@metaplay/metaplay-auth 1.4.2 → 1.5.0

package/src/targetenvironment.ts

@@ -0,0 +1,307 @@
+import { logger } from './logging.js'
+import { dump } from 'js-yaml'
+import { getUserinfo } from './auth.js'
+import { isRunningUnderNpx } from './utils.js'
+import { ECRClient, GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr'
+import { defaultStackApiBaseUrl } from './stackapi.js'
+
+interface AwsCredentialsResponse {
+  AccessKeyId: string
+  SecretAccessKey: string
+  SessionToken: string
+  Expiration: string
+}
+
+export interface DeploymentDetails {
+  server_hostname: string
+  kubernetes_namespace: string
+  ecr_repo: string
+  aws_region: string
+}
+
+export interface EnvironmentDetails {
+  deployment: DeploymentDetails
+}
+
+interface KubeConfig {
+  apiVersion?: string
+  kind: string
+  'current-context': string
+  clusters: KubeConfigCluster[]
+  contexts: KubeConfigContext[]
+  users: KubeConfigUser[]
+  preferences?: any
+}
+
+interface KubeConfigCluster {
+  cluster: {
+    'certificate-authority-data': string
+    server: string
+  }
+  name: string
+}
+
+interface KubeConfigContext {
+  context: {
+    cluster: string
+    user: string
+    namespace?: string
+  }
+  name: string
+}
+
+interface KubeConfigUser {
+  name: string
+  user: {
+    token?: string
+    exec?: {
+      command: string
+      args: string[]
+      apiVersion: string
+    }
+  }
+}
+
+interface KubeExecCredential {
+  apiVersion: string
+  kind: string
+  spec: {
+    cluster?: {
+      server: string
+      certificateAuthorityData: string
+    }
+  }
+  status: {
+    token: string
+    expirationTimestamp: string
+  }
+}
+
+export interface DockerCredentials {
+  username: string
+  password: string
+  registryUrl: string
+}
+
+export class TargetEnvironment {
+  private readonly accessToken: string
+  private readonly environmentDomain: string
+  private readonly stackApiBaseUrl: string
+  private readonly environmentApiBaseUrl: string
+  private readonly organization?: string
+  private readonly project?: string
+  private readonly environment?: string
+
+  constructor (accessToken: string, environmentDomain: string, stackApiBaseUrl: string, environmentApiBaseUrl: string, organization?: string, project?: string, environment?: string) {
+    this.accessToken = accessToken
+    this.environmentDomain = environmentDomain
+    this.stackApiBaseUrl = stackApiBaseUrl
+    this.environmentApiBaseUrl = environmentApiBaseUrl
+    this.organization = organization
+    this.project = project
+    this.environment = environment
+  }
+
+  async fetchJson<T> (url: string, method: string): Promise<T> {
+    const response = await fetch(url, {
+      method,
+      headers: {
+        Authorization: `Bearer ${this.accessToken}`,
+        'Content-Type': 'application/json'
+      }
+    })
+
+    if (response.status !== 200) {
+      throw new Error(`Failed to fetch ${method} ${url}: ${response.statusText}, response code=${response.status}`)
+    }
+
+    return await response.json() as T
+  }
+
+  async fetchText (url: string, method: string): Promise<string> {
+    let response
+    try {
+      response = await fetch(url, {
+        method,
+        headers: {
+          Authorization: `Bearer ${this.accessToken}`,
+          'Content-Type': 'application/json'
+        }
+      })
+    } catch (error: any) {
+      logger.error(`Failed to fetch ${method} ${url}:`, error)
+      if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
+        throw new Error(`Failed to to fetch ${url}: SSL certificate validation failed. Is someone trying to tamper with your internet connection?`)
+      }
+      throw new Error(`Failed to fetch ${url}: ${error}`)
+    }
+
+    if (response.status !== 200) {
+      throw new Error(`Failed to fetch ${method} ${url}: ${response.statusText}`)
+    }
+
+    return await response.text()
+  }
+
+  async getAwsCredentials (): Promise<AwsCredentialsResponse> {
+    const url = `${this.environmentApiBaseUrl}/credentials/aws`
+    logger.debug(`Fetching AWS credentials from ${url}...`)
+    return await this.fetchJson<AwsCredentialsResponse>(url, 'POST')
+  }
+
+  async getKubeConfig (): Promise<string> {
+    const url = `${this.environmentApiBaseUrl}/credentials/k8s`
+    logger.debug(`Getting KubeConfig from ${url}...`)
+    return await this.fetchText(url, 'POST')
+  }
+
+  /**
+   * Get a `kubeconfig` payload which invokes `metaplay-auth get-kubernetes-execcredential` to get the actual
+   * access credentials each time the kubeconfig is used.
+   * @returns The kubeconfig YAML.
+   */
+  async getKubeConfigExecCredential (): Promise<string> {
+    const url = `${this.environmentApiBaseUrl}/credentials/k8s?type=execcredential`
+    logger.debug(`Getting Kubernetes KubeConfig from ${url}...`)
+
+    // get the execcredential and morph it into a kubeconfig which calls metaplay-auth for the token
+    let kubeExecCredential: KubeExecCredential
+    try {
+      kubeExecCredential = await this.fetchJson<KubeExecCredential>(url, 'POST')
+    } catch {
+      throw new Error('Failed to fetch Kubernetes KubeConfig')
+    }
+
+    if (!kubeExecCredential.spec.cluster) {
+      throw new Error('Received kubeExecCredential with missing spec.cluster')
+    }
+
+    // Fetch environment namespace
+    const environment = await this.getEnvironmentDetails()
+    const namespace = environment.deployment?.kubernetes_namespace
+    if (!namespace) {
+      throw new Error('Environment details did not contain a valid Kubernetes namespace')
+    }
+
+    // Fetch user id
+    const userinfo = await getUserinfo(this.accessToken)
+    const userId = userinfo.email
+
+    // Resolve the environment identity (prefer org-proj-env or fall back to FQDN)
+    const envId = this.organization ? `${this.organization}-${this.project}-${this.environment}` : this.environmentDomain
+
+    // Resolve invocation for getting the kubeconfig exec credential
+    let execCmd = 'metaplay-auth'
+    let execArgs =
+      ['get-kubernetes-execcredential']
+        .concat(this.stackApiBaseUrl !== defaultStackApiBaseUrl ? ['--stack-api', this.stackApiBaseUrl] : [])
+        .concat([envId])
+
+    // If running under npx, use npx also for getting the kube exec credential
+    if (isRunningUnderNpx()) {
+      execCmd = 'npx'
+      execArgs = [
+        '--yes', // For NPX to silently install or update
+        '@metaplay/metaplay-auth@latest',
+        ...execArgs
+      ]
+    }
+
+    const kubeConfig: KubeConfig = {
+      apiVersion: 'v1',
+      kind: 'Config',
+      'current-context': envId,
+      clusters: [
+        {
+          cluster: {
+            'certificate-authority-data': kubeExecCredential.spec.cluster.certificateAuthorityData,
+            server: kubeExecCredential.spec.cluster.server
+          },
+          name: kubeExecCredential.spec.cluster.server
+        }
+      ],
+      contexts: [
+        {
+          context: {
+            cluster: kubeExecCredential.spec.cluster.server,
+            namespace,
+            user: userId
+          },
+          name: envId,
+        }
+      ],
+      users: [
+        {
+          name: userId,
+          user: {
+            exec: {
+              apiVersion: 'client.authentication.k8s.io/v1beta1',
+              command: execCmd,
+              args: execArgs
+            }
+          }
+        }
+      ],
+    }
+
+    // return as yaml for easier consumption
+    return dump(kubeConfig)
+  }
+
+  async getKubeExecCredential (): Promise<string> {
+    const url = `${this.environmentApiBaseUrl}/credentials/k8s?type=execcredential`
+    logger.debug(`Getting Kubernetes ExecCredential from ${url}...`)
+    return await this.fetchText(url, 'POST')
+  }
+
+  async getEnvironmentDetails (): Promise<EnvironmentDetails> {
+    // \note If invoking StackAPI via the https://<environment>/.infra, we need to add '/environment' to the path
+    const urlSuffix = this.environmentApiBaseUrl.endsWith('.infra') ? '/environment' : ''
+    const url = this.environmentApiBaseUrl + urlSuffix
+    logger.debug(`Getting environment details from ${url}...`)
+    return await this.fetchJson<EnvironmentDetails>(url, 'GET')
+  }
+
+  async getDockerCredentials (): Promise<DockerCredentials> {
+    // Get environment info (for AWS region)
+    logger.debug('Get environment info')
+    const envInfo = await this.getEnvironmentDetails()
+
+    // Fetch AWS credentials from Metaplay cloud
+    logger.debug('Get AWS credentials from Metaplay')
+    const awsCredentials = await this.getAwsCredentials()
+
+    // Create ECR client with credentials
+    logger.debug('Create ECR client')
+    const client = new ECRClient({
+      credentials: {
+        accessKeyId: awsCredentials.AccessKeyId,
+        secretAccessKey: awsCredentials.SecretAccessKey,
+        sessionToken: awsCredentials.SessionToken
+      },
+      region: envInfo.deployment.aws_region
+    })
+
+    // Fetch the ECR docker authentication token
+    logger.debug('Fetch ECR login credentials from AWS')
+    const command = new GetAuthorizationTokenCommand({})
+    const response = await client.send(command)
+    if (!response.authorizationData || response.authorizationData.length === 0 || !response.authorizationData[0].authorizationToken || !response.authorizationData[0].proxyEndpoint) {
+      throw new Error('Received an empty authorization token response for ECR repository')
+    }
+
+    // Parse username and password from the response (separated by a ':')
+    logger.debug('Parse ECR response')
+    const registryUrl = response.authorizationData[0].proxyEndpoint
+    const authorization64 = response.authorizationData[0].authorizationToken
+    const authorization = Buffer.from(authorization64, 'base64').toString()
+    const [username, password] = authorization.split(':')
+    logger.debug(`ECR: username=${username}, proxyEndpoint=${registryUrl}`)
+
+    return {
+      username,
+      password,
+      registryUrl
+    } satisfies DockerCredentials
+  }
+}

package/src/utils.ts

@@ -1,8 +1,5 @@
 import { spawn } from 'child_process'
-
-export function stackApiBaseFromOptions (arg: string, options: Record<string, any>): string {
-  return ''
-}
+import path from 'path'
 
 /**
  * Checks if the given string is a fully qualified domain name (FQDN).
@@ -49,15 +46,27 @@ export function getGameserverAdminUrl (uri: string): string {
   return `${hostname}-admin.${domain}`
 }
 
-interface CommandResult {
-  code: number | null
+export interface ExecuteCommandResult {
+  exitCode: number | null
   stdout: any[]
   stderr: any[]
 }
 
-export async function executeCommand (command: string, args: string[]): Promise<CommandResult> {
+/**
+ * Run a child process and return an awaitable Promise.
+ *
+ * @param command Name of the command/binary to execute.
+ * @param args List of arugments to pass to the child process.
+ * @param inheritStdio Should the stdin/stdout/stderr be inherited from the parent process? If false, the outputs are buffered for reading later.
+ * @param env Environment variables to pass in. Does not inherit parent process env. Use current process env if not specified.
+ * @returns Awaitable promise with the result of the execution.
+ */
+export async function executeCommand (command: string, args: string[], inheritStdio: boolean, env?: NodeJS.ProcessEnv): Promise<ExecuteCommandResult> {
   return await new Promise((resolve, reject) => {
-    const childProcess = spawn(command, args) //, { stdio: 'inherit' }) -- this pipes stdout & stderr to our output
+    const childProcess = spawn(command, args, {
+      stdio: inheritStdio ? 'inherit' : undefined,
+      env,
+    })
     let stdout: any[] = []
     let stderr: any[] = []
 
@@ -71,7 +80,7 @@ export async function executeCommand (command: string, args: string[]): Promise<
 
     // If program runs to completion, resolve promise with success
     childProcess.on('close', (code) => {
-      resolve({ code, stdout, stderr })
+      resolve({ exitCode: code, stdout, stderr })
     })
 
     childProcess.on('error', (err) => {
@@ -83,3 +92,34 @@ export async function executeCommand (command: string, args: string[]): Promise<
     })
   })
 }
+
+export function isRunningUnderNpx () {
+  // console.log('process.argv:', process.argv)
+  const matchBinary = (binaryPath: string, binaryName: string): boolean => {
+    const binary = path.basename(binaryPath, path.extname(binaryPath)) // drop path and extension
+    return binary === binaryName
+  }
+
+  // Check if 'npx' is the invoked binary (this check is not sufficient as it can also be 'node')
+  if (matchBinary(process.argv[0], 'npx')) {
+    return true
+  }
+
+  // Check if the script path contains a known npx temporary directory pattern
+  const scriptPath = process.argv[1]
+  if (scriptPath?.includes(`${path.sep}_npx${path.sep}`)) {
+    return true
+  }
+
+  // Check if the environment variable 'npm_execpath' is exactly 'npx'
+  if (process.env.npm_execpath && matchBinary(process.env.npm_execpath, 'npx')) {
+    return true
+  }
+
+  // Check if the environment variable '_' ends with 'npx' (specific to npx usage)
+  if (process.env._ && matchBinary(process.env._, 'npx')) {
+    return true
+  }
+
+  return false
+}

package/src/version.ts

@@ -0,0 +1 @@
+export const PACKAGE_VERSION = '1.5.0'