run lint & format, add ci pipeline

Author: fed1337

.github/workflows/ci.yml

@@ -1,10 +1,21 @@
-name: ci.yml
+name: CI
 on:
   push:
-    branches: [ main ]
+    branches: [ main, ci-test ]
 
 jobs:
   check:
-
-  test:
-
+    name: Lint & format (ruff)
+    runs-on: ubuntu-22.04
+    steps:
+      - uses: actions/checkout@v6
+      - name: Install uv
+        uses: astral-sh/setup-uv@v7
+      - name: Sync dev dependencies
+        run: uv sync --frozen --dev
+      - name: Ruff check
+        run: uv run ruff check .
+      - name: Ruff format check
+        run: uv run ruff format --check .
+      - name: mypy check
+        run: uv run mypy lemur

lemur/__init__.py

@@ -9,6 +9,7 @@
 .. moduleauthor:: Hossein Shafagh <[email protected]>
 
 """
+
 import socket
 import time
 import urllib.parse
@@ -78,9 +79,7 @@
 
 
 def create_app(config_path=None):
-    app = factory.create_app(
-        app_name=__name__, blueprints=LEMUR_BLUEPRINTS, config=config_path
-    )
+    app = factory.create_app(app_name=__name__, blueprints=LEMUR_BLUEPRINTS, config=config_path)
     configure_hook(app)
     return app
 
@@ -140,29 +139,32 @@ def sanitize_path(*, path: str) -> str:
                         parsed_path.path,
                         parsed_path.params,
                         "<sanitized_query_parameters>",
-                        parsed_path.fragment
+                        parsed_path.fragment,
                     )
                 )
             return path
 
         # Log request headers
         skip_endpoints = any(
-            endpoint in request.full_path for endpoint in app.config.get("LOG_REQUEST_HEADERS_SKIP_ENDPOINT", [])
+            endpoint in request.full_path
+            for endpoint in app.config.get("LOG_REQUEST_HEADERS_SKIP_ENDPOINT", [])
         )
         if app.config.get("LOG_REQUEST_HEADERS", False) and not skip_endpoints:
-            app.logger.info({
-                "lemur": socket.gethostname(),
-                "ingress-ip": request.remote_addr,
-                "request-id": request.headers.get("X-Request-Id"),
-                "ip": request.headers.get("X-Real-Ip", request.remote_addr),
-                "method": request.method,
-                "scheme": request.headers.get("X-Scheme", request.scheme),
-                "path": sanitize_path(path=request.full_path),
-                "status": response.status_code,
-                "user-agent": request.headers.get("User-Agent"),
-                "referer": sanitize_path(path=request.headers.get("Referer")),
-                "host": request.headers.get("Host")
-            })
+            app.logger.info(
+                {
+                    "lemur": socket.gethostname(),
+                    "ingress-ip": request.remote_addr,
+                    "request-id": request.headers.get("X-Request-Id"),
+                    "ip": request.headers.get("X-Real-Ip", request.remote_addr),
+                    "method": request.method,
+                    "scheme": request.headers.get("X-Scheme", request.scheme),
+                    "path": sanitize_path(path=request.full_path),
+                    "status": response.status_code,
+                    "user-agent": request.headers.get("User-Agent"),
+                    "referer": sanitize_path(path=request.headers.get("Referer")),
+                    "host": request.headers.get("Host"),
+                }
+            )
 
         # Update custom response headers
         response.headers.update(custom_response_headers)

lemur/acme_providers/cli.py

@@ -26,14 +26,10 @@ def cli():
     "--domain",
     "domain",
     required=True,
-    help="Name of the Domain to store to (ex. \"_acme-chall.test.com\"."
+    help='Name of the Domain to store to (ex. "_acme-chall.test.com".',
 )
 @click.option(
-    "-t",
-    "--token",
-    "token",
-    required=True,
-    help="Value of the Token to store in DNS as content."
+    "-t", "--token", "token", required=True, help="Value of the Token to store in DNS as content."
 )
 def dnstest_command(domain, token):
     dnstest(domain, token)
@@ -105,31 +101,18 @@ def dnstest(domain, token):
     "token",
     default="date: " + arrow.utcnow().format("YYYY-MM-DDTHH-mm-ss"),
     required=False,
-    help="Value of the Token to store in DNS as content."
+    help="Value of the Token to store in DNS as content.",
 )
 @click.option(
     "-n",
     "--token_name",
     "token_name",
     default="Token-" + arrow.utcnow().format("YYYY-MM-DDTHH-mm-ss"),
     required=False,
-    help="path"
-)
-@click.option(
-    "-p",
-    "--prefix",
-    "prefix",
-    default="test/",
-    required=False,
-    help="S3 bucket prefix"
-)
-@click.option(
-    "-a",
-    "--account_number",
-    "account_number",
-    required=True,
-    help="AWS Account"
+    help="path",
 )
+@click.option("-p", "--prefix", "prefix", default="test/", required=False, help="S3 bucket prefix")
+@click.option("-a", "--account_number", "account_number", required=True, help="AWS Account")
 @click.option(
     "-b",
     "--bucket_name",
@@ -201,5 +184,5 @@ def upload_acme_token_s3(token, token_name, prefix, account_number, bucket_name)
         prefix + "/"
 
     token_res = s3.get(bucket_name, prefix + token_name, account_number=account_number)
-    assert (token_res == token)
+    assert token_res == token
     s3.delete(bucket_name, prefix + token_name, account_number=account_number)

lemur/api_keys/cli.py

@@ -5,6 +5,7 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Eric Coan <[email protected]>
 """
+
 from datetime import datetime
 
 import click
@@ -21,13 +22,9 @@ def cli():
 
 
 @cli.command("create")
-@click.option(
-    "-u", "--user-id", "uid", help="The User ID this access key belongs too."
-)
+@click.option("-u", "--user-id", "uid", help="The User ID this access key belongs too.")
 @click.option("-n", "--name", "name", help="The name of this API Key.")
-@click.option(
-    "-t", "--ttl", "ttl", help="The TTL of this API Key. -1 for forever."
-)
+@click.option("-t", "--ttl", "ttl", help="The TTL of this API Key. -1 for forever.")
 def create_command(uid, name, ttl):
     create(uid, name, ttl)
 

lemur/api_keys/models.py

@@ -6,6 +6,7 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Eric Coan <[email protected]>
 """
+
 from sqlalchemy import BigInteger, Boolean, Column, ForeignKey, Integer, String
 
 from lemur.database import BaseModel

lemur/api_keys/schemas.py

@@ -5,6 +5,7 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Eric Coan <[email protected]>
 """
+
 from flask import g
 from marshmallow import fields
 
@@ -22,9 +23,7 @@ def current_user_id():
 
 class ApiKeyInputSchema(LemurInputSchema):
     name = fields.String(required=False)
-    user = fields.Nested(
-        UserInputSchema, missing=current_user_id, default=current_user_id
-    )
+    user = fields.Nested(UserInputSchema, missing=current_user_id, default=current_user_id)
     ttl = fields.Integer()
 
 

lemur/api_keys/service.py

@@ -5,6 +5,7 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Eric Coan <[email protected]>
 """
+
 from lemur import database
 from lemur.api_keys.models import ApiKey
 from lemur.logs import service as log_service

lemur/api_keys/views.py

@@ -7,6 +7,7 @@
 .. moduleauthor:: Eric Coan <[email protected]>
 
 """
+
 from datetime import datetime
 
 from flask import Blueprint, g
@@ -33,7 +34,7 @@
 
 
 class ApiKeyList(AuthenticatedResource):
-    """ Defines the 'api_keys' endpoint """
+    """Defines the 'api_keys' endpoint"""
 
     def __init__(self):
         super().__init__()
@@ -148,13 +149,11 @@ def post(self, data=None):
             revoked=False,
             issued_at=int(datetime.utcnow().timestamp()),
         )
-        return dict(
-            jwt=create_token(access_token.user_id, access_token.id, access_token.ttl)
-        )
+        return dict(jwt=create_token(access_token.user_id, access_token.id, access_token.ttl))
 
 
 class ApiKeyUserList(AuthenticatedResource):
-    """ Defines the 'keys' endpoint on the 'users' endpoint. """
+    """Defines the 'keys' endpoint on the 'users' endpoint."""
 
     def __init__(self):
         super().__init__()
@@ -253,11 +252,7 @@ def post(self, user_id, data=None):
         if not ApiKeyCreatorPermission().can():
             if user_id != g.current_user.id:
                 return (
-                    dict(
-                        message="You are not authorized to create tokens for: {}".format(
-                            user_id
-                        )
-                    ),
+                    dict(message="You are not authorized to create tokens for: {}".format(user_id)),
                     403,
                 )
 
@@ -268,9 +263,7 @@ def post(self, user_id, data=None):
             revoked=False,
             issued_at=int(datetime.utcnow().timestamp()),
         )
-        return dict(
-            jwt=create_token(access_token.user_id, access_token.id, access_token.ttl)
-        )
+        return dict(jwt=create_token(access_token.user_id, access_token.id, access_token.ttl))
 
 
 class ApiKeys(AuthenticatedResource):
@@ -366,9 +359,7 @@ def put(self, aid, data=None):
             if not ApiKeyCreatorPermission().can():
                 return dict(message="You are not authorized to update this token!"), 403
 
-        service.update(
-            access_key, name=data["name"], revoked=data["revoked"], ttl=data["ttl"]
-        )
+        service.update(access_key, name=data["name"], revoked=data["revoked"], ttl=data["ttl"])
         return dict(jwt=create_token(access_key.user_id, access_key.id, access_key.ttl))
 
     def delete(self, aid):
@@ -512,9 +503,7 @@ def put(self, uid, aid, data=None):
         if access_key.user_id != uid:
             return dict(message="You are not authorized to update this token!"), 403
 
-        service.update(
-            access_key, name=data["name"], revoked=data["revoked"], ttl=data["ttl"]
-        )
+        service.update(access_key, name=data["name"], revoked=data["revoked"], ttl=data["ttl"])
         return dict(jwt=create_token(access_key.user_id, access_key.id, access_key.ttl))
 
     def delete(self, uid, aid):
@@ -616,10 +605,6 @@ def get(self, aid):
 
 api.add_resource(ApiKeyList, "/keys", endpoint="api_keys")
 api.add_resource(ApiKeys, "/keys/<int:aid>", endpoint="api_key")
-api.add_resource(
-    ApiKeysDescribed, "/keys/<int:aid>/described", endpoint="api_key_described"
-)
+api.add_resource(ApiKeysDescribed, "/keys/<int:aid>/described", endpoint="api_key_described")
 api.add_resource(ApiKeyUserList, "/users/<int:user_id>/keys", endpoint="user_api_keys")
-api.add_resource(
-    UserApiKeys, "/users/<int:uid>/keys/<int:aid>", endpoint="user_api_key"
-)
+api.add_resource(UserApiKeys, "/users/<int:uid>/keys/<int:aid>", endpoint="user_api_key")

lemur/auth/ldap.py

@@ -5,6 +5,7 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Ian Stahnke <[email protected]>
 """
+
 import ldap
 from flask import current_app
 
@@ -44,9 +45,7 @@ def __init__(self, args):
         self.ldap_default_role = current_app.config.get("LEMUR_DEFAULT_ROLE", None)
         self.ldap_required_group = current_app.config.get("LDAP_REQUIRED_GROUP", None)
         self.ldap_groups_to_roles = current_app.config.get("LDAP_GROUPS_TO_ROLES", None)
-        self.ldap_is_active_directory = current_app.config.get(
-            "LDAP_IS_ACTIVE_DIRECTORY", False
-        )
+        self.ldap_is_active_directory = current_app.config.get("LDAP_IS_ACTIVE_DIRECTORY", False)
         self.ldap_attrs = ["memberOf"]
         self.ldap_client = None
         self.ldap_groups = None
@@ -110,9 +109,7 @@ def _authorize(self):
         # update their 'roles'
         role = role_service.get_by_name(self.ldap_principal)
         if not role:
-            description = "auto generated role based on owner: {}".format(
-                self.ldap_principal
-            )
+            description = "auto generated role based on owner: {}".format(self.ldap_principal)
             role = role_service.create(
                 self.ldap_principal, description=description, third_party=True
             )
@@ -127,14 +124,10 @@ def _authorize(self):
             if role:
                 if ldap_group_name in self.ldap_groups:
                     current_app.logger.debug(
-                        "assigning role {} to ldap user {}".format(
-                            self.ldap_principal, role
-                        )
+                        "assigning role {} to ldap user {}".format(self.ldap_principal, role)
                     )
                     if not role.third_party:
-                        role = role_service.set_third_party(
-                            role.id, third_party_status=True
-                        )
+                        role = role_service.set_third_party(role.id, third_party_status=True)
                     roles.add(role)
         return roles
 
@@ -176,9 +169,7 @@ def _bind(self):
                 self.ldap_client.set_option(ldap.OPT_X_TLS_DEMAND, True)
                 self.ldap_client.set_option(ldap.OPT_DEBUG_LEVEL, 255)
             if self.ldap_cacert_file:
-                self.ldap_client.set_option(
-                    ldap.OPT_X_TLS_CACERTFILE, self.ldap_cacert_file
-                )
+                self.ldap_client.set_option(ldap.OPT_X_TLS_CACERTFILE, self.ldap_cacert_file)
             self.ldap_client.simple_bind_s(self.ldap_principal, self.ldap_password)
         except ldap.INVALID_CREDENTIALS:
             self.ldap_client.unbind()

lemur/auth/permissions.py

@@ -6,6 +6,7 @@
     :license: Apache, see LICENSE for more details.
 .. moduleauthor:: Kevin Glisson <[email protected]>
 """
+
 from functools import partial
 from collections import namedtuple