Marco Ricci commited on 2025-01-29 15:28:07
Zeige 6 geänderte Dateien mit 40 Einfügungen und 40 Löschungen.
They are constants, they are not privileged information, and having to keep referring to them indirectly instead of directly is rather irritating.
... | ... |
@@ -215,8 +215,8 @@ class VaultNativeConfigParser(abc.ABC): |
215 | 215 |
) -> bytes: |
216 | 216 |
"""Generate a key from a password. |
217 | 217 |
|
218 |
- Uses PBKDF2 with HMAC-SHA1, with the vault UUID as a fixed salt |
|
219 |
- value. |
|
218 |
+ Uses PBKDF2 with HMAC-SHA1, with [vault.Vault.UUID][] as a fixed |
|
219 |
+ salt value. |
|
220 | 220 |
|
221 | 221 |
Args: |
222 | 222 |
password: |
... | ... |
@@ -246,7 +246,7 @@ class VaultNativeConfigParser(abc.ABC): |
246 | 246 |
raw_key = pbkdf2.PBKDF2HMAC( |
247 | 247 |
algorithm=hashes.SHA1(), |
248 | 248 |
length=key_size // 2, |
249 |
- salt=vault.Vault._UUID, # noqa: SLF001 |
|
249 |
+ salt=vault.Vault.UUID, |
|
250 | 250 |
iterations=iterations, |
251 | 251 |
).derive(bytes(password)) |
252 | 252 |
result_key = raw_key.hex().lower().encode('ASCII') |
... | ... |
@@ -254,7 +254,7 @@ class VaultNativeConfigParser(abc.ABC): |
254 | 254 |
_msg.TranslatedString( |
255 | 255 |
_msg.DebugMsgTemplate.VAULT_NATIVE_PBKDF2_CALL, |
256 | 256 |
password=password, |
257 |
- salt=vault.Vault._UUID, # noqa: SLF001 |
|
257 |
+ salt=vault.Vault.UUID, |
|
258 | 258 |
iterations=iterations, |
259 | 259 |
key_size=key_size // 2, |
260 | 260 |
algorithm='sha1', |
... | ... |
@@ -12,7 +12,7 @@ import hashlib |
12 | 12 |
import hmac |
13 | 13 |
import math |
14 | 14 |
import types |
15 |
-from typing import TYPE_CHECKING |
|
15 |
+from typing import TYPE_CHECKING, Final |
|
16 | 16 |
|
17 | 17 |
from typing_extensions import TypeAlias, assert_type |
18 | 18 |
|
... | ... |
@@ -49,18 +49,18 @@ class Vault: |
49 | 49 |
|
50 | 50 |
""" |
51 | 51 |
|
52 |
- _UUID = b'e87eb0f4-34cb-46b9-93ad-766c5ab063e7' |
|
52 |
+ UUID: Final = b'e87eb0f4-34cb-46b9-93ad-766c5ab063e7' |
|
53 | 53 |
"""A tag used by vault in the bit stream generation.""" |
54 |
- _CHARSETS = types.MappingProxyType( |
|
54 |
+ CHARSETS: Final = types.MappingProxyType( |
|
55 | 55 |
collections.OrderedDict([ |
56 | 56 |
('lower', b'abcdefghijklmnopqrstuvwxyz'), |
57 | 57 |
('upper', b'ABCDEFGHIJKLMNOPQRSTUVWXYZ'), |
58 | 58 |
( |
59 | 59 |
'alpha', |
60 | 60 |
( |
61 |
- # _CHARSETS['lower'] |
|
61 |
+ # CHARSETS['lower'] |
|
62 | 62 |
b'abcdefghijklmnopqrstuvwxyz' |
63 |
- # _CHARSETS['upper'] |
|
63 |
+ # CHARSETS['upper'] |
|
64 | 64 |
b'ABCDEFGHIJKLMNOPQRSTUVWXYZ' |
65 | 65 |
), |
66 | 66 |
), |
... | ... |
@@ -68,11 +68,11 @@ class Vault: |
68 | 68 |
( |
69 | 69 |
'alphanum', |
70 | 70 |
( |
71 |
- # _CHARSETS['lower'] |
|
71 |
+ # CHARSETS['lower'] |
|
72 | 72 |
b'abcdefghijklmnopqrstuvwxyz' |
73 |
- # _CHARSETS['upper'] |
|
73 |
+ # CHARSETS['upper'] |
|
74 | 74 |
b'ABCDEFGHIJKLMNOPQRSTUVWXYZ' |
75 |
- # _CHARSETS['number'] |
|
75 |
+ # CHARSETS['number'] |
|
76 | 76 |
b'0123456789' |
77 | 77 |
), |
78 | 78 |
), |
... | ... |
@@ -82,15 +82,15 @@ class Vault: |
82 | 82 |
( |
83 | 83 |
'all', |
84 | 84 |
( |
85 |
- # _CHARSETS['lower'] |
|
85 |
+ # CHARSETS['lower'] |
|
86 | 86 |
b'abcdefghijklmnopqrstuvwxyz' |
87 |
- # _CHARSETS['upper'] |
|
87 |
+ # CHARSETS['upper'] |
|
88 | 88 |
b'ABCDEFGHIJKLMNOPQRSTUVWXYZ' |
89 |
- # _CHARSETS['number'] |
|
89 |
+ # CHARSETS['number'] |
|
90 | 90 |
b'0123456789' |
91 |
- # _CHARSETS['space'] |
|
91 |
+ # CHARSETS['space'] |
|
92 | 92 |
b' ' |
93 |
- # _CHARSETS['symbol'] |
|
93 |
+ # CHARSETS['symbol'] |
|
94 | 94 |
b'!"#$%&\'()*+,./:;<=>?@[\\]^{|}~-_' |
95 | 95 |
), |
96 | 96 |
), |
... | ... |
@@ -160,7 +160,7 @@ class Vault: |
160 | 160 |
self._phrase = self._get_binary_string(phrase) |
161 | 161 |
self._length = length |
162 | 162 |
self._repeat = repeat |
163 |
- self._allowed = bytearray(self._CHARSETS['all']) |
|
163 |
+ self._allowed = bytearray(self.CHARSETS['all']) |
|
164 | 164 |
self._required: list[bytes] = [] |
165 | 165 |
|
166 | 166 |
def subtract_or_require( |
... | ... |
@@ -174,12 +174,12 @@ class Vault: |
174 | 174 |
for _ in range(count): |
175 | 175 |
self._required.append(characters) |
176 | 176 |
|
177 |
- subtract_or_require(lower, self._CHARSETS['lower']) |
|
178 |
- subtract_or_require(upper, self._CHARSETS['upper']) |
|
179 |
- subtract_or_require(number, self._CHARSETS['number']) |
|
180 |
- subtract_or_require(space, self._CHARSETS['space']) |
|
181 |
- subtract_or_require(dash, self._CHARSETS['dash']) |
|
182 |
- subtract_or_require(symbol, self._CHARSETS['symbol']) |
|
177 |
+ subtract_or_require(lower, self.CHARSETS['lower']) |
|
178 |
+ subtract_or_require(upper, self.CHARSETS['upper']) |
|
179 |
+ subtract_or_require(number, self.CHARSETS['number']) |
|
180 |
+ subtract_or_require(space, self.CHARSETS['space']) |
|
181 |
+ subtract_or_require(dash, self.CHARSETS['dash']) |
|
182 |
+ subtract_or_require(symbol, self.CHARSETS['symbol']) |
|
183 | 183 |
if len(self._required) > self._length: |
184 | 184 |
msg = 'requested passphrase length too short' |
185 | 185 |
raise ValueError(msg) |
... | ... |
@@ -297,8 +297,8 @@ class Vault: |
297 | 297 |
primitive. If a string, then the UTF-8 encoding of the |
298 | 298 |
string is used. |
299 | 299 |
service: |
300 |
- A vault service name. Will be suffixed with |
|
301 |
- `Vault._UUID`, and then used as the salt value for |
|
300 |
+ A vault service name. Will be suffixed with the |
|
301 |
+ [`UUID`][], and then used as the salt value for |
|
302 | 302 |
PBKDF2. If a string, then the UTF-8 encoding of the |
303 | 303 |
string is used. |
304 | 304 |
length: |
... | ... |
@@ -335,7 +335,7 @@ class Vault: |
335 | 335 |
""" |
336 | 336 |
phrase = cls._get_binary_string(phrase) |
337 | 337 |
assert isinstance(phrase, bytes) |
338 |
- salt = cls._get_binary_string(service) + cls._UUID |
|
338 |
+ salt = cls._get_binary_string(service) + cls.UUID |
|
339 | 339 |
return hashlib.pbkdf2_hmac( |
340 | 340 |
hash_name='sha1', |
341 | 341 |
password=phrase, |
... | ... |
@@ -526,9 +526,9 @@ class Vault: |
526 | 526 |
"""Obtain the master passphrase from a configured SSH key. |
527 | 527 |
|
528 | 528 |
vault allows the usage of certain SSH keys to derive a master |
529 |
- passphrase, by signing the vault UUID with the SSH key. The key |
|
530 |
- type must ensure that signatures are deterministic (perhaps only |
|
531 |
- in conjunction with the given SSH agent). |
|
529 |
+ passphrase, by signing the vault [`UUID`][] with the SSH key. |
|
530 |
+ The key type must ensure that signatures are deterministic |
|
531 |
+ (perhaps only in conjunction with the given SSH agent). |
|
532 | 532 |
|
533 | 533 |
Args: |
534 | 534 |
key: |
... | ... |
@@ -538,8 +538,8 @@ class Vault: |
538 | 538 |
[`ssh_agent.SSHAgentClient.ensure_agent_subcontext`][]. |
539 | 539 |
|
540 | 540 |
Returns: |
541 |
- The signature of the vault UUID under this key, unframed but |
|
542 |
- encoded in base64. |
|
541 |
+ The signature of the vault [`UUID`][] under this key, |
|
542 |
+ unframed but encoded in base64. |
|
543 | 543 |
|
544 | 544 |
Raises: |
545 | 545 |
KeyError: |
... | ... |
@@ -588,7 +588,7 @@ class Vault: |
588 | 588 |
'signature not deterministic under this agent' |
589 | 589 |
) |
590 | 590 |
raise ValueError(msg) |
591 |
- raw_sig = client.sign(key, cls._UUID) |
|
591 |
+ raw_sig = client.sign(key, cls.UUID) |
|
592 | 592 |
_keytype, trailer = ssh_agent.SSHAgentClient.unstring_prefix(raw_sig) |
593 | 593 |
signature_blob = ssh_agent.SSHAgentClient.unstring(trailer) |
594 | 594 |
return bytes(base64.standard_b64encode(signature_blob)) |
... | ... |
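Review bot: The docstring on the newly public `UUID` constant still reads `"""A tag used by vault in the bit stream generation."""`, but the hunks in this file show it doing more than that: it is the suffix of the PBKDF2 salt in `salt = cls._get_binary_string(service) + cls.UUID` and the payload the SSH agent signs in `raw_sig = client.sign(key, cls.UUID)`, and other docstrings in this commit now link to it as public API. I would document those roles and the compatibility constraint where it is defined, e.g. `"""Fixed, non-secret tag inherited from the original vault: it is the PBKDF2 salt suffix and the SSH signing payload, so changing it would change every derived passphrase."""`. Also worth a short note that `Final` is honoured only by static type checkers; at runtime the class attribute stays reassignable, so the annotation records intent rather than enforcing it. The enclosing `Vault` class body continues outside the hunks shown.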
@@ -1708,7 +1708,7 @@ def sign( |
1708 | 1708 |
|
1709 | 1709 |
""" |
1710 | 1710 |
del self # Unused. |
1711 |
- assert message == vault.Vault._UUID |
|
1711 |
+ assert message == vault.Vault.UUID |
|
1712 | 1712 |
for value in SUPPORTED_KEYS.values(): |
1713 | 1713 |
if value.public_key_data == key: # pragma: no branch |
1714 | 1714 |
assert value.expected_signature is not None |
... | ... |
@@ -641,7 +641,7 @@ class TestCLI: |
641 | 641 |
) -> None: |
642 | 642 |
"""Named character classes can be disabled on the command-line.""" |
643 | 643 |
option = f'--{charset_name}' |
644 |
- charset = vault.Vault._CHARSETS[charset_name].decode('ascii') |
|
644 |
+ charset = vault.Vault.CHARSETS[charset_name].decode('ascii') |
|
645 | 645 |
runner = click.testing.CliRunner(mix_stderr=False) |
646 | 646 |
# TODO(the-13th-letter): Rewrite using parenthesized |
647 | 647 |
# with-statements. |
... | ... |
@@ -3757,7 +3757,7 @@ class TestCLITransition: |
3757 | 3757 |
) -> None: |
3758 | 3758 |
"""Forwarding arguments from top-level to "vault" works.""" |
3759 | 3759 |
option = f'--{charset_name}' |
3760 |
- charset = vault.Vault._CHARSETS[charset_name].decode('ascii') |
|
3760 |
+ charset = vault.Vault.CHARSETS[charset_name].decode('ascii') |
|
3761 | 3761 |
runner = click.testing.CliRunner(mix_stderr=False) |
3762 | 3762 |
# TODO(the-13th-letter): Rewrite using parenthesized |
3763 | 3763 |
# with-statements. |
... | ... |
@@ -459,11 +459,11 @@ class TestAgentInteraction: |
459 | 459 |
if public_key_data not in key_comment_pairs: # pragma: no cover |
460 | 460 |
pytest.skip('prerequisite SSH key not loaded') |
461 | 461 |
signature = bytes( |
462 |
- client.sign(payload=vault.Vault._UUID, key=public_key_data) |
|
462 |
+ client.sign(payload=vault.Vault.UUID, key=public_key_data) |
|
463 | 463 |
) |
464 | 464 |
assert signature == expected_signature, 'SSH signature mismatch' |
465 | 465 |
signature2 = bytes( |
466 |
- client.sign(payload=vault.Vault._UUID, key=public_key_data) |
|
466 |
+ client.sign(payload=vault.Vault.UUID, key=public_key_data) |
|
467 | 467 |
) |
468 | 468 |
assert signature2 == expected_signature, 'SSH signature mismatch' |
469 | 469 |
assert ( |
... | ... |
@@ -666,7 +666,7 @@ class TestVault: |
666 | 666 |
for key in ('lower', 'upper', 'number', 'space', 'dash', 'symbol'): |
667 | 667 |
if config[key] > 0: |
668 | 668 |
assert ( |
669 |
- sum(c in vault.Vault._CHARSETS[key] for c in password) |
|
669 |
+ sum(c in vault.Vault.CHARSETS[key] for c in password) |
|
670 | 670 |
>= config[key] |
671 | 671 |
), ( |
672 | 672 |
'Password does not satisfy ' |
... | ... |
@@ -678,7 +678,7 @@ class TestVault: |
678 | 678 |
assert True |
679 | 679 |
else: |
680 | 680 |
assert ( |
681 |
- sum(c in vault.Vault._CHARSETS[key] for c in password) == 0 |
|
681 |
+ sum(c in vault.Vault.CHARSETS[key] for c in password) == 0 |
|
682 | 682 |
), 'Password does not satisfy character ban constraints.' |
683 | 683 |
|
684 | 684 |
T = TypeVar('T', str, bytes) |
685 | 685 |