c2cciutils 1.8.0.dev64__py3-none-any.whl → 1.8.0.dev68__py3-none-any.whl

c2cciutils/lib/docker.py

@@ -1,141 +0,0 @@
-"""Some utility functions for Docker images."""
-
-import os
-import subprocess  # nosec: B404
-from typing import Optional, cast
-
-import yaml
-from debian_inspector.version import Version
-
-import c2cciutils.configuration
-
-
-def get_dpkg_packages_versions(
-    image: str,
-    default_distribution: Optional[str] = None,
-    default_release: Optional[str] = None,
-) -> tuple[bool, dict[str, Version]]:
-    """
-    Get the versions of the dpkg packages installed in the image.
-
-    `get_dpkg_packages_versions("org/image:tag")` will return something like:
-    (true, {"debian_11/api": "2.2.0", ...})
-
-    Where `debian_11` corresponds on last path element for 'Debian 11'
-    from https://repology.org/repositories/statistics
-    """
-    dpkg_configuration = c2cciutils.get_config().get("dpkg", {})
-
-    os_release = {}
-    try:
-        os_release_process = subprocess.run(
-            ["docker", "run", "--rm", "--entrypoint=", image, "cat", "/etc/os-release"],
-            stdout=subprocess.PIPE,
-            check=True,
-        )
-        os_release = dict([e.split("=") for e in os_release_process.stdout.decode().split("\n") if e])
-    except subprocess.CalledProcessError:
-        print("Info: /etc/os-release not found in the image")
-
-    lsb_release = {}
-    try:
-        lsb_release_process = subprocess.run(
-            ["docker", "run", "--rm", "--entrypoint=", image, "cat", "/etc/lsb-release"],
-            stdout=subprocess.PIPE,
-            check=True,
-        )
-        lsb_release = dict([e.split("=") for e in lsb_release_process.stdout.decode().split("\n") if e])
-    except subprocess.CalledProcessError:
-        print("Info: /etc/lsb-release not found in the image")
-
-    distribution = os_release.get("ID", lsb_release.get("DISTRIB_ID", default_distribution))
-    release = os_release.get("VERSION_ID", lsb_release.get("DISTRIB_RELEASE", default_release))
-    if distribution is None:
-        print("Could not get the distribution of the image, you should provide a default distribution")
-        return False, {}
-    if release is None:
-        print("Could not get the release of the image, you should provide a default release")
-        return False, {}
-
-    distribution_final = distribution.strip('"').lower()
-    release_final = release.strip('"').replace(".", "_")
-    prefix = f"{distribution_final}_{release_final}/"
-    print(f"Found distribution '{distribution_final}', release '{release_final}'.")
-
-    if distribution_final == "ubuntu" and release_final == "18_04":
-        print("Warning: Ubuntu 18.04 is not supported")
-        return False, {}
-
-    package_version: dict[str, Version] = {}
-    packages_status_process = subprocess.run(
-        ["docker", "run", "--rm", "--entrypoint=", image, "dpkg", "--status"],
-        stdout=subprocess.PIPE,
-        check=True,
-    )
-    packages_status_1 = packages_status_process.stdout.decode().split("\n")
-    packages_status_2 = [e.split(": ", maxsplit=1) for e in packages_status_1]
-    packages_status = [e for e in packages_status_2 if len(e) == 2]
-    package = None
-    version = None
-    for name, value in packages_status:
-        if name == "Package":
-            if package is not None:
-                if version is None:
-                    print(f"Error: Missing version for package {package}")
-                else:
-                    if package not in dpkg_configuration.get("ignored_packages", []):
-                        package = dpkg_configuration.get("packages_mapping", {}).get(package, package)
-                        if package in package_version and version != package_version[package]:
-                            print(
-                                f"The package {package} has different version ({package_version[package]} != {version})"
-                            )
-                        if package not in ("base-files",):
-                            package_version[package] = version
-            package = value
-            version = None
-        if name == "Version" and version is None:
-            version = Version.from_string(value)
-
-    return True, {f"{prefix}{k}": v for k, v in package_version.items()}
-
-
-def get_versions_config() -> tuple[dict[str, dict[str, str]], bool]:
-    """Get the versions from the config file."""
-    if os.path.exists("ci/dpkg-versions.yaml"):
-        with open("ci/dpkg-versions.yaml", encoding="utf-8") as versions_file:
-            return (
-                cast(dict[str, dict[str, str]], yaml.load(versions_file.read(), Loader=yaml.SafeLoader)),
-                True,
-            )
-    return {}, False
-
-
-def check_versions(
-    versions_config: dict[str, str],
-    image: str,
-    default_distribution: Optional[str] = None,
-    default_release: Optional[str] = None,
-) -> bool:
-    """
-    Check if the versions are correct.
-
-    The versions of packages in the image should be present in the config file.
-    The versions of packages in the image shouldn't be older than the versions of the config file.
-    """
-    result, versions_image = get_dpkg_packages_versions(image, default_distribution, default_release)
-    if not result:
-        return False
-
-    success = True
-    for package, version in versions_image.items():
-        if package not in versions_config:
-            print(f"Package {package} with version {version} is not in the config file for the image {image}")
-            success = False
-        elif Version.from_string(versions_config[package]) > version:
-            print(
-                f"Package {package} is older than the config file for the image {image}: "
-                f"{versions_config[package]} > {version}."
-            )
-            success = False
-
-    return success

c2cciutils/lib/oidc.py

@@ -1,188 +0,0 @@
-"""
-Manage OpenID Connect (OIDC) token exchange for external services.
-
-Inspired by
-https://github.com/pypa/gh-action-pypi-publish/blob/unstable/v1/oidc-exchange.py
-"""
-
-import base64
-import json
-import os
-import sys
-from typing import NoReturn
-
-import id as oidc_id
-import requests
-
-
-class _OidcError(Exception):
-    pass
-
-
-def _fatal(message: str) -> NoReturn:
-    # HACK: GitHub Actions' annotations don't work across multiple lines naively;
-    # translating `\n` into `%0A` (i.e., HTML percent-encoding) is known to work.
-    # See: https://github.com/actions/toolkit/issues/193
-    message = message.replace("\n", "%0A")
-    print(f"::error::Trusted publishing exchange failure: {message}", file=sys.stderr)
-    raise _OidcError(message)
-
-
-def _debug(message: str) -> None:
-    print(f"::debug::{message.title()}", file=sys.stderr)
-
-
-def _render_claims(token: str) -> str:
-    _, payload, _ = token.split(".", 2)
-
-    # urlsafe_b64decode needs padding; JWT payloads don't contain any.
-    payload += "=" * (4 - (len(payload) % 4))
-    claims = json.loads(base64.urlsafe_b64decode(payload))
-
-    return f"""
-The claims rendered below are **for debugging purposes only**. You should **not**
-use them to configure a trusted publisher unless they already match your expectations.
-
-If a claim is not present in the claim set, then it is rendered as `MISSING`.
-
-* `sub`: `{claims.get("sub", "MISSING")}`
-* `repository`: `{claims.get("repository", "MISSING")}`
-* `repository_owner`: `{claims.get("repository_owner", "MISSING")}`
-* `repository_owner_id`: `{claims.get("repository_owner_id", "MISSING")}`
-* `job_workflow_ref`: `{claims.get("job_workflow_ref", "MISSING")}`
-* `ref`: `{claims.get("ref")}`
-
-See https://docs.pypi.org/trusted-publishers/troubleshooting/ for more help.
-"""
-
-
-def _get_token(hostname: str) -> str:
-    # Indices are expected to support `https://{hostname}/_/oidc/audience`,
-    # which tells OIDC exchange clients which audience to use.
-    audience_resp = requests.get(f"https://{hostname}/_/oidc/audience", timeout=5)
-    audience_resp.raise_for_status()
-
-    _debug(f"selected trusted publishing exchange endpoint: https://{hostname}/_/oidc/mint-token")
-
-    try:
-        oidc_token = oidc_id.detect_credential(audience=audience_resp.json()["audience"])
-    except oidc_id.IdentityError as identity_error:
-        _fatal(
-            f"""
-OpenID Connect token retrieval failed: {identity_error}
-
-This generally indicates a workflow configuration error, such as insufficient
-permissions. Make sure that your workflow has `id-token: write` configured
-at the job level, e.g.:
-
-```yaml
-permissions:
-  id-token: write
-```
-
-Learn more at https://docs.github.com/en/actions/deployment/security-hardening-your-deployments/about-security-hardening-with-openid-connect#adding-permissions-settings.
-"""
-        )
-
-    # Now we can do the actual token exchange.
-    mint_token_resp = requests.post(
-        f"https://{hostname}/_/oidc/mint-token",
-        json={"token": oidc_token},
-        timeout=5,
-    )
-
-    try:
-        mint_token_payload = mint_token_resp.json()
-    except requests.JSONDecodeError:
-        # Token exchange failure normally produces a JSON error response, but
-        # we might have hit a server error instead.
-        _fatal(
-            f"""
-Token request failed: the index produced an unexpected
-{mint_token_resp.status_code} response.
-
-This strongly suggests a server configuration or downtime issue; wait
-a few minutes and try again.
-
-You can monitor PyPI's status here: https://status.python.org/
-"""  # noqa: E702
-        )
-
-    # On failure, the JSON response includes the list of errors that
-    # occurred during minting.
-    if not mint_token_resp.ok:
-        reasons = "\n".join(
-            f"* `{error['code']}`: {error['description']}"
-            for error in mint_token_payload["errors"]  # noqa: W604
-        )
-
-        rendered_claims = _render_claims(oidc_token)
-
-        _fatal(
-            f"""
-Token request failed: the server refused the request for the following reasons:
-
-{reasons}
-
-This generally indicates a trusted publisher configuration error, but could
-also indicate an internal error on GitHub or PyPI's part.
-
-{rendered_claims}
-"""
-        )
-
-    pypi_token = mint_token_payload.get("token")
-    if not isinstance(pypi_token, str):
-        _fatal(
-            """
-Token response error: the index gave us an invalid response.
-
-This strongly suggests a server configuration or downtime issue; wait
-a few minutes and try again.
-"""
-        )
-
-    # Mask the newly minted PyPI token, so that we don't accidentally leak it in logs.
-    print(f"::add-mask::{pypi_token}")
-
-    # This final print will be captured by the subshell in `twine-upload.sh`.
-    return pypi_token
-
-
-def pypi_login() -> None:
-    """
-    Connect to PyPI using OpenID Connect and mint a token for the user.
-
-    See Also
-    --------
-    - https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect
-    - https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/configuring-openid-connect-in-pypi
-
-    """
-    pypirc_filename = os.path.expanduser("~/.pypirc")
-
-    if os.path.exists(pypirc_filename):
-        print(f"::info::{pypirc_filename} already exists; consider as already logged in.")  # noqa: E702
-        return
-
-    if "ACTIONS_ID_TOKEN_REQUEST_TOKEN" not in os.environ:
-        print(
-            """::error::Not available, you probably miss the permission `id-token: write`.
-              ```
-              permissions:
-                id-token: write
-              ```
-              See also: https://docs.github.com/en/actions/security-for-github-actions/security-hardening-your-deployments/about-security-hardening-with-openid-connect"""
-        )
-        return
-
-    try:
-        token = _get_token("pypi.org")
-        with open(pypirc_filename, "w", encoding="utf-8") as pypirc_file:
-            pypirc_file.write("[pypi]\n")
-            pypirc_file.write("repository: https://upload.pypi.org/legacy/\n")
-            pypirc_file.write("username: __token__\n")
-            pypirc_file.write(f"password: {token}\n")
-    except _OidcError:
-        # Already visible in logs; no need to re-raise.
-        return