Facere/FacereDataset
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases 2 Wiki Activity

tools/epro2/std: fetch + decrypt Pro 2.x encrypted-external blobs

Browse Source 
Pro 2.x stores some doc payloads (notably Taishan's PCB) externally at
modules.lceda.cn keyed by dataStrId, AES-256-GCM encrypted with the
iv/key fields stored alongside. Same crypto pattern as Pro 3.x EPRO2:
last 16 bytes are the GCM auth tag, rest is gzip(plaintext-op-stream).
The CDN doesn't require auth.

  - pro2_writer.fetch_encrypted_plaintext(): fetch + decrypt + gunzip,
    cache result at source/<uuid>.decrypted.txt so re-runs skip the
    network round-trip. Heavy imports (httpx, pycryptodome) are
    deferred to call-time so the pure-replay path doesn't pay for them.
  - pro2_writer.split_plaintext_by_doctype(): walk the multi-doc
    plaintext (Pro 2.x bundles N FOOTPRINTs + 1 PCB into one blob), yield
    (label, sub_text) per inner doc. Label = HEAD.uuid if present, else
    fallback `<kind>_<idx>`.
  - __main__._convert_pro2_encrypted(): for each sub-doc, write a
    synthetic inline-Pro-2.x JSON next to the original and re-route
    through write_pro2_doc — re-uses BBox / layers / objects-extraction
    instead of duplicating the logic. Output filename
    `<parent_uuid>__<sub_label>.json` makes the parent association
    visible.

Smoke (Taishan): 28 inline SCHs → 55 total. Decrypts:
  - one PCB blob (3.4 MB plaintext, 20267-object PCB + 25 FOOTPRINT
    sub-docs of 130-580 objects each)
  - one SCH-typed encrypted doc (1 sub-SCH of 891 objects)

86 unit tests still pass; new fetch/decrypt path is covered manually
via the smoke test rather than mocking httpx + AES.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
This commit is contained in:
Knowit
2026-04-29 02:07:40 +08:00
parent 3720cd176a
commit d11ca1d3be
2 changed files with 215 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files

118
tools/epro2/std/pro2_writer.py
View File

@@ -30,9 +30,11 @@ modules.lceda.cn + AES-decrypt is out of this writer's scope.
from __future__ import annotations
import gzip
import json
from dataclasses import dataclass
from pathlib import Path
from typing import Iterator
# Pro 2.x ops that carry no addressable id (one per doc) — keyed by their
@@ -166,6 +168,122 @@ def _layers_from_objects(objects: dict[str, list]) -> list[str]:
return layers
def fetch_encrypted_plaintext(json_path: Path) -> str | None:
"""For an encrypted-external Pro 2.x JSON (carries `dataStrId/iv/key`
instead of inline `dataStr`), fetch the AES-GCM blob from modules.lceda.cn,
decrypt + gunzip, and return the plaintext op-stream string.
Caches the result alongside the source file at
``<source>/<uuid>.decrypted.txt`` so subsequent runs skip the network
+ crypto round-trip entirely.
Returns None if the JSON isn't encrypted-external, or if any step
fails (network, AES tag, gunzip — all caught and logged).
"""
raw = json.loads(json_path.read_text(encoding="utf-8"))
if "dataStr" in raw:
return None
url = raw.get("dataStrId")
iv_hex = raw.get("iv")
key_hex = raw.get("key")
if not (url and iv_hex and key_hex):
return None
cache = json_path.with_suffix(".decrypted.txt")
if cache.exists():
return cache.read_text(encoding="utf-8")
# Heavy imports only when actually fetching; the pure-replay path
# shouldn't pay for httpx + pycryptodome import time.
import httpx
from Crypto.Cipher import AES
try:
with httpx.Client(timeout=60.0) as c:
r = c.get(url)
r.raise_for_status()
blob = r.content
except httpx.HTTPError as e:
print(f" encrypted-external fetch failed for {json_path.name}: {e}")
return None
if len(blob) < 16:
print(f" encrypted-external blob too short ({len(blob)} B): {json_path.name}")
return None
ct, tag = blob[:-16], blob[-16:]
try:
cipher = AES.new(bytes.fromhex(key_hex), AES.MODE_GCM, nonce=bytes.fromhex(iv_hex))
gz = cipher.decrypt_and_verify(ct, tag)
plain_bytes = gzip.decompress(gz)
except Exception as e: # noqa: BLE001 — any crypto / gzip failure
print(f" encrypted-external decrypt failed for {json_path.name}: {e}")
return None
plain = plain_bytes.decode("utf-8", errors="replace")
try:
cache.write_text(plain, encoding="utf-8")
except OSError:
pass # caching is best-effort; skip if we can't write
return plain
def split_plaintext_by_doctype(plain: str) -> Iterator[tuple[str, str]]:
"""Walk a multi-doc plaintext op-stream and yield ``(doc_label, sub_text)``
per inner document.
Pro 2.x's encrypted blob bundles N FOOTPRINTs + 1 PCB (or N SYMBOLs +
1 SCH for schematic blobs). Each inner doc starts with a fresh
``["DOCTYPE", "<KIND>", "<version>"]`` line. We split on those.
The label is the HEAD op's `uuid` field if present, else
``<doctype_kind>_<index>``.
"""
cur_lines: list[str] = []
cur_uuid: str | None = None
cur_kind: str | None = None
idx = 0
def flush() -> tuple[str, str] | None:
nonlocal cur_lines, cur_uuid, cur_kind, idx
if not cur_lines:
return None
label = cur_uuid or f"{(cur_kind or 'doc').lower()}_{idx}"
idx += 1
text = "\n".join(cur_lines)
cur_lines = []
cur_uuid = None
cur_kind = None
return (label, text)
for line in plain.splitlines():
stripped = line.strip()
if not stripped:
continue
try:
arr = json.loads(stripped)
except json.JSONDecodeError:
cur_lines.append(line)
continue
if not isinstance(arr, list) or not arr:
continue
if arr[0] == "DOCTYPE":
# Boundary: flush previous doc (if any), start new
prev = flush()
if prev is not None:
yield prev
cur_kind = arr[1] if len(arr) > 1 else None
cur_lines.append(line)
continue
if arr[0] == "HEAD" and len(arr) > 1 and isinstance(arr[1], dict):
cur_uuid = arr[1].get("uuid") or cur_uuid
cur_lines.append(line)
last = flush()
if last is not None:
yield last
def write_pro2_doc(
json_path: Path,
*,