deprecate signer/verifier on asymmetric keys

[reaperhulk]

fixes #3659

[mention-bot]

@reaperhulk, thanks for your PR! By analyzing the history of the files in this pull request, we identified @alex, @public and @gorisaka to be potential reviewers.

[alex]

Drop this assigment, we already have a public_key

[alex]

same

[alex]

once more, with feelign!

[alex]

Is there a reason not to use the same PersistentlyDeprecated class, or is your expectation that we'll migrate to them once this switches from Pending to regular?

[reaperhulk]

My main thinking was that it's useful to know at what point we persistently deprecated something. By grouping the persistent deprecations we have to look at the repository history or changelog to know how long it's been. Having written those words I think I'm going to just use PersistentlyDeprecated though, because looking at the changelog is not a burden.

[reaperhulk]

I don't know how to write a test that catches this deprecation warning actually. It happens once and then is suppressed after that, but we also run a random test order job so we can't introduce an order dependent test. warnings.simplefilter("always", PendingDeprecationWarning) doesn't appear to work either. I assume I'm missing something -- ideas?

[alex]

I'm very confused, I would have expected the code as written to work.

[reaperhulk]

I can't reproduce this except in our tests (which I got down to two calls to signer). I have no idea what's going on.

[alex]

Meaning if you copy the tests out of our overall suite, into it's own suite, you still can't reproduce?

[reaperhulk]

This reproduces it in its own file:

import pytest

from cryptography.hazmat.backends.openssl.backend import backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def test_signer_deprecated():
    private_key = rsa.generate_private_key(65537, 512, backend)
    private_key.signer(
        padding.PKCS1v15(),
        hashes.SHA1()
    )


def test_signer_check_deprecated():
    private_key = rsa.generate_private_key(65537, 512, backend)
    with pytest.deprecated_call():
        private_key.signer(
            padding.PKCS1v15(),
            hashes.SHA1()
        )

[reaperhulk]

Notably if you put the contextmanager around the first call then it all works.

[alex]

Interesting! And what happens if you replace .signer() with just a function that does nothing but call warnings.warn?

[reaperhulk]

It works then:

import warnings

import pytest

from cryptography.hazmat.backends.openssl.backend import backend
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa


def warn_me():
    warnings.warn("deprecated", PendingDeprecationWarning, stacklevel=2)


def test_signer_deprecated():
    private_key = rsa.generate_private_key(65537, 512, backend)
    private_key.signer(
        padding.PKCS1v15(),
        hashes.SHA1()
    )


def test_signer_check_deprecated():
    private_key = rsa.generate_private_key(65537, 512, backend)
    with pytest.deprecated_call():
        private_key.signer(
            padding.PKCS1v15(),
            hashes.SHA1()
        )


def test_warn_me():
    warn_me()


def test_warn_me_check_deprecated():
    with pytest.deprecated_call():
        warn_me()

So the output of that set of tests is: .F..

[alex]

wat.

Does this mean that somewhere in the test suite there's a signer or verifier call that isn't marked as deprecated_call?

[reaperhulk]

There's a ton of those actually (we call signer/verifier...a lot). But here's a minimal reproducer!

import warnings

import pytest


def warn_me():
    warnings.warn("deprecated", PendingDeprecationWarning, stacklevel=2)


def i_call_warn_me():
    warn_me()


def test_warn_me():
    i_call_warn_me()


def test_warn_me_check_deprecated():
    with pytest.deprecated_call():
        i_call_warn_me()

[alex]

So.... wtf. File a pytest bug I guess?

[reaperhulk]

pytest-dev/pytest#2469