Improve typing (#911)

* Make type checking more strict.

* mypy: warn about unreachable code.

* Enable warn_redundant_casts.

* Enable strict_bytes.

* Look at some warn_return_any warnings.

plugins/module_utils/_crypto/_obj2txt.py

@@ -57,7 +57,8 @@ def obj2txt(openssl_lib, openssl_ffi, obj) -> str:
         buf_len = res + 1
         buf = openssl_ffi.new("char[]", buf_len)
         res = openssl_lib.OBJ_obj2txt(buf, buf_len, obj, 1)
-    return openssl_ffi.buffer(buf, res)[:].decode()
+    bytes_str: bytes = openssl_ffi.buffer(buf, res)[:]
+    return bytes_str.decode()
 
 
 __all__ = ("obj2txt",)

plugins/module_utils/_crypto/cryptography_support.py

@@ -287,8 +287,6 @@ def cryptography_oid_to_name(
 
 
 def _get_hex(bytesstr: bytes) -> str:
-    if bytesstr is None:
-        return bytesstr
     data = binascii.hexlify(bytesstr)
     return to_text(b":".join(data[i : i + 2] for i in range(0, len(data), 2)))
 
@@ -863,7 +861,7 @@ def parse_pkcs12(
     if _load_pkcs12 is not None:
         return _parse_pkcs12_36_0_0(pkcs12_bytes, passphrase=passphrase_bytes)
 
-    if LooseVersion(cryptography.__version__) >= LooseVersion("35.0"):
+    if LooseVersion(cryptography.__version__) >= LooseVersion("35.0"):  # type: ignore[unreachable]
         return _parse_pkcs12_35_0_0(pkcs12_bytes, passphrase=passphrase_bytes)
 
     return _parse_pkcs12_legacy(pkcs12_bytes, passphrase=passphrase_bytes)

plugins/module_utils/_crypto/module_backends/certificate_info.py

@@ -281,7 +281,7 @@ class CertificateInfoRetrievalCryptography(CertificateInfoRetrieval):
             return 1
         if self.cert.version == x509.Version.v3:
             return 3
-        return "unknown"
+        return "unknown"  # type: ignore[unreachable]
 
     def _get_key_usage(self) -> tuple[list[str] | None, bool]:
         try:

plugins/module_utils/_crypto/module_backends/csr.py

@@ -133,7 +133,7 @@ class CertificateSigningRequestBackend(metaclass=abc.ABCMeta):
         self.authority_cert_issuer: list[str] | None = module.params[
             "authority_cert_issuer"
         ]
-        self.authority_cert_serial_number: int = module.params[
+        self.authority_cert_serial_number: int | None = module.params[
             "authority_cert_serial_number"
         ]
         self.crl_distribution_points: (
@@ -361,10 +361,6 @@ def parse_crl_distribution_points(
 class CertificateSigningRequestCryptographyBackend(CertificateSigningRequestBackend):
     def __init__(self, *, module: AnsibleModule) -> None:
         super().__init__(module=module)
-        if self.version != 1:
-            module.warn(
-                "The cryptography backend only supports version 1. (The only valid value according to RFC 2986.)"
-            )
 
         crl_distribution_points: list[dict[str, t.Any]] | None = module.params[
             "crl_distribution_points"

plugins/module_utils/_crypto/module_backends/privatekey.py

@@ -287,7 +287,9 @@ class _Curve:
     def _get_ec_class(
         self, *, module: GeneralAnsibleModule
     ) -> type[cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve]:
-        ecclass = cryptography.hazmat.primitives.asymmetric.ec.__dict__.get(self.ectype)  # type: ignore
+        ecclass: (
+            type[cryptography.hazmat.primitives.asymmetric.ec.EllipticCurve] | None
+        ) = cryptography.hazmat.primitives.asymmetric.ec.__dict__.get(self.ectype)
         if ecclass is None:
             module.fail_json(
                 msg=f"Your cryptography version does not support {self.ectype}"