@metaplay/metaplay-auth 1.4.1 → 1.5.0

package/src/stackapi.ts

@@ -1,80 +1,11 @@
-import { isValidFQDN, getGameserverAdminUrl } from './utils.js'
 import { logger } from './logging.js'
-import { dump } from 'js-yaml'
-import { getUserinfo } from './auth.js'
+import { type EnvironmentDetails } from './targetenvironment.js'
 
-interface AwsCredentialsResponse {
-  AccessKeyId: string
-  SecretAccessKey: string
-  SessionToken: string
-  Expiration: string
-}
-
-export interface GameserverId {
-  gameserver?: string
-  organization?: string
-  project?: string
-  environment?: string
-}
-
-interface KubeConfig {
-  apiVersion?: string
-  kind: string
-  'current-context': string
-  clusters: KubeConfigCluster[]
-  contexts: KubeConfigContext[]
-  users: KubeConfigUser[]
-  preferences?: any
-}
-
-interface KubeConfigCluster {
-  cluster: {
-    'certificate-authority-data': string
-    server: string
-  }
-  name: string
-}
-
-interface KubeConfigContext {
-  context: {
-    cluster: string
-    user: string
-    namespace?: string
-  }
-  name: string
-}
-
-interface KubeConfigUser {
-  name: string
-  user: {
-    token?: string
-    exec?: {
-      command: string
-      args: string[]
-      apiVersion: string
-    }
-  }
-}
-
-interface KubeExecCredential {
-  apiVersion: string
-  kind: string
-  spec: {
-    cluster?: {
-      server: string
-      certificateAuthorityData: string
-    }
-  }
-  status: {
-    token: string
-    expirationTimestamp: string
-  }
-}
+export const defaultStackApiBaseUrl = 'https://infra.p1.metaplay.io/stackapi'
 
 export class StackAPI {
   private readonly accessToken: string
-
-  private readonly _stackApiBaseUrl: string
+  private readonly stackApiBaseUrl: string
 
   constructor (accessToken: string, stackApiBaseUrl: string | undefined) {
     if (accessToken == null) {
@@ -84,262 +15,36 @@ export class StackAPI {
     this.accessToken = accessToken
 
     if (stackApiBaseUrl) {
-      this._stackApiBaseUrl = stackApiBaseUrl.replace(/\/$/, '') // Remove trailing slash
-    } else {
-      this._stackApiBaseUrl = 'https://infra.p1.metaplay.io/stackapi'
-    }
-  }
-
-  async getAwsCredentials (gs: GameserverId): Promise<AwsCredentialsResponse> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/credentials/aws`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/aws`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/aws`
-    } else {
-      throw new Error('Invalid arguments for getAwsCredentials')
-    }
-
-    logger.debug(`Getting AWS credentials from ${url}...`)
-    const response = await fetch(url, {
-      method: 'POST',
-      headers: {
-        Authorization: `Bearer ${this.accessToken}`,
-        'Content-Type': 'application/json'
-      }
-    })
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch AWS credentials: ${response.statusText}, response code=${response.status}`)
-    }
-
-    return await response.json()
-  }
-
-  async getKubeConfig (gs: GameserverId): Promise<string> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/credentials/k8s`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/k8s`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s`
-    } else {
-      throw new Error('Invalid arguments for getKubeConfig')
-    }
-
-    logger.debug(`Getting KubeConfig from ${url}...`)
-
-    let response
-    try {
-      response = await fetch(url, {
-        method: 'POST',
-        headers: {
-          Authorization: `Bearer ${this.accessToken}`,
-          'Content-Type': 'application/json'
-        }
-      })
-    } catch (error: any) {
-      logger.error(`Failed to fetch kubeconfig from ${url}`)
-      logger.error('Fetch error details:', error)
-      if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
-        throw new Error(`Failed to to fetch kubeconfig: SSL certificate validation failed for ${url}. Is someone trying to tamper with your internet connection?`)
-      }
-      throw new Error(`Failed to fetch kubeconfig from ${url}: ${error}`)
-    }
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch KubeConfigs: ${response.statusText}`)
-    }
-
-    return await response.text()
-  }
-
-  /**
-   * Get a `kubeconfig` payload which invokes `metaplay-auth get-kubernetes-execcredential` to get the actual
-   * access credentials each time the kubeconfig is used.
-   * @param gs Game server environment to get credentials for.
-   * @returns The kubeconfig YAML.
-   */
-  async getKubeConfigExecCredential (gs: GameserverId): Promise<string> {
-    let url = ''
-    let gsSlug = ''
-    const execArgs = ['get-kubernetes-execcredential']
-    if (gs.gameserver != null) {
-      const adminUrl = getGameserverAdminUrl(gs.gameserver)
-      url = `https://${adminUrl}/.infra/credentials/k8s?type=execcredential`
-      gsSlug = gs.gameserver
-      execArgs.push('--gameserver', gs.gameserver)
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s?type=execcredential`
-      gsSlug = `${gs.organization}.${gs.project}.${gs.environment}`
-      execArgs.push(`${gs.organization}-${gs.project}-${gs.environment}`)
+      this.stackApiBaseUrl = stackApiBaseUrl.replace(/\/$/, '') // Remove trailing slash
     } else {
-      throw new Error('Invalid arguments for getKubeConfigExecCredential')
-    }
-
-    logger.debug(`Getting Kubernetes KubeConfig from ${url}...`)
-
-    let response
-    try {
-      response = await fetch(url, {
-        method: 'POST',
-        headers: {
-          Authorization: `Bearer ${this.accessToken}`,
-          'Content-Type': 'application/json'
-        }
-      })
-    } catch (error: any) {
-      logger.error(`Failed to fetch kubeconfig from ${url}`)
-      logger.error('Fetch error details:', error)
-      if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
-        throw new Error(`Failed to to fetch kubeconfig: SSL certificate validation failed for ${url}. Is someone trying to tamper with your internet connection?`)
-      }
-      throw new Error(`Failed to fetch kubeconfig from ${url}: ${error}`)
+      this.stackApiBaseUrl = 'https://infra.p1.metaplay.io/stackapi'
     }
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch Kubernetes KubeConfig: ${response.statusText}`)
-    }
-
-    // get the execcredential and morph it into a kubeconfig which calls metaplay-auth for the token
-    let kubeExecCredential
-    try {
-      kubeExecCredential = await response.json() as KubeExecCredential
-    } catch {
-      throw new Error('Failed to fetch Kubernetes KubeConfig: the server response is not JSON')
-    }
-
-    if (!kubeExecCredential.spec.cluster) {
-      throw new Error('Received kubeExecCredential with missing spec.cluster')
-    }
-
-    let namespace = 'default'
-    let user = 'user'
-
-    try {
-      const environment = await this.getEnvironmentDetails(gs)
-      namespace = environment.deployment?.kubernetes_namespace ?? namespace
-    } catch (e) {
-      logger.debug('Failed to get environment details, using defaults', e)
-    }
-
-    try {
-      const userinfo = await getUserinfo(this.accessToken)
-      user = userinfo.sub ?? user
-    } catch (e) {
-      logger.debug('Failed to get userinfo, using defaults', e)
-    }
-
-    const kubeConfig: KubeConfig = {
-      apiVersion: 'v1',
-      kind: 'Config',
-      'current-context': gsSlug,
-      clusters: [
-        {
-          cluster: {
-            'certificate-authority-data': kubeExecCredential.spec.cluster.certificateAuthorityData,
-            server: kubeExecCredential.spec.cluster.server
-          },
-          name: kubeExecCredential.spec.cluster.server
-        }
-      ],
-      contexts: [
-        {
-          context: {
-            cluster: kubeExecCredential.spec.cluster.server,
-            namespace,
-            user
-          },
-          name: gsSlug,
-        }
-      ],
-      users: [
-        {
-          name: user,
-          user: {
-            exec: {
-              apiVersion: 'client.authentication.k8s.io/v1beta1',
-              command: 'metaplay-auth', // todo: figure out how to refer to metaplay-auth itself
-              args: execArgs,
-            }
-          }
-        }
-      ],
-    }
-
-    // return as yaml for easier consumption
-    return dump(kubeConfig)
   }
 
-  async getKubeExecCredential (gs: GameserverId): Promise<string> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/credentials/k8s?type=execcredential`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/k8s?type=execcredential`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s?type=execcredential`
-    } else {
-      throw new Error('Invalid arguments for getKubeConfig')
-    }
-
-    logger.debug(`Getting Kubernetes ExecCredential from ${url}...`)
-
+  async resolveManagedEnvironmentFQDN (organization: string, project: string, environment: string): Promise<string> {
+    const url = `${this.stackApiBaseUrl}/v1/servers/${organization}/${project}/${environment}`
+    logger.debug(`Getting environment information from ${url}...`)
     const response = await fetch(url, {
-      method: 'POST',
+      method: 'GET',
       headers: {
         Authorization: `Bearer ${this.accessToken}`,
         'Content-Type': 'application/json'
       }
     })
 
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch Kubernetes ExecCredential: ${response.statusText}`)
-    }
-
-    return await response.text()
-  }
-
-  async getEnvironmentDetails (gs: GameserverId): Promise<any> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/environment`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/deployments/${gs.gameserver}`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}`
-    } else {
-      throw new Error('Invalid arguments for environment details')
+    // Throw on server errors (eg, forbidden)
+    if (!response.ok) {
+      const errorData = await response.json()
+      throw new Error(`Failed to fetch environment details with error ${response.status}: ${JSON.stringify(errorData)}`)
     }
 
-    logger.debug(`Getting environment details from ${url}...`)
-    const response = await fetch(url, {
-      method: 'GET',
-      headers: {
-        Authorization: `Bearer ${this.accessToken}`,
-        'Content-Type': 'application/json'
-      }
-    })
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch environment details: ${response.statusText}`)
+    // Sanity check that response is of the right structure
+    const envDetails = await response.json() as EnvironmentDetails
+    logger.debug(`Received environment details: ${JSON.stringify(envDetails)}`)
+    if (!envDetails.deployment) {
+      throw new Error(`Received invalid environment details -- missing .deployment: ${JSON.stringify(envDetails)}`)
     }
 
-    return await response.json()
+    return envDetails.deployment.server_hostname
   }
 }

package/src/targetenvironment.ts

@@ -0,0 +1,307 @@
+import { logger } from './logging.js'
+import { dump } from 'js-yaml'
+import { getUserinfo } from './auth.js'
+import { isRunningUnderNpx } from './utils.js'
+import { ECRClient, GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr'
+import { defaultStackApiBaseUrl } from './stackapi.js'
+
+interface AwsCredentialsResponse {
+  AccessKeyId: string
+  SecretAccessKey: string
+  SessionToken: string
+  Expiration: string
+}
+
+export interface DeploymentDetails {
+  server_hostname: string
+  kubernetes_namespace: string
+  ecr_repo: string
+  aws_region: string
+}
+
+export interface EnvironmentDetails {
+  deployment: DeploymentDetails
+}
+
+interface KubeConfig {
+  apiVersion?: string
+  kind: string
+  'current-context': string
+  clusters: KubeConfigCluster[]
+  contexts: KubeConfigContext[]
+  users: KubeConfigUser[]
+  preferences?: any
+}
+
+interface KubeConfigCluster {
+  cluster: {
+    'certificate-authority-data': string
+    server: string
+  }
+  name: string
+}
+
+interface KubeConfigContext {
+  context: {
+    cluster: string
+    user: string
+    namespace?: string
+  }
+  name: string
+}
+
+interface KubeConfigUser {
+  name: string
+  user: {
+    token?: string
+    exec?: {
+      command: string
+      args: string[]
+      apiVersion: string
+    }
+  }
+}
+
+interface KubeExecCredential {
+  apiVersion: string
+  kind: string
+  spec: {
+    cluster?: {
+      server: string
+      certificateAuthorityData: string
+    }
+  }
+  status: {
+    token: string
+    expirationTimestamp: string
+  }
+}
+
+export interface DockerCredentials {
+  username: string
+  password: string
+  registryUrl: string
+}
+
+export class TargetEnvironment {
+  private readonly accessToken: string
+  private readonly environmentDomain: string
+  private readonly stackApiBaseUrl: string
+  private readonly environmentApiBaseUrl: string
+  private readonly organization?: string
+  private readonly project?: string
+  private readonly environment?: string
+
+  constructor (accessToken: string, environmentDomain: string, stackApiBaseUrl: string, environmentApiBaseUrl: string, organization?: string, project?: string, environment?: string) {
+    this.accessToken = accessToken
+    this.environmentDomain = environmentDomain
+    this.stackApiBaseUrl = stackApiBaseUrl
+    this.environmentApiBaseUrl = environmentApiBaseUrl
+    this.organization = organization
+    this.project = project
+    this.environment = environment
+  }
+
+  async fetchJson<T> (url: string, method: string): Promise<T> {
+    const response = await fetch(url, {
+      method,
+      headers: {
+        Authorization: `Bearer ${this.accessToken}`,
+        'Content-Type': 'application/json'
+      }
+    })
+
+    if (response.status !== 200) {
+      throw new Error(`Failed to fetch ${method} ${url}: ${response.statusText}, response code=${response.status}`)
+    }
+
+    return await response.json() as T
+  }
+
+  async fetchText (url: string, method: string): Promise<string> {
+    let response
+    try {
+      response = await fetch(url, {
+        method,
+        headers: {
+          Authorization: `Bearer ${this.accessToken}`,
+          'Content-Type': 'application/json'
+        }
+      })
+    } catch (error: any) {
+      logger.error(`Failed to fetch ${method} ${url}:`, error)
+      if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
+        throw new Error(`Failed to to fetch ${url}: SSL certificate validation failed. Is someone trying to tamper with your internet connection?`)
+      }
+      throw new Error(`Failed to fetch ${url}: ${error}`)
+    }
+
+    if (response.status !== 200) {
+      throw new Error(`Failed to fetch ${method} ${url}: ${response.statusText}`)
+    }
+
+    return await response.text()
+  }
+
+  async getAwsCredentials (): Promise<AwsCredentialsResponse> {
+    const url = `${this.environmentApiBaseUrl}/credentials/aws`
+    logger.debug(`Fetching AWS credentials from ${url}...`)
+    return await this.fetchJson<AwsCredentialsResponse>(url, 'POST')
+  }
+
+  async getKubeConfig (): Promise<string> {
+    const url = `${this.environmentApiBaseUrl}/credentials/k8s`
+    logger.debug(`Getting KubeConfig from ${url}...`)
+    return await this.fetchText(url, 'POST')
+  }
+
+  /**
+   * Get a `kubeconfig` payload which invokes `metaplay-auth get-kubernetes-execcredential` to get the actual
+   * access credentials each time the kubeconfig is used.
+   * @returns The kubeconfig YAML.
+   */
+  async getKubeConfigExecCredential (): Promise<string> {
+    const url = `${this.environmentApiBaseUrl}/credentials/k8s?type=execcredential`
+    logger.debug(`Getting Kubernetes KubeConfig from ${url}...`)
+
+    // get the execcredential and morph it into a kubeconfig which calls metaplay-auth for the token
+    let kubeExecCredential: KubeExecCredential
+    try {
+      kubeExecCredential = await this.fetchJson<KubeExecCredential>(url, 'POST')
+    } catch {
+      throw new Error('Failed to fetch Kubernetes KubeConfig')
+    }
+
+    if (!kubeExecCredential.spec.cluster) {
+      throw new Error('Received kubeExecCredential with missing spec.cluster')
+    }
+
+    // Fetch environment namespace
+    const environment = await this.getEnvironmentDetails()
+    const namespace = environment.deployment?.kubernetes_namespace
+    if (!namespace) {
+      throw new Error('Environment details did not contain a valid Kubernetes namespace')
+    }
+
+    // Fetch user id
+    const userinfo = await getUserinfo(this.accessToken)
+    const userId = userinfo.email
+
+    // Resolve the environment identity (prefer org-proj-env or fall back to FQDN)
+    const envId = this.organization ? `${this.organization}-${this.project}-${this.environment}` : this.environmentDomain
+
+    // Resolve invocation for getting the kubeconfig exec credential
+    let execCmd = 'metaplay-auth'
+    let execArgs =
+      ['get-kubernetes-execcredential']
+        .concat(this.stackApiBaseUrl !== defaultStackApiBaseUrl ? ['--stack-api', this.stackApiBaseUrl] : [])
+        .concat([envId])
+
+    // If running under npx, use npx also for getting the kube exec credential
+    if (isRunningUnderNpx()) {
+      execCmd = 'npx'
+      execArgs = [
+        '--yes', // For NPX to silently install or update
+        '@metaplay/metaplay-auth@latest',
+        ...execArgs
+      ]
+    }
+
+    const kubeConfig: KubeConfig = {
+      apiVersion: 'v1',
+      kind: 'Config',
+      'current-context': envId,
+      clusters: [
+        {
+          cluster: {
+            'certificate-authority-data': kubeExecCredential.spec.cluster.certificateAuthorityData,
+            server: kubeExecCredential.spec.cluster.server
+          },
+          name: kubeExecCredential.spec.cluster.server
+        }
+      ],
+      contexts: [
+        {
+          context: {
+            cluster: kubeExecCredential.spec.cluster.server,
+            namespace,
+            user: userId
+          },
+          name: envId,
+        }
+      ],
+      users: [
+        {
+          name: userId,
+          user: {
+            exec: {
+              apiVersion: 'client.authentication.k8s.io/v1beta1',
+              command: execCmd,
+              args: execArgs
+            }
+          }
+        }
+      ],
+    }
+
+    // return as yaml for easier consumption
+    return dump(kubeConfig)
+  }
+
+  async getKubeExecCredential (): Promise<string> {
+    const url = `${this.environmentApiBaseUrl}/credentials/k8s?type=execcredential`
+    logger.debug(`Getting Kubernetes ExecCredential from ${url}...`)
+    return await this.fetchText(url, 'POST')
+  }
+
+  async getEnvironmentDetails (): Promise<EnvironmentDetails> {
+    // \note If invoking StackAPI via the https://<environment>/.infra, we need to add '/environment' to the path
+    const urlSuffix = this.environmentApiBaseUrl.endsWith('.infra') ? '/environment' : ''
+    const url = this.environmentApiBaseUrl + urlSuffix
+    logger.debug(`Getting environment details from ${url}...`)
+    return await this.fetchJson<EnvironmentDetails>(url, 'GET')
+  }
+
+  async getDockerCredentials (): Promise<DockerCredentials> {
+    // Get environment info (for AWS region)
+    logger.debug('Get environment info')
+    const envInfo = await this.getEnvironmentDetails()
+
+    // Fetch AWS credentials from Metaplay cloud
+    logger.debug('Get AWS credentials from Metaplay')
+    const awsCredentials = await this.getAwsCredentials()
+
+    // Create ECR client with credentials
+    logger.debug('Create ECR client')
+    const client = new ECRClient({
+      credentials: {
+        accessKeyId: awsCredentials.AccessKeyId,
+        secretAccessKey: awsCredentials.SecretAccessKey,
+        sessionToken: awsCredentials.SessionToken
+      },
+      region: envInfo.deployment.aws_region
+    })
+
+    // Fetch the ECR docker authentication token
+    logger.debug('Fetch ECR login credentials from AWS')
+    const command = new GetAuthorizationTokenCommand({})
+    const response = await client.send(command)
+    if (!response.authorizationData || response.authorizationData.length === 0 || !response.authorizationData[0].authorizationToken || !response.authorizationData[0].proxyEndpoint) {
+      throw new Error('Received an empty authorization token response for ECR repository')
+    }
+
+    // Parse username and password from the response (separated by a ':')
+    logger.debug('Parse ECR response')
+    const registryUrl = response.authorizationData[0].proxyEndpoint
+    const authorization64 = response.authorizationData[0].authorizationToken
+    const authorization = Buffer.from(authorization64, 'base64').toString()
+    const [username, password] = authorization.split(':')
+    logger.debug(`ECR: username=${username}, proxyEndpoint=${registryUrl}`)
+
+    return {
+      username,
+      password,
+      registryUrl
+    } satisfies DockerCredentials
+  }
+}