@metaplay/metaplay-auth 1.5.0 → 1.6.0

package/src/targetenvironment.ts

@@ -3,7 +3,6 @@ import { dump } from 'js-yaml'
 import { getUserinfo } from './auth.js'
 import { isRunningUnderNpx } from './utils.js'
 import { ECRClient, GetAuthorizationTokenCommand } from '@aws-sdk/client-ecr'
-import { defaultStackApiBaseUrl } from './stackapi.js'
 
 interface AwsCredentialsResponse {
   AccessKeyId: string
@@ -58,6 +57,7 @@ interface KubeConfigUser {
       command: string
       args: string[]
       apiVersion: string
+      interactiveMode: string
     }
   }
 }
@@ -85,53 +85,48 @@ export interface DockerCredentials {
 
 export class TargetEnvironment {
   private readonly accessToken: string
-  private readonly environmentDomain: string
+  private readonly humanId: string
   private readonly stackApiBaseUrl: string
-  private readonly environmentApiBaseUrl: string
-  private readonly organization?: string
-  private readonly project?: string
-  private readonly environment?: string
 
-  constructor (accessToken: string, environmentDomain: string, stackApiBaseUrl: string, environmentApiBaseUrl: string, organization?: string, project?: string, environment?: string) {
+  constructor(accessToken: string, humanId: string, stackApiBaseUrl: string) {
     this.accessToken = accessToken
-    this.environmentDomain = environmentDomain
+    this.humanId = humanId
     this.stackApiBaseUrl = stackApiBaseUrl
-    this.environmentApiBaseUrl = environmentApiBaseUrl
-    this.organization = organization
-    this.project = project
-    this.environment = environment
   }
 
-  async fetchJson<T> (url: string, method: string): Promise<T> {
+  async fetchJson<T>(url: string, method: string): Promise<T> {
     const response = await fetch(url, {
       method,
       headers: {
         Authorization: `Bearer ${this.accessToken}`,
-        'Content-Type': 'application/json'
-      }
+        'Content-Type': 'application/json',
+      },
     })
 
     if (response.status !== 200) {
       throw new Error(`Failed to fetch ${method} ${url}: ${response.statusText}, response code=${response.status}`)
     }
 
-    return await response.json() as T
+    return (await response.json()) as T
   }
 
-  async fetchText (url: string, method: string): Promise<string> {
+  async fetchText(url: string, method: string): Promise<string> {
+    // eslint-disable-next-line @typescript-eslint/init-declarations
     let response
     try {
       response = await fetch(url, {
         method,
         headers: {
           Authorization: `Bearer ${this.accessToken}`,
-          'Content-Type': 'application/json'
-        }
+          'Content-Type': 'application/json',
+        },
       })
     } catch (error: any) {
       logger.error(`Failed to fetch ${method} ${url}:`, error)
       if (error.cause?.code === 'UNABLE_TO_VERIFY_LEAF_SIGNATURE') {
-        throw new Error(`Failed to to fetch ${url}: SSL certificate validation failed. Is someone trying to tamper with your internet connection?`)
+        throw new Error(
+          `Failed to to fetch ${url}: SSL certificate validation failed. Is someone trying to tamper with your internet connection?`
+        )
       }
       throw new Error(`Failed to fetch ${url}: ${error}`)
     }
@@ -143,14 +138,22 @@ export class TargetEnvironment {
     return await response.text()
   }
 
-  async getAwsCredentials (): Promise<AwsCredentialsResponse> {
-    const url = `${this.environmentApiBaseUrl}/credentials/aws`
+  /**
+   * Get AWS credentials for the target environment from Metaplay cloud.
+   * @returns The AWS credentials.
+   */
+  async getAwsCredentials(): Promise<AwsCredentialsResponse> {
+    const url = `${this.stackApiBaseUrl}/v0/credentials/${this.humanId}/aws`
     logger.debug(`Fetching AWS credentials from ${url}...`)
     return await this.fetchJson<AwsCredentialsResponse>(url, 'POST')
   }
 
-  async getKubeConfig (): Promise<string> {
-    const url = `${this.environmentApiBaseUrl}/credentials/k8s`
+  /**
+   * Get a short-lived kubeconfig with the access credentials embedded in the kubeconfig file.
+   * @returns The kubeconfig YAML.
+   */
+  async getKubeConfigWithEmbeddedCredentials(): Promise<string> {
+    const url = `${this.stackApiBaseUrl}/v0/credentials/${this.humanId}/k8s`
     logger.debug(`Getting KubeConfig from ${url}...`)
     return await this.fetchText(url, 'POST')
   }
@@ -160,16 +163,17 @@ export class TargetEnvironment {
    * access credentials each time the kubeconfig is used.
    * @returns The kubeconfig YAML.
    */
-  async getKubeConfigExecCredential (): Promise<string> {
-    const url = `${this.environmentApiBaseUrl}/credentials/k8s?type=execcredential`
+  async getKubeConfigWithExecCredential(): Promise<string> {
+    const url = `${this.stackApiBaseUrl}/v0/credentials/${this.humanId}/k8s?type=execcredential`
     logger.debug(`Getting Kubernetes KubeConfig from ${url}...`)
 
     // get the execcredential and morph it into a kubeconfig which calls metaplay-auth for the token
+    // eslint-disable-next-line @typescript-eslint/init-declarations
     let kubeExecCredential: KubeExecCredential
     try {
       kubeExecCredential = await this.fetchJson<KubeExecCredential>(url, 'POST')
     } catch {
-      throw new Error('Failed to fetch Kubernetes KubeConfig')
+      throw new Error(`Failed to fetch Kubernetes KubeConfig from ${url}`)
     }
 
     if (!kubeExecCredential.spec.cluster) {
@@ -187,15 +191,11 @@ export class TargetEnvironment {
     const userinfo = await getUserinfo(this.accessToken)
     const userId = userinfo.email
 
-    // Resolve the environment identity (prefer org-proj-env or fall back to FQDN)
-    const envId = this.organization ? `${this.organization}-${this.project}-${this.environment}` : this.environmentDomain
-
     // Resolve invocation for getting the kubeconfig exec credential
     let execCmd = 'metaplay-auth'
-    let execArgs =
-      ['get-kubernetes-execcredential']
-        .concat(this.stackApiBaseUrl !== defaultStackApiBaseUrl ? ['--stack-api', this.stackApiBaseUrl] : [])
-        .concat([envId])
+    let execArgs = ['get-kubernetes-execcredential']
+      .concat(['--stack-api', this.stackApiBaseUrl]) // include URL to avoid lookups from portal
+      .concat([this.humanId]) // use the immutable humanId to tolerate slug renaming
 
     // If running under npx, use npx also for getting the kube exec credential
     if (isRunningUnderNpx()) {
@@ -203,32 +203,32 @@ export class TargetEnvironment {
       execArgs = [
         '--yes', // For NPX to silently install or update
         '@metaplay/metaplay-auth@latest',
-        ...execArgs
+        ...execArgs,
       ]
     }
 
     const kubeConfig: KubeConfig = {
       apiVersion: 'v1',
       kind: 'Config',
-      'current-context': envId,
+      'current-context': this.humanId, // use immutable humanId
       clusters: [
         {
           cluster: {
             'certificate-authority-data': kubeExecCredential.spec.cluster.certificateAuthorityData,
-            server: kubeExecCredential.spec.cluster.server
+            server: kubeExecCredential.spec.cluster.server,
           },
-          name: kubeExecCredential.spec.cluster.server
-        }
+          name: kubeExecCredential.spec.cluster.server,
+        },
       ],
       contexts: [
         {
           context: {
             cluster: kubeExecCredential.spec.cluster.server,
             namespace,
-            user: userId
+            user: userId,
           },
-          name: envId,
-        }
+          name: this.humanId, // use immutable humanId
+        },
       ],
       users: [
         {
@@ -237,10 +237,11 @@ export class TargetEnvironment {
             exec: {
               apiVersion: 'client.authentication.k8s.io/v1beta1',
               command: execCmd,
-              args: execArgs
-            }
-          }
-        }
+              args: execArgs,
+              interactiveMode: 'Never',
+            },
+          },
+        },
       ],
     }
 
@@ -248,21 +249,19 @@ export class TargetEnvironment {
     return dump(kubeConfig)
   }
 
-  async getKubeExecCredential (): Promise<string> {
-    const url = `${this.environmentApiBaseUrl}/credentials/k8s?type=execcredential`
+  async getKubeExecCredential(): Promise<string> {
+    const url = `${this.stackApiBaseUrl}/v0/credentials/${this.humanId}/k8s?type=execcredential`
     logger.debug(`Getting Kubernetes ExecCredential from ${url}...`)
     return await this.fetchText(url, 'POST')
   }
 
-  async getEnvironmentDetails (): Promise<EnvironmentDetails> {
-    // \note If invoking StackAPI via the https://<environment>/.infra, we need to add '/environment' to the path
-    const urlSuffix = this.environmentApiBaseUrl.endsWith('.infra') ? '/environment' : ''
-    const url = this.environmentApiBaseUrl + urlSuffix
+  async getEnvironmentDetails(): Promise<EnvironmentDetails> {
+    const url = `${this.stackApiBaseUrl}/v0/deployments/${this.humanId}`
     logger.debug(`Getting environment details from ${url}...`)
     return await this.fetchJson<EnvironmentDetails>(url, 'GET')
   }
 
-  async getDockerCredentials (): Promise<DockerCredentials> {
+  async getDockerCredentials(): Promise<DockerCredentials> {
     // Get environment info (for AWS region)
     logger.debug('Get environment info')
     const envInfo = await this.getEnvironmentDetails()
@@ -277,16 +276,21 @@ export class TargetEnvironment {
       credentials: {
         accessKeyId: awsCredentials.AccessKeyId,
         secretAccessKey: awsCredentials.SecretAccessKey,
-        sessionToken: awsCredentials.SessionToken
+        sessionToken: awsCredentials.SessionToken,
       },
-      region: envInfo.deployment.aws_region
+      region: envInfo.deployment.aws_region,
     })
 
     // Fetch the ECR docker authentication token
     logger.debug('Fetch ECR login credentials from AWS')
     const command = new GetAuthorizationTokenCommand({})
     const response = await client.send(command)
-    if (!response.authorizationData || response.authorizationData.length === 0 || !response.authorizationData[0].authorizationToken || !response.authorizationData[0].proxyEndpoint) {
+    if (
+      !response.authorizationData ||
+      response.authorizationData.length === 0 ||
+      !response.authorizationData[0].authorizationToken ||
+      !response.authorizationData[0].proxyEndpoint
+    ) {
       throw new Error('Received an empty authorization token response for ECR repository')
     }
 
@@ -301,7 +305,7 @@ export class TargetEnvironment {
     return {
       username,
       password,
-      registryUrl
+      registryUrl,
     } satisfies DockerCredentials
   }
 }

package/src/utils.ts

@@ -1,5 +1,8 @@
 import { spawn } from 'child_process'
+import { logger } from './logging.js'
 import path from 'path'
+import yaml from 'js-yaml'
+import * as semver from 'semver'
 
 /**
  * Checks if the given string is a fully qualified domain name (FQDN).
@@ -7,7 +10,7 @@ import path from 'path'
  * @param domain The domain name to check.
  * @returns true if the domain is a valid FQDN, false otherwise.
  */
-export function isValidFQDN (domain: string): boolean {
+export function isValidFQDN(domain: string): boolean {
   const fqdnRegex = /^(?=.{1,253}$)(([a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?\.)+[a-zA-Z]{2,})$/
 
   return fqdnRegex.test(domain)
@@ -19,7 +22,12 @@ export function isValidFQDN (domain: string): boolean {
  * @param urlString The HTTP URL string to be split.
  * @returns An object containing the scheme, hostname, port, and subpaths.
  */
-export function splitUrlComponents (urlString: string): { scheme: string, hostname: string, port: string | null, subpaths: string | null } {
+export function splitUrlComponents(urlString: string): {
+  scheme: string
+  hostname: string
+  port: string | null
+  subpaths: string | null
+} {
   try {
     const url = new URL(urlString)
 
@@ -32,50 +40,55 @@ export function splitUrlComponents (urlString: string): { scheme: string, hostna
     const subpaths = url.pathname.slice(1) ?? null
 
     return { scheme, hostname, port, subpaths }
+    // eslint-disable-next-line @typescript-eslint/no-unused-vars
   } catch (error) {
     throw new Error('Invalid URL')
   }
 }
 
-export function getGameserverAdminUrl (uri: string): string {
-  const parts = uri.split('.')
-
-  const hostname = parts[0]
-  const domain = uri.substring(hostname.length + 1)
-
-  return `${hostname}-admin.${domain}`
-}
-
 export interface ExecuteCommandResult {
   exitCode: number | null
   stdout: any[]
   stderr: any[]
 }
 
+export interface ExecuteCommandOptions {
+  /**
+   * Should the stdin/stdout/stderr be inherited from the parent process? If false, the outputs are buffered for reading later.
+   */
+  inheritStdio?: boolean
+  /**
+   * Environment variables to pass in. Does not inherit parent process env. Use current process env if not specified.
+   */
+  env?: NodeJS.ProcessEnv
+}
+
 /**
  * Run a child process and return an awaitable Promise.
  *
  * @param command Name of the command/binary to execute.
- * @param args List of arugments to pass to the child process.
- * @param inheritStdio Should the stdin/stdout/stderr be inherited from the parent process? If false, the outputs are buffered for reading later.
- * @param env Environment variables to pass in. Does not inherit parent process env. Use current process env if not specified.
+ * @param args List of arguments to pass to the child process.
  * @returns Awaitable promise with the result of the execution.
  */
-export async function executeCommand (command: string, args: string[], inheritStdio: boolean, env?: NodeJS.ProcessEnv): Promise<ExecuteCommandResult> {
+export async function executeCommand(
+  command: string,
+  args: string[],
+  options?: { inheritStdio?: boolean; env?: NodeJS.ProcessEnv }
+): Promise<ExecuteCommandResult> {
   return await new Promise((resolve, reject) => {
     const childProcess = spawn(command, args, {
-      stdio: inheritStdio ? 'inherit' : undefined,
-      env,
+      stdio: options?.inheritStdio ? 'inherit' : undefined,
+      env: options?.env,
     })
-    let stdout: any[] = []
-    let stderr: any[] = []
+    const stdout: string[] = []
+    const stderr: string[] = []
 
-    childProcess.stdout?.on('data', (data) => {
-      stdout += data
+    childProcess.stdout?.on('data', (data: string) => {
+      stdout.push(data)
     })
 
-    childProcess.stderr?.on('data', (data) => {
-      stderr += data
+    childProcess.stderr?.on('data', (data: string) => {
+      stderr.push(data)
     })
 
     // If program runs to completion, resolve promise with success
@@ -84,16 +97,12 @@ export async function executeCommand (command: string, args: string[], inheritSt
     })
 
     childProcess.on('error', (err) => {
-      reject(
-        new Error(
-          `Failed to execute command '${command} ${args.join(' ')}': ${err.message}`
-        )
-      )
+      reject(new Error(`Failed to execute command '${command} ${args.join(' ')}': ${err.message}`))
     })
   })
 }
 
-export function isRunningUnderNpx () {
+export function isRunningUnderNpx(): boolean {
   // console.log('process.argv:', process.argv)
   const matchBinary = (binaryPath: string, binaryName: string): boolean => {
     const binary = path.basename(binaryPath, path.extname(binaryPath)) // drop path and extension
@@ -123,3 +132,85 @@ export function isRunningUnderNpx () {
 
   return false
 }
+
+/**
+ * Join a set of path segments and return result with Unix path separators ('/').
+ * @param paths Individual path segments to join
+ * @returns Joined path
+ */
+export function pathJoin(...paths: string[]): string {
+  return path.join(...paths).replaceAll('\\', '/')
+}
+
+/**
+ * Remove a trailing slash from a URL.
+ * @param url URL to remove the trailing slash from.
+ * @returns URL without a trailing slash.
+ */
+export function removeTrailingSlash(url: string): string {
+  return url.replace(/\/+$/, '')
+}
+
+/**
+ * Entry in the Helm chart repository index.
+ */
+interface HelmChartEntry {
+  name: string
+  version: string
+  description?: string
+  apiVersion?: string
+  appVersion?: string
+  urls: string[]
+}
+
+/**
+ * The index of the Helm chart repository. Contains an entry for each of published chart version.
+ */
+interface HelmChartRepoIndex {
+  apiVersion: string
+  entries: Record<string, HelmChartEntry[]>
+  generated: string
+}
+
+/**
+ * Fetch the available versions of a specific Helm chart from a repository.
+ * @param repository URL of the Helm chart repository. No trailing slash allowed.
+ * @param chartName Name of the Helm chart.
+ * @returns List of available Helm chart versions.
+ */
+export async function fetchHelmChartVersions(repository: string, chartName: string): Promise<string[]> {
+  // Fetch the index.yaml file from the repository
+  logger.debug(`Fetching Helm chart versions from '${repository}'...`)
+  const response: Response = await fetch(`${repository}/index.yaml`)
+  const indexYaml: string = await response.text()
+
+  // Parse the YAML index file
+  const repoIndex: HelmChartRepoIndex = yaml.load(indexYaml) as HelmChartRepoIndex
+
+  // Grab all versions >= 0.5.0 -- older are considered legacy
+  const chartVersions = repoIndex.entries[chartName]
+    .map((entry) => entry.version)
+    .filter((version) => semver.gte(version, '0.5.0'))
+  return chartVersions
+}
+
+/**
+ * Resolve the best matching version from a list of versions that satisfy a semver range.
+ * @param versions List of versions to resolve from.
+ * @param range Semver range to satisfy.
+ * @returns The best (latest) matching version or null if no versions satisfy the range.
+ */
+export function resolveBestMatchingVersion(versions: string[], range: semver.Range | null): string | null {
+  // Filter versions that satisfy the range -- range==null means 'latest' == include all versions
+  const satisfyingVersions = range ? versions.filter((version) => semver.satisfies(version, range)) : versions
+  logger.debug(`Satisfying versions: ${satisfyingVersions.join(', ')}`)
+
+  // If no versions satisfy the range, return null
+  if (satisfyingVersions.length === 0) {
+    return null
+  }
+
+  // Sort the versions to get the highest one that matches the range
+  const sortedVersions = satisfyingVersions.sort(semver.rcompare)
+  return sortedVersions[0]
+}

package/src/version.ts

@@ -1 +1 @@
-export const PACKAGE_VERSION = '1.5.0'
+export const PACKAGE_VERSION = "1.6.0"