-
Notifications
You must be signed in to change notification settings - Fork 50
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add Azure Signer support #588
Conversation
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Fredrik Skogman <[email protected]>
Signed-off-by: Fredrik Skogman <[email protected]>
Added packages to requirements and a small bug fix
Signed-off-by: Fredrik Skogman <[email protected]>
Added missing imports
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
The CryptographySigner expectes the digest when it performs a signing operation. It's a nicer API to let the AzureSigner calculate the digest.
Signed-off-by: Fredrik Skogman <[email protected]>
Make sure to calculated the digest using the correct hash function.
Signed-off-by: Meredith Lancaster <[email protected]>
…rmat. Signed-off-by: Fredrik Skogman <[email protected]>
Signed-off-by: Fredrik Skogman <[email protected]>
Add import method
Signed-off-by: Meredith Lancaster <[email protected]>
Based on a quick glance, looks nice!
Finally a suggestion/comment, feel free to disregard:
|
Signed-off-by: Meredith Lancaster <[email protected]>
Specifically $ black . $ isort .
These are the trivial looking issues: there are still some left that require actual decisions (both in pylint and mypy)
To allow the _azure_signer module import when azure dependency modules are not installed, use stringized annotations (this allows method definitions to happen without the types existing, while still letting the static type checkers do their work).
Since you're allowing maintainer pushes (thanks!), I'll take the liberty of adding some annotation and lint fixes:
Obviously feel free to remove my commits if you we're already working on this and don't need them |
It's clear now wheter it's a private uri (azurekms) or an azure uri (https) Signed-off-by: Fredrik Skogman <[email protected]>
Cleaned up the usage of uris.
Signed-off-by: Meredith Lancaster <[email protected]>
…lib into add-azure-support
… too Signed-off-by: Fredrik Skogman <[email protected]>
Update the import method to return a key id that contains the version…
looks good! WRT linter failures:
|
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
scratch that comment: these were seemingly all in the code that you managed to remove in the last commits |
Signed-off-by: Meredith Lancaster <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
@jku All of the linting errors should now be fixed. Thanks for your feedback and help with this PR. I did disable pylint for the |
We can take this out of "draft" now @malancas right? |
@kommendorkapten yep, I'll change that now. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Great work, @malancas!
public_key, | ||
) | ||
self.hash_algorithm = self._get_hash_algorithm(public_key) | ||
except UnsupportedKeyType as e: |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Should UnsupportedKeyType be public API? Currently it isn't, so a user can't really handle it. Would a built-in exception type also do the trick?
Also, is it really worth to catch, log and re-raise? Doesn't the original error message, which you control, provide enough info? This pattern seems more useful below, where you contextualise the 3rd-party HttpResponseError, although even there I wonder if the stack trace alone might be enough. 🤷
FYI: we have a discussion ticket about Signer exceptions in #468. Curious about your opinions.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I left a note about this: #588 (comment)
TLDR: I think it's not really public API, it's just part of the larger group of exceptions that we know we may raise that callers are not really meant to handle: GCPSigner handles similar cases by just allowing KeyErrors from dict lookups go through...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Agreed. I was actually trying to challenge the need for a custom exception and the way it is handled internally. But I'm okay with it. The code is still very readable and extra info for the caller is nice.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I think the code looks good. left some notes but nothing that I think requires changes if you'd like to merge as is.
The one thing I'd like to bring up is testing... I know it's tricky to setup a proper test with the KMS service dependency (I talk a bit more about that in a comment) and we can't require a real time testing setup. But right now we as maintainers are in a situation where we can't see
- example code -- how is it supposed to be used
- proof that it actually works anywhere -- logs of a successful signing
Do you have good ideas about this?
Are there public logs of this working?
Should we add testing code (similar to check_kms_signers
) even if it is disabled and only works in your fork?
Signed-off-by: Fredrik Skogman <[email protected]>
I'll work on adding azure support in |
Oh no need for that -- would just be good to know that if someone needs to test this, they mostly just need to setup the KMS (and maybe enable the tests or run another tox env or something simple like that). |
Co-authored-by: Jussi Kukkonen <[email protected]>
Signed-off-by: Meredith Lancaster <[email protected]>
…ify signature creation Signed-off-by: Meredith Lancaster <[email protected]>
Added smoke tests for Azure KMS sign. Signed-off-by: Fredrik Skogman <[email protected]>
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
👍 thanks for the test: it works exactly like I expected but it's good to actually see it.
The requirements-kms.txt
changes are now not needed (since it is used as requirements for tests.check_kms_signers which doesn't currently include azure). I can remove those changes before merging.
requirements-kms.txt lists the requirements to run tests.check_kms_signers (which is run on CI): Azure is not currently part of that test set so the requirements are not needed either.
Great, thank you for the reviews! |
Fixes: #
Description of the changes being introduced by the pull request:
This pull request adds an Azure signer implementation so we can use Azure's KMS offering Key Vault. This signer currently only supports ECDSA keys. RSA key support can be added later in a follow up pull request.
Please verify and check that the pull request fulfils the following requirements: