merge updates

Signed-off-by: Ramon Petgrave <[email protected]>

Author: ramonpetgrave64

sigstore/_internal/rekor/__init__.py

@@ -17,18 +17,54 @@
 """
 
 import base64
+from abc import ABC, abstractmethod
 
 import rekor_types
 from cryptography.x509 import Certificate
 
+from sigstore._internal.rekor.v2_types.dev.sigstore.rekor import v2
 from sigstore._utils import base64_encode_pem_cert
+from sigstore.dsse import Envelope
 from sigstore.hashes import Hashed
+from sigstore.models import LogEntry
 
 __all__ = [
     "_hashedrekord_from_parts",
 ]
 
 
+class RekorLogSubmitter(ABC):
+    @abstractmethod
+    def create_entry(
+        self,
+        request: rekor_types.Hashedrekord | rekor_types.Dsse | v2.CreateEntryRequest,
+    ) -> LogEntry:
+        """
+        Submit the request to Rekor.
+        """
+        pass
+
+    @classmethod
+    @abstractmethod
+    def _build_hashed_rekord_request(
+        self, hashed_input: Hashed, signature: bytes, certificate: Certificate
+    ) -> rekor_types.Hashedrekord | v2.CreateEntryRequest:
+        """
+        Construct a hashed rekord request to submit to Rekor.
+        """
+        pass
+
+    @classmethod
+    @abstractmethod
+    def _build_dsse_request(
+        self, envelope: Envelope, certificate: Certificate
+    ) -> rekor_types.Dsse | v2.CreateEntryRequest:
+        """
+        Construct a dsse request to submit to Rekor.
+        """
+        pass
+
+
 # TODO: This should probably live somewhere better.
 def _hashedrekord_from_parts(
     cert: Certificate, sig: bytes, hashed: Hashed

sigstore/_internal/rekor/client_v2.py

@@ -27,6 +27,7 @@
 from cryptography.x509 import Certificate
 
 from sigstore._internal import USER_AGENT
+from sigstore._internal.rekor import RekorLogSubmitter
 from sigstore._internal.rekor.v2_types.dev.sigstore.common import v1 as common_v1
 from sigstore._internal.rekor.v2_types.dev.sigstore.rekor import v2
 from sigstore._internal.rekor.v2_types.io import intoto as v2_intoto
@@ -41,12 +42,12 @@
 
 # TODO: Link to merged documenation.
 # See https://github.com/sigstore/rekor-tiles/pull/255/files#diff-eb568acf84d583e4d3734b07773e96912277776bad39c560392aa33ea2cf2210R196
-CREATE_ENTRIES_TIMEOUT_SECONDS = 10
+CREATE_ENTRIES_TIMEOUT_SECONDS = 20
 
 DEFAULT_KEY_DETAILS = common_v1.PublicKeyDetails.PKIX_ECDSA_P384_SHA_256
 
 
-class RekorV2Client:
+class RekorV2Client(RekorLogSubmitter):
     """The internal Rekor client for the v2 API"""
 
     # TODO: implement get_tile, get_entry_bundle, get_checkpoint.
@@ -71,15 +72,22 @@ def __del__(self) -> None:
         """
         self.session.close()
 
-    def create_entry(self, request: v2.CreateEntryRequest) -> LogEntry:
+    # TODO: when we remove the original Rekor client, remove the type ignore here
+    def create_entry(self, request: v2.CreateEntryRequest) -> LogEntry:  # type: ignore[override]
         """
         Submit a new entry for inclusion in the Rekor log.
         """
         # TODO: There may be a bug in betterproto, where the V_0_0_2 is changed to V002,
         # Or it is an issue with the proto `json_value`.
         # See https://github.com/sigstore/rekor-tiles/blob/bd5893730de581629a5f475923c663f776793496/api/proto/rekor_service.proto#L66.
         payload = request.to_dict()
-        _logger.debug(f"proposed: {json.dumps(payload)}")
+        if "hashedRekordRequestV002" in payload:
+            payload["hashedRekordRequestV0_0_2"] = payload.pop(
+                "hashedRekordRequestV002"
+            )
+        if "dsseRequestV002" in payload:
+            payload["dsseRequestV0_0_2"] = payload.pop("dsseRequestV002")
+        _logger.debug(f"request: {json.dumps(payload)}")
         resp = self.session.post(
             f"{self.url}/log/entries",
             json=payload,
@@ -96,20 +104,23 @@ def create_entry(self, request: v2.CreateEntryRequest) -> LogEntry:
         return LogEntry._from_dict_rekor(integrated_entry)
 
     @classmethod
-    def _build_hashed_rekord_create_entry_request(
+    def _build_hashed_rekord_request(
         cls,
-        artifact_hashed_input: Hashed,
-        artifact_signature: bytes,
-        signing_certificate: Certificate,
+        hashed_input: Hashed,
+        signature: bytes,
+        certificate: Certificate,
     ) -> v2.CreateEntryRequest:
+        """
+        Construct a hashed rekord request to submit to Rekor.
+        """
         return v2.CreateEntryRequest(
             hashed_rekord_request_v0_0_2=v2.HashedRekordRequestV002(
-                digest=artifact_hashed_input.digest,
+                digest=hashed_input.digest,
                 signature=v2.Signature(
-                    content=artifact_signature,
+                    content=signature,
                     verifier=v2.Verifier(
                         x509_certificate=common_v1.X509Certificate(
-                            raw_bytes=signing_certificate.public_bytes(
+                            raw_bytes=certificate.public_bytes(
                                 encoding=serialization.Encoding.DER
                             )
                         ),
@@ -120,9 +131,12 @@ def _build_hashed_rekord_create_entry_request(
         )
 
     @classmethod
-    def _build_dsse_create_entry_request(
-        cls, envelope: Envelope, signing_certificate: Certificate
+    def _build_dsse_request(
+        cls, envelope: Envelope, certificate: Certificate
     ) -> v2.CreateEntryRequest:
+        """
+        Construct a dsse request to submit to Rekor.
+        """
         return v2.CreateEntryRequest(
             dsse_request_v0_0_2=v2.DsseRequestV002(
                 envelope=v2_intoto.Envelope(
@@ -139,7 +153,7 @@ def _build_dsse_create_entry_request(
                 verifiers=[
                     v2.Verifier(
                         x509_certificate=common_v1.X509Certificate(
-                            raw_bytes=signing_certificate.public_bytes(
+                            raw_bytes=certificate.public_bytes(
                                 encoding=serialization.Encoding.DER
                             )
                         ),

test/unit/internal/rekor/test_client_v2.py

@@ -1,13 +1,16 @@
 import hashlib
+import os
 import secrets
 
 import pytest
+from id import (
+    detect_credential,
+)
 
 from sigstore import dsse
+from sigstore._internal.rekor.client import STAGING_REKOR_URL
 from sigstore._internal.rekor.client_v2 import (
     DEFAULT_KEY_DETAILS,
-    DEFAULT_REKOR_URL,
-    STAGING_REKOR_URL,
     Certificate,
     Hashed,
     LogEntry,
@@ -17,10 +20,11 @@
     v2,
     v2_intoto,
 )
-
-# from sigstore.models import rekor_v1
+from sigstore._internal.trust import ClientTrustConfig
 from sigstore._utils import sha256_digest
-from sigstore.sign import ec
+from sigstore.models import rekor_v1
+from sigstore.oidc import _DEFAULT_AUDIENCE, IdentityToken
+from sigstore.sign import SigningContext, ec
 
 ALPHA_REKOR_V2_URL = "https://log2025-alpha1.rekor.sigstage.dev"
 LOCAL_REKOR_V2_URL = "http://localhost:3000"
@@ -29,12 +33,13 @@
 # TODO: add staging and production URLs when available,
 # and local after using scaffolding/setup-sigstore-env action
 @pytest.fixture(
+    scope="session",
     params=[
         ALPHA_REKOR_V2_URL,
         pytest.param(STAGING_REKOR_URL, marks=pytest.mark.xfail),
-        pytest.param(DEFAULT_REKOR_URL, marks=pytest.mark.xfail),
-        pytest.param(LOCAL_REKOR_V2_URL, marks=pytest.mark.xfail),
-    ]
+        # pytest.param(DEFAULT_REKOR_URL, marks=pytest.mark.xfail),
+        # pytest.param(LOCAL_REKOR_V2_URL, marks=pytest.mark.xfail),
+    ],
 )
 def client(request) -> RekorV2Client:
     """
@@ -44,37 +49,46 @@ def client(request) -> RekorV2Client:
     return RekorV2Client(base_url=request.param)
 
 
-@pytest.fixture()
-def sample_signer(staging):
+@pytest.fixture(scope="session")
+def sample_cert_and_private_key() -> tuple[Certificate, ec.EllipticCurvePrivateKey]:
     """
-    Returns a `Signer`.
+    Returns a sample Certificate and ec.EllipticCurvePrivateKey.
     """
-    sign_ctx_cls, _, id_token = staging
-    with sign_ctx_cls().signer(id_token) as signer:
-        return signer
+    # Detect env variable for local interactive tests.
+    token = os.getenv("SIGSTORE_IDENTITY_TOKEN_staging")
+    if not token:
+        # If the variable is not defined, try getting an ambient token.
+        token = detect_credential(_DEFAULT_AUDIENCE)
 
+    with SigningContext.from_trust_config(ClientTrustConfig.staging()).signer(
+        IdentityToken(token)
+    ) as signer:
+        return signer._signing_cert(), signer._private_key
 
-@pytest.fixture()
+
+@pytest.fixture(scope="session")
 def sample_hashed_rekord_request_materials(
-    sample_signer,
+    sample_cert_and_private_key,
 ) -> tuple[Hashed, bytes, Certificate]:
     """
     Creates materials needed for `RekorV2Client._build_hashed_rekord_create_entry_request`.
     """
-    cert = sample_signer._signing_cert()
+    cert, private_key = sample_cert_and_private_key
     hashed_input = sha256_digest(secrets.token_bytes(32))
-    signature = sample_signer._private_key.sign(
+    signature = private_key.sign(
         hashed_input.digest, ec.ECDSA(hashed_input._as_prehashed())
     )
     return hashed_input, signature, cert
 
 
-@pytest.fixture()
-def sample_dsse_request_materials(sample_signer) -> tuple[dsse.Envelope, Certificate]:
+@pytest.fixture(scope="session")
+def sample_dsse_request_materials(
+    sample_cert_and_private_key,
+) -> tuple[dsse.Envelope, Certificate]:
     """
     Creates materials needed for `RekorV2Client._build_dsse_create_entry_request`.
     """
-    cert = sample_signer._signing_cert()
+    cert, private_key = sample_cert_and_private_key
     stmt = (
         dsse.StatementBuilder()
         .subjects(
@@ -92,49 +106,34 @@ def sample_dsse_request_materials(sample_signer) -> tuple[dsse.Envelope, Certifi
             }
         )
     ).build()
-    envelope = dsse._sign(key=sample_signer._private_key, stmt=stmt)
+    envelope = dsse._sign(key=private_key, stmt=stmt)
     return envelope, cert
 
 
-@pytest.fixture()
+@pytest.fixture(scope="session")
 def sample_hashed_rekord_create_entry_request(
     sample_hashed_rekord_request_materials,
 ) -> v2.CreateEntryRequest:
     """
     Returns a sample `CreateEntryRequest` for for hashedrekor.
     """
     hashed_input, signature, cert = sample_hashed_rekord_request_materials
-    return RekorV2Client._build_hashed_rekord_create_entry_request(
-        artifact_hashed_input=hashed_input,
-        artifact_signature=signature,
-        signing_certificate=cert,
+    return RekorV2Client._build_hashed_rekord_request(
+        hashed_input=hashed_input,
+        signature=signature,
+        certificate=cert,
     )
 
 
-@pytest.fixture()
+@pytest.fixture(scope="session")
 def sample_dsse_create_entry_request(
     sample_dsse_request_materials,
 ) -> v2.CreateEntryRequest:
     """
     Returns a sample `CreateEntryRequest` for for dsse.
     """
     envelope, cert = sample_dsse_request_materials
-    return RekorV2Client._build_dsse_create_entry_request(
-        envelope=envelope, signing_certificate=cert
-    )
-
-
-@pytest.fixture(
-    params=[
-        sample_hashed_rekord_create_entry_request,
-        sample_dsse_create_entry_request,
-    ]
-)
-def sample_create_entry_request(request) -> v2.CreateEntryRequest:
-    """
-    Returns a sample `CreateEntryRequest`, for each of the the params in the supplied fixture.
-    """
-    return request.getfixturevalue(request.param.__name__)
+    return RekorV2Client._build_dsse_request(envelope=envelope, certificate=cert)
 
 
 @pytest.mark.ambient_oidc
@@ -159,10 +158,10 @@ def test_build_hashed_rekord_create_entry_request(
             ),
         )
     )
-    actual_request = RekorV2Client._build_hashed_rekord_create_entry_request(
-        artifact_hashed_input=hashed_input,
-        artifact_signature=signature,
-        signing_certificate=cert,
+    actual_request = RekorV2Client._build_hashed_rekord_request(
+        hashed_input=hashed_input,
+        signature=signature,
+        certificate=cert,
     )
     assert expected_request == actual_request
 
@@ -196,18 +195,30 @@ def test_build_dsse_create_entry_request(sample_dsse_request_materials):
             ],
         )
     )
-    actual_request = RekorV2Client._build_dsse_create_entry_request(
-        envelope=envelope, signing_certificate=cert
+    actual_request = RekorV2Client._build_dsse_request(
+        envelope=envelope, certificate=cert
     )
     assert expected_request == actual_request
 
 
+@pytest.mark.parametrize(
+    "sample_create_entry_request",
+    [
+        sample_hashed_rekord_create_entry_request.__name__,
+        sample_dsse_create_entry_request.__name__,
+    ],
+)
 @pytest.mark.ambient_oidc
-def test_create_entry(sample_create_entry_request, client):
+def test_create_entry(
+    request: pytest.FixtureRequest,
+    sample_create_entry_request: str,
+    client: RekorV2Client,
+):
     """
     Sends a request to RekorV2 and ensure's the response is parseable to a `LogEntry` and a `TransparencyLogEntry`.
     """
-    log_entry = client.create_entry(sample_create_entry_request)
+    log_entry = client.create_entry(
+        request.getfixturevalue(sample_create_entry_request)
+    )
     assert isinstance(log_entry, LogEntry)
-    # TODO: Pending https://github.com/sigstore/sigstore-python/pull/1370
-    # assert isinstance(log_entry._to_rekor(), rekor_v1.TransparencyLogEntry)
+    assert isinstance(log_entry._to_rekor(), rekor_v1.TransparencyLogEntry)