refactor: move async runtime and signatures fetcher to oci client [NR-520796] #2218
sigilioso merged 3 commits into freeze-develop from
Conversation
| } | ||
| impl Client { | ||
| /// Helper to build the [PublicKeyFetcher] corresponding to the client. | ||
| pub(super) fn try_build_public_key_fetcher( |
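Review bot: the doc comment on try_build_public_key_fetcher says what it builds but not when it fails; since the name carries a try_ prefix, state the failure conditions so callers of Client know which construction errors to handle. As the comment below points out, the config verifier builds its own fetcher as well, so a caller wiring both ends up with two instances unless one is built outside and injected; worth a sentence in the doc until that refactor lands.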
We are also building a fetcher for the config verifier that checks signatures:
We could consider building it outside and injecting it in both (it could even be a shared reference), but I'd leave that refactor out of the scope of this PR.
63710a6 to 9c4ed9f
vjripoll left a comment
I think apart from this doubt everything is OK for me :)
Maybe here we can check if the reference.digest() is already there and avoid one request?
I think it makes sense! We missed that in the previous PR, right?
agent-control/src/oci.rs (Outdated)
Binding to this expression seems to work without relying on an "uninitialized" separate_signer:
```rust
let separate_signer;
let kp_signer = match signer_position {
    Some(pos) => &jwks_key_pairs[pos],
    None => {
        separate_signer = TestKeyPair::new(num_jwks_keys + 1);
        &separate_signer
    }
};
```

Suggested change:

```rust
let kp_signer = match signer_position {
    Some(pos) => &jwks_key_pairs[pos],
    None => &TestKeyPair::new(num_jwks_keys + 1),
};
```
| pub async fn pull_blob<T: AsyncWrite>( | ||
| /// Pulls the specified blob through [oci_client::Client::pull_blob] and stores it in the specified file path. | ||
| pub fn pull_blob_to_file( |
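Review bot: the doc comment on pull_blob_to_file should state what happens when the target path already exists (truncated, overwritten, or an error) and that the file's data is synced before the call returns. With file creation moved inside the client, callers can no longer control either, so the contract belongs in the doc rather than in the summary.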
Thanks for the naming and type improvements! impl AsRef<Path> 💯
| /// Obtains public keys from the provided `public_key_url` and performs signature verification of the provided | ||
| /// `reference`. If verification succeeds, it returns the `reference` (identified by digest) that has been | ||
| /// verified. | ||
| pub fn verify_signature( |
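Review bot: the doc comment on verify_signature says the returned reference is identified by digest; make explicit that callers must pull using that returned reference rather than the tag-based one they passed in, since a tag can be re-pointed between verification and download, which is the reason the method hands the verified reference back. It should also say what happens when the input reference already carries a digest (whether the tag resolution is skipped, as suggested in the comment above).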
Summary

- Move the async runtime from `OCIArtifactDownloader` into `oci::Client`, making `Client` a synchronous-facing wrapper that internally `block_on`s all async OCI operations. This removes the need for callers to manage and pass the runtime separately.
- Move `PublicKeyFetcher` into `oci::Client` so that signature verification (`verify_signature`) fetches public keys from a JWKS URL directly, replacing the previous API that required callers to supply pre-fetched `PublicKey` slices.
- Replace `pull_blob` with `pull_blob_to_file`, encapsulating file creation and `sync_data` inside the client instead of requiring callers to manage `AsyncWrite` streams.

Notes for reviewers and next steps

- `verify_signature` method in the downloader (this will come in a follow-up PR also including the changes in feat(test): add signatures to oci integration tests [NR-520796] #2212).
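The shape described in the summary (a synchronous-facing client that `block_on`s its async registry calls, verifies a signature with keys from a fetcher and returns a digest-identified reference, then pulls a blob to a file and `sync_data`s it) and the reviewer's suggestion to skip the tag resolution when `reference.digest()` is already present, as an added example that is not the project's code. `Reference`, `MockRegistry`, `stub_verify`, `sample_client` and the std-only `block_on` are assumptions made for the example: the registry is an in-memory stand-in for `oci_client::Client`, the key list stands in for what `PublicKeyFetcher` would return from the JWKS URL, and `stub_verify` is a placeholder for real signature verification, not cryptography.

```rust
use std::{collections::HashMap, fs::File, future::Future, io::Write, path::Path, pin::pin};
use std::sync::{atomic::{AtomicUsize, Ordering}, Arc};
use std::task::{Context, Poll, Wake, Waker};
use std::thread::{self, Thread};

/// Assumed reference shape (not oci_client's): a tag, a digest, or both.
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Reference { pub repository: String, pub tag: Option<String>, pub digest: Option<String> }

#[derive(Debug, PartialEq, Eq)]
pub enum OciError { NotFound(String), Unsigned(String), BadSignature(String), Io(String) }

/// Constructed in-memory registry; every call counts as one network request so the
/// saving from skipping the tag resolve is measurable.
pub struct MockRegistry {
    pub tags: HashMap<String, String>,        // "repo:tag" -> digest
    pub signatures: HashMap<String, Vec<u8>>, // digest -> signature bytes
    pub blobs: HashMap<String, Vec<u8>>,      // digest -> blob content
    pub requests: AtomicUsize,
}

impl MockRegistry {
    pub async fn resolve_tag(&self, repo: &str, tag: &str) -> Result<String, OciError> {
        self.requests.fetch_add(1, Ordering::SeqCst);
        self.tags.get(&format!("{repo}:{tag}")).cloned().ok_or_else(|| OciError::NotFound(format!("{repo}:{tag}")))
    }
    pub async fn fetch_signature(&self, digest: &str) -> Option<Vec<u8>> {
        self.requests.fetch_add(1, Ordering::SeqCst);
        self.signatures.get(digest).cloned()
    }
    pub async fn pull_blob(&self, digest: &str) -> Result<Vec<u8>, OciError> {
        self.requests.fetch_add(1, Ordering::SeqCst);
        self.blobs.get(digest).cloned().ok_or_else(|| OciError::NotFound(digest.to_string()))
    }
}

/// Stand-in for real (sigstore-style) verification, NOT cryptography: a signature is
/// accepted when it equals "<digest>|<key>" for one of the fetched keys.
fn stub_verify(digest: &str, signature: &[u8], keys: &[String]) -> bool {
    keys.iter().any(|k| signature == format!("{digest}|{k}").as_bytes())
}

/// Synchronous-facing client; `jwks_keys` stands in for what a PublicKeyFetcher returns.
pub struct Client { pub registry: MockRegistry, pub jwks_keys: Vec<String> }

impl Client {
    /// Minimal std-only executor standing in for a tokio runtime's block_on.
    fn block_on<F: Future>(fut: F) -> F::Output {
        struct Unpark(Thread);
        impl Wake for Unpark { fn wake(self: Arc<Self>) { self.0.unpark() } }
        let waker = Waker::from(Arc::new(Unpark(thread::current())));
        let mut cx = Context::from_waker(&waker);
        let mut fut = pin!(fut);
        loop {
            match fut.as_mut().poll(&mut cx) {
                Poll::Ready(out) => return out,
                Poll::Pending => thread::park(),
            }
        }
    }

    /// A digest-carrying reference needs no round trip; only a bare tag is resolved.
    async fn resolve_digest(&self, r: &Reference) -> Result<String, OciError> {
        if let Some(digest) = &r.digest { return Ok(digest.clone()); }
        let tag = r.tag.as_deref().ok_or_else(|| OciError::NotFound(r.repository.clone()))?;
        self.registry.resolve_tag(&r.repository, tag).await
    }

    /// Verifies the signature over the resolved digest and returns a reference identified
    /// by that digest only, so the later pull cannot follow a tag re-pointed meanwhile.
    pub fn verify_signature(&self, r: &Reference) -> Result<Reference, OciError> {
        Self::block_on(async {
            let digest = self.resolve_digest(r).await?;
            let sig = self.registry.fetch_signature(&digest).await.ok_or_else(|| OciError::Unsigned(digest.clone()))?;
            if !stub_verify(&digest, &sig, &self.jwks_keys) { return Err(OciError::BadSignature(digest)); }
            Ok(Reference { repository: r.repository.clone(), tag: None, digest: Some(digest) })
        })
    }

    /// Pulls by digest only, creates the file and syncs its data before returning.
    pub fn pull_blob_to_file(&self, r: &Reference, path: impl AsRef<Path>) -> Result<usize, OciError> {
        let digest = r.digest.as_deref().ok_or_else(|| OciError::NotFound("reference has no digest".into()))?;
        let bytes = Self::block_on(self.registry.pull_blob(digest))?;
        let io = |e: std::io::Error| OciError::Io(e.to_string());
        let mut file = File::create(path).map_err(io)?;
        file.write_all(&bytes).map_err(io)?;
        file.sync_data().map_err(io)?;
        Ok(bytes.len())
    }
}

/// Constructed sample: one artifact tagged v1, signed under key "k1" from a two-key JWKS.
pub fn sample_client() -> Client {
    let digest = "sha256:aaaa".to_string();
    let registry = MockRegistry {
        tags: HashMap::from([("org/agent:v1".to_string(), digest.clone())]),
        signatures: HashMap::from([(digest.clone(), format!("{digest}|k1").into_bytes())]),
        blobs: HashMap::from([(digest, b"agent config".to_vec())]),
        requests: AtomicUsize::new(0),
    };
    Client { registry, jwks_keys: vec!["k0".into(), "k1".into()] }
}
```

Verifying a tag costs two registry requests (resolve, then signature fetch); feeding the returned digest-identified reference back in costs one, which is the saving the review comment asks for. `pull_blob_to_file` refuses a reference without a digest, so a caller cannot skip verification and pull a tag directly through this path.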