@metaplay/metaplay-auth 1.2.0 → 1.3.0

package/src/stackapi.ts

@@ -1,5 +1,7 @@
 import { isValidFQDN, getGameserverAdminUrl } from './utils.js'
 import { logger } from './logging.js'
+import { dump } from 'js-yaml'
+import { getUserinfo } from './auth.js'
 
 interface AwsCredentialsResponse {
   AccessKeyId: string
@@ -8,34 +10,84 @@ interface AwsCredentialsResponse {
   Expiration: string
 }
 
-interface GameserverId {
+export interface GameserverId {
   gameserver?: string
   organization?: string
   project?: string
   environment?: string
 }
 
+interface KubeConfig {
+  apiVersion?: string
+  kind: string
+  'current-context': string
+  clusters: KubeConfigCluster[]
+  contexts: KubeConfigContext[]
+  users: KubeConfigUser[]
+  preferences?: any
+}
+
+interface KubeConfigCluster {
+  cluster: {
+    'certificate-authority-data': string
+    server: string
+  }
+  name: string
+}
+
+interface KubeConfigContext {
+  context: {
+    cluster: string
+    user: string
+    namespace?: string
+  }
+  name: string
+}
+
+interface KubeConfigUser {
+  name: string
+  user: {
+    token?: string
+    exec?: {
+      command: string
+      args: string[]
+      apiVersion: string
+    }
+  }
+}
+
+interface KubeExecCredential {
+  apiVersion: string
+  kind: string
+  spec: {
+    cluster?: {
+      server: string
+      certificateAuthorityData: string
+    }
+  }
+  status: {
+    token: string
+    expirationTimestamp: string
+  }
+}
+
 export class StackAPI {
   private readonly accessToken: string
 
-  private _stack_api_base_uri: string
+  private readonly _stackApiBaseUrl: string
 
-  constructor (accessToken: string) {
+  constructor (accessToken: string, stackApiBaseUrl: string | undefined) {
     if (accessToken == null) {
       throw new Error('accessToken must be provided')
     }
 
     this.accessToken = accessToken
-    this._stack_api_base_uri = 'https://infra.p1.metaplay.io/stackapi'
-  }
-
-  get stack_api_base_uri (): string {
-    return this._stack_api_base_uri.replace(/\/$/, '')
-  }
 
-  set stack_api_base_uri (uri: string) {
-    uri = uri.replace(/\/$/, '') // Remove trailing slash
-    this._stack_api_base_uri = uri
+    if (stackApiBaseUrl) {
+      this._stackApiBaseUrl = stackApiBaseUrl.replace(/\/$/, '') // Remove trailing slash
+    } else {
+      this._stackApiBaseUrl = 'https://infra.p1.metaplay.io/stackapi'
+    }
   }
 
   async getAwsCredentials (gs: GameserverId): Promise<AwsCredentialsResponse> {
@@ -45,10 +97,10 @@ export class StackAPI {
         const adminUrl = getGameserverAdminUrl(gs.gameserver)
         url = `https://${adminUrl}/.infra/credentials/aws`
       } else {
-        url = `${this.stack_api_base_uri}/v0/credentials/${gs.gameserver}/aws`
+        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/aws`
       }
     } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this.stack_api_base_uri}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/aws`
+      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/aws`
     } else {
       throw new Error('Invalid arguments for getAwsCredentials')
     }
@@ -76,10 +128,10 @@ export class StackAPI {
         const adminUrl = getGameserverAdminUrl(gs.gameserver)
         url = `https://${adminUrl}/.infra/credentials/k8s`
       } else {
-        url = `${this.stack_api_base_uri}/v0/credentials/${gs.gameserver}/k8s`
+        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/k8s`
       }
     } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this.stack_api_base_uri}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s`
+      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s`
     } else {
       throw new Error('Invalid arguments for getKubeConfig')
     }
@@ -101,6 +153,145 @@ export class StackAPI {
     return await response.text()
   }
 
+  /**
+   * Get a `kubeconfig` payload which invokes `metaplay-auth get-kubernetes-execcredential` to get the actual
+   * access credentials each time the kubeconfig is used.
+   * @param gs Game server environment to get credentials for.
+   * @returns The kubeconfig YAML.
+   */
+  async getKubeConfigExecCredential (gs: GameserverId): Promise<string> {
+    let url = ''
+    let gsSlug = ''
+    const execArgs = ['get-kubernetes-execcredential']
+    if (gs.gameserver != null) {
+      const adminUrl = getGameserverAdminUrl(gs.gameserver)
+      url = `https://${adminUrl}/.infra/credentials/k8s?type=execcredential`
+      gsSlug = gs.gameserver
+      execArgs.push('--gameserver', gs.gameserver)
+    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
+      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s?type=execcredential`
+      gsSlug = `${gs.organization}.${gs.project}.${gs.environment}`
+      execArgs.push('--organization', gs.organization, '--project', gs.project, '--environment', gs.environment)
+    } else {
+      throw new Error('Invalid arguments for getKubeConfigExecCredential')
+    }
+
+    logger.debug(`Getting Kubernetes KubeConfig from ${url}...`)
+
+    const response = await fetch(url, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${this.accessToken}`,
+        'Content-Type': 'application/json'
+      }
+    })
+
+    if (response.status !== 200) {
+      throw new Error(`Failed to fetch Kubernetes KubeConfig: ${response.statusText}`)
+    }
+
+    // get the execcredential and morph it into a kubeconfig which calls metaplay-auth for the token
+    let kubeExecCredential
+    try {
+      kubeExecCredential = await response.json() as KubeExecCredential
+    } catch {
+      throw new Error('Failed to fetch Kubernetes KubeConfig: the server response is not JSON')
+    }
+
+    if (!kubeExecCredential.spec.cluster) {
+      throw new Error('Received kubeExecCredential with missing spec.cluster')
+    }
+
+    let namespace = 'default'
+    let user = 'user'
+
+    try {
+      const environment = await this.getEnvironmentDetails(gs)
+      namespace = environment.deployment?.kubernetes_namespace ?? namespace
+    } catch (e) {
+      logger.debug('Failed to get environment details, using defaults', e)
+    }
+
+    try {
+      const userinfo = await getUserinfo(this.accessToken)
+      user = userinfo.sub ?? user
+    } catch (e) {
+      logger.debug('Failed to get userinfo, using defaults', e)
+    }
+
+    const kubeConfig: KubeConfig = {
+      apiVersion: 'v1',
+      kind: 'Config',
+      'current-context': gsSlug,
+      clusters: [
+        {
+          cluster: {
+            'certificate-authority-data': kubeExecCredential.spec.cluster.certificateAuthorityData,
+            server: kubeExecCredential.spec.cluster.server
+          },
+          name: kubeExecCredential.spec.cluster.server
+        }
+      ],
+      contexts: [
+        {
+          context: {
+            cluster: kubeExecCredential.spec.cluster.server,
+            namespace,
+            user
+          },
+          name: gsSlug,
+        }
+      ],
+      users: [
+        {
+          name: user,
+          user: {
+            exec: {
+              apiVersion: 'client.authentication.k8s.io/v1beta1',
+              command: 'metaplay-auth', // todo: figure out how to refer to metaplay-auth itself
+              args: execArgs,
+            }
+          }
+        }
+      ],
+    }
+
+    // return as yaml for easier consumption
+    return dump(kubeConfig)
+  }
+
+  async getKubeExecCredential (gs: GameserverId): Promise<string> {
+    let url = ''
+    if (gs.gameserver != null) {
+      if (isValidFQDN(gs.gameserver)) {
+        const adminUrl = getGameserverAdminUrl(gs.gameserver)
+        url = `https://${adminUrl}/.infra/credentials/k8s?type=execcredential`
+      } else {
+        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/k8s?type=execcredential`
+      }
+    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
+      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s?type=execcredential`
+    } else {
+      throw new Error('Invalid arguments for getKubeConfig')
+    }
+
+    logger.debug(`Getting Kubernetes ExecCredential from ${url}...`)
+
+    const response = await fetch(url, {
+      method: 'POST',
+      headers: {
+        Authorization: `Bearer ${this.accessToken}`,
+        'Content-Type': 'application/json'
+      }
+    })
+
+    if (response.status !== 200) {
+      throw new Error(`Failed to fetch Kubernetes ExecCredential: ${response.statusText}`)
+    }
+
+    return await response.text()
+  }
+
   async getEnvironmentDetails (gs: GameserverId): Promise<any> {
     let url = ''
     if (gs.gameserver != null) {
@@ -108,10 +299,10 @@ export class StackAPI {
         const adminUrl = getGameserverAdminUrl(gs.gameserver)
         url = `https://${adminUrl}/.infra/environment`
       } else {
-        url = `${this.stack_api_base_uri}/v0/deployments/${gs.gameserver}`
+        url = `${this._stackApiBaseUrl}/v0/deployments/${gs.gameserver}`
       }
     } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this.stack_api_base_uri}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}`
+      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}`
     } else {
       throw new Error('Invalid arguments for environment details')
     }