treewide: ratchet down typing, move mypy config to pyproject (sigstore#85)

woodruffw · web-flow · commit fa5717d19f90 · 2022-05-11T14:00:54.000-04:00
* treewide: ratchet down typing, move mypy config to pyproject

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;

* rekor/client: don't rename kwargs

This makes Pydantic unhappy.

Signed-off-by: William Woodruff &lt;william@trailofbits.com&gt;
diff --git a/Makefile b/Makefile
@@ -47,7 +47,7 @@ lint:
 		black $(ALL_PY_SRCS) && \
 		isort $(ALL_PY_SRCS) && \
 		flake8 $(ALL_PY_SRCS) && \
-		mypy $(PY_MODULE) test/ \
+		mypy $(PY_MODULE) \
 # TODO: Reenable interrogate
 #		interrogate -v -c pyproject.toml . && \
 #	        git diff --exit-code
diff --git a/mypy.ini b/mypy.ini
diff --git a/pyproject.toml b/pyproject.toml
@@ -79,3 +79,21 @@ omit = ["sigstore/_cli.py"]
 exclude = ["setup.py", "env", "test", "sigstore/_cli.py", "sigstore/_version.py"]
 ignore-semiprivate = true
 fail-under = 100
+
+[tool.mypy]
+allow_redefinition = true
+check_untyped_defs = true
+disallow_incomplete_defs = true
+disallow_untyped_defs = true
+ignore_missing_imports = true
+no_implicit_optional = true
+show_error_codes = true
+strict_equality = true
+warn_no_return = true
+warn_redundant_casts = true
+warn_return_any = true
+warn_unreachable = true
+warn_unused_configs = true
+warn_unused_ignores = true
+
+plugins = ["pydantic.mypy"]
diff --git a/sigstore/_cli.py b/sigstore/_cli.py
@@ -14,6 +14,7 @@
 
 import logging
 from importlib import resources
+from typing import BinaryIO, List, Optional
 
 import click
 
@@ -29,7 +30,7 @@
 
 @click.group()
 @click.version_option(version=__version__)
-def main():
+def main() -> None:
     pass
 
 
@@ -87,14 +88,14 @@ def main():
     required=True,
 )
 def _sign(
-    files,
-    identity_token,
-    ctfe_pem,
-    oidc_client_id,
-    oidc_client_secret,
-    oidc_issuer,
-    oidc_disable_ambient_providers,
-):
+    files: List[BinaryIO],
+    identity_token: Optional[str],
+    ctfe_pem: BinaryIO,
+    oidc_client_id: str,
+    oidc_client_secret: str,
+    oidc_issuer: str,
+    oidc_disable_ambient_providers: bool,
+) -> None:
     # The order of precedence is as follows:
     #
     # 1) Explicitly supplied identity token
@@ -136,7 +137,12 @@ def _sign(
 @click.argument(
     "files", metavar="FILE [FILE ...]", type=click.File("rb"), nargs=-1, required=True
 )
-def _verify(files, certificate_path, signature_path, cert_email):
+def _verify(
+    files: List[BinaryIO],
+    certificate_path: BinaryIO,
+    signature_path: BinaryIO,
+    cert_email: Optional[str],
+) -> None:
     # Load the signing certificate
     logger.debug(f"Using certificate from: {certificate_path.name}")
     certificate = certificate_path.read()
diff --git a/sigstore/_internal/fulcio/_client.py b/sigstore/_internal/fulcio/_client.py
@@ -122,7 +122,7 @@ def __init__(self, b64_encoded_sct: str):
         self.signature: bytes = digitally_signed[4:]
 
     @property
-    def version(self):
+    def version(self) -> Version:
         return self._version
 
     @property
diff --git a/sigstore/_internal/oidc/oauth.py b/sigstore/_internal/oidc/oauth.py
@@ -21,7 +21,7 @@
 import urllib.parse
 import uuid
 import webbrowser
-from typing import Dict, List, Optional, cast
+from typing import Any, Dict, List, Optional, cast
 
 import requests
 
@@ -40,10 +40,10 @@
 
 
 class RedirectHandler(http.server.BaseHTTPRequestHandler):
-    def log_message(self, format, *args):
+    def log_message(self, _format: str, *_args: Any) -> None:
         pass
 
-    def do_GET(self):
+    def do_GET(self) -> None:
         server = cast(RedirectServer, self.server)
         r = urllib.parse.urlsplit(self.path)
 
@@ -56,7 +56,7 @@ def do_GET(self):
             self.end_headers()
             self.wfile.write(body)
             server.auth_response = urllib.parse.parse_qs(r.query)
-            return
+            return None
 
         # Any other request generates an auth request
         url = server.auth_request()
diff --git a/sigstore/_internal/rekor/_client.py b/sigstore/_internal/rekor/_client.py
@@ -41,11 +41,11 @@ class RekorEntry:
     raw_data: dict
 
     @classmethod
-    def from_response(cls, dict_) -> RekorEntry:
+    def from_response(cls, dict_: Dict[str, Any]) -> RekorEntry:
         # Assumes we only get one entry back
         entries = list(dict_.items())
         if len(entries) != 1:
-            raise RekorClientError("Recieved multiple entries in response")
+            raise RekorClientError("Received multiple entries in response")
 
         uuid, entry = entries[0]
 
@@ -67,19 +67,21 @@ class RekorInclusionProof(BaseModel):
     hashes: List[str] = Field(..., alias="hashes")
 
     @validator("log_index")
-    def log_index_positive(cls, v):
+    def log_index_positive(cls, v: int) -> int:
         if v < 0:
             raise ValueError(f"Inclusion proof has invalid log index: {v} < 0")
         return v
 
     @validator("tree_size")
-    def tree_size_positive(cls, v):
+    def tree_size_positive(cls, v: int) -> int:
         if v < 0:
             raise ValueError(f"Inclusion proof has invalid tree size: {v} < 0")
         return v
 
     @validator("tree_size")
-    def log_index_within_tree_size(cls, v, values, **kwargs):
+    def log_index_within_tree_size(
+        cls, v: int, values: Dict[str, Any], **kwargs: Any
+    ) -> int:
         if v <= values["log_index"]:
             raise ValueError(
                 "Inclusion proof has log index greater than or equal to tree size: "
diff --git a/sigstore/_internal/set.py b/sigstore/_internal/set.py
@@ -24,7 +24,7 @@
 from cryptography.exceptions import InvalidSignature
 from cryptography.hazmat.primitives import hashes
 from cryptography.hazmat.primitives.serialization import load_pem_public_key
-from securesystemslib.formats import encode_canonical  # type: ignore
+from securesystemslib.formats import encode_canonical
 
 from sigstore._internal.rekor import RekorEntry
 
diff --git a/sigstore/_verify.py b/sigstore/_verify.py
@@ -56,7 +56,7 @@
 class VerificationResult(BaseModel):
     success: bool
 
-    def __bool__(self):
+    def __bool__(self) -> bool:
         return self.success
 
 
