@govuk-pay/cli 0.0.2 → 0.0.4

package/resources/legacy-ruby-cli/lib/pay_cli/commands/local.rb

@@ -0,0 +1,430 @@
+require 'English'
+require 'erb'
+require 'yaml'
+require 'rest-client'
+require 'rotp'
+require 'base32'
+require 'securerandom'
+require 'active_support'
+require 'active_support/core_ext'
+require 'digest'
+require 'mkmf'
+require 'pathname'
+
+REQUIRES_COMPILATION = %w[frontend products-ui selfservice toolbox].freeze
+
+class PayCLI::Commands::Local < Thor
+  map "up" => :launch
+  desc 'launch | up [--cluster <cluster>] [--local <app>] [--proxy] [--apps] [--rebuild]',
+       'Launch a predefined cluster, or a user specified list of apps.' \
+       ' Specify a list of apps that should use your locally checked out code using --local'
+  option :local, :type => :array, :default => []
+  option :proxy, :type => :boolean, :default => false
+  option :cluster, :enum => ['admin', 'card', 'paymentlinks', 'webhooks', 'endtoend', 'java', 'toolbox']
+  option :apps, :type => :array
+  option :rebuild, :type => :boolean, :default => true
+  option :experimental, :type => :boolean, :default => false
+  option :pull, :type => :boolean, :default => true, :desc => "Pull the latest versions of containers prior to launching, override with --no-pull"
+
+  def launch()
+    all = options[:experimental] ? Config::all : Config.boring
+    if options[:cluster]
+      cluster = options[:cluster]
+      warn "🚀  Launching #{cluster} cluster 🚀\n\n"
+      apps = Config::cluster cluster, all
+    elsif options[:apps]
+      cluster = 'custom'
+      warn "🚀  Launching #{options[:apps]} 🚀\n\n"
+      apps = Config::filter options[:apps], all
+    else
+      cluster = 'all'
+      apps = all
+    end
+
+    @node_apps = Config::node apps
+    @java_apps = Config::java apps
+
+    local_app_names = options.fetch :local
+    @local_node_apps = Config.local local_app_names, @node_apps
+    @local_java_apps = Config.local local_app_names, @java_apps
+    @remote_node_apps = Config.remote local_app_names, @node_apps
+    @remote_java_apps = Config.remote local_app_names, @java_apps
+
+    @dbs = Config.db_configs Config.has_db apps
+    @queue_apps = Config.has_queue apps
+    @sns_topic_apps = Config.has_sns_topics apps
+
+    # Force restart of localstack (which mocks aws services)
+    Docker.remove('localstack') if Config.uses_localstack(apps)
+
+    @proxies = if options[:proxy] then Config::proxy_configs Config::has_proxy apps else [] end
+
+    @localstack_init_file = File.realpath(
+      File.join(__dir__, 'local', 'files', 'localstack', 'init-aws.sh')
+    )
+
+    if options[:rebuild]
+      check_for_workspace_env
+
+      threads = []
+      (@local_java_apps + @local_node_apps).each do |app|
+        check_for_local_repo("pay-#{app[:name]}")
+        check_cardid_data if app[:name] == 'cardid'
+
+        threads << Thread.new do
+          ws_dir = Pathname.new(ENV['WORKSPACE']).join("pay-#{app[:name]}")
+
+          if RUBY_PLATFORM.include? 'arm64'
+            arm_dockerfile = ws_dir.join('m1', 'arm64.Dockerfile')
+            dockerfile = arm_dockerfile.exist? ? arm_dockerfile : ws_dir.join('Dockerfile')
+
+            warn "🐋  generating arm64 governmentdigitalservice/pay-#{app[:name]}:local from #{dockerfile}"
+            `(cd #{ws_dir} && docker build -q . -f #{dockerfile} --load -t governmentdigitalservice/pay-#{app[:name]}:local)`
+          else
+            warn "🐋  generating governmentdigitalservice/pay-#{app[:name]}:local"
+            `(cd #{ws_dir} && docker build -q -t governmentdigitalservice/pay-#{app[:name]}:local .)`
+          end
+
+          report_status! $CHILD_STATUS, app[:name], 'loading image for'
+        end
+      end
+
+      threads.each(&:join)
+    end
+
+    Docker::write_compose_file cluster, binding
+
+    if cluster.include? 'endtoend'
+      warn "💁  Here are the endtoend environment variables\n\n#{Config::write_end_to_end_config binding}\n\n"
+    end
+
+    puts Docker::pull cluster if options[:pull]
+    puts Docker::up cluster
+
+    AppClient::wait_for_apps apps
+    AppClient::report_state apps
+  end
+
+  desc 'down --cluster <cluster>',
+       'Bring down a cluster'
+  option :cluster, :enum => ['admin', 'card', 'paymentlinks', 'webhooks', 'endtoend']
+  def down()
+    cluster = options[:cluster]
+    warn "🛬  bringing down #{cluster} cluster"
+    puts Docker::down cluster
+  end
+
+  desc 'healthcheck <cluster>',
+       "Healthcheck"
+
+  def healthcheck(cluster)
+    AppClient::report_state Config::cluster cluster, Config::all
+  end
+
+  desc 'nuke',
+       "Kill and completely destroy all containers previously started by pay local"
+
+  def nuke
+    warn "💥  Nuking all containers previously started by pay local 💥"
+    warn "🚨  WARNING - this deletes the database files too, stop it now or accept your fate 🚨"
+
+    Config::all.each do |app|
+      Docker::remove("#{app[:name]}")
+      Docker::remove("#{app[:name]}-proxy") if app[:proxy]
+      Docker::remove("#{app[:name]}_db") if app[:db]
+    end
+    Docker::remove('localstack')
+    Docker::remove('localRedis')
+  end
+
+  desc 'restart',
+       'Restart a container and waits for it to be healthy.'
+
+  def restart(app_name)
+    warn "😅  restarting #{app_name}"
+
+    puts `docker restart #{app_name}`
+    app = Config::app_by_name(app_name)
+    AppClient::wait_for_apps(app)
+    AppClient::report_state(app)
+  end
+
+  desc 'paymentlink',
+       'Create a new payment link, requires an api token.'
+  option :api_key, :required => true
+
+  def paymentlink
+    product = AppClient::create_payment_link options.fetch :api_key
+
+    links = {}
+    product["_links"].each {|link| links[link["rel"]] = link["href"]}
+
+    warn links
+    `open #{links["pay"]}`
+  end
+
+  map :populate => :user
+  desc 'user',
+       'create a local user'
+  option :create_payments, :type => :boolean, :default => true
+
+  def user
+    warn '🏗️🏗  Constructing useful things for you...'
+    gateway_account_ids = []
+
+    service = AppClient::create_service()
+    service_id = service.fetch('external_id')
+
+    if AppClient::is_app_up?('connector')
+      warn '💳  Card connector is up, creating card gateway account and API Token'
+      card_account = AppClient::create_account(service_id)
+      card_gateway_account_id = extract_gateway_account_id(card_account)
+      card_token = AppClient::create_token(card_gateway_account_id)
+      gateway_account_ids.push(card_gateway_account_id)
+      if options[:create_payments] and AppClient::is_app_up? 'publicapi'
+        warn '💸  Creating payments in card sandbox gateway account'
+        (1..11).to_a.each  do
+          sleep 1
+          (1..5).to_a.each {AppClient::create_payment card_token}
+        end
+      end
+    end
+
+    warn '🤓  Creating admin user for service'
+    user = AppClient::create_user(gateway_account_ids: gateway_account_ids)
+    warn '😎  Creating read only user for service'
+    AppClient::create_user(gateway_account_ids: gateway_account_ids, role_name: 'view-only')
+
+    otp_key = user['otp_key']
+
+    warn TTY::Table.new([
+       ['📧  Email', user[:email]],
+       ['🛂  Password', user[:password]],
+       ['🔑  OTP key', otp_key],
+       ['📱  OTP token', generate_otp_token(otp_key)],
+       ['💁  Service ID', service_id],
+       ['💳  Card gateway account ID', card_gateway_account_id],
+       ['🎫  Card API token', card_token],
+    ]).render(:unicode, padding: 1, multiline: true)
+
+    pbcopy user[:email]
+
+    if AppClient::is_proxy_up? 'selfservice'
+      browse 'selfservice', true
+    elsif AppClient::is_app_up? 'selfservice'
+      browse 'selfservice'
+    end
+  end
+
+  desc 'account',
+       'create a local gateway account'
+  option :service_id
+
+  def account
+    service_id = options.fetch(:service_id, AppClient::create_service().fetch('external_id'))
+    warn "#{AppClient::create_account(service_id).to_json}"
+  end
+
+
+  desc 'token',
+       'create a token'
+  option :gateway_account_id
+
+  def token
+    service = AppClient::create_service()
+    service_id = service.fetch('external_id')
+    gateway_account_id = options.fetch(
+        :gateway_account_id,
+        extract_gateway_account_id( AppClient::create_account service_id)
+    )
+    newToken = AppClient::create_token gateway_account_id
+    warn newToken
+    pbcopy newToken
+  end
+
+  desc 'payment',
+       'create a payment'
+  option :api_key
+  option :email_collection_mode, :default => 'MANDATORY', :enum => ['MANDATORY', 'OPTIONAL', 'OFF']
+
+  def payment
+    api_token = options.fetch(:api_key, false)
+
+    unless api_token
+      warn "👔  Creating gateway account and service"
+
+      email_settings = { email_collection_mode: "#{options.fetch(:email_collection_mode)}" }
+
+      service = AppClient::create_service()
+      service_id = service.fetch('external_id')
+
+      gateway_account_id = extract_gateway_account_id(AppClient::create_account(service_id, email_settings))
+
+      api_token = AppClient::create_token(gateway_account_id)
+
+      warn TTY::Table.new([
+           ['🆔  Gateway account ID', gateway_account_id],
+           ['💁  Service ID', service_id]
+     ]).render(:unicode, padding: 1, multiline: true)
+    end
+
+    warn "💸  Creating payment"
+
+    payment = AppClient::create_payment(api_token)
+    payment_id = payment.fetch('payment_id')
+
+    warn TTY::Table.new([
+       ['💷  Payment ID', payment_id],
+       ['🎫  API token', api_token]
+    ]).render(:unicode, padding: 1, multiline: true)
+
+    next_url = payment.dig('_links', 'next_url', 'href')
+    `open #{next_url}`
+  end
+
+  desc 'otp <key>',
+       'create otp code'
+
+  def otp(key)
+    otp = generate_otp_token(key)
+    warn otp
+    pbcopy otp
+  end
+
+  desc 'db <app_name>',
+       'Connect to <app_name> database, optionally using psql inside the apps database ' \
+       'container (note this means you wont get, or save, your psql history)'
+  option :docker, type: :boolean, default: false
+
+  def db(app_name)
+    if options[:docker]
+      _db_with_docker(app_name)
+    elsif find_executable('psql').nil?
+      warn 'PSQL installation not found locally'
+      _db_with_docker(app_name)
+    else
+      _db_with_local_psql(app_name)
+    end
+  end
+
+  desc 'browse <service>',
+       'browse to local service'
+
+  def browse(app_name, proxy = false)
+    url = base_url(app_name, proxy)
+    `open #{url}`
+  end
+
+  desc 'url <service>',
+       'copy base URL of local service to clipboard'
+
+  def url(app_name, proxy = false)
+    pbcopy base_url(app_name, proxy)
+  end
+
+  no_commands do
+    def generate_otp_token(otp_key)
+      /^[A-Z2-7]+$/.match(otp_key) ? ROTP::TOTP.new(otp_key).now : ROTP::TOTP.new(Base32.encode(otp_key)).now
+    end
+
+    def pbcopy(input)
+      str = input.to_s
+      IO.popen('pbcopy', 'w') { |f| f << str }
+      warn "📋 “#{str}” copied to clipboard"
+      str
+    end
+
+    def extract_gateway_account_id(account)
+      account.fetch('gateway_account_external_id', account.fetch('gateway_account_id'))
+    end
+
+    def base_url(app_name, proxy)
+      if proxy then
+        AppClient::base_proxy_url app_name
+      else
+        AppClient::base_url app_name
+      end
+    end
+
+    def report_status!(child_status, name, action='building')
+      emoji = child_status.success? ? '✅' : '🔴'
+      status = child_status.success? ? 'success' : 'failure'
+
+      warn "#{emoji}  #{action} #{name} was a #{status}"
+    end
+
+    def check_for_workspace_env
+      unless ENV.include? 'WORKSPACE'
+        abort '❌ Environment variable WORKSPACE must be set. ' \
+          'It should be the directory which contains all your other pay-* repos'
+      end
+
+      unless Dir.exist?(ENV['WORKSPACE'])
+        abort "❌ Environment variable WORKSPACE is set to #{ENV['WORKSPACE']} which does not exist." \
+          'It must point to the directory which contains all your other pay-* repos'
+      end
+    end
+
+    def check_for_local_repo(repo_name)
+      repo_path = File.join(ENV['WORKSPACE'], repo_name)
+
+      unless Dir.exist?(repo_path)
+        abort "❌ Repo #{repo_name} does not exist in #{ENV['WORKSPACE']}, "\
+          "you need to clone it with `git clone git@github.com:alphagov/#{repo_name}.git #{repo_path}"
+      end
+    end
+
+    def check_cardid_data
+      cardid_path = File.join(ENV['WORKSPACE'], 'pay-cardid')
+
+      unless Dir.exist?(File.join(cardid_path, 'data', 'sources'))
+        abort '❌ pay-cardid does not have the cardid-data submodule updated. '\
+          'Run `git submodule update --init && git -C data pull origin master` in '\
+          "#{cardid_path} to init and update the cardid-data submodule"
+      end
+    end
+
+    def npm_install(repo_name)
+      repo_path = File.join(ENV['WORKSPACE'], repo_name)
+      `cd #{repo_path} && npm install >>/dev/null 2>&1`
+    end
+
+    def npm_run_compile(repo_name)
+      repo_path = File.join(ENV['WORKSPACE'], repo_name)
+      `cd #{repo_path} && npm run compile >>/dev/null 2>&1`
+    end
+
+    def get_image_from_dockerfile_in_repo(repo_name)
+      repo_path = File.join(ENV['WORKSPACE'], repo_name)
+      m1_dockerfile_path = File.join(repo_path, 'm1', 'arm64.Dockerfile')
+      default_dockerfile_path = File.join(repo_path, 'Dockerfile')
+
+      dockerfile_path =
+        if RUBY_PLATFORM.include?('arm64') && File.exist?(m1_dockerfile_path)
+          m1_dockerfile_path
+        else
+          default_dockerfile_path
+        end
+
+      PayCLI::Commands::Local::ImageExtractor.parse_image_without_sha(dockerfile_path)
+    end
+
+    def _db_with_docker(app_name)
+      normalised_app_name = app_name.tr('-', '_')
+
+      warn 'Running psql in running app db container.'
+      warn 'Note: This means you wont have a psql history, and one will not survive restarts of pay local'
+
+      exec "docker exec -ti -e PGPASSWORD=mysecretpassword #{normalised_app_name}_db \
+            psql --host localhost  --user #{normalised_app_name} --dbname #{normalised_app_name}"
+    end
+
+    def _db_with_local_psql(app_name)
+      normalised_app_name = app_name.tr('-', '_')
+
+      port = Config.all.select { |app| app[:name] == app_name }.map { |app| app[:db_port] }.first
+      exec "PGPASSWORD=mysecretpassword \
+        psql -h localhost -p #{port} -U #{normalised_app_name} -d #{normalised_app_name}"
+    end
+  end
+end

package/resources/legacy-ruby-cli/lib/pay_cli/commands/schema.rb

@@ -0,0 +1,36 @@
+module PayCLI::Commands::Schema
+  def self.usage!
+    STDERR.puts <<~USAGE
+      pay schema ...
+
+      Use this command to generate metadata including ER diagrams for a microservice database.
+
+      Usage
+      - `pay schema [microservice]`    : microservice [connector, adminusers, publicauth, products]
+
+    USAGE
+    exit
+  end
+
+  def self.start!
+    args = ARGV[1..-1] || []
+    usage! if args.empty?
+
+    service = args.first
+    generate_schema service
+  end
+
+  def self.generate_schema(service)
+    begin
+      pay_scripts_absolute_path = File.expand_path('../../../../../pay-scripts', __dir__)
+
+      scripts_dir = ENV['PAY_SCRIPTS_DIR'] || pay_scripts_absolute_path
+      exec "#{scripts_dir}/generate-db-design.sh #{service} --browse"
+    rescue => error
+      puts '`pay-scripts` repository is not found or not latest.'
+      puts 'Make sure repository is latest and is available in the location below or set $PAY_SCRIPTS_DIR environment for location'
+      puts "Location : " + pay_scripts_absolute_path
+    end
+  end
+
+end

package/resources/legacy-ruby-cli/lib/pay_cli/commands/secrets.rb

@@ -0,0 +1,114 @@
+require 'tty-table'
+
+
+class PayCLI::Commands::Secrets < Thor
+  desc 'fetch <env> <service> <secret_name> --use-ssm ',
+       'Fetches a <named secret> for <service> for <env>, if use-ssm is set then get the secret from ssm'
+  method_option :use_ssm, :aliases => "-s", :desc => "Query ssm to get the value"
+  def fetch(env, service, secret_name)
+    PayCLI::StopYubicoAuthenticator.stop_yubico_authenticator!
+    secret_value = PayCLI::Secrets.fetch! env, service, secret_name, options[:use_ssm]
+
+    STDERR.puts "Found value for #{secret_name} in #{env} for #{service}"
+    print secret_value.chomp
+  end
+
+  desc 'audit <service> <env1> [<env2> ... <envn>]',
+       'Audits secrets for <service> for the given <envs*>'
+  def audit(service, *envs)
+    PayCLI::StopYubicoAuthenticator.stop_yubico_authenticator!
+    STDERR.puts "Auditing secrets for #{service} in #{envs.inspect}"
+
+    secrets_for_env = PayCLI::Secrets.secrets_for_service service
+    secrets_in_envs = PayCLI::Secrets.secrets_in_envs_for_service envs, service
+
+    header = [service].concat(envs)
+    rows = secrets_for_env.map do |secret|
+      [secret].concat(
+        envs.map { |e| secrets_in_envs[e].include?(secret) ? '✓' : '' }
+      )
+    end
+    footer = ["Other"].concat(
+      envs.map { |e| (secrets_in_envs[e] - secrets_for_env).join("\n") }
+    )
+
+    table = TTY::Table.new [header] + rows + [footer]
+    STDERR.puts table.render(
+      :unicode,
+      alignment: :center,
+      padding:   1,
+      multiline: true,
+    )
+  end
+
+  desc 'copy <service> <src_env> <dest_env>',
+       'Copies secrets for <service> from <src_env> to <dest_env>'
+  def copy(service, src_env, dest_env)
+    PayCLI::StopYubicoAuthenticator.stop_yubico_authenticator!
+    PayCLI::Secrets.secrets_in_envs_for_service(
+      [src_env],
+      service
+    )[src_env].each do |secret_name|
+      secret_value = PayCLI::Secrets::fetch_secret_for_service_from_env(
+        src_env, service, secret_name
+      )
+
+      old_value = PayCLI::Secrets::fetch_single_secret_from_env_for_service!(
+        dest_env,
+        service,
+        secret_name
+      )
+
+      if old_value == secret_value
+        STDERR.puts "✅   Copying #{secret_name} into #{dest_env} for #{service} would apply no change"
+        next
+      end
+
+      STDERR.puts PayCLI::Secrets.diff_table(
+        old_value,
+        secret_value
+      )
+
+      STDERR.puts "❓  Update value of #{secret_name} in #{dest_env} for #{service}?"
+      if (STDERR.print "   Type 'yes' exactly > "; STDIN.gets.chomp == 'yes')
+
+        STDERR.puts "✅   Updated #{secret_name} in #{dest_env}"
+        PayCLI::Secrets::write_secret_for_service_in_env!(
+          dest_env,
+          service,
+          secret_name,
+          secret_value
+        )
+      end
+    end
+  end
+
+  desc 'provision <service> <env>',
+       'Provisions secrets from config for <service> in <env>'
+  def provision(service, env)
+    PayCLI::StopYubicoAuthenticator.stop_yubico_authenticator!
+    PayCLI::Secrets.secrets_for_service(service).each do |secret_name|
+      old_value = PayCLI::Secrets::fetch_single_secret_from_env_for_service!(
+        env,
+        service,
+        secret_name
+      )
+      new_value = PayCLI::Secrets::fetch!(env, service, secret_name)
+
+      if old_value == new_value
+        STDERR.puts "✅   Provisioning #{secret_name} in #{env} for #{service} would apply no change"
+        next
+      end
+
+      STDERR.puts "❓  Update value of #{secret_name} in #{env} for #{service}?"
+      STDERR.puts PayCLI::Secrets.diff_table(
+        old_value,
+        new_value
+      )
+      if (STDERR.print "   Type 'yes' exactly > "; STDIN.gets.chomp == 'yes')
+        PayCLI::Secrets.write_secret_for_service_in_env!(env,service,secret_name, new_value)
+        STDERR.puts "✅   Updated #{secret_name} for #{service} in #{env}"
+      end
+    end
+  end
+end

package/resources/legacy-ruby-cli/lib/pay_cli/commands/ssm.rb

@@ -0,0 +1,111 @@
+require 'aws-sdk-ec2'
+require 'aws-sdk-autoscaling'
+require 'aws-sdk-elasticloadbalancing'
+
+module PayCLI::Commands::Ssm
+
+  def self.usage!
+    STDERR.puts <<~USAGE
+      pay ssm ...
+
+      - `pay ssm ci-5 build` - connect to build (jenkins) in ci-5
+      - `pay ssm test-12 i-123456` - connect to instance i-123456 in test-12
+      - `pay ssm staging-2 asg toolbox` - connect to a box in the toolbox asg
+
+    USAGE
+    exit
+  end
+
+  def self.start!
+    args = ARGV[1..-1] || []
+    usage! if args.empty?
+
+    PayCLI::StopYubicoAuthenticator.stop_yubico_authenticator!
+
+    env, *args = args
+    usage! if args.length < 1
+    PayCLI::Environment.setup! env
+
+    resource, resource_name, *args = args
+    server_roles = ['build', 'deploy', 'admin', 'bastion']
+
+    instance_id = case
+    when resource.match(/^i-/)
+      resource
+    when server_roles.include?(resource)
+      get_instance_id env, resource
+    when resource == 'asg'
+      get_asg_instance_id env, resource_name
+    when resource == 'app'
+      warn <<~WARN
+
+        `pay ssm app ...` no longer works since the move to fargate.
+
+        Please see usage below for other examples
+
+      WARN
+      usage!
+    else
+      abort "Unknown resource type #{resource}"
+    end
+
+    warn <<~WARN
+      \e[33m
+      ⚠️  WARNING: When using SSM, any and all activity you perform may be getting logged for security auditing purposes (think PCI).
+         Avoid sending or accessing \e[4manything\e[24m that could cause a security breach, such as:
+
+          • Secret API Keys or Tokens
+          • Credentials or Passwords
+          • Cardholder Data or Personally-Identifiable Information (PII)
+          • Anything else that may be protected by GDPR or PCI-DSS
+          • Anything classified as GSC 'Secret' or above
+
+         If you have a problem with this or aren't sure, use Ctrl-C \e[4mright now\e[24m and discontinue your SSM session.
+      \e[0m
+    WARN
+    sleep(5)
+    start_ssm_session(instance_id, env)
+  end
+
+  def self.get_instance_id(env, resource)
+    ec2_client = Aws::EC2::Client.new
+    instances = ec2_client.describe_instances({
+      filters: [
+        {name: 'tag:Environment', values: [env]},
+        {name: 'tag:Role', values: [resource == 'admin' ? 'bastion' : resource]}
+      ]
+    }).reservations.first.instances
+
+    abort "No healthy admin instances found" if instances.empty?
+
+    instances.first.instance_id
+  end
+
+  def self.get_asg_instance_id(env, service)
+    STDERR.puts "Getting instance_id from asg #{service} in #{env}"
+
+    asg_name   = PayCLI::Naming.asg_name(env, service)
+    asg_client = Aws::AutoScaling::Client.new
+
+    asgs       = asg_client.describe_auto_scaling_groups({
+      auto_scaling_group_names: [asg_name],
+    }).auto_scaling_groups
+    abort "No ASGs found for #{service} -> #{asg_name}" if asgs.empty?
+
+    instances = asgs.first.instances
+    abort "No instances found for #{service} -> #{asg_name}" if instances.empty?
+
+    instances.first.instance_id
+  end
+
+  def self.start_ssm_session(instance_id, env)
+    STDERR.puts "SSM to instance #{instance_id} in #{env}"
+
+    pid = spawn(
+      "aws ssm start-session --target \"#{instance_id}\"",
+      in: STDIN, out: STDOUT, err: STDERR
+    )
+    Process.wait pid
+    exit $CHILD_STATUS.exitstatus
+  end
+end