egullickson/motovaultpro
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: add Auth0 WIF token script and update Dockerfile (refs #127)

Browse Source 
- Create fetch-auth0-token.sh for Auth0 M2M -> GCP WIF token exchange
- Add jq to Dockerfile system dependencies
- Ensure script is executable in container image

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Eric Gullickson
2026-02-09 20:51:30 -06:00
parent 4abd7d8d5b
commit 9209739e75
2 changed files with 83 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
ocr/Dockerfile
View File

@@ -1,8 +1,8 @@
# Production Dockerfile for MotoVaultPro OCR Service # Production Dockerfile for MotoVaultPro OCR Service
# Uses mirrored base images from Gitea Package Registry # Uses mirrored base images from Gitea Package Registry
# #
# Primary engine: PaddleOCR PP-OCRv4 (models baked into image) # Primary engine: Google Vision via Auth0 WIF (monthly-capped)
# Cloud fallback: Google Vision (optional, requires API key at runtime) # Fallback engine: PaddleOCR PP-OCRv4 (models baked into image)
# Build argument for registry (defaults to Gitea mirrors, falls back to Docker Hub) # Build argument for registry (defaults to Gitea mirrors, falls back to Docker Hub)
ARG REGISTRY_MIRRORS=git.motovaultpro.com/egullickson/mirrors ARG REGISTRY_MIRRORS=git.motovaultpro.com/egullickson/mirrors
@@ -14,7 +14,8 @@ FROM ${REGISTRY_MIRRORS}/python:3.13-slim
# - libheif1/libheif-dev: HEIF image support (iPhone photos) # - libheif1/libheif-dev: HEIF image support (iPhone photos)
# - libglib2.0-0: GLib shared library (OpenCV dependency) # - libglib2.0-0: GLib shared library (OpenCV dependency)
# - libmagic1: File type detection # - libmagic1: File type detection
# - curl: Health check endpoint # - curl: Health check endpoint + Auth0 token fetch
# - jq: JSON parsing for Auth0 token script
RUN apt-get update && apt-get install -y --no-install-recommends \ RUN apt-get update && apt-get install -y --no-install-recommends \
libgomp1 \ libgomp1 \
libheif1 \ libheif1 \
@@ -22,6 +23,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
libglib2.0-0 \ libglib2.0-0 \
libmagic1 \ libmagic1 \
curl \ curl \
jq \
&& rm -rf /var/lib/apt/lists/* && rm -rf /var/lib/apt/lists/*
# Python dependencies # Python dependencies
@@ -42,5 +44,8 @@ RUN python -c "from paddleocr import PaddleOCR; PaddleOCR(ocr_version='PP-OCRv4'
COPY . . COPY . .
# Ensure Auth0 WIF token script is executable
RUN chmod +x /app/scripts/fetch-auth0-token.sh
EXPOSE 8000 EXPOSE 8000
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"] CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]

75
ocr/scripts/fetch-auth0-token.sh Executable file
View File

@@ -0,0 +1,75 @@
#!/bin/sh
# fetch-auth0-token.sh -- Auth0 M2M token fetcher for Google WIF
#
# Called by the Google Auth library when using executable-sourced
# credentials (see google-wif-config.json). Reads Auth0 client
# credentials from Docker secrets and returns the JWT in the format
# expected by Google's credential helpers.
#
# Exit codes:
# 0 -- success (JSON with token on stdout)
# 1 -- missing secrets or curl/jq failure
set -e
CLIENT_ID_FILE="/run/secrets/auth0-ocr-client-id"
CLIENT_SECRET_FILE="/run/secrets/auth0-ocr-client-secret"
AUTH0_DOMAIN="motovaultpro.auth0.com"
AUDIENCE="https://iam.googleapis.com/projects/487954699429/locations/global/workloadIdentityPools/motovaultpro-pool/providers/auth0-provider"
# Read credentials from Docker secrets
if [ ! -f "$CLIENT_ID_FILE" ]; then
echo "Error: $CLIENT_ID_FILE not found" >&2
exit 1
fi
if [ ! -f "$CLIENT_SECRET_FILE" ]; then
echo "Error: $CLIENT_SECRET_FILE not found" >&2
exit 1
fi
CLIENT_ID=$(cat "$CLIENT_ID_FILE" | tr -d '[:space:]')
CLIENT_SECRET=$(cat "$CLIENT_SECRET_FILE" | tr -d '[:space:]')
# Request M2M token from Auth0
RESPONSE=$(curl -s --fail-with-body \
--request POST \
--url "https://${AUTH0_DOMAIN}/oauth/token" \
--header 'Content-Type: application/json' \
--data "{
\"client_id\": \"${CLIENT_ID}\",
\"client_secret\": \"${CLIENT_SECRET}\",
\"audience\": \"${AUDIENCE}\",
\"grant_type\": \"client_credentials\"
}")
if [ $? -ne 0 ]; then
echo "Error: Auth0 token request failed" >&2
echo "$RESPONSE" >&2
exit 1
fi
# Extract the access token
TOKEN=$(echo "$RESPONSE" | jq -r '.access_token')
if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
echo "Error: No access_token in Auth0 response" >&2
echo "$RESPONSE" >&2
exit 1
fi
EXPIRY=$(echo "$RESPONSE" | jq -r '.expires_in')
# Calculate expiration timestamp (seconds since epoch)
EXPIRATION_TIME=$(($(date +%s) + ${EXPIRY:-3600}))
# Output in Google executable-sourced credential format
# https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#create_a_credential_configuration
cat <<GCPEOF
{
"version": 1,
"success": true,
"token_type": "urn:ietf:params:oauth:token-type:jwt",
"id_token": "${TOKEN}",
"expiration_time": ${EXPIRATION_TIME}
}
GCPEOF