notifier/backend-push-notifications
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Added lib-secret-manager which consumes secrets after application launch
All checks were successful
Build & Publish to GHCR / build (push) Successful in 50s
Details

Browse Source
This commit is contained in:
Florian 2025-11-05 22:21:33 +01:00
parent ab1b48fe06
commit d21f56a2ae
4 changed files with 14 additions and 32 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
requirements.txt
View File

@ -10,6 +10,7 @@ cffi==2.0.0
cryptography==46.0.2 cryptography==46.0.2
frozenlist==1.8.0 frozenlist==1.8.0
idna==3.11 idna==3.11
lib-secret-manager[encryption] @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@main
multidict==6.7.0 multidict==6.7.0
pamqp==3.3.0 pamqp==3.3.0
prometheus_client==0.23.1 prometheus_client==0.23.1

2
src/db.py
View File

@ -1,7 +1,7 @@
from contextlib import asynccontextmanager from contextlib import asynccontextmanager
import aiomysql import aiomysql
import asyncio import asyncio
from secret_handler import return_credentials from secret_manager import return_credentials
import os import os
from simple_logger_handler import setup_logger from simple_logger_handler import setup_logger
import pymysql.err import pymysql.err

30
src/secret_handler.py → src/device_token_repository.py
View File

@ -1,37 +1,7 @@
from cryptography.fernet import Fernet
from simple_logger_handler import setup_logger from simple_logger_handler import setup_logger
logger = setup_logger(__name__) logger = setup_logger(__name__)
try:
with open("/etc/secrets/encryption_key","rb") as file:
encryption_key = file.read()
except FileNotFoundError:
logger.fatal("[Secret Handler] Encryption key not found")
raise
except Exception as e:
logger.fatal(f"[Secret Handler] Failed to read encryption key: {e}")
raise
fernet = Fernet(encryption_key)
def encrypt_token(token:str)->str:
return fernet.encrypt(token.encode()).decode()
def decrypt_token(token:str)->str:
return fernet.decrypt(token.encode()).decode()
def return_credentials(path: str)->str:
try:
with open (path) as file:
return file.read().strip()
except FileNotFoundError:
logger.fatal(f"[Secret Handler] Secret file not found: {path}")
raise
except Exception as e:
logger.fatal(f"[Secret Handler] Failed to read secret file {path}: {e}")
raise
async def database_lookup_by_user_id(routing_key: str, db_manager): async def database_lookup_by_user_id(routing_key: str, db_manager):
try: try:
user_id = int(routing_key.split('.')[-1]) user_id = int(routing_key.split('.')[-1])

13
src/rabbitmq_handler.py
View File

@ -1,7 +1,9 @@
import asyncio import asyncio
import aio_pika import aio_pika
from aio_pika.exceptions import AMQPException from aio_pika.exceptions import AMQPException
from secret_handler import return_credentials, database_lookup_by_user_id, decrypt_token, remove_inactive_push_token, database_lookup_by_uuid from secret_manager import return_credentials, cleanup_secret_files
from secret_manager.fernet_encryption import decrypt_token
from device_token_repository import database_lookup_by_user_id, remove_inactive_push_token, database_lookup_by_uuid
import os import os
from simple_logger_handler import setup_logger from simple_logger_handler import setup_logger
import json import json
@ -295,6 +297,15 @@ async def main():
await consumer.consume() await consumer.consume()
stop_event = asyncio.Event() stop_event = asyncio.Event()
SECRET_PATHS = frozenset({
"/etc/secrets/encryption_key",
"/etc/secrets/db_username",
"/etc/secrets/db_password",
"/etc/secrets/rmq_username",
"/etc/secrets/rmq_password"
})
cleanup_secret_files(SECRET_PATHS)
for sig in (signal.SIGINT, signal.SIGTERM): for sig in (signal.SIGINT, signal.SIGTERM):
asyncio.get_running_loop().add_signal_handler(sig, stop_event.set) asyncio.get_running_loop().add_signal_handler(sig, stop_event.set)