nocoffee-kamal 2.3.0.1

data/lib/kamal/env_file.rb

@@ -0,0 +1,44 @@
+# Encode an env hash as a string where secret values have been looked up and all values escaped for Docker.
+class Kamal::EnvFile
+  def initialize(env)
+    @env = env
+  end
+
+  def to_s
+    env_file = StringIO.new.tap do |contents|
+      @env.each do |key, value|
+        contents << docker_env_file_line(key, value)
+      end
+    end.string
+
+    # Ensure the file has some contents to avoid the SSHKIT empty file warning
+    env_file.presence || "\n"
+  end
+
+  def to_io
+    StringIO.new(to_s)
+  end
+
+  alias to_str to_s
+
+  private
+    def docker_env_file_line(key, value)
+      "#{key}=#{escape_docker_env_file_value(value)}\n"
+    end
+
+    # Escape a value to make it safe to dump in a docker file.
+    def escape_docker_env_file_value(value)
+      # keep non-ascii(UTF-8) characters as it is
+      value.to_s.scan(/[\x00-\x7F]+|[^\x00-\x7F]+/).map do |part|
+        part.ascii_only? ? escape_docker_env_file_ascii_value(part) : part
+      end.join
+    end
+
+    def escape_docker_env_file_ascii_value(value)
+      # Doublequotes are treated literally in docker env files
+      # so remove leading and trailing ones and unescape any others
+      value.to_s.dump[1..-2]
+        .gsub(/\\"/, "\"")
+        .gsub(/\\#/, "#")
+    end
+end

data/lib/kamal/git.rb

@@ -0,0 +1,27 @@
+module Kamal::Git
+  extend self
+
+  def used?
+    system("git rev-parse")
+  end
+
+  def user_name
+    `git config user.name`.strip
+  end
+
+  def email
+    `git config user.email`.strip
+  end
+
+  def revision
+    `git rev-parse HEAD`.strip
+  end
+
+  def uncommitted_changes
+    `git status --porcelain`.strip
+  end
+
+  def root
+    `git rev-parse --show-toplevel`.strip
+  end
+end

data/lib/kamal/secrets/adapters/base.rb

@@ -0,0 +1,23 @@
+class Kamal::Secrets::Adapters::Base
+  delegate :optionize, to: Kamal::Utils
+
+  def fetch(secrets, account:, from: nil)
+    check_dependencies!
+    session = login(account)
+    full_secrets = secrets.map { |secret| [ from, secret ].compact.join("/") }
+    fetch_secrets(full_secrets, account: account, session: session)
+  end
+
+  private
+    def login(...)
+      raise NotImplementedError
+    end
+
+    def fetch_secrets(...)
+      raise NotImplementedError
+    end
+
+    def check_dependencies!
+      raise NotImplementedError
+    end
+end

data/lib/kamal/secrets/adapters/bitwarden.rb

@@ -0,0 +1,81 @@
+class Kamal::Secrets::Adapters::Bitwarden < Kamal::Secrets::Adapters::Base
+  private
+    def login(account)
+      status = run_command("status")
+
+      if status["status"] == "unauthenticated"
+        run_command("login #{account.shellescape}", raw: true)
+        status = run_command("status")
+      end
+
+      if status["status"] == "locked"
+        session = run_command("unlock --raw", raw: true).presence
+        status = run_command("status", session: session)
+      end
+
+      raise RuntimeError, "Failed to login to and unlock Bitwarden" unless status["status"] == "unlocked"
+
+      run_command("sync", session: session, raw: true)
+      raise RuntimeError, "Failed to sync Bitwarden" unless $?.success?
+
+      session
+    end
+
+    def fetch_secrets(secrets, account:, session:)
+      {}.tap do |results|
+        items_fields(secrets).each do |item, fields|
+          item_json = run_command("get item #{item.shellescape}", session: session, raw: true)
+          raise RuntimeError, "Could not read #{item} from Bitwarden" unless $?.success?
+          item_json = JSON.parse(item_json)
+          if fields.any?
+            results.merge! fetch_secrets_from_fields(fields, item, item_json)
+          elsif item_json.dig("login", "password")
+            results[item] = item_json.dig("login", "password")
+          elsif item_json["fields"]&.any?
+            fields = item_json["fields"].pluck("name")
+            results.merge! fetch_secrets_from_fields(fields, item, item_json)
+          else
+            raise RuntimeError, "Item #{item} is not a login type item and no fields were specified"
+          end
+        end
+      end
+    end
+
+    def fetch_secrets_from_fields(fields, item, item_json)
+      fields.to_h do |field|
+        item_field = item_json["fields"].find { |f| f["name"] == field }
+        raise RuntimeError, "Could not find field #{field} in item #{item} in Bitwarden" unless item_field
+        value = item_field["value"]
+        [ "#{item}/#{field}", value ]
+      end
+    end
+
+    def items_fields(secrets)
+      {}.tap do |items|
+        secrets.each do |secret|
+          item, field = secret.split("/")
+          items[item] ||= []
+          items[item] << field
+        end
+      end
+    end
+
+    def signedin?(account)
+      run_command("status")["status"] != "unauthenticated"
+    end
+
+    def run_command(command, session: nil, raw: false)
+      full_command = [ *("BW_SESSION=#{session.shellescape}" if session), "bw", command ].join(" ")
+      result = `#{full_command}`.strip
+      raw ? result : JSON.parse(result)
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "Bitwarden CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `bw --version 2> /dev/null`
+      $?.success?
+    end
+end

data/lib/kamal/secrets/adapters/last_pass.rb

@@ -0,0 +1,39 @@
+class Kamal::Secrets::Adapters::LastPass < Kamal::Secrets::Adapters::Base
+  private
+    def login(account)
+      unless loggedin?(account)
+        `lpass login #{account.shellescape}`
+        raise RuntimeError, "Failed to login to LastPass" unless $?.success?
+      end
+    end
+
+    def loggedin?(account)
+      `lpass status --color never`.strip == "Logged in as #{account}."
+    end
+
+    def fetch_secrets(secrets, account:, session:)
+      items = `lpass show #{secrets.map(&:shellescape).join(" ")} --json`
+      raise RuntimeError, "Could not read #{secrets} from LastPass" unless $?.success?
+
+      items = JSON.parse(items)
+
+      {}.tap do |results|
+        items.each do |item|
+          results[item["fullname"]] = item["password"]
+        end
+
+        if (missing_items = secrets - results.keys).any?
+          raise RuntimeError, "Could not find #{missing_items.join(", ")} in LassPass"
+        end
+      end
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "LastPass CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `lpass --version 2> /dev/null`
+      $?.success?
+    end
+end

data/lib/kamal/secrets/adapters/one_password.rb

@@ -0,0 +1,70 @@
+class Kamal::Secrets::Adapters::OnePassword < Kamal::Secrets::Adapters::Base
+  delegate :optionize, to: Kamal::Utils
+
+  private
+    def login(account)
+      unless loggedin?(account)
+        `op signin #{to_options(account: account, force: true, raw: true)}`.tap do
+          raise RuntimeError, "Failed to login to 1Password" unless $?.success?
+        end
+      end
+    end
+
+    def loggedin?(account)
+      `op account get --account #{account.shellescape} 2> /dev/null`
+      $?.success?
+    end
+
+    def fetch_secrets(secrets, account:, session:)
+      {}.tap do |results|
+        vaults_items_fields(secrets).map do |vault, items|
+          items.each do |item, fields|
+            fields_json = JSON.parse(op_item_get(vault, item, fields, account: account, session: session))
+            fields_json = [ fields_json ] if fields.one?
+
+            fields_json.each do |field_json|
+              # The reference is in the form `op://vault/item/field[/field]`
+              field = field_json["reference"].delete_prefix("op://").delete_suffix("/password")
+              results[field] = field_json["value"]
+            end
+          end
+        end
+      end
+    end
+
+    def to_options(**options)
+      optionize(options.compact).join(" ")
+    end
+
+    def vaults_items_fields(secrets)
+      {}.tap do |vaults|
+        secrets.each do |secret|
+          secret = secret.delete_prefix("op://")
+          vault, item, *fields = secret.split("/")
+          fields << "password" if fields.empty?
+
+          vaults[vault] ||= {}
+          vaults[vault][item] ||= []
+          vaults[vault][item] << fields.join(".")
+        end
+      end
+    end
+
+    def op_item_get(vault, item, fields, account:, session:)
+      labels = fields.map { |field| "label=#{field}" }.join(",")
+      options = to_options(vault: vault, fields: labels, format: "json", account: account, session: session.presence)
+
+      `op item get #{item.shellescape} #{options}`.tap do
+        raise RuntimeError, "Could not read #{fields.join(", ")} from #{item} in the #{vault} 1Password vault" unless $?.success?
+      end
+    end
+
+    def check_dependencies!
+      raise RuntimeError, "1Password CLI is not installed" unless cli_installed?
+    end
+
+    def cli_installed?
+      `op --version 2> /dev/null`
+      $?.success?
+    end
+end

data/lib/kamal/secrets/adapters/test.rb

@@ -0,0 +1,14 @@
+class Kamal::Secrets::Adapters::Test < Kamal::Secrets::Adapters::Base
+  private
+    def login(account)
+      true
+    end
+
+    def fetch_secrets(secrets, account:, session:)
+      secrets.to_h { |secret| [ secret, secret.reverse ] }
+    end
+
+    def check_dependencies!
+      # no op
+    end
+end

data/lib/kamal/secrets/adapters.rb

@@ -0,0 +1,14 @@
+require "active_support/core_ext/string/inflections"
+module Kamal::Secrets::Adapters
+  def self.lookup(name)
+    name = "one_password" if name.downcase == "1password"
+    name = "last_pass" if name.downcase == "lastpass"
+    adapter_class(name)
+  end
+
+  def self.adapter_class(name)
+    Object.const_get("Kamal::Secrets::Adapters::#{name.camelize}").new
+  rescue NameError => e
+    raise RuntimeError, "Unknown secrets adapter: #{name}"
+  end
+end

data/lib/kamal/secrets/dotenv/inline_command_substitution.rb

@@ -0,0 +1,32 @@
+class Kamal::Secrets::Dotenv::InlineCommandSubstitution
+  class << self
+    def install!
+      ::Dotenv::Parser.substitutions.map! { |sub| sub == ::Dotenv::Substitutions::Command ? self : sub }
+    end
+
+    def call(value, _env, overwrite: false)
+      # Process interpolated shell commands
+      value.gsub(Dotenv::Substitutions::Command.singleton_class::INTERPOLATED_SHELL_COMMAND) do |*|
+        # Eliminate opening and closing parentheses
+        command = $LAST_MATCH_INFO[:cmd][1..-2]
+
+        if $LAST_MATCH_INFO[:backslash]
+          # Command is escaped, don't replace it.
+          $LAST_MATCH_INFO[0][1..]
+        else
+          if command =~ /\A\s*kamal\s*secrets\s+/
+            # Inline the command
+            inline_secrets_command(command)
+          else
+            # Execute the command and return the value
+            `#{command}`.chomp
+          end
+        end
+      end
+    end
+
+    def inline_secrets_command(command)
+      Kamal::Cli::Main.start(command.shellsplit[1..] + [ "--inline" ]).chomp
+    end
+  end
+end

data/lib/kamal/secrets.rb

@@ -0,0 +1,42 @@
+require "dotenv"
+
+class Kamal::Secrets
+  Kamal::Secrets::Dotenv::InlineCommandSubstitution.install!
+
+  def initialize(destination: nil)
+    @destination = destination
+    @mutex = Mutex.new
+  end
+
+  def [](key)
+    # Fetching secrets may ask the user for input, so ensure only one thread does that
+    @mutex.synchronize do
+      secrets.fetch(key)
+    end
+  rescue KeyError
+    if secrets_files.present?
+      raise Kamal::ConfigurationError, "Secret '#{key}' not found in #{secrets_files.join(", ")}"
+    else
+      raise Kamal::ConfigurationError, "Secret '#{key}' not found, no secret files (#{secrets_filenames.join(", ")}) provided"
+    end
+  end
+
+  def to_h
+    secrets
+  end
+
+  def secrets_files
+    @secrets_files ||= secrets_filenames.select { |f| File.exist?(f) }
+  end
+
+  private
+    def secrets
+      @secrets ||= secrets_files.inject({}) do |secrets, secrets_file|
+        secrets.merge!(::Dotenv.parse(secrets_file))
+      end
+    end
+
+    def secrets_filenames
+      [ ".kamal/secrets-common", ".kamal/secrets#{(".#{@destination}" if @destination)}" ]
+    end
+end

data/lib/kamal/sshkit_with_ext.rb

@@ -0,0 +1,142 @@
+require "sshkit"
+require "sshkit/dsl"
+require "net/scp"
+require "active_support/core_ext/hash/deep_merge"
+require "json"
+require "concurrent/atomic/semaphore"
+
+class SSHKit::Backend::Abstract
+  def capture_with_info(*args, **kwargs)
+    capture(*args, **kwargs, verbosity: Logger::INFO)
+  end
+
+  def capture_with_debug(*args, **kwargs)
+    capture(*args, **kwargs, verbosity: Logger::DEBUG)
+  end
+
+  def capture_with_pretty_json(*args, **kwargs)
+    JSON.pretty_generate(JSON.parse(capture(*args, **kwargs)))
+  end
+
+  def puts_by_host(host, output, type: "App")
+    puts "#{type} Host: #{host}\n#{output}\n\n"
+  end
+
+  # Our execution pattern is for the CLI execute args lists returned
+  # from commands, but this doesn't support returning execution options
+  # from the command.
+  #
+  # Support this by using kwargs for CLI options and merging with the
+  # args-extracted options.
+  module CommandEnvMerge
+    private
+
+    # Override to merge options returned by commands in the args list with
+    # options passed by the CLI and pass them along as kwargs.
+    def command(args, options)
+      more_options, args = args.partition { |a| a.is_a? Hash }
+      more_options << options
+
+      build_command(args, **more_options.reduce(:deep_merge))
+    end
+
+    # Destructure options to pluck out env for merge
+    def build_command(args, env: nil, **options)
+      # Rely on native Ruby kwargs precedence rather than explicit Hash merges
+      SSHKit::Command.new(*args, **default_command_options, **options, env: env_for(env))
+    end
+
+    def default_command_options
+      { in: pwd_path, host: @host, user: @user, group: @group }
+    end
+
+    def env_for(env)
+      @env.to_h.merge(env.to_h)
+    end
+  end
+  prepend CommandEnvMerge
+end
+
+class SSHKit::Backend::Netssh::Configuration
+  attr_accessor :max_concurrent_starts
+end
+
+class SSHKit::Backend::Netssh
+  module LimitConcurrentStartsClass
+    attr_reader :start_semaphore
+
+    def configure(&block)
+      super &block
+      # Create this here to avoid lazy creation by multiple threads
+      if config.max_concurrent_starts
+        @start_semaphore = Concurrent::Semaphore.new(config.max_concurrent_starts)
+      end
+    end
+  end
+
+  class << self
+    prepend LimitConcurrentStartsClass
+  end
+
+  module LimitConcurrentStartsInstance
+    private
+      def with_ssh(&block)
+        host.ssh_options = self.class.config.ssh_options.merge(host.ssh_options || {})
+        self.class.pool.with(
+          method(:start_with_concurrency_limit),
+          String(host.hostname),
+          host.username,
+          host.netssh_options,
+          &block
+        )
+      end
+
+      def start_with_concurrency_limit(*args)
+        if self.class.start_semaphore
+          self.class.start_semaphore.acquire do
+            Net::SSH.start(*args)
+          end
+        else
+          Net::SSH.start(*args)
+        end
+      end
+  end
+
+  prepend LimitConcurrentStartsInstance
+end
+
+class SSHKit::Runner::Parallel
+  # SSHKit joins the threads in sequence and fails on the first error it encounters, which means that we wait threads
+  # before the first failure to complete but not for ones after.
+  #
+  # We'll patch it to wait for them all to complete, and to record all the threads that errored so we can see when a
+  # problem occurs on multiple hosts.
+  module CompleteAll
+    def execute
+      threads = hosts.map do |host|
+        Thread.new(host) do |h|
+          backend(h, &block).run
+        rescue ::StandardError => e
+          e2 = SSHKit::Runner::ExecuteError.new e
+          raise e2, "Exception while executing #{host.user ? "as #{host.user}@" : "on host "}#{host}: #{e.message}"
+        end
+      end
+
+      exceptions = []
+      threads.each do |t|
+        begin
+          t.join
+        rescue SSHKit::Runner::ExecuteError => e
+          exceptions << e
+        end
+      end
+      if exceptions.one?
+        raise exceptions.first
+      elsif exceptions.many?
+        raise exceptions.first, [ "Exceptions on #{exceptions.count} hosts:", exceptions.map(&:message) ].join("\n")
+      end
+    end
+  end
+
+  prepend CompleteAll
+end

data/lib/kamal/tags.rb

@@ -0,0 +1,40 @@
+require "time"
+
+class Kamal::Tags
+  attr_reader :config, :tags
+
+  class << self
+    def from_config(config, **extra)
+      new(**default_tags(config), **extra)
+    end
+
+    def default_tags(config)
+      { recorded_at: Time.now.utc.iso8601,
+        performer: Kamal::Git.email.presence || `whoami`.chomp,
+        destination: config.destination,
+        version: config.version,
+        service_version: service_version(config),
+        service: config.service }
+    end
+
+    def service_version(config)
+      [ config.service, config.abbreviated_version ].compact.join("@")
+    end
+  end
+
+  def initialize(**tags)
+    @tags = tags.compact
+  end
+
+  def env
+    tags.transform_keys { |detail| "KAMAL_#{detail.upcase}" }
+  end
+
+  def to_s
+    tags.values.map { |value| "[#{value}]" }.join(" ")
+  end
+
+  def except(*tags)
+    self.class.new(**self.tags.except(*tags))
+  end
+end

data/lib/kamal/utils/sensitive.rb

@@ -0,0 +1,20 @@
+require "active_support/core_ext/module/delegation"
+require "sshkit"
+
+class Kamal::Utils::Sensitive
+  # So SSHKit knows to redact these values.
+  include SSHKit::Redaction
+
+  attr_reader :unredacted, :redaction
+  delegate :to_s, to: :unredacted
+  delegate :inspect, to: :redaction
+
+  def initialize(value, redaction: "[REDACTED]")
+    @unredacted, @redaction = value, redaction
+  end
+
+  # Sensitive values won't leak into YAML output.
+  def encode_with(coder)
+    coder.represent_scalar nil, redaction
+  end
+end