@govuk-pay/cli 0.0.3 → 0.0.4

package/resources/legacy-ruby-cli/config/service_secrets.yml

@@ -0,0 +1,174 @@
+---
+adminusers:
+  - DB_USER
+  - DB_PASSWORD
+  - NOTIFY_API_KEY
+  - NOTIFY_SECRET
+  - SENTRY_DSN
+alb_and_s3_logging_pipeline:
+  - firehose_hec_token
+amazon-managed-prometheus:
+  - pager_duty_cloudwatch_integration_url_in_hours_only
+  - pager_duty_cloudwatch_integration_url_24_7_p1
+cardid:
+  - SENTRY_DSN
+connector:
+  - DB_USER
+  - DB_PASSWORD
+  - NOTIFY_SECRET
+  - NOTIFY_API_KEY
+  - GDS_CONNECTOR_STRIPE_AUTH_TOKEN
+  - GDS_CONNECTOR_STRIPE_AUTH_LIVE_TOKEN
+  - GDS_CONNECTOR_STRIPE_WEBHOOK_SIGN_SECRET
+  - GDS_CONNECTOR_STRIPE_WEBHOOK_LIVE_SIGN_SECRET
+  - GDS_CONNECTOR_STRIPE_CONNECT_APPLICATION_WEBHOOK_LIVE_SIGN_SECRET
+  - GDS_CONNECTOR_STRIPE_CONNECT_APPLICATION_WEBHOOK_TEST_SIGN_SECRET
+  - WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_CERTIFICATE
+  - WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_PRIVATE_KEY
+  - WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_CERTIFICATE_SECONDARY
+  - WORLDPAY_APPLE_PAY_PAYMENT_PROCESSING_PRIVATE_KEY_SECONDARY
+  - SENTRY_DSN
+  - SANDBOX_AUTH_TOKEN
+deploy:
+  - PAGER_DUTY_CLOUDWATCH_INTEGRATION_URL
+  - PAGER_DUTY_CLOUDWATCH_INTEGRATION_URL_STAGING
+pact-broker:
+  - master_db_user
+  - master_db_password
+  - db_user
+  - db_password
+pact-broker-auth:
+  - pact-broker-basic-auth-password
+  - pact-broker-basic-auth-username
+failwhale:
+  - google-analytics-id
+frontend:
+  - GOOGLE_PAY_MERCHANT_ID
+  - GOOGLE_PAY_MERCHANT_ID_2
+  - SESSION_ENCRYPTION_KEY
+  - SESSION_ENCRYPTION_KEY_2
+  - AB_TEST_THRESHOLD
+  - WORLDPAY_APPLE_PAY_MERCHANT_ID
+  - WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE
+  - WORLDPAY_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY
+  - STRIPE_APPLE_PAY_MERCHANT_ID
+  - STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE
+  - STRIPE_APPLE_PAY_MERCHANT_ID_CERTIFICATE_KEY
+  - STRIPE_TEST_PUBLISHABLE_API_KEY
+  - STRIPE_LIVE_PUBLISHABLE_API_KEY
+  - SENTRY_DSN
+  - SENTRY_CSP_REPORT_URI
+network:
+  - PAGER_DUTY_CLOUDWATCH_ALB_INTEGRATION_URL
+publicapi:
+  - TOKEN_API_HMAC_SECRET
+  - SENTRY_DSN
+publicauth:
+  - DB_USER
+  - DB_PASSWORD
+  - TOKEN_DB_BCRYPT_SALT
+  - TOKEN_API_HMAC_SECRET
+  - SENTRY_DSN
+product-page:
+  - pager_duty_cloudwatch_integration_url
+products:
+  - DB_USER
+  - DB_PASSWORD
+  - SENTRY_DSN
+products-ui:
+  - SESSION_ENCRYPTION_KEY
+  - SENTRY_DSN
+  - GOOGLE_RECAPTCHA_SECRET_KEY
+  - GOOGLE_RECAPTCHA_SITE_KEY
+  - GOOGLE_RECAPTCHA_ENTERPRISE_PROJECT_ID
+selfservice:
+  - SESSION_ENCRYPTION_KEY
+  - ZENDESK_API_KEY
+  - ZENDESK_USER
+  - STRIPE_ACCOUNT_API_KEY
+  - SENTRY_DSN
+performance-slack:
+  - SLACK_URI
+ledger:
+  - DB_PASSWORD
+  - DB_USER
+  - SENTRY_DSN
+webhooks:
+  - DB_PASSWORD
+  - DB_USER
+  - SENTRY_DSN
+toolbox:
+  - AUTH_GITHUB_CLIENT_ID
+  - AUTH_GITHUB_CLIENT_SECRET
+  - AUTH_GITHUB_VIEW_ONLY_TEAM_ID
+  - AUTH_GITHUB_USER_SUPPORT_TEAM_ID
+  - AUTH_GITHUB_ADMIN_TEAM_ID
+  - STRIPE_ACCOUNT_API_KEY
+  - STRIPE_ACCOUNT_TEST_API_KEY
+  - SENTRY_DSN
+  - ZENDESK_API_KEY
+  - ZENDESK_USER
+cd-pay-deploy:
+  - cf-password
+  - cf-username
+  - docker-password
+  - docker-username
+  - docker-email
+  - docker-access-token
+  - end-to-end/docker-password
+  - end-to-end/docker-username
+  - end-to-end/docker-email
+  - end-to-end/docker-access-token
+  - github-access-token
+  - pact-broker-username
+  - pact-broker-password
+  - pact-broker/cf-password
+  - pact-broker/cf-username
+  - pact-broker/pact-broker-password
+  - pact-broker/pact-broker-username
+  - pay_aws_deploy_account_id
+  - pay_aws_prod_account_id
+  - pay_aws_staging_account_id
+  - pay_aws_test_account_id
+  - slack-notification-secret
+cd-pay-dev:
+  - cf-password
+  - cf-username
+  - docker-email
+  - docker-username
+  - docker-password
+  - docker-access-token
+  - github-access-token
+  - pact-broker-username
+  - pact-broker-password
+  - pay_aws_deploy_account_id
+  - pay_aws_staging_account_id
+  - pay_aws_test_account_id
+  - pay_aws_ci_account_id
+  - pay_aws_dev_account_id
+  - pay-js-commons/github-access-token
+  - pr-ci/github-access-token
+  - pr-ci/pact-broker-username
+  - pr-ci/pact-broker-password
+  - slack-notification-secret
+  - smartpay-expected-password
+  - smartpay-expected-user
+  - worldpay-expected-password
+  - worldpay-expected-user
+cd-main:
+  - docker-email
+  - docker-username
+  - docker-password
+  - docker-access-token
+  - slack-notification-secret
+webhooks_intrusion_monitoring:
+  - pager_duty_cloudwatch_integration_url
+stubs:
+  - smartpay-expected-password
+  - smartpay-expected-user
+  - worldpay-expected-password
+  - worldpay-expected-user
+codebuild:
+  - docker-username
+  - docker-access-token
+  - github-access-token

package/resources/legacy-ruby-cli/lib/pay_cli/aws/document.rb

@@ -0,0 +1,23 @@
+require 'date'
+require 'English'
+require 'aws-sdk-core'
+
+module PayCLI::Aws
+  class Document
+    def self.security_group_rules!(env)
+       PayCLI::Environment.setup! env
+       ec2 = Aws::EC2::Client.new()
+       vpc_options =  {
+         :filters  => [{ name: "tag:Name" , values: ["#{env}-vpc"] } ]
+       }
+       vpcs = ec2.describe_vpcs(vpc_options)
+       vpc_id = vpcs[:vpcs][0][:vpc_id]
+       STDERR.puts "Got vpc id #{vpc_id} for #{env}"
+       STDERR.puts "Querying aws for security groups and using aws_security_viz to write diagram to security-group-visualisation-latest.svg "
+       pid = system  "bash", "-c" ,"aws_security_viz -o <(aws ec2 describe-security-groups --filters Name=vpc-id,Values=#{vpc_id}) -f security-group-visualisation-latest.svg --color"
+       STDERR.puts "Copy security-group-visualisation-latest.svg in the current directory to https://github.com/alphagov/pay-team-manual/blob/master/images/security-group-visualisation-latest.svg and review"
+       exit $CHILD_STATUS.exitstatus
+    end
+
+  end
+end

package/resources/legacy-ruby-cli/lib/pay_cli/aws/services.rb

@@ -0,0 +1,47 @@
+module PayCLI::Aws::Services
+  def self.wait_for(env, service_name, desired_count)
+    STDERR.puts "🔵  Waiting until >= #{desired_count} of #{service_name}"
+
+    service = ::Aws::ECS::Client.new
+      .describe_services(services: ["#{service_name}"], cluster: env)
+      .services.first
+    lb = service.load_balancers.first
+    tg_arn = lb.target_group_arn
+
+    lb_client = ::Aws::ElasticLoadBalancingV2::Client.new
+
+    (1..).each do |attempt|
+      STDERR.print "\r💤  Waiting (attempt #{attempt})"
+
+      healths = lb_client
+	      .describe_target_health(target_group_arn: tg_arn)
+	      .target_health_descriptions
+
+      healthy_services = healths.select { |h| h.target_health.state == 'healthy' }
+
+      STDERR.print " | Found #{healthy_services.count} healthy #{service_name}"
+
+      break if healthy_services.count >= desired_count
+      sleep 5
+    end
+  end
+
+  def self.scale(env, service_name, desired_count, wait=false)
+    ecs_client = Aws::ECS::Client.new
+
+    STDERR.puts "Scaling desired tasks of #{service_name} in #{env} to #{desired_count}"
+    begin
+        ecs_client
+          .update_service(
+           cluster: env,
+           service: service_name,
+           desired_count: desired_count
+        )
+        STDERR.puts "✅ Scaled #{service_name} in #{env} to #{desired_count}"
+    rescue ::Aws::ECS::Errors::ClientException
+        STDERR.puts "❌ Scaled failed for #{service_name} in #{env} to #{desired_count}"
+    end
+
+    wait_for(env, service_name, desired_count) if wait
+  end
+end

package/resources/legacy-ruby-cli/lib/pay_cli/aws/tokens.rb

@@ -0,0 +1,161 @@
+require 'date'
+require 'English'
+require 'open3'
+
+class PayCLI::Aws::Tokens
+  attr_reader :account, :logger
+
+  def initialize(account, logger: PayCLI::Logger)
+    @account = account
+    @logger = logger
+  end
+
+  def self.setup!(account)
+    self.new(account).ensure!
+  end
+
+  def session_exists_in_env?
+    if ENV.has_key?('AWS_VAULT') && env_has_session_expiration_token?
+      ENV['AWS_VAULT'] == account && Time.parse(get_session_expiration_timestamp) > Time.now
+    end
+  end
+
+  def aws_vault_profiles
+    @aws_vault_profiles ||= begin
+      output, err, status = Open3.capture3("aws-vault list")
+      if status.success?
+        lines = output.lines[2..-1]
+                      .map { |l| l.split(/ +/) }
+
+        lines.inject({}) do |memo, (profile,credentials,sessions)|
+          memo.merge(profile => {
+            credentials: credentials,
+            sessions: sessions
+          })
+        end
+      else
+        logger.error "Unable to invoke aws-vault list due to:\n#{err}"
+        abort
+      end
+    end
+  end
+
+  def session_exists_in_aws_vault?
+    aws_vault_profiles.fetch(account, {}).fetch(:sessions, '-') != '-'
+  end
+
+  def ensure!
+    if !aws_vault_profiles.has_key?(account)
+      help_message_lines = %{
+      The '#{account}' profile has not been set up in aws-vault.
+
+      Ensure that the profile is listed in ~/.aws/config and then add it using `aws-vault add`.
+
+      You probably want to copy your credentials from ~/.aws/credentials.
+
+      The first time you use aws-vault you'll be prompted to create a keychain and set a password.
+
+      After adding each set of credentials to aws-vault, please delete them from the ~/.aws/credentials file
+
+      For more info on aws-vault see:
+        https://github.com/99designs/aws-vault#quick-start
+
+      Currently configured profiles are:
+      }.gsub(/^      /,'').lines[1..-1].map(&:chomp)
+
+      help_message_lines.each do |line|
+        logger.error line.chomp
+      end
+
+      output, err, status = Open3.capture3("aws-vault list")
+      output.lines.each do |line|
+        logger.error "  " + line.chomp
+      end
+      abort
+    end
+
+    if session_exists_in_env?
+      return
+    end
+
+    if session_exists_in_aws_vault?
+      logger.info("Using open aws-vault session for profile '#{account}'")
+    else
+      logger.info("Opening AWS STS session for profile '#{account}' using aws-vault")
+    end
+
+    ENV['YKMAN_OATH_CREDENTIAL_NAME'] ||= get_oath_credential_name(account)
+    output, err, status = Open3.capture3(%{aws-vault exec "#{account}" --prompt ykman -- env})
+
+    if status.success?
+      creds = output.lines.map {|l| l.chomp.split("=", 2)}.select {|k,v| k =~ /^AWS/}
+
+      creds.each do |k,v|
+        ENV[k] = v
+      end
+
+      minutes_remaining = ((Time.parse(get_session_expiration_timestamp) - Time.now) / 60).to_i
+      logger.info "Got credentials for #{account}, expiring in #{minutes_remaining} minutes"
+      if minutes_remaining < 15
+        logger.warn "Only #{minutes_remaining} minutes remaining on the session. Type \"yes\" to continue else exit and run \'aws-vault clear #{account}\' to clear and run again"
+        unless STDIN.gets.chomp == 'yes'
+          logger.info "Exiting"
+          exit 0
+        end
+      end
+    else
+      logger.error "Unable to get credentials for #{account} due to:\n#{err}"
+      abort
+    end
+  rescue Errno::ENOENT => e
+    if e.message =~ /aws-vault/
+      logger.error "It looks like aws-vault is not installed. Please run `pay doctor` for help"
+      abort
+    end
+  end
+
+  def env_has_session_expiration_token?
+    ENV.include?("AWS_CREDENTIAL_EXPIRATION") || ENV.include?("AWS_SESSION_EXPIRATION")
+  end
+
+  def get_session_expiration_timestamp
+    if ENV.include? "AWS_CREDENTIAL_EXPIRATION"
+      return ENV["AWS_CREDENTIAL_EXPIRATION"]
+    end
+
+    if ENV.include? "AWS_SESSION_EXPIRATION"
+      return ENV["AWS_SESSION_EXPIRATION"]
+    end
+
+    logger.error "Neither an AWS_SESSION_EXPIRATION nor an AWS_CREDENTIAL_EXPIRATION env var set"
+    abort
+  end
+
+  def get_oath_credential_name(account)
+    c = PayCLI::YkmanOathCredentialConfig.new
+    c.lookup(account)
+  end
+
+  def time_distance(from, to)
+    distance = (to - from)
+    parts = {}
+    parts[:second] = (distance % 60).floor
+    if distance > 60
+      parts[:minute] = (distance / 60).floor
+    end
+
+    if parts.fetch(:minute, 0) > 3
+      parts.delete(:second)
+    end
+
+    %I{minute second}.select {|k| parts.has_key?(k)}.map {|k| pluralise(parts[k], k.to_s) }.join(" ")
+  end
+
+  def pluralise(num, singular)
+    if num == 1
+      "#{num} #{singular}"
+    else
+      "#{num} #{singular}s"
+    end
+  end
+end

package/resources/legacy-ruby-cli/lib/pay_cli/commands/aws.rb

@@ -0,0 +1,51 @@
+require 'English'
+require 'aws-sdk-route53'
+
+class PayCLI::Commands::Aws < Thor
+  desc 'token <account>', 'fetches a token for <account>'
+  def token(account)
+    PayCLI::Aws::Tokens.setup!(account)
+    STDERR.puts "Found token for #{account}, printing to STDOUT"
+    STDERR.puts "If you aren't already, run this inside $() to set env vars"
+    %w{AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY AWS_SESSION_TOKEN}.each do |varname|
+      puts "export #{varname}=#{ENV[varname]}"
+    end
+    STDERR.puts "Outputted token for #{account} successfully"
+    exit 0
+  end
+
+  desc 'cli <account>', 'opens aws-shell with credentials for <account>'
+  def cli(account)
+    PayCLI::Environment.setup! account
+
+    STDERR.puts
+
+    pid = spawn(
+      'aws-shell',
+      in: STDIN, out: STDOUT, err: STDERR
+    )
+    Process.wait pid
+    exit $CHILD_STATUS.exitstatus
+  end
+
+  desc 'cmd <account> <*args>',
+       'runs args in aws with credentials for <account>'
+  def cmd(account, *args)
+    PayCLI::Environment.setup! account
+
+    pid = spawn(
+      "aws #{args.join(' ')}",
+      in: STDIN, out: STDOUT, err: STDERR
+    )
+    Process.wait pid
+    exit $CHILD_STATUS.exitstatus
+  end
+
+  desc 'document_security_groups <env>',
+       'creates the documentation for the security groups for PCI for <env>'
+  def document_security_groups(account)
+    PayCLI::Environment.setup! account
+    PayCLI::Aws::Document.security_group_rules! account
+  end
+
+end

package/resources/legacy-ruby-cli/lib/pay_cli/commands/browse.rb

@@ -0,0 +1,31 @@
+require 'English'
+
+class PayCLI::Commands::Browse < Thor
+  desc 'manual', 'browses the pay team manual'
+  def manual
+    STDERR.puts 'Opening the team manual'
+    `open https://manual.payments.service.gov.uk`
+    exit $CHILD_STATUS.exitstatus
+  end
+
+  desc 'repo', 'browses the pay-infra github repo'
+  def repo
+    STDERR.puts 'Opening the pay-infra github repository'
+    `open https://github.com/alphagov/pay-infra`
+    exit $CHILD_STATUS.exitstatus
+  end
+
+  desc 'status', 'browses the pay status page'
+  def status
+    STDERR.puts 'Opening the status page'
+    `open http://payments.statuspage.io`
+    exit $CHILD_STATUS.exitstatus
+  end
+
+  desc 'concourse', 'browses the concourse page'
+  def concourse
+    STDERR.puts 'Opening the concourse page'
+    `open https://pay-cd.deploy.payments.service.gov.uk/`
+    exit $CHILD_STATUS.exitstatus
+  end
+end

package/resources/legacy-ruby-cli/lib/pay_cli/commands/doctor.rb

@@ -0,0 +1,154 @@
+require 'fileutils'
+require 'yaml'
+
+class PayCLI::Commands::Doctor
+  def start!
+    check_ruby_version!
+    check_path!
+    check_old_pay_config_dir!
+    check_secrets_file!
+    check_pay_low_pass!
+    check_terraform!
+    check_aws!
+    check_aws_vault!
+    ensure_executable!("session-manager-plugin", "Needed for SSM: brew install session-manager-plugin")
+  end
+
+  def check_ruby_version!
+    repo_version = File.read(File.join(
+      PayCLI::Config::CLI_PATH, '.ruby-version'
+    )).chomp
+
+    if repo_version == RUBY_VERSION
+      STDERR.puts "✅  ruby version is correct"
+    else
+      STDERR.puts "🔥  ruby version is not correct"
+      STDERR.puts "🔥    Repo version: #{repo_version}"
+      STDERR.puts "🔥    Ruby version: #{RUBY_VERSION}"
+    end
+  end
+
+  def check_secrets_file!
+    secrets_template = <<~SECRETS
+      ---
+      test-12:
+        terraform: {}
+        connector: {}
+      ...
+    SECRETS
+
+    secrets_explainer = <<~EXPLAIN
+      # We want to ensure that the local secrets file looks like
+      # Env (map)
+      #   Service (map)
+      #     SecretName => SecretValue
+    EXPLAIN
+
+    if File.exist? PayCLI::Config::LOCAL_SECRETS_PATH
+      STDERR.puts "✅  Local secrets file already exists"
+    else
+      STDERR.puts "🔧  Making local secrets file"
+      FileUtils.mkdir_p File.dirname(PayCLI::Config::LOCAL_SECRETS_PATH)
+      File.write(PayCLI::Config::LOCAL_SECRETS_PATH, secrets_template)
+    end
+
+    secrets_content   = YAML.load_file(PayCLI::Config::LOCAL_SECRETS_PATH)
+    # keys is necessary otherwise yaml gets unwound
+    secrets_are_correct = secrets_content.keys.all? do |env|
+      secrets = secrets_content[env]
+      unless secrets.class == Hash
+        false
+      else
+        if secrets.empty?
+          secrets.class == Hash
+        else
+          # necessary otherwise we get yaml mangling and get the wrong type
+          first_value = secrets[secrets.keys.first]
+          first_value.class == Hash
+        end
+      end
+    end
+
+    if secrets_are_correct
+      STDERR.puts "✅  Local secrets looks okay"
+    else
+      STDERR.puts "🔥  Local secrets file is most likely out of date"
+      STDERR.puts "🔥  Example of a good secrets file:"
+      STDERR.puts "# #{PayCLI::Config::LOCAL_SECRETS_PATH}"
+      STDERR.puts secrets_template
+      STDERR.puts '# end of file'
+      STDERR.puts secrets_explainer
+    end
+  end
+
+  def check_old_pay_config_dir!
+    old_secrets_dir = File.dirname(
+      PayCLI::Config::LOCAL_SECRETS_PATH.gsub('.govuk-', '.')
+    )
+
+    if File.exist? old_secrets_dir
+      STDERR.puts "🔥  Old pay config directory still exists (#{old_secrets_dir})"
+    else
+      STDERR.puts "✅  Old pay config directory deleted"
+    end
+  end
+
+  def check_path!
+    if ENV['PATH'] =~ %r{pay-infra/cli}
+      STDERR.puts "✅  PATH looks okay"
+    else
+      STDERR.puts "🔥  PATH does not contain pay-infra/cli"
+    end
+  end
+
+  def check_pay_low_pass!
+    pay_low_pass_path = File.expand_path(File.join(
+      PayCLI::Config::PROJECT_PATH, '..', 'pay-low-pass'
+    ))
+    if File.exist? pay_low_pass_path
+      STDERR.puts "✅  pay-low-pass is in the right place"
+    else
+      STDERR.puts "🔥  pay-low-pass is not present in #{pay_low_pass_path}"
+    end
+  end
+
+  def check_terraform!
+    ensure_executable!("terraform")
+  end
+
+  def check_aws!
+    ensure_executable!("aws")
+    ensure_executable!("aws-shell")
+  end
+
+  def ensure_executable!(executable, instructions_if_missing = nil)
+    `which "#{executable}"`.chomp
+    if $?.success?
+      STDERR.puts "✅  #{executable} is in your path"
+    else
+      STDERR.puts ["🔥  #{executable} is not in your path", instructions_if_missing].compact.join(". ")
+    end
+  end
+
+  def check_aws_vault!
+    version = `aws-vault --version 2>&1`.chomp
+    if !$?.success?
+      STDERR.puts "🔥  you need to install aws-vault v6.0.0 or greater: brew install aws-vault"
+      return false
+    end
+
+    installed_version = Gem::Version.new(version.gsub(/^v/,""))
+
+    required_version = Gem::Version.new("6.0.0")
+
+    if installed_version < required_version
+      STDERR.puts "🔥  you need to install aws-vault v#{required_version} or greater, but you have #{installed_version}"
+      STDERR.puts "💻  run the following in your terminal:"
+      STDERR.puts "    brew upgrade aws-vault"
+      return false
+    else
+      STDERR.puts "✅  aws-vault #{required_version} or greater is in your path"
+    end
+  end
+
+end