DEVOPS-41 update secrets from KV

Author: githubofkrishnadhas

.github/workflows/simple-az-check-secret.yaml

@@ -0,0 +1,25 @@
+name: Azure Auth and az account show
+
+on:
+  push:
+  workflo_dispatch:
+
+jobs:
+  azure-auth:
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Checkout repository
+      uses: actions/checkout@v2
+
+    - name: Set up Azure CLI
+      uses: azure/CLI@v1
+
+    - name: Login via Azure CLI
+      run: |
+        az login --service-principal -u ${{ secrets.ARM_CLIENT_ID }} -p ${{ secrets.ARM_CLIENT_SECRET }} --tenant ${{ secrets.ARM_TENANT_ID }}
+        az account set --subscription ${{ secrets.ARM_SUBSCRIPTION_ID }}
+        az account show -o json
+
+    - name: Completed
+      run: echo 'completed'

.gitignore

@@ -99,7 +99,7 @@ ipython_config.py
 #   This is especially recommended for binary packages to ensure reproducibility, and is more
 #   commonly ignored for libraries.
 #   https://python-poetry.org/docs/basic-usage/#commit-your-poetrylock-file-to-version-control
-#poetry.lock
+poetry.lock
 
 # pdm
 #   Similar to Pipfile.lock, it is generally recommended to include pdm.lock in version control.
@@ -159,4 +159,4 @@ cython_debug/
 #  be found at https://github.com/github/gitignore/blob/main/Global/JetBrains.gitignore
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
-#.idea/
+.idea/

create_repo_secrets.py

@@ -0,0 +1,60 @@
+import requests
+import os
+from datetime import datetime
+import pytz
+
+def current_ist_time():
+    """code to return time in IST"""
+    # Get the current time in IST
+    ist = pytz.timezone('Asia/Kolkata')
+    ist_now = datetime.now(ist)
+
+    # Format and print the current time in IST
+    ist_now_formatted = ist_now.strftime('%Y-%m-%d %H:%M:%S %Z%z')
+    return ist_now_formatted
+
+
+def create_or_update_repository_secret_github(repo_name: str, secret_name: str, secret_value: str, public_key_id: int):
+    """
+    Create or update org level secret in GitHub
+    Ref https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#create-or-update-an-organization-secret
+
+    The token must have the following permission set: organization_secrets:write
+    """
+    encrypted_secret = secret_value
+    organization = os.getenv('GITHUB_REPOSITORY_OWNER')
+
+    if not encrypted_secret:
+        print("ENCRYPTED_SECRET environment variable is not set or is empty.")
+    # print(f'encrypted sec is: {encrypted_secret}')
+    ist_now_formatted = current_ist_time()
+    github_repo_secret_endpoint = f"https://api.github.com/repos/{organization}/{repo_name}/actions/secrets/{secret_name}"
+
+    headers = {
+        "Accept": "application/vnd.github+json",
+        "Authorization": f"Bearer {os.getenv('GH_TOKEN')}",
+        "X-GitHub-Api-Version": "2022-11-28"
+    }
+    data = {
+        "encrypted_value": encrypted_secret,
+        "visibility": "all",
+        "key_id": public_key_id
+    }
+    response = requests.put(github_repo_secret_endpoint, headers=headers, json=data)
+    if response.status_code == 201:
+        print(f"Secret {secret_name} created on {repo_name} at {ist_now_formatted} ")
+    else:
+        print(f"Secret {secret_name} updated on {repo_name} at {ist_now_formatted} ")
+
+
+def main():
+    """To test the code"""
+
+    organization = os.getenv('organization')
+    secret_name = os.getenv('secret_name')
+
+    # Function call
+    create_or_update_repository_secret_github(organization, secret_name)
+
+if __name__ == "__main__":
+    main()

encrypt_using_libnacl.py

@@ -0,0 +1,43 @@
+# Python script includes a function, encrypt, designed to encrypt Unicode strings using public-key cryptography through the PyNaCl library.
+# To utilize this functionality, begin by importing the necessary libraries with the from base64 import b64encode and from nacl import encoding,
+# public statements. Subsequently, define and call the encrypt function, passing a Base64-encoded public key and a Unicode string as parameters.
+# The function then encrypts the provided value using the public key and returns the result in a Base64-encoded format.
+# For example, calling encrypt("aSBhbSBrcmlzaG5hZGhhcwo=", "aSBhbSBrcmlzaG5hZGhhcwo=") demonstrates how to encrypt a sample Unicode string using a specified public key.
+# Ensure proper handling and security of public keys and secret values within your application.
+from get_repo_public_key import get_repository_public_key
+from base64 import b64encode
+from nacl import encoding, public
+import os
+
+def encrypt(public_key: str, secret_value: str) -> str:
+    """Encrypt a Unicode string using the public key."""
+    public_key = public.PublicKey(public_key.encode("utf-8"), encoding.Base64Encoder())
+    sealed_box = public.SealedBox(public_key)
+    encrypted = sealed_box.encrypt(secret_value.encode("utf-8"))
+    return b64encode(encrypted).decode("utf-8")
+
+def main():
+    organization = os.getenv('organization')
+    repository_name = os.getenv('repository_name')
+    repo_public_key = get_repository_public_key(organization=organization, repository_name=repository_name)
+    # repo_public_key = os.environ.get("REPOSITORY_PUBLIC_KEY")
+    # secret_value = os.environ.get("SECRET_VALUE")
+    # public_key = "<public key here for local testing>"
+    secret_value = "Krishnadhas"
+
+    if not (repo_public_key and secret_value):
+        print("Please set REPOSITORY_PUBLIC_KEY and SECRET_VALUE environment variables.")
+        exit(1)
+
+    try:
+        encrypted_secret = encrypt(repo_public_key, secret_value)
+        os.system(f'echo "ENCRYPTED_SECRET={encrypted_secret}" >> $GITHUB_ENV')
+        print(f"Encrypted Secret: {encrypted_secret}")
+        print(f"Encrypted secret added as a environment variable")
+        return encrypted_secret
+    except Exception as e:
+        print(f"Error encrypting secret: {e}")
+        exit(1)
+
+if __name__ == "__main__":
+    main()

get_repo_public_key.py

@@ -0,0 +1,96 @@
+import os
+import pytz
+import requests
+import argparse
+from datetime import datetime
+
+def current_ist_time():
+    """code to return time in IST"""
+    # Get the current time in IST
+    ist = pytz.timezone('Asia/Kolkata')
+    ist_now = datetime.now(ist)
+
+    # Format and print the current time in IST
+    ist_now_formatted = ist_now.strftime('%Y-%m-%d %H:%M:%S %Z%z')
+    return ist_now_formatted
+def get_repository_public_key(organization:str ,repository_name: str):
+    """
+    Get the ORG name and repo name retrieve the public key of the repository
+    :param organization:
+    :param repository_name:
+    :return:
+    """
+    repository_public_key_url = f'https://api.github.com/repos/{organization}/{repository_name}/actions/secrets/public-key'
+    headers = {
+        "Accept": "application/vnd.github+json",
+        "Authorization": f"Bearer {os.getenv('GH_TOKEN')}",
+        "X-GitHub-Api-Version": "2022-11-28"
+    }
+    response = requests.get(repository_public_key_url, headers= headers)
+    response_json = response.json()
+    repository_public_key = response_json['key']
+    # print(f'repo public key is {repository_public_key}')
+    response_code = response.status_code
+
+    if response_code == 200:
+        print(f'Public key for {repository_name} retrieved from {organization} Org Successfully at {current_ist_time()}')
+    else:
+        print(f'Failed to retrieve public key for {repository_name} retrieved from {organization} Org at {current_ist_time()}')
+
+    return repository_public_key
+
+
+def get_repository_public_key_id(organization:str ,repository_name: str):
+    """
+    Get the ORG name and repo name retrieve the public key id of the repository
+    :param organization:
+    :param repository_name:
+    :return:
+    """
+    repository_public_key_id_url = f'https://api.github.com/repos/{organization}/{repository_name}/actions/secrets/public-key'
+    headers = {
+        "Accept": "application/vnd.github+json",
+        "Authorization": f"Bearer {os.getenv('GH_TOKEN')}",
+        "X-GitHub-Api-Version": "2022-11-28"
+    }
+    response = requests.get(repository_public_key_id_url, headers= headers)
+    response_json = response.json()
+    repository_public_key_id = response_json['key_id']
+    # print(f'repo public key is {repository_public_key_id}')
+    response_code = response.status_code
+
+    if response_code == 200:
+        print(f'Public key id for {repository_name} retrieved from {organization} Org Successfully at {current_ist_time()}')
+    else:
+        print(f'Failed to retrieve public key id for {repository_name} retrieved from {organization} Org at {current_ist_time()}')
+
+    return repository_public_key_id
+
+
+def main():
+    """ To test the python code """
+    GH_TOKEN = os.environ.get("GH_TOKEN")
+    parser = argparse.ArgumentParser(description="Get the public key of the repository in GitHub")
+    parser.add_argument("--organization", required=True, type=str, help= "GitHub organization name")
+    parser.add_argument("--repository_name", help= "GitHub repository name", type=str, required=True)
+
+    args = parser.parse_args()
+    organization = args.organization
+    repository_name = args.repository_name
+
+    try:
+        repo_public_key = get_repository_public_key(organization, repository_name)
+        os.system(f'echo "REPOSITORY_PUBLIC_KEY={repo_public_key}" >> $GITHUB_ENV')
+        print(f"Public key added as a environment variable")
+        repo_public_key_id = get_repository_public_key_id(organization, repository_name)
+        os.system(f'echo "REPOSITORY_PUBLIC_KEY_ID={repo_public_key_id}" >> $GITHUB_ENV')
+        print(f"Public key id added as a environment variable")
+
+
+        # return encrypted_secret
+    except Exception as e:
+        print(f"Error retrieving public key and public key id of {repository_name}: {e}")
+        exit(1)
+
+if __name__ == "__main__":
+    main()