@govuk-pay/cli 0.0.53 → 0.0.55

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@govuk-pay/cli",
-  "version": "0.0.53",
+  "version": "0.0.55",
   "description": "GOV.UK Pay Command Line Interface",
   "bin": {
     "pay": "bin/cli.js",

package/readme.md

@@ -23,9 +23,10 @@ once it's installed you can run it using `pay [arguments]` or `payx [arguments]`
 If you'd rather not install it globally you can run it using `npx @govuk-pay/cli`.
 
 We're in the process of porting the existing Ruby CLI into typescript, we've tried to make that process
-transparent to the users of the CLI.  Most of the commands rely on the existing ruby implementation therefore
-you'll need `rbenv` installed with `bundler` installed into it.  When handing over to ruby we use `zsh` by default,
-if you want a different shell or `rbenv` you can set the following environment variables:
+transparent to the users of the CLI. None of the commands now rely on the ruby implementation, but you can 
+(for now) still execute the ruby versions by using `pay legacy`. You'll need `rbenv` installed with `bundler
+installed into it. When handing over to ruby we use `zsh` by default, if you want a different shell or `rbenv`
+you can set the following environment variables:
 
  - `PAY_CLI_RBENV_COMMAND` - defaults to `rbenv`
  - `PAY_CLI_SHELL_COMMAND` - defaults to `zsh`

package/resources/pay-local/config/service_config.yaml

@@ -144,11 +144,13 @@ selfservice:
   type: node
   proxy: true
   naxsi: true
+  is_bundled: true
   db: false
   port: 9400
   debug_port: 9401
   healthcheck: true
   proxy_port: 39000
+  entrypoint_override_local: 'sh -c "npm ci && npm run dev"'
   clusters:
     - admin
     - endtoend

package/resources/pay-local/templates/docker-compose.hbs

@@ -138,7 +138,11 @@ services:
       test: ["CMD", "wget", "-Y", "off", "-O", "/dev/null", "http://{{name}}:{{port}}/healthcheck"]
       interval: 10s
       timeout: 5s
+      {{#ifBoth isBundled localBuild}}
+      retries: 20
+      {{else}}
       retries: 12
+      {{/ifBoth}}
     env_file:
       - {{../defaultServiceConfigsPath}}/services/{{name}}.env
       {{#ifFileExists environmentOverrideFilePath}}
@@ -147,9 +151,12 @@ services:
     {{#ifBoth ../mountLocalNodeApps localBuild}}
     volumes:
       - "$WORKSPACE/pay-{{../name}}:/app"
-      {{#if ../../mountPayJSCommons}}
+    {{#if ../isBundled}}
+      - {{../name}}_node_modules:/app/node_modules
+    {{/if}}
+    {{#if ../../mountPayJSCommons}}
       - "$WORKSPACE/pay-js-commons:/pay-js-commons"
-      {{/if}}
+    {{/if}}
     {{/ifBoth}}
     environment:
       - BIND_HOST=0.0.0.0
@@ -281,5 +288,10 @@ networks:
 
 volumes:
   {{#each dbServices}}
-    {{name}}:
+  {{name}}:
+  {{/each}}
+  {{#each nodeApps}}
+  {{#if isBundled}}
+  {{name}}_node_modules:
+  {{/if}}
   {{/each}}

package/src/commands/local/config/pay_local_cluster.js

@@ -180,7 +180,8 @@ function payServiceFromPayServiceConfig(config, upOptions, environmentOverridesP
         imageTag: localBuild ? 'local' : 'latest-master',
         requiresLocalStack: sqsQueues.length > 0 || snsTopics.length > 0,
         entrypointOverrideLocal: config.entrypoint_override_local,
-        environmentOverrideFilePath: node_path_1.default.join(environmentOverridesPath, `${config.name}.env`)
+        environmentOverrideFilePath: node_path_1.default.join(environmentOverridesPath, `${config.name}.env`),
+        isBundled: config.is_bundled
     };
 }
 function dbServiceFromPayServiceConfig(config) {

package/src/commands/secrets/config/config.types.js

@@ -1,7 +1,12 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.SERVICE_NAMES = exports.ENVIRONMENT_NAMES = exports.SECRET_SOURCES = void 0;
-exports.SECRET_SOURCES = ['ssm', 'pay-low-pass', 'value'];
+exports.SECRET_SOURCES = [
+    'bitwarden-cli',
+    'pay-low-pass',
+    'ssm',
+    'value'
+];
 exports.ENVIRONMENT_NAMES = [
     'deploy',
     'deploy-7',

package/src/commands/secrets/config/secrets/bitwarden_cli.js

@@ -0,0 +1,4 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BITWARDEN_CLI_CONFIG = void 0;
+exports.BITWARDEN_CLI_CONFIG = {};

package/src/commands/secrets/config/secrets.js

@@ -1,12 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.getSecretConfig = exports.configuredSecretsForServiceInEnv = exports.SECRET_SOURCE_PRECEDENCE = exports.SECRETS = void 0;
+const bitwarden_cli_1 = require("./secrets/bitwarden_cli");
 const pay_low_pass_1 = require("./secrets/pay_low_pass");
 const config_types_1 = require("./config.types");
 const service_secrets_1 = require("./service_secrets");
 const ssm_1 = require("./secrets/ssm");
 const value_1 = require("./secrets/value");
 exports.SECRETS = {
+    'bitwarden-cli': bitwarden_cli_1.BITWARDEN_CLI_CONFIG,
     ssm: ssm_1.SSM_CONFIG,
     'pay-low-pass': pay_low_pass_1.PAY_LOW_PASS_CONFIG,
     value: value_1.VALUE_CONFIG
@@ -17,6 +19,7 @@ exports.SECRETS = {
  */
 exports.SECRET_SOURCE_PRECEDENCE = [
     'value',
+    'bitwarden-cli',
     'pay-low-pass',
     'ssm'
 ];

package/src/commands/secrets/providers/bitwarden_cli.js

@@ -0,0 +1,98 @@
+"use strict";
+Object.defineProperty(exports, "__esModule", { value: true });
+exports.BitwardenCLIProvider = void 0;
+const child_process_1 = require("child_process");
+const providers_types_1 = require("./providers.types");
+class BitwardenCLIProvider extends providers_types_1.AbstractSecretProvider {
+    bitwardenUnlockToken;
+    constructor(env, secretSource) {
+        super(env, secretSource);
+        this.bitwardenUnlockToken = checkBitwardenStatus();
+    }
+    async get(secretConfig) {
+        const env = {
+            ...process.env
+        };
+        if (this.bitwardenUnlockToken !== undefined) {
+            env.BW_SESSION = this.bitwardenUnlockToken;
+        }
+        const bwGetPasswordResult = (0, child_process_1.spawnSync)('bw', ['get', 'password', secretConfig.secretSourceValue], {
+            env
+        });
+        if (bwGetPasswordResult.status !== 0) {
+            if (bwGetPasswordResult.stderr.toString().includes('Not found.')) {
+                console.error(`Secret ${secretConfig.secretSourceValue} not found in bitwarden. This can either be because it doesn't exist, or you don't have access`);
+                return undefined;
+            }
+            console.error('Unknown error when trying to get the password from bitwarden, output from the get follows:');
+            console.error(bwGetPasswordResult.output.toString());
+            process.exit(1);
+        }
+        return bwGetPasswordResult.stdout.toString();
+    }
+}
+exports.BitwardenCLIProvider = BitwardenCLIProvider;
+function checkBitwardenStatus() {
+    const bwAvailableResult = (0, child_process_1.spawnSync)('command', ['-v', 'bw'], { shell: true });
+    if (bwAvailableResult.status !== 0) {
+        console.error('You need to install the bitwarden CLI before you can source secrets from it: `brew install bitwarden-cli`');
+        process.exit(1);
+    }
+    const bwStatusResult = (0, child_process_1.spawnSync)('bw', ['status']);
+    if (bwStatusResult.status !== 0) {
+        console.error('Could not check the login status of the bitwarden cli with command `bw status`. Output from the command follows:');
+        console.error(bwStatusResult.output.toString());
+        process.exit(1);
+    }
+    let bwStatusJson;
+    try {
+        bwStatusJson = JSON.parse(bwStatusResult.stdout.toString());
+    }
+    catch (e) {
+        console.error('An error occured when trying to parse the JSON output of `bw status`. The output of that command follows:');
+        console.error(bwStatusResult.output.toString());
+        process.exit(1);
+    }
+    if (!('status' in bwStatusJson)) {
+        console.error('The JSON output of `bw status` did not contain a \'status\' key. The output of that command follows:');
+        console.error(bwStatusResult.output.toString());
+        process.exit(1);
+    }
+    if (bwStatusJson.status === 'unauthenticated') {
+        console.error('Error: You are not authenticated in the bitwarden cli, you need to run `bw login` and login');
+        process.exit(1);
+    }
+    else if (bwStatusJson.status === 'locked') {
+        console.warn('Your bitwarden cli is logged in, but locked. Executing `bw unlock`, please enter your master password when prompted');
+        return unlockBitWarden();
+    }
+    else if (bwStatusJson.status === 'unlocked') {
+        return undefined;
+    }
+}
+function unlockBitWarden() {
+    const bwUnlockResult = (0, child_process_1.spawnSync)('bw', ['unlock'], {
+        shell: true,
+        stdio: ['inherit', 'pipe', 'inherit']
+    });
+    if (bwUnlockResult.status !== 0) {
+        console.error('Failed to unlock your bitwarden vault.');
+        process.exit(1);
+    }
+    const lineWithToken = bwUnlockResult.stdout.toString().split('\n').find((line) => {
+        return line.startsWith('$ export BW_SESSION=');
+    });
+    if (lineWithToken === undefined) {
+        console.error('Could not find the BW_SESSION token in the `bw unlock` output. Looking for a line that starts with `$ export BW_SESSION=`. Got:');
+        console.error(bwUnlockResult.output.toString());
+        process.exit(1);
+    }
+    const sessionToken = lineWithToken.substring(lineWithToken.indexOf('"') + 1, lineWithToken.lastIndexOf('"'));
+    if (sessionToken.length === 0 || sessionToken.startsWith('$ export BW_SESSION=') || sessionToken.includes('"')) {
+        console.error('The session token we read from `bw unlock` does not look correct. Output from the command follows');
+        console.error(bwUnlockResult.output.toString());
+        process.exit(1);
+    }
+    console.warn('Bitwarden unlocked');
+    return sessionToken;
+}

package/src/commands/secrets/providers/factory.js

@@ -1,12 +1,14 @@
 "use strict";
 Object.defineProperty(exports, "__esModule", { value: true });
 exports.providerFor = void 0;
+const bitwarden_cli_1 = require("./bitwarden_cli");
 const pass_repo_1 = require("./pass_repo");
 const ssm_1 = require("./ssm");
 const value_1 = require("./value");
 const providers = {
-    ssm: {},
+    'bitwarden-cli': {},
     'pay-low-pass': {},
+    ssm: {},
     value: {}
 };
 function providerFor(secretConfig) {
@@ -25,6 +27,10 @@ function providerFor(secretConfig) {
                 memoisedProvider = new ssm_1.SSMProvider(secretConfig.environment, secretConfig.source);
                 break;
             }
+            case 'bitwarden-cli': {
+                memoisedProvider = new bitwarden_cli_1.BitwardenCLIProvider(secretConfig.environment, secretConfig.source);
+                break;
+            }
         }
         providers[secretConfig.source][secretConfig.environment] = memoisedProvider;
     }