feat: Add CAWG validation to Reader

[scouten-adobe]

This is a sketch of the changes I'd like to see made to the Reader interface to make CAWG more directly part of the reading process from clients' point of view.

[codecov]

Codecov Report

❌ Patch coverage is 14.54545% with 47 lines in your changes missing coverage. Please review.
✅ Project coverage is 28.13%. Comparing base (c4fc7a6) to head (aeab1bc).

Files with missing lines	Patch %	Lines
sdk/src/manifest.rs	6.25%	30 Missing ⚠️
sdk/src/reader.rs	28.57%	15 Missing ⚠️
sdk/src/manifest_store_report.rs	0.00%	1 Missing ⚠️
sdk/src/validation_status.rs	0.00%	1 Missing ⚠️

❗ There is a different number of reports uploaded between BASE (c4fc7a6) and HEAD (aeab1bc). Click for more details.

HEAD has 2 uploads less than BASE

Flag	BASE (c4fc7a6)	HEAD (aeab1bc)
	3	1

Additional details and impacted files

@@             Coverage Diff             @@
##             main    #1370       +/-   ##
===========================================
- Coverage   78.41%   28.13%   -50.29%     
===========================================
  Files         162      144       -18     
  Lines       39515    27439    -12076     
===========================================
- Hits        30986     7719    -23267     
- Misses       8529    19720    +11191     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

[tmathern]

Will you need sync APIs here?

[tmathern]

Why not keep the sync interface too? I am not sure we can make everything async

[tmathern]

Good question. I wouldn't want everything to become async. I wonder if we need the sync interface for some native bindings? It's not great but maybe we need a blocking API? Or a cawg validation opt-out for the sync path?

[codspeed-hq]

CodSpeed Performance Report

Merging #1370 will not alter performance

_{Comparing scouten/cai-9212-add-cawg-to-reader (aeab1bc) with main (c4fc7a6)}

Summary

✅ 16 untouched
⏩ 2 skipped¹

Footnotes

1. 2 benchmarks were skipped, so the baseline results were used instead. If they were deleted from the codebase, click here and archive them to remove them from the performance reports. ↩

[scouten-adobe]

I think I've solved the sync/async issues by leaving the existing approach in C API unchanged. I've added a new convenience function (async only) which does the combined test. That's what we were doing in the C API wrapper functions already and I've removed my changes to those functions.

[scouten-adobe]

Just noticed this was still here. Will remove shortly.

[tmathern]

The implementations in
#[cfg(target_arch = "wasm32")]
pub async fn from_stream_with_cawg_async

and

#[cfg(not(target_arch = "wasm32"))]
pub async fn from_stream_with_cawg_async

are the same. Is there no way to reuse instead of duplicating? No trick to bypass the differences in requesteds traits on the stream ?

[scouten-adobe]

I wish … I wish …

Sadly, there is not such a trick. (I've looked.)

[emensch]

So without verify.verify_after_reading, this will behave the same as Reader::from_stream_async?

Unless I'm mistaken, that feels a bit unintuitive to me. I'd think that calling from_stream_with_cawg_async would be "enough" from an end-user perspective to opt in to CAWG validation.

[gpeacock]

Why not just say that Reader::from_stream_async() supports cawg but reader_from_stream() doesn't yet. The same would go for Reader:from_file() I don't see why we should add new cawg specific methods here.
Eventually, hopefully the sync methods can support cawg too.

Another option is that we can configure the cawg support with a setting. So if you have cawg enabled we always do the cawg call and if you don't there's no extra overhead.

Maybe there's a separate (or the same) option that allows the sync methods to block on the async call. you can can disable the setting if you don't want that behavior.

[gpeacock]

I think we need to support both sync and async identity validation if we are going to include it at this level in the API. If it is part of validation, it can't just be async validation.

[gpeacock]

PostValidate could be useful for validating and formatting any 3rd party assertions we don't have in the SDK.
Ideally there would be some way to integrate this into the definition of an Assertion such that you would just need to add an assertion handler to the SDK, but that's a problem for tomorrow.

[scouten-adobe]

TO DO: Delete this and fold back into the from_stream_async call. Add a note (depending on outcome) that says not supported on sync.

[scouten-adobe]

TO DO: If CAWG identity assertion is encountered, do the asynchronous blocking call in the sync implementation (borrow from the C bindings). Gavin may add a setting to disable if the blocking behavior is undesirable.

[scouten-adobe]

TO DO: Review c2patool usage.

[scouten-adobe]

TO DO: Check in to whether verify-on-sign does CAWG identity assertion verification and if it becomes async as a result.