Adding certbot-aws-store back, smaller deps. Updated other major deps (#18)

Author: JohnPreston

.pre-commit-config.yaml

@@ -23,11 +23,11 @@ repos:
         exclude: ^ecs_files_composer/input.py|docs/
 
   - repo: https://github.com/psf/black
-    rev: 22.12.0
+    rev: 23.1.0
     hooks:
       - id: black
   - repo: https://github.com/pycqa/isort
-    rev: 5.11.4
+    rev: 5.12.0
     hooks:
       - id: isort
         args: ["--profile", "black", "--filter-files"]

Dockerfile

@@ -2,20 +2,23 @@ ARG ARCH=
 ARG PY_VERSION=3.9
 ARG BASE_IMAGE=public.ecr.aws/docker/library/python:${PY_VERSION}-slim
 ARG LAMBDA_IMAGE=public.ecr.aws/lambda/python:latest
-FROM $BASE_IMAGE as builder
+
+FROM $LAMBDA_IMAGE AS builder
 
 WORKDIR /opt
 COPY ecs_files_composer /opt/ecs_files_composer
 COPY poetry.lock pyproject.toml MANIFEST.in README.rst LICENSE /opt/
+RUN yum install gcc -y
 RUN python -m pip install pip -U; python -m pip install poetry; poetry build
+RUN pip install wheel --no-cache-dir && pip install dist/*.whl --no-cache-dir -t /opt/venv
+RUN find /opt/venv -type d -name "*pycache*" | xargs -i -P10 rm -rf {}
 
 FROM $BASE_IMAGE
 
-RUN yum upgrade -y; yum install -y tar unzip xz gzip;\
-    yum autoremove -y; yum clean packages; yum clean headers; yum clean metadata; yum clean all; rm -rfv /var/cache/yum
-ENV PATH=/app/.local/bin:${PATH}
-COPY --from=builder /opt/dist/ecs_files_composer-*.whl ${LAMBDA_TASK_ROOT:-/app/}/
-WORKDIR /app
-RUN echo $PATH ; pip install pip -U --no-cache-dir && pip install wheel --no-cache-dir && pip install *.whl --no-cache-dir
+COPY --from=builder /opt/venv ${LAMBDA_TASK_ROOT:-/app/}/venv
+ENV PYTHONPATH /app/venv:$PYTHONPATH
+ENV LD_LIBRARY_PATH=/app/venv:$LD_LIBRARY_PATH
+ENV PATH /app/venv/bin:$PATH
 WORKDIR /
-ENTRYPOINT ["ecs_files_composer"]
+ENTRYPOINT ["python", "-m", "ecs_files_composer.cli"]
+CMD ["-h"]

ecs-files-input.json

@@ -28,10 +28,24 @@
     },
     "certbot_store": {
       "type": "object",
-      "uniqueItems": true,
-      "patternProperties": {
-        "[\\W\\-\\.]+$": {
-          "$ref": "#/definitions/CertbotAwsStoreCertificate"
+      "properties": {
+        "certificates_registry_table_name": {
+          "type": "string",
+          "description": "default table name to query for certificates.",
+          "default": "certbot-registry"
+        },
+        "certificates_registry_table_region": {
+          "type": "string",
+          "description": "region to use for the certificates_registry_table_name. Defaults to current region found in profiles chain."
+        },
+        "certificates": {
+          "type": "object",
+          "uniqueItems": true,
+          "patternProperties": {
+            "[\\W\\-\\.]+$": {
+              "$ref": "#/definitions/CertbotAwsStoreCertificate"
+            }
+          }
         }
       }
     },
@@ -360,23 +374,26 @@
           "default": "root"
         },
         "jksConfig": {
-          "description": "Configuration that will allow to transform the certificate into a JKS for java applications",
-          "type": "object",
-          "additionalProperties": false,
-          "required": [
-            "fileName",
-            "passphrase"
-          ],
-          "properties": {
-            "fileName": {
-              "type": "string",
-              "description": "Name of the JKS file to create"
-            },
-            "passphrase": {
-              "type": "string",
-              "description": "The passphrase to use to secure the jks and certificate"
-            }
-          }
+          "$ref": "#/definitions/jksConfig"
+        }
+      }
+    },
+    "jksConfig": {
+      "description": "Configuration that will allow to transform the certificate into a JKS for java applications",
+      "type": "object",
+      "additionalProperties": false,
+      "required": [
+        "fileName",
+        "passphrase"
+      ],
+      "properties": {
+        "fileName": {
+          "type": "string",
+          "description": "Name of the JKS file to create"
+        },
+        "passphrase": {
+          "type": "string",
+          "description": "The passphrase to use to secure the jks and certificate"
         }
       }
     },
@@ -391,14 +408,17 @@
           "pattern": "^/[\\x00-\\x7F]+$",
           "description": "path to folder to store the certbot certificates into."
         },
-        "table_name": {
+        "certificates_registry_table_name": {
           "type": "string",
-          "description": "dynamodb table name of the certbot-aws-store registry",
-          "default": "certbot-registry"
+          "description": "Override the top level certificates_registry_table_name"
         },
-        "table_region_name": {
+        "certificates_registry_table_region": {
           "type": "string",
-          "description": "Region in which the table_name is. Defaults to profile default region, or eu-west-1"
+          "description": "Override the top level certificates_registry_table_region"
+        },
+        "jksConfig": {
+          "$ref": "#/definitions/jksConfig",
+          "description": "Automatically creates a JKS with the retrieved certificate."
         }
       }
     }

ecs_files_composer/certbot_aws_store.py

@@ -0,0 +1,87 @@
+# SPDX-License-Identifier: MPL-2.0
+# Copyright 2020-2022 John Mille<[email protected]>
+
+"""
+Manages certbot certificates download from certbot-aws-store
+"""
+
+from __future__ import annotations
+
+import os
+from typing import TYPE_CHECKING
+
+from boto3.session import Session
+
+if TYPE_CHECKING:
+    from .input import Model, CertbotAwsStoreCertificate
+
+from os import makedirs, path
+
+import jks as pyjks
+from certbot_aws_store.certificate import AcmeCertificate
+from OpenSSL import crypto
+
+from ecs_files_composer.common import LOG
+
+
+def create_jks_config(
+    certificate_name: str, certificate_job: CertbotAwsStoreCertificate
+):
+    with open(
+        f"{certificate_job.storage_path}/{AcmeCertificate.full_chain_file_name}"
+    ) as full_chain_fd:
+        full_chain = crypto.load_certificate(crypto.FILETYPE_PEM, full_chain_fd.read())
+    with open(
+        f"{certificate_job.storage_path}/{AcmeCertificate.private_key_file_name}"
+    ) as priv_key_fd:
+        private_key = priv_key_fd.read()
+
+    jks_path = path.abspath(
+        f"{certificate_job.storage_path}/{certificate_job.jks_config.file_name}"
+    )
+    pkey = pyjks.jks.PrivateKeyEntry.new(
+        certificate_name,
+        certs=[crypto.dump_certificate(crypto.FILETYPE_ASN1, full_chain)],
+        key=private_key,
+        key_format="rsa_raw",
+    )
+    pkey.encrypt(certificate_job.jks_config.passphrase)
+    keystore = pyjks.KeyStore.new("jks", [pkey])
+    keystore.save(jks_path, certificate_job.jks_config.passphrase)
+
+
+def process_certbot_aws_store_certificates(job: Model) -> None:
+    """
+    Pulls certificates from certbot-aws-store to local filesystem
+    If the path does not exist, creates a new directory for download.
+    """
+    if not job.certbot_store:
+        return
+    default_table_name = job.certbot_store.certificates_registry_table_name
+    if job.certbot_store.certificates_registry_table_region:
+        default_table_region = job.certbot_store.certificates_registry_table_region
+    else:
+        default_table_region = os.getenv("AWS_DEFAULT_REGION", Session().region_name)
+    for _hostname, _definition in job.certbot_store.certificates.items():
+        certificate = AcmeCertificate(
+            _hostname,
+            None,
+            table_name=_definition.certificates_registry_table_name
+            if _definition.certificates_registry_table_name
+            else default_table_name,
+            region_name=_definition.certificates_registry_table_region
+            if _definition.certificates_registry_table_region
+            else default_table_region,
+        )
+        if not path.exists(_definition.storage_path):
+            makedirs(_definition.storage_path, exist_ok=True)
+        try:
+            certificate.pull(_definition.storage_path)
+            LOG.info("Successfully pulled certificates for %s", _hostname)
+        except Exception as error:
+            LOG.exception(error)
+            LOG.error(
+                "Failed to download certificate from certbot-aws-store", _hostname
+            )
+        if _definition.jks_config:
+            create_jks_config(_hostname, _definition)

ecs_files_composer/ecs_files_composer.py

@@ -20,6 +20,7 @@
 
 from ecs_files_composer import input
 from ecs_files_composer.aws_mgmt import S3Fetcher
+from ecs_files_composer.certbot_aws_store import process_certbot_aws_store_certificates
 from ecs_files_composer.certificates_mgmt import process_x509_certs
 from ecs_files_composer.common import LOG
 from ecs_files_composer.files_mgmt import File
@@ -149,5 +150,7 @@ def start_jobs(config: dict, override_session=None):
     job = input.Model(**config)
     if job.certificates:
         process_x509_certs(job)
+    if job.certbot_store:
+        process_certbot_aws_store_certificates(job)
     if job.files:
         process_files(job, override_session)

ecs_files_composer/files_mgmt.py

@@ -3,6 +3,8 @@
 
 """Main module."""
 
+from __future__ import annotations
+
 import base64
 import os
 import pathlib
@@ -15,7 +17,6 @@
 import jinja2.exceptions
 import requests
 from botocore.response import StreamingBody
-from compose_x_common.compose_x_common import keyisset
 from jinja2 import Environment, FileSystemLoader
 
 from ecs_files_composer.aws_mgmt import S3Fetcher, SecretFetcher, SsmFetcher
@@ -68,7 +69,6 @@ def handler(self, iam_override=None, session_override=None):
         self.post_processing()
 
     def files_content_processing(self) -> None:
-
         if self.content and self.encoding and self.encoding == Encoding["base64"]:
             self.content = base64.b64decode(self.content).decode()
         if self.templates_dir:
@@ -305,7 +305,6 @@ def set_unix_settings(self):
                 raise
 
     def exec_post_commands(self):
-
         ignore_post_command_failure = (
             self.ignore_failure
             if self.ignore_failure and isinstance(self.ignore_failure, bool)