Add linter

Author: mosquito

.github/workflows/pythonpackage.yml

@@ -10,6 +10,23 @@ env:
   FORCE_COLOR: 1
 
 jobs:
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - name: Setup uv
+        uses: astral-sh/setup-uv@v6
+
+      - name: Install dependencies
+        run: uv sync --frozen
+
+      - name: Run ruff check
+        run: uv run ruff check jwt_rsa tests
+
+      - name: Run ruff format check
+        run: uv run ruff format --check jwt_rsa tests
+
   mypy:
     runs-on: ubuntu-latest
     strategy:

Makefile

@@ -1,7 +1,12 @@
-.PHONY: test tests mypy pytest lint
+.PHONY: test tests mypy pytest lint format
+
+format:
+	uv run --group dev ruff check --fix jwt_rsa tests
+	uv run --group dev ruff format jwt_rsa tests
 
 lint:
 	uv run --group dev ruff check jwt_rsa tests
+	uv run --group dev ruff format --check jwt_rsa tests
 
 mypy:
 	uv run --group dev mypy jwt_rsa

jwt_rsa/cli.py

@@ -15,24 +15,32 @@ class Formatter(argparse.ArgumentDefaultsHelpFormatter, argparse.RawDescriptionH
 
 
 parser = ArgumentParser(formatter_class=Formatter)
+parser.add_argument("-a", "--algorithm", choices=ALGORITHMS, help="Algorithm for JWT keys", default="RS512")
 parser.add_argument(
-    "-a", "--algorithm", choices=ALGORITHMS,
-    help="Algorithm for JWT keys", default="RS512"
-)
-parser.add_argument(
-    "--log-level", choices=["debug", "info", "warning", "error", "critical"],
-    type=lambda x: getattr(logging, x.upper(), logging.INFO), default=logging.INFO,
+    "--log-level",
+    choices=["debug", "info", "warning", "error", "critical"],
+    type=lambda x: getattr(logging, x.upper(), logging.INFO),
+    default=logging.INFO,
 )
 
 subparsers = parser.add_subparsers(dest="command", required=True)
 
 keygen_parser = subparsers.add_parser("keygen", help="Generate a new RSA key pair", formatter_class=Formatter)
 keygen_parser.set_defaults(func=keygen.main)
 keygen_parser.add_argument(
-    "-b", "--bits", dest="bits", type=int, default=2048, choices=[2 ** i for i in range(10, 14)],
+    "-b",
+    "--bits",
+    dest="bits",
+    type=int,
+    default=2048,
+    choices=[2**i for i in range(10, 14)],
 )
 keygen_parser.add_argument(
-    "--kid", dest="kid", type=str, default="", help="Key ID, will be generated if missing",
+    "--kid",
+    dest="kid",
+    type=str,
+    default="",
+    help="Key ID, will be generated if missing",
 )
 keygen_parser.add_argument("-u", "--use", dest="use", type=str, default="sig", choices=["sig", "enc"])
 keygen_parser.add_argument("-o", "--format", choices=["pem", "jwk", "base64"], default="jwk")
@@ -69,23 +77,28 @@ class Formatter(argparse.ArgumentDefaultsHelpFormatter, argparse.RawDescriptionH
     " * 'y' means years\n"
 )
 issue_parser = subparsers.add_parser(
-    "issue",
-    help="Issue a new JWT token\n",
-    description=ISSUE_PARSER_DESCRIPTION,
-    formatter_class=Formatter
+    "issue", help="Issue a new JWT token\n", description=ISSUE_PARSER_DESCRIPTION, formatter_class=Formatter
 )
 issue_parser.add_argument(
-    "-K", "--private-key", required=True,
-    help="Private JWT key", type=Path,
+    "-K",
+    "--private-key",
+    required=True,
+    help="Private JWT key",
+    type=Path,
 )
 issue_parser.add_argument("--expired", help="Token expiration", type=parse_interval, default="+1M")
 issue_parser.add_argument("--nbf", help="Token nbf claim", type=parse_interval, default="-1m")
 issue_parser.add_argument(
-    "-I", "--no-interactive", action="store_false", dest="interactive",
+    "-I",
+    "--no-interactive",
+    action="store_false",
+    dest="interactive",
     help="No interactive mode, do not open editor for claims, just read JSON from stdin",
 )
 issue_parser.add_argument(
-    "-e", "--editor", help="Editor to use in interactive mode",
+    "-e",
+    "--editor",
+    help="Editor to use in interactive mode",
     default=os.getenv("EDITOR", "vim"),
 )
 issue_parser.set_defaults(func=issue.main)
@@ -96,7 +109,10 @@ class Formatter(argparse.ArgumentDefaultsHelpFormatter, argparse.RawDescriptionH
 verify_parser.add_argument("-k", "--public-key", required=False, help="Public key", type=Path)
 verify_parser.add_argument("-V", "--no-verify", action="store_false", help="No verify signature", dest="verify")
 verify_parser.add_argument(
-    "-I", "--no-interactive", action="store_false", dest="interactive",
+    "-I",
+    "--no-interactive",
+    action="store_false",
+    dest="interactive",
     help="Interactive mode or raw read token from stdin",
 )
 verify_parser.set_defaults(func=verify.main)

jwt_rsa/convert.py

@@ -19,9 +19,11 @@ def generate_kid(key: RSAPrivateKey) -> str:
 
 
 def convert(
-    private: RSAPrivateKey, public: RSAPublicKey,
+    private: RSAPrivateKey,
+    public: RSAPublicKey,
     fmt: Literal["pem", "jwk", "base64"],
-    pretty: bool = False, algorithm: AlgorithmType = "RS512",
+    pretty: bool = False,
+    algorithm: AlgorithmType = "RS512",
 ) -> tuple[str, str]:
     if fmt == "pem":
         return (

jwt_rsa/issue.py

@@ -96,7 +96,7 @@ def main(arguments: SimpleNamespace) -> None:
         load_private_key(arguments.private_key),
         expires=arguments.expired,
         nbf_delta=-arguments.nbf,
-        algorithm=arguments.algorithm
+        algorithm=arguments.algorithm,
     )
 
     whoami = pwd.getpwuid(os.getuid())
@@ -124,7 +124,8 @@ def main(arguments: SimpleNamespace) -> None:
         with NamedTemporaryFile("wt", suffix=".py") as fp:
             if arguments.interactive:
                 fp.write(
-                    TEMPLATE % {
+                    TEMPLATE
+                    % {
                         "exp": arguments.expired,
                         "nbf": arguments.nbf,
                         "preamble": preable,

jwt_rsa/jwks.py

@@ -43,7 +43,7 @@ def parse_jwk(self, jwk: dict[str, Any]) -> dict[str, RSAPublicKey]:
             if loaded_key is None:
                 log.warning("Skipping JWK key: %s", key)
                 continue
-            keys[jwk['kid']] = loaded_key
+            keys[jwk["kid"]] = loaded_key
         return keys
 
     @abstractmethod
@@ -58,10 +58,10 @@ def decoder(self, kid: str) -> JWTDecoder:
 
     def decode(self, token: str) -> dict[str, Any]:
         header = self.jws.get_unverified_header(token)
-        if 'kid' not in header:
+        if "kid" not in header:
             raise ValueError("Token does not contain 'kid' header")
 
-        decoder = self.decoder(header['kid'])
+        decoder = self.decoder(header["kid"])
         return decoder.decode(token)
 
 
@@ -74,11 +74,7 @@ def __init__(self, url: str, *, ssl_context: ssl.SSLContext | None = None, **kwa
 
     def refresh(self) -> None:
         url_parts = urlparse(self.url)
-        host, port = (
-            url_parts.netloc.split(":")
-            if ":" in url_parts.netloc
-            else (url_parts.netloc, 443)
-        )
+        host, port = url_parts.netloc.split(":") if ":" in url_parts.netloc else (url_parts.netloc, 443)
         with closing(self.CLIENT_CLASS(host, int(port), context=self.ssl_context)) as client:
             client.request("GET", url_parts.path)
             response = client.getresponse()
@@ -91,6 +87,7 @@ def refresh(self) -> None:
 
 def main(args: argparse.Namespace) -> None:
     from .rsa import rsa_to_jwk
+
     fetcher = HTTPSJWKFetcher(args.url)
     fetcher.refresh()
 

jwt_rsa/rsa.py

@@ -98,7 +98,7 @@ def load_jwk(jwk: RSAJWKPublicKey | RSAJWKPrivateKey | str) -> JWKKeyPair:
         jwk_dict = jwk
 
     if "d" in jwk_dict:  # Private key
-        private_key = load_jwk_private_key(jwk_dict)    # type: ignore
+        private_key = load_jwk_private_key(jwk_dict)  # type: ignore
         public_key = private_key.public_key()
     else:  # Public key
         public_key = load_jwk_public_key(jwk_dict)
@@ -108,20 +108,32 @@ def load_jwk(jwk: RSAJWKPublicKey | RSAJWKPrivateKey | str) -> JWKKeyPair:
 
 
 def int_to_base64url(value: int) -> str:
-    return base64.urlsafe_b64encode(
-        value.to_bytes((value.bit_length() + 7) // 8, byteorder="big"),
-    ).rstrip(b"=").decode("ascii")
+    return (
+        base64.urlsafe_b64encode(
+            value.to_bytes((value.bit_length() + 7) // 8, byteorder="big"),
+        )
+        .rstrip(b"=")
+        .decode("ascii")
+    )
 
 
 @overload
 def rsa_to_jwk(
-    key: RSAPublicKey, *, kid: str = "", alg: AlgorithmType = "RS256", use: str = "sig",
+    key: RSAPublicKey,
+    *,
+    kid: str = "",
+    alg: AlgorithmType = "RS256",
+    use: str = "sig",
 ) -> RSAJWKPublicKey: ...
 
 
 @overload
 def rsa_to_jwk(
-    key: RSAPrivateKey, *, kid: str = "", alg: AlgorithmType = "RS256", use: str = "sig",
+    key: RSAPrivateKey,
+    *,
+    kid: str = "",
+    alg: AlgorithmType = "RS256",
+    use: str = "sig",
 ) -> RSAJWKPrivateKey: ...
 
 

jwt_rsa/token.py

@@ -51,7 +51,8 @@ class JWTDecoder:
     def __init__(
         self,
         key: RSAPublicKey,
-        *, options: OptionsType | None = None,
+        *,
+        options: OptionsType | None = None,
         expires: int | float = DEFAULT_EXPIRATION,
         nbf_delta: int | float = NBF_DELTA,
         algorithm: AlgorithmType = "RS512",
@@ -66,8 +67,11 @@ def __init__(
 
     def decode(self, token: str, verify: bool = True, **kwargs: Any) -> dict[str, Any]:
         return self.jwt.decode(
-            token, key=self.public_key, verify=verify,
-            algorithms=list(self.algorithms), **kwargs,
+            token,
+            key=self.public_key,
+            verify=verify,
+            algorithms=list(self.algorithms),
+            **kwargs,
         )
 
 
@@ -84,7 +88,7 @@ def encode(
         expired: DateType | EllipsisType = ...,
         nbf: DateType | EllipsisType = ...,
         headers: dict[str, Any] | None = None,
-        **claims: Any
+        **claims: Any,
     ) -> str:
         claims.setdefault("exp", int(date_to_timestamp(expired, lambda: time.time() + self.expires)))
         claims.setdefault("nbf", int(date_to_timestamp(nbf, lambda: time.time() - self.nbf_delta, timedelta_func=sub)))
@@ -93,7 +97,8 @@ def encode(
 
 @overload
 def JWT(
-    key: RSAPrivateKey, *,
+    key: RSAPrivateKey,
+    *,
     options: OptionsType | None = None,
     expires: int | float = DEFAULT_EXPIRATION,
     nbf_delta: int | float = NBF_DELTA,
@@ -104,7 +109,8 @@ def JWT(
 
 @overload
 def JWT(
-    key: RSAPublicKey, *,
+    key: RSAPublicKey,
+    *,
     options: OptionsType | None = None,
     expires: int | float = DEFAULT_EXPIRATION,
     nbf_delta: int | float = NBF_DELTA,

tests/test_cli.py

@@ -56,13 +56,13 @@ def test_pem_format(capsys):
 
     stdout, stderr = capsys.readouterr()
 
-    public_bytes, private_bytes = [
-        x.strip().encode() for x in stdout.split("\n\n", 1)
-    ]
+    public_bytes, private_bytes = [x.strip().encode() for x in stdout.split("\n\n", 1)]
 
     public = serialization.load_pem_public_key(public_bytes, default_backend())
     private = serialization.load_pem_private_key(
-        private_bytes, None, default_backend(),
+        private_bytes,
+        None,
+        default_backend(),
     )
 
     payload = os.urandom(1024 * 16)
@@ -92,10 +92,17 @@ def test_keygen_no_force(capsys, tmp_path):
     public_path = tmp_path / "public.pem"
 
     keygen(
-        parser.parse_args([
-            "keygen", "-o", "pem",
-            "-K", str(private_path), "-k", str(public_path),
-        ]),
+        parser.parse_args(
+            [
+                "keygen",
+                "-o",
+                "pem",
+                "-K",
+                str(private_path),
+                "-k",
+                str(public_path),
+            ]
+        ),
     )
 
     assert private_path.exists()
@@ -109,20 +116,35 @@ def test_keygen_no_force(capsys, tmp_path):
 
     # Try to generate keys again buy don't overwrite existing
     keygen(
-        parser.parse_args([
-            "keygen", "-o", "pem",
-            "-K", str(private_path), "-k", str(public_path),
-        ]),
+        parser.parse_args(
+            [
+                "keygen",
+                "-o",
+                "pem",
+                "-K",
+                str(private_path),
+                "-k",
+                str(public_path),
+            ]
+        ),
     )
 
     assert public_content == public_path.read_text()
     assert private_content == private_path.read_text()
 
     keygen(
-        parser.parse_args([
-            "keygen", "-o", "pem", "-f",
-            "-K", str(private_path), "-k", str(public_path),
-        ]),
+        parser.parse_args(
+            [
+                "keygen",
+                "-o",
+                "pem",
+                "-f",
+                "-K",
+                str(private_path),
+                "-k",
+                str(public_path),
+            ]
+        ),
     )
 
     assert public_content != public_path.read_text()