chore: Disallow implicit re-exports of imported values in Python modules

- Set Mypy option `no_implicit_reexport` to `True`. - Fix errors reported by Mypy after the configuration change. From https://mypy.readthedocs.io/en/stable/command_line.html#cmdoption-mypy-no-implicit-reexport: > […] [do] not re-export unless the item is imported using from-as or is included in `__all__`. Ref: https://app.shortcut.com/cordada/story/6589 [sc-6589]
cordada · May 15, 2024 · e6281e6 · e6281e6
1 parent a52a17f
commit e6281e6
Show file tree

Hide file tree

Showing 4 changed files with 17 additions and 5 deletions.
diff --git a/mypy.ini b/mypy.ini
@@ -12,6 +12,7 @@ plugins =
 
 follow_imports = normal
 ignore_missing_imports = False
+no_implicit_reexport = True
 strict_optional = True
 disallow_untyped_defs = True
 check_untyped_defs = True

diff --git a/src/cl_sii/libs/crypto_utils.py b/src/cl_sii/libs/crypto_utils.py
@@ -38,6 +38,11 @@
 
 """
 
+__all__ = [
+    'X509Cert',
+    '_X509CertOpenSsl',
+]
+
 import base64
 from typing import Union
 

diff --git a/src/cl_sii/libs/xml_utils.py b/src/cl_sii/libs/xml_utils.py
@@ -20,6 +20,11 @@
 
 """
 
+__all__ = [
+    'XmlElement',
+    'XmlElementTree',
+]
+
 import io
 import logging
 import os
@@ -354,7 +359,7 @@ def write_xml_doc(xml_doc: XmlElement, output: IO[bytes]) -> None:
 def verify_xml_signature(
     xml_doc: XmlElement,
     trusted_x509_cert: Optional[Union[crypto_utils.X509Cert, crypto_utils._X509CertOpenSsl]] = None,
-    xml_verifier: Optional[signxml.XMLVerifier] = None,
+    xml_verifier: Optional[signxml.verifier.XMLVerifier] = None,
     xml_verifier_supports_multiple_signatures: bool = False,
 ) -> Tuple[bytes, XmlElementTree, XmlElementTree]:
     """
@@ -419,13 +424,13 @@ def verify_xml_signature(
         raise NotImplementedError("XML document with more than one signature is not supported.")
 
     if use_default_xml_verifier:
-        xml_verifier = signxml.XMLVerifier()
+        xml_verifier = signxml.verifier.XMLVerifier()
 
         # Workaround for breaking change in signxml 2.10.0 and 2.10.1:
         # (See https://github.com/XML-Security/signxml/blob/v2.10.1/Changes.rst)
         xml_verifier.excise_empty_xmlns_declarations = True
 
-    if not isinstance(xml_verifier, signxml.XMLVerifier):
+    if not isinstance(xml_verifier, signxml.verifier.XMLVerifier):
         raise TypeError(
             "'xml_verifier' must be an instance of 'signxml.XMLVerifier' or of a subclass of it."
         )
@@ -480,7 +485,7 @@ def verify_xml_signature(
                 digest_algorithms=frozenset([signxml.algorithms.DigestAlgorithm.SHA1]),
             ),
         )
-        assert isinstance(result, signxml.VerifyResult)
+        assert isinstance(result, signxml.verifier.VerifyResult)
 
     except signxml.exceptions.InvalidDigest as exc:
         # warning: catch before 'InvalidSignature' (it is the parent of 'InvalidDigest').

diff --git a/src/cl_sii/rtc/xml_utils.py b/src/cl_sii/rtc/xml_utils.py
@@ -5,6 +5,7 @@
 
 import signxml
 import signxml.util
+import signxml.verifier
 
 from cl_sii.dte.parse import DTE_XMLNS_MAP
 from cl_sii.libs import crypto_utils, xml_utils
@@ -14,7 +15,7 @@
 logger = logging.getLogger(__name__)
 
 
-class AecXMLVerifier(signxml.XMLVerifier):
+class AecXMLVerifier(signxml.verifier.XMLVerifier):
     """
     Custom XML Signature Verifier for AECs.
     """