laniakea-api-server 0.0.1__tar.gz

laniakea_api_server-0.0.1/.gitignore

@@ -0,0 +1,8 @@
+*.json
+__pycache__/
+.env
+test_*
+*.crt
+*.key
+test_enqueue.py
+

laniakea_api_server-0.0.1/PKG-INFO

@@ -0,0 +1,94 @@
+Metadata-Version: 2.4
+Name: laniakea-api-server
+Version: 0.0.1
+Summary: Laniakea Queue API — OIDC-authenticated gateway for cloud deployment orchestration
+Project-URL: Homepage, https://github.com/riccardocaccia/laniakea-api-redis
+Project-URL: Issues, https://github.com/riccardocaccia/laniakea-api-redis/issues
+Author: Laniakea Team
+License: MIT
+Keywords: aws,cloud,deployment,fastapi,openstack,orchestration,redis
+Classifier: Development Status :: 3 - Alpha
+Classifier: Framework :: FastAPI
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: System :: Systems Administration
+Requires-Python: >=3.10
+Requires-Dist: fastapi
+Requires-Dist: httpx
+Requires-Dist: hvac>=2.0.0
+Requires-Dist: openstacksdk
+Requires-Dist: psycopg2-binary
+Requires-Dist: pydantic>=2.0
+Requires-Dist: pyjwt
+Requires-Dist: python-dotenv
+Requires-Dist: pyyaml
+Requires-Dist: redis
+Requires-Dist: rq
+Requires-Dist: uvicorn[standard]
+Description-Content-Type: text/markdown
+
+# laniakea-api-server
+
+Laniakea Queue API — OIDC-authenticated gateway for cloud deployment orchestration.
+
+## Installation
+
+```bash
+pip install laniakea-api-server
+```
+
+## Configuration
+
+Create a `.env` file:
+
+```bash
+# Auth
+SECRET_KEY=generate-with-python3-secrets-token-hex-32
+SESSION_TTL_MINUTES=60
+OIDC_DISCOVERY_URL=https://iam.your-provider.it/.well-known/openid-configuration
+
+# Agent pool password
+AGENT_MASTER_PASSWORD=generate-with-python3-secrets-token-hex-32
+
+# Redis
+REDIS_HOST=your-redis-host
+REDIS_PORT=6379
+REDIS_PASSWORD=your-redis-password
+
+# PostgreSQL
+PG_HOST=your-pg-host
+PG_PORT=5432
+PG_DATABASE=your-db-name
+PG_USER=your-db-user
+PG_PASSWORD=your-db-password
+
+# Vault
+VAULT_ADDR=https://your-vault:8200
+VAULT_WRITER_TOKEN=hvs.xxxxxxxxxxxx
+VAULT_TLS_VERIFY=false
+
+# TLS (only needed with --ssl flag)
+SSL_KEYFILE=certs/api.key
+SSL_CERTFILE=certs/api.crt
+
+# Logs
+DEPLOYMENT_LOG_DIR=/var/log/laniakea-agent
+```
+
+## Usage
+
+```bash
+# HTTP (testing)
+laniakea-api --port 8000
+
+# HTTPS (production)
+laniakea-api --port 8443 --ssl
+
+# Custom env file
+laniakea-api --env /etc/laniakea/api.env --ssl
+```
+

laniakea_api_server-0.0.1/README.md

@@ -0,0 +1,61 @@
+# laniakea-api-server
+
+Laniakea Queue API — OIDC-authenticated gateway for cloud deployment orchestration.
+
+## Installation
+
+```bash
+pip install laniakea-api-server
+```
+
+## Configuration
+
+Create a `.env` file:
+
+```bash
+# Auth
+SECRET_KEY=generate-with-python3-secrets-token-hex-32
+SESSION_TTL_MINUTES=60
+OIDC_DISCOVERY_URL=https://iam.your-provider.it/.well-known/openid-configuration
+
+# Agent pool password
+AGENT_MASTER_PASSWORD=generate-with-python3-secrets-token-hex-32
+
+# Redis
+REDIS_HOST=your-redis-host
+REDIS_PORT=6379
+REDIS_PASSWORD=your-redis-password
+
+# PostgreSQL
+PG_HOST=your-pg-host
+PG_PORT=5432
+PG_DATABASE=your-db-name
+PG_USER=your-db-user
+PG_PASSWORD=your-db-password
+
+# Vault
+VAULT_ADDR=https://your-vault:8200
+VAULT_WRITER_TOKEN=hvs.xxxxxxxxxxxx
+VAULT_TLS_VERIFY=false
+
+# TLS (only needed with --ssl flag)
+SSL_KEYFILE=certs/api.key
+SSL_CERTFILE=certs/api.crt
+
+# Logs
+DEPLOYMENT_LOG_DIR=/var/log/laniakea-agent
+```
+
+## Usage
+
+```bash
+# HTTP (testing)
+laniakea-api --port 8000
+
+# HTTPS (production)
+laniakea-api --port 8443 --ssl
+
+# Custom env file
+laniakea-api --env /etc/laniakea/api.env --ssl
+```
+

laniakea_api_server-0.0.1/laniakea_api/__init__.py

@@ -0,0 +1,5 @@
+"""
+OIDC-authenticated gateway for enqueuing cloud deployment jobs.
+"""
+
+__version__ = "0.0.1"

laniakea_api_server-0.0.1/laniakea_api/auth.py

@@ -0,0 +1,113 @@
+"""
+all Pydantic models used across the api.
+"""
+
+from typing import Optional
+from pydantic import BaseModel
+
+
+class OIDCLoginRequest(BaseModel):
+    """
+    Only the aai token is needed.
+    """
+    oidc_token: str
+
+
+class SessionTokenResponse(BaseModel):
+    """
+    If the token check is OK returns:
+    """
+    session_token: str
+    token_type:    str = "bearer" # checks if the user has the correct permission
+    expires_in:    int            # sec.
+    user_info:     dict
+
+
+class UserCredentials(BaseModel):
+    """
+    Provider credentials associated with the user
+    Stored in Vault in secret/data/<sub>/credentials.
+    OpenStack: app_credentials or aai_token.
+    AWS: app_credentials
+    """
+    # NOTE: now no credentials is essential. Consider changing this logic
+    # OpenStack
+    openstack_ssh_key:               Optional[str] = None
+    openstack_app_credential_id:     Optional[str] = None
+    openstack_app_credential_secret: Optional[str] = None
+    openstack_proxy_host:            Optional[str] = None
+    openstack_auth_url:              Optional[str] = None
+    openstack_region_name:           Optional[str] = None
+    openstack_interface:             Optional[str] = None
+    openstack_identity_api_version:  Optional[str] = None
+    # AWS
+    aws_ssh_key:    Optional[str] = None #NOTE:mmmm I already have one in openstack, change key name ecc
+    aws_access_key: Optional[str] = None
+    aws_secret_key: Optional[str] = None
+    aws_bastion_ip: Optional[str] = None
+
+
+class DeploymentRequest(BaseModel):
+    """
+    Full deployment configuration (deployment_info.json), matching the structure used by workers.
+    The auth.aai_token field carries the OIDC token so that workers can exchange it for a keystone token
+    token when they process the job.
+    """
+    deployment_uuid:   str    # NOTE: the dashboard needs to create a uuid for each job
+    timestamp:         str
+    description:       str    # optional or mandatory? check teams
+    auth:              dict   # { aai_token, sub, group }
+    orchestrator:      dict   # target_provider, desired_orchestrator, endpoint
+    selected_provider: str    # OpenStack | AWS
+    cloud_providers:   dict
+
+
+class JobResponse(BaseModel):
+    job_id:          str
+    queue_name:      str
+    deployment_uuid: str
+    status:          str
+    message:         str
+
+
+class StatusUpdateRequest(BaseModel):
+    """
+    Payload sent by the agent to update a deployment status.
+    Only the agent (authenticated via mTLS client cert) can call PATCH /internal/...
+    """
+    status:        str
+    status_reason: Optional[str] = None
+    outputs:       Optional[str] = None
+
+
+class LogLineRequest(BaseModel):
+    """
+    A single log line pushed by the agent.
+    The API appends it to logs/orchestrator-{uuid}.log on the API VM.
+    """
+    level:   str   # INFO, ERROR, WARNING, ...
+    message: str
+
+
+class CredentialTestRequest(BaseModel):
+    """
+    Tests users app credential communicating with OpenStack.
+    Object used in credential.py
+    """
+    os_auth_url:                      str
+    os_application_credential_id:     str
+    os_application_credential_secret: str
+    os_region_name:                   str = "RegionOne"
+    os_interface:                     str = "public"
+
+
+class CredentialTestResponse(BaseModel):
+    """
+    Give back the check over the app credential validity, after
+    the user requests the test on the Dashboard.
+    """
+    success:      bool
+    message:      str
+    server_count: int = 0
+    detail:       str = ""
+

laniakea_api_server-0.0.1/laniakea_api/config.py

@@ -0,0 +1,53 @@
+"""
+Import the .env
+Inizialize all the service: Redis, Vault, Posgre
+"""
+
+import os
+
+# Authentication
+SECRET_KEY          = os.getenv("SECRET_KEY", "")
+ALGORITHM           = "HS256"
+SESSION_TTL_MINUTES = int(os.getenv("SESSION_TTL_MINUTES", "60")) # NOTE: maybe longer
+OIDC_DISCOVERY_URL  = os.getenv("OIDC_DISCOVERY_URL", "")
+
+# Agent pool password
+# to revoke ALL agents: change this value and restart API + all agents.
+AGENT_MASTER_PASSWORD = os.getenv("AGENT_MASTER_PASSWORD", "")
+
+# Redis
+REDIS_HOST     = os.getenv("REDIS_HOST", "")
+# NOTE: Idk port
+REDIS_PORT     = int(os.getenv("REDIS_PORT", "1908"))
+REDIS_PASSWORD = os.getenv("REDIS_PASSWORD", "")
+
+# vault 
+VAULT_ADDR         = os.getenv("VAULT_ADDR", "")
+VAULT_WRITER_TOKEN = os.getenv("VAULT_WRITER_TOKEN", "")
+VAULT_TLS_VERIFY   = os.getenv("VAULT_TLS_VERIFY", "false").lower() == "true"
+VAULT_MOUNT        = "secret"
+
+# PostgreSQL
+PG_HOST     = os.getenv("PG_HOST", "localhost")
+PG_PORT     = int(os.getenv("PG_PORT", "5432"))
+PG_DATABASE = os.getenv("PG_DATABASE", "")
+PG_USER     = os.getenv("PG_USER", "")
+PG_PASSWORD = os.getenv("PG_PASSWORD", "")
+
+# Deployment logs
+# One file per deployment: terraform_{uuid}.log
+# Agent pushes lines via POST /internal/deployments/{uuid}/logs.
+# Dashboard reads via GET /api/deployments/{uuid}/logs.
+LOG_DIR = os.getenv("DEPLOYMENT_LOG_DIR", "/var/log/laniakea-agent")
+
+# NOTE: UPDATE.. still not used
+# deployment status
+VALID_STATUSES = {
+    "QUEUED",
+    "CREATE_IN_PROGRESS",
+    "CREATE_COMPLETE",
+    "CREATE_FAILED",
+    "UPDATE_IN_PROGRESS",
+    "UPDATE_FAILED",
+}
+

laniakea_api_server-0.0.1/laniakea_api/credential_parser.py

@@ -0,0 +1,178 @@
+"""
+Parses OpenStack credential files (.sh RC file or clouds.yaml) and returns
+a structured dict ready to be sent to POST /profile/credentials.
+
+Supports:
+  - RC file  (export OS_APPLICATION_CREDENTIAL_ID=xxx ...)
+  - clouds.yaml (single or multi-cloud)
+
+Standalone usage (TEST ONLY):
+    python3 credential_parser.py openrc.sh
+    python3 credential_parser.py clouds.yaml
+    python3 credential_parser.py clouds.yaml --cloud openstack
+
+"""
+
+import argparse
+import os
+import re
+import sys
+from pathlib import Path
+from typing import Optional
+
+try:
+    import yaml
+    HAS_YAML = True
+except ImportError:
+    HAS_YAML = False
+
+# RC file parser
+# Maps RC env var names needed for internal credential field names
+_RC_FIELD_MAP = {
+    "OS_AUTH_URL":                      "openstack_auth_url",
+    "OS_APPLICATION_CREDENTIAL_ID":     "openstack_app_credential_id",
+    "OS_APPLICATION_CREDENTIAL_SECRET": "openstack_app_credential_secret",
+    "OS_REGION_NAME":                   "openstack_region_name",
+    "OS_INTERFACE":                     "openstack_interface",
+    "OS_IDENTITY_API_VERSION":          "openstack_identity_api_version",
+}
+
+def _parse_rc_file(path: Path) -> dict:
+    """
+    Parse a bash RC file like:
+        export OS_AUTH_URL=https://keystone...
+        export OS_APPLICATION_CREDENTIAL_ID=abc123
+    """
+    result = {}
+    # matches: export KEY=value or KEY=value (with optional ecport and quotes)
+    pattern = re.compile(r"""^\s*(?:export\s+)?(\w+)=["\']?([^"\';\n]*)["\']?\s*$""")
+
+    for line in path.read_text().splitlines():
+        m = pattern.match(line)
+        # if the line matches the schema it continues putting it inside the result dict
+        if not m:
+            continue
+        env_key, value = m.group(1).strip(), m.group(2).strip()
+        field = _RC_FIELD_MAP.get(env_key)
+        if field and value:
+            result[field] = value
+    return result
+
+#clouds.yaml parser
+
+def _parse_clouds_yaml(path: Path, cloud_name: Optional[str] = None) -> dict:
+    """
+    Parse a clouds.yaml file.
+    If cloud_name is None and there is only one cloud entry, use that one.
+    """
+    # NOTE: put it in the requirement 
+    if not HAS_YAML:
+        raise ImportError("PyYAML is required to parse clouds.yaml. Run: pip install pyyaml")
+
+    raw = yaml.safe_load(path.read_text()) # from yaml to python dict
+    clouds = raw.get("clouds", {})
+
+    if not clouds:
+        raise ValueError("No 'clouds' section found in the file.")
+
+    # auto-select if only one cloud
+    # if user hasn't specifyed with parser
+    # NOTE: to be removed outside test 
+    if cloud_name is None:
+        if len(clouds) == 1:
+            cloud_name = next(iter(clouds))
+        else:
+            raise ValueError(
+                f"Multiple clouds found: {list(clouds.keys())}. "
+                "Specify one with --cloud <name>."
+            )
+
+    if cloud_name not in clouds:
+        raise ValueError(f"Cloud '{cloud_name}' not found. Available: {list(clouds.keys())}")
+
+    entry = clouds[cloud_name]
+    auth  = entry.get("auth", {})
+
+    result = {}
+
+    # auth block
+    # add fields to the result
+    if auth.get("auth_url"):
+        result["openstack_auth_url"] = auth["auth_url"]
+    if auth.get("application_credential_id"):
+        result["openstack_app_credential_id"] = auth["application_credential_id"]
+    if auth.get("application_credential_secret"):
+        result["openstack_app_credential_secret"] = auth["application_credential_secret"]
+    if entry.get("region_name"):
+        result["openstack_region_name"] = entry["region_name"]
+    if entry.get("interface"):
+        result["openstack_interface"] = entry["interface"]
+    if entry.get("identity_api_version"):
+        result["openstack_identity_api_version"] = str(entry["identity_api_version"])
+
+    return result
+
+# Public API
+
+def parse_credential_file(path: str, cloud_name: Optional[str] = None) -> dict:
+    """
+    Auto-detect file type (.sh / .yaml / .yml) and return a dict of credentials.
+
+    Returns dict with any of:
+        openstack_auth_url
+        openstack_app_credential_id
+        openstack_app_credential_secret
+        openstack_region_name
+        openstack_interface
+        openstack_identity_api_version
+    """
+    p = Path(path)
+    if not p.exists():
+        raise FileNotFoundError(f"Credential file not found: {path}")
+
+    suffix = p.suffix.lower()
+
+    if suffix in (".yaml", ".yml"):
+        creds = _parse_clouds_yaml(p, cloud_name)
+    elif suffix in (".sh", ".env", ""):
+        creds = _parse_rc_file(p)
+    else:
+        # try RC first, fall back to YAML
+        try:
+            creds = _parse_rc_file(p)
+            if not creds:
+                raise ValueError("No RC fields found")
+        except Exception:
+            creds = _parse_clouds_yaml(p, cloud_name)
+
+    if not creds:
+        raise ValueError(f"No recognizable OpenStack credentials found in '{path}'.")
+
+    return creds
+
+
+def _print_parsed(creds: dict) -> None:
+    """
+    Print the parsed credential masking ids and secrets.
+    """
+    print("\nParsed credentials:")
+    for k, v in creds.items():
+        # mask the secret
+        display = v[:4] + "***" if ("secret" in k or "id" in k) in k and len(v) > 4 else v
+        print(f"  {k:<45} {display}")
+    print()
+
+# main block
+if __name__ == "__main__":
+    parser = argparse.ArgumentParser(description="Parse OpenStack RC or clouds.yaml credential file")
+    parser.add_argument("file",  help="Path to the RC file (.sh) or clouds.yaml")
+    parser.add_argument("--cloud", default=None, help="Cloud name to use (clouds.yaml only)")
+    args = parser.parse_args()
+
+    try:
+        creds = parse_credential_file(args.file, cloud_name=args.cloud)
+        _print_parsed(creds)
+    except Exception as exc:
+        print(f"ERROR: {exc}", file=sys.stderr)
+        sys.exit(1)
+

laniakea_api_server-0.0.1/laniakea_api/database.py

@@ -0,0 +1,128 @@
+"""
+PostgreSQL connection.
+The agent has NO direct DB access, **all writes go through the API**
+"""
+
+import os
+from datetime import datetime
+from typing import Optional
+import psycopg2
+from psycopg2.extras import RealDictCursor
+from laniakea_api.config import PG_HOST, PG_PORT, PG_DATABASE, PG_USER, PG_PASSWORD
+
+
+def get_conn():
+    """
+    Open and return a new PostgreSQL connection.
+    """
+    # act over config.py before changing here
+    return psycopg2.connect(
+        host=PG_HOST,
+        port=PG_PORT,
+        database=PG_DATABASE,
+        user=PG_USER,
+        password=PG_PASSWORD,
+    )
+
+def create_deployment(
+    uuid: str, user_sub: str, username: str, description: str, provider: str, requested_at: datetime,
+    ) -> None:
+    """
+    Insert a new deployment row with status QUEUED.
+    Called by the API the moment a job is accepted, 
+    (db before redis)
+    """
+    conn = get_conn()
+    try:
+        with conn.cursor() as cur:
+            cur.execute(
+                """
+                INSERT INTO users (sub, username, email, role, active)
+                VALUES (%s, %s, %s, 'user', true)
+                ON CONFLICT (sub) DO NOTHING
+                """,
+                (user_sub, username, ""),
+            )
+            cur.execute(
+                """
+                INSERT INTO deployments (
+                    uuid, status, creation_time, update_time,
+                    description, provider_name, sub
+                ) VALUES (%s, %s, %s, %s, %s, %s, %s)
+                ON CONFLICT (uuid) DO UPDATE
+                    SET status      = EXCLUDED.status,
+                        update_time = EXCLUDED.update_time
+                """,
+                (uuid, "QUEUED", requested_at, requested_at, description, provider, user_sub),
+            )
+        conn.commit()
+    finally:
+        conn.close()
+
+def update_status(
+    uuid: str, new_status: str, status_reason: Optional[str] = None, outputs: Optional[str] = None,
+    ) -> bool:
+    """
+    Update the status of an existing deployment.
+    Returns True if a row was updated, False if uuid not found.
+    """
+    conn = get_conn()
+    try:
+        with conn.cursor() as cur:
+            cur.execute(
+                """
+                UPDATE deployments
+                SET status        = %s,
+                    status_reason = COALESCE(%s, status_reason),
+                    outputs       = COALESCE(%s, outputs),
+                    update_time   = %s
+                WHERE uuid = %s
+                """,
+                (new_status, status_reason, outputs, datetime.utcnow(), uuid),
+            )
+            updated = cur.rowcount > 0
+        conn.commit()
+        return updated
+    finally:
+        conn.close()
+
+def get_deployment(uuid: str) -> Optional[dict]:
+    """
+    Fetch a single deployment row by uuid. Returns None if not found.
+    """
+    conn = get_conn()
+    try:
+        with conn.cursor(cursor_factory=RealDictCursor) as cur:
+            cur.execute("SELECT * FROM deployments WHERE uuid = %s", (uuid,))
+            row = cur.fetchone()
+            return dict(row) if row else None
+    finally:
+        conn.close()
+
+def list_deployments(user_sub: str) -> list:
+    """
+    Fetch all deployments owned by a user, ordered by creation time desc.
+    """
+    conn = get_conn()
+    try:
+        with conn.cursor(cursor_factory=RealDictCursor) as cur:
+            cur.execute(
+                "SELECT * FROM deployments WHERE sub = %s ORDER BY creation_time DESC",
+                (user_sub,),
+            )
+            return [dict(r) for r in cur.fetchall()]
+    finally:
+        conn.close()
+
+def check_connection() -> str:
+    """
+    Returns 'connected' or an error string. 
+    Used by /health.
+    """
+    try:
+        conn = get_conn()
+        conn.close()
+        return "connected"
+    except Exception as exc:
+        return f"error: {exc}"
+

laniakea_api_server-0.0.1/laniakea_api/main.py

@@ -0,0 +1,58 @@
+"""
+Registers all routers and starts uvicorn
+"""
+
+import os
+import uvicorn
+from fastapi import FastAPI
+from laniakea_api.routers import agent, credentials, deployments, health
+
+# FastAPI App
+
+app = FastAPI(
+    title="Laniakea Queue API",
+    description="OIDC-authenticated gateway for enqueuing cloud deployment jobs.",
+    version="1.4.0",
+)
+
+# NOTE: CHANGE HERE for path
+# Route prefixes
+BASE    = "/laniakea_core/v1.0"
+INTERNAL = BASE + "/internal"
+
+app.include_router(credentials.router, prefix=BASE)
+app.include_router(deployments.router, prefix=BASE)
+app.include_router(agent.router,       prefix=INTERNAL)
+app.include_router(health.router)       # /health:no prefix
+
+############ Routes registered ############################
+#NOTE: Add or remove every new modification
+#
+# Public (dashboard):
+#   POST   /laniakea_core/v1.0/auth/oidc
+#   POST   /laniakea_core/v1.0/profile/credentials
+#   POST   /laniakea_core/v1.0/profile/credentials/test
+#   POST   /laniakea_core/v1.0/api/deployments
+#   GET    /laniakea_core/v1.0/api/deployments
+#   GET    /laniakea_core/v1.0/api/deployments/{uuid}
+#   GET    /laniakea_core/v1.0/api/deployments/{uuid}/logs
+#
+# Internal (agent only):
+#   PATCH  /laniakea_core/v1.0/internal/deployments/{uuid}/status
+#   POST   /laniakea_core/v1.0/internal/deployments/{uuid}/logs
+#
+# Monitoring:
+#   GET    /health
+
+# Entry point uvicorn 
+if __name__ == "__main__":
+    uvicorn.run(
+        "main:app",
+        host="0.0.0.0",
+        port=8443,
+        ssl_keyfile=os.getenv("SSL_KEYFILE", "certs/api.key"),
+        ssl_certfile=os.getenv("SSL_CERTFILE", "certs/api.crt"),
+        log_level="info",
+        reload=False,
+    )
+

laniakea_api_server-0.0.1/laniakea_api/queue.py

@@ -0,0 +1,97 @@
+"""
+Redis connection and RQ queue setup
+"""
+
+import hvac
+from fastapi import HTTPException, status
+from redis import Redis
+from rq import Queue
+from config import (REDIS_HOST, REDIS_PORT, REDIS_PASSWORD,
+                    VAULT_ADDR, VAULT_WRITER_TOKEN, VAULT_TLS_VERIFY, VAULT_MOUNT,)
+
+# Redis
+redis_conn = Redis(
+    host=REDIS_HOST,
+    port=REDIS_PORT,
+    password=REDIS_PASSWORD,
+    decode_responses=False,  # RQ uses binary pickle
+)
+
+# NOTE: need a final decision over the queues names
+queues: dict = {
+    "openstack": Queue("openstack", connection=redis_conn),
+    "aws":       Queue("aws",       connection=redis_conn),
+}
+
+# NOTE: is this necessary? check 
+PROVIDER_TO_QUEUE: dict = {
+    "openstack": "openstack",
+    "Openstack": "openstack",
+    "OpenStack": "openstack",
+    "aws":       "aws",
+    "AWS":       "aws",
+    "Aws":       "aws",
+}
+
+def get_queue(provider: str) -> tuple:
+    """
+    Returns (queue_name, Queue) for the given provider string.
+    Raises HTTP 400 if the provider is not supported.
+    """
+    queue_name = PROVIDER_TO_QUEUE.get(provider)
+    if not queue_name:
+        raise HTTPException(
+            status_code=status.HTTP_400_BAD_REQUEST,
+            detail=f"Unsupported provider '{provider}'. Supported: {list(PROVIDER_TO_QUEUE.keys())}",
+        )
+    return queue_name, queues[queue_name]
+
+def check_redis() -> str:
+    """
+    Returns 'connected' or an error string. 
+    Used by /health.
+    """
+    try:
+        redis_conn.ping()
+        return "connected"
+    except Exception as exc:
+        return f"error: {exc}"
+
+# Vault
+# see config.py
+vault_client = hvac.Client(
+    url=VAULT_ADDR,
+    token=VAULT_WRITER_TOKEN,
+    verify=VAULT_TLS_VERIFY,
+)
+
+def vault_write_credentials(user_sub: str, creds: dict) -> str:
+    """
+    Write user credentials to Vault under secret/data/<sub>/credentials.
+    Returns the vault path on success; raises HTTP 502 on failure.
+    """
+    vault_path = f"{user_sub}/credentials"
+    try:
+        vault_client.secrets.kv.v2.create_or_update_secret(
+            path=vault_path,
+            secret=creds,
+            mount_point=VAULT_MOUNT,
+        )
+    except Exception as exc:
+        raise HTTPException(
+            status_code=status.HTTP_502_BAD_GATEWAY,
+            detail=f"Vault write failed: {exc}",
+        )
+    return vault_path
+
+
+def check_vault() -> str:
+    """
+    Returns 'authenticated' or an error string.
+    Used by /health.
+    """
+    try:
+        return "authenticated" if vault_client.is_authenticated() else "unauthenticated"
+    except Exception as exc:
+        return f"error: {exc}"
+

laniakea_api_server-0.0.1/laniakea_api/routers/agent.py

@@ -0,0 +1,98 @@
+"""
+internal endpoints called exclusively by laniakea-agent.
+
+PATCH /internal/deployments/{uuid}/status
+POST  /internal/deployments/{uuid}/logs
+"""
+
+import os
+from datetime import datetime
+from fastapi import APIRouter, Depends, HTTPException, status
+import database as db
+from laniakea_api.auth import verify_agent_token
+from laniakea_api.config import VALID_STATUSES, LOG_DIR
+from laniakea_api.models import StatusUpdateRequest, LogLineRequest
+
+router = APIRouter()
+
+def _validate_transition(current: str, new_status: str, uuid: str) -> None:
+    """
+    Raise 409 Conflict if the requested state transition is not allowed
+    """
+    allowed = {
+        "QUEUED":              {"CREATE_IN_PROGRESS", "UPDATE_IN_PROGRESS"},
+        "CREATE_IN_PROGRESS":  {"CREATE_COMPLETE", "CREATE_FAILED"},
+        "UPDATE_IN_PROGRESS":  {"UPDATE_FAILED"},
+        "CREATE_COMPLETE":     set(),
+        "CREATE_FAILED":       set(),
+        "UPDATE_FAILED":       set(),}
+
+    permitted = allowed.get(current, set())
+    if new_status not in permitted:
+        raise HTTPException(
+            status_code=status.HTTP_409_CONFLICT,
+            detail=(
+                f"Deployment {uuid}: transition {current!r} -> {new_status!r} is not allowed. "
+                f"Permitted next states: {sorted(permitted) or 'none (terminal state)'}."
+            ),
+        )
+
+
+@router.patch("/deployments/{uuid}/status")
+async def agent_update_status(
+    uuid: str, body: StatusUpdateRequest, agent_id: str = Depends(verify_agent_token),):
+    """
+    Called exclusively by laniakea-agent to transition a deployment status.
+
+    Auth: the agent sends a short-lived token signed with AGENT_MASTER_PASSWORD. 
+    No client certificates needed.
+
+    If the token is invalid (wrong/rotated password) the API updates the
+    deployment to CREATE_FAILED before returning 401, so the dashboard
+    always shows a meaningful state instead of QUEUED forever.
+    """
+    new_status = body.status.upper()
+    if new_status not in VALID_STATUSES:
+        raise HTTPException(
+            status_code=status.HTTP_422_UNPROCESSABLE_ENTITY,
+            detail=f"Unknown status '{new_status}'. Valid: {sorted(VALID_STATUSES)}",
+        )
+
+    row = db.get_deployment(uuid)
+    if row is None:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"Deployment {uuid} not found.")
+
+    current = row.get("status", "")
+    _validate_transition(current, new_status, uuid)
+
+    updated = db.update_status(
+        uuid=uuid,
+        new_status=new_status,
+        status_reason=body.status_reason,
+        outputs=body.outputs,
+    )
+    if not updated:
+        raise HTTPException(status_code=status.HTTP_500_INTERNAL_SERVER_ERROR, detail="DB update failed.")
+
+    return {
+        "deployment_uuid": uuid,
+        "previous_status": current,
+        "new_status":      new_status,
+        "updated_by":      agent_id,
+        "updated_at":      datetime.utcnow().isoformat(),
+    }
+
+@router.post("/deployments/{uuid}/logs", status_code=204)
+async def agent_push_log(
+    uuid: str, body: LogLineRequest,agent_id: str = Depends(verify_agent_token),):
+    """
+    Receive a single log line from the agent and append it to
+    /var/log/laniakea-agent/terraform_{uuid}.log on the API VM.
+    The dashboard reads these logs via GET /api/deployments/{uuid}/logs.
+    """
+    os.makedirs(LOG_DIR, exist_ok=True)
+    log_path = os.path.join(LOG_DIR, f"terraform_{uuid}.log")
+    timestamp = datetime.utcnow().strftime("%Y-%m-%d %H:%M:%S")
+    line      = f"{timestamp} [{body.level}] {body.message}\n"
+    with open(log_path, "a") as f:
+        f.write(line)

laniakea_api_server-0.0.1/laniakea_api/routers/credentials.py

@@ -0,0 +1,98 @@
+"""
+User credential management.
+
+POST /auth/oidc
+POST /profile/credentials
+POST /profile/credentials/test
+"""
+
+from fastapi import APIRouter, Depends, HTTPException, status
+from laniakea_api.auth import fetch_userinfo, create_session_token, verify_session_token
+from laniakea_api.models import (OIDCLoginRequest, SessionTokenResponse,UserCredentials,
+                    CredentialTestRequest, CredentialTestResponse,)
+from laniakea_api.queue import vault_write_credentials, VAULT_MOUNT
+
+router = APIRouter()
+
+@router.post("/auth/oidc", response_model=SessionTokenResponse)
+async def login_oidc(req: OIDCLoginRequest):
+    """
+    exchange a valid OIDC access token for a short-lived API session token.
+
+    Flow:
+      1. Caller authenticates with the OIDC provider and obtains an access token.
+      2. POST /auth/oidc { "oidc_token": "<access_token>" }
+      3. This endpoint verifies the token against the provider's userinfo endpoint.
+      4. On success, returns a signed JWT session token
+      5. Use the session token as Bearer on all subsequent requests.
+    """
+    user_info = await fetch_userinfo(req.oidc_token)
+    session_token, expires_in = create_session_token(user_info)
+    return SessionTokenResponse(session_token=session_token, expires_in=expires_in,
+        # Add here additional information to include in the token
+        user_info={
+            "sub":      user_info.get("sub"),
+            "username": user_info.get("preferred_username"),
+            "email":    user_info.get("email"),
+            "groups":   user_info.get("groups", []),
+        },
+    )
+
+@router.post("/profile/credentials", status_code=201)
+async def save_credentials(creds: UserCredentials, caller: dict = Depends(verify_session_token),):
+    """
+    Save or update provider credentials for the authenticated user in Vault
+    """
+    secret_data = {k: v for k, v in creds.model_dump().items() if v is not None}
+    if not secret_data:
+        raise HTTPException(status_code=status.HTTP_400_BAD_REQUEST, detail="No credentials provided.",)
+    vault_path = vault_write_credentials(caller["sub"], secret_data)
+    return {
+        "message":    "Credentials saved to Vault.",
+        "vault_path": f"{VAULT_MOUNT}/data/{vault_path}",
+        "user":       caller["username"],
+    }
+
+# TEST CREDENTIALS
+@router.post("/profile/credentials/test", response_model=CredentialTestResponse,
+    summary="Test OpenStack application credentials",
+    description=(
+        "Attempts to list servers on OpenStack using the provided app credentials. "
+        "Equivalent to running `openstack server list` on the CLI."),
+)
+async def test_openstack_credentials(body: CredentialTestRequest, 
+                                     caller: dict = Depends(verify_session_token),):
+    """
+    Test OpenStack application credentials without storing them
+
+    Flow:
+      1. Build an OpenStack connection with the provided credentials.
+      2. Call conn.compute.servers(), equivalent to *openstack server list*
+      3. If it returns (even empty) credentials are valid.
+      4. If it raises credentials are invalid or endpoint unreachable.
+    """
+    try:
+        import openstack
+        conn    = openstack.connect(
+            auth_url=body.os_auth_url,
+            auth_type="v3applicationcredential",
+            application_credential_id=body.os_application_credential_id,
+            application_credential_secret=body.os_application_credential_secret,
+            region_name=body.os_region_name,
+            interface=body.os_interface,
+            identity_api_version=3,
+        )
+        servers = list(conn.compute.servers())
+        #NOTE: now returns a printed message
+        return CredentialTestResponse(
+            success=True,
+            message=f"Credentials are valid. {len(servers)} server(s) visible in region {body.os_region_name}.",
+            server_count=len(servers),)
+
+    except Exception as exc:
+        return CredentialTestResponse(
+            success=False,
+            message="Could not authenticate to OpenStack, check credentials and auth_url.",
+            detail=str(exc),
+        )
+

laniakea_api_server-0.0.1/laniakea_api/routers/deployments.py

@@ -0,0 +1,145 @@
+"""
+user deployment endpoints:
+
+GET  /api/deployments
+GET  /api/deployments/{uuid}
+POST /api/deployments
+GET  /api/deployments/{uuid}/logs
+"""
+
+import copy
+import os
+from datetime import datetime
+from typing import Optional
+from fastapi import APIRouter, Depends, HTTPException, status
+import database as db
+from laniakea_api.auth import verify_session_token
+from laniakea_api.config import LOG_DIR
+from laniakea_api.models import DeploymentRequest, JobResponse
+from laniakea_api.queue import get_queue
+
+router = APIRouter()
+
+def _strip_secrets(deployment: DeploymentRequest) -> dict:
+    """
+    Return deployment dict without sensitive credential fields.
+    """
+    d = copy.deepcopy(deployment.model_dump())
+    provider_key = deployment.selected_provider.lower()
+    provider     = d.get("cloud_providers", {}).get(provider_key, {})
+    for field in [
+        "ssh_key", "aws_access_key", "aws_secret_key", "bastion_ip",
+        "private_network_proxy_host", "os_application_credential_id",
+        "os_application_credential_secret",
+    ]:
+        provider.pop(field, None)
+    return d
+
+
+@router.get("/api/deployments")
+async def list_deployments(caller: dict = Depends(verify_session_token)):
+    """
+    Return all deployments belonging to the authenticated user.
+    """
+    rows = db.list_deployments(caller["sub"])
+    return {"deployments": rows, "total": len(rows)}
+
+
+# depends on session token: verify the sign on the token
+@router.get("/api/deployments/{uuid}")
+async def get_deployment(uuid: str, caller: dict = Depends(verify_session_token)):
+    """
+    Return the full state of a single deployment.
+    """
+    row = db.get_deployment(uuid)
+    if row is None:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, detail=f"Deployment {uuid} not found.")
+    if row.get("sub") != caller["sub"]:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied.")
+    return row
+
+
+@router.post("/api/deployments", response_model=JobResponse, status_code=202)
+async def enqueue_deployment(
+    deployment: DeploymentRequest, caller: dict = Depends(verify_session_token),):
+    """
+    Accept a deployment request:
+      1. Write QUEUED to PostgreSQL (dashboard can see it immediately)
+      2. eenqueue the job on the matching Redis queue.
+    """
+    queue_name, q = get_queue(deployment.selected_provider)
+    requested_at  = datetime.utcnow()
+
+    # persist QUEUED state before touching Redis
+    try:
+        db.create_deployment(
+            uuid=deployment.deployment_uuid,
+            user_sub=caller["sub"],
+            username=caller["username"] or caller["sub"],
+            description=deployment.description,
+            provider=deployment.selected_provider,
+            requested_at=requested_at,)
+    except Exception as exc:
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"Failed to persist deployment to database: {exc}",)
+
+    # Enqueue on Redis
+    job_data = {
+        **_strip_secrets(deployment),
+        "user_sub":     caller["sub"],
+        "user_email":   caller.get("email"),
+        "requested_by": caller["username"],
+        "requested_at": requested_at.isoformat(),
+    }
+
+    try:
+        job = q.enqueue(
+            # NOTE: agent: worker_wrapper.py
+            "worker_wrapper.run_from_dict",
+            job_data,
+            job_timeout="10h",
+            description=f"Deployment {deployment.deployment_uuid} by {caller['username']}",
+        )
+    except Exception as exc:
+        db.update_status(deployment.deployment_uuid, "CREATE_FAILED", 
+                         status_reason=f"Redis enqueue error: {exc}")
+        raise HTTPException(
+            status_code=status.HTTP_500_INTERNAL_SERVER_ERROR,
+            detail=f"Failed to enqueue job: {exc}",
+        )
+
+    return JobResponse(
+        job_id=job.id,
+        queue_name=queue_name,
+        deployment_uuid=deployment.deployment_uuid,
+        status="QUEUED",
+        message=f"Job enqueued on '{queue_name}' queue.",)
+
+
+@router.get("/api/deployments/{uuid}/logs")
+async def get_deployment_logs(
+    uuid: str, tail: Optional[int] = None, caller: dict = Depends(verify_session_token),):
+    """
+    Return the log lines for a deployment.
+    Optional ?tail=N returns only the last N lines.
+    """
+    row = db.get_deployment(uuid)
+    if row is None:
+        raise HTTPException(status_code=status.HTTP_404_NOT_FOUND, 
+                            detail=f"Deployment {uuid} not found.")
+    if row.get("sub") != caller["sub"]:
+        raise HTTPException(status_code=status.HTTP_403_FORBIDDEN, detail="Access denied")
+
+    log_path = os.path.join(LOG_DIR, f"terraform_{uuid}.log")
+    if not os.path.exists(log_path):
+        return {"uuid": uuid, "lines": [], "message": "No logs yet, deployment may still be queued."}
+
+    with open(log_path, "r") as f:
+        lines = f.read().splitlines()
+
+    if tail:
+        lines = lines[-tail:]
+
+    return {"uuid": uuid, "lines": lines, "total": len(lines)}
+

laniakea_api_server-0.0.1/laniakea_api/routers/health.py

@@ -0,0 +1,33 @@
+"""
+health check endpoint.
+### no auth required,used by load balancers and monitoring.
+
+GET /health
+"""
+
+from datetime import datetime
+from fastapi import APIRouter
+from laniakea_api.database import check_connection
+from laniakea_api.queue import check_redis, check_vault
+
+router = APIRouter()
+
+@router.get("/health")
+async def health():
+    """
+    Verify Redis, Vault and PostgreSQL connectivity
+    """
+    redis_status = check_redis()
+    vault_status = check_vault()
+    pg_status    = check_connection()
+
+    healthy = all(
+        s in ("connected", "authenticated") for s in [redis_status, vault_status, pg_status])
+
+    return {
+        "status":    "healthy" if healthy else "unhealthy",
+        "redis":     redis_status,
+        "vault":     vault_status,
+        "postgres":  pg_status,
+        "timestamp": datetime.utcnow().isoformat(),
+    }

laniakea_api_server-0.0.1/pyproject.toml

@@ -0,0 +1,55 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "laniakea-api-server"
+version = "0.0.1"
+description = "Laniakea Queue API — OIDC-authenticated gateway for cloud deployment orchestration"
+readme = "README.md"
+license = { text = "MIT" }
+requires-python = ">=3.10"
+
+authors = [
+  { name = "Laniakea Team" }
+]
+
+keywords = ["cloud", "deployment", "openstack", "aws", "fastapi", "redis", "orchestration"]
+
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Intended Audience :: System Administrators",
+  "License :: OSI Approved :: MIT License",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.10",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Framework :: FastAPI",
+  "Topic :: System :: Systems Administration",
+]
+
+dependencies = [
+  "fastapi",
+  "uvicorn[standard]",
+  "redis",
+  "rq",
+  "pyjwt",
+  "httpx",
+  "pydantic>=2.0",
+  "hvac>=2.0.0",
+  "openstacksdk",
+  "psycopg2-binary",
+  "python-dotenv",
+  "pyyaml",
+]
+
+[project.scripts]
+laniakea-api = "laniakea_api.cli:main"
+
+[project.urls]
+Homepage = "https://github.com/riccardocaccia/laniakea-api-redis"
+Issues = "https://github.com/riccardocaccia/laniakea-api-redis/issues"
+
+[tool.hatch.build.targets.wheel]
+packages = ["laniakea_api"]
+