dustin
/
xactfetch
1
0
Fork 0
Code Releases Activity

Compare commits

base: dustin:c8111c6e4839e13e7d315a5b770f01597916707b
Branches Tags
dustin:master
...
compare: dustin:48708af68e8e784e659637b5bbc520a7eb0a603f
Branches Tags
dustin:master

9 Commits
c8111c6e48 ... 48708af68e

Author SHA1 Message Date
Dustin 48708af68e xactfetch: Suppress asyncio InvalidStateError
dustin/xactfetch/pipeline/head This commit looks good Details 
There is currently a [bug][0] in the Python Playwright API that causes
_asyncio_ to raise an `InvalidStateError` occasionally when the
`PlaywrightContextManager` exits.  This causes the program to exit
with a nonzero return code, even though it actually completed
successfully, which will cause the Job to be retried.  To avoid this,
we can catch and ignore the spurious exception.

I've reorganized the code a bit here because we have to wrap the whole
`with` block in the `try`/`except`; moving the contents of the block
into a function keeps the indentation level from getting out of control.

[0]: https://github.com/microsoft/playwright-python/issues/2238
 2024-07-11 21:50:27 -05:00
Dustin 3ff18d1042 container: Add secretsocket, chase2fa scripts 
While the original intent of the `secretsocket` script was to have `rbw`
run outside the `xactfetch` container, that is only useful during
development; both processes need to run in the container in Kubernetes.
 2024-07-11 21:50:27 -05:00
Dustin 0f9b3a5ac5 secretsocket: Respect SECRET_SOCKET_PATH 
The `secretsocket` server will now create its IPC soket at the location
specified by the `SECRET_SOCKET_PATH` environment variable, if set.
This way, both `secretsocket` and `xactfetch` can be pointed to the
same location with this single variable.
 2024-07-11 21:50:27 -05:00
Dustin e4742f1c6e container: Optimize layer cache usage 
With the addition of ancillary scripts like `entrypoint.sh`, the `COPY .`
instruction in the build stage results in a full rebuild of the final
image for every change.  To avoid this, we now only copy the files that
are actually required to build the wheel.  The other scripts are copied
later, using an intermediate layer.  This avoids needing a `COPY`
instruction, and therefore a new layer in the final image, for each
script.  Hypothetically, we could use `RUN --mount=bind` and copy the
files with the `install` command, but bind-mounting the build context
doesn't actually work; SELinux prevents the container builder from
accessing the source directory directly.
 2024-07-11 21:50:27 -05:00
Dustin 76cb7c7958 container: Rebase on dch-base 2024-07-11 21:50:27 -05:00
Dustin bef7206642 entrypoint: Start secretsocket server if needed 
If the `SECRET_SOCKET_PATH` environment variable is not set, or refers
to a non-existent path, then we assume we need to manage the
`secretsocket` server ourselves.
 2024-07-11 21:50:27 -05:00
Dustin 28fe49c2b2 xactfetch: Save Playwright trace for failed runs 
Playwright has a nifty feature called the [Trace Viewer][0], which you
can use to observe the state of the page at any given point during the
browsing session.  This should make troubleshooting failures a lot
easier.

[0]: https://playwright.dev/python/docs/trace-viewer-intro
 2024-07-11 21:48:47 -05:00
Dustin 9f113d6a3f xactfetch: Switch to headed Chrome 
Earlier this week, `xactfetch` stopped being able to log in to the Chase
website.  After logging in, the website just popped up a message that
said "It looks like this part of our website isn't working right now,"
with a hint that I should try a different browser.  I suspect they have
enhanced their bot detection/scraping resistance, because the error
only occurs when `xactfetch` is run from inside a container.  It happens
every time in that case, but never when I run it on my computer
directly.

After several hours of messing with this, the only way I was able to
get it to work is to use full-blown headed Chromium.  Neither headless
nor headed Firefox works, nor does headless Chromium.  This is a bit
cumbersome, but not really a big deal.  Headed Chromium works fine in
an Xvfb session.
 2024-07-11 21:34:11 -05:00
Dustin 8de0d93eb1 xactfetch: chase: Handle SMS 2-factor auth 
When logging in to the Chase website with a fresh browser profile, or
otherwise without any cookies, the user will be required to "validate
the device" using a one-time code delivered via SMS.  Previously, I
handled this by running the `xactfetch` script with a headed browser,
manually entering the verification code when the prompt came up.  Then,
I would copy the `cookies.json` file, now containing a cookie indicating
the device had been verified, to the Kubernetes volume, where it would
be used by the production pod.

Now that `xactfetch` uses asyncio, it is possible for the Chase `login`
method to wait for one of multiple conditions: either login succeeds,
or SMS 2FA is required.  In the case of the latter, we can get the
2FA code from the secret server and enter it into the form to complete
the login process.

The real magic here is how we're getting the 2FA code from the SMS
message.  There are two components to this.  First, I've installed [SMS
to URL Forwarder][0] on my phone.  This app does what it says on the
tin: it relays SMS messages to an HTTP(S) server.  I have configured it
to forward messages from the Chase SMS 2FA short code to an _ntfy_
topic.  The second component is the `chase2fa` script, which is called
by the secret server.  This script listens for notifications on the
_ntfy_ topic where the SMS messages are forwarded.  When a message
arrives, it extracts the verification code using a simple regular
expression that identifies a several-digit number.

With all these pieces in place, the `xactfetch` script is no longer
thwarted by the SMS 2FA barrier!

[0]: https://github.com/bogkonstantin/android_income_sms_gateway_webhook
 2024-07-11 21:21:03 -05:00
6 changed files with 142 additions and 38 deletions
Show Stats Expand all files Collapse all files

3
.containerignore
View File

@ -1,5 +1,8 @@
*
!.git
!chase2fa.py
!entrypoint.sh
!pinentry-stub.sh
!pyproject.toml
!secretsocket.py
!xactfetch.py

31
Containerfile
View File

@ -1,4 +1,4 @@
FROM registry.fedoraproject.org/fedora-minimal:38 AS build
FROM git.pyrocufflink.net/containerimages/dch-base AS build
RUN --mount=type=cache,target=/var/cache \
microdnf install -y \
@ -18,11 +18,22 @@ RUN --mount=type=cache,target=/var/cache \
python3-wheel \
&& :
COPY . /src
COPY .git /src/.git
COPY xactfetch.py pyproject.toml /src
RUN python3 -m pip wheel -w /wheels /src
FROM registry.fedoraproject.org/fedora-minimal:38
FROM scratch AS mixin
COPY pinentry-stub.sh /usr/local/bin/pinentry-stub
COPY secretsocket.py /usr/local/bin/secretsocket
COPY chase2fa.py /usr/local/bin/chase2fa
COPY entrypoint.sh /entrypoint.sh
FROM git.pyrocufflink.net/containerimages/dch-base
RUN --mount=type=cache,target=/var/cache \
microdnf install -y \
@ -47,11 +58,16 @@ RUN --mount=type=cache,target=/var/cache \
libXrandr \
libXrender \
libXtst \
libdrm \
libxcb \
mesa-libgbm \
nspr \
nss \
pango \
python3 \
python3-pip \
tini \
xorg-x11-server-Xvfb \
&& echo xactfetch:x:2468: >> /etc/group \
&& echo xactfetch:*:2468:2468:xactfetch:/var/lib/xactfetch:/sbin/nologin >> /etc/passwd \
&& :
@ -61,16 +77,15 @@ ENV PLAYWRIGHT_BROWSERS_PATH=/usr/local/playwright/browsers
RUN --mount=type=bind,from=build,source=/,target=/build \
python3 -m pip install --no-index -f /build/wheels xactfetch \
&& cp /build/root/.cargo/bin/rbw* /usr/local/bin/ \
&& install /build/src/pinentry-stub.sh /usr/local/bin/pinentry-stub \
&& playwright install firefox \
&& playwright install chromium \
&& :
COPY --from=mixin / /
VOLUME /var/lib/xactfetch
WORKDIR /var/lib/xactfetch
USER 2468:2468
ENV XDG_CONFIG_HOME=/etc
ENTRYPOINT ["tini", "xactfetch", "--"]
ENTRYPOINT ["/entrypoint.sh"]

19
chase2fa.py Executable file
View File

@ -0,0 +1,19 @@
#!/usr/bin/env python3
import re
import httpx
stream = httpx.stream(
'GET',
'https://ntfy.pyrocufflink.blue/chase2fa/raw',
timeout=httpx.Timeout(5, read=None),
)
with stream as r:
for line in r.iter_lines():
line = line.strip()
if not line:
continue
m = re.search(r'\d{4,}', line)
if m:
print(m.group(0))
break

19
entrypoint.sh Executable file
View File

@ -0,0 +1,19 @@
#!/bin/sh
if [ $$ -eq 1 ]; then
exec tini "$0" -- "$@"
fi
if [ -z "${SECRET_SOCKET_PATH}" ] || [ ! -e "${SECRET_SOCKET_PATH}" ]; then
export SECRET_SOCKET_PATH="${SECRET_SOCKET_PATH:-/tmp/.secretsocket}"
secretsocket &
sspid=$!
fi
xvfb-run -e /dev/stderr -s '-screen 0 1920x1080x24 -nolisten unix' xactfetch "$@"
rc=$?
if [ -n "${sspid}" ]; then
kill $sspid
fi
exit $rc

10
secretsocket.py Normal file → Executable file
View File

@ -15,7 +15,8 @@ log = logging.getLogger('secretsocket')
ALLOW_UNKNOWN_PEER = os.environ.get('ALLOW_UNKNOWN_PEER') == '1'
XDG_RUNTIME_DIR = Path(os.environ['XDG_RUNTIME_DIR'])
SECRET_SOCKET_PATH = os.environ.get('SECRET_SOCKET_PATH')
XDG_RUNTIME_DIR = os.environ.get('XDG_RUNTIME_DIR')
class Secret:
@ -176,7 +177,12 @@ def shutdown(signum, server):
async def main():
logging.basicConfig(level=logging.DEBUG)
sock_path = XDG_RUNTIME_DIR / 'secretsocket/.ss'
if SECRET_SOCKET_PATH:
sock_path = Path(SECRET_SOCKET_PATH)
elif XDG_RUNTIME_DIR:
sock_path = Path(XDG_RUNTIME_DIR) / 'secretsocket/.ss'
else:
sock_path = Path('/tmp/.secretsocket')
if not sock_path.parent.exists():
sock_path.parent.mkdir()

80
xactfetch.py
View File

@ -13,7 +13,7 @@ from types import TracebackType
from typing import Any, Optional, Type
import httpx
from playwright.async_api import Page
from playwright.async_api import Playwright, Page
from playwright.async_api import async_playwright
@ -551,11 +551,8 @@ class Chase:
with self.saved_cookies.open(encoding='utf-8') as f:
cookies = await asyncio.to_thread(json.load, f)
await self.page.context.add_cookies(cookies)
except:
log.warning(
'Could not load saved cookies, '
'SMS verification will be required!'
)
except Exception as e:
log.debug('Failed to load saved cookies: %s', e)
else:
log.info('Successfully loaded saved cookies')
@ -587,9 +584,39 @@ class Chase:
await logonbox.get_by_role('button', name='Sign in').click()
log.debug('Waiting for page load')
await self.page.wait_for_load_state()
await self.page.get_by_role('button', name='Pay Card').wait_for(
timeout=120000
logonframe = self.page.frame_locator('iframe[title="logon"]')
t_2fa = asyncio.create_task(
logonframe.get_by_role(
'heading', name="We don't recognize this device"
).wait_for()
)
t_finished = asyncio.create_task(
self.page.get_by_role('button', name='Pay Card').wait_for()
)
done, pending = await asyncio.wait(
(t_2fa, t_finished),
return_when=asyncio.FIRST_COMPLETED,
)
for t in pending:
t.cancel()
for t in done:
await t
if t_2fa in done:
log.warning('Device verification (SMS 2-factor auth) required')
await logonframe.get_by_label('Tell us how: Choose one').click()
await logonframe.locator(
'#container-1-simplerAuth-dropdownoptions-styledselect'
).click()
otp_task = asyncio.create_task(self.get_secret('bank.chase.otp'))
await logonframe.get_by_role('button', name='Next').click()
log.info('Waiting for SMS verification code')
otp = await otp_task
log.debug('Filling verification code form')
await logonframe.get_by_label('One-time code').fill(otp)
await logonframe.get_by_label('Password').fill(password)
await logonframe.get_by_role('button', name='Next').click()
await self.page.wait_for_load_state()
await self.page.get_by_role('button', name='Pay Card').wait_for()
log.info('Successfully logged in to Chase')
self._logged_in = True
@ -675,10 +702,7 @@ class Chase:
return secret.decode()
async def amain() -> None:
logging.basicConfig(level=logging.DEBUG)
secrets = SecretsClient()
await secrets.connect()
async def fetch_transactions(pw: Playwright, secrets: SecretsClient) -> bool:
log.debug('Getting Firefly III access token')
token = (await secrets.get_secret('firefly.token')).decode()
import_secret = (
@ -693,10 +717,10 @@ async def amain() -> None:
)
end_date = datetime.date.today() - datetime.timedelta(days=1)
failed = False
async with async_playwright() as pw, secrets:
headless = os.environ.get('DEBUG_HEADLESS_BROWSER', '1') == '1'
browser = await pw.firefox.launch(headless=headless)
page = await browser.new_page()
browser = await pw.chromium.launch(headless=False)
context = await browser.new_context()
await context.tracing.start(screenshots=True, snapshots=True)
page = await context.new_page()
banks = sys.argv[1:] or list(ACCOUNTS.keys())
if 'commerce' in banks:
if not await download_commerce(
@ -704,11 +728,29 @@ async def amain() -> None:
):
failed = True
if 'chase' in banks:
if not await download_chase(
page, secrets, end_date, token, importer
):
if not await download_chase(page, secrets, end_date, token, importer):
failed = True
if failed:
await context.tracing.stop(path='trace.zip')
with open('trace.zip', 'rb') as f:
await ntfy(
'Downloading one or more transaction lists failed.',
attach=f.read(),
filename='trace.zip',
)
return failed
async def amain() -> None:
logging.basicConfig(level=logging.DEBUG)
async with SecretsClient() as secrets:
try:
async with async_playwright() as pw:
failed = await fetch_transactions(pw, secrets)
raise SystemExit(1 if failed else 0)
except asyncio.exceptions.InvalidStateError:
log.debug('Ignoring exception: %s', exc_info=sys.exc_info())
def main():