Move 1Password credential paths into config file

VegasNative · VegasNative · commit 904a5d1e0f37 · 2026-04-24T22:21:52.000-07:00
diff --git a/README.md b/README.md
@@ -1,2 +1,78 @@
 # rir-updater
-Scripts to do updates to RIR databases
+
+CLI tool for syncing RIPE NCC route objects and RPKI ROAs from a YAML config file.
+
+## Requirements
+
+- Python 3.14+
+- [uv](https://docs.astral.sh/uv/)
+- [1Password CLI](https://developer.1password.com/docs/cli/) (`op`) for credential access
+
+## Installation
+
+```bash
+uv sync
+```
+
+## Configuration
+
+Copy `config.example.yaml` and fill in your values:
+
+```yaml
+ripe:
+  maintainer: "MAINT-AS12345"
+  sso_emails:
+    - "admin@example.com"
+  routes:
+    - prefix: "192.0.2.0/24"
+      origin: "AS12345"
+      description: "Example IPv4 prefix"
+    - prefix: "2001:db8::/32"
+      origin: "AS12345"
+  roas:
+    - prefix: "192.0.2.0/24"
+      origin: "AS12345"
+      max_length: 24
+    - prefix: "2001:db8::/32"
+      origin: "AS12345"
+```
+
+`roas` is optional. If omitted, only route objects are synced. ROA sync only manages prefixes explicitly listed — other ROAs in the account are left untouched.
+
+## Credentials
+
+The following secrets are read from 1Password via the `op` CLI:
+
+| Secret | Used for |
+|--------|----------|
+| `op://Code/Mozilla - RIPE NNC/username` | RIPE DB REST API (Basic auth) |
+| `op://Code/Mozilla - RIPE NNC/credential` | RIPE DB REST API (Basic auth) |
+| `op://Code/Mozilla - RIPE NNC/RPKI API Key` | RIPE RPKI Management API |
+
+## Usage
+
+```bash
+# Dry-run against the RIPE test database (default)
+uv run rir-updater config.yaml
+
+# Dry-run against production
+uv run rir-updater config.yaml --production
+
+# Apply changes to production
+uv run rir-updater config.yaml --production --commit
+
+# Set up the RIPE test database with objects replicated from production
+uv run rir-updater config.yaml --setup-test
+```
+
+### Test database bootstrap
+
+The first time you use `--setup-test`, the mntner must be created manually via the RIPE web UI at [apps-test.db.ripe.net](https://apps-test.db.ripe.net) — the API does not allow creating the first mntner programmatically due to a circular person↔mntner dependency. The tool will print instructions if the mntner is not found.
+
+## Development
+
+```bash
+uv run ruff check .   # lint
+uv run ruff format .  # format
+uv run pytest         # test
+```
diff --git a/config.example.yaml b/config.example.yaml
@@ -1,5 +1,9 @@
 ripe:
   maintainer: "MAINT-AS12345"
+  credentials:
+    db_username: "op://vault/item/username"
+    db_password: "op://vault/item/password"
+    rpki_api_key: "op://vault/item/rpki-api-key"
   sso_emails:
     - "admin1@example.com"
     - "admin2@example.com"
diff --git a/src/rir_updater/config.py b/src/rir_updater/config.py
@@ -73,8 +73,15 @@ def validate_max_length(cls, v: int | None, info) -> int | None:
         return v
 
 
+class RipeCredentials(BaseModel):
+    db_username: str
+    db_password: str
+    rpki_api_key: str
+
+
 class RipeConfig(BaseModel):
     maintainer: str
+    credentials: RipeCredentials
     sso_emails: list[str] = []
     routes: list[RouteObject] = []
     roas: list[ROA] = []
diff --git a/src/rir_updater/credentials.py b/src/rir_updater/credentials.py
@@ -23,15 +23,15 @@ def read_op(reference: str) -> str:
         ) from e
 
 
-def get_ripe_db_auth() -> str:
+def get_ripe_db_auth(username_ref: str, password_ref: str) -> str:
     """Return base64(username:password) for the RIPE DB REST API Basic auth header."""
     import base64
 
-    username = read_op("op://Code/Mozilla - RIPE NNC/username")
-    password = read_op("op://Code/Mozilla - RIPE NNC/credential")
+    username = read_op(username_ref)
+    password = read_op(password_ref)
     return base64.b64encode(f"{username}:{password}".encode()).decode()
 
 
-def get_ripe_rpki_key() -> str:
+def get_ripe_rpki_key(key_ref: str) -> str:
     """Return the API key for the RIPE RPKI Management API."""
-    return read_op("op://Code/Mozilla - RIPE NNC/RPKI API Key")
+    return read_op(key_ref)
diff --git a/src/rir_updater/main.py b/src/rir_updater/main.py
@@ -49,9 +49,10 @@ def _run(args, parser):
     config = load_config(args.config)
 
     if config.ripe:
+        creds = config.ripe.credentials
         with RipeClient(
-            db_auth=get_ripe_db_auth(),
-            rpki_key=get_ripe_rpki_key(),
+            db_auth=get_ripe_db_auth(creds.db_username, creds.db_password),
+            rpki_key=get_ripe_rpki_key(creds.rpki_api_key),
             maintainer=config.ripe.maintainer,
             dry_run=not args.commit,
             use_test_env=not args.production,
diff --git a/tests/test_config.py b/tests/test_config.py
@@ -61,12 +61,23 @@ def test_max_length_less_than_prefix_len(self):
 
 
 class TestLoadConfig:
+    CREDS = textwrap.dedent("""\
+        credentials:
+          db_username: "op://vault/item/username"
+          db_password: "op://vault/item/password"
+          rpki_api_key: "op://vault/item/rpki-api-key"
+    """)
+
     def test_load_valid_config(self, tmp_path: Path):
         cfg = tmp_path / "config.yaml"
         cfg.write_text(
             textwrap.dedent("""\
                 ripe:
                   maintainer: MAINT-AS64496
+                  credentials:
+                    db_username: "op://vault/item/username"
+                    db_password: "op://vault/item/password"
+                    rpki_api_key: "op://vault/item/rpki-api-key"
                   routes:
                     - prefix: "192.0.2.0/24"
                       origin: AS64496
@@ -85,7 +96,16 @@ def test_load_valid_config(self, tmp_path: Path):
 
     def test_empty_ripe_section(self, tmp_path: Path):
         cfg = tmp_path / "config.yaml"
-        cfg.write_text("ripe:\n  maintainer: MAINT-AS64496\n")
+        cfg.write_text(
+            textwrap.dedent("""\
+                ripe:
+                  maintainer: MAINT-AS64496
+                  credentials:
+                    db_username: "op://vault/item/username"
+                    db_password: "op://vault/item/password"
+                    rpki_api_key: "op://vault/item/rpki-api-key"
+            """)
+        )
         config = load_config(cfg)
         assert config.ripe.routes == []
         assert config.ripe.roas == []
@@ -96,6 +116,10 @@ def test_invalid_prefix_in_config(self, tmp_path: Path):
             textwrap.dedent("""\
                 ripe:
                   maintainer: MAINT-AS64496
+                  credentials:
+                    db_username: "op://vault/item/username"
+                    db_password: "op://vault/item/password"
+                    rpki_api_key: "op://vault/item/rpki-api-key"
                   routes:
                     - prefix: "192.0.2.1/24"
                       origin: AS64496
