@hyperdrive.bot/cli 1.0.2

package/dist/utils/auth-flow.js

@@ -0,0 +1,477 @@
+import { CognitoIdentityClient, GetCredentialsForIdentityCommand, GetIdCommand } from '@aws-sdk/client-cognito-identity';
+import { CognitoIdentityProviderClient, InitiateAuthCommand, } from '@aws-sdk/client-cognito-identity-provider';
+import axios from 'axios';
+import crypto from 'crypto';
+import { existsSync, mkdirSync, writeFileSync } from 'fs';
+import { createServer } from 'http';
+import open from 'open';
+import { homedir } from 'os';
+import { join } from 'path';
+import { parse } from 'url';
+import { TenantService } from '../services/tenant-service.js';
+/**
+ * Generate PKCE code verifier (random base64url string)
+ */
+export function generateCodeVerifier() {
+    return crypto.randomBytes(32).toString('base64url');
+}
+/**
+ * Generate PKCE code challenge (SHA256 hash of verifier)
+ */
+export function generateCodeChallenge(verifier) {
+    return crypto.createHash('sha256').update(verifier).digest('base64url');
+}
+/**
+ * Build Cognito authorization URL with PKCE parameters
+ */
+export function buildAuthUrl(tenantConfig, codeChallenge, port) {
+    // CLI only needs these scopes to authenticate and get AWS credentials via Identity Pool
+    // - openid: Required for OIDC authentication
+    // - email: User's email address (used by Identity Pool)
+    // - profile: User's profile information
+    const requiredScopes = 'openid email profile';
+    const params = new URLSearchParams({
+        client_id: tenantConfig.cognitoClientId,
+        code_challenge: codeChallenge,
+        code_challenge_method: 'S256',
+        redirect_uri: `http://localhost:${port}/callback`,
+        response_type: 'code',
+        scope: requiredScopes,
+    });
+    return `https://${tenantConfig.cognitoDomain}/oauth2/authorize?${params}`;
+}
+/**
+ * Start local HTTP server to receive OAuth callback
+ * Returns a promise that resolves with the authorization code
+ */
+export function startCallbackServer(port, timeout) {
+    return new Promise((resolve, reject) => {
+        let timeoutId = null;
+        const server = createServer((req, res) => {
+            const { pathname, query } = parse(req.url || '', true);
+            if (pathname === '/callback') {
+                if (timeoutId) {
+                    clearTimeout(timeoutId);
+                }
+                if (query.code) {
+                    // Success response
+                    res.writeHead(200, { 'Content-Type': 'text/html' });
+                    res.end(`
+            <!DOCTYPE html>
+            <html>
+              <head>
+                <title>Hyperdrive - Authentication Successful</title>
+                <style>
+                  body {
+                    font-family: -apple-system, BlinkMacSystemFont, 'Segoe UI', sans-serif;
+                    display: flex;
+                    align-items: center;
+                    justify-content: center;
+                    height: 100vh;
+                    margin: 0;
+                    background: linear-gradient(135deg, #667eea 0%, #764ba2 100%);
+                  }
+                  .container {
+                    text-align: center;
+                    background: white;
+                    padding: 3rem;
+                    border-radius: 1rem;
+                    box-shadow: 0 20px 25px -5px rgba(0, 0, 0, 0.1);
+                    max-width: 400px;
+                  }
+                  .checkmark {
+                    width: 80px;
+                    height: 80px;
+                    border-radius: 50%;
+                    display: block;
+                    stroke-width: 4;
+                    stroke: #10B981;
+                    stroke-miterlimit: 10;
+                    margin: 0 auto 1.5rem;
+                    animation: fill 0.4s ease-in-out 0.4s forwards, scale 0.3s ease-in-out 0.9s both;
+                  }
+                  .checkmark-circle {
+                    stroke-dasharray: 166;
+                    stroke-dashoffset: 166;
+                    stroke-width: 4;
+                    stroke-miterlimit: 10;
+                    stroke: #10B981;
+                    fill: none;
+                    animation: stroke 0.6s cubic-bezier(0.65, 0, 0.45, 1) forwards;
+                  }
+                  .checkmark-check {
+                    transform-origin: 50% 50%;
+                    stroke-dasharray: 48;
+                    stroke-dashoffset: 48;
+                    animation: stroke 0.3s cubic-bezier(0.65, 0, 0.45, 1) 0.8s forwards;
+                  }
+                  @keyframes stroke {
+                    100% { stroke-dashoffset: 0; }
+                  }
+                  @keyframes scale {
+                    0%, 100% { transform: none; }
+                    50% { transform: scale3d(1.1, 1.1, 1); }
+                  }
+                  h1 { color: #1F2937; margin: 0 0 0.5rem; }
+                  p { color: #6B7280; margin: 0 0 1.5rem; }
+                  .close-btn {
+                    background: #667eea;
+                    color: white;
+                    border: none;
+                    padding: 0.75rem 2rem;
+                    border-radius: 0.5rem;
+                    font-size: 1rem;
+                    cursor: pointer;
+                    transition: background 0.2s;
+                  }
+                  .close-btn:hover { background: #5a67d8; }
+                </style>
+              </head>
+              <body>
+                <div class="container">
+                  <svg class="checkmark" xmlns="http://www.w3.org/2000/svg" viewBox="0 0 52 52">
+                    <circle class="checkmark-circle" cx="26" cy="26" r="25" fill="none"/>
+                    <path class="checkmark-check" fill="none" d="M14.1 27.2l7.1 7.2 16.7-16.8"/>
+                  </svg>
+                  <h1>Authentication Successful!</h1>
+                  <p>You can close this window and return to the CLI.</p>
+                  <button class="close-btn" onclick="window.close()">Close Window</button>
+                </div>
+                <script>setTimeout(() => window.close(), 3000);</script>
+              </body>
+            </html>
+          `);
+                    server.close();
+                    resolve(query.code);
+                }
+                else if (query.error) {
+                    // Error response
+                    res.writeHead(400, { 'Content-Type': 'text/html' });
+                    res.end(`
+            <h1>Authentication Failed</h1>
+            <p>Error: ${query.error}</p>
+            <p>Description: ${query.error_description || 'Unknown error'}</p>
+          `);
+                    server.close();
+                    reject(new Error(`Authentication failed: ${query.error}`));
+                }
+            }
+            else {
+                res.writeHead(404);
+                res.end('Not Found');
+            }
+        });
+        server.listen(port, 'localhost');
+        server.on('error', (err) => {
+            if (timeoutId) {
+                clearTimeout(timeoutId);
+            }
+            reject(new Error(`Failed to start callback server: ${err.message}`));
+        });
+        // Set timeout for authentication
+        timeoutId = setTimeout(() => {
+            server.close();
+            reject(new Error('Authentication timed out. Please try again.'));
+        }, timeout);
+    });
+}
+/**
+ * Exchange authorization code for Cognito tokens
+ */
+export async function exchangeCodeForTokens(tenantConfig, code, codeVerifier, port) {
+    try {
+        const response = await axios.post(`https://${tenantConfig.cognitoDomain}/oauth2/token`, new URLSearchParams({
+            client_id: tenantConfig.cognitoClientId,
+            code,
+            code_verifier: codeVerifier,
+            grant_type: 'authorization_code',
+            redirect_uri: `http://localhost:${port}/callback`,
+        }), {
+            headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
+        });
+        return response.data;
+    }
+    catch (error) {
+        if (axios.isAxiosError(error)) {
+            throw new Error(`Token exchange failed: ${error.response?.data?.error_description || error.message}`);
+        }
+        throw error;
+    }
+}
+/**
+ * Get AWS credentials from Cognito Identity Pool
+ */
+export async function getAWSCredentials(tenantConfig, idToken) {
+    const client = new CognitoIdentityClient({ region: tenantConfig.region });
+    try {
+        // Step 1: Get Identity ID
+        const getIdResponse = await client.send(new GetIdCommand({
+            IdentityPoolId: tenantConfig.cognitoIdentityPoolId,
+            Logins: {
+                [`cognito-idp.${tenantConfig.region}.amazonaws.com/${tenantConfig.cognitoUserPoolId}`]: idToken,
+            },
+        }));
+        if (!getIdResponse.IdentityId) {
+            throw new Error('Failed to get Identity ID from Cognito');
+        }
+        // Step 2: Get temporary AWS credentials
+        const getCredentialsResponse = await client.send(new GetCredentialsForIdentityCommand({
+            IdentityId: getIdResponse.IdentityId,
+            Logins: {
+                [`cognito-idp.${tenantConfig.region}.amazonaws.com/${tenantConfig.cognitoUserPoolId}`]: idToken,
+            },
+        }));
+        if (!getCredentialsResponse.Credentials) {
+            throw new Error('Failed to get AWS credentials from Cognito');
+        }
+        const { AccessKeyId, Expiration, SecretKey, SessionToken } = getCredentialsResponse.Credentials;
+        if (!AccessKeyId || !SecretKey || !SessionToken || !Expiration) {
+            throw new Error('Incomplete AWS credentials received from Cognito');
+        }
+        return {
+            accessKeyId: AccessKeyId,
+            expiration: Expiration,
+            secretAccessKey: SecretKey,
+            sessionToken: SessionToken,
+        };
+    }
+    catch (error) {
+        if (error instanceof Error) {
+            throw new Error(`Failed to obtain AWS credentials: ${error.message}`);
+        }
+        throw error;
+    }
+}
+/**
+ * Save credentials to domain-specific path (always required)
+ */
+export function saveCredentials(credentials, domain) {
+    // Prevent saving test/mock credentials to production path
+    const testPatterns = ['test-client-id', 'us-east-1_TEST', 'test-identity', 'test.auth.amazoncognito'];
+    const credString = JSON.stringify(credentials);
+    for (const pattern of testPatterns) {
+        if (credString.includes(pattern)) {
+            throw new Error(`Refusing to save credentials containing test value: "${pattern}". This looks like test data.`);
+        }
+    }
+    if (!domain) {
+        throw new Error('Domain is required to save credentials');
+    }
+    const credDir = join(homedir(), '.hyperdrive');
+    const credPath = join(credDir, `credentials.${domain}`);
+    // Create directory if it doesn't exist
+    if (!existsSync(credDir)) {
+        mkdirSync(credDir, { recursive: true });
+    }
+    // Write credentials with secure file permissions
+    writeFileSync(credPath, JSON.stringify(credentials, null, 2), { mode: 0o600 });
+}
+/**
+ * Get the path to the credentials file for a domain
+ */
+export function getCredentialsPath(domain) {
+    if (!domain) {
+        throw new Error('Domain is required to get credentials path');
+    }
+    return join(homedir(), '.hyperdrive', `credentials.${domain}`);
+}
+/**
+ * Execute the complete OAuth PKCE authentication flow
+ *
+ * This function orchestrates the entire authentication flow:
+ * 1. Bootstrap tenant to get Cognito config
+ * 2. Generate PKCE codes
+ * 3. Start callback server
+ * 4. Open browser for authentication
+ * 5. Wait for callback with timeout
+ * 6. Exchange code for tokens
+ * 7. Get AWS credentials from Identity Pool
+ * 8. Save credentials to file
+ *
+ * @param options - Configuration options for the auth flow
+ * @returns AuthResult indicating success or failure
+ */
+export async function executeAuthFlow(options) {
+    const { callbackPort = 8765, logger, tenantDomain, timeout = 300000 } = options;
+    const tenantService = new TenantService();
+    try {
+        // Step 1: Bootstrap tenant to get Cognito config
+        const tenantConfig = await tenantService.fetchTenantConfig(tenantDomain);
+        // Step 2: Generate PKCE parameters
+        const codeVerifier = generateCodeVerifier();
+        const codeChallenge = generateCodeChallenge(codeVerifier);
+        // Step 3: Start local callback server and get promise for auth code
+        const authCodePromise = startCallbackServer(callbackPort, timeout);
+        // Step 4: Open browser for authentication
+        const authUrl = buildAuthUrl(tenantConfig, codeChallenge, callbackPort);
+        // Display URL to user in case browser opens in wrong profile
+        if (logger) {
+            logger(`Opening browser for authentication...`);
+            logger(`If browser doesn't open or opens in wrong profile, copy this URL:`);
+            logger(`  ${authUrl}`);
+            logger('');
+        }
+        await open(authUrl);
+        // Step 5: Wait for callback with auth code
+        const code = await authCodePromise;
+        // Step 6: Exchange code for tokens
+        const tokens = await exchangeCodeForTokens(tenantConfig, code, codeVerifier, callbackPort);
+        // Step 7: Get AWS credentials from Cognito Identity Pool
+        const awsCredentials = await getAWSCredentials(tenantConfig, tokens.id_token);
+        // Step 8: Save credentials
+        saveCredentials({
+            ...tokens,
+            apiUrl: tenantConfig.apiUrl,
+            awsCredentials,
+            cognitoConfig: {
+                clientId: tenantConfig.cognitoClientId,
+                domain: tenantConfig.cognitoDomain,
+                identityPoolId: tenantConfig.cognitoIdentityPoolId,
+                userPoolId: tenantConfig.cognitoUserPoolId,
+            },
+            obtainedAt: new Date().toISOString(),
+            region: tenantConfig.region,
+            tenantDomain: tenantConfig.tenantDomain,
+            tenantId: tenantConfig.tenantId,
+        }, tenantConfig.tenantDomain);
+        return { success: true };
+    }
+    catch (error) {
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        return { error: errorMessage, success: false };
+    }
+}
+/**
+ * Execute CI authentication flow using USER_PASSWORD_AUTH
+ *
+ * This is for non-interactive CI/CD environments where browser-based
+ * OAuth is not possible. Uses Cognito's USER_PASSWORD_AUTH flow.
+ *
+ * @param options - CI authentication options
+ * @returns AuthResult indicating success or failure
+ */
+export async function executeCIAuthFlow(options) {
+    const { logger, password, tenantDomain, username } = options;
+    const tenantService = new TenantService();
+    try {
+        // Step 1: Bootstrap tenant to get Cognito config
+        if (logger)
+            logger('Fetching tenant configuration...');
+        const tenantConfig = await tenantService.fetchTenantConfig(tenantDomain);
+        // Step 2: Authenticate with Cognito using USER_PASSWORD_AUTH
+        if (logger)
+            logger('Authenticating with Cognito...');
+        const cognitoClient = new CognitoIdentityProviderClient({ region: tenantConfig.region });
+        let authResult;
+        try {
+            const initiateAuthResponse = await cognitoClient.send(new InitiateAuthCommand({
+                AuthFlow: 'USER_PASSWORD_AUTH',
+                AuthParameters: {
+                    PASSWORD: password,
+                    USERNAME: username,
+                },
+                ClientId: tenantConfig.cognitoClientId,
+            }));
+            // Handle NEW_PASSWORD_REQUIRED challenge (first login with temp password)
+            if (initiateAuthResponse.ChallengeName === 'NEW_PASSWORD_REQUIRED') {
+                throw new Error('This CI account requires a password change on first login.\n' +
+                    'Please log in interactively once with: hd auth login --domain ' + tenantDomain + '\n' +
+                    'Or create a new CI account with: hd ci account create');
+            }
+            authResult = initiateAuthResponse.AuthenticationResult;
+        }
+        catch (error) {
+            const err = error;
+            if (err.name === 'NotAuthorizedException') {
+                throw new Error('Invalid token. Check your HD_TOKEN environment variable.');
+            }
+            if (err.name === 'UserNotFoundException') {
+                throw new Error('CI token not found or revoked. Create a new one with: hd ci account create');
+            }
+            throw error;
+        }
+        if (!authResult || !authResult.IdToken) {
+            throw new Error('Authentication failed: No tokens received from Cognito');
+        }
+        if (logger)
+            logger('Authentication successful!');
+        // Step 3: Get AWS credentials from Cognito Identity Pool
+        if (logger)
+            logger('Obtaining AWS credentials...');
+        const awsCredentials = await getAWSCredentials(tenantConfig, authResult.IdToken);
+        // Step 4: Save credentials
+        if (logger)
+            logger('Saving credentials...');
+        saveCredentials({
+            access_token: authResult.AccessToken || '',
+            apiUrl: tenantConfig.apiUrl,
+            awsCredentials,
+            cognitoConfig: {
+                clientId: tenantConfig.cognitoClientId,
+                domain: tenantConfig.cognitoDomain,
+                identityPoolId: tenantConfig.cognitoIdentityPoolId,
+                userPoolId: tenantConfig.cognitoUserPoolId,
+            },
+            expires_in: authResult.ExpiresIn || 3600,
+            id_token: authResult.IdToken,
+            obtainedAt: new Date().toISOString(),
+            refresh_token: authResult.RefreshToken || '',
+            region: tenantConfig.region,
+            tenantDomain: tenantConfig.tenantDomain,
+            tenantId: tenantConfig.tenantId,
+            token_type: authResult.TokenType || 'Bearer',
+        }, tenantConfig.tenantDomain);
+        return { success: true };
+    }
+    catch (error) {
+        const errorMessage = error instanceof Error ? error.message : String(error);
+        return { error: errorMessage, success: false };
+    }
+}
+/**
+ * Check if running in a CI environment
+ */
+export function isCI() {
+    return !!(process.env.CI ||
+        process.env.GITHUB_ACTIONS ||
+        process.env.GITLAB_CI ||
+        process.env.JENKINS_URL ||
+        process.env.CIRCLECI ||
+        process.env.BUILDKITE ||
+        process.env.TRAVIS ||
+        process.env.CODEBUILD_BUILD_ID);
+}
+/**
+ * Decode a CI token into username and password
+ * Token format: hd_sk_{base64url(username:password)}
+ */
+export function decodeToken(token) {
+    if (!token.startsWith('hd_sk_')) {
+        return null;
+    }
+    try {
+        const encoded = token.slice(6); // Remove 'hd_sk_' prefix
+        const decoded = Buffer.from(encoded, 'base64url').toString('utf-8');
+        const colonIndex = decoded.indexOf(':');
+        if (colonIndex === -1) {
+            return null;
+        }
+        return {
+            password: decoded.slice(colonIndex + 1),
+            username: decoded.slice(0, colonIndex),
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Get CI credentials from HD_TOKEN environment variable
+ */
+export function getCICredentials() {
+    const token = process.env.HD_TOKEN;
+    if (!token) {
+        return null;
+    }
+    return decodeToken(token);
+}

package/dist/utils/git-flow.d.ts

@@ -0,0 +1,72 @@
+/**
+ * Options for executing the Git connect flow
+ */
+export interface GitConnectOptions {
+    callbackPort?: number;
+    logger?: (message: string) => void;
+    provider?: 'github' | 'gitlab';
+    timeout?: number;
+}
+/**
+ * Git installation info returned from API
+ */
+export interface GitInstallationInfo {
+    accountLogin?: string;
+    gitlabUsername?: string;
+    provider: 'github' | 'gitlab';
+}
+/**
+ * Result of the Git connect flow
+ */
+export interface GitConnectResult {
+    accountName?: string;
+    error?: string;
+    installations?: GitInstallationInfo[];
+    provider?: 'github' | 'gitlab';
+    skipped?: boolean;
+    success: boolean;
+}
+/**
+ * Internal callback server result
+ */
+interface CallbackResult {
+    error?: string;
+    success: boolean;
+}
+/**
+ * Prompt user to select a Git provider
+ *
+ * @param includeSkip - Whether to include a "Skip for now" option
+ * @returns Selected provider or 'skip'
+ */
+export declare function promptGitProvider(includeSkip?: boolean): Promise<'github' | 'gitlab' | 'skip'>;
+/**
+ * Stop the callback server if running
+ */
+export declare function stopCallbackServer(): void;
+/**
+ * Start local HTTP server to receive OAuth callback
+ *
+ * @param expectedState - State parameter to validate against
+ * @param port - Port to listen on (default: 8765)
+ * @param timeout - Timeout in milliseconds (default: 5 minutes)
+ * @param logger - Optional logging function
+ * @returns Promise resolving with callback result
+ */
+export declare function waitForCallback(expectedState: string, port?: number, timeout?: number, logger?: (message: string) => void): Promise<CallbackResult>;
+/**
+ * Execute the Git provider OAuth connection flow
+ *
+ * This function handles:
+ * 1. Provider selection (if not specified)
+ * 2. OAuth initiation via API
+ * 3. Starting local callback server
+ * 4. Opening browser for authorization
+ * 5. Waiting for callback with timeout
+ * 6. Fetching and returning connected installations
+ *
+ * @param options - Configuration options for the Git connect flow
+ * @returns GitConnectResult indicating success or failure
+ */
+export declare function executeGitConnect(options?: GitConnectOptions): Promise<GitConnectResult>;
+export {};