aptible-cli 0.16.2 → 0.16.3

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: c50391308952a422d84f497808c25fbaf4c405730497266a299e69b632f37887
-  data.tar.gz: 6146d0c3dc58d7ef9786f95a341a22d500689c42f67ed48c0b824f62a2f250c6
+  metadata.gz: 3eb92fffdc685a61fd06c0d5b38b485395eccb0e1762d8efeab0514e74c61b6b
+  data.tar.gz: 2237aacb034a1f7f7b1ae41328f0c05ee9393b7d48d6bdca93ca72072e867183
 SHA512:
-  metadata.gz: 156abd2537b61dd8416ce75f6b8389e807306869254bef47db51c80e081a433e3b802483327748c0bb18c9c5691dd537fc14f4f536c55505f01e8c7aa2a86849
-  data.tar.gz: eec30d958642888b92418343ded298ba9ddb49b370395795281e4390494c0a480c771b202b0e7845c1a953c43354cb9aa3404f31589146741fe6d6e2c91f1707
+  metadata.gz: c3ad2d2c88fa090eb8f65a9f4b91b1c3bccf180764a69ef6d60c3f068e37b6fafbbea515f9a6451b2983aa6e44dcd82bee1020003069e644c3389a2011207764
+  data.tar.gz: 63cc2f56d9f14f9c5981cae0df45d1de16bf03ee714ddb8635641176ad8f6315d1a00ca154b8ad377274a7494d8ca268e9873ea0b51eb1aa8186a1094f444ad6

data/README.md

@@ -48,6 +48,7 @@ Commands:
   aptible db:execute HANDLE SQL_FILE [--on-error-stop]                                                                               # Executes sql against a database
   aptible db:list                                                                                                                    # List all databases
   aptible db:reload HANDLE                                                                                                           # Reload a database
+  aptible db:replicate HANDLE REPLICA_HANDLE [--container-size SIZE_MB] [--size SIZE_GB]                                             # Create a replica/follower of a database
   aptible db:restart HANDLE [--container-size SIZE_MB] [--size SIZE_GB]                                                              # Restart a database
   aptible db:tunnel HANDLE                                                                                                           # Create a local tunnel to a database
   aptible db:url HANDLE                                                                                                              # Display a database URL

data/lib/aptible/cli/agent.rb

@@ -15,6 +15,8 @@ require_relative 'helpers/app_or_database'
 require_relative 'helpers/vhost'
 require_relative 'helpers/vhost/option_set_builder'
 require_relative 'helpers/tunnel'
+require_relative 'helpers/system'
+require_relative 'helpers/security_key'
 
 require_relative 'subcommands/apps'
 require_relative 'subcommands/config'
@@ -39,6 +41,7 @@ module Aptible
 
       include Helpers::Token
       include Helpers::Ssh
+      include Helpers::System
       include Subcommands::Apps
       include Subcommands::Config
       include Subcommands::DB
@@ -83,8 +86,9 @@ module Aptible
       option :otp_token, desc: 'A token generated by your second-factor app'
       def login
         email = options[:email] || ask('Email: ')
-        password = options[:password] || ask('Password: ', echo: false)
-        puts ''
+        password = options[:password] || ask_then_line(
+          'Password: ', echo: false
+        )
 
         token_options = { email: email, password: password }
 
@@ -93,7 +97,7 @@ module Aptible
 
         begin
           lifetime = '1w'
-          lifetime = '12h' if token_options[:otp_token]
+          lifetime = '12h' if token_options[:otp_token] || token_options[:u2f]
           lifetime = options[:lifetime] if options[:lifetime]
 
           duration = ChronicDuration.parse(lifetime)
@@ -104,14 +108,63 @@ module Aptible
           token_options[:expires_in] = duration
           token = Aptible::Auth::Token.create(token_options)
         rescue OAuth2::Error => e
-          if e.code == 'otp_token_required'
-            token_options[:otp_token] = options[:otp_token] ||
-                                        ask('2FA Token: ')
-            retry
+          # If a MFA is require but a token wasn't provided,
+          # prompt the user for MFA authentication and retry
+          if e.code != 'otp_token_required'
+            raise Thor::Error, 'Could not authenticate with given ' \
+                               "credentials: #{e.code}"
           end
 
-          raise Thor::Error, 'Could not authenticate with given credentials: ' \
-                             "#{e.code}"
+          u2f = (e.response.parsed['exception_context'] || {})['u2f']
+
+          q = Queue.new
+          mfa_threads = []
+
+          # If the user has added a security key and their computer supports it,
+          # allow them to use it
+          if u2f && !which('u2f-host').nil?
+            origin = Aptible::Auth::Resource.new.get.href
+            app_id = Aptible::Auth::Resource.new.utf_trusted_facets.href
+
+            challenge = u2f.fetch('challenge')
+
+            devices = u2f.fetch('devices').map do |dev|
+              Helpers::SecurityKey::Device.new(
+                dev.fetch('version'), dev.fetch('key_handle')
+              )
+            end
+
+            puts 'Enter your 2FA token or touch your Security Key once it ' \
+                 'starts blinking.'
+
+            mfa_threads << Thread.new do
+              token_options[:u2f] = Helpers::SecurityKey.authenticate(
+                origin, app_id, challenge, devices
+              )
+
+              puts ''
+
+              q.push(nil)
+            end
+          end
+
+          mfa_threads << Thread.new do
+            token_options[:otp_token] = options[:otp_token] || ask(
+              '2FA Token: '
+            )
+
+            q.push(nil)
+          end
+
+          # Block until one of the threads completes
+          q.pop
+
+          mfa_threads.each do |thr|
+            sleep 0.5 until thr.status != 'run'
+            thr.kill
+          end.each(&:join)
+
+          retry
         end
 
         save_token(token.access_token)

data/lib/aptible/cli/helpers/database.rb

@@ -47,6 +47,21 @@ module Aptible
           databases_from_handle(dest_handle, source.account).first
         end
 
+        def replicate_database(source, dest_handle, options)
+          replication_params = {
+            type: 'replicate',
+            handle: dest_handle,
+            container_size: options[:container_size],
+            disk_size: options[:size]
+          }.reject { |_, v| v.nil? }
+          op = source.create_operation!(replication_params)
+          attach_to_operation_logs(op)
+
+          replica = databases_from_handle(dest_handle, source.account).first
+          attach_to_operation_logs(replica.operations.last)
+          replica
+        end
+
         # Creates a local tunnel and yields the helper
 
         def with_local_tunnel(credential, port = 0)

data/lib/aptible/cli/helpers/security_key.rb

@@ -0,0 +1,136 @@
+module Aptible
+  module CLI
+    module Helpers
+      module SecurityKey
+        U2F_LOGGER = Logger.new(
+          ENV['U2F_DEBUG'] ? STDERR : File.open(File::NULL, 'w')
+        )
+
+        class AuthenticatorParameters
+          attr_reader :origin, :challenge, :app_id, :version, :key_handle
+          attr_reader :request
+
+          def initialize(origin, challenge, app_id, device)
+            @origin = origin
+            @challenge = challenge
+            @app_id = app_id
+            @version = device.version
+            @key_handle = device.key_handle
+
+            @request = {
+              'challenge' => challenge,
+              'appId' => app_id,
+              'version' => version,
+              'keyHandle' => key_handle
+            }
+          end
+        end
+
+        class ThrottledAuthenticator
+          attr_reader :pid
+
+          def initialize(auth, pid)
+            @auth = auth
+            @pid = pid
+          end
+
+          def exited(_status)
+            [Authenticator.spawn(@auth), nil]
+          end
+
+          def self.spawn(auth)
+            pid = Process.spawn(
+              'sleep', '2',
+              in: :close, out: :close, err: :close,
+              close_others: true
+            )
+
+            U2F_LOGGER.debug("#{self} #{auth.key_handle}: spawned #{pid}")
+
+            new(auth, pid)
+          end
+        end
+
+        class Authenticator
+          attr_reader :pid
+
+          def initialize(auth, pid, out_read, err_read)
+            @auth = auth
+            @pid = pid
+            @out_read = out_read
+            @err_read = err_read
+          end
+
+          def exited(status)
+            out, err = [@out_read, @err_read].map(&:read).map(&:chomp)
+
+            if status.exitstatus == 0
+              U2F_LOGGER.info("#{self.class} #{@auth.key_handle}: ok: #{out}")
+              [nil, JSON.parse(out)]
+            else
+              U2F_LOGGER.warn("#{self.class} #{@auth.key_handle}: err: #{err}")
+              [ThrottledAuthenticator.spawn(@auth), nil]
+            end
+          ensure
+            [@out_read, @err_read].each(&:close)
+          end
+
+          def self.spawn(auth)
+            in_read, in_write = IO.pipe
+            out_read, out_write = IO.pipe
+            err_read, err_write = IO.pipe
+
+            pid = Process.spawn(
+              'u2f-host', '-aauthenticate', '-o', auth.origin,
+              in: in_read, out: out_write, err: err_write,
+              close_others: true
+            )
+
+            U2F_LOGGER.debug("#{self} #{auth.key_handle}: spawned #{pid}")
+
+            [in_read, out_write, err_write].each(&:close)
+
+            in_write.write(auth.request.to_json)
+            in_write.close
+
+            new(auth, pid, out_read, err_read)
+          end
+        end
+
+        class Device
+          attr_reader :version, :key_handle
+
+          def initialize(version, key_handle)
+            @version = version
+            @key_handle = key_handle
+          end
+        end
+
+        def self.authenticate(origin, app_id, challenge, devices)
+          procs = Hash[devices.map do |device|
+            params = AuthenticatorParameters.new(
+              origin, challenge, app_id, device
+            )
+            w = Authenticator.spawn(params)
+            [w.pid, w]
+          end]
+
+          begin
+            loop do
+              pid, status = Process.wait2
+              w = procs.delete(pid)
+              raise "waited unknown pid: #{pid}" if w.nil?
+
+              r, out = w.exited(status)
+
+              procs[r.pid] = r if r
+              return out if out
+            end
+          ensure
+            procs.values.map(&:pid).each { |p| Process.kill(:SIGTERM, p) }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aptible/cli/helpers/system.rb

@@ -0,0 +1,26 @@
+module Aptible
+  module CLI
+    module Helpers
+      module System
+        def which(cmd)
+          exts = ENV['PATHEXT'] ? ENV['PATHEXT'].split(';') : ['']
+
+          ENV['PATH'].split(File::PATH_SEPARATOR).each do |path|
+            exts.each do |ext|
+              exe = File.join(path, "#{cmd}#{ext}")
+              return exe if File.executable?(exe) && !File.directory?(exe)
+            end
+          end
+
+          nil
+        end
+
+        def ask_then_line(*args)
+          ret = ask(*args)
+          puts ''
+          ret
+        end
+      end
+    end
+  end
+end

data/lib/aptible/cli/subcommands/db.rb

@@ -114,6 +114,19 @@ module Aptible
               render_database(database, database.account)
             end
 
+            desc 'db:replicate HANDLE REPLICA_HANDLE ' \
+                 '[--container-size SIZE_MB] [--size SIZE_GB]',
+                 'Create a replica/follower of a database'
+            option :environment
+            option :container_size, type: :numeric
+            option :size, type: :numeric
+            define_method 'db:replicate' do |source_handle, dest_handle|
+              source = ensure_database(options.merge(db: source_handle))
+              CLI.logger.info "Replicating #{source_handle}..."
+              database = replicate_database(source, dest_handle, options)
+              render_database(database.reload, database.account)
+            end
+
             desc 'db:dump HANDLE [pg_dump options]',
                  'Dump a remote database to file'
             option :environment

data/lib/aptible/cli/version.rb

@@ -1,5 +1,5 @@
 module Aptible
   module CLI
-    VERSION = '0.16.2'.freeze
+    VERSION = '0.16.3'.freeze
   end
 end

data/spec/aptible/cli/agent_spec.rb

@@ -30,10 +30,15 @@ describe Aptible::CLI::Agent do
     let(:created_at) { Time.now }
     let(:expires_at) { created_at + 1.week }
 
-    before do
-      m = -> (code) { @code = code }
-      OAuth2::Error.send :define_method, :initialize, m
+    def make_oauth2_error(code, ctx = nil)
+      parsed = { 'error' => code }
+      parsed['exception_context'] = ctx if ctx
+      response = double('response', parsed: parsed, body: "error #{code}")
+      allow(response).to receive(:error=)
+      OAuth2::Error.new(response)
+    end
 
+    before do
       allow(token).to receive(:access_token).and_return 'access_token'
       allow(token).to receive(:created_at).and_return created_at
       allow(token).to receive(:expires_at).and_return expires_at
@@ -55,7 +60,7 @@ describe Aptible::CLI::Agent do
 
     it 'should raise an error if authentication fails' do
       allow(Aptible::Auth::Token).to receive(:create)
-        .and_raise(OAuth2::Error, 'foo')
+        .and_raise(make_oauth2_error('foo'))
       expect do
         subject.login
       end.to raise_error 'Could not authenticate with given credentials: foo'
@@ -87,7 +92,7 @@ describe Aptible::CLI::Agent do
       expect { subject.login }.to raise_error(/Invalid token lifetime/)
     end
 
-    context 'with OTP' do
+    context 'with 2FA' do
       let(:email) { 'foo@example.org' }
       let(:password) { 'bar' }
       let(:token) { '123456' }
@@ -124,7 +129,7 @@ describe Aptible::CLI::Agent do
           expect(Aptible::Auth::Token).to receive(:create)
             .with(email: email, password: password, expires_in: 1.week.seconds)
             .once
-            .and_raise(OAuth2::Error, 'otp_token_required')
+            .and_raise(make_oauth2_error('otp_token_required'))
 
           expect(Aptible::Auth::Token).to receive(:create)
             .with(email: email, password: password, otp_token: token,
@@ -139,7 +144,7 @@ describe Aptible::CLI::Agent do
           expect(Aptible::Auth::Token).to receive(:create)
             .with(email: email, password: password, expires_in: 1.day.seconds)
             .once
-            .and_raise(OAuth2::Error, 'otp_token_required')
+            .and_raise(make_oauth2_error('otp_token_required'))
 
           expect(Aptible::Auth::Token).to receive(:create)
             .with(email: email, password: password, otp_token: token,
@@ -155,17 +160,104 @@ describe Aptible::CLI::Agent do
           expect(Aptible::Auth::Token).to receive(:create)
             .with(email: email, password: password, expires_in: 1.week.seconds)
             .once
-            .and_raise(OAuth2::Error, 'otp_token_required')
+            .and_raise(make_oauth2_error('otp_token_required'))
 
           expect(Aptible::Auth::Token).to receive(:create)
             .with(email: email, password: password, otp_token: token,
                   expires_in: 12.hours.seconds)
             .once
-            .and_raise(OAuth2::Error, 'foo')
+            .and_raise(make_oauth2_error('foo'))
 
           expect { subject.login }.to raise_error(/Could not authenticate/)
         end
       end
+
+      context 'with U2F' do
+        before do
+          allow(subject).to receive(:options)
+            .and_return(email: email, password: password)
+        end
+
+        it 'shouldn\'t use U2F if not supported' do
+          allow(subject).to receive(:which)
+            .and_return(nil)
+
+          e = make_oauth2_error(
+            'otp_token_required',
+            'u2f' => {
+              'challenge' => 'some 123',
+              'devices' => [
+                { 'version' => 'U2F_V2', 'key_handle' => '123' },
+                { 'version' => 'U2F_V2', 'key_handle' => '456' }
+              ]
+            }
+          )
+
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, expires_in: 1.week.seconds)
+            .once
+            .and_raise(e)
+
+          expect(Aptible::CLI::Helpers::SecurityKey).not_to \
+            receive(:authenticate)
+
+          expect(subject).to receive(:ask).with('2FA Token: ')
+            .once
+            .and_return(token)
+
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, otp_token: token,
+                  expires_in: 12.hours.seconds)
+            .once
+            .and_return(token)
+
+          subject.login
+        end
+
+        it 'should call into U2F if supported' do
+          allow(subject).to receive(:which).and_return('u2f-host')
+          allow(subject).to receive(:ask).with('2FA Token: ') { sleep }
+
+          e = make_oauth2_error(
+            'otp_token_required',
+            'u2f' => {
+              'challenge' => 'some 123',
+              'devices' => [
+                { 'version' => 'U2F_V2', 'key_handle' => '123' },
+                { 'version' => 'U2F_V2', 'key_handle' => '456' }
+              ]
+            }
+          )
+
+          u2f = double('u2f response')
+
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, expires_in: 1.week.seconds)
+            .once
+            .and_raise(e)
+
+          expect(subject).to receive(:puts).with(/security key/i)
+
+          expect(Aptible::CLI::Helpers::SecurityKey).to receive(:authenticate)
+            .with(
+              'https://auth.aptible.com/',
+              'https://auth.aptible.com/u2f/trusted_facets',
+              'some 123',
+              array_including(
+                instance_of(Aptible::CLI::Helpers::SecurityKey::Device),
+                instance_of(Aptible::CLI::Helpers::SecurityKey::Device)
+              )
+            ).and_return(u2f)
+
+          expect(Aptible::Auth::Token).to receive(:create)
+            .with(email: email, password: password, u2f: u2f,
+                  expires_in: 12.hours.seconds)
+            .once
+            .and_return(token)
+
+          subject.login
+        end
+      end
     end
   end
 

data/spec/aptible/cli/subcommands/db_spec.rb

@@ -439,6 +439,62 @@ describe Aptible::CLI::Agent do
     end
   end
 
+  describe '#db:replicate' do
+    let(:databases) { [] }
+    before { allow(Aptible::Api::Database).to receive(:all) { databases } }
+
+    def expect_replicate_database(opts = {})
+      master = Fabricate(:database, handle: 'master')
+      databases << master
+      replica = Fabricate(:database,
+                          account: master.account,
+                          handle: 'replica')
+
+      op = Fabricate(:operation)
+
+      params = { type: 'replicate', handle: 'replica' }.merge(opts)
+      params[:disk_size] = params.delete(:size) if params[:size]
+      expect(master).to receive(:create_operation!)
+        .with(**params).and_return(op)
+
+      expect(subject).to receive(:attach_to_operation_logs).with(op) do
+        databases << replica
+        replica
+      end
+
+      provision = Fabricate(:operation)
+
+      expect(replica).to receive_message_chain(:operations, :last)
+        .and_return(provision)
+
+      expect(subject).to receive(:attach_to_operation_logs).with(provision)
+
+      expect(replica).to receive(:reload).and_return(replica)
+
+      subject.options = opts
+      subject.send('db:replicate', 'master', 'replica')
+
+      expect(captured_logs).to match(/replicating master/i)
+    end
+
+    it 'allows replicating an existing database' do
+      expect_replicate_database
+    end
+
+    it 'allows replicating a database with a container size' do
+      expect_replicate_database(container_size: 40)
+    end
+
+    it 'allows replicating a database with a disk size' do
+      expect_replicate_database(size: 40)
+    end
+
+    it 'fails if the DB is not found' do
+      expect { subject.send('db:replicate', 'nope', 'replica') }
+        .to raise_error(Thor::Error, 'Could not find database nope')
+    end
+  end
+
   describe '#db:dump' do
     it 'should fail if database is non-existent' do
       allow(Aptible::Api::Database).to receive(:all) { [] }

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: aptible-cli
 version: !ruby/object:Gem::Version
-  version: 0.16.2
+  version: 0.16.3
 platform: ruby
 authors:
 - Frank Macreery
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2019-07-11 00:00:00.000000000 Z
+date: 2019-10-24 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aptible-resource
@@ -277,7 +277,9 @@ files:
 - lib/aptible/cli/helpers/database.rb
 - lib/aptible/cli/helpers/environment.rb
 - lib/aptible/cli/helpers/operation.rb
+- lib/aptible/cli/helpers/security_key.rb
 - lib/aptible/cli/helpers/ssh.rb
+- lib/aptible/cli/helpers/system.rb
 - lib/aptible/cli/helpers/token.rb
 - lib/aptible/cli/helpers/tunnel.rb
 - lib/aptible/cli/helpers/vhost.rb
@@ -373,7 +375,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.7.6
+rubygems_version: 2.7.6.2
 signing_key: 
 specification_version: 4
 summary: Command-line interface for Aptible services