PYCO-93: Fix lint findings

anirudhlakhotia · anirudhlakhotia · commit 5169aafcc3bd · 2026-05-12T22:36:44.000+05:30
Changes
-------
* Replaces two `assert self._cert_path is not None` lines in
  Credential with explicit if-raise guards, since `python -O`
  strips asserts and bandit B101 flags them.
* Wraps the dispatched-header lookup in the test helper with
  str() so mypy stops returning Any from the str-typed function.
* Adds `[mypy-cryptography.*] ignore_missing_imports = True` to
  mypy.ini. The cryptography package doesn't ship stubs for the
  pkcs12 / serialization namespace.
* Adds `# type: ignore[import-not-found]` to `import tomli` in
  couchbase_analytics_version.py, matching the existing ignore on
  `import tomli_w` two lines below. The pre-commit mypy hook runs
  in an isolated env that doesn't include tomli.
diff --git a/acouchbase_analytics/tests/credential_t.py b/acouchbase_analytics/tests/credential_t.py
@@ -103,7 +103,7 @@ def _authorization_header(client: Any) -> str:
     req = Request('POST', request_url)
     flow = auth.auth_flow(req)
     dispatched = next(flow)
-    return dispatched.headers.get('Authorization', '')
+    return str(dispatched.headers.get('Authorization', ''))
 
 
 class CredentialTestSuite:
diff --git a/couchbase_analytics/common/credential.py b/couchbase_analytics/common/credential.py
@@ -275,15 +275,18 @@ def _apply_to_ssl_context(self, ctx: ssl.SSLContext) -> None:
         # No-op for password/JWT credentials.
         if self._kind != 'cert':
             return
-        assert self._cert_path is not None  # for mypy; set in _init_certificate
+        cert_path = self._cert_path
+        if cert_path is None:
+            # Unreachable: _init_certificate always sets _cert_path when _kind=='cert'.
+            raise RuntimeError('_cert_path is unset for a cert credential.')
         if self._key_path is None:
             # PKCS#12 bundle: cert_path holds the .p12 file.
             self._load_pkcs12_into_context(ctx)
             return
         # PEM cert + PEM key.  password is forwarded to OpenSSL so it can
         # decrypt the key file if it's encrypted; ignored for plain keys.
         ctx.load_cert_chain(
-            certfile=self._cert_path,
+            certfile=cert_path,
             keyfile=self._key_path,
             password=self._cert_password,
         )
@@ -296,18 +299,21 @@ def _load_pkcs12_into_context(self, ctx: ssl.SSLContext) -> None:
             pkcs12,
         )
 
-        assert self._cert_path is not None  # for mypy; set in _init_certificate
-        with open(self._cert_path, 'rb') as f:
+        cert_path = self._cert_path
+        if cert_path is None:
+            # Unreachable: _init_certificate always sets _cert_path when _kind=='cert'.
+            raise RuntimeError('_cert_path is unset for a PKCS#12 credential.')
+        with open(cert_path, 'rb') as f:
             data = f.read()
         password_bytes = self._cert_password.encode('utf-8') if self._cert_password is not None else None
         try:
             key, cert, additional_certs = pkcs12.load_key_and_certificates(data, password_bytes)
         except ValueError as e:
             # cryptography raises ValueError for both wrong password and malformed
             # input.  Wrap with the path so the cluster log identifies which file.
-            raise ValueError(f'Failed to load PKCS#12 file at {self._cert_path}: {e}') from e
+            raise ValueError(f'Failed to load PKCS#12 file at {cert_path}: {e}') from e
         if key is None or cert is None:
-            raise ValueError(f'PKCS#12 file at {self._cert_path} does not contain a private key + certificate pair.')
+            raise ValueError(f'PKCS#12 file at {cert_path} does not contain a private key + certificate pair.')
 
         # ssl.SSLContext.load_cert_chain only accepts file paths, so we write
         # the chain plus the decrypted key into a single PEM tempfile, hand
diff --git a/couchbase_analytics/tests/credential_t.py b/couchbase_analytics/tests/credential_t.py
@@ -103,7 +103,7 @@ def _authorization_header(client: Any) -> str:
     req = Request('POST', request_url)
     flow = auth.auth_flow(req)
     dispatched = next(flow)
-    return dispatched.headers.get('Authorization', '')
+    return str(dispatched.headers.get('Authorization', ''))
 
 
 class CredentialTestSuite:
diff --git a/couchbase_analytics_version.py b/couchbase_analytics_version.py
@@ -193,7 +193,7 @@ def gen_version(
 
 # uv does not support a dynamic project version (yet), this is a workaround in the interim
 def update_pyproject_version(pyproject_path: str, new_version: str) -> bool:
-    import tomli
+    import tomli  # type: ignore[import-not-found,unused-ignore]
     import tomli_w  # type: ignore[import-not-found]
 
     if not os.path.exists(pyproject_path):
diff --git a/mypy.ini b/mypy.ini
@@ -6,6 +6,9 @@ exclude = (?x)(
     | tests/utils/
     )
 
+[mypy-cryptography.*]
+ignore_missing_imports = True
+
 [mypy-ijson.*]
 ignore_missing_imports = True
 
diff --git a/requirements.txt b/requirements.txt
@@ -26,9 +26,7 @@ idna==3.10
     #   httpx
 ijson==3.4.0
     # via -r requirements.in
-pycparser==2.23 ; python_full_version < '3.10' and implementation_name != 'PyPy' and platform_python_implementation != 'PyPy'
-    # via cffi
-pycparser==3.0 ; python_full_version >= '3.10' and implementation_name != 'PyPy' and platform_python_implementation != 'PyPy'
+pycparser==3.0 ; implementation_name != 'PyPy' and platform_python_implementation != 'PyPy'
     # via cffi
 sniffio==1.3.1
     # via
diff --git a/uv.lock b/uv.lock

Original file line number	Diff line number	Diff line change
`@@ -6,6 +6,9 @@ exclude = (?x)(`
`6`	`6`	`\| tests/utils/`
`7`	`7`	`)`
`8`	`8`
	`9`	`+[mypy-cryptography.*]`
	`10`	`+ignore_missing_imports = True`
	`11`	`+`
`9`	`12`	`[mypy-ijson.*]`
`10`	`13`	`ignore_missing_imports = True`
`11`	`14`