xactfetch: Suppress asyncio InvalidStateError

There is currently a [bug][0] in the Python Playwright API that causes _asyncio_ to raise an `InvalidStateError` occasionally when the `PlaywrightContextManager` exits. This causes the program to exit with a nonzero return code, even though it actually completed successfully, which will cause the Job to be retried. To avoid this, we can catch and ignore the spurious exception. I've reorganized the code a bit here because we have to wrap the whole `with` block in the `try`/`except`; moving the contents of the block into a function keeps the indentation level from getting out of control. [0]: https://github.com/microsoft/playwright-python/issues/2238
container: Add secretsocket, chase2fa scripts
2024-07-11 21:50:27 -05:00 · 2024-07-11 21:50:27 -05:00 · 2024-07-11 21:50:27 -05:00 · 2024-07-11 21:50:27 -05:00 · 2024-07-11 21:50:27 -05:00 · 2024-07-11 21:50:27 -05:00
6 changed files with 142 additions and 38 deletions
--- a/.containerignore
+++ b/.containerignore
@ -1,5 +1,8 @@
 *
 !.git
+!chase2fa.py
+!entrypoint.sh
 !pinentry-stub.sh
 !pyproject.toml
+!secretsocket.py
 !xactfetch.py
--- a/31
+++ b/31
@ -1,4 +1,4 @@
-FROM registry.fedoraproject.org/fedora-minimal:38 AS build
+FROM git.pyrocufflink.net/containerimages/dch-base AS build

 RUN --mount=type=cache,target=/var/cache \
 	microdnf install -y \
@ -18,11 +18,22 @@ RUN --mount=type=cache,target=/var/cache \
 		python3-wheel \
 	&& :

-COPY . /src
+COPY .git /src/.git
+COPY xactfetch.py pyproject.toml /src

 RUN python3 -m pip wheel -w /wheels /src

-FROM registry.fedoraproject.org/fedora-minimal:38
+
+FROM scratch AS mixin
+
+COPY pinentry-stub.sh /usr/local/bin/pinentry-stub
+COPY secretsocket.py /usr/local/bin/secretsocket
+COPY chase2fa.py /usr/local/bin/chase2fa
+
+COPY entrypoint.sh /entrypoint.sh
+
+
+FROM git.pyrocufflink.net/containerimages/dch-base

 RUN --mount=type=cache,target=/var/cache \
 	microdnf install -y \
@ -47,11 +58,16 @@ RUN --mount=type=cache,target=/var/cache \
 		libXrandr \
 		libXrender \
 		libXtst \
+		libdrm \
 		libxcb \
+		mesa-libgbm \
+		nspr \
+		nss \
 		pango \
 		python3 \
 		python3-pip \
 		tini \
+		xorg-x11-server-Xvfb \
 	&& echo xactfetch:x:2468: >> /etc/group \
 	&& echo xactfetch:*:2468:2468:xactfetch:/var/lib/xactfetch:/sbin/nologin >> /etc/passwd \
 	&& :
@ -61,16 +77,15 @@ ENV PLAYWRIGHT_BROWSERS_PATH=/usr/local/playwright/browsers
 RUN --mount=type=bind,from=build,source=/,target=/build \
 	python3 -m pip install --no-index -f /build/wheels xactfetch \
 	&& cp /build/root/.cargo/bin/rbw* /usr/local/bin/ \
-	&& install /build/src/pinentry-stub.sh /usr/local/bin/pinentry-stub \
-	&& playwright install firefox \
+	&& playwright install chromium \
 	&& :

+COPY --from=mixin / /
+
 VOLUME /var/lib/xactfetch

 WORKDIR /var/lib/xactfetch

 USER 2468:2468

-ENV XDG_CONFIG_HOME=/etc
-
-ENTRYPOINT ["tini", "xactfetch", "--"]
+ENTRYPOINT ["/entrypoint.sh"]
--- a/chase2fa.py
+++ b/chase2fa.py
@ -0,0 +1,19 @@
+#!/usr/bin/env python3
+import re
+
+import httpx
+
+stream = httpx.stream(
+    'GET',
+    'https://ntfy.pyrocufflink.blue/chase2fa/raw',
+    timeout=httpx.Timeout(5, read=None),
+)
+with stream as r:
+    for line in r.iter_lines():
+        line = line.strip()
+        if not line:
+            continue
+        m = re.search(r'\d{4,}', line)
+        if m:
+            print(m.group(0))
+            break
--- a/entrypoint.sh
+++ b/entrypoint.sh
@ -0,0 +1,19 @@
+#!/bin/sh
+
+if [ $$ -eq 1 ]; then
+	exec tini "$0" -- "$@"
+fi
+
+if [ -z "${SECRET_SOCKET_PATH}" ] || [ ! -e "${SECRET_SOCKET_PATH}" ]; then
+	export SECRET_SOCKET_PATH="${SECRET_SOCKET_PATH:-/tmp/.secretsocket}"
+	secretsocket &
+	sspid=$!
+fi
+
+xvfb-run -e /dev/stderr -s '-screen 0 1920x1080x24 -nolisten unix' xactfetch "$@"
+rc=$?
+
+if [ -n "${sspid}" ]; then
+	kill $sspid
+fi
+exit $rc
--- a/secretsocket.py
+++ b/secretsocket.py
@ -15,7 +15,8 @@ log = logging.getLogger('secretsocket')


 ALLOW_UNKNOWN_PEER = os.environ.get('ALLOW_UNKNOWN_PEER') == '1'
-XDG_RUNTIME_DIR = Path(os.environ['XDG_RUNTIME_DIR'])
+SECRET_SOCKET_PATH = os.environ.get('SECRET_SOCKET_PATH')
+XDG_RUNTIME_DIR = os.environ.get('XDG_RUNTIME_DIR')


 class Secret:
@ -176,7 +177,12 @@ def shutdown(signum, server):

 async def main():
    logging.basicConfig(level=logging.DEBUG)
-    sock_path = XDG_RUNTIME_DIR / 'secretsocket/.ss'
+    if SECRET_SOCKET_PATH:
+        sock_path = Path(SECRET_SOCKET_PATH)
+    elif XDG_RUNTIME_DIR:
+        sock_path = Path(XDG_RUNTIME_DIR) / 'secretsocket/.ss'
+    else:
+        sock_path = Path('/tmp/.secretsocket')

    if not sock_path.parent.exists():
        sock_path.parent.mkdir()
--- a/xactfetch.py
+++ b/xactfetch.py
@ -13,7 +13,7 @@ from types import TracebackType
 from typing import Any, Optional, Type

 import httpx
-from playwright.async_api import Page
+from playwright.async_api import Playwright, Page
 from playwright.async_api import async_playwright


@ -551,11 +551,8 @@ class Chase:
            with self.saved_cookies.open(encoding='utf-8') as f:
                cookies = await asyncio.to_thread(json.load, f)
                await self.page.context.add_cookies(cookies)
-        except:
-            log.warning(
-                'Could not load saved cookies, '
-                'SMS verification will be required!'
-            )
+        except Exception as e:
+            log.debug('Failed to load saved cookies: %s', e)
        else:
            log.info('Successfully loaded saved cookies')

@ -587,9 +584,39 @@ class Chase:
        await logonbox.get_by_role('button', name='Sign in').click()
        log.debug('Waiting for page load')
        await self.page.wait_for_load_state()
-        await self.page.get_by_role('button', name='Pay Card').wait_for(
-            timeout=120000
+        logonframe = self.page.frame_locator('iframe[title="logon"]')
+        t_2fa = asyncio.create_task(
+            logonframe.get_by_role(
+                'heading', name="We don't recognize this device"
+            ).wait_for()
        )
+        t_finished = asyncio.create_task(
+            self.page.get_by_role('button', name='Pay Card').wait_for()
+        )
+        done, pending = await asyncio.wait(
+            (t_2fa, t_finished),
+            return_when=asyncio.FIRST_COMPLETED,
+        )
+        for t in pending:
+            t.cancel()
+        for t in done:
+            await t
+        if t_2fa in done:
+            log.warning('Device verification (SMS 2-factor auth) required')
+            await logonframe.get_by_label('Tell us how: Choose one').click()
+            await logonframe.locator(
+                '#container-1-simplerAuth-dropdownoptions-styledselect'
+            ).click()
+            otp_task = asyncio.create_task(self.get_secret('bank.chase.otp'))
+            await logonframe.get_by_role('button', name='Next').click()
+            log.info('Waiting for SMS verification code')
+            otp = await otp_task
+            log.debug('Filling verification code form')
+            await logonframe.get_by_label('One-time code').fill(otp)
+            await logonframe.get_by_label('Password').fill(password)
+            await logonframe.get_by_role('button', name='Next').click()
+            await self.page.wait_for_load_state()
+            await self.page.get_by_role('button', name='Pay Card').wait_for()
        log.info('Successfully logged in to Chase')
        self._logged_in = True

@ -675,10 +702,7 @@ class Chase:
        return secret.decode()


-async def amain() -> None:
-    logging.basicConfig(level=logging.DEBUG)
-    secrets = SecretsClient()
-    await secrets.connect()
+async def fetch_transactions(pw: Playwright, secrets: SecretsClient) -> bool:
    log.debug('Getting Firefly III access token')
    token = (await secrets.get_secret('firefly.token')).decode()
    import_secret = (
@ -693,22 +717,40 @@ async def amain() -> None:
    )
    end_date = datetime.date.today() - datetime.timedelta(days=1)
    failed = False
-    async with async_playwright() as pw, secrets:
-        headless = os.environ.get('DEBUG_HEADLESS_BROWSER', '1') == '1'
-        browser = await pw.firefox.launch(headless=headless)
-        page = await browser.new_page()
-        banks = sys.argv[1:] or list(ACCOUNTS.keys())
-        if 'commerce' in banks:
-            if not await download_commerce(
-                page, secrets, end_date, token, importer
-            ):
-                failed = True
-        if 'chase' in banks:
-            if not await download_chase(
-                page, secrets, end_date, token, importer
-            ):
-                failed = True
-    raise SystemExit(1 if failed else 0)
+    browser = await pw.chromium.launch(headless=False)
+    context = await browser.new_context()
+    await context.tracing.start(screenshots=True, snapshots=True)
+    page = await context.new_page()
+    banks = sys.argv[1:] or list(ACCOUNTS.keys())
+    if 'commerce' in banks:
+        if not await download_commerce(
+            page, secrets, end_date, token, importer
+        ):
+            failed = True
+    if 'chase' in banks:
+        if not await download_chase(page, secrets, end_date, token, importer):
+            failed = True
+    if failed:
+        await context.tracing.stop(path='trace.zip')
+        with open('trace.zip', 'rb') as f:
+            await ntfy(
+                'Downloading one or more transaction lists failed.',
+                attach=f.read(),
+                filename='trace.zip',
+            )
+    return failed
+
+
+async def amain() -> None:
+    logging.basicConfig(level=logging.DEBUG)
+
+    async with SecretsClient() as secrets:
+        try:
+            async with async_playwright() as pw:
+                failed = await fetch_transactions(pw, secrets)
+            raise SystemExit(1 if failed else 0)
+        except asyncio.exceptions.InvalidStateError:
+            log.debug('Ignoring exception: %s', exc_info=sys.exc_info())


 def main():
Author	SHA1	Message	Date
Dustin	48708af68e	xactfetch: Suppress asyncio InvalidStateError dustin/xactfetch/pipeline/head This commit looks good Details There is currently a [bug][0] in the Python Playwright API that causes _asyncio_ to raise an `InvalidStateError` occasionally when the `PlaywrightContextManager` exits. This causes the program to exit with a nonzero return code, even though it actually completed successfully, which will cause the Job to be retried. To avoid this, we can catch and ignore the spurious exception. I've reorganized the code a bit here because we have to wrap the whole `with` block in the `try`/`except`; moving the contents of the block into a function keeps the indentation level from getting out of control. [0]: https://github.com/microsoft/playwright-python/issues/2238	2024-07-11 21:50:27 -05:00
Dustin	3ff18d1042	container: Add secretsocket, chase2fa scripts While the original intent of the `secretsocket` script was to have `rbw` run outside the `xactfetch` container, that is only useful during development; both processes need to run in the container in Kubernetes.	2024-07-11 21:50:27 -05:00
Dustin	0f9b3a5ac5	secretsocket: Respect SECRET_SOCKET_PATH The `secretsocket` server will now create its IPC soket at the location specified by the `SECRET_SOCKET_PATH` environment variable, if set. This way, both `secretsocket` and `xactfetch` can be pointed to the same location with this single variable.	2024-07-11 21:50:27 -05:00
Dustin	e4742f1c6e	container: Optimize layer cache usage With the addition of ancillary scripts like `entrypoint.sh`, the `COPY .` instruction in the build stage results in a full rebuild of the final image for every change. To avoid this, we now only copy the files that are actually required to build the wheel. The other scripts are copied later, using an intermediate layer. This avoids needing a `COPY` instruction, and therefore a new layer in the final image, for each script. Hypothetically, we could use `RUN --mount=bind` and copy the files with the `install` command, but bind-mounting the build context doesn't actually work; SELinux prevents the container builder from accessing the source directory directly.	2024-07-11 21:50:27 -05:00
Dustin	76cb7c7958	container: Rebase on dch-base	2024-07-11 21:50:27 -05:00
Dustin	bef7206642	entrypoint: Start secretsocket server if needed If the `SECRET_SOCKET_PATH` environment variable is not set, or refers to a non-existent path, then we assume we need to manage the `secretsocket` server ourselves.	2024-07-11 21:50:27 -05:00
Dustin	28fe49c2b2	xactfetch: Save Playwright trace for failed runs Playwright has a nifty feature called the [Trace Viewer][0], which you can use to observe the state of the page at any given point during the browsing session. This should make troubleshooting failures a lot easier. [0]: https://playwright.dev/python/docs/trace-viewer-intro	2024-07-11 21:48:47 -05:00
Dustin	9f113d6a3f	xactfetch: Switch to headed Chrome Earlier this week, `xactfetch` stopped being able to log in to the Chase website. After logging in, the website just popped up a message that said "It looks like this part of our website isn't working right now," with a hint that I should try a different browser. I suspect they have enhanced their bot detection/scraping resistance, because the error only occurs when `xactfetch` is run from inside a container. It happens every time in that case, but never when I run it on my computer directly. After several hours of messing with this, the only way I was able to get it to work is to use full-blown headed Chromium. Neither headless nor headed Firefox works, nor does headless Chromium. This is a bit cumbersome, but not really a big deal. Headed Chromium works fine in an Xvfb session.	2024-07-11 21:34:11 -05:00
Dustin	8de0d93eb1	xactfetch: chase: Handle SMS 2-factor auth When logging in to the Chase website with a fresh browser profile, or otherwise without any cookies, the user will be required to "validate the device" using a one-time code delivered via SMS. Previously, I handled this by running the `xactfetch` script with a headed browser, manually entering the verification code when the prompt came up. Then, I would copy the `cookies.json` file, now containing a cookie indicating the device had been verified, to the Kubernetes volume, where it would be used by the production pod. Now that `xactfetch` uses asyncio, it is possible for the Chase `login` method to wait for one of multiple conditions: either login succeeds, or SMS 2FA is required. In the case of the latter, we can get the 2FA code from the secret server and enter it into the form to complete the login process. The real magic here is how we're getting the 2FA code from the SMS message. There are two components to this. First, I've installed [SMS to URL Forwarder][0] on my phone. This app does what it says on the tin: it relays SMS messages to an HTTP(S) server. I have configured it to forward messages from the Chase SMS 2FA short code to an _ntfy_ topic. The second component is the `chase2fa` script, which is called by the secret server. This script listens for notifications on the _ntfy_ topic where the SMS messages are forwarded. When a message arrives, it extracts the verification code using a simple regular expression that identifies a several-digit number. With all these pieces in place, the `xactfetch` script is no longer thwarted by the SMS 2FA barrier! [0]: https://github.com/bogkonstantin/android_income_sms_gateway_webhook	2024-07-11 21:21:03 -05:00