Merge pull request #581 from fstagni/securitytxt

feat: added /.well-known/security.txt

Author: aldbr

.github/workflows/update_security_txt_expiry.yml

@@ -0,0 +1,88 @@
+name: Update Security.txt Expiry
+
+on:
+  schedule:
+    # Runs once a year
+    - cron: '15 2 1 1 *' # January 1st at 02:15 UTC
+  workflow_dispatch: # Allows manual triggering for testing.
+
+jobs:
+  update-expiry:
+    runs-on: ubuntu-latest
+    # Grant GITHUB_TOKEN permissions to create a pull request.
+    permissions:
+      contents: write
+      pull-requests: write
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@v4
+
+      - name: Set up Python
+        uses: actions/setup-python@v4
+        with:
+          python-version: '3.x'
+
+      - name: Update expiry date in well_known.py
+        id: update_script
+        run: |
+          import re
+          from datetime import datetime, timedelta, timezone
+          import os
+
+          file_path = "diracx-routers/src/diracx/routers/auth/well_known.py"
+          changes_made = False
+
+          with open(file_path, "r") as f:
+              content = f.read()
+
+          # Using a robust regex to find the line and capture the date
+          pattern = re.compile(r'''(^\s*Expires: )(\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}\.\d{3}Z)''', re.MULTILINE)
+          match = pattern.search(content)
+
+          if match:
+              old_date_str = match.group(2)
+              try:
+                  expiry_date = datetime.strptime(old_date_str, "%Y-%m-%dT%H:%M:%S.%fZ").replace(tzinfo=timezone.utc)
+                  now = datetime.now(timezone.utc)
+
+                  # Update if the expiry is less than 45 days away
+                  if (expiry_date - now) < timedelta(days=45):
+                      # Set the new expiry to be 1 year from today
+                      new_expiry_date = now + timedelta(days=365)
+                      new_date_str = new_expiry_date.strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"
+
+                      new_content = pattern.sub(r'''\g<1>''' + new_date_str, content)
+
+                      with open(file_path, "w") as f:
+                          f.write(new_content)
+
+                      print(f"INFO: Updated expiry date to {new_date_str}")
+                      changes_made = True
+                  else:
+                      print(f"INFO: Expiry date {old_date_str} is not within the update window. No changes made.")
+              except (ValueError) as e:
+                  print(f"ERROR: Could not parse date string {old_date_str}. Error: {e}")
+
+          else:
+              print(f"ERROR: Could not find the 'Expires:' line in the specified format in {file_path}")
+
+          # Set output for subsequent steps
+          with open(os.environ['GITHUB_OUTPUT'], 'a') as hf:
+              print(f'changes_made={str(changes_made).lower()}', file=hf)
+        shell: python
+
+      - name: Create Pull Request
+        if: steps.update_script.outputs.changes_made == 'true'
+        uses: peter-evans/create-pull-request@v7
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          commit-message: "chore(security): Update security.txt expiry date"
+          title: "Automated Security.txt Expiry Update"
+          body: |
+            This is an automated PR to update the `Expires` field in the `security.txt` file.
+
+            The expiry date is automatically updated to one year from the current date to ensure it remains valid.
+          branch: "chore/update-security-txt-expiry"
+          base: "main"
+          delete-branch: true

diracx-client/src/diracx/client/_generated/aio/operations/_operations.py

@@ -56,6 +56,7 @@
     build_well_known_get_installation_metadata_request,
     build_well_known_get_jwks_request,
     build_well_known_get_openid_configuration_request,
+    build_well_known_get_security_txt_request,
 )
 from .._configuration import DiracConfiguration
 
@@ -223,6 +224,53 @@ async def get_installation_metadata(self, **kwargs: Any) -> _models.Metadata:
 
         return deserialized  # type: ignore
 
+    @distributed_trace_async
+    async def get_security_txt(self, **kwargs: Any) -> str:
+        """Get Security Txt.
+
+        Get the security.txt file.
+
+        :return: str
+        :rtype: str
+        :raises ~azure.core.exceptions.HttpResponseError:
+        """
+        error_map: MutableMapping = {
+            401: ClientAuthenticationError,
+            404: ResourceNotFoundError,
+            409: ResourceExistsError,
+            304: ResourceNotModifiedError,
+        }
+        error_map.update(kwargs.pop("error_map", {}) or {})
+
+        _headers = kwargs.pop("headers", {}) or {}
+        _params = kwargs.pop("params", {}) or {}
+
+        cls: ClsType[str] = kwargs.pop("cls", None)
+
+        _request = build_well_known_get_security_txt_request(
+            headers=_headers,
+            params=_params,
+        )
+        _request.url = self._client.format_url(_request.url)
+
+        _stream = False
+        pipeline_response: PipelineResponse = await self._client._pipeline.run(  # pylint: disable=protected-access
+            _request, stream=_stream, **kwargs
+        )
+
+        response = pipeline_response.http_response
+
+        if response.status_code not in [200]:
+            map_error(status_code=response.status_code, response=response, error_map=error_map)
+            raise HttpResponseError(response=response)
+
+        deserialized = self._deserialize("str", pipeline_response.http_response)
+
+        if cls:
+            return cls(pipeline_response, deserialized, {})  # type: ignore
+
+        return deserialized  # type: ignore
+
 
 class AuthOperations:  # pylint: disable=abstract-class-instantiated
     """

diracx-client/src/diracx/client/_generated/operations/_operations.py

@@ -77,6 +77,20 @@ def build_well_known_get_installation_metadata_request(**kwargs: Any) -> HttpReq
     return HttpRequest(method="GET", url=_url, headers=_headers, **kwargs)
 
 
+def build_well_known_get_security_txt_request(**kwargs: Any) -> HttpRequest:  # pylint: disable=name-too-long
+    _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {})
+
+    accept = _headers.pop("Accept", "application/json")
+
+    # Construct URL
+    _url = "/.well-known/.well-known/security.txt"
+
+    # Construct headers
+    _headers["Accept"] = _SERIALIZER.header("accept", accept, "str")
+
+    return HttpRequest(method="GET", url=_url, headers=_headers, **kwargs)
+
+
 def build_auth_initiate_device_flow_request(*, client_id: str, scope: str, **kwargs: Any) -> HttpRequest:
     _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {})
     _params = case_insensitive_dict(kwargs.pop("params", {}) or {})
@@ -754,6 +768,53 @@ def get_installation_metadata(self, **kwargs: Any) -> _models.Metadata:
 
         return deserialized  # type: ignore
 
+    @distributed_trace
+    def get_security_txt(self, **kwargs: Any) -> str:
+        """Get Security Txt.
+
+        Get the security.txt file.
+
+        :return: str
+        :rtype: str
+        :raises ~azure.core.exceptions.HttpResponseError:
+        """
+        error_map: MutableMapping = {
+            401: ClientAuthenticationError,
+            404: ResourceNotFoundError,
+            409: ResourceExistsError,
+            304: ResourceNotModifiedError,
+        }
+        error_map.update(kwargs.pop("error_map", {}) or {})
+
+        _headers = kwargs.pop("headers", {}) or {}
+        _params = kwargs.pop("params", {}) or {}
+
+        cls: ClsType[str] = kwargs.pop("cls", None)
+
+        _request = build_well_known_get_security_txt_request(
+            headers=_headers,
+            params=_params,
+        )
+        _request.url = self._client.format_url(_request.url)
+
+        _stream = False
+        pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
+            _request, stream=_stream, **kwargs
+        )
+
+        response = pipeline_response.http_response
+
+        if response.status_code not in [200]:
+            map_error(status_code=response.status_code, response=response, error_map=error_map)
+            raise HttpResponseError(response=response)
+
+        deserialized = self._deserialize("str", pipeline_response.http_response)
+
+        if cls:
+            return cls(pipeline_response, deserialized, {})  # type: ignore
+
+        return deserialized  # type: ignore
+
 
 class AuthOperations:  # pylint: disable=abstract-class-instantiated
     """

diracx-routers/src/diracx/routers/auth/well_known.py

@@ -52,3 +52,12 @@ async def get_installation_metadata(
 ) -> Metadata:
     """Get metadata about the dirac installation."""
     return await get_installation_metadata_bl(config)
+
+
+@router.get("/.well-known/security.txt")
+async def get_security_txt() -> str:
+    """Get the security.txt file."""
+    return """Contact: https://github.com/DIRACGrid/diracx/security/advisories/new
+Expires: 2026-07-02T23:59:59.000Z
+Preferred-Languages: en
+"""

extensions/gubbins/gubbins-client/src/gubbins/client/_generated/aio/operations/_operations.py

@@ -59,6 +59,7 @@
     build_well_known_get_installation_metadata_request,
     build_well_known_get_jwks_request,
     build_well_known_get_openid_configuration_request,
+    build_well_known_get_security_txt_request,
 )
 from .._configuration import DiracConfiguration
 
@@ -179,6 +180,53 @@ async def get_jwks(self, **kwargs: Any) -> Dict[str, Any]:
 
         return deserialized  # type: ignore
 
+    @distributed_trace_async
+    async def get_security_txt(self, **kwargs: Any) -> str:
+        """Get Security Txt.
+
+        Get the security.txt file.
+
+        :return: str
+        :rtype: str
+        :raises ~azure.core.exceptions.HttpResponseError:
+        """
+        error_map: MutableMapping = {
+            401: ClientAuthenticationError,
+            404: ResourceNotFoundError,
+            409: ResourceExistsError,
+            304: ResourceNotModifiedError,
+        }
+        error_map.update(kwargs.pop("error_map", {}) or {})
+
+        _headers = kwargs.pop("headers", {}) or {}
+        _params = kwargs.pop("params", {}) or {}
+
+        cls: ClsType[str] = kwargs.pop("cls", None)
+
+        _request = build_well_known_get_security_txt_request(
+            headers=_headers,
+            params=_params,
+        )
+        _request.url = self._client.format_url(_request.url)
+
+        _stream = False
+        pipeline_response: PipelineResponse = await self._client._pipeline.run(  # pylint: disable=protected-access
+            _request, stream=_stream, **kwargs
+        )
+
+        response = pipeline_response.http_response
+
+        if response.status_code not in [200]:
+            map_error(status_code=response.status_code, response=response, error_map=error_map)
+            raise HttpResponseError(response=response)
+
+        deserialized = self._deserialize("str", pipeline_response.http_response)
+
+        if cls:
+            return cls(pipeline_response, deserialized, {})  # type: ignore
+
+        return deserialized  # type: ignore
+
     @distributed_trace_async
     async def get_installation_metadata(self, **kwargs: Any) -> _models.ExtendedMetadata:
         """Get Installation Metadata.

extensions/gubbins/gubbins-client/src/gubbins/client/_generated/operations/_operations.py

@@ -63,6 +63,20 @@ def build_well_known_get_jwks_request(**kwargs: Any) -> HttpRequest:
     return HttpRequest(method="GET", url=_url, headers=_headers, **kwargs)
 
 
+def build_well_known_get_security_txt_request(**kwargs: Any) -> HttpRequest:  # pylint: disable=name-too-long
+    _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {})
+
+    accept = _headers.pop("Accept", "application/json")
+
+    # Construct URL
+    _url = "/.well-known/.well-known/security.txt"
+
+    # Construct headers
+    _headers["Accept"] = _SERIALIZER.header("accept", accept, "str")
+
+    return HttpRequest(method="GET", url=_url, headers=_headers, **kwargs)
+
+
 def build_well_known_get_installation_metadata_request(**kwargs: Any) -> HttpRequest:  # pylint: disable=name-too-long
     _headers = case_insensitive_dict(kwargs.pop("headers", {}) or {})
 
@@ -756,6 +770,53 @@ def get_jwks(self, **kwargs: Any) -> Dict[str, Any]:
 
         return deserialized  # type: ignore
 
+    @distributed_trace
+    def get_security_txt(self, **kwargs: Any) -> str:
+        """Get Security Txt.
+
+        Get the security.txt file.
+
+        :return: str
+        :rtype: str
+        :raises ~azure.core.exceptions.HttpResponseError:
+        """
+        error_map: MutableMapping = {
+            401: ClientAuthenticationError,
+            404: ResourceNotFoundError,
+            409: ResourceExistsError,
+            304: ResourceNotModifiedError,
+        }
+        error_map.update(kwargs.pop("error_map", {}) or {})
+
+        _headers = kwargs.pop("headers", {}) or {}
+        _params = kwargs.pop("params", {}) or {}
+
+        cls: ClsType[str] = kwargs.pop("cls", None)
+
+        _request = build_well_known_get_security_txt_request(
+            headers=_headers,
+            params=_params,
+        )
+        _request.url = self._client.format_url(_request.url)
+
+        _stream = False
+        pipeline_response: PipelineResponse = self._client._pipeline.run(  # pylint: disable=protected-access
+            _request, stream=_stream, **kwargs
+        )
+
+        response = pipeline_response.http_response
+
+        if response.status_code not in [200]:
+            map_error(status_code=response.status_code, response=response, error_map=error_map)
+            raise HttpResponseError(response=response)
+
+        deserialized = self._deserialize("str", pipeline_response.http_response)
+
+        if cls:
+            return cls(pipeline_response, deserialized, {})  # type: ignore
+
+        return deserialized  # type: ignore
+
     @distributed_trace
     def get_installation_metadata(self, **kwargs: Any) -> _models.ExtendedMetadata:
         """Get Installation Metadata.