tft-cli 0.0.19__tar.gz → 0.0.21__tar.gz

{tft_cli-0.0.19 → tft_cli-0.0.21}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.1
 Name: tft-cli
-Version: 0.0.19
+Version: 0.0.21
 Summary: Testing Farm CLI tool
 License: Apache-2.0
 Author: Miroslav Vadkerti
@@ -15,6 +15,7 @@ Requires-Dist: click (>=8.0.4,<8.1.0)
 Requires-Dist: colorama (>=0.4.4,<0.5.0)
 Requires-Dist: dynaconf (>=3.1.7,<4.0.0)
 Requires-Dist: requests (>=2.27.1,<3.0.0)
+Requires-Dist: rich (>=12,<13)
 Requires-Dist: ruamel-yaml (>=0.18.6,<0.19.0)
 Requires-Dist: setuptools
 Requires-Dist: typer[all] (>=0.7.0,<0.8.0)

{tft_cli-0.0.19 → tft_cli-0.0.21}/pyproject.toml

@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "tft-cli"
-version = "0.0.19"
+version = "0.0.21"
 description = "Testing Farm CLI tool"
 authors = ["Miroslav Vadkerti <mvadkert@redhat.com>"]
 license = "Apache-2.0"
@@ -21,6 +21,7 @@ click = "~8.0.4"
 dynaconf = "^3.1.7"
 colorama = "^0.4.4"
 requests = "^2.27.1"
+rich = "^12"
 ruamel-yaml = "^0.18.6"
 setuptools = "*"
 

{tft_cli-0.0.19 → tft_cli-0.0.21}/src/tft/cli/commands.py

@@ -2,12 +2,13 @@
 # SPDX-License-Identifier: Apache-2.0
 
 import base64
+import ipaddress
 import json
 import os
 import re
 import shutil
+import stat
 import subprocess
-import tempfile
 import textwrap
 import time
 import urllib.parse
@@ -60,6 +61,9 @@ RESERVE_REF = os.getenv("TESTING_FARM_RESERVE_REF", "main")
 
 DEFAULT_PIPELINE_TIMEOUT = 60 * 12
 
+# Won't be validating CIDR and 65535 max port range with regex here, not worth it
+SECURITY_GROUP_RULE_FORMAT = re.compile(r"(tcp|ip|icmp|udp|-1|[0-255]):(.*):(\d{1,5}-\d{1,5}|\d{1,5}|-1)")
+
 
 class WatchFormat(str, Enum):
     text = 'text'
@@ -134,6 +138,24 @@ OPTION_PIPELINE_TYPE: Optional[PipelineType] = typer.Option(None, help="Force a
 OPTION_POST_INSTALL_SCRIPT: Optional[str] = typer.Option(
     None, help="Post-install script to run right after the guest boots for the first time."
 )
+OPTION_SECURITY_GROUP_RULE_INGRESS: Optional[List[str]] = typer.Option(
+    None,
+    help=(
+        "Additional ingress security group rules to be passed to guest in "
+        "PROTOCOL:CIDR:PORT format. Multiple rules can be specified as comma separated, "
+        "eg. `tcp:109.81.42.42/32:22,142.0.42.0/24:22`. "
+        "Supported by AWS only atm."
+    ),
+)
+OPTION_SECURITY_GROUP_RULE_EGRESS: Optional[List[str]] = typer.Option(
+    None,
+    help=(
+        "Additional egress security group rules to be passed to guest in "
+        "PROTOCOL:CIDR:PORT format. Multiple rules can be specified as comma separated, "
+        "eg. `tcp:109.81.42.42/32:22,142.0.42.0/24:22`. "
+        "Supported by AWS only atm."
+    ),
+)
 OPTION_KICKSTART: Optional[List[str]] = typer.Option(
     None,
     metavar="key=value|@file",
@@ -212,6 +234,58 @@ OPTION_PARALLEL_LIMIT: Optional[int] = typer.Option(
         "Red Hat Ranch."
     ),
 )
+OPTION_TAGS = typer.Option(
+    None,
+    "-t",
+    "--tag",
+    metavar="key=value|@file",
+    help="Tag cloud resources with given value. The @ prefix marks a yaml file to load.",
+)
+
+
+# NOTE(ivasilev) Largely borrowed from artemis-cli
+def _parse_security_group_rules(ingress_rules: List[str], egress_rules: List[str]) -> Dict[str, Any]:
+    """
+    Returns a dictionary with ingress/egress rules in TFT request friendly format
+    """
+    security_group_rules = {}
+
+    def _add_secgroup_rules(sg_type: str, sg_data: List[str]) -> None:
+        security_group_rules[sg_type] = []
+
+        for sg_rule in normalize_multistring_option(sg_data):
+            matches = re.match(SECURITY_GROUP_RULE_FORMAT, sg_rule)
+            if not matches:
+                exit_error(f"Bad format of security group rule '{sg_rule}', should be PROTOCOL:CIDR:PORT")  # noqa: E231
+
+            protocol, cidr, port = matches[1], matches[2], matches[3]
+
+            # Let's validate cidr
+            try:
+                # This way a single ip address will be converted to a valid ip/32 cidr.
+                cidr = str(ipaddress.ip_network(cidr))
+            except ValueError as err:
+                exit_error(f'CIDR {cidr} has incorrect format: {err}')
+
+            # Artemis expectes port_min/port_max, -1 has to be convered to a proper range 0-65535
+            port_min = 0 if port == '-1' else int(port.split('-')[0])
+            port_max = 65535 if port == '-1' else int(port.split('-')[-1])
+
+            # Add rule for Artemis API
+            security_group_rules[sg_type].append(
+                {
+                    'type': sg_type.split('_')[-1],
+                    'protocol': protocol,
+                    'cidr': cidr,
+                    'port_min': port_min,
+                    'port_max': port_max,
+                }
+            )
+
+    _add_secgroup_rules('security_group_rules_ingress', ingress_rules)
+    _add_secgroup_rules('security_group_rules_egress', egress_rules)
+
+    return security_group_rules
 
 
 def _parse_xunit(xunit: str):
@@ -441,7 +515,12 @@ def watch(
                 raise typer.Exit(code=1)
 
         elif state == "error":
-            _console_print(f"📛 pipeline error\n{request['result']['summary']}", style="red")
+            msg = (
+                request['result'].get('summary')
+                if request['result']
+                else '\n'.join(note['message'] for note in request['notes'])
+            )
+            _console_print(f"📛 pipeline error\n{msg}", style="red")
             _print_summary_table(request_summary, format)
             raise typer.Exit(code=2)
 
@@ -521,13 +600,7 @@ def request(
     repository: List[str] = OPTION_REPOSITORY,
     repository_file: List[str] = OPTION_REPOSITORY_FILE,
     sanity: bool = typer.Option(False, help="Run Testing Farm sanity test.", rich_help_panel=RESERVE_PANEL_GENERAL),
-    tags: Optional[List[str]] = typer.Option(
-        None,
-        "-t",
-        "--tag",
-        metavar="key=value|@file",
-        help="Tag cloud resources with given value. The @ prefix marks a yaml file to load.",
-    ),
+    tags: Optional[List[str]] = OPTION_TAGS,
     watchdog_dispatch_delay: Optional[int] = typer.Option(
         None,
         help="How long (seconds) before the guest \"is-alive\" watchdog is dispatched. Note that this is implemented only in Artemis service.",  # noqa
@@ -539,6 +612,8 @@ def request(
     dry_run: bool = OPTION_DRY_RUN,
     pipeline_type: Optional[PipelineType] = OPTION_PIPELINE_TYPE,
     post_install_script: Optional[str] = OPTION_POST_INSTALL_SCRIPT,
+    security_group_rule_ingress: Optional[List[str]] = OPTION_SECURITY_GROUP_RULE_INGRESS,
+    security_group_rule_egress: Optional[List[str]] = OPTION_SECURITY_GROUP_RULE_EGRESS,
     user_webpage: Optional[str] = typer.Option(
         None, help="URL to the user's webpage. The link will be shown in the results viewer."
     ),
@@ -707,7 +782,17 @@ def request(
 
         environments.append(environment)
 
-    if tags or watchdog_dispatch_delay or watchdog_period_delay or post_install_script:
+    if any(
+        provisioning_detail
+        for provisioning_detail in [
+            tags,
+            watchdog_dispatch_delay,
+            watchdog_period_delay,
+            post_install_script,
+            security_group_rule_ingress,
+            security_group_rule_egress,
+        ]
+    ):
         if "settings" not in environments[0]:
             environments[0]["settings"] = {}
 
@@ -726,6 +811,10 @@ def request(
     if post_install_script:
         environments[0]["settings"]["provisioning"]["post_install_script"] = post_install_script
 
+    if security_group_rule_ingress or security_group_rule_egress:
+        rules = _parse_security_group_rules(security_group_rule_ingress or [], security_group_rule_egress or [])
+        environments[0]["settings"]["provisioning"].update(rules)
+
     # create final request
     request = TestingFarmRequestV1
     request["api_key"] = api_token
@@ -747,6 +836,7 @@ def request(
 
     # worker image
     if worker_image:
+        console.print(f"👷 Forcing worker image [blue]{worker_image}[/blue]")
         request["settings"]["worker"] = {"image": worker_image}
 
     if not user_webpage and (user_webpage_name or user_webpage_icon):
@@ -810,6 +900,7 @@ def restart(
     git_ref: Optional[str] = typer.Option(None, help="Force GIT ref or branch to test."),
     git_merge_sha: Optional[str] = typer.Option(None, help="Force GIT ref or branch into which --ref will be merged."),
     hardware: List[str] = OPTION_HARDWARE,
+    tags: Optional[List[str]] = OPTION_TAGS,
     tmt_plan_name: Optional[str] = OPTION_TMT_PLAN_NAME,
     tmt_plan_filter: Optional[str] = OPTION_TMT_PLAN_FILTER,
     tmt_test_name: Optional[str] = OPTION_TMT_TEST_NAME,
@@ -853,6 +944,17 @@ def restart(
     if response.status_code == 401:
         exit_error(f"API token is invalid. See {settings.ONBOARDING_DOCS} for more information.")
 
+    # The API token is valid, but it doesn't own the request
+    if response.status_code == 403:
+        console.print(
+            "⚠️ [yellow] You are not the owner of this request. Any secrets associated with the request will not be included on the restart.[/yellow]"  # noqa: E501
+        )
+        # Construct URL to the internal API
+        get_url = urllib.parse.urljoin(str(api_url), f"v0.1/requests/{_request_id}")
+
+        # Get the request details
+        response = session.get(get_url)
+
     if response.status_code != 200:
         exit_error(f"Unexpected error. Please file an issue to {settings.ISSUE_TRACKER}.")
 
@@ -933,7 +1035,7 @@ def restart(
 
     # worker image
     if worker_image:
-        console.print(f"👷 forcing worker image [blue]{worker_image}[/blue]")
+        console.print(f"👷 Forcing worker image [blue]{worker_image}[/blue]")
         request["settings"] = request["settings"] if request.get("settings") else {}
         request["settings"]["worker"] = {"image": worker_image}
         # it is required to have also pipeline key set, otherwise API will fail
@@ -954,6 +1056,16 @@ def restart(
     if parallel_limit:
         request["settings"]["pipeline"]["parallel-limit"] = parallel_limit
 
+    if tags:
+        for environment in request["environments"]:
+            if "settings" not in environment or not environment["settings"]:
+                environment["settings"] = {}
+
+            if 'provisioning' not in environment["settings"]:
+                environment["settings"]["provisioning"] = {}
+
+            environment["settings"]["provisioning"]["tags"] = options_to_dict("tags", tags)
+
     # dry run
     if dry_run:
         console.print("🔍 Dry run, showing POST json only", style="bright_yellow")
@@ -1163,6 +1275,7 @@ def reserve(
         rich_help_panel=RESERVE_PANEL_ENVIRONMENT,
     ),
     hardware: List[str] = OPTION_HARDWARE,
+    tags: Optional[List[str]] = OPTION_TAGS,
     kickstart: Optional[List[str]] = OPTION_KICKSTART,
     pool: Optional[str] = OPTION_POOL,
     fedora_koji_build: List[str] = OPTION_FEDORA_KOJI_BUILD,
@@ -1180,6 +1293,9 @@ def reserve(
     autoconnect: bool = typer.Option(
         True, help="Automatically connect to the guest via SSH.", rich_help_panel=RESERVE_PANEL_GENERAL
     ),
+    worker_image: Optional[str] = OPTION_WORKER_IMAGE,
+    security_group_rule_ingress: Optional[List[str]] = OPTION_SECURITY_GROUP_RULE_INGRESS,
+    security_group_rule_egress: Optional[List[str]] = OPTION_SECURITY_GROUP_RULE_EGRESS,
 ):
     """
     Reserve a system in Testing Farm.
@@ -1189,6 +1305,28 @@ def reserve(
         if not print_only_request_id:
             console.print(message)
 
+    # Sanity checks for ssh-agent
+
+    # Check of SSH_AUTH_SOCK is defined
+    ssh_auth_sock = os.getenv("SSH_AUTH_SOCK")
+    if not ssh_auth_sock:
+        exit_error("SSH_AUTH_SOCK is not defined, make sure the ssh-agent is running by executing 'eval `ssh-agent`'.")
+
+    # Check if SSH_AUTH_SOCK exists
+    if not os.path.exists(ssh_auth_sock):
+        exit_error(
+            "SSH_AUTH_SOCK socket does not exist, make sure the ssh-agent is running by executing 'eval `ssh-agent`'."
+        )
+
+    # Check if value of SSH_AUTH_SOCK is socket
+    if not stat.S_ISSOCK(os.stat(ssh_auth_sock).st_mode):
+        exit_error("SSH_AUTH_SOCK is not a socket, make sure the ssh-agent is running by executing 'eval `ssh-agent`'.")
+
+    # Check if ssh-add -L is not empty
+    ssh_add_output = subprocess.run(["ssh-add", "-L"], stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+    if ssh_add_output.returncode != 0:
+        exit_error("No SSH identities found in the SSH agent. Please run `ssh-add`.")
+
     # check for token
     if not settings.API_TOKEN:
         exit_error("No API token found, export `TESTING_FARM_API_TOKEN` environment variable.")
@@ -1208,12 +1346,22 @@ def reserve(
     environment["pool"] = pool
     environment["artifacts"] = []
 
-    if post_install_script:
+    if "settings" not in environment:
+        environment["settings"] = {}
+
+    if post_install_script or security_group_rule_ingress or security_group_rule_egress or tags:
         if "settings" not in environment:
             environment["settings"] = {}
 
-        if 'provisioning' not in environment["settings"]:
-            environment["settings"]["provisioning"] = {}
+    if "provisioning" not in environment["settings"]:
+        environment["settings"]["provisioning"] = {}
+
+    if "tags" not in environment["settings"]["provisioning"]:
+        environment["settings"]["provisioning"]["tags"] = {}
+
+    # reserve command is for interacting with the guest, and so non-spot instances
+    # would be nicer for the user than them getting shocked when they loose their work.
+    environment["settings"]["provisioning"]["tags"]["ArtemisUseSpot"] = "false"
 
     if compose:
         environment["os"] = {"compose": compose}
@@ -1221,6 +1369,9 @@ def reserve(
     if hardware:
         environment["hardware"] = hw_constraints(hardware)
 
+    if tags:
+        environment["settings"]["provisioning"]["tags"] = options_to_dict("tags", tags)
+
     if kickstart:
         environment["kickstart"] = options_to_dict("environment kickstart", kickstart)
 
@@ -1242,6 +1393,10 @@ def reserve(
     if post_install_script:
         environment["settings"]["provisioning"]["post_install_script"] = post_install_script
 
+    if security_group_rule_ingress or security_group_rule_egress:
+        rules = _parse_security_group_rules(security_group_rule_ingress or [], security_group_rule_egress or [])
+        environment["settings"]["provisioning"].update(rules)
+
     console.print(f"🕗 Reserved for [blue]{str(reservation_duration)}[/blue] minutes")
     environment["variables"] = {"TF_RESERVATION_DURATION": str(reservation_duration)}
 
@@ -1261,6 +1416,12 @@ def reserve(
     request["api_key"] = settings.API_TOKEN
     request["test"]["fmf"] = test
 
+    # worker image
+    if worker_image:
+        console.print(f"👷 Forcing worker image [blue]{worker_image}[/blue]")
+        request["settings"] = request["settings"] if request.get("settings") else {}
+        request["settings"]["worker"] = {"image": worker_image}
+
     request["environments"] = [environment]
 
     # in case the reservation duration is more than the pipeline timeout, adjust also the pipeline timeout
@@ -1427,24 +1588,16 @@ def reserve(
 
     ssh_proxy_option = f" -J {content['ssh_proxy']}" if content.get('ssh_proxy') else ""
 
-    ssh_private_key_option = ""
     if ssh_private_key:
-        tmp = tempfile.NamedTemporaryFile(delete=False)
-        tmp.write(ssh_private_key.encode())
-        tmp.flush()
-        tmp.close()
-
-        os.chmod(tmp.name, 0o600)
-
-        ssh_private_key_option = f" -i {tmp.name}"
+        console.print("🔑 [blue]Adding SSH proxy key[/blue]")
+        subprocess.run(["ssh-add", "-"], input=ssh_private_key.encode())
 
-    console.print(f"🌎 ssh{ssh_proxy_option}{ssh_private_key_option} root@{guest}")
+    console.print(f"🌎 ssh{ssh_proxy_option} root@{guest}")
 
     if autoconnect:
         os.system(
-            f"ssh -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null{ssh_proxy_option}{ssh_private_key_option} root@{guest}"  # noqa: E501
+            f"ssh -oStrictHostKeyChecking=no -oUserKnownHostsFile=/dev/null{ssh_proxy_option} root@{guest}"  # noqa: E501
         )
-        os.unlink(tmp.name)
 
 
 def update():

{tft_cli-0.0.19 → tft_cli-0.0.21}/src/tft/cli/utils.py

@@ -2,7 +2,9 @@
 # SPDX-License-Identifier: Apache-2.0
 
 import glob
+import itertools
 import os
+import shlex
 import subprocess
 import sys
 import uuid
@@ -119,6 +121,12 @@ def options_to_dict(name: str, options: List[str]) -> Dict[str, str]:
     """Create a dictionary from list of `key=value|@file` options"""
 
     options_dict = {}
+
+    # Turn option list such as
+    # `['aaa=bbb "foo foo=bar bar"', 'foo=bar']` into
+    # `['aaa=bbb', 'foo foo=bar bar', 'foo=bar']`
+    options = list(itertools.chain.from_iterable(shlex.split(option) for option in options))
+
     for option in options:
         # Option is `@file`
         if option.startswith('@'):