Added lib-secret-manager which consumes secrets after application launch

requirements.txt

@@ -10,6 +10,7 @@ cffi==2.0.0
 cryptography==46.0.2
 frozenlist==1.8.0
 idna==3.11
+lib-secret-manager[encryption] @ git+https://git.gansejunge.com/notifier/lib-secret-manager.git@main
 multidict==6.7.0
 pamqp==3.3.0
 prometheus_client==0.23.1

src/db.py

@@ -1,7 +1,7 @@
 from contextlib import asynccontextmanager
 import aiomysql
 import asyncio
-from secret_handler import return_credentials
+from secret_manager import return_credentials
 import os
 from simple_logger_handler import setup_logger
 import pymysql.err

src/device_token_repository.py

@@ -1,37 +1,7 @@
-from cryptography.fernet import Fernet
 from simple_logger_handler import setup_logger
 
 logger = setup_logger(__name__)
 
-try:
-	with open("/etc/secrets/encryption_key","rb") as file:
-			  encryption_key = file.read()
-except FileNotFoundError:
-	logger.fatal("[Secret Handler] Encryption key not found")
-	raise
-except Exception as e:
-	logger.fatal(f"[Secret Handler] Failed to read encryption key: {e}")
-	raise
-
-fernet = Fernet(encryption_key)
-
-def encrypt_token(token:str)->str:
-	return fernet.encrypt(token.encode()).decode()
-
-def decrypt_token(token:str)->str:
-	return fernet.decrypt(token.encode()).decode()
-
-def return_credentials(path: str)->str:
-	try:
-		with open (path) as file:
-			return file.read().strip()
-	except FileNotFoundError:
-		logger.fatal(f"[Secret Handler] Secret file not found: {path}")
-		raise
-	except Exception as e:
-		logger.fatal(f"[Secret Handler] Failed to read secret file {path}: {e}")
-		raise
-
 async def database_lookup_by_user_id(routing_key: str, db_manager):
 	try:
 		user_id = int(routing_key.split('.')[-1])

src/rabbitmq_handler.py

@@ -1,7 +1,9 @@
 import asyncio
 import aio_pika
 from aio_pika.exceptions import AMQPException
-from secret_handler import return_credentials, database_lookup_by_user_id, decrypt_token, remove_inactive_push_token, database_lookup_by_uuid
+from secret_manager import return_credentials, cleanup_secret_files
+from secret_manager.fernet_encryption import decrypt_token
+from device_token_repository import database_lookup_by_user_id, remove_inactive_push_token, database_lookup_by_uuid
 import os
 from simple_logger_handler import setup_logger
 import json
@@ -295,6 +297,15 @@ async def main():
 	await consumer.consume()
 	stop_event = asyncio.Event()
 
+	SECRET_PATHS = frozenset({
+		"/etc/secrets/encryption_key",
+		"/etc/secrets/db_username",
+		"/etc/secrets/db_password",
+		"/etc/secrets/rmq_username",
+		"/etc/secrets/rmq_password"
+	})
+	cleanup_secret_files(SECRET_PATHS)
+
 	for sig in (signal.SIGINT, signal.SIGTERM):
 		asyncio.get_running_loop().add_signal_handler(sig, stop_event.set)