google-ssl-cert 0.1.0

data/lib/google_ssl_cert/cli/prune.rb

@@ -0,0 +1,88 @@
+class GoogleSslCert::CLI
+  class Prune < Base
+    include GoogleSslCert::Helpers::ProjectNumber
+
+    def run
+      keep = @options[:keep] || 1
+      right = -1 - keep
+      certs = ssl_certs[0..right] || [] # delete all except the last cert
+
+      if certs.empty?
+        logger.info "No timestamped certs to prune with cert name: #{cert_base_name}"
+        return
+      end
+
+      preview_delete(certs) unless @options[:yes]
+      sure?
+      perform_delete(certs)
+    end
+
+    def preview_delete(certs)
+      logger.info "Will delete the following #{type} certs:"
+      certs.each do |cert|
+        logger.info "  #{cert.name}"
+      end
+    end
+
+    def perform_delete(certs)
+      certs.each do |cert|
+        delete(cert)
+      end
+    end
+
+    def delete(cert)
+      options = base_options.merge(ssl_certificate: cert.name)
+      ssl_service.delete(options)
+      logger.info "Deleted #{type} cert: #{cert.name}"
+    end
+
+    def type
+      global? ? "global" : "region"
+    end
+
+    # sadly the filter option doesnt support globs or regexp so will have to filter with ruby
+    def ssl_certs
+      resp = ssl_service.list(base_options)
+      resp.select do |ssl|
+        match?(ssl.name)
+      end.sort_by(&:name)
+    end
+
+    def match?(name)
+      !!(name =~ Regexp.new("^#{cert_base_name}-\\d{14}$"))
+    end
+
+    def cert_base_name
+      @cert_base_name = GoogleSslCert::Name.new(@options).base_name
+    end
+
+    def ssl_service
+      if global?
+        ssl_certificates
+      else
+        region_ssl_certificates
+      end
+    end
+
+    def base_options
+      options = { project: ENV['GOOGLE_PROJECT'] }
+      options[:region] = ENV['GOOGLE_REGION'] unless global?
+      options
+    end
+
+  private
+    def sure?(message="Are you sure?")
+      if @options[:yes]
+        sure = 'y'
+      else
+        print "#{message} (y/N) "
+        sure = $stdin.gets
+      end
+
+      unless sure =~ /^y/
+        puts "Whew! Exiting."
+        exit 0
+      end
+    end
+  end
+end

data/lib/google_ssl_cert/cli/secret.rb

@@ -0,0 +1,15 @@
+class GoogleSslCert::CLI
+  class Secret < GoogleSslCert::Command
+    desc "save", "Save secret value"
+    long_desc Help.text("secret/save")
+    def save(name, value)
+      GoogleSslCert::Secret.new(options).save(name, value)
+    end
+
+    desc "get", "Get secret value"
+    def get(name)
+      value = GoogleSslCert::Secret.new(options).get(name)
+      puts "Secret name: #{name} value #{value}"
+    end
+  end
+end

data/lib/google_ssl_cert/cli.rb

@@ -0,0 +1,62 @@
+module GoogleSslCert
+  class CLI < Command
+    class_option :verbose, type: :boolean
+    class_option :noop, type: :boolean
+
+    secret_name_option = Proc.new do
+      option :secret_name, desc: "Secret name, conventionally matches the cert name"
+    end
+    global_option = Proc.new do
+      option :global, type: :boolean, default: true, desc: "Flag to create global vs region cert"
+    end
+    cert_name_option = Proc.new do
+      option :cert_name, desc: "Google SSL Cert name"
+    end
+
+    desc "create", "Create Google SSL Certificate and save to Secrets Manager"
+    long_desc Help.text(:create)
+    option :private_key, desc: "private key path"
+    option :certificate, desc: "certificate path"
+    option :save_secret, type: :boolean, default: true, desc: "whether or not to save to Google Secrets Manager"
+    option :extra_certs, desc: "Additional certs to be added to the secret value"
+    option :timestamp, type: :boolean, default: true, desc: "Auto-append timestamp to cert name. Appending a timestamp allows auto-pruning also"
+    option :prune, type: :boolean, default: true, desc: "Auto-prune old certs based on timestamp"
+    cert_name_option.call
+    secret_name_option.call
+    global_option.call
+    def create
+      Create.new(options).run
+    end
+
+    desc "prune", "prune Google SSL Certificate and save to Secrets Manager"
+    long_desc Help.text(:prune)
+    cert_name_option.call
+    global_option.call
+    option :yes, aliases: %w[y], type: :boolean, desc: "Skip 'are you sure' prompt"
+    option :keep, type: :numeric, default: 1, desc: "Number of certs to keep"
+    def prune
+      Prune.new(options).run
+    end
+
+    desc "secret SUBCOMMAND", "secret subcommands"
+    long_desc Help.text(:secret)
+    subcommand "secret", Secret
+
+    desc "completion *PARAMS", "Prints words for auto-completion."
+    long_desc Help.text(:completion)
+    def completion(*params)
+      Completer.new(CLI, *params).run
+    end
+
+    desc "completion_script", "Generates a script that can be eval to setup auto-completion."
+    long_desc Help.text(:completion_script)
+    def completion_script
+      Completer::Script.generate
+    end
+
+    desc "version", "prints version"
+    def version
+      puts VERSION
+    end
+  end
+end

data/lib/google_ssl_cert/command.rb

@@ -0,0 +1,89 @@
+require "thor"
+
+# Override thor's long_desc identation behavior
+# https://github.com/erikhuda/thor/issues/398
+class Thor
+  module Shell
+    class Basic
+      def print_wrapped(message, options = {})
+        message = "\n#{message}" unless message[0] == "\n"
+        stdout.puts message
+      end
+    end
+  end
+end
+
+module GoogleSslCert
+  class Command < Thor
+    class << self
+      def dispatch(m, args, options, config)
+        # Allow calling for help via:
+        #   google-ssl-cert command help
+        #   google-ssl-cert command -h
+        #   google-ssl-cert command --help
+        #   google-ssl-cert command -D
+        #
+        # as well thor's normal way:
+        #
+        #   google-ssl-cert help command
+        help_flags = Thor::HELP_MAPPINGS + ["help"]
+        if args.length > 1 && !(args & help_flags).empty?
+          args -= help_flags
+          args.insert(-2, "help")
+        end
+
+        #   google-ssl-cert version
+        #   google-ssl-cert --version
+        #   google-ssl-cert -v
+        version_flags = ["--version", "-v"]
+        if args.length == 1 && !(args & version_flags).empty?
+          args = ["version"]
+        end
+
+        super
+      end
+
+      # Override command_help to include the description at the top of the
+      # long_description.
+      def command_help(shell, command_name)
+        meth = normalize_command_name(command_name)
+        command = all_commands[meth]
+        alter_command_description(command)
+        super
+      end
+
+      def alter_command_description(command)
+        return unless command
+
+        # Add description to beginning of long_description
+        long_desc = if command.long_description
+            "#{command.description}\n\n#{command.long_description}"
+          else
+            command.description
+          end
+
+        # add reference url to end of the long_description
+        unless website.empty?
+          full_command = [command.ancestor_name, command.name].compact.join('-')
+          url = "#{website}/reference/google-ssl-cert-#{full_command}"
+          long_desc += "\n\nHelp also available at: #{url}"
+        end
+
+        command.long_description = long_desc
+      end
+      private :alter_command_description
+
+      # meant to be overriden
+      def website
+        ""
+      end
+
+      # https://github.com/erikhuda/thor/issues/244
+      # Deprecation warning: Thor exit with status 0 on errors. To keep this behavior, you must define `exit_on_failure?` in `Lono::CLI`
+      # You can silence deprecations warning by setting the environment variable THOR_SILENCE_DEPRECATION.
+      def exit_on_failure?
+        true
+      end
+    end
+  end
+end

data/lib/google_ssl_cert/completer/script.rb

@@ -0,0 +1,8 @@
+class GoogleSslCert::Completer
+  class Script
+    def self.generate
+      bash_script = File.expand_path("script.sh", File.dirname(__FILE__))
+      puts "source #{bash_script}"
+    end
+  end
+end

data/lib/google_ssl_cert/completer/script.sh

@@ -0,0 +1,10 @@
+_google-ssl-cert() {
+  COMPREPLY=()
+  local word="${COMP_WORDS[COMP_CWORD]}"
+  local words=("${COMP_WORDS[@]}")
+  unset words[0]
+  local completion=$(google-ssl-cert completion ${words[@]})
+  COMPREPLY=( $(compgen -W "$completion" -- "$word") )
+}
+
+complete -F _google-ssl-cert google-ssl-cert

data/lib/google_ssl_cert/completer.rb

@@ -0,0 +1,159 @@
+=begin
+Code Explanation:
+
+There are 3 types of things to auto-complete:
+
+  1. command: the command itself
+  2. parameters: command parameters.
+  3. options: command options
+
+Here's an example:
+
+  mycli hello name --from me
+
+  * command: hello
+  * parameters: name
+  * option: --from
+
+When command parameters are done processing, the remaining completion words will be options.  We can tell that the command params are completed based on the method arity.
+
+## Arity
+
+For example, say you had a method for a CLI command with the following form:
+
+  ufo scale service count --cluster development
+
+It's equivalent ruby method:
+
+  scale(service, count) = has an arity of 2
+
+So typing:
+
+  ufo scale service count [TAB] # there are 3 parameters including the "scale" command according to Thor's CLI processing.
+
+So the completion should only show options, something like this:
+
+  --noop --verbose --cluster
+
+## Splat Arguments
+
+When the ruby method has a splat argument, it's arity is negative.  Here are some example methods and their arities.
+
+   ship(service) = 1
+   scale(service, count) = 2
+   ships(*services) = -1
+   foo(example, *rest) = -2
+
+Fortunately, negative and positive arity values are processed the same way. So we take simply take the absolute value of the arity and process it the same.
+
+Here are some test cases, hit TAB after typing the command:
+
+  google-ssl-cert completion
+  google-ssl-cert completion hello
+  google-ssl-cert completion hello name
+  google-ssl-cert completion hello name --
+  google-ssl-cert completion hello name --noop
+
+  google-ssl-cert completion
+  google-ssl-cert completion sub:goodbye
+  google-ssl-cert completion sub:goodbye name
+
+## Subcommands and Thor::Group Registered Commands
+
+Sometimes the commands are not simple thor commands but are subcommands or Thor::Group commands. A good specific example is the ufo tool.
+
+  * regular command: ufo ship
+  * subcommand: ufo docker
+  * Thor::Group command: ufo init
+
+Auto-completion accounts for each of these type of commands.
+=end
+module GoogleSslCert
+  class Completer
+    def initialize(command_class, *params)
+      @params = params
+      @current_command = @params[0]
+      @command_class = command_class # CLI initiall
+    end
+
+    def run
+      if subcommand?(@current_command)
+        subcommand_class = @command_class.subcommand_classes[@current_command]
+        @params.shift # destructive
+        Completer.new(subcommand_class, *@params).run # recursively use subcommand
+        return
+      end
+
+      # full command has been found!
+      unless found?(@current_command)
+        puts all_commands
+        return
+      end
+
+      # will only get to here if command aws found (above)
+      arity = @command_class.instance_method(@current_command).arity.abs
+      if @params.size > arity or thor_group_command?
+        puts options_completion
+      else
+        puts params_completion
+      end
+    end
+
+    def subcommand?(command)
+      @command_class.subcommands.include?(command)
+    end
+
+    # hacky way to detect that command is a registered Thor::Group command
+    def thor_group_command?
+      command_params(raw=true) == [[:rest, :args]]
+    end
+
+    def found?(command)
+      public_methods = @command_class.public_instance_methods(false)
+      command && public_methods.include?(command.to_sym)
+    end
+
+    # all top-level commands
+    def all_commands
+      commands = @command_class.all_commands.reject do |k,v|
+        v.is_a?(Thor::HiddenCommand)
+      end
+      commands.keys
+    end
+
+    def command_params(raw=false)
+      params = @command_class.instance_method(@current_command).parameters
+      # Example:
+      # >> Sub.instance_method(:goodbye).parameters
+      # => [[:req, :name]]
+      # >>
+      raw ? params : params.map!(&:last)
+    end
+
+    def params_completion
+      offset = @params.size - 1
+      offset_params = command_params[offset..-1]
+      command_params[offset..-1].first
+    end
+
+    def options_completion
+      used = ARGV.select { |a| a.include?('--') } # so we can remove used options
+
+      method_options = @command_class.all_commands[@current_command].options.keys
+      class_options = @command_class.class_options.keys
+
+      all_options = method_options + class_options + ['help']
+
+      all_options.map! { |o| "--#{o.to_s.gsub('_','-')}" }
+      filtered_options = all_options - used
+      filtered_options.uniq
+    end
+
+    # Useful for debugging. Using puts messes up completion.
+    def log(msg)
+      File.open("/tmp/complete.log", "a") do |file|
+        file.puts(msg)
+      end
+    end
+  end
+end

data/lib/google_ssl_cert/global.rb

@@ -0,0 +1,12 @@
+module GoogleSslCert
+  class Global
+    def initialize(options={})
+      @options = options
+    end
+
+    def global?
+      default_global = !%w[0 false].include?(ENV['GSC_GLOBAL']) # nil will default to true
+      @options[:global].nil? ? default_global : @options[:global]
+    end
+  end
+end

data/lib/google_ssl_cert/google_services.rb

@@ -0,0 +1,30 @@
+require "google-cloud-resource_manager"
+require "google-cloud-secret_manager"
+require "google/cloud/compute/v1/region_ssl_certificates"
+require "google/cloud/compute/v1/ssl_certificates"
+
+module GoogleSslCert
+  module GoogleServices
+    extend Memoist
+
+    def region_ssl_certificates
+      Google::Cloud::Compute::V1::RegionSslCertificates::Rest::Client.new
+    end
+    memoize :region_ssl_certificates
+
+    def secret_manager_service
+      Google::Cloud::SecretManager.secret_manager_service
+    end
+    memoize :secret_manager_service
+
+    def ssl_certificates
+      Google::Cloud::Compute::V1::SslCertificates::Rest::Client.new
+    end
+    memoize :ssl_certificates
+
+    def resource_manager
+      Google::Cloud.new.resource_manager
+    end
+    memoize :resource_manager
+  end
+end

data/lib/google_ssl_cert/helpers/global.rb

@@ -0,0 +1,7 @@
+module GoogleSslCert::Helpers
+  module Global
+    def global?
+      GoogleSslCert::Global.new(@options).global?
+    end
+  end
+end

data/lib/google_ssl_cert/helpers/project_number.rb

@@ -0,0 +1,15 @@
+module GoogleSslCert::Helpers
+  module ProjectNumber
+  private
+    def parent
+      "projects/#{project_number}"
+    end
+
+    @@project_number = nil
+    def project_number
+      return @@project_number if @@project_number
+      project = resource_manager.project(ENV['GOOGLE_PROJECT'])
+      @@project_number = project.project_number
+    end
+  end
+end

data/lib/google_ssl_cert/logger.rb

@@ -0,0 +1,28 @@
+require 'logger'
+
+module GoogleSslCert
+  class Logger < ::Logger
+    def initialize(*args)
+      super
+      self.formatter = Formatter.new
+      self.level = log_level
+    end
+
+    def log_level
+      if ENV['DEBUG']
+        :debug
+      else
+        ENV['GSC_LOG_LEVEL'] || :info # note: only respected when config.logger not set in config/app.rb
+      end
+    end
+
+    def format_message(severity, datetime, progname, msg)
+      line = if @logdev.dev == $stdout || @logdev.dev == $stderr
+        msg # super simple format if stdout
+      else
+        super # use the configured formatter
+      end
+      line =~ /\n$/ ? line : "#{line}\n"
+    end
+  end
+end

data/lib/google_ssl_cert/logging.rb

@@ -0,0 +1,9 @@
+module GoogleSslCert
+  module Logging
+    extend Memoist
+
+    def logger
+      $logger ||= Logger.new($stderr)
+    end
+  end
+end

data/lib/google_ssl_cert/name.rb

@@ -0,0 +1,19 @@
+module GoogleSslCert
+  class Name
+    attr_reader :base_name
+    def initialize(options={})
+      @options = options
+      @base_name = @options[:cert_name] || default_cert_name
+    end
+
+    def generate
+      ts = Time.now.strftime("%Y%m%d%H%M%S") unless @options[:timestamp] == false # nil defaults to true
+      [@base_name, ts].compact.join('-')
+    end
+
+    def default_cert_name
+      type = @options[:global] ? "global" : ENV['GOOGLE_REGION']
+      ["google-ssl-cert", type].join('-')
+    end
+  end
+end

data/lib/google_ssl_cert/secret.rb

@@ -0,0 +1,86 @@
+module GoogleSslCert
+  class Secret < Base
+    extend Memoist
+
+    # CLI commands:
+    #   gcloud secrets create testsecret
+    #   gcloud secrets versions add testsecret --data-file="/tmp/testsecret.txt"
+    #
+    # Secret create API docs
+    #   https://cloud.google.com/secret-manager/docs/creating-and-accessing-secrets#secretmanager-create-secret-ruby
+    #   https://github.com/googleapis/google-cloud-ruby/blob/af60d07b8f134ebc35bee795d127be614abea353/google-cloud-secret_manager-v1/lib/google/cloud/secret_manager/v1/secret_manager_service/client.rb#L307
+    #   https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/create
+    # Secret Versions add API docs
+    #   https://github.com/googleapis/google-cloud-ruby/blob/af60d07b8f134ebc35bee795d127be614abea353/google-cloud-secret_manager-v1/lib/google/cloud/secret_manager/v1/secret_manager_service/client.rb#L379
+    #   https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets/addVersion
+    #   https://cloud.google.com/secret-manager/docs/reference/rest/v1/SecretPayload
+    def save(name, value)
+      validate!
+      create_secret(name, value)
+      url_path = "#{parent}/secrets/#{name}"
+      secret_manager_service.add_secret_version(parent: url_path, payload: {data: value})
+      logger.info "Secret saved: name: #{name} value: #{value}"
+    rescue Google::Cloud::AlreadyExistsError => e
+      logger.error("#{e.class}: #{e.message}")
+    end
+
+    def create_secret(name, value)
+      secret = get_secret(name)
+      return if secret
+      secret_manager_service.create_secret(
+        parent: parent,
+        secret_id: name,
+        secret:    {
+          replication: {
+            automatic: {}
+          }
+        }
+      )
+    end
+
+    def get_secret(name)
+      url_path = "#{parent}/secrets/#{name}"
+      secret_manager_service.get_secret(name: url_path)
+    rescue Google::Cloud::NotFoundError
+      nil
+    rescue Google::Cloud::InvalidArgumentError => e
+      logger.fatal("ERROR: #{e.class}: #{e.message}\n")
+      logger.fatal("Expected format: [[a-zA-Z_0-9]+]")
+      exit 1
+    end
+
+    # CLI commands:
+    #   gcloud secrets list
+    #   gcloud secrets versions access latest --secret testsecret
+    #
+    # Secret access version API docs
+    #   https://cloud.google.com/secret-manager/docs/reference/rest/v1/projects.secrets.versions/access
+    #   https://cloud.google.com/secret-manager/docs/reference/rest/v1/SecretPayload
+    def get(name)
+      version = @options[:version] || "latest"
+      url_path = "#{parent}/secrets/#{name}/versions/#{version}"
+      version = secret_manager_service.access_secret_version(name: url_path)
+      version.payload.data
+    rescue Google::Cloud::NotFoundError => e
+      logger.error "WARN: secret #{name.color(:yellow)} not found"
+      logger.error e.message
+      "NOT FOUND #{name}" # simple string so Kubernetes YAML is valid
+    end
+
+    def validate!
+      errors = []
+      secret_name = @options[:secret_name]
+      if @options[:save_secret] && !secret_name
+        errors << "ERROR: --secret-name must be provided or --no-save-secret option must be used"
+      end
+      # extra validation early to prevent google ssl cert from being created but the secret not being stored
+      if secret_name && secret_name !~ /^[a-zA-Z_\-0-9]+$/
+        errors << "ERROR: --secret-name invalid format. Expected format: [a-zA-Z_0-9]+" # Expected format taken from `gcloud secrets create`
+      end
+      unless errors.empty?
+        logger.error errors.join("\n")
+        exit 1
+      end
+    end
+  end
+end

data/lib/google_ssl_cert/version.rb

@@ -0,0 +1,3 @@
+module GoogleSslCert
+  VERSION = "0.1.0"
+end

data/lib/google_ssl_cert.rb

@@ -0,0 +1,13 @@
+$stdout.sync = true unless ENV["GOOGLE_SSL_CERT_STDOUT_SYNC"] == "0"
+
+$:.unshift(File.expand_path("../", __FILE__))
+
+require "google_ssl_cert/autoloader"
+GoogleSslCert::Autoloader.setup
+
+require "memoist"
+require "rainbow/ext/string"
+
+module GoogleSslCert
+  class Error < StandardError; end
+end