Enable ruff and pre-commit

.github/workflows/pre-commit.yaml

@@ -0,0 +1,30 @@
+name: "Pre-commit checks"
+
+on:
+  push:
+    branches:
+      - main
+
+  pull_request:
+    branches:
+      - main
+    types:
+      - opened
+      - synchronize
+      - reopened
+
+jobs:
+  pre-commit:
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+
+      - name: Set up Python
+        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
+        with:
+          python-version: "3.12"
+
+      - name: Run pre-commit
+        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1

.pre-commit-config.yaml

@@ -0,0 +1,6 @@
+repos:
+  - repo: https://github.com/astral-sh/ruff-pre-commit
+    rev: v0.15.14
+    hooks:
+      - id: ruff-check
+      - id: ruff-format

Containerfile

@@ -42,4 +42,4 @@ EXPOSE 8080
 
 USER 1001
 
-ENTRYPOINT ["rhos-ls-mcps"]
+ENTRYPOINT ["rhos-ls-mcps", "--ip", "0.0.0.0"]

README.md

@@ -82,7 +82,7 @@ The configuration file has 4 sections:
 - MCP Security
 
 ## General
-- `ip`: IP address the server will bind to. Default `0.0.0.0`.
+- `ip`: IP address the server will bind to. Default `127.0.0.1`.
 - `port`: TCP port the server will bind to. Default `8080`.
 - `debug`: Default `false`.
 - `workers`: Number of different uvicorn workers. Default `1`.

config.yaml.sample

@@ -1,4 +1,4 @@
-ip: 0.0.0.0
+ip: 127.0.0.1
 port: 8901
 debug: true
 workers: 1

pyproject.toml

@@ -18,9 +18,19 @@ requires-python = ">=3.12,<3.13"
 readme = "README.md"
 license = {text = "Apache-2.0"}
 
+[dependency-groups]
+dev = [
+    "cliff>=4.14.0",
+    "ruff>=0.15.14",
+    "pre-commit>=4.6.0"
+]
+
 [build-system]
 requires = ["uv_build>=0.11.16,<0.12"]
 build-backend = "uv_build"
 
 [project.scripts]
 rhos-ls-mcps = "rhos_ls_mcps.main:main"
+
+[tool.ruff.lint]
+extend-select = ["S"]

scripts/allow-deny-list.py

@@ -15,6 +15,7 @@
 The accept commands list is generated using the rhros_ls_mcps package itself,
 where the reject and ignore list of commands come from this script.
 """
+
 from importlib.metadata import entry_points
 
 import sys
@@ -28,43 +29,159 @@
 # - export:
 # - cp:
 REJECT_COMMANDS: set[str] = {
-    "create", "delete", "update", "set", "unset", "remove", "add", "abort",
-    "complete", "revoke", "issue", "cleanup", "migrate", "resize", "cleanup",
-    "shelve", "unshelve", "reboot", "restart", "rebuild", "stop", "restore",
-    "import", "failover", "associate", "revert", "run", "save", "shrink",
-    "reset", "del", "onboard", "commit", "unrescue", "adopt", "on", "off",
-    "forcedown", "detach", "edit", "lock", "unlock", "purge", "rerun",
-    "attach", "resume", "start", "pause", "create-from-file", "request-refresh",
-    "rename", "post", "clear", "move", "manage", "enable", "register", "rescue",
-    "deploy", "unpause", "disable", "benchmark metric create", "abandon",
-    "renew", "ssh", "export", "replace", "alarm create", "alarm update",
-    "alarm quota set", "alarm state set", "recover", "cancel", "unhold", "accept",
-    "pull", "exec", "upgrade", "suspend", "disassociate", "undeploy", "grow",
-    "scale", "execute", "grant", "confirm", "kill", "mark", "eject", "op",
-    "verification", "reprocess", "expand", "evacuate", "signed", "axfr",
-    "unregister", "clean", "download", "authorize", "cp", "submit", "stage",
-    "promote", "configure", "inject", "signal", "release",
-
+    "create",
+    "delete",
+    "update",
+    "set",
+    "unset",
+    "remove",
+    "add",
+    "abort",
+    "complete",
+    "revoke",
+    "issue",
+    "cleanup",
+    "migrate",
+    "resize",
+    "cleanup",
+    "shelve",
+    "unshelve",
+    "reboot",
+    "restart",
+    "rebuild",
+    "stop",
+    "restore",
+    "import",
+    "failover",
+    "associate",
+    "revert",
+    "run",
+    "save",
+    "shrink",
+    "reset",
+    "del",
+    "onboard",
+    "commit",
+    "unrescue",
+    "adopt",
+    "on",
+    "off",
+    "forcedown",
+    "detach",
+    "edit",
+    "lock",
+    "unlock",
+    "purge",
+    "rerun",
+    "attach",
+    "resume",
+    "start",
+    "pause",
+    "create-from-file",
+    "request-refresh",
+    "rename",
+    "post",
+    "clear",
+    "move",
+    "manage",
+    "enable",
+    "register",
+    "rescue",
+    "deploy",
+    "unpause",
+    "disable",
+    "benchmark metric create",
+    "abandon",
+    "renew",
+    "ssh",
+    "export",
+    "replace",
+    "alarm create",
+    "alarm update",
+    "alarm quota set",
+    "alarm state set",
+    "recover",
+    "cancel",
+    "unhold",
+    "accept",
+    "pull",
+    "exec",
+    "upgrade",
+    "suspend",
+    "disassociate",
+    "undeploy",
+    "grow",
+    "scale",
+    "execute",
+    "grant",
+    "confirm",
+    "kill",
+    "mark",
+    "eject",
+    "op",
+    "verification",
+    "reprocess",
+    "expand",
+    "evacuate",
+    "signed",
+    "axfr",
+    "unregister",
+    "clean",
+    "download",
+    "authorize",
+    "cp",
+    "submit",
+    "stage",
+    "promote",
+    "configure",
+    "inject",
+    "signal",
+    "release",
     # These are full names
-    "secret_store",  "baremetal_node_inspect", "baremetal_node_service",
-    "baremetal_node_provide", "aggregate_cache_image", "alarm delete",
-    "cached_image_queue", "baremetal_driver_passthru_call",
-    "baremetal_node_passthru_call", "static-action_call",
-    "metric_benchmark measures add", "metric_measures_batch-metrics",
+    "secret_store",
+    "baremetal_node_inspect",
+    "baremetal_node_service",
+    "baremetal_node_provide",
+    "aggregate_cache_image",
+    "alarm delete",
+    "cached_image_queue",
+    "baremetal_driver_passthru_call",
+    "baremetal_node_passthru_call",
+    "static-action_call",
+    "metric_benchmark measures add",
+    "metric_measures_batch-metrics",
     "metric_measures_batch-resources-metrics",
-
     # This sounds intrusive: https://docs.openstack.org/senlin/rocky/user/nodes.html#checking-a-node
     "cluster_node_check",
 }
 
 # These must be full names with the "_" suffix, and they are not really commands but artifacts
 # from the arg parsing mechanism
 IGNORE_COMMANDS: set[str] = {
-    "database_", "infra_optim_", "load_balancer_", "identity_", "neutronclient_",
-    "rca_", "object_store_", "compute_", "container_", "dns_", "key_manager_",
-    "application_catalog_", "congressclient_", "messaging_", "baremetal_", "image_",
-    "volume_", "network_", "clustering_", "metric_", "baremetal-introspection_",
-    "cluster_profile_type_ops_", "workflow_engine_", "data_processing_",
+    "database_",
+    "infra_optim_",
+    "load_balancer_",
+    "identity_",
+    "neutronclient_",
+    "rca_",
+    "object_store_",
+    "compute_",
+    "container_",
+    "dns_",
+    "key_manager_",
+    "application_catalog_",
+    "congressclient_",
+    "messaging_",
+    "baremetal_",
+    "image_",
+    "volume_",
+    "network_",
+    "clustering_",
+    "metric_",
+    "baremetal-introspection_",
+    "cluster_profile_type_ops_",
+    "workflow_engine_",
+    "data_processing_",
     "orchestration_",
 }
 
@@ -92,13 +209,17 @@ def osp_list_commands(verbs: set[str]) -> tuple[list[str], list[str]]:
 
 def get_openstackclient_version() -> str | None:
     import openstackclient
+
     return openstackclient.__version__
 
+
 def main() -> None:
     accept_commands, non_accept_commands = osc.osp_list_commands(osc.ACCEPT_COMMANDS)
     reject_commands, non_reject_commands = osc.osp_list_commands(REJECT_COMMANDS)
 
-    undefined_commands: list[str] = list(set(non_accept_commands).intersection(non_reject_commands) - IGNORE_COMMANDS)
+    undefined_commands: list[str] = list(
+        set(non_accept_commands).intersection(non_reject_commands) - IGNORE_COMMANDS
+    )
 
     result = {
         "undefined_commands": undefined_commands,
@@ -109,5 +230,6 @@ def main() -> None:
     }
     yaml.dump(result, sys.stdout)
 
+
 if __name__ == "__main__":
     main()

scripts/diff-allow-deny.py

@@ -18,7 +18,9 @@
 UNDEFINED_COMMANDS_MSG = "check ACCEPT_COMMANDS, REJECT_COMMANDS, and IGNORE_COMMANDS"
 
 
-def show_diff(list_name: str, data_1: list[str], data_2: list[str], change_msg: str) -> None:
+def show_diff(
+    list_name: str, data_1: list[str], data_2: list[str], change_msg: str
+) -> None:
     in_list_1_not_in_list_2 = set(data_1[list_name]) - set(data_2[list_name])
     in_list_2_not_in_list_1 = set(data_2[list_name]) - set(data_1[list_name])
 
@@ -37,7 +39,9 @@ def show_diff(list_name: str, data_1: list[str], data_2: list[str], change_msg:
 
 def main() -> None:
     if len(sys.argv) != 3:
-        print("Usage: diff-allow-deny.py <allow-deny-list-1.yaml> <allow-deny-list-2.yaml>")
+        print(
+            "Usage: diff-allow-deny.py <allow-deny-list-1.yaml> <allow-deny-list-2.yaml>"
+        )
         sys.exit(1)
 
     file_name_1 = sys.argv[1]
@@ -48,17 +52,23 @@ def main() -> None:
     with open(file_name_2, "r") as f:
         list_2 = yaml.safe_load(f)
 
-    print("Differences between python-openstackclient version "
-          f"{list_1['python_osc_version']} and version {list_2['python_osc_version']}")
+    print(
+        "Differences between python-openstackclient version "
+        f"{list_1['python_osc_version']} and version {list_2['python_osc_version']}"
+    )
     changes = show_diff("allow_commands", list_1, list_2, RIGHT_GROUP_MSG)
     changes |= show_diff("deny_commands", list_1, list_2, RIGHT_GROUP_MSG)
 
-    undefined_changes = show_diff("undefined_commands", list_1, list_2, UNDEFINED_COMMANDS_MSG)
+    undefined_changes = show_diff(
+        "undefined_commands", list_1, list_2, UNDEFINED_COMMANDS_MSG
+    )
     changes |= undefined_changes
     if not undefined_changes and list_2["undefined_commands"]:
-        print("Undefined commands have not changed, but there are undefined commands, "
-              "so ACCEPT_COMMANDS, REJECT_COMMANDS, and IGNORE_COMMANDS need to be "
-              f"revised to include them: {sorted(list_2['undefined_commands'])}")
+        print(
+            "Undefined commands have not changed, but there are undefined commands, "
+            "so ACCEPT_COMMANDS, REJECT_COMMANDS, and IGNORE_COMMANDS need to be "
+            f"revised to include them: {sorted(list_2['undefined_commands'])}"
+        )
         sys.exit(1)
 
     if not changes: