PDFCLOUD-5556 Add client methods for digital signatures in PDF#21
Closed
datalogics-cgreen wants to merge 3 commits intopdfrest:mainfrom
Closed
PDFCLOUD-5556 Add client methods for digital signatures in PDF#21datalogics-cgreen wants to merge 3 commits intopdfrest:mainfrom
datalogics-cgreen wants to merge 3 commits intopdfrest:mainfrom
Conversation
datalogics-cgreen
changed the title
datalogics-cgreen
force-pushed
the
pdfcloud-5464-sign
branch
from
0de94ba to
c5cfde8
Compare
datalogics-kam
requested changes
Feb 12, 2026
Contributor
datalogics-kam
left a comment
datalogics-kam
left a comment
There was a problem hiding this comment.
Requesting changes
- Proper use of Pydantic dumping
- Bool | none code smell
- Mismatch between payload optionality vs typing of the public interface
- Validation should be done in Pydantic models, not client.py.
| def _serialize_signature_configuration( | ||
| value: _PdfSignatureConfigurationModel, | ||
| ) -> str: | ||
| payload = value.model_dump(mode="json", exclude_none=True) |
Contributor
There was a problem hiding this comment.
Use model_dump_json instead of model_dump followed by json.dumps.
Comment on lines
+591
to
+592
| x: str | int | float | ||
| y: str | int | float |
Comment on lines
+125
to
+126
| x: str | int | float | ||
| y: str | int | float |
Contributor
There was a problem hiding this comment.
Use float as a type here.
| class PdfSignatureLocation(TypedDict): | ||
| bottom_left: Required[PdfSignaturePoint] | ||
| top_right: Required[PdfSignaturePoint] | ||
| page: Required[str | int] |
Contributor
There was a problem hiding this comment.
I'm wondering...can this still be typed...maybe a Pydantic annotation won't help on the int but probably that str is a Literal really.
Comment on lines
+4346
to
+4365
| if "pfx" in credential_map and "certificate" in credential_map: | ||
| msg = "Provide either PFX credentials or certificate/private_key, not both." | ||
| raise PdfRestConfigurationError(msg) | ||
| if "pfx" not in credential_map and "certificate" not in credential_map: | ||
| msg = "Either PFX credentials (pfx + passphrase) or certificate/private_key credentials are required." | ||
| raise PdfRestConfigurationError(msg) | ||
| if "pfx" in credential_map: | ||
| payload["pfx_credential"] = credential_map["pfx"] | ||
| try: | ||
| payload["pfx_passphrase"] = credential_map["passphrase"] | ||
| except KeyError as exc: | ||
| msg = "PFX credentials require both 'pfx' and 'passphrase' files." | ||
| raise PdfRestConfigurationError(msg) from exc | ||
| elif "certificate" in credential_map: | ||
| payload["certificate"] = credential_map["certificate"] | ||
| try: | ||
| payload["private_key"] = credential_map["private_key"] | ||
| except KeyError as exc: | ||
| msg = "Certificate credentials require both 'certificate' and 'private_key' files." | ||
| raise PdfRestConfigurationError(msg) from exc |
Contributor
There was a problem hiding this comment.
All this should be on a Payload validator.
Suggested change
| if "pfx" in credential_map and "certificate" in credential_map: | |
| msg = "Provide either PFX credentials or certificate/private_key, not both." | |
| raise PdfRestConfigurationError(msg) | |
| if "pfx" not in credential_map and "certificate" not in credential_map: | |
| msg = "Either PFX credentials (pfx + passphrase) or certificate/private_key credentials are required." | |
| raise PdfRestConfigurationError(msg) | |
| if "pfx" in credential_map: | |
| payload["pfx_credential"] = credential_map["pfx"] | |
| try: | |
| payload["pfx_passphrase"] = credential_map["passphrase"] | |
| except KeyError as exc: | |
| msg = "PFX credentials require both 'pfx' and 'passphrase' files." | |
| raise PdfRestConfigurationError(msg) from exc | |
| elif "certificate" in credential_map: | |
| payload["certificate"] = credential_map["certificate"] | |
| try: | |
| payload["private_key"] = credential_map["private_key"] | |
| except KeyError as exc: | |
| msg = "Certificate credentials require both 'certificate' and 'private_key' files." | |
| raise PdfRestConfigurationError(msg) from exc | |
| # Move to payload validator |
Comment on lines
+3001
to
+3020
| if "pfx" in credential_map and "certificate" in credential_map: | ||
| msg = "Provide either PFX credentials or certificate/private_key, not both." | ||
| raise PdfRestConfigurationError(msg) | ||
| if "pfx" not in credential_map and "certificate" not in credential_map: | ||
| msg = "Either PFX credentials (pfx + passphrase) or certificate/private_key credentials are required." | ||
| raise PdfRestConfigurationError(msg) | ||
| if "pfx" in credential_map: | ||
| payload["pfx_credential"] = credential_map["pfx"] | ||
| try: | ||
| payload["pfx_passphrase"] = credential_map["passphrase"] | ||
| except KeyError as exc: | ||
| msg = "PFX credentials require both 'pfx' and 'passphrase' files." | ||
| raise PdfRestConfigurationError(msg) from exc | ||
| elif "certificate" in credential_map: | ||
| payload["certificate"] = credential_map["certificate"] | ||
| try: | ||
| payload["private_key"] = credential_map["private_key"] | ||
| except KeyError as exc: | ||
| msg = "Certificate credentials require both 'certificate' and 'private_key' files." | ||
| raise PdfRestConfigurationError(msg) from exc |
Contributor
There was a problem hiding this comment.
All this should be done by validating the payload, which can have optional fields, and check them either before or after the whole class is validated (I think before is for data mods, after is better for validity)
Not least because it duplicates 21 lines of complicated code.
Suggested change
| if "pfx" in credential_map and "certificate" in credential_map: | |
| msg = "Provide either PFX credentials or certificate/private_key, not both." | |
| raise PdfRestConfigurationError(msg) | |
| if "pfx" not in credential_map and "certificate" not in credential_map: | |
| msg = "Either PFX credentials (pfx + passphrase) or certificate/private_key credentials are required." | |
| raise PdfRestConfigurationError(msg) | |
| if "pfx" in credential_map: | |
| payload["pfx_credential"] = credential_map["pfx"] | |
| try: | |
| payload["pfx_passphrase"] = credential_map["passphrase"] | |
| except KeyError as exc: | |
| msg = "PFX credentials require both 'pfx' and 'passphrase' files." | |
| raise PdfRestConfigurationError(msg) from exc | |
| elif "certificate" in credential_map: | |
| payload["certificate"] = credential_map["certificate"] | |
| try: | |
| payload["private_key"] = credential_map["private_key"] | |
| except KeyError as exc: | |
| msg = "Certificate credentials require both 'certificate' and 'private_key' files." | |
| raise PdfRestConfigurationError(msg) from exc | |
| # Move to payload validator |
|
|
||
| class _PdfSignatureDisplayModel(BaseModel): | ||
| include_distinguished_name: bool | None = None | ||
| include_datetime: bool | None = None |
Contributor
There was a problem hiding this comment.
Are these bools really optional? Optional bool can be confusing...and the TypedDict doesn't have optional values. This is the part that validates, and makes sure that at runtime, the TypedDict got passed the correct values.
type checking -> IDE time
validation -> runtime
Comment on lines
+604
to
+607
| contact: str | None = None | ||
| location: str | None = None | ||
| name: str | None = None | ||
| reason: str | None = None |
Contributor
There was a problem hiding this comment.
According to the types on PdfSignatureDisplay, these are not optional. They should validate how they're typed on the public interface.
Contributor
Author
There was a problem hiding this comment.
These are meant to be optional. If they are not wanted, then they should be omitted from the request.
|
|
||
| class _PdfSignatureConfigurationModel(BaseModel): | ||
| type: Literal["new"] | ||
| name: str | None = None |
Contributor
There was a problem hiding this comment.
But the public interface says this isn't optional...
Contributor
Author
There was a problem hiding this comment.
It's required.
| timeout=timeout, | ||
| ) | ||
|
|
||
| def sign_pdf( |
Contributor
There was a problem hiding this comment.
Since I was on the topic of "things we split into separate functions for clarity", pdfAssistant has
pdfassistant_chatbot/functions/signed_pdf.py
255:async def digitally_sign_pdf_with_pfx(
362:async def digitally_sign_pdf_with_non_pfx(
...should that idea be surfaced here? Just trying to keep the interface grounded.
Contributor
Author
There was a problem hiding this comment.
This is what I have now done with Watermark PDF and what I'm currently working on for /pdf.
Assisted-by: Codex
Assisted-by: Codex
datalogics-cgreen
force-pushed
the
pdfcloud-5464-sign
branch
from
c5cfde8 to
503c84c
Compare
Contributor
|
Replaced by #26 with some additional fixes. |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Adds client support for the Sign PDF endpoint, including new payload models and public types in the pdfrest package.
Adds comprehensive Sign PDF tests (unit + live) and supporting test fixtures/resources for signing credentials and assets.