mirror of
https://github.com/openai/codex.git
synced 2026-05-17 17:53:06 +00:00
19badb0be2
## Why Device-key providers should only own platform key material. The account/client binding used to authorize a signing payload is app-server state, and keeping that state in provider-specific metadata makes the same check harder to audit and harder to share across platform implementations. Persisting the binding in the shared state database gives the device-key crate a platform-neutral source of truth before it asks a provider to sign. It also lets app-server move potentially blocking key operations off the main message processor path, which matters once providers may wait for OS authentication prompts. ## What changed - Add a `device_key_bindings` state migration plus `StateRuntime` helpers keyed by `key_id`. - Add an async `DeviceKeyBindingStore` abstraction to `codex-device-key` and use it from `DeviceKeyStore::create` and `DeviceKeyStore::sign`. - Keep provider calls behind async store methods and run the synchronous provider work through `spawn_blocking`. - Wire app-server device-key RPC handling to the SQLite-backed binding store and spawn response/error delivery tasks for device-key requests. - Run the turn-start tracing test on the existing larger current-thread test harness after the larger async surface made the default test stack too small locally. ## Validation - `cargo test -p codex-device-key` - `cargo test -p codex-state device_key` - `cargo test -p codex-state` - `cargo test -p codex-app-server device_key` - `cargo test -p codex-app-server message_processor::tracing_tests::turn_start_jsonrpc_span_parents_core_turn_spans` - `cargo test -p codex-app-server` - `just fix -p codex-device-key` - `just fix -p codex-state` - `just fix -p codex-app-server` - `just bazel-lock-update` - `just bazel-lock-check` - `git diff --check`
50 lines
1.4 KiB
Rust
50 lines
1.4 KiB
Rust
use crate::DeviceKeyError;
|
|
use crate::DeviceKeyInfo;
|
|
use crate::DeviceKeyProtectionClass;
|
|
use crate::DeviceKeyProvider;
|
|
use crate::ProviderCreateRequest;
|
|
use crate::ProviderSignature;
|
|
use std::sync::Arc;
|
|
|
|
pub(crate) fn default_provider() -> Arc<dyn DeviceKeyProvider> {
|
|
Arc::new(UnsupportedDeviceKeyProvider)
|
|
}
|
|
|
|
#[derive(Debug)]
|
|
pub(crate) struct UnsupportedDeviceKeyProvider;
|
|
|
|
impl DeviceKeyProvider for UnsupportedDeviceKeyProvider {
|
|
fn create(&self, request: ProviderCreateRequest) -> Result<DeviceKeyInfo, DeviceKeyError> {
|
|
let _ = request.key_id_for(DeviceKeyProtectionClass::HardwareTpm);
|
|
let _ = request
|
|
.protection_policy
|
|
.allows(DeviceKeyProtectionClass::HardwareTpm);
|
|
Err(DeviceKeyError::HardwareBackedKeysUnavailable)
|
|
}
|
|
|
|
fn delete(
|
|
&self,
|
|
_key_id: &str,
|
|
_protection_class: DeviceKeyProtectionClass,
|
|
) -> Result<(), DeviceKeyError> {
|
|
Ok(())
|
|
}
|
|
|
|
fn get_public(
|
|
&self,
|
|
_key_id: &str,
|
|
_protection_class: DeviceKeyProtectionClass,
|
|
) -> Result<DeviceKeyInfo, DeviceKeyError> {
|
|
Err(DeviceKeyError::KeyNotFound)
|
|
}
|
|
|
|
fn sign(
|
|
&self,
|
|
_key_id: &str,
|
|
_protection_class: DeviceKeyProtectionClass,
|
|
_payload: &[u8],
|
|
) -> Result<ProviderSignature, DeviceKeyError> {
|
|
Err(DeviceKeyError::KeyNotFound)
|
|
}
|
|
}
|