feat: add Auth0 WIF token script and update Dockerfile (refs #127)
- Create fetch-auth0-token.sh for Auth0 M2M -> GCP WIF token exchange - Add jq to Dockerfile system dependencies - Ensure script is executable in container image Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Eric Gullickson
@@ -1,8 +1,8 @@
|
||||
# Production Dockerfile for MotoVaultPro OCR Service
|
||||
# Uses mirrored base images from Gitea Package Registry
|
||||
#
|
||||
# Primary engine: PaddleOCR PP-OCRv4 (models baked into image)
|
||||
# Cloud fallback: Google Vision (optional, requires API key at runtime)
|
||||
# Primary engine: Google Vision via Auth0 WIF (monthly-capped)
|
||||
# Fallback engine: PaddleOCR PP-OCRv4 (models baked into image)
|
||||
|
||||
# Build argument for registry (defaults to Gitea mirrors, falls back to Docker Hub)
|
||||
ARG REGISTRY_MIRRORS=git.motovaultpro.com/egullickson/mirrors
|
||||
@@ -14,7 +14,8 @@ FROM ${REGISTRY_MIRRORS}/python:3.13-slim
|
||||
# - libheif1/libheif-dev: HEIF image support (iPhone photos)
|
||||
# - libglib2.0-0: GLib shared library (OpenCV dependency)
|
||||
# - libmagic1: File type detection
|
||||
# - curl: Health check endpoint
|
||||
# - curl: Health check endpoint + Auth0 token fetch
|
||||
# - jq: JSON parsing for Auth0 token script
|
||||
RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
libgomp1 \
|
||||
libheif1 \
|
||||
@@ -22,6 +23,7 @@ RUN apt-get update && apt-get install -y --no-install-recommends \
|
||||
libglib2.0-0 \
|
||||
libmagic1 \
|
||||
curl \
|
||||
jq \
|
||||
&& rm -rf /var/lib/apt/lists/*
|
||||
|
||||
# Python dependencies
|
||||
@@ -42,5 +44,8 @@ RUN python -c "from paddleocr import PaddleOCR; PaddleOCR(ocr_version='PP-OCRv4'
|
||||
|
||||
COPY . .
|
||||
|
||||
# Ensure Auth0 WIF token script is executable
|
||||
RUN chmod +x /app/scripts/fetch-auth0-token.sh
|
||||
|
||||
EXPOSE 8000
|
||||
CMD ["uvicorn", "app.main:app", "--host", "0.0.0.0", "--port", "8000"]
|
||||
|
||||
75
ocr/scripts/fetch-auth0-token.sh
Executable file
75
ocr/scripts/fetch-auth0-token.sh
Executable file
@@ -0,0 +1,75 @@
|
||||
#!/bin/sh
|
||||
# fetch-auth0-token.sh -- Auth0 M2M token fetcher for Google WIF
|
||||
#
|
||||
# Called by the Google Auth library when using executable-sourced
|
||||
# credentials (see google-wif-config.json). Reads Auth0 client
|
||||
# credentials from Docker secrets and returns the JWT in the format
|
||||
# expected by Google's credential helpers.
|
||||
#
|
||||
# Exit codes:
|
||||
# 0 -- success (JSON with token on stdout)
|
||||
# 1 -- missing secrets or curl/jq failure
|
||||
|
||||
set -e
|
||||
|
||||
CLIENT_ID_FILE="/run/secrets/auth0-ocr-client-id"
|
||||
CLIENT_SECRET_FILE="/run/secrets/auth0-ocr-client-secret"
|
||||
AUTH0_DOMAIN="motovaultpro.auth0.com"
|
||||
AUDIENCE="https://iam.googleapis.com/projects/487954699429/locations/global/workloadIdentityPools/motovaultpro-pool/providers/auth0-provider"
|
||||
|
||||
# Read credentials from Docker secrets
|
||||
if [ ! -f "$CLIENT_ID_FILE" ]; then
|
||||
echo "Error: $CLIENT_ID_FILE not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
if [ ! -f "$CLIENT_SECRET_FILE" ]; then
|
||||
echo "Error: $CLIENT_SECRET_FILE not found" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
CLIENT_ID=$(cat "$CLIENT_ID_FILE" | tr -d '[:space:]')
|
||||
CLIENT_SECRET=$(cat "$CLIENT_SECRET_FILE" | tr -d '[:space:]')
|
||||
|
||||
# Request M2M token from Auth0
|
||||
RESPONSE=$(curl -s --fail-with-body \
|
||||
--request POST \
|
||||
--url "https://${AUTH0_DOMAIN}/oauth/token" \
|
||||
--header 'Content-Type: application/json' \
|
||||
--data "{
|
||||
\"client_id\": \"${CLIENT_ID}\",
|
||||
\"client_secret\": \"${CLIENT_SECRET}\",
|
||||
\"audience\": \"${AUDIENCE}\",
|
||||
\"grant_type\": \"client_credentials\"
|
||||
}")
|
||||
|
||||
if [ $? -ne 0 ]; then
|
||||
echo "Error: Auth0 token request failed" >&2
|
||||
echo "$RESPONSE" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
# Extract the access token
|
||||
TOKEN=$(echo "$RESPONSE" | jq -r '.access_token')
|
||||
|
||||
if [ -z "$TOKEN" ] || [ "$TOKEN" = "null" ]; then
|
||||
echo "Error: No access_token in Auth0 response" >&2
|
||||
echo "$RESPONSE" >&2
|
||||
exit 1
|
||||
fi
|
||||
|
||||
EXPIRY=$(echo "$RESPONSE" | jq -r '.expires_in')
|
||||
|
||||
# Calculate expiration timestamp (seconds since epoch)
|
||||
EXPIRATION_TIME=$(($(date +%s) + ${EXPIRY:-3600}))
|
||||
|
||||
# Output in Google executable-sourced credential format
|
||||
# https://cloud.google.com/iam/docs/workload-identity-federation-with-other-providers#create_a_credential_configuration
|
||||
cat <<GCPEOF
|
||||
{
|
||||
"version": 1,
|
||||
"success": true,
|
||||
"token_type": "urn:ietf:params:oauth:token-type:jwt",
|
||||
"id_token": "${TOKEN}",
|
||||
"expiration_time": ${EXPIRATION_TIME}
|
||||
}
|
||||
GCPEOF
|
||||
Reference in New Issue
Block a user