From d21f56a2ae7cc21e9963653e4e9d5614f4f96efd Mon Sep 17 00:00:00 2001
From: Florian
Date: Wed, 5 Nov 2025 22:21:33 +0100
Subject: [PATCH] Added lib-secret-manager which consumes secrets after application launch
---
 requirements.txt | 1 +
 src/db.py | 2 +-
 ..._handler.py => device_token_repository.py} | 30 -------------------
 src/rabbitmq_handler.py | 13 +++++++-
 4 files changed, 14 insertions(+), 32 deletions(-)
 rename src/{secret_handler.py => device_token_repository.py} (68%)
diff --git a/requirements.txt b/requirements.txt
index 5bbd764..0896c90 100644
--- a/requirements.txt
+++ b/requirements.txt
@@ -10,6 +10,7 @@ cffi==2.0.0
 cryptography==46.0.2
 frozenlist==1.8.0
 idna==3.11
+lib-secret-manager[encryption] @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@main
 multidict==6.7.0
 pamqp==3.3.0
 prometheus_client==0.23.1
diff --git a/src/db.py b/src/db.py
index 0d60329..8e1da76 100644
--- a/src/db.py
+++ b/src/db.py
@@ -1,7 +1,7 @@
 from contextlib import asynccontextmanager
 import aiomysql
 import asyncio
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 import os
 from simple_logger_handler import setup_logger
 import pymysql.err
diff --git a/src/secret_handler.py b/src/device_token_repository.py
similarity index 68%
rename from src/secret_handler.py
rename to src/device_token_repository.py
index 62d21aa..ff8bb54 100644
--- a/src/secret_handler.py
+++ b/src/device_token_repository.py
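Review bot: The new requirement `lib-secret-manager[encryption] @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@main` tracks the mutable `main` branch while every other entry in the file is pinned to an exact version, so the code that loads, decrypts and deletes the application's secrets can change between two builds of the same commit and cannot be audited from this file. Pin it to an immutable reference, `lib-secret-manager[encryption] @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@<tag-or-full-commit-sha>` (placeholder), and bump it deliberately like the other dependencies. The same applies to any lockfile or container build that consumes this requirements.txt, which the diff does not show.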
@@ -1,37 +1,7 @@
-from cryptography.fernet import Fernet
 from simple_logger_handler import setup_logger
 logger = setup_logger(__name__)
-try:
-    with open("/etc/secrets/encryption_key","rb") as file:
-        encryption_key = file.read()
-except FileNotFoundError:
-    logger.fatal("[Secret Handler] Encryption key not found")
-    raise
-except Exception as e:
-    logger.fatal(f"[Secret Handler] Failed to read encryption key: {e}")
-    raise
-
-fernet = Fernet(encryption_key)
-
-def encrypt_token(token:str)->str:
-    return fernet.encrypt(token.encode()).decode()
-
-def decrypt_token(token:str)->str:
-    return fernet.decrypt(token.encode()).decode()
-
-def return_credentials(path: str)->str:
-    try:
-        with open (path) as file:
-            return file.read().strip()
-    except FileNotFoundError:
-        logger.fatal(f"[Secret Handler] Secret file not found: {path}")
-        raise
-    except Exception as e:
-        logger.fatal(f"[Secret Handler] Failed to read secret file {path}: {e}")
-        raise
-
 async def database_lookup_by_user_id(routing_key: str, db_manager):
     try:
         user_id = int(routing_key.split('.')[-1])
diff --git a/src/rabbitmq_handler.py b/src/rabbitmq_handler.py
index 7bf412f..165192d 100644
--- a/src/rabbitmq_handler.py
+++ b/src/rabbitmq_handler.py
@@ -1,7 +1,9 @@
 import asyncio
 import aio_pika
 from aio_pika.exceptions import AMQPException
-from secret_handler import return_credentials, database_lookup_by_user_id, decrypt_token, remove_inactive_push_token, database_lookup_by_uuid
+from secret_manager import return_credentials, cleanup_secret_files
+from secret_manager.fernet_encryption import decrypt_token
+from device_token_repository import database_lookup_by_user_id, remove_inactive_push_token, database_lookup_by_uuid
 import os
 from simple_logger_handler import setup_logger
 import json
@@ -295,6 +297,15 @@ async def main():
     await consumer.consume()
     stop_event = asyncio.Event()
+    SECRET_PATHS = frozenset({
+        "/etc/secrets/encryption_key",
+        "/etc/secrets/db_username",
+        "/etc/secrets/db_password",
+        "/etc/secrets/rmq_username",
+        "/etc/secrets/rmq_password"
+    })
+    cleanup_secret_files(SECRET_PATHS)
+
     for sig in (signal.SIGINT, signal.SIGTERM):
         asyncio.get_running_loop().add_signal_handler(sig, stop_event.set)
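Review bot: `cleanup_secret_files(SECRET_PATHS)` deletes the secret files unconditionally right after `consumer.consume()`, which is only safe if every reader of those paths has already loaded them into memory; `return_credentials` and `decrypt_token` now come from the external `secret_manager` package and nothing in this hunk shows whether they read eagerly at import or lazily on first use (for instance on a database or broker reconnect), so a later read would fail on a missing file. Please confirm that and record the assumption above the call, e.g. `# All secrets must already be in memory: the files are deleted here and are never re-read (not even on reconnect).` The `SECRET_PATHS` set also duplicates the path literals the library itself presumably reads, so deriving both from a single definition would keep them from drifting, and a local named in UPPER_SNAKE_CASE inside `main()` reads as a module constant and should be one. If `/etc/secrets` is a read-only mount, as secret volumes often are, the deletion may fail at startup depending on how `cleanup_secret_files` handles OSError, which this hunk does not show. `main()` starts and ends outside the hunk.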