[INFRA-5590] Add functions to Download file from Cloud Providers (#2)

* Download file from AWS S3

* [INFRA-5590] Bazel functions and rules to download file from AWS S3

* Update README.md

* change the file name and do some cleanups

---------

Co-authored-by: Xiandong Meng <[email protected]>

Author: Angellow

.github/pull_request_template.md

@@ -0,0 +1,33 @@
+- [ ] Include relevant Jira ticket ID(s) in the PR title
+
+Why?
+----
+- Why is this PR necessary? What problem is this trying to solve?
+
+How?
+----
+- How are we solving the above challenge?
+- Explain the design
+- Add any relevant reference links
+
+Testing Evidence
+----------------
+- Examples:
+  - Screenshots/Videos
+  - API request/responses
+  - DAG inspect results
+  - Query plan
+  - CLI command input/output
+  - etc
+
+Deployment Steps
+----------------
+- Examples:
+  - Migration plan (e.g. databases, services)
+  - Config changes (e.g. flag creation/setup)
+  - Any PR dependencies (link/specify which PRs need to be merged and deployed before or after)
+
+Deployment Verification
+-----------------------
+- How do you test the PR is working correctly?
+- What do SLA/on-call teams need to know to monitor for any issues as a result of this PR?

README.md

@@ -1,3 +1,24 @@
 # Rules Cloud Files
 
 This repo contains Bazel rules related to fetching files from a cloud storage provider, namely, AWS S3, etc.
+
+## Usage
+- Example 
+```starlark
+load("@bazel_tools//tools/build_defs/repo:git.bzl", "git_repository")
+git_repository(
+    name = "rules_cloud_files",
+    remote = "https://github.com/6si/rules_cloud_files.git",
+    commit = "d8097550e5c507f29c760a670daa3230c52dda59",
+)
+
+load("@rules_cloud_files//cloud_file:cloud_file_rules.bzl", "s3_file")
+
+s3_file(
+    name = "my_file",
+    bucket = "bootstrap-software",
+    file_path = "hadoop2-configs-20180306012540.tgz",
+    sha256 = "74a0bdd648f009ebce72494f54903230a9dcebaca1d438a13c1c691ad2f1e110",
+)
+```
+This is an example to download the file from s3://bootstrap-software/hadoop2-configs-20180306012540.tgz.

WORKSPACE

@@ -0,0 +1 @@
+workspace(name = "rules_cloud_files")

cloud_file/BUILD

@@ -0,0 +1,154 @@
+"""
+Module for downloading and validating the checksum of the downloaded file.
+
+This module contains the `validate_checksum` function and `cloud_file_download` function
+"""
+def validate_checksum(repo_ctx, url, local_path, expected_sha256):
+    """
+    Verify the checksum of the downloaded file.
+
+    This function uses the sha256sum command to generate the checksum of the
+    file located at local_path. The generated checksum is compared to the
+    expected_sha256 value and if they do not match, the function raises an error.
+
+    Args:
+        repo_ctx (object): The repository context object.
+        url (str): The URL of the file.
+        local_path (str): The local path of the file on the system.
+        expected_sha256 (str): The expected sha256 value of the file.
+
+    Raises:
+        Exception: If the checksum of the file does not match the expected_sha256 value.
+    """
+    sha256_path = repo_ctx.which("sha256sum")
+    repo_ctx.report_progress("Checksumming {}.".format(local_path))
+    sha256_result = repo_ctx.execute([sha256_path, local_path])
+    if sha256_result.return_code != 0:
+        fail("Failed to verify checksum: {}".format(sha256_result.stderr))
+    sha256 = sha256_result.stdout.split(" ")[0]
+    if sha256 != expected_sha256:
+        fail("Checksum mismatch for {}, expected {}, got {}.".format(
+            url,
+            expected_sha256,
+            sha256,
+        ))
+
+_CLOUD_FILE_DOWNLOAD = """
+package(default_visibility = ["//visibility:public"])
+
+filegroup(
+    name = "file",
+    srcs = ["{}"],
+)
+"""
+
+def cloud_file_download(
+        repo_ctx,
+        file_path,
+        expected_sha256,
+        provider,
+        bucket = "",
+        build_file = "",
+        profile = ""):
+    """
+    Securely download the file from the cloud provider.
+
+    The function downloads the specified file from a cloud provider and checks its
+    sha256 hash to verify its integrity.
+
+    Args:
+        repo_ctx (object): Bazel repository context.
+        file_path (str): Path to the file to download from Cloud Provider.
+        expected_sha256 (str): Expected sha256 hash of the downloaded file.
+        provider (str): Name of the cloud provider, default is set to "s3".
+        bucket (str): Name of the bucket containing the file.
+        build_file(str): Build file for the downloaded file
+        profile (str): CLI profile to use for authentication.
+
+    Raises:
+        Exception: If the command line utility is not found, if downloading the
+        file fails or if the sha256 hash of the downloaded file does not match the
+        expected value.
+    """
+    filename = repo_ctx.path(file_path).basename
+    if provider == "s3":
+        tool_path = repo_ctx.which("aws")
+        if tool_path == None:
+            fail("Could not find command line utility for S3")
+        extra_flags = ["--profile", profile] if profile else []
+        src_url = "s3://{}/{}".format(bucket, file_path)
+        cmd = [tool_path] + extra_flags + ["s3", "cp", src_url, "."]
+    elif provider == "gcp":
+        tool_path = repo_ctx.which("gsutil")
+        if tool_path == None:
+            fail("Could not find command line utility for GCP")
+        src_url = "gs://{}/{}".format(bucket, file_path)
+        cmd = [tool_path, "cp", src_url, "."]
+    else:
+        fail("Provider not supported: " + provider.capitalize())
+
+    # Download.
+    repo_ctx.report_progress("Downloading {}.".format(src_url))
+    result = repo_ctx.execute(cmd, timeout = 1800)
+    if result.return_code != 0:
+        fail("Failed to download {} from {}: {}".format(src_url, provider.capitalize(), result.stderr))
+
+    # Verify.
+    filename = repo_ctx.path(src_url).basename
+    validate_checksum(repo_ctx, file_path, filename, expected_sha256)
+    
+    # Default build file set to get the file
+    repo_ctx.file("BUILD.bazel", _CLOUD_FILE_DOWNLOAD.format(filename), executable = False)
+    
+    # Use user provided build file if exists
+    bash_path = repo_ctx.os.environ.get("BAZEL_SH", "bash")
+    if build_file:
+        repo_ctx.execute([bash_path, "-c", "rm -f BUILD BUILD.bazel"])
+        repo_ctx.symlink(build_file, "BUILD.bazel")
+
+def _cloud_file_impl(ctx):
+    cloud_file_download(
+        ctx,
+        ctx.attr.file_path,
+        ctx.attr.sha256,
+        provider = ctx.attr._provider,
+        build_file = ctx.attr.build_file,
+        profile = ctx.attr.profile if hasattr(ctx.attr, "profile") else "",
+        bucket = ctx.attr.bucket if hasattr(ctx.attr, "bucket") else "",
+    )
+
+s3_file = repository_rule(
+    implementation = _cloud_file_impl,
+    attrs = {
+        "bucket": attr.string(mandatory = True, doc = "Bucket name"),
+        "file_path": attr.string(
+            mandatory = True,
+            doc = "Relative path to the archive file within the bucket",
+        ),
+        "profile": attr.string(doc = "Profile to use for authentication."),
+        "sha256": attr.string(mandatory = True, doc = "SHA256 checksum of the archive"),
+        "build_file": attr.label(
+            allow_single_file = True,
+            doc = "BUILD file for the downloaded file",
+        ),
+        "_provider": attr.string(default = "s3"),
+    },
+)
+
+gcp_file = repository_rule(
+    implementation = _cloud_file_impl,
+    attrs = {
+        "bucket": attr.string(mandatory = True, doc = "Bucket name"),
+        "file_path": attr.string(
+            mandatory = True,
+            doc = "Relative path to the archive file within the bucket",
+        ),
+        "profile": attr.string(doc = "Profile to use for authentication."),
+        "sha256": attr.string(mandatory = True, doc = "SHA256 checksum of the archive"),
+        "build_file": attr.label(
+            allow_single_file = True,
+            doc = "BUILD file for the downloaded file",
+        ),
+        "_provider": attr.string(default = "gcp"),
+    },
+)