@metaplay/metaplay-auth 1.4.2 → 1.6.0

package/src/stackapi.ts

@@ -1,89 +1,9 @@
-import { isValidFQDN, getGameserverAdminUrl } from './utils.js'
-import { logger } from './logging.js'
-import { dump } from 'js-yaml'
-import { getUserinfo } from './auth.js'
-import { ECRClient, GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr'
-
-interface AwsCredentialsResponse {
-  AccessKeyId: string
-  SecretAccessKey: string
-  SessionToken: string
-  Expiration: string
-}
-
-export interface GameserverId {
-  gameserver?: string
-  organization?: string
-  project?: string
-  environment?: string
-}
-
-interface KubeConfig {
-  apiVersion?: string
-  kind: string
-  'current-context': string
-  clusters: KubeConfigCluster[]
-  contexts: KubeConfigContext[]
-  users: KubeConfigUser[]
-  preferences?: any
-}
-
-interface KubeConfigCluster {
-  cluster: {
-    'certificate-authority-data': string
-    server: string
-  }
-  name: string
-}
-
-interface KubeConfigContext {
-  context: {
-    cluster: string
-    user: string
-    namespace?: string
-  }
-  name: string
-}
-
-interface KubeConfigUser {
-  name: string
-  user: {
-    token?: string
-    exec?: {
-      command: string
-      args: string[]
-      apiVersion: string
-    }
-  }
-}
-
-interface KubeExecCredential {
-  apiVersion: string
-  kind: string
-  spec: {
-    cluster?: {
-      server: string
-      certificateAuthorityData: string
-    }
-  }
-  status: {
-    token: string
-    expirationTimestamp: string
-  }
-}
-
-export interface DockerCredentials {
-  username: string
-  password: string
-  registryUrl: string
-}
-
+// \note Unused right now but will likely need this back later
 export class StackAPI {
   private readonly accessToken: string
+  private readonly stackApiBaseUrl: string
 
-  private readonly _stackApiBaseUrl: string
-
-  constructor (accessToken: string, stackApiBaseUrl: string | undefined) {
+  constructor(accessToken: string, stackApiBaseUrl: string | undefined) {
     if (accessToken == null) {
       throw new Error('accessToken must be provided')
     }
@@ -91,305 +11,9 @@ export class StackAPI {
     this.accessToken = accessToken
 
     if (stackApiBaseUrl) {
-      this._stackApiBaseUrl = stackApiBaseUrl.replace(/\/$/, '') // Remove trailing slash
-    } else {
-      this._stackApiBaseUrl = 'https://infra.p1.metaplay.io/stackapi'
-    }
-  }
-
-  async getAwsCredentials (gs: GameserverId): Promise<AwsCredentialsResponse> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/credentials/aws`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/aws`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/aws`
-    } else {
-      throw new Error('Invalid arguments for getAwsCredentials')
-    }
-
-    logger.debug(`Getting AWS credentials from ${url}...`)
-    const response = await fetch(url, {
-      method: 'POST',
-      headers: {
-        Authorization: `Bearer ${this.accessToken}`,
-        'Content-Type': 'application/json'
-      }
-    })
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch AWS credentials: ${response.statusText}, response code=${response.status}`)
-    }
-
-    return await response.json()
-  }
-
-  async getKubeConfig (gs: GameserverId): Promise<string> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/credentials/k8s`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/k8s`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s`
+      this.stackApiBaseUrl = stackApiBaseUrl.replace(/\/$/, '') // Remove trailing slash
     } else {
-      throw new Error('Invalid arguments for getKubeConfig')
-    }
-
-    logger.debug(`Getting KubeConfig from ${url}...`)
-
-    let response
-    try {
-      response = await fetch(url, {
-        method: 'POST',
-        headers: {
-          Authorization: `Bearer ${this.accessToken}`,
-          'Content-Type': 'application/json'
-        }
-      })
-    } catch (error: any) {
-      logger.error(`Failed to fetch kubeconfig from ${url}`)
-      logger.error('Fetch error details:', error)
-      if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
-        throw new Error(`Failed to to fetch kubeconfig: SSL certificate validation failed for ${url}. Is someone trying to tamper with your internet connection?`)
-      }
-      throw new Error(`Failed to fetch kubeconfig from ${url}: ${error}`)
+      this.stackApiBaseUrl = 'https://infra.p1.metaplay.io/stackapi'
     }
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch KubeConfigs: ${response.statusText}`)
-    }
-
-    return await response.text()
-  }
-
-  /**
-   * Get a `kubeconfig` payload which invokes `metaplay-auth get-kubernetes-execcredential` to get the actual
-   * access credentials each time the kubeconfig is used.
-   * @param gs Game server environment to get credentials for.
-   * @returns The kubeconfig YAML.
-   */
-  async getKubeConfigExecCredential (gs: GameserverId): Promise<string> {
-    let url = ''
-    let gsSlug = ''
-    const execArgs = ['get-kubernetes-execcredential']
-    if (gs.gameserver != null) {
-      const adminUrl = getGameserverAdminUrl(gs.gameserver)
-      url = `https://${adminUrl}/.infra/credentials/k8s?type=execcredential`
-      gsSlug = gs.gameserver
-      execArgs.push('--gameserver', gs.gameserver)
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s?type=execcredential`
-      gsSlug = `${gs.organization}.${gs.project}.${gs.environment}`
-      execArgs.push(`${gs.organization}-${gs.project}-${gs.environment}`)
-    } else {
-      throw new Error('Invalid arguments for getKubeConfigExecCredential')
-    }
-
-    logger.debug(`Getting Kubernetes KubeConfig from ${url}...`)
-
-    let response
-    try {
-      response = await fetch(url, {
-        method: 'POST',
-        headers: {
-          Authorization: `Bearer ${this.accessToken}`,
-          'Content-Type': 'application/json'
-        }
-      })
-    } catch (error: any) {
-      logger.error(`Failed to fetch kubeconfig from ${url}`)
-      logger.error('Fetch error details:', error)
-      if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
-        throw new Error(`Failed to to fetch kubeconfig: SSL certificate validation failed for ${url}. Is someone trying to tamper with your internet connection?`)
-      }
-      throw new Error(`Failed to fetch kubeconfig from ${url}: ${error}`)
-    }
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch Kubernetes KubeConfig: ${response.statusText}`)
-    }
-
-    // get the execcredential and morph it into a kubeconfig which calls metaplay-auth for the token
-    let kubeExecCredential
-    try {
-      kubeExecCredential = await response.json() as KubeExecCredential
-    } catch {
-      throw new Error('Failed to fetch Kubernetes KubeConfig: the server response is not JSON')
-    }
-
-    if (!kubeExecCredential.spec.cluster) {
-      throw new Error('Received kubeExecCredential with missing spec.cluster')
-    }
-
-    let namespace = 'default'
-    let user = 'user'
-
-    try {
-      const environment = await this.getEnvironmentDetails(gs)
-      namespace = environment.deployment?.kubernetes_namespace ?? namespace
-    } catch (e) {
-      logger.debug('Failed to get environment details, using defaults', e)
-    }
-
-    try {
-      const userinfo = await getUserinfo(this.accessToken)
-      user = userinfo.sub ?? user
-    } catch (e) {
-      logger.debug('Failed to get userinfo, using defaults', e)
-    }
-
-    const kubeConfig: KubeConfig = {
-      apiVersion: 'v1',
-      kind: 'Config',
-      'current-context': gsSlug,
-      clusters: [
-        {
-          cluster: {
-            'certificate-authority-data': kubeExecCredential.spec.cluster.certificateAuthorityData,
-            server: kubeExecCredential.spec.cluster.server
-          },
-          name: kubeExecCredential.spec.cluster.server
-        }
-      ],
-      contexts: [
-        {
-          context: {
-            cluster: kubeExecCredential.spec.cluster.server,
-            namespace,
-            user
-          },
-          name: gsSlug,
-        }
-      ],
-      users: [
-        {
-          name: user,
-          user: {
-            exec: {
-              apiVersion: 'client.authentication.k8s.io/v1beta1',
-              command: 'metaplay-auth', // todo: figure out how to refer to metaplay-auth itself
-              args: execArgs,
-            }
-          }
-        }
-      ],
-    }
-
-    // return as yaml for easier consumption
-    return dump(kubeConfig)
-  }
-
-  async getKubeExecCredential (gs: GameserverId): Promise<string> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/credentials/k8s?type=execcredential`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/credentials/${gs.gameserver}/k8s?type=execcredential`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}/credentials/k8s?type=execcredential`
-    } else {
-      throw new Error('Invalid arguments for getKubeConfig')
-    }
-
-    logger.debug(`Getting Kubernetes ExecCredential from ${url}...`)
-
-    const response = await fetch(url, {
-      method: 'POST',
-      headers: {
-        Authorization: `Bearer ${this.accessToken}`,
-        'Content-Type': 'application/json'
-      }
-    })
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch Kubernetes ExecCredential: ${response.statusText}`)
-    }
-
-    return await response.text()
-  }
-
-  async getEnvironmentDetails (gs: GameserverId): Promise<any> {
-    let url = ''
-    if (gs.gameserver != null) {
-      if (isValidFQDN(gs.gameserver)) {
-        const adminUrl = getGameserverAdminUrl(gs.gameserver)
-        url = `https://${adminUrl}/.infra/environment`
-      } else {
-        url = `${this._stackApiBaseUrl}/v0/deployments/${gs.gameserver}`
-      }
-    } else if (gs.organization != null && gs.project != null && gs.environment != null) {
-      url = `${this._stackApiBaseUrl}/v1/servers/${gs.organization}/${gs.project}/${gs.environment}`
-    } else {
-      throw new Error('Invalid arguments for environment details')
-    }
-
-    logger.debug(`Getting environment details from ${url}...`)
-    const response = await fetch(url, {
-      method: 'GET',
-      headers: {
-        Authorization: `Bearer ${this.accessToken}`,
-        'Content-Type': 'application/json'
-      }
-    })
-
-    if (response.status !== 200) {
-      throw new Error(`Failed to fetch environment details: ${response.statusText}`)
-    }
-
-    return await response.json()
-  }
-
-  async getDockerCredentials (gameserverId: GameserverId): Promise<DockerCredentials> {
-    // Get environment info (for AWS region)
-    logger.debug('Get environment info')
-    const envInfo = await this.getEnvironmentDetails(gameserverId)
-
-    // Fetch AWS credentials from Metaplay cloud
-    logger.debug('Get AWS credentials from Metaplay')
-    const awsCredentials = await this.getAwsCredentials(gameserverId)
-
-    // Create ECR client with credentials
-    logger.debug('Create ECR client')
-    const client = new ECRClient({
-      credentials: {
-        accessKeyId: awsCredentials.AccessKeyId,
-        secretAccessKey: awsCredentials.SecretAccessKey,
-        sessionToken: awsCredentials.SessionToken
-      },
-      region: envInfo.deployment.aws_region
-    })
-
-    // Fetch the ECR docker authentication token
-    logger.debug('Fetch ECR login credentials from AWS')
-    const command = new GetAuthorizationTokenCommand({})
-    const response = await client.send(command)
-    if (!response.authorizationData || response.authorizationData.length === 0 || !response.authorizationData[0].authorizationToken || !response.authorizationData[0].proxyEndpoint) {
-      throw new Error('Received an empty authorization token response for ECR repository')
-    }
-
-    // Parse username and password from the response (separated by a ':')
-    logger.debug('Parse ECR response')
-    const registryUrl = response.authorizationData[0].proxyEndpoint
-    const authorization64 = response.authorizationData[0].authorizationToken
-    const authorization = Buffer.from(authorization64, 'base64').toString()
-    const [username, password] = authorization.split(':')
-    logger.debug(`ECR: username=${username}, proxyEndpoint=${registryUrl}`)
-
-    return {
-      username,
-      password,
-      registryUrl
-    } satisfies DockerCredentials
   }
 }

package/src/targetenvironment.ts

@@ -0,0 +1,311 @@
+import { logger } from './logging.js'
+import { dump } from 'js-yaml'
+import { getUserinfo } from './auth.js'
+import { isRunningUnderNpx } from './utils.js'
+import { ECRClient, GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr'
+
+interface AwsCredentialsResponse {
+  AccessKeyId: string
+  SecretAccessKey: string
+  SessionToken: string
+  Expiration: string
+}
+
+export interface DeploymentDetails {
+  server_hostname: string
+  kubernetes_namespace: string
+  ecr_repo: string
+  aws_region: string
+}
+
+export interface EnvironmentDetails {
+  deployment: DeploymentDetails
+}
+
+interface KubeConfig {
+  apiVersion?: string
+  kind: string
+  'current-context': string
+  clusters: KubeConfigCluster[]
+  contexts: KubeConfigContext[]
+  users: KubeConfigUser[]
+  preferences?: any
+}
+
+interface KubeConfigCluster {
+  cluster: {
+    'certificate-authority-data': string
+    server: string
+  }
+  name: string
+}
+
+interface KubeConfigContext {
+  context: {
+    cluster: string
+    user: string
+    namespace?: string
+  }
+  name: string
+}
+
+interface KubeConfigUser {
+  name: string
+  user: {
+    token?: string
+    exec?: {
+      command: string
+      args: string[]
+      apiVersion: string
+      interactiveMode: string
+    }
+  }
+}
+
+interface KubeExecCredential {
+  apiVersion: string
+  kind: string
+  spec: {
+    cluster?: {
+      server: string
+      certificateAuthorityData: string
+    }
+  }
+  status: {
+    token: string
+    expirationTimestamp: string
+  }
+}
+
+export interface DockerCredentials {
+  username: string
+  password: string
+  registryUrl: string
+}
+
+export class TargetEnvironment {
+  private readonly accessToken: string
+  private readonly humanId: string
+  private readonly stackApiBaseUrl: string
+
+  constructor(accessToken: string, humanId: string, stackApiBaseUrl: string) {
+    this.accessToken = accessToken
+    this.humanId = humanId
+    this.stackApiBaseUrl = stackApiBaseUrl
+  }
+
+  async fetchJson<T>(url: string, method: string): Promise<T> {
+    const response = await fetch(url, {
+      method,
+      headers: {
+        Authorization: `Bearer ${this.accessToken}`,
+        'Content-Type': 'application/json',
+      },
+    })
+
+    if (response.status !== 200) {
+      throw new Error(`Failed to fetch ${method} ${url}: ${response.statusText}, response code=${response.status}`)
+    }
+
+    return (await response.json()) as T
+  }
+
+  async fetchText(url: string, method: string): Promise<string> {
+    // eslint-disable-next-line @typescript-eslint/init-declarations
+    let response
+    try {
+      response = await fetch(url, {
+        method,
+        headers: {
+          Authorization: `Bearer ${this.accessToken}`,
+          'Content-Type': 'application/json',
+        },
+      })
+    } catch (error: any) {
+      logger.error(`Failed to fetch ${method} ${url}:`, error)
+      if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
+        throw new Error(
+          `Failed to to fetch ${url}: SSL certificate validation failed. Is someone trying to tamper with your internet connection?`
+        )
+      }
+      throw new Error(`Failed to fetch ${url}: ${error}`)
+    }
+
+    if (response.status !== 200) {
+      throw new Error(`Failed to fetch ${method} ${url}: ${response.statusText}`)
+    }
+
+    return await response.text()
+  }
+
+  /**
+   * Get AWS credentials for the target environment from Metaplay cloud.
+   * @returns The AWS credentials.
+   */
+  async getAwsCredentials(): Promise<AwsCredentialsResponse> {
+    const url = `${this.stackApiBaseUrl}/v0/credentials/${this.humanId}/aws`
+    logger.debug(`Fetching AWS credentials from ${url}...`)
+    return await this.fetchJson<AwsCredentialsResponse>(url, 'POST')
+  }
+
+  /**
+   * Get a short-lived kubeconfig with the access credentials embedded in the kubeconfig file.
+   * @returns The kubeconfig YAML.
+   */
+  async getKubeConfigWithEmbeddedCredentials(): Promise<string> {
+    const url = `${this.stackApiBaseUrl}/v0/credentials/${this.humanId}/k8s`
+    logger.debug(`Getting KubeConfig from ${url}...`)
+    return await this.fetchText(url, 'POST')
+  }
+
+  /**
+   * Get a `kubeconfig` payload which invokes `metaplay-auth get-kubernetes-execcredential` to get the actual
+   * access credentials each time the kubeconfig is used.
+   * @returns The kubeconfig YAML.
+   */
+  async getKubeConfigWithExecCredential(): Promise<string> {
+    const url = `${this.stackApiBaseUrl}/v0/credentials/${this.humanId}/k8s?type=execcredential`
+    logger.debug(`Getting Kubernetes KubeConfig from ${url}...`)
+
+    // get the execcredential and morph it into a kubeconfig which calls metaplay-auth for the token
+    // eslint-disable-next-line @typescript-eslint/init-declarations
+    let kubeExecCredential: KubeExecCredential
+    try {
+      kubeExecCredential = await this.fetchJson<KubeExecCredential>(url, 'POST')
+    } catch {
+      throw new Error(`Failed to fetch Kubernetes KubeConfig from ${url}`)
+    }
+
+    if (!kubeExecCredential.spec.cluster) {
+      throw new Error('Received kubeExecCredential with missing spec.cluster')
+    }
+
+    // Fetch environment namespace
+    const environment = await this.getEnvironmentDetails()
+    const namespace = environment.deployment?.kubernetes_namespace
+    if (!namespace) {
+      throw new Error('Environment details did not contain a valid Kubernetes namespace')
+    }
+
+    // Fetch user id
+    const userinfo = await getUserinfo(this.accessToken)
+    const userId = userinfo.email
+
+    // Resolve invocation for getting the kubeconfig exec credential
+    let execCmd = 'metaplay-auth'
+    let execArgs = ['get-kubernetes-execcredential']
+      .concat(['--stack-api', this.stackApiBaseUrl]) // include URL to avoid lookups from portal
+      .concat([this.humanId]) // use the immutable humanId to tolerate slug renaming
+
+    // If running under npx, use npx also for getting the kube exec credential
+    if (isRunningUnderNpx()) {
+      execCmd = 'npx'
+      execArgs = [
+        '--yes', // For NPX to silently install or update
+        '@metaplay/metaplay-auth@latest',
+        ...execArgs,
+      ]
+    }
+
+    const kubeConfig: KubeConfig = {
+      apiVersion: 'v1',
+      kind: 'Config',
+      'current-context': this.humanId, // use immutable humanId
+      clusters: [
+        {
+          cluster: {
+            'certificate-authority-data': kubeExecCredential.spec.cluster.certificateAuthorityData,
+            server: kubeExecCredential.spec.cluster.server,
+          },
+          name: kubeExecCredential.spec.cluster.server,
+        },
+      ],
+      contexts: [
+        {
+          context: {
+            cluster: kubeExecCredential.spec.cluster.server,
+            namespace,
+            user: userId,
+          },
+          name: this.humanId, // use immutable humanId
+        },
+      ],
+      users: [
+        {
+          name: userId,
+          user: {
+            exec: {
+              apiVersion: 'client.authentication.k8s.io/v1beta1',
+              command: execCmd,
+              args: execArgs,
+              interactiveMode: 'Never',
+            },
+          },
+        },
+      ],
+    }
+
+    // return as yaml for easier consumption
+    return dump(kubeConfig)
+  }
+
+  async getKubeExecCredential(): Promise<string> {
+    const url = `${this.stackApiBaseUrl}/v0/credentials/${this.humanId}/k8s?type=execcredential`
+    logger.debug(`Getting Kubernetes ExecCredential from ${url}...`)
+    return await this.fetchText(url, 'POST')
+  }
+
+  async getEnvironmentDetails(): Promise<EnvironmentDetails> {
+    const url = `${this.stackApiBaseUrl}/v0/deployments/${this.humanId}`
+    logger.debug(`Getting environment details from ${url}...`)
+    return await this.fetchJson<EnvironmentDetails>(url, 'GET')
+  }
+
+  async getDockerCredentials(): Promise<DockerCredentials> {
+    // Get environment info (for AWS region)
+    logger.debug('Get environment info')
+    const envInfo = await this.getEnvironmentDetails()
+
+    // Fetch AWS credentials from Metaplay cloud
+    logger.debug('Get AWS credentials from Metaplay')
+    const awsCredentials = await this.getAwsCredentials()
+
+    // Create ECR client with credentials
+    logger.debug('Create ECR client')
+    const client = new ECRClient({
+      credentials: {
+        accessKeyId: awsCredentials.AccessKeyId,
+        secretAccessKey: awsCredentials.SecretAccessKey,
+        sessionToken: awsCredentials.SessionToken,
+      },
+      region: envInfo.deployment.aws_region,
+    })
+
+    // Fetch the ECR docker authentication token
+    logger.debug('Fetch ECR login credentials from AWS')
+    const command = new GetAuthorizationTokenCommand({})
+    const response = await client.send(command)
+    if (
+      !response.authorizationData ||
+      response.authorizationData.length === 0 ||
+      !response.authorizationData[0].authorizationToken ||
+      !response.authorizationData[0].proxyEndpoint
+    ) {
+      throw new Error('Received an empty authorization token response for ECR repository')
+    }
+
+    // Parse username and password from the response (separated by a ':')
+    logger.debug('Parse ECR response')
+    const registryUrl = response.authorizationData[0].proxyEndpoint
+    const authorization64 = response.authorizationData[0].authorizationToken
+    const authorization = Buffer.from(authorization64, 'base64').toString()
+    const [username, password] = authorization.split(':')
+    logger.debug(`ECR: username=${username}, proxyEndpoint=${registryUrl}`)
+
+    return {
+      username,
+      password,
+      registryUrl,
+    } satisfies DockerCredentials
+  }
+}