[DRAFT] Add RekorV2Client

[ramonpetgrave64]

Client support for Rekor V2: sigstore-python #289

Summary

Adds a new RekorV2Client class, for use as a library, not yet within the CLI.

With the same pending TODOs in #1387

• We are embedding the auto-generated types until we can find a home for them

Testing

• Unit tests that call live instances of RekorV2, only "alpha" for now
• Lints are not yet expected to pass, mainly due to type hints on the copy-pasted auto-generated types.

TODOS

• add more client methods: get_tile, get_entry_bundle, get_checkpoint.
• enable testing against more instances: staging, prod, local
• add extra assert in test after improve KindVersion compatibility #1370
• use these types in sigstore/protobuf-specs when ready (hopefully this week of May 19, 2025)
• remove workaround where the ...V_0_0_2 is changed to ...V002
• prefer sending the certificate, rather than the public key to Rekor

Release Note

• Added a RekorV2Client for posting new entries to a Rekor V2 instance.

Documentation

TODO

[jku]

I'll look at cleaning up some tests next:

• all of the added tests currently end up getting skipped or xfailed on CI
• some of them are essentially parsing tests and should likely never be skipped: there is no need for the signing cert and private key here to be from a real environment
• the actual staging test should likely be gated behind staging marker
• I don't think testing rekorv1 (staging, prod) urls as expected failures is useful
• similarly, adding local test servers URLs xfailing because we don't have local test servers in the suite is probably not useful

In fact I don't think we need to test with multiple instances at all in the RekorClient test -- we will have integration tests later for the whole client

[jku]

Note to self:

• I think nothing in either Client really needs the "rekor types" that the _build_* methods return: create_entry() uses them but only to generate the json payload
• so it looks like the _build_*() methods could just return the relevant json payload
• this would allow making the create_entry method signatures actually same and not just pretend they are similar

I'll look into this later this week.

EDIT: I have done this change: the log submitter abstraction is now less leaky

[jku]

todo for this pr:

• sort out the protobuf situation (Client generation and mirroring in protobuf-specs rekor-tiles#338): preferably get the proto code generated in protobuf-specs, release that. Alternatively update and polish the generated code here -- this would be a temporary thing
• testing (I'm looking at this next):
  • I think the current tests for the _build_*() methods are not amazing: they are complicated and basically only repeat the content of the methods in the test and I think rely on an external service (OIDC + fulcio) for no reason: the value is questionable... I think I will remove them for now.
  • The create_entry() test seems more usable --- but even that depends on both OIDC and fulcio so is essentially an integration test pretending to be a unit test
  • the support for multiple environments in the tests is probably overkill -- unit tests should just verify the code works

[jku]

this does not really do what the rekor docs say... Session timeout is the maximum allowed time between any two bytes the server sends as response. So the effective total timeout could still be effectively infinite.

I don't think the setting here is harmful but it strongly suggests that we're enforcing the rekor documented overall timeout when we're really not... We could either not have a timeout (we don't in other places) or mention in a comment that this is not the same thing as the rekor 20 sec recommendation

[jku]

I've replaced the tests with two very simple staging tests -- they're definitely not unit tests but essentially integration tests (with a small hack since the integration does not exist yet) that prove the client is at some level operational.

I think I'll move this branch to origin -- that should make the staging tests run (since the GH token should be available)...

[jku]

closing for #1422 (the branch is the same, but now in origin so staging tests run on CI)