derivepassphrase.git

@@ -1056,68 +1056,6 @@ class TestPhraseAndKeyOverriding:

         ), "unexpected error output"

-# TODO(the-13th-letter): Assimilate into its descendant.

-class TestNotesPrinting000:

-    """Tests concerning printing the service notes: group 000."""

-

-    @hypothesis.given(

-        notes=strategies.text(

-            strategies.characters(

-                min_codepoint=32,

-                max_codepoint=126,

-                include_characters="\n",

-            ),

-            max_size=256,

-        ),

-    )

-    def test_207_service_with_notes_actually_prints_notes(

-        self,

-        notes: str,

-    ) -> None:

-        """Service notes are printed, if they exist."""

-        hypothesis.assume("Error:" not in notes)

-        runner = machinery.CliRunner(mix_stderr=False)

-        # TODO(the-13th-letter): Rewrite using parenthesized

-        # with-statements.

-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

-        with contextlib.ExitStack() as stack:

-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

-            stack.enter_context(

-                pytest_machinery.isolated_vault_config(

-                    monkeypatch=monkeypatch,

-                    runner=runner,

-                    vault_config={

-                        "global": {

-                            "phrase": DUMMY_PASSPHRASE,

-                        },

-                        "services": {

-                            DUMMY_SERVICE: {

-                                "notes": notes,

-                                **DUMMY_CONFIG_SETTINGS,

-                            },

-                        },

-                    },

-                )

-            )

-            result = runner.invoke(

-                cli.derivepassphrase_vault,

-                ["--", DUMMY_SERVICE],

-            )

-        assert result.clean_exit(), "expected clean exit"

-        assert result.stdout, "expected program output"

-        assert result.stdout.strip() == DUMMY_RESULT_PASSPHRASE.decode(

-            "ascii"

-        ), "expected known program output"

-        assert result.stderr or not notes.strip(), "expected stderr"

-        assert "Error:" not in result.stderr, (

-            "expected no error messages on stderr"

-        )

-        assert result.stderr.strip() == notes.strip(), (

-            "expected known stderr contents"

-        )

-

-

-# TODO(the-13th-letter): Assimilate the descendants.

 class TestInvalidCommandLines:

     """Tests concerning invalid command-lines."""

@@ -1320,6 +1258,52 @@ class TestInvalidCommandLines:

             "expected error exit and known error message"

         )

+    def test_no_arguments(self) -> None:

+        """Calling `derivepassphrase vault` without any arguments fails."""

+        runner = machinery.CliRunner(mix_stderr=False)

+        # TODO(the-13th-letter): Rewrite using parenthesized

+        # with-statements.

+        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

+        with contextlib.ExitStack() as stack:

+            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

+            stack.enter_context(

+                pytest_machinery.isolated_config(

+                    monkeypatch=monkeypatch,

+                    runner=runner,

+                )

+            )

+            result = runner.invoke(

+                cli.derivepassphrase_vault, [], catch_exceptions=False

+            )

+        assert result.error_exit(

+            error="Deriving a passphrase requires a SERVICE"

+        ), "expected error exit and known error message"

+

+    def test_no_passphrase_or_key(

+        self,

+    ) -> None:

+        """Deriving a passphrase without a passphrase or key fails."""

+        runner = machinery.CliRunner(mix_stderr=False)

+        # TODO(the-13th-letter): Rewrite using parenthesized

+        # with-statements.

+        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

+        with contextlib.ExitStack() as stack:

+            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

+            stack.enter_context(

+                pytest_machinery.isolated_config(

+                    monkeypatch=monkeypatch,

+                    runner=runner,

+                )

+            )

+            result = runner.invoke(

+                cli.derivepassphrase_vault,

+                ["--", DUMMY_SERVICE],

+                catch_exceptions=False,

+            )

+        assert result.error_exit(error="No passphrase or key was given"), (

+            "expected error exit and known error message"

+        )

+

 class TestImportConfigValid:

     """Tests concerning `vault` configuration imports: valid imports."""

@@ -1731,9 +1715,64 @@ class TestExportConfigInvalid:

         )

-# TODO(the-13th-letter): Assimilate the parent.

-class TestNotesPrinting001:

-    """Tests concerning printing the service notes: group 001."""

+class TestNotesPrinting:

+    """Tests concerning printing the service notes."""

+

+    @hypothesis.given(

+        notes=strategies.text(

+            strategies.characters(

+                min_codepoint=32,

+                max_codepoint=126,

+                include_characters="\n",

+            ),

+            max_size=256,

+        ),

+    )

+    def test_service_with_notes_actually_prints_notes(

+        self,

+        notes: str,

+    ) -> None:

+        """Service notes are printed, if they exist."""

+        hypothesis.assume("Error:" not in notes)

+        runner = machinery.CliRunner(mix_stderr=False)

+        # TODO(the-13th-letter): Rewrite using parenthesized

+        # with-statements.

+        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

+        with contextlib.ExitStack() as stack:

+            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

+            stack.enter_context(

+                pytest_machinery.isolated_vault_config(

+                    monkeypatch=monkeypatch,

+                    runner=runner,

+                    vault_config={

+                        "global": {

+                            "phrase": DUMMY_PASSPHRASE,

+                        },

+                        "services": {

+                            DUMMY_SERVICE: {

+                                "notes": notes,

+                                **DUMMY_CONFIG_SETTINGS,

+                            },

+                        },

+                    },

+                )

+            )

+            result = runner.invoke(

+                cli.derivepassphrase_vault,

+                ["--", DUMMY_SERVICE],

+            )

+        assert result.clean_exit(), "expected clean exit"

+        assert result.stdout, "expected program output"

+        assert result.stdout.strip() == DUMMY_RESULT_PASSPHRASE.decode(

+            "ascii"

+        ), "expected known program output"

+        assert result.stderr or not notes.strip(), "expected stderr"

+        assert "Error:" not in result.stderr, (

+            "expected no error messages on stderr"

+        )

+        assert result.stderr.strip() == notes.strip(), (

+            "expected known stderr contents"

+        )

     @Parametrize.NOTES_PLACEMENT

     @hypothesis.given(

@@ -2266,7 +2305,6 @@ class TestNotesEditingInvalid:

             assert config == vault_config

-# TODO(the-13th-letter): Assimilate the descendants.

 class TestStoringConfigurationSuccesses:

     """Tests concerning storing the configuration: successes."""

@@ -2317,8 +2355,53 @@ class TestStoringConfigurationSuccesses:

             )

             assert_vault_config_is_indented_and_line_broken(config_txt)

+    def test_config_directory_nonexistant(

+        self,

+    ) -> None:

+        """Running without an existing config directory works.

+

+        This is a regression test; see [issue\u00a0#6][] for context.

+        See also

+        [TestStoringConfigurationFailures001.test_config_directory_not_a_file][]

+        for a related aspect of this.

+

+        [issue #6]: https://github.com/the-13th-letter/derivepassphrase/issues/6

+

+        """

+        runner = machinery.CliRunner(mix_stderr=False)

+        # TODO(the-13th-letter): Rewrite using parenthesized

+        # with-statements.

+        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

+        with contextlib.ExitStack() as stack:

+            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

+            stack.enter_context(

+                pytest_machinery.isolated_config(

+                    monkeypatch=monkeypatch,

+                    runner=runner,

+                )

+            )

+            with contextlib.suppress(FileNotFoundError):

+                shutil.rmtree(cli_helpers.config_filename(subsystem=None))

+            result = runner.invoke(

+                cli.derivepassphrase_vault,

+                ["--config", "-p"],

+                catch_exceptions=False,

+                input="abc\n",

+            )

+            assert result.clean_exit(), "expected clean exit"

+            assert result.stderr == "Passphrase:", (

+                "program unexpectedly failed?!"

+            )

+            with cli_helpers.config_filename(subsystem="vault").open(

+                encoding="UTF-8"

+            ) as infile:

+                config_readback = json.load(infile)

+            assert config_readback == {

+                "global": {"phrase": "abc"},

+                "services": {},

+            }, "config mismatch"

+

-# TODO(the-13th-letter): Assimilate the descendants.

 class TestStoringConfigurationFailures:

     """Tests concerning storing the configuration: failures."""

@@ -2660,113 +2743,6 @@ class TestStoringConfigurationFailures:

             "expected error exit and known error message"

         )

-

-# TODO(the-13th-letter): Assimilate the parent.

-class TestInvalidCommandLines001(TestInvalidCommandLines):

-    """Tests concerning invalid command-lines: group 001."""

-

-    def test_no_arguments(self) -> None:

-        """Calling `derivepassphrase vault` without any arguments fails."""

-        runner = machinery.CliRunner(mix_stderr=False)

-        # TODO(the-13th-letter): Rewrite using parenthesized

-        # with-statements.

-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

-        with contextlib.ExitStack() as stack:

-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

-            stack.enter_context(

-                pytest_machinery.isolated_config(

-                    monkeypatch=monkeypatch,

-                    runner=runner,

-                )

-            )

-            result = runner.invoke(

-                cli.derivepassphrase_vault, [], catch_exceptions=False

-            )

-        assert result.error_exit(

-            error="Deriving a passphrase requires a SERVICE"

-        ), "expected error exit and known error message"

-

-    def test_no_passphrase_or_key(

-        self,

-    ) -> None:

-        """Deriving a passphrase without a passphrase or key fails."""

-        runner = machinery.CliRunner(mix_stderr=False)

-        # TODO(the-13th-letter): Rewrite using parenthesized

-        # with-statements.

-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

-        with contextlib.ExitStack() as stack:

-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

-            stack.enter_context(

-                pytest_machinery.isolated_config(

-                    monkeypatch=monkeypatch,

-                    runner=runner,

-                )

-            )

-            result = runner.invoke(

-                cli.derivepassphrase_vault,

-                ["--", DUMMY_SERVICE],

-                catch_exceptions=False,

-            )

-        assert result.error_exit(error="No passphrase or key was given"), (

-            "expected error exit and known error message"

-        )

-

-

-# TODO(the-13th-letter): Assimilate into the parent.

-class TestStoringConfigurationSuccesses001:

-    """Tests concerning storing the configuration: successes, group 001."""

-

-    def test_config_directory_nonexistant(

-        self,

-    ) -> None:

-        """Running without an existing config directory works.

-

-        This is a regression test; see [issue\u00a0#6][] for context.

-        See also

-        [TestStoringConfigurationFailures001.test_config_directory_not_a_file][]

-        for a related aspect of this.

-

-        [issue #6]: https://github.com/the-13th-letter/derivepassphrase/issues/6

-

-        """

-        runner = machinery.CliRunner(mix_stderr=False)

-        # TODO(the-13th-letter): Rewrite using parenthesized

-        # with-statements.

-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

-        with contextlib.ExitStack() as stack:

-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

-            stack.enter_context(

-                pytest_machinery.isolated_config(

-                    monkeypatch=monkeypatch,

-                    runner=runner,

-                )

-            )

-            with contextlib.suppress(FileNotFoundError):

-                shutil.rmtree(cli_helpers.config_filename(subsystem=None))

-            result = runner.invoke(

-                cli.derivepassphrase_vault,

-                ["--config", "-p"],

-                catch_exceptions=False,

-                input="abc\n",

-            )

-            assert result.clean_exit(), "expected clean exit"

-            assert result.stderr == "Passphrase:", (

-                "program unexpectedly failed?!"

-            )

-            with cli_helpers.config_filename(subsystem="vault").open(

-                encoding="UTF-8"

-            ) as infile:

-                config_readback = json.load(infile)

-            assert config_readback == {

-                "global": {"phrase": "abc"},

-                "services": {},

-            }, "config mismatch"

-

-

-# TODO(the-13th-letter): Assimilate into the parent.

-class TestStoringConfigurationFailures001:

-    """Tests concerning storing the configuration: failures, group 001."""

-

     def test_config_directory_not_a_file(

         self,

     ) -> None:

@@ -2818,42 +2794,6 @@ class TestStoringConfigurationFailures001:

                 "expected error exit and known error message"

             )

-    # TODO(the-13th-letter): Remove this test, because it is basically

-    # the same as

-    # TestStoringConfigurationFailures.test_fail_because_of_custom_error.

-    def test_store_config_custom_error(

-        self,

-    ) -> None:

-        """Storing the configuration reacts even to weird errors."""

-        runner = machinery.CliRunner(mix_stderr=False)

-        # TODO(the-13th-letter): Rewrite using parenthesized

-        # with-statements.

-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

-        with contextlib.ExitStack() as stack:

-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

-            stack.enter_context(

-                pytest_machinery.isolated_config(

-                    monkeypatch=monkeypatch,

-                    runner=runner,

-                )

-            )

-            custom_error = "custom error message"

-

-            def raiser(config: Any) -> None:

-                del config

-                raise RuntimeError(custom_error)

-

-            monkeypatch.setattr(cli_helpers, "save_config", raiser)

-            result = runner.invoke(

-                cli.derivepassphrase_vault,

-                ["--config", "-p"],

-                catch_exceptions=False,

-                input="abc\n",

-            )

-            assert result.error_exit(error=custom_error), (

-                "expected error exit and known error message"

-            )

-

 class TestPassphraseUnicodeNormalization:

     """Tests concerning the Unicode normalization of passphrases."""

@@ -56,7 +56,6 @@ class Parametrize(test_000_basic.Parametrize, test_utils.Parametrize):

     )

-# TODO(the-13th-letter): Assimilate the descendants.

 class TestConfigMigrationMachinery:

     """Tests for the configuration file migration machinery."""

@@ -162,6 +161,36 @@ class TestConfigMigrationMachinery:

             ):

                 cli_helpers.migrate_and_load_old_config()

+    def test_completion_supports_old_config_file(

+        self,

+    ) -> None:

+        """Completing service names from the old settings file works."""

+        config = {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()}}

+        runner = machinery.CliRunner(mix_stderr=False)

+        # TODO(the-13th-letter): Rewrite using parenthesized

+        # with-statements.

+        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

+        with contextlib.ExitStack() as stack:

+            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

+            stack.enter_context(

+                pytest_machinery.isolated_vault_config(

+                    monkeypatch=monkeypatch,

+                    runner=runner,

+                    vault_config=config,

+                )

+            )

+            old_name = cli_helpers.config_filename(

+                subsystem="old settings.json"

+            )

+            new_name = cli_helpers.config_filename(subsystem="vault")

+            old_name.unlink(missing_ok=True)

+            new_name.rename(old_name)

+            assert cli_helpers.shell_complete_service(

+                click.Context(cli.derivepassphrase),

+                click.Argument(["some_parameter"]),

+                "",

+            ) == [DUMMY_SERVICE]

+

 class TestArgumentForwarding:

     """Tests for the argument forwarding up to v1.0."""

@@ -403,38 +432,3 @@ class TestConfigMigration:

         assert machinery.warning_emitted(

             "Failed to migrate to ", caplog.record_tuples

         ), "expected known warning message in stderr"

-

-

-# TODO(the-13th-letter): Assimilate into the parent.

-class TestConfigMigrationMachinery001(TestConfigMigrationMachinery):

-    """Tests for the configuration file migration machinery, group 001."""

-

-    def test_completion_supports_old_config_file(

-        self,

-    ) -> None:

-        """Completing service names from the old settings file works."""

-        config = {"services": {DUMMY_SERVICE: DUMMY_CONFIG_SETTINGS.copy()}}

-        runner = machinery.CliRunner(mix_stderr=False)

-        # TODO(the-13th-letter): Rewrite using parenthesized

-        # with-statements.

-        # https://the13thletter.info/derivepassphrase/latest/pycompatibility/#after-eol-py3.9

-        with contextlib.ExitStack() as stack:

-            monkeypatch = stack.enter_context(pytest.MonkeyPatch.context())

-            stack.enter_context(

-                pytest_machinery.isolated_vault_config(

-                    monkeypatch=monkeypatch,

-                    runner=runner,

-                    vault_config=config,

-                )

-            )

-            old_name = cli_helpers.config_filename(

-                subsystem="old settings.json"

-            )

-            new_name = cli_helpers.config_filename(subsystem="vault")

-            old_name.unlink(missing_ok=True)

-            new_name.rename(old_name)

-            assert cli_helpers.shell_complete_service(

-                click.Context(cli.derivepassphrase),

-                click.Argument(["some_parameter"]),

-                "",

-            ) == [DUMMY_SERVICE]

@@ -785,25 +785,6 @@ class TestStaticFunctionality:

         return ssh_agent.SSHAgentClient.string(unstringed)

-class TestObsolete001:

-    """Obsolete tests: group 001."""

-

-    # TODO(the-13th-letter): Remove this test. The test key data has its

-    # own set of tests now.

-    @Parametrize.PUBLIC_KEY_DATA

-    def test_100_key_decoding(

-        self,

-        public_key_struct: data.SSHTestKey,

-    ) -> None:

-        """The [`tests.ALL_KEYS`][] public key data looks sane."""

-        keydata = base64.b64decode(

-            public_key_struct.public_key.split(None, 2)[1]

-        )

-        assert keydata == public_key_struct.public_key_data, (

-            "recorded public key data doesn't match"

-        )

-

-

 class TestShellExportScriptParsing:

     """Test the shell export script parsing utility function."""

@@ -952,6 +933,44 @@ class TestSSHProtocolDatatypes(TestStaticFunctionality):

                 assert canon1(encoded) == canon2(encoded)

                 assert canon1(canon2(encoded)) == canon1(encoded)

+    @Parametrize.UINT32_EXCEPTIONS

+    def test_uint32_exceptions(

+        self, input: int, exc_type: type[Exception], exc_pattern: str

+    ) -> None:

+        """`uint32` encoding fails for out-of-bound values."""

+        uint32 = ssh_agent.SSHAgentClient.uint32

+        with pytest.raises(exc_type, match=exc_pattern):

+            uint32(input)

+

+    @Parametrize.SSH_STRING_EXCEPTIONS

+    def test_string_exceptions(

+        self, input: Any, exc_type: type[Exception], exc_pattern: str

+    ) -> None:

+        """SSH string encoding fails for non-strings."""

+        string = ssh_agent.SSHAgentClient.string

+        with pytest.raises(exc_type, match=exc_pattern):

+            string(input)

+

+    @Parametrize.SSH_UNSTRING_EXCEPTIONS

+    def test_unstring_exceptions(

+        self,

+        input: bytes | bytearray,

+        exc_type: type[Exception],

+        exc_pattern: str,

+        has_trailer: bool,

+        parts: tuple[bytes | bytearray, bytes | bytearray] | None,

+    ) -> None:

+        """SSH string decoding fails for invalid values."""

+        unstring = ssh_agent.SSHAgentClient.unstring

+        unstring_prefix = ssh_agent.SSHAgentClient.unstring_prefix

+        with pytest.raises(exc_type, match=exc_pattern):

+            unstring(input)

+        if has_trailer:

+            assert tuple(bytes(x) for x in unstring_prefix(input)) == parts

+        else:

+            with pytest.raises(exc_type, match=exc_pattern):

+                unstring_prefix(input)

+

 class TestSSHAgentSocketProviderRegistry:

     """Tests for the SSH agent socket provider registry."""

@@ -1102,54 +1121,6 @@ class TestSSHAgentSocketProviderRegistry:

             stack.enter_context(pytest.raises(AssertionError))

             socketprovider.SocketProvider._find_all_ssh_agent_socket_providers()

-

-# TODO(the-13th-letter): Assimilate into base class.

-class TestSSHProtocolDatatypes001(TestSSHProtocolDatatypes):

-    """More tests for the utility functions for the SSH protocol datatypes."""

-

-    @Parametrize.UINT32_EXCEPTIONS

-    def test_uint32_exceptions(

-        self, input: int, exc_type: type[Exception], exc_pattern: str

-    ) -> None:

-        """`uint32` encoding fails for out-of-bound values."""

-        uint32 = ssh_agent.SSHAgentClient.uint32

-        with pytest.raises(exc_type, match=exc_pattern):

-            uint32(input)

-

-    @Parametrize.SSH_STRING_EXCEPTIONS

-    def test_string_exceptions(

-        self, input: Any, exc_type: type[Exception], exc_pattern: str

-    ) -> None:

-        """SSH string encoding fails for non-strings."""

-        string = ssh_agent.SSHAgentClient.string

-        with pytest.raises(exc_type, match=exc_pattern):

-            string(input)

-

-    @Parametrize.SSH_UNSTRING_EXCEPTIONS

-    def test_unstring_exceptions(

-        self,

-        input: bytes | bytearray,

-        exc_type: type[Exception],

-        exc_pattern: str,

-        has_trailer: bool,

-        parts: tuple[bytes | bytearray, bytes | bytearray] | None,

-    ) -> None:

-        """SSH string decoding fails for invalid values."""

-        unstring = ssh_agent.SSHAgentClient.unstring

-        unstring_prefix = ssh_agent.SSHAgentClient.unstring_prefix

-        with pytest.raises(exc_type, match=exc_pattern):

-            unstring(input)

-        if has_trailer:

-            assert tuple(bytes(x) for x in unstring_prefix(input)) == parts

-        else:

-            with pytest.raises(exc_type, match=exc_pattern):

-                unstring_prefix(input)

-

-

-# TODO(the-13th-letter): Assimilate into base class.

-class TestSSHAgentSocketProviderRegistry001(TestSSHAgentSocketProviderRegistry):

-    """More tests for the SSH agent socket provider registry."""

-

     def test_already_registered(

         self,

     ) -> None:

@@ -138,6 +138,10 @@ class TestPhraseDependence:

             max_size=BLOCK_SIZE // 2,

         ),

     )

+    @hypothesis.example(phrases=[b"\x00", b"\x00\x00"], service="0").xfail(

+        reason="phrases are interchangable",

+        raises=AssertionError,

+    )

     def test_small(

         self,

         phrases: list[bytes],

@@ -227,6 +231,23 @@ class TestPhraseDependence:

             max_size=BLOCK_SIZE // 2,

         ),

     )

+    @hypothesis.example(

+        phrases=[

+            (

+                b"plnlrtfpijpuhqylxbgqiiyipieyxvfs"

+                b"avzgxbbcfusqkozwpngsyejqlmjsytrmd"

+            ),

+            b"eBkXQTfuBqp'cTcar&g*",

+        ],

+        service="any service name here",

+    ).xfail(

+        reason=(

+            "phrases are interchangable (Wikipedia example:"

+            "https://en.wikipedia.org/w/index.php?title=PBKDF2&oldid=1264881215#HMAC_collisions"

+            ")"

+        ),

+        raises=AssertionError,

+    )

     def test_mixed(

         self,

         phrases: list[bytes],

@@ -241,6 +262,46 @@ class TestPhraseDependence:

             phrase=phrases[0], service=service

         ) != vault.Vault.create_hash(phrase=phrases[1], service=service)

+    @hypothesis.given(

+        phrases=strategies.lists(

+            strategies.text(

+                strategies.characters(min_codepoint=32, max_codepoint=126),

+                min_size=1,

+                max_size=32,

+            ),

+            min_size=2,

+            max_size=2,

+            unique=True,

+        ),

+        config=hypothesis_machinery.vault_full_service_config(),

+        service=strategies.text(

+            strategies.characters(min_codepoint=32, max_codepoint=126),

+            min_size=1,

+            max_size=32,

+        ),

+    )

+    def test_phrase_dependence_with_config(

+        self,

+        phrases: list[str],

+        config: dict[str, int],

+        service: bytes,

+    ) -> None:

+        """The derived passphrase is dependent on the master passphrase."""

+        try:

+            assert vault.Vault(phrase=phrases[0], **config).generate(

+                service

+            ) != vault.Vault(phrase=phrases[1], **config).generate(service)

+        except ValueError as exc:  # pragma: no cover

+            # The service configuration strategy attempts to only

+            # generate satisfiable configurations.  It is possible,

+            # though rare, that this fails, and that unsatisfiability is

+            # only recognized when actually deriving a passphrase.  In

+            # that case, reject the generated configuration.

+            hypothesis.assume("no allowed characters left" not in exc.args)

+            # Otherwise it's a genuine bug in the test case or the

+            # implementation, and should be raised.

+            raise

+

 class TestServiceNameDependence:

     """Test the dependence of the internal hash on the service name."""

@@ -268,6 +329,46 @@ class TestServiceNameDependence:

             phrase=phrase, service=services[0]

         ) != vault.Vault.create_hash(phrase=phrase, service=services[1])

+    @hypothesis.given(

+        phrase=strategies.text(

+            strategies.characters(min_codepoint=32, max_codepoint=126),

+            min_size=1,

+            max_size=32,

+        ),

+        config=hypothesis_machinery.vault_full_service_config(),

+        services=strategies.lists(

+            strategies.text(

+                strategies.characters(min_codepoint=32, max_codepoint=126),

+                min_size=1,

+                max_size=32,

+            ),

+            min_size=2,

+            max_size=2,

+            unique=True,

+        ),

+    )

+    def test_service_name_dependence_with_config(

+        self,

+        phrase: str,

+        config: dict[str, int],

+        services: list[bytes],

+    ) -> None:

+        """The derived passphrase is dependent on the service name."""

+        try:

+            assert vault.Vault(phrase=phrase, **config).generate(

+                services[0]

+            ) != vault.Vault(phrase=phrase, **config).generate(services[1])

+        except ValueError as exc:  # pragma: no cover

+            # The service configuration strategy attempts to only

+            # generate satisfiable configurations.  It is possible,

+            # though rare, that this fails, and that unsatisfiability is

+            # only recognized when actually deriving a passphrase.  In

+            # that case, reject the generated configuration.

+            hypothesis.assume("no allowed characters left" not in exc.args)

+            # Otherwise it's a genuine bug in the test case or the

+            # implementation, and should be raised.

+            raise

+

 class TestInterchangablePhrases:

     """Test the interchangability of certain master passphrases."""

@@ -348,61 +449,6 @@ class TestBasicFunctionalityFromUpstream(TestVault):

             == b"n+oIz6sL>K*lTEWYRO%7"

         )

-    # TODO(the-13th-letter): Retire this test in favor of

-    # TestPhraseDependence.  The first example is a "short" example, the

-    # second is a "mixed" one.

-    @hypothesis.given(

-        phrases=strategies.lists(

-            strategies.binary(min_size=1, max_size=32),

-            min_size=2,

-            max_size=2,

-            unique=True,

-        ).filter(lambda tup: not phrases_are_interchangable(*tup)),

-        service=strategies.text(

-            strategies.characters(min_codepoint=32, max_codepoint=126),

-            min_size=1,

-            max_size=32,

-        ),

-    )

-    @hypothesis.example(phrases=[b"\x00", b"\x00\x00"], service="0").xfail(

-        reason="phrases are interchangable",

-        raises=AssertionError,

-    )

-    @hypothesis.example(

-        phrases=[

-            (

-                b"plnlrtfpijpuhqylxbgqiiyipieyxvfs"

-                b"avzgxbbcfusqkozwpngsyejqlmjsytrmd"

-            ),

-            b"eBkXQTfuBqp'cTcar&g*",

-        ],

-        service="any service name here",

-    ).xfail(

-        reason=(

-            "phrases are interchangable (Wikipedia example:"

-            "https://en.wikipedia.org/w/index.php?title=PBKDF2&oldid=1264881215#HMAC_collisions"

-            ")"

-        ),

-        raises=AssertionError,

-    )

-    def test_xxx_phrase_dependence(

-        self,

-        phrases: list[bytes],

-        service: str,

-    ) -> None:

-        """The derived passphrase is dependent on the master passphrase.

-

-        Certain pairs of master passphrases are known to be

-        interchangable; see [`vault.Vault.phrases_are_interchangable`][].

-        These are excluded from consideration by the hypothesis

-        strategy.

-

-        """

-        # See test_100_create_hash_phrase_dependence for context.

-        assert vault.Vault(phrase=phrases[0]).generate(service) != vault.Vault(

-            phrase=phrases[1]

-        ).generate(service)

-

 class TestStringAndBinaryExchangability(TestVault):

     """Test the exchangability of text and byte strings in the "vault" scheme.

@@ -502,76 +548,8 @@ class TestStringAndBinaryExchangability(TestVault):

                 "service name generate different passphrases"

             )

-    # TODO(the-13th-letter): Retire this test in favor of

-    # TestServiceNameDependence.

-    @hypothesis.given(

-        phrase=strategies.text(

-            strategies.characters(min_codepoint=32, max_codepoint=126),

-            min_size=1,

-            max_size=32,

-        ),

-        services=strategies.lists(

-            strategies.binary(min_size=1, max_size=32),

-            min_size=2,

-            max_size=2,

-            unique=True,

-        ),

-    )

-    def test_xxx_service_name_dependence(

-        self,

-        phrase: str,

-        services: list[bytes],

-    ) -> None:

-        """The derived passphrase is dependent on the service name."""

-        assert vault.Vault(phrase=phrase).generate(services[0]) != vault.Vault(

-            phrase=phrase

-        ).generate(services[1])

-

-    # TODO(the-13th-letter): Move this test into TestServiceNameDependence

-    # and write a counterpart for TestPhraseDependence. Or, generalize

-    # this test into a class TestConfigDependence.

-    @hypothesis.given(

-        phrase=strategies.text(

-            strategies.characters(min_codepoint=32, max_codepoint=126),

-            min_size=1,

-            max_size=32,

-        ),

-        config=hypothesis_machinery.vault_full_service_config(),

-        services=strategies.lists(

-            strategies.binary(min_size=1, max_size=32),

-            min_size=2,

-            max_size=2,

-            unique=True,

-        ),

-    )

-    def test_service_name_dependence_with_config(

-        self,

-        phrase: str,

-        config: dict[str, int],

-        services: list[bytes],

-    ) -> None:

-        """The derived passphrase is dependent on the service name."""

-        try:

-            assert vault.Vault(phrase=phrase, **config).generate(

-                services[0]

-            ) != vault.Vault(phrase=phrase, **config).generate(services[1])

-        except ValueError as exc:  # pragma: no cover

-            # The service configuration strategy attempts to only

-            # generate satisfiable configurations.  It is possible,

-            # though rare, that this fails, and that unsatisfiability is

-            # only recognized when actually deriving a passphrase.  In

-            # that case, reject the generated configuration.

-            hypothesis.assume("no allowed characters left" not in exc.args)

-            # Otherwise it's a genuine bug in the test case or the

-            # implementation, and should be raised.

-            raise

-

-

-# TODO(the-13th-letter): State machine, for master passphrase, service

-# name and config dependence?

-

-class TestConstraintSatisfactionFromUpstream001(TestVault):

+class TestConstraintSatisfactionFromUpstream(TestVault):

     """Test passphrase derivation with the "vault" scheme: upstream tests."""

     def test_nonstandard_length(self) -> None:

@@ -581,36 +559,6 @@ class TestConstraintSatisfactionFromUpstream001(TestVault):

             == b"xDFu"

         )

-

-class TestConstraintSatisfactionThoroughness001(TestVault):

-    """Test passphrase derivation with the "vault" scheme: constraint satisfaction."""

-

-    @hypothesis.given(

-        phrase=strategies.one_of(

-            strategies.binary(min_size=1, max_size=100),

-            strategies.text(

-                min_size=1,

-                max_size=100,

-                alphabet=strategies.characters(max_codepoint=255),

-            ),

-        ),

-        length=strategies.integers(min_value=1, max_value=200),

-        service=strategies.text(min_size=1, max_size=100),

-    )

-    def test_password_with_length(

-        self,

-        phrase: str | bytes,

-        length: int,

-        service: str,

-    ) -> None:

-        """Derived passphrases have the requested length."""

-        password = vault.Vault(phrase=phrase, length=length).generate(service)

-        assert len(password) == length

-

-

-class TestConstraintSatisfactionFromUpstream002(TestVault):

-    """Test passphrase derivation with the "vault" scheme: upstream tests."""

-

     def test_repetition_limit(self) -> None:

         """Deriving a passphrase adheres to imposed repetition limits."""

         assert (

@@ -674,8 +622,102 @@ class TestConstraintSatisfactionFromUpstream002(TestVault):

             == b": : fv_wqt>a-4w1S  R"

         )

+    def test_only_numbers_and_very_high_repetition_limit(self) -> None:

+        """Deriving a passphrase adheres to imposed repetition limits.

+

+        This example is checked explicitly against forbidden substrings.

+

+        """

+        generated = vault.Vault(

+            phrase=b"",

+            length=40,

+            lower=0,

+            upper=0,

+            space=0,

+            dash=0,

+            symbol=0,

+            repeat=4,

+        ).generate("abcdef")

+        forbidden_substrings = {

+            b"0000",

+            b"1111",

+            b"2222",

+            b"3333",

+            b"4444",

+            b"5555",

+            b"6666",

+            b"7777",

+            b"8888",

+            b"9999",

+        }

+        for substring in forbidden_substrings:

+            assert substring not in generated

+

+    def test_very_limited_character_set(self) -> None:

+        """Deriving a passphrase works even with limited character sets."""

+        generated = vault.Vault(

+            phrase=b"", length=24, lower=0, upper=0, space=0, symbol=0

+        ).generate("testing")

+        assert generated == b"763252593304946694588866"

+

+

+class TestConstraintSatisfactionThoroughness(TestVault):

+    """Test passphrase derivation with the "vault" scheme: constraint satisfaction."""

+

+    @hypothesis.given(

+        phrase=strategies.one_of(

+            strategies.binary(min_size=1, max_size=100),

+            strategies.text(

+                min_size=1,

+                max_size=100,

+                alphabet=strategies.characters(max_codepoint=255),

+            ),

+        ),

+        length=strategies.integers(min_value=1, max_value=200),

+        service=strategies.text(min_size=1, max_size=100),

+    )

+    def test_password_with_length(

+        self,

+        phrase: str | bytes,

+        length: int,

+        service: str,

+    ) -> None:

+        """Derived passphrases have the requested length."""

+        password = vault.Vault(phrase=phrase, length=length).generate(service)

+        assert len(password) == length

+

+    # This test has time complexity `O(length * repeat)`, both of which

+    # are chosen by hypothesis and thus outside our control.

+    @hypothesis.settings(deadline=None)

+    @hypothesis.given(

+        phrase=strategies.one_of(

+            strategies.binary(min_size=1, max_size=100),

+            strategies.text(

+                min_size=1,

+                max_size=100,

+                alphabet=strategies.characters(max_codepoint=255),

+            ),

+        ),

+        length=strategies.integers(min_value=2, max_value=200),

+        repeat=strategies.integers(min_value=1, max_value=200),

+        service=strategies.text(min_size=1, max_size=1000),

+    )

+    def test_arbitrary_repetition_limit(

+        self,

+        phrase: str | bytes,

+        length: int,

+        repeat: int,

+        service: str,

+    ) -> None:

+        """Derived passphrases obey the given occurrence constraint."""

+        password = vault.Vault(

+            phrase=phrase, length=length, repeat=repeat

+        ).generate(service)

+        for i in range((length + 1) - (repeat + 1)):

+            assert len(set(password[i : i + repeat + 1])) > 1

+

-class TestConstraintSatisfactionHeavyDuty001(TestVault):

+class TestConstraintSatisfactionHeavyDuty(TestVault):

     """Test passphrase derivation with the "vault" scheme: constraint satisfaction."""

     @hypothesis.given(

@@ -780,86 +822,6 @@ class TestConstraintSatisfactionHeavyDuty001(TestVault):

                 )

-class TestConstraintSatisfactionFromUpstream003(TestVault):

-    """Test passphrase derivation with the "vault" scheme: upstream tests."""

-

-    def test_only_numbers_and_very_high_repetition_limit(self) -> None:

-        """Deriving a passphrase adheres to imposed repetition limits.

-

-        This example is checked explicitly against forbidden substrings.

-

-        """

-        generated = vault.Vault(

-            phrase=b"",

-            length=40,

-            lower=0,

-            upper=0,

-            space=0,

-            dash=0,

-            symbol=0,

-            repeat=4,

-        ).generate("abcdef")

-        forbidden_substrings = {

-            b"0000",

-            b"1111",

-            b"2222",

-            b"3333",

-            b"4444",

-            b"5555",

-            b"6666",

-            b"7777",

-            b"8888",

-            b"9999",

-        }

-        for substring in forbidden_substrings:

-            assert substring not in generated

-

-

-class TestConstraintSatisfactionThoroughness002(TestVault):

-    """Test passphrase derivation with the "vault" scheme: constraint satisfaction."""

-

-    # This test has time complexity `O(length * repeat)`, both of which

-    # are chosen by hypothesis and thus outside our control.

-    @hypothesis.settings(deadline=None)

-    @hypothesis.given(

-        phrase=strategies.one_of(

-            strategies.binary(min_size=1, max_size=100),

-            strategies.text(

-                min_size=1,

-                max_size=100,

-                alphabet=strategies.characters(max_codepoint=255),

-            ),

-        ),

-        length=strategies.integers(min_value=2, max_value=200),

-        repeat=strategies.integers(min_value=1, max_value=200),

-        service=strategies.text(min_size=1, max_size=1000),

-    )

-    def test_218a_arbitrary_repetition_limit(

-        self,

-        phrase: str | bytes,

-        length: int,

-        repeat: int,

-        service: str,

-    ) -> None:

-        """Derived passphrases obey the given occurrence constraint."""

-        password = vault.Vault(