Fix instantiation in _to_rekor() for optional inclusion promise (#1382)

* betterproto: avoid assigning a var of type Optional[InclusionPromise] to TransparencyLogEntry.inclusion_promise

```
  File "/usr/local/google/home/rpetgrave/src/ssp/sigstore-python/sigstore/models.py", line 262, in _to_rekor
    tlog_entry = rekor_v1.TransparencyLogEntry(
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/google/home/rpetgrave/src/ssp/.venv/lib/python3.12/site-packages/pydantic/_internal/_dataclasses.py", line 120, in __init__
    s.__pydantic_validator__.validate_python(ArgsKwargs(args, kwargs), self_instance=s)
pydantic_core._pydantic_core.ValidationError: 1 validation error for TransparencyLogEntry
inclusion_promise
  Input should be a dictionary or an instance of InclusionPromise [type=dataclass_type, input_value=None, input_type=NoneType]
```

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* add test

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* Revert "betterproto: avoid assigning a var of type Optional[InclusionPromise] to TransparencyLogEntry.inclusion_promise"

This reverts commit 46b0087.

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* cleanup

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* Reapply "betterproto: avoid assigning a var of type Optional[InclusionPromise] to TransparencyLogEntry.inclusion_promise"

This reverts commit 43dc468.

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* cleanup

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* format

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* also delete integrated_time

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* lint

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>

* remove mention of pydantic in changelog

Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>

---------

Signed-off-by: Ramon Petgrave <ramon.petgrave64@gmail.com>
Signed-off-by: Ramon Petgrave <32398091+ramonpetgrave64@users.noreply.github.com>
Co-authored-by: Jussi Kukkonen <jkukkonen@google.com>

Author: ramonpetgrave64

CHANGELOG.md

@@ -15,6 +15,8 @@ All versions prior to 0.9.0 are untracked.
 
 ### Fixed
 
+* Avoid instantiation issues with `TransparencyLogEntry` when `InclusionPromise` is not present.
+
 * TSA: Changed the Timestamp Authority requests to explicitly use sha256 for message digests.
   [#1373](https://github.com/sigstore/sigstore-python/pull/1373)
 

sigstore/models.py

@@ -219,18 +219,22 @@ def _from_dict_rekor(cls, dict_: dict[str, Any]) -> LogEntry:
             tree_size=inclusion_proof.tree_size,
         )
 
+        inclusion_promise: Optional[B64Str] = None
+        if tlog_entry.inclusion_promise:
+            inclusion_promise = B64Str(
+                base64.b64encode(
+                    tlog_entry.inclusion_promise.signed_entry_timestamp
+                ).decode()
+            )
+
         return LogEntry(
             uuid=None,
             body=B64Str(base64.b64encode(tlog_entry.canonicalized_body).decode()),
             integrated_time=tlog_entry.integrated_time,
             log_id=tlog_entry.log_id.key_id.hex(),
             log_index=tlog_entry.log_index,
             inclusion_proof=parsed_inclusion_proof,
-            inclusion_promise=B64Str(
-                base64.b64encode(
-                    tlog_entry.inclusion_promise.signed_entry_timestamp
-                ).decode()
-            ),
+            inclusion_promise=inclusion_promise,
         )
 
     def _to_rekor(self) -> rekor_v1.TransparencyLogEntry:
@@ -239,12 +243,6 @@ def _to_rekor(self) -> rekor_v1.TransparencyLogEntry:
 
         @private
         """
-        inclusion_promise: rekor_v1.InclusionPromise | None = None
-        if self.inclusion_promise:
-            inclusion_promise = rekor_v1.InclusionPromise(
-                signed_entry_timestamp=base64.b64decode(self.inclusion_promise)
-            )
-
         inclusion_proof = rekor_v1.InclusionProof(
             log_index=self.inclusion_proof.log_index,
             root_hash=bytes.fromhex(self.inclusion_proof.root_hash),
@@ -257,10 +255,14 @@ def _to_rekor(self) -> rekor_v1.TransparencyLogEntry:
             log_index=self.log_index,
             log_id=common_v1.LogId(key_id=bytes.fromhex(self.log_id)),
             integrated_time=self.integrated_time,
-            inclusion_promise=inclusion_promise,  # type: ignore[arg-type]
             inclusion_proof=inclusion_proof,
             canonicalized_body=base64.b64decode(self.body),
         )
+        if self.inclusion_promise:
+            inclusion_promise = rekor_v1.InclusionPromise(
+                signed_entry_timestamp=base64.b64decode(self.inclusion_promise)
+            )
+            tlog_entry.inclusion_promise = inclusion_promise
 
         # Fill in the appropriate kind
         body_entry: ProposedEntry = TypeAdapter(ProposedEntry).validate_json(

test/unit/conftest.py

@@ -113,7 +113,7 @@ def _signing_materials(name: str, client: RekorClient) -> tuple[Path, Bundle]:
 
 
 @pytest.fixture
-def signing_bundle(asset):
+def signing_bundle(asset) -> Callable[[str], tuple[Path, Bundle]]:
     def _signing_bundle(name: str) -> tuple[Path, Bundle]:
         file = asset(name)
         bundle_path = asset(f"{name}.sigstore")

test/unit/test_models.py

@@ -43,6 +43,23 @@ def test_missing_inclusion_proof(self, integrated_time: int):
                 inclusion_promise=None,
             )
 
+    def test_missing_inclusion_promise_and_integrated_time_round_trip(
+        self, signing_bundle
+    ):
+        """
+        Ensures that LogEntry._to_rekor() succeeds even without an inclusion_promise and integrated_time.
+        """
+        bundle: Bundle
+        _, bundle = signing_bundle("bundle.txt")
+        _dict = bundle.log_entry._to_rekor().to_dict()
+        print(_dict)
+        del _dict["inclusionPromise"]
+        del _dict["integratedTime"]
+        entry = LogEntry._from_dict_rekor(_dict)
+        assert entry.inclusion_promise is None
+        assert entry._to_rekor() is not None
+        assert LogEntry._from_dict_rekor(entry._to_rekor().to_dict()) == entry
+
     def test_logentry_roundtrip(self, signing_bundle):
         _, bundle = signing_bundle("bundle.txt")