def test_export_pubkey(self): our_exported_key = dsa_create_pubkey(key_data) # load same key, pre-exported with 3rd-party tooling - pem_key_basename = ( - "{}.pem".format( # pylint: disable=consider-using-f-string - self.default_keyid - ) + pem_key_basename = "{}.pem".format( # pylint: disable=consider-using-f-string + self.default_keyid ) pem_key_path = os.path.join(self.gnupg_home, pem_key_basename) with open(pem_key_path, "rb") as fp: diff --git a/tests/test_hash.py b/tests/test_hash.py index fa91e2ae..f768cd44 100755 --- a/tests/test_hash.py +++ b/tests/test_hash.py @@ -29,8 +29,8 @@ if ( - not "hashlib" # pylint: disable=unneeded-not - in securesystemslib.hash.SUPPORTED_LIBRARIES + "hashlib" # pylint: disable=unneeded-not + not in securesystemslib.hash.SUPPORTED_LIBRARIES ): logger.warning("Not testing hashlib: could not be imported.") @@ -46,9 +46,7 @@ def _is_supported_combination(library, algorithm): return False return True - def _run_with_all_algos_and_libs( - self, test_func - ): # pylint: disable=missing-function-docstring + def _run_with_all_algos_and_libs(self, test_func): # pylint: disable=missing-function-docstring algorithms = [ "sha224", "sha256", 
@@ -73,9 +71,7 @@ def _run_with_all_hash_libraries(self, test_func, algorithm): algorithm, ) - def _do_algorithm_update( - self, library, algorithm - ): # pylint: disable=missing-function-docstring + def _do_algorithm_update(self, library, algorithm): # pylint: disable=missing-function-docstring expected = { "blake2b": [ "786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce", @@ -169,9 +165,7 @@ def _do_unsupported_algorithm(self, library, algorithm): def test_digest_size(self): self._run_with_all_algos_and_libs(self._do_digest_size) - def _do_digest_size( - self, library, algorithm - ): # pylint: disable=missing-function-docstring + def _do_digest_size(self, library, algorithm): # pylint: disable=missing-function-docstring digest_sizes = { "sha224": 28, "sha256": 32, @@ -189,9 +183,7 @@ def _do_digest_size( def test_update_filename(self): self._run_with_all_algos_and_libs(self._do_update_filename) - def _do_update_filename( - self, library, algorithm - ): # pylint: disable=missing-function-docstring + def _do_update_filename(self, library, algorithm): # pylint: disable=missing-function-docstring data = "abcdefgh" * 4096 fd, filename = tempfile.mkstemp() try: @@ -214,9 +206,7 @@ def _do_update_filename( def test_update_filename_normalize(self): self._run_with_all_algos_and_libs(self._do_update_filename_normalize) - def _do_update_filename_normalize( - self, library, algorithm - ): # pylint: disable=missing-function-docstring + def _do_update_filename_normalize(self, library, algorithm): # pylint: disable=missing-function-docstring data = b"ab\r\nd\nf\r" * 4096 normalized_data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n") fd, filename = tempfile.mkstemp() 
@@ -240,9 +230,7 @@ def _do_update_filename_normalize( def test_update_file_obj(self): self._run_with_all_algos_and_libs(self._do_update_file_obj) - def _do_update_file_obj( - self, library, algorithm - ): # pylint: disable=missing-function-docstring + def _do_update_file_obj(self, library, algorithm): # pylint: disable=missing-function-docstring data = "abcdefgh" * 4096 file_obj = io.StringIO() file_obj.write(data) diff --git a/tests/test_hsm_signer.py b/tests/test_hsm_signer.py index 6248e0c4..7beb20de 100644 --- a/tests/test_hsm_signer.py +++ b/tests/test_hsm_signer.py @@ -1,5 +1,4 @@ -"""Test HSMSigner -""" +"""Test HSMSigner""" import os import shutil diff --git a/tests/test_signer.py b/tests/test_signer.py index fb8b583e..fe7d0fc7 100644 --- a/tests/test_signer.py +++ b/tests/test_signer.py @@ -1,4 +1,4 @@ -"""Test cases for "signer.py". """ +"""Test cases for "signer.py".""" import copy import os @@ -209,7 +209,7 @@ def test_key_verify_signature(self): }, ) - sig = Signature.from_dict( + sig = Signature.from_dict( # noqa: PLW2901 { "keyid": keyid, "sig": sig, @@ -345,7 +345,6 @@ def _from_file(path): self.assertEqual(key.keyid, "abcdef") def test_verify_invalid_keytype_scheme(self): - rsa = "-----BEGIN PUBLIC KEY-----\nMIIBojANBgkqhkiG9w0BAQEFAAOCAY8AMIIBigKCAYEAsDqUoiFJZX+5gm5pyI1l\nVc/N3yjJVOIl9GyiK0mRyzV3IzUQzhjq8nhk0eLfzXw2XwIAYOJC6dR/tGRG4JDx\nJkez5FFH4zLosr/XzT7CG5zxJ3kKICLD1v9rZQr5ZgARQDOpkxzPz46rGnE0sHd7\nMpnpPMScA1pMIzwM1RoPS4ntZipI1cl9M7HMQ6mkBp8/DNKCqaDWixJqaGgWrhhK\nhI/1mzBliMKriNxPKSCGVlOk/QpZft+y1fs42s0DMd5BOFBo+ZcoXLYRncg9S3A2\nxx/jT69Bt3ceiAZqnp7f6M+ZzoUifSelaoL7QIYg/GkEl+0oxTD0yRphGiCKwn9c\npSbn7NgnbjqSgIMeEtlf/5Coyrs26pyFf/9GbusddPSxxxwIJ/7IJuF7P1Yy0WpZ\nkMeY83h9n2IdnEYi+rpdbLJPQd7Fpu2xrdA3Fokj8AvCpcmxn8NIXZuK++r8/xsE\nAUL30HH7dgVn50AvdPaJnqAORT3OlabW0DK9prcwKnyzAgMBAAE=\n-----END PUBLIC KEY-----" ed25519 = ( "50a5768a7a577483c28e57a6742b4d2170b9be628a961355ef127c45f2aefdc5" 
@@ -627,7 +626,6 @@ def setUpClass(cls): def test_init(self): """Test CryptoSigner constructor.""" for keytype, private_key in zip(["rsa", "ecdsa", "ed25519"], self.keys): - # Init w/o public key (public key is created from private key) signer = CryptoSigner(private_key) self.assertEqual(keytype, signer.public_key.keytype) diff --git a/tox.ini b/tox.ini index 2493fb02..f612e283 100644 --- a/tox.ini +++ b/tox.ini @@ -64,13 +64,12 @@ deps = -r{toxinidir}/requirements-pinned.txt -r{toxinidir}/requirements-lint.txt -r{toxinidir}/requirements-sigstore.txt +lint_dirs = securesystemslib tests commands = - black --check --diff . - isort --check --diff . + ruff format --diff {[testenv:lint]lint_dirs} + ruff check {[testenv:lint]lint_dirs} - pylint -j 0 --rcfile=pylintrc securesystemslib tests - bandit --recursive securesystemslib --exclude _vendor - mypy + mypy {[testenv:lint]lint_dirs} # Requires docker running [testenv:local-aws-kms] From cb086ea697a274e6a4fb6a80fdeb71eecf39e712 Mon Sep 17 00:00:00 2001 
From: Lion Holler Date: Wed, 26 Jun 2024 15:55:17 +0200 Subject: [PATCH 2/5] inline comments removed, requirements-lint.txt updated, dependabot updated, E501 suppressed, mypy.ini file list removed --- .github/dependabot.yml | 5 +- mypy.ini | 4 -- pylintrc | 54 --------------------- pyproject.toml | 28 ++++------- requirements-lint.txt | 4 -- securesystemslib/__init__.py | 1 - securesystemslib/_gpg/common.py | 51 ++++++++++--------- securesystemslib/_gpg/constants.py | 4 +- securesystemslib/_gpg/dsa.py | 3 -- securesystemslib/_gpg/eddsa.py | 6 +-- securesystemslib/_gpg/exceptions.py | 8 ++- securesystemslib/_gpg/functions.py | 24 ++++----- securesystemslib/_gpg/rsa.py | 5 +- securesystemslib/_gpg/util.py | 14 +++--- securesystemslib/formats.py | 6 +-- securesystemslib/hash.py | 16 ++---- securesystemslib/signer/_azure_signer.py | 1 - securesystemslib/signer/_gpg_signer.py | 8 +-- securesystemslib/signer/_hsm_signer.py | 6 +-- securesystemslib/signer/_sigstore_signer.py | 4 -- securesystemslib/signer/_spx_signer.py | 4 +- securesystemslib/storage.py | 28 +++-------- 22 files changed, 80 insertions(+), 204 deletions(-) delete mode 100644 pylintrc diff --git a/.github/dependabot.yml b/.github/dependabot.yml index de034550..37f5bb9d 100644 --- a/.github/dependabot.yml +++ b/.github/dependabot.yml @@ -14,12 +14,9 @@ updates: test-and-lint-dependencies: # Python dependencies that are only pinned to ensure test reproducibility patterns: - - "bandit" - - "black" + - "ruff" - "coverage" - - "isort" - "mypy" - - "pylint" dependencies: # Python (developer) runtime dependencies. Also any new dependencies not # caught by earlier groups diff --git a/mypy.ini b/mypy.ini index 4e798575..09dcde40 100644 --- a/mypy.ini +++ b/mypy.ini @@ -1,9 +1,5 @@ [mypy] warn_unused_configs = True -files = - securesystemslib/signer/*.py, - securesystemslib/storage.py, - securesystemslib/_gpg/constants.py exclude = securesystemslib/_vendor 
diff --git a/pylintrc b/pylintrc deleted file mode 100644 index 95165049..00000000 --- a/pylintrc +++ /dev/null 
@@ -1,54 +0,0 @@ -# Pylint section - -# Minimal pylint configuration file for Secure Systems Lab Python Style Guide: -# https://github.com/secure-systems-lab/code-style-guidelines -# -# Based on Google Python Style Guide pylintrc and pylint defaults: -# https://google.github.io/styleguide/pylintrc -# http://pylint.pycqa.org/en/latest/technical_reference/features.html -[MASTER] -ignore = _vendor - -[message_control] -# Disable the message, report, category or checker with the given id(s). -# NOTE: To keep this config as short as possible we only disable checks that -# are currently in conflict with our code. If new code displeases the linter -# (for good reasons) consider updating this config file, or disable checks with. -disable = - fixme, - too-few-public-methods, - too-many-arguments, - format, - duplicate-code - -[basic] -good-names = i,j,k,v,e,f,fn,fp,_type,_ -# Regexes for allowed names are copied from the Google pylintrc -# NOTE: Pylint captures regex name groups such as 'snake_case' or 'camel_case'. -# If there are multiple groups it enfoces the prevalent naming style inside -# each modules. Names in the exempt capturing group are ignored. 
-function-rgx = ^(?:(?PsetUp|tearDown|setUpModule|tearDownModule)|(?P_?[A-Z][a-zA-Z0-9]*)|(?P_?[a-z][a-z0-9_]*))$ -method-rgx = (?x)^(?:(?P_[a-z0-9_]+__|runTest|setUp|tearDown|setUpTestCase|tearDownTestCase|setupSelf|tearDownClass|setUpClass|(test|assert)_*[A-Z0-9][a-zA-Z0-9_]*|next)|(?P_{0,2}[A-Z][a-zA-Z0-9_]*)|(?P_{0,2}[a-z][a-z0-9_]*))$ -argument-rgx = ^[a-z][a-z0-9_]*$ -attr-rgx = ^_{0,2}[a-z][a-z0-9_]*$ -class-attribute-rgx = ^(_?[A-Z][A-Z0-9_]*|__[a-z0-9_]+__|_?[a-z][a-z0-9_]*)$ -class-rgx = ^_?[A-Z][a-zA-Z0-9]*$ -const-rgx = ^(_?[A-Z][A-Z0-9_]*|__[a-z0-9_]+__|_?[a-z][a-z0-9_]*)$ -inlinevar-rgx = ^[a-z][a-z0-9_]*$ -module-rgx = ^(_?[a-z][a-z0-9_]*|__init__)$ -no-docstring-rgx = (__.*__|main|test.*|.*test|.*Test)$ -variable-rgx = ^[a-z][a-z0-9_]*$ -docstring-min-length = 10 - -[logging] -logging-format-style=old - -[miscellaneous] -notes=TODO - -[STRING] -check-quote-consistency=yes - -[TYPECHECK] -generated-members=shake_128s.* -ignored-modules=PyKCS11 diff --git a/pyproject.toml b/pyproject.toml index a49153f4..8d4ed4cc 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -73,11 +73,16 @@ include = [ # Ruff section [tool.ruff] lint.select = [ - "I", # isort: all - "PL", # pylint: all - "S", # flake8-bandit: all - "N", # pep8-naming: all - "RUF100" # ruff: find unused noqa + "E", # ruff default + "F", # ruff default + "I", # isort: all + "PL", # pylint: all + "S", # flake8-bandit: all + "N", # pep8-naming: all + "RUF100" # ruff: find unused noqa +] +lint.ignore = [ + "E501" # ignore line-too-long ] exclude = ["_vendor"] 
@@ -85,19 +90,6 @@ exclude = ["_vendor"] line-length = 80 indent-width = 4 -[tool.ruff.format] -# Like Black, use double quotes for strings. -quote-style = "double" - -# Like Black, indent with spaces, rather than tabs. -indent-style = "space" - -# Like Black, respect magic trailing commas. -skip-magic-trailing-comma = false - -# Like Black, automatically detect the appropriate line ending. -line-ending = "auto" - [tool.ruff.lint.per-file-ignores] "tests/*" = [ "S", # bandit: Not running bandit on tests diff --git a/requirements-lint.txt b/requirements-lint.txt index b4f60cd1..8d13db0f 100644 --- a/requirements-lint.txt +++ b/requirements-lint.txt @@ -1,6 +1,2 @@ mypy==1.10.0 -black==24.4.2 -isort==5.13.2 -pylint==3.2.3 -bandit==1.7.9 ruff==0.4.10 diff --git a/securesystemslib/__init__.py b/securesystemslib/__init__.py index e0482f96..6434de92 100755 --- a/securesystemslib/__init__.py +++ b/securesystemslib/__init__.py @@ -1,4 +1,3 @@ -# pylint: disable=missing-module-docstring import logging __version__ = "1.1.0" diff --git a/securesystemslib/_gpg/common.py b/securesystemslib/_gpg/common.py index a341a364..8914dd7b 100644 --- a/securesystemslib/_gpg/common.py +++ b/securesystemslib/_gpg/common.py @@ -105,7 +105,7 @@ def parse_pubkey_payload(data): ptr += 1 if version_number not in SUPPORTED_PUBKEY_PACKET_VERSIONS: raise PacketVersionNotSupportedError( - "Pubkey packet version '{}' not supported, must be one of {}".format( # pylint: disable=consider-using-f-string + "Pubkey packet version '{}' not supported, must be one of {}".format( version_number, SUPPORTED_PUBKEY_PACKET_VERSIONS ) ) 
@@ -130,7 +130,7 @@ def parse_pubkey_payload(data): # as described in section 5.2.3.21. if algorithm not in SUPPORTED_SIGNATURE_ALGORITHMS: raise SignatureAlgorithmNotSupportedError( - "Signature algorithm '{}' not " # pylint: disable=consider-using-f-string + "Signature algorithm '{}' not " "supported, please verify that your gpg configuration is creating " "either DSA, RSA, or EdDSA signatures (see RFC4880 9.1. Public-Key " "Algorithms).".format(algorithm) @@ -216,7 +216,7 @@ def parse_pubkey_bundle(data): and not key_bundle[PACKET_TYPE_PRIMARY_KEY]["key"] ): raise PacketParsingError( - "First packet must be a primary key ('{}'), " # pylint: disable=consider-using-f-string + "First packet must be a primary key ('{}'), " "got '{}'.".format(PACKET_TYPE_PRIMARY_KEY, packet_type) ) @@ -282,7 +282,7 @@ def parse_pubkey_bundle(data): else: log.info( - "Ignoring gpg key packet '{}', we only handle packets of " # pylint: disable=logging-format-interpolation,consider-using-f-string + "Ignoring gpg key packet '{}', we only handle packets of " "types '{}' (see RFC4880 4.3. Packet Tags).".format( packet_type, [ @@ -297,8 +297,8 @@ def parse_pubkey_bundle(data): # Both errors might be raised in parse_packet_header and in this loop except (PacketParsingError, IndexError) as e: - raise PacketParsingError( # pylint: disable=raise-missing-from - "Invalid public key data at position {}: {}.".format( # pylint: disable=consider-using-f-string + raise PacketParsingError( + "Invalid public key data at position {}: {}.".format( position, e ) ) @@ -369,7 +369,7 @@ def _assign_certified_key_info(bundle): # TODO: Revise exception taxonomy: # It's okay to ignore some exceptions (unsupported algorithms etc.) but # we should blow up if a signature is malformed (missing subpackets). - except Exception as e: # pylint: disable=broad-except + except Exception as e: log.info(e) continue 
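Review bot: The re-raise inside `except (PacketParsingError, IndexError) as e:` in `parse_pubkey_bundle` still has no explicit cause, and with the `raise-missing-from` marker removed nothing records whether that is deliberate. Ending the call with `) from e` keeps the original parsing error as `__cause__` instead of relying on implicit context. The same pattern remains in `get_hashing_class` (`_gpg/util.py`), in `digest` (`hash.py`) and in the `StorageError` re-raises in `storage.py`, where the handler would first need an `as e` binding. Ruff's `B904` reports these if it is selected. The function body starts and ends outside this hunk.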
@@ -377,7 +377,7 @@ def _assign_certified_key_info(bundle): signature["keyid"] ): log.info( - "Ignoring User ID certificate issued by '{}'.".format( # pylint: disable=logging-format-interpolation,consider-using-f-string + "Ignoring User ID certificate issued by '{}'.".format( signature["keyid"] ) ) @@ -392,7 +392,7 @@ def _assign_certified_key_info(bundle): if not is_valid: log.info( - "Ignoring invalid User ID self-certificate issued " # pylint: disable=logging-format-interpolation,consider-using-f-string + "Ignoring invalid User ID self-certificate issued " "by '{}'.".format(signature["keyid"]) ) continue @@ -493,7 +493,7 @@ def _get_verified_subkeys(bundle): ) # TODO: Revise exception taxonomy - except Exception as e: # pylint: disable=broad-except + except Exception as e: log.info(e) continue @@ -523,7 +523,7 @@ def _get_verified_subkeys(bundle): key_binding_signatures.append(signature) # TODO: Revise exception taxonomy - except Exception as e: # pylint: disable=broad-except + except Exception as e: log.info(e) continue # NOTE: As per the V4 key structure diagram in RFC4880 section 12.1., a @@ -535,7 +535,7 @@ def _get_verified_subkeys(bundle): # an *embedded primary key binding signature*. if len(key_binding_signatures) != 1: log.info( - "Ignoring subkey '{}' due to wrong amount of key binding " # pylint: disable=logging-format-interpolation,consider-using-f-string + "Ignoring subkey '{}' due to wrong amount of key binding " "signatures ({}), must be exactly 1.".format( subkey["keyid"], len(key_binding_signatures) ) @@ -550,7 +550,7 @@ def _get_verified_subkeys(bundle): if not is_valid: log.info( - "Ignoring subkey '{}' due to invalid key binding signature.".format( # pylint: disable=logging-format-interpolation,consider-using-f-string + "Ignoring subkey '{}' due to invalid key binding signature.".format( subkey["keyid"] ) ) 
@@ -610,8 +610,9 @@ def get_pubkey_bundle(data, keyid): """ if not data: raise KeyNotFoundError( - "Could not find gpg key '{}' in empty exported key " # pylint: disable=consider-using-f-string - "data.".format(keyid) + "Could not find gpg key '{}' in empty exported key " "data.".format( + keyid + ) ) # Parse out master key and subkeys (enriched and verified via certificates @@ -631,7 +632,7 @@ def get_pubkey_bundle(data, keyid): if public_key and public_key["keyid"].endswith(keyid.lower()): if idx > 1: log.debug( - "Exporting master key '{}' including subkeys '{}' for" # pylint: disable=logging-format-interpolation,consider-using-f-string + "Exporting master key '{}' including subkeys '{}' for" " passed keyid '{}'.".format( master_public_key["keyid"], ", ".join(list(sub_public_keys.keys())), @@ -642,9 +643,7 @@ def get_pubkey_bundle(data, keyid): else: raise KeyNotFoundError( - "Could not find gpg key '{}' in exported key data.".format( # pylint: disable=consider-using-f-string - keyid - ) + "Could not find gpg key '{}' in exported key data.".format(keyid) ) # Add subkeys dictionary to master pubkey "subkeys" field if subkeys exist @@ -655,7 +654,7 @@ def get_pubkey_bundle(data, keyid): # ruff: noqa: PLR0912, PLR0915 -def parse_signature_packet( # pylint: disable=too-many-locals,too-many-branches,too-many-statements +def parse_signature_packet( data, supported_signature_types=None, supported_hash_algorithms=None, @@ -725,7 +724,7 @@ def parse_signature_packet( # pylint: disable=too-many-locals,too-many-branches ptr += 1 if version_number not in SUPPORTED_SIGNATURE_PACKET_VERSIONS: raise ValueError( - "Signature version '{}' not supported, must be one of " # pylint: disable=consider-using-f-string + "Signature version '{}' not supported, must be one of " "{}.".format(version_number, SUPPORTED_SIGNATURE_PACKET_VERSIONS) ) 
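Review bot: In `get_pubkey_bundle` the reformatted message is now two adjacent string literals on one line, `"Could not find gpg key '{}' in empty exported key " "data.".format(`, which reads like a missing comma. Merge them into one literal: `"Could not find gpg key '{}' in empty exported key data.".format(keyid)`. `parse_packet_header` in `_gpg/util.py` ends up with the same shape in `"Expected packet " "{}, but got {} instead!"`.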
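Review bot: The `# ruff: noqa: PLR0912, PLR0915` comment above `parse_signature_packet` is a file-level exemption in ruff, so once this hunk drops the per-function pylint marker those two rules are switched off for all of `common.py`, not only for this function. Put the suppression on the definition line instead, `def parse_signature_packet(  # noqa: PLR0912, PLR0915`, and delete the `# ruff: noqa` line. `parse_packet_header` in `_gpg/util.py` already uses the per-line form. The function body continues outside the hunk.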
@@ -738,7 +737,7 @@ def parse_signature_packet( # pylint: disable=too-many-locals,too-many-branches if signature_type not in supported_signature_types: raise ValueError( - "Signature type '{}' not supported, must be one of {} " # pylint: disable=consider-using-f-string + "Signature type '{}' not supported, must be one of {} " "(see RFC4880 5.2.1. Signature Types).".format( signature_type, supported_signature_types ) @@ -749,7 +748,7 @@ def parse_signature_packet( # pylint: disable=too-many-locals,too-many-branches if signature_algorithm not in SUPPORTED_SIGNATURE_ALGORITHMS: raise ValueError( - "Signature algorithm '{}' not " # pylint: disable=consider-using-f-string + "Signature algorithm '{}' not " "supported, please verify that your gpg configuration is creating " "either DSA, RSA, or EdDSA signatures (see RFC4880 9.1. Public-Key " "Algorithms).".format(signature_algorithm) @@ -763,7 +762,7 @@ def parse_signature_packet( # pylint: disable=too-many-locals,too-many-branches if hash_algorithm not in supported_hash_algorithms: raise ValueError( - "Hash algorithm '{}' not supported, must be one of {}" # pylint: disable=consider-using-f-string + "Hash algorithm '{}' not supported, must be one of {}" " (see RFC4880 9.4. Hash Algorithms).".format( hash_algorithm, supported_hash_algorithms ) @@ -863,7 +862,7 @@ def parse_signature_packet( # pylint: disable=too-many-locals,too-many-branches # Fail if keyid and short keyid are specified but don't match if keyid and not keyid.endswith(short_keyid): # pragma: no cover raise ValueError( - "This signature packet seems to be corrupted. The key ID " # pylint: disable=consider-using-f-string + "This signature packet seems to be corrupted. The key ID " "'{}' of the 'Issuer' subpacket must match the lower 64 bits of the " "fingerprint '{}' of the 'Issuer Fingerprint' subpacket (see RFC4880 " "and rfc4880bis-06 5.2.3.28. Issuer Fingerprint).".format( 
@@ -887,7 +886,7 @@ def parse_signature_packet( # pylint: disable=too-many-locals,too-many-branches signature = handler.get_signature_params(data[ptr:]) signature_data = { - "keyid": "{}".format(keyid), # pylint: disable=consider-using-f-string + "keyid": "{}".format(keyid), "other_headers": binascii.hexlify(data[:other_headers_ptr]).decode( "ascii" ), diff --git a/securesystemslib/_gpg/constants.py b/securesystemslib/_gpg/constants.py index b9f6faa1..bb225655 100644 --- a/securesystemslib/_gpg/constants.py +++ b/securesystemslib/_gpg/constants.py @@ -20,7 +20,7 @@ import logging import os import shlex -import subprocess # nosec +import subprocess from typing import List, Optional log = logging.getLogger(__name__) @@ -36,7 +36,7 @@ def is_available_gnupg(gnupg: str, timeout: Optional[int] = None) -> bool: gpg_version_cmd = shlex.split(f"{gnupg} --version") try: - subprocess.run( # nosec + subprocess.run( gpg_version_cmd, # noqa: S603 capture_output=True, timeout=timeout, diff --git a/securesystemslib/_gpg/dsa.py b/securesystemslib/_gpg/dsa.py index 7c3cbab3..3b9d1fd7 100644 --- a/securesystemslib/_gpg/dsa.py +++ b/securesystemslib/_gpg/dsa.py @@ -27,14 +27,11 @@ except ImportError: CRYPTO = False -# pylint: disable=wrong-import-position # ruff: noqa: E402 from securesystemslib import exceptions from securesystemslib._gpg import util as gpg_util from securesystemslib._gpg.exceptions import PacketParsingError -# pylint: enable=wrong-import-position - def create_pubkey(pubkey_info): """ diff --git a/securesystemslib/_gpg/eddsa.py b/securesystemslib/_gpg/eddsa.py index e3365a90..7d194ff0 100644 --- a/securesystemslib/_gpg/eddsa.py +++ b/securesystemslib/_gpg/eddsa.py 
@@ -79,7 +79,7 @@ def get_pubkey_params(data): # See 9.2. ECC Curve OID if curve_oid != ED25519_PUBLIC_KEY_OID: raise PacketParsingError( - "bad ed25519 curve OID '{}', expected {}'".format( # pylint: disable=consider-using-f-string + "bad ed25519 curve OID '{}', expected {}'".format( curve_oid, ED25519_PUBLIC_KEY_OID ) ) @@ -90,7 +90,7 @@ def get_pubkey_params(data): if public_key_len != ED25519_PUBLIC_KEY_LENGTH: raise PacketParsingError( - "bad ed25519 MPI length '{}', expected {}'".format( # pylint: disable=consider-using-f-string + "bad ed25519 MPI length '{}', expected {}'".format( public_key_len, ED25519_PUBLIC_KEY_LENGTH ) ) @@ -100,7 +100,7 @@ def get_pubkey_params(data): if public_key_prefix != ED25519_PUBLIC_KEY_PREFIX: raise PacketParsingError( - "bad ed25519 MPI prefix '{}', expected '{}'".format( # pylint: disable=consider-using-f-string + "bad ed25519 MPI prefix '{}', expected '{}'".format( public_key_prefix, ED25519_PUBLIC_KEY_PREFIX ) ) diff --git a/securesystemslib/_gpg/exceptions.py b/securesystemslib/_gpg/exceptions.py index ee9e9bd7..53f48c55 100644 --- a/securesystemslib/_gpg/exceptions.py +++ b/securesystemslib/_gpg/exceptions.py @@ -38,11 +38,9 @@ class SignatureAlgorithmNotSupportedError(Exception): pass -class KeyExpirationError(Exception): # pylint: disable=missing-class-docstring +class KeyExpirationError(Exception): def __init__(self, key): - super( # pylint: disable=super-with-arguments - KeyExpirationError, self - ).__init__() + super(KeyExpirationError, self).__init__() self.key = key def __str__(self): @@ -55,7 +53,7 @@ def __str__(self): validity_period = expiration_time - creation_time return ( - "GPG key '{}' created on '{:%Y-%m-%d %H:%M} UTC' with validity " # pylint: disable=consider-using-f-string + "GPG key '{}' created on '{:%Y-%m-%d %H:%M} UTC' with validity " "period '{}' expired on '{:%Y-%m-%d %H:%M} UTC'.".format( self.key["keyid"], creation_time, 
diff --git a/securesystemslib/_gpg/functions.py b/securesystemslib/_gpg/functions.py index 53dfd563..040cc51e 100644 --- a/securesystemslib/_gpg/functions.py +++ b/securesystemslib/_gpg/functions.py @@ -17,7 +17,7 @@ """ import logging -import subprocess # nosec +import subprocess import time from securesystemslib import exceptions @@ -104,19 +104,15 @@ def create_signature(content, keyid=None, homedir=None, timeout=GPG_TIMEOUT): keyarg = "" if keyid: - keyarg = "--local-user {}".format( # pylint: disable=consider-using-f-string - keyid - ) + keyarg = "--local-user {}".format(keyid) homearg = "" if homedir: - homearg = "--homedir {}".format( # pylint: disable=consider-using-f-string - homedir - ).replace("\\", "/") + homearg = "--homedir {}".format(homedir).replace("\\", "/") command = gpg_sign_command(keyarg=keyarg, homearg=homearg) - gpg_process = subprocess.run( # nosec + gpg_process = subprocess.run( command, # noqa: S603 input=content, check=False, @@ -129,7 +125,7 @@ def create_signature(content, keyid=None, homedir=None, timeout=GPG_TIMEOUT): # https://lists.gnupg.org/pipermail/gnupg-devel/2005-December/022559.html if gpg_process.returncode != 0: raise OSError( - "Command '{}' returned " # pylint: disable=consider-using-f-string + "Command '{}' returned " "non-zero exit status '{}', stderr was:\n{}.".format( gpg_process.args, gpg_process.returncode, @@ -149,7 +145,7 @@ def create_signature(content, keyid=None, homedir=None, timeout=GPG_TIMEOUT): # test environments. if not signature["keyid"]: # pragma: no cover log.warning( - "The created signature does not include the hashed subpacket" # pylint: disable=logging-format-interpolation,consider-using-f-string + "The created signature does not include the hashed subpacket" " '33' (full keyid). You probably have a gpg version <{}." " We will export the public keys associated with the short keyid to" " compute the full keyid.".format(FULLY_SUPPORTED_MIN_VERSION) 
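Review bot: In `create_signature`, `keyid` and `homedir` are formatted straight into `"--local-user {}"` and `"--homedir {}"`, and the resulting command reaches `subprocess.run` under a bare `# noqa: S603`, so the one check that would prompt a look at these inputs is silenced without a stated reason. `gpg_sign_command` is not visible here; if it tokenises the string the way `is_available_gnupg` does with `shlex.split`, a value containing whitespace or a leading `-` would reach gpg as additional arguments. I would validate before formatting, for example by rejecting a `keyid` that is not hexadecimal if callers only ever pass key IDs. The suppression should also carry its reason, such as `command,  # noqa: S603 - argv list, no shell; keyid/homedir validated above`. `export_pubkey` further down builds `homearg` the same way.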
@@ -177,7 +173,7 @@ def create_signature(content, keyid=None, homedir=None, timeout=GPG_TIMEOUT): # If there is still no full keyid something went wrong if not signature["keyid"]: # pragma: no cover raise ValueError( - "Full keyid could not be determined for signature '{}'".format( # pylint: disable=consider-using-f-string + "Full keyid could not be determined for signature '{}'".format( signature ) ) @@ -279,14 +275,12 @@ def export_pubkey(keyid, homedir=None, timeout=GPG_TIMEOUT): homearg = "" if homedir: - homearg = "--homedir {}".format( # pylint: disable=consider-using-f-string - homedir - ).replace("\\", "/") + homearg = "--homedir {}".format(homedir).replace("\\", "/") # TODO: Consider adopting command error handling from `create_signature` # above, e.g. in a common 'run gpg command' utility function command = gpg_export_pubkey_command(keyid=keyid, homearg=homearg) - gpg_process = subprocess.run( # nosec + gpg_process = subprocess.run( command, # noqa: S603 capture_output=True, timeout=timeout, diff --git a/securesystemslib/_gpg/rsa.py b/securesystemslib/_gpg/rsa.py index 6f57e4a6..83993c1e 100644 --- a/securesystemslib/_gpg/rsa.py +++ b/securesystemslib/_gpg/rsa.py @@ -26,14 +26,11 @@ except ImportError: CRYPTO = False -# pylint: disable=wrong-import-position # ruff: noqa: E402 from securesystemslib import exceptions from securesystemslib._gpg import util as gpg_util from securesystemslib._gpg.exceptions import PacketParsingError -# pylint: enable=wrong-import-position - def create_pubkey(pubkey_info): """ @@ -186,7 +183,7 @@ def verify_signature(signature_object, pubkey_info, content, hash_algorithm_id): signature_length = len(signature_object["signature"]) if pubkey_length != signature_length: # pragma: no cover zero_pad = "0" * (pubkey_length - signature_length) - signature_object["signature"] = "{}{}".format( # pylint: disable=consider-using-f-string + signature_object["signature"] = "{}{}".format( zero_pad, signature_object["signature"] ) 
diff --git a/securesystemslib/_gpg/util.py b/securesystemslib/_gpg/util.py index 85e9fe11..b384d837 100644 --- a/securesystemslib/_gpg/util.py +++ b/securesystemslib/_gpg/util.py @@ -30,7 +30,6 @@ except ImportError: CRYPTO = False -# pylint: disable=wrong-import-position # ruff: noqa: E402 from securesystemslib import exceptions from securesystemslib._gpg import constants @@ -104,7 +103,7 @@ def hash_object(headers, algorithm, content): return hasher.finalize() -def parse_packet_header(data, expected_type=None): # pylint: disable=too-many-branches # noqa: PLR0912 +def parse_packet_header(data, expected_type=None): # noqa: PLR0912 """ Parse out packet type and header and body lengths from an RFC4880 packet. @@ -208,8 +207,9 @@ def parse_packet_header(data, expected_type=None): # pylint: disable=too-many-b if expected_type is not None and packet_type != expected_type: raise PacketParsingError( - "Expected packet " # pylint: disable=consider-using-f-string - "{}, but got {} instead!".format(expected_type, packet_type) + "Expected packet " "{}, but got {} instead!".format( + expected_type, packet_type + ) ) return packet_type, header_len, body_len, header_len + body_len @@ -238,7 +238,7 @@ def compute_keyid(pubkey_packet_data): hasher = hashing.Hash( hashing.SHA1(), # noqa: S303 - backend=backends.default_backend(), # nosec + backend=backends.default_backend(), ) hasher.update(b"\x99") hasher.update(struct.pack(">H", len(pubkey_packet_data))) @@ -348,8 +348,8 @@ def get_hashing_class(hash_algorithm_id): return hashing_class[hash_algorithm_id] except KeyError: - raise ValueError( # pylint: disable=raise-missing-from - "Hash algorithm '{}' not supported, must be one of '{}' " # pylint: disable=consider-using-f-string + raise ValueError( + "Hash algorithm '{}' not supported, must be one of '{}' " "(see RFC4880 9.4. Hash Algorithms).".format( hash_algorithm_id, supported_hashing_algorithms ) 
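Review bot: The `# noqa: S303` on `hashing.SHA1()` in `compute_keyid` gives no reason, and this hunk removes the neighbouring `# nosec` as well, so a later reader cannot tell an accepted protocol requirement from an overlooked weak hash. The surrounding lines (`b"\x99"` followed by a two-octet length) appear to follow the V4 fingerprint construction of RFC 4880 section 12.2, which fixes SHA-1. I would record that on the line: `hashing.SHA1(),  # noqa: S303 - SHA-1 is mandated for V4 fingerprints (RFC 4880 12.2)`. The function starts and ends outside the hunk.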
diff --git a/securesystemslib/formats.py b/securesystemslib/formats.py index 846c6977..202f4ede 100755 --- a/securesystemslib/formats.py +++ b/securesystemslib/formats.py @@ -47,7 +47,7 @@ def _canonical_string_encoder(string): return string -def _encode_canonical(object, output_function): # pylint: disable=missing-function-docstring,redefined-builtin +def _encode_canonical(object, output_function): # Helper for encode_canonical. Older versions of json.encoder don't # even let us replace the separators. @@ -87,9 +87,9 @@ def _encode_canonical(object, output_function): # pylint: disable=missing-funct raise exceptions.FormatError("I cannot encode " + repr(object)) -def encode_canonical( # pylint: disable=inconsistent-return-statements +def encode_canonical( object, - output_function=None, # pylint: disable=redefined-builtin + output_function=None, ): """ diff --git a/securesystemslib/hash.py b/securesystemslib/hash.py index 29864169..6549ea61 100755 --- a/securesystemslib/hash.py +++ b/securesystemslib/hash.py @@ -49,7 +49,7 @@ SUPPORTED_LIBRARIES.append("pyca_crypto") - class PycaDiggestWrapper(object): # pylint: disable=useless-object-inheritance + class PycaDiggestWrapper(object): """ A wrapper around `cryptography.hazmat.primitives.hashes.Hash` which adds @@ -95,9 +95,7 @@ def digest_size(self): def digest(self): digest_obj_copy = self._digest_obj.copy() - digest = ( # pylint: disable=redefined-outer-name - self._digest_obj.finalize() - ) + digest = self._digest_obj.finalize() self._digest_obj = digest_obj_copy return digest @@ -165,7 +163,7 @@ def digest(algorithm=DEFAULT_HASH_ALGORITHM, hash_library=DEFAULT_HASH_LIBRARY): # If so, return the digest object. if hash_library == "hashlib" and hash_library in SUPPORTED_LIBRARIES: try: - if algorithm == "blake2b-256": # pylint: disable=no-else-return + if algorithm == "blake2b-256": return hashlib.new("blake2b", digest_size=32) else: return hashlib.new(algorithm) 
@@ -173,9 +171,7 @@ def digest(algorithm=DEFAULT_HASH_ALGORITHM, hash_library=DEFAULT_HASH_LIBRARY): except (ValueError, TypeError): # ValueError: the algorithm value was unknown # TypeError: unexpected argument digest_size (on old python) - raise exceptions.UnsupportedAlgorithmError( # pylint: disable=raise-missing-from - algorithm - ) + raise exceptions.UnsupportedAlgorithmError(algorithm) # Was a pyca_crypto digest object requested and is it supported? elif hash_library == "pyca_crypto" and hash_library in SUPPORTED_LIBRARIES: @@ -186,9 +182,7 @@ def digest(algorithm=DEFAULT_HASH_ALGORITHM, hash_library=DEFAULT_HASH_LIBRARY): ) except KeyError: - raise exceptions.UnsupportedAlgorithmError( # pylint: disable=raise-missing-from - algorithm - ) + raise exceptions.UnsupportedAlgorithmError(algorithm) # The requested hash library is not supported. else: diff --git a/securesystemslib/signer/_azure_signer.py b/securesystemslib/signer/_azure_signer.py index 067ee1a0..9bafe3ab 100644 --- a/securesystemslib/signer/_azure_signer.py +++ b/securesystemslib/signer/_azure_signer.py @@ -188,7 +188,6 @@ def from_priv_key_uri( return cls(az_key_uri, public_key) @classmethod - # pylint: disable=too-many-locals def import_(cls, az_vault_name: str, az_key_name: str) -> Tuple[str, Key]: """Load key and signer details from KMS diff --git a/securesystemslib/signer/_gpg_signer.py b/securesystemslib/signer/_gpg_signer.py index dd423af4..c0bde10a 100644 --- a/securesystemslib/signer/_gpg_signer.py +++ b/securesystemslib/signer/_gpg_signer.py @@ -42,12 +42,8 @@ def to_dict(self) -> Dict: def verify_signature(self, signature: Signature, data: bytes) -> None: try: if not gpg.verify_signature( - GPGSigner._sig_to_legacy_dict( # pylint: disable=protected-access - signature - ), - GPGSigner._key_to_legacy_dict( # pylint: disable=protected-access - self - ), + GPGSigner._sig_to_legacy_dict(signature), + GPGSigner._key_to_legacy_dict(self), data, ): raise exceptions.UnverifiedSignatureError( 
diff --git a/securesystemslib/signer/_hsm_signer.py b/securesystemslib/signer/_hsm_signer.py index a933c6fb..ffa1f273 100644 --- a/securesystemslib/signer/_hsm_signer.py +++ b/securesystemslib/signer/_hsm_signer.py @@ -19,7 +19,6 @@ _KEY_TYPE_ECDSA = "ecdsa" -# pylint: disable=wrong-import-position CRYPTO_IMPORT_ERROR = None try: from cryptography.hazmat.primitives import serialization @@ -52,13 +51,12 @@ ASN1_IMPORT_ERROR = None try: - from asn1crypto.keys import ( # pylint: disable=import-error + from asn1crypto.keys import ( ECDomainParameters, ECPoint, ) except ImportError: ASN1_IMPORT_ERROR = "'asn1crypto' required" -# pylint: enable=wrong-import-position _PYKCS11LIB = None @@ -66,7 +64,7 @@ def PYKCS11LIB(): # noqa: N802 """Pseudo-singleton to load shared library using PYKCS11LIB envvar only once.""" - global _PYKCS11LIB # pylint: disable=global-statement # noqa: PLW0603 + global _PYKCS11LIB # noqa: PLW0603 if _PYKCS11LIB is None: _PYKCS11LIB = PyKCS11.PyKCS11Lib() _PYKCS11LIB.load() diff --git a/securesystemslib/signer/_sigstore_signer.py b/securesystemslib/signer/_sigstore_signer.py index efb87eb7..c800611c 100644 --- a/securesystemslib/signer/_sigstore_signer.py +++ b/securesystemslib/signer/_sigstore_signer.py @@ -58,7 +58,6 @@ def to_dict(self) -> Dict: return self._to_dict() def verify_signature(self, signature: Signature, data: bytes) -> None: - # pylint: disable=import-outside-toplevel,import-error try: from sigstore.errors import VerificationError as SigstoreVerifyError from sigstore.models import Bundle @@ -154,7 +153,6 @@ def from_priv_key_uri( public_key: Key, secrets_handler: Optional[SecretsHandler] = None, ) -> "SigstoreSigner": - # pylint: disable=import-outside-toplevel try: from sigstore.oidc import IdentityToken, Issuer, detect_credential except ImportError as e: 
@@ -232,7 +230,6 @@ def import_via_auth(cls) -> Tuple[str, SigstoreKey]: Returns a private key URI (for Signer.from_priv_key_uri()) and a public key. This method always uses the interactive authentication. """ - # pylint: disable=import-outside-toplevel try: from sigstore.oidc import Issuer except ImportError as e: @@ -257,7 +254,6 @@ def sign(self, payload: bytes) -> Signature: NOTE: The relevant data is in `unrecognized_fields["bundle"]`. """ - # pylint: disable=import-outside-toplevel try: from sigstore.sign import SigningContext except ImportError as e: diff --git a/securesystemslib/signer/_spx_signer.py b/securesystemslib/signer/_spx_signer.py index 6bbc1367..a6711039 100644 --- a/securesystemslib/signer/_spx_signer.py +++ b/securesystemslib/signer/_spx_signer.py @@ -59,9 +59,7 @@ def from_bytes(cls, public: bytes) -> "SpxKey": scheme = cls.DEFAULT_SCHEME keyval = {"public": public.hex()} - keyid = compute_default_keyid( # pylint: disable=protected-access - keytype, scheme, keyval - ) + keyid = compute_default_keyid(keytype, scheme, keyval) return cls(keyid, keytype, scheme, keyval) def to_dict(self) -> Dict[str, Any]: diff --git a/securesystemslib/storage.py b/securesystemslib/storage.py index 3ab851d0..6f490272 100644 --- a/securesystemslib/storage.py +++ b/securesystemslib/storage.py @@ -200,10 +200,7 @@ def get(self, filepath: str) -> Iterator[BinaryIO]: file_object = open(filepath, "rb") yield file_object except OSError: - raise exceptions.StorageError( # pylint: disable=raise-missing-from - "Can't open %s" # pylint: disable=consider-using-f-string - % filepath - ) + raise exceptions.StorageError("Can't open %s" % filepath) finally: if file_object is not None: file_object.close() 
@@ -247,10 +244,7 @@ def put( destination_file.flush() os.fsync(destination_file.fileno()) except OSError: - raise exceptions.StorageError( # pylint: disable=raise-missing-from - "Can't write file %s" # pylint: disable=consider-using-f-string - % filepath - ) + raise exceptions.StorageError("Can't write file %s" % filepath) def remove(self, filepath: str) -> None: try: @@ -260,19 +254,13 @@ def remove(self, filepath: str) -> None: PermissionError, OSError, ): # pragma: no cover - raise exceptions.StorageError( # pylint: disable=raise-missing-from - "Can't remove file %s" # pylint: disable=consider-using-f-string - % filepath - ) + raise exceptions.StorageError("Can't remove file %s" % filepath) def getsize(self, filepath: str) -> int: try: return os.path.getsize(filepath) except OSError: - raise exceptions.StorageError( # pylint: disable=raise-missing-from - "Can't access file %s" # pylint: disable=consider-using-f-string - % filepath - ) + raise exceptions.StorageError("Can't access file %s" % filepath) def create_folder(self, filepath: str) -> None: try: @@ -289,15 +277,11 @@ def create_folder(self, filepath: str) -> None: ) else: raise exceptions.StorageError( - "Can't create folder at %s" # pylint: disable=consider-using-f-string - % filepath + "Can't create folder at %s" % filepath ) def list_folder(self, filepath: str) -> List[str]: try: return os.listdir(filepath) except FileNotFoundError: - raise exceptions.StorageError( # pylint: disable=raise-missing-from - "Can't list folder at %s" # pylint: disable=consider-using-f-string - % filepath - ) + raise exceptions.StorageError("Can't list folder at %s" % filepath) From 4e437b13f0bdaec63b10e1a541466f10664eda84 Mon Sep 17 00:00:00 2001 
From: Lion Holler Date: Wed, 26 Jun 2024 16:00:44 +0200 Subject: [PATCH 3/5] inline pylint comments removed from tests --- tests/__init__.py | 1 - tests/check_gpg_available.py | 2 +- tests/check_public_interfaces.py | 3 +-- tests/check_public_interfaces_gpg.py | 3 +-- tests/test_formats.py | 2 +- tests/test_gpg.py | 40 +++++++++++++--------------- tests/test_hash.py | 16 +++++------ tests/test_hsm_signer.py | 2 +- tests/test_signer.py | 5 +--- tests/test_storage.py | 4 +-- 10 files changed, 34 insertions(+), 44 deletions(-) diff --git a/tests/__init__.py b/tests/__init__.py index ab3a77c9..2912eeae 100755 --- a/tests/__init__.py +++ b/tests/__init__.py @@ -6,7 +6,6 @@ """ # Increase gpg subprocess timeout -- Windows CI fails frequently with default 10s. -# pylint: disable=protected-access import securesystemslib._gpg.constants securesystemslib._gpg.constants.GPG_TIMEOUT = 120 diff --git a/tests/check_gpg_available.py b/tests/check_gpg_available.py index 7c6b7640..f259bcad 100644 --- a/tests/check_gpg_available.py +++ b/tests/check_gpg_available.py @@ -35,7 +35,7 @@ class TestGpgAvailable(unittest.TestCase): def test_gpg_available(self): """Test that GPG is available.""" self.assertTrue( - securesystemslib._gpg.constants.have_gpg() # pylint: disable=protected-access + securesystemslib._gpg.constants.have_gpg() ) diff --git a/tests/check_public_interfaces.py b/tests/check_public_interfaces.py index 1eb52e67..0259a5ea 100644 --- a/tests/check_public_interfaces.py +++ b/tests/check_public_interfaces.py @@ -32,7 +32,6 @@ import tempfile import unittest -# pylint: disable=protected-access import securesystemslib._gpg.constants import securesystemslib._gpg.util import securesystemslib.exceptions 
@@ -52,7 +51,7 @@ from securesystemslib.signer._sigstore_signer import SigstoreKey -class TestPublicInterfaces(unittest.TestCase): # pylint: disable=missing-class-docstring +class TestPublicInterfaces(unittest.TestCase): @classmethod def setUpClass(cls): cls.temp_dir = tempfile.mkdtemp(dir=os.getcwd()) diff --git a/tests/check_public_interfaces_gpg.py b/tests/check_public_interfaces_gpg.py index 30e63aa0..ff82dfb2 100644 --- a/tests/check_public_interfaces_gpg.py +++ b/tests/check_public_interfaces_gpg.py @@ -36,7 +36,7 @@ from securesystemslib.signer import GPGKey, GPGSigner, Signer -class TestPublicInterfacesGPG(unittest.TestCase): # pylint: disable=missing-class-docstring +class TestPublicInterfacesGPG(unittest.TestCase): @classmethod def setUpClass(cls): assert ( @@ -148,7 +148,6 @@ def test_gpg_verify(self): for key, sig in key_signature_pairs: self.assertTrue(verify_signature(sig, key, data)) - # pylint: disable=protected-access GPGSigner._key_from_legacy_dict(key).verify_signature( GPGSigner._sig_from_legacy_dict(sig), data ) diff --git a/tests/test_formats.py b/tests/test_formats.py index bbbea91f..081c684e 100755 --- a/tests/test_formats.py +++ b/tests/test_formats.py @@ -20,7 +20,7 @@ import securesystemslib.formats -class TestFormats(unittest.TestCase): # pylint: disable=missing-class-docstring +class TestFormats(unittest.TestCase): def test_encode_canonical(self): # Test conditions for valid arguments. encode = securesystemslib.formats.encode_canonical diff --git a/tests/test_gpg.py b/tests/test_gpg.py index 6a596aad..1ebddb37 100644 --- a/tests/test_gpg.py +++ b/tests/test_gpg.py @@ -22,7 +22,6 @@ import tempfile import unittest -# pylint: disable=wrong-import-position from collections import OrderedDict from copy import deepcopy from unittest.mock import patch 
@@ -71,14 +70,12 @@ parse_subpacket_header, ) -# pylint: enable=wrong-import-position - class GPGTestUtils: """GPG Test utility class""" @staticmethod - def ignore_not_found_error(function, path, exc_info): # pylint: disable=unused-argument,unused-argument + def ignore_not_found_error(function, path, exc_info): """Callback that ignores FileNotFoundError""" _, error, _ = exc_info if not isinstance(error, FileNotFoundError): @@ -196,7 +193,7 @@ class TestCommon(unittest.TestCase): """Test common functions of the securesystemslib._gpg module.""" @classmethod - def setUpClass(self): # pylint: disable=bad-classmethod-argument + def setUpClass(self): gpg_keyring_path = os.path.join( os.path.dirname(os.path.realpath(__file__)), "gpg_keyrings", "rsa" ) @@ -293,7 +290,6 @@ def test_parse_pubkey_bundle(self): self.raw_key_bundle[PACKET_TYPE_PRIMARY_KEY]["packet"] ) - # pylint: disable=unsubscriptable-object parsed_raw_packet = parse_pubkey_payload( bytearray( self.raw_key_bundle[PACKET_TYPE_PRIMARY_KEY]["packet"][ @@ -372,7 +368,7 @@ def test_assign_certified_key_info_errors(self): msg = str(mock_log.info.call_args[0][0]) self.assertTrue( expected_msg in msg, - "'{}' not in '{}'".format( # pylint: disable=consider-using-f-string + "'{}' not in '{}'".format( expected_msg, msg ), ) @@ -489,7 +485,7 @@ def test_get_verified_subkeys_errors(self): msg = str(mock_log.info.call_args[0][0]) self.assertTrue( expected_msg in msg, - "'{}' not in '{}'".format( # pylint: disable=consider-using-f-string + "'{}' not in '{}'".format( expected_msg, msg ), ) @@ -508,7 +504,7 @@ def test_get_verified_subkeys(self): # Test subkey without validity period, i.e. it does not expire self.assertTrue( - subkeys[ # pylint: disable=singleton-comparison + subkeys[ "70cfabf1e2f1dc60ac5c7bca10cd20d3d5bcb6ef" ].get("validity_period") is None 
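Review bot: `setUpClass(self)` in `TestCommon` is decorated with `@classmethod` but names its first parameter `self`, and with the `bad-classmethod-argument` marker removed ruff's `N804` should now report it, since `N` is selected and `tests/*` only ignores `S`. Renaming the parameter to `cls`, along with the `self.` references in the body (which lies outside this hunk), is the cleaner fix; otherwise add `# noqa: N804`. The same applies to the `setUpClass`/`tearDownClass` pairs in `TestGPGRSA`, `TestGPGDSA` and `TestGPGEdDSA`.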
@@ -552,7 +548,7 @@ def test_parse_signature_packet_errors(self): parse_signature_packet(data) self.assertTrue( expected_error_str in str(ctx.exception), - "'{}' not in '{}'".format( # pylint: disable=consider-using-f-string + "'{}' not in '{}'".format( expected_error_str, str(ctx.exception) ), ) @@ -569,10 +565,10 @@ class TestGPGRSA(unittest.TestCase): unsupported_subkey_keyid = "611A9B648E16F54E8A7FAD5DA51E8CDF3B06524F" expired_key_keyid = "E8AC80C924116DABB51D4B987CB07D6D2C199C7C" - keyid_768C43 = "7B3ABB26B97B655AB9296BD15B0BD02E1C768C43" # pylint: disable=invalid-name # noqa: N815 + keyid_768C43 = "7B3ABB26B97B655AB9296BD15B0BD02E1C768C43" @classmethod - def setUpClass(self): # pylint: disable=bad-classmethod-argument + def setUpClass(self): # Create directory to run the tests without having everything blow up self.working_dir = os.getcwd() @@ -589,7 +585,7 @@ def setUpClass(self): # pylint: disable=bad-classmethod-argument os.chdir(self.test_dir) @classmethod - def tearDownClass(self): # pylint: disable=bad-classmethod-argument + def tearDownClass(self): """Change back to initial working dir and remove temp test directory.""" os.chdir(self.working_dir) shutil.rmtree( @@ -614,7 +610,7 @@ def test_export_pubkey(self): # load the equivalent ssh key, and make sure that we get the same RSA key # parameters - ssh_key_basename = "{}.ssh".format( # pylint: disable=consider-using-f-string + ssh_key_basename = "{}.ssh".format( self.default_keyid ) ssh_key_path = os.path.join(self.gnupg_home, ssh_key_basename) @@ -712,7 +708,7 @@ def test_create_signature_with_expired_key(self): expected = "returned non-zero exit status '2'" self.assertTrue( expected in str(ctx.exception), - "{} not in {}".format( # pylint: disable=consider-using-f-string + "{} not in {}".format( expected, ctx.exception ), ) 
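Review bot: The `keyid_768C43` line in `TestGPGRSA` loses its `# noqa: N815` together with the pylint marker, although only the pylint half belongs to this cleanup. The name is still mixed-case in class scope, so ruff would presumably flag it again. Keep the ruff suppression: `keyid_768C43 = "7B3ABB26B97B655AB9296BD15B0BD02E1C768C43"  # noqa: N815`.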
@@ -737,8 +733,8 @@ def test_verify_signature_with_expired_key(self): ) self.assertTrue( expected == str(ctx.exception), - "\nexpected: {}" # pylint: disable=consider-using-f-string - "\ngot: {}".format( # pylint: disable=consider-using-f-string + "\nexpected: {}" + "\ngot: {}".format( expected, ctx.exception ), ) @@ -752,7 +748,7 @@ class TestGPGDSA(unittest.TestCase): default_keyid = "C242A830DAAF1C2BEF604A9EF033A3A3E267B3B1" @classmethod - def setUpClass(self): # pylint: disable=bad-classmethod-argument + def setUpClass(self): # Create directory to run the tests without having everything blow up self.working_dir = os.getcwd() self.test_dir = os.path.realpath(tempfile.mkdtemp()) @@ -767,7 +763,7 @@ def setUpClass(self): # pylint: disable=bad-classmethod-argument os.chdir(self.test_dir) @classmethod - def tearDownClass(self): # pylint: disable=bad-classmethod-argument + def tearDownClass(self): """Change back to initial working dir and remove temp test directory.""" os.chdir(self.working_dir) shutil.rmtree( @@ -786,7 +782,7 @@ def test_export_pubkey(self): our_exported_key = dsa_create_pubkey(key_data) # load same key, pre-exported with 3rd-party tooling - pem_key_basename = "{}.pem".format( # pylint: disable=consider-using-f-string + pem_key_basename = "{}.pem".format( self.default_keyid ) pem_key_path = os.path.join(self.gnupg_home, pem_key_basename) @@ -849,7 +845,7 @@ class TestGPGEdDSA(unittest.TestCase): default_keyid = "4E630F84838BF6F7447B830B22692F5FEA9E2DD2" @classmethod - def setUpClass(self): # pylint: disable=bad-classmethod-argument + def setUpClass(self): # Create directory to run the tests without having everything blow up self.working_dir = os.getcwd() self.test_dir = os.path.realpath(tempfile.mkdtemp()) 
@@ -864,7 +860,7 @@ def setUpClass(self): # pylint: disable=bad-classmethod-argument os.chdir(self.test_dir) @classmethod - def tearDownClass(self): # pylint: disable=bad-classmethod-argument + def tearDownClass(self): """Change back to initial working dir and remove temp test directory.""" os.chdir(self.working_dir) shutil.rmtree( diff --git a/tests/test_hash.py b/tests/test_hash.py index f768cd44..b491fbb3 100755 --- a/tests/test_hash.py +++ b/tests/test_hash.py @@ -29,13 +29,13 @@ if ( - "hashlib" # pylint: disable=unneeded-not + "hashlib" not in securesystemslib.hash.SUPPORTED_LIBRARIES ): logger.warning("Not testing hashlib: could not be imported.") -class TestHash(unittest.TestCase): # pylint: disable=missing-class-docstring +class TestHash(unittest.TestCase): @staticmethod def _is_supported_combination(library, algorithm): blake_algos = ["blake2b", "blake2b-256", "blake2s"] @@ -46,7 +46,7 @@ def _is_supported_combination(library, algorithm): return False return True - def _run_with_all_algos_and_libs(self, test_func): # pylint: disable=missing-function-docstring + def _run_with_all_algos_and_libs(self, test_func): algorithms = [ "sha224", "sha256", @@ -71,7 +71,7 @@ def _run_with_all_hash_libraries(self, test_func, algorithm): algorithm, ) - def _do_algorithm_update(self, library, algorithm): # pylint: disable=missing-function-docstring + def _do_algorithm_update(self, library, algorithm): expected = { "blake2b": [ "786a02f742015903c6c6fd852552d272912f4740e15847618a86e217f71f5419d25e1031afee585313896444934eb04b903a685b1448b755d56f701afe9be2ce", @@ -165,7 +165,7 @@ def _do_unsupported_algorithm(self, library, algorithm): def test_digest_size(self): self._run_with_all_algos_and_libs(self._do_digest_size) - def _do_digest_size(self, library, algorithm): # pylint: disable=missing-function-docstring + def _do_digest_size(self, library, algorithm): digest_sizes = { "sha224": 28, "sha256": 32, 
@@ -183,7 +183,7 @@ def _do_digest_size(self, library, algorithm): # pylint: disable=missing-functi def test_update_filename(self): self._run_with_all_algos_and_libs(self._do_update_filename) - def _do_update_filename(self, library, algorithm): # pylint: disable=missing-function-docstring + def _do_update_filename(self, library, algorithm): data = "abcdefgh" * 4096 fd, filename = tempfile.mkstemp() try: @@ -206,7 +206,7 @@ def _do_update_filename(self, library, algorithm): # pylint: disable=missing-fu def test_update_filename_normalize(self): self._run_with_all_algos_and_libs(self._do_update_filename_normalize) - def _do_update_filename_normalize(self, library, algorithm): # pylint: disable=missing-function-docstring + def _do_update_filename_normalize(self, library, algorithm): data = b"ab\r\nd\nf\r" * 4096 normalized_data = data.replace(b"\r\n", b"\n").replace(b"\r", b"\n") fd, filename = tempfile.mkstemp() @@ -230,7 +230,7 @@ def _do_update_filename_normalize(self, library, algorithm): # pylint: disable= def test_update_file_obj(self): self._run_with_all_algos_and_libs(self._do_update_file_obj) - def _do_update_file_obj(self, library, algorithm): # pylint: disable=missing-function-docstring + def _do_update_file_obj(self, library, algorithm): data = "abcdefgh" * 4096 file_obj = io.StringIO() file_obj.write(data) diff --git a/tests/test_hsm_signer.py b/tests/test_hsm_signer.py index 7beb20de..377409bb 100644 --- a/tests/test_hsm_signer.py +++ b/tests/test_hsm_signer.py @@ -5,7 +5,7 @@ import tempfile import unittest -from asn1crypto.keys import ( # pylint: disable=import-error +from asn1crypto.keys import ( ECDomainParameters, NamedCurve, ) diff --git a/tests/test_signer.py b/tests/test_signer.py index fe7d0fc7..db6d6902 100644 --- a/tests/test_signer.py +++ b/tests/test_signer.py 
@@ -76,7 +76,6 @@ def test_sslib_key_from_dict_invalid(self): Key.from_dict("aa", keydict) def test_key_verify_signature(self): - # pylint: disable=too-many-locals ed25519_keyid = ( "fc3920f44a1deec695ed9327f70513909a36f51ad19774167ddf28a12f8bbbed" ) @@ -369,7 +368,7 @@ def test_verify_invalid_keytype_scheme(self): for keytype, scheme, val in test_data: key = SSlibKey("fake", keytype, scheme, {"public": val}) with self.assertRaises(ValueError): - key._verify( # pylint: disable=protected-access + key._verify( b"fakesig", b"fakedata" ) @@ -511,7 +510,6 @@ def test_gpg_signer_load_with_bad_key(self): def test_gpg_signature_legacy_data_structure(self): """Test custom fields and legacy data structure in gpg signatures.""" - # pylint: disable=protected-access _, public_key = GPGSigner.import_( self.signing_subkey_keyid, self.gnupg_home ) @@ -527,7 +525,6 @@ def test_gpg_signature_legacy_data_structure(self): def test_gpg_key_legacy_data_structure(self): """Test legacy data structure conversion in gpg keys.""" - # pylint: disable=protected-access _, public_key = GPGSigner.import_( self.signing_subkey_keyid, self.gnupg_home ) diff --git a/tests/test_storage.py b/tests/test_storage.py index 772690e9..ea35ebb4 100644 --- a/tests/test_storage.py +++ b/tests/test_storage.py @@ -26,14 +26,14 @@ from securesystemslib.exceptions import StorageError -class TestStorage(unittest.TestCase): # pylint: disable=missing-class-docstring +class TestStorage(unittest.TestCase): def setUp(self): self.storage_backend = securesystemslib.storage.FilesystemBackend() self.temp_dir = tempfile.mkdtemp(dir=os.getcwd()) self.filepath = os.path.join(self.temp_dir, "testfile") with open(self.filepath, "wb") as test: test.write(b"testing") - self.fileobj = open( # pylint: disable=consider-using-with + self.fileobj = open( self.filepath, "rb" ) From 31c88475bbd25eae1d03f52bab6aedc006642a01 Mon Sep 17 00:00:00 2001 
From: Lion Holler Date: Wed, 26 Jun 2024 16:06:35 +0200 Subject: [PATCH 4/5] reformatted files --- tests/check_gpg_available.py | 4 +--- tests/test_gpg.py | 34 +++++++++++----------------------- tests/test_hash.py | 5 +---- tests/test_signer.py | 4 +--- tests/test_storage.py | 4 +--- 5 files changed, 15 insertions(+), 36 deletions(-) diff --git a/tests/check_gpg_available.py b/tests/check_gpg_available.py index f259bcad..7cc29e93 100644 --- a/tests/check_gpg_available.py +++ b/tests/check_gpg_available.py @@ -34,9 +34,7 @@ class TestGpgAvailable(unittest.TestCase): def test_gpg_available(self): """Test that GPG is available.""" - self.assertTrue( - securesystemslib._gpg.constants.have_gpg() - ) + self.assertTrue(securesystemslib._gpg.constants.have_gpg()) if __name__ == "__main__": diff --git a/tests/test_gpg.py b/tests/test_gpg.py index 1ebddb37..d7da5d01 100644 --- a/tests/test_gpg.py +++ b/tests/test_gpg.py @@ -26,6 +26,7 @@ from copy import deepcopy from unittest.mock import patch +# ruff: noqa: I001 import cryptography.hazmat.primitives.hashes as hashing from cryptography.hazmat import backends from cryptography.hazmat.primitives import serialization @@ -368,9 +369,7 @@ def test_assign_certified_key_info_errors(self): msg = str(mock_log.info.call_args[0][0]) self.assertTrue( expected_msg in msg, - "'{}' not in '{}'".format( - expected_msg, msg - ), + "'{}' not in '{}'".format(expected_msg, msg), ) def test_assign_certified_key_info_expiration(self): @@ -485,9 +484,7 @@ def test_get_verified_subkeys_errors(self): msg = str(mock_log.info.call_args[0][0]) self.assertTrue( expected_msg in msg, - "'{}' not in '{}'".format( - expected_msg, msg - ), + "'{}' not in '{}'".format(expected_msg, msg), ) def test_get_verified_subkeys(self): 
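Review bot: `# ruff: noqa: I001` is a file-level directive, so placing it above the `cryptography` imports turns off import-sorting checks for all of `tests/test_gpg.py`, not only for the block beneath it. If only this block has to keep its order, scope the exemption with `# isort: off` before it and `# isort: on` after it, which Ruff honours. If the whole file is meant, move the directive to the top of the file and add a short reason, so the widened suppression is visible to the next reader.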
@@ -504,9 +501,9 @@ def test_get_verified_subkeys(self): # Test subkey without validity period, i.e. it does not expire self.assertTrue( - subkeys[ - "70cfabf1e2f1dc60ac5c7bca10cd20d3d5bcb6ef" - ].get("validity_period") + subkeys["70cfabf1e2f1dc60ac5c7bca10cd20d3d5bcb6ef"].get( + "validity_period" + ) is None ) @@ -565,7 +562,7 @@ class TestGPGRSA(unittest.TestCase): unsupported_subkey_keyid = "611A9B648E16F54E8A7FAD5DA51E8CDF3B06524F" expired_key_keyid = "E8AC80C924116DABB51D4B987CB07D6D2C199C7C" - keyid_768C43 = "7B3ABB26B97B655AB9296BD15B0BD02E1C768C43" + keyid_768C43 = "7B3ABB26B97B655AB9296BD15B0BD02E1C768C43" # noqa: N815 @classmethod def setUpClass(self): @@ -610,9 +607,7 @@ def test_export_pubkey(self): # load the equivalent ssh key, and make sure that we get the same RSA key # parameters - ssh_key_basename = "{}.ssh".format( - self.default_keyid - ) + ssh_key_basename = "{}.ssh".format(self.default_keyid) ssh_key_path = os.path.join(self.gnupg_home, ssh_key_basename) with open(ssh_key_path, "rb") as fp: keydata = fp.read() @@ -708,9 +703,7 @@ def test_create_signature_with_expired_key(self): expected = "returned non-zero exit status '2'" self.assertTrue( expected in str(ctx.exception), - "{} not in {}".format( - expected, ctx.exception - ), + "{} not in {}".format(expected, ctx.exception), ) def test_verify_signature_with_expired_key(self): @@ -733,10 +726,7 @@ def test_verify_signature_with_expired_key(self): ) self.assertTrue( expected == str(ctx.exception), - "\nexpected: {}" - "\ngot: {}".format( - expected, ctx.exception - ), + "\nexpected: {}" "\ngot: {}".format(expected, ctx.exception), ) 
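Review bot: The reformat in `test_verify_signature_with_expired_key` leaves two adjacent string literals on one line, `"\nexpected: {}" "\ngot: {}".format(expected, ctx.exception)`, which reads like a missing comma between arguments. Merging them into `"\nexpected: {}\ngot: {}".format(expected, ctx.exception)` keeps the message identical. Alternatively, `self.assertEqual(expected, str(ctx.exception))` prints both values on failure without a hand-built message. The test body starts outside the hunk.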
@@ -782,9 +772,7 @@ def test_export_pubkey(self): our_exported_key = dsa_create_pubkey(key_data) # load same key, pre-exported with 3rd-party tooling - pem_key_basename = "{}.pem".format( - self.default_keyid - ) + pem_key_basename = "{}.pem".format(self.default_keyid) pem_key_path = os.path.join(self.gnupg_home, pem_key_basename) with open(pem_key_path, "rb") as fp: keydata = fp.read() diff --git a/tests/test_hash.py b/tests/test_hash.py index b491fbb3..27936feb 100755 --- a/tests/test_hash.py +++ b/tests/test_hash.py @@ -28,10 +28,7 @@ logger = logging.getLogger(__name__) -if ( - "hashlib" - not in securesystemslib.hash.SUPPORTED_LIBRARIES -): +if "hashlib" not in securesystemslib.hash.SUPPORTED_LIBRARIES: logger.warning("Not testing hashlib: could not be imported.") diff --git a/tests/test_signer.py b/tests/test_signer.py index db6d6902..056ec95f 100644 --- a/tests/test_signer.py +++ b/tests/test_signer.py @@ -368,9 +368,7 @@ def test_verify_invalid_keytype_scheme(self): for keytype, scheme, val in test_data: key = SSlibKey("fake", keytype, scheme, {"public": val}) with self.assertRaises(ValueError): - key._verify( - b"fakesig", b"fakedata" - ) + key._verify(b"fakesig", b"fakedata") class TestSigner(unittest.TestCase): diff --git a/tests/test_storage.py b/tests/test_storage.py index ea35ebb4..7bc42675 100644 --- a/tests/test_storage.py +++ b/tests/test_storage.py @@ -33,9 +33,7 @@ def setUp(self): self.filepath = os.path.join(self.temp_dir, "testfile") with open(self.filepath, "wb") as test: test.write(b"testing") - self.fileobj = open( - self.filepath, "rb" - ) + self.fileobj = open(self.filepath, "rb") def tearDown(self): self.fileobj.close() From 833d86a1bc0b80dccbf51c07675a527a87876c58 Mon Sep 17 00:00:00 2001 From: Lion Holler Date: Thu, 27 Jun 2024 12:24:50 +0200 Subject: [PATCH 5/5] removed pylintrc from sdist include in pyproject.toml --- pyproject.toml | 1 - 1 file changed, 1 deletion(-) 
diff --git a/pyproject.toml b/pyproject.toml index 8d4ed4cc..096ed02e 100644 --- a/pyproject.toml +++ b/pyproject.toml @@ -64,7 +64,6 @@ include = [ "/securesystemslib", "/requirements*.txt", "/tox.ini", - "/pylintrc", "/mypy.ini", "/CHANGELOG.md", "/.coveragerc",