Improve typing (#911)

* Make type checking more strict. * mypy: warn about unreachable code. * Enable warn_redundant_casts. * Enable strict_bytes. * Look at some warn_return_any warnings.
2026-05-07 13:53:06 +00:00 · 2025-05-31 10:25:55 +02:00
parent 6d273bc5b7
commit 82522fc07f
20 changed files with 88 additions and 65 deletions
--- a/plugins/modules/acme_certificate.py
+++ b/plugins/modules/acme_certificate.py
@@ -634,7 +634,7 @@ class ACMECertificateClient:
        self.cert_days = -1
        self.order: Order | None = None
        self.order_uri = self.data.get("order_uri") if self.data else None
-        self.all_chains = None
+        self.all_chains: list[dict[str, t.Any]] | None = None
        self.select_chain_matcher = []
        self.include_renewal_cert_id = module.params["include_renewal_cert_id"]
        self.profile = module.params["profile"]
--- a/plugins/modules/acme_certificate_revoke.py
+++ b/plugins/modules/acme_certificate_revoke.py
@@ -217,12 +217,16 @@ def main() -> t.NoReturn:
        if info["status"] != 200:
            already_revoked = False
            # Standardized error from draft 14 on (https://tools.ietf.org/html/rfc8555#section-7.6)
-            if result.get("type") == "urn:ietf:params:acme:error:alreadyRevoked":
+            if (
+                isinstance(result, dict)
+                and result.get("type") == "urn:ietf:params:acme:error:alreadyRevoked"
+            ):
                already_revoked = True
            else:
                # Hack for Boulder errors
                if (
-                    result.get("type") == "urn:ietf:params:acme:error:malformed"
+                    isinstance(result, dict)
+                    and result.get("type") == "urn:ietf:params:acme:error:malformed"
                    and result.get("detail") == "Certificate already revoked"
                ):
                    # Fallback: boulder returns this in case the certificate was already revoked.
--- a/plugins/modules/get_certificate.py
+++ b/plugins/modules/get_certificate.py
@@ -440,7 +440,7 @@ def main() -> t.NoReturn:
                    module.fail_json(
                        msg=f"tls_ctx_options must be a string or integer, got {tls_ctx_option!r}"
                    )
-                    tls_ctx_option_int = (
+                    tls_ctx_option_int = (  # type: ignore[unreachable]
                        0  # make pylint happy; this code is actually unreachable
                    )

@@ -558,7 +558,7 @@ def main() -> t.NoReturn:
    elif x509.version == cryptography.x509.Version.v3:
        result["version"] = 3 - 1
    else:
-        result["version"] = "unknown"
+        result["version"] = "unknown"  # type: ignore[unreachable]

    if verified_chain is not None:
        result["verified_chain"] = verified_chain
--- a/plugins/modules/luks_device.py
+++ b/plugins/modules/luks_device.py
@@ -510,9 +510,6 @@ class Handler:
    def get_device_by_label(self, label: str) -> str | None:
        """Returns the device that holds label passed by user"""
        blkid_bin = self._module.get_bin_path("blkid", True)
-        label = self._module.params["label"]
-        if label is None:
-            return None
        rc, stdout, dummy = self._run_command([blkid_bin, "--label", label])
        if rc != 0:
            return None
--- a/plugins/modules/openssl_pkcs12.py
+++ b/plugins/modules/openssl_pkcs12.py
@@ -529,13 +529,8 @@ class Pkcs(OpenSSLObject):
            elif bool(pkcs12_certificate) != bool(self.certificate_content):
                return False

-            if (pkcs12_other_certificates is not None) and (
-                self.other_certificates is not None
-            ):
-                expected_other_certs = self._dump_other_certificates(self.pkcs12)
-                if set(pkcs12_other_certificates) != set(expected_other_certs):
-                    return False
-            elif bool(pkcs12_other_certificates) != bool(self.other_certificates):
+            expected_other_certs = self._dump_other_certificates(self.pkcs12)
+            if set(pkcs12_other_certificates) != set(expected_other_certs):
                return False

            if pkcs12_privatekey:
--- a/plugins/modules/x509_certificate.py
+++ b/plugins/modules/x509_certificate.py
@@ -293,7 +293,7 @@ class GenericCertificate(OpenSSLObject):
        self.module = module
        self.return_content = module.params["return_content"]
        self.backup = module.params["backup"]
-        self.backup_file = None
+        self.backup_file: str | None = None

        self.module_backend = module_backend
        self.module_backend.set_existing(