Hardened the codebase by introducing type-checking.

Author: mridang

.github/workflows/test.yml

@@ -33,7 +33,7 @@ jobs:
           cache: 'poetry'
 
       - name: Install Dependencies
-        run: poetry install
+        run: poetry install --no-interaction --sync --all-extras
 
       - name: Run Tests
         run: poetry run pytest

.github/workflows/typecheck.yml

@@ -0,0 +1,39 @@
+name: Typecheck
+
+on:
+  push:
+    branches:
+      - main
+  pull_request:
+
+permissions:
+  contents: read
+
+defaults:
+  run:
+    working-directory: ./
+
+jobs:
+  steep-check:
+    runs-on: ubuntu-latest
+    name: Inspect Code
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v4
+
+      - name: Install poetry
+        run: |
+          pipx install poetry
+
+      - name: Setup Python
+        uses: actions/setup-python@v5
+        with:
+          python-version-file: 'pyproject.toml'
+          cache: 'poetry'
+
+      - name: Install Dependencies
+        run: poetry install --no-interaction --sync --all-extras
+
+      - name: Run MyPy
+        run: poetry run mypy

pyproject.toml

@@ -69,43 +69,23 @@ extension-pkg-whitelist = "pydantic"
 [tool.mypy]
 files = [
   "zitadel_client",
-  "tests",
+  "test",
+  "spec"
 ]
-
-# List from: https://mypy.readthedocs.io/en/stable/existing_code.html#introduce-stricter-options
-warn_unused_configs = true
-warn_redundant_casts = true
-warn_unused_ignores = true
-
-## Getting these passing should be easy
-strict_equality = true
-extra_checks = true
-
-## Strongly recommend enabling this one as soon as you can
-check_untyped_defs = true
-
-## These shouldn't be too much additional work, but may be tricky to
-## get passing if you use a lot of untyped libraries
-disallow_subclassing_any = true
-disallow_untyped_decorators = true
-disallow_any_generics = true
+exclude = '(^zitadel_client/models/|^zitadel_client/api/)'
+strict = true
+implicit_reexport = true
 
 [[tool.mypy.overrides]]
 module = [
-  "zitadel_client.configuration",
+  "authlib",
+  "authlib.integrations.requests_client",
+  "authlib.jose",
+  "testcontainers.core.container",
+  "testcontainers"
 ]
-warn_unused_ignores = true
-strict_equality = true
-extra_checks = true
-check_untyped_defs = true
-disallow_subclassing_any = true
-disallow_untyped_decorators = true
-disallow_any_generics = true
-disallow_untyped_calls = true
-disallow_incomplete_defs = true
-disallow_untyped_defs = true
-no_implicit_reexport = true
-warn_return_any = true
+ignore_missing_imports = true
+disable_error_code = ["import-untyped"]
 
 [tool.flake8]
 max-line-length = 99

spec/conftest.py

@@ -3,6 +3,6 @@
 
 
 @pytest.fixture(scope="session", autouse=True)
-def load_env():
+def load_env() -> None:
   """Load the .env file for the entire test session."""
   load_dotenv()

spec/sdk_test_using_client_credentials_authentication_spec.py

@@ -8,32 +8,32 @@
 
 
 @pytest.fixture
-def client_id():
+def client_id() -> str | None:
     """Fixture to return a valid personal access token."""
     return os.getenv("CLIENT_ID")
 
 
 @pytest.fixture
-def client_secret():
+def client_secret() -> str | None:
     """Fixture to return a valid personal access token."""
     return os.getenv("CLIENT_SECRET")
 
 
 @pytest.fixture
-def base_url():
+def base_url() -> str | None:
     """Fixture to return the base URL."""
     return os.getenv("BASE_URL")
 
 
 @pytest.fixture
-def user_id(client_id, client_secret, base_url):
+def user_id(client_id: str, client_secret: str, base_url: str) -> str | None:
     """Fixture to create a user and return their ID."""
     with zitadel.Zitadel(ClientCredentialsAuthenticator.builder(base_url, client_id, client_secret).build()) as client:
         try:
             response = client.users.add_human_user(
                 body=zitadel.models.V2AddHumanUserRequest(
                     username=uuid.uuid4().hex,
-                    profile=zitadel.models.V2SetHumanProfile(given_name="John", family_name="Doe"),
+                    profile=zitadel.models.V2SetHumanProfile(given_name="John", family_name="Doe"), # type: ignore[call-arg]
                     email=zitadel.models.V2SetHumanEmail(email=f"johndoe{uuid.uuid4().hex}@caos.ag")
                 )
             )
@@ -43,7 +43,7 @@ def user_id(client_id, client_secret, base_url):
             pytest.fail(f"Exception while creating user: {e}")
 
 
-def test_should_deactivate_and_reactivate_user_with_valid_token(user_id, client_id, client_secret, base_url):
+def test_should_deactivate_and_reactivate_user_with_valid_token(user_id: str, client_id: str, client_secret: str, base_url: str) -> None:
     """Test to (de)activate the user with a valid token."""
     with zitadel.Zitadel(ClientCredentialsAuthenticator.builder(base_url, client_id, client_secret).build()) as client:
         try:
@@ -58,7 +58,7 @@ def test_should_deactivate_and_reactivate_user_with_valid_token(user_id, client_
             pytest.fail(f"Exception when calling deactivate_user or reactivate_user with valid token: {e}")
 
 
-def test_should_not_deactivate_or_reactivate_user_with_invalid_token(user_id, base_url):
+def test_should_not_deactivate_or_reactivate_user_with_invalid_token(user_id: str, base_url: str) -> None:
     """Test to attempt (de)activating the user with an invalid token."""
     with zitadel.Zitadel(ClientCredentialsAuthenticator.builder(base_url, "id", "secret").build()) as client:
         try:

spec/sdk_test_using_personal_access_token_authentication_spec.py

@@ -9,32 +9,32 @@
 
 
 @pytest.fixture
-def valid_token():
+def valid_token() -> str | None:
     """Fixture to return a valid personal access token."""
     return os.getenv("AUTH_TOKEN")
 
 
 @pytest.fixture
-def invalid_token():
+def invalid_token() -> str | None:
     """Fixture to return an invalid token."""
     return "whoops"
 
 
 @pytest.fixture
-def base_url():
+def base_url() -> str | None:
     """Fixture to return the base URL."""
     return os.getenv("BASE_URL")
 
 
 @pytest.fixture
-def user_id(valid_token, base_url):
+def user_id(valid_token: str, base_url: str) -> str | None:
     """Fixture to create a user and return their ID."""
     with zitadel.Zitadel(PersonalAccessTokenAuthenticator(base_url, valid_token)) as client:
         try:
             response = client.users.add_human_user(
                 body=zitadel.models.V2AddHumanUserRequest(
                     username=uuid.uuid4().hex,
-                    profile=zitadel.models.V2SetHumanProfile(given_name="John", family_name="Doe"),
+                    profile=zitadel.models.V2SetHumanProfile(given_name="John", family_name="Doe"), # type: ignore[call-arg]
                     email=zitadel.models.V2SetHumanEmail(email=f"johndoe{uuid.uuid4().hex}@caos.ag")
                 )
             )
@@ -44,7 +44,7 @@ def user_id(valid_token, base_url):
             pytest.fail(f"Exception while creating user: {e}")
 
 
-def test_should_deactivate_and_reactivate_user_with_valid_token(user_id, valid_token, base_url):
+def test_should_deactivate_and_reactivate_user_with_valid_token(user_id: str, valid_token: str, base_url: str) -> None:
     """Test to (de)activate the user with a valid token."""
     with zitadel.Zitadel(PersonalAccessTokenAuthenticator(base_url, valid_token)) as client:
         try:
@@ -59,7 +59,7 @@ def test_should_deactivate_and_reactivate_user_with_valid_token(user_id, valid_t
             pytest.fail(f"Exception when calling deactivate_user or reactivate_user with valid token: {e}")
 
 
-def test_should_not_deactivate_or_reactivate_user_with_invalid_token(user_id, invalid_token, base_url):
+def test_should_not_deactivate_or_reactivate_user_with_invalid_token(user_id: str, invalid_token: str, base_url: str) -> None:
     """Test to attempt (de)activating the user with an invalid token."""
     with zitadel.Zitadel(PersonalAccessTokenAuthenticator(base_url, invalid_token)) as client:
         try:

spec/sdk_test_using_web_token_authentication_spec.py

@@ -9,7 +9,7 @@
 
 
 @pytest.fixture
-def key_file():
+def key_file() -> str:
     jwt_key = os.getenv("JWT_KEY")
     if jwt_key is None:
         pytest.fail("JWT_KEY is not set in the environment")
@@ -19,20 +19,20 @@ def key_file():
 
 
 @pytest.fixture
-def base_url():
+def base_url() -> str | None:
     """Fixture to return the base URL."""
     return os.getenv("BASE_URL")
 
 
 @pytest.fixture
-def user_id(key_file, base_url):
+def user_id(key_file: str, base_url: str) -> str | None:
     """Fixture to create a user and return their ID."""
     with zitadel.Zitadel(WebTokenAuthenticator.from_json(base_url, key_file)) as client:
         try:
             response = client.users.add_human_user(
                 body=zitadel.models.V2AddHumanUserRequest(
                     username=uuid.uuid4().hex,
-                    profile=zitadel.models.V2SetHumanProfile(given_name="John", family_name="Doe"),
+                    profile=zitadel.models.V2SetHumanProfile(given_name="John", family_name="Doe"), # type: ignore[call-arg]
                     email=zitadel.models.V2SetHumanEmail(email=f"johndoe{uuid.uuid4().hex}@caos.ag")
                 )
             )
@@ -42,7 +42,7 @@ def user_id(key_file, base_url):
             pytest.fail(f"Exception while creating user: {e}")
 
 
-def test_should_deactivate_and_reactivate_user_with_valid_token(user_id, key_file, base_url):
+def test_should_deactivate_and_reactivate_user_with_valid_token(user_id: str, key_file: str, base_url: str) -> None:
     """Test to (de)activate the user with a valid token."""
     with zitadel.Zitadel(WebTokenAuthenticator.from_json(base_url, key_file)) as client:
         try:

test/auth/test_client_credentials_authenticator.py

@@ -11,9 +11,10 @@ class ClientCredentialsAuthenticatorTest(OAuthAuthenticatorTest):
   Extends the base OAuthAuthenticatorTest class.
   """
 
-  def test_refresh_token(self):
+  def test_refresh_token(self) -> None:
     time.sleep(20)
 
+    assert self.oauth_host is not None
     authenticator = ClientCredentialsAuthenticator.builder(self.oauth_host, "dummy-client", "dummy-secret") \
       .scopes("openid", "foo") \
       .build()

test/auth/test_no_auth_authenticator.py

@@ -4,12 +4,12 @@
 
 
 class NoAuthAuthenticatorTest(unittest.TestCase):
-  def test_returns_empty_headers_and_default_host(self):
+  def test_returns_empty_headers_and_default_host(self) -> None:
     auth = NoAuthAuthenticator()
     self.assertEqual({}, auth.get_auth_headers())
     self.assertEqual("http://localhost", auth.get_host())
 
-  def test_returns_empty_headers_and_custom_host(self):
+  def test_returns_empty_headers_and_custom_host(self) -> None:
     auth = NoAuthAuthenticator("https://custom-host")
     self.assertEqual({}, auth.get_auth_headers())
     self.assertEqual("https://custom-host", auth.get_host())

test/auth/test_oauth_authenticator.py

@@ -14,11 +14,11 @@ class OAuthAuthenticatorTest(unittest.TestCase):
   The container is configured to wait for an HTTP response from the "/" endpoint
   with a status code of 405, using HttpWaitStrategy.
   """
-  oauth_host: str = None
+  oauth_host: str | None = None
   mock_oauth2_server: DockerContainer = None
 
   @classmethod
-  def setUpClass(cls):
+  def setUpClass(cls) -> None:
     cls.mock_oauth2_server = DockerContainer("ghcr.io/navikt/mock-oauth2-server:2.1.10") \
       .with_exposed_ports(8080)
     cls.mock_oauth2_server.start()
@@ -27,6 +27,6 @@ def setUpClass(cls):
     cls.oauth_host = f"http://{host}:{port}"
 
   @classmethod
-  def tearDownClass(cls):
+  def tearDownClass(cls) -> None:
     if cls.mock_oauth2_server is not None:
       cls.mock_oauth2_server.stop()