qontract-reconcile 0.10.2.dev361__py3-none-any.whl → 0.10.2.dev474__py3-none-any.whl

reconcile/utils/quay_api.py

@@ -1,13 +1,16 @@
+import contextlib
 from typing import Any
 
 import requests
 
+from reconcile.utils.rest_api_base import ApiBase, BearerTokenAuth
+
 
 class QuayTeamNotFoundError(Exception):
     pass
 
 
-class QuayApi:
+class QuayApi(ApiBase):
     LIMIT_FOLLOWS = 15
 
     def __init__(
@@ -17,14 +20,18 @@ class QuayApi:
         base_url: str = "quay.io",
         timeout: int = 60,
     ) -> None:
-        self.token = token
+        # Support both hostname (e.g., "quay.io") and full URLs (e.g., "http://localhost:12345")
+        if base_url.startswith(("http://", "https://")):
+            host = base_url
+        else:
+            host = f"https://{base_url}"
+        super().__init__(
+            host=host,
+            auth=BearerTokenAuth(token),
+            read_timeout=timeout,
+        )
         self.organization = organization
-        self.auth_header = {"Authorization": "Bearer %s" % (token,)}
         self.team_members: dict[str, Any] = {}
-        self.api_url = f"https://{base_url}/api/v1"
-
-        self._timeout = timeout
-        """Timeout to use for HTTP calls to Quay (seconds)."""
 
     def list_team_members(self, team: str, **kwargs: Any) -> list[dict]:
         """
@@ -38,19 +45,20 @@ class QuayApi:
             if cache_members:
                 return cache_members
 
-        url = f"{self.api_url}/organization/{self.organization}/team/{team}/members?includePending=true"
-
-        r = requests.get(url, headers=self.auth_header, timeout=self._timeout)
-        if r.status_code == 404:
-            raise QuayTeamNotFoundError(
-                f"team {team} is not found in "
-                f"org {self.organization}. "
-                f"contact org owner to create the "
-                f"team manually."
-            )
-        r.raise_for_status()
-
-        body = r.json()
+        url = f"/api/v1/organization/{self.organization}/team/{team}/members"
+        params = {"includePending": "true"}
+
+        try:
+            body = self._get(url, params=params)
+        except requests.exceptions.HTTPError as e:
+            if e.response.status_code == 404:
+                raise QuayTeamNotFoundError(
+                    f"team {team} is not found in "
+                    f"org {self.organization}. "
+                    f"contact org owner to create the "
+                    f"team manually."
+                ) from e
+            raise
 
         # Using a set because members may be repeated
         members = {member["name"] for member in body["members"]}
@@ -61,30 +69,37 @@ class QuayApi:
         return members_list
 
     def user_exists(self, user: str) -> bool:
-        url = f"{self.api_url}/users/{user}"
-        r = requests.get(url, headers=self.auth_header, timeout=self._timeout)
-        return r.ok
+        url = f"/api/v1/users/{user}"
+        try:
+            self._get(url)
+            return True
+        except requests.exceptions.HTTPError:
+            return False
 
     def remove_user_from_team(self, user: str, team: str) -> bool:
         """Deletes an user from a team.
 
         :raises HTTPError if there are any problems with the request
         """
-        url_team = f"{self.api_url}/organization/{self.organization}/team/{team}/members/{user}"
+        url_team = (
+            f"/api/v1/organization/{self.organization}/team/{team}/members/{user}"
+        )
 
-        r = requests.delete(url_team, headers=self.auth_header, timeout=self._timeout)
-        if not r.ok:
-            message = r.json().get("message", "")
+        try:
+            self._delete(url_team)
+        except requests.exceptions.HTTPError as e:
+            message = ""
+            if e.response is not None:
+                with contextlib.suppress(ValueError, AttributeError):
+                    message = e.response.json().get("message", "")
 
             expected_message = f"User {user} does not belong to team {team}"
 
             if message != expected_message:
-                r.raise_for_status()
+                raise
 
-        url_org = f"{self.api_url}/organization/{self.organization}/members/{user}"
-
-        r = requests.delete(url_org, headers=self.auth_header, timeout=self._timeout)
-        r.raise_for_status()
+        url_org = f"/api/v1/organization/{self.organization}/members/{user}"
+        self._delete(url_org)
 
         return True
 
@@ -96,9 +111,8 @@ class QuayApi:
         if user in self.list_team_members(team, cache=True):
             return True
 
-        url = f"{self.api_url}/organization/{self.organization}/team/{team}/members/{user}"
-        r = requests.put(url, headers=self.auth_header, timeout=self._timeout)
-        r.raise_for_status()
+        url = f"/api/v1/organization/{self.organization}/team/{team}/members/{user}"
+        self._put(url)
         return True
 
     def create_or_update_team(
@@ -115,17 +129,14 @@ class QuayApi:
         :raises HTTPError: unsuccessful attempt to create the team
         """
 
-        url = f"{self.api_url}/organization/{self.organization}/team/{team}"
+        url = f"/api/v1/organization/{self.organization}/team/{team}"
 
         payload = {"role": role}
 
         if description:
             payload.update({"description": description})
 
-        r = requests.put(
-            url, headers=self.auth_header, json=payload, timeout=self._timeout
-        )
-        r.raise_for_status()
+        self._put(url, data=payload)
 
     def list_images(
         self, images: list | None = None, page: str | None = None, count: int = 0
@@ -140,7 +151,7 @@ class QuayApi:
         if count > self.LIMIT_FOLLOWS:
             raise ValueError("Too many page follows")
 
-        url = f"{self.api_url}/repository"
+        url = "/api/v1/repository"
 
         # params
         params = {"namespace": self.organization}
@@ -148,13 +159,7 @@ class QuayApi:
             params["next_page"] = page
 
         # perform request
-        r = requests.get(
-            url, params=params, headers=self.auth_header, timeout=self._timeout
-        )
-        r.raise_for_status()
-
-        # read body
-        body = r.json()
+        body = self._get(url, params=params)
         repositories = body.get("repositories", [])
         next_page = body.get("next_page")
 
@@ -176,7 +181,7 @@ class QuayApi:
         """
         visibility = "public" if public else "private"
 
-        url = f"{self.api_url}/repository"
+        url = "/repository"
 
         params = {
             "repo_kind": "image",
@@ -186,29 +191,16 @@ class QuayApi:
             "description": description,
         }
 
-        # perform request
-        r = requests.post(
-            url, json=params, headers=self.auth_header, timeout=self._timeout
-        )
-        r.raise_for_status()
+        self._post(url, data=params)
 
     def repo_delete(self, repo_name: str) -> None:
-        url = f"{self.api_url}/repository/{self.organization}/{repo_name}"
-
-        # perform request
-        r = requests.delete(url, headers=self.auth_header, timeout=self._timeout)
-        r.raise_for_status()
+        url = f"/api/v1/repository/{self.organization}/{repo_name}"
+        self._delete(url)
 
     def repo_update_description(self, repo_name: str, description: str) -> None:
-        url = f"{self.api_url}/repository/{self.organization}/{repo_name}"
-
+        url = f"/api/v1/repository/{self.organization}/{repo_name}"
         params = {"description": description}
-
-        # perform request
-        r = requests.put(
-            url, json=params, headers=self.auth_header, timeout=self._timeout
-        )
-        r.raise_for_status()
+        self._put(url, data=params)
 
     def repo_make_public(self, repo_name: str) -> None:
         self._repo_change_visibility(repo_name, "public")
@@ -217,39 +209,34 @@ class QuayApi:
         self._repo_change_visibility(repo_name, "private")
 
     def _repo_change_visibility(self, repo_name: str, visibility: str) -> None:
-        url = f"{self.api_url}/repository/{self.organization}/{repo_name}/changevisibility"
-
+        url = f"/api/v1/repository/{self.organization}/{repo_name}/changevisibility"
         params = {"visibility": visibility}
-
-        # perform request
-        r = requests.post(
-            url, json=params, headers=self.auth_header, timeout=self._timeout
-        )
-        r.raise_for_status()
+        self._post(url, data=params)
 
     def get_repo_team_permissions(self, repo_name: str, team: str) -> str | None:
         url = (
-            f"{self.api_url}/repository/{self.organization}/"
+            f"/api/v1/repository/{self.organization}/"
             + f"{repo_name}/permissions/team/{team}"
         )
-        r = requests.get(url, headers=self.auth_header, timeout=self._timeout)
-        if not r.ok:
-            message = r.json().get("message")
+        try:
+            body = self._get(url)
+            return body.get("role") or None
+        except requests.exceptions.HTTPError as e:
+            message = ""
+            if e.response is not None:
+                with contextlib.suppress(ValueError, AttributeError):
+                    message = e.response.json().get("message", "")
+
             expected_message = "Team does not have permission for repo."
             if message == expected_message:
                 return None
 
-            r.raise_for_status()
-
-        return r.json().get("role") or None
+            raise
 
     def set_repo_team_permissions(self, repo_name: str, team: str, role: str) -> None:
         url = (
-            f"{self.api_url}/repository/{self.organization}/"
+            f"/api/v1/repository/{self.organization}/"
             + f"{repo_name}/permissions/team/{team}"
         )
         body = {"role": role}
-        r = requests.put(
-            url, json=body, headers=self.auth_header, timeout=self._timeout
-        )
-        r.raise_for_status()
+        self._put(url, data=body)

reconcile/utils/raw_github_api.py

@@ -76,7 +76,7 @@ class RawGithubApi:
             if login is not None
         ]
 
-    def team_invitations(self, org_id: str, team_id: str) -> list[str]:
+    def team_invitations(self, org_id: str | int, team_id: str | int) -> list[str]:
         invitations = self.query(f"/organizations/{org_id}/team/{team_id}/invitations")
 
         return [

reconcile/utils/rhcsv2_certs.py

@@ -1,22 +1,33 @@
+import base64
 import re
 from datetime import UTC
+from enum import StrEnum
 
 import requests
 from cryptography import x509
 from cryptography.hazmat.primitives import hashes, serialization
 from cryptography.hazmat.primitives.asymmetric import rsa
+from cryptography.hazmat.primitives.serialization import pkcs12
 from cryptography.x509.oid import NameOID
 from pydantic import BaseModel, Field
 
 
-class RhcsV2Cert(BaseModel):
+class CertificateFormat(StrEnum):
+    PEM = "PEM"
+    PKCS12 = "PKCS12"
+
+
+class RhcsV2CertPem(BaseModel, validate_by_name=True, validate_by_alias=True):
     certificate: str = Field(alias="tls.crt")
     private_key: str = Field(alias="tls.key")
     ca_cert: str = Field(alias="ca.crt")
     expiration_timestamp: int
 
-    class Config:
-        allow_population_by_field_name = True
+
+class RhcsV2CertPkcs12(BaseModel, validate_by_name=True, validate_by_alias=True):
+    pkcs12_keystore: str = Field(alias="keystore.pkcs12.b64")
+    pkcs12_truststore: str = Field(alias="truststore.pkcs12.b64")
+    expiration_timestamp: int
 
 
 def extract_cert(text: str) -> re.Match:
@@ -70,7 +81,66 @@ def get_cert_expiry_timestamp(js_escaped_pem: str) -> int:
     return int(dt_expiry.timestamp())
 
 
-def generate_cert(issuer_url: str, uid: str, pwd: str, ca_url: str) -> RhcsV2Cert:
+def _format_pem(
+    private_key: rsa.RSAPrivateKey,
+    cert_pem: str,
+    ca_pem: str,
+    cert_expiry_timestamp: int,
+) -> RhcsV2CertPem:
+    """Generate RhcsV2Cert with PEM components."""
+    private_key_pem = private_key.private_bytes(
+        encoding=serialization.Encoding.PEM,
+        format=serialization.PrivateFormat.TraditionalOpenSSL,
+        encryption_algorithm=serialization.NoEncryption(),
+    ).decode()
+    return RhcsV2CertPem(
+        private_key=private_key_pem,
+        certificate=cert_pem.encode().decode("unicode_escape").replace("\\/", "/"),
+        ca_cert=ca_pem,
+        expiration_timestamp=cert_expiry_timestamp,
+    )
+
+
+def _format_pkcs12(
+    private_key: rsa.RSAPrivateKey,
+    cert_pem: str,
+    ca_pem: str,
+    uid: str,
+    pwd: str,
+    cert_expiry_timestamp: int,
+) -> RhcsV2CertPkcs12:
+    """Generate PKCS#12 keystore and truststore components, returns base64-encoded strings."""
+    clean_cert_pem = cert_pem.encode().decode("unicode_escape").replace("\\/", "/")
+    cert_obj = x509.load_pem_x509_certificate(clean_cert_pem.encode())
+    ca_obj = x509.load_pem_x509_certificate(ca_pem.encode())
+    keystore_p12 = pkcs12.serialize_key_and_certificates(
+        name=uid.encode("utf-8"),
+        key=private_key,
+        cert=cert_obj,
+        cas=[ca_obj],
+        encryption_algorithm=serialization.BestAvailableEncryption(pwd.encode("utf-8")),
+    )
+    truststore_p12 = pkcs12.serialize_key_and_certificates(
+        name=b"ca-trust",
+        key=None,
+        cert=None,
+        cas=[ca_obj],
+        encryption_algorithm=serialization.NoEncryption(),
+    )
+    return RhcsV2CertPkcs12(
+        pkcs12_keystore=base64.b64encode(keystore_p12).decode("utf-8"),
+        pkcs12_truststore=base64.b64encode(truststore_p12).decode("utf-8"),
+        expiration_timestamp=cert_expiry_timestamp,
+    )
+
+
+def generate_cert(
+    issuer_url: str,
+    uid: str,
+    pwd: str,
+    ca_url: str,
+    cert_format: CertificateFormat = CertificateFormat.PEM,
+) -> RhcsV2CertPem | RhcsV2CertPkcs12:
     private_key = rsa.generate_private_key(65537, 4096)
     csr = (
         x509.CertificateSigningRequestBuilder()
@@ -81,6 +151,7 @@ def generate_cert(issuer_url: str, uid: str, pwd: str, ca_url: str) -> RhcsV2Cer
         )
         .sign(private_key, hashes.SHA256())
     )
+
     data = {
         "uid": uid,
         "pwd": pwd,
@@ -90,27 +161,19 @@ def generate_cert(issuer_url: str, uid: str, pwd: str, ca_url: str) -> RhcsV2Cer
         "renewal": "false",
         "xmlOutput": "false",
     }
-    response = requests.post(issuer_url, data=data)
+    response = requests.post(issuer_url, data=data, timeout=30)
     response.raise_for_status()
+    cert_pem = extract_cert(response.text).group(1)
+    cert_expiry_timestamp = get_cert_expiry_timestamp(cert_pem)
 
-    cert_pem = extract_cert(response.text)
-    cert_expiry_timestamp = get_cert_expiry_timestamp(cert_pem.group(1))
-    private_key_pem = private_key.private_bytes(
-        encoding=serialization.Encoding.PEM,
-        format=serialization.PrivateFormat.TraditionalOpenSSL,
-        encryption_algorithm=serialization.NoEncryption(),
-    ).decode()
-
-    response = requests.get(ca_url)
+    response = requests.get(ca_url, timeout=30)
     response.raise_for_status()
     ca_pem = response.text
 
-    return RhcsV2Cert(
-        private_key=private_key_pem,
-        certificate=cert_pem.group(1)
-        .encode()
-        .decode("unicode_escape")
-        .replace("\\/", "/"),
-        ca_cert=ca_pem,
-        expiration_timestamp=cert_expiry_timestamp,
-    )
+    match cert_format:
+        case CertificateFormat.PKCS12:
+            return _format_pkcs12(
+                private_key, cert_pem, ca_pem, uid, pwd, cert_expiry_timestamp
+            )
+        case CertificateFormat.PEM:
+            return _format_pem(private_key, cert_pem, ca_pem, cert_expiry_timestamp)

reconcile/utils/rosa/session.py

@@ -178,6 +178,22 @@ class RosaSession:
             )
             result.write_logs_to_logger(logging.info)
 
+    def upgrade_rosa_roles(
+        self,
+        cluster_name: str,
+        upgrade_version: str,
+        policy_version: str,
+        dry_run: bool,
+    ) -> None:
+        logging.info(
+            f"Upgrade  roles in AWS account {self.aws_account_id} to {upgrade_version}"
+        )
+        if not dry_run:
+            result = self.cli_execute(
+                f"rosa upgrade roles  -c {cluster_name} --cluster-version {upgrade_version}  --policy-version {policy_version} -y -m=auto"
+            )
+            result.write_logs_to_logger(logging.info)
+
 
 def generate_rosa_creation_script(
     cluster_name: str, cluster: OCMSpec, dry_run: bool

reconcile/utils/runtime/integration.py

@@ -7,7 +7,6 @@ from dataclasses import dataclass
 from types import ModuleType
 from typing import (
     Any,
-    Generic,
     Optional,
     TypeVar,
 )
@@ -120,7 +119,7 @@ class PydanticRunParams(RunParams, BaseModel):
     def copy_and_update(
         self: PydanticRunParamsSelfTypeVar, update: dict[str, Any]
     ) -> PydanticRunParamsSelfTypeVar:
-        return self.copy(update=update)
+        return self.model_copy(update=update)
 
     def get(self, field: str) -> Any:
         return getattr(self, field)
@@ -144,7 +143,7 @@ IntegrationClassTypeVar = TypeVar(
 )
 
 
-class QontractReconcileIntegration(ABC, Generic[RunParamsTypeVar]):
+class QontractReconcileIntegration[RunParamsTypeVar: RunParams](ABC):
     """
     The base class for all integrations. It defines the basic interface to interact
     with an integration and offers hook methods that allow the integration to opt

reconcile/utils/runtime/runner.py

@@ -156,7 +156,7 @@ def run_integration_cfg(run_cfg: IntegrationRunConfiguration) -> None:
         _integration_wet_run(run_cfg.integration)
 
 
-def _integration_wet_run(
+def _integration_wet_run[RunParamsTypeVar: RunParams](
     integration: QontractReconcileIntegration[RunParamsTypeVar],
 ) -> None:
     """
@@ -165,7 +165,7 @@ def _integration_wet_run(
     integration.run(False)
 
 
-def _integration_dry_run(
+def _integration_dry_run[RunParamsTypeVar: RunParams](
     integration: QontractReconcileIntegration[RunParamsTypeVar],
     desired_state_diff: DesiredStateDiff | None,
 ) -> None:

reconcile/utils/saasherder/interfaces.py

@@ -1,7 +1,7 @@
 # ruff: noqa: N801
 from __future__ import annotations
 
-from collections.abc import Mapping, Sequence, Set
+from collections.abc import Sequence
 from typing import (
     TYPE_CHECKING,
     Any,
@@ -12,6 +12,8 @@ from typing import (
 from reconcile.utils import oc_connection_parameters
 
 if TYPE_CHECKING:
+    from pydantic.main import IncEx
+
     from reconcile.gql_definitions.fragments.saas_slo_document import SLODocument
     from reconcile.utils.secret_reader import HasSecret
 
@@ -27,18 +29,12 @@ class SaasFileSecretParameters(Protocol):
     @property
     def secret(self) -> HasSecret: ...
 
-    def dict(
-        self,
-        *,
-        by_alias: bool = False,
-        include: AbstractSetIntStr | MappingIntStrAny | None = None,
+    def model_dump(
+        self, *, by_alias: bool = False, include: IncEx | None = None
     ) -> dict[str, Any]: ...
 
 
 SaasSecretParameters = Sequence[SaasFileSecretParameters] | None
-# Taken from pydantic.typing
-AbstractSetIntStr = Set[int | str]
-MappingIntStrAny = Mapping[int | str, Any]
 
 
 @runtime_checkable
@@ -212,11 +208,8 @@ class SaasResourceTemplateTargetNamespace(Protocol):
     @property
     def cluster(self) -> oc_connection_parameters.Cluster: ...
 
-    def dict(
-        self,
-        *,
-        by_alias: bool = False,
-        include: AbstractSetIntStr | MappingIntStrAny | None = None,
+    def model_dump(
+        self, *, by_alias: bool = False, include: IncEx | None = None
     ) -> dict[str, Any]: ...
 
 
@@ -249,7 +242,7 @@ class SaasResourceTemplateTargetPromotion(Protocol):
     @property
     def promotion_data(self) -> Sequence[SaasPromotionData] | None: ...
 
-    def dict(self, *, by_alias: bool = False) -> dict[str, Any]: ...
+    def model_dump(self, *, by_alias: bool = False) -> dict[str, Any]: ...
 
 
 class Channel(Protocol):
@@ -274,7 +267,7 @@ class SaasPromotion(Protocol):
     @property
     def subscribe(self) -> list[Channel] | None: ...
 
-    def dict(self, *, by_alias: bool = False) -> dict[str, Any]: ...
+    def model_dump(self, *, by_alias: bool = False) -> dict[str, Any]: ...
 
 
 class SaasResourceTemplateTarget_SaasSecretParameters(Protocol):
@@ -295,7 +288,7 @@ class SaasResourceTemplateTargetUpstream(Protocol):
     @property
     def instance(self) -> SaasJenkinsInstance: ...
 
-    def dict(self, *, by_alias: bool = False) -> dict[str, Any]: ...
+    def model_dump(self, *, by_alias: bool = False) -> dict[str, Any]: ...
 
 
 class SaasQuayInstance(Protocol):
@@ -315,7 +308,7 @@ class SaasResourceTemplateTargetImage(Protocol):
     @property
     def org(self) -> SaasQuayOrg: ...
 
-    def dict(self, *, by_alias: bool = False) -> dict[str, Any]: ...
+    def model_dump(self, *, by_alias: bool = False) -> dict[str, Any]: ...
 
 
 class SaasResourceTemplateTarget(HasParameters, HasSecretParameters, Protocol):
@@ -344,7 +337,7 @@ class SaasResourceTemplateTarget(HasParameters, HasSecretParameters, Protocol):
         self, parent_saas_file_name: str, parent_resource_template_name: str
     ) -> str: ...
 
-    def dict(self, *, by_alias: bool = False) -> dict[str, Any]: ...
+    def model_dump(self, *, by_alias: bool = False) -> dict[str, Any]: ...
 
 
 class SaasResourceTemplate(HasParameters, HasSecretParameters, Protocol):
@@ -381,7 +374,7 @@ class ManagedResourceName(Protocol):
     resource: str
     resource_names: list[str]
 
-    def dict(self) -> dict[str, str]: ...
+    def model_dump(self) -> dict[str, str]: ...
 
 
 class SaasFile(HasParameters, HasSecretParameters, Protocol):