nex_client 0.17.0 → 0.18.0.pre1

data/lib/nex_client/commands/waf.rb

@@ -0,0 +1,134 @@
+# frozen_string_literal: true
+
+module NexClient
+  module Commands
+    module Waf
+      extend Helpers
+
+      WAF_TITLE = "WAF Rules".colorize(:cyan)
+      WAF_HEADERS = ['Rule Group','Value'].map(&:upcase)
+
+      DEFAULT_WAF_RULES = {
+        mode: "SIMULATE",
+        ignore_rule: [],
+        ignore_ruleset: [],
+        add_ruleset_string: [],
+        sieve_rule: []
+      }.stringify_keys.freeze
+
+      def self.configure(c)
+        c.syntax = 'nex-cli apps:waf APP_NAME [options]'
+        c.summary = 'Manage Web Application Firewall rules'
+        c.description = <<~HEREDOC
+          Manage Web Application Firewall Rules
+
+          Specify a JSON (.json) or YAML (.yml) file describing the security rules to apply/ignore. If no files are specified you will be prompted to
+          paste rules in JSON format in the terminal.
+          The WAF always runs in SIMULATE mode by default - this means security events will be logged but no requests will be blocked.
+
+          The list of base rules applied by default is available here: https://github.com/p0pr0ck5/lua-resty-waf/tree/master/rules
+
+          The base WAF behaviour can be extended by passing a JSON (or YAML) manifest to '--ruleset' with the following format:
+            {
+              // Whether the WAF should be enabled, disabled or do log-only
+              // 'ACTIVE', 'INACTIVE' or 'SIMULATE'
+              "mode": "SIMULATE",
+
+              // Array of rule IDs to ignore
+              "ignore_rule": [],
+
+              // Array of rulesets to ignore
+              "ignore_ruleset": [],
+
+              // Array of ['rulename','rule'] objects
+              "add_ruleset_string": [],
+
+              // Rules sieves allow you to apply/ignore rules based on a
+              // specific context such as request parameters
+              // Array of ['rule_id', [{ sieve_cond }, { sieve_cond }] ] objects
+              "sieve_rule": []
+            }
+          See this for more info: https://github.com/p0pr0ck5/lua-resty-waf
+          See this for rule sieves: https://github.com/p0pr0ck5/lua-resty-waf/wiki/Rule-Sieves
+
+        HEREDOC
+        c.example 'update WAF rules via command line prompt', 'nex-cli apps:waf myapp --ruleset'
+        c.example 'update WAF rules via file input', 'nex-cli apps:waf myapp --ruleset /tmp/myruleset.json'
+        c.option '--ruleset [PATH]', String, 'specify web application firewall rules using JSON or YAML file (prompt will appear otherwise). [restart required]'
+        c.option '--clear-ruleset', String, 'remove all rules and revert back to SIMULATE mode'
+
+        c.action do |args, options|
+          manage(args, options)
+        end
+      end
+
+      def self.manage(args, opts)
+        name = args.first
+        app = NexClient::App.find(name: name).first
+
+        # Display error
+        unless app
+          error("Error! Could not find app: #{name}")
+          return false
+        end
+
+        a = update(app, opts)
+        show(a)
+      end
+
+      def self.update(app, opts)
+        # Deep duplicate
+        app_opts = Marshal.load(Marshal.dump((app.opts || {})))
+
+        # Clear all constraints
+        if opts.clear_ruleset
+          app_opts.delete('waf_rules')
+        end
+
+        # Add WAF rules
+        if opts.ruleset.present?
+          waf_rules = begin
+            if opts.ruleset.is_a?(String)
+              hash_from_file(opts.ruleset)
+            else
+              val = ask("Copy/paste your WAF configuration below in JSON format:") { |q| q.gather = "" }
+              JSON.parse(val.join(""))
+            end
+          end
+
+          app_opts['waf_rules'] = waf_rules
+        end
+
+        # Update policies
+        if app.opts != app_opts
+          app.update_attributes({ opts: app_opts })
+          success("Successfully updated WAF rules. Please restart your app to apply these changes...")
+        end
+
+        # Return updated app
+        app
+      end
+
+      def self.show(app)
+        ruleset = DEFAULT_WAF_RULES.merge(app.opts['waf_rules'] || {})
+
+        table = Terminal::Table.new title: WAF_TITLE, headings: WAF_HEADERS do |t|
+          ruleset.each do |group,val|
+            formatted_val = case
+                            when val.blank?
+                              'None'
+                            when val.is_a?(Hash) || val.is_a?(Array)
+                              JSON.pretty_generate(val)
+                            else
+                              val
+                            end
+
+            t.add_row([group, formatted_val])
+          end
+        end
+        puts table
+        puts "\n"
+      end
+    end
+  end
+end

data/lib/nex_client/cube_instance.rb

@@ -23,5 +23,14 @@ module NexClient
 
     # PATCH <api_root>/cube_instances/:id/stop
     custom_endpoint :stop, on: :member, request_method: :patch
+
+    # Common name
+    def self.entity_name
+      'cube'
+    end
+
+    def self.main_key
+      :uuid
+    end
   end
 end

data/lib/nex_client/exec_cmd.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+module NexClient
+  class ExecCmd < BaseResource
+    property :name, type: :string
+    property :status, type: :string
+    property :script, type: :text
+    property :opts, type: :text
+    property :output, type: :string
+    property :local, type: :boolean
+    property :parallel, type: :boolean
+
+    has_one :executor, polymorphic: true
+
+    # PATCH <api_root>/exec_cmds/:id/execute
+    custom_endpoint :execute, on: :member, request_method: :patch
+  end
+end

data/lib/nex_client/faraday_middleware.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+require 'colorize'
+
+module NexClient
+  module FaradayMiddleware
+    autoload :HandleNexApiErrors, 'nex_client/faraday_middleware/handle_nex_api_errors'
+  end
+end

data/lib/nex_client/faraday_middleware/handle_nex_api_errors.rb

@@ -0,0 +1,39 @@
+module NexClient
+  module FaradayMiddleware
+    class MfaTokenInvalidError < Faraday::Error::ClientError
+    end
+
+    class HandleNexApiErrors < Faraday::Response::Middleware
+      ClientErrorStatuses = 400...600
+
+      def call(env)
+        env[:last_request_body] = env[:body]
+        super
+      end
+
+      def on_complete(env)
+        case env[:status]
+        when 404
+          raise Faraday::Error::ResourceNotFound, response_values(env)
+        when 407
+          # mimic the behavior that we get with proxy requests with HTTPS
+          raise Faraday::Error::ConnectionFailed, %{407 "Proxy Authentication Required "}
+        when 499
+          if !env.request_headers['X-MFA-Token'] && NexClient.interactive?
+            env.request_headers['X-MFA-Token'] = ask("Enter your MFA token: ")
+            env[:body] = env[:last_request_body] # after failure env[:body] is set to the response body
+            call(env)
+          else
+            raise MfaTokenInvalidError, response_values(env)
+          end
+        when ClientErrorStatuses
+          raise Faraday::Error::ClientError, response_values(env)
+        end
+      end
+
+      def response_values(env)
+        {:status => env.status, :headers => env.response_headers, :body => env.body}
+      end
+    end
+  end
+end

data/lib/nex_client/version.rb

@@ -1,3 +1,3 @@
 module NexClient
-  VERSION ||= '0.17.0'
+  VERSION ||= '0.18.0.pre1'
 end

data/spec/nex_client/app_spec.rb

@@ -4,6 +4,8 @@ describe NexClient::App do
   subject { described_class.new(id: 1) }
   let(:api_key) { ENV['NEX_API_KEY'] }
 
+  it_behaves_like NexClient::BaseResource
+
   describe 'restart' do
     let!(:stub) { stub_request(:patch, "#{api_key}:@nex-test.com/api/v1/apps/#{subject.id}/restart") }
     before { subject.restart }

data/spec/nex_client/cube_instance_spec.rb

@@ -4,6 +4,8 @@ describe NexClient::CubeInstance do
   subject { described_class.new(id: 1) }
   let(:api_key) { ENV['NEX_API_KEY'] }
 
+  it_behaves_like NexClient::BaseResource
+
   describe 'restart' do
     let!(:stub) { stub_request(:patch, "#{api_key}:@nex-test.com/api/v1/cube_instances/#{subject.id}/restart") }
     before { subject.restart }

data/spec/nex_client/exec_cmd_spec.rb

@@ -0,0 +1,14 @@
+require 'spec_helper'
+
+describe NexClient::ExecCmd do
+  subject { described_class.new(id: 1) }
+  let(:api_key) { ENV['NEX_API_KEY'] }
+
+  it_behaves_like NexClient::BaseResource
+
+  describe 'execute' do
+    let!(:stub) { stub_request(:patch, "#{api_key}:@nex-test.com/api/v1/exec_cmds/#{subject.id}/execute") }
+    before { subject.execute }
+    it { expect(stub).to have_been_requested }
+  end
+end

data/spec/shared/base_resource.rb

@@ -0,0 +1,38 @@
+require 'spec_helper'
+
+shared_examples NexClient::BaseResource do
+  let(:resource_api_name) { described_class.to_s.split('::').last.underscore.pluralize }
+  let(:api_key) { ENV['NEX_API_KEY'] }
+  let(:api_host) { 'nex-test.com' }
+
+  describe 'basic authentication' do
+    let!(:stub) { stub_request(:get, "#{api_key}:@#{api_host}/api/v1/#{resource_api_name}") }
+    before { described_class.all }
+    it { expect(stub).to have_been_requested }
+  end
+
+  describe 'non-interactive MFA authentication' do
+    subject { described_class.all }
+
+    before { stub_request(:get, "#{api_key}:@#{api_host}/api/v1/#{resource_api_name}").to_return(status: 499) }
+    it { is_expected_block.to raise_error(NexClient::FaradayMiddleware::MfaTokenInvalidError) }
+  end
+
+  describe 'successful interactive MFA authentication' do
+    subject { described_class.all }
+
+    before { allow(NexClient).to receive(:interactive?).and_return(true) }
+    before { stub_request(:get, "#{api_key}:@#{api_host}/api/v1/#{resource_api_name}").to_return(status: 499).then.to_return(status: 200) }
+    before { expect_any_instance_of(Object).to receive(:ask).with("Enter your MFA token: ").and_return('12345') }
+    it { is_expected.to eq([]) }
+  end
+
+  describe 'failed interactive MFA authentication' do
+    subject { described_class.all }
+
+    before { allow(NexClient).to receive(:interactive?).and_return(true) }
+    before { stub_request(:get, "#{api_key}:@#{api_host}/api/v1/#{resource_api_name}").to_return(status: 499).then.to_return(status: 499) }
+    before { expect_any_instance_of(Object).to receive(:ask).with("Enter your MFA token: ").and_return('12345') }
+    it { is_expected_block.to raise_error(NexClient::FaradayMiddleware::MfaTokenInvalidError) }
+  end
+end

data/spec/spec_helper.rb

@@ -4,8 +4,14 @@ ENV['NEX_ENV'] = 'test'
 $:.unshift File.expand_path("../../lib", __FILE__)
 
 require 'nex_client'
+require 'nex_client/cli'
 require 'webmock/rspec'
 
+# Add helper and shared specs folders
+spec_dir = File.dirname(File.absolute_path(__FILE__))
+Dir[File.join(spec_dir,"support/**/*.rb")].each { |f| require f }
+Dir[File.join(spec_dir,"shared/**/*.rb")].each { |f| require f }
+
 RSpec.configure do |config|
   # rspec-expectations config goes here. You can use an alternate
   # assertion/expectation library such as wrong or the stdlib/minitest
@@ -37,57 +43,6 @@ RSpec.configure do |config|
   # triggering implicit auto-inclusion in groups with matching metadata.
   config.shared_context_metadata_behavior = :apply_to_host_groups
 
-# The settings below are suggested to provide a good initial experience
-# with RSpec, but feel free to customize to your heart's content.
-=begin
-  # This allows you to limit a spec run to individual examples or groups
-  # you care about by tagging them with `:focus` metadata. When nothing
-  # is tagged with `:focus`, all examples get run. RSpec also provides
-  # aliases for `it`, `describe`, and `context` that include `:focus`
-  # metadata: `fit`, `fdescribe` and `fcontext`, respectively.
-  config.filter_run_when_matching :focus
-
-  # Allows RSpec to persist some state between runs in order to support
-  # the `--only-failures` and `--next-failure` CLI options. We recommend
-  # you configure your source control system to ignore this file.
-  config.example_status_persistence_file_path = "spec/examples.txt"
-
-  # Limits the available syntax to the non-monkey patched syntax that is
-  # recommended. For more details, see:
-  #   - http://rspec.info/blog/2012/06/rspecs-new-expectation-syntax/
-  #   - http://www.teaisaweso.me/blog/2013/05/27/rspecs-new-message-expectation-syntax/
-  #   - http://rspec.info/blog/2014/05/notable-changes-in-rspec-3/#zero-monkey-patching-mode
-  config.disable_monkey_patching!
-
-  # This setting enables warnings. It's recommended, but in some cases may
-  # be too noisy due to issues in dependencies.
-  config.warnings = true
-
-  # Many RSpec users commonly either run the entire suite or an individual
-  # file, and it's useful to allow more verbose output when running an
-  # individual spec file.
-  if config.files_to_run.one?
-    # Use the documentation formatter for detailed output,
-    # unless a formatter has already been configured
-    # (e.g. via a command-line flag).
-    config.default_formatter = 'doc'
-  end
-
-  # Print the 10 slowest examples and example groups at the
-  # end of the spec run, to help surface which specs are running
-  # particularly slow.
-  config.profile_examples = 10
-
-  # Run specs in random order to surface order dependencies. If you find an
-  # order dependency and want to debug it, you can fix the order by providing
-  # the seed, which is printed after each run.
-  #     --seed 1234
-  config.order = :random
-
-  # Seed global randomization in this process using the `--seed` CLI option.
-  # Setting this allows you to use `--seed` to deterministically reproduce
-  # test failures related to randomization by passing the same `--seed` value
-  # as the one that triggered the failure.
-  Kernel.srand config.seed
-=end
+  # Allow is_expected_block to be called instead of: expect { subject }
+  config.include IsExpectedBlock
 end

data/spec/support/is_expected_block.rb

@@ -0,0 +1,5 @@
+module IsExpectedBlock
+  def is_expected_block
+    expect { subject }
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: nex_client
 version: !ruby/object:Gem::Version
-  version: 0.17.0
+  version: 0.18.0.pre1
 platform: ruby
 authors:
 - Arnaud Lachaume
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-12-10 00:00:00.000000000 Z
+date: 2018-07-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: json_api_client
@@ -144,18 +144,26 @@ files:
 - lib/nex_client/commands/cube_instances.rb
 - lib/nex_client/commands/cube_templates.rb
 - lib/nex_client/commands/domains.rb
+- lib/nex_client/commands/events.rb
 - lib/nex_client/commands/exec_tasks.rb
 - lib/nex_client/commands/helpers.rb
+- lib/nex_client/commands/ip_whitelisting.rb
+- lib/nex_client/commands/logs.rb
 - lib/nex_client/commands/organizations.rb
+- lib/nex_client/commands/policies.rb
 - lib/nex_client/commands/racks.rb
 - lib/nex_client/commands/ssl_certificates.rb
 - lib/nex_client/commands/users.rb
+- lib/nex_client/commands/waf.rb
 - lib/nex_client/compute_rack.rb
 - lib/nex_client/cube_instance.rb
 - lib/nex_client/cube_template.rb
 - lib/nex_client/domain.rb
 - lib/nex_client/event.rb
+- lib/nex_client/exec_cmd.rb
 - lib/nex_client/exec_task.rb
+- lib/nex_client/faraday_middleware.rb
+- lib/nex_client/faraday_middleware/handle_nex_api_errors.rb
 - lib/nex_client/gateway_rack.rb
 - lib/nex_client/me.rb
 - lib/nex_client/organization.rb
@@ -167,7 +175,10 @@ files:
 - lib/nex_client/version.rb
 - spec/nex_client/app_spec.rb
 - spec/nex_client/cube_instance_spec.rb
+- spec/nex_client/exec_cmd_spec.rb
+- spec/shared/base_resource.rb
 - spec/spec_helper.rb
+- spec/support/is_expected_block.rb
 homepage: https://maestrano.com
 licenses:
 - Apache-2.0
@@ -183,16 +194,19 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.6.14
 signing_key: 
 specification_version: 4
 summary: Maestrano Nex!™ Client
 test_files:
 - spec/nex_client/app_spec.rb
 - spec/nex_client/cube_instance_spec.rb
+- spec/nex_client/exec_cmd_spec.rb
+- spec/shared/base_resource.rb
 - spec/spec_helper.rb
+- spec/support/is_expected_block.rb