Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

intial unit test and impl for ssh-keygen simulator #1432

Draft
wants to merge 1 commit into
base: master
Choose a base branch
from
Draft

intial unit test and impl for ssh-keygen simulator #1432

wants to merge 1 commit into from

Conversation

castedo
Copy link
Contributor

@castedo castedo commented Nov 14, 2024
edited
Loading

  • unit test that check-novalidate subcmd rejects
  • basic CLI impl for ssh-keygen simulator
  • trivial always fail impl of check-novalidate subcmd

@castedo castedo requested a review from jelmer as a code owner November 14, 2024 12:46
@castedo castedo marked this pull request as draft November 14, 2024 12:47
@castedo
Copy link
Contributor Author

castedo commented Nov 14, 2024

Probably not worth merging yet since it doesn't actually to any check. So I've put it in draft mode. But good preview of what's to come soon so you can point out any improvements and changes that make sense.

@castedo
Copy link
Contributor Author

castedo commented Nov 14, 2024

@jelmer Pick your poison:

Soon I'm going to be adding a line of

from __future__ import annotations

from https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L1
so that a return type hint like:
https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L48
does not have to be quoted.

And I think there are few other benefits.

BUT if you think it's better to not __future__, just let me know and I'll quote some of these type hints and go back from the __future__.

@jelmer
Copy link
Owner

jelmer commented Nov 14, 2024

@jelmer Pick your poison:

Soon I'm going to be adding a line of

from __future__ import annotations

from https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L1
so that a return type hint like:
https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L48
does not have to be quoted.

And I think there are few other benefits.

BUT if you think it's better to not __future__, just let me know and I'll quote some of these type hints and go back from the __future__.

Why do we need that? Dulwich is python >= 3.9, so annotations shouldn't require a "from future import"

@castedo
Copy link
Contributor Author

castedo commented Nov 14, 2024

@jelmer Pick your poison:
Soon I'm going to be adding a line of

from __future__ import annotations

from https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L1
so that a return type hint like:
https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L48
does not have to be quoted.
And I think there are few other benefits.
BUT if you think it's better to not __future__, just let me know and I'll quote some of these type hints and go back from the __future__.

Why do we need that? Dulwich is python >= 3.9, so annotations shouldn't require a "from future import"

It is still needed for recursive/self-referential type hints. For instance, in

https://gitlab.com/perm.pub/hidos/-/blob/923691a51921de59250e80f7fd82fe40fa895637/hidos/sshsiglib/ssh_keygen.py#L48

the unquoted AllowedSigner return type hint is for a function of the class AllowedSigner. So even with 3.9, either the type hint needs to be quoted or the __future__ is needed.

@castedo
Copy link
Contributor Author

castedo commented Nov 14, 2024

I'm usually in a container with Python 3.12 and the choice still is needed in 3.12.

castedo
castedo commented Nov 14, 2024
View reviewed changes
tests/test_ssh_keygen.py Outdated Show resolved Hide resolved
castedo
castedo commented Nov 14, 2024
View reviewed changes
Makefile Outdated Show resolved Hide resolved
@castedo
Copy link
Contributor Author

castedo commented Nov 15, 2024

Interesting ... I just discovered another benefit to using from __future__ import annotations:

ruff requests using the X | Y type notation instead of Union and Option, which Python 3.9 barfs on (I just confirmed) ... but without __future__. With the __future__ Python 3.9 will ignore the pipe X | Y type notation. I'll start following ruffs suggestion by using __future__ to keep both ruff and Python 3.9 happy.

@castedo castedo marked this pull request as ready for review November 15, 2024 03:09
@castedo
Copy link
Contributor Author

castedo commented Nov 15, 2024

@jelmer OK, this is an actual implementation of ssh-keygen -Y check-novalidate, the core crypto functionality at the base of SSH key signing. This could be a good check point to merge, even though there's more to come, and some more extra sshsig features layerd on top that git uses (namely checking the allowed_signers file for the key found in the signature from this core stage).

@castedo
Copy link
Contributor Author

castedo commented Nov 15, 2024

I figured I would just throw all the code in to one file, to keep it simple within the bigger picture of dulwich. However, there are a number of natural splits and layers to this implementation. This single file could naturally be split into multiple and placed within a subdirectory/submodule for all this sshsig/ssh_keygen stuff.

jelmer
jelmer reviewed Nov 15, 2024
View reviewed changes
tests/test_ssh_keygen.py Outdated Show resolved Hide resolved
Makefile Outdated Show resolved Hide resolved
dulwich/ssh_keygen.py Outdated Show resolved Hide resolved
@castedo castedo marked this pull request as draft November 15, 2024 13:12
@castedo
Copy link
Contributor Author

castedo commented Nov 15, 2024

Interesting ... I just discovered another benefit to using from __future__ import annotations:

ruff requests using the X | Y type notation instead of Union and Option, which Python 3.9 barfs on (I just confirmed) ... but without __future__. With the __future__ Python 3.9 will ignore the pipe X | Y type notation. I'll start following ruffs suggestion by using __future__ to keep both ruff and Python 3.9 happy.

Another option here is to stay consistent with the rest of the code and ignore this suggestion from ruff by adding UP007 (Use X | Y for type annotations) to the pyproject ruff ignore list.

@castedo
add ssh-keygen -Y check-novalidate implementation
bc1b571 
* core functionality of ssh-keygen -Y check-novalidate
* unit test for ssh-keygen check-novalidate functionality
* compat test to double check against real ssh-keygen exec
@castedo
Copy link
Contributor Author

castedo commented Nov 15, 2024

@jelmer OK, I believe all outstanding issues are resolved now. I've also rebased and squashed.

There are some minor trade-offs between using __future__, using quoted type names, using pipe symbol instead of Union/Optional, and a ruff ignore setting. I'm fine switching the code be older-style Python. But I went ahead and committed newer style.

Since the key two functions at the end of sshsig.py aren't getting called by anything in Dulwich yet, I'm not sure whether it makes sense to merge this into the master branch. But to me it looks fine to merge now.

From what I know now, there isn't much reason for this code to change. Additional SSH signing functionality is all built on top of this PR and shouldn't require much modification of this PR code.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jelmer jelmer jelmer left review comments

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@castedo @jelmer