build(deps): bump the pinned-test-dependencies group across 2 directories with 2 updates (#499)

* build(deps): bump the pinned-test-dependencies group across 2 directories with 2 updates

Bumps the pinned-test-dependencies group with 2 updates in the /repo directory: [mypy](https://github.com/python/mypy) and [ruff](https://github.com/astral-sh/ruff).
Bumps the pinned-test-dependencies group with 2 updates in the /signer directory: [mypy](https://github.com/python/mypy) and [ruff](https://github.com/astral-sh/ruff).


Updates `mypy` from 1.13.0 to 1.14.1
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.13.0...v1.14.1)

Updates `ruff` from 0.8.3 to 0.8.4
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.8.3...0.8.4)

Updates `mypy` from 1.13.0 to 1.14.1
- [Changelog](https://github.com/python/mypy/blob/master/CHANGELOG.md)
- [Commits](python/mypy@v1.13.0...v1.14.1)

Updates `ruff` from 0.8.3 to 0.8.4
- [Release notes](https://github.com/astral-sh/ruff/releases)
- [Changelog](https://github.com/astral-sh/ruff/blob/main/CHANGELOG.md)
- [Commits](astral-sh/ruff@0.8.3...0.8.4)

---
updated-dependencies:
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pinned-test-dependencies
- dependency-name: ruff
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: pinned-test-dependencies
- dependency-name: mypy
  dependency-type: direct:production
  update-type: version-update:semver-minor
  dependency-group: pinned-test-dependencies
- dependency-name: ruff
  dependency-type: direct:production
  update-type: version-update:semver-patch
  dependency-group: pinned-test-dependencies
...

Signed-off-by: dependabot[bot] <[email protected]>

* signer: Fix typing issue in User class

User.pykcs11lib cannot be None (not after initialization): make that
visible to static analyzers by tweaking the code.

Also add a test for the pykcs11lib probing.

---------

Signed-off-by: dependabot[bot] <[email protected]>
Co-authored-by: dependabot[bot] <49699333+dependabot[bot]@users.noreply.github.com>
Co-authored-by: Jussi Kukkonen <[email protected]>

Author: dependabot[bot]

repo/pyproject.toml

@@ -29,8 +29,8 @@ tuf-on-ci-update-targets = "tuf_on_ci:update_targets"
 
 [project.optional-dependencies]
 lint = [
-  "mypy == 1.13.0",
-  "ruff == 0.8.3",
+  "mypy == 1.14.1",
+  "ruff == 0.8.4",
 ]
 
 [tool.hatch.version]

signer/pyproject.toml

@@ -23,8 +23,8 @@ tuf-on-ci-sign = "tuf_on_ci_sign:sign"
 
 [project.optional-dependencies]
 lint = [
-  "mypy == 1.13.0",
-  "ruff == 0.8.3",
+  "mypy == 1.14.1",
+  "ruff == 0.8.4",
 ]
 
 [tool.hatch.version]

signer/test/test_user.py

@@ -1,17 +1,25 @@
 import os
+import platform
 import unittest
 from tempfile import TemporaryDirectory
 
 import click
 from securesystemslib.signer import HSMSigner, SSlibKey
 
+from tuf_on_ci_sign import _user
 from tuf_on_ci_sign._user import User
 
 # Long lines are ok here
 # ruff: noqa: E501
-
 REQUIRED = """
 [settings]
+user-name = @signer
+push-remote = origin
+pull-remote = myremote
+"""
+
+WITH_PYKCS11LIB = """
+[settings]
 pykcs11lib = /usr/lib/x86_64-linux-gnu/libykcs11.so
 user-name = @signer
 push-remote = origin
@@ -71,7 +79,7 @@ def test_required(self):
         with TemporaryDirectory() as tempdir:
             inifile = os.path.join(tempdir, ".tuf-on-ci-sign.ini")
             with open(inifile, "w") as f:
-                f.write(REQUIRED)
+                f.write(WITH_PYKCS11LIB)
 
             user = User(inifile)
             self.assertEqual(user.name, "@signer")
@@ -90,6 +98,29 @@ def test_required(self):
             with self.assertRaises(click.ClickException):
                 user = User(inifile)
 
+    def test_pkcs_prober(self):
+        with TemporaryDirectory() as tempdir:
+            inifile = os.path.join(tempdir, ".tuf-on-ci-sign.ini")
+            with open(inifile, "w") as f:
+                f.write(REQUIRED)
+
+            nonexistent_pkcs11lib = os.path.join(tempdir, "nonexistent-pkcs11lib")
+            mock_pkcs11lib = os.path.join(tempdir, "mock-pkcs11lib")
+            with open(mock_pkcs11lib, "w") as f:
+                f.write("")
+
+            # mock prober lookup locations so that a library is not found:
+            _user.LIBYKCS11_LOCATIONS = {platform.system(): [nonexistent_pkcs11lib]}
+            with self.assertRaises(click.ClickException):
+                User(inifile)
+
+            # mock prober lookup locations so that a library is found:
+            _user.LIBYKCS11_LOCATIONS = {
+                platform.system(): [nonexistent_pkcs11lib, mock_pkcs11lib]
+            }
+            user = User(inifile)
+            self.assertEqual(user.pykcs11lib, mock_pkcs11lib)
+
     def test_signing_keys(self):
         with TemporaryDirectory() as tempdir:
             inifile = os.path.join(tempdir, ".tuf-on-ci-sign.ini")

signer/tuf_on_ci_sign/_user.py

@@ -55,15 +55,16 @@ def __init__(self, path: str):
             self._signing_key_uris = {}
 
         # probe for pykcs11lib if it's not set
-        self.pykcs11lib = self._config["settings"].get("pykcs11lib")
-        if self.pykcs11lib is None:
+        try:
+            self.pykcs11lib = self._config["settings"]["pykcs11lib"]
+        except KeyError:
             for loc in LIBYKCS11_LOCATIONS.get(platform.system(), []):
                 if os.path.exists(loc):
                     self.pykcs11lib = loc
+                    logger.debug("Using probed YKCS11 location %s", self.pykcs11lib)
                     break
-            if self.pykcs11lib is None:
+            else:
                 raise click.ClickException("Failed to find libykcs11")
-            logger.debug("Using probed YKCS11 location %s", self.pykcs11lib)
 
         # signer cache gets populated as they are used the first time
         self._signers: dict[str, Signer] = {}