https://git.schokokeks.org/derivepassphrase.git/tree/b2c8067ded2b23d25b000067174b1037adce9fb3 Recent commits feed provided by GitList. * t/storeroom-invalid-examples: Trigger InvalidSignature exceptions in storeroom exporter tests Add remaining tests to the storeroom exporter for 100% coverage https://git.schokokeks.org/derivepassphrase.git/commit/b2c8067ded2b23d25b000067174b1037adce9fb3 software@the13thletter.info (Marco Ricci) Thu, 10 Oct 2024 13:31:41 +0200 b2c8067ded2b23d25b000067174b1037adce9fb3 * t/vault-config-falsy: Signal and list falsy value cleanup steps that were actually performed Manage health checks in centralized hypothesis settings as well Centralize settings for hypothesis deadline management Add changelog entry for key/phrase and falsy behavior changes Align behavior with vault concerning falsy values in config Align behavior with vault concerning key and phrase in config GitHub: Closes #17. https://git.schokokeks.org/derivepassphrase.git/commit/d29025e290a39d992a54b36d28b6a503479ef0cb software@the13thletter.info (Marco Ricci) Thu, 10 Oct 2024 13:31:25 +0200 d29025e290a39d992a54b36d28b6a503479ef0cb * t/support-py313: Support Python 3.13 https://git.schokokeks.org/derivepassphrase.git/commit/7daaa0e2eb18b33c84cb771efe80725503caebe4 software@the13thletter.info (Marco Ricci) Thu, 10 Oct 2024 13:31:16 +0200 7daaa0e2eb18b33c84cb771efe80725503caebe4 * t/documentation-ideas: Suggest new reference documentation: vault(1) configuration Add a tutorial: setting up three services with master passphrase Add some ideas for missing documentation pages Tell MkDocs to ignore scriv's changelog snippets https://git.schokokeks.org/derivepassphrase.git/commit/890c3b079f2a50ddea674937ba1eac031894bf33 software@the13thletter.info (Marco Ricci) Thu, 10 Oct 2024 13:31:02 +0200 890c3b079f2a50ddea674937ba1eac031894bf33 So far, we haven't been explicitly testing for whether the master and session keys decrytion routines correctly reject payloads with invalid MAC values, and with the correct error type. Surely the `cryptography` primitive is implemented correctly, but there was no test whether *we* were using the primitive correctly. So, add one. https://git.schokokeks.org/derivepassphrase.git/commit/3ad62c4d59c6d54fb86b2774919b2f71713eecae software@the13thletter.info (Marco Ricci) Thu, 10 Oct 2024 12:36:24 +0200 3ad62c4d59c6d54fb86b2774919b2f71713eecae Before this commit, certain consistency checks within the storeroom exporter that seemed difficult to test remained untested: a payload size check in the master keys decryption routine, another payload size check in the session keys decryption routine, and object connectivity and type correctness checks in the top-level exporter routine. The master and session keys decryption routines, it turns out, don't need this explicit size check: the `struct` library, used for decoding the payload even further, already checks this automatically. (What *is* needed is a wrapper to convert the exception type, in general, for the whole decryption block.) For the connectivity and type correctness checks in the top-level exporter routine, I generated another couple of broken storeroom configurations (e.g. where directory contents, encoded as a JSON array, contain non-string elements). We now test for each of these configurations if they correctly fail to parse. Finally, it turns out that many of the docstrings reported the ciphertext sizes incorrectly, because they wrongly neglected the padding in their calculations. Fix this, of course. https://git.schokokeks.org/derivepassphrase.git/commit/837e57d2ce6c317d5ba483d88baddbdccfae03df software@the13thletter.info (Marco Ricci) Thu, 10 Oct 2024 12:18:23 +0200 837e57d2ce6c317d5ba483d88baddbdccfae03df Signal whether cleanup was actually perfomed on the requested object or not, and if yes, list the actual cleanup steps undertaken. When importing a vault configuration on the command-line, issue a warning for each cleaning step. Since the warning messages in both the cleanup steps and the check for non-normalized passphrases report on "paths" in a JSON object, implement a fully general JSONPath formatting function (single item selection from the root only). This harmonizes the warnings output, but also causes changes in the test cases and expected output. Additionally, the JSONPath function name clashes with a common local variable name, necessitating renaming, and control flow for the validation function and the vault configuration import action have changed somewhat; the former to impose a consistent validation order (global first, service-specific next), the latter to avoid extraneous else-branches. As a result of all this, this patch is somewhat larger and less concise than it should be, given the modest magnitude of changes it actually introduces. https://git.schokokeks.org/derivepassphrase.git/commit/2eaaa7f8ace52c29c83e36568417c92b358d9710 software@the13thletter.info (Marco Ricci) Wed, 09 Oct 2024 16:20:12 +0200 2eaaa7f8ace52c29c83e36568417c92b358d9710 No functional changes needed; only the project metadata has been amended. https://git.schokokeks.org/derivepassphrase.git/commit/743df7112b0a80c8b4e1fd8503487bb7aa67aa6f software@the13thletter.info (Marco Ricci) Wed, 09 Oct 2024 08:03:20 +0200 743df7112b0a80c8b4e1fd8503487bb7aa67aa6f Some of the tests that time out under coverage-based slow instrumentation time out during the data generation phase, not the actual test phase (i.e. trigger health check errors). The root cause is the same, and settings objects cannot be stacked, so amend the standard decorator for slow `hypothesis`-based tests, instead of introducing a new one. https://git.schokokeks.org/derivepassphrase.git/commit/695ac3fd833a1d50ba99f9539d668982bbd2bc00 software@the13thletter.info (Marco Ricci) Tue, 08 Oct 2024 13:57:21 +0200 695ac3fd833a1d50ba99f9539d668982bbd2bc00 Our unit tests run in multiple, very different environments, which leads to drastically different execution times, up to a slowdown factor of roughly 40 (test coverage, "timid" Python tracer). The `hypothesis` library however runs timing checks on each of its tests, indepedent of the available processing power and coverage instrumentation. As a result, some benign tests time out under these circumstances regardless. In the past, I've raised their execution deadline in an ad-hoc manner whenever this happens (or fixed the tests, if they weren't so benign). But instead of littering the test suite with one-time adjustments of deadlines, a more sensible approach is to use a test decorator that ensures a common extended deadline for tests that need it, only if they need it (i.e. run under coverage). So do that. (Sadly, because of how the settings decorator works, this must be applied function-wise, and cannot be stacked with other settings decorators.) Finally, if this deadline extension still doesn't help, then this usually means we are generating huge or expensive-to-evaluate inputs. So limit the size of some of the inputs (string length, recursion depth, size of passphrases to derive) to keep execution times better constrained. https://git.schokokeks.org/derivepassphrase.git/commit/3eabf0cd303c0e2e83a61a7c7835ee66b7fb5acf software@the13thletter.info (Marco Ricci) Tue, 08 Oct 2024 11:43:10 +0200 3eabf0cd303c0e2e83a61a7c7835ee66b7fb5acf