derivepassphrase.git

@@ -13,7 +13,6 @@ import collections

 import copy

 import enum

 import functools

-import importlib

 import inspect

 import json

 import logging

@@ -38,7 +37,6 @@ from typing_extensions import (

     Any,

     ParamSpec,

     Self,

-    assert_never,

     override,

 )

@@ -1473,45 +1471,6 @@ def derivepassphrase_export(ctx: click.Context, /) -> None:

     return None

-def _load_data(

-    fmt: Literal['v0.2', 'v0.3', 'storeroom'],

-    path: str | bytes | os.PathLike[str],

-    key: bytes,

-) -> Any:  # noqa: ANN401

-    contents: bytes

-    module: types.ModuleType

-    # Use match/case here once Python 3.9 becomes unsupported.

-    if fmt == 'v0.2':

-        module = importlib.import_module(

-            'derivepassphrase.exporter.vault_native'

-        )

-        if module.STUBBED:

-            raise ModuleNotFoundError

-        with open(path, 'rb') as infile:

-            contents = base64.standard_b64decode(infile.read())

-        return module.export_vault_native_data(

-            contents, key, try_formats=['v0.2']

-        )

-    elif fmt == 'v0.3':  # noqa: RET505

-        module = importlib.import_module(

-            'derivepassphrase.exporter.vault_native'

-        )

-        if module.STUBBED:

-            raise ModuleNotFoundError

-        with open(path, 'rb') as infile:

-            contents = base64.standard_b64decode(infile.read())

-        return module.export_vault_native_data(

-            contents, key, try_formats=['v0.3']

-        )

-    elif fmt == 'storeroom':

-        module = importlib.import_module('derivepassphrase.exporter.storeroom')

-        if module.STUBBED:

-            raise ModuleNotFoundError

-        return module.export_storeroom_data(path, key)

-    else:  # pragma: no cover

-        assert_never(fmt)

-

-

 @derivepassphrase_export.command(

     'vault',

     context_settings={'help_option_names': ['-h', '--help']},

@@ -1578,7 +1537,7 @@ def derivepassphrase_export_vault(

     ctx: click.Context,

     /,

     *,

-    path: str | bytes | os.PathLike[str],

+    path: str | bytes | os.PathLike[str] | None,

     formats: Sequence[Literal['v0.2', 'v0.3', 'storeroom']] = (),

     key: str | bytes | None = None,

 ) -> None:

@@ -1595,24 +1554,22 @@ def derivepassphrase_export_vault(

     """

     logger = logging.getLogger(PROG_NAME)

     if path in {'VAULT_PATH', b'VAULT_PATH'}:

-        path = exporter.get_vault_path()

-    if key is None:

-        key = exporter.get_vault_key()

-    elif isinstance(key, str):  # pragma: no branch

+        path = None

+    if isinstance(key, str):  # pragma: no branch

         key = key.encode('utf-8')

     for fmt in formats:

         try:

-            config = _load_data(fmt, path, key)

+            config = exporter.export_vault_config_data(path, key, format=fmt)

         except (

             IsADirectoryError,

             NotADirectoryError,

-            ValueError,

+            exporter.NotAVaultConfigError,

             RuntimeError,

         ):

             logger.info(

                 _msg.TranslatedString(

                     _msg.InfoMsgTemplate.CANNOT_LOAD_AS_VAULT_CONFIG,

-                    path=path,

+                    path=path or exporter.get_vault_path(),

                     fmt=fmt,

                 ),

                 extra={'color': ctx.color},

@@ -6,16 +6,49 @@

 from __future__ import annotations

+import importlib

 import os

+from typing import TYPE_CHECKING, Protocol

 import derivepassphrase as dpp

+if TYPE_CHECKING:

+    from collections.abc import Callable

+    from typing import Any

+

+    from typing_extensions import Buffer

+

 __author__ = dpp.__author__

 __version__ = dpp.__version__

 __all__ = ()

+INVALID_VAULT_NATIVE_CONFIGURATION_FORMAT = (

+    'Invalid vault native configuration format: {fmt!r}'

+)

+

+

+class NotAVaultConfigError(ValueError):

+    """The `path` does not hold a `format`-type vault configuration."""

+

+    def __init__(

+        self,

+        path: str | bytes,

+        format: str | None = None,  # noqa: A002

+    ) -> None:

+        self.path = path

+        self.format = format

+

+    def __str__(self) -> str:  # pragma: no cover

+        formatted_format = (

+            f'vault {self.format} configuration'

+            if self.format

+            else 'vault configuration'

+        )

+        return f'Not a {formatted_format}: {self.path!r}'

+

+

 def get_vault_key() -> bytes:

     """Automatically determine the vault(1) master key/password.

@@ -70,3 +103,123 @@ def get_vault_path() -> str | bytes | os.PathLike:

         msg = 'Cannot determine home directory'

         raise RuntimeError(msg)

     return result

+

+

+class ExportVaultConfigDataFunction(Protocol):  # pragma: no cover

+    def __call__(

+        self,

+        path: str | bytes | os.PathLike | None = None,

+        key: str | Buffer | None = None,

+        *,

+        format: str,  # noqa: A002

+    ) -> Any: ...  # noqa: ANN401

+

+

+_export_vault_config_data_registry: dict[

+    str,

+    ExportVaultConfigDataFunction,

+] = {}

+

+

+def register_export_vault_config_data_handler(

+    *names: str,

+) -> Callable[[ExportVaultConfigDataFunction], ExportVaultConfigDataFunction]:

+    if not names:

+        msg = 'No names given to export_data handler registry'

+        raise ValueError(msg)

+    if '' in names:

+        msg = 'Cannot register export_data handler under an empty name'

+        raise ValueError(msg)

+

+    def wrapper(

+        f: ExportVaultConfigDataFunction,

+    ) -> ExportVaultConfigDataFunction:

+        for name in names:

+            if name in _export_vault_config_data_registry:

+                msg = f'export_data handler already registered: {name!r}'

+                raise ValueError(msg)

+            _export_vault_config_data_registry[name] = f

+        return f

+

+    return wrapper

+

+

+def find_vault_config_data_handlers() -> None:

+    """Find all export handlers for vault config data.

+

+    (This function is idempotent.)

+

+    Raises:

+        ModuleNotFoundError:

+            A required module was not found.

+

+    """

+    # Defer imports (and handler registrations) to avoid circular

+    # imports.  The modules themselves contain function definitions that

+    # register themselves automatically with

+    # `_export_vault_config_data_registry`.

+    importlib.import_module('derivepassphrase.exporter.storeroom')

+    importlib.import_module('derivepassphrase.exporter.vault_native')

+

+

+def export_vault_config_data(

+    path: str | bytes | os.PathLike | None = None,

+    key: str | Buffer | None = None,

+    *,

+    format: str,  # noqa: A002

+) -> Any:  # noqa: ANN401

+    """Export the full vault-native configuration stored in `path`.

+

+    Args:

+        path:

+            The path to the vault configuration file or directory.  If

+            not given, then query [`get_vault_path`][] for the correct

+            value.

+        key:

+            Encryption key/password for the configuration file or

+            directory, usually the username, or passed via the

+            `VAULT_KEY` environment variable.  If not given, then query

+            [`exporter.get_vault_key`][] for the value.

+        format:

+            The format to attempt parsing as.  Must be `v0.2`, `v0.3` or

+            `storeroom`.

+

+    Returns:

+        The vault configuration, as recorded in the configuration file.

+

+        This may or may not be a valid configuration according to

+        `vault` or `derivepassphrase`.

+

+    Raises:

+        IsADirectoryError:

+            The requested format requires a configuration file, but

+            `path` points to a directory instead.

+        NotADirectoryError:

+            The requested format requires a configuration directory, but

+            `path` points to something else instead.

+        OSError:

+            There was an OS error while accessing the configuration

+            file/directory.

+        RuntimeError:

+            Something went wrong during data collection, e.g. we

+            encountered unsupported or corrupted data in the

+            configuration file/directory.

+        json.JSONDecodeError:

+            An internal JSON data structure failed to parse from disk.

+            The configuration file/directory is probably corrupted.

+        exporter.NotAVaultConfigError:

+            The file/directory contents are not in the claimed

+            configuration format.

+        ValueError:

+            The requested format is invalid.

+        ModuleNotFoundError:

+            The requested format requires support code, which failed to

+            load because of missing Python libraries.

+

+    """

+    find_vault_config_data_handlers()

+    handler = _export_vault_config_data_registry.get(format)

+    if handler is None:

+        msg = INVALID_VAULT_NATIVE_CONFIGURATION_FORMAT.format(fmt=format)

+        raise ValueError(msg)

+    return handler(path, key, format=format)

@@ -20,10 +20,13 @@ should *not* be used or relied on.

 """

+# ruff: noqa: S303

+

 from __future__ import annotations

 import base64

 import fnmatch

+import importlib

 import json

 import logging

 import os

@@ -43,14 +46,7 @@ if TYPE_CHECKING:

     from typing_extensions import Buffer

 else:

     try:

-        from cryptography.hazmat.primitives import (

-            ciphers,

-            hashes,

-            hmac,

-            padding,

-        )

-        from cryptography.hazmat.primitives.ciphers import algorithms, modes

-        from cryptography.hazmat.primitives.kdf import pbkdf2

+        importlib.import_module('cryptography')

     except ModuleNotFoundError as exc:

         class _DummyModule:  # pragma: no cover

@@ -67,6 +63,15 @@ else:

         algorithms = modes = pbkdf2 = _DummyModule(exc)

         STUBBED = True

     else:

+        from cryptography.hazmat.primitives import (

+            ciphers,

+            hashes,

+            hmac,

+            padding,

+        )

+        from cryptography.hazmat.primitives.ciphers import algorithms, modes

+        from cryptography.hazmat.primitives.kdf import pbkdf2

+

         STUBBED = False

 STOREROOM_MASTER_KEYS_UUID = b'35b7c7ed-f71e-4adf-9051-02fb0f1e0e17'

@@ -616,27 +621,35 @@ def _store(config: dict[str, Any], path: str, json_contents: bytes) -> None:

         config[path_parts[-1]] = contents

+@exporter.register_export_vault_config_data_handler('storeroom')

 def export_storeroom_data(  # noqa: C901,PLR0912,PLR0914,PLR0915

-    storeroom_path: str | bytes | os.PathLike | None = None,

-    master_keys_key: str | Buffer | None = None,

+    path: str | bytes | os.PathLike | None = None,

+    key: str | Buffer | None = None,

+    *,

+    format: str = 'storeroom',  # noqa: A002

 ) -> dict[str, Any]:

     """Export the full configuration stored in the storeroom.

     Args:

-        storeroom_path:

-            Path to the storeroom; usually `~/.vault`.  If not given,

-            then query [`exporter.get_vault_path`][] for the value.

-        master_keys_key:

-            Encryption key/password for the master keys, usually the

-            username, or passed via the `VAULT_KEY` environment

-            variable.  If not given, then query

-            [`exporter.get_vault_key`][] for the value.

+        path:

+            The path to the vault configuration directory.  If not

+            given, then query [`exporter.get_vault_path`][] for the

+            correct value.

+        key:

+            Encryption key/password for the (master keys file in the)

+            configuration directory, usually the username, or passed via

+            the `VAULT_KEY` environment variable.  If not given, then

+            query [`exporter.get_vault_key`][] for the value.

+        format:

+            The format to attempt parsing as.  If specified, must be

+            `storeroom`.

     Returns:

-        The full configuration, as stored in the storeroom.

+        The vault configuration, as recorded in the configuration

+        directory.

-        This may or may not be a valid configuration according to vault

-        or derivepassphrase.

+        This may or may not be a valid configuration according to

+        `vault` or `derivepassphrase`.

     Raises:

         RuntimeError:

@@ -645,17 +658,34 @@ def export_storeroom_data(  # noqa: C901,PLR0912,PLR0914,PLR0915

         json.JSONDecodeError:

             An internal JSON data structure failed to parse from disk.

             The storeroom is probably corrupted.

+        exporter.NotAVaultConfigError:

+            The directory does contain not a storeroom.

+        ValueError:

+            The requested format is invalid.

     """

-    if storeroom_path is None:

-        storeroom_path = exporter.get_vault_path()

-    if master_keys_key is None:

-        master_keys_key = exporter.get_vault_key()

-    elif not isinstance(master_keys_key, str):

-        master_keys_key = memoryview(master_keys_key).toreadonly().cast('c')

-    with open(

-        os.path.join(os.fsdecode(storeroom_path), '.keys'), encoding='utf-8'

-    ) as master_keys_file:

+    # Trigger import errors if necessary.

+    importlib.import_module('cryptography')

+    if path is None:

+        path = exporter.get_vault_path()

+    if key is None:

+        key = exporter.get_vault_key()

+    if format != 'storeroom':  # pragma: no cover

+        msg = exporter.INVALID_VAULT_NATIVE_CONFIGURATION_FORMAT.format(

+            fmt=format

+        )

+        raise ValueError(msg)

+    try:

+        master_keys_file = open(  # noqa: SIM115

+            os.path.join(os.fsdecode(path), '.keys'),

+            encoding='utf-8',

+        )

+    except FileNotFoundError as exc:

+        raise exporter.NotAVaultConfigError(

+            os.fsdecode(path),

+            format='storeroom',

+        ) from exc

+    with master_keys_file:

         header = json.loads(master_keys_file.readline())

         if header != {'version': 1}:

             msg = 'bad or unsupported keys version header'

@@ -675,16 +705,14 @@ def export_storeroom_data(  # noqa: C901,PLR0912,PLR0914,PLR0915

         _msg.TranslatedString(_msg.InfoMsgTemplate.PARSING_MASTER_KEYS_DATA)

     )

     encrypted_keys_iterations = 2 ** (10 + (encrypted_keys_params & 0x0F))

-    master_keys_keys = derive_master_keys_keys(

-        master_keys_key, encrypted_keys_iterations

-    )

+    master_keys_keys = derive_master_keys_keys(key, encrypted_keys_iterations)

     master_keys = decrypt_master_keys_data(encrypted_keys, master_keys_keys)

     config_structure: dict[str, Any] = {}

     json_contents: dict[str, bytes] = {}

     # Use glob.glob(..., root_dir=...) here once Python 3.9 becomes

     # unsupported.

-    storeroom_path_str = os.fsdecode(storeroom_path)

+    storeroom_path_str = os.fsdecode(path)

     valid_hashdirs = [

         hashdir_name

         for hashdir_name in os.listdir(storeroom_path_str)

@@ -699,7 +727,7 @@ def export_storeroom_data(  # noqa: C901,PLR0912,PLR0914,PLR0915

         )

         bucket_contents = [

             bytes(item)

-            for item in decrypt_bucket_file(file, master_keys, root_dir=storeroom_path)

+            for item in decrypt_bucket_file(file, master_keys, root_dir=path)

         ]

         bucket_index = json.loads(bucket_contents.pop(0))

         for pos, item in enumerate(bucket_index):

@@ -716,12 +744,12 @@ def export_storeroom_data(  # noqa: C901,PLR0912,PLR0914,PLR0915

     logger.info(

         _msg.TranslatedString(_msg.InfoMsgTemplate.ASSEMBLING_CONFIG_STRUCTURE)

     )

-    for path, json_content in sorted(json_contents.items()):

-        if path.endswith('/'):

+    for item_path, json_content in sorted(json_contents.items()):

+        if item_path.endswith('/'):

             logger.debug(

                 _msg.TranslatedString(

                     _msg.DebugMsgTemplate.POSTPONING_DIRECTORY_CONTENTS_CHECK,

-                    path=path,

+                    path=item_path,

                     contents=json_content.decode('utf-8'),

                 )

             )

@@ -734,33 +762,33 @@ def export_storeroom_data(  # noqa: C901,PLR0912,PLR0914,PLR0915

                     f'{json_content!r}'

                 )

                 raise RuntimeError(msg)

-            dirs_to_check[path] = json_payload

+            dirs_to_check[item_path] = json_payload

             logger.debug(

                 _msg.TranslatedString(

                     _msg.DebugMsgTemplate.SETTING_CONFIG_STRUCTURE_CONTENTS_EMPTY_DIRECTORY,

-                    path=path,

+                    path=item_path,

                 ),

             )

-            _store(config_structure, path, b'{}')

+            _store(config_structure, item_path, b'{}')

         else:

             logger.debug(

                 _msg.TranslatedString(

                     _msg.DebugMsgTemplate.SETTING_CONFIG_STRUCTURE_CONTENTS,

-                    path=path,

+                    path=item_path,

                     value=json_content.decode('utf-8'),

                 ),

             )

-            _store(config_structure, path, json_content)

+            _store(config_structure, item_path, json_content)

     logger.info(

         _msg.TranslatedString(

             _msg.InfoMsgTemplate.CHECKING_CONFIG_STRUCTURE_CONSISTENCY,

         )

     )

     # Sorted order is important; see `maybe_obj` below.

-    for _dir, namelist in sorted(dirs_to_check.items()):

-        namelist = [x.rstrip('/') for x in namelist]  # noqa: PLW2901

+    for dir_, namelist_ in sorted(dirs_to_check.items()):

+        namelist = [x.rstrip('/') for x in namelist_]

         obj: dict[Any, Any] = config_structure

-        for part in _dir.split('/'):

+        for part in dir_.split('/'):

             if part:

                 # Because we iterate paths in sorted order, parent

                 # directories are encountered before child directories.

@@ -771,17 +799,17 @@ def export_storeroom_data(  # noqa: C901,PLR0912,PLR0914,PLR0915

                 # this, so we need to use assertions anyway.

                 maybe_obj = obj.get(part)

                 assert isinstance(maybe_obj, dict), (

-                    f'Cannot traverse storage path {_dir!r}'

+                    f'Cannot traverse storage path {dir_!r}'

                 )

                 obj = maybe_obj

         if set(obj.keys()) != set(namelist):

-            msg = f'Object key mismatch for path {_dir!r}'

+            msg = f'Object key mismatch for path {dir_!r}'

             raise RuntimeError(msg)

         logger.debug(

             _msg.TranslatedString(

                 _msg.DebugMsgTemplate.DIRECTORY_CONTENTS_CHECK_OK,

-                path=_dir,

-                contents=json.dumps(namelist),

+                path=dir_,

+                contents=json.dumps(namelist_),

             )

         )

     return config_structure

@@ -789,5 +817,5 @@ def export_storeroom_data(  # noqa: C901,PLR0912,PLR0914,PLR0915

 if __name__ == '__main__':

     logging.basicConfig(level=('DEBUG' if os.getenv('DEBUG') else 'WARNING'))

-    config_structure = export_storeroom_data()

+    config_structure = export_storeroom_data(format='storeroom')

     print(json.dumps(config_structure, indent=2, sort_keys=True))  # noqa: T201

@@ -21,12 +21,16 @@ should *not* be used or relied on.

 """

+# ruff: noqa: S303

+

 from __future__ import annotations

 import abc

 import base64

+import importlib

 import json

 import logging

+import os

 import warnings

 from typing import TYPE_CHECKING

@@ -34,7 +38,6 @@ from derivepassphrase import _cli_msg as _msg

 from derivepassphrase import exporter, vault

 if TYPE_CHECKING:

-    from collections.abc import Sequence

     from typing import Any

     from typing_extensions import Buffer

@@ -47,16 +50,7 @@ if TYPE_CHECKING:

     from cryptography.hazmat.primitives.kdf import pbkdf2

 else:

     try:

-        from cryptography import exceptions as crypt_exceptions

-        from cryptography import utils as crypt_utils

-        from cryptography.hazmat.primitives import (

-            ciphers,

-            hashes,

-            hmac,

-            padding,

-        )

-        from cryptography.hazmat.primitives.ciphers import algorithms, modes

-        from cryptography.hazmat.primitives.kdf import pbkdf2

+        importlib.import_module('cryptography')

     except ModuleNotFoundError as exc:

         class _DummyModule:  # pragma: no cover

@@ -74,6 +68,17 @@ else:

         algorithms = modes = pbkdf2 = _DummyModule(exc)

         STUBBED = True

     else:

+        from cryptography import exceptions as crypt_exceptions

+        from cryptography import utils as crypt_utils

+        from cryptography.hazmat.primitives import (

+            ciphers,

+            hashes,

+            hmac,

+            padding,

+        )

+        from cryptography.hazmat.primitives.ciphers import algorithms, modes

+        from cryptography.hazmat.primitives.kdf import pbkdf2

+

         STUBBED = False

 __all__ = ('export_vault_native_data',)

@@ -427,80 +432,69 @@ class VaultNativeV02ConfigParser(VaultNativeConfigParser):

         ).decryptor()

+@exporter.register_export_vault_config_data_handler('v0.2', 'v0.3')

 def export_vault_native_data(

-    contents: Buffer | None = None,

+    path: str | bytes | os.PathLike | None = None,

     key: str | Buffer | None = None,

     *,

-    try_formats: Sequence[str] = ('v0.3', 'v0.2'),

+    format: str,  # noqa: A002

 ) -> Any:  # noqa: ANN401

     """Export the full configuration stored in vault native format.

     Args:

-        contents:

-            The binary encrypted contents of the vault configuration

-            file.  If not given, then query

-            [`exporter.get_vault_path`][] for the correct filename and

-            read the contents from there.

-

-            Note: On disk, these are usually stored in base64-encoded

-            form, not in the "raw" form as needed here.

+        path:

+            The path to the vault configuration file.  If not given,

+            then query [`exporter.get_vault_path`][] for the correct

+            value.

         key:

             Encryption key/password for the configuration file, usually

             the username, or passed via the `VAULT_KEY` environment

             variable.  If not given, then query

             [`exporter.get_vault_key`][] for the value.

-        try_formats:

-            A sequence of formats to try out, in order.  Each key must

-            be one of `v0.2` or `v0.3`.

+        format:

+            The format to attempt parsing as.  Must be `v0.2` or `v0.3`.

     Returns:

         The vault configuration, as recorded in the configuration file.

-        This may or may not be a valid configuration according to vault

-        or derivepassphrase.

+        This may or may not be a valid configuration according to

+        `vault` or `derivepassphrase`.

     Raises:

-        RuntimeError:

-            Something went wrong during data collection, e.g. we

-            encountered unsupported or corrupted data in the storeroom.

         json.JSONDecodeError:

             An internal JSON data structure failed to parse from disk.

-            The storeroom is probably corrupted.

+            The encrypted configuration is probably corrupted.

+        exporter.NotAVaultConfigError:

+            The (encrypted) contents are not in the claimed

+            configuration format.

         ValueError:

-            The requested formats to try out are invalid, or the

-            encrypted contents aren't in any of the attempted

-            configuration formats.

+            The requested format is invalid.

     """

-    if contents is None:

-        with open(exporter.get_vault_path(), 'rb') as infile:

+    # Trigger import errors if necessary.

+    importlib.import_module('cryptography')

+    if path is None:

+        path = exporter.get_vault_path()

+    with open(path, 'rb') as infile:

         contents = base64.standard_b64decode(infile.read())

     if key is None:

         key = exporter.get_vault_key()

-    stored_exception: Exception | None = None

-    for config_format in try_formats:

-        # Use match/case here once Python 3.9 becomes unsupported.

-        if config_format == 'v0.2':

-            try:

-                return VaultNativeV02ConfigParser(contents, key)()

-            except ValueError as exc:

-                exc.__context__ = stored_exception

-                stored_exception = exc

-        elif config_format == 'v0.3':

-            try:

-                return VaultNativeV03ConfigParser(contents, key)()

-            except ValueError as exc:

-                exc.__context__ = stored_exception

-                stored_exception = exc

-        else:  # pragma: no cover

-            msg = (

-                f'Invalid vault native configuration format: {config_format!r}'

+    parser_class: type[VaultNativeConfigParser] | None = {

+        'v0.2': VaultNativeV02ConfigParser,

+        'v0.3': VaultNativeV03ConfigParser,

+    }.get(format)

+    if parser_class is None:  # pragma: no cover

+        msg = exporter.INVALID_VAULT_NATIVE_CONFIGURATION_FORMAT.format(

+            fmt=format

         )

         raise ValueError(msg)

-    msg = (

-        f'Not a valid vault native configuration. (We tried: {try_formats!r}.)'

-    )

-    raise stored_exception or ValueError(msg)

+    try:

+        return parser_class(contents, key)()

+    except ValueError as exc:

+        raise exporter.NotAVaultConfigError(

+            os.fsdecode(path),

+            format=format,

+        ) from exc

 if __name__ == '__main__':

@@ -7,6 +7,7 @@ from __future__ import annotations

 import base64

 import contextlib

 import json

+import os

 from typing import TYPE_CHECKING

 import click.testing

@@ -15,7 +16,7 @@ import pytest

 from hypothesis import strategies

 import tests

-from derivepassphrase import cli

+from derivepassphrase import _types, cli, exporter

 from derivepassphrase.exporter import storeroom, vault_native

 cryptography = pytest.importorskip('cryptography', minversion='38.0')

@@ -35,6 +36,8 @@ if TYPE_CHECKING:

     from collections.abc import Callable

     from typing import Any

+    from typing_extensions import Buffer, Literal

+

 class TestCLI:

     def test_200_path_parameter(self, monkeypatch: pytest.MonkeyPatch) -> None:

@@ -165,6 +168,31 @@ class TestCLI:

         ), 'expected error exit and known error message'

         assert tests.CANNOT_LOAD_CRYPTOGRAPHY not in result.stderr

+    def test_302a_vault_config_invalid_just_a_directory(

+        self,

+        monkeypatch: pytest.MonkeyPatch,

+        caplog: pytest.LogCaptureFixture,

+    ) -> None:

+        runner = click.testing.CliRunner(mix_stderr=False)

+        with tests.isolated_vault_exporter_config(

+            monkeypatch=monkeypatch,

+            runner=runner,

+            vault_config='',

+            vault_key=tests.VAULT_MASTER_KEY,

+        ):

+            os.remove('.vault')

+            os.mkdir('.vault')

+            result_ = runner.invoke(

+                cli.derivepassphrase_export_vault,

+                ['.vault'],

+            )

+        result = tests.ReadableResult.parse(result_)

+        assert result.error_exit(

+            error="Cannot parse '.vault' as a valid vault-native config",

+            record_tuples=caplog.record_tuples,

+        ), 'expected error exit and known error message'

+        assert tests.CANNOT_LOAD_CRYPTOGRAPHY not in result.stderr

+

     def test_403_invalid_vault_config_bad_signature(

         self,

         monkeypatch: pytest.MonkeyPatch,

@@ -201,10 +229,14 @@ class TestCLI:

             vault_key=tests.VAULT_MASTER_KEY,

         ):

-            def _load_data(*_args: Any, **_kwargs: Any) -> None:

+            def export_vault_config_data(*_args: Any, **_kwargs: Any) -> None:

                 return None

-            monkeypatch.setattr(cli, '_load_data', _load_data)

+            monkeypatch.setattr(

+                exporter,

+                'export_vault_config_data',

+                export_vault_config_data,

+            )

             result_ = runner.invoke(

                 cli.derivepassphrase_export_vault,

                 ['.vault'],

@@ -218,20 +250,28 @@ class TestCLI:

 class TestStoreroom:

+    @pytest.mark.parametrize('path', ['.vault', None])

     @pytest.mark.parametrize(

-        ['path', 'key'],

+        'key',

         [

-            ('.vault', tests.VAULT_MASTER_KEY),

-            ('.vault', None),

-            (None, tests.VAULT_MASTER_KEY),

-            (None, None),

+            None,

+            pytest.param(tests.VAULT_MASTER_KEY, id='str'),

+            pytest.param(tests.VAULT_MASTER_KEY.encode('ascii'), id='bytes'),

+            pytest.param(

+                bytearray(tests.VAULT_MASTER_KEY.encode('ascii')),

+                id='bytearray',

+            ),

+            pytest.param(

+                memoryview(tests.VAULT_MASTER_KEY.encode('ascii')),

+                id='memoryview',

+            ),

         ],

     )

     def test_200_export_data_path_and_keys_type(

         self,

         monkeypatch: pytest.MonkeyPatch,

         path: str | None,

-        key: str | None,

+        key: str | Buffer | None,

     ) -> None:

         runner = click.testing.CliRunner(mix_stderr=False)

         with tests.isolated_vault_exporter_config(

@@ -437,8 +477,80 @@ class TestVaultNativeConfig:

             == result

         )

+    @pytest.mark.parametrize(

+        ['config', 'format', 'result'],

+        [

+            pytest.param(

+                tests.VAULT_V02_CONFIG,

+                'v0.2',

+                tests.VAULT_V02_CONFIG_DATA,

+                id='V02_CONFIG-v0.2',

+            ),

+            pytest.param(

+                tests.VAULT_V02_CONFIG,

+                'v0.3',

+                exporter.NotAVaultConfigError,

+                id='V02_CONFIG-v0.3',

+            ),

+            pytest.param(

+                tests.VAULT_V03_CONFIG,

+                'v0.2',

+                exporter.NotAVaultConfigError,

+                id='V03_CONFIG-v0.2',

+            ),

+            pytest.param(

+                tests.VAULT_V03_CONFIG,

+                'v0.3',

+                tests.VAULT_V03_CONFIG_DATA,

+                id='V03_CONFIG-v0.3',

+            ),

+        ],

+    )

     def test_201_export_vault_native_data_no_arguments(

-        self, monkeypatch: pytest.MonkeyPatch

+        self,

+        monkeypatch: pytest.MonkeyPatch,

+        config: str,

+        format: Literal['v0.2', 'v0.3'],

+        result: _types.VaultConfig | type[Exception],

+    ) -> None:

+        runner = click.testing.CliRunner(mix_stderr=False)

+        with tests.isolated_vault_exporter_config(

+            monkeypatch=monkeypatch,

+            runner=runner,

+            vault_config=config,

+            vault_key=tests.VAULT_MASTER_KEY,

+        ):

+            if isinstance(result, type):

+                with pytest.raises(result):

+                    vault_native.export_vault_native_data(None, format=format)

+            else:

+                parsed_config = vault_native.export_vault_native_data(

+                    None, format=format

+                )

+                assert parsed_config == result

+

+    @pytest.mark.parametrize('path', ['.vault', None])

+    @pytest.mark.parametrize(

+        'key',

+        [

+            None,

+            pytest.param(tests.VAULT_MASTER_KEY, id='str'),

+            pytest.param(tests.VAULT_MASTER_KEY.encode('ascii'), id='bytes'),

+            pytest.param(

+                bytearray(tests.VAULT_MASTER_KEY.encode('ascii')),

+                id='bytearray',

+            ),

+            pytest.param(

+                memoryview(tests.VAULT_MASTER_KEY.encode('ascii')),

+                id='memoryview',

+            ),

+        ],

+    )

+    def test_202_export_data_path_and_keys_type(

+        self,

+        monkeypatch: pytest.MonkeyPatch,

+        path: str | None,

+        key: str | Buffer | None,

     ) -> None:

         runner = click.testing.CliRunner(mix_stderr=False)

         with tests.isolated_vault_exporter_config(

@@ -5,6 +5,7 @@

 from __future__ import annotations

 import os

+from typing import TYPE_CHECKING, Any

 import click.testing

 import pytest

@@ -12,6 +13,9 @@ import pytest

 import tests

 from derivepassphrase import cli, exporter

+if TYPE_CHECKING:

+    from typing_extensions import Buffer

+

 class Test001ExporterUtils:

     @pytest.mark.parametrize(

@@ -82,6 +86,33 @@ class Test001ExporterUtils:

                 os.path.realpath(exporter.get_vault_path())

             ) == os.path.realpath(os.path.expanduser(expected))

+    def test_220_register_export_vault_config_data_handler(

+        self, monkeypatch: pytest.MonkeyPatch

+    ) -> None:

+        def handler(  # pragma: no cover

+            path: str | bytes | os.PathLike | None = None,

+            key: str | Buffer | None = None,

+            *,

+            format: str,

+        ) -> Any:

+            del path, key

+            raise ValueError(format)

+

+        registry = {'dummy': handler}

+        monkeypatch.setattr(

+            exporter, '_export_vault_config_data_registry', registry

+        )

+        dec = exporter.register_export_vault_config_data_handler(

+            'name1',

+            'name2',

+        )

+        assert dec(handler) == handler

+        assert registry == {

+            'dummy': handler,

+            'name1': handler,

+            'name2': handler,

+        }

+

     def test_300_get_vault_key_without_envs(

         self, monkeypatch: pytest.MonkeyPatch

     ) -> None:

@@ -101,6 +132,59 @@ class Test001ExporterUtils:

         ):

             exporter.get_vault_path()

+    @pytest.mark.parametrize(

+        ['namelist', 'err_pat'],

+        [

+            pytest.param((), '[Nn]o names given', id='empty'),

+            pytest.param(

+                ('name1', '', 'name2'),

+                '[Uu]nder an empty name',

+                id='empty-string',

+            ),

+            pytest.param(

+                ('dummy', 'name1', 'name2'),

+                '[Aa]lready registered',

+                id='existing',

+            ),

+        ],

+    )

+    def test_320_register_export_vault_config_data_handler_errors(

+        self,

+        monkeypatch: pytest.MonkeyPatch,

+        namelist: tuple[str, ...],

+        err_pat: str,

+    ) -> None:

+        def handler(  # pragma: no cover

+            path: str | bytes | os.PathLike | None = None,

+            key: str | Buffer | None = None,

+            *,

+            format: str,

+        ) -> Any:

+            del path, key

+            raise ValueError(format)

+

+        registry = {'dummy': handler}

+        monkeypatch.setattr(

+            exporter, '_export_vault_config_data_registry', registry

+        )

+        with pytest.raises(ValueError, match=err_pat):

+            exporter.register_export_vault_config_data_handler(*namelist)(

+                handler

+            )

+

+    def test_321_export_vault_config_data_bad_handler(

+        self, monkeypatch: pytest.MonkeyPatch

+    ) -> None:

+        monkeypatch.setattr(exporter, '_export_vault_config_data_registry', {})

+        monkeypatch.setattr(

+            exporter, 'find_vault_config_data_handlers', lambda: None

+        )

+        with pytest.raises(

+            ValueError,

+            match=r'Invalid vault native configuration format',

+        ):

+            exporter.export_vault_config_data(format='v0.3')

+

 class Test002CLI:

     def test_300_invalid_format(