Make the vault UUID and CHARSETS attributes public
Marco Ricci

Marco Ricci commited on 2025-01-29 15:28:07
Zeige 6 geänderte Dateien mit 40 Einfügungen und 40 Löschungen.


They are constants, they are not privileged information, and having to
keep indirectly referring to them instead of directly is rather
irritating.
... ...
@@ -215,8 +215,8 @@ class VaultNativeConfigParser(abc.ABC):
215 215
     ) -> bytes:
216 216
         """Generate a key from a password.
217 217
 
218
-        Uses PBKDF2 with HMAC-SHA1, with the vault UUID as a fixed salt
219
-        value.
218
+        Uses PBKDF2 with HMAC-SHA1, with [vault.Vault.UUID][] as a fixed
219
+        salt value.
220 220
 
221 221
         Args:
222 222
             password:
... ...
@@ -246,7 +246,7 @@ class VaultNativeConfigParser(abc.ABC):
246 246
         raw_key = pbkdf2.PBKDF2HMAC(
247 247
             algorithm=hashes.SHA1(),
248 248
             length=key_size // 2,
249
-            salt=vault.Vault._UUID,  # noqa: SLF001
249
+            salt=vault.Vault.UUID,
250 250
             iterations=iterations,
251 251
         ).derive(bytes(password))
252 252
         result_key = raw_key.hex().lower().encode('ASCII')
... ...
@@ -254,7 +254,7 @@ class VaultNativeConfigParser(abc.ABC):
254 254
             _msg.TranslatedString(
255 255
                 _msg.DebugMsgTemplate.VAULT_NATIVE_PBKDF2_CALL,
256 256
                 password=password,
257
-                salt=vault.Vault._UUID,  # noqa: SLF001
257
+                salt=vault.Vault.UUID,
258 258
                 iterations=iterations,
259 259
                 key_size=key_size // 2,
260 260
                 algorithm='sha1',
... ...
@@ -12,7 +12,7 @@ import hashlib
12 12
 import hmac
13 13
 import math
14 14
 import types
15
-from typing import TYPE_CHECKING
15
+from typing import TYPE_CHECKING, Final
16 16
 
17 17
 from typing_extensions import TypeAlias, assert_type
18 18
 
... ...
@@ -49,18 +49,18 @@ class Vault:
49 49
 
50 50
     """
51 51
 
52
-    _UUID = b'e87eb0f4-34cb-46b9-93ad-766c5ab063e7'
52
+    UUID: Final = b'e87eb0f4-34cb-46b9-93ad-766c5ab063e7'
53 53
     """A tag used by vault in the bit stream generation."""
54
-    _CHARSETS = types.MappingProxyType(
54
+    CHARSETS: Final = types.MappingProxyType(
55 55
         collections.OrderedDict([
56 56
             ('lower', b'abcdefghijklmnopqrstuvwxyz'),
57 57
             ('upper', b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'),
58 58
             (
59 59
                 'alpha',
60 60
                 (
61
-                    # _CHARSETS['lower']
61
+                    # CHARSETS['lower']
62 62
                     b'abcdefghijklmnopqrstuvwxyz'
63
-                    # _CHARSETS['upper']
63
+                    # CHARSETS['upper']
64 64
                     b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
65 65
                 ),
66 66
             ),
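Review bot: Now that `UUID` is public API, the attribute docstring on the line after it still reads `"""A tag used by vault in the bit stream generation."""`, which says nothing about the role the rest of this commit documents for it: the fixed PBKDF2 salt suffix and the message signed by the SSH key. Consider `"""The fixed vault UUID.  A public, non-secret constant: it is appended to the service name as the PBKDF2 salt and is the payload signed when deriving a master passphrase from an SSH key, so changing it changes every derived passphrase."""`. Note also that `Final` is enforced only by static type checkers; unlike `CHARSETS`, whose `MappingProxyType` wrapper is read-only at runtime, `UUID` can still be rebound on the class, which is acceptable for a `bytes` constant but worth keeping in mind now that tests reference it directly. If `CHARSETS` has no attribute docstring of its own (its definition closes outside this hunk), a one-liner naming the keys (`lower`, `upper`, `number`, `space`, `dash`, `symbol`, `alpha`, `alphanum`, `all`) and stating that the values are ASCII `bytes` would help readers of the now-public mapping.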
... ...
@@ -68,11 +68,11 @@ class Vault:
68 68
             (
69 69
                 'alphanum',
70 70
                 (
71
-                    # _CHARSETS['lower']
71
+                    # CHARSETS['lower']
72 72
                     b'abcdefghijklmnopqrstuvwxyz'
73
-                    # _CHARSETS['upper']
73
+                    # CHARSETS['upper']
74 74
                     b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
75
-                    # _CHARSETS['number']
75
+                    # CHARSETS['number']
76 76
                     b'0123456789'
77 77
                 ),
78 78
             ),
... ...
@@ -82,15 +82,15 @@ class Vault:
82 82
             (
83 83
                 'all',
84 84
                 (
85
-                    # _CHARSETS['lower']
85
+                    # CHARSETS['lower']
86 86
                     b'abcdefghijklmnopqrstuvwxyz'
87
-                    # _CHARSETS['upper']
87
+                    # CHARSETS['upper']
88 88
                     b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'
89
-                    # _CHARSETS['number']
89
+                    # CHARSETS['number']
90 90
                     b'0123456789'
91
-                    # _CHARSETS['space']
91
+                    # CHARSETS['space']
92 92
                     b' '
93
-                    # _CHARSETS['symbol']
93
+                    # CHARSETS['symbol']
94 94
                     b'!"#$%&\'()*+,./:;<=>?@[\\]^{|}~-_'
95 95
                 ),
96 96
             ),
... ...
@@ -160,7 +160,7 @@ class Vault:
160 160
         self._phrase = self._get_binary_string(phrase)
161 161
         self._length = length
162 162
         self._repeat = repeat
163
-        self._allowed = bytearray(self._CHARSETS['all'])
163
+        self._allowed = bytearray(self.CHARSETS['all'])
164 164
         self._required: list[bytes] = []
165 165
 
166 166
         def subtract_or_require(
... ...
@@ -174,12 +174,12 @@ class Vault:
174 174
                 for _ in range(count):
175 175
                     self._required.append(characters)
176 176
 
177
-        subtract_or_require(lower, self._CHARSETS['lower'])
178
-        subtract_or_require(upper, self._CHARSETS['upper'])
179
-        subtract_or_require(number, self._CHARSETS['number'])
180
-        subtract_or_require(space, self._CHARSETS['space'])
181
-        subtract_or_require(dash, self._CHARSETS['dash'])
182
-        subtract_or_require(symbol, self._CHARSETS['symbol'])
177
+        subtract_or_require(lower, self.CHARSETS['lower'])
178
+        subtract_or_require(upper, self.CHARSETS['upper'])
179
+        subtract_or_require(number, self.CHARSETS['number'])
180
+        subtract_or_require(space, self.CHARSETS['space'])
181
+        subtract_or_require(dash, self.CHARSETS['dash'])
182
+        subtract_or_require(symbol, self.CHARSETS['symbol'])
183 183
         if len(self._required) > self._length:
184 184
             msg = 'requested passphrase length too short'
185 185
             raise ValueError(msg)
... ...
@@ -297,8 +297,8 @@ class Vault:
297 297
                 primitive.  If a string, then the UTF-8 encoding of the
298 298
                 string is used.
299 299
             service:
300
-                A vault service name.  Will be suffixed with
301
-                `Vault._UUID`, and then used as the salt value for
300
+                A vault service name.  Will be suffixed with the
301
+                [`UUID`][], and then used as the salt value for
302 302
                 PBKDF2.  If a string, then the UTF-8 encoding of the
303 303
                 string is used.
304 304
             length:
... ...
@@ -335,7 +335,7 @@ class Vault:
335 335
         """
336 336
         phrase = cls._get_binary_string(phrase)
337 337
         assert isinstance(phrase, bytes)
338
-        salt = cls._get_binary_string(service) + cls._UUID
338
+        salt = cls._get_binary_string(service) + cls.UUID
339 339
         return hashlib.pbkdf2_hmac(
340 340
             hash_name='sha1',
341 341
             password=phrase,
... ...
@@ -526,9 +526,9 @@ class Vault:
526 526
         """Obtain the master passphrase from a configured SSH key.
527 527
 
528 528
         vault allows the usage of certain SSH keys to derive a master
529
-        passphrase, by signing the vault UUID with the SSH key.  The key
530
-        type must ensure that signatures are deterministic (perhaps only
531
-        in conjunction with the given SSH agent).
529
+        passphrase, by signing the vault [`UUID`][] with the SSH key.
530
+        The key type must ensure that signatures are deterministic
531
+        (perhaps only in conjunction with the given SSH agent).
532 532
 
533 533
         Args:
534 534
             key:
... ...
@@ -538,8 +538,8 @@ class Vault:
538 538
                 [`ssh_agent.SSHAgentClient.ensure_agent_subcontext`][].
539 539
 
540 540
         Returns:
541
-            The signature of the vault UUID under this key, unframed but
542
-            encoded in base64.
541
+            The signature of the vault [`UUID`][] under this key,
542
+            unframed but encoded in base64.
543 543
 
544 544
         Raises:
545 545
             KeyError:
... ...
@@ -588,7 +588,7 @@ class Vault:
588 588
                     'signature not deterministic under this agent'
589 589
                 )
590 590
                 raise ValueError(msg)
591
-            raw_sig = client.sign(key, cls._UUID)
591
+            raw_sig = client.sign(key, cls.UUID)
592 592
         _keytype, trailer = ssh_agent.SSHAgentClient.unstring_prefix(raw_sig)
593 593
         signature_blob = ssh_agent.SSHAgentClient.unstring(trailer)
594 594
         return bytes(base64.standard_b64encode(signature_blob))
... ...
@@ -1708,7 +1708,7 @@ def sign(
1708 1708
 
1709 1709
     """
1710 1710
     del self  # Unused.
1711
-    assert message == vault.Vault._UUID
1711
+    assert message == vault.Vault.UUID
1712 1712
     for value in SUPPORTED_KEYS.values():
1713 1713
         if value.public_key_data == key:  # pragma: no branch
1714 1714
             assert value.expected_signature is not None
... ...
@@ -641,7 +641,7 @@ class TestCLI:
641 641
     ) -> None:
642 642
         """Named character classes can be disabled on the command-line."""
643 643
         option = f'--{charset_name}'
644
-        charset = vault.Vault._CHARSETS[charset_name].decode('ascii')
644
+        charset = vault.Vault.CHARSETS[charset_name].decode('ascii')
645 645
         runner = click.testing.CliRunner(mix_stderr=False)
646 646
         # TODO(the-13th-letter): Rewrite using parenthesized
647 647
         # with-statements.
... ...
@@ -3757,7 +3757,7 @@ class TestCLITransition:
3757 3757
     ) -> None:
3758 3758
         """Forwarding arguments from top-level to "vault" works."""
3759 3759
         option = f'--{charset_name}'
3760
-        charset = vault.Vault._CHARSETS[charset_name].decode('ascii')
3760
+        charset = vault.Vault.CHARSETS[charset_name].decode('ascii')
3761 3761
         runner = click.testing.CliRunner(mix_stderr=False)
3762 3762
         # TODO(the-13th-letter): Rewrite using parenthesized
3763 3763
         # with-statements.
... ...
@@ -459,11 +459,11 @@ class TestAgentInteraction:
459 459
         if public_key_data not in key_comment_pairs:  # pragma: no cover
460 460
             pytest.skip('prerequisite SSH key not loaded')
461 461
         signature = bytes(
462
-            client.sign(payload=vault.Vault._UUID, key=public_key_data)
462
+            client.sign(payload=vault.Vault.UUID, key=public_key_data)
463 463
         )
464 464
         assert signature == expected_signature, 'SSH signature mismatch'
465 465
         signature2 = bytes(
466
-            client.sign(payload=vault.Vault._UUID, key=public_key_data)
466
+            client.sign(payload=vault.Vault.UUID, key=public_key_data)
467 467
         )
468 468
         assert signature2 == expected_signature, 'SSH signature mismatch'
469 469
         assert (
... ...
@@ -666,7 +666,7 @@ class TestVault:
666 666
         for key in ('lower', 'upper', 'number', 'space', 'dash', 'symbol'):
667 667
             if config[key] > 0:
668 668
                 assert (
669
-                    sum(c in vault.Vault._CHARSETS[key] for c in password)
669
+                    sum(c in vault.Vault.CHARSETS[key] for c in password)
670 670
                     >= config[key]
671 671
                 ), (
672 672
                     'Password does not satisfy '
... ...
@@ -678,7 +678,7 @@ class TestVault:
678 678
                 assert True
679 679
             else:
680 680
                 assert (
681
-                    sum(c in vault.Vault._CHARSETS[key] for c in password) == 0
681
+                    sum(c in vault.Vault.CHARSETS[key] for c in password) == 0
682 682
                 ), 'Password does not satisfy character ban constraints.'
683 683
 
684 684
         T = TypeVar('T', str, bytes)
685 685