refactor: run container as non-root and minimize copies

LeslieLeung · Jan 11, 2024 · 983e545 · 983e545
1 parent c9899fb
commit 983e545
Show file tree

Hide file tree

Showing 5 changed files with 84 additions and 74 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -1,8 +1,18 @@
 FROM python:3.11.6-slim
 WORKDIR /app
+
+RUN adduser --disabled-password --gecos '' appuser
+
 RUN pip install poetry && poetry config virtualenvs.create false
 
+ENV PORT=9000
+
+# dependencies
 COPY pyproject.toml poetry.lock ./
 RUN poetry install --no-dev
-COPY . .
-CMD ["python", "-m", "uvicorn", "main:app", "--host", "0.0.0.0", "--port", "9000"]
+
+USER appuser
+COPY heimdallr ./heimdallr
+COPY env.py main.py ./
+
+CMD python -m uvicorn main:app --host 0.0.0.0 --port $PORT
diff --git a/heimdallr/api/api.py b/heimdallr/api/api.py
@@ -1,77 +1,7 @@
 from fastapi import APIRouter
 
-from env import get_env
 from heimdallr.api import push, webhook
-from heimdallr.channel import (
-    Bark,
-    BarkMessage,
-    Chanify,
-    ChanifyMessage,
-    Channel,
-    Email,
-    EmailMessage,
-    Message,
-    PushDeer,
-    PushDeerMessage,
-    Pushover,
-    PushoverMessage,
-    WecomApp,
-    WecomMessage,
-    WecomWebhook,
-)
-from heimdallr.response import Response, success
 
 router = APIRouter()
 router.include_router(push.push_router)
 router.include_router(webhook.webhook_router)
-
-
-def serve(
-    channel: str, title: str = "", body: str = "", key: str = "", jump_url: str = ""
-):
-    env = get_env()
-    if env.key != "" and key != env.key:
-        return {"code": -1, "message": "key not authorized"}
-    channels = channel.split("+")
-    senders = []
-    for chan in channels:
-        message: Message
-        sender: Channel
-        match chan:
-            case "bark":
-                message = BarkMessage(title, body, jump_url)
-                sender = Bark(message)
-            case "wecom-webhook":
-                message = WecomMessage(title, body)
-                sender = WecomWebhook(message)
-            case "wecom-app":
-                message = WecomMessage(title, body)
-                sender = WecomApp(message)
-            case "pushdeer":
-                message = PushDeerMessage(title, body)
-                sender = PushDeer(message)
-            case "pushover":
-                message = PushoverMessage(title, body)
-                sender = Pushover(message)
-            case "chanify":
-                message = ChanifyMessage(title, body)
-                sender = Chanify(message)
-            case "email":
-                message = EmailMessage(title, body)
-                sender = Email(message)
-            case _:
-                return {"code": 2, "message": f"{chan} is not supported"}
-        senders.append(sender)
-
-    errors = {}
-    for sender in senders:
-        rs, msg = sender.send()
-        if not rs:
-            errors[sender.get_name()] = msg
-
-    if len(errors) == 0:
-        return success()
-    err_msg = ""
-    for err in errors.items():
-        err_msg += f"{err[0]} return: {err[1]}."
-    return Response(1, err_msg).render()
diff --git a/heimdallr/api/base.py b/heimdallr/api/base.py
@@ -0,0 +1,70 @@
+from env import get_env
+from heimdallr.channel import (
+    Bark,
+    BarkMessage,
+    Chanify,
+    ChanifyMessage,
+    Channel,
+    Email,
+    EmailMessage,
+    Message,
+    PushDeer,
+    PushDeerMessage,
+    Pushover,
+    PushoverMessage,
+    WecomApp,
+    WecomMessage,
+    WecomWebhook,
+)
+from heimdallr.response import Response, success
+
+
+def serve(
+    channel: str, title: str = "", body: str = "", key: str = "", jump_url: str = ""
+):
+    env = get_env()
+    if env.key != "" and key != env.key:
+        return {"code": -1, "message": "key not authorized"}
+    channels = channel.split("+")
+    senders = []
+    for chan in channels:
+        message: Message
+        sender: Channel
+        match chan:
+            case "bark":
+                message = BarkMessage(title, body, jump_url)
+                sender = Bark(message)
+            case "wecom-webhook":
+                message = WecomMessage(title, body)
+                sender = WecomWebhook(message)
+            case "wecom-app":
+                message = WecomMessage(title, body)
+                sender = WecomApp(message)
+            case "pushdeer":
+                message = PushDeerMessage(title, body)
+                sender = PushDeer(message)
+            case "pushover":
+                message = PushoverMessage(title, body)
+                sender = Pushover(message)
+            case "chanify":
+                message = ChanifyMessage(title, body)
+                sender = Chanify(message)
+            case "email":
+                message = EmailMessage(title, body)
+                sender = Email(message)
+            case _:
+                return {"code": 2, "message": f"{chan} is not supported"}
+        senders.append(sender)
+
+    errors = {}
+    for sender in senders:
+        rs, msg = sender.send()
+        if not rs:
+            errors[sender.get_name()] = msg
+
+    if len(errors) == 0:
+        return success()
+    err_msg = ""
+    for err in errors.items():
+        err_msg += f"{err[0]} return: {err[1]}."
+    return Response(1, err_msg).render()
diff --git a/heimdallr/api/push.py b/heimdallr/api/push.py
@@ -1,7 +1,7 @@
 from fastapi import APIRouter, Form, Request
 from pydantic import BaseModel
 
-from heimdallr.api.api import serve
+from heimdallr.api.base import serve
 from heimdallr.channel import Channel, WecomApp, WecomMessage, WecomWebhook
 from heimdallr.exception import WecomException
 

diff --git a/heimdallr/api/webhook.py b/heimdallr/api/webhook.py
@@ -2,7 +2,7 @@
 
 from fastapi import APIRouter, Request
 
-from heimdallr.api.api import serve
+from heimdallr.api.base import serve
 from heimdallr.webhook.github_star import GithubStarWebhook
 
 webhook_router = APIRouter()