
Enable follow_untyped_imports for ndnkdf and fido_mds #932

Merged
johanlundberg merged 5 commits into main from ylle-fido-mds-typing
Apr 14, 2026

@helylle helylle commented Apr 14, 2026

Enable follow_untyped_imports for ndnkdf and fido_mds

Summary

  • Enable follow_untyped_imports = True in mypy.ini for ndnkdf and fido_mds,
    letting mypy check call sites against inferred types from both libraries
  • Fix real bugs exposed by fido_mds typing in webauthn.py
  • Move test monkey-patch helper to module level to eliminate the typing workaround
  • Remove now-unnecessary cast() in vccs/server/password.py (ndnkdf typing resolved the return type)

Changes

mypy.ini

Added follow_untyped_imports = True for ndnkdf and fido_mds. This makes mypy
follow the libraries' unannotated source and check call sites against inferred types,
surfacing real type mismatches instead of silently accepting Any.

Both entries will be removed once the upstream libraries ship their own type annotations
(python-fido-mds upstream PR pending).

webauthn.py — real bugs fixed

follow_untyped_imports revealed two latent crash paths in get_authenticator_information:

authenticator_id could be None: att.aaguid or att.certificate_key_identifier
produces UUID | str | None if both are None. fido_mds APIs (get_entry, exists,
AuthenticatorInformation) all require UUID | str. Added an early guard:

if authenticator_id is None:
    raise AttestationVerificationError("attestation contains no authenticator id ...")

metadata_entry could be None: fido_mds.get_entry() returns
MetadataEntry | None. Code accessed attributes directly without checking. Added a
guard after the call. Also removed a duplicate att.aaguid or att.certificate_key_identifier
expression in the final return, replacing it with the already-guarded authenticator_id.

test_webauthn.py — monkey-patch to module level

_apple_special_verify_attestation was defined as a method on SecurityWebauthnTests
with self: FidoMetadataStore explicitly typed for monkey-patching. With fido_mds now
typed, mypy flagged the erased-type mismatch ([misc]). Moved to module level — at
module scope self is a plain parameter with no class hierarchy check — and updated
the mocker.patch call site. Also consolidated the mid-file fido_mds imports to the
top of the file.

vccs/server/password.py

Removed cast(str, H2.hex()) — with follow_untyped_imports for ndnkdf, mypy now
correctly infers that H2.hex() returns str.
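
The two guards described for get_authenticator_information, as an added example that is not the project's code or part of this PR. Attestation, MetadataEntry, MetadataStore, the sample UUID and the error messages are hypothetical stand-ins for the real fido_mds and project types; only the identifier names quoted in the description come from the page.

```python
from __future__ import annotations

from dataclasses import dataclass
from uuid import UUID


class AttestationVerificationError(Exception):
    """Stand-in for the error type named in the PR description."""


@dataclass
class Attestation:  # hypothetical stand-in for the parsed attestation object
    aaguid: UUID | None = None
    certificate_key_identifier: str | None = None


@dataclass
class MetadataEntry:  # hypothetical stand-in; the real entry carries more fields
    description: str


class MetadataStore:  # hypothetical stand-in for the fido_mds store
    def __init__(self, entries: dict[UUID | str, MetadataEntry]) -> None:
        self._entries = entries

    def get_entry(self, authenticator_id: UUID | str) -> MetadataEntry | None:
        return self._entries.get(authenticator_id)


def get_authenticator_information(att: Attestation, mds: MetadataStore) -> tuple[UUID | str, str]:
    # `a or b` evaluates to None when both operands are None,
    # so the inferred type is UUID | str | None.
    authenticator_id = att.aaguid or att.certificate_key_identifier
    if authenticator_id is None:
        raise AttestationVerificationError("attestation contains no authenticator id")
    # The lookup is Optional as well; without this guard an unknown id ends in
    # AttributeError instead of a verification failure.
    metadata_entry = mds.get_entry(authenticator_id)
    if metadata_entry is None:
        raise AttestationVerificationError(f"no metadata entry for {authenticator_id}")
    return authenticator_id, metadata_entry.description


# Constructed sample data, not real authenticator metadata.
KNOWN = UUID("00000000-0000-0000-0000-000000000001")
STORE = MetadataStore({KNOWN: MetadataEntry("constructed test authenticator")})
```

Both failure paths end in the verification error type, so a caller that handles AttestationVerificationError rejects the attestation instead of surfacing an unhandled AttributeError or TypeError.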


@helylle helylle marked this pull request as ready for review April 14, 2026 10:00
@johanlundberg johanlundberg merged commit a055249 into main Apr 14, 2026
12 checks passed
@johanlundberg johanlundberg deleted the ylle-fido-mds-typing branch April 14, 2026 12:04