firespring_dev_commands 1.3.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: d6f07bb537b2a77642593e6f28ad14791810c0395b56eb73b7dfe062f414491c
+  data.tar.gz: 6fd0bb605fb7fa4fe17f5baf565003a960479774b0f0d83a4c5c3b6cf1ceacd9
+SHA512:
+  metadata.gz: a8f58eca8af848da446bd775e0fb7a329cf94188abe44ae6a6ce4b7f074cf09a6d7a8598bbd4a8e1cdd69031dae586380d543f28b398821c5f63ac4c53fbe13d
+  data.tar.gz: 2edd0e114d231fbc3019d4c4235a51629df99e91dcd49c4ca4b0d03ee40cbf7ee8d2639670e4f5613f0027cfdb89b6b3ad204cd5856e9896099381fbbad2b2d7

data/LICENSE

@@ -0,0 +1,21 @@
+The MIT License (MIT)
+
+Copyright (c) 2022 Firespring
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

data/README.md

@@ -0,0 +1,83 @@
+# Firespring Dev Commands
+This project is for maintaining your local development environment using a Firespring supported library of commands
+
+### Usage
+* To use a released version of the library, add the following to your Gemfile
+```
+gem 'firespring_dev_commands', '~> 0.0.1'
+```
+
+* To use a local version of the library, add the following to your Gemfile
+  * This is not common
+  * It is mostly used for testing local changes before the gem is released
+```
+gem 'firespring_dev_commands', path: '/path/to/firespring/dev-commands-ruby'
+```
+
+* Add the following to your Rakefile
+```
+require 'rubygems'
+require 'bundler/setup'
+require 'firespring_dev_commands'
+```
+
+* (optional) Add any firespring_dev_command templates you wish to use
+```
+# Create default tasks
+Dev::Template::Docker::Default.new
+Dev::Template::Docker::Application.new('foo')
+Dev::Template::Docker::Node::Application.new('foo')
+```
+* If you run `rake -T` now, you should have base rake commands and application rake commands for an app called `foo`
+
+* (optinoal) Add AWS login template commands
+```
+# Configure AWS accounts and create tasks
+Dev::Aws::Account::configure do |c|
+  c.root = Dev::Aws::Account::Info.new('Foo Root', '1234')
+  c.children = [Dev::Aws::Account::Info.new('Foo Dev', '5678')]
+end
+Dev::Template::Aws.new
+```
+* Now you should be able to log in to the 1234 account and switch to your personal role in the 5678 account
+* If you specify a "registry" id in the Account configure you will be logged in ECR inside the system docker so you can pull and push images
+
+### Development
+* Clone the repo
+* Change code
+  * Build test image
+    * `rake build`
+  * Connect to the test image
+    * `rake app:sh`
+* Ensure ruby lints pass
+  * `rake app:ruby:lint` or `rake app:ruby:lint:fix`
+* Ensure tests pass
+  * `rake app:ruby:test`
+* Update the gem version appropriately
+  * We use semantic versioning
+  * https://semver.org/
+* Open a pull request and add reviewers
+
+### Publishing
+* After your changes have been approved, run the `rake release` command
+  * You will receive an error if you try to re-publish an existing version of the gem
+  * Theoretically you could yank an existing version and re-publish if necessary
+
+# Concepts
+### Config
+* Many of the classes have a configure singleton which can be used to set global configs
+  * These configs should then be the default used when instantiating the object
+  * The configs should always be over-writable when instantiating the object
+
+### Templates
+* The templates should have as little code/logic in them as possible
+  * This is to help with re-usability
+  * Instead, create the bulk of the logic in the ruby files so that if a user wants to modify it they can re-use those ruby methods in a task of their own making
+* Naming of the templates generally follows `rake <thing>:<language (optional)>:action:<modifier (optional)`
+  * e.g. `rake build`, `rake app:up`, `rake app:php:test:unit`
+
+### TODOs
+* Consider publishing a docker image which you can run the commands in
+  * So you don't need ruby on your local system
+* Add LOTS of tests to get code coverage to 100%
+

data/lib/firespring_dev_commands/audit/report/item.rb

@@ -0,0 +1,33 @@
+module Dev
+  class Audit
+    class Report
+      # This class contains audit report items and their associated data
+      class Item
+        attr_accessor :id, :name, :title, :url, :severity, :version
+
+        def initialize(id:, name:, title:, url:, severity:, version:)
+          @id = id
+          @name = name
+          @title = title
+          @url = url
+          @severity = severity
+          @version = version
+        end
+
+        # Returns a string representation of this audit report item
+        def to_s
+          [
+            '+-------------------+----------------------------------------------------------------------------------+',
+            format('| %s | %-80s |', format('%-17s', 'Severity').green, severity),
+            format('| %s | %-80s |', format('%-17s', 'Package').green, name),
+            format('| %s | %-80s |', format('%-17s', 'Id').green, id),
+            format('| %s | %-80s |', format('%-17s', 'Title').green, title),
+            format('| %s | %-80s |', format('%-17s', 'URL').green, url),
+            format('| %s | %-80s |', format('%-17s', 'Affected versions').green, version),
+            '+-------------------+----------------------------------------------------------------------------------+'
+          ].join("\n")
+        end
+      end
+    end
+  end
+end

data/lib/firespring_dev_commands/audit/report/levels.rb

@@ -0,0 +1,36 @@
+module Dev
+  class Audit
+    class Report
+      # Contains constants representing different audit report severity levels
+      class Level
+        # "info" severity level
+        INFO = 'info'.freeze
+
+        # "low" severity level
+        LOW = 'low'.freeze
+
+        # "moderate" severity level
+        MODERATE = 'moderate'.freeze
+
+        # "high" severity level
+        HIGH = 'high'.freeze
+
+        # "critical" severity level
+        CRITICAL = 'critical'.freeze
+
+        # "unknown" severity level
+        UNKNOWN = 'unknown'.freeze
+      end
+
+      # All supported audit report levels in ascending order of severity
+      LEVELS = [
+        Level::INFO,
+        Level::LOW,
+        Level::MODERATE,
+        Level::HIGH,
+        Level::CRITICAL,
+        Level::UNKNOWN
+      ].freeze
+    end
+  end
+end

data/lib/firespring_dev_commands/audit/report.rb

@@ -0,0 +1,49 @@
+module Dev
+  # Class containing security audit information
+  class Audit
+    # The class containing standardized information about an audit report
+    class Report
+      attr_accessor :items, :min_severity, :ignorelist, :filtered_items
+
+      def initialize(
+        items,
+        min_severity: ENV.fetch('MIN_SEVERITY', nil),
+        ignorelist: ENV['IGNORELIST'].to_s.split(/\s*,\s*/)
+      )
+        # Items should be an array of Item objects
+        @items = Array(items)
+        raise 'items must all be report items' unless @items.all?(Dev::Audit::Report::Item)
+
+        @min_severity = min_severity || Level::HIGH
+        @ignorelist = Array(ignorelist).compact
+      end
+
+      # Get all severities greater than or equal to the minimum severity
+      def desired_severities
+        LEVELS.slice(LEVELS.find_index(min_severity)..-1)
+      end
+
+      # Run the filters against the report items and filter out any which should be excluded
+      def filtered_items
+        @filtered_items ||= items.select { |it| desired_severities.include?(it.severity) }.select { |it| ignorelist.none?(it.id) }
+      end
+
+      # Output the text of the filtered report items
+      # Exit with a non-zero status if any vulnerabilities were found
+      def check
+        puts(to_s)
+        exit(1) unless filtered_items.empty?
+      end
+
+      # Returns a string representation of this audit report
+      def to_s
+        return 'No security vulnerabilities found'.green if filtered_items.empty?
+
+        [].tap do |ary|
+          ary << "Found #{filtered_items.length} security vulnerabilities:".white.on_red
+          filtered_items.each { |item| ary << item.to_s }
+        end.join("\n")
+      end
+    end
+  end
+end

data/lib/firespring_dev_commands/aws/account/info.rb

@@ -0,0 +1,15 @@
+module Dev
+  class Aws
+    class Account
+      # Class which contains information about the Aws account
+      class Info
+        attr_accessor :name, :id
+
+        def initialize(name, id)
+          @name = name
+          @id = id
+        end
+      end
+    end
+  end
+end

data/lib/firespring_dev_commands/aws/account.rb

@@ -0,0 +1,164 @@
+module Dev
+  class Aws
+    # Class containing useful methods for interacting with the Aws account
+    class Account
+      # Config object for setting top level Aws account config options
+      Config = Struct.new(:root, :children, :default, :registry)
+
+      # Instantiates a new top level config object if one hasn't already been created
+      # Yields that config object to any given block
+      # Returns the resulting config object
+      def self.config
+        @config ||= Config.new
+        yield(@config) if block_given?
+        @config
+      end
+
+      # Alias the config method to configure for a slightly clearer access syntax
+      class << self
+        alias_method :configure, :config
+      end
+
+      # The name of the file containing the Aws settings
+      CONFIG_FILE = "#{Dev::Aws::CONFIG_DIR}/config".freeze
+
+      attr_accessor :root, :children, :default, :registry
+
+      # Instantiate an account object
+      # Requires that root account and at least one child account have been configured
+      # All accounts must be of type Dev::Aws::Account::Info
+      # If a registry is configured then the user will be logged in to ECR when they log in to the account
+      def initialize
+        raise 'Root account must be configured' unless self.class.config.root.is_a?(Dev::Aws::Account::Info)
+        raise 'Child accounts must be configured' if self.class.config.children.empty? || !self.class.config.children.all?(Dev::Aws::Account::Info)
+
+        @root = self.class.config.root
+        @children = self.class.config.children
+        @default = self.class.config.default
+        @registry = self.class.config.registry
+      end
+
+      # Returns all configured account information objects
+      def all
+        @all ||= ([root] + children).sort_by(&:name)
+      end
+
+      # Returns the name portion of all configured account information objects
+      def all_names
+        @all_names ||= all.map(&:name)
+      end
+
+      # Returns the id portion of all configured account information objects
+      def all_accounts
+        @all_accounts ||= all.map(&:id)
+      end
+
+      # Look up the account name for the given account id
+      def name_by_account(account)
+        all.find { |it| it.id == account }.name
+      end
+
+      # Setup base Aws settings
+      def base_setup!
+        # Make the base config directory
+        FileUtils.mkdir_p(Dev::Aws::CONFIG_DIR)
+
+        puts
+        puts 'Configuring default login values'
+
+        # Write region and mfa serial to config file
+        cfgini = IniFile.new(filename: "#{Dev::Aws::CONFIG_DIR}/config", default: 'default')
+        defaultini = cfgini['default']
+
+        region_default = defaultini['region'] || ENV['AWS_DEFAULT_REGION'] || Dev::Aws::DEFAULT_REGION
+        defaultini['region'] = Dev::Common.new.ask('Default region name', region_default)
+
+        mfa_default = defaultini['mfa_serial'] || ENV['AWS_MFA_ARN'] || "arn:aws:iam::#{root}:mfa/#{ENV.fetch('USERNAME', nil)}"
+        defaultini['mfa_serial'] = Dev::Common.new.ask('Default mfa arn', mfa_default)
+
+        session_name_default = defaultini['role_session_name'] || "#{ENV.fetch('USERNAME', nil)}_cli"
+        defaultini['role_session_name'] = Dev::Common.new.ask('Default session name', session_name_default)
+
+        duration_default = defaultini['session_duration'] || 36_000
+        defaultini['session_duration'] = Dev::Common.new.ask('Default session duration in seconds', duration_default)
+
+        cfgini.write
+      end
+
+      # Setup Aws account specific settings
+      def setup!(account)
+        # Run base setup if it doesn't exist
+        Rake::Task['aws:configure:default'].invoke unless File.exist?(CONFIG_FILE)
+
+        puts
+        puts "Configuring #{account} login values"
+
+        write!(account)
+        puts
+      end
+
+      # Write Aws account specific settings to the config file
+      def write!(account)
+        raise 'Configure default account settings first (rake aws:configure:default)' unless File.exist?(CONFIG_FILE)
+
+        # Parse the ini file and load values
+        cfgini = IniFile.new(filename: CONFIG_FILE, default: 'default')
+        defaultini = cfgini['default']
+        profileini = cfgini["profile #{account}"]
+
+        profileini['source_profile'] = account
+
+        region_default = profileini['region'] || defaultini['region'] || ENV['AWS_DEFAULT_REGION'] || Dev::Aws::DEFAULT_REGION
+        profileini['region'] = Dev::Common.new.ask('Default region name', region_default)
+
+        role_default = profileini['role_arn'] || "arn:aws:iam::#{account}:role/ReadonlyAccessRole"
+        profileini['role_arn'] = Dev::Common.new.ask('Default role arn', role_default)
+
+        cfgini.write
+      end
+
+      # Menu to select one of the Aws child accounts
+      def select
+        # If there is only one child account, use that
+        return children.first.id if children.length == 1
+
+        # Output a list for the user to select from
+        puts 'Account Selection:'
+        children.each_with_index do |account, i|
+          printf "  %2s) %-20s    %s\n", i + 1, account.name, account.id
+        end
+        selection = Dev::Common.new.ask('Enter the number of the account you wish to log in to', select_default)
+        number = selection.to_i
+        raise "Invalid selection: #{selection}" if number < 1
+
+        # If the selection is 3 characters or more, assume they entered the full account number
+        if selection.length > 3
+          raise "Invalid selection: #{selection}" unless all_accounts.include?(selection)
+
+          return selection
+        end
+
+        # Otherwise they probably entered the number of the account to use
+        # Use the number as the index for lookup in accounts array and then get the value of that number
+        raise "Invalid selection: #{selection}" unless children.length >= number
+
+        children[number - 1].id
+      end
+
+      # Method of determining what the appropriate default account is for the select menu
+      # Filters out the account you are currently logged in to if it's no longer
+      # an option on the project you are currently trying to login on
+      def select_default
+        # If we are currently logged in to one of the configured accounts, use it as the default
+        account_id = Dev::Env.new(Dev::Aws::Profile::CONFIG_FILE).get(Dev::Aws::Profile::IDENTIFIER)
+        return account_id if all_accounts.include?(account_id)
+
+        # Otherwise, if a default is configured, use that
+        return default if default
+
+        # Otherwise, just return the first account
+        children.first.id
+      end
+    end
+  end
+end

data/lib/firespring_dev_commands/aws/cloudformation/parameters.rb

@@ -0,0 +1,26 @@
+module Dev
+  class Aws
+    class Cloudformation
+      # Class which contains Parameters for a Aws cloudformation stack
+      class Parameters
+        attr_accessor :parameters
+
+        def initialize(parameters = {})
+          raise 'parameters should be a hash' unless parameters.is_a?(Hash)
+
+          @parameters = parameters
+        end
+
+        # Returns the given parameters in their default format. Can be passed to a create or update command
+        def default
+          parameters.map { |k, v| {parameter_key: k, parameter_value: v} }
+        end
+
+        # Returns the given parameters all set to use the previous values specified in their templates
+        def preserve
+          parameters.map { |k, _| {parameter_key: k, use_previous_value: true} }
+        end
+      end
+    end
+  end
+end

data/lib/firespring_dev_commands/aws/cloudformation.rb

@@ -0,0 +1,188 @@
+require 'securerandom'
+require 'aws-sdk-s3'
+require 'aws-sdk-cloudformation'
+
+module Dev
+  class Aws
+    # Class for performing cloudformation functions
+    class Cloudformation
+      # Not Started status
+      NOT_STARTED = :not_started
+
+      # Started status
+      STARTED = :started
+
+      # No Changes status
+      NO_CHANGES = :no_changes
+
+      # Failed status
+      FAILED = :failed
+
+      # Finished status
+      FINISHED = :finished
+
+      attr_accessor :client, :name, :template_filename, :parameters, :capabilities, :failure_behavior, :state
+
+      def initialize(name, template_filename, parameters: Dev::Aws::Cloudformation::Parameters.new, capabilities: [], failure_behavior: 'ROLLBACK')
+        raise 'parameters must be an intsance of parameters' unless parameters.is_a?(Dev::Aws::Cloudformation::Parameters)
+
+        @client = nil
+        @name = name
+        @template_filename = template_filename
+        @parameters = parameters
+        @capabilities = capabilities
+        @failure_behavior = failure_behavior
+        @state = NOT_STARTED
+      end
+
+      # Create/set a new client if none is present
+      # Return the client
+      def client
+        @client ||= ::Aws::CloudFormation::Client.new
+      end
+
+      # Create the cloudformation stack
+      def create(should_wait: true)
+        # Call upload function to get the s3 url
+        template_url = upload(template_filename)
+
+        # Create the cloudformation stack
+        client.create_stack(
+          stack_name: name,
+          template_url: template_url,
+          parameters: parameters.default,
+          capabilities: capabilities,
+          on_failure: failure_behavior
+        )
+        @state = STARTED
+        LOG.info "#{name} stack create started at #{Time.now.to_s.light_yellow}"
+
+        # return if we aren't waiting here
+        return unless should_wait
+
+        # Wait if we are supposed to wait
+        create_wait
+        @state = FINISHED
+        LOG.info "#{name} stack create finished at #{Time.now.to_s.light_yellow}"
+      rescue => e
+        LOG.error "Error creating stack: #{e.message}"
+        @state = FAILED
+      end
+
+      # Update the cloudformation stack
+      def update(should_wait: true)
+        # Call upload function to get the s3 url
+        template_url = upload(template_filename)
+
+        # Update the cloudformation stack
+        client.update_stack(
+          stack_name: name,
+          template_url: template_url,
+          parameters: parameters.preserve,
+          capabilities: capabilities
+        )
+        @state = STARTED
+        LOG.info "#{name} stack update started at #{Time.now.to_s.light_yellow}"
+
+        # return if we aren't waiting here
+        return unless should_wait
+
+        # Wait if we are supposed to wait
+        update_wait
+        @state = FINISHED
+        LOG.info "#{name} stack update finished at #{Time.now.to_s.light_yellow}"
+      rescue => e
+        if /no updates/i.match?(e.message)
+          LOG.info "No updates to needed on #{name}".light_yellow
+          @state = NO_CHANGES
+        else
+
+          LOG.error "Error updating stack: #{e.message}"
+          @state = FAILED
+        end
+      end
+
+      # Delete the cloudformation stack
+      def delete(should_wait: true)
+        # Delete the cloudformation stack
+        client.delete_stack(stack_name: name)
+        @state = STARTED
+        LOG.info "#{name} stack delete started at #{Time.now.to_s.light_yellow}"
+
+        # Return if we aren't waiting here
+        return unless should_wait
+
+        # Wait if we are supposed to wait
+        delete_wait
+        @state = FINISHED
+        LOG.info "#{name} stack delete finished at #{Time.now.to_s.light_yellow}"
+      rescue => e
+        LOG.error "Error deleting stack: #{e.message}"
+        @state = FAILED
+      end
+
+      # Wait for create complete
+      def create_wait
+        wait(name, :create_complete)
+      end
+
+      # Wait for update complete
+      def update_wait
+        wait(name, :update_complete)
+      end
+
+      # Wait for delete complete
+      def delete_wait
+        wait(name, :delete_complete)
+      end
+
+      # Wait for the stack name to complete the specified type of action
+      # Defaults to exists
+      def wait(stack_name, type = 'exists', max_attempts: 360, delay: 5)
+        # Don't wait if there's nothing to wait for
+        return if no_changes? || finished?
+
+        client.wait_until(
+          :"stack_#{type}",
+          {stack_name: stack_name},
+          {max_attempts: max_attempts, delay: delay}
+        )
+      rescue ::Aws::Waiters::Errors::WaiterFailed => e
+        raise "Action failed to complete: #{e.message}"
+      end
+
+      # State matches the not started state
+      def not_started?
+        state == NOT_STARTED
+      end
+
+      # State matches the started state
+      def started?
+        state == STARTED
+      end
+
+      # State matches the no_changes state
+      def no_changes?
+        state == NO_CHANGES
+      end
+
+      # State matches the failed state
+      def failed?
+        state == FAILED
+      end
+
+      # State matches the finished state
+      def finished?
+        state == FINISHED
+      end
+
+      # Uploads the filename to the cloudformation templates bucket and returns the url of the file
+      private def upload(filename)
+        s3 = Dev::Aws::S3.new
+        template_bucket = s3.cf_bucket.name
+        key = "#{File.basename(filename)}/#{SecureRandom.uuid}"
+        s3.put(bucket: template_bucket, key: key, filename: filename)
+      end
+    end
+  end
+end