From 57d1a8208dbf51c31f140ead4cf0acf372c49759 Mon Sep 17 00:00:00 2001
From: Krishnakanth Alagiri
Date: Mon, 11 Apr 2022 00:49:25 +0530
Subject: [PATCH] Improved code quality (#7)

- Squashed potential bugs.
- Deepsource tags: BAN-B104, PTC-W0019, PTC-W0049, PYL-W0125, BAN-B605, PYL-R1710, PYL-R1722, PYL-W0621, PYL-W0613.
---
 .github/workflows/ci.yml | 2 +-
 Access/is_auth.py | 8 +++++---
 Access/tokens.py | 4 +++-
 Api/api.py | 3 ++-
 Dockerfile | 2 +-
 Engines/kv.py | 2 +-
 build.sh | 2 +-
 connection.py | 9 +++++----
 docker-compose.yml | 2 +-
 docs/README_dockerhub.md | 11 ++++++++---
 server.py | 3 +--
 11 files changed, 29 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 9982348..0a093b1 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -36,7 +36,7 @@ jobs:
 env:
 IMG_NAME: ${{ 'krishnaalagiri/ssm' }}
 # Versioning: MAJOR.MINOR.PATCH (eg., 1.2.3)
- VERSION_FULL: ${{ '1.1.1' }}
+ VERSION_FULL: ${{ '1.1.2' }}
 # For v1.2.3, VERSION_SHORT is '1.2'
 VERSION_SHORT: ${{ '1.1' }}
 # For v1.2.3, VERSION_MAJOR is '1'
diff --git a/Access/is_auth.py b/Access/is_auth.py
index 13516a0..e76c4a3 100644
--- a/Access/is_auth.py
+++ b/Access/is_auth.py
@@ -10,15 +10,16 @@
 @token.verify_token
-def abort_if_authorization_fail(token):
+def abort_if_authorization_fail(token_to_check):
 """
 Check if an API token is valid
 Args:
- token (str): API Token
+ token_to_check (str): API Token
 """
- check, username = conn.tokens.is_authorized(token)
+ check, username = conn.tokens.is_authorized(token_to_check)
 if check:
 return username
 api.abort(401, "Not Authorized to access the requested resource")
+ return None
 @userpass.verify_password
@@ -26,3 +27,4 @@ def verify_userpass(username, password):
 if conn.userpass.is_authorized(username, password):
 return username
 api.abort(401, "Not Authorized to access the requested resource")
+ return None
diff --git a/Access/tokens.py b/Access/tokens.py
index 7724b1b..6e52de1 100644
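Review bot: The `return None` added after `api.abort(401, ...)` in `abort_if_authorization_fail` is unreachable — `Api.abort` in flask-restx/restplus (which the `Api(...)` call in `Api/api.py` suggests is in use) raises an `HTTPException` rather than returning — and the same holds for the `return None` added to `verify_userpass` in the second hunk, whose `def` line lies outside it. If the line is kept only to satisfy PYL-R1710, mark it so the next reader does not hunt for a code path that reaches it: `return None  # unreachable: api.abort() raises`. Since these are `verify_token` / `verify_password` callbacks, a `None` return is itself treated as "not authenticated" by the auth extension (presumably flask-httpauth), so the explicit `abort` is what fixes the status and message; a one-line comment saying that is deliberate would help.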
--- a/Access/tokens.py
+++ b/Access/tokens.py
@@ -1,7 +1,7 @@
 #!/usr/bin/env python3
 """ Token authentication for Secrets Manager """
-# TODO: Max TTL, Access Control
+# TODO: Implement Max TTL, Access Control
 from bson.timestamp import Timestamp
 import datetime as dt
@@ -30,6 +30,7 @@ def generate(self, username, max_ttl=15811200):
 data = {
 "token": token,
 "owner": username,
+ "max_ttl": max_ttl,
 "generated_on": Timestamp(int(dt.datetime.today().timestamp()), 1),
 }
 _ = self._tokens.insert_one(data)
@@ -66,4 +67,5 @@ def is_authorized(self, token):
 return True, finder["owner"]
 def renew(self):
+ # TODO: Implement renew to extend MAX TTL
 pass
diff --git a/Api/api.py b/Api/api.py
index e386bbe..767ed59 100644
--- a/Api/api.py
+++ b/Api/api.py
@@ -17,7 +17,7 @@ conn = Connection()
 api_v1 = Blueprint("api", __name__, url_prefix="/api")
-api = Api(api_v1, version="1.1.1", title="Simple Secrets Manager",
+api = Api(api_v1, version="1.1.2", title="Simple Secrets Manager",
 description="Secrets management simplified", authorizations=authorizations)
 app = Flask(__name__)
@@ -26,6 +26,7 @@
 # Import API Resources
 # The below conditions prevents IDE auto-formatting
+# skipcq: PYL-W0125
 if True:
 # Secret Engines
 from Api.resources.secrets.kv_resource import Engine_KV # noqa: F401
diff --git a/Dockerfile b/Dockerfile
index 31352f3..424998b 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -3,7 +3,7 @@ FROM python:3.8-slim-buster
 LABEL com.ssm.title="Simple Secrets Manager"
-LABEL com.ssm.version="1.1.1"
+LABEL com.ssm.version="1.1.2"
 LABEL com.ssm.author.name="Krishnakanth Alagiri"
 LABEL com.ssm.author.github="https://github.com/bearlike"
 LABEL com.ssm.repo="https://github.com/bearlike/simple-secrets-manager"
diff --git a/Engines/kv.py b/Engines/kv.py
index 2230812..f79f343 100644
--- a/Engines/kv.py
+++ b/Engines/kv.py
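Review bot: `max_ttl` is now stored in the token document by `generate`, but nothing in these hunks enforces it: the visible tail of `is_authorized` still returns `True, finder["owner"]` without comparing `generated_on` against `max_ttl`, and `renew` remains a no-op, as the `# TODO: Implement Max TTL` line in the first hunk acknowledges. A comment on the new field, `"max_ttl": max_ttl,  # persisted only; expiry is not enforced yet`, would stop a reader from assuming tokens expire. `renew` should also fail loudly instead of `pass`, so a caller cannot mistake a silent no-op for a successful extension: `raise NotImplementedError("Tokens.renew is not implemented yet")`. Both `generate` and `is_authorized` begin outside their hunks, so an expiry check may exist in lines I cannot see.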
@@ -40,7 +40,7 @@ def add(self, path, key, value):
 # Create a Path where kv(s) goes into
 finder = {
 "path": path,
- "data": dict(),
+ "data": {},
 }
 _ = self._kv.insert_one(finder)
 if key not in finder["data"].keys():
diff --git a/build.sh b/build.sh
index 63afd03..41059ac 100644
--- a/build.sh
+++ b/build.sh
@@ -4,7 +4,7 @@
 # $ docker login -u
 #
 # We try to follow [SemVer v2.0.0](https://semver.org/)
-VERSION="1.1.1"
+VERSION="1.1.2"
 # If $VERSION = "1.2.3"
 # ${VERSION::3} will be "1.2"
 # ${VERSION::1} will be "1"
diff --git a/connection.py b/connection.py
index 144e70b..ebe5af1 100644
--- a/connection.py
+++ b/connection.py
@@ -1,12 +1,13 @@
 #!/usr/bin/env python3
-""" Brains for the Secrets Manager
+""" Database model for the Secrets Manager
 """
 import pymongo
 import logging
 import os
-# Secret Engines
+import sys
+# Secret engines imports
 from Engines.kv import Key_Value_Secrets as _KV
-# Auth Methods
+# Auth methods imports
 from Access.tokens import Tokens as _Tokens
 from Access.userpass import User_Pass as _User_Pass
@@ -15,7 +16,7 @@ class Connection:
 def __init__(self):
 if os.environ.get("CONNECTION_STRING") is None:
 logging.error("CONNECTION_STRING variable not found")
- exit(-1)
+ sys.exit(-1)
 # Create a connection using MongoClient.
 self._client = pymongo.MongoClient(os.environ["CONNECTION_STRING"])
 self._data = self._client["secrets_manager_data"]
diff --git a/docker-compose.yml b/docker-compose.yml
index 8ebfe9c..ceac82d 100644
--- a/docker-compose.yml
+++ b/docker-compose.yml
@@ -22,7 +22,7 @@ services:
 networks:
 - app-tier
- app:
+ ssm-app:
 image: krishnaalagiri/ssm:latest
 restart: always
 depends_on:
diff --git a/docs/README_dockerhub.md b/docs/README_dockerhub.md
index f9b8996..df51e37 100644
--- a/docs/README_dockerhub.md
+++ b/docs/README_dockerhub.md
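Review bot: `sys.exit(-1)` in `Connection.__init__` produces exit status 255 on POSIX (the value is taken modulo 256), and calling `sys.exit` from a constructor terminates whatever process imported the module — `Api/api.py` in this same patch runs `conn = Connection()` at import time, so a missing variable kills any importer, including a test runner. Raising keeps that decision with the entry point: `raise RuntimeError("CONNECTION_STRING variable not found")` after the `logging.error` call, with `server.py` deciding how to exit. If an immediate exit is really intended, `sys.exit(1)` is the conventional status. The `logging.error` message correctly omits the connection string itself, which carries database credentials; keep it that way if the message is ever extended.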
@@ -13,7 +13,8 @@ Secure storage, and delivery for tokens, passwords, API keys, and other secrets
 ## Supported tags and respective [Dockerfile](https://github.com/bearlike/simple-secrets-manager/blob/main/Dockerfile) links
-- [`1.1.1`, `1.1`, `1`, `latest`](https://github.com/bearlike/simple-secrets-manager/blob/releases/v1.1.1/Dockerfile)
+- [`1.1.2`, `1.1`, `1`, `latest`](https://github.com/bearlike/simple-secrets-manager/blob/releases/v1.1.2/Dockerfile)
+- [`1.1.1`](https://github.com/bearlike/simple-secrets-manager/blob/releases/v1.1.1/Dockerfile)
 - [`1.1.0`](https://github.com/bearlike/simple-secrets-manager/blob/releases/v1.1.0/Dockerfile)
 - [`1.0.0`, `1.0`](https://github.com/bearlike/simple-secrets-manager/blob/releases/v1.0.0/Dockerfile)
@@ -49,13 +50,16 @@ Hashi Corp Vault works well but it was meant for enterprises. Therefore, it was
 ## Getting started
 ### Automated Install: [`docker-compose`](https://docs.docker.com/compose/install/) (Recommended)
 1. Run the [stack](https://github.com/bearlike/simple-secrets-manager/blob/main/docker-compose.yml) by executing `docker-compose up -d`.
-
+2. Stop stack by executing `docker-compose down`
 ```yaml
 version: '3'
 volumes:
 mongo_data:
 services:
+ # From v5.0.0, mongoDB requires atleast ARMv8.2-A microarchitecture to run.
+ # So we're going with v4 to improve compatibility on SBCs such as
+ # Raspberry Pi 4 and Odroid C2 with ARMv8.0-A
 mongo:
 image: mongo:4
 restart: always
@@ -67,8 +71,9 @@ services:
 networks:
 - app-tier
- app:
+ ssm-app:
 image: krishnaalagiri/ssm:latest
+ restart: always
 depends_on:
 - mongo
 ports:
diff --git a/server.py b/server.py
index a13fb5e..f9f35b2 100644
--- a/server.py
+++ b/server.py
@@ -15,13 +15,12 @@ def init_app():
 from Api.api import app
- app.run(host='0.0.0.0',
+ app.run(host=os.environ.get("BIND_HOST", '0.0.0.0'),
 port=os.environ.get("PORT", 5000),
 debug=bool(strtobool(os.getenv('DEBUG', 'False'))),
 use_reloader=True)
 if __name__ == "__main__":
- os.system('cls' if os.name == 'nt' else 'clear')
 print("Server started...")
 init_app()
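Review bot: The default for `BIND_HOST` is still `'0.0.0.0'`, so the B104 finding is made overridable rather than resolved; that is a sensible default inside a container, but it interacts with `debug=bool(strtobool(os.getenv('DEBUG', 'False')))` two lines below — with `debug=True`, `app.run` enables the Werkzeug interactive debugger, which must not be reachable on a non-loopback bind. A comment at the call site would make both constraints explicit: `# BIND_HOST defaults to all interfaces for the container; DEBUG=True enables the Werkzeug debugger and is for local (127.0.0.1) use only`, or better a small guard that refuses `debug=True` unless the resolved host is a loopback address. `use_reloader=True` is also passed unconditionally, so the reloader process runs even in non-debug deployments; hoisting the debug value into a local and passing `use_reloader=debug` is the usual shape. The `os.system(...)` removal resolves B605 cleanly.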