@govuk-pay/cli 0.0.2 → 0.0.4

package/resources/legacy-ruby-cli/lib/pay_cli/secrets.rb

@@ -0,0 +1,276 @@
+require 'open3'
+require 'pp'
+require 'yaml'
+
+require 'aws-sdk-ssm'
+require 'tty-table'
+
+module PayCLI::Secrets
+  SECRETS_FILE_PATH   = File.join(PayCLI::Config::CONFIG_PATH, 'secrets.yml')
+  GENERATE_FILE_PATH = File.join(PayCLI::Config::CONFIG_PATH, 'generate-secrets.yml')
+
+  SECRETS_PROVIDERS = Proc.new do
+    # We should produce a mapping of env -> secret_name -> provider
+    mapping = {}
+
+    generate_secrets_info = YAML.load_file(GENERATE_FILE_PATH)
+
+    YAML.load_file(SECRETS_FILE_PATH).each do |provider, environments|
+      environments.map do |env, secrets|
+        generate_secrets_info.each do |service, service_generate_names|
+          mapping[env] ||= {}
+          service_generate_names.each do | generate_info |
+            mapping[env][service] ||= {}
+            mapping[env][service][generate_info.first] = {
+              provider: 'generate',
+              detail: generate_info.last
+            }
+          end
+        end
+        secrets.each do |service, service_secrets|
+          mapping[env] ||= {}
+
+          service_secrets.each do |secret_info|
+            mapping[env][service] ||= {}
+
+            if secret_info.class == Array
+              secret_name = secret_info.first
+
+              mapping[env][service][secret_name] = {
+                provider: provider,
+                detail: secret_info.last
+              }
+            else
+              mapping[env][service][secret_info] = {
+                provider: provider,
+              }
+            end
+          end
+        end
+      end
+    end
+
+    mapping
+  end.call
+
+  def self.fetch!(env, service, key, query_ssm=false)
+    if query_ssm
+      STDERR.puts "Using ssm to lookup secret"
+      ssm_val =  self.fetch_single_secret_from_env_for_service!(env,service, key)
+      unless ssm_val
+         STDERR.puts "Could not find #{key} for #{service} in #{env} ssm"
+         exit 1
+      end
+      return ssm_val
+    end
+
+
+    unless PayCLI::Secrets::SECRETS_PROVIDERS.key? env
+      STDERR.puts "Could not find #{env} in secrets mapping #{SECRETS_FILE_PATH}"
+      exit 1
+    end
+
+    unless PayCLI::Secrets::SECRETS_PROVIDERS[env].key? service
+      STDERR.puts "Could not find #{service} in secrets mapping #{SECRETS_FILE_PATH} for #{env}"
+      exit 1
+    end
+
+    unless PayCLI::Secrets::SECRETS_PROVIDERS[env][service].key? key
+      STDERR.puts "Could not find #{key} in #{env} secrets mapping for #{service}"
+      exit 1
+    end
+
+    provider = PayCLI::Secrets::SECRETS_PROVIDERS[env][service][key][:provider]
+    STDERR.puts "Found provider #{provider} for key #{key} in #{env} for #{service}"
+
+    case provider
+    when 'local'
+      fetch_local! env, service, key
+    when 'generate'
+      generate! PayCLI::Secrets::SECRETS_PROVIDERS[env][service][key][:detail]
+    when 'value'
+      fetch_value! env, service, key
+    when 'pass'
+      fetch_pass! '', PayCLI::Secrets::SECRETS_PROVIDERS[env][service][key][:detail]
+    when /^pay-.*pass$/
+      pass_path = PayCLI::Secrets::SECRETS_PROVIDERS[env][service][key][:detail]
+      fetch_pay_pass! env, service, key, provider, pass_path
+    else
+      STDERR.puts "Provider #{provider} not supported"
+      exit 1
+    end
+  end
+
+  def self.generate!(detail)
+    puts "Generating #{detail}"
+    detail_array = detail.split(":")
+
+    abort "Incorrect format of generate detail #{detail}" unless detail_array.length == 2
+    method, length = detail_array
+    case method
+    when 'random'
+       SecureRandom.urlsafe_base64(length.to_i)
+    end
+  end
+
+  def self.fetch_pass!(path, pass_path)
+    env = {}
+    env['PASSWORD_STORE_DIR'] = path if path
+
+    stdin, stdout, wait_thr = Open3.popen2(env, "pass #{pass_path}")
+    password = stdout.readline.chomp
+    stdin.close
+    stdout.close
+    pass_status = wait_thr.value
+
+    abort "Pass failed, error above" unless pass_status.success?
+
+    password
+  end
+
+  def self.fetch_pay_pass!(env, service, key, provider, pass_path)
+    path = File.expand_path(File.join(
+        PayCLI::Config::PROJECT_PATH, '..', provider
+    ))
+
+    abort "Path #{path} doesn't exist" unless File.exist? path
+
+    STDERR.puts "Pulling secret #{key} from #{path} for #{service}"
+    fetch_pass! path, pass_path
+  end
+
+  def self.fetch_local!(env, service, key)
+    environments = YAML.load_file(PayCLI::Config::LOCAL_SECRETS_PATH)
+
+    value = environments.fetch(env, nil)&.fetch(service, nil)&.fetch(key, nil)
+    if value.nil?
+      STDERR.puts "Could not find #{key} in #{env} in local provider for #{service}"
+      exit 1
+    end
+
+    value
+  end
+
+  def self.fetch_value!(env, service, key)
+    PayCLI::Secrets::SECRETS_PROVIDERS
+      .fetch(env)
+      .fetch(service)
+      .fetch(key)
+      .fetch(:detail)
+  end
+
+  def self.secrets_for_service(service)
+    secrets_definition_path   = File.join(
+      PayCLI::Config::CONFIG_PATH, 'service_secrets.yml'
+    )
+    secrets_definitions = YAML.load_file(secrets_definition_path)
+
+    unless secrets_definitions.key? service
+      abort "Could not find secrets definition for #{service}"
+    end
+
+    secrets_definitions.fetch service
+  end
+
+  def self.fetch_single_secret_from_env_for_service!(env, service, name)
+    PayCLI::Environment.setup! env
+    ssm = Aws::SSM::Client.new
+
+    begin
+    secret_value = ssm.get_parameter({
+      name:            secret_name(env, service, name),
+      with_decryption: true
+    }).parameter.value
+    rescue Aws::SSM::Errors::ParameterNotFound
+      secret_value = nil
+    end
+
+    secret_value
+  end
+
+  def self.secrets_in_envs_for_service(envs, service)
+    accounts = envs.map { |e| e.split('-').first }.uniq
+    all_parameters = []
+
+    accounts.each do |acc|
+      PayCLI::Environment.setup! acc
+      ssm = Aws::SSM::Client.new
+
+      next_token = nil
+      loop do
+        STDERR.puts "Making request to AWS SSM for #{acc}"
+
+        opts = {}
+        opts[:next_token] = next_token unless next_token.nil?
+
+        response = ssm.describe_parameters(opts)
+
+        next_token = response.next_token
+        all_parameters += response.parameters
+
+        break if next_token.nil?
+      end
+    end
+
+    secrets_per_env = envs.map do |env|
+      secrets = all_parameters
+        .select { |p| p.name =~ /^#{env}_#{service}\./ }
+        .map    { |p| p.name }
+        .map    { |p| p.sub(/^#{env}_#{service}\./, '') }
+        .map    { |p| p.upcase }
+      [env, secrets]
+    end.to_h
+
+    secrets_per_env
+  end
+
+  def self.secret_name(env, service, name)
+    return _concourse_secret_name(service, name) if %w[cd-pay-dev cd-pay-deploy cd-main].include? service
+
+    "#{env}_#{service}.#{name}".downcase
+  end
+
+  def self._concourse_secret_name(service, name)
+    # Service name is `cd-pay-dev` but the ssm name is only `pay-dev` so remove the cd-
+    service = service[3..]
+
+    "/pay-cd/concourse/pipelines/#{service.downcase}/#{name}"
+  end
+
+  def self.write_secret_for_service_in_env!(env, service, name, value)
+    PayCLI::Environment.setup! env
+    ssm = Aws::SSM::Client.new
+
+    STDERR.puts "Updating value of #{name} in #{env} with #{value}"
+    ssm.put_parameter({
+      name:      secret_name(env, service, name),
+      type:      'SecureString',
+      value:     value,
+      overwrite: true,
+    })
+  end
+
+  def self.fetch_secret_for_service_from_env(env, service, name)
+    PayCLI::Environment.setup! env
+    ssm = Aws::SSM::Client.new
+
+    STDERR.puts "Fetching secret #{name} from #{env} / #{service}"
+
+    ssm.get_parameter({
+      name:            secret_name(env, service, name),
+      with_decryption: true
+    }).parameter.value
+  end
+
+  def self.diff_table(old_value, new_value)
+    TTY::Table.new([
+      ['Old',                '=>', 'New'],
+      [old_value,            '',   new_value]
+    ]).render(
+      :unicode,
+      alignment: :center,
+      padding:   1,
+      multiline: true,
+    )
+  end
+end

package/resources/legacy-ruby-cli/lib/pay_cli/stop_yubico_authenticator.rb

@@ -0,0 +1,10 @@
+class PayCLI::StopYubicoAuthenticator
+  def self.stop_yubico_authenticator!
+    if system("killall -0 yubioath-desktop")
+      puts "❓  Yubico Authenticator appears to be running. It can interfere with establishing SSH connections."
+      if (STDERR.print "    To stop Yubico Authenticator type 'yes' exactly > "; STDIN.gets.chomp == 'yes')
+        system("killall yubioath-desktop")
+      end
+    end
+  end
+end

package/resources/legacy-ruby-cli/lib/pay_cli/ykman_oath_credential_config.rb

@@ -0,0 +1,70 @@
+require "tty-prompt"
+require 'open3'
+
+class PayCLI::YkmanOathCredentialConfig
+  attr_reader :config_file_path, :logger
+
+  def initialize(config_file_path: nil, logger: PayCLI::Logger)
+    @config_file_path = config_file_path || default_config_file_path
+    @logger = logger
+  end
+
+  def lookup(account)
+    load!
+    if @config[:ykman_defaults].has_key?(account)
+      yk_name = @config[:ykman_defaults][account]
+      logger.info "Oath code name '#{yk_name}' is selected for '#{account}' in '#{config_file_path}'"
+      yk_name
+    else
+      prompt(account)
+    end
+  end
+
+  def save(account, yk_name)
+    load!
+    @config[:ykman_defaults][account] = yk_name
+    logger.info "Saved your preferred OATH code name for '#{account}' to '#{config_file_path}'"
+    save!
+  end
+
+  def prompt(account)
+    output, err, status = Open3.capture3(%{ykman oath accounts list})
+
+    yk_names = output.lines.map {|line| line.gsub(/ +([0-9]+|\[Touch Credential\])$/,"").chomp }
+
+    prompt = TTY::Prompt.new
+    yk_name = prompt.select("Which code from your yubikey would you like to use for the '#{account}' account?", yk_names)
+
+    if prompt.yes?("Remember this choice?")
+      save(account, yk_name)
+    end
+
+    yk_name
+  end
+
+private  
+  def default_config_file_path
+    Pathname.new(Dir.home) + ".govuk_pay_cli_config.yml"
+  end
+
+  def load!
+    @config ||= YAML.load(File.read(config_file_path))
+  rescue Errno::ENOENT
+    @config ||= {ykman_defaults: {}}
+  end
+
+  def save!
+    File.write(config_file_path, yaml_preamble + YAML.dump(@config))
+  end
+
+  def yaml_preamble
+<<-YAML_PREAMBLE
+# This file is automatically generated by the GOV.UK Pay CLI
+# You can edit settings here if you want
+# 
+# For more info see https://github.com/alphagov/pay-infra/tree/master/cli
+# 
+YAML_PREAMBLE
+  end
+
+end

package/resources/legacy-ruby-cli/lib/zeitwerk_setup.rb

@@ -0,0 +1,5 @@
+require 'zeitwerk'
+loader = Zeitwerk::Loader.new
+loader.push_dir(File.expand_path(__dir__))
+loader.inflector.inflect "pay_cli" => "PayCLI"
+loader.setup # ready!

package/resources/legacy-ruby-cli/package-lock.json

@@ -0,0 +1,6 @@
+{
+  "name": "cli",
+  "lockfileVersion": 2,
+  "requires": true,
+  "packages": {}
+}

package/resources/legacy-ruby-cli/rds_access/connect.sh

@@ -0,0 +1,149 @@
+#!/bin/bash
+
+# Temporary script for tunneling to RDS during development of the bastion solution
+
+set -euo pipefail
+
+function usage() {
+  echo "Usage: $0 <environment> <app>"
+  echo
+  echo "Examples:"
+  echo "    $0 test-12 adminusers"
+  echo "    $0 test-perf-1 ledger"
+  exit 1
+}
+
+function is_help_arg() {
+  if [ "$1" == "-h" ] || [ "$1" == "--help" ]; then
+    return 0
+  fi
+
+  return 1
+}
+
+if [ "$#" -ne 2 ]; then
+  usage
+fi
+
+ENVIRONMENT="$1"
+APP="$2"
+if [[ -z $ENVIRONMENT ]] || [[ -z $APP ]] || is_help_arg "$ENVIRONMENT" || is_help_arg "$APP"; then
+  usage
+fi
+
+for x in aws yq jq ssh-keygen aws-vault ssh
+do
+  if ! command -v $x &> /dev/null
+  then
+    echo "$x is not installed, exiting."
+    exit 1
+  fi
+done
+
+ACCOUNT="${ENVIRONMENT%%-*}"
+KEY_LOCATION="${TMPDIR}rds_tunnel_temp_key"
+
+function cleanup() {
+  echo "cleaning up..."
+  if rm "${KEY_LOCATION}"*; then
+    echo "Removed temp key pair";
+  else
+    echo "Failed to remove key pair from ${KEY_LOCATION}"
+  fi
+}
+
+trap cleanup EXIT
+
+echo "Finding bastion host"
+read -r bastion_instance_id availability_zone <<< "$(aws-vault exec "$ACCOUNT" -- \
+  aws autoscaling describe-auto-scaling-groups | \
+  jq --arg env "$ENVIRONMENT" '.AutoScalingGroups[] | select(.AutoScalingGroupName == $env + "-bastion").Instances[0] | "\(.InstanceId) \(.AvailabilityZone)"' -r)"
+
+if [[ -z $bastion_instance_id ]] || [[ -z $availability_zone ]]; then
+  echo "Failed to find bastion instance"
+  exit 1
+fi
+
+echo "Found bastion $bastion_instance_id"
+
+echo "Getting RDS endpoint"
+rds_endpoint="$(aws-vault exec "$ACCOUNT" -- \
+  aws rds describe-db-instances |\
+  jq --arg rds_instance "${ENVIRONMENT}-${APP}" '.DBInstances[] | select(.DBInstanceIdentifier | startswith($rds_instance)).Endpoint.Address' -r)"
+
+if [[ -z $rds_endpoint ]]; then
+  echo "Failed to find RDS endpoint"
+  exit 1
+fi
+echo "RDS endpoint is: ${rds_endpoint}"
+
+echo "Getting RDS instance engine version"
+engine_version=$(aws-vault exec "$ACCOUNT" -- \
+  aws rds describe-db-instances | \
+  jq -r --arg rds_instance "${ENVIRONMENT}-${APP}" '.DBInstances[] | select(.DBInstanceIdentifier | startswith($rds_instance)).EngineVersion')
+echo "RDS engine_version is ${engine_version}"
+
+echo "Generating ssh key pair, saving to ${KEY_LOCATION}"
+if ! ssh-keygen -q -t rsa -b 4096 -f "$KEY_LOCATION" -N ''; then
+  echo "Failed to generate ssh key pair"
+  exit 1
+fi
+
+echo "Uploading public key to bastion"
+if ! aws-vault exec "$ACCOUNT" -- \
+       aws ec2-instance-connect send-ssh-public-key \
+       --instance-id "$bastion_instance_id" \
+       --availability-zone "$availability_zone" \
+       --instance-os-user ec2-user \
+       --ssh-public-key "file://${KEY_LOCATION}.pub"; then
+
+  echo "Failed to upload public key to bastion"
+  exit 1
+fi
+
+yellow="\033[0;33m"
+reset="\033[0m"
+ul="\033[4m"
+ulstop="\033[24m"
+
+echo -e "${yellow}     ${reset}"
+echo -e "${yellow} ⚠️  WARNING: When using SSM, any and all activity you perform may be getting logged for security auditing purposes (think PCI).${reset}"
+echo -e "${yellow}     Avoid sending or accessing ${ul}anything${ulstop} that could cause a security breach, such as:${reset}"
+echo -e "${yellow}     ${reset}"
+echo -e "${yellow}     • Secret API Keys or Tokens${reset}"
+echo -e "${yellow}     • Credentials or Passwords${reset}"
+echo -e "${yellow}     • Cardholder Data or Personally-Identifiable Information (PII)${reset}"
+echo -e "${yellow}     • Anything else that may be protected by GDPR or PCI-DSS${reset}"
+echo -e "${yellow}     • Anything classified as GSC 'Secret' or above${reset}"
+echo -e "${yellow}     ${reset}"
+echo -e "${yellow}     If you have a problem with this or aren\'t sure, use Ctrl-C ${ul}right now${ulstop} and discontinue your SSM session.${reset}"
+echo -e "${yellow}     ${reset}"
+
+echo "Opening tunnel to rds"
+if ! aws-vault exec "$ACCOUNT" -- \
+      ssh -i "$KEY_LOCATION"  -N -f -M -S temp-ssh.sock \
+      -L 65432:"$rds_endpoint":5432 ec2-user@"$bastion_instance_id" \
+      -o "UserKnownHostsFile=/dev/null" \
+      -o "StrictHostKeyChecking=no" \
+      -o IdentitiesOnly=yes \
+      -o ProxyCommand="aws ssm start-session --target %h --document-name AWS-StartSSHSession --parameters portNumber=%p"; then
+  echo "Failed to open tunnel to RDS"
+  exit 1
+fi
+
+SOURCE_DIRECTORY=$(dirname "$BASH_SOURCE")
+DB_USER=$(yq eval ".value.$ENVIRONMENT.$APP.DB_USER" < "${SOURCE_DIRECTORY}/../config/secrets.yml")
+
+echo -e "Connected tunnel to $APP RDS database in $ENVIRONMENT on port 65432\n"
+echo "Copy DB credentials to clipboard (in another window) using pay-low-pass:"
+echo -e "  pay-low-pass aws/rds/application_users/$ACCOUNT/$DB_USER | pbcopy\n"
+echo "Alternatively, fetch credentials from pay secrets:"
+echo -e "  pay secrets fetch $ENVIRONMENT $APP DB_PASSWORD | pbcopy\n"
+echo "Open psql with:"
+echo -e "  psql -h localhost -p 65432 -U $DB_USER -d $APP\n"
+echo "Alternatively connect using docker instead of needing psql installed locally and set the password automatically using pay-low-pass:"
+echo -e "   docker run --rm -ti postgres:${engine_version}-alpine psql --host docker.for.mac.localhost --port 65432 --user $DB_USER --dbname $APP\n"
+echo "Or even more conveniently connect using a docker container and set the password automatically using pay-low-pass:"
+echo -e "   docker run -e \"PGPASSWORD=\$(pay-low-pass aws/rds/application_users/${ACCOUNT}/${DB_USER})\" --rm -ti postgres:${engine_version}-alpine psql --host docker.for.mac.localhost --port 65432 --user $DB_USER --dbname $APP\n"
+read -rsn1 -p "Press any key to close session."; echo
+ssh -O exit -S temp-ssh.sock '*'

package/resources/legacy-ruby-cli/spec/.rubocop.yml

@@ -0,0 +1,2 @@
+Metrics/BlockLength:
+  IgnoredMethods: ['describe', 'context']

package/resources/legacy-ruby-cli/spec/fixtures/dockerfile_examples/Dockerfile.complex

@@ -0,0 +1,34 @@
+# Preceeding comment
+
+
+FROM node:18.18.0-alpine3.18@sha256:619ce27eb37c7c0476bd518085bf1ba892e2148fc1ab5dbaff2f20c56e50444d as builder
+
+WORKDIR /app
+COPY package.json .
+COPY package-lock.json .
+RUN npm ci --quiet
+
+COPY . .
+RUN npm run compile
+
+FROM node:18.18.0-alpine3.18@sha256:619ce27eb37c7c0476bd518085bf1ba892e2148fc1ab5dbaff2f20c56e50444d as final
+
+RUN ["apk", "--no-cache", "upgrade"]
+
+RUN ["apk", "add", "--no-cache", "tini"]
+
+WORKDIR /app
+COPY . .
+RUN rm -rf ./test
+# Copy in compile assets and deps from build container
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/govuk_modules ./govuk_modules
+COPY --from=builder /app/public ./public
+RUN npm prune --omit=dev
+
+ENV PORT 9000
+EXPOSE 9000
+
+ENTRYPOINT ["tini", "--"]
+
+CMD ["npm", "start"]

package/resources/legacy-ruby-cli/spec/fixtures/dockerfile_examples/Dockerfile.complex_differing_froms

@@ -0,0 +1,33 @@
+# Preceeding comment
+
+FROM node:18.18.0-alpine3.18@sha256:619ce27eb37c7c0476bd518085bf1ba892e2148fc1ab5dbaff2f20c56e50444d as builder
+
+WORKDIR /app
+COPY package.json .
+COPY package-lock.json .
+RUN npm ci --quiet
+
+COPY . .
+RUN npm run compile
+
+FROM node:18.18.0-alpine3.18@sha256:619ce27eb37c7c0476bd518085bf1ba892e2148fc1ab5dbaff2f20c56e50444d as final
+
+RUN ["apk", "--no-cache", "upgrade"]
+
+RUN ["apk", "add", "--no-cache", "tini"]
+
+WORKDIR /app
+COPY . .
+RUN rm -rf ./test
+# Copy in compile assets and deps from build container
+COPY --from=builder /app/node_modules ./node_modules
+COPY --from=builder /app/govuk_modules ./govuk_modules
+COPY --from=builder /app/public ./public
+RUN npm prune --omit=dev
+
+ENV PORT 9000
+EXPOSE 9000
+
+ENTRYPOINT ["tini", "--"]
+
+CMD ["npm", "start"]

package/resources/legacy-ruby-cli/spec/fixtures/dockerfile_examples/Dockerfile.no_from

@@ -0,0 +1,3 @@
+ENV foo=bar
+
+CMD ["bash"]

package/resources/legacy-ruby-cli/spec/fixtures/dockerfile_examples/Dockerfile.simple

@@ -0,0 +1,5 @@
+FROM node:alpine-3.18
+
+ENV foo=bar
+
+CMD ["sh"]

package/resources/legacy-ruby-cli/spec/fixtures/dockerfile_examples/Dockerfile.simple_no_tag

@@ -0,0 +1,5 @@
+FROM node
+
+ENV foo=bar
+
+CMD ["sh"]

package/resources/legacy-ruby-cli/spec/fixtures/dockerfile_examples/Dockerfile.with_sha

@@ -0,0 +1,5 @@
+FROM node:alpine-3.18@sha256:3482a20c97e401b56ac50ba8920cc7b5b2022bfc6aa7d4e4c231755770cf892f
+
+ENV foo=bar
+
+CMD ["sh"]

package/resources/legacy-ruby-cli/spec/fixtures/dockerfile_examples/Dockerfile.with_sha_no_tag

@@ -0,0 +1,5 @@
+FROM node@sha256:b1fdeade9cae98c30bbd8087f26f8da404e6fc48bdd53772017855c1a1d32605
+
+ENV foo=bar
+
+CMD ["sh"]

package/resources/legacy-ruby-cli/spec/lib/pay_cli/commands/local/image_extractor_spec.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+RSpec.describe PayCLI::Commands::Local::ImageExtractor do
+  describe '.parse_image_without_sha' do
+    it 'gives the correct image name and tag on a simple dockerfile' do
+      expect(
+        described_class.parse_image_without_sha(fixture_path('simple'))
+      ).to eq('node:alpine-3.18')
+    end
+
+    it 'gives the correct image name and tag on a simple dockerfile with no image tag' do
+      expect(
+        described_class.parse_image_without_sha(fixture_path('simple_no_tag'))
+      ).to eq('node')
+    end
+
+    it 'gives the correct image name and tag on a dockerfile with an image sha and tag' do
+      expect(
+        described_class.parse_image_without_sha(fixture_path('with_sha'))
+      ).to eq('node:alpine-3.18')
+    end
+
+    it 'gives the correct image name and tag on a dockerfile with an image sha but no tag' do
+      expect(
+        described_class.parse_image_without_sha(fixture_path('with_sha_no_tag'))
+      ).to eq('node')
+    end
+
+    it 'gives the correct image name and tag on a complex dockerfile with multiple FROM lines' do
+      expect(
+        described_class.parse_image_without_sha(fixture_path('complex'))
+      ).to eq('node:18.18.0-alpine3.18')
+    end
+
+    it 'gives the first image name and tag on a complex dockerfile with multiple differing FROM lines' do
+      expect(
+        described_class.parse_image_without_sha(fixture_path('complex_differing_froms'))
+      ).to eq('node:18.18.0-alpine3.18')
+    end
+
+    it 'raises a DockerfileNotFound error if the dockerfile does not exist' do
+      expect { described_class.parse_image_without_sha(fixture_path('DOES_NOT_EXIST')) }
+        .to raise_error(PayCLI::Commands::Local::ImageExtractor::DockerfileNotFound)
+    end
+
+    it 'raises an ImageNotFoundInDockerfile error if the file does not contain a FROM line' do
+      expect { described_class.parse_image_without_sha(fixture_path('no_from')) }
+        .to raise_error(PayCLI::Commands::Local::ImageExtractor::ImageNotFoundInDockerfile)
+    end
+  end
+
+  def fixture_path(dockerfile_name)
+    File.join(__dir__, '..', '..', '..', '..', 'fixtures', 'dockerfile_examples', "Dockerfile.#{dockerfile_name}")
+  end
+end