Personal Blog of Mahesh Chandra Regmi

Is your code really good?

Har Har Mahadev! — Mon, 29 Jul 2024 18:56:51 GMT

When working on a project, I find myself repeatedly asking the question: "Is this the best way to do this?" This is the constant refrain that runs through my mind as I navigate the process of creating abstractions, API contracts, generics, mixins, adapters, and other architectural elements.

Just yesterday, I was working on some Terraform infrastructure code and doing a code review with a senior member of the team. During the review, they posed a simple question that gave me pause:

"Do you understand the difference between 'looks good' and 'is good'?"

At first, I thought this was their way of telling me that my code wasn't good enough. However, after reflecting on it for a while, I began to discern a deeper meaning in their question.

Looks good.

Making a code look good is easy.

module "label" {
  source = "./modules/label"

  tags       = var.tags
  namespace  = var.namespace
  name       = var.name
  stage      = var.stage
  delimiter  = var.delimiter
  attributes = compact(concat(var.attributes, ["cluster"]))
}

module "vpc" {
  source = "./modules/vpc/"

  tags       = local.tags
  namespace  = module.label.namespace
  name       = module.label.name
  stage      = module.label.stage
  cidr_block = var.cidr_block
}

This code may appear neat and visually appealing. Someone who stumbles upon this Terraform code might say it is beautifully written and likely copied from a template provided by a popular Terraform module provider, such as CloudPosse.

However, this does not necessarily mean the code is "good." At least, not on the inside. One could argue that the only thing that truly matters is the exported interface of the module, and the underlying complexity of the implementation may be irrelevant.

While the code may look clean and organized on the surface, the actual quality and maintainability of the codebase depend on factors beyond just its aesthetics. The complexity of the logic, the efficiency of the implementations, the robustness of the error handling, and the overall alignment with the project's requirements are all important considerations that cannot be fully assessed based on the appearances alone.

In software development, it is important to strike a balance between the visual appeal and the underlying quality of the codebase. Code that looks "beautiful" on the outside but is convoluted or difficult to understand on the inside may still pose challenges for long-term maintenance and future enhancements. The true measure of "good" code should encompass both its external presentation and its internal structure and implementation.

locals {

  defaults = {
    label_order = ["namespace", "stage", "environment", "name", "attributes"]
    delimiter   = "-"
    replacement = ""
    # The `sentinel` should match the `regex_replace_chars`, so it will be replaced with the `replacement` value
    sentinel   = "~"
    attributes = [""]
  }

  # The values provided by variables superceed the values inherited from the context

  enabled             = var.enabled
  regex_replace_chars = coalesce(var.regex_replace_chars, var.context.regex_replace_chars)

  name               = lower(replace(coalesce(var.name, var.context.name, local.defaults.sentinel), local.regex_replace_chars, local.defaults.replacement))
  namespace          = lower(replace(coalesce(var.namespace, var.context.namespace, local.defaults.sentinel), local.regex_replace_chars, local.defaults.replacement))
  environment        = lower(replace(coalesce(var.environment, var.context.environment, local.defaults.sentinel), local.regex_replace_chars, local.defaults.replacement))
  stage              = lower(replace(coalesce(var.stage, var.context.stage, local.defaults.sentinel), local.regex_replace_chars, local.defaults.replacement))
  delimiter          = coalesce(var.delimiter, var.context.delimiter, local.defaults.delimiter)
  label_order        = length(var.label_order) > 0 ? var.label_order : (length(var.context.label_order) > 0 ? var.context.label_order : local.defaults.label_order)
  additional_tag_map = merge(var.context.additional_tag_map, var.additional_tag_map)

  # Merge attributes
  attributes = compact(distinct(concat(var.attributes, var.context.attributes, local.defaults.attributes)))

 # code removed for clarity
}

This is what the label module code looks like on the inside. It's a real mess of Terraform code that would be very challenging to maintain. Although I understand the purpose of each function and local variable here, trying to make edits after being away from this codebase for a month would likely require several minutes to reorient myself and figure out the implementation.

But can this code truly be made "good"?

To improve this, we must first focus on simplifying it. Before proceeding, I'd like to reference the "Zen of Python" principle:

Simple is better than complex.
Complex is better than complicated.

The key distinction here is that complexity, while not ideal, can be justified if it is necessary to accomplish a task. Complication, on the other hand, simply means the code is disorderly and difficult to understand without necessity.

In the case of this label module, the current implementation appears to be overly complicated, rather than appropriately complex. To make this code "good," the focus should be on reducing the complication and unnecessary complexity, breaking down the logic into more modular and understandable components.

Complex vs Complicated

Complexity means that something is hard to understand for a reason, because it requires you to study the complexity, and there is no pragmatic way to avoid it. Compilers might be complex for a programmer because they accomplish a complex job. The nature of compilers is inherently hard to understand, so it cannot be reduced to simpler elements.

Complication means something is difficult to understand and disorderly. In other words, it's a mess. Although this is subjective, one could argue that Helm templates are complicated. However, complicated things can be simplified into simpler and more maintainable components using tools like Kustomize or domain-specific languages (DSLs) like Jsonnet.

The key difference is that complexity arises from the inherent nature of a system, while complication is more about the disorder and difficulty in understanding something. Complexity cannot be easily reduced, while complicated things can often be simplified through the use of appropriate tools and techniques.

Is Good

For something to become good, it must possess a good internal mechanisms and external interface. The code must be maintainable.

In the above example: The sheer number of variables and the nested conditional logic can make the code complex and potentially difficult to maintain or extend in the future, especially for larger or more complex software projects.

In summary, while the code "looks good" in terms of its structure, readability, and adherence to coding best practices, the statement "is good" requires a more in-depth evaluation of the code's actual functionality, performance, and overall quality, which cannot be determined solely from the provided code snippet. A comprehensive assessment of the code's suitability, robustness, and alignment with the software's requirements would be necessary to determine whether the code "is good" or not.

From Dumb and Boring YAML to Dumb and Boring YAML; IaC Experience

Har Har Mahadev! — Wed, 10 Jul 2024 16:12:00 GMT

For more than 3 years I've been doing DevOps and involved myself in multiple projects ranging from simple static web applications deployed to some CDNs to multi-tenant systems with event-driven architectures. I've always found some ways to make my boring job fun. Sometimes, I experiment with new DevOps tools other times I try to write automation over some repetitive tasks. One of the major thing that is in every DevOps toolbox in IaC (Infrastructure as a Code) tool.

The experience I've shared in this article is personal and might not be the same for you. Hey, remember as long as it works for you, don't complain.

Infrastructure-as-a-Code

Remember the last time you tried to spin up a virtual machine in some cloud? Think, there are multiple virtual machines involved each having different configurations. How do you make this process repeatable, observable, managed, and testable? This is where IaC tools come in. IaC tools let you to define your infrastructure in code declaratively and have some sort of tooling to apply, preview, and destroy the changes in your cloud. There are multiple tools and technologies involved to define and manage your IaC code. Terraform is a popular example.

Infrastructure as code (IaC) is the ability to provision and support your computing infrastructure using code instead of manual processes and settings. Any application environment requires many infrastructure components like operating systems, database connections, and storage. Developers have to regularly set up, update, and maintain the infrastructure to develop, test, and deploy applications.

- Amazon Web Services (AWS)

Square 1: AWS Cloudformation

In the beginning, I started with AWS Cloudformation. So, AWS Cloudformation is the IaC tool that lets you define your infrastructure in YAML / JSON code and deploy it in AWS.

AWS CloudFormation is a service that helps you model and set up your AWS resources so that you can spend less time managing those resources and more time focusing on your applications that run in AWS. You create a template that describes all the AWS resources that you want (like Amazon EC2 instances or Amazon RDS DB instances), and CloudFormation takes care of provisioning and configuring those resources for you. You don't need to individually create and configure AWS resources and figure out what's dependent on what; CloudFormation handles that. The following scenarios demonstrate how CloudFormation can help.

- Amazon Web Services (AWS)

Cloudformation template looks like this when written in YAML.

AWSTemplateFormatVersion: '2010-09-09'
Description: Create an S3 Bucket

Resources:
  S3Bucket:
    Type: AWS::S3::Bucket
    Properties:
      BucketName: my-example-s3-bucket
      PublicAccessBlockConfiguration:
        BlockPublicAcls: true
        BlockPublicPolicy: true
        IgnorePublicAcls: true
        RestrictPublicBuckets: true

Outputs:
  BucketName:
    Description: Name of the S3 bucket
    Value: !Ref S3Bucket

The first project I worked on was a legacy AWS Cloudformation project. It was a relatively simple 3-tier application with some ETL processing involved. The codebase was a single 3000+ LOC YAML document. Changing it felt tough and cumbersome. I think these are the major reasons why I felt it was so lacking.

I didn't use cfn-lint at that time and making sure the YAML change is valid required deploying it. There were a lot of repetitive patterns in the code which I thought should be composable. The configuration was too static and it felt too boring. Although some variables and stuff were involved I didn't like the static nature of the YAML file. Like not being able to calculate CIDR ranges, string manipulations etc.

Square 2: Terraform

Then, I heard of HashiCorp Terraform. Terraform is written in a language called HCL (Hashicorp Configuration Language). HCL is a DSL created by Hashicorp, the creator company of Terraform. Terraform felt great. It felt like I was programming the infrastructure at the time. And hearing all the great benefits like I can deploy AWS, Azure or any other resources with the same codebase felt like a clear winner to me.

This is how the above code looks like in terraform.

provider "aws" {
  region = "us-west-2"
}

resource "aws_s3_bucket" "example" {
  bucket = "my-example-s3-bucket"
  acl    = "private"

  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

output "bucket_name" {
  description = "Name of the S3 bucket"
  value       = aws_s3_bucket.example.id
}

The language is great. You can manipulate strings using a wide variety of functions, there are multiple providers and the plugin system is really extensible. You can write a clean and neat IaC with it. This really overcome the challenges I felt previously.

The tooling is extremely good. For example: there are LSPs which can help you in writing the code. There are many sane functions provided by the terraform itself. It feels like programming to some sense. The modules system is a great abstraction mechanism. I can create a module called static-website and provision all CDNs, Storage Buckets there and reuse that module in multiple places. The configuration is dynamic now to some extent.

Terraform started providing me the correct amount of abstraction, until it didn't. I started abusing the programmability nature of the terraform to start making everything dynamic. I wanted to write the master terraform code which I can plug into any project and just change some variables and have it work.

This is a code snippet of the label module from my template repository for terraform codebases.

 name               = lower(replace(coalesce(var.name, var.context.name, local.defaults.sentinel), local.regex_replace_chars, local.defaults.replacement))
  namespace          = lower(replace(coalesce(var.namespace, var.context.namespace, local.defaults.sentinel), local.regex_replace_chars, local.defaults.replacement))
  environment        = lower(replace(coalesce(var.environment, var.context.environment, local.defaults.sentinel), local.regex_replace_chars, local.defaults.replacement))
  stage              = lower(replace(coalesce(var.stage, var.context.stage, local.defaults.sentinel), local.regex_replace_chars, local.defaults.replacement))
  delimiter          = coalesce(var.delimiter, var.context.delimiter, local.defaults.delimiter)
  label_order        = length(var.label_order) > 0 ? var.label_order : (length(var.context.label_order) > 0 ? var.context.label_order : local.defaults.label_order)
  additional_tag_map = merge(var.context.additional_tag_map, var.additional_tag_map)

Github: regmicmahesh/infrastructure-backend (github.com )

Slowly, terraform started feeling limited. Although the new DSL provided some level of dynamic nature in the codebase, it's DSL in the end. It's not a programming language. There are limitations to it. I don't think the problems I faced on Cloudformation were solved by Terraform.

You can create multiple resources by using count terraform but it introduces its own sort of issues. So, the usage of count introduces a list data structure in the scene which manages the count of the resources. Like if you remove an item of some index in the list, all of the elements of the list following the item will be redeployed. There is a drift between terraform modules and official AWS APIs, some stuffs are implemented in the aws-provider in their own way. There is not any good proper concept of conditional resources in terraform, like how Conditions: block work in Cloudformation.

Square 3: Pulumi

Then, I heard of this new IaC tool called Pulumi and decided to invest some time on it. Pulumi felt great. You can write your IaC in any of the supported programming languages and have it deployed in the cloud. I enjoyed writing Pulumi code in Go. Pulumi is also the language in which it itself is written, so the support was great!

I wrote custom stacks, experimented with different architecture patterns, and wrote custom components and stuff.

There's this automation API of Pulumi which lets you not even use the Pulumi tooling and just have your infrastructure code as a single binary. Doesn't it sound cool to have a binary that you can store in some artifact store and deploy it and your infrastructure will be in the desired state?

This is how the above code looks like in Pulumi.

package main

import (
    "github.com/pulumi/pulumi-aws/sdk/v5/go/aws/s3"
    "github.com/pulumi/pulumi/sdk/v3/go/pulumi"
)

func main() {
    pulumi.Run(func(ctx *pulumi.Context) error {
        bucket, err := s3.NewBucket(ctx, "example-bucket", &s3.BucketArgs{
            BucketName: pulumi.String("my-example-s3-bucket"),
            AcceleratedConfigurati on: &s3.BucketAcceleratedConfigurationArgs{
                Enabled: pulumi.Bool(false),
            },
            AclInput: pulumi.String("private"),
            PublicAccessBlockConfiguration: &s3.BucketPublicAccessBlockConfigurationArgs{
                BlockPublicAcls:       pulumi.Bool(true),
                BlockPublicPolicy:     pulumi.Bool(true),
                IgnorePublicAcls:      pulumi.Bool(true),
                RestrictPublicBuckets: pulumi.Bool(true),
            },
        })
        if err != nil {
            return err
        }

        ctx.Export("bucketName", bucket.ID())
        return nil
    })
}

You can find a blog about my Pulumi architecture here as well.

Structuring Infrastructure as Code with a Layered Approach (maheshchandraregmi.com.np)

I thought developers would also be involved in managing the IaC if it's in the programming language that they use. But, it didn't quite work like that. They had no interest in writing infrastructure code and even if they did, it was just too risky for them to deploy.

Then, I didn't touch the pulumi code for a month. I opened the pulumi codebase next month and it all started breaking apart. The dependencies were outdated, there were vulnerabilities introduced in the packages that I used.

The code felt too magic to me and required few hours to quickly wrap my head around how I had done things. The dynamic nature of the code quickly became the downside because there were just too many moving pieces and changing something had unintended consequences.

Back to Square 1: AWS Cloudformation

And, now I'm back in AWS CloudFormation. I think the configuration and DevOps processes should be as dumb as possible. It should be clear to the eyes on one look and involve no magic. It should be lean and every extra line of code or tool involved is a tech debt.

I started using nested stacks and custom resources of CloudFormation as well. I don't need to use loops because I don't need to make the infrastructure dynamic. Do I need to add a new subnet in future? Ok, I will modify the code to have a new subnet. For me or any other DevOps who will join in the future it is easier to see than to wrap a head around the looping logic.

We can also leverage features like Stacksets, Drift Detection, Automated Rollbacks with cloudformation. The code can also be viewed as a diagram in the application manager and can be entirely managed through AWS.

I use these templates in the projects nowadays.

regmicmahesh/cloudformation-stack-templates (github.com)

Thank you for reading!

Structuring Infrastructure as Code with a Layered Approach

Har Har Mahadev! — Tue, 30 Jan 2024 06:55:14 GMT

One of the problems that I face frequently when writing Infrastructure as a Code is how you structure it. To answer this question, I think there are a few indicators that decide how we want to structure.

One resource will have less change compared to another resource. For example: your VPC resource may not change for the lifespan of the project but the application resource may change every day. How can I structure it in a way that I can make sure the changes in application don't have any relationship with the change in VPC?
Changes in some resources are significant. Such as IAM Roles, Accounts, Billing, etc. They may bring down the whole system. How to make sure it's properly encapsulated? So that the code responsible for the application is guaranteed to have read-only access to the IAM Roles.

Layered Approach

Then, I read this fantastic write-up I've included in the references section of this blog. We can think differently. What if we can distinguish every resource in different layers based on the two principles:

Rate of Change: The resources with a similar rate of change should go in the same layer.
Encapsulation: A layer should encapsulate all the necessary resources which change with it.

If you think of these layers, they resemble somewhat like the OSI layer model in computer networking. Each layer encapsulates the data passing only the required data to the lower layer. The rate of change and the effect of change increases drastically as you go up the layer chain.

Layer Representation

This is the diagram of different layers as presented in the blog by Lee Briggs.

Layer	Name	Example Resources
0	Billing	AWS Organization/Azure Account/Google Cloud Account
1	Privilege	AWS Account/Azure Subscription/Google Cloud Project
2	Network	AWS VPC/Google Cloud VPC/Azure Virtual Network
3	Permissions	AWS IAM/Azure Managed Identity/Google Cloud Service Account
4	Data	AWS RDS/Azure Cosmos DB/Google Cloud SQL
5	Compute	AWS EC2/Azure Container Instances/GKE
6	Ingress	AWS ELB/Azure Load Balancer/Google Cloud Load Balancer
7	Application	Kubernetes Manifests/Azure Functions/ECS Taks/Google Cloud Functions

We can discard the upper two layers. It's best if we manage those layers manually because the lifespan of those resources is generally equivalent to the lifespan of your whole IaC project. And, we have this sweet problem always existing of "if IaC manages state using a resource which can't be managed by that IaC, what manages that resource? For example s3 bucket". For this kind of resource, it's best to have some scripts that do it.

So, the approach that I'd like to take is the following.

Layer	Name	Example Resources
0	IAM	IAM Users, IAM Roles etc.
1	Network	AWS VPC / Security Groups / NAT / IGW / Route Tables / Subnets
2	Certificates	AWS Certificate Manager, Route53 Records for Certificates
3	Data	AWS RDS, AWS DocumentDB, DynamoDB
4	Assets	S3 Buckets, ECR Repositories
5	Ingress	AWS ELB, Target Groups, Cloudfront Distributions, DNS Records for Route53
6	Compute	ECS, EKS, EC2 Instances, Autoscaling Groups, Lambda Functions
7	Application	ECS Services, EKS Resource, Lambda Functions

If you prefer a tree view, this is how I've structured the codebase written using Pulumi SDK in Golang.

./layers/
├── application
│   ├── main.go
│   ├── Pulumi.dev.yaml
│   └── Pulumi.yaml
├── assets
│   ├── main.go
│   ├── Pulumi.dev.yaml
│   └── Pulumi.yaml
├── certs
│   ├── main.go
│   ├── Pulumi.dev.yaml
│   └── Pulumi.yaml
├── compute
│   ├── main.go
│   ├── Pulumi.dev.yaml
│   └── Pulumi.yaml
├── data
│   ├── main.go
│   ├── Pulumi.dev.yaml
│   └── Pulumi.yaml
├── ingress
│   ├── main.go
│   ├── Pulumi.dev.yaml
│   └── Pulumi.yaml
└── network
    ├── main.go
    ├── Pulumi.dev.yaml
    └── Pulumi.yaml

Complete Project Structure

If you look at the complete project structure, it resembles something like this.

.
├── assets
├── base
│   ├── Dockerfile.infras-builder
│   └── Makefile
├── env
│   └── override.mk
├── go.mod
├── go.sum
├── internal
│   └── file
│       └── main.go
├── layers
│   ├── application
│   │   ├── main.go
│   │   ├── Pulumi.dev.yaml
│   │   └── Pulumi.yaml
│   ├── assets
│   │   ├── main.go
│   │   ├── Pulumi.dev.yaml
│   │   └── Pulumi.yaml
│   ├── certs
│   │   ├── main.go
│   │   ├── Pulumi.dev.yaml
│   │   └── Pulumi.yaml
│   ├── compute
│   │   ├── main.go
│   │   ├── Pulumi.dev.yaml
│   │   └── Pulumi.yaml
│   ├── data
│   │   ├── main.go
│   │   ├── Pulumi.dev.yaml
│   │   └── Pulumi.yaml
│   ├── ingress
│   │   ├── main.go
│   │   ├── Pulumi.dev.yaml
│   │   └── Pulumi.yaml
│   └── network
│       ├── main.go
│       ├── Pulumi.dev.yaml
│       └── Pulumi.yaml
├── main.go
├── Makefile
├── pkg
│   ├── acm-certificate
│   │   └── main.go
│   ├── ecr-repository
│   │   └── main.go
│   ├── ecs-cluster
│   │   └── main.go
│   ├── ecs-service-v2
│   │   ├── main.go
│   │   └── types.go
│   ├── label
│   │   └── main.go
│   ├── load-balancer
│   │   ├── main.go
│   │   └── target_group.go
│   ├── mongo-database
│   │   └── main.go
│   ├── postgres-database
│   │   └── main.go
│   ├── s3-cloudfront-website
│   │   └── main.go
│   ├── security-group
│   │   ├── main.go
│   │   └── rule.go
│   └── ssm-parameters
│       └── main.go
├── policies
│   └── ssm-parameter.access.json
└── targets
    ├── docker.mk
    ├── go.mk
    └── pulumi.mk

Explanation

I've heavily used Makefile for this architecture.

targets

Everything that needs to be run from automation is grouped into the CLI it invokes. For example: dockerized commands, go into the docker.mk, go building/ linting/ vendoring commands go int othe go.mk file

pkg

This folder contains the Pulumi components that I've created to abstract all the resources required for one logical component. For example: the ecs-service-v2 creates EBS volumes, ECS task definitions, and ECS service itself.

layers

Every layer of the above diagram resides in a respective folder inside of the layers folder. Each of those packages produces a binary which is then passed with LAYER_NAME to the make command to operate on a single layer at a time.

env

This folder contains the environment variables required for the whole deployment to function. It also sets some handy variables like GOCACHE, GOPATH, and PULUMI_HOME to ensure I have a caching mechanism and a pretty fast build cycle in local environment.

These things will be directly set when running the IaC in CI/CD platform.

Reference

Structuring your Infrastructure as Code | lbr. (leebriggs.co.uk)

Hands-On: I wrote my auth logic with JS in Nginx; Will you?

Har Har Mahadev! — Sun, 17 Sep 2023 16:02:03 GMT

This may come as a surprise to you. How can someone use nginx configuration with Javascript? Fortunately, nginx supports a language called njs which is a strict subset of ECMA5. This can be used to further extend your routing logic, but don't be that happy because the feature you get with njs is very limited.

Lots of syntax doesn't work out of the box and I couldn't make it work with third-party npm modules such as jsonwebtoken etc. I couldn't even use esbuild to generate a single file build.

From the documentation of nginx:

njs is a subset of the JavaScript language that allows extending nginx functionality. njs is created in compliance with ECMAScript 5.1 (strict mode) with some ECMAScript 6 and later extensions. The compliance is still evolving.

I won't go with the installation process because you can get it easily in the documentation here. Also, you'd have to add the following repositories to have nginx packages available if you're also using Ubuntu.

# NGINX Repository
deb http://nginx.org/packages/mainline/ubuntu/ jammy nginx
deb-src http://nginx.org/packages/mainline/ubuntu/ jammy nginx

Running Hello World

After, we've installed the njs module. Let's go ahead and write the js code for straight-up firing the hello world.


@machine:/etc/nginx sudo cat > index.js << EOF
> var hello = function (r) {
    r.return(200, "Hello world!");
};
export default { hello: hello };
> EOF
root@machine:/etc/nginx

This is a very simple handler, which will return the string "Hello world!" with status code 200.

Let's plug it into the nginx.conf file.

user  nginx;
worker_processes  auto;

load_module modules/ngx_http_js_module.so;

http {
  js_import index.js;
  server {
      location / {
          js_content index.hello;
      }
  }
}

Now, when I send GET request to localhost with curl, I get the expected response.

root@machine:/etc/nginx# curl localhost
Hello world!
root@machine:/etc/nginx#

This is already very cool. But, we can do even more.

Implementing Dummy Auth and User Service

Let's create two simple services; one auth service and one for consuming the auth service.

Auth Service: Code

This is a fairly simple API. The login handler takes a POST request with username JSON key and generates a JWT token. The verify handler verifies the JWT token passed as a bearer token.

Let's test our auth service if it's working as intended.

regmicmahesh@machine:/etc/nginx$ curl -s localhost:8080/login -XPOST -d '{"username":"mahesh"}'
{"token":"eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTUyMjUzMjMsInVzZXJuYW1lIjoibWFoZXNoIn0.y7kOx9dScMwg0XjRj1AAa9xh3rZp0GzEzR0FC1f3x-w"}
regmicmahesh@machine:/etc/nginx$ curl -s localhost:8080/login -XPOST -d '{"username":"mahesh"}' | jq -r ".token"
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTUyMjUzMjYsInVzZXJuYW1lIjoibWFoZXNoIn0.XXkLCwspeYYy8kCONSSPve1T7AYX94GgzNB1rrdOygk
regmicmahesh@machine:/etc/nginx$ k^C
regmicmahesh@machine:/etc/nginx$ curl localhost:8080/verify -H 'Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTUyMjI5NTksInVzZXJuYW1lIjoibWFoZXNoIn0.GXnnmLuXRr8tu1Sx08DXcgs7N6au4huku-S62sR0JCU'
{"exp":1695222959,"username":"mahesh"}

User Service: Code

The user-service simply prints out the value of the header X-User-Id .

Now, we need to configure our nginx such that, every request first goes through the auth service, decodes the token if possible, and passes the username to user-service

Writing Nginx Config

First of all, let's configure the /verify .

 location = /verify {
   internal;
   proxy_pass http://localhost:8080/verify;
}

This is okay enough. The auth-service is running on port 8080. This should pass the request to that endpoint whenever requested.

Now, we can simply use auth_request /verify . But, where's the fun in that? We want to set the username in the header dynamically.

Let's write a simple njs script to send a request to this endpoint.

function verify(originalR) {
  function callback(r) {
    originalR.return(r.status);
  }

  originalR.subrequest("/verify", { method: "GET", body: "" }, callback);
}
export default { verify };

The NJS script above simply sends the request to /verify but doesn't send the request body. It sends only the headers.

Let's add one more block in nginx to use this js function.

 location = /auth {
   internal;
   js_content index.verify;
}

Now, we need to use this /auth endpoint as the authentication endpoint and everything should be good. We just wrapped our actual verification endpoint with a proxy. Why? Because now we can add our JS logic to set the header.

Let's define a variable to hold the value of the username.

server {
    set $username "";
# other code
}

Now, we can set this variable from the NJS script.

function verify(originalR) {
  function callback(r) {
    if (r.status === 200) {
      const body = JSON.parse(r.responseText);
      originalR.variables.username = body.username; 
      originalR.return(200);
    } else {
      originalR.return(401);
    }
  }

  originalR.subrequest("/verify", { method: "GET", body: "" }, callback);
}

export default { verify };

Now, we can send this variable as a header to the actual user service.

Adding it in the location, block it comes as follows:

location / {
    auth_request /auth;
    proxy_set_header "X-User-Id" $username;
    proxy_pass http://localhost:8081;
}

Let's take it for a test-run. It works!

regmicmahesh@machine:/etc/nginx$ curl  localhost -H "Authorization: Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJleHAiOjE2OTUyMjI5NTksInVzZXJuYW1lIjoibWFoZXNoIn0.GXnnmLuXRr8tu1Sx08DXcgs7N6au4huku-S62sR0JCU"
Request Received From: mahesh
regmicmahesh@machine:/etc/nginx$

Thanks for reading my blog. I don't think this is the best way, but just wanted to share what's possible with NJS scripting.

Dev Blog 1; Scratching the Kube API Server to get TTY

Har Har Mahadev! — Sat, 16 Sep 2023 06:50:49 GMT

This is my first blog of multiple blogs on developing a pod troubleshooter turned into a compiler as a service. What do you call it CaaS? COMPaaS is cooler though, lol. I've been learning a lot of things in this journey, so I decided to share about it with you all.

Let me start this blog with how it started, I wanted to make a super simple pod troubleshooter to provide for developers. Developers were having a hard time running migrations, checking application logs, and everything. I thought, okay, I'll create a simple tool which will do one simple thing; provide live tty session inside a running pod.

Although I used Weavescope for the project need, I thought it was always exciting to learn how these tools work and how can I develop one myself. So, I decided I'll build one live tty API for the pod myself.

REST API of Kube-API Server

Let me give you a little bit of background on what is this kube-apiserver thing.

Kube-API Server is one of the major services in the control plane which provides a REST API to change/configure the cluster's state. All the things (kubelets, controller manager) need to communicate with the API Server to perform any change in the cluster.

Now, it was clear. If I want a shell in the pod, I need to go through the kube-api server. But how? I wanted the REST API documentation or any reference on how can I send requests to the kube-API server.

Let me teach you a nice hack to find out what requests are you making when you're using kubectl. You can change the verbosity to level 10 to get the exact curl request you're making with the API Server.

kubectl get pods --v=10
...
curl -v -XGET -H "User-Agent: kubectl/v1.25.4 (linux/amd64) kubernetes/872a965" \
 'https://[redacted].com/api/v1/namespaces/default/pods?limit=500'
...

It's that simple to understand what request is kubectl making to fetch the list of pods in your cluster.

You can also get the OpenAPI schema of the REST API of Kubernetes.

curl --insecure -L "https://$API_URL/openapi/v2" \
    -H "Authorization: Bearer $TOKEN"

This will provide you with the complete open API schema of the kube-api server. You can then visualize this with tools like redoc, swagger, etc., and get a proper hold of the API.

REST Endpoint for pod/exec

Our goal is to extract the endpoint of exec-ing inside of the pod. You can either get it using the kubectl as I showed you or just explore through the schema. Either way, the endpoint is this.

${this.config.url}/api/v1/namespaces/${namespace}/pods/${podName}/exec?command=${cmd}&stdin=true&stdout=true&stderr=true&tty=true

But the catch is, that this endpoint doesn't work on HTTP, it upgrades your request to WebSockets. You can't do something like okay, I'll fire up an HTTP request with the command I wanna execute and show the stdout. The response to this endpoint is always a WebSocket upgrade, and the stdout/stderr is sent as a WebSocket message.

curl -XPOST -H "X-Stream-Protocol-Version: v4.channel.k8s.io" \
 -H "X-Stream-Protocol-Version: v3.channel.k8s.io" \
 -H "X-Stream-Protocol-Version: v2.channel.k8s.io" \
 -H "X-Stream-Protocol-Version: channel.k8s.io" \
 -H "User-Agent: kubectl/v1.25.4 (linux/amd64) kubernetes/872a965" \
 "https://$API_URL/api/v1/namespaces/default/pods/nginx-deployment-cbdccf466-qjfvw/exec?command=python&container=nginx&stdin=true&stdout=true&tty=true"

The response will contain the header Connection: Upgrade and Upgrade: SPDY/3.1 This means the connection is upgraded to WebSocket.

curl won't be able to take you long enough with WebSockets, we can use another tool similar to curl wscurl to send WebSockets requests with curl-like API.

If you're using curl, make sure to specify the subprotocol (i.e. X-Stream-Protocol-Version) with the flag -s .

wscat -H "Authorization: Bearer $TOKEN" \
   -c "$URL" \
   -s "v4.channel.k8s.io"

Message Format from Kube-API Server.

The message you receive from kube-api server over WebSockets is in a specific format. The first byte contains the messageType and the remaining bytes are the actual message from the TTY.

There can be three types of messages: stdin, stdout, stderr .

Message Type	Byte
stdin	0x00
stdout	0x01
stderr	0x02

In this way, you need to filter out the messages whether they're in stdin, stdout, or stderr.

For example: if you establish a connection with websocket, wscat will print something like this:

You see the first byte in the message received from the server. It's 0x01 because it's sent in stdout by the pod when you open a shell. And, your terminal doesn't know how to render that.

Will continue in Part 2.

My bad; But it's too late to rewrite.

Har Har Mahadev! — Mon, 11 Sep 2023 14:32:10 GMT

It's been around 5 years in the software space as a software engineer. In this journey, I started with the backend, jumped around between different full-stack technologies and currently settling down as the DevOps Engineer, occasionally handling difficult and complex parts of the system development.

Throughout my career, I've worked with numerous frontend frameworks, backend frameworks and operational strategies and technologies. This brings back a lot of painful and happy memories. In this blog, I've written about my views from my experience which may or may not be correct.

One problem I've always faced in the majority of the projects is as the projects grow it gets increasingly difficult to change things, observe things and gain a better understanding of the system. When we aren't able to have a good sense of the system, we can't properly architect the new change.

One recent example; I was leading in moving the auth-module of a system from self-backend implementation to Google provider. When I started the project it was really simple, I had implemented the auth module as a separate testable entity that could be plugged into other modules and easily modified. As the project grew with other developers, they started plugging in middlewares, modifying attributes of the auth module and injecting unneeded things to the auth state just because it was properly designed to hold the state in the request-response lifecycle.

Now, I thought to change the internal implementation of the auth module, and sweet hell Mary, everything was a mess. Our middleware broke, and authorization didn't work. Most of the modules that depended on the auth module broke.

Another example; I was leading the development of a data labeling system. We envisioned this system would be complex, so we chose to separate systems into 3 different components. This time, I had bootstrapped the projects and the code was in proper shape in the initial commit. But, soon after from Day 2, there were blockers. Separate components had separate developers working on them. The interaction between components was over HTTP, and communication issues between these components ate up a lot of the development time. By a lot, I mean the development time was extended significantly. Now, when I think about it, it boils down to "premature optimization is the root of all evil".

Another example; This was a streaming site built with a claimed "Super Fast" NodeJS framework at the time. I thought, okay streaming is a tough job. Let's write this service with NodeJS and a custom ffmpeg wrapper in NodeJS. The super-fast framework was so slow to develop, that it had no community plugins. I wrote a lot of things myself which I could have got for free. If I'd sacrificed 1% speed and used a slower framework, my productivity would be 100x.

What did I learn from it?

I learned two key things from it:

Developers often fail to understand the intention behind the code.
You don't need to think about scaling to 10 million when you're writing your first line of code.
There is no such thing as "It worked for X corp, it should surely work for us."
Don't go with "Yeah, I've worked with X framework between these choices, and I think it's a good fit."
Performance isn't always the top priority.

How do I do it now?

Now, I've seen enough failures to identify the correct one. I'm confident enough to tell that whatever you're building, it should follow these characteristics:

should have as little magic as it can.
dx is not a thing to ignore.
Most of the things should be automated.
Interfaces and boundaries should be thought of at first.
The system should be observable.
There should be a proper document in place to understand "why" for all ADRs (architecture decision records)

In the starting, I'll start with some BaaS (Firebase, Supabase, Strapi maybe) because it's not worth investing a lot of code and developer time when your (potential) clients and software don't even understand each other.

Most of the BaaS makes things observable, you can know which services are getting most requests, which queries are taking the most time, what time you are getting a lot of traffic, which is the bottleneck in your system etc. You also get sweet other things out of the box such as authentication/authorization, and data persistence layers and the best of them all is dx with it.

After a certain period, you'll get a perfect understanding of which way your software is heading. You can slowly start separating the bottlenecks of the BaaS platform into separate services. You write your code this time, as serverless functions if possible for your service. And you plug it into your BaaS.

Now, you need to start finding out how that BaaS does certain things and how'd you on about doing that on your own, research on the database performance, language, toolings etc.

After a certain level of maturity, you'll realize your business logic is getting too complicated to tune your BaaS and you need to do it on your own. This is the moment you start slowly rewriting your backend and shifting your API into your backend, one service at a time.

At last, this is my personal experience. Let me know if you have any conflicting views or I misunderstood something, I'm learning every day and would be very happy to correct myself.

Is unpacking faster than indexing?

Har Har Mahadev! — Tue, 12 Apr 2022 09:24:34 GMT

This is a strange story.

One morning, I woke up and wrote a few lines of code. Then, there came an interesting situation. I need to assign two elements of an array to two variables. There are many ways of achieving this in python.

If you're a javascript developer, your instinct should say this is the way.

const [x,y] = items;

Suppose, I've got an array [1,2] and I need to assign two variables to this value. Something like follow:

a = 1
b = 2

I did the natural thing I was used to doing, unpacking the variable.

a, b = items

This works with charm. But suddenly I remember of an another way. What if I index the array and grab the elements that way.

a, b = items[0], items[1]

Or even.

a = items[0]
b = items[1]

Now, I want to profile this code. I know this is over-engineering at max but let's see what exactly happens.

First I wrote the same implementation in python and disassembled the code.

In [15]: def x():
    ...:     a , b = items
    ...:     return
    ...:

In [16]: def y():
    ...:     a = items[0]
    ...:     b = items[1]
    ...:     return
    ...:

In [17]: dis(x)
  2           0 LOAD_GLOBAL              0 (items)
              2 UNPACK_SEQUENCE          2
              4 STORE_FAST               0 (a)
              6 STORE_FAST               1 (b)

  3           8 LOAD_CONST               0 (None)
             10 RETURN_VALUE

In [18]: dis(y)
  2           0 LOAD_GLOBAL              0 (items)
              2 LOAD_CONST               1 (0)
              4 BINARY_SUBSCR
              6 STORE_FAST               0 (a)

  3           8 LOAD_GLOBAL              0 (items)
             10 LOAD_CONST               2 (1)
             12 BINARY_SUBSCR
             14 STORE_FAST               1 (b)

  4          16 LOAD_CONST               0 (None)
             18 RETURN_VALUE

In [19]:

Do you see the extra overhead when I index the value? First, it need to load the constant i.e. index value, then perform the subscription. The store the value in a. This is a long way of doing it.

If I look at the other code, which is unpacking. One instruction UNPACK_SEQUENCE is capable of returning all the values and it's followed by two store instructions.

Even by intuition, I suppose the first function (x) will run faster.

Now, let's compare the execution time.

In [19]: %timeit x()
84.3 ns ± 3.59 ns per loop (mean ± std. dev. of 7 runs, 10,000,000 loops each)

In [20]: %timeit y()
108 ns ± 2.42 ns per loop (mean ± std. dev. of 7 runs, 10,000,000 loops each)

To no surprise, the unpacking beats the indexing by around ~24ns. This isn't the kind of optimization you should be thinking when writing a code. Write a clean, readable testable code.

Don't abuse your codebase with lines like the following:

a ,= items
# use this
b = items[0]

I stopped using environment variables for config.

Har Har Mahadev! — Sun, 10 Apr 2022 06:03:29 GMT

Environment variables were the standards for passing configurations, keys, and deployment assets in the system for a long time. It's even recommended by the twelve-factor apps guide.

No syntax, No composition

But the problem is once your configuration starts getting too complex, it's very tough to manage environment variables. Currently, in one of my projects, the environment variable count is 53 and it's bound to increase substantially when we deploy our next release. If only there was composition we could identify which are common variables to be used in all stages and which are the unique ones. For this problem, what we're doing currently is namespacing the environment variables via underscore. For example MY_COMMERCE_DB_HOST_NAME. Now, when we deploy another environment it's very tough to identify which environment variable is used in which aspect of the project and how. The complexity and no data types of environment variables is only one part of the problem, and probably a lesser significant one.

Security Issues

Environment variables increase the attack surface for your application when sensitive values like SSH Keys, Database Passwords, authentication credentials, and API Keys are passed via it. Most of the loggers dump all your environment variables into the log file when your application crashes along with the stack trace which silently passes down your secret variables into a plain text log file. Also, the environment variables when supplied to a parent process are passed down to every child process. Now, if you're spawning a subprocess to some third party process it has access to all of your secrets. In ephemeral deployment solutions like AWS Lambda, Azure Functions it maybe not be much of an issue because you can use your own master key to sign your environment variables, and also the container lifecycle is ephemeral which significantly reduces the risk of leaking down your variables but still, it's doable and is happening.

What is my approach?

Store your configuration file in YAML.

It's easy enough to create language and OS agnostic configuration files (INI, YAML, etc.) and it's usually straightforward to make files easy to change between deployments too - e.g. if a deployment is containerized, by mounting the file.

You can replace it like this:

APP_ID=123
APP_HOST=domain.com
APP_LOGGER=logging-service

DB_HOST=domain.com
DB_PORT=5433
DB_USERNAME=mmm

app:
  id: 123
  host: domain.com
  logger: logging-service

db:
  host: domain.com
  port: 5433
  username: mmm

Now, this is significantly easier to parse and pass down the road to required places which also supports the dependency inversion principle. There are packages that can create schemas from YAML files which will even help you further. Also, you can use YAML validators to add different validations, now your configuration has its own syntax, and data types are composite.

Store your secrets in an ephemeral file system.

Different containerization platforms have their own way of passing down secrets in an ephemeral file system. If you're using Docker in swarm mode, you can utilize the full benefit of docker secrets. Kubernetes has its own configuration mechanisms for passing secrets. One of the methods I personally suggest to pass secrets is using Hashicorp Vault which is very good for implementing in zero-trust environments.

Also, the cloud provider has some sort of secrets management service like AWS Secrets Manager which has a variety of security mechanisms as a service.

Should you use Kubernetes?

Har Har Mahadev! — Sun, 03 Apr 2022 10:24:02 GMT

No.

Hardening a Docker Image

Har Har Mahadev! — Wed, 23 Mar 2022 02:18:13 GMT

Hardening

Hardening refers to decrease the potential of a system getting exploited by reducing the attack surface. It may range from adhering different policies like Least Privilege, Zero Trust and also contain different steps like automatic security updates, firewalls, rotating passwords etc.

For hardening a system, basically the system-ops should cut-off unnecessary provisioned processes, services and vast majority of other resources currently used by the system unless they're bare minimum or essential for the system to function.

There are a million steps to be taken in order to prepare an absolutely stone hardened system but we'll look at some essential steps in hardening a docker image so that next time someone tries to own your docker container, they'll have hard time.

Limit the build data with .dockerignore or unnecessary copy.

Most of the times when building a docker image, it's a wild practice to move a directory directly inside the image, but this increases the attack surface as .env files, configuration folders, log files may be moved inside the docker image which gives the attacker more information already present inside the docker container regarding the system.

Even if the data are too many to be copied without doing a wild-card copy, I'd suggest to use a .dockerignore file which behaves similar to .gitignore and it stops the files from being copied which are mentioned there.

Use smaller images or scratch if possible.

Using a larger docker bases which consist of a thousand of tools your application doesn't need to function but increase the attack surface as there's chances of them having security issues is a great way of helping the hacker.

Try to use a very small image. Also, don't make a nightmare for developer by using images like alpine when the application is supposed to use very complicated libraries as alpine builds everything using musl and sometimes it's a nightmare.

My preferred docker images are slim builds of debian. Also, it's a lot easier when you're using statically compiled languages like go, which can run natively inside docker container when you just ship a container with only the binary. Think about the attack surface reduction when everything the filesystem contains is a single binary.

Downgrade to non-privileged User.

Getting rid of the root user in a docker image is just a two line configuration change. By doing just this simple change, we introduced a whole new problem of privilege escalation to the potential attacker.

Mount host file system as read-only.

Often times, we need to mount host data for reading configuration, or many other reasons for the docker container to function properly. For this, if we mount the host file system with full RW access chances are the potential attacker will misbehave with the mounted file system. To mitigate to some extent, we should mount the file system in read-only mode. We should reduce the access in the host file system by stripping down to the only required folder / file.

Don't expose unnecessary ports.

In development environment, it's a good idea to expose multiple ports, as the developer may require to run remote debugging in the container, or an extra development only network access for whatever reason but those ports should be strictly shut down while running with live users. It's a good idea to expose only the port listened by the main process running inside the docker container.

Never run in privileged mode

This requires no explanation. Running a container in privileged mode means it can do basically anything the host system. This is the worst thing through which you not only risk the container but also risk the host system.

Other Extra Suggestions

Enable Scan on Push in ECR.

Elastic Container Registry (ECR) service provided by Amazon can scan for security issues in your docker images as soon as you push them. This enables you to know about the potential threats in the docker image and quickly update / patch the packages which have CVEs assigned to them.

some notes i took.

Har Har Mahadev! — Sat, 22 Jan 2022 06:25:32 GMT

The Single Responsibility rule states that a class should have a single purpose, and its methods should all be related to that purpose.
The Encapsulation rule states that a class’s implementation details should be hidden from its clients as much as possible.
The Most Qualified Class rule states that work should be assigned to the class that knows best how to do it.
The Low Coupling rule states that the number of class dependencies should be minimized.
The rule of Transparency states that a client should be able to use an interface without needing to know the classes that implement that interface.
The Open/Closed rule states that programs should be structured so that they can be revised by creating new classes instead of modifying existing ones.
The Liskov Substitution Principle (LSP) specifies when it is meaningful for one interface to be a subtype of another. In particular, X should be a subtype of Y only if an object of type X can always be used wherever an object of type Y is expected.
The rule of Abstraction states that a class’s dependencies should be as abstract as possible.

Splitting a big tfstate into Multiple Environments with Remote Backend

Har Har Mahadev! — Mon, 20 Sep 2021 05:31:37 GMT

Splitting tfstate files into multiple environments is very useful when your project is growing so much and you've a very big tfstate file and you need to monitor which resource are failing, which are deploying effectively.

It's hard to track resources specifically when you're using for example own mongodb in your dev cluster but want managed service for your production environment.

Let us consider a file structure as below. Currently, all your backend configurations are stored inside the mono/provider.tf. Now, your project is growing and you need to separate out your tfstate into multiple environments.

For this example, we consider s3 backend. But you may use any; the process is same.


 [FILE] envs ~/devops/learningtf/envs
      dev                                                                                 
     └  provider.tf                                                                        
      mono                                                                      
     └  provider.tf                                  
      prod                                                                           
     └  provider.tf

The code inside the mono/provider.tf is as follows.

mono/provider.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
  backend "s3" {
    bucket = "test-split-backend"
    key    = "dev"
    region = "us-east-1"

    dynamodb_table = "dev-test-split-backend"
  }
}

# Configure the AWS Provider
provider "aws" {
  region = "us-east-1"
}

resource "aws_s3_bucket" "dev-bucket" {
  bucket = "test-split-qa"
  acl    = "private"
}

resource "aws_s3_bucket" "qa-bucket" {
  bucket = "test-split-qa"
  acl    = "private"
}

Consider these two buckets dev-bucket and qa-bucket. Now, you want to move these two resources into it's own environment.

Let's make a scaffold for putting resources with provider and backend for dev environment.

dev/provider.tf

terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = "~> 3.0"
    }
  }
  backend "s3" {
    bucket = "test-split-backend"
    key    = "dev-split/terraform.tfstate"
    region = "us-east-1"

    dynamodb_table = "dev-test-split-backend-final"
  }
}

Now, you may proceed to terraform apply so that terraform will generate state file and lock files on the remote backend.

If you run terraform state list, the output should be empty as we haven't added any resources in this environment.

Now, the first step is to dump the tfstate file which is very easy, just one command.

cd dev && terraform state pull > dev.tfstate

This will pull your current configuration of dev environment which should be not exactly empty but without any resources.

Now, you're ready to move the resource from mono into dev environment.

First of all identify which resource / module you want to move by looking at the tf files.

After identifying the resources, now move them into dev.tfstate using this simple command.

cd mono
terraform state mv -state-out=../dev/dev.tfstate aws_s3_bucket.dev-bucket aws_s3_bucket.dev-bucket

This will remove the resource tracking from mono and move into to dev.tfstate which is not synced with dev remote tfstate as of now.

Now, the last thing you need to do is push the dev tfstate into the remote server, which is as easy as the following command.

cd dev
terraform state push dev.tfstate

Now, if you run terraform state show, you should be able to see the different as it won't show in the mono but it'll show in the dev.

You can confirm if there's any drift by doing terraform plan inside the dev environment.

Reduce the fear on reduce - Javascript.

Har Har Mahadev! — Mon, 24 May 2021 05:21:19 GMT

The reduce method available on arrays on JavaScript is one of the most powerful feature of functional programming. It is used to combine an sequence of elements together as a binary operation. In general terms, when we reduce an array we produce a single value at the end which consists of a pure function and some important concepts of reduce workflow.

The image below correctly explains the three main pillars provided in javascript to support functional programming paradigm.

Map is used to create a new array based on certain manipulation of every item of existing array but not removing them.

Filter is used to create a new array based on certain condition of existing array.

Reduce is the master of all which includes a whole pipeline and can do map, filter and much more. But, as you see in the diagram it is used to produce a single value at the end.

Before getting hands-on with reduce, we need to understand few concepts first.

Accumulator

Accumulator is used to store the current value of our reduce pipeline. Initially, if we provide any initial value to the reduce function, accumulator equals that value if not accumulator takes the first value in the array and the iteration starts from second item. Not clear? Look at the examples below.

Let's start with one of the most basic reducing operation.

const arr = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
const num = arr.reduce((acc, el) => acc + el);
console.log(num); // 55

Here, the reduce function takes 1 as initial value ( first item in the array ) because no initial value is provided. After taking the first item as initial value, the invocation of function starts with the second item in the array.

Initially, the accumulator stores the same value as the initial value.

So, the initial value is 1, the accumulator holds the value 1, and the current element is 2.

After running the function we passed inside the callback, the returned value of our function is the new value to be set in the accumulator.

After one iteration.

So, the accumulator holds to value 3, and the current element is 3.

After second iteration.

So, the accumulator holds the value 6, and the current element in 4.

So, the accumulator is responsible for holding the returned new item after every iteration which is again passed while invoking the function for next item.

Guess, the above example makes it crystal clear now.

Now, let's try to do the same thing but providing initial value.

const arr = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
const num = arr.reduce((acc, el) => acc + el, 5);
console.log(num); //60

Here, we pass another argument to the reduce method of array 5. Now, the reduce method will take 5 as initial value. The iteration begins on first item because it's not taken as initial value.

So, the initial value is 5, the accumulator holds the value 5, and the current element is 1.

After one iteration.

So, the accumulator holds to value 6, and the current element is 2.

After second iteration.

So, the accumulator holds the value 8, and the current element in 3.

Hope you understood the process.

Now, let's understand the whole syntax.

reduce((acc, el) => { ... } )
reduce((acc, el, i) => { ... } )
reduce((acc, el, i, arr) => { ... } )

We tried the first syntax already. The first item we pass is the accumulated value which is equal to the initialValue ( if we pass ) or the first item of array initially.

The second syntax is also near-equivalent but it takes a third argument i which is equal to the current index of the array.

The third syntax passes the whole array as first argument.

Keep in mind, only the first two are required. All other are optional parameters, pass it if you need them.

Now, you've a foundational knowledge of reduce, let's try to see how it's a swiss knife of functional programming.

Converting an array of number to array of strings.

For this operation map may be suitable and if you do it via map, you can do something like this...

const arr = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
const num = arr.map(el => el.toString())
console.log(num); // ["1", "2", "3", "4", "5", "6", "7", "8", "9", "10"]

This is a lot simpler approach. Let's try to approach this with reduce.

First let's think how we can solve this like a functional programmer.

The initial value for this operation should be blank array i.e. []. Now, on every reduce operation we convert the number into string and push into the array.

Pretty straight-forward right?

const arr = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
const num = arr.reduce((acc, el) => [...acc, el.toString()], []);
console.log(num);

If you're confused with the part [...acc, el.toString()], it means to spread the value of current acc array in the place of ...acc which means if acc equals to [1,2,3] then our new array will be replaced as [...acc] => [1,2,3], here the value inside of acc array is spread in-place.

After the current value held by the acc, we are pushing our current el.toString().

The flow can be explained as...

At first, acc = [] and current element = 1

At second, acc = ["1"] and current element = 2

At third, acc = ["1" , "2"] and current element = 3

Pretty straight forward right? If you're having issues with spread operator, consider this.

const arr = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];

const num = arr.reduce((acc, el) => {
 acc.push(el.toString());
 return acc;
}, []);

console.log(num);

Now, what if only even number is required.

Let's try with filter and map.

const arr = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
const num = arr
    .filter(el => el % 2 == 0)
    .map(el => el.toString())
console.log(num);

This does the job. Now, let's try implementing this with reduce.

So, the initial value will be []. Our callback function should return the accumulator if element is odd, else add the stringified-element to the accumulator and return it.

const arr = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
const num = arr.reduce((acc, el) => {
  if(el % 2 == 0) acc.push(el.toString());
 return acc;
}, []);
console.log(num);

Now, this is getting interesting, right?

Let's try to implement a reduce function which reverses an array. It's quite simple because we also have reduce right, which reduces the array from left.

const arr = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
const num = arr.reduceRight((acc, el) => {
  if(el % 2 == 0) acc.push(el.toString());
 return acc;
}, []);
console.log(num);

We can also do this though...

const arr = [1, 2, 3, 4, 5, 6, 7, 8, 9, 10];
const num = arr
    .filter(el => el % 2 == 0)
    .map(el => el.toString())
    .reverse()
console.log(num);

This is just the surface of the power of reduce. You can do much more based on your needs. If you've more examples, feel free to drop those in comments.

Further Reading: https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Array/Reduce

Learning Django Middleware by exploring CSRF.

Har Har Mahadev! — Fri, 21 May 2021 11:15:52 GMT

Talking about how much people assume me to be experienced in django, I'm one of those guys who've never seriously thought about how django does specific stuffs and rather rely on it works kind of thoughts. I just simply make my own if I don't want to hassle with django generics and mixins, or I spend 5second of my development time trying to search for it in docs ( thanks for the wonderful examples).

Recently, I had a software engineer interview, and one question that hit me was you've done django but have you written your own csrf (Cross Site Request Forgery) validator? I had written once in node when using with ejs, but I had never thought about how django does it... I answered the same.

CSRF

Cross Site Request Forgery refers when an attacker from another website can submit a form in my website.

Imagine you have a form which allows user to delete his account when he hits a POST request to /deleteprofile.

Now, a third party website can make same form as yours, provide a better SEO and use ads campaign on facebook to make a form which will instead submit a deletion request to your backend.

This is a serious issue.

-Image from Portswigger

You need to validate that the request you've received is originated by you and authorized by you to be performed.

Read More About CSRF: https://portswigger.net/web-security/csrf

One of the general solution to solve this issue is to use csrf token. Now, the token will be given by your backend to the webpage which is responsible to submit the form as a cookie.

And, the webpage will submit you the data including the csrf token. Now, you will validate if the submitted token is same as csrf token issued by your backend.

This cuts off all the attackers trying to request to your system from another system or trying to trick your users into submitting data unknowingly.

How Django handles security?

If you didn't know django comes with pretty much all the middlewares required to secure your backend. If you want to be practical, just check the settings.py file in your recent django project and find a list called MIDDLEWARE.

#other code....
MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware', # this is the one
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
]
#other code...

CsrfViewMiddleware

Let's get into the github repository of django and try to locate where the source of this middleware is located. Open File in Github

A little Context on Django Middlewares.

In django, a middleware is just a request interceptor which has some hooks associated with it.

If you have zero experience, have a read here.

Some hooks are mentioned below...

process_view() is called just before Django calls the view.
process_request() is called just before Django parses the requst.

Now, you're ready to go into this journey.

In django, a csrf token contains two part mask and actual token. Each part contains 32 characters consisting of letters and digits.

CSRF_SECRET_LENGTH = 32
CSRF_TOKEN_LENGTH = 2 * CSRF_SECRET_LENGTH
CSRF_ALLOWED_CHARS = string.ascii_letters + string.digits

There are couple of helper methods defined there which help us to create a token, mask token, unmask token and compare tokens...

For this purpose.

 def _get_token(self, request):
        if settings.CSRF_USE_SESSIONS:
            #not important for this context.
        else:
            try:
                cookie_token = request.COOKIES[settings.CSRF_COOKIE_NAME]
            except KeyError:
                return None
            csrf_token = _sanitize_token(cookie_token)
            if csrf_token != cookie_token:
                request.csrf_cookie_needs_reset = True
            return csrf_token

This method extracts the token from the cookies using the CSRF_COOKIE_NAME as defined in the settings.

Now, let's go into the lifecycle.

def process_request(self, request):
        csrf_token = self._get_token(request)
        if csrf_token is not None:
            # Use same token next time.
            request.META['CSRF_COOKIE'] = csrf_token

This hook utilizes the above helper method to extract the token and save it in request.META.

Now let's get into process_view.

if getattr(request, 'csrf_processing_done', False):
            return None

skipping checks if processing is already done.

if getattr(callback, 'csrf_exempt', False):
            return None

skipping checks if csrf_exempt is on.

if request.method not in ('GET', 'HEAD', 'OPTIONS', 'TRACE'):
    if getattr(request, '_dont_enforce_csrf_checks', False):
         return self._accept(request)

csrf token check is only done for put, patch, post and delete methods only. Also, it's worth nothing django doesn't accept post request without csrf tokens by default.

Then the check starts checking if the HTTP_REFERRER is valid or not.

request_csrf_token = ""
if request.method == "POST":
    try:
           request_csrf_token = request.POST.get('csrfmiddlewaretoken', '')
     except OSError:
            pass

Now, we get the token sent by the user in the request.

And then the django checks the token with the issued token.

request_csrf_token = _sanitize_token(request_csrf_token)
if not _compare_masked_tokens(request_csrf_token, csrf_token):
       return self._reject(request, REASON_BAD_TOKEN)

Now, I guess this also explains to you about django middleware. A middleware essentially captures a request in middle, and does something with it and it's upto the middleware whether to forward to next middleware / view or just drop it.

Removing Sensitive Information from Git History

Har Har Mahadev! — Wed, 12 May 2021 07:45:19 GMT

We all have gone through this problem once in our development career. We mistakenly have pushed sensitive info into github and we need to remove it. The sensitive info can be anything like a prod .env file or passwords hard-coded in the code.

Luckily, it's pretty straight forward to remove that change from git history both from your local repository and remote repository.

For the demonstration, I've create a local git repository.

And populated with some fake git commits to demonstrate what you may actually do.

$ git log --oneline
d5d9f70 (HEAD -> main) some more changes to main
c05631b Added Password
ac547a8 Added Main File to Project

Editing Commit

Here, I have made clear using commit message to show that the commit with has c05631b adds sensitive information to our git history. Now, we need to remove that.

If you're having hard time finding which commit actually changed the password. You can use the following git command...

git log -p fileName

Now, run git rebase using this commit hash to rebase our git history from that commit onwards.

$ git rebase -i c05631b
pick c05631b Added Password
pick d5d9f70 some more changes to main

# Rebase ac547a8..d5d9f70 onto ac547a8 (2 commands)
#

Now, edit the text in the editor. We need to edit the commit which added password into the git history. So, I'll rewrite the first line as follows...

edit c05631b Added Password
pick d5d9f70 some more changes to main

# Rebase ac547a8..d5d9f70 onto ac547a8 (2 commands)

Note the first line, I've replaced the pick with edit. Now, after saving and exiting the text editor, git will put me right into the staging area of that commit.

Now, edit your password file. I will remove the password from .env file in this case.

And, I will add the changes into the commit using the given command.

$ git commit --amend -a -m "Removed Sensitive Content"

This will update the message in that commit and also the changed file.

Now, I will continue the rebase using the following command...

$ git rebase --continue

Now, git will try and update the git history by updating that specific commit with our new change.. We may also get some conflicts in the process.

Dropping Commit

This section is optional. If that's all you want you can go ahead and skip this section and follow the pushing into GitHub section.

Now, I will drop the same repository.

Use the git rebase command as before, but keep in mind the commit hash will be changed. So, again grab your commit hash using git log.

git rebase -i ab5edff

Now, change the pick line into drop which will actually remove the commit from git history.

Make sure you aren't dropping a repository which has other changes, it's generally bad idea to drop a commit. Or, it was a bad idea to create :D.

$ git rebase -i c05631b
drop c05631b Removed Secure Content
pick d5d9f70 some more changes to main

# Rebase ac547a8..d5d9f70 onto ac547a8 (2 commands)
#

Now, after saving and exiting this file. git automatically removes your commit and updates the git history.

$ git log --oneline
9f865e5 (HEAD -> main) some more changes to main
ac547a8 Added Main File to Project

YAY!

Pushing To Github

If this repository is already pushed into the github, it's always a bad news to rebase a remote repository, because it'll make conflict on all of your co-workers git history.

The command given below will do the job.

$ git push origin main --force

Ownership in RUST - ELIF 5

Har Har Mahadev! — Tue, 11 May 2021 16:06:04 GMT

Hello everyone ! A fellow rust learner here. It's been couple of weeks I've started learning rust. The most confusing part I found about rust as a programming language is the concept of ownership and borrowing.

We all are used to throwing a variable to a function using it later, or just re-assigning to multiple variables by making clones just because we can. But rust follows a strict practice here.

In order to make sure your code doesn't have any data race, it restricts a variable's value to be written only from one place. This also solves the problem of dangling pointers as rust has no garbage collector, it uses the variable scope to automatically clear the memory.

Ownership

In rust, every value has a variable which is called it's owner. And there can't be multiple owners at one time. When you initialize a new variable with a value it's said to be the owner of the value.

let name = "mahesh";

Here, name is the owner of the string literal "mahesh".

let name = "mahesh";

When you use this variable in another variable's assignment. The value is copied into another variable. Or, the variable is cloned. The two variable do not point to the same variable from memory's perspective.

This is because variables like integer, characters, booleans, raw strings implement the Copy trait. They require very less memory and can be copied easily to another. In other words, copying them is efficient enough for a computer.

But, this is not the case with structs or any other compound data types which are stored on heap.

#[derive(Debug)]
struct Age{
    num: i32
}
fn main() {
   let _name = Age { num: 30};
   let _another = _name;
   println!("{:?}", _name);
}

In this case, the variable _name is a struct. This _struct declaration doesn't implement the Copy trait. So, whenever you reassign the variable, it's owner is changed. At the line let _another = _name;, the ownership of newly created struct is shifter from _name to _another. Now, rust won't let you access the variable _name because a variable can only have one owner at a time.

But, this is not the case if you use #[derive(Copy)], it will create a brand new struct everytime you re-assign the variable if it implements the Copy trait.

error[E0382]: borrow of moved value: `_name`
 --> src/main.rs:8:21
  |
6 |    let _name = Age { num: 30};
  |        ----- move occurs because `_name` has type `Age`, which does not implement the `Copy` trait
7 |    let _another = _name;
  |                   ----- value moved here
8 |    println!("{:?}", _name);
  |                     ^^^^^ value borrowed here after move

The rust compiler is also pretty much self explanatory on this matter.

To avoid this from happening, you have multiple one options. One is to derive Copy trait as mentioned before. Another option is to clone the variable. You can either write your own clone method or derive the predefined trait and use it.

But these two are not the trivial solution always. So, the solution is to use referencing.

Referencing

Rust allows you to create a read-only or mutable reference to a variable. This allows you to safely access the variable but remember there can never be multiple mutable reference of a variable at once. Rust borrows the same & notation to create reference of a variable.

   let _name = Age { num: 30};
   let _another = &_name;
   let _other = &_name;
   println!("{:?}", _name);

The snippet shown above runs completely fine because in this case we are creating reference of the variable _name and we're good to do it. Because remember, this won't create multiple data and since there isn't a actual value stored at _another, there won't be issues like double-memory cleaning issue.

But, this isn't the case when you try to create multiple mutable references.

   let mut _name = Age { num: 30};
   let _another = &mut _name;
   let _other = &mut _name;
   println!("{:?} {:?}", _another, _other);

In this snippet you'll get a error as follows...

error[E0499]: cannot borrow `_name` as mutable more than once at a time
 --> src/main.rs:8:17
  |
7 |    let _another = &mut _name;
  |                   ---------- first mutable borrow occurs here
8 |    let _other = &mut _name;
  |                 ^^^^^^^^^^ second mutable borrow occurs here
9 |    println!("{:?} {:?}", _another, _other);
  |                          -------- first borrow later used here

This helps you to avoid data race at compile time.

I'm just getting started with rust migrating from high level language. Would love to hear any suggestions, feedbacks. Cheers!

Efficient Background Processing in NodeJS with BullMQ — MP4 to HLS.

Har Har Mahadev! — Mon, 03 May 2021 11:31:56 GMT

In one of our recent projects, we had to design a scalable distributed system to process incoming videos and serve those videos efficiently to large amount of concurrent users. Like netflix, but not complex from engineer perspective.

Two of the major concerns we had while designing the system was efficiently converting the video into HLS format, so that user can have better experience and the video adapts with change of the bandwidth, other concern is regarding tracking the watch time and recommending other videos to the user.

The second one is a lot easier because of prior experience of developers in our team with recommendation system on python and websockets for tracking everything the user does.

For converting the video into HLS format, we had a major hassle as this requires a lot of domain knowledge about video encoding and conversions.

Luckily, ffmpeg acted as a saviour for all of our issues. We could have used node-ffmpeg but we went with native ffmpeg in order to keep it simple, as we’re going distributed we may also have an extra endpoint layer of ffmpeg in aws to handle the video conversion in and out from AWS S3.

$ ffmpeg -i filename.mp4 -codec: copy -start_number 0 -hls_time 10 -hls_list_size 0 -f hls filename.m3u8

We used this script in order to convert a file from mp4 format to HLS.

Currently, we have a bit longer script which re-encodes the video into multiple resolutions for seamless and lag-free streaming experience.

In order to let this script to be executed, we needed a message broker which takes incoming video and consumes it to convert it to HLS.

For that problem, we used bull to act as message broker.

We created a queue at first called VideoQueue which will route our messages into the consumer.

Then, we wrote a very simple consumer function which just encodes the raw video file. Keep in mind, if you’re planning to do the same, you must validate all the inputs. Don’t throw native packages randomly as the file may not be what you want and unsanitized may lead to RCE.

This is our internal video converter which uses the shell script in order to convert the file and save it into movies folder.

Bull is extremely easy to use and configure.

It just stores your message into redis and consumer pulls from it. We’ve had a pretty good response time and conversion status with it as of now. We’re currently experimenting other video conversion formats to serve best traffic under certain video bandwidth.

Thanks. Too busy these days. No time to write articles.

Clean Way to Work With JWT —

Har Har Mahadev! — Wed, 03 Mar 2021 07:55:18 GMT

Working with JWT is a headache specially when you’re starting out building a stateless backend system.

Note: This is not an introduction to JWT ( JSON Web Tokens) or any tutorial to implement JWT from scratch.

In JWT, the token is the most important piece of information to identify the user in the system. If user is able to tamper, see and modify the JWT by any means, then he/she’ll be able to perform identity theft with XSS / CSRF attacks when not secured properly.

Let’s try to approach this problem by whatever comes in mind.

What if we tried to save the token in local storage and send it in header on every request?

There are many things wrong with this approach, One of the many being user has complete access to localstorage CRUD operations in the browser with few lines of javascript. This is extremely vulnerable to XSS attacks.

If a potential attacker has access to local storage, he can perform whatever he desires while the backend recognizes him to be the JWT Stored User.

And he hacker will have access forever, now what if user changes password what will you do?

Store it in database.

If you store the credentials in database and validate if the password has changed since the last token was issued, it’ll help you a little bit. But that’s not the point of JWT. The point of using Token Based Authentication like JWT is make sure the authentication system is maximum stateless as possible.

Let’s change the thought a little bit. What if the token expires after short time? And a new token is issued.

What ? A user logs in every(short)time?

No, let’s not do that way. It’s a terrible UX to login everytime. You can minimize UX such a terrible way just to make sure hacker doesn’t get access for long time.

Let’s use another token called refresh token which will stay with access token but have a greater expiry time. This works, now how will you make sure refresh token is used to refresh after access token is done (expired)?

Expose two endpoints

This works. But not for a long. A sensible hacker will request jwt forever and try to maximize his session as possible.

Keep in mind, our storage of JWT problem is not solved yet.

Covering the expiry part…

When you specify expiry time in jwt token, it won’t be valid token after the time has expired.

Now, the UX won’t be that bad and the token will keep on refreshing every time but how to make sure client / hacker doesn’t have reach to that token?

Using Cookies

What kind of cookies? If you store JWT in plain cookies, that’s how 90% of XSS attacks escalate to massive impact.

Using HTTPOnly Cookies

HTTP Only cookies are such kind of cookies which can’t be accessed and read from the client but will be stored on the client and passed on every request, which means the cookie works sort of like session but in a completely stateless manner.

The above code issues a two token which will be expired after 20m and 7days while the cookies can’t be read from the client.

This protects us from maximum attacks.

Little Help to Developers

This is how we can write a middleware to make sure, the token is validated and try to refresh the token if there’s any.

Make sure, your CORS enables frontend to work with HTTPOnly Cookies by following…

Keep in mind, origin can’t be wildcard when credentials is true..

You can login in this way…

Hand-On — Containerizing Development Environment with Visual Studio Code

Har Har Mahadev! — Tue, 16 Feb 2021 06:39:40 GMT

The Problem

I was having this problem since few months and I guess most of you are having the same issues.

Do you do development of multiple languages on your laptop and have trouble managing all the environments and dependencies of the projects?

This is one of the biggest burden in my current development environment, specially with slow HDD read/write speed.

Just now, I had issues installing the graphics library files for my development environment as Pillow in python used another version and NodeJS used another version. Updating any of them would break another.

It would be lot better, if I could isolate my programming environment but I can’t run a whole virtual machine just to have a isolation.

I mean, I don’t need a new OS, I just want to isolate my development programs, tools and codebases. Another benefit it comes is that if you stop working in any of the projects in golang, and you can remove the whole development environment with just some commands, and you’re good to go.

Isn’t that already convincing enough to try containerizing your development workflow?

Container

A container is a standard unit of software that packages up code and all its dependencies so the application runs quickly and reliably from one computing environment to another.

What a container does is, it comes as a software but contains everything it depends upon. Like if a script requires a example.so linker files and a whole g++ installed to run, a container can include all of those and still remain lightweight than you expect!

This is all the magic of linux namespaces and cgroups. The concept of isolation of processes was thought long back then and kept in linux.

So, if you’re running a virtual machine, then it runs on top of a hypervisor such as virtualbox, hyper-v, vmware, but docker containers run on the same host, but do not share the same PID list and are isolated from each other.

Keep in mind, docker container are also built secure and has minimal security concerns to think of if you configure it properly.

So, docker is just a platform which is used to control the containers effectively.

Or, quoting from the wiki:

Docker is a set of platform as a service products that use OS-level virtualization to deliver software in packages called containers.

You can research further about docker and containers.

So, when you convert your whole development environment inside a docker container, it’s totally isolated from the host operating system and also can be managed as a whole from the host operating system, or via docker cli.

Solution

I won’t cover installing docker in this article, but you can look it up here. Installing Docker :https://docs.docker.com/get-docker/

So, in order to convert your visual studio code setup into docker container. the first you need is to choose an docker image to run.

Keep in mind, docker images are the whole software shipped with dependencies which can run isolatedly forming containers.

The most common one to use is ubuntu (if you prefer a big community) or archlinux (if you prefer lightweight)

#if you want to run ubuntu, execute this after installing docker.
docker pull ubuntu:20.04
#if you want to run arch, execute this after installing docker.
docker pull archlinux

After you’ve pulled the images for your development environment, we’ll use a volume so it’ll be easier for you to share files, to and from the container.

#For ubuntu,
docker run -d -it --name ubuntu-dev -v ~/my_files:/my_files ubuntu:20.04 /bin/sh # or /bin/bash

#For arch,
docker run -d -it --name arch-dev -v ~/my_files:/my_files archlinux /bin/sh # or /bin/bash

Now, you can check if your container is running using docker container ps

CONTAINER ID   IMAGE          COMMAND       CREATED          STATUS          PORTS     NAMES
84bc37ed215b   ubuntu:20.04   "/bin/bash"   54 minutes ago   Up 44 minutes             ubuntu-machine

The output should be similar to above one.

Now, you can open vscode and install remote pack extensions.

Install this extension pack, if you don’t have already which will allow you to setup vscode remotely in a container.

Now, you’ll see your container listed here. Just click on it and vscode will prepare a development environment in the container and make it ready to start coding.

Now, you can install all your compilers, interpreters and everything using the provided bash via package managers.

When you need to remove the development environment just remove the container and you’re good to go :)

Automatic Type Conversion in Runtime | Python

Har Har Mahadev! — Wed, 02 Dec 2020 12:33:13 GMT

Hi. I am back with an exciting topic in python.

How many times you have come across functions which automatically convert your values to required types in runtime?

For e.g. In Django whenever you define your types like this in route definitions the URL parameters are automatically parsed inside of your function.

urlpatterns = [

path("/", someRandomView, name="home"),
path("/", someRandomProfile, name="home_profile")

]

So whenever you define your views, your data types are automatically converted to the required data type.

def someRandomView(slug):
  ...

def someRandomProfile(pk):
  ...

This offers a huge convenience in your application by automatically converting your type as per your function or something hints the function wants to achieve.

Similar behavior is achieved in fast API.

Let’s define a simple function.

def getAge(age, name):
    print( f" {age} : {type(age)} , {name} : {type(name)} " )

You can see our types are nowhere defined in this piece of code. But, we can guess the user wants to age as an int variable and name as an str variable ( most probably). But python doesn’t work that way. You can call that function with any variable you want.

It would be a lot better if your code automatically gave the developer some idea about data types.

Let’s refactor that piece of code a little bit.

def getAge(age: int, name: str):
    print( f" {age} : {type(age)} , {name} : {type(name)} " )

Now, this code is a lot cleaner than your previous code. But, we still have the same problem but it aids a little bit. Your text editor may flag out wrong parameter types if you’re using some linters or running on mypy.

But, what we wanted to achieve is to make automatic type conversions in runtime. So, whenever you call the function, your arguments are automatically parsed to be converted into required data types.

Let’s try writing a decorator to print what exactly we can extract out of the function definition.

from typing import Callable

def decorator(func: Callable):

    def inner_func(*args, **kwargs):
        print(kwargs, func.__annotations__)
        func(*args, **kwargs)

    return inner_func


@decorator
def getAge(age: int, name: str):
    print( f" {age} : {type(age)} , {name} : {type(name)} " )

When we call the function using getAge(age=12,name=”Mahesh”), this is the output we get.

kwargs: {'age': 12, 'name': 'mahesh'}
__annotations__ : {'age': <class 'int'>, 'name': <class 'str'>}

Now, this makes sense. Your annotations are extracted from your function in the compile time of the function and not changed by your arguments.

So, to achieve automatic type conversion on the function, we can write all the code to convert types as mentioned in the function annotations.

#/bin/env python
from typing import Callable
def decorator(function: Callable):

    def inner_function(*args, **kwargs):

        newKwargs = {}

        for argName, typeName in function.__annotations__.items():
            if typeName is int:
                intVar = int(kwargs[argName])
                newKwargs[argName] = intVar
            elif typeName is str:
                strVar = str(kwargs[argName])
                newKwargs[argName] = strVar
        function(*args, **newKwargs)

    return inner_function


@decorator
def getAge(age: int, name: str):
    print( f" {age} : {type(age)} , {name} : {type(name)} " )

And boom, this works!

Whenever you call the function, it gets automatically converted to the required type and if it fails, it will throw the value error.