uc-cdis · MaribelleHGomez · Jan 17, 2025
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -1,6 +1,6 @@
 repos:
 -   repo: [email protected]:Yelp/detect-secrets
-    rev: v1.4.0
+    rev: v1.5.0
     hooks:
     -   id: detect-secrets
         args: ['--baseline', '.secrets.baseline']
@@ -13,6 +13,6 @@ repos:
     -   id: no-commit-to-branch
         args: [--branch, develop, --branch, master, --pattern, release/.*]
 -   repo: https://github.com/psf/black
-    rev: 22.3.0
+    rev: 22.6.0
     hooks:
     -   id: black
diff --git a/.secrets.baseline b/.secrets.baseline
@@ -0,0 +1,159 @@
+{
+  "version": "1.5.0",
+  "plugins_used": [
+    {
+      "name": "ArtifactoryDetector"
+    },
+    {
+      "name": "AWSKeyDetector"
+    },
+    {
+      "name": "AzureStorageKeyDetector"
+    },
+    {
+      "name": "Base64HighEntropyString",
+      "limit": 4.5
+    },
+    {
+      "name": "BasicAuthDetector"
+    },
+    {
+      "name": "CloudantDetector"
+    },
+    {
+      "name": "DiscordBotTokenDetector"
+    },
+    {
+      "name": "GitHubTokenDetector"
+    },
+    {
+      "name": "GitLabTokenDetector"
+    },
+    {
+      "name": "HexHighEntropyString",
+      "limit": 3.0
+    },
+    {
+      "name": "IbmCloudIamDetector"
+    },
+    {
+      "name": "IbmCosHmacDetector"
+    },
+    {
+      "name": "IPPublicDetector"
+    },
+    {
+      "name": "JwtTokenDetector"
+    },
+    {
+      "name": "KeywordDetector",
+      "keyword_exclude": ""
+    },
+    {
+      "name": "MailchimpDetector"
+    },
+    {
+      "name": "NpmDetector"
+    },
+    {
+      "name": "OpenAIDetector"
+    },
+    {
+      "name": "PrivateKeyDetector"
+    },
+    {
+      "name": "PypiTokenDetector"
+    },
+    {
+      "name": "SendGridDetector"
+    },
+    {
+      "name": "SlackDetector"
+    },
+    {
+      "name": "SoftlayerDetector"
+    },
+    {
+      "name": "SquareOAuthDetector"
+    },
+    {
+      "name": "StripeDetector"
+    },
+    {
+      "name": "TelegramBotTokenDetector"
+    },
+    {
+      "name": "TwilioKeyDetector"
+    }
+  ],
+  "filters_used": [
+    {
+      "path": "detect_secrets.filters.allowlist.is_line_allowlisted"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_baseline_file",
+      "filename": ".secrets.baseline"
+    },
+    {
+      "path": "detect_secrets.filters.common.is_ignored_due_to_verification_policies",
+      "min_level": 2
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_indirect_reference"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_likely_id_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_lock_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_not_alphanumeric_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_potential_uuid"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_prefixed_with_dollar_sign"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_sequential_string"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_swagger_file"
+    },
+    {
+      "path": "detect_secrets.filters.heuristic.is_templated_secret"
+    }
+  ],
+  "results": {
+    ".github/workflows/ci.yml": [
+      {
+        "type": "Secret Keyword",
+        "filename": ".github/workflows/ci.yml",
+        "hashed_secret": "3e26d6750975d678acb8fa35a0f69237881576b0",
+        "is_verified": false,
+        "line_number": 17
+      }
+    ],
+    "tests/.env": [
+      {
+        "type": "Secret Keyword",
+        "filename": "tests/.env",
+        "hashed_secret": "6ffd8b80f2a76ca670ae33ab196f7936d59fb43b",
+        "is_verified": false,
+        "line_number": 8
+      }
+    ],
+    "tests/tsvs/bdc/bdc_2.tsv": [
+      {
+        "type": "Hex High Entropy String",
+        "filename": "tests/tsvs/bdc/bdc_2.tsv",
+        "hashed_secret": "b6bb1128fca99567fb54d64d76630a9223f4c394",
+        "is_verified": false,
+        "line_number": 2
+      }
+    ]
+  },
+  "generated_at": "2025-01-17T16:26:37Z"
+}
diff --git a/Dockerfile b/Dockerfile
@@ -1,55 +1,71 @@
-FROM quay.io/cdis/amazonlinux:python3.9-master as build-deps
+ARG AZLINUX_BASE_VERSION=master
 
-USER root
+# Base stage with python-build-base
+FROM quay.io/cdis/python-nginx-al:${AZLINUX_BASE_VERSION} AS base
 
 ENV appname=gen3discoveryai
 
-RUN pip3 install --no-cache-dir --upgrade poetry
+WORKDIR /$appname
 
-RUN yum update -y && yum install -y --setopt install_weak_deps=0 \
-    kernel-devel libffi-devel libxml2-devel libxslt-devel postgresql-devel python3-devel \
-    git && yum clean all
+RUN chown -R gen3:gen3 /${appname}
 
-WORKDIR /$appname
+# Builder stage
+FROM base AS builder
 
-# copy ONLY poetry artifact, install the dependencies but not gen3discoveryai
-# this will make sure that the dependencies are cached
-COPY poetry.lock pyproject.toml /$appname/
-COPY ./docs/openapi.yaml /$appname/docs/openapi.yaml
-RUN poetry config virtualenvs.in-project true \
-    && poetry install -vv --no-root --only main --no-interaction \
-    && poetry show -v
+USER gen3
 
-# copy source code ONLY after installing dependencies
-COPY . /$appname
+COPY poetry.lock pyproject.toml /${appname}/
 
-# install gen3discoveryai
-RUN poetry config virtualenvs.in-project true \
-    && poetry install -vv --only main --no-interaction \
-    && poetry show -v
+RUN poetry lock -vv --no-update \
+    && poetry install -vv --only main --no-interaction
 
-#Creating the runtime image
-FROM quay.io/cdis/amazonlinux:python3.9-master
+COPY --chown=gen3:gen3 . /$appname
+# COPY --chown=gen3:gen3 ./deployment/wsgi/wsgi.py /$appname/wsgi.py
 
-ENV appname=gen3discoveryai
+# RUN yum update -y && yum install -y --setopt install_weak_deps=0 \
+#     kernel-devel libffi-devel libxml2-devel libxslt-devel postgresql-devel python3-devel \
+#     git && yum clean all
 
-USER root
 
-EXPOSE 80
+# Run poetry again so this app itself gets installed too
+RUN poetry lock -vv --no-update \
+    && poetry install -vv --only main --no-interaction
 
-RUN pip3 install --no-cache-dir --upgrade poetry
+RUN git config --global --add safe.directory /${appname} && COMMIT=`git rev-parse HEAD` && echo "COMMIT=\"${COMMIT}\"" > /$appname/version_data.py \
+    && VERSION=`git describe --always --tags` && echo "VERSION=\"${VERSION}\"" >> /$appname/version_data.py
 
-RUN yum update -y && yum install -y --setopt install_weak_deps=0 \
-    postgresql-devel shadow-utils\
-    bash && yum clean all
+# Final stage
+FROM base
 
-RUN useradd -ms /bin/bash appuser
+COPY --from=builder /${appname} /${appname}
 
-COPY --from=build-deps --chown=appuser:appuser /$appname /$appname
+# Switch to non-root user 'gen3' for the serving process
+USER gen3
 
-WORKDIR /$appname
+WORKDIR /${appname}
+
+# #Creating the runtime image
+# FROM quay.io/cdis/amazonlinux:python3.9-master
+
+# ENV appname=gen3discoveryai
+
+# USER root
+
+# EXPOSE 80
+
+# RUN pip3 install --no-cache-dir --upgrade poetry
+
+# RUN yum update -y && yum install -y --setopt install_weak_deps=0 \
+#     postgresql-devel shadow-utils\
+#     bash && yum clean all
+
+# RUN useradd -ms /bin/bash appuser
+
+# COPY --from=build-deps --chown=appuser:appuser /${appname} /${appname}
+
+# WORKDIR /${appname}
 
-USER appuser
+# USER appuser
 
 # Cache the necessary tiktoken encoding file
 RUN poetry run python -c "from langchain.text_splitter import TokenTextSplitter; TokenTextSplitter.from_tiktoken_encoder(chunk_size=100, chunk_overlap=0)"