Raise CtapError and ClientError directly from Rust instead of encoding as ValueError

Rust PyO3 bindings now import and instantiate the proper Python exception types
(CtapError, ClientError, PinRequiredError) directly, eliminating ~50 instances
of try/except ValueError + _handle_native_error() boilerplate across 7 Python
files.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: dainnilsson

crates/fido2-pyo3/src/py_client.rs

@@ -137,23 +137,65 @@ impl ClientDataCollector {
 
 // ---- Error conversion helpers ----
 
+fn make_client_error(py: Python<'_>, code: u32, cause: Option<PyObject>) -> PyErr {
+    let Ok(m) = py.import("fido2.client") else {
+        return PyValueError::new_err(format!("ClientError code {code}"));
+    };
+    let Ok(cls) = m.getattr("ClientError") else {
+        return PyValueError::new_err(format!("ClientError code {code}"));
+    };
+    let args = match cause {
+        Some(c) => (code, c),
+        None => (code, py.None()),
+    };
+    match cls.call1(args) {
+        Ok(inst) => PyErr::from_value(inst.into_any()),
+        Err(e) => e,
+    }
+}
+
 fn client_err(e: client::ClientError) -> PyErr {
-    match e {
-        client::ClientError::BadRequest(msg) => {
-            PyValueError::new_err(format!("CLIENT_BAD_REQUEST:{}", msg))
-        }
-        client::ClientError::ConfigurationUnsupported(msg) => {
-            PyValueError::new_err(format!("CLIENT_CONFIG_UNSUPPORTED:{}", msg))
-        }
-        client::ClientError::PinRequired => {
-            PyValueError::new_err("CLIENT_PIN_REQUIRED".to_string())
-        }
-        client::ClientError::DeviceIneligible => {
-            PyValueError::new_err("CLIENT_DEVICE_INELIGIBLE".to_string())
+    Python::with_gil(|py| match e {
+        client::ClientError::BadRequest(msg) => make_client_error(
+            py,
+            2,
+            Some(msg.into_pyobject(py).unwrap().into_any().unbind()),
+        ),
+        client::ClientError::ConfigurationUnsupported(msg) => make_client_error(
+            py,
+            3,
+            Some(msg.into_pyobject(py).unwrap().into_any().unbind()),
+        ),
+        client::ClientError::PinRequired => match py.import("fido2.client") {
+            Ok(m) => match m.getattr("PinRequiredError") {
+                Ok(cls) => match cls.call0() {
+                    Ok(inst) => PyErr::from_value(inst.into_any()),
+                    Err(e) => e,
+                },
+                Err(e) => e,
+            },
+            Err(e) => e,
+        },
+        client::ClientError::DeviceIneligible => make_client_error(py, 4, None),
+        client::ClientError::Timeout => make_client_error(py, 5, None),
+        client::ClientError::Ctap(e) => {
+            // Convert CTAP error to ClientError via _ctap2client_err
+            let ctap_err = crate::py_ctap::ctap_err(e);
+            match py.import("fido2.client") {
+                Ok(m) => match m.getattr("_ctap2client_err") {
+                    Ok(func) => {
+                        let ctap_exc = ctap_err.value(py);
+                        match func.call1((ctap_exc,)) {
+                            Ok(inst) => PyErr::from_value(inst.into_any()),
+                            Err(e) => e,
+                        }
+                    }
+                    Err(_) => ctap_err,
+                },
+                Err(_) => ctap_err,
+            }
         }
-        client::ClientError::Timeout => PyValueError::new_err("CLIENT_TIMEOUT".to_string()),
-        client::ClientError::Ctap(e) => crate::py_ctap::ctap_err(e),
-    }
+    })
 }
 
 // ---- UserInteraction bridge ----

crates/fido2-pyo3/src/py_ctap.rs

@@ -128,9 +128,16 @@ impl CtapDevice for PyCtapDevice {
 
 pub fn ctap_err(e: CtapError) -> PyErr {
     match e {
-        CtapError::StatusError(status) => {
-            PyValueError::new_err(format!("CTAP_ERR:{}", status.as_byte()))
-        }
+        CtapError::StatusError(status) => Python::with_gil(|py| match py.import("fido2.ctap") {
+            Ok(m) => match m.getattr("CtapError") {
+                Ok(cls) => match cls.call1((status.as_byte(),)) {
+                    Ok(inst) => PyErr::from_value(inst.into_any()),
+                    Err(e) => e,
+                },
+                Err(e) => e,
+            },
+            Err(e) => e,
+        }),
         CtapError::InvalidResponse(ref msg) if msg.starts_with("Invalid PIN:") => {
             PyValueError::new_err(msg.clone())
         }

fido2/client/__init__.py

@@ -32,7 +32,7 @@
 import logging
 from enum import IntEnum, unique
 from threading import Event, Timer
-from typing import Any, Callable, Mapping, NoReturn, Sequence
+from typing import Any, Callable, Mapping, Sequence
 
 from _fido2_native.client import ClientDataCollector as NativeClientDataCollector
 from _fido2_native.client import NativeFido2Client
@@ -141,25 +141,6 @@ def __init__(
         super().__init__(code, cause)
 
 
-def _handle_native_error(e: ValueError) -> NoReturn:
-    """Convert native ValueError exceptions to appropriate Python exceptions."""
-    msg = str(e)
-    if msg.startswith("CTAP_ERR:"):
-        ctap_e = CtapError(int(msg.split(":")[1]))
-        raise _ctap2client_err(ctap_e) from None
-    if msg.startswith("CLIENT_BAD_REQUEST:"):
-        raise ClientError.ERR.BAD_REQUEST(msg.split(":", 1)[1]) from None
-    if msg.startswith("CLIENT_CONFIG_UNSUPPORTED:"):
-        raise ClientError.ERR.CONFIGURATION_UNSUPPORTED(msg.split(":", 1)[1]) from None
-    if msg == "CLIENT_PIN_REQUIRED":
-        raise PinRequiredError() from None
-    if msg == "CLIENT_DEVICE_INELIGIBLE":
-        raise ClientError.ERR.DEVICE_INELIGIBLE() from None
-    if msg == "CLIENT_TIMEOUT":
-        raise ClientError.ERR.TIMEOUT() from None
-    raise ClientError.ERR.OTHER_ERROR(e)
-
-
 class AssertionSelection:
     """GetAssertion result holding one or more assertions.
 
@@ -401,10 +382,7 @@ def _enterprise_rpid_list(self, value: list[str] | None) -> None:
         self._native.enterprise_rpid_list = value
 
     def selection(self, event: Event | None = None) -> None:
-        try:
-            self._native.selection(event)
-        except ValueError as e:
-            _handle_native_error(e)
+        self._native.selection(event)
 
     def make_credential(
         self,
@@ -431,15 +409,12 @@ def make_credential(
         logger.debug(f"Register a new credential for RP ID: {rp_id}")
 
         try:
-            try:
-                att_resp_dict, ext_outputs = self._native.do_make_credential(
-                    json.dumps(dict(options), cls=_BytesEncoder),
-                    client_data.hash,
-                    rp_id,
-                    event,
-                )
-            except ValueError as e:
-                _handle_native_error(e)
+            att_resp_dict, ext_outputs = self._native.do_make_credential(
+                json.dumps(dict(options), cls=_BytesEncoder),
+                client_data.hash,
+                rp_id,
+                event,
+            )
         finally:
             if timer:
                 timer.cancel()
@@ -488,15 +463,12 @@ def get_assertion(
         logger.debug(f"Assert a credential for RP ID: {rp_id}")
 
         try:
-            try:
-                assertions_dicts, ext_outputs_list = self._native.do_get_assertion(
-                    json.dumps(dict(options), cls=_BytesEncoder),
-                    client_data.hash,
-                    rp_id,
-                    event,
-                )
-            except ValueError as e:
-                _handle_native_error(e)
+            assertions_dicts, ext_outputs_list = self._native.do_get_assertion(
+                json.dumps(dict(options), cls=_BytesEncoder),
+                client_data.hash,
+                rp_id,
+                event,
+            )
         finally:
             if timer:
                 timer.cancel()