run ducc directly

Only the /api/sync/secret has been tested so far.

Author: max-fatouros

unpack-api/pyproject.toml

@@ -19,6 +19,7 @@ dependencies = [
     "fastapi[standard]",
     "python-dotenv",
     "requests",
+    "mjaf==0.2.0",
 ]
 
 [project.optional-dependencies]

unpack-api/unpack_api/__init__.py

@@ -0,0 +1 @@
+from unpack_api.main import *

unpack-api/unpack_api/main.py

@@ -1,7 +1,10 @@
 import json
+import logging
 import os
+import subprocess
 from typing import Annotated
 
+import mjaf
 import requests
 from authlib.jose import jwt
 from authlib.jose.errors import BadSignatureError
@@ -12,48 +15,17 @@
 from fastapi import HTTPException
 
 
-load_dotenv()
-
-SECRET_TOKEN = os.getenv('SECRET_TOKEN')
-
-# >>> GitHub
-GITHUB_REPO = os.getenv('GITHUB_REPO')
-GITHUB_TOKEN = os.getenv('GITHUB_TOKEN')
-GITHUB_WORKFLOW = os.getenv('GITHUB_WORKFLOW')
-# <<<
-
-# >>> GitLab
-GITLAB_SERVER = os.getenv('GITLAB_SERVER')
-GITLAB_TARGET_REPOSITORY_ID = os.getenv('GITLAB_TARGET_REPOSITORY_ID')
-GITLAB_TOKEN = os.getenv('GITLAB_TOKEN')
-# <<<
-
-
-def get_expose_api_map():
-    expose_api = {
-        'gitlab': False,
-        'github': False,
-        'secret': False,
-    }
-
-    if None not in (
-        GITLAB_SERVER,
-        GITLAB_TARGET_REPOSITORY_ID,
-        GITLAB_TOKEN,
-    ):
-        expose_api['gitlab'] = True
+mjaf.logging.set_handlers(
+    logger_name=__name__,
+    level=logging.INFO,
+)
+log = logging.getLogger(__name__)
 
-    if None not in (
-        GITHUB_REPO,
-        GITHUB_TOKEN,
-        GITHUB_WORKFLOW,
-    ):
-        expose_api['github'] = True
 
-    if SECRET_TOKEN is not None:
-        expose_api['secret'] = True
+load_dotenv()
+log.info('Environment loaded')
 
-    return expose_api
+SECRET_TOKEN = os.getenv('SECRET_TOKEN')
 
 
 def get_jwt_keys(jwt_server_url):
@@ -65,52 +37,33 @@ def get_jwt_keys(jwt_server_url):
     return jwks_keys
 
 
-def request_gitlab_sync(image):
-    request = requests.post(
-        url=(
-            f'{GITLAB_SERVER}/api/v4/projects/'
-            f'{GITLAB_TARGET_REPOSITORY_ID}/trigger/pipeline'
-        ),
-        data={
-            'token': GITLAB_TOKEN,
-            'ref': 'main',
-            'variables[IMAGE]': image,
-        },
-    )
-
-    if request.status_code != 200:
-        raise HTTPException(
-            status_code=request.status_code,
-            detail=f'Token server error: {request.text}',
-        )
+def call_ducc(image: str | None, cvmfs_repository: str | None):
+    string = f'quack: {image}, {cvmfs_repository}'
 
+    log.info(f'{image=}')
+    log.info(f'{cvmfs_repository=}')
 
-def request_github_sync(image):
-    """
-    https://docs.github.com/en/rest/actions/workflows?apiVersion=2022-11-28#create-a-workflow-dispatch-event
-    """
-    request = requests.post(
-        url=(
-            f'https://api.github.com/repos/{GITHUB_REPO}/actions/workflows/{GITHUB_WORKFLOW}/dispatches'  # noqa
-        ),
-        data=json.dumps({
-            'ref': 'action-testing',
-            # 'inputs': {
-            #     'image': image,
-            # },
-        }),
-        headers={
-            'Accept': 'application/vnd.github+json',
-            'Authorization': f'Bearer {GITHUB_TOKEN}',
-            'X-GitHub-Api-Version': '2022-11-28',
-        },
+    stdout = subprocess.run(
+        [
+            'sudo',
+            'systemctl',
+            'stop',
+            'autofs',
+        ],
     )
 
-    if request.status_code != 200:
-        raise HTTPException(
-            status_code=request.status_code,
-            detail=f'Token server error: {request.text}',
-        )
+    # TODO: ensure cvmfs_ducc exists
+    subprocess.run(
+        [
+            'sudo',
+            'cvmfs_ducc',
+            'convert-single-image',
+            image,
+            cvmfs_repository,
+            '--skip-podman',
+            '--skip-thin-image',
+        ],
+    )
 
 
 def check_authorization(
@@ -125,114 +78,89 @@ def check_authorization(
 
 app = FastAPI()
 
-expose_api = get_expose_api_map()
-
-gitlab_jwks_keys = None
-if expose_api['gitlab']:
-    gitlab_jwks_keys = get_jwt_keys(
-        f'{GITLAB_SERVER}/oauth/discovery/keys',
-    )
-
-
-github_jwks_keys = None
-if expose_api['github']:
-    github_jwks_keys = get_jwt_keys(
-        'https://token.actions.githubusercontent.com/.well-known/jwks',
-    )
-
 
 @app.get('/')
 def root():
     return {'message': 'PSI Image Unpacker'}
 
 
-if expose_api['gitlab']:
-    @app.post('/api/gitlab/sync/jwt')
-    def gitlab_sync_jwt(
-        authorization: Annotated[str | None, Header()] = None,
-        image: str | None = None,
-    ):
-
-        check_authorization(authorization)
-        try:
-            claims = jwt.decode(
-                authorization,
-                gitlab_jwks_keys,
-            )
-        except DecodeError:
-            raise HTTPException(
-                status_code=403,
-                detail='Invalid token: DecodeError',
-            )
-        except BadSignatureError:
-            raise HTTPException(
-                status_code=403,
-                detail='Invalid token: BadSignatureError',
-            )
-        if claims['iss'] != GITLAB_SERVER:
-            raise HTTPException(
-                status_code=403,
-                detail=f"Invalid issuer {claims['iss']}",
-            )
-
-        request_gitlab_sync(image)
-
-
-if expose_api['github']:
-    @app.post('/api/github/sync/jwt')
-    def github_sync_jwt(
-        authorization: Annotated[str | None, Header()] = None,
-        image: str | None = None,
-    ):
+@app.post('/api/gitlab/sync/jwt')
+def gitlab_sync_jwt(
+    authorization: Annotated[str | None, Header()] = None,
+    image: str | None = None,
+    cvmfs_repository: str | None = None,
+    gitlab_server: str | None = None,
+):
+    gitlab_jwks_keys = get_jwt_keys(
+        f'https://{gitlab_server}/oauth/discovery/keys',
+    )
 
-        check_authorization(authorization)
-        try:
-            claims = jwt.decode(
-                authorization,
-                github_jwks_keys,
-            )
-        except DecodeError:
-            raise HTTPException(
-                status_code=403,
-                detail='Invalid token: DecodeError',
-            )
-        except BadSignatureError:
-            raise HTTPException(
-                status_code=403,
-                detail='Invalid token: BadSignatureError',
-            )
-        if claims['iss'] != 'https://token.actions.githubusercontent.com':
-            raise HTTPException(
-                status_code=403,
-                detail=f"Invalid issuer {claims['iss']}",
-            )
+    check_authorization(authorization)
+    try:
+        claims = jwt.decode(
+            authorization,
+            gitlab_jwks_keys,
+        )
+    except DecodeError:
+        raise HTTPException(
+            status_code=403,
+            detail='Invalid token: DecodeError',
+        )
+    except BadSignatureError:
+        raise HTTPException(
+            status_code=403,
+            detail='Invalid token: BadSignatureError',
+        )
+    if claims['iss'] != gitlab_server:
+        raise HTTPException(
 
-        request_gitlab_sync(image)
+            detail=f"Invalid issuer {claims['iss']}",
+        )
 
+    return call_ducc(image, cvmfs_repository)
 
-if expose_api['secret'] and expose_api['gitlab']:
-    @app.post('/api/gitlab/sync/secret')
-    def gitlab_sync_secret(
-            authorization: Annotated[str | None, Header()] = None,
-            image: str | None = None,
-    ):
 
-        check_authorization(authorization)
+@app.post('/api/github/sync/jwt')
+def github_sync_jwt(
+    authorization: Annotated[str | None, Header()] = None,
+    image: str | None = None,
+    cvmfs_repository: str | None = None,
+):
+    github_jwks_keys = get_jwt_keys(
+        'https://token.actions.githubusercontent.com/.well-known/jwks',
+    )
 
-        if authorization != SECRET_TOKEN:
-            raise HTTPException(
-                status_code=401,
-                detail='Invalid authorization token',
-            )
+    check_authorization(authorization)
+    try:
+        claims = jwt.decode(
+            authorization,
+            github_jwks_keys,
+        )
+    except DecodeError:
+        raise HTTPException(
+            status_code=403,
+            detail='Invalid token: DecodeError',
+        )
+    except BadSignatureError:
+        raise HTTPException(
+            status_code=403,
+            detail='Invalid token: BadSignatureError',
+        )
+    if claims['iss'] != 'https://token.actions.githubusercontent.com':
+        raise HTTPException(
+            status_code=403,
+            detail=f"Invalid issuer {claims['iss']}",
+        )
 
-        request_gitlab_sync(image)
+    return call_ducc(image, cvmfs_repository)
 
 
-if expose_api['secret'] and expose_api['github']:
-    @app.post('/api/github/sync/secret')
-    def github_sync_secret(
+if SECRET_TOKEN is not None:
+    @app.post('/api/sync/secret')
+    def gitlab_sync_secret(
             authorization: Annotated[str | None, Header()] = None,
             image: str | None = None,
+            cvmfs_repository: str | None = None,
     ):
 
         check_authorization(authorization)
@@ -243,4 +171,4 @@ def github_sync_secret(
                 detail='Invalid authorization token',
             )
 
-        request_github_sync(image)
+        return call_ducc(image, cvmfs_repository)