Add Azure Signer support

[malancas]

Fixes: #

Description of the changes being introduced by the pull request:

This pull request adds an Azure signer implementation so we can use Azure's KMS offering Key Vault. This signer currently only supports ECDSA keys. RSA key support can be added later in a follow up pull request.

Please verify and check that the pull request fulfils the following requirements:

• The code follows the Code Style Guidelines
• Tests have been added for the bug fix or new feature
• Docs have been added for the bug fix or new feature

[jku]

Based on a quick glance, looks nice!
Some early comments:

• tests are failing because the signer modules should be importable even without the optional deps (and cryptography is an optional dep -- you could probably move the import inside the try-except you already have) -- I fixed this one in a later commits
• tox -e lint runs the same lint tests locally as the CI runs. Please use it, ask if the results don't seem to make sense
• I think the import_() should not take the fully built "private key URI" as argument -- that forces the caller to understand and be able to build the URI. Instead it should take the logical arguments that azure vault users will understand and the import method should build the URI

Finally a suggestion/comment, feel free to disregard:

• from experience with GCP, I would suggest you might want to use the full azure keyid that contains the vault and key version, if that is easily available to users (because we likely do want a specific key version): https://myvault.vault.azure.net/keys/my-key/my-key-version,
  • this full keyid might work as the import argument
  • you probably won't need to call KeyClient() during __init__() since you can use the full keyid to create CryptographyClient: https://learn.microsoft.com/en-us/python/api/azure-keyvault-keys/azure.keyvault.keys.crypto.cryptographyclient?view=azure-python

[jku]

Since you're allowing maintainer pushes (thanks!), I'll take the liberty of adding some annotation and lint fixes:

• most changes come from running black and isort (like tox -e lint does) but there are some manual lint fixes and some annotation tweaks as well
• I've only touched things that should not affect intended function
• the unrelated tests should pass after this
• there are still linter issues (both pylint and mypy) that require actual changes

Obviously feel free to remove my commits if you we're already working on this and don't need them

[jku]

looks good! WRT linter failures:

• there are some more from pylint and mypy (the tox -e lint run just ends on first error)
• IIRC most of them are about some azure class not having attributes -- totally fine to skip those checks somehow if that seems appropriate

[jku]

IIRC most of them are about some azure class not having attributes

scratch that comment: these were seemingly all in the code that you managed to remove in the last commits

[malancas]

@jku All of the linting errors should now be fixed. Thanks for your feedback and help with this PR. I did disable pylint for the too-many-locals rule that was failing on the import_ class method because I find it clearer to use all of the local variables declared in that method. But let me know otherwise.

[kommendorkapten]

We can take this out of "draft" now @malancas right?

[malancas]

@kommendorkapten yep, I'll change that now.

[lukpueh]

Great work, @malancas!

[lukpueh]

Should UnsupportedKeyType be public API? Currently it isn't, so a user can't really handle it. Would a built-in exception type also do the trick?

Also, is it really worth to catch, log and re-raise? Doesn't the original error message, which you control, provide enough info? This pattern seems more useful below, where you contextualise the 3rd-party HttpResponseError, although even there I wonder if the stack trace alone might be enough. 🤷

FYI: we have a discussion ticket about Signer exceptions in #468. Curious about your opinions.

[jku]

I left a note about this: #588 (comment)

TLDR: I think it's not really public API, it's just part of the larger group of exceptions that we know we may raise that callers are not really meant to handle: GCPSigner handles similar cases by just allowing KeyErrors from dict lookups go through...

[lukpueh]

Agreed. I was actually trying to challenge the need for a custom exception and the way it is handled internally. But I'm okay with it. The code is still very readable and extra info for the caller is nice.

[jku]

I think the code looks good. left some notes but nothing that I think requires changes if you'd like to merge as is.

The one thing I'd like to bring up is testing... I know it's tricky to setup a proper test with the KMS service dependency (I talk a bit more about that in a comment) and we can't require a real time testing setup. But right now we as maintainers are in a situation where we can't see

• example code -- how is it supposed to be used
• proof that it actually works anywhere -- logs of a successful signing

Do you have good ideas about this?
Are there public logs of this working?
Should we add testing code (similar to check_kms_signers) even if it is disabled and only works in your fork?

[kommendorkapten]

I'll work on adding azure support in check_kms_signers, I can share credentials with you if you want to replicate the test locally.

[jku]

I can share credentials with you if you want to replicate the test locally.

Oh no need for that -- would just be good to know that if someone needs to test this, they mostly just need to setup the KMS (and maybe enable the tests or run another tox env or something simple like that).

[jku]

👍 thanks for the test: it works exactly like I expected but it's good to actually see it.

The requirements-kms.txt changes are now not needed (since it is used as requirements for tests.check_kms_signers which doesn't currently include azure). I can remove those changes before merging.

[malancas]

Great, thank you for the reviews!