Enable ruff's own ruleset (#9114)

pyproject.toml

@@ -138,7 +138,7 @@ exclude_lines = [
 # UP006: Minimum Python 3.9
 # UP007, UP038: Minimum Python 3.10
 ignore = ['N818', 'UP006', 'UP007', 'UP038']
-select = ['E', 'F', 'I', 'N', 'W', 'UP']
+select = ['E', 'F', 'I', 'N', 'W', 'UP', 'RUF']
 line-length = 79
 
 [tool.ruff.isort]

setup.py

@@ -58,7 +58,7 @@ try:
             )
         ],
     )
-except:  # noqa: E722
+except:
     # Note: This is a bare exception that re-raises so that we don't interfere
     # with anything the installation machinery might want to do. Because we
     # print this for any exception this msg can appear (e.g. in verbose logs)

src/cryptography/hazmat/backends/openssl/backend.py

@@ -96,7 +96,7 @@ class Backend:
     # disallowed algorithms are still present in OpenSSL. They just error if
     # you try to use them. To avoid that we allowlist the algorithms in
     # FIPS 140-3. This isn't ideal, but FIPS 140-3 is trash so here we are.
-    _fips_aead = {
+    _fips_aead: typing.ClassVar[typing.Set[bytes]] = {
         b"aes-128-ccm",
         b"aes-192-ccm",
         b"aes-256-ccm",

src/cryptography/hazmat/primitives/serialization/pkcs7.py

@@ -111,7 +111,7 @@ class PKCS7SignatureBuilder:
 
         return PKCS7SignatureBuilder(
             self._data,
-            self._signers + [(certificate, private_key, hash_algorithm)],
+            [*self._signers, (certificate, private_key, hash_algorithm)],
         )
 
     def add_certificate(
@@ -121,7 +121,7 @@ class PKCS7SignatureBuilder:
             raise TypeError("certificate must be a x509.Certificate")
 
         return PKCS7SignatureBuilder(
-            self._data, self._signers, self._additional_certs + [certificate]
+            self._data, self._signers, [*self._additional_certs, certificate]
         )
 
     def sign(

src/cryptography/hazmat/primitives/serialization/ssh.py

@@ -1356,7 +1356,7 @@ class SSHCertificateBuilder:
             _valid_for_all_principals=self._valid_for_all_principals,
             _valid_before=self._valid_before,
             _valid_after=self._valid_after,
-            _critical_options=self._critical_options + [(name, value)],
+            _critical_options=[*self._critical_options, (name, value)],
             _extensions=self._extensions,
         )
 
@@ -1379,7 +1379,7 @@ class SSHCertificateBuilder:
             _valid_before=self._valid_before,
             _valid_after=self._valid_after,
             _critical_options=self._critical_options,
-            _extensions=self._extensions + [(name, value)],
+            _extensions=[*self._extensions, (name, value)],
         )
 
     def sign(self, private_key: SSHCertPrivateKeyTypes) -> SSHCertificate:

src/cryptography/utils.py

@@ -85,7 +85,7 @@ class _ModuleWithDeprecations(types.ModuleType):
         delattr(self._module, attr)
 
     def __dir__(self) -> typing.Sequence[str]:
-        return ["_module"] + dir(self._module)
+        return ["_module", *dir(self._module)]
 
 
 def deprecated(

src/cryptography/x509/base.py

@@ -664,7 +664,7 @@ class CertificateSigningRequestBuilder:
 
         return CertificateSigningRequestBuilder(
             self._subject_name,
-            self._extensions + [extension],
+            [*self._extensions, extension],
             self._attributes,
         )
 
@@ -697,7 +697,7 @@ class CertificateSigningRequestBuilder:
         return CertificateSigningRequestBuilder(
             self._subject_name,
             self._extensions,
-            self._attributes + [(oid, value, tag)],
+            [*self._attributes, (oid, value, tag)],
         )
 
     def sign(
@@ -916,7 +916,7 @@ class CertificateBuilder:
             self._serial_number,
             self._not_valid_before,
             self._not_valid_after,
-            self._extensions + [extension],
+            [*self._extensions, extension],
         )
 
     def sign(
@@ -1057,7 +1057,7 @@ class CertificateRevocationListBuilder:
             self._issuer_name,
             self._last_update,
             self._next_update,
-            self._extensions + [extension],
+            [*self._extensions, extension],
             self._revoked_certificates,
         )
 
@@ -1075,7 +1075,7 @@ class CertificateRevocationListBuilder:
             self._last_update,
             self._next_update,
             self._extensions,
-            self._revoked_certificates + [revoked_certificate],
+            [*self._revoked_certificates, revoked_certificate],
         )
 
     def sign(
@@ -1152,7 +1152,7 @@ class RevokedCertificateBuilder:
         return RevokedCertificateBuilder(
             self._serial_number,
             self._revocation_date,
-            self._extensions + [extension],
+            [*self._extensions, extension],
         )
 
     def build(self, backend: typing.Any = None) -> RevokedCertificate:

src/cryptography/x509/ocsp.py

@@ -478,7 +478,7 @@ class OCSPRequestBuilder:
         _reject_duplicate_extension(extension, self._extensions)
 
         return OCSPRequestBuilder(
-            self._request, self._request_hash, self._extensions + [extension]
+            self._request, self._request_hash, [*self._extensions, extension]
         )
 
     def build(self) -> OCSPRequest:
@@ -583,7 +583,7 @@ class OCSPResponseBuilder:
             self._response,
             self._responder_id,
             self._certs,
-            self._extensions + [extension],
+            [*self._extensions, extension],
         )
 
     def sign(

tests/hazmat/backends/test_openssl_memleak.py

@@ -172,11 +172,7 @@ def assert_no_memory_leaks(s, argv=[]):
     env.pop("COV_CORE_DATAFILE", None)
     env.pop("COV_CORE_SOURCE", None)
 
-    argv = [
-        sys.executable,
-        "-c",
-        f"{s}\n\n{MEMORY_LEAK_SCRIPT}",
-    ] + argv
+    argv = [sys.executable, "-c", f"{s}\n\n{MEMORY_LEAK_SCRIPT}", *argv]
     # Shell out to a fresh Python process because OpenSSL does not allow you to
     # install new memory hooks after the first malloc/free occurs.
     proc = subprocess.Popen(

tests/hazmat/primitives/test_aead.py

@@ -696,7 +696,7 @@ class TestAESSIV:
                     badkey = AESSIV(AESSIV.generate_key(256))
                     badkey.decrypt(ct, aad)
                 with pytest.raises(InvalidTag):
-                    aessiv.decrypt(ct, aad + [b""])
+                    aessiv.decrypt(ct, [*aad, b""])
                 with pytest.raises(InvalidTag):
                     aessiv.decrypt(ct, [b"nonsense"])
                 with pytest.raises(InvalidTag):

tests/hazmat/primitives/test_dh.py

@@ -932,9 +932,7 @@ class TestDHParameterSerialization:
                 serialization.PublicFormat.SubjectPublicKeyInfo,
             ),
             (serialization.Encoding.Raw, serialization.PublicFormat.PKCS1),
-        ]
-        + list(
-            itertools.product(
+            *itertools.product(
                 [
                     serialization.Encoding.Raw,
                     serialization.Encoding.X962,
@@ -946,8 +944,8 @@ class TestDHParameterSerialization:
                     serialization.PublicFormat.UncompressedPoint,
                     serialization.PublicFormat.CompressedPoint,
                 ],
-            )
-        ),
+            ),
+        ],
     )
     def test_public_bytes_rejects_invalid(self, encoding, fmt, backend):
         parameters = FFDH3072_P.parameters(backend)

tests/hazmat/primitives/test_dsa.py

@@ -988,9 +988,7 @@ class TestDSAPEMPublicKeySerialization:
                 serialization.PublicFormat.SubjectPublicKeyInfo,
             ),
             (serialization.Encoding.Raw, serialization.PublicFormat.PKCS1),
-        ]
-        + list(
-            itertools.product(
+            *itertools.product(
                 [
                     serialization.Encoding.Raw,
                     serialization.Encoding.X962,
@@ -1002,8 +1000,8 @@ class TestDSAPEMPublicKeySerialization:
                     serialization.PublicFormat.UncompressedPoint,
                     serialization.PublicFormat.CompressedPoint,
                 ],
-            )
-        ),
+            ),
+        ],
     )
     def test_public_bytes_rejects_invalid(self, encoding, fmt, backend):
         key = DSA_KEY_2048.private_key(backend).public_key()

tests/hazmat/primitives/test_pkcs12.py

@@ -796,11 +796,11 @@ class TestPKCS12Objects:
         cert = _load_cert(backend, os.path.join("x509", "cryptography.io.pem"))
         assert (
             repr(PKCS12Certificate(cert, None))
-            == f"<PKCS12Certificate({repr(cert)}, friendly_name=None)>"
+            == f"<PKCS12Certificate({cert!r}, friendly_name=None)>"
         )
         assert (
             repr(PKCS12Certificate(cert, b"a"))
-            == f"<PKCS12Certificate({repr(cert)}, friendly_name=b'a')>"
+            == f"<PKCS12Certificate({cert!r}, friendly_name=b'a')>"
         )
 
     def test_key_and_certificates_constructor(self, backend):

tests/hazmat/primitives/test_rsa.py

@@ -2740,9 +2740,7 @@ class TestRSAPEMPublicKeySerialization:
                 serialization.PublicFormat.SubjectPublicKeyInfo,
             ),
             (serialization.Encoding.Raw, serialization.PublicFormat.PKCS1),
-        ]
-        + list(
-            itertools.product(
+            *itertools.product(
                 [
                     serialization.Encoding.Raw,
                     serialization.Encoding.X962,
@@ -2754,8 +2752,8 @@ class TestRSAPEMPublicKeySerialization:
                     serialization.PublicFormat.UncompressedPoint,
                     serialization.PublicFormat.CompressedPoint,
                 ],
-            )
-        ),
+            ),
+        ],
     )
     def test_public_bytes_rejects_invalid(
         self, rsa_key_2048: rsa.RSAPrivateKey, encoding, fmt, backend

tests/hazmat/primitives/test_ssh.py

@@ -404,12 +404,12 @@ class TestOpenSSHSerialization:
             priv_type = pub_type
 
         pub = ssh._FragList()
-        for elem in (pub_type,) + pub_fields:
+        for elem in (pub_type, *pub_fields):
             pub.put_sshstr(elem)
 
         secret = ssh._FragList([checkval1, checkval2])
         for i in range(nkeys):
-            for elem in (priv_type,) + priv_fields + (comment,):
+            for elem in (priv_type, *priv_fields, comment):
                 secret.put_sshstr(elem)
 
         if pad is None:

tests/hazmat/primitives/test_x963_vectors.py

@@ -26,7 +26,9 @@ def _skip_hashfn_unsupported(backend, hashfn):
 
 
 class TestX963:
-    _algorithms_dict: typing.Dict[str, typing.Type[hashes.HashAlgorithm]] = {
+    _algorithms_dict: typing.ClassVar[
+        typing.Dict[str, typing.Type[hashes.HashAlgorithm]]
+    ] = {
         "SHA-1": hashes.SHA1,
         "SHA-224": hashes.SHA224,
         "SHA-256": hashes.SHA256,

tests/x509/test_x509.py

@@ -5437,7 +5437,9 @@ class TestOtherCertificate:
 
 
 class TestNameAttribute:
-    EXPECTED_TYPES = [
+    EXPECTED_TYPES: typing.ClassVar[
+        typing.List[typing.Tuple[x509.ObjectIdentifier, _ASN1Type]]
+    ] = [
         (NameOID.COMMON_NAME, _ASN1Type.UTF8String),
         (NameOID.COUNTRY_NAME, _ASN1Type.PrintableString),
         (NameOID.LOCALITY_NAME, _ASN1Type.UTF8String),