pyca · reaperhulk · Jun 23, 2023 · Jun 22, 2023
diff --git a/pyproject.toml b/pyproject.toml
@@ -138,7 +138,7 @@ exclude_lines = [
 # UP006: Minimum Python 3.9
 # UP007, UP038: Minimum Python 3.10
 ignore = ['N818', 'UP006', 'UP007', 'UP038']
-select = ['E', 'F', 'I', 'N', 'W', 'UP']
+select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF']
 line-length = 79
 
 [tool.ruff.isort]

diff --git a/setup.py b/setup.py
@@ -58,7 +58,7 @@
             )
         ],
     )
-except:  # noqa: E722
+except:
     # Note: This is a bare exception that re-raises so that we don't interfere
     # with anything the installation machinery might want to do. Because we
     # print this for any exception this msg can appear (e.g. in verbose logs)

diff --git a/src/cryptography/hazmat/backends/openssl/backend.py b/src/cryptography/hazmat/backends/openssl/backend.py
@@ -96,7 +96,7 @@ class Backend:
     # disallowed algorithms are still present in OpenSSL. They just error if
     # you try to use them. To avoid that we allowlist the algorithms in
     # FIPS 140-3. This isn't ideal, but FIPS 140-3 is trash so here we are.
-    _fips_aead = {
+    _fips_aead: typing.ClassVar[typing.Set[bytes]] = {
         b"aes-128-ccm",
         b"aes-192-ccm",
         b"aes-256-ccm",

diff --git a/src/cryptography/hazmat/primitives/serialization/pkcs7.py b/src/cryptography/hazmat/primitives/serialization/pkcs7.py
@@ -111,7 +111,7 @@ def add_signer(
 
         return PKCS7SignatureBuilder(
             self._data,
-            self._signers + [(certificate, private_key, hash_algorithm)],
+            [*self._signers, (certificate, private_key, hash_algorithm)],
         )
 
     def add_certificate(
@@ -121,7 +121,7 @@ def add_certificate(
             raise TypeError("certificate must be a x509.Certificate")
 
         return PKCS7SignatureBuilder(
-            self._data, self._signers, self._additional_certs + [certificate]
+            self._data, self._signers, [*self._additional_certs, certificate]
         )
 
     def sign(

diff --git a/src/cryptography/hazmat/primitives/serialization/ssh.py b/src/cryptography/hazmat/primitives/serialization/ssh.py
@@ -1356,7 +1356,7 @@ def add_critical_option(
             _valid_for_all_principals=self._valid_for_all_principals,
             _valid_before=self._valid_before,
             _valid_after=self._valid_after,
-            _critical_options=self._critical_options + [(name, value)],
+            _critical_options=[*self._critical_options, (name, value)],
             _extensions=self._extensions,
         )
 
@@ -1379,7 +1379,7 @@ def add_extension(
             _valid_before=self._valid_before,
             _valid_after=self._valid_after,
             _critical_options=self._critical_options,
-            _extensions=self._extensions + [(name, value)],
+            _extensions=[*self._extensions, (name, value)],
         )
 
     def sign(self, private_key: SSHCertPrivateKeyTypes) -> SSHCertificate:

diff --git a/src/cryptography/utils.py b/src/cryptography/utils.py
@@ -85,7 +85,7 @@ def __delattr__(self, attr: str) -> None:
         delattr(self._module, attr)
 
     def __dir__(self) -> typing.Sequence[str]:
-        return ["_module"] + dir(self._module)
+        return ["_module", *dir(self._module)]
 
 
 def deprecated(

diff --git a/src/cryptography/x509/base.py b/src/cryptography/x509/base.py
@@ -664,7 +664,7 @@ def add_extension(
 
         return CertificateSigningRequestBuilder(
             self._subject_name,
-            self._extensions + [extension],
+            [*self._extensions, extension],
             self._attributes,
         )
 
@@ -697,7 +697,7 @@ def add_attribute(
         return CertificateSigningRequestBuilder(
             self._subject_name,
             self._extensions,
-            self._attributes + [(oid, value, tag)],
+            [*self._attributes, (oid, value, tag)],
         )
 
     def sign(
@@ -916,7 +916,7 @@ def add_extension(
             self._serial_number,
             self._not_valid_before,
             self._not_valid_after,
-            self._extensions + [extension],
+            [*self._extensions, extension],
         )
 
     def sign(
@@ -1057,7 +1057,7 @@ def add_extension(
             self._issuer_name,
             self._last_update,
             self._next_update,
-            self._extensions + [extension],
+            [*self._extensions, extension],
             self._revoked_certificates,
         )
 
@@ -1075,7 +1075,7 @@ def add_revoked_certificate(
             self._last_update,
             self._next_update,
             self._extensions,
-            self._revoked_certificates + [revoked_certificate],
+            [*self._revoked_certificates, revoked_certificate],
         )
 
     def sign(
@@ -1152,7 +1152,7 @@ def add_extension(
         return RevokedCertificateBuilder(
             self._serial_number,
             self._revocation_date,
-            self._extensions + [extension],
+            [*self._extensions, extension],
         )
 
     def build(self, backend: typing.Any = None) -> RevokedCertificate:

diff --git a/src/cryptography/x509/ocsp.py b/src/cryptography/x509/ocsp.py
@@ -478,7 +478,7 @@ def add_extension(
         _reject_duplicate_extension(extension, self._extensions)
 
         return OCSPRequestBuilder(
-            self._request, self._request_hash, self._extensions + [extension]
+            self._request, self._request_hash, [*self._extensions, extension]
         )
 
     def build(self) -> OCSPRequest:
@@ -583,7 +583,7 @@ def add_extension(
             self._response,
             self._responder_id,
             self._certs,
-            self._extensions + [extension],
+            [*self._extensions, extension],
         )
 
     def sign(

diff --git a/tests/hazmat/backends/test_openssl_memleak.py b/tests/hazmat/backends/test_openssl_memleak.py
@@ -172,11 +172,7 @@ def assert_no_memory_leaks(s, argv=[]):
     env.pop("COV_CORE_DATAFILE", None)
     env.pop("COV_CORE_SOURCE", None)
 
-    argv = [
-        sys.executable,
-        "-c",
-        f"{s}\n\n{MEMORY_LEAK_SCRIPT}",
-    ] + argv
+    argv = [sys.executable, "-c", f"{s}\n\n{MEMORY_LEAK_SCRIPT}", *argv]
     # Shell out to a fresh Python process because OpenSSL does not allow you to
     # install new memory hooks after the first malloc/free occurs.
     proc = subprocess.Popen(

diff --git a/tests/hazmat/primitives/test_aead.py b/tests/hazmat/primitives/test_aead.py
@@ -696,7 +696,7 @@ def test_vectors_invalid(self, backend, subtests):
                     badkey = AESSIV(AESSIV.generate_key(256))
                     badkey.decrypt(ct, aad)
                 with pytest.raises(InvalidTag):
-                    aessiv.decrypt(ct, aad + [b""])
+                    aessiv.decrypt(ct, [*aad, b""])
                 with pytest.raises(InvalidTag):
                     aessiv.decrypt(ct, [b"nonsense"])
                 with pytest.raises(InvalidTag):

diff --git a/tests/hazmat/primitives/test_dh.py b/tests/hazmat/primitives/test_dh.py
@@ -932,9 +932,7 @@ def test_public_bytes_values(
                 serialization.PublicFormat.SubjectPublicKeyInfo,
             ),
             (serialization.Encoding.Raw, serialization.PublicFormat.PKCS1),
-        ]
-        + list(
-            itertools.product(
+            *itertools.product(
                 [
                     serialization.Encoding.Raw,
                     serialization.Encoding.X962,
@@ -946,8 +944,8 @@ def test_public_bytes_values(
                     serialization.PublicFormat.UncompressedPoint,
                     serialization.PublicFormat.CompressedPoint,
                 ],
-            )
-        ),
+            ),
+        ],
     )
     def test_public_bytes_rejects_invalid(self, encoding, fmt, backend):
         parameters = FFDH3072_P.parameters(backend)

diff --git a/tests/hazmat/primitives/test_dsa.py b/tests/hazmat/primitives/test_dsa.py
@@ -988,9 +988,7 @@ def test_public_bytes_pkcs1_unsupported(self, backend):
                 serialization.PublicFormat.SubjectPublicKeyInfo,
             ),
             (serialization.Encoding.Raw, serialization.PublicFormat.PKCS1),
-        ]
-        + list(
-            itertools.product(
+            *itertools.product(
                 [
                     serialization.Encoding.Raw,
                     serialization.Encoding.X962,
@@ -1002,8 +1000,8 @@ def test_public_bytes_pkcs1_unsupported(self, backend):
                     serialization.PublicFormat.UncompressedPoint,
                     serialization.PublicFormat.CompressedPoint,
                 ],
-            )
-        ),
+            ),
+        ],
     )
     def test_public_bytes_rejects_invalid(self, encoding, fmt, backend):
         key = DSA_KEY_2048.private_key(backend).public_key()

diff --git a/tests/hazmat/primitives/test_pkcs12.py b/tests/hazmat/primitives/test_pkcs12.py
@@ -796,11 +796,11 @@ def test_certificate_repr(self, backend):
         cert = _load_cert(backend, os.path.join("x509", "cryptography.io.pem"))
         assert (
             repr(PKCS12Certificate(cert, None))
-            == f"<PKCS12Certificate({repr(cert)}, friendly_name=None)>"
+            == f"<PKCS12Certificate({cert!r}, friendly_name=None)>"
         )
         assert (
             repr(PKCS12Certificate(cert, b"a"))
-            == f"<PKCS12Certificate({repr(cert)}, friendly_name=b'a')>"
+            == f"<PKCS12Certificate({cert!r}, friendly_name=b'a')>"
         )
 
     def test_key_and_certificates_constructor(self, backend):

diff --git a/tests/hazmat/primitives/test_rsa.py b/tests/hazmat/primitives/test_rsa.py
@@ -2740,9 +2740,7 @@ def test_public_bytes_invalid_format(
                 serialization.PublicFormat.SubjectPublicKeyInfo,
             ),
             (serialization.Encoding.Raw, serialization.PublicFormat.PKCS1),
-        ]
-        + list(
-            itertools.product(
+            *itertools.product(
                 [
                     serialization.Encoding.Raw,
                     serialization.Encoding.X962,
@@ -2754,8 +2752,8 @@ def test_public_bytes_invalid_format(
                     serialization.PublicFormat.UncompressedPoint,
                     serialization.PublicFormat.CompressedPoint,
                 ],
-            )
-        ),
+            ),
+        ],
     )
     def test_public_bytes_rejects_invalid(
         self, rsa_key_2048: rsa.RSAPrivateKey, encoding, fmt, backend

diff --git a/tests/hazmat/primitives/test_ssh.py b/tests/hazmat/primitives/test_ssh.py
@@ -404,12 +404,12 @@ def make_file(
             priv_type = pub_type
 
         pub = ssh._FragList()
-        for elem in (pub_type,) + pub_fields:
+        for elem in (pub_type, *pub_fields):
             pub.put_sshstr(elem)
 
         secret = ssh._FragList([checkval1, checkval2])
         for i in range(nkeys):
-            for elem in (priv_type,) + priv_fields + (comment,):
+            for elem in (priv_type, *priv_fields, comment):
                 secret.put_sshstr(elem)
 
         if pad is None:

diff --git a/tests/hazmat/primitives/test_x963_vectors.py b/tests/hazmat/primitives/test_x963_vectors.py
@@ -26,7 +26,9 @@ def _skip_hashfn_unsupported(backend, hashfn):
 
 
 class TestX963:
-    _algorithms_dict: typing.Dict[str, typing.Type[hashes.HashAlgorithm]] = {
+    _algorithms_dict: typing.ClassVar[
+        typing.Dict[str, typing.Type[hashes.HashAlgorithm]]
+    ] = {
         "SHA-1": hashes.SHA1,
         "SHA-224": hashes.SHA224,
         "SHA-256": hashes.SHA256,

diff --git a/tests/x509/test_x509.py b/tests/x509/test_x509.py
@@ -5437,7 +5437,9 @@ def test_bad_time_in_validity(self, backend):
 
 
 class TestNameAttribute:
-    EXPECTED_TYPES = [
+    EXPECTED_TYPES: typing.ClassVar[
+        typing.List[typing.Tuple[x509.ObjectIdentifier, _ASN1Type]]
+    ] = [
         (NameOID.COMMON_NAME, _ASN1Type.UTF8String),
         (NameOID.COUNTRY_NAME, _ASN1Type.PrintableString),
         (NameOID.LOCALITY_NAME, _ASN1Type.UTF8String),