updating lib usage after py-spiffe update

Author: telliere

.github/workflows/build-container-prep-image.yml

@@ -12,9 +12,11 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@v4
+        with:
+          lfs: 'true'
 
       - name: Build image
-        run: docker build . -f ./client/container_preparation/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
+        run: git lfs pull ; docker build . -f ./client/container_preparation/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
 
       - name: Log in to registry
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin

.github/workflows/build-data-prep-image.yml

@@ -12,9 +12,11 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@v4
+        with:
+          lfs: 'true'
 
       - name: Build image
-        run: docker build . -f ./client/data_preparation/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
+        run: git lfs pull ; docker build . -f ./client/data_preparation/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
 
       - name: Log in to registry
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin

.github/workflows/build-job-prep-image.yml

@@ -12,9 +12,11 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@v4
+        with:
+          lfs: 'true'
 
       - name: Build image
-        run: docker build . -f ./client/job_preparation/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
+        run: git lfs pull ; docker build . -f ./client/job_preparation/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
 
       - name: Log in to registry
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin

.github/workflows/build-server-image.yml

@@ -12,9 +12,11 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@v4
+        with:
+          lfs: 'true'
 
       - name: Build image
-        run: docker build . -f ./server/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
+        run: git lfs pull ; docker build . -f ./server/Dockerfile -t $IMAGE_NAME --label "runnumber=${GITHUB_RUN_ID}"
 
       - name: Log in to registry
         run: echo "${{ secrets.GITHUB_TOKEN }}" | docker login ghcr.io -u $ --password-stdin

client/job_preparation/prepare_job.py

@@ -53,7 +53,7 @@
     ssh_copy_file(ssh_client, sbatch_path, f"~/")
 
     # Copy config file to supercomputer
-    ssh_copy_file(ssh_client, options.config, f"~/.config/hpcs.conf")
+    ssh_copy_file(ssh_client, options.config, f"~/.config/hpcs-client.conf")
 
     # Create public encryption key for output data
     ident = x25519.Identity.generate()
@@ -63,7 +63,7 @@
         public_key_file.write(str(ident.to_public()))
 
     # Write private key to current directory
-    with open("./private_key", "w+") as private_key_file:
+    with open("/tmp/private_key", "w+") as private_key_file:
         private_key_file.write(str(ident))
 
     # Copy public key to supercomputer

server/app.py

@@ -30,6 +30,8 @@
 
 if configuration['spire-server'].get('pre-command') :
     spire_interactions.pre_command = configuration['spire-server']['pre-command']
+    if configuration['spire-server']['pre-command'] == "\"\"":
+        spire_interactions.pre_command = ""
 
 # Defining the trust domain (SPIRE Trust Domain)
 trust_domain = configuration['spire-server']['trust-domain']
@@ -49,7 +51,7 @@ async def handle_dummy_token_endpoint():
     if hostname != None:
 
         # Create spiffeID based on the hostname
-        spiffeID = SpiffeId.parse(f"spiffe://{trust_domain}/h/{hostname}")
+        spiffeID = SpiffeId(f"spiffe://{trust_domain}/h/{hostname}")
 
         # Associate a token to the spiffeID
         result = token_generate(spiffeID)
@@ -87,7 +89,7 @@ async def handle_client_registration():
     write_client_policy(hvac_client, f"client_{client_id}")
 
     # Create spiffeID out of this client id
-    agent_spiffeID = SpiffeId.parse(f"spiffe://{trust_domain}/c/{client_id}")
+    agent_spiffeID = SpiffeId(f"spiffe://{trust_domain}/c/{client_id}")
 
     # Generate a token to register the agent (again, based on the client id)
     result = token_generate(agent_spiffeID)
@@ -99,7 +101,7 @@ async def handle_client_registration():
 
         # Create a spiffeID for the workloads on the client.
         # Register workloads that have to run on this agent
-        workload_spiffeID = SpiffeId.parse(
+        workload_spiffeID = SpiffeId(
             f"spiffe://{trust_domain}/c/{client_id}/workload"
         )
 
@@ -163,7 +165,7 @@ async def handle_workload_creation():
     client_id = hashlib.sha256(client_id.encode()).hexdigest()[0:9]
 
     # Parse the spiffeID that will access the application
-    spiffeID = SpiffeId.parse(
+    spiffeID = SpiffeId(
         f"spiffe://{trust_domain}/c/{client_id}/s/{data['secret']}"
     )
 
@@ -179,7 +181,7 @@ async def handle_workload_creation():
             groups_added = []
 
             # Compute node's agent spiffeID
-            parentID = SpiffeId.parse(f"spiffe://{trust_domain}/h/{compute_node}")
+            parentID = SpiffeId(f"spiffe://{trust_domain}/h/{compute_node}")
 
             # For each user
             if data["users"] != None:

server/lib/spire_interactions.py

@@ -64,9 +64,9 @@ def get_server_identity_JWT() -> JwtSvid:
     """
 
     # Perform an api fetch using pyspiffe
-    SVID = jwt_workload_api.get_jwt_svid(
+    SVID = jwt_workload_api.fetch_svid(
         audiences=["TESTING"],
-        subject=SpiffeId().parse("spiffe://lumi-sd-dev/lumi-sd-server"),
+        subject=SpiffeId("spiffe://lumi-sd-dev/lumi-sd-server"),
     )
     return SVID
 

utils/agent-on-the-fly.conf

@@ -28,9 +28,6 @@ plugins {
             discover_workload_path = true
         }
     }
-        
-    WorkloadAttestor "systemd" {
-    }
 
     WorkloadAttestor "docker" {
         plugin_data {}

utils/ship_a_key.py

@@ -166,7 +166,7 @@ def validate_options(options: argparse.ArgumentParser):
 
     # Check that user provided spiffeID is well formed
     try:
-        spiffeID = spiffe_id.SpiffeId().parse(f"{options.spiffeid}")
+        spiffeID = spiffe_id.SpiffeId(f"{options.spiffeid}")
     except SpiffeIdError:
         print(f"Error, spiffeID {options.spiffeid} is malformed")
         exit(1)
@@ -268,7 +268,7 @@ def create_authorized_workloads(
     )
 
     # Get the client's certificate to perform mTLS
-    SVID = jwt_workload_api.get_jwt_svid(audiences=["TESTING"], subject=spiffeID)
+    SVID = jwt_workload_api.fetch_svid(audiences=["TESTING"], subject=spiffeID)
 
     # Perform workloads authorization for the secret to be created
     users_spiffeID, client_id, secrets_path, user_role = create_authorized_workloads(

utils/ssh_utils.py

@@ -35,8 +35,8 @@ def ssh_connect(username: str) -> SSHClient:
             host,
             port,
             username=username,
-             pkey=pkey,
-             look_for_keys=False,
+            pkey=pkey,
+            look_for_keys=False,
             auth_timeout=30,
             timeout=30,
         )