alchemy-effect 0.0.0 → 0.2.0

package/src/aws/bundle.ts

@@ -0,0 +1,5 @@
+import * as Effect from "effect/Effect";
+import esbuild from "esbuild";
+
+export const bundle = (props: esbuild.BuildOptions) =>
+  Effect.promise(() => esbuild.build(props));

package/src/aws/client.ts

@@ -0,0 +1,47 @@
+import { LogLevel } from "effect";
+import type * as Context from "effect/Context";
+import * as Effect from "effect/Effect";
+import * as Layer from "effect/Layer";
+import * as Logger from "effect/Logger";
+import * as Redacted from "effect/Redacted";
+import type { AWSClientConfig } from "itty-aws";
+import { Credentials } from "./credentials.ts";
+import { Region } from "./region.ts";
+
+export type TagInstance<T> = T extends new (_: never) => infer R ? R : never;
+
+export const createAWSServiceClientLayer =
+  <Tag extends Context.Tag<any, any>, Client>(
+    tag: Tag,
+    clss: new (config: AWSClientConfig) => Client,
+  ) =>
+  () =>
+    Layer.effect(
+      tag,
+      Effect.gen(function* () {
+        const region = yield* Region;
+        const credentials = yield* Credentials;
+        //
+        const client = new clss({
+          region,
+          credentials: {
+            accessKeyId: Redacted.value(credentials.accessKeyId),
+            secretAccessKey: Redacted.value(credentials.secretAccessKey),
+            sessionToken: credentials.sessionToken
+              ? Redacted.value(credentials.sessionToken)
+              : undefined,
+          },
+        });
+        return new Proxy(client as any, {
+          get:
+            (target: any, prop) =>
+            (...args: any[]) =>
+              target[prop](...args).pipe(
+                // TODO(sam): make it easier to set log lever for a client
+                Logger.withMinimumLogLevel(
+                  process.env.DEBUG ? LogLevel.Debug : LogLevel.Info,
+                ),
+              ),
+        });
+      }),
+    ) as Layer.Layer<TagInstance<Tag>, never, Region | Credentials>;

package/src/aws/credentials.ts

@@ -0,0 +1,409 @@
+import {
+  fromContainerMetadata as _fromContainerMetadata,
+  fromEnv as _fromEnv,
+  fromHttp as _fromHttp,
+  fromIni as _fromIni,
+  fromInstanceMetadata as _fromInstanceMetadata,
+  fromNodeProviderChain as _fromNodeProviderChain,
+  fromProcess as _fromProcess,
+  fromTokenFile as _fromTokenFile,
+  fromWebToken as _fromWebToken,
+} from "@aws-sdk/credential-providers";
+
+import { FileSystem, HttpClient } from "@effect/platform";
+import * as ini from "@smithy/shared-ini-file-loader";
+import {
+  type AwsCredentialIdentity,
+  type AwsCredentialIdentityProvider,
+} from "@smithy/types";
+import * as Console from "effect/Console";
+import * as Context from "effect/Context";
+import * as Data from "effect/Data";
+import * as Effect from "effect/Effect";
+import * as Layer from "effect/Layer";
+import * as Option from "effect/Option";
+import * as Redacted from "effect/Redacted";
+import { createHash } from "node:crypto";
+import * as path from "node:path";
+import { parseIni, parseSSOSessionData } from "./parse-ini.ts";
+import { AwsProfile } from "./profile.ts";
+
+export class Credentials extends Context.Tag("AWS::Credentials")<
+  Credentials,
+  {
+    accessKeyId: Redacted.Redacted<string>;
+    secretAccessKey: Redacted.Redacted<string>;
+    sessionToken: Redacted.Redacted<string> | undefined;
+    expiration?: number;
+  }
+>() {}
+
+export const fromAwsCredentialIdentity = (identity: AwsCredentialIdentity) =>
+  Credentials.of({
+    accessKeyId: Redacted.make(identity.accessKeyId),
+    secretAccessKey: Redacted.make(identity.secretAccessKey),
+    sessionToken: identity.sessionToken
+      ? Redacted.make(identity.sessionToken)
+      : undefined,
+    expiration: identity.expiration?.getTime(),
+  });
+
+const createLayer = (provider: (config: {}) => AwsCredentialIdentityProvider) =>
+  Layer.effect(
+    Credentials,
+    Effect.gen(function* () {
+      return fromAwsCredentialIdentity(
+        yield* Effect.promise(() => provider({})()),
+      );
+    }),
+  );
+
+export const fromCredentials = (credentials: AwsCredentialIdentity) =>
+  Layer.succeed(Credentials, fromAwsCredentialIdentity(credentials));
+
+export const fromEnv = () => createLayer(_fromEnv);
+
+export const fromChain = () => createLayer(() => _fromNodeProviderChain());
+
+// export const fromSSO = () => createLayer(_fromSSO);
+
+export const fromIni = () => createLayer(_fromIni);
+
+export const fromContainerMetadata = () => createLayer(_fromContainerMetadata);
+
+export const fromHttp = () => createLayer(_fromHttp);
+
+export const fromInstanceMetadata = (
+  ...parameters: Parameters<typeof _fromInstanceMetadata>
+) => createLayer(() => _fromInstanceMetadata(...parameters));
+
+export const fromProcess = () => createLayer(_fromProcess);
+
+export const fromTokenFile = () => createLayer(_fromTokenFile);
+
+export const fromWebToken = (...parameters: Parameters<typeof _fromWebToken>) =>
+  createLayer(() => _fromWebToken(...parameters));
+
+export const ssoRegion = (region: string) => Layer.succeed(SsoRegion, region);
+
+/**
+ * The time window (5 mins) that SDK will treat the SSO token expires in before the defined expiration date in token.
+ * This is needed because server side may have invalidated the token before the defined expiration date.
+ */
+const EXPIRE_WINDOW_MS = 5 * 60 * 1000;
+
+const REFRESH_MESSAGE = `To refresh this SSO session run 'aws sso login' with the corresponding profile.`;
+
+export class SsoRegion extends Context.Tag("AWS::SsoRegion")<
+  SsoRegion,
+  string
+>() {}
+export class SsoStartUrl extends Context.Tag("AWS::SsoStartUrl")<
+  SsoStartUrl,
+  string
+>() {}
+
+export class ProfileNotFound extends Data.TaggedError(
+  "Alchemy::AWS::ProfileNotFound",
+)<{
+  message: string;
+  profile: string;
+}> {}
+
+export class ConflictingSSORegion extends Data.TaggedError(
+  "Alchemy::AWS::ConflictingSSORegion",
+)<{
+  message: string;
+  ssoRegion: string;
+  profile: string;
+}> {}
+
+export class ConflictingSSOStartUrl extends Data.TaggedError(
+  "Alchemy::AWS::ConflictingSSOStartUrl",
+)<{
+  message: string;
+  ssoStartUrl: string;
+  profile: string;
+}> {}
+
+export class InvalidSSOProfile extends Data.TaggedError(
+  "Alchemy::AWS::InvalidSSOProfile",
+)<{
+  message: string;
+  profile: string;
+  missingFields: string[];
+}> {}
+
+export class InvalidSSOToken extends Data.TaggedError(
+  "Alchemy::AWS::InvalidSSOToken",
+)<{
+  message: string;
+  sso_session: string;
+}> {}
+
+export class ExpiredSSOToken extends Data.TaggedError(
+  "Alchemy::AWS::ExpiredSSOToken",
+)<{
+  message: string;
+  profile: string;
+}> {}
+
+export interface AwsProfileConfig {
+  sso_session?: string;
+  sso_account_id?: string;
+  sso_role_name?: string;
+  region?: string;
+  output?: string;
+  sso_start_url?: string;
+  sso_region?: string;
+}
+export interface SsoProfileConfig extends AwsProfileConfig {
+  sso_start_url: string;
+  sso_region: string;
+  sso_account_id: string;
+  sso_role_name: string;
+}
+
+export const fromSSO = () =>
+  Layer.effect(
+    Credentials,
+    Effect.gen(function* () {
+      const client = yield* HttpClient.HttpClient;
+      const fs = yield* FileSystem.FileSystem;
+      const profileName = Option.getOrElse(
+        yield* Effect.serviceOption(AwsProfile),
+        () => "default",
+      );
+
+      const profiles: {
+        [profileName: string]: AwsProfileConfig;
+      } = yield* Effect.promise(() =>
+        ini.parseKnownFiles({ profile: profileName }),
+      );
+
+      const profile = profiles[profileName];
+
+      if (!profile) {
+        yield* Effect.fail(
+          new ProfileNotFound({
+            message: `Profile ${profileName} not found`,
+            profile: profileName,
+          }),
+        );
+      }
+
+      const awsDir = path.join(ini.getHomeDir(), ".aws");
+      const configPath = path.join(awsDir, "config");
+      const cachePath = path.join(awsDir, "sso", "cache");
+
+      if (profile.sso_session) {
+        const ssoRegion = Option.getOrUndefined(
+          yield* Effect.serviceOption(SsoRegion),
+        );
+        const ssoStartUrl = Option.getOrElse(
+          yield* Effect.serviceOption(SsoStartUrl),
+          () => profile.sso_start_url,
+        );
+
+        const ssoSessions = yield* fs.readFileString(configPath).pipe(
+          Effect.flatMap((config) =>
+            Effect.promise(async () => parseIni(config)),
+          ),
+          Effect.map(parseSSOSessionData),
+        );
+        const session = ssoSessions[profile.sso_session];
+        if (ssoRegion && ssoRegion !== session.sso_region) {
+          yield* Effect.fail(
+            new ConflictingSSORegion({
+              message: `Conflicting SSO region`,
+              ssoRegion: ssoRegion,
+              profile: profile.sso_session,
+            }),
+          );
+        }
+        if (ssoStartUrl && ssoStartUrl !== session.sso_start_url) {
+          yield* Effect.fail(
+            new ConflictingSSOStartUrl({
+              message: `Conflicting SSO start url`,
+              ssoStartUrl: ssoStartUrl,
+              profile: profile.sso_session,
+            }),
+          );
+        }
+        profile.sso_region = session.sso_region;
+        profile.sso_start_url = session.sso_start_url;
+
+        const ssoFields = [
+          "sso_start_url",
+          "sso_account_id",
+          "sso_region",
+          "sso_role_name",
+        ] as const satisfies (keyof SsoProfileConfig)[];
+        const missingFields = ssoFields.filter((field) => !profile[field]);
+        if (missingFields.length > 0) {
+          yield* Effect.fail(
+            new InvalidSSOProfile({
+              profile: profileName,
+              missingFields,
+              message:
+                `Profile is configured with invalid SSO credentials. Required parameters "sso_account_id", ` +
+                `"sso_region", "sso_role_name", "sso_start_url". Got ${Object.keys(
+                  profile,
+                ).join(
+                  ", ",
+                )}\nReference: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html`,
+            }),
+          );
+        }
+
+        const hasher = createHash("sha1");
+        const cacheName = hasher.update(profile.sso_session).digest("hex");
+        const ssoTokenFilepath = path.join(cachePath, `${cacheName}.json`);
+        const cachedCredsFilePath = path.join(
+          cachePath,
+          `${cacheName}.credentials.json`,
+        );
+
+        const cachedCreds = yield* fs.readFileString(cachedCredsFilePath).pipe(
+          Effect.map((text) => JSON.parse(text)),
+          Effect.catchAll(() => Effect.void),
+        );
+
+        const isExpired = (expiry: number | string | undefined) => {
+          return (
+            expiry === undefined ||
+            new Date(expiry).getTime() - Date.now() <= EXPIRE_WINDOW_MS
+          );
+        };
+
+        if (cachedCreds && !isExpired(cachedCreds.expiry)) {
+          return Credentials.of({
+            accessKeyId: Redacted.make(cachedCreds.accessKeyId),
+            secretAccessKey: Redacted.make(cachedCreds.secretAccessKey),
+            sessionToken: cachedCreds.sessionToken
+              ? Redacted.make(cachedCreds.sessionToken)
+              : undefined,
+            expiration: cachedCreds.expiry,
+          });
+        }
+
+        const ssoToken = yield* fs.readFileString(ssoTokenFilepath).pipe(
+          Effect.map((text) => JSON.parse(text) as SSOToken),
+          Effect.catchAll(() =>
+            Effect.fail(
+              new InvalidSSOToken({
+                message: `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
+                sso_session: profile.sso_session!,
+              }),
+            ),
+          ),
+        );
+
+        if (isExpired(ssoToken.expiresAt)) {
+          yield* Console.log(
+            `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
+          );
+          yield* Effect.fail(
+            new ExpiredSSOToken({
+              message: `The SSO session token associated with profile=${profileName} was not found or is invalid. ${REFRESH_MESSAGE}`,
+              profile: profileName,
+            }),
+          );
+        }
+
+        const response = yield* client.get(
+          `https://portal.sso.${profile.sso_region}.amazonaws.com/federation/credentials?account_id=${profile.sso_account_id}&role_name=${profile.sso_role_name}`,
+          {
+            headers: {
+              "User-Agent": "alchemy.run",
+              "Content-Type": "application/json",
+              "x-amz-sso_bearer_token": ssoToken.accessToken,
+            },
+          },
+        );
+
+        const credentials = (
+          (yield* response.json) as {
+            roleCredentials: {
+              accessKeyId: string;
+              secretAccessKey: string;
+              sessionToken: string;
+              expiration: number;
+            };
+          }
+        ).roleCredentials;
+
+        yield* fs.writeFileString(
+          cachedCredsFilePath,
+          JSON.stringify({
+            accessKeyId: credentials.accessKeyId,
+            secretAccessKey: credentials.secretAccessKey,
+            sessionToken: credentials.sessionToken,
+            expiry: credentials.expiration,
+          }),
+        );
+
+        return Credentials.of({
+          accessKeyId: Redacted.make(credentials.accessKeyId),
+          secretAccessKey: Redacted.make(credentials.secretAccessKey),
+          sessionToken: Redacted.make(credentials.sessionToken),
+          expiration: credentials.expiration,
+        });
+      }
+
+      return yield* Effect.fail(
+        new ProfileNotFound({
+          message: `Profile ${profileName} not found`,
+          profile: profileName,
+        }),
+      );
+    }),
+  );
+
+/**
+ * Cached SSO token retrieved from SSO login flow.
+ * @public
+ */
+export interface SSOToken {
+  /**
+   * A base64 encoded string returned by the sso-oidc service.
+   */
+  accessToken: string;
+
+  /**
+   * The expiration time of the accessToken as an RFC 3339 formatted timestamp.
+   */
+  expiresAt: string;
+
+  /**
+   * The token used to obtain an access token in the event that the accessToken is invalid or expired.
+   */
+  refreshToken?: string;
+
+  /**
+   * The unique identifier string for each client. The client ID generated when performing the registration
+   * portion of the OIDC authorization flow. This is used to refresh the accessToken.
+   */
+  clientId?: string;
+
+  /**
+   * A secret string generated when performing the registration portion of the OIDC authorization flow.
+   * This is used to refresh the accessToken.
+   */
+  clientSecret?: string;
+
+  /**
+   * The expiration time of the client registration (clientId and clientSecret) as an RFC 3339 formatted timestamp.
+   */
+  registrationExpiresAt?: string;
+
+  /**
+   * The configured sso_region for the profile that credentials are being resolved for.
+   */
+  region?: string;
+
+  /**
+   * The configured sso_start_url for the profile that credentials are being resolved for.
+   */
+  startUrl?: string;
+}

package/src/aws/dynamodb/attribute-value.ts

@@ -0,0 +1,240 @@
+import * as Data from "effect/Data";
+import * as Effect from "effect/Effect";
+import * as S from "effect/Schema";
+import type { AttributeValue, ScalarAttributeType } from "itty-aws/dynamodb";
+import {
+  getSetValueAST,
+  isClassSchema,
+  isListSchema,
+  isMapSchema,
+  isNumberSchema,
+  isRecordLikeSchema,
+  isRecordSchema,
+  isSetSchema,
+  isStringSchema,
+  isStructSchema,
+} from "../../schema.ts";
+
+// this seems important for handling S.Struct.Fields https://effect.website/docs/schema/classes/#recursive-types-with-different-encoded-and-type
+// interface CategoryEncoded extends Schema.Struct.Encoded<typeof fields> { .. }
+
+export class InvalidAttributeValue extends Data.TaggedError(
+  "InvalidAttributeValue",
+)<{
+  message: string;
+  value: any;
+}> {}
+
+export const toAttributeValue: (
+  value: any,
+) => Effect.Effect<AttributeValue, InvalidAttributeValue, never> = Effect.fn(
+  function* (value: any) {
+    if (value === undefined) {
+      return {
+        NULL: false,
+      };
+    } else if (value === null) {
+      return {
+        NULL: true,
+      };
+    } else if (typeof value === "boolean") {
+      return {
+        BOOL: value,
+      };
+    } else if (typeof value === "string") {
+      return {
+        S: value,
+      };
+    } else if (typeof value === "number") {
+      return {
+        N: value.toString(10),
+      };
+    } else if (Array.isArray(value)) {
+      return {
+        L: yield* Effect.all(value.map(toAttributeValue)),
+      };
+    } else if (value instanceof Set) {
+      const setType = getType(value);
+      if (setType === "EMPTY_SET") {
+        return {
+          SS: [],
+        };
+      } else if (Array.isArray(setType)) {
+        return {
+          L: yield* Effect.all(setType.map(toAttributeValue)),
+        };
+      } else if (setType === "SS") {
+        return {
+          SS: Array.from(value.values()),
+        };
+      } else if (setType === "NS") {
+        return {
+          NS: Array.from(value.values()).map((value) => value.toString(10)),
+        };
+      } else if (setType === "BS") {
+        return {
+          BS: Array.from(value.values()),
+        };
+      } else {
+        return {
+          L: yield* Effect.all(
+            Array.from(value.values()).map(toAttributeValue),
+          ),
+        };
+      }
+    } else if (Buffer.isBuffer(value)) {
+      return {
+        B: new Uint8Array(value),
+      };
+    } else if (value instanceof File) {
+      return {
+        B: new Uint8Array(yield* Effect.promise(() => value.arrayBuffer())),
+      };
+    } else if (value instanceof Uint8Array) {
+      return {
+        B: value,
+      };
+    } else if (value instanceof ArrayBuffer) {
+      return {
+        B: new Uint8Array(value),
+      };
+    } else if (typeof value === "object") {
+      return {
+        M: Object.fromEntries(
+          yield* Effect.all(
+            Object.entries(value).map(([key, value]) =>
+              toAttributeValue(value).pipe(Effect.map((value) => [key, value])),
+            ),
+          ),
+        ),
+      };
+    }
+
+    return yield* Effect.fail(
+      new InvalidAttributeValue({
+        message: `Unknown value type: ${typeof value}`,
+        value,
+      }),
+    );
+  },
+);
+
+export const fromAttributeValue = (value: AttributeValue): any => {
+  if (value.NULL) {
+    return null;
+  } else if (typeof value.BOOL === "boolean") {
+    return value.BOOL;
+  } else if (value.L) {
+    return value.L.map(fromAttributeValue);
+  } else if (value.M) {
+    return Object.fromEntries(
+      Object.entries(value.M).map(([key, value]) => [
+        key,
+        fromAttributeValue(value),
+      ]),
+    );
+  } else if (value.N) {
+    return parseFloat(value.N);
+  } else if (value.S) {
+    // how do we know if this is a date?
+    return value.S;
+  } else if (value.SS) {
+    return new Set(value.SS);
+  } else if (value.NS) {
+    return new Set(value.NS);
+  } else if (value.BS) {
+    return new Set(value.BS);
+  } else {
+    throw new Error(`Unknown attribute value: ${JSON.stringify(value)}`);
+  }
+};
+
+type ValueType =
+  | "L"
+  | "BOOL"
+  | "EMPTY_SET"
+  | "M"
+  | "NULL"
+  | "N"
+  | "M"
+  | "S"
+  | "SS"
+  | "BS"
+  | "NS"
+  | "undefined";
+
+const getType = (value: any): ValueType | ValueType[] => {
+  if (value === undefined) {
+    return "undefined";
+  } else if (value === null) {
+    return "NULL";
+  } else if (typeof value === "boolean") {
+    return "BOOL";
+  } else if (typeof value === "string") {
+    return "S";
+  } else if (typeof value === "number") {
+    return "N";
+  } else if (Array.isArray(value)) {
+    return "L";
+  } else if (value instanceof Set) {
+    return value.size === 0
+      ? "EMPTY_SET"
+      : (() => {
+          const types = Array.from(value.values())
+            .flatMap(getType)
+            .filter((type, i, arr) => arr.indexOf(type) === i);
+
+          return types.length === 1
+            ? types[0] === "S"
+              ? "SS"
+              : types[0] === "N"
+                ? "NS"
+                : types[0] === "BOOL"
+                  ? "BS"
+                  : types[0]
+            : "L";
+        })();
+  } else if (value instanceof Map) {
+    return "M";
+  } else if (typeof value === "object") {
+    return "M";
+  } else {
+    throw new Error(`Unknown value type: ${typeof value}`);
+  }
+};
+
+export const isScalarAttributeType = (
+  type: string,
+): type is ScalarAttributeType => {
+  return type === "S" || type === "N" || type === "B";
+};
+
+export const toAttributeType = (schema: S.Schema<any>) => {
+  if (isStringSchema(schema)) {
+    return "S";
+  } else if (isNumberSchema(schema)) {
+    return "N";
+  } else if (isRecordLikeSchema(schema)) {
+    return "M";
+  } else if (isStringSetSchema(schema)) {
+    return "SS";
+  } else if (isNumberSetSchema(schema)) {
+    return "NS";
+  } else if (isListSchema(schema)) {
+    return "L";
+  }
+  return "S";
+};
+
+export const isMapSchemaType = (schema: S.Schema<any>) =>
+  isMapSchema(schema) ||
+  isRecordSchema(schema) ||
+  isStructSchema(schema) ||
+  isClassSchema(schema) ||
+  false;
+
+export const isStringSetSchema = (schema: S.Schema<any>) =>
+  isSetSchema(schema) && isStringSchema(getSetValueAST(schema));
+
+export const isNumberSetSchema = (schema: S.Schema<any>) =>
+  isSetSchema(schema) && isNumberSchema(getSetValueAST(schema));