Implement remote signing providers with rotation telemetry #61
DevOpsMadDog wants to merge 2 commits into
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
| def sign(self, payload: bytes) -> bytes: | ||
| response = self._crypto_client.sign(payload) # type: ignore[call-arg] | ||
| signature = _extract_signature(response) | ||
| if signature is None: | ||
| raise RuntimeError("Azure Key Vault did not return a signature") |
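Review bot: `self._crypto_client.sign(payload)` hands the raw payload as the only argument, and the `# type: ignore[call-arg]` on that same line silences exactly the type-checker error that would have flagged the missing argument; remove the ignore and pass both the algorithm and a pre-computed digest (e.g. `self._crypto_client.sign(SignatureAlgorithm.rs256, hashlib.sha256(payload).digest())`) so the call matches the client's signature. The `signature is None` guard after `_extract_signature` is the right defensive check, but it is unreachable until the call itself is fixed.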
Use CryptographyClient.sign without required algorithm
The Azure Key Vault provider’s sign implementation calls self._crypto_client.sign(payload) without supplying a SignatureAlgorithm or digest. The Azure SDK requires two arguments (algorithm and the hashed payload) and will raise TypeError: sign() missing required positional argument as soon as an Azure-backed provider is exercised. This effectively makes the Azure signing backend unusable in production.
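The review above describes the argument shape `CryptographyClient.sign` expects. The block below is an added example, not code from this PR or from the Azure SDK: it pre-hashes the payload with the digest the algorithm implies and calls `sign(algorithm, digest)`, next to a `buggy_sign` that reproduces the PR's one-argument call. `FakeCryptographyClient` is a constructed stand-in with the real client's method signature (it HMACs the digest with a fixed key and is not a real Key Vault signature); passing the algorithm as a plain string instead of `SignatureAlgorithm.<alg>` is an assumption made so the block runs without the SDK installed.

```python
import hashlib
import hmac
from typing import Any, List, Optional, Protocol, Tuple


# Digest that Key Vault expects for each signature algorithm. The service signs a
# pre-computed hash, so the caller hashes the payload with the matching function.
_DIGEST_FOR_ALGORITHM = {
    "RS256": "sha256", "RS384": "sha384", "RS512": "sha512",
    "PS256": "sha256", "PS384": "sha384", "PS512": "sha512",
    "ES256": "sha256", "ES384": "sha384", "ES512": "sha512",
}


class SignResultLike(Protocol):
    signature: bytes


class CryptoClientLike(Protocol):
    # Same shape as azure.keyvault.keys.crypto.CryptographyClient.sign(algorithm, digest)
    def sign(self, algorithm: Any, digest: bytes) -> SignResultLike: ...


def buggy_sign(client: CryptoClientLike, payload: bytes) -> bytes:
    """The PR's shape: raw payload, no algorithm. Raises TypeError against any
    client whose sign() takes (algorithm, digest)."""
    return client.sign(payload).signature  # type: ignore[call-arg]


def sign_with_key_vault(client: CryptoClientLike, payload: bytes,
                        algorithm: str = "RS256") -> bytes:
    """Hash the payload as the algorithm requires, then have Key Vault sign the digest."""
    hash_name = _DIGEST_FOR_ALGORITHM.get(algorithm)
    if hash_name is None:
        raise ValueError(f"unsupported signature algorithm: {algorithm}")
    digest = hashlib.new(hash_name, payload).digest()
    # Production code should pass SignatureAlgorithm.<alg> from
    # azure.keyvault.keys.crypto; the plain string is an assumption so this
    # block runs without the SDK.
    result = client.sign(algorithm, digest)
    signature: Optional[bytes] = getattr(result, "signature", None)
    if not signature:
        raise RuntimeError("Azure Key Vault did not return a signature")
    return signature


def digest_length(algorithm: str) -> int:
    """Byte length of the digest the client is handed for this algorithm."""
    return hashlib.new(_DIGEST_FOR_ALGORITHM[algorithm]).digest_size


class _FakeSignResult:
    def __init__(self, signature: bytes) -> None:
        self.signature = signature


class FakeCryptographyClient:
    """Constructed stand-in for the Azure client: same sign(algorithm, digest)
    signature, but it only HMACs the digest with a fixed key. Not a real signature."""

    def __init__(self, key: bytes = b"constructed-test-key") -> None:
        self._key = key
        self.calls: List[Tuple[Any, bytes]] = []

    def sign(self, algorithm: Any, digest: bytes) -> _FakeSignResult:
        self.calls.append((algorithm, digest))
        return _FakeSignResult(hmac.new(self._key, digest, "sha256").digest())


if __name__ == "__main__":
    client = FakeCryptographyClient()
    sig = sign_with_key_vault(client, b"constructed payload", "ES384")
    print(sig.hex(), client.calls[0][0], len(client.calls[0][1]))
```

Keeping the algorithm-to-digest table next to the call matters because Key Vault verifies nothing about the digest's provenance: signing a SHA-256 digest under `ES384` produces a signature that verifiers will reject, so the mismatch surfaces only at verification time.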
| if not cve_ids: | ||
| return {} | ||
|
|
||
| now = _normalize_datetime(datetime.now(timezone.utc)) | ||
|
|
||
| stmt = ( | ||
| select(KevWaiverModel) | ||
| .where( | ||
| KevWaiverModel.cve_id.in_(list(cve_ids)), | ||
| KevWaiverModel.is_active.is_(True), | ||
| KevWaiverModel.expires_at >= now, | ||
| ) | ||
| ) |
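Review bot: `KevWaiverModel.expires_at >= now` silently excludes waivers whose `expires_at` is NULL; if open-ended waivers are allowed the filter should be `or_(KevWaiverModel.expires_at.is_(None), KevWaiverModel.expires_at >= now)`, and if they are not, the column should be non-nullable so the query's intent is explicit. Separately, `now` goes through `_normalize_datetime` before being compared against the column; that helper must return an aware UTC value for the comparison against a timezone-aware column to be valid.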
Persist timezone-naive timestamps into tz-aware waiver columns
Policy endpoints normalise all datetimes via _normalize_datetime, which strips the timezone info (datetime.now(timezone.utc) → naive) before comparing or persisting to the KEV waiver model. However, the waiver ORM columns are declared as DateTime(timezone=True) in KevFindingWaiver, so passing naive values will trigger SQLAlchemy’s "naive datetime is disallowed when time zone support is active" errors on Postgres and block waiver creation or querying. Keep timestamps timezone-aware when interacting with these columns.
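The review above asks for timestamps to stay timezone-aware on the way into and out of the waiver columns. The block below is an added example, not code from this PR: `normalize_utc` keeps the tzinfo (converting any aware input to UTC) instead of stripping it, `waiver_is_active` mirrors the query's filter for a single row, and `naive_compare_fails` shows the Python-side symptom of mixing naive and aware values. Treating naive input as UTC, and treating a NULL `expires_at` as an open-ended waiver, are both assumptions made for the example.

```python
from datetime import datetime, timedelta, timezone
from typing import Optional


def normalize_utc(value: datetime) -> datetime:
    """Return an aware datetime in UTC.

    Naive input is assumed to already be UTC (assumption for this example);
    aware input in any zone is converted. The tzinfo is never dropped, so the
    value is safe to persist into a DateTime(timezone=True) column.
    """
    if value.tzinfo is None or value.utcoffset() is None:
        return value.replace(tzinfo=timezone.utc)
    return value.astimezone(timezone.utc)


def waiver_is_active(is_active: bool, expires_at: Optional[datetime],
                     now: Optional[datetime] = None) -> bool:
    """Row-level mirror of the query's filter.

    A NULL expires_at is treated as an open-ended waiver (assumption; the PR's
    `expires_at >= now` filter would drop such rows instead).
    """
    current = normalize_utc(now if now is not None else datetime.now(timezone.utc))
    if not is_active:
        return False
    if expires_at is None:
        return True
    return normalize_utc(expires_at) >= current


def naive_compare_fails(aware: datetime, naive: datetime) -> bool:
    """True when Python refuses to order an aware and a naive datetime.

    This is the in-process analogue of the database rejecting a naive value
    against a timezone-aware column: the mix is an error, not a silent coercion.
    """
    try:
        _ = aware >= naive
    except TypeError:
        return True
    return False


if __name__ == "__main__":
    fixed_now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed clock
    print(normalize_utc(datetime(2024, 6, 1, 12, 0, tzinfo=timezone(timedelta(hours=2)))))
    print(waiver_is_active(True, datetime(2024, 6, 2), fixed_now))
    print(naive_compare_fails(fixed_now, datetime(2024, 6, 1)))
```

Passing `now` explicitly rather than reading the clock inside the comparison also makes the expiry boundary testable with a fixed timestamp, which the query in the PR cannot do because it calls `datetime.now` inline.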
Closing as part of PR consolidation. Useful changes have been cherry-picked into PR #240.
…4 at HEAD e9014b0 Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
Summary
Testing
https://chatgpt.com/codex/tasks/task_e_68e4ee4183748329b8d6bba14a4ab0c4