uc-cdis · BinamB · Sep 4, 2024 · Sep 4, 2024 · Sep 6, 2024 · Oct 16, 2024
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -23,25 +23,12 @@ jobs:
   BuildImageAndPush:
     name: Build Image and Push
     needs: Security
+    with:
+      BUILD_PLATFORMS: "linux/amd64"
     # https://github.com/uc-cdis/.github/blob/master/.github/workflows/image_build_push.yaml
     uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
     secrets:
       ECR_AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
       ECR_AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
       QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
       QUAY_ROBOT_TOKEN: ${{ secrets.QUAY_ROBOT_TOKEN }}
-
-  # I did not test that this works
-  BuildMcryptImageAndPush:
-    name: Build Image and Push
-    needs: Security
-    # https://github.com/uc-cdis/.github/blob/master/.github/workflows/image_build_push.yaml
-    uses: uc-cdis/.github/.github/workflows/image_build_push.yaml@master
-    secrets:
-      ECR_AWS_ACCESS_KEY_ID: ${{ secrets.ECR_AWS_ACCESS_KEY_ID }}
-      ECR_AWS_SECRET_ACCESS_KEY: ${{ secrets.ECR_AWS_SECRET_ACCESS_KEY }}
-      QUAY_USERNAME: ${{ secrets.QUAY_USERNAME }}
-      QUAY_ROBOT_TOKEN: ${{ secrets.QUAY_ROBOT_TOKEN }}
-    with:
-      OVERRIDE_TAG_NAME: "mcrypt_$(echo ${GITHUB_REF#refs/*/} | tr / _)"
-      DOCKERFILE_LOCATION: "./DockerfileMcrypt"
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -395,5 +395,5 @@
       }
     ]
   },
-  "generated_at": "2023-10-20T20:37:17Z"
+  "generated_at": "2024-11-04T09:20:13Z"
 }
diff --git a/Dockerfile b/Dockerfile
@@ -20,6 +20,29 @@ RUN chown -R gen3:gen3 /${appname}
 # ------ Builder stage ------
 FROM base AS builder
 
+# Install ccrypt to decrypt dbgap telmetry files
+RUN if [ "$TARGETARCH" = "amd64" ]; then \
+        echo "Upgrading dnf"; \
+        dnf upgrade -y && \
+        echo "Installing Packages"; \
+        dnf install -y \
+            libxcrypt-compat-4.4.33 \
+            libpq-15.0 && \
+        echo "Installing RPM"; \
+        rpm -i https://ccrypt.sourceforge.net/download/1.11/ccrypt_1.11-1_amd64.deb; \
+    fi
+
+RUN if [ "$TARGETARCH" = "arm64" ]; then \
+    echo "Upgrading dnf"; \
+    dnf upgrade -y && \
+    echo "Installing Packages"; \
+    dnf install -y \
+        libxcrypt-compat-4.4.33 \
+        libpq-15.0 && \
+    echo "Installing RPM"; \
+    rpm -i https://ccrypt.sourceforge.net/download/1.11/ccrypt-1.11-1.x86_64.rpm; \
+fi
+
 # Install just the deps without the code as it's own step to avoid redoing this on code changes
 COPY poetry.lock pyproject.toml /${appname}/
 RUN poetry lock -vv --no-update \
@@ -48,4 +71,4 @@ FROM base
 
 COPY --chown=gen3:gen3 --from=builder /$appname /$appname
 
-CMD ["poetry", "run", "gunicorn", "-c", "deployment/wsgi/gunicorn.conf.py"]
+CMD ["/bin/bash", "-c", "/fence/dockerrun.bash"]
diff --git a/dockerrun.bash b/dockerrun.bash
@@ -15,4 +15,4 @@ if [ -f /fence/jwt-keys.tar ]; then
 fi
 
 nginx
-gunicorn -c /fence/deployment/wsgi/gunicorn.conf.py
+poetry run gunicorn -c "/fence/deployment/wsgi/gunicorn.conf.py"
diff --git a/fence/sync/sync_users.py b/fence/sync/sync_users.py
@@ -100,30 +100,20 @@ def _read_file(filepath, encrypted=True, key=None, logger=None):
         Generator[file-like class]: file like object for the file
     """
     if encrypted:
-        has_crypt = sp.call(["which", "mcrypt"])
+        has_crypt = sp.call(["which", "ccdecrypt"])
         if has_crypt != 0:
             if logger:
                 logger.error("Need to install mcrypt to decrypt files from dbgap")
             # TODO (rudyardrichter, 2019-01-08): raise error and move exit out to script
             exit(1)
         p = sp.Popen(
             [
-                "mcrypt",
-                "-a",
-                "enigma",
-                "-o",
-                "scrypt",
-                "-m",
-                "stream",
-                "--bare",
-                "--key",
+                "ccdecrypt",
+                "-u",
+                "-K",
                 key,
-                "--force",
-            ],
-            stdin=open(filepath, "r"),
-            stdout=sp.PIPE,
-            stderr=open(os.devnull, "w"),
-            universal_newlines=True,
+                filepath,
+            ]
         )
         try:
             yield StringIO(p.communicate()[0])
@@ -659,9 +649,13 @@ def _parse_csv(self, file_dict, sess, dbgap_config={}, encrypted=True):
                         tags["pi"] = row["downloader for names"]
 
                     user_info[username] = {
-                        "email": row.get("email") or user_info[username].get('email') or "",
+                        "email": row.get("email")
+                        or user_info[username].get("email")
+                        or "",
                         "display_name": display_name,
-                        "phone_number": row.get("phone") or user_info[username].get('phone_number') or "",
+                        "phone_number": row.get("phone")
+                        or user_info[username].get("phone_number")
+                        or "",
                         "tags": tags,
                     }
 
@@ -967,10 +961,10 @@ def sync_to_storage_backend(self, user_project, user_info, sess, expires):
             google_group_user_mapping = {}
             get_or_create_proxy_group_id(
                 expires=expires,
-                user_id=user_info['user_id'],
-                username=user_info['username'],
+                user_id=user_info["user_id"],
+                username=user_info["username"],
                 session=sess,
-                storage_manager=self.storage_manager
+                storage_manager=self.storage_manager,
             )
 
         # TODO: eventually it'd be nice to remove this step but it's required
@@ -987,14 +981,11 @@ def sync_to_storage_backend(self, user_project, user_info, sess, expires):
             for project, _ in projects.items():
                 syncing_user_project_list.add((username.lower(), project))
 
-
         to_add = set(syncing_user_project_list)
 
         # when updating users we want to maintain case sensitivity in the username so
         # pass the original, non-lowered user_info dict
-        self._upsert_userinfo(sess, {
-            user_info['username'].lower(): user_info
-        })
+        self._upsert_userinfo(sess, {user_info["username"].lower(): user_info})
 
         self._grant_from_storage(
             to_add,
@@ -2485,8 +2476,8 @@ def sync_single_user_visas(self, user, ga4gh_visas, sess=None, expires=None):
             projects = {**projects, **project}
             parsed_visas.append(visa)
 
-        info['user_id'] = user.id
-        info['username'] = user.username
+        info["user_id"] = user.id
+        info["username"] = user.username
         user_projects[user.username] = projects
 
         user_projects = self.parse_projects(user_projects)
@@ -2511,9 +2502,7 @@ def sync_single_user_visas(self, user, ga4gh_visas, sess=None, expires=None):
 
         if user_projects:
             self.logger.info("Sync to storage backend [sync_single_user_visas]")
-            self.sync_to_storage_backend(
-                user_projects, info, sess, expires=expires
-            )
+            self.sync_to_storage_backend(user_projects, info, sess, expires=expires)
         else:
             self.logger.info("No users for syncing")
-Original file line number
+Diff line change
@@ Expand Up / @@ -395,5 +395,5 @@ @@
           }
         ]
       },
-      "generated_at": "2023-10-20T20:37:17Z"
+      "generated_at": "2024-11-04T09:20:13Z"
     }