https://git.schokokeks.org/derivepassphrase.git/tree/bbda81848f19467eac4364337e6993d347a5fe33 2026-02-08T16:10:06+01:00 tag:gitlist.org,2012:commit/bbda81848f19467eac4364337e6993d347a5fe33 2026-02-08T16:10:06+01:00 Marco Ricci software@the13thletter.info <pre>&lt;/pre&gt; tag:gitlist.org,2012:commit/dd95f72397ce3b78436fe211e8bf9d33a9cedecc 2026-02-08T16:02:18+01:00 Marco Ricci software@the13thletter.info <pre>Extend the vault CLI tests for basic SSH key usage to also cover the SSH agent socket provider choice case. We split up the monolithic `_test` helper function into separate `_setup_environment` and `_check_result` functions, so that we can share common setup code (including fixtures and parametrizations), but use different result testing code. We also extend the `_setup_environment` code to handle main user configuration mocking and SSH agent socket provider registry mocking as well, even if the basic key tests don't use this functionality. &lt;/pre&gt; tag:gitlist.org,2012:commit/546b916851c6fc96f84f3f2db42817bab4cc2db5 2026-02-08T13:40:06+01:00 Marco Ricci software@the13thletter.info <pre>Issue the correct error message when an SSH agent socket provider is specified via command-line options or via user configuration, but the socket provider does not appear in the registry. Previously, due to a technicality, this would be treated the same as the `SSH_AUTH_SOCK` environment variable missing, and would issue the same error message. This is, of course, blatantly false, and has now been corrected. &lt;/pre&gt; tag:gitlist.org,2012:commit/9d41d409bfb8623f419905cf123c80114dcc49e2 2026-02-08T13:00:41+01:00 Marco Ricci software@the13thletter.info <pre>Add a designated entry `vault.ssh-agent-socket-provider` to the `derivepassphrase` main configuration and the new option `--ssh-agent-socket-provider` to the `derivepassphrase vault` command-line interface. These both specify a specific SSH agent socket provider to use, instead of the built-in default provider list. The command-line option has precedence over the user configuration. In complementary work, streamline the construction of SSH agent client contexts and the querying of configuration files in `derivepassphrase vault`'s main program: provide a `get_configured_connection_hint` for the former, and harmonize function signatures and call responsibilities for the latter. &lt;/pre&gt; tag:gitlist.org,2012:commit/610cd05c290e255d59dde6915826221df2d3bf96 2026-02-01T20:51:53+01:00 Marco Ricci software@the13thletter.info <pre>&lt;/pre&gt; tag:gitlist.org,2012:commit/2ab74a949c7943354c68c198210997ace4d9674e 2026-02-01T20:38:39+01:00 Marco Ricci software@the13thletter.info <pre>Mark some tests as needing the ability to construct a second SSH agent client (on the same socket address) while another one is still connected. This works with most agents, except `gpg-agent` on The Annoying OS when masquerading as OpenSSH's `ssh-agent`. Presumably, `gpg-agent` handles the requests with a single thread, non-multiplexed, and so blocks all other agent clients from progressing. The symptoms are blocking during the connect call, then failing with "socket address not found" immediately once the other client closes its connection. We address the affected tests by monkeypatching the `ssh_agent.SSHAgentClient.ensure_agent_subcontext` context manager – the main way `derivepassphrase` internally interacts with the SSH agent – to return a singleton agent: the agent provided to the test function (via a fixture). We implement this as a machinery function to set up the environment explicitly, because this functionality hard to set up usefully as a test fixture: it interferes with testing SSH agent client constructor failures, and *those* are sometimes implemented as single `pytest.param`s of a common test function, but the test function cannot dynamically adapt the set of applicable fixtures to the specific parametrization. While specifically designed for use with `gpg-agent` on The Annoying OS, the interface is general in nature, and can be used with any declared SSH agent (except the fake agents). Since this internally works similarly to the "permitted SSH agents" feature of the test suite, we generalize the latter slightly to allow implementing the former. &lt;/pre&gt; tag:gitlist.org,2012:commit/b9f852b49674d88d35d5f5e15f56c2a0ccfa8111 2026-01-28T20:48:27+01:00 Marco Ricci software@the13thletter.info <pre>&lt;/pre&gt; tag:gitlist.org,2012:commit/e9f5e45d85b7db5459b8f60ffcb065ec4dabfa1d 2026-01-24T23:50:57+01:00 Marco Ricci software@the13thletter.info <pre>In the output of `derivepassphrase vault --version`, output the list of supported and the list of unavailable SSH agent socket providers. Report all aliases as well. We intend to reuse the names later on in the user configuration file, so it is important to expose them somewhere. To determine whether an entry key is a base name or an alias, we build a topological sorting over the entry keys, using tools from the standard library introduced in Python 3.9. (Older Python versions could be retrofitted with a backport, if need be.) Open problem: The topological sorter checks for cycles, but there is otherwise no deeper error checking yet. In particular, these entry keys may be supplied by a malicious third party, but there are no sanitization checks yet for terminal sequences or similar when outputting the key during the `--version` call. How to handle this? &lt;/pre&gt; tag:gitlist.org,2012:commit/2c19c96e87f600597c74df42682b366b87c77ba6 2026-01-24T23:47:54+01:00 Marco Ricci software@the13thletter.info <pre>Whenever a list of feature items is given during `--version`, such as "Supported subcommands", support adding a list of aliases to that item (provided there is no line break in between, the aliases are marked as such, and neither contain nested aliases nor parentheses). Document this format somewhat more explicitly in `tests.test_derivepassphrase_cli.test_all_cli.parse_version_output`, and provide a more explicit reference parser/tokenizer as well. That said, the format is restricted enough to allow other parsers to somewhat easily be written manually, or via a parser generator. Though this could principally be used for the subcommands case (as also used in the test cases for this functionality), the real beneficiary is a piece of code I intend to commit next. &lt;/pre&gt; tag:gitlist.org,2012:commit/c7ce5bd977734838335242cac80c4f800c8b0d9c 2026-01-24T22:59:24+01:00 Marco Ricci software@the13thletter.info <pre>This eliminates typos once and for all. It also makes it really easy to distinguish third-party socket providers from first-party ones, as the enum cannot be amended later. Finally, it centralizes the knowledge for testing whether the socket provider is functional directly to the enum, similar to the other version info "feature items". (In fact, the "master SSH key" vault feature (`Features.SSH_KEY`) can now delegate the feature support check to the socket provider name enum.) &lt;/pre&gt;