cased-ruby 0.3.3 → 0.4.4

data/lib/cased/cli/asciinema/writer.rb

@@ -0,0 +1,69 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Cased
+  module CLI
+    # Spec: https://github.com/asciinema/asciinema/blob/develop/doc/asciicast-v2.md
+    module Asciinema
+      class Writer
+        VERSION = 2
+
+        attr_accessor :width
+        attr_accessor :height
+        attr_reader :command
+        attr_reader :stream
+        attr_reader :started_at
+        attr_reader :finished_at
+
+        def initialize(command: [], width: 80, height: 24)
+          @command = command
+          @width = width
+          @height = height
+          @stream = []
+          @started_at = Time.now
+        end
+
+        def <<(output)
+          stream << [Time.now - started_at, 'o', output]
+        end
+
+        def time
+          @started_at = Time.now
+          ret = yield
+          @finished_at = Time.now
+          ret
+        end
+
+        def to_cast
+          # In the event we didn't run the writer in a #time block, we should
+          # set the finished time if it isn't set.
+          @finished_at ||= Time.now
+
+          File.new(header, stream).to_cast
+        end
+
+        def header
+          {
+            'version' => VERSION,
+            'env' => {
+              'SHELL' => ENV['SHELL'],
+              'TERM' => ENV['TERM'],
+            },
+            'width' => width,
+            'height' => height,
+            'command' => command.join(' '),
+          }.tap do |h|
+            if started_at
+              h['timestamp'] = started_at.to_i
+            end
+
+            if started_at && finished_at
+              h['duration'] = finished_at - started_at
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/cased/cli/authentication.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+require 'pathname'
+
+module Cased
+  module CLI
+    class Authentication
+      attr_reader :directory
+      attr_reader :credentials_path
+      attr_writer :token
+
+      def initialize(token: nil)
+        @token = token || Cased.config.guard_user_token
+        @directory = Pathname.new(File.expand_path('~/.cguard'))
+        @credentials_path = @directory.join('credentials')
+      end
+
+      def exists?
+        !token.nil?
+      end
+
+      def token
+        @token ||= begin
+          credentials_path.read
+        rescue Errno::ENOENT
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/cased/cli/identity.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Cased
+  module CLI
+    class Identity
+      def initialize
+        @timeout = 30
+      end
+
+      def identify
+        response = Cased.clients.cli.post('cli/applications/users/identify')
+        case response.status
+        when 201 # Created
+          url = response.body.fetch('url')
+          Cased::CLI::Log.log 'To login, please visit:'
+          puts url
+          poll(response.body['api_url'])
+        when 401 # Unauthorized
+          false
+        end
+      end
+
+      def poll(poll_url)
+        count = 0
+        user_id = nil
+        ip_address = nil
+
+        while user_id.nil?
+          count += 1
+          response = Cased.clients.cli.get(poll_url)
+          if response.success?
+            user_id = response.body.dig('user', 'id')
+            ip_address = response.body.fetch('ip_address')
+          else
+            sleep 1
+          end
+        end
+
+        [user_id, ip_address]
+      end
+    end
+  end
+end

data/lib/cased/cli/interactive_session.rb

@@ -0,0 +1,121 @@
+# frozen_string_literal: true
+
+require 'cased/cli/session'
+
+module Cased
+  module CLI
+    # InteractiveSession is responsible for initiating a Cased CLI session and
+    # responding to all its possible states.
+    #
+    # InteractiveSession is intended to be used where a TTY is present to handle
+    # the entire flow from authentication, reason required, waiting for
+    # approval, canceled, or timed out.
+    class InteractiveSession
+      def self.start(reason: nil, command: nil, metadata: {})
+        return Cased::CLI::Session.current if Cased::CLI::Session.current&.approved?
+
+        Cased::CLI::Log.log 'Running under Cased CLI.'
+
+        new(reason: reason, command: command, metadata: metadata).create
+      end
+
+      attr_reader :session
+
+      def initialize(reason: nil, command: nil, metadata: {})
+        @session = Cased::CLI::Session.new(
+          reason: reason,
+          command: command,
+          metadata: metadata,
+        )
+      end
+
+      def create
+        signal_handler = Signal.trap('SIGINT') do
+          if session.requested?
+            Cased::CLI::Log.log 'Exiting and canceling request…'
+            session.cancel
+            exit 0
+          elsif signal_handler.respond_to?(:call)
+            # We need to call the original handler if we exit this interactive
+            # session successfully
+            signal_handler.call
+          else
+            raise Interrupt
+          end
+        end
+
+        if session.create
+          handle_state(session.state)
+        elsif session.reauthenticate?
+          Cased::CLI::Log.log "You must re-authenticate with Cased due to recent changes to this application's settings."
+
+          identity = Cased::CLI::Identity.new
+          token, ip_address = identity.identify
+          session.authentication.token = token
+          session.forwarded_ip_address = ip_address
+
+          create
+        elsif session.unauthorized?
+          if session.authentication.exists?
+            Cased::CLI::Log.log "Existing credentials at #{session.authentication.credentials_path} are not valid."
+          else
+            Cased::CLI::Log.log "Could not find credentials at #{session.authentication.credentials_path}, looking up now…"
+          end
+
+          identity = Cased::CLI::Identity.new
+          token, ip_address = identity.identify
+          session.authentication.token = token
+          session.forwarded_ip_address = ip_address
+
+          create
+        elsif session.reason_required?
+          reason_prompt && create
+        else
+          Cased::CLI::Log.log 'Could not start CLI session.'
+          exit 1 if Cased.config.guard_deny_if_unreachable?
+        end
+
+        session
+      end
+
+      private
+
+      def reason_prompt
+        print Cased::CLI::Log.string 'Please enter a reason for access: '
+        session.reason = STDIN.gets.chomp
+      end
+
+      def wait_for_approval
+        sleep 1
+        session.refresh && handle_state(session.state)
+      end
+
+      def waiting_for_approval_message
+        return if defined?(@waiting_for_approval_message_displayed)
+
+        motd = session.guard_application.dig('settings', 'message_of_the_day')
+        waiting_message = motd.blank? ? 'Approval request sent…' : motd
+        Cased::CLI::Log.log "#{waiting_message} (id: #{session.id})"
+        @waiting_for_approval_message_displayed = true
+      end
+
+      def handle_state(state)
+        case state
+        when 'approved'
+          Cased::CLI::Log.log 'CLI session has been approved'
+          session.record
+        when 'requested'
+          waiting_for_approval_message
+          wait_for_approval
+        when 'denied'
+          Cased::CLI::Log.log 'CLI session has been denied'
+          exit 1
+        when 'timed_out'
+          Cased::CLI::Log.log 'CLI session has timed out'
+        when 'canceled'
+          Cased::CLI::Log.log 'CLI session has been canceled'
+        end
+      end
+    end
+  end
+end

data/lib/cased/cli/log.rb

@@ -0,0 +1,27 @@
+# frozen_string_literal: true
+
+module Cased
+  module CLI
+    module Log
+      CLEAR   = "\e[0m"
+      YELLOW  = "\e[33m"
+      BOLD    = "\e[1m"
+
+      def self.string(text)
+        [color('[cased]', YELLOW, true), text].join(' ')
+      end
+
+      def self.log(text)
+        puts string(text)
+      ensure
+        STDOUT.flush
+      end
+
+      def self.color(text, color, bold = false)
+        color = self.class.const_get(color.upcase) if color.is_a?(Symbol)
+        bold  = bold ? BOLD : ''
+        "#{bold}#{color}#{text}#{CLEAR}"
+      end
+    end
+  end
+end

data/lib/cased/cli/recorder.rb

@@ -0,0 +1,58 @@
+# frozen_string_literal: true
+
+require 'subprocess'
+
+module Cased
+  module CLI
+    class Recorder
+      KEY = 'CASED_CLI_RECORDING'
+      TRUE = '1'
+
+      attr_reader :command
+      attr_reader :events
+      attr_reader :started_at
+      attr_reader :width
+      attr_reader :height
+      attr_reader :options
+      attr_accessor :writer
+
+      # @return [Boolean] if CLI session is being recorded.
+      def self.recording?
+        ENV[KEY] == TRUE
+      end
+
+      def initialize(command, env: {})
+        @command = command
+        @events = []
+        @width = Subprocess.check_output(%w[tput cols]).strip.to_i
+        @height = Subprocess.check_output(%w[tput lines]).strip.to_i
+
+        subprocess_env = ENV.to_h.dup
+        subprocess_env[KEY] = TRUE
+        subprocess_env.merge!(env)
+        @writer = Cased::CLI::Asciinema::Writer.new(
+          command: command,
+          width: width,
+          height: height,
+        )
+
+        @options = {
+          stdout: Subprocess::PIPE,
+          env: subprocess_env,
+        }
+      end
+
+      def start
+        writer.time do
+          Subprocess.check_call(command, options) do |t|
+            t.communicate do |stdout, _stderr|
+              STDOUT.write(stdout)
+
+              writer << stdout.gsub("\n", "\r\n")
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/cased/cli/session.rb

@@ -0,0 +1,292 @@
+# frozen_string_literal: true
+
+require 'cased/cli/authentication'
+require 'cased/cli/identity'
+require 'cased/cli/recorder'
+require 'cased/model'
+
+module Cased
+  module CLI
+    class Session
+      include Cased::Model
+
+      def self.find(guard_session_id)
+        authentication = Cased::CLI::Authentication.new
+
+        response = Cased.clients.cli.get("cli/sessions/#{guard_session_id}", user_token: authentication.token)
+        new.tap do |session|
+          session.session = response.body
+        end
+      end
+
+      # If we're inside of a recorded session we can lookup the session
+      # we're in.
+      def self.current
+        @current ||= if ENV['GUARD_SESSION_ID']
+          Cased::CLI::Session.find(ENV['GUARD_SESSION_ID'])
+        end
+      end
+
+      def self.current?
+        current.present?
+      end
+
+      class << self
+        attr_writer :current
+      end
+
+      # @return [Cased::CLI::Authentication]
+      attr_reader :authentication
+
+      # Public: The CLI session ID
+      # @example
+      #   session.id #=> "guard_session_1oFqm5GBQYwhH8pfIpnS0A5QgFJ"
+      # @return [String, nil]
+      attr_reader :id
+
+      # Public: The CLI session web URL
+      # @example
+      #   session.url #=> "https://api.cased.com/cli/programs/ruby/sessions/guard_session_1oFqm5GBQYwhH8pfIpnS0A5QgFJ"
+      # @return [String, nil]
+      attr_reader :url
+
+      # Public: The CLI session API URL
+      # @example
+      #   session.api_url #=> "https://api.cased.com/cli/sessions/guard_session_1oFqm5GBQYwhH8pfIpnS0A5QgFJ"
+      # @return [String, nil]
+      attr_reader :api_url
+
+      # Public: The CLI session record API URL
+      # @example
+      #   session.api_record_url #=> "https://api.cased.com/cli/sessions/guard_session_1oFqm5GBQYwhH8pfIpnS0A5QgFJ/record"
+      # @return [String, nil]
+      attr_reader :api_record_url
+
+      # Public: The current state the CLI session is in
+      # @example
+      #   session.api_url #=> "approved"
+      # @return [String, nil]
+      attr_reader :state
+
+      # Public: Command that invoked CLI session.
+      # @example
+      #   session.command #=> "/usr/local/bin/rails console"
+      # @return [String]
+      attr_accessor :command
+
+      # Public: Additional user supplied metadata about the CLI session.
+      # @example
+      #   session.metadata #=> {"hostname" => "Mac.local"}
+      # @return [Hash]
+      attr_accessor :metadata
+
+      # Public: The user supplied reason for the CLI session for taking place.
+      # @example
+      #   session.reason #=> "Investigating customer support ticket."
+      # @return [String, nil]
+      attr_accessor :reason
+
+      # Public: The forwarded IP V4 or IP V6 address of the user that initiated
+      # the CLI session.
+      #
+      # @example
+      #   session.forwarded_ip_address #=> "1.1.1.1"
+      # @return [String, nil]
+      attr_accessor :forwarded_ip_address
+
+      # Public: The client's IP V4 or IP V6 address that initiated the CLI session.
+      # @example
+      #   session.ip_address #=> "1.1.1.1"
+      # @return [String, nil]
+      attr_reader :ip_address
+
+      # Public: The Cased user that requested the CLI session.
+      # @example
+      #   session.requester #=> {"id" => "user_1oFqlROLNRGVLOXJSsHkJiVmylr"}
+      # @return [Hash, nil]
+      attr_reader :requester
+
+      # Public: The Cased user that requested the CLI session.
+      # @example
+      #   session.responded_at #=> "2021-02-10 12:08:44 -0800"
+      # @return [Time, nil]
+      attr_reader :responded_at
+
+      # Public: The Cased user that responded to the CLI session.
+      # @example
+      #   session.responder #=> {"id" => "user_1oFqlROLNRGVLOXJSsHkJiVmylr"}
+      # @return [Hash, nil]
+      attr_reader :responder
+
+      # Public: The CLI application that the CLI session belongs to.
+      # @example
+      #   session.guard_application #=> {"id" => "guard_application_1oFqltbMqSEtJQKRCAYQNrQoXsS"}
+      # @return [Hash, nil]
+      attr_reader :guard_application
+
+      def initialize(reason: nil, command: nil, metadata: {}, authentication: nil)
+        @authentication = authentication || Cased::CLI::Authentication.new
+        @reason = reason
+        @command = command || [$PROGRAM_NAME, *ARGV].join(' ')
+        @metadata = metadata
+        @requester = {}
+        @responder = {}
+        @guard_application = {}
+      end
+
+      def to_s
+        command
+      end
+
+      def to_param
+        id
+      end
+
+      def session=(session)
+        @error = nil
+        @id = session.fetch('id')
+        @api_url = session.fetch('api_url')
+        @api_record_url = session.fetch('api_record_url')
+        @url = session.fetch('url')
+        @state = session.fetch('state')
+        @command = session.fetch('command')
+        @metadata = session.fetch('metadata')
+        @reason = session.fetch('reason')
+        @forwarded_ip_address = session.fetch('forwarded_ip_address')
+        @ip_address = session.fetch('ip_address')
+        @requester = session.fetch('requester')
+        @responded_at = session['responded_at']
+        @responder = session['responder'] || {}
+        @guard_application = session.fetch('guard_application')
+      end
+
+      def requested?
+        state == 'requested'
+      end
+
+      def approved?
+        state == 'approved'
+      end
+
+      def denied?
+        state == 'denied'
+      end
+
+      def canceled?
+        state == 'canceled'
+      end
+
+      def timed_out?
+        state == 'timed_out'
+      end
+
+      def refresh
+        return false unless api_url
+
+        response = Cased.clients.cli.get(api_url, user_token: authentication.token)
+        self.session = response.body
+      end
+
+      def error?
+        !error.nil?
+      end
+
+      def success?
+        id && !error?
+      end
+
+      def reason_required?
+        error == :reason_required || guard_application.dig('settings', 'reason_required')
+      end
+
+      def unauthorized?
+        error == :unauthorized
+      end
+
+      def reauthenticate?
+        error == :reauthenticate
+      end
+
+      def record_output?
+        guard_application.dig('settings', 'record_output') || false
+      end
+
+      def record
+        return false unless recordable? && record_output?
+
+        Cased::CLI::Log.log 'CLI session is now recording'
+
+        recorder = Cased::CLI::Recorder.new(command.split(' '), env: {
+          'GUARD_SESSION_ID' => id,
+          'GUARD_APPLICATION_ID' => guard_application.fetch('id'),
+          'GUARD_USER_TOKEN' => requester.fetch('id'),
+        })
+        recorder.start
+
+        Cased.clients.cli.put(api_record_url,
+          recording: recorder.writer.to_cast,
+          user_token: authentication.token)
+
+        Cased::CLI::Log.log 'CLI session recorded'
+      end
+
+      def create
+        return false unless id.nil?
+
+        response = Cased.clients.cli.post('cli/sessions',
+          user_token: authentication.token,
+          forwarded_ip_address: forwarded_ip_address,
+          reason: reason,
+          metadata: metadata,
+          command: command)
+        if response.success?
+          self.session = response.body
+        else
+          case response.body['error']
+          when 'reason_required'
+            @error = :reason_required
+          when 'unauthorized'
+            @error = :unauthorized
+          when 'reauthenticate'
+            @error = :reauthenticate
+          else
+            @error = true
+            return false
+          end
+        end
+
+        response.success?
+      end
+
+      def cancel
+        response = Cased.clients.cli.post("#{api_url}/cancel", user_token: authentication.token)
+        self.session = response.body
+
+        canceled?
+      end
+
+      def cased_category
+        :cli
+      end
+
+      def cased_id
+        id
+      end
+
+      def cased_context(category: cased_category)
+        {
+          "#{category}_id".to_sym => cased_id,
+          category.to_sym => to_s,
+        }
+      end
+
+      def recordable?
+        STDOUT.isatty
+      end
+
+      private
+
+      attr_reader :error
+    end
+  end
+end