"""Provision non-secret provider auth markers into a smolmachines bottle."""
from __future__ import annotations
import os
from ....log import die
from .. import smolvm as _smolvm
from ..bottle_plan import SmolmachinesBottlePlan
# Fallback guest home directory, used by provision_provider_auth when
# BOT_BOTTLE_GUEST_HOME is not set in this process's environment.
_DEFAULT_GUEST_HOME = "/home/node"
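def _exec_or_die(target: str, argv: list[str], failure: str) -> None:
    """Run *argv* in the guest and report *failure* via die() on a non-zero exit.

    The guest's stderr (falling back to stdout) is appended to the message so
    the operator can see why the step failed.
    """
    result = _smolvm.machine_exec(target, argv)
    if result.returncode != 0:
        detail = (result.stderr or result.stdout).strip()
        if detail:
            detail = f": {detail}"
        die(f"{failure}{detail}")


def provision_provider_auth(plan: SmolmachinesBottlePlan, target: str) -> None:
    """Copy a dummy Codex auth marker when host credentials are
    forwarded through egress.

    The real host access token remains in the egress bundle env; this
    file only selects Codex's user/device auth code path.

    Does nothing when ``plan.codex_auth_file`` is unset. Otherwise, inside
    the guest named by *target*, it:

    1. creates the Codex home directory, owned by ``node:node``, mode 700;
    2. deletes stale ``*.sqlite``, ``*.sqlite-*`` and
       ``*.codex-repair-*.bak`` files directly under that directory;
    3. copies the marker to ``auth.json``, owned by ``node:node``, mode 600;
    4. runs ``codex login status`` as ``node`` to confirm Codex accepts it.

    Any step that exits non-zero is reported through die().
    """
    if not plan.codex_auth_file:
        return

    # BOT_BOTTLE_GUEST_HOME is read from this process's environment; a
    # CODEX_HOME entry in the plan's guest env takes precedence over the
    # derived "<home>/.codex" location.
    guest_home = os.environ.get("BOT_BOTTLE_GUEST_HOME", _DEFAULT_GUEST_HOME)
    auth_dir = plan.guest_env.get("CODEX_HOME", f"{guest_home}/.codex")

    # Each command is handed over as an argument list, so auth_dir is one
    # argv element rather than text spliced into a command string.
    # NOTE(review): how machine_exec runs the list in the guest is not
    # visible here - confirm it does not re-join it for a shell.
    _exec_or_die(
        target,
        ["mkdir", "-p", auth_dir],
        f"codex host credentials: could not create {auth_dir}",
    )
    # Ownership is hard-coded to node:node, the same user that runs the
    # "codex login status" check at the end.
    _exec_or_die(
        target,
        ["chown", "node:node", auth_dir],
        f"codex host credentials: could not chown {auth_dir}",
    )
    _exec_or_die(
        target,
        ["chmod", "700", auth_dir],
        f"codex host credentials: could not chmod {auth_dir}",
    )

    # Remove leftover runtime database and repair-backup files; -maxdepth 1
    # and -type f limit the deletion to regular files directly in auth_dir.
    _exec_or_die(
        target,
        [
            "find", auth_dir,
            "-maxdepth", "1",
            "-type", "f",
            "(",
            "-name", "*.sqlite",
            "-o", "-name", "*.sqlite-*",
            "-o", "-name", "*.codex-repair-*.bak",
            ")",
            "-delete",
        ],
        "codex host credentials: could not reset runtime db files",
    )

    auth_path = f"{auth_dir}/auth.json"
    # NOTE(review): machine_cp's outcome is not inspected here - confirm it
    # raises or aborts on failure; otherwise the chown below is the first
    # step that notices a missing file.
    _smolvm.machine_cp(str(plan.codex_auth_file), f"{target}:{auth_path}")

    # Fail closed on ownership and mode: previously these two exit codes
    # were ignored, so a failed chmod could leave auth.json with whatever
    # permissions the copy produced and the run would still continue.
    _exec_or_die(
        target,
        ["chown", "node:node", auth_path],
        f"codex host credentials: could not chown {auth_path}",
    )
    _exec_or_die(
        target,
        ["chmod", "600", auth_path],
        f"codex host credentials: could not chmod {auth_path}",
    )

    # Final acceptance check, run as the unprivileged guest user with the
    # same HOME/CODEX_HOME the marker was provisioned for.
    _exec_or_die(
        target,
        [
            "runuser", "-u", "node", "--",
            "env",
            f"HOME={guest_home}",
            f"CODEX_HOME={auth_dir}",
            "codex", "login", "status",
        ],
        "codex host credentials: dummy auth was copied into the "
        "smolmachine, but Codex did not accept it",
    )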