@govuk-pay/cli 0.0.49 → 0.0.51

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@govuk-pay/cli",
-  "version": "0.0.49",
+  "version": "0.0.51",
   "description": "GOV.UK Pay Command Line Interface",
   "bin": {
     "pay": "bin/cli.js",
@@ -14,10 +14,11 @@
     "node": ">= 18.x"
   },
   "dependencies": {
-    "@aws-sdk/client-ec2": "^3.641.0",
-    "@aws-sdk/client-ecs": "^3.637.0",
-    "@aws-sdk/client-rds": "^3.637.0",
-    "@aws-sdk/client-ssm": "^3.651.1",
+    "@aws-sdk/client-ec2": "^3.709.0",
+    "@aws-sdk/client-ecs": "^3.709.0",
+    "@aws-sdk/client-rds": "^3.709.0",
+    "@aws-sdk/client-ssm": "^3.709.0",
+    "@aws-sdk/client-sts": "^3.709.0",
     "handlebars": "^4.7.8",
     "openurl": "^1.1.1",
     "semver": "^7.6.3",

package/resources/legacy-ruby-cli/config/secrets.yml

@@ -331,6 +331,7 @@ pay-low-pass:
       DB_SUPPORT_PASSWORD_READWRITE:                aws/rds/support_readwrite_users/staging/ledger_support_readwrite # pragma: allowlist secret
       SENTRY_DSN:                                   sentry_io/ledger_dsn
     products:
+      DB_PASSWORD:                                  aws/rds/application_users/staging/products
       DB_SUPPORT_PASSWORD_READONLY:                 aws/rds/support_readonly_users/staging/products_support_readonly # pragma: allowlist secret
       DB_SUPPORT_PASSWORD_READWRITE:                aws/rds/support_readwrite_users/staging/products_support_readwrite # pragma: allowlist secret
       SENTRY_DSN:                                   sentry_io/products_dsn
@@ -344,6 +345,7 @@ pay-low-pass:
       # the words 'Password Store'. They are not in pay-low-pass, so for now to stop them being overwritten I'm commenting them out
       # TOKEN_API_HMAC_SECRET:                        ""
     publicauth:
+      DB_PASSWORD:                                  aws/rds/application_users/staging/publicauth
       DB_SUPPORT_PASSWORD_READONLY:                 aws/rds/support_readonly_users/staging/publicauth_support_readonly # pragma: allowlist secret
       DB_SUPPORT_PASSWORD_READWRITE:                aws/rds/support_readwrite_users/staging/publicauth_support_readwrite # pragma: allowlist secret
       SENTRY_DSN:                                   sentry_io/publicauth_dsn
@@ -438,6 +440,7 @@ pay-low-pass:
     product-page:
       pager_duty_cloudwatch_integration_url:        pager-duty/govuk-pay-product-page/amazon-cloudwatch-integration-url
     products:
+      DB_PASSWORD:                                  aws/rds/application_users/production/products
       DB_SUPPORT_PASSWORD_READONLY:                 aws/rds/support_readonly_users/production/products_support_readonly # pragma: allowlist secret
       DB_SUPPORT_PASSWORD_READWRITE:                aws/rds/support_readwrite_users/production/products_support_readwrite # pragma: allowlist secret
       SENTRY_DSN:                                   sentry_io/products_dsn
@@ -449,6 +452,7 @@ pay-low-pass:
     publicapi:
       SENTRY_DSN:                                   sentry_io/publicapi_dsn
     publicauth:
+      DB_PASSWORD:                                  aws/rds/application_users/production/publicauth
       DB_SUPPORT_PASSWORD_READONLY:                 aws/rds/support_readonly_users/production/publicauth_support_readonly # pragma: allowlist secret
       DB_SUPPORT_PASSWORD_READWRITE:                aws/rds/support_readwrite_users/production/publicauth_support_readwrite # pragma: allowlist secret
       SENTRY_DSN:                                   sentry_io/publicauth_dsn

package/src/commands/tunnel.js

@@ -5,6 +5,7 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.handler = exports.builder = exports.desc = exports.command = void 0;
 const standardContent_js_1 = require("../core/standardContent.js");
+const configs_js_1 = require("../util/configs.js");
 const client_ec2_1 = require("@aws-sdk/client-ec2");
 const client_ecs_1 = require("@aws-sdk/client-ecs");
 const client_rds_1 = require("@aws-sdk/client-rds");
@@ -75,6 +76,7 @@ async function tunnelHandler(argv) {
     await (0, standardContent_js_1.showHeader)();
     const environment = argv.environment;
     const application = argv.application;
+    await (0, configs_js_1.checkAwsCredentials)(environment.split('-')[0]);
     console.log(`Opening a database tunnel to ${environment} ${application}`);
     let maximumDuration = 90;
     if (process.env.MAXIMUM_DURATION !== undefined) {
@@ -443,7 +445,7 @@ async function getDbUser(environment, application, dbAccessType) {
     }
     else {
         printError('Unable to get database username from Parameter Store');
-        return '';
+        throw new Error(`The parameter store parameter ${paramName} is missing in ${environment}`);
     }
 }
 function getPayLowPassDbSecretName(environment, user, dbAccessType) {

package/src/core/constants.js

@@ -1,33 +1,13 @@
 "use strict";
-var __createBinding = (this && this.__createBinding) || (Object.create ? (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    var desc = Object.getOwnPropertyDescriptor(m, k);
-    if (!desc || ("get" in desc ? !m.__esModule : desc.writable || desc.configurable)) {
-      desc = { enumerable: true, get: function() { return m[k]; } };
-    }
-    Object.defineProperty(o, k2, desc);
-}) : (function(o, m, k, k2) {
-    if (k2 === undefined) k2 = k;
-    o[k2] = m[k];
-}));
-var __setModuleDefault = (this && this.__setModuleDefault) || (Object.create ? (function(o, v) {
-    Object.defineProperty(o, "default", { enumerable: true, value: v });
-}) : function(o, v) {
-    o["default"] = v;
-});
-var __importStar = (this && this.__importStar) || function (mod) {
-    if (mod && mod.__esModule) return mod;
-    var result = {};
-    if (mod != null) for (var k in mod) if (k !== "default" && Object.prototype.hasOwnProperty.call(mod, k)) __createBinding(result, mod, k);
-    __setModuleDefault(result, mod);
-    return result;
+var __importDefault = (this && this.__importDefault) || function (mod) {
+    return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.APPLICATIONS = exports.ENVIRONMENTS = exports.distDirForBuildTasks = exports.rootDirForBuildTasks = exports.rootDir = void 0;
-const path = __importStar(require("path"));
-exports.rootDir = path.resolve(__dirname, '..', '..');
-exports.rootDirForBuildTasks = exports.rootDir.endsWith('dist') ? path.resolve(exports.rootDir, '..') : exports.rootDir;
-exports.distDirForBuildTasks = path.join(exports.rootDirForBuildTasks, 'dist');
+exports.AWS_ACCOUNT_IDS = exports.APPLICATIONS = exports.ENVIRONMENTS = exports.distDirForBuildTasks = exports.rootDirForBuildTasks = exports.rootDir = void 0;
+const path_1 = __importDefault(require("path"));
+exports.rootDir = path_1.default.resolve(__dirname, '..', '..');
+exports.rootDirForBuildTasks = exports.rootDir.endsWith('dist') ? path_1.default.resolve(exports.rootDir, '..') : exports.rootDir;
+exports.distDirForBuildTasks = path_1.default.join(exports.rootDirForBuildTasks, 'dist');
 exports.ENVIRONMENTS = ['test-12', 'test-perf-1', 'staging-2', 'deploy-tooling', 'production-2'];
 exports.APPLICATIONS = [
     'adminusers',
@@ -46,6 +26,13 @@ exports.APPLICATIONS = [
     'toolbox',
     'webhooks'
 ];
+exports.AWS_ACCOUNT_IDS = {
+    dev: '673337093959',
+    test: '223851549868',
+    staging: '888564216586',
+    production: '092359438320',
+    deploy: '424875624006'
+};
 exports.default = {
     rootDir: exports.rootDir,
     distDirForBuildTasks: exports.distDirForBuildTasks,

package/src/util/configs.js

@@ -3,10 +3,12 @@ var __importDefault = (this && this.__importDefault) || function (mod) {
     return (mod && mod.__esModule) ? mod : { "default": mod };
 };
 Object.defineProperty(exports, "__esModule", { value: true });
-exports.workspaceEnvVar = exports.ensureConfigDirectory = exports.PAY_CLI_CONFIG_PATH = void 0;
+exports.checkAwsCredentials = exports.workspaceEnvVar = exports.ensureConfigDirectory = exports.PAY_CLI_CONFIG_PATH = void 0;
 const node_fs_1 = __importDefault(require("node:fs"));
 const node_os_1 = require("node:os");
 const node_path_1 = __importDefault(require("node:path"));
+const client_sts_1 = require("@aws-sdk/client-sts");
+const constants_1 = require("../core/constants");
 exports.PAY_CLI_CONFIG_PATH = node_path_1.default.join((0, node_os_1.homedir)(), '.pay-cli');
 /**
  * This function validates a config path within the pay cli config dir exists, if it does then it creates it.
@@ -45,3 +47,62 @@ function workspaceEnvVar() {
     return workspacePath;
 }
 exports.workspaceEnvVar = workspaceEnvVar;
+const AWS_ENV_VARS_TO_CHECK = [
+    'AWS_ACCESS_KEY_ID',
+    'AWS_SECRET_ACCESS_KEY',
+    'AWS_SESSION_TOKEN',
+    'AWS_CREDENTIAL_EXPIRATION'
+];
+/**
+ * This function checks if there are AWS credentials in the environment, that they are for a named account, and their expiry status.
+ * If there are none, or are some but they are expired, it will exit the program with an Error
+ * If there is less than 15 mins before expiry it will print a warning
+ *
+ * The accountName is intentionally a string and not a named type in order to mean the callers of this function don't need to implement
+ * validation checking of something passed in at runtime
+ */
+async function checkAwsCredentials(accountName) {
+    for (const envVar of AWS_ENV_VARS_TO_CHECK) {
+        if (process.env[envVar] === undefined || process.env[envVar] === null || process.env[envVar]?.trim() === '') {
+            console.error(`It looks like you do not have any AWS credentials in the environment (missing ${envVar}).`);
+            console.error('Perhaps you need to run this with aws-vault. E.g. `aws-vault exec test -- pay ...`');
+            process.exit(1);
+        }
+    }
+    const expirationTime = process.env.AWS_CREDENTIAL_EXPIRATION;
+    const expirationTimestamp = Date.parse(expirationTime);
+    const now = Date.now();
+    if (now >= expirationTimestamp) {
+        console.error(`There are AWS credentials in the env, but they have expired. They expired at ${expirationTime}`);
+        process.exit(1);
+    }
+    // 15 minutes * 60 seconds in a minute * 1000 ms in a second
+    if (now >= (expirationTimestamp - (15 * 60 * 1000))) {
+        console.warn(`WARNING: The AWS credentials will expire at ${expirationTime} which is within 15 minutes\n`);
+    }
+    await checkAwsCredentialsAreForAccount(accountName);
+}
+exports.checkAwsCredentials = checkAwsCredentials;
+/* This function will validate that the AWS credentials in the environment belong to the named account.
+ *
+ * If they are not then it will exit with an appropriate error
+ */
+async function checkAwsCredentialsAreForAccount(accountName) {
+    if (!Object.hasOwn(constants_1.AWS_ACCOUNT_IDS, accountName)) {
+        console.error(`AWS Account ${accountName} is unknown, perhaps you meant one of ${Object.keys(constants_1.AWS_ACCOUNT_IDS).join(',')}?`);
+        process.exit(1);
+    }
+    const typedAccountName = accountName;
+    const stsClient = new client_sts_1.STSClient();
+    const getCallerIdentityCommand = new client_sts_1.GetCallerIdentityCommand({});
+    const response = await stsClient.send(getCallerIdentityCommand);
+    if (response.Account === undefined) {
+        console.error('Error checking if AWS credentials are for the correct account, the response from AWS did not include an Account ID');
+        process.exit(1);
+    }
+    if (constants_1.AWS_ACCOUNT_IDS[typedAccountName] !== response.Account) {
+        console.error(`Error: You're trying to perform an action against AWS account '${accountName}'`);
+        console.error(`Your credentials are not for that account. Perhaps you need to run 'aws-vault exec ${accountName} -- ...`);
+        process.exit(1);
+    }
+}