commit python-service_identity for openSUSE:Factory

Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package python-service_identity for openSUSE:Factory checked in at 2024-11-01 21:00:44 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/python-service_identity (Old) and /work/SRC/openSUSE:Factory/.python-service_identity.new.2020 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Package is "python-service_identity" Fri Nov 1 21:00:44 2024 rev:16 rq:1219726 version:24.2.0 Changes: -------- --- /work/SRC/openSUSE:Factory/python-service_identity/python-service_identity.changes 2024-01-21 23:07:26.671511362 +0100 +++ /work/SRC/openSUSE:Factory/.python-service_identity.new.2020/python-service_identity.changes 2024-11-01 21:00:48.745507595 +0100 @@ -1,0 +2,11 @@ +Wed Oct 30 19:54:23 UTC 2024 - Dirk Müller <dmueller@suse.com> + +- update to 24.2.0: + * Python 3.13 is now officially supported. + * pyOpenSSL's identity extraction has been reimplemented using + *cryptography*'s primitives instead of deprecated pyOpenSSL + APIs. + * As a result, the oldest supported pyOpenSSL version is now + 17.1.0. + +------------------------------------------------------------------- Old: ---- 24.1.0.tar.gz New: ---- 24.2.0.tar.gz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ python-service_identity.spec ++++++ --- /var/tmp/diff_new_pack.89EqKV/_old 2024-11-01 21:00:49.505539320 +0100 +++ /var/tmp/diff_new_pack.89EqKV/_new 2024-11-01 21:00:49.509539487 +0100 @@ -19,7 +19,7 @@ %define oname service_identity %{?sle15_python_module_pythons} Name: python-service_identity -Version: 24.1.0 +Version: 24.2.0 Release: 0 Summary: Service identity verification for pyOpenSSL License: MIT @@ -34,7 +34,7 @@ BuildRequires: %{python_module hatchling >= 1.14.0} BuildRequires: %{python_module idna} BuildRequires: %{python_module pip} -BuildRequires: %{python_module pyOpenSSL >= 17.0.0} +BuildRequires: %{python_module pyOpenSSL >= 17.1.0} BuildRequires: %{python_module pyasn1-modules} BuildRequires: %{python_module pyasn1} BuildRequires: %{python_module pytest} @@ -46,7 +46,7 @@ Requires: python-pyasn1 Requires: python-pyasn1-modules Recommends: python-idna -Recommends: python-pyOpenSSL +Recommends: python-pyOpenSSL >= 17.1.0 BuildArch: noarch %ifpython2 Requires: python-ipaddress ++++++ 24.1.0.tar.gz -> 24.2.0.tar.gz ++++++ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/.git_archival.txt new/service-identity-24.2.0/.git_archival.txt --- old/service-identity-24.1.0/.git_archival.txt 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/.git_archival.txt 2024-10-26 09:10:38.000000000 +0200 @@ -1,4 +1,3 @@ -node: e5ba15ec13b1750cae35004dede2e6e4af74308f -node-date: 2024-01-14T08:05:19+01:00 -describe-name: 24.1.0 -ref-names: tag: 24.1.0 +node: b51873e5aff777ff2e35dfb2bee1f4acbf203b25 +node-date: 2024-10-26T09:10:38+02:00 +describe-name: 24.2.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/.github/CONTRIBUTING.md new/service-identity-24.2.0/.github/CONTRIBUTING.md --- old/service-identity-24.1.0/.github/CONTRIBUTING.md 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/.github/CONTRIBUTING.md 2024-10-26 09:10:38.000000000 +0200 @@ -137,8 +137,10 @@ A very important return value. """ ``` + - If you add or change public APIs, tag the docstring using `.. versionadded:: 16.0.0 WHAT` or `.. versionchanged:: 16.2.0 WHAT`. -- We use [Ruff](https://ruff.rs/) to sort our imports, and we use [Black](https://github.com/psf/black) with line length of 79 characters to format our code. + +- We follow [PEP 8](https://peps.python.org/pep-0008/) as enforced by [Ruff](https://ruff.rs/) with a line length of 79 characters. As long as you run our full [*tox*] suite before committing, or install our [*pre-commit*] hooks (ideally you'll do both – see [*Local Development Environment*](#local-development-environment) above), you won't have to spend any time on formatting your code at all. If you don't, [CI] will catch it for you – but that seems like a waste of your time! diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/.github/SECURITY.md new/service-identity-24.2.0/.github/SECURITY.md --- old/service-identity-24.1.0/.github/SECURITY.md 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/.github/SECURITY.md 2024-10-26 09:10:38.000000000 +0200 @@ -2,7 +2,7 @@ ## Supported Versions -We are following [*CalVer*](https://calver.org) with generous backwards-compatibility guarantees. +We are following [Calendar Versioning](https://calver.org) with generous backwards-compatibility guarantees. *Therefore we only support the latest version*. That said, you shouldn't be afraid to upgrade if you're only using our documented public APIs and pay attention to `DeprecationWarning`s. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/.github/workflows/ci.yml new/service-identity-24.2.0/.github/workflows/ci.yml --- old/service-identity-24.1.0/.github/workflows/ci.yml 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/.github/workflows/ci.yml 2024-10-26 09:10:38.000000000 +0200 @@ -4,6 +4,7 @@ on: push: branches: [main] + tags: ["*"] pull_request: workflow_dispatch: @@ -14,6 +15,7 @@ permissions: {} + jobs: lint: name: Run linters @@ -22,61 +24,81 @@ - uses: actions/checkout@v4 - uses: actions/setup-python@v5 with: - python-version: "3.11" # XXX: change once interrogate works on 3.12 - cache: pip + python-version-file: .python-version-default + - uses: hynek/setup-cached-uv@v2 + + - run: > + uvx --with tox-uv + tox run -e lint -- --show-diff-on-failure + + + build-package: + name: Build & verify package + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v4 + with: + fetch-depth: 0 + + - uses: hynek/build-and-inspect-python-package@v2 + id: baipp + + outputs: + # Used to define the matrix for tests below. The value is based on + # packaging metadata (trove classifiers). + python-versions: ${{ steps.baipp.outputs.supported_python_classifiers_json_array }} - - name: Install & run tox - run: | - python -Im pip install tox - python -Im tox run -e lint -- --show-diff-on-failure tests: - name: Tests on ${{ matrix.python-version }} + name: Tests & Mypy API on ${{ matrix.python-version }} runs-on: ubuntu-latest + needs: build-package strategy: matrix: - python-version: - - "3.8" - - "3.9" - - "3.10" - - "3.11" - - "3.12" - - "pypy-3.8" - - "pypy-3.9" + # Created by the build-and-inspect-python-package action above. + python-version: ${{ fromJson(needs.build-package.outputs.python-versions) }} steps: - - uses: actions/checkout@v4 + - name: Download pre-built packages + uses: actions/download-artifact@v4 + with: + name: Packages + path: dist + - run: | + tar xf dist/*.tar.gz --strip-components=1 + rm -rf src - uses: actions/setup-python@v5 with: python-version: ${{ matrix.python-version }} allow-prereleases: true - cache: pip - - - name: Prepare tox & run tests - run: | - V=${{ matrix.python-version }} + - uses: hynek/setup-cached-uv@v2 - if [[ "$V" = pypy-* ]]; then - V=pypy3 - else - V=py$(echo $V | tr -d .) - fi - - python -Im pip install tox - python -Im tox run -f "$V" - - - name: Run Mypy on API - run: python -Im tox run -e mypy-api + - name: Run tests + run: > + uvx --with tox-uv + tox run + --installpkg dist/*.whl + -f py$(echo ${{ matrix.python-version }} | tr -d .) - name: Upload coverage data uses: actions/upload-artifact@v4 with: name: coverage-data-${{ matrix.python-version }} path: .coverage.* + include-hidden-files: true if-no-files-found: ignore + - name: Check public API with Mypy + run: > + uvx --with tox-uv + tox run + --installpkg dist/*.whl + -e mypy-api + + coverage: - name: Combine & check coverage + name: Ensure 100% test coverage needs: tests runs-on: ubuntu-latest @@ -85,7 +107,7 @@ - uses: actions/setup-python@v5 with: python-version-file: .python-version-default - cache: pip + - uses: hynek/setup-cached-uv@v2 - uses: actions/download-artifact@v4 with: @@ -94,16 +116,16 @@ - name: Combine coverage & fail if it's <100% run: | - python -Im pip install coverage[toml] + uv tool install coverage[toml] - python -Im coverage combine - python -Im coverage html --skip-covered --skip-empty + coverage combine + coverage html --skip-covered --skip-empty # Report and write to summary. - python -Im coverage report --format=markdown >> $GITHUB_STEP_SUMMARY + coverage report --format=markdown >> $GITHUB_STEP_SUMMARY # Report again and fail if under 100%. - python -Im coverage report --fail-under=100 + coverage report --fail-under=100 - name: Upload HTML report if check failed. uses: actions/upload-artifact@v4 @@ -112,21 +134,28 @@ path: htmlcov if: ${{ failure() }} + mypy-pkg: - name: Type-check package + name: Mypy Codebase runs-on: ubuntu-latest + needs: build-package steps: - - uses: actions/checkout@v4 + - name: Download pre-built packages + uses: actions/download-artifact@v4 + with: + name: Packages + path: dist + - run: tar xf dist/*.tar.gz --strip-components=1 - uses: actions/setup-python@v5 with: python-version-file: .python-version-default - cache: pip + - uses: hynek/setup-cached-uv@v2 + + - run: > + uvx --with tox-uv + tox run -e mypy-pkg - - name: Install & run tox - run: | - python -Im pip install tox - python -Im tox run -e mypy-pkg install-dev: strategy: @@ -147,25 +176,35 @@ run: | python -Im pip install -e .[dev] python -Ic 'import service_identity; print(service_identity.__version__)' + python -Ic 'import service_identity.pyopenssl' + python -Ic 'import service_identity.cryptography' + docs: name: Build docs & run doctests + needs: build-package runs-on: ubuntu-latest + steps: - - uses: actions/checkout@v4 + - name: Download pre-built packages + uses: actions/download-artifact@v4 + with: + name: Packages + path: dist + - run: tar xf dist/*.tar.gz --strip-components=1 - uses: actions/setup-python@v5 with: # Keep in sync with tox.ini/docs & .readthedocs.yaml python-version: "3.12" - cache: pip + - uses: hynek/setup-cached-uv@v2 + + - run: > + uvx --with tox-uv + tox run -e docs - - name: Install & run tox - run: | - python -Im pip install tox - python -Im tox run -e docs - # Ensure everything required is passing for branch protection. required-checks-pass: + name: Ensure everything required is passing for branch protection if: always() needs: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/.github/workflows/pypi-package.yml new/service-identity-24.2.0/.github/workflows/pypi-package.yml --- old/service-identity-24.1.0/.github/workflows/pypi-package.yml 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/.github/workflows/pypi-package.yml 2024-10-26 09:10:38.000000000 +0200 @@ -5,13 +5,13 @@ push: branches: [main] tags: ["*"] - pull_request: release: types: - published workflow_dispatch: permissions: + attestations: write contents: read id-token: write @@ -27,6 +27,8 @@ fetch-depth: 0 - uses: hynek/build-and-inspect-python-package@v2 + with: + attest-build-provenance-github: 'true' # Upload to Test PyPI on every commit on main. release-test-pypi: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/.pre-commit-config.yaml new/service-identity-24.2.0/.pre-commit-config.yaml --- old/service-identity-24.1.0/.pre-commit-config.yaml 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/.pre-commit-config.yaml 2024-10-26 09:10:38.000000000 +0200 @@ -1,31 +1,26 @@ --- repos: - - repo: https://github.com/psf/black - rev: 23.12.1 - hooks: - - id: black - - repo: https://github.com/astral-sh/ruff-pre-commit - rev: v0.1.13 + rev: v0.7.1 hooks: - id: ruff args: [--fix, --exit-non-zero-on-fix] + - id: ruff-format - repo: https://github.com/codespell-project/codespell - rev: v2.2.6 + rev: v2.3.0 hooks: - id: codespell args: [-L, fo] - repo: https://github.com/econchick/interrogate - rev: 1.5.0 + rev: 1.7.0 hooks: - id: interrogate - language_version: python3.11 - args: [tests, -v] + args: [tests] - repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.5.0 + rev: v5.0.0 hooks: - id: trailing-whitespace - id: end-of-file-fixer diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/.python-version-default new/service-identity-24.2.0/.python-version-default --- old/service-identity-24.1.0/.python-version-default 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/.python-version-default 2024-10-26 09:10:38.000000000 +0200 @@ -1 +1 @@ -3.12 +3.13 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/.readthedocs.yaml new/service-identity-24.2.0/.readthedocs.yaml --- old/service-identity-24.1.0/.readthedocs.yaml 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/.readthedocs.yaml 2024-10-26 09:10:38.000000000 +0200 @@ -2,10 +2,14 @@ version: 2 build: - os: ubuntu-22.04 + os: ubuntu-lts-latest tools: # Keep in-sync with tox.ini/docs and ci.yml/docs python: "3.12" + jobs: + # Need the tags to calculate the version (sometimes). + post_checkout: + - git fetch --tags python: install: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/CHANGELOG.md new/service-identity-24.2.0/CHANGELOG.md --- old/service-identity-24.1.0/CHANGELOG.md 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/CHANGELOG.md 2024-10-26 09:10:38.000000000 +0200 @@ -13,6 +13,21 @@ <!-- changelog follows --> +## [24.2.0](https://github.com/pyca/service-identity/compare/24.1.0...24.2.0) - 2024-10-26 + +### Added + +- Python 3.13 is now officially supported. + [#74](https://github.com/pyca/service-identity/pull/74) + + +### Changed + +- pyOpenSSL's identity extraction has been reimplemented using *cryptography*'s primitives instead of deprecated pyOpenSSL APIs. + As a result, the oldest supported pyOpenSSL version is now 17.1.0. + [#70](https://github.com/pyca/service-identity/pull/70) + + ## [24.1.0](https://github.com/pyca/service-identity/compare/23.1.0...24.1.0) - 2024-01-14 ### Changed diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/README.md new/service-identity-24.2.0/README.md --- old/service-identity-24.1.0/README.md 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/README.md 2024-10-26 09:10:38.000000000 +0200 @@ -36,8 +36,7 @@ ### *service-identity* for Enterprise -Available as part of the Tidelift Subscription. +Available as part of the [Tidelift Subscription](https://tidelift.com/?utm_source=lifter&utm_medium=referral&utm_campaign=hynek). The maintainers of *service-identity* and thousands of other packages are working with Tidelift to deliver commercial support and maintenance for the open-source packages you use to build your applications. Save time, reduce risk, and improve code health, while paying the maintainers of the exact packages you use. -[Learn more.](https://tidelift.com/lifter/search/pypi/service-identity) diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/docs/conf.py new/service-identity-24.2.0/docs/conf.py --- old/service-identity-24.1.0/docs/conf.py 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/docs/conf.py 2024-10-26 09:10:38.000000000 +0200 @@ -1,16 +1,6 @@ from importlib import metadata -# If extensions (or modules to document with autodoc) are in another directory, -# add these directories to sys.path here. If the directory is relative to the -# documentation root, use os.path.abspath to make it absolute, like shown here. -# sys.path.insert(0, os.path.abspath('.')) - -# -- General configuration ------------------------------------------------ - -# If your documentation needs a minimal Sphinx version, state it here. -# needs_sphinx = '1.0' - # Add any Sphinx extension module names here, as strings. They can be # extensions coming with Sphinx (named 'sphinx.ext.*') or your custom # ones. @@ -45,9 +35,6 @@ # The suffix of source filenames. source_suffix = ".rst" -# The encoding of source files. -# source_encoding = 'utf-8-sig' - # The master toctree document. master_doc = "index" @@ -68,50 +55,16 @@ if "dev" in release: release = version = "UNRELEASED" -# The language for content autogenerated by Sphinx. Refer to documentation -# for a list of supported languages. -# language = None - -# There are two options for replacing |today|: either, you set today to some -# non-false value, then it is used: -# today = '' -# Else, today_fmt is used as the format for a strftime call. -# today_fmt = '%B %d, %Y' - # List of patterns, relative to source directory, that match files and # directories to ignore when looking for source files. exclude_patterns = ["_build"] -# The reST default role (used for this markup: `text`) to use for all -# documents. -# default_role = None - -# If true, '()' will be appended to :func: etc. cross-reference text. -# add_function_parentheses = True - -# If true, the current module name will be prepended to all description -# unit titles (such as .. function::). -# add_module_names = True - -# If true, sectionauthor and moduleauthor directives will be shown in the -# output. They are ignored by default. -# show_authors = False - -# The name of the Pygments (syntax highlighting) style to use. -# pygments_style = "sphinx" - -# A list of ignored prefixes for module index sorting. -# modindex_common_prefix = [] - -# If true, keep warnings as "system message" paragraphs in the built documents. -# keep_warnings = False - # -- Options for HTML output ---------------------------------------------- html_theme = "furo" html_theme_options = { - "top_of_page_button": None, + "top_of_page_buttons": [], "light_css_variables": { "font-stack": "Inter, sans-serif", "font-stack--monospace": "BerkeleyMono, MonoLisa, ui-monospace, " @@ -142,27 +95,6 @@ ) ] -# The name of an image file (relative to this directory) to place at the top of -# the title page. -# latex_logo = None - -# For "manual" documents, if this is true, then toplevel headings are parts, -# not chapters. -# latex_use_parts = False - -# If true, show page references after internal links. -# latex_show_pagerefs = False - -# If true, show URL addresses after external links. -# latex_show_urls = False - -# Documents to append as an appendix to all manuals. -# latex_appendices = [] - -# If false, no module index is generated. -# latex_domain_indices = True - - # -- Options for manual page output --------------------------------------- # One entry per manual page. List of tuples @@ -177,10 +109,6 @@ ) ] -# If true, show URL addresses after external links. -# man_show_urls = False - - # -- Options for Texinfo output ------------------------------------------- # Grouping the document tree into Texinfo files. List of tuples @@ -198,18 +126,6 @@ ) ] -# Documents to append as an appendix to all manuals. -# texinfo_appendices = [] - -# If false, no module index is generated. -# texinfo_domain_indices = True - -# How to display URL addresses: 'footnote', 'no', or 'inline'. -# texinfo_show_urls = 'footnote' - -# If true, do not generate a @detailmenu in the "Top" node's menu. -# texinfo_no_detailmenu = False - intersphinx_mapping = { "python": ("https://docs.python.org/3", None), diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/pyproject.toml new/service-identity-24.2.0/pyproject.toml --- old/service-identity-24.1.0/pyproject.toml 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/pyproject.toml 2024-10-26 09:10:38.000000000 +0200 @@ -18,6 +18,7 @@ "Programming Language :: Python :: 3.10", "Programming Language :: Python :: 3.11", "Programming Language :: Python :: 3.12", + "Programming Language :: Python :: 3.13", "Programming Language :: Python :: Implementation :: CPython", "Programming Language :: Python :: Implementation :: PyPy", "Topic :: Security :: Cryptography", @@ -88,12 +89,8 @@ addopts = ["-ra", "--strict-markers", "--strict-config"] xfail_strict = true testpaths = "tests" -filterwarnings = [ - "once::Warning", - "ignore:::aiohttp[.*]", - "ignore:::importlib[.*]", - "ignore::DeprecationWarning:twisted.python.threadable", -] +filterwarnings = ["once::Warning"] +norecursedirs = ["tests/typing"] [tool.coverage.run] @@ -132,55 +129,56 @@ whitelist-regex = ["test_.*"] -[tool.black] -line-length = 79 - - [tool.ruff] src = ["src", "tests"] -select = [ - "E", # pycodestyle - "W", # pycodestyle - "F", # Pyflakes - "UP", # pyupgrade - "N", # pep8-naming - "YTT", # flake8-2020 - "S", # flake8-bandit - "B", # flake8-bugbear - "C4", # flake8-comprehensions - "T10", # flake8-debugger - "ISC", # flake8-implicit-str-concat - "RET", # flake8-return - "SIM", # flake8-simplify - "DTZ", # flake8-datetimez - "I", # isort - "PGH", # pygrep-hooks - "PLC", # Pylint - "PIE", # flake8-pie - "RUF", # ruff -] +line-length = 79 + +[tool.ruff.lint] +select = ["ALL"] ignore = [ - "RUF001", # leave my smart characters alone - "N801", # some artistic freedom when naming things after RFCs - "N802", # ditto + "A001", # shadowing is fine + "ANN", # Mypy is better at this + "ARG001", # we don't control all args passed in + "ARG005", # we need stub lambdas + "COM", # ruff format takes care of our commas + "D", # We prefer our own docstring style. + "E501", # leave line-length enforcement to ruff format + "FIX", # Yes, we want XXX as a marker. + "INP001", # sometimes we want Python files outside of packages + "ISC001", # conflicts with ruff format + "N801", # some artistic freedom when naming things after RFCs + "N802", # ditto + "PLR2004", # numbers are sometimes fine + "RUF001", # leave my smart characters alone + "SLF001", # private members are accessed by friendly functions + "TCH", # TYPE_CHECKING blocks break autodocs + "TD", # we don't follow other people's todo style ] -[tool.ruff.per-file-ignores] +[tool.ruff.lint.per-file-ignores] "tests/*" = [ + "B018", # "useless" expressions can be useful in tests + "PLC1901", # empty strings are falsey, but are less specific in tests + "PT005", # we always add underscores and explicit name + "PT011", # broad is fine "S101", # assert "S301", # I know pickle is bad, but people use it. - "SIM300", # Yoda rocks in tests - "PLC1901", # empty strings are falsey, but are less specific in tests - "B018", # "useless" expressions can be useful in tests + "SIM300", # Yoda rocks in asserts + "TRY301", # tests need to raise exceptions +] +"docs/pyopenssl_example.py" = [ + "T201", # print is fine in the example + "T203", # pprint is fine in the example ] -[tool.ruff.isort] +[tool.ruff.lint.isort] lines-between-types = 1 lines-after-imports = 2 [tool.mypy] strict = true +pretty = true show_error_codes = true enable_error_code = ["ignore-without-code"] diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/src/service_identity/__init__.py new/service-identity-24.2.0/src/service_identity/__init__.py --- old/service-identity-24.1.0/src/service_identity/__init__.py 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/src/service_identity/__init__.py 2024-10-26 09:10:38.000000000 +0200 @@ -2,7 +2,6 @@ Verify service identities. """ - from . import cryptography, hazmat, pyopenssl from .exceptions import ( CertificateError, @@ -30,34 +29,10 @@ def __getattr__(name: str) -> str: - dunder_to_metadata = { - "__version__": "version", - "__description__": "summary", - "__uri__": "", - "__url__": "", - "__email__": "", - } - if name not in dunder_to_metadata: - raise AttributeError(f"module {__name__} has no attribute {name}") - - import warnings - - from importlib.metadata import metadata - - warnings.warn( - f"Accessing service_identity.{name} is deprecated and will be " - "removed in a future release. Use importlib.metadata directly " - "to query packaging metadata.", - DeprecationWarning, - stacklevel=2, - ) - - meta = metadata("service-identity") - - if name in ("__uri__", "__url__"): - return meta["Project-URL"].split(" ", 1)[1] + if name != "__version__": + msg = f"module {__name__} has no attribute {name}" + raise AttributeError(msg) - if name == "__email__": - return meta["Author-email"].split("<", 1)[1].rstrip(">") + from importlib.metadata import version - return meta[dunder_to_metadata[name]] + return version("service-identity") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/src/service_identity/cryptography.py new/service-identity-24.2.0/src/service_identity/cryptography.py --- old/service-identity-24.1.0/src/service_identity/cryptography.py 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/src/service_identity/cryptography.py 2024-10-26 09:10:38.000000000 +0200 @@ -163,7 +163,8 @@ if isinstance(srv, IA5String): ids.append(SRVPattern.from_bytes(srv.asOctets())) else: # pragma: no cover - raise CertificateError("Unexpected certificate content.") + msg = "Unexpected certificate content." + raise CertificateError(msg) return ids diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/src/service_identity/hazmat.py new/service-identity-24.2.0/src/service_identity/hazmat.py --- old/service-identity-24.1.0/src/service_identity/hazmat.py 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/src/service_identity/hazmat.py 2024-10-26 09:10:38.000000000 +0200 @@ -51,9 +51,8 @@ if a pattern of the respective type is present. """ if not cert_patterns: - raise CertificateError( - "Certificate does not contain any `subjectAltName`s." - ) + msg = "Certificate does not contain any `subjectAltName`s." + raise CertificateError(msg) errors = [] matches = _find_matches(cert_patterns, obligatory_ids) + _find_matches( @@ -63,7 +62,9 @@ matched_ids = [match.service_id for match in matches] for i in obligatory_ids: if i not in matched_ids: - errors.append(i.error_on_mismatch(mismatched_id=i)) + errors.append( # noqa: PERF401 + i.error_on_mismatch(mismatched_id=i) + ) for i in optional_ids: # If an optional ID is not matched by a certificate pattern *but* there @@ -73,7 +74,9 @@ if i not in matched_ids and _contains_instance_of( cert_patterns, i.pattern_class ): - errors.append(i.error_on_mismatch(mismatched_id=i)) + errors.append( # noqa: PERF401 + i.error_on_mismatch(mismatched_id=i) + ) if errors: raise VerificationError(errors=errors) @@ -95,7 +98,10 @@ for sid in service_ids: for cid in cert_patterns: if sid.verify(cid): - matches.append(ServiceMatch(cert_pattern=cid, service_id=sid)) + matches.append( # noqa: PERF401 + ServiceMatch(cert_pattern=cid, service_id=sid) + ) + return matches @@ -121,9 +127,10 @@ try: int(pattern) - return True except ValueError: pass + else: + return True try: ipaddress.ip_address(pattern.replace("*", "1")) @@ -147,12 +154,14 @@ @classmethod def from_bytes(cls, pattern: bytes) -> DNSPattern: if not isinstance(pattern, bytes): - raise TypeError("The DNS pattern must be a bytes string.") + msg = "The DNS pattern must be a bytes string." + raise TypeError(msg) pattern = pattern.strip() if pattern == b"" or _is_ip_address(pattern) or b"\0" in pattern: - raise CertificateError(f"Invalid DNS pattern {pattern!r}.") + msg = f"Invalid DNS pattern {pattern!r}." + raise CertificateError(msg) pattern = pattern.translate(_TRANS_TO_LOWER) if b"*" in pattern: @@ -175,9 +184,8 @@ try: return cls(pattern=ipaddress.ip_address(bs)) except ValueError: - raise CertificateError( - f"Invalid IP address pattern {bs!r}." - ) from None + msg = f"Invalid IP address pattern {bs!r}." + raise CertificateError(msg) from None @attr.s(slots=True) @@ -194,12 +202,14 @@ @classmethod def from_bytes(cls, pattern: bytes) -> URIPattern: if not isinstance(pattern, bytes): - raise TypeError("The URI pattern must be a bytes string.") + msg = "The URI pattern must be a bytes string." + raise TypeError(msg) pattern = pattern.strip().translate(_TRANS_TO_LOWER) if b":" not in pattern or b"*" in pattern or _is_ip_address(pattern): - raise CertificateError(f"Invalid URI pattern {pattern!r}.") + msg = f"Invalid URI pattern {pattern!r}." + raise CertificateError(msg) protocol_pattern, hostname = pattern.split(b":") @@ -223,7 +233,8 @@ @classmethod def from_bytes(cls, pattern: bytes) -> SRVPattern: if not isinstance(pattern, bytes): - raise TypeError("The SRV pattern must be a bytes string.") + msg = "The SRV pattern must be a bytes string." + raise TypeError(msg) pattern = pattern.strip().translate(_TRANS_TO_LOWER) @@ -233,7 +244,8 @@ or b"*" in pattern or _is_ip_address(pattern) ): - raise CertificateError(f"Invalid SRV pattern {pattern!r}.") + msg = f"Invalid SRV pattern {pattern!r}." + raise CertificateError(msg) name, hostname = pattern.split(b".", 1) return cls( @@ -253,15 +265,12 @@ @runtime_checkable class ServiceID(Protocol): @property - def pattern_class(self) -> type[CertificatePattern]: - ... + def pattern_class(self) -> type[CertificatePattern]: ... @property - def error_on_mismatch(self) -> type[Mismatch]: - ... + def error_on_mismatch(self) -> type[Mismatch]: ... - def verify(self, pattern: CertificatePattern) -> bool: - ... + def verify(self, pattern: CertificatePattern) -> bool: ... @attr.s(init=False, slots=True) @@ -279,25 +288,27 @@ def __init__(self, hostname: str): if not isinstance(hostname, str): - raise TypeError("DNS-ID must be a text string.") + msg = "DNS-ID must be a text string." + raise TypeError(msg) hostname = hostname.strip() if not hostname or _is_ip_address(hostname): - raise ValueError("Invalid DNS-ID.") + msg = "Invalid DNS-ID." + raise ValueError(msg) if any(ord(c) > 127 for c in hostname): if idna: ascii_id = idna.encode(hostname) else: - raise ImportError( - "idna library is required for non-ASCII IDs." - ) + msg = "idna library is required for non-ASCII IDs." + raise ImportError(msg) else: ascii_id = hostname.encode("ascii") self.hostname = ascii_id.translate(_TRANS_TO_LOWER) if self._RE_LEGAL_CHARS.match(self.hostname) is None: - raise ValueError("Invalid DNS-ID.") + msg = "Invalid DNS-ID." + raise ValueError(msg) def verify(self, pattern: CertificatePattern) -> bool: """ @@ -346,11 +357,13 @@ def __init__(self, uri: str): if not isinstance(uri, str): - raise TypeError("URI-ID must be a text string.") + msg = "URI-ID must be a text string." + raise TypeError(msg) uri = uri.strip() if ":" not in uri or _is_ip_address(uri): - raise ValueError("Invalid URI-ID.") + msg = "Invalid URI-ID." + raise ValueError(msg) prot, hostname = uri.split(":") @@ -384,11 +397,13 @@ def __init__(self, srv: str): if not isinstance(srv, str): - raise TypeError("SRV-ID must be a text string.") + msg = "SRV-ID must be a text string." + raise TypeError(msg) srv = srv.strip() if "." not in srv or _is_ip_address(srv) or srv[0] != "_": - raise ValueError("Invalid SRV-ID.") + msg = "Invalid SRV-ID." + raise ValueError(msg) name, hostname = srv.split(".", 1) @@ -420,7 +435,7 @@ if actual_head.startswith(b"xn--"): return False - return cert_head == b"*" or cert_head == actual_head + return cert_head in (b"*", actual_head) return cert_pattern == actual_hostname @@ -432,25 +447,19 @@ """ cnt = cert_pattern.count(b"*") if cnt > 1: - raise CertificateError( - f"Certificate's DNS-ID {cert_pattern!r} contains too many wildcards." - ) + msg = f"Certificate's DNS-ID {cert_pattern!r} contains too many wildcards." + raise CertificateError(msg) parts = cert_pattern.split(b".") if len(parts) < 3: - raise CertificateError( - f"Certificate's DNS-ID {cert_pattern!r} has too few host components for " - "wildcard usage." - ) + msg = f"Certificate's DNS-ID {cert_pattern!r} has too few host components for wildcard usage." + raise CertificateError(msg) # We assume there will always be only one wildcard allowed. if b"*" not in parts[0]: - raise CertificateError( - "Certificate's DNS-ID {!r} has a wildcard outside the left-most " - "part.".format(cert_pattern) - ) + msg = f"Certificate's DNS-ID {cert_pattern!r} has a wildcard outside the left-most part." + raise CertificateError(msg) if any(not len(p) for p in parts): - raise CertificateError( - f"Certificate's DNS-ID {cert_pattern!r} contains empty parts." - ) + msg = f"Certificate's DNS-ID {cert_pattern!r} contains empty parts." + raise CertificateError(msg) # Ensure no locale magic interferes. diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/src/service_identity/pyopenssl.py new/service-identity-24.2.0/src/service_identity/pyopenssl.py --- old/service-identity-24.1.0/src/service_identity/pyopenssl.py 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/src/service_identity/pyopenssl.py 2024-10-26 09:10:38.000000000 +0200 @@ -9,20 +9,11 @@ from typing import Sequence -from pyasn1.codec.der.decoder import decode -from pyasn1.type.char import IA5String -from pyasn1.type.univ import ObjectIdentifier -from pyasn1_modules.rfc2459 import GeneralNames - -from .exceptions import CertificateError +from .cryptography import extract_patterns as _cryptography_extract_patterns from .hazmat import ( DNS_ID, CertificatePattern, - DNSPattern, IPAddress_ID, - IPAddressPattern, - SRVPattern, - URIPattern, verify_service_identity, ) @@ -105,9 +96,6 @@ ) -ID_ON_DNS_SRV = ObjectIdentifier("1.3.6.1.5.5.7.8.7") # id_on_dnsSRV - - def extract_patterns(cert: X509) -> Sequence[CertificatePattern]: """ Extract all valid ID patterns from a certificate for service verification. @@ -121,44 +109,7 @@ .. versionchanged:: 23.1.0 ``commonName`` is not used as a fallback anymore. """ - ids: list[CertificatePattern] = [] - for i in range(cert.get_extension_count()): - ext = cert.get_extension(i) - if ext.get_short_name() == b"subjectAltName": - names, _ = decode(ext.get_data(), asn1Spec=GeneralNames()) - for n in names: - name_string = n.getName() - if name_string == "dNSName": - ids.append( - DNSPattern.from_bytes(n.getComponent().asOctets()) - ) - elif name_string == "iPAddress": - ids.append( - IPAddressPattern.from_bytes( - n.getComponent().asOctets() - ) - ) - elif name_string == "uniformResourceIdentifier": - ids.append( - URIPattern.from_bytes(n.getComponent().asOctets()) - ) - elif name_string == "otherName": - comp = n.getComponent() - oid = comp.getComponentByPosition(0) - if oid == ID_ON_DNS_SRV: - srv, _ = decode(comp.getComponentByPosition(1)) - if isinstance(srv, IA5String): - ids.append(SRVPattern.from_bytes(srv.asOctets())) - else: # pragma: no cover - raise CertificateError( - "Unexpected certificate content." - ) - else: # pragma: no cover - pass - else: # pragma: no cover - pass - - return ids + return _cryptography_extract_patterns(cert.to_cryptography()) def extract_ids(cert: X509) -> Sequence[CertificatePattern]: diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/tests/constraints/oldest-pyopenssl.txt new/service-identity-24.2.0/tests/constraints/oldest-pyopenssl.txt --- old/service-identity-24.1.0/tests/constraints/oldest-pyopenssl.txt 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/tests/constraints/oldest-pyopenssl.txt 2024-10-26 09:10:38.000000000 +0200 @@ -1,3 +1,3 @@ attrs==19.1.0 cryptography<35 -pyOpenSSL==17.0.0 +pyOpenSSL==17.1.0 diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/tests/test_hazmat.py new/service-identity-24.2.0/tests/test_hazmat.py --- old/service-identity-24.1.0/tests/test_hazmat.py 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/tests/test_hazmat.py 2024-10-26 09:10:38.000000000 +0200 @@ -699,11 +699,11 @@ """ The __str__ and __repr__ methods return something helpful. """ - try: + with pytest.raises(VerificationError) as ei: raise VerificationError(errors=["foo"]) - except VerificationError as e: - assert repr(e) == str(e) - assert str(e) != "" + + assert repr(ei.value) == str(ei.value) + assert str(ei.value) != "" @pytest.mark.parametrize("proto", range(pickle.HIGHEST_PROTOCOL + 1)) @pytest.mark.parametrize( diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/tests/test_packaging.py new/service-identity-24.2.0/tests/test_packaging.py --- old/service-identity-24.1.0/tests/test_packaging.py 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/tests/test_packaging.py 2024-10-26 09:10:38.000000000 +0200 @@ -10,38 +10,10 @@ """ service_identity.__version__ returns the correct version. """ - with pytest.deprecated_call(): - assert ( - metadata.version("service-identity") - == service_identity.__version__ - ) - - def test_description(self): - """ - service_identity.__description__ returns the correct description. - """ - with pytest.deprecated_call(): - assert ( - "Service identity verification for pyOpenSSL & cryptography." - == service_identity.__description__ - ) - - @pytest.mark.parametrize("name", ["uri", "url"]) - def test_uri(self, name): - """ - service_identity.__uri__ & __url__ return the correct project URL. - """ - with pytest.deprecated_call(): - assert "https://service-identity.readthedocs.io/" == getattr( - service_identity, f"__{name}__" - ) - - def test_email(self): - """ - service_identity.__email__ returns Hynek's email address. - """ - with pytest.deprecated_call(): - assert "hs@ox.cx" == service_identity.__email__ + assert ( + metadata.version("service-identity") + == service_identity.__version__ + ) def test_does_not_exist(self): """ diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/tests/typing/api.py new/service-identity-24.2.0/tests/typing/api.py --- old/service-identity-24.1.0/tests/typing/api.py 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/tests/typing/api.py 2024-10-26 09:10:38.000000000 +0200 @@ -20,9 +20,9 @@ backend = default_backend() c_cert = load_pem_x509_certificate("foo.pem", backend) -c_ids: Sequence[ - service_identity.hazmat.CertificatePattern -] = service_identity.cryptography.extract_patterns(c_cert) +c_ids: Sequence[service_identity.hazmat.CertificatePattern] = ( + service_identity.cryptography.extract_patterns(c_cert) +) service_identity.cryptography.verify_certificate_hostname( c_cert, "example.com" ) @@ -36,8 +36,8 @@ p_cert = conn.get_peer_certificate() assert p_cert -p_ids: Sequence[ - service_identity.hazmat.CertificatePattern -] = service_identity.pyopenssl.extract_patterns(p_cert) +p_ids: Sequence[service_identity.hazmat.CertificatePattern] = ( + service_identity.pyopenssl.extract_patterns(p_cert) +) service_identity.pyopenssl.verify_hostname(conn, "example.com") service_identity.pyopenssl.verify_ip_address(conn, "127.0.0.1") diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn' '--exclude=.svnignore' old/service-identity-24.1.0/tox.ini new/service-identity-24.2.0/tox.ini --- old/service-identity-24.1.0/tox.ini 2024-01-14 08:05:19.000000000 +0100 +++ new/service-identity-24.2.0/tox.ini 2024-10-26 09:10:38.000000000 +0200 @@ -4,8 +4,7 @@ lint, mypy-{api,pkg}, docs, - pypy3{,-pyopenssl-latest-idna}, - py3{8,9,10,11,12}{,-pyopenssl}{,-oldest}{,-idna}, + py3{8,9,10,11,12,13}{,-pyopenssl}{,-oldest}{,-idna}, coverage-report @@ -40,7 +39,7 @@ [testenv:lint] skip_install = true -deps = pre-commit +deps = pre-commit-uv commands = pre-commit run --all-files {posargs}