diff --git a/Dockerfile b/Dockerfile
index aac7798..30e88de 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,6 +8,6 @@ WORKDIR /app
 COPY src/ /app/
-ENTRYPOINT ["sh", "-c", "sleep 10 && python main.py"]
+ENTRYPOINT ["python","main.py"]
diff --git a/requirements.txt b/requirements.txt
index ba89cb7..7095e1d 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -2,22 +2,18 @@ annotated-types==0.7.0
 anyio==4.11.0
 argon2-cffi==25.1.0
 argon2-cffi-bindings==25.1.0
-certifi==2025.8.3
 cffi==2.0.0
-charset-normalizer==3.4.3
 click==8.3.0
+cryptography==46.0.2
 fastapi==0.118.0
 h11==0.16.0
-hvac==2.3.0
 idna==3.10
 mysql-connector-python==9.4.0
 pycparser==2.23
-pydantic==2.11.9
-pydantic_core==2.33.2
-requests==2.32.5
+pydantic==2.12.0
+pydantic_core==2.41.1
 sniffio==1.3.1
 starlette==0.48.0
 typing-inspection==0.4.2
 typing_extensions==4.15.0
-urllib3==2.5.0
 uvicorn==0.37.0
diff --git a/src/db.py b/src/db.py
index a2516df..ee5fe06 100644
--- a/src/db.py
+++ b/src/db.py
@@ -1,14 +1,13 @@
 import mysql.connector
-from mysql.connector import pooling
 import threading
-from hvac_handler import get_secret
+from secret_handler import return_credentials
 import os
 import time
 import sys
-db_username = get_secret("secret/api/db", "username")
-db_password = get_secret("secret/api/db", "password")
+db_username = return_credentials("/etc/secrets/db_username")
+db_password = return_credentials("/etc/secrets/db_password")
 db_host = os.getenv("BACKEND_API_DB_HOST","localhost")
 db_database = os.getenv("BACKEND_API_DB_DATABASE","app")
diff --git a/src/hvac_handler.py b/src/hvac_handler.py
deleted file mode 100644
index b1dad1a..0000000
--- a/src/hvac_handler.py
+++ /dev/null
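Review bot: `cryptography==46.0.2` enters the manifest as a new dependency with only a version pin, and the bumped `pydantic`/`pydantic_core` lines likewise carry no `--hash` entries, so pip will accept any artifact that matches the version string. Regenerating the file with `pip-compile --generate-hashes` and installing with `pip install --require-hashes -r requirements.txt` would pin the artifact contents as well as the versions. Dropping `hvac`, `requests`, `urllib3`, `certifi` and `charset-normalizer` is consistent with the deleted hvac_handler.py, assuming no other module under src/ imports `requests` directly.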
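Review bot: `db_username` and `db_password` are now read from the hard-coded paths `/etc/secrets/db_username` and `/etc/secrets/db_password` at import time, so a missing or unreadable mount surfaces as an uncaught `FileNotFoundError` traceback during `import db`, whereas the removed `get_secret` printed which secret failed and exited cleanly. Taking the paths from the environment, as `db_host` and `db_database` already do on the following lines, keeps the deployment configurable: `db_username = return_credentials(os.getenv("BACKEND_API_DB_USERNAME_FILE", "/etc/secrets/db_username"))` (variable name constructed to match the existing `BACKEND_API_DB_*` prefix). A `try`/`except OSError` around the two reads that logs the path and exits would restore the previous failure message. The rest of db.py, including whatever consumes these two values, is outside the hunk.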
@@ -1,43 +0,0 @@
-import hvac
-import base64
-import os
-import time
-import sys
-
-HVAC_AGENT_URL = os.getenv("HVAC_AGENT_URL","http://vault-agent:8201")
-
-MAX_RETRIES = 5
-BACKOFF = 5
-
-def get_client():
- for attempt in range(1, MAX_RETRIES+1):
- try:
- client = hvac.Client(url=HVAC_AGENT_URL)
- if client.is_authenticated():
- return client
- raise Exception("Not authenticated")
- except Exception as e:
- print(f"Vault connection failed (attempt {attempt}/{MAX_RETRIES}): {e}")
- time.sleep(BACKOFF * attempt)
- print("Vault unreachable after retries. Exiting.")
- sys.exit(1)
-
-client = get_client()
-
-def get_secret(path:str, key:str):
- try:
- secret = client.secrets.kv.v2.read_secret_version(
- mount_point="kv",
- path=path
- )
- return secret["data"]["data"][key]
- except Exception as e:
- print(f"Failed to fetch secret '{path}:{key}': {e}")
- sys.exit(1)
-
-def encrypt_token(token: str) -> str:
- response = client.secrets.transit.encrypt_data(
- name='push-tokens',
- plaintext=base64.b64encode(token.encode()).decode()
- )
- return response['data']['ciphertext']
\ No newline at end of file
diff --git a/src/main.py b/src/main.py
index 619c324..6dbb713 100644
--- a/src/main.py
+++ b/src/main.py
@@ -5,7 +5,7 @@ from starlette.exceptions import HTTPException as StarletteHTTPException
 from typing import Optional,List
 from pydantic import BaseModel
 from validator import is_valid_platform,is_valid_token,verify_api_key
-from hvac_handler import encrypt_token
+from secret_handler import encrypt_token
 from db import get_db
 from logger_handler import setup_logger
 import uuid
diff --git a/src/secret_handler.py b/src/secret_handler.py
new file mode 100644
index 0000000..653f9ee
--- /dev/null
+++ b/src/secret_handler.py
@@ -0,0 +1,16 @@
+from cryptography.fernet import Fernet
+
+with open("/etc/secrets/encryption_key","rb") as file:
+ encryption_key = file.read()
+
+fernet = Fernet(encryption_key)
+
+def encrypt_token(token:str)->str:
+ return fernet.encrypt(token.encode()).decode()
+
+def decrypt_token(token:str)->str:
+ return fernet.decrypt(token.encode()).decode()
+
+def return_credentials(path: str)->str:
+ with open (path) as file:
+ return file.read()
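Review bot: `return_credentials` returns the file content verbatim, so a trailing newline in a mounted secret file (common with Kubernetes and Docker secret mounts) becomes part of the credential; `return file.read().rstrip("\n")` together with `with open(path, encoding="utf-8") as file:` would make the read deterministic across platforms. The key is read once at import and wrapped in a single `Fernet`, which leaves no rotation path; `MultiFernet([Fernet(current_key), Fernet(previous_key)])` would let `decrypt_token` accept ciphertexts produced under the previous key while `encrypt_token` uses the current one. If any tokens were already stored under the removed Vault transit format, `decrypt_token` will raise `cryptography.fernet.InvalidToken` on them, so a migration or fallback is presumably needed — the storage side is not in this diff. `decrypt_token` raises the same `InvalidToken` on any tampered or foreign input, and callers should catch it rather than let it propagate as an unhandled server error. A module docstring stating that the key file is expected to hold a url-safe base64 Fernet key and that both functions operate on UTF-8 text would help the next maintainer.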