https://git.schokokeks.org/derivepassphrase.git/tree/369ca71eaa5b58f91a1b31e6e0bbecd87db4a488
Recent commits to derivepassphrase.git (369ca71eaa5b58f91a1b31e6e0bbecd87db4a488)
2026-02-08T16:02:18+01:00

tag:gitlist.org,2012:commit/369ca71eaa5b58f91a1b31e6e0bbecd87db4a488
Add tests for explicit SSH agent socket provider selection
2026-02-08T16:02:18+01:00
Marco Ricci software@the13thletter.info
<pre>Extend the vault CLI tests for basic SSH key usage to also cover the SSH
agent socket provider choice case. We split up the monolithic `_test`
helper function into separate `_setup_environment` and `_check_result`
functions, so that we can share common setup code (including fixtures
and parametrizations), but use different result testing code. We also
extend the `_setup_environment` code to handle main user configuration
mocking and SSH agent socket provider registry mocking as well, even if
the basic key tests don't use this functionality.
</pre>
tag:gitlist.org,2012:commit/b47aeba92dcb366450841a5f480f0d47d0cd4785
Error out correctly when an invalid SSH agent socket provider is specified
2026-02-08T13:40:06+01:00
Marco Ricci software@the13thletter.info
<pre>Issue the correct error message when an SSH agent socket provider is
specified via command-line options or via user configuration, but the
socket provider does not appear in the registry.

Previously, due to a technicality, this would be treated the same as the
`SSH_AUTH_SOCK` environment variable missing, and would issue the same
error message. This is, of course, blatantly false, and has now been
corrected.
</pre>
tag:gitlist.org,2012:commit/04d675f8ef255a5e68589a6a132490a424595216
Support specifying the SSH agent socket provider via CLI or configuration
2026-02-08T13:00:41+01:00
Marco Ricci software@the13thletter.info
<pre>Add a designated entry `vault.ssh-agent-socket-provider` to the
`derivepassphrase` main configuration and the new option
`--ssh-agent-socket-provider` to the `derivepassphrase vault`
command-line interface. These both specify a specific SSH agent socket
provider to use, instead of the built-in default provider list. The
command-line option has precedence over the user configuration.

In complementary work, streamline the construction of SSH agent client
contexts and the querying of configuration files in `derivepassphrase
vault`'s main program: provide a `get_configured_connection_hint` for
the former, and harmonize function signatures and call responsibilities
for the latter.
</pre>
tag:gitlist.org,2012:commit/1480df53a6ad1f89fb2a570eb7d38f5e10a06e03
Document platform-specific coverage exclusion markers
2026-02-01T20:51:53+01:00
Marco Ricci software@the13thletter.info
<pre></pre>
tag:gitlist.org,2012:commit/9207fef5eb8663a3246f18239c9b648fbdd3a090
Work around non-reentrant SSH agent sockets/clients
2026-02-01T20:38:39+01:00
Marco Ricci software@the13thletter.info
<pre>Mark some tests as needing the ability to construct a second SSH agent
client (on the same socket address) while another one is still
connected. This works with most agents, except `gpg-agent` on The
Annoying OS when masquerading as OpenSSH's `ssh-agent`. Presumably,
`gpg-agent` handles the requests with a single thread, non-multiplexed,
and so blocks all other agent clients from progressing. The symptoms
are blocking during the connect call, then failing with "socket address
not found" immediately once the other client closes its connection.

We address the affected tests by monkeypatching the
`ssh_agent.SSHAgentClient.ensure_agent_subcontext` context manager – the
main way `derivepassphrase` internally interacts with the SSH agent – to
return a singleton agent: the agent provided to the test function (via
a fixture). We implement this as a machinery function to set up the
environment explicitly, because this functionality is hard to set up
usefully as a test fixture: it interferes with testing SSH agent client
constructor failures, and *those* are sometimes implemented as single
`pytest.param`s of a common test function, but the test function cannot
dynamically adapt the set of applicable fixtures to the specific
parametrization.

While specifically designed for use with `gpg-agent` on The Annoying OS,
the interface is general in nature, and can be used with any declared
SSH agent (except the fake agents). Since this internally works
similarly to the "permitted SSH agents" feature of the test suite, we
generalize the latter slightly to allow implementing the former.
</pre>
tag:gitlist.org,2012:commit/9d4a186f43ffb9dba80980ed38febd3859ff5b78
Add more coverage exclusion, with commentary
2026-01-28T20:48:27+01:00
Marco Ricci software@the13thletter.info
<pre></pre>
tag:gitlist.org,2012:commit/598c2ba6e3c4a162236535d613a6b6ec1c8b1dcc
Report SSH agent socket providers in `--version` output
2026-01-24T23:50:57+01:00
Marco Ricci software@the13thletter.info
<pre>In the output of `derivepassphrase vault --version`, output the list of
supported and the list of unavailable SSH agent socket providers.
Report all aliases as well. We intend to reuse the names later on in
the user configuration file, so it is important to expose them
somewhere.

To determine whether an entry key is a base name or an alias, we build
a topological sorting over the entry keys, using tools from the standard
library introduced in Python 3.9. (Older Python versions could be
retrofitted with a backport, if need be.)

Open problem: The topological sorter checks for cycles, but there is
otherwise no deeper error checking yet. In particular, these entry keys
may be supplied by a malicious third party, but there are no
sanitization checks yet for terminal sequences or similar when
outputting the key during the `--version` call. How to handle this?
</pre>
tag:gitlist.org,2012:commit/13f516c49b2cfabcaff8384f91d14e9d6c148646
Support aliases in `--version` output (item feature lists)
2026-01-24T23:47:54+01:00
Marco Ricci software@the13thletter.info
<pre>Whenever a list of feature items is given during `--version`, such as
"Supported subcommands", support adding a list of aliases to that item
(provided there is no line break in between, the aliases are marked as
such, and neither contain nested aliases nor parentheses).

Document this format somewhat more explicitly in
`tests.test_derivepassphrase_cli.test_all_cli.parse_version_output`, and
provide a more explicit reference parser/tokenizer as well. That said,
the format is restricted enough to allow other parsers to somewhat
easily be written manually, or via a parser generator.

Though this could principally be used for the subcommands case (as also
used in the test cases for this functionality), the real beneficiary is
a piece of code I intend to commit next.
</pre>
tag:gitlist.org,2012:commit/640fb5cba54e3f63a776f93cf14425237b5ff621
Turn the built in SSH agent socket provider names into an enum
2026-01-24T22:59:24+01:00
Marco Ricci software@the13thletter.info
<pre>This eliminates typos once and for all. It also makes it really easy to
distinguish third-party socket providers from first-party ones, as the
enum cannot be amended later. Finally, it centralizes the knowledge for
testing whether the socket provider is functional directly to the enum,
similar to the other version info "feature items".

(In fact, the "master SSH key" vault feature (`Features.SSH_KEY`) can
now delegate the feature support check to the socket provider name
enum.)
</pre>
tag:gitlist.org,2012:commit/0a81704eabd281f1b550bbaf5424feded03deeb2
Fix coverage slipups in SSH agent socket provider implementations
2026-01-24T22:18:05+01:00
Marco Ricci software@the13thletter.info
<pre></pre>