derivepassphrase.git

@@ -38,7 +38,11 @@ dependencies = [

     "typing_extensions",

     # We read configuration files in JSON and TOML format.  The latter

     # is unavailable in the Python standard library until Python 3.11.

-    'tomli; python_version < "3.11"'

+    'tomli; python_version < "3.11"',

+    # We use PEP 654 Exception Groups.  Because of compatibility with

+    # Python < 3.11, we cannot use the except* syntax, but rather use

+    # a compatibility library.

+    "exceptiongroup",

 ]

 [project.optional-dependencies]

@@ -30,18 +30,20 @@ from typing import TYPE_CHECKING, cast

 import click

 import click.shell_completion

+import exceptiongroup

 from typing_extensions import Any

 from derivepassphrase import _types, ssh_agent, vault

 from derivepassphrase._internals import cli_messages as _msg

+from derivepassphrase.ssh_agent import socketprovider

 if sys.version_info >= (3, 11):

     import tomllib

 else:

     import tomli as tomllib

+    from exceptiongroup import BaseExceptionGroup

 if TYPE_CHECKING:

-    import socket

     import types

     from collections.abc import (

         Iterator,

@@ -557,7 +559,11 @@ def load_user_config() -> dict[str, Any]:

 def get_suitable_ssh_keys(

-    conn: ssh_agent.SSHAgentClient | socket.socket | None = None, /

+    conn: ssh_agent.SSHAgentClient

+    | _types.SSHAgentSocket

+    | Sequence[str]

+    | None = None,

+    /,

 ) -> Iterator[_types.SSHKeyCommentPair]:

     """Yield all SSH keys suitable for passphrase derivation.

@@ -574,16 +580,26 @@ def get_suitable_ssh_keys(

         derivation.

     Raises:

+        derivepassphrase.ssh_agent.socketprovider.NoSuchProviderError:

+            As per

+            [`ssh_agent.SSHAgentClient.__init__`][ssh_agent.SSHAgentClient].

+            Only applicable if agent auto-discovery is used.

         KeyError:

-            `conn` was `None`, and the `SSH_AUTH_SOCK` environment

-            variable was not found.

+            As per

+            [`ssh_agent.SSHAgentClient.__init__`][ssh_agent.SSHAgentClient].

+            Only applicable if agent auto-discovery is used.

         NotImplementedError:

-            `conn` was `None`, and this Python does not support

-            [`socket.AF_UNIX`][], so the SSH agent client cannot be

-            automatically set up.

+            As per

+            [`ssh_agent.SSHAgentClient.__init__`][ssh_agent.SSHAgentClient],

+            including the mulitple raise as an exception group.  Only

+            applicable if agent auto-discovery is used.

         OSError:

-            `conn` was a socket or `None`, and there was an error

-            setting up a socket connection to the agent.

+            If the connection hint was a socket, then there was an error

+            setting up the socket connection to the agent.

+

+            Otherwise, as per

+            [`ssh_agent.SSHAgentClient.__init__`][ssh_agent.SSHAgentClient].

+            Only applicable if agent auto-discovery is used.

         LookupError:

             No keys usable for passphrase derivation are loaded into the

             SSH agent.

@@ -695,17 +711,132 @@ def prompt_for_selection(

     return 0

+def handle_keyerror(

+    error_callback: Callable[..., NoReturn],

+    warning_callback: Callable[..., None],

+) -> Callable[[BaseExceptionGroup], NoReturn]:

+    """Generate a handler for KeyError in try-except*.

+

+    Returns a function emitting a standard user-facing message.

+

+    """  # noqa: DOC201

+    del warning_callback

+

+    def handle_keyerror(_excgroup: BaseExceptionGroup) -> NoReturn:

+        error_callback(

+            _msg.TranslatedString(_msg.ErrMsgTemplate.NO_SSH_AGENT_FOUND)

+        )

+

+    return handle_keyerror

+

+

+def handle_notimplementederror(

+    error_callback: Callable[..., NoReturn],

+    warning_callback: Callable[..., None],

+) -> Callable[[BaseExceptionGroup], NoReturn]:

+    """Generate a handler for NotImplementedError in try-except*.

+

+    Returns a function emitting a standard user-facing message.

+

+    """  # noqa: DOC201

+

+    def handle_notimplementederror(excgroup: BaseExceptionGroup) -> NoReturn:

+        if excgroup.subgroup(socketprovider.AfUnixNotAvailableError):

+            warning_callback(

+                _msg.TranslatedString(_msg.WarnMsgTemplate.NO_AF_UNIX)

+            )

+        if excgroup.subgroup(

+            socketprovider.TheAnnoyingOsNamedPipesNotAvailableError

+        ):

+            warning_callback(

+                _msg.TranslatedString(

+                    _msg.WarnMsgTemplate.NO_ANNOYING_OS_NAMED_PIPES

+                )

+            )

+        error_callback(

+            _msg.TranslatedString(_msg.ErrMsgTemplate.NO_AGENT_SUPPORT)

+        )

+

+    return handle_notimplementederror

+

+

+def handle_oserror(

+    error_callback: Callable[..., NoReturn],

+    warning_callback: Callable[..., None],

+) -> Callable[[BaseExceptionGroup], NoReturn]:

+    """Generate a handler for OSError in try-except*.

+

+    Returns a function emitting a standard user-facing message.

+

+    """  # noqa: DOC201

+    del warning_callback

+

+    def handle_oserror(excgroup: BaseExceptionGroup) -> NoReturn:

+        for exc in excgroup.exceptions:

+            assert isinstance(exc, OSError)

+            error_callback(

+                _msg.TranslatedString(

+                    _msg.ErrMsgTemplate.CANNOT_CONNECT_TO_AGENT,

+                    error=exc.strerror,

+                    filename=exc.filename,

+                ).maybe_without_filename()

+            )

+        raise AssertionError()

+

+    return handle_oserror

+

+

+def handle_runtimeerror(

+    error_callback: Callable[..., NoReturn],

+    warning_callback: Callable[..., None],

+) -> Callable[[BaseExceptionGroup], NoReturn]:

+    """Generate a handler for RuntimeError in try-except*.

+

+    Returns a function emitting a standard user-facing message.

+

+    """  # noqa: DOC201

+    del warning_callback

+

+    def handle_runtimeerror(excgroup: BaseExceptionGroup) -> NoReturn:

+        for exc in excgroup.exceptions:

+            error_callback(

+                _msg.TranslatedString(

+                    _msg.ErrMsgTemplate.CANNOT_UNDERSTAND_AGENT

+                ),

+                exc_info=exc,

+            )

+        raise AssertionError()

+

+    return handle_runtimeerror

+

+

+def default_error_callback(

+    message: Any,  # noqa: ANN401

+    /,

+    *_args: Any,  # noqa: ANN401

+    **_kwargs: Any,  # noqa: ANN401

+) -> NoReturn:  # pragma: no cover [failsafe]

+    """Calls [`sys.exit`][] on its first argument, ignoring the rest."""

+    sys.exit(message)

+

+

 def select_ssh_key(

-    conn: ssh_agent.SSHAgentClient | socket.socket | None = None,

+    conn: ssh_agent.SSHAgentClient

+    | _types.SSHAgentSocket

+    | Sequence[str]

+    | None = None,

     /,

     *,

     ctx: click.Context | None = None,

+    error_callback: Callable[..., NoReturn] = default_error_callback,

+    warning_callback: Callable[..., None] = lambda *_args: None,

 ) -> bytes | bytearray:

     """Interactively select an SSH key for passphrase derivation.

     Suitable SSH keys are queried from the running SSH agent (see

     [`ssh_agent.SSHAgentClient.list_keys`][]), then the user is prompted

-    interactively (see [`click.prompt`][]) for a selection.

+    interactively (see [`click.prompt`][]) for a selection.  If any

+    error occurs, the user receives an appropriate error message.

     Args:

         conn:

@@ -714,32 +845,52 @@ def select_ssh_key(

         ctx:

             An `click` context, queried for output device properties and

             color preferences when issuing the prompt.

+        error_callback:

+            A callback function for an error message, if any.  The

+            callback function is responsible for aborting this function

+            call after acknowledging, formatting and/or forwarding the

+            error message; it would typically call [`sys.exit`][] or

+            raise an exception of its own, based on the provided error

+            message.

+        warning_callback:

+            A callback function for a warning message, if any.  The

+            callback function is responsible for formatting the warning

+            message and dispatching it into the warning system, if so

+            desired.

     Returns:

         The selected SSH key.

-    Raises:

-        KeyError:

-            `conn` was `None`, and the `SSH_AUTH_SOCK` environment

-            variable was not found.

-        NotImplementedError:

-            `conn` was `None`, and this Python does not support

-            [`socket.AF_UNIX`][], so the SSH agent client cannot be

-            automatically set up.

-        OSError:

-            `conn` was a socket or `None`, and there was an error

-            setting up a socket connection to the agent.

-        IndexError:

-            The user made an invalid or empty selection, or requested an

-            abort.

-        LookupError:

-            No keys usable for passphrase derivation are loaded into the

-            SSH agent.

-        RuntimeError:

-            There was an error communicating with the SSH agent.

-        SSHAgentFailedError:

-            The agent failed to supply a list of loaded keys.

     """

+

+    def handle_lookuperror(_excgroup: BaseExceptionGroup) -> NoReturn:

+        error_callback(

+            _msg.TranslatedString(

+                _msg.ErrMsgTemplate.NO_SUITABLE_SSH_KEYS,

+                PROG_NAME=PROG_NAME,

+            )

+        )

+

+    def handle_sshagentfailederror(excgroup: BaseExceptionGroup) -> NoReturn:

+        for exc in excgroup.exceptions:

+            error_callback(

+                _msg.TranslatedString(

+                    _msg.ErrMsgTemplate.AGENT_REFUSED_LIST_KEYS

+                ),

+                exc_info=exc,

+            )

+        raise AssertionError()

+

+    with exceptiongroup.catch({

+        KeyError: handle_keyerror(error_callback, warning_callback),

+        LookupError: handle_lookuperror,

+        NotImplementedError: handle_notimplementederror(

+            error_callback, warning_callback

+        ),

+        OSError: handle_oserror(error_callback, warning_callback),

+        ssh_agent.SSHAgentFailedError: handle_sshagentfailederror,

+        RuntimeError: handle_runtimeerror(error_callback, warning_callback),

+    }):

         suitable_keys = list(get_suitable_ssh_keys(conn))

     key_listing: list[str] = []

     unstring_prefix = ssh_agent.SSHAgentClient.unstring_prefix

@@ -754,12 +905,19 @@ def select_ssh_key(

         )

         comment_str = comment.decode('UTF-8', errors='replace')

         key_listing.append(f'{keytype} {key_extract}  {comment_str}')

+    try:

         choice = prompt_for_selection(

             key_listing,

             heading='Suitable SSH keys:',

             single_choice_prompt='Use this key?',

             ctx=ctx,

         )

+    except IndexError:

+        error_callback(

+            _msg.TranslatedString(

+                _msg.ErrMsgTemplate.USER_ABORTED_SSH_KEY_SELECTION

+            )

+        )

     return suitable_keys[choice].key

@@ -906,21 +1064,16 @@ def check_for_misleading_passphrase(

             )

-def default_error_callback(

-    message: Any,  # noqa: ANN401

-    /,

-    *_args: Any,  # noqa: ANN401

-    **_kwargs: Any,  # noqa: ANN401

-) -> NoReturn:  # pragma: no cover

-    """Calls [`sys.exit`][] on its first argument, ignoring the rest."""

-    sys.exit(message)

-

-

 def key_to_phrase(

     key: str | Buffer,

     /,

     *,

     error_callback: Callable[..., NoReturn] = default_error_callback,

+    warning_callback: Callable[..., None] = lambda *_args: None,

+    conn: ssh_agent.SSHAgentClient

+    | _types.SSHAgentSocket

+    | Sequence[str]

+    | None = None,

 ) -> bytes:

     """Return the equivalent master passphrase, or abort.

@@ -931,8 +1084,15 @@ def key_to_phrase(

     """

     key = base64.standard_b64decode(key)

-    try:

-        with ssh_agent.SSHAgentClient.ensure_agent_subcontext() as client:

+    with exceptiongroup.catch({  # noqa: SIM117

+        KeyError: handle_keyerror(error_callback, warning_callback),

+        NotImplementedError: handle_notimplementederror(

+            error_callback, warning_callback

+        ),

+        OSError: handle_oserror(error_callback, warning_callback),

+        RuntimeError: handle_runtimeerror(error_callback, warning_callback),

+    }):

+        with ssh_agent.SSHAgentClient.ensure_agent_subcontext(conn) as client:

             try:

                 return vault.Vault.phrase_from_key(key, conn=client)

             except ssh_agent.SSHAgentFailedError as exc:

@@ -957,27 +1117,6 @@ def key_to_phrase(

                     ),

                     exc_info=exc,

                 )

-    except KeyError:

-        error_callback(

-            _msg.TranslatedString(_msg.ErrMsgTemplate.NO_SSH_AGENT_FOUND)

-        )

-    except NotImplementedError:

-        error_callback(

-            _msg.TranslatedString(_msg.ErrMsgTemplate.NO_AGENT_SUPPORT)

-        )

-    except OSError as exc:

-        error_callback(

-            _msg.TranslatedString(

-                _msg.ErrMsgTemplate.CANNOT_CONNECT_TO_AGENT,

-                error=exc.strerror,

-                filename=exc.filename,

-            ).maybe_without_filename()

-        )

-    except RuntimeError as exc:

-        error_callback(

-            _msg.TranslatedString(_msg.ErrMsgTemplate.CANNOT_UNDERSTAND_AGENT),

-            exc_info=exc,

-        )

 def print_config_as_sh_script(

@@ -11,20 +11,22 @@ import json

 import math

 import string

 import warnings

-from typing import TYPE_CHECKING, Generic, TypeVar, cast

+from typing import TYPE_CHECKING, Generic, Protocol, TypeVar, cast

 from typing_extensions import (

     Buffer,

     NamedTuple,

     NotRequired,

+    TypeAlias,

     TypedDict,

     deprecated,

     get_overloads,

     overload,

+    runtime_checkable,

 )

 if TYPE_CHECKING:

-    from collections.abc import Iterator, Sequence

+    from collections.abc import Callable, Iterator, Sequence

     from typing import Literal

     from typing_extensions import (

@@ -878,3 +880,63 @@ class Subcommand(str, enum.Enum):

     __str__ = str.__str__

     __format__ = str.__format__  # type: ignore[assignment]

+

+

+@runtime_checkable

+class SSHAgentSocket(Protocol):

+    """An abstract networking socket connected to an SSH agent.

+

+    The abstract socket supports the [`sendall`][socket.socket.sendall]

+    and a [`recv`][socket.socket.recv] operation, with the same

+    signatures and semantics as for "real" sockets.  The abstract socket

+    also supports use as a context manager, for automatically closing

+    the socket upon exiting the context.

+

+    """

+

+    def __enter__(self) -> Any: ...  # noqa: ANN401

+

+    # mypy/typeshed has a *very* lax annotation of

+    # socket.socket.__exit__, which we need to be compatible with.

+    # *sigh*

+    def __exit__(

+        self,

+        *args: object,

+    ) -> bool | None: ...

+

+    def sendall(self, data: Buffer, flags: int = 0, /) -> None: ...

+

+    def recv(self, data: int, flags: int = 0, /) -> bytes: ...

+

+

+SSHAgentSocketProvider: TypeAlias = 'Callable[[], SSHAgentSocket]'

+"""A callable that provides an SSH agent socket."""

+

+

+class SSHAgentSocketProviderEntry(NamedTuple):

+    """Registry information for the table of SSH agent socket providers.

+

+    Third-party developers can register new socket providers for

+    auto-discovery by setting up an entry point named

+    [`derivepassphrase.ssh_agent_socket_providers`][derivepassphrase.ssh_agent.socketprovider.SocketProvider.ENTRY_POINT_GROUP_NAME],

+    referencing an instance of this class.  Upon startup of the `vault`

+    subsystem, `derivepassphrase` will then add appropriate entries to

+    the registry.

+

+    Attributes:

+        provider: The callable that provides the socket.

+        key: The table key which this entry is registered as.

+        aliases: Other keys that shall point to this entry's key.

+

+    Note:

+        The socket provider registry table uses the key as the key, and

+        the provider as the value. It does not store this info object

+        directly.

+

+    """

+

+    provider: SSHAgentSocketProvider

+    """"""

+    key: str

+    """"""

+    aliases: tuple[str, ...]

@@ -29,7 +29,7 @@ from typing_extensions import (

     Any,

 )

-from derivepassphrase import _internals, _types, exporter, ssh_agent, vault

+from derivepassphrase import _internals, _types, exporter, vault

 from derivepassphrase._internals import cli_helpers, cli_machinery

 from derivepassphrase._internals import cli_messages as _msg

@@ -1049,7 +1049,7 @@ class _VaultContext:  # noqa: PLR0904

                 ).maybe_without_filename(),

             )

-    def run_subop_query_phrase_or_key_change(  # noqa: C901,PLR0912

+    def run_subop_query_phrase_or_key_change(

         self,

         *,

         empty_service_permitted: bool,

@@ -1130,55 +1130,13 @@ class _VaultContext:  # noqa: PLR0904

             )

             raise click.UsageError(str(err_msg))

         if use_key:

-            try:

             settings.maps[0]['key'] = base64.standard_b64encode(

-                    cli_helpers.select_ssh_key(ctx=self.ctx)

-                ).decode('ASCII')

-            except IndexError:

-                self.err(

-                    _msg.TranslatedString(

-                        _msg.ErrMsgTemplate.USER_ABORTED_SSH_KEY_SELECTION

-                    ),

-                )

-            except KeyError:

-                self.err(

-                    _msg.TranslatedString(

-                        _msg.ErrMsgTemplate.NO_SSH_AGENT_FOUND

-                    ),

-                )

-            except LookupError:

-                self.err(

-                    _msg.TranslatedString(

-                        _msg.ErrMsgTemplate.NO_SUITABLE_SSH_KEYS,

-                        PROG_NAME=PROG_NAME,

-                    )

-                )

-            except NotImplementedError:

-                self.err(

-                    _msg.TranslatedString(_msg.ErrMsgTemplate.NO_AGENT_SUPPORT)

-                )

-            except OSError as exc:

-                self.err(

-                    _msg.TranslatedString(

-                        _msg.ErrMsgTemplate.CANNOT_CONNECT_TO_AGENT,

-                        error=exc.strerror,

-                        filename=exc.filename,

-                    ).maybe_without_filename(),

-                )

-            except ssh_agent.SSHAgentFailedError as exc:

-                self.err(

-                    _msg.TranslatedString(

-                        _msg.ErrMsgTemplate.AGENT_REFUSED_LIST_KEYS

-                    ),

-                    exc_info=exc,

-                )

-            except RuntimeError as exc:

-                self.err(

-                    _msg.TranslatedString(

-                        _msg.ErrMsgTemplate.CANNOT_UNDERSTAND_AGENT

-                    ),

-                    exc_info=exc,

+                cli_helpers.select_ssh_key(

+                    ctx=self.ctx,

+                    error_callback=self.err,

+                    warning_callback=self.warning,

                 )

+            ).decode('ASCII')

         elif use_phrase:

             maybe_phrase = cli_helpers.prompt_for_passphrase()

             if not maybe_phrase:

@@ -1414,7 +1372,9 @@ class _VaultContext:  # noqa: PLR0904

         # a key is given.  Finally, if nothing is set, error out.

         if use_key:

             phrase = cli_helpers.key_to_phrase(

-                cast('str', overrides['key']), error_callback=self.err

+                cast('str', overrides['key']),

+                error_callback=self.err,

+                warning_callback=self.warning,

             )

         elif use_phrase:

             phrase = cast('str', overrides['phrase'])

@@ -8,16 +8,19 @@ from __future__ import annotations

 import collections

 import contextlib

-import os

-import socket

-from typing import TYPE_CHECKING, overload

+import sys

+from collections.abc import Sequence

+from typing import TYPE_CHECKING, ClassVar, overload

 from typing_extensions import Never, Self, assert_type

 from derivepassphrase import _types

+if sys.version_info < (3, 11):

+    from exceptiongroup import ExceptionGroup

+

 if TYPE_CHECKING:

-    from collections.abc import Iterable, Iterator, Sequence

+    from collections.abc import Iterable, Iterator

     from collections.abc import Set as AbstractSet

     from types import TracebackType

@@ -29,8 +32,6 @@ __all__ = ('SSHAgentClient',)

 # a 4-byte/32-bit unsigned integer at the beginning.

 HEAD_LEN = 4

-_socket = socket

-

 class TrailingDataError(RuntimeError):

     """The result contained trailing data."""

@@ -78,60 +79,92 @@ class SSHAgentClient:

     """

-    _connection: socket.socket

+    _connection: _types.SSHAgentSocket

+    SOCKET_PROVIDERS: ClassVar = ['native']

-    def __init__(

-        self, /, *, socket: socket.socket | None = None, timeout: int = 125

+    def __init__(  # noqa: C901, PLR0912

+        self,

+        /,

+        *,

+        socket: _types.SSHAgentSocket | Sequence[str] | None = None,

     ) -> None:

         """Initialize the client.

         Args:

             socket:

-                An optional socket, already connected to the SSH agent.

-                If not given, we query the `SSH_AUTH_SOCK` environment

-                variable to auto-discover the correct socket address.

-

-                [We currently only support connecting via UNIX domain

-                sockets][issue13], and only on platforms with support

-                for [`socket.AF_UNIX`][AF_UNIX].

-

-                [issue13]: https://github.com/the-13th-letter/derivepassphrase/issues/13

-                [AF_UNIX]: https://docs.python.org/3/library/socket.html#socket.AF_UNIX

-            timeout:

-                A connection timeout for the SSH agent.  Only used if

-                the socket is not yet connected.  The default value

-                gives ample time for agent connections forwarded via

-                SSH on high-latency networks (e.g. Tor).

+                An optional socket-like object, already connected to the

+                SSH agent, or a list of names of socket providers to try.

+                If not given, we query platform-specific default

+                addresses, if possible.

         Raises:

+            derivepassphrase.ssh_agent.socketprovider.NoSuchProviderError:

+                The list of socket provider names contained an invalid

+                entry.

             KeyError:

-                The `SSH_AUTH_SOCK` environment variable was not found.

+                An expected configuration entry or an expected environment

+                variable is missing.

             NotImplementedError:

-                This Python version does not support UNIX domain

-                sockets, necessary to automatically connect to a running

-                SSH agent via the `SSH_AUTH_SOCK` environment variable.

+                The named socket provider is not functional or not

+                applicable to this `derivepassphrase` installation, e.g.

+                because it is generally not implemented yet, or it requires

+                a specific operating system, or specific system

+                functionality that is not provided by all Python versions,

+                or external packages that are unavailable on this

+                installation.

+

+                This error may be raised multiple times, as an exception

+                group.

             OSError:

                 There was an error setting up a socket connection to the

                 agent.

-        """

-        if socket is not None:

+        """  # noqa: DOC501

+        import socket as _socket  # noqa: PLC0415

+

+        from derivepassphrase.ssh_agent import socketprovider  # noqa: PLC0415

+

+        if isinstance(socket, _socket.socket):

             self._connection = socket

             # Test whether the socket is connected.

             self._connection.getpeername()

+        elif isinstance(socket, str):

+            self._connection = socketprovider.SocketProvider.resolve(socket)()

+        elif socket is None or isinstance(socket, Sequence):

+            if not socket:

+                socket = self.SOCKET_PROVIDERS

+            assert isinstance(socket, Sequence)  # for the type checker

+            excs: list[NotImplementedError] = []

+            providers: list[_types.SSHAgentSocketProvider] = []

+            for candidate in socket:

+                try:

+                    provider = socketprovider.SocketProvider.resolve(candidate)

+                except NotImplementedError as exc:

+                    excs.append(exc)

+                    continue

+                else:

+                    providers.append(provider)

+            for provider in providers:

+                try:

+                    self._connection = provider()

+                except NotImplementedError as exc:

+                    excs.append(exc)

+                    continue

                 else:

-            if not hasattr(_socket, 'AF_UNIX'):

-                msg = (

-                    'This Python version does not support UNIX domain sockets'

+                    break

+            else:

+                msg = 'No supported SSH agent socket provider found.'

+                raise (

+                    ExceptionGroup(msg, excs)

+                    if excs

+                    else NotImplementedError(msg)

                 )

-                raise NotImplementedError(msg)

-            self._connection = _socket.socket(family=_socket.AF_UNIX)

-            if 'SSH_AUTH_SOCK' not in os.environ:

-                msg = 'SSH_AUTH_SOCK environment variable'

-                raise KeyError(msg)

-            ssh_auth_sock = os.environ['SSH_AUTH_SOCK']

-            self._connection.settimeout(timeout)

-            self._connection.connect(ssh_auth_sock)

+        elif isinstance(socket, _types.SSHAgentSocket):

+            self._connection = socket

+        else:  # pragma: no cover [failsafe]

+            assert_type(socket, Never)

+            msg = f'invalid socket object: {socket!r}'

+            raise TypeError(msg)

     def __enter__(self) -> Self:

         """Close socket connection upon context manager completion.

@@ -289,7 +322,10 @@ class SSHAgentClient:

     @contextlib.contextmanager

     def ensure_agent_subcontext(

         cls,

-        conn: SSHAgentClient | socket.socket | None = None,

+        conn: SSHAgentClient

+        | _types.SSHAgentSocket

+        | Sequence[str]

+        | None = None,

     ) -> Iterator[SSHAgentClient]:

         """Return an SSH agent client subcontext.

@@ -307,8 +343,9 @@ class SSHAgentClient:

                 exiting the context, the client is destroyed and the

                 socket is closed.

-                If `None`, construct a client using agent

-                auto-discovery, then enter a context within this

+                If `None`, or a list of names of socket providers, then

+                construct a client according to those connection hints

+                ("auto-discovery"), and enter a context within this

                 client's scope.  After exiting the context, both the

                 client and its socket are destroyed.

@@ -316,16 +353,15 @@ class SSHAgentClient:

             When entering this context, return the SSH agent client.

         Raises:

+            derivepassphrase.ssh_agent.socketprovider.NoSuchProviderError:

+                As per [`__init__`][SSHAgentClient].

             KeyError:

-                `conn` was `None`, and the `SSH_AUTH_SOCK` environment

-                variable was not found.

+                As per [`__init__`][SSHAgentClient], including the

+                multiple raise as an exception group.

             NotImplementedError:

-                `conn` was `None`, and this Python does not support

-                [`socket.AF_UNIX`][], so the SSH agent client cannot be

-                automatically set up.

+                As per [`__init__`][SSHAgentClient].

             OSError:

-                `conn` was a socket or `None`, and there was an error

-                setting up a socket connection to the agent.

+                As per [`__init__`][SSHAgentClient].

         """  # noqa: DOC501

         # TODO(the-13th-letter): Rewrite using structural pattern matching.

@@ -333,7 +369,10 @@ class SSHAgentClient:

         if isinstance(conn, SSHAgentClient):

             with contextlib.nullcontext():

                 yield conn

-        elif isinstance(conn, socket.socket) or conn is None:

+        elif (

+            isinstance(conn, (_types.SSHAgentSocket, str, Sequence))

+            or conn is None

+        ):

             with SSHAgentClient(socket=conn) as client:

                 yield client

         else:  # pragma: no cover [failsafe]

@@ -0,0 +1,334 @@

+# SPDX-FileCopyrightText: 2025 Marco Ricci <software@the13thletter.info>

+#

+# SPDX-License-Identifier: Zlib

+

+"""Machinery for providing sockets connected to SSH agents."""

+

+from __future__ import annotations

+

+import collections

+import ctypes

+import os

+import socket

+from typing import TYPE_CHECKING, ClassVar, cast

+

+if TYPE_CHECKING:

+    from collections.abc import Callable

+

+    from derivepassphrase import _types

+

+__all__ = ('SocketProvider',)

+

+

+class NoSuchProviderError(KeyError):

+    """No such SSH agent socket provider is known."""

+

+

+class AfUnixNotAvailableError(NotImplementedError):

+    """This Python installation does not support socket.AF_UNIX."""

+

+

+class TheAnnoyingOsNamedPipesNotAvailableError(NotImplementedError):

+    """This Python installation does not support Windows named pipes."""

+

+

+class SocketProvider:

+    """Static functionality for providing sockets."""

+

+    @staticmethod

+    def unix_domain_ssh_auth_sock(*, timeout: int = 125) -> socket.socket:

+        """Return a UNIX domain socket connected to `SSH_AUTH_SOCK`.

+

+        Args:

+            timeout:

+                A connection timeout for the SSH agent.  Only used for

+                "true" sockets, and only if the socket is not yet connected.

+                The default value gives ample time for agent connections

+                forwarded via SSH on high-latency networks (e.g. Tor).

+

+        Returns:

+            A connected UNIX domain socket.

+

+        Raises:

+            KeyError:

+                The `SSH_AUTH_SOCK` environment variable was not found.

+            AfUnixNotAvailableError:

+                [This Python version does not support UNIX domain

+                sockets][AF_UNIX], necessary to automatically connect to

+                a running SSH agent via the `SSH_AUTH_SOCK` environment

+                variable.

+

+                [AF_UNIX]: https://docs.python.org/3/library/socket.html#socket.AF_UNIX

+            OSError:

+                There was an error setting up a socket connection to the

+                agent.

+

+        """

+        if not hasattr(socket, 'AF_UNIX'):

+            msg = 'This Python version does not support UNIX domain sockets.'

+            raise AfUnixNotAvailableError(msg)

+        else:  # noqa: RET506  # pragma: unless posix no cover

+            sock = socket.socket(family=socket.AF_UNIX)

+            if 'SSH_AUTH_SOCK' not in os.environ:

+                msg = 'SSH_AUTH_SOCK environment variable'

+                raise KeyError(msg)

+            ssh_auth_sock = os.environ['SSH_AUTH_SOCK']

+            sock.settimeout(timeout)

+            sock.connect(ssh_auth_sock)

+            return sock

+

+    @staticmethod

+    def the_annoying_os_named_pipes() -> _types.SSHAgentSocket:

+        """Return a socket connected to Pageant/OpenSSH on The Annoying OS.

+

+        This may be a write-through socket if the underlying connection

+        to Pageant or OpenSSH does not use an actual network socket to

+        communicate.

+

+        Raises:

+            TheAnnoyingOsNamedPipesNotAvailableError:

+                This functionality is not implemented yet.

+

+        Warning: Not implemented yet

+            This functionality is not implemented yet.  Specifically,

+            [we do not yet support any of the communication mechanisms

+            used by the leading SSH agent

+            implementations.][windows-ssh-agent-support]

+

+            [windows-ssh-agent-support]: https://the13thletter.info/derivepassphrase/0.x/wishlist/windows-ssh-agent-support/

+

+        """

+        if not hasattr(ctypes, 'WinDLL'):

+            msg = 'This Python version does not support Windows named pipes.'

+            raise TheAnnoyingOsNamedPipesNotAvailableError(msg)

+        else:  # noqa: RET506  # pragma: unless the-annoying-os no cover

+            msg = (

+                'Communicating with Pageant or OpenSSH on Windows '

+                'is not implemented yet.'

+            )

+            raise NotImplementedError(msg)

+

+    registry: ClassVar[

+        dict[str, _types.SSHAgentSocketProvider | str | None]

+    ] = {}

+    """A dictionary of callables that provide SSH agent sockets.

+

+    Each entry in the dictionary points either to a callable, a string,

+    or `None`: if a callable, then that callable returns a socket; if

+    a string, then this entry is an alias for that other entry; if

+    `None`, then the entry name is merely registered, but no

+    implementation is available.

+

+    If a callable is not applicable to this platform, Python

+    installation or `derivepassphrase` installation, then it MUST raise

+    [`NotImplementedError`][].  Conversely, if the callable returns

+    a value, or raises any other kind of exception, then the caller MAY

+    assume that this platform, Python installation and

+    `derivepassphrase` installation are sufficient for the callable to

+    be able to return a working socket on this platform.  (The latter

+    may still be dependent on further, external circumstances, such as

+    required configuration settings, or environment variables, or

+    sufficient system resources, etc.)

+

+    (Interpretation of "MUST" and "MAY" as per IETF Best Current

+    Practice #14; see [RFC 2119][] and [RFC 8174][].)

+

+    [RFC 2119]: https://www.rfc-editor.org/info/rfc2119

+    [RFC 8174]: https://www.rfc-editor.org/info/rfc8174

+

+    """

+

+    @classmethod

+    def register(

+        cls,

+        name: str,

+        *aliases: str,

+    ) -> Callable[

+        [_types.SSHAgentSocketProvider], _types.SSHAgentSocketProvider

+    ]:

+        """Register a callable as an SSH agent socket provider (decorator).

+

+        Attempting to re-register an existing alias, or a name with an

+        implementation, with a different implementation is an error.

+

+        Args:

+            name:

+                The principal name under which to register the passed

+                callable.

+            aliases:

+                Alternate names to register as aliases for the principal

+                name.

+

+        Returns:

+            A decorator implementing the above.

+

+        """

+

+        def decorator(

+            f: _types.SSHAgentSocketProvider,

+        ) -> _types.SSHAgentSocketProvider:

+            """Register a callable as an SSH agent socket provider.

+

+            Attempting to re-register an existing alias, or a name with

+            an implementation, with a different implementation is an

+            error.

+

+            Args:

+                f: The callable to decorate/register.

+

+            Returns:

+                The callable.

+

+            Raises:

+                ValueError:

+                    The name or alias is already in use.

+

+            """

+            for alias in [name, *aliases]:

+                try:

+                    existing = cls.resolve(alias)

+                except (NoSuchProviderError, NotImplementedError):

+                    cls.registry[alias] = f if alias == name else name

+                else:

+                    if existing != f:

+                        msg = (

+                            f'The SSH agent socket provider {alias!r} '

+                            f'is already registered.'

+                        )

+                        raise ValueError(msg)

+            return f

+

+        return decorator

+

+    @classmethod

+    def resolve(

+        cls, provider: Callable[[], _types.SSHAgentSocket] | str | None, /

+    ) -> Callable[[], _types.SSHAgentSocket]:

+        """Resolve a socket provider to a proper callable.

+

+        Args:

+            provider: The provider to resolve.

+

+        Returns:

+            The callable indicated by this provider.

+

+        Raises:

+            NoSuchProviderError:

+                The provider is not registered.

+            NotImplementedError:

+                The provider is registered, but is not functional or not

+                applicable to this `derivepassphrase` installation.

+

+        """

+        ret = provider

+        while isinstance(ret, str):

+            try:

+                ret = cls.registry[ret]

+            except KeyError as exc:

+                raise NoSuchProviderError(ret) from exc

+        if ret is None:

+            msg = (

+                f'The {ret!r} socket provider is not functional on or '

+                'not applicable to this derivepassphrase installation.'

+            )

+            raise NotImplementedError(msg)

+        return ret

+

+    ENTRY_POINT_GROUP_NAME = 'derivepassphrase.ssh_agent_socket_providers'

+    """

+    The group name under which [entry

+    points][importlib.metadata.entry_points] for the SSH agent socket

+    provider registry should be recorded.  Each target of such an entry

+    point should be a [`_types.SSHAgentSocketProviderEntry`][] object.

+    """

+

+    @classmethod

+    def _find_all_ssh_agent_socket_providers(cls) -> None:

+        """Find and load all declared SSH agent socket providers.

+

+        Load all [entry points][importlib.metadata.entry_points] in the

+        `derivepassphrase.ssh_agent_socket_providers` group as providers,

+        then register them.  The target of each entry point should be

+        a [`_types.SSHAgentSocketProviderEntry`][] object.

+

+        Raises:

+            AssertionError:

+                The declared SSH agent socket provider was not, in fact,

+                an SSH agent socket provider.

+

+                Alternatively, multiple distributions supplied the same

+                SSH agent socket provider, but with different

+                implementations.

+

+        """

+        import importlib.metadata  # noqa: PLC0415

+

+        origins: dict[str, str | None] = {}

+        entries = collections.ChainMap({}, cls.registry)

+        for entry_point in importlib.metadata.entry_points(

+            group=cls.ENTRY_POINT_GROUP_NAME

+        ):

+            provider_entry = cast(

+                '_types.SSHAgentSocketProviderEntry', entry_point.load()

+            )

+            key = provider_entry.key

+            value = entry_point.value

+            dist = (

+                entry_point.dist.name  # type: ignore[union-attr]

+                if getattr(entry_point, 'dist', None) is not None

+                else None

+            )

+            origin = origins.get(key, 'derivepassphrase')

+            if not callable(provider_entry.provider):

+                msg = (