Apply assorted ruff rules (#12988)

* Apply ruff/flake8-comprehensions rule C420

C420 Unnecessary dict comprehension for iterable; use `dict.fromkeys` instead

* Apply ruff/flake8-pie rule PIE810

PIE810 Call `startswith` once with a `tuple`

* Apply ruff/flake8-pyi rule PYI009

PYI009 Empty body should contain `...`, not `pass`

* Apply ruff/flake8-pytest-style rule PT006

PT006 Wrong type passed to first argument of `pytest.mark.parametrize`; expected `str`

* Apply ruff/flake8-simplify rule SIM103

SIM103 Return the condition directly

* Apply ruff/Perflint rule PERF401

PERF401 Use `list.extend` to create a transformed list

* Apply ruff/pygrep-hooks rule PGH003

PGH003 Use specific rule codes when ignoring type issues

* Apply ruff/Pylint rule PLR5501

PLR5501 Use `elif` instead of `else` then `if`, to reduce indentation

* Apply ruff/refurb rule FURB136

FURB136 Replace `x if x < y else y` with `min(x, y)`

* Address new flake8 issue

Need type annotation for "tags" (hint: "tags: List[<type>] = ...")  [var-annotated]

* Revert "Apply ruff/Perflint rule PERF401"

This reverts commit 69d4725.

Author: DimitriPapadopoulos

.github/bin/merge_rust_coverage.py

@@ -81,7 +81,7 @@ def main(*lcov_paths: str):
     }
     coverage_data.add_arcs(covered_lines)
     coverage_data.add_file_tracers(
-        {file_name: "None.RustCoveragePlugin" for file_name in covered_lines}
+        dict.fromkeys(covered_lines, "None.RustCoveragePlugin")
     )
     coverage_data.write()
 

src/cryptography/hazmat/backends/openssl/backend.py

@@ -260,9 +260,7 @@ def dh_x942_serialization_supported(self) -> bool:
         return self._lib.Cryptography_HAS_EVP_PKEY_DHX == 1
 
     def x25519_supported(self) -> bool:
-        if self._fips_enabled:
-            return False
-        return True
+        return not self._fips_enabled
 
     def x448_supported(self) -> bool:
         if self._fips_enabled:
@@ -274,9 +272,7 @@ def x448_supported(self) -> bool:
         )
 
     def ed25519_supported(self) -> bool:
-        if self._fips_enabled:
-            return False
-        return True
+        return not self._fips_enabled
 
     def ed448_supported(self) -> bool:
         if self._fips_enabled:
@@ -294,9 +290,7 @@ def ecdsa_deterministic_supported(self) -> bool:
         )
 
     def poly1305_supported(self) -> bool:
-        if self._fips_enabled:
-            return False
-        return True
+        return not self._fips_enabled
 
     def pkcs7_supported(self) -> bool:
         return (

src/cryptography/hazmat/bindings/_rust/x509.pyi

@@ -298,5 +298,4 @@ class ServerVerifier:
 class Store:
     def __init__(self, certs: list[x509.Certificate]) -> None: ...
 
-class VerificationError(Exception):
-    pass
+class VerificationError(Exception): ...

src/cryptography/hazmat/primitives/kdf/kbkdf.py

@@ -117,9 +117,7 @@ def _valid_byte_length(value: int) -> bool:
             raise TypeError("value must be of type int")
 
         value_bin = utils.int_to_bytes(1, value)
-        if not 1 <= len(value_bin) <= 4:
-            return False
-        return True
+        return 1 <= len(value_bin) <= 4
 
     def derive(
         self, key_material: utils.Buffer, prf_output_size: int

src/cryptography/x509/name.py

@@ -144,9 +144,8 @@ def __init__(
                 )
             if not isinstance(value, bytes):
                 raise TypeError("value must be bytes for BitString")
-        else:
-            if not isinstance(value, str):
-                raise TypeError("value argument must be a str")
+        elif not isinstance(value, str):
+            raise TypeError("value argument must be a str")
 
         length_limits = _NAMEOID_LENGTH_LIMIT.get(oid)
         if length_limits is not None:

tests/hazmat/primitives/test_kbkdf.py

@@ -299,7 +299,7 @@ def test_keyword_only_break_location(self, backend):
                 None,
                 backend,
                 0,  # break_location
-            )  # type: ignore
+            )  # type: ignore[misc]
 
     def test_invalid_break_location(self, backend):
         with pytest.raises(
@@ -770,7 +770,7 @@ def test_keyword_only_break_location(self, backend):
                 None,
                 backend,
                 0,  # break_location
-            )  # type: ignore
+            )  # type: ignore[misc]
 
     def test_invalid_break_location(self, backend):
         with pytest.raises(

tests/hazmat/primitives/test_ssh.py

@@ -160,17 +160,17 @@ def run_partial_pubkey(self, pubdata, backend):
                 load_ssh_public_key(new_pub, backend)
 
     @pytest.mark.parametrize(
-        ("key_file",),
+        "key_file",
         [
-            ("rsa-nopsw.key",),
-            ("rsa-psw.key",),
-            ("dsa-nopsw.key",),
-            ("dsa-psw.key",),
-            ("ecdsa-nopsw.key",),
-            ("ecdsa-psw.key",),
-            ("ed25519-nopsw.key",),
-            ("ed25519-psw.key",),
-            ("ed25519-aesgcm-psw.key",),
+            "rsa-nopsw.key",
+            "rsa-psw.key",
+            "dsa-nopsw.key",
+            "dsa-psw.key",
+            "ecdsa-nopsw.key",
+            "ecdsa-psw.key",
+            "ed25519-nopsw.key",
+            "ed25519-psw.key",
+            "ed25519-aesgcm-psw.key",
         ],
     )
     def test_load_ssh_private_key(self, key_file, backend):

tests/hazmat/primitives/test_xofhash.py

@@ -98,7 +98,7 @@ def test_shake128_variable(self, backend, subtests):
                 data = b""
                 stride = random.randint(1, 128)
                 while remaining > 0:
-                    stride = remaining if remaining < stride else stride
+                    stride = min(stride, remaining)
                     data += m.squeeze(stride)
                     remaining -= stride
                 assert data == binascii.unhexlify(vector["output"])
@@ -126,7 +126,7 @@ def test_shake256_variable(self, backend, subtests):
                 data = b""
                 stride = random.randint(1, 128)
                 while remaining > 0:
-                    stride = remaining if remaining < stride else stride
+                    stride = min(stride, remaining)
                     data += m.squeeze(stride)
                     remaining -= stride
                 assert data == binascii.unhexlify(vector["output"])

tests/utils.py

@@ -120,7 +120,7 @@ def load_hash_vectors(vector_data):
     for line in vector_data:
         line = line.strip()
 
-        if not line or line.startswith("#") or line.startswith("["):
+        if not line or line.startswith(("#", "[")):
             continue
 
         if line.startswith("Len"):
@@ -133,7 +133,7 @@ def load_hash_vectors(vector_data):
             # string as hex 00, which is of course not actually an empty
             # string. So we parse the provided length and catch this edge case.
             msg = line.split(" = ")[1].encode("ascii") if length > 0 else b""
-        elif line.startswith("MD") or line.startswith("Output"):
+        elif line.startswith(("MD", "Output")):
             md = line.split(" = ")[1]
             # after MD is found the Msg+MD (+ potential key) tuple is complete
             if key is not None:
@@ -162,10 +162,8 @@ def load_pkcs1_vectors(vector_data):
     examples = []
     vectors = []
     for line in vector_data:
-        if (
-            line.startswith("# PSS Example")
-            or line.startswith("# OAEP Example")
-            or line.startswith("# PKCS#1 v1.5")
+        if line.startswith(
+            ("# PSS Example", "# OAEP Example", "# PKCS#1 v1.5")
         ):
             if example_vector:
                 for key, value in example_vector.items():
@@ -202,13 +200,12 @@ def load_pkcs1_vectors(vector_data):
             attr = None
         elif example_vector and line.startswith("#"):
             continue
-        else:
-            if attr is not None and example_vector is not None:
-                example_vector[attr].append(line.strip())
-                continue
+        elif attr is not None and example_vector is not None:
+            example_vector[attr].append(line.strip())
+            continue
 
-        if line.startswith("# Example") or line.startswith(
-            "# ============================================="
+        if line.startswith(
+            ("# Example", "# =============================================")
         ):
             if key:
                 assert private_key_vector
@@ -271,9 +268,8 @@ def load_pkcs1_vectors(vector_data):
             attr = "iqmp"
         elif line.startswith("#"):
             attr = None
-        else:
-            if key is not None and attr is not None:
-                key[attr].append(line.strip())
+        elif key is not None and attr is not None:
+            key[attr].append(line.strip())
     return vectors
 
 
@@ -343,7 +339,7 @@ def load_fips_dsa_key_pair_vectors(vector_data):
     for line in vector_data:
         line = line.strip()
 
-        if not line or line.startswith("#") or line.startswith("[mod"):
+        if not line or line.startswith(("#", "[mod")):
             continue
 
         if line.startswith("P"):
@@ -607,7 +603,7 @@ def load_kasvs_ecdh_vectors(vector_data):
         "P-521": "secp521r1",
     }
 
-    tags = []
+    tags: typing.List[str] = []
     sets = {}
     vectors = []
 
@@ -720,7 +716,7 @@ def load_rfc6979_vectors(vector_data):
                 reading_key = False
                 current_key_name = None
 
-        if line.startswith("PrivateKey=") or line.startswith("PublicKey="):
+        if line.startswith(("PrivateKey=", "PublicKey=")):
             reading_key = True
             current_key_name = line.split("=")[1].strip()
             keys[current_key_name] = []

tests/wycheproof/test_rsa.py

@@ -279,19 +279,18 @@ def test_rsa_pkcs1_encryption(backend, wycheproof):
             binascii.unhexlify(wycheproof.testcase["ct"]), padding.PKCS1v15()
         )
         assert pt == binascii.unhexlify(wycheproof.testcase["msg"])
+    elif backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION:
+        try:
+            assert key.decrypt(
+                binascii.unhexlify(wycheproof.testcase["ct"]),
+                padding.PKCS1v15(),
+            ) != binascii.unhexlify(wycheproof.testcase["ct"])
+        except ValueError:
+            # Some raise ValueError due to length mismatch.
+            pass
     else:
-        if backend._lib.Cryptography_HAS_IMPLICIT_RSA_REJECTION:
-            try:
-                assert key.decrypt(
-                    binascii.unhexlify(wycheproof.testcase["ct"]),
-                    padding.PKCS1v15(),
-                ) != binascii.unhexlify(wycheproof.testcase["ct"])
-            except ValueError:
-                # Some raise ValueError due to length mismatch.
-                pass
-        else:
-            with pytest.raises(ValueError):
-                key.decrypt(
-                    binascii.unhexlify(wycheproof.testcase["ct"]),
-                    padding.PKCS1v15(),
-                )
+        with pytest.raises(ValueError):
+            key.decrypt(
+                binascii.unhexlify(wycheproof.testcase["ct"]),
+                padding.PKCS1v15(),
+            )