etna 0.1.28 → 0.1.33

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f72e476ca58afe56ac2d2334ae35dfe159409892f54bda2624b73d83da574309
-  data.tar.gz: 89e4ccce963ca79bddcd668da5817c94d95ce609612d2d34a635707588dfe88a
+  metadata.gz: 49dacbad5431a0004c77536e600b8f46ee544effb472a459cd9205cb6d3d0aed
+  data.tar.gz: 669d95414188d35adcff630545dde4d49caa43c064a7db3cfc19bf81fba6eff8
 SHA512:
-  metadata.gz: 76f01865ad042215703f305f1ceaf7eeee4febacb114490481e91c9cbbfbf83bedb004d725d18f90d4ffa34efb8ed91741c91e0244fb60f704fba7e3f2e65057
-  data.tar.gz: e8c352582c61d655881d8290a3be01a03cd27c4b3167d60bab077256a5222cfba94a7401130cff14582230fdcef2068498abaf66fda4176b0c3fc486b3cf202e
+  metadata.gz: d1089f55be44686e14264f9b0df51b926a1ad758d40944010ca4fee40e69ced8d6be1cdaf452dc9ea6e05ab0fb099b597b6c4746f2bee400b090be4ec7a9ec56
+  data.tar.gz: d28be042a1210b12472a39502fa3ae8164ff4cd0ee3a2e0b552fb2f520ff5863d15cf88e7d66b9776aa6c7ecd54e1795e3527a16bdb5f7e6f860b944a87a20eb

data/etna.completion

@@ -32,7 +32,7 @@ arg_flag_completion_names="$arg_flag_completion_names  "
 multi_flags="$multi_flags  "
 while [[ "$#" != "0" ]]; do
 if [[ "$#" == "1" ]];  then
-all_completion_names="help models project"
+all_completion_names="help models project token"
 all_completion_names="$all_completion_names $all_flag_completion_names"
 if [[ -z "$(echo $all_completion_names | xargs)" ]]; then
 return
@@ -722,6 +722,120 @@ else
 return
 fi
 done
+elif [[ "$1" == "token" ]]; then
+shift
+all_flag_completion_names="$all_flag_completion_names  "
+arg_flag_completion_names="$arg_flag_completion_names  "
+multi_flags="$multi_flags  "
+while [[ "$#" != "0" ]]; do
+if [[ "$#" == "1" ]];  then
+all_completion_names="generate help"
+all_completion_names="$all_completion_names $all_flag_completion_names"
+if [[ -z "$(echo $all_completion_names | xargs)" ]]; then
+return
+fi
+COMPREPLY=($(compgen -W "$all_completion_names" -- "$1"))
+return
+elif [[ "$1" == "generate" ]]; then
+shift
+all_flag_completion_names="$all_flag_completion_names --task --project-name "
+arg_flag_completion_names="$arg_flag_completion_names --project-name "
+multi_flags="$multi_flags  "
+declare _completions_for_project_name="__project_name__"
+while [[ "$#" != "0" ]]; do
+if [[ "$#" == "1" ]];  then
+all_completion_names=""
+all_completion_names="$all_completion_names $all_flag_completion_names"
+if [[ -z "$(echo $all_completion_names | xargs)" ]]; then
+return
+fi
+COMPREPLY=($(compgen -W "$all_completion_names" -- "$1"))
+return
+elif [[ -z "$(echo $all_flag_completion_names | xargs)" ]]; then
+return
+elif [[ "$all_flag_completion_names" =~ $1\  ]]; then
+if ! [[ "$multi_flags" =~ $1\  ]]; then
+all_flag_completion_names="${all_flag_completion_names//$1\ /}"
+fi
+a=$1
+shift
+if [[ "$arg_flag_completion_names" =~ $a\  ]]; then
+if [[ "$#" == "1" ]];  then
+a="${a//--/}"
+a="${a//-/_}"
+i="_completions_for_$a"
+all_completion_names="${!i}"
+COMPREPLY=($(compgen -W "$all_completion_names" -- "$1"))
+return
+fi
+shift
+fi
+else
+return
+fi
+done
+return
+elif [[ "$1" == "help" ]]; then
+shift
+all_flag_completion_names="$all_flag_completion_names  "
+arg_flag_completion_names="$arg_flag_completion_names  "
+multi_flags="$multi_flags  "
+while [[ "$#" != "0" ]]; do
+if [[ "$#" == "1" ]];  then
+all_completion_names=""
+all_completion_names="$all_completion_names $all_flag_completion_names"
+if [[ -z "$(echo $all_completion_names | xargs)" ]]; then
+return
+fi
+COMPREPLY=($(compgen -W "$all_completion_names" -- "$1"))
+return
+elif [[ -z "$(echo $all_flag_completion_names | xargs)" ]]; then
+return
+elif [[ "$all_flag_completion_names" =~ $1\  ]]; then
+if ! [[ "$multi_flags" =~ $1\  ]]; then
+all_flag_completion_names="${all_flag_completion_names//$1\ /}"
+fi
+a=$1
+shift
+if [[ "$arg_flag_completion_names" =~ $a\  ]]; then
+if [[ "$#" == "1" ]];  then
+a="${a//--/}"
+a="${a//-/_}"
+i="_completions_for_$a"
+all_completion_names="${!i}"
+COMPREPLY=($(compgen -W "$all_completion_names" -- "$1"))
+return
+fi
+shift
+fi
+else
+return
+fi
+done
+return
+elif [[ -z "$(echo $all_flag_completion_names | xargs)" ]]; then
+return
+elif [[ "$all_flag_completion_names" =~ $1\  ]]; then
+if ! [[ "$multi_flags" =~ $1\  ]]; then
+all_flag_completion_names="${all_flag_completion_names//$1\ /}"
+fi
+a=$1
+shift
+if [[ "$arg_flag_completion_names" =~ $a\  ]]; then
+if [[ "$#" == "1" ]];  then
+a="${a//--/}"
+a="${a//-/_}"
+i="_completions_for_$a"
+all_completion_names="${!i}"
+COMPREPLY=($(compgen -W "$all_completion_names" -- "$1"))
+return
+fi
+shift
+fi
+else
+return
+fi
+done
 elif [[ -z "$(echo $all_flag_completion_names | xargs)" ]]; then
 return
 elif [[ "$all_flag_completion_names" =~ $1\  ]]; then

data/lib/commands.rb

@@ -91,6 +91,36 @@ class EtnaApp
   class Administrate
     include Etna::CommandExecutor
 
+    class Token
+      include Etna::CommandExecutor
+
+      class Generate < Etna::Command
+        include WithLogger
+
+        boolean_flags << "--task"
+        string_flags << "--project-name"
+        string_flags << "--email"
+
+        def execute(email:, task: false, project_name: nil)
+          # the token is not required, but can be used if available
+          # to generate a task token, so we pass it in here
+          janus_client = Etna::Clients::Janus.new(
+            token: ENV['TOKEN'],
+            ignore_ssl: EtnaApp.instance.config(:ignore_ssl),
+            **EtnaApp.instance.config(:janus, EtnaApp.instance.environment))
+
+          generate_token_workflow = Etna::Clients::Janus::GenerateTokenWorkflow.new(
+            janus_client: janus_client,
+            token_type: task ? 'task' : 'login',
+            email: email,
+            project_name: project_name,
+            private_key_file: EtnaApp.instance.config(:private_key, EtnaApp.instance.environment)
+          )
+          generate_token_workflow.generate!
+        end
+      end
+    end
+
     class Project
       include Etna::CommandExecutor
 

data/lib/etna/application.rb

@@ -91,6 +91,10 @@ module Etna::Application
     (ENV["#{self.class.name.upcase}_ENV"] || :development).to_sym
   end
 
+  def id
+    ENV["APP_NAME"] || self.class.name.snake_case.split(/::/).last
+  end
+
   def find_descendents(klass)
     ObjectSpace.each_object(Class).select do |k|
       k < klass

data/lib/etna/auth.rb

@@ -70,6 +70,29 @@ module Etna
       return route && route.noauth?
     end
 
+    def janus_approved?(payload, token, request)
+      route = server.find_route(request)
+
+      # some routes don't need janus approval
+      return true if route && route.ignore_janus?
+
+      # only process task tokens right now
+      return true unless payload['task']
+
+      return false unless application.config(:janus) && application.config(:janus)[:host]
+
+      janus_client = Etna::Clients::Janus.new(
+        token: token,
+        host: application.config(:janus)[:host]
+      )
+
+      response = janus_client.validate_task_token()
+
+      return false unless response.code == '200'
+
+      return true
+    end
+
     def approve_user(request)
       token = request.cookies[application.config(:token_name)] || auth(request, :etna)
 
@@ -77,6 +100,8 @@ module Etna
 
       begin
         payload, header = application.sign.jwt_decode(token)
+
+        return false unless janus_approved?(payload, token, request)
         return request.env['etna.user'] = Etna::User.new(payload.map{|k,v| [k.to_sym, v]}.to_h, token)
       rescue
         # bail out if anything goes wrong

data/lib/etna/client.rb

@@ -17,6 +17,36 @@ module Etna
 
     attr_reader :routes
 
+    def with_headers(headers, &block)
+      @request_headers = headers.compact
+      result = instance_eval(&block)
+      @request_headers = nil
+      return result
+    end
+
+    def signed_route_path(route, params)
+      path = route_path(route,params)
+
+      signatory = params.delete(:signatory)
+
+      return path unless signatory
+
+      hmac = Etna::Hmac.new(
+        signatory,
+        method: route[:method],
+        host: URI(@host).host,
+        path: path,
+        expiration: (DateTime.now + 10).iso8601,
+        id: signatory.id,
+        nonce: SecureRandom.hex,
+        headers: params.except(*route[:params].map(&:to_sym))
+      )
+
+      url_params = hmac.url_params(route[:method] == 'GET')
+
+      return url_params[:path] + '?' + url_params[:query]
+    end
+
     def route_path(route, params)
       Etna::Route.path(route[:route], params)
     end
@@ -60,14 +90,19 @@ module Etna
       @routes.each do |route|
         next unless route[:name]
         self.define_singleton_method(route[:name]) do |params = {}|
-
           missing_params = (route[:params] - params.keys.map(&:to_s))
+
           unless missing_params.empty?
             raise ArgumentError, "Missing required #{missing_params.size > 1 ?
                 'params' : 'param'} #{missing_params.join(', ')}"
           end
 
-          response = send(route[:method].downcase, route_path(route, params), params)
+          response = send(
+            route[:method].downcase,
+            signed_route_path(route, params),
+            params
+          )
+
           if block_given?
             yield response
           else
@@ -83,7 +118,7 @@ module Etna
 
     def body_request(type, endpoint, params = {}, &block)
       uri = request_uri(endpoint)
-      req = type.new(uri.request_uri, request_params)
+      req = type.new(uri.request_uri, request_headers)
       req.body = params.to_json
       request(uri, req, &block)
     end
@@ -96,7 +131,7 @@ module Etna
       else
         uri.query = URI.encode_www_form(params)
       end
-      req = type.new(uri.request_uri, request_params)
+      req = type.new(uri.request_uri, request_headers)
       request(uri, req, &block)
     end
 
@@ -104,12 +139,14 @@ module Etna
       URI("#{@host}#{endpoint}")
     end
 
-    def request_params
+    def request_headers
       {
           'Content-Type' => 'application/json',
           'Accept' => 'application/json, text/*',
           'Authorization' => "Etna #{@token}"
-      }
+      }.update(
+        @request_headers || {}
+      )
     end
 
     def status_check!(response)

data/lib/etna/clients/base_client.rb

@@ -8,10 +8,9 @@ module Etna
       attr_reader :host, :token, :ignore_ssl
       def initialize(host:, token:, ignore_ssl: false)
         raise "#{self.class.name} client configuration is missing host." unless host
-        raise "#{self.class.name} client configuration is missing token." unless token
 
         @token = token
-        raise "Your token is expired." if token_expired?
+        raise "Your token is expired." if token && token_expired?
 
         @etna_client = ::Etna::Client.new(
           host,
@@ -36,4 +35,4 @@ module Etna
       end
     end
   end
-end
+end

data/lib/etna/clients/janus.rb

@@ -1,2 +1,3 @@
 require_relative './janus/client'
 require_relative './janus/models'
+require_relative './janus/workflows'

data/lib/etna/clients/janus/client.rb

@@ -57,6 +57,25 @@ module Etna
 
         TokenResponse.new(token)
       end
+
+      def validate_task_token(validate_task_token_request = ValidateTaskTokenRequest.new)
+        token = nil
+        @etna_client.post('/api/tokens/task/validate', validate_task_token_request)
+      end
+
+      def get_nonce
+        @etna_client.get('/api/tokens/nonce').body
+      end
+
+      def generate_token(token_type, signed_nonce: nil, project_name: nil)
+        response = @etna_client.with_headers(
+          'Authorization' => signed_nonce ? "Signed-Nonce #{signed_nonce}" : nil
+        ) do
+          post('/api/tokens/generate', token_type: token_type, project_name: project_name)
+        end
+
+        response.body
+      end
     end
   end
 end

data/lib/etna/clients/janus/models.rb

@@ -51,6 +51,12 @@ module Etna
         end
       end
 
+      class ValidateTaskTokenRequest
+        def map
+          []
+        end
+      end
+
       class HtmlResponse
         attr_reader :raw
 
@@ -76,4 +82,4 @@ module Etna
       end
     end
   end
-end
+end

data/lib/etna/clients/janus/workflows.rb

@@ -0,0 +1 @@
+require_relative './workflows/generate_token_workflow'

data/lib/etna/clients/janus/workflows/generate_token_workflow.rb

@@ -0,0 +1,77 @@
+# Base workflow for setting up a project by a super user.
+# 1) Creates the project in janus
+# 2) Adds administrator(s) to Janus
+# 3) Refreshes the user's token with the new privileges.
+# 4) Creates the project in .
+
+require 'base64'
+require 'json'
+require 'ostruct'
+require_relative '../models'
+
+module Etna
+  module Clients
+    class Janus
+      class GenerateTokenWorkflow < Struct.new(:janus_client, :email, :project_name, :token_type, :private_key_file, keyword_init: true)
+        def generate!
+          nonce = janus_client.get_nonce
+
+          unless email
+            puts "Email address for #{janus_client.host} account?"
+            email = STDIN.gets.chomp
+          end
+
+          if use_nonce?
+            until private_key_file
+              puts "Location of private key file?"
+              private_key_file = ::File.expand_path(STDIN.gets.chomp)
+              unless File.exists?(private_key_file)
+                puts "No such file."
+                private_key_file = nil
+              end
+            end
+          end
+
+          if needs_project_name?
+            puts "Project name?"
+            project_name = STDIN.gets.chomp
+          end
+          
+          token = janus_client.generate_token(token_type, signed_nonce: use_nonce? ? signed_nonce(nonce) : nil, project_name: project_name)
+
+          puts token
+        end
+
+        private
+
+        def signed_nonce(nonce)
+          private_key = OpenSSL::PKey::RSA.new(File.read(private_key_file))
+
+          txt_to_sign = "#{nonce}.#{Base64.strict_encode64(email)}"
+
+          sig = Base64.strict_encode64(
+            private_key.sign(OpenSSL::Digest::SHA256.new,txt_to_sign)
+          )
+
+          "#{txt_to_sign}.#{sig}"
+        end
+
+        def use_nonce?
+          !task_token? || !janus_client.token
+        end
+
+        def needs_project_name?
+          task_token? && !project_name
+        end
+
+        def task_token?
+          token_type == 'task'
+        end
+
+        def user
+          @user ||= JSON.parse(Base64.urlsafe_decode64(magma_client.token.split('.')[1]))
+        end
+      end
+    end
+  end
+end