Update toolchain to uv; add more linting

.gitignore

@@ -9,4 +9,5 @@ __pycache__/
 # shell utility, run sporadically and 2) committing a lockfile means keeping it
 # up to date every time there is a security issue. In this case, we're going to
 # assume "follow latest" for each use/installation.
-Pipfile.lock
+uv.lock
+requirements.txt

.mega-linter.yml

@@ -5,10 +5,9 @@ DISABLE_LINTERS:
   # A self-contained maintaince page is not expected to conform to best
   # practices for web site.
   - HTML_DJLINT
-  # Pylint doesn't handle our Pipenv dependencies, and is redundant with ruff.
+  # Pylint errors on missing dependencies, and is redundant with ruff.
   - PYTHON_PYLINT
-  # Pyright doesn't handle our pipenv dependencies, plus we aren't using
-  # static typing.
+  # Pyright errors on missing dependencies.
   - PYTHON_PYRIGHT
   # Disable dependency security scanning.
   - REPOSITORY_GRYPE

.python-version

@@ -0,0 +1 @@
+3.12

Makefile

@@ -3,22 +3,30 @@
 
 .PHONY: all clean test
 
+all:
+	@echo 'no default: supported targets are "requirements.txt", ".venv", "clean" and "sync"' >&2
 all: requirements.txt
 
 clean:
-	rm -Rf __pycache__ .ruff_cache megalinter-reports
+	rm -Rf requirements.txt __pycache__ .venv .ruff_cache megalinter-reports
 
 lint:
+	docker pull oxsecurity/megalinter-python:v7
 	docker run --rm --platform linux/amd64 -v '$(CURDIR):/tmp/lint:rw' oxsecurity/megalinter-python:v7
 
 test:
-	@echo "No tests to run ... would you like to 'make lint'?"
+	@echo "No tests to run ... would you like to 'make lint'?" >&2
 
-requirements.txt: Pipfile.lock .license-header
+requirements.txt: requirements.in
 	cat .license-header > requirements.txt
-	# Because we are avoiding pinning dep versions, we also prune them from the
-	# generated requirements.txt file.
-	pipenv requirements --exclude-markers | sed 's/=.*$$//' >> requirements.txt
+	uv pip compile requirements.in >> requirements.txt
 
-Pipfile.lock: Pipfile
-	pipenv lock
+.venv:
+	uv venv .venv
+
+sync: .venv requirements.txt
+	uv pip sync requirements.txt
+
+fmt:
+	uv tool -q run black *.py
+	uv tool -q run isort *.py

README.md

@@ -1,4 +1,4 @@
-# CDN Maintenance Toggle script
+# CDN maintenance toggle script
 
 This script disables/enables CDN services operating on AWS Cloudfront by
 setting them into maintenance mode, implemented as a Cloudfront edge function
@@ -14,31 +14,33 @@ Features include:
 
 For more details, run the script with the `--help` option.
 
-## Setup & Usage for Linux Foundation / LFX sites
+## Setup & usage for Linux Foundation / LFX sites
 
-Recommend installation is via a pipenv-managed virtualenv, and pyenv to install
-the supported Python release if your system doesn't have Python 3.11.
+Recommend installation is via a `uv` virtualenv, and `pyenv` to install the
+supported Python release.
 
-Be sure to set `AWS_PROFILE` with MFA and/or SSO authentication helpers before
-running the script.
+The script relies on the environment to provide AWS authentication and
+determine which account to connect to. Export the `AWS_PROFILE` environment
+variable, or run the script with `aws-vault`, depending on your setup.
 
 ```bash
-pyenv install 3.11
-pipenv install
-pipenv shell
+pyenv install 3.12 # or: brew install [email protected]; brew pyenv-sync
+make sync # requires `uv` to be installed
+source .venv/bin/activate
 ./cdn_maintenance_toggle.py --template lfx-maintenance.html -v --disable-sites "*.platform.linuxfoundation.org" "*.lfx.dev"
 ./cdn_maintenance_toggle.py -v --enable-sites "*.platform.linuxfoundation.org" "*.lfx.dev"
 ./cdn_maintenance_toggle.py --cleanup
+deactivate
 ```
 
 Alternativelly, you can install the required Python packages system-wide or to
-the current user. This tool has been developed against Python 3.11 and may not
+the current user. This tool has been developed against Python 3.12 and may not
 work on other versions.
 
 ```bash
-pip3.11 install --user boto3 trieregex
+pip install --user boto3 trieregex
 # Optional: to set AWS_PROFILE or other parameters via .env:
-# pip3.11 install --user python-dotenv
+# pip install --user python-dotenv
 ./cdn_maintenance_toggle.py --template lfx-maintenance.html -v --disable-sites "*.platform.linuxfoundation.org" "*.lfx.dev"
 ./cdn_maintenance_toggle.py -v --enable-sites "*.platform.linuxfoundation.org" "*.lfx.dev"
 ./cdn_maintenance_toggle.py --cleanup

cdn_maintenance_toggle.py

@@ -3,7 +3,8 @@
 # Copyright The Linux Foundation and each contributor to LFX.
 # SPDX-License-Identifier: MIT
 
-"""
+"""Set or clear maintenance notices on CloudFlare CDNs.
+
 This script disables/enables CDN services operating on AWS Cloudfront by
 setting them into maintenance mode, implemented as a Cloudfront edge function
 returning an HTML maintenance page.
@@ -19,7 +20,7 @@
 
 import boto3
 from botocore.exceptions import ClientError
-from trieregex import TrieRegEx as TRE
+from trieregex import TrieRegEx
 
 # Optional support for .env file.
 try:
@@ -74,13 +75,15 @@
   return response;
 }"""
 
+# Maximum size of Cloudfront function after interpolating the template.
+MAX_FUNCTION_SIZE = 20000
 
-def main():
-    """main is the entry point for script invocations."""
 
+def main() -> None:
+    """Implement command-line interface."""
     # Parse arguments from command line.
     parser = argparse.ArgumentParser(
-        description="Set or clear maintenance notices on CloudFlare CDNs for the current AWS_PROFILE."
+        description="Set or clear maintenance notices on CloudFlare CDNs."
     )
     parser.add_argument(
         "--dry-run",
@@ -159,24 +162,28 @@ def main():
         )
 
 
-def enable_sites(patterns, dry_run=False):
+def enable_sites(patterns: list, dry_run: bool = False) -> None:
     """Enable sites matching patterns (clear maintenance page)."""
-
     targets = get_matching_distributions(patterns)
-
     if dry_run is True:
         logging.warning("running in dry-run mode: any logged changes are as-if")
-
     for distribution in targets:
         remove_maintenance_function(distribution, dry_run=dry_run)
 
 
-def disable_sites(patterns, html=None, allowed_ips=tuple(), dry_run=False):
+def disable_sites(
+    patterns: list,
+    html: str | None = None,
+    allowed_ips: list | None = None,
+    dry_run: bool = False,
+) -> None:
     """Disable sites matching patterns (set maintenance page)."""
-
     if html is None:
         # Fallback/default maintenance page HTML.
-        html = "<!DOCTYPE html><html><body><p>This site is down for scheduled maintenance.</p></body></html>"
+        html = (
+            "<!DOCTYPE html>"
+            "<html><body><p>This site is down for scheduled maintenance.</p></body></html>"
+        )
 
     # Find Cloudfront distributions matching the supplied domain patterns.
     targets = get_matching_distributions(patterns)
@@ -188,10 +195,13 @@ def disable_sites(patterns, html=None, allowed_ips=tuple(), dry_run=False):
         # Bypass function creation if there are no matching targets.
         return
 
+    if allowed_ips is None:
+        allowed_ips = []
+
     html_bytes = html.encode("utf8")
 
     # Validate passed IPs and build a trie regex pattern out of them.
-    tre = TRE("127.0.0.1")
+    tre = TrieRegEx("127.0.0.1")
     for ip_text in allowed_ips:
         try:
             # Read IPv4 & IPv6 addresses.
@@ -225,9 +235,8 @@ def disable_sites(patterns, html=None, allowed_ips=tuple(), dry_run=False):
         set_maintenance_function(distribution, function_name, dry_run=dry_run)
 
 
-def cleanup(dry_run=False):
+def cleanup(dry_run: bool = False) -> None:
     """Delete unused maintenance pages."""
-
     if dry_run is True:
         logging.warning("running in dry-run mode: any logged changes are as-if")
 
@@ -258,10 +267,16 @@ def cleanup(dry_run=False):
                 raise error
 
 
-def create_function(function, dry_run=False):
-    """Idempotently create-if-not-exist the provided CloudFront function and return the function name."""
+def create_function(function: str, dry_run: bool = False) -> str:
+    """Create a CloudFront function if it does not exist.
 
-    if len(function) > 20000:
+    The function will be named based on a hash of the function's code. Returns
+    the function name.
+    """
+    if len(function) > MAX_FUNCTION_SIZE:
+        # Check size explicitly, rather than merely catching the corresponding
+        # error, to allow users to catch and work around limits even in dry-run
+        # mode.
         raise ValueError("function is too big, try reducing allowed IPs")
 
     # Hash the function to calculate a unique function name.
@@ -292,7 +307,7 @@ def create_function(function, dry_run=False):
         return function_name
 
     # The function was not found, so it needs to be created and published.
-    logging.info("creating function %s", function_name)
+    logging.info("creating & publishing function %s", function_name)
     if not dry_run:
         config = {
             "Comment": "503 maintenance page created by cdn_maintenance_toggle",
@@ -304,16 +319,13 @@ def create_function(function, dry_run=False):
             FunctionCode=function.encode("utf8"),
         )
 
-    logging.info("publishing function %s", function_name)
-    if not dry_run:
         CLIENT.publish_function(Name=function_name, IfMatch=response["ETag"])
 
     return function_name
 
 
-def remove_maintenance_function(distribution, dry_run=False):
+def remove_maintenance_function(distribution: dict, dry_run: bool = False) -> None:
     """Idempotently remove any maintenance functions from a CloudFront distribution."""
-
     resp = CLIENT.get_distribution_config(Id=distribution["Id"])
     cache_config = resp["DistributionConfig"]["DefaultCacheBehavior"]
 
@@ -356,12 +368,14 @@ def remove_maintenance_function(distribution, dry_run=False):
     CLIENT.update_distribution(Id=distribution["Id"], **resp)
 
 
-def set_maintenance_function(distribution, function_name, dry_run=False):
+def set_maintenance_function(
+    distribution: dict, function_name: str, dry_run: bool = False
+) -> None:
     """Idempotently configure a request type function on a CloudFront distribution.
 
-    The passed function_name must be a published CloudFront function or this function will raise an exception.
+    The passed function_name must be a published CloudFront function or this
+    function will raise an exception.
     """
-
     dist_response = CLIENT.get_distribution_config(Id=distribution["Id"])
     cache_config = dist_response["DistributionConfig"]["DefaultCacheBehavior"]
 
@@ -478,12 +492,10 @@ def set_maintenance_function(distribution, function_name, dry_run=False):
     CLIENT.update_distribution(Id=distribution["Id"], **dist_response)
 
 
-def get_matching_distributions(patterns):
+def get_matching_distributions(patterns: list) -> list:
     """Find Cloudfront distributions matching the supplied domain patterns."""
-
     distributions = []
-
-    args = {}
+    args: dict[str, str] = {}
     while True:
         # Fetch next batch of CloudFront distributions in the current AWS
         # account (global region).
@@ -512,13 +524,9 @@ def get_matching_distributions(patterns):
     return distributions
 
 
-def fnmatch_any(string, patterns):
+def fnmatch_any(string: str, patterns: list) -> bool:
     """Run fnmatch on multiple patterns and return True if any match, otherwise False."""
-
-    for pattern in patterns:
-        if fnmatch(string, pattern):
-            return True
-    return False
+    return any(fnmatch(string, pattern) for pattern in patterns)
 
 
 if __name__ == "__main__":

pyproject.toml

@@ -0,0 +1,18 @@
+# Copyright The Linux Foundation and each contributor to LFX.
+# SPDX-License-Identifier: MIT
+
+[project]
+name = "cdn-maintenance-toggle"
+version = "0.0.1"
+requires-python = ">=3.12"
+
+[tool.isort]
+profile = "black"
+
+[tool.ruff]
+target-version = "py312"
+# For linting only; not intended for `ruff format`.
+line-length = 100
+
+[tool.ruff.lint]
+select = ["E", "F", "UP", "B", "G", "I", "ANN"]

requirements.in

@@ -0,0 +1,4 @@
+boto3
+botocore
+python-dotenv
+trieregex