Merge pull request #13 from investigativedata/develop

v0.0.4

Author: simonwoerpel

.bumpversion.cfg

@@ -1,11 +1,13 @@
 [bumpversion]
-current_version = 0.0.3
+current_version = 0.0.4
 commit = True
 tag = True
 message = 🔖 Bump version: {current_version} → {new_version}
 
 [bumpversion:file:VERSION]
 
 [bumpversion:file:pyproject.toml]
+search = version = "{current_version}"
+replace = version = "{new_version}"
 
 [bumpversion:file:leakrfc/__init__.py]

.github/workflows/docker.yml

@@ -39,7 +39,7 @@ jobs:
         uses: docker/build-push-action@v6
         with:
           context: .
-          platforms: linux/amd64,linux/arm64
+          platforms: linux/amd64  #,linux/arm64
           push: true
           tags: ${{ steps.meta.outputs.tags }}
           labels: ${{ steps.meta.outputs.labels }}

.gitignore

@@ -1,6 +1,7 @@
 _wip
 archive/*
 .anystore/*
+tests/fixtures/**/.leakrfc/*
 # Byte-compiled / optimized / DLL files
 __pycache__/
 *.py[cod]

.pre-commit-config.yaml

@@ -69,10 +69,7 @@ repos:
       - id: rst-inline-touching-normal
 
   - repo: https://github.com/python-poetry/poetry
-    rev: 1.8.0
+    rev: 2.0.1
     hooks:
       - id: poetry-check
       - id: poetry-lock
-        args: ["--no-update"]
-      - id: poetry-export
-        args: ["-f", "requirements.txt", "-o", "requirements.txt"]

Makefile

@@ -33,3 +33,7 @@ clean:
 	find . -name '*.pyo' -exec rm -f {} +
 	find . -name '*~' -exec rm -f {} +
 	find . -name '__pycache__' -exec rm -fr {} +
+
+documentation:
+	mkdocs build
+	aws --endpoint-url https://s3.investigativedata.org s3 sync ./site s3://docs.investigraph.dev/lib/leakrfc

NOTICE

@@ -1,4 +1,5 @@
 LEAKRFC, (C) 2024 investigativedata.io
+LEAKRFC, (C) 2025 investigativedata.io
 
 This product includes software developed at investigativedata.io
 (https://investigativedata.io)

README.md

@@ -1,162 +1,24 @@
 # leakrfc
 
-_An RFC for leaks_
+"_A RFC for leaks_"
 
 [leak-rfc.org](https://leak-rfc.org)
 
 `leakrfc` provides a _data standard_ and _archive storage_ for leaked data, private and public document collections. The concepts and implementations are originally inspired by [mmmeta](https://github.com/simonwoerpel/mmmeta) and [Aleph's servicelayer archive](https://github.com/alephdata/servicelayer).
 
-`leakrfc` acts as a standardized storage and retrieval mechanism for documents and their metadata. It provides an high-level interface for generating and sharing document collections and importing them into various analysis platforms, such as [_ICIJ Datashare_](https://datashare.icij.org/), [_Liquid Investigations_](https://github.com/liquidinvestigations/), and [_Aleph_](docs.aleph.occrp.org/).
+`leakrfc` acts as a multi-tenant storage and retrieval mechanism for documents and their metadata. It provides a high-level interface for generating and sharing document collections and importing them into various search and analysis platforms, such as [_ICIJ Datashare_](https://datashare.icij.org/), [_Liquid Investigations_](https://github.com/liquidinvestigations/), and [_Aleph_](https://docs.aleph.occrp.org/).
 
-It can act as a drop-in replacement for the underlying archive of [Aleph](https://docs.aleph.occrp.org/).
+## Installation
 
-## install
+Requires python 3.11 or later.
 
 ```bash
 pip install leakrfc
 ```
 
-## build a dataset
+## Documentation
 
-`leakrfc` stores _metadata_ for the files that then refers to the actual _source file_.
-
-List the files in a public accessible source (using [`anystore`](https://github.com/investigativedata/anystore/)):
-
-```bash
-ANYSTORE_URI="https://data.ddosecrets.com/Patriot%20Front/patriotfront/2021/Organizational%20Documents%20and%20Notes/" anystore keys
-```
-
-Crawl these documents into this _dataset_:
-
-```bash
-leakrfc -d ddos_patriotfront crawl "https://data.ddosecrets.com/Patriot%20Front/patriotfront/2021/Organizational%20Documents%20and%20Notes"
-```
-
-The _metadata_ and _source files_ are now stored in the archive (`./data` by default). All _metadata_ and other information lives in the `ddos_patriotfront/.leakrfc` subdirectory. Files are keyed and retrievable by their checksum (default: `sha1`).
-
-Retrieve file metadata:
-
-```bash
-leakrfc -d ddos_patriotfront head "19338a97797bcc0eeb832cf7169cbbafc54ed255"
-```
-
-Retrieve actual file blob:
-
-```bash
-leakrfc -d ddos_patriotfront get "19338a97797bcc0eeb832cf7169cbbafc54ed255" > file.pdf
-```
-
-## api
-
-### run api
-
-```bash
-export LEAKRFC_ARCHIVE__URI=./data
-uvicorn leakrfc.api:app
-```
-
-### request a file
-
-For public files:
-
-```bash
-# metadata only via headers
-curl -I "http://localhost:5000/<dataset>/<sha1>"
-
-# bytes stream of file
-curl -s "http://localhost:5000/<dataset>/<sha1>" > /tmp/file.lrfc
-```
-
-Authorization expects an encrypted bearer token with the dataset and key lookup in the subject (token payload: `{"sub": "<dataset>/<key>"}`). Therefore, clients need to be able to create such tokens (knowing the secret key) and handle dataset permissions.
-
-Tokens should have a short expiration (via `exp` property in payload).
-
-```bash
-# token in Authorization header
-curl -H 'Authorization: Bearer <token>' ...
-
-# metadata only via headers
-curl -I "http://localhost:5000/file"
-
-# bytes stream of file
-curl -s "http://localhost:5000/file" > /tmp/file.s
-```
-
-## configure storage
-
-```yaml
-storage_config:
-  uri: s3://my_bucket
-  backend_kwargs:
-    endpoint_url: https://s3.example.org
-    aws_access_key_id: ${AWS_ACCESS_KEY_ID}
-    aws_secret_access_key: ${AWS_SECRET_ACCESS_KEY}
-```
-
-### pass through legacy aleph
-
-```yaml
-storage_config:
-  uri: gcs://aleph_archive/
-  legacy_aleph: true
-  copy_over: true # subsequently merge legacy archive data into `leakrfc`
-```
-
-## layout
-
-The _RFC_ is reflected by the following layout structure for a _Dataset_:
-
-```bash
-./archive/
-    my_dataset/
-
-        # metadata maintained by `leakrfc`
-        .leakrfc/
-            index.json      # generated dataset metadata served for clients
-            config.yml      # dataset configuration
-            documents.csv   # document database (all metadata combined)
-            keys.csv        # hash -> uri mapping for all files
-            state/          # processing state
-                logs/
-                created_at
-                updated_at
-            entities/
-                entities.ftm.json
-            files/                         # FILE METADATA STORAGE:
-                a1/b1/a1b1c1.../info.json  # - file metadata as json REQUIRED
-                a1/b1/a1b1c1.../txt        # - extracted plain text
-                a1/b1/a1b1c1.../converted.pdf  # - converted file, e.g. from .docx to .pdf for better web display
-                a1/b1/a1b1c1.../extracted/ # - extracted files from packages/archives
-                    foo.txt
-            export/
-                my_dataset.img.zst         # dump as image
-                my_dataset.leakrfc         # dump as zipfile
-
-        # actual (read-only) data
-        Arbitrary Folder/
-            Source1.pdf
-            Tables/
-                Another_File.xlsx
-```
-
-### dataset config.yml
-
-Follows the specification in [`ftmq.model.Dataset`](https://github.com/investigativedata/ftmq/blob/main/ftmq/model/dataset.py):
-
-```yaml
-name: my_dataset #  also known as "foreign_id"
-title: An awesome leak
-description: >
-  Incidunt eum asperiores impedit. Nobis est dolorem et quam autem quo. Name
-  labore sequi maxime qui non voluptatum ducimus voluptas. Exercitationem enim
-  similique asperiores quod et quae maiores. Et accusantium accusantium error
-  et alias aut omnis eos. Omnis porro sit eum et.
-updated_at: 2024-09-25
-index_url: https://static.example.org/my_dataset/index.json
-# add more metadata
-
-leakrfc: # see above
-```
+[docs.investigraph.dev/lib/leakrfc](https://docs.investigraph.dev/lib/leakrfc)
 
 ## Development
 
@@ -183,6 +45,7 @@ Before creating a commit, this checks for correct code formatting (isort, black)
 ## License and Copyright
 
 `leakrfc`, (C) 2024 investigativedata.io
+`leakrfc`, (C) 2025 investigativedata.io
 
 `leakrfc` is licensed under the AGPLv3 or later license.
 

VERSION

@@ -1 +1 @@
-0.0.3
+0.0.4

docs/api.md

@@ -0,0 +1,57 @@
+`leakrfc` provides a simpel api powered by [FastAPI](https://fastapi.tiangolo.com/) for clients to retrieve file metadata and blobs. It therefore acts as a proxy between client and archive, so that the client doesn't need to know where the actual blobs live. The api can handle authorization via [JSON Web Tokens](https://jwt.io).
+
+## Start local api server
+
+This is for a quick testing setup:
+
+```bash
+export LEAKRFC_URI=./data
+uvicorn leakrfc.api:app
+```
+
+!!! warning
+
+    Never run the api with `DEBUG=1` in a production application and make sure to have a proper setup with a load balancer (e.g. nginx) doing TLS termination in front of it. As well make sure to set a good `LEAKRFC_API_SECRET_KEY` environment variable for the token authorization.
+
+## Request a file
+
+For public files:
+
+```bash
+# metadata only via headers
+curl -I "http://localhost:5000/test_dataset/utf.txt"
+
+HTTP/1.1 200 OK
+date: Thu, 16 Jan 2025 08:44:59 GMT
+server: uvicorn
+content-length: 4
+content-type: application/json
+x-leakrfc-version: 0.0.3
+x-leakrfc-dataset: test_dataset
+x-leakrfc-key: utf.txt
+x-leakrfc-sha1: 5a6acf229ba576d9a40b09292595658bbb74ef56
+x-leakrfc-name: utf.txt
+x-leakrfc-size: 19
+x-mimetype: text/plain
+content-type: text/plain
+```
+
+```bash
+# bytes stream of file
+curl -s "http://localhost:5000/<dataset>/<path>" > /tmp/file.pdf
+```
+
+Authorization expects an encrypted bearer token with the dataset and key lookup in the subject (token payload: `{"sub": "<dataset>/<key>"}`). Therefore, clients need to be able to create such tokens (knowing the secret key configured via `LEAKRFC_API_SECRET_KEY`) and handle dataset permissions.
+
+Tokens should have a short expiration (via `exp` property in payload).
+
+```bash
+# token in Authorization header
+curl -H 'Authorization: Bearer <token>' ...
+
+# metadata only via headers
+curl -I "http://localhost:5000/file"
+
+# bytes stream of file
+curl -s "http://localhost:5000/file" > /tmp/file.lrfc
+```

docs/cache.md

@@ -0,0 +1,17 @@
+For incremental processing of tasks, `leakrfc` uses a global cache to track task results. If a computed cache key for a specific task (e.g. sync a file, extract an archive) is already found in cache, running the task again will be skipped. This is implemented very granular and applies to all kinds of operations, such as [crawl](./crawl.md), [make](./make.md) and the adapters (currently [aleph](./sync/aleph.md))
+
+`leakrfc` is using [anystore](https://docs.investigraph.dev/lib/anystore/cache/) for the cache implementation, so any supported backend is possible. Recommended backends are redis or sql, but a distributed cloud-backend (such as a shared s3 bucket) can make sense, too.
+
+Per default, an in-memory cache is used, which doesn't persist.
+
+## Configure
+
+Via environment var:
+
+```bash
+LEAKRFC_CACHE__URI=redis://localhost
+
+# additional config
+LEAKRFC_CACHE__DEFAULT_TTL=3600  # seconds
+LEAKRFC_CACHE__BACKEND_CONFIG__REDIS_PREFIX=my-prefix
+```