Add Python to Codespaces & Test

metaskills · web-flow · commit 699bfbd8355b · 2022-10-26T07:40:54.000-04:00
diff --git a/.github/workflows/test.yml b/.github/workflows/test.yml
@@ -38,3 +38,16 @@ jobs:
           runCmd: |
             ./amzn/setup
             ./amzn/test
+      - name: Build & Run Development Container (w/ Python)
+        uses: devcontainers/ci@v0.2
+        with:
+          env: |
+            AWS_ACCESS_KEY_ID
+            AWS_SECRET_ACCESS_KEY
+            AWS_SESSION_TOKEN
+            AWS_DEFAULT_REGION
+            AWS_REGION
+          imageName: ghcr.io/customink/crypteia-devcontainer
+          runCmd: |
+            ./py27/setup
+            ./py27/test
diff --git a/.gitignore b/.gitignore
@@ -4,3 +4,5 @@
 /package/package.zip
 /package/packaged.yaml
 outputs.json
+python/crypteia/build
+python/crypteia/src/*.egg-info
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -10,6 +10,7 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ### Added
 
  - `ltrace` for debugging
+ - Patch Python's `os.environ` if `PYTHONPATH` is set accordingly. Needed for Crypteia's binary to work in Python environments.
 
 ### Changed
 
diff --git a/README.md b/README.md
@@ -2,7 +2,7 @@
 
 # 🛡 Crypteia
 
-![Node](https://shields.io/badge/x-Node.js-x?logo=node.js&style=plastic&color=339933&label=&labelColor=white) ![Ruby](https://shields.io/badge/x-Ruby-x?logo=ruby&style=plastic&color=CC342D&label=&labelColor=white&logoColor=CC342D) ![PHP](https://shields.io/badge/x-PHP-x?logo=php&style=plastic&color=777BB4&label=&labelColor=white)
+![Node](https://shields.io/badge/x-Node.js-x?logo=node.js&style=plastic&color=339933&label=&labelColor=white) ![Ruby](https://shields.io/badge/x-Ruby-x?logo=ruby&style=plastic&color=CC342D&label=&labelColor=white&logoColor=CC342D) ![PHP](https://shields.io/badge/x-PHP-x?logo=php&style=plastic&color=777BB4&label=&labelColor=white) ![Python](https://shields.io/badge/x-Python-x?logo=python&style=plastic&color=3776AB&label=&labelColor=white)
 
 ## Rust Lambda Extension for any Runtime to preload SSM Parameters as Secure Environment Variables!
 
@@ -61,6 +61,12 @@ COPY libcrypteia.so /opt/lib/libcrypteia.so
 ENV LD_PRELOAD=/opt/lib/libcrypteia.so
 ```
 
+If you are using Python you will need to add our Crypteia python package to the PYTHONPATH in order for things to "just work". The result of this will be that `os.environ["SECRET"]`, `os.environ.get("SECRET")`, and `os.getenv("SECRET")` will be routed to the `getenv` system call and therefore take advantage of the Crypteia rust extension.
+
+```dockerfile
+ENV PYTHONPATH=${PYTHONPATH:/opt/crypteia/python}
+```
+
 ⚠️ When building your own Lambda Containers, please make sure [glibc](https://www.gnu.org/software/libc/) is installed since this is used by [redhook](https://github.com/geofft/redhook).
 
 #### Lambda Extension
diff --git a/bin/build-arch b/bin/build-arch
@@ -8,6 +8,12 @@ rm -rf "./build/${BIN}"
 rm -rf "./build/${BIN}.zip"
 rm -rf "./build/{$LIB}"
 rm -rf "./build/libcrypteia-${BUILD_ARCH}.zip"
+rm -rf ./build/crypteia
+rm -rf ./build/crypteia*.egg-info
+rm -rf ./build/crypteia*.dist-info
+rm -rf ./build/wrapt*
+rm -rf ./python/crypteia/build
+rm -rf ./python/crypteia/src/crypteia.egg-info
 
 cargo build \
   --release \
@@ -28,3 +34,12 @@ mkdir -p ./package/opt/extensions
 mkdir -p ./package/opt/lib
 cp "./build/crypteia-${BUILD_ARCH}" ./package/opt/extensions/crypteia
 cp "./build/libcrypteia-${BUILD_ARCH}.so" ./package/opt/lib/libcrypteia.so
+
+cd ./python/crypteia && pip install . --target ../../build --upgrade && cd ../..
+cp ./python/usercustomize.py ./build/
+
+mkdir -p ./package/opt/crypteia/python/crypteia
+cp -r ./build/crypteia/ ./package/opt/crypteia/python/
+cp -r ./build/crypteia-*.dist-info ./package/opt/crypteia/python/
+cp -r ./build/wrapt/ ./package/opt/crypteia/python/crypteia/
+cp ./python/usercustomize.py ./package/opt/crypteia/python/usercustomize.py
diff --git a/bin/test b/bin/test
@@ -8,3 +8,4 @@ fi
 TEST_LANG=node ./test/libcrypteia.sh 
 TEST_LANG=ruby ./test/libcrypteia.sh 
 TEST_LANG=php ./test/libcrypteia.sh 
+TEST_LANG=python ./test/libcrypteia.sh
diff --git a/py27/Dockerfile-test b/py27/Dockerfile-test
@@ -0,0 +1,23 @@
+FROM ubuntu:20.04
+
+ENV SHELL=/bin/sh
+
+RUN apt update \
+    && apt-get install -y curl \
+    && apt-get install -y python2.7 python2.7-dev \
+    && update-alternatives --install /usr/bin/python python /usr/bin/python2.7 2
+
+RUN curl https://bootstrap.pypa.io/pip/2.7/get-pip.py --output get-pip.py \
+    && python get-pip.py \
+    && pip install --upgrade pip \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY ./package/opt /opt
+
+ENV BUILD_ARCH=debian
+ENV SKIP_CARGO_TEST=1
+
+ENV EXISTING=existingvalue
+ENV LD_PRELOAD=/opt/lib/libcrypteia.so
+ENV PYTHONPATH=/opt/crypteia/python
diff --git a/py27/setup b/py27/setup
@@ -0,0 +1,5 @@
+#!/bin/sh
+set -e
+
+echo "== [py27/Dockerfile-test] building... =="
+docker build --tag crypteia-debian-py27-test --file py27/Dockerfile-test .
diff --git a/py27/test b/py27/test
@@ -0,0 +1,13 @@
+#!/bin/sh
+set -e
+
+echo "== [py27/Dockerfile-test] bin/test =="
+docker run \
+  --rm \
+  --user root \
+  --env TEST_LANG=python \
+  --entrypoint "./test/libcrypteia.sh" \
+  --volume "${PWD}:/var/task" \
+  --workdir "/var/task" \
+  crypteia-debian-py27-test \
+  sh
diff --git a/python/crypteia/setup.cfg b/python/crypteia/setup.cfg
@@ -0,0 +1,19 @@
+[metadata]
+name = crypteia
+author = Custom Ink (https://customink.com)
+description = Crypteia
+license = MIT
+url = https://github.com/customink/crypteia
+classifiers =
+    Programming Language :: Python :: 2
+    Programming Language :: Python :: 2.7
+    Programming Language :: Python :: 3
+
+[options]
+package_dir =
+    = src
+packages = find:
+python_requires = >=2.7
+
+[options.packages.find]
+where = src
diff --git a/python/crypteia/setup.py b/python/crypteia/setup.py
@@ -0,0 +1,6 @@
+from setuptools import setup
+
+setup(
+    version="0.1.0",
+    install_requires=["wrapt>=1.10.4"]
+)
diff --git a/python/crypteia/src/crypteia/__init__.py b/python/crypteia/src/crypteia/__init__.py
@@ -0,0 +1,48 @@
+import ctypes
+import os
+import sys
+
+from crypteia.wrapt import ObjectProxy, register_post_import_hook, wrap_object
+
+PY2 = sys.version_info[0] == 2
+
+crypteia = os.environ.get("LD_PRELOAD")
+getenv = ctypes.cdll.LoadLibrary(crypteia).getenv
+getenv.restype = ctypes.c_char_p
+
+
+class GetEnvWrapper(ObjectProxy):
+    def __getitem__(self, key):
+        if PY2:
+            value = getenv(key)
+        else:
+            encodedkey = self.__wrapped__.encodekey(key)
+            value = getenv(encodedkey)
+            if value:
+                value = self.__wrapped__.decodevalue(value)
+
+        if value:
+            return value
+        else:
+            raise KeyError(key)
+
+    def __repr__(self):
+        if PY2:
+            return repr(self.__wrapped__.data)
+        else:
+            return repr(self.__wrapped__)
+
+    def get(self, key, default=None):
+        try:
+            item = self[key]
+        except KeyError:
+            return default
+
+        return item
+
+
+def _load_and_patch(module):
+    wrap_object(module, 'environ', GetEnvWrapper)
+
+
+register_post_import_hook(_load_and_patch, 'os')
diff --git a/python/usercustomize.py b/python/usercustomize.py
@@ -0,0 +1,29 @@
+# Trigger the load of the Crypteia python package,
+# that is going to apply wrapt to the os.environ object,
+# so that we can customize the lookup of the environment
+# variables at runtime. We cannot do this in LD_PRELOAD,
+# because CPython uses LibC to look up only the PYTHON*
+# environment variables, parsing directly the memory
+# resolved by the linker to the __environ symbol as a
+# Unix dictionary.
+
+# IMPORTANT: This file must be valid Python 2.7+
+
+from os.path import dirname
+from sys import path, version, version_info
+
+
+def import_crypteia():
+    current_site = dirname(__file__)
+
+    # We cannot use `sys.version_info.major` and other named attribute
+    # got introduced only in Python 3.1
+    if version_info[0] == 2 and version_info[1] < 7:
+        path.remove(current_site)
+        print("#CRYPTEIA# - Cannot import 'crypteia' due unsupported runtime version: {}".format(version))
+        return
+
+    import crypteia
+
+
+import_crypteia()
diff --git a/test/libcrypteia.sh b/test/libcrypteia.sh
@@ -6,6 +6,7 @@ export CRYPTEIA_ENV_FILE="/tmp/crypteia.json"
 export BUILD_ARCH="${BUILD_ARCH:=debian}"
 export TEST_LANG="${TEST_LANG:=node}"
 export LD_PRELOAD="${LD_PRELOAD:=$PWD/build/libcrypteia-${BUILD_ARCH}.so}"
+export PYTHONPATH="${PYTHONPATH:=$PWD/package/opt/crypteia/python}"
 
 echo "============================="
 echo "   TEST_LANG: ${TEST_LANG}"
diff --git a/test/libcrypteia/empty-python.sh b/test/libcrypteia/empty-python.sh
@@ -0,0 +1,4 @@
+#!/bin/sh
+set -e
+
+python -c "import os; print(os.environ.get('EMPTY','undefined'))"
diff --git a/test/libcrypteia/existing-python.sh b/test/libcrypteia/existing-python.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+export EXISTING=existingvalue
+
+python -c "import os; print(os.environ.get('EXISTING',''))"
diff --git a/test/libcrypteia/fullpath-python.sh b/test/libcrypteia/fullpath-python.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+export X_CRYPTEIA_SSM=x-crypteia-ssm-path:/crypteia/v5/myapp/envs
+
+python -c "import os; print(os.environ.get('X_CRYPTEIA_SSM',''))"
diff --git a/test/libcrypteia/override-python.sh b/test/libcrypteia/override-python.sh
@@ -0,0 +1,6 @@
+#!/bin/sh
+set -e
+
+export SECRET=x-crypteia-ssm:/crypteia/v5/myapp/SECRET
+
+python -c "import os; print(os.environ.get('SECRET',''))"
