Recent commits to derivepassphrase.git (be6907ee4ee129cd1af0603149c5edad27dcede8)

Add more coverage and linting exclusions related to Windows named pipes

2026-01-04T22:40:37+01:00

Some of the missing exclusions are typos.

Others are accidental omissions due to writing the code for one platform
(POSIX-ish systems) without actually *testing* on that platform, because
the main logic is geared towards a different platform (here, The
Annoying OS) and was developed there.  This especially concerns code
that is designed to never be called and which immediately throws an
exception upon being called: it is easy to forget the coverage exclusion
if the corresponding code path is never actually run.

Finally, other exclusions and code refactorings are due to the fact that
the static type checking interface for `ctypes` (i.e., the typing stubs
from the `typeshed` project) is vastly different for different operating
systems.  So, type checking code on POSIX-ish systems that uses `ctypes`
for The Annoying OS's facilities causes the type checker to complain
about *a lot* of undefined symbols that `ctypes` supposedly does not
expose.  For some commonly-used symbols with many call sites, it is
worth defining a dual wrapper/stub function (wrapper for supported OSes,
stub for others) to both silence the type checker's complaints about
"undefined symbols" and to not sacrifice too much readability.

(While the type checker supports branching on the current OS, this
drastically increases the number of branches to cover, or alternatively,
the number of coverage branch exceptions/exclusions to mark up.  We
would be trading type checking exclusions for coverage branch
exclusions, gaining nothing.)

Finally finally, because The Annoying OS uses a very incompatible naming
scheme in its standard library, we need many linting exceptions for
variable, function and function argument naming.
</pre>

Fix SSH agent spawning on POSIX in the test suite

2026-01-04T22:06:26+01:00

If the `executable` passed to the `spawn_named_agent` function is
`None`, we now correctly locate the agent in `PATH` using its default
name, for all our SSH agent spawning functions.  This was advertised to
work this way when we introduced SSH agent interfacing functions in the
test suite in 3f4b4b35841b8247d1d32fd7f671ad7a0a19d167 and updated the
`spawn_named_agent` signature to match in
6340b5a541970c9d00ee653926102657028de309, but was never actually
implemented, until now.

Prior to 6340b5a541970c9d00ee653926102657028de309, the `executable`
argument to `spawn_named_agent` was both a registry key and the basename
of the executable to call, to be located in `PATH`.  In that scheme,
a `None` value meant that there was no external executable to spawn, so
the agent-specific spawning functions would return a failure code.  In
6340b5a541970c9d00ee653926102657028de309, the interpretation was changed
to an "override" path: a string value for `executable` meant "use this
path for the executable", a `None` value meant "use the default name,
and locate the executable in `PATH`".  But the corresponding *logic* for
the `None` value case, i.e., searching `PATH`, was never actually
implemented.

Because none of the standard agent spawning/interfacing function
definitions made use of this override mechanism, all SSH agent spawning
functions were silently breaking, flatly claiming that the agents were
not available even though they actually might have been.  Furthermore,
because this code refactoring was developed on The Annoying OS, where
all current SSH agents are interfaced, not spawned, this failure went
completely unnoticed.  Now, while double-checking that the new
Annoying-OS-specific code also works on POSIX, this misbehavior of the
SSH agent spawning logic became apparent again, because on POSIX we *do*
have agents that are spawned, not merely interfaced.

So reintroduce the logic to locate the (default) executable if the path
is not overriden.
</pre>

Use "overlapped I/O" for Windows named pipe communication

2025-12-28T18:53:33+01:00

(... or, as the rest of the world calls it: non-blocking I/O.)

We previously avoided using the overlapped I/O interface, for multiple
reasons:

  - It requires C structs which are not already natively wrapped by
    `ctypes` on The Annoying OS, and are fairly verbose to implement
    manually.

  - The notification that the I/O operation has completed requires
    further types and functions to be wrapped.

  - The C structs are documented reasonably well, but the bit flags used
    in this interface are sometimes only given by name, not by value,
    and thus need to be looked up in actual pre-existing code.

However, Pageant also internally uses overlapped I/O, and the behavior
observed in 5bcd2c39308880309286a2243e3795833817d1a5 may be due to
a mismatch between the I/O channel we see (non-overlapped) and the
channel Pageant sees (overlapped).  So, for consistency and
compatibility, we also use the overlapped I/O interface.
</pre>

Fix the fallback variant of the Windows named pipe handling code

2025-12-28T18:47:21+01:00

The fallback implementation for systems other than The Annoying OS was
incomplete.
</pre>

Retry connecting to a named pipe if the pipe is busy

2025-12-28T12:05:37+01:00

In the `WindowsNamedPipeHandle` constructor, if connecting the named
pipe fails with the Windows error 231 (`ERROR_PIPE_BUSY`), retry the
operation.  (For expected future compatibility, we treat
`BlockingIOError` the same way.)  This behavior roughly corresponds to
how system calls on POSIX should usually be retried if they return with
`EINTR`.
</pre>

Do not suppress OSError when constructing Windows named pipes in test fixtures

2025-12-27T18:52:29+01:00

Let any OSError that occurs when opening the named pipe bubble to the
top of the test fixture, instead of suppressing it and indicating that
the named pipe is unavailable.  At the top level, the test fixture can
then incorporate the error text into the failure or skip message (which
would otherwise be invisible if suppressed further down).
</pre>

In the test suite, correctly calculate if an SSH agent is isolated

2025-12-27T18:42:06+01:00

In particular, pay consideration to interfaced agents, not just spawned ones.
</pre>

Fix recognition of Pageant in the test fixtures

2025-12-27T18:26:50+01:00

When reacting to failures uploading a test key into an agent, both the
agent type `KnownSSHAgent.UNIXPageant` and the type
`KnownSSHAgent.Pageant` should be treated the same.  However, the
`ssh_agent_client_with_loaded_test_keys` only treated the former agent
type specially.  Now it also treats the latter type the same.
</pre>

Unload loaded test keys in the fixture more efficiently

2025-12-27T17:33:06+01:00

Instead of iterating over all test keys and testing whether the agent is
not isolated and the key is a successfully loaded key, first check
whether the agent is isolated or not, *then* iterate over the
successfully loaded key names and extract the relevant test key from the
test key table.  The efficiency per operation is similar, but the
previous setup always iterated the whole test key table unconditionally,
whereas the new setup only iterates the successfully loaded key name set
(fewer entries than the test key table), and only conditionally.
</pre>

Document the "test key uploading" helper functions

2025-12-27T17:19:38+01:00

Add docstrings to the `_prepare_payload` and `_load_key_optimistically`
helper functions.

Also change the signature of `_load_key_optimistically` to take the test
key structure directly, instead of taking a (dict) key to lookup the
structure.  (These types of things become apparent when writing
docstrings, even for otherwise internal functions.)
</pre>