Marco Ricci commited on 2024-11-26 14:03:34
Zeige 2 geänderte Dateien mit 10 Einfügungen und 4 Löschungen.
So far, the test suite was silently passing for me, because it requires either a patched version or a not-yet-released version of PuTTY to actually run the tests against Pageant (which is the main beneficiary of deterministic signature detection). Actually plugging in a suitable patched Pageant version revealed a couple of key places where we silently assume that the key type alone determines its suitability for `derivepassphrase`. This commit rectifies that.
| ... | ... |
@@ -511,6 +511,7 @@ def _get_suitable_ssh_keys( |
| 511 | 511 |
|
| 512 | 512 |
""" |
| 513 | 513 |
with ssh_agent.SSHAgentClient.ensure_agent_subcontext(conn) as client: |
| 514 |
+ has_deterministic_signatures = client.has_deterministic_signatures() |
|
| 514 | 515 |
try: |
| 515 | 516 |
all_key_comment_pairs = list(client.list_keys()) |
| 516 | 517 |
except EOFError as e: # pragma: no cover |
| ... | ... |
@@ -518,7 +519,10 @@ def _get_suitable_ssh_keys( |
| 518 | 519 |
suitable_keys = copy.copy(all_key_comment_pairs) |
| 519 | 520 |
for pair in all_key_comment_pairs: |
| 520 | 521 |
key, _comment = pair |
| 521 |
- if vault.Vault._is_suitable_ssh_key(key): # noqa: SLF001 |
|
| 522 |
+ if ( |
|
| 523 |
+ has_deterministic_signatures |
|
| 524 |
+ or vault.Vault._is_suitable_ssh_key(key) # noqa: SLF001 |
|
| 525 |
+ ): |
|
| 522 | 526 |
yield pair |
| 523 | 527 |
if not suitable_keys: # pragma: no cover |
| 524 | 528 |
raise LookupError(_NO_USABLE_KEYS) |
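Review bot: The `has_deterministic_signatures or …` condition in the selection loop accepts every key the agent lists on the strength of one agent-wide answer, and nothing at that `if` says why this is safe. The suitability check appears to exist because a passphrase derived from a signature is only reproducible when the signature is, so I would add a comment above the condition such as `# An agent with deterministic signatures makes every key type usable; otherwise fall back to the per-key-type check.` and confirm that the agent's guarantee covers every key type it can hold, which is not visible here. The new call also sits outside the `try` that handles `EOFError` from `list_keys()`; if `has_deterministic_signatures()` talks to the agent (not shown), moving the assignment to the first line inside that `try` would route a dropped connection through the same handler. `_get_suitable_ssh_keys` starts and ends outside these hunks.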
| ... | ... |
@@ -275,6 +275,8 @@ class TestAgentInteraction: |
| 275 | 275 |
_ = data_dict['expected_signature'] |
| 276 | 276 |
if public_key_data not in key_comment_pairs: # pragma: no cover |
| 277 | 277 |
pytest.skip('prerequisite SSH key not loaded')
|
| 278 |
+ if client.has_deterministic_signatures(): |
|
| 279 |
+ pytest.skip('agent ensures all keys are suitable')
|
|
| 278 | 280 |
with pytest.raises(ValueError, match='unsuitable SSH key'): |
| 279 | 281 |
vault.Vault.phrase_from_key(public_key_data) |
| 280 | 282 |
|
| ... | ... |
@@ -289,14 +291,14 @@ class TestAgentInteraction: |
| 289 | 291 |
def test_210_ssh_key_selector( |
| 290 | 292 |
self, |
| 291 | 293 |
monkeypatch: pytest.MonkeyPatch, |
| 292 |
- running_ssh_agent: str, |
|
| 294 |
+ ssh_agent_client_with_test_keys_loaded: ssh_agent.SSHAgentClient, |
|
| 293 | 295 |
key: bytes, |
| 294 | 296 |
single: bool, |
| 295 | 297 |
) -> None: |
| 296 |
- del running_ssh_agent |
|
| 298 |
+ client = ssh_agent_client_with_test_keys_loaded |
|
| 297 | 299 |
|
| 298 | 300 |
def key_is_suitable(key: bytes) -> bool: |
| 299 |
- return key in {
|
|
| 301 |
+ return client.has_deterministic_signatures() or key in {
|
|
| 300 | 302 |
v['public_key_data'] for v in tests.SUPPORTED_KEYS.values() |
| 301 | 303 |
} |
| 302 | 304 |
|
| 303 | 305 |
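Review bot: The new `pytest.skip('agent ensures all keys are suitable')` in the first test hunk leaves the formerly unsuitable keys with no assertion at all when the agent reports deterministic signatures, so the behaviour this commit enables is not exercised by this test. Instead of skipping, that branch could assert the positive case, e.g. `assert vault.Vault.phrase_from_key(public_key_data)` followed by `return`, unless a test outside these hunks already covers it. In `test_210_ssh_key_selector`, `key_is_suitable` queries `client.has_deterministic_signatures()` on every call; reading it once into a local before the closure would match how `_get_suitable_ssh_keys` caches the answer. `client` in the first hunk is defined outside the hunk, and both test bodies continue beyond the lines shown.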