From 69235b22932f97cd7ebf0dc1d3c81f1d04ec21ac Mon Sep 17 00:00:00 2001
From: vaultah <4944562+vaultah@users.noreply.github.com>
Date: Sat, 9 Apr 2022 23:50:38 +0100
Subject: [PATCH] Stricter validation of init/unlock arguments

---
 replicat/repository.py            | 10 ++++++++++
 replicat/tests/test_repository.py |  9 ++++-----
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/replicat/repository.py b/replicat/repository.py
index b0f7cf3..3c1d02b 100644
--- a/replicat/repository.py
+++ b/replicat/repository.py
@@ -677,6 +677,12 @@ async def init(self, *, password=None, settings=None, key_output_path=None):
                     json.dumps(key, indent=4, default=self.default_serialization_hook)
                 )
         else:
+            if password is not None or key_output_path is not None:
+                raise exceptions.ReplicatError(
+                    'Password and key output path can only be provided to initialise '
+                    'encrypted repositories'
+                )
+
             key = None
 
         self.display_status('Uploading config')
@@ -708,6 +714,10 @@ async def unlock(self, *, password=None, key=None):
                 props,
                 **self._instantiate_key(key, password=password, cipher=props.cipher),
             )
+        elif password is not None or key is not None:
+            raise exceptions.ReplicatError(
+                'Cannot provide password or key to unlock unencrypted repositories'
+            )
 
         self.props = props
 
diff --git a/replicat/tests/test_repository.py b/replicat/tests/test_repository.py
index 3e74b59..7fa025d 100644
--- a/replicat/tests/test_repository.py
+++ b/replicat/tests/test_repository.py
@@ -274,7 +274,6 @@ async def test_encrypted_ok(self, local_backend, local_repo, tmp_path):
     @pytest.mark.asyncio
     async def test_unencrypted_ok(self, local_backend, local_repo):
         result = await local_repo.init(
-            password=b'<password>',
             settings={'encryption': None, 'chunking': {'max_length': 128_129}},
         )
 
@@ -736,7 +735,7 @@ def upldstream(name, contents, length):
     async def test_not_locked(self, monkeypatch, local_backend, tmp_path, encryption):
         local_repo = Repository(local_backend, concurrent=5)
         await local_repo.init(
-            password=b'<password>',
+            password=encryption and b'<password>',
             settings={'encryption': encryption},
         )
 
@@ -780,7 +779,7 @@ async def _wait_for_lock(*a, **ka):
     async def test_locked(self, monkeypatch, local_backend, tmp_path, encryption):
         local_repo = Repository(local_backend, concurrent=5)
         await local_repo.init(
-            password=b'<password>',
+            password=encryption and b'<password>',
             settings={'encryption': encryption},
         )
 
@@ -1154,7 +1153,7 @@ async def test_unencrypted_unreferenced(self, local_backend, local_repo, tmp_pat
     async def test_not_locked(self, monkeypatch, local_backend, encryption):
         local_repo = Repository(local_backend, concurrent=5)
         await local_repo.init(
-            password=b'<password>',
+            password=encryption and b'<password>',
             settings={'encryption': encryption},
         )
 
@@ -1187,7 +1186,7 @@ async def test_not_locked(self, monkeypatch, local_backend, encryption):
     async def test_locked(self, monkeypatch, local_backend, encryption):
         local_repo = Repository(local_backend, concurrent=5)
         await local_repo.init(
-            password=b'<password>',
+            password=encryption and b'<password>',
             settings={'encryption': encryption},
         )