azaion/loader
1
0
Fork 0
mirror of https://github.com/azaion/loader.git synced 2026-04-22 22:16:32 +00:00
Code Issues Packages Projects Releases Wiki Activity
Files
765d3d32c1177ca2bac0afaf5766cddb1fec1942
loader/_docs/02_document/modules/binary_split.md
T
Oleksandr Bezdieniezhnykh 4eaf218f09 Quality cleanup refactoring 
Made-with: Cursor
2026-04-13 06:21:26 +03:00

67 lines
3.1 KiB
Markdown
Raw Blame History

# Module: binary_split
## Purpose
Handles the encrypted Docker image archive workflow: downloading a key fragment from the API, decrypting an AES-256-CBC encrypted archive, loading it into Docker, and verifying expected images are present.
## Public Interface
### Functions
| Function | Signature | Description |
|------------------------|------------------------------------------------------------------------|----------------------------------------------------------|
| `download_key_fragment`| `(resource_api_url: str, token: str) -> bytes` | GET request to `/binary-split/key-fragment` with Bearer auth |
| `decrypt_archive` | `(encrypted_path: str, key_fragment: bytes, output_path: str) -> None` | AES-256-CBC stream decrypt with SHA-256 derived key; PKCS7 removed in-pipeline via unpadder |
| `docker_load` | `(tar_path: str) -> None` | Runs `docker load -i <tar_path>` subprocess |
| `check_images_loaded` | `(version: str) -> bool` | Checks all `API_SERVICES` images exist for given version tag |
### Module-level Constants
| Name | Value |
|---------------|--------------------------------------------------------------------------------------------|
| API_SERVICES | List of 7 Docker image names: `azaion/annotations`, `azaion/flights`, `azaion/detections`, `azaion/gps-denied-onboard`, `azaion/gps-denied-desktop`, `azaion/autopilot`, `azaion/ai-training` |
## Internal Logic
### `decrypt_archive`
1. Derives AES key: `SHA-256(key_fragment)` → 32-byte key
2. Reads first 16 bytes as IV from encrypted file
3. Streams ciphertext in 64KB chunks through AES-256-CBC decryptor
4. Feeds decrypted chunks through `padding.PKCS7(128).unpadder()`; writes unpadded bytes to the output file (`finalize` on decryptor and unpadder at end)
### `check_images_loaded`
Iterates all 7 service image names, runs `docker image inspect <name>:<version>` for each. Returns `False` on first missing image.
## Dependencies
- **Internal**: none (leaf module)
- **External**: `hashlib`, `subprocess` (stdlib), `requests` (2.32.4), `cryptography` (44.0.2)
## Consumers
- `main``_run_unlock()` calls all four functions; `unlock()` endpoint calls `check_images_loaded()`
## Data Models
None.
## Configuration
No env vars consumed directly. `API_SERVICES` list is hardcoded.
## External Integrations
- **REST API**: GET `{resource_api_url}/binary-split/key-fragment` — downloads encryption key fragment
- **Docker CLI**: `docker load` and `docker image inspect` via subprocess
- **File system**: reads encrypted `.enc` archive, writes decrypted `.tar` archive
## Security
- Key derivation: SHA-256 hash of server-provided key fragment
- Encryption: AES-256-CBC with PKCS7 padding
- The key fragment is ephemeral — downloaded per unlock operation
## Tests
No tests found.
Reference in New Issue View Git Blame Copy Permalink