independent RekorV2Client

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

Author: ramonpetgrave64

sigstore/_internal/rekor/client.py

@@ -26,6 +26,7 @@
 
 import rekor_types
 import requests
+from sigstore_protobuf_specs.dev.sigstore.rekor import v1 as rekor_v1
 
 from sigstore._internal import USER_AGENT
 from sigstore._internal.rekor_tiles.dev.sigstore.rekor import v2
@@ -148,25 +149,12 @@ def get(
         return LogEntry._from_response(resp.json())
 
     def post(
-        self,
-        proposed_entry: rekor_types.Hashedrekord
-        | rekor_types.Dsse
-        | v2.CreateEntryRequest,
+        self, proposed_entry: rekor_types.Hashedrekord | rekor_types.Dsse
     ) -> LogEntry:
         """
         Submit a new entry for inclusion in the Rekor log.
         """
-        # There may be a bug in betterproto, where the V_0_0_2 is changed to V002.
-        if isinstance(proposed_entry, v2.CreateEntryRequest):
-            payload = proposed_entry.to_dict()
-            if "hashedRekordRequestV002" in payload:
-                payload["hashedRekordRequestV0_0_2"] = payload.pop(
-                    "hashedRekordRequestV002"
-                )
-            if "dsseRequestV002" in payload:
-                payload["dsseRequestV0_0_2"] = payload.pop("dsseRequestV002")
-        else:
-            payload = proposed_entry.model_dump(mode="json", by_alias=True)
+        payload = proposed_entry.model_dump(mode="json", by_alias=True)
         _logger.debug(f"proposed: {json.dumps(payload)}")
         resp: requests.Response = self.session.post(self.url, json=payload)
         try:
@@ -176,10 +164,7 @@ def post(
 
         integrated_entry = resp.json()
         _logger.debug(f"integrated: {integrated_entry}")
-        if isinstance(proposed_entry, v2.CreateEntryRequest):
-            return LogEntry._from_dict_rekor(integrated_entry)
-        else:
-            return LogEntry._from_response(integrated_entry)
+        return LogEntry._from_response(integrated_entry)
 
     @property
     def retrieve(self) -> RekorEntriesRetrieve:
@@ -236,14 +221,11 @@ def post(
 class RekorClient:
     """The internal Rekor client"""
 
-    def __init__(
-        self, url: str, major_api_version: int = REKOR_V1_API_MAJOR_VERSION
-    ) -> None:
+    def __init__(self, url: str) -> None:
         """
         Create a new `RekorClient` from the given URL.
         """
-        self.url = f"{url}/api/v{major_api_version}"
-        self.major_api_version = major_api_version
+        self.url = f"{url}/api/v1"
         self.session = requests.Session()
         self.session.headers.update(
             {
@@ -281,3 +263,71 @@ def log(self) -> RekorLog:
         Returns a `RekorLog` adapter for making requests to a Rekor log.
         """
         return RekorLog(f"{self.url}/log", session=self.session)
+
+
+class RekorV2Client:
+    """The internal Rekor client for the v2 API"""
+
+    # TODO: implement get_tile, get_entry_bundle, get_checkpoint.
+
+    def __init__(self, base_url: str) -> None:
+        """
+        Create a new `RekorV2Client` from the given URL.
+        """
+        self.url = f"{base_url}/api/v2"
+        self.session = requests.Session()
+        self.session.headers.update(
+            {
+                "Content-Type": "application/json",
+                "Accept": "application/json",
+                "User-Agent": USER_AGENT,
+            }
+        )
+
+    def __del__(self) -> None:
+        """
+        Terminates the underlying network session.
+        """
+        self.session.close()
+
+    def create_entry(
+        self, request: v2.CreateEntryRequest
+    ) -> rekor_v1.TransparencyLogEntry:
+        """
+        Submit a new entry for inclusion in the Rekor log.
+        """
+        # There may be a bug in betterproto, where the V_0_0_2 is changed to V002.
+        payload = request.to_dict()
+        if "hashedRekordRequestV002" in payload:
+            payload["hashedRekordRequestV0_0_2"] = payload.pop(
+                "hashedRekordRequestV002"
+            )
+        if "dsseRequestV002" in payload:
+            payload["dsseRequestV0_0_2"] = payload.pop("dsseRequestV002")
+        _logger.debug(f"request: {json.dumps(payload)}")
+        resp = self.session.post(f"{self.url}/log/entries", json=payload)
+
+        try:
+            resp.raise_for_status()
+        except requests.HTTPError as http_error:
+            raise RekorClientError(http_error)
+
+        integrated_entry = resp.json()
+        _logger.debug(f"integrated: {integrated_entry}")
+        return LogEntry._from_dict_rekor(integrated_entry)
+
+    @classmethod
+    def production(cls) -> RekorClient:
+        """
+        Returns a `RekorClient` populated with the default Rekor production instance.
+        """
+        return cls(
+            DEFAULT_REKOR_URL,
+        )
+
+    @classmethod
+    def staging(cls) -> RekorClient:
+        """
+        Returns a `RekorClient` populated with the default Rekor staging instance.
+        """
+        return cls(STAGING_REKOR_URL)

sigstore/sign.py

@@ -64,6 +64,7 @@
 from sigstore._internal.rekor.client import (
     REKOR_V1_API_MAJOR_VERSION,
     RekorClient,
+    RekorV2Client,
 )
 from sigstore._internal.rekor_tiles.dev.sigstore.common import v1
 from sigstore._internal.rekor_tiles.dev.sigstore.rekor import v2
@@ -195,13 +196,19 @@ def _finalize_sign(
         self,
         cert: x509.Certificate,
         content: MessageSignature | dsse.Envelope,
-        proposed_entry: rekor_types.Hashedrekord | rekor_types.Dsse,
+        proposed_entry: rekor_types.Hashedrekord
+        | rekor_types.Dsse
+        | v2.CreateEntryRequest,
     ) -> Bundle:
         """
         Perform the common "finalizing" steps in a Sigstore signing flow.
         """
         # Submit the proposed entry to the transparency log
-        entry = self._signing_ctx._rekor.log.entries.post(proposed_entry)
+        client = self._signing_ctx._rekor
+        if isinstance(client, RekorV2Client):
+            entry = client.create_entry(proposed_entry)
+        else:
+            entry = self._signing_ctx._rekor.log.entries.post(proposed_entry)
 
         _logger.debug(f"Transparency log entry created with index: {entry.log_index}")
 
@@ -311,24 +318,7 @@ def sign_artifact(
         )
 
         # Create the proposed hashedrekord entry
-        if self._signing_ctx._rekor.major_api_version == REKOR_V1_API_MAJOR_VERSION:
-            proposed_entry = rekor_types.Hashedrekord(
-                spec=rekor_types.hashedrekord.HashedrekordV001Schema(
-                    signature=rekor_types.hashedrekord.Signature(
-                        content=base64.b64encode(artifact_signature).decode(),
-                        public_key=rekor_types.hashedrekord.PublicKey(
-                            content=b64_cert.decode()
-                        ),
-                    ),
-                    data=rekor_types.hashedrekord.Data(
-                        hash=rekor_types.hashedrekord.Hash(
-                            algorithm=hashed_input._as_hashedrekord_algorithm(),
-                            value=hashed_input.digest.hex(),
-                        )
-                    ),
-                ),
-            )
-        else:
+        if isinstance(self._signing_ctx._rekor, RekorV2Client):
             proposed_entry = v2.CreateEntryRequest(
                 hashed_rekord_request_v0_0_2=v2.HashedRekordRequestV002(
                     digest=hashed_input.digest,
@@ -346,7 +336,23 @@ def sign_artifact(
                     ),
                 )
             )
-
+        else:
+            proposed_entry = rekor_types.Hashedrekord(
+                spec=rekor_types.hashedrekord.HashedrekordV001Schema(
+                    signature=rekor_types.hashedrekord.Signature(
+                        content=base64.b64encode(artifact_signature).decode(),
+                        public_key=rekor_types.hashedrekord.PublicKey(
+                            content=b64_cert.decode()
+                        ),
+                    ),
+                    data=rekor_types.hashedrekord.Data(
+                        hash=rekor_types.hashedrekord.Hash(
+                            algorithm=hashed_input._as_hashedrekord_algorithm(),
+                            value=hashed_input.digest.hex(),
+                        )
+                    ),
+                ),
+            )
         return self._finalize_sign(cert, content, proposed_entry)
 
 
@@ -359,7 +365,7 @@ def __init__(
         self,
         *,
         fulcio: FulcioClient,
-        rekor: RekorClient,
+        rekor: RekorClient | RekorV2Client,
         trusted_root: TrustedRoot,
         tsa_clients: list[TimestampAuthorityClient] | None = None,
     ):
@@ -407,12 +413,18 @@ def _from_trust_config(cls, trust_config: ClientTrustConfig) -> SigningContext:
         @api private
         """
         signing_config = trust_config.signing_config
+        if (
+            signing_config._inner.rekor_tlog_urls[0].major_api_version
+            == REKOR_V1_API_MAJOR_VERSION
+        ):
+            rekor_client = RekorClient(
+                signing_config.get_tlog_urls()[0],
+            )
+        else:
+            rekor_client = RekorV2Client(signing_config.get_tlog_urls()[0])
         return cls(
             fulcio=FulcioClient(signing_config.get_fulcio_url()),
-            rekor=RekorClient(
-                signing_config.get_tlog_urls()[0],
-                signing_config._inner.rekor_tlog_urls[0].major_api_version,
-            ),
+            rekor=rekor_client,
             trusted_root=trust_config.trusted_root,
             tsa_clients=[
                 TimestampAuthorityClient(url) for url in signing_config.get_tsa_urls()