Fix typechecker problems exposed by signedjson 1.1.2 (#12326)
David Robertson
GitHub
parent
1f32b90b0f
commit
e0bb268134
|
|
@ -0,0 +1 @@
|
||||||
|
Fix typechecker problems exposed by signedjson 1.1.2.
|
||||||
3
mypy.ini
3
mypy.ini
|
|
@ -273,6 +273,9 @@ ignore_missing_imports = True
|
||||||
[mypy-ijson.*]
|
[mypy-ijson.*]
|
||||||
ignore_missing_imports = True
|
ignore_missing_imports = True
|
||||||
|
|
||||||
|
[mypy-importlib_metadata.*]
|
||||||
|
ignore_missing_imports = True
|
||||||
|
|
||||||
[mypy-jaeger_client.*]
|
[mypy-jaeger_client.*]
|
||||||
ignore_missing_imports = True
|
ignore_missing_imports = True
|
||||||
|
|
||||||
|
|
|
||||||
|
|
@ -16,7 +16,7 @@
|
||||||
import hashlib
|
import hashlib
|
||||||
import logging
|
import logging
|
||||||
import os
|
import os
|
||||||
from typing import Any, Dict, Iterator, List, Optional
|
from typing import TYPE_CHECKING, Any, Dict, Iterator, List, Optional
|
||||||
|
|
||||||
import attr
|
import attr
|
||||||
import jsonschema
|
import jsonschema
|
||||||
|
|
@ -38,6 +38,9 @@ from synapse.util.stringutils import random_string, random_string_with_symbols
|
||||||
|
|
||||||
from ._base import Config, ConfigError
|
from ._base import Config, ConfigError
|
||||||
|
|
||||||
|
if TYPE_CHECKING:
|
||||||
|
from signedjson.key import VerifyKeyWithExpiry
|
||||||
|
|
||||||
INSECURE_NOTARY_ERROR = """\
|
INSECURE_NOTARY_ERROR = """\
|
||||||
Your server is configured to accept key server responses without signature
|
Your server is configured to accept key server responses without signature
|
||||||
validation or TLS certificate validation. This is likely to be very insecure. If
|
validation or TLS certificate validation. This is likely to be very insecure. If
|
||||||
|
|
@ -300,7 +303,7 @@ class KeyConfig(Config):
|
||||||
|
|
||||||
def read_old_signing_keys(
|
def read_old_signing_keys(
|
||||||
self, old_signing_keys: Optional[JsonDict]
|
self, old_signing_keys: Optional[JsonDict]
|
||||||
) -> Dict[str, VerifyKey]:
|
) -> Dict[str, "VerifyKeyWithExpiry"]:
|
||||||
if old_signing_keys is None:
|
if old_signing_keys is None:
|
||||||
return {}
|
return {}
|
||||||
keys = {}
|
keys = {}
|
||||||
|
|
@ -308,8 +311,8 @@ class KeyConfig(Config):
|
||||||
if is_signing_algorithm_supported(key_id):
|
if is_signing_algorithm_supported(key_id):
|
||||||
key_base64 = key_data["key"]
|
key_base64 = key_data["key"]
|
||||||
key_bytes = decode_base64(key_base64)
|
key_bytes = decode_base64(key_base64)
|
||||||
verify_key = decode_verify_key_bytes(key_id, key_bytes)
|
verify_key: "VerifyKeyWithExpiry" = decode_verify_key_bytes(key_id, key_bytes) # type: ignore[assignment]
|
||||||
verify_key.expired_ts = key_data["expired_ts"]
|
verify_key.expired = key_data["expired_ts"]
|
||||||
keys[key_id] = verify_key
|
keys[key_id] = verify_key
|
||||||
else:
|
else:
|
||||||
raise ConfigError(
|
raise ConfigError(
|
||||||
|
|
@ -422,7 +425,7 @@ def _parse_key_servers(
|
||||||
server_name = server["server_name"]
|
server_name = server["server_name"]
|
||||||
result = TrustedKeyServer(server_name=server_name)
|
result = TrustedKeyServer(server_name=server_name)
|
||||||
|
|
||||||
verify_keys = server.get("verify_keys")
|
verify_keys: Optional[Dict[str, str]] = server.get("verify_keys")
|
||||||
if verify_keys is not None:
|
if verify_keys is not None:
|
||||||
result.verify_keys = {}
|
result.verify_keys = {}
|
||||||
for key_id, key_base64 in verify_keys.items():
|
for key_id, key_base64 in verify_keys.items():
|
||||||
|
|
|
||||||
|
|
@ -176,7 +176,7 @@ class Keyring:
|
||||||
self._local_verify_keys: Dict[str, FetchKeyResult] = {}
|
self._local_verify_keys: Dict[str, FetchKeyResult] = {}
|
||||||
for key_id, key in hs.config.key.old_signing_keys.items():
|
for key_id, key in hs.config.key.old_signing_keys.items():
|
||||||
self._local_verify_keys[key_id] = FetchKeyResult(
|
self._local_verify_keys[key_id] = FetchKeyResult(
|
||||||
verify_key=key, valid_until_ts=key.expired_ts
|
verify_key=key, valid_until_ts=key.expired
|
||||||
)
|
)
|
||||||
|
|
||||||
vk = get_verify_key(hs.signing_key)
|
vk = get_verify_key(hs.signing_key)
|
||||||
|
|
|
||||||
|
|
@ -15,7 +15,7 @@ import logging
|
||||||
from typing import TYPE_CHECKING, Any, Dict, List, Optional, Tuple, Union
|
from typing import TYPE_CHECKING, Any, Dict, List, Optional, Tuple, Union
|
||||||
|
|
||||||
import attr
|
import attr
|
||||||
from nacl.signing import SigningKey
|
from signedjson.types import SigningKey
|
||||||
|
|
||||||
from synapse.api.constants import MAX_DEPTH
|
from synapse.api.constants import MAX_DEPTH
|
||||||
from synapse.api.room_versions import (
|
from synapse.api.room_versions import (
|
||||||
|
|
|
||||||
|
|
@ -76,17 +76,17 @@ class LocalKey(Resource):
|
||||||
|
|
||||||
def response_json_object(self) -> JsonDict:
|
def response_json_object(self) -> JsonDict:
|
||||||
verify_keys = {}
|
verify_keys = {}
|
||||||
for key in self.config.key.signing_key:
|
for signing_key in self.config.key.signing_key:
|
||||||
verify_key_bytes = key.verify_key.encode()
|
verify_key_bytes = signing_key.verify_key.encode()
|
||||||
key_id = "%s:%s" % (key.alg, key.version)
|
key_id = "%s:%s" % (signing_key.alg, signing_key.version)
|
||||||
verify_keys[key_id] = {"key": encode_base64(verify_key_bytes)}
|
verify_keys[key_id] = {"key": encode_base64(verify_key_bytes)}
|
||||||
|
|
||||||
old_verify_keys = {}
|
old_verify_keys = {}
|
||||||
for key_id, key in self.config.key.old_signing_keys.items():
|
for key_id, old_signing_key in self.config.key.old_signing_keys.items():
|
||||||
verify_key_bytes = key.encode()
|
verify_key_bytes = old_signing_key.encode()
|
||||||
old_verify_keys[key_id] = {
|
old_verify_keys[key_id] = {
|
||||||
"key": encode_base64(verify_key_bytes),
|
"key": encode_base64(verify_key_bytes),
|
||||||
"expired_ts": key.expired_ts,
|
"expired_ts": old_signing_key.expired,
|
||||||
}
|
}
|
||||||
|
|
||||||
json_object = {
|
json_object = {
|
||||||
|
|
|
||||||
|
|
@ -13,7 +13,7 @@
|
||||||
# limitations under the License.
|
# limitations under the License.
|
||||||
|
|
||||||
import logging
|
import logging
|
||||||
from typing import TYPE_CHECKING, Dict
|
from typing import TYPE_CHECKING, Dict, Set
|
||||||
|
|
||||||
from signedjson.sign import sign_json
|
from signedjson.sign import sign_json
|
||||||
|
|
||||||
|
|
@ -149,7 +149,7 @@ class RemoteKey(DirectServeJsonResource):
|
||||||
|
|
||||||
cached = await self.store.get_server_keys_json(store_queries)
|
cached = await self.store.get_server_keys_json(store_queries)
|
||||||
|
|
||||||
json_results = set()
|
json_results: Set[bytes] = set()
|
||||||
|
|
||||||
time_now_ms = self.clock.time_msec()
|
time_now_ms = self.clock.time_msec()
|
||||||
|
|
||||||
|
|
@ -234,8 +234,8 @@ class RemoteKey(DirectServeJsonResource):
|
||||||
await self.query_keys(request, query, query_remote_on_cache_miss=False)
|
await self.query_keys(request, query, query_remote_on_cache_miss=False)
|
||||||
else:
|
else:
|
||||||
signed_keys = []
|
signed_keys = []
|
||||||
for key_json in json_results:
|
for key_json_raw in json_results:
|
||||||
key_json = json_decoder.decode(key_json.decode("utf-8"))
|
key_json = json_decoder.decode(key_json_raw.decode("utf-8"))
|
||||||
for signing_key in self.config.key.key_server_signing_keys:
|
for signing_key in self.config.key.key_server_signing_keys:
|
||||||
key_json = sign_json(
|
key_json = sign_json(
|
||||||
key_json, self.config.server.server_name, signing_key
|
key_json, self.config.server.server_name, signing_key
|
||||||
|
|
|
||||||
|
|
@ -28,8 +28,8 @@ from tests import unittest
|
||||||
SIGNING_KEY_SEED = decode_base64("YJDBA9Xnr2sVqXD9Vj7XVUnmFZcZrlw8Md7kMW+3XA1")
|
SIGNING_KEY_SEED = decode_base64("YJDBA9Xnr2sVqXD9Vj7XVUnmFZcZrlw8Md7kMW+3XA1")
|
||||||
|
|
||||||
KEY_ALG = "ed25519"
|
KEY_ALG = "ed25519"
|
||||||
KEY_VER = 1
|
KEY_VER = "1"
|
||||||
KEY_NAME = "%s:%d" % (KEY_ALG, KEY_VER)
|
KEY_NAME = "%s:%s" % (KEY_ALG, KEY_VER)
|
||||||
|
|
||||||
HOSTNAME = "domain"
|
HOSTNAME = "domain"
|
||||||
|
|
||||||
|
|
@ -39,7 +39,7 @@ class EventSigningTestCase(unittest.TestCase):
|
||||||
# NB: `signedjson` expects `nacl.signing.SigningKey` instances which have been
|
# NB: `signedjson` expects `nacl.signing.SigningKey` instances which have been
|
||||||
# monkeypatched to include new `alg` and `version` attributes. This is captured
|
# monkeypatched to include new `alg` and `version` attributes. This is captured
|
||||||
# by the `signedjson.types.SigningKey` protocol.
|
# by the `signedjson.types.SigningKey` protocol.
|
||||||
self.signing_key: signedjson.types.SigningKey = nacl.signing.SigningKey(
|
self.signing_key: signedjson.types.SigningKey = nacl.signing.SigningKey( # type: ignore[assignment]
|
||||||
SIGNING_KEY_SEED
|
SIGNING_KEY_SEED
|
||||||
)
|
)
|
||||||
self.signing_key.alg = KEY_ALG
|
self.signing_key.alg = KEY_ALG
|
||||||
|
|
|
||||||
|
|
@ -76,7 +76,7 @@ class BaseRemoteKeyResourceTestCase(unittest.HomeserverTestCase):
|
||||||
"verify_keys": {
|
"verify_keys": {
|
||||||
key_id: {
|
key_id: {
|
||||||
"key": signedjson.key.encode_verify_key_base64(
|
"key": signedjson.key.encode_verify_key_base64(
|
||||||
signing_key.verify_key
|
signedjson.key.get_verify_key(signing_key)
|
||||||
)
|
)
|
||||||
}
|
}
|
||||||
},
|
},
|
||||||
|
|
@ -175,7 +175,7 @@ class EndToEndPerspectivesTests(BaseRemoteKeyResourceTestCase):
|
||||||
% (
|
% (
|
||||||
self.hs_signing_key.version,
|
self.hs_signing_key.version,
|
||||||
): signedjson.key.encode_verify_key_base64(
|
): signedjson.key.encode_verify_key_base64(
|
||||||
self.hs_signing_key.verify_key
|
signedjson.key.get_verify_key(self.hs_signing_key)
|
||||||
)
|
)
|
||||||
},
|
},
|
||||||
}
|
}
|
||||||
|
|
@ -229,7 +229,9 @@ class EndToEndPerspectivesTests(BaseRemoteKeyResourceTestCase):
|
||||||
assert isinstance(keyres, FetchKeyResult)
|
assert isinstance(keyres, FetchKeyResult)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
signedjson.key.encode_verify_key_base64(keyres.verify_key),
|
signedjson.key.encode_verify_key_base64(keyres.verify_key),
|
||||||
signedjson.key.encode_verify_key_base64(testkey.verify_key),
|
signedjson.key.encode_verify_key_base64(
|
||||||
|
signedjson.key.get_verify_key(testkey)
|
||||||
|
),
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_get_notary_key(self) -> None:
|
def test_get_notary_key(self) -> None:
|
||||||
|
|
@ -251,7 +253,9 @@ class EndToEndPerspectivesTests(BaseRemoteKeyResourceTestCase):
|
||||||
assert isinstance(keyres, FetchKeyResult)
|
assert isinstance(keyres, FetchKeyResult)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
signedjson.key.encode_verify_key_base64(keyres.verify_key),
|
signedjson.key.encode_verify_key_base64(keyres.verify_key),
|
||||||
signedjson.key.encode_verify_key_base64(testkey.verify_key),
|
signedjson.key.encode_verify_key_base64(
|
||||||
|
signedjson.key.get_verify_key(testkey)
|
||||||
|
),
|
||||||
)
|
)
|
||||||
|
|
||||||
def test_get_notary_keyserver_key(self) -> None:
|
def test_get_notary_keyserver_key(self) -> None:
|
||||||
|
|
@ -268,5 +272,7 @@ class EndToEndPerspectivesTests(BaseRemoteKeyResourceTestCase):
|
||||||
assert isinstance(keyres, FetchKeyResult)
|
assert isinstance(keyres, FetchKeyResult)
|
||||||
self.assertEqual(
|
self.assertEqual(
|
||||||
signedjson.key.encode_verify_key_base64(keyres.verify_key),
|
signedjson.key.encode_verify_key_base64(keyres.verify_key),
|
||||||
signedjson.key.encode_verify_key_base64(self.hs_signing_key.verify_key),
|
signedjson.key.encode_verify_key_base64(
|
||||||
|
signedjson.key.get_verify_key(self.hs_signing_key)
|
||||||
|
),
|
||||||
)
|
)
|
||||||
|
|
|
||||||
Loading…
Reference in New Issue