Updating code and dependencies to run as a Python 3.7 lambda with the…

… latest Amazon Linux.
silverlogic · May 20, 2019 · 5d92a03 · 5d92a03
1 parent a7b454a
commit 5d92a03
Show file tree

Hide file tree

Showing 11 changed files with 37 additions and 55 deletions.
diff --git a/.travis.yml b/.travis.yml
@@ -6,7 +6,7 @@ addons:
 
 matrix:
   include:
-    - python: "3.6"
+    - python: "3.7"
 
 install:
   - pip install coveralls

diff --git a/Makefile b/Makefile
@@ -5,6 +5,7 @@ test: lint
 
 develop:
 	@echo "--> Installing dependencies"
+	pip install --upgrade pip setuptools
 	pip install -r requirements.txt
 	pip install "file://`pwd`#egg=bless[tests]"
 	@echo ""
@@ -39,15 +40,10 @@ publish:
 	cd ./publish/bless_lambda && zip -FSr ../bless_lambda.zip .
 
 compile:
-	yum install -y gcc libffi-devel openssl-devel python36 python36-virtualenv
-	virtualenv-3.6 /tmp/venv
-	/tmp/venv/bin/pip install --upgrade pip setuptools
-	/tmp/venv/bin/pip install -e .
-	cp -r /tmp/venv/lib/python3.6/site-packages/. ./aws_lambda_libs
-	cp -r /tmp/venv/lib64/python3.6/site-packages/. ./aws_lambda_libs
+	./lambda_compile.sh
 
 lambda-deps:
 	@echo "--> Compiling lambda dependencies"
-	docker run --rm -v ${CURDIR}:/src -w /src amazonlinux:1 make compile
+	docker run --rm -v ${CURDIR}:/src -w /src amazonlinux:2 ./lambda_compile.sh
 
 .PHONY: develop dev-docs clean test lint coverage publish
diff --git a/README.md b/README.md
@@ -33,7 +33,7 @@ Cd to the bless repo:
 
 Create a virtualenv if you haven't already:
 
-    $ python3.6 -m venv venv
+    $ python3.7 -m venv venv
 
 Activate the venv:
 
@@ -55,34 +55,12 @@ Makefile includes a publish target to package up everything into a deploy-able .
 the expected locations.
 
 ### Compiling BLESS Lambda Dependencies
-AWS Lambda has some limitations, and to deploy code as a Lambda Function, you need to package up
-all of the dependencies.  AWS Lambda only supports Python 2.7 and BLESS depends on
-[Cryptography](https://cryptography.io/en/latest/), which must be compiled.  You will need to
+To deploy code as a Lambda Function, you need to package up all of the dependencies.  You will need to
 compile and include your dependencies before you can publish a working AWS Lambda.
 
-You can use a docker container running [Amazon Linux](https://hub.docker.com/_/amazonlinux):
+BLESS uses a docker container running [Amazon Linux 2](https://hub.docker.com/_/amazonlinux) to package everything up:
 - Execute ```make lambda-deps``` and this will run a container and save all the dependencies in ./aws_lambda_libs
 
-Alternatively you can:
-- Deploy an [Amazon Linux AMI](http://docs.aws.amazon.com/lambda/latest/dg/current-supported-versions.html)
-- SSH onto that instance
-- Copy BLESS' `setup.py` to the instance
-- Copy BLESS' `bless/__about__.py` to the instance at `bless/__about__.py`
-- Install BLESS' dependencies:
-```
-$ sudo yum install gcc libffi-devel openssl-devel
-$ virtualenv venv
-$ source venv/bin/activate
-(venv) $ pip install --upgrade pip setuptools
-(venv) $ pip install -e .
-```
-- From that instance, copy off the contents of:
-```
-$ cp -r venv/lib/python2.7/site-packages/. aws_lambda_libs
-$ cp -r venv/lib64/python2.7/site-packages/. aws_lambda_libs
-```
-- put those files in: ./aws_lambda_libs/
-
 ### Protecting the CA Private Key
 - Generate a password protected RSA Private Key:
 ```

diff --git a/bless/config/bless_config.py b/bless/config/bless_config.py
@@ -185,7 +185,7 @@ def get(self, section, option, **kwargs):
 
     @staticmethod
     def _environment_key(section, option):
-        return (re.sub('\W+', '_', section) + '_' + re.sub('\W+', '_', option)).lower()
+        return (re.sub(r'\W+', '_', section) + '_' + re.sub(r'\W+', '_', option)).lower()
 
     @staticmethod
     def _decompress(data, algorithm):

diff --git a/bless/request/bless_request.py b/bless/request/bless_request.py
@@ -16,15 +16,15 @@
     REMOTE_USERNAMES_BLACKLIST_DEFAULT
 
 # man 8 useradd
-USERNAME_PATTERN = re.compile('[a-z_][a-z0-9_-]*[$]?\Z')
+USERNAME_PATTERN = re.compile(r'[a-z_][a-z0-9_-]*[$]?\Z')
 
 # debian
 # On Debian, the only constraints are that usernames must neither start
 # with a dash ('-') nor plus ('+') nor tilde ('~') nor contain a colon
 # (':'), a comma (','), or a whitespace (space: ' ', end of line: '\n',
 # tabulation: '\t', etc.). Note that using a slash ('/') may break the
 # default algorithm for the definition of the user's home directory.
-USERNAME_PATTERN_DEBIAN = re.compile('\A[^-+~][^:,\s]*\Z')
+USERNAME_PATTERN_DEBIAN = re.compile(r'\A[^-+~][^:,\s]*\Z')
 
 # It appears that most printable ascii is valid, excluding whitespace, #, and commas.
 # There doesn't seem to be any practical size limits of an SSH Certificate Principal (> 4096B allowed).

diff --git a/bless/ssh/public_keys/ed25519_public_key.py b/bless/ssh/public_keys/ed25519_public_key.py
@@ -7,7 +7,7 @@
 import hashlib
 
 from bless.ssh.public_keys.ssh_public_key import SSHPublicKey, SSHPublicKeyType
-from cryptography.hazmat.primitives import serialization
+from cryptography.hazmat.primitives.serialization import ssh
 
 
 class ED25519PublicKey(SSHPublicKey):
@@ -46,15 +46,15 @@ def __init__(self, ssh_public_key):
         except TypeError:
             raise ValueError('Key is not in the proper format.')
 
-        inner_key_type, rest = serialization._ssh_read_next_string(decoded_data)
+        inner_key_type, rest = ssh._ssh_read_next_string(decoded_data)
 
         if inner_key_type != key_type.encode("utf-8"):
             raise ValueError(
                 'Key header and key body contain different key type values.'
             )
 
         # ed25519 public key is a single string https://tools.ietf.org/html/rfc8032#section-5.1.5
-        self.a, rest = serialization._ssh_read_next_string(rest)
+        self.a, rest = ssh._ssh_read_next_string(rest)
 
         key_bytes = base64.b64decode(split_ssh_public_key[1])
         fingerprint = hashlib.md5(key_bytes).hexdigest()

diff --git a/lambda_compile.sh b/lambda_compile.sh
@@ -0,0 +1,8 @@
+#!/bin/sh
+
+yum install -y python37
+python3.7 -m venv /tmp/venv
+/tmp/venv/bin/pip install --upgrade pip setuptools
+/tmp/venv/bin/pip install -e .
+cp -r /tmp/venv/lib/python3.7/site-packages/. ./aws_lambda_libs
+cp -r /tmp/venv/lib64/python3.7/site-packages/. ./aws_lambda_libs
diff --git a/requirements.txt b/requirements.txt
@@ -1,16 +1,16 @@
 -e .
 asn1crypto==0.24.0
-boto3==1.7.61
-botocore==1.10.61
-cffi==1.11.5
-cryptography==2.3
+boto3==1.9.151
+botocore==1.12.151
+cffi==1.12.3
+cryptography==2.6.1
 docutils==0.14
-idna==2.7
 ipaddress==1.0.22
-jmespath==0.9.3
+jmespath==0.9.4
 kmsauth==0.3.0
-marshmallow==2.15.3
-pycparser==2.18
-python-dateutil==2.7.3
-s3transfer==0.1.13
-six==1.11.0
+marshmallow==2.19.2
+pycparser==2.19
+python-dateutil==2.8.0
+s3transfer==0.2.0
+six==1.12.0
+urllib3==1.24.3
diff --git a/tests/config/test_bless_config.py b/tests/config/test_bless_config.py
@@ -95,7 +95,7 @@ def test_zlib_compression_env_with_uncompressed_key(monkeypatch):
     extra_environment_variables = {
         'bless_ca_default_password': '<INSERT_DEFAULT_KMS_ENCRYPTED_BASE64_ENCODED_PEM_PASSWORD_HERE>',
         'bless_ca_ca_private_key_compression': 'zlib',
-        'bless_ca_ca_private_key': base64.b64encode(b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'),
+        'bless_ca_ca_private_key': str(base64.b64encode(b'<INSERT_YOUR_ENCRYPTED_PEM_FILE_CONTENT>'), encoding='ascii'),
     }
 
     for k, v in extra_environment_variables.items():

diff --git a/tests/request/test_bless_request.py b/tests/request/test_bless_request.py
@@ -100,7 +100,7 @@ def test_validate_user_debian(test_input):
 @pytest.mark.parametrize("test_input", [
     ('uservalid'),
     ('a32characterusernameyoumustok$'),
-    ('!"$%&\'()*+-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~')
+    ('!"$%&\'()*+-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~')
 ])
 def test_validate_user_principal(test_input):
     validate_user(test_input, USERNAME_VALIDATION_OPTIONS.principal)
@@ -128,7 +128,7 @@ def test_invalid_user_email(test_input):
 @pytest.mark.parametrize("test_input", [
     ('a33characterusernameyoumustbenuts'),
     ('~:, \n\t@'),
-    ('uservalid,!"$%&\'()*+-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~,'),
+    ('uservalid,!"$%&\'()*+-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~,'),
 ])
 def test_validate_user_disabled(test_input):
     validate_user(test_input, USERNAME_VALIDATION_OPTIONS.disabled)
@@ -137,7 +137,7 @@ def test_validate_user_disabled(test_input):
 @pytest.mark.parametrize("test_input", [
     ('uservalid'),
     ('uservalid,uservalid2'),
-    ('uservalid,!"$%&\'()*+-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~,'
+    ('uservalid,!"$%&\'()*+-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~,'
      'uservalid2')
 ])
 def test_validate_multiple_principals(test_input):

diff --git a/tests/ssh/test_ssh_certificate_rsa.py b/tests/ssh/test_ssh_certificate_rsa.py
@@ -1,7 +1,7 @@
 import base64
 
 import pytest
-from cryptography.hazmat.primitives.serialization import _ssh_read_next_string
+from cryptography.hazmat.primitives.serialization.ssh import _ssh_read_next_string
 
 from bless.ssh.certificate_authorities.rsa_certificate_authority import RSACertificateAuthority
 from bless.ssh.certificates.rsa_certificate_builder import RSACertificateBuilder