vgs-cli 0.0.1.dev0__py3-none-any.whl

vgscli/auth_server.py

@@ -0,0 +1,131 @@
+import os
+import threading
+import time
+import webbrowser
+from urllib.parse import urlencode
+
+import click
+from vgs.sdk import auth_api
+from vgs.sdk.utils import is_port_accessible
+
+from vgscli.auth_utils import code_challenge, generate_code_verifier
+from vgscli.callback_server import RequestServer
+from vgscli.keyring_token_util import KeyringTokenUtil
+from vgscli.token_handler import CodeHandler
+
+
+class AuthServer:
+    env_url = {
+        "dev": "https://auth.verygoodsecurity.io",
+        "prod": "https://auth.verygoodsecurity.com",
+    }
+    token_util = KeyringTokenUtil()
+    token_handler = CodeHandler()
+
+    # Api
+    CLIENT_ID = "vgs-cli-public"
+    SCOPES = "idp openid"
+    AUTH_URL = "{base_url}/auth/realms/vgs/protocol/openid-connect/auth"
+    CALLBACK_PATH = "/callback"
+
+    # AuthZ
+    code_verifier = generate_code_verifier()
+    code_method = "S256"
+    oauth_access_token = None
+
+    # Server constants.
+    # Ports have been chosen based on Unassigned port list: https://www.iana.org/assignments/service-names-port-numbers/service-names-port-numbers.xhtml?&page=111
+    ports = [7745, 8390, 9056]
+    host = os.getenv("AUTH_SERVER_BIND_IP", "127.0.0.1")
+    accessible_port = None
+    app = None
+
+    def __init__(self, environment):
+        self.accessible_port = next(
+            port for port in self.ports if is_port_accessible(self.host, port)
+        )
+        self.app = RequestServer(self.host, self.accessible_port)
+        self.environment = environment
+        self.auth_api = auth_api.create_api(environment)
+
+    def login(self, environment, **kwargs):
+        thread = self.ServerThread(self.app)
+        thread.daemon = True
+        thread.start()
+
+        query = {
+            "client_id": self.CLIENT_ID,
+            "code_challenge": code_challenge(self.code_verifier),
+            "code_challenge_method": self.code_method,
+            "redirect_uri": self.__get_host() + "/callback",
+            "response_type": "code",
+            "scope": self.SCOPES,
+        }
+
+        idp = kwargs.get("idp")
+        if idp:
+            query["kc_idp_hint"] = idp
+
+        url = (
+            self.AUTH_URL.format(base_url=self.env_url[environment])
+            + f"?{urlencode(query)}"
+        )
+
+        if kwargs.get("open_browser", True):
+            if not webbrowser.open(url, new=1, autoraise=True):
+                click.echo(
+                    f"Could not open the default browser. Follow the link below to log in:\n{url}"
+                )
+        else:
+            click.echo(f"Follow the link below to log in:\n{url}")
+
+        while self.token_handler.get_code() is None:
+            time.sleep(1)
+        self.retrieve_access_token()
+
+        return self.token_util.get_access_token()
+
+    def logout(self):
+        auth_api.logout(
+            self.auth_api,
+            self.CLIENT_ID,
+            self.token_util.get_access_token(),
+            self.token_util.get_refresh_token(),
+        )
+
+    def refresh_authentication(self):
+        self.token_util.put_tokens(
+            auth_api.refresh_token(
+                self.auth_api, refresh_token=self.token_util.get_refresh_token()
+            ).body
+        )
+
+    def retrieve_access_token(self):
+        callback_url = self.__get_host() + self.CALLBACK_PATH
+        response = auth_api.get_token(
+            self.auth_api,
+            self.token_handler.get_code(),
+            self.code_verifier,
+            callback_url,
+        )
+        self.set_access_token(response.body)
+
+    def set_access_token(self, token):
+        self.token_util.put_tokens(token)
+
+    def __get_host(self):
+        return "http://" + self.host + ":" + str(self.accessible_port)
+
+    def client_credentials_login(self, client_id, secret):
+        response = auth_api.get_auto_token(
+            self.auth_api, client_id=client_id, client_secret=secret
+        )
+        self.set_access_token(response.body)
+
+    class ServerThread(threading.Thread):
+        def __init__(self, app):
+            self.app = app
+            threading.Thread.__init__(self)
+
+        def run(self):
+            self.app.run()

vgscli/auth_utils.py

@@ -0,0 +1,24 @@
+import base64
+import hashlib
+import random
+import string
+
+
+def generate_code_verifier(stringLength=64):
+    password_characters = string.ascii_letters + string.digits
+    return "".join(random.choice(password_characters) for i in range(stringLength))
+
+
+def code_challenge(code_verifier):
+    sha_signature = __sha256(code_verifier.encode())
+    return __base64_url_encode(sha_signature).decode("UTF-8").split("=")[0]
+
+
+def __sha256(buffer):
+    m = hashlib.sha256()
+    m.update(buffer)
+    return m.digest()
+
+
+def __base64_url_encode(random_bytes):
+    return base64.urlsafe_b64encode(random_bytes)

vgscli/callback_server.py

@@ -0,0 +1,41 @@
+from http.server import BaseHTTPRequestHandler, HTTPServer
+from urllib import parse
+
+from vgscli.keyring_token_util import KeyringTokenUtil
+from vgscli.token_handler import CodeHandler
+
+token_util = KeyringTokenUtil()
+token_handler = CodeHandler()
+
+
+class RequestHandler(BaseHTTPRequestHandler):
+    def do_GET(self):
+        if self.path.startswith("/callback"):
+            params = parse.parse_qs(self.path.split("?")[1])
+            token = params["code"][0]
+            token_handler.put_code(token)
+        self.send_response(200)
+        self.end_headers()
+        self.wfile.write("Go back to terminal".encode("utf-8"))
+        return
+
+    def log_message(self, format, *args):
+        return
+
+
+class RequestServer:
+
+    server = None
+    host = "localhost"
+    port = 8080
+
+    def __init__(self, host, port):
+        self.host = host
+        self.port = port
+
+    def run(self):
+        self.server = HTTPServer((self.host, self.port), RequestHandler)
+        self.server.serve_forever()
+
+    def close(self):
+        self.server.server_close()

vgscli/cert_manager_api.py

@@ -0,0 +1,34 @@
+from simple_rest_client.api import API
+from simple_rest_client.resource import Resource
+
+from vgscli._version import __version__
+
+CERT_MANAGER_URLS = {
+    "dev": "https://cert-manager-api.verygoodsecurity.io",
+    "prod": "https://cert-manager.apps.verygoodvault.com",
+}
+
+
+class CertificatesResource(Resource):
+    actions = {"list": {"method": "GET", "url": "api/certificates"}}
+
+
+def create_cert_manager_api(vault_id, environment, token):
+    env = (environment or "prod").lower()
+    base_url = CERT_MANAGER_URLS.get(env, CERT_MANAGER_URLS["prod"])
+    api = API(
+        api_root_url=base_url,
+        params={},
+        headers={
+            "VGS-Tenant": vault_id,
+            "Content-Type": "application/json",
+            "Accept": "application/json",
+            "User-Agent": f"VGS CLI {__version__}",
+            "Authorization": f"Bearer {token}",
+        },
+        timeout=30,
+        append_slash=False,
+        json_encode_body=True,
+    )
+    api.add_resource(resource_name="certificates", resource_class=CertificatesResource)
+    return api

vgscli/cli/__init__.py

@@ -0,0 +1,23 @@
+import click
+from vgs.sdk.account_mgmt import AccountMgmtAPI
+from vgs.sdk.vault_mgmt import VaultMgmtAPI
+
+from vgscli.auth import handshake, token_util
+
+
+def create_account_mgmt_api(ctx: click.Context) -> AccountMgmtAPI:
+    environment = ctx.obj.env
+
+    handshake(ctx, environment)
+    access_token = token_util.get_access_token()
+
+    return AccountMgmtAPI(access_token, environment)
+
+
+def create_vault_mgmt_api(ctx: click.Context, root_url: str) -> VaultMgmtAPI:
+    environment = ctx.obj.env
+
+    handshake(ctx, environment)
+    access_token = token_util.get_access_token()
+
+    return VaultMgmtAPI(access_token, root_url)

vgscli/cli/commands/__init__.py

@@ -0,0 +1,3 @@
+from .apply import apply
+from .generate import generate
+from .get import get

vgscli/cli/commands/apply.py

@@ -0,0 +1,307 @@
+import logging
+import time
+from typing import Optional
+
+import click
+from click_plugins import with_plugins
+from simple_rest_client import exceptions
+from simple_rest_client.exceptions import ClientError
+from vgs.sdk.errors import RouteNotValidError
+from vgs.sdk.routes import dump_yaml, normalize, sync_all_routes
+from vgs.sdk.vaults_api import create_api as create_vaults_api
+
+from vgscli.auth import handshake, token_util
+from vgscli.cli import create_account_mgmt_api, create_vault_mgmt_api
+from vgscli.cli.types import ResourceId, ResourceIdParamType
+from vgscli.cli_utils import (
+    dump_camelized_yaml,
+    iter_entry_points,
+    validate_multi_yaml,
+    validate_yaml,
+)
+from vgscli.errors import ServiceClientCreationError, VgsCliError, handle_errors
+
+logger = logging.getLogger()
+
+
+@with_plugins(iter_entry_points("vgs.apply.plugins"))
+@click.group("apply")
+def apply() -> None:
+    """
+    Create or update a VGS resource.
+    """
+    pass
+
+
+@apply.command("service-account")
+@click.option(
+    "-O",
+    "--organization",
+    "org_id",
+    type=ResourceIdParamType(prefix="AC"),
+    help="ID of the organization to associate the vault with.",
+)
+@click.option(
+    "--file",
+    "-f",
+    type=click.File(),
+    help="Configuration to apply.",
+    required=True,
+)
+@click.pass_context
+@handle_errors()
+def apply_service_account(ctx: click.Context, org_id: ResourceId, file) -> None:
+    """
+    Create a Service Account client.
+    """
+    data = validate_yaml(file, "validation-schemas/service-account-schema.yaml")["data"]
+
+    account_mgmt = create_account_mgmt_api(ctx)
+    try:
+        # noinspection PyUnresolvedReferences
+        response = account_mgmt.service_accounts.create(
+            org_id.base58,
+            body={
+                "data": {
+                    "attributes": {
+                        "name": data["name"],
+                        "annotations": data.pop("annotations", {}),
+                        "vaults": data.get("vaults", []),
+                        "scopes": data["scopes"],
+                        "access_token_lifespan": data.get("accessTokenLifespan", None),
+                    }
+                }
+            },
+        )
+    except ClientError as cause:
+        raise ServiceClientCreationError(cause)
+
+    attributes = response.body["data"]["attributes"]
+
+    data["clientId"] = attributes["client_id"]
+    data["clientSecret"] = attributes["client_secret"]
+
+    # NOTE: Annotations are excluded from the output as they are undesirably camelized
+    # (e.g., "vgs.io/vault-id" becomes "vgs.io/vaultId")
+
+    click.echo(
+        dump_camelized_yaml(
+            {
+                "apiVersion": "1.0.0",
+                "kind": "ServiceAccount",
+                "data": data,
+            }
+        )
+    )
+
+
+@apply.command("vault")
+@click.option(
+    "-O",
+    "--organization",
+    "org_id",
+    type=ResourceIdParamType(prefix="AC"),
+    help="ID of the organization to associate the vault with.",
+)
+@click.option(
+    "--file",
+    "-f",
+    type=click.File(),
+    help="Configuration to apply.",
+    required=True,
+)
+@click.pass_context
+@handle_errors()
+def apply_vault(ctx: click.Context, org_id: Optional[ResourceId], file) -> None:
+    """
+    Create a new VGS vault.
+    """
+    data = validate_yaml(file, "validation-schemas/vault-schema.yaml")["data"]
+
+    # kubectl behavior
+    if "organizationId" in data:
+        if org_id and org_id.base58 != data["organizationId"]:
+            raise VgsCliError(
+                f"Ambiguous organization ID. "
+                f"Run the command with '--organization={data['organizationId']}' to resolve."
+            )
+    else:
+        if not org_id:
+            raise VgsCliError(
+                "Missing organization ID. Pass the '--organization' option to resolve."
+            )
+
+        data["organizationId"] = org_id.base58
+
+    account_mgmt = create_account_mgmt_api(ctx)
+
+    # noinspection PyUnresolvedReferences
+    response = account_mgmt.vaults.create_or_update(
+        body={
+            "data": {
+                "attributes": {
+                    "name": data["name"],
+                    "environment": data["environment"],
+                },
+                "type": "vaults",
+                "relationships": {
+                    "organization": {
+                        "data": {"type": "organizations", "id": data["organizationId"]}
+                    }
+                },
+            }
+        }
+    )
+
+    attributes = response.body["data"]["attributes"]
+
+    data["id"] = attributes["identifier"]
+    data["credentials"] = {
+        "username": attributes["credentials"]["key"],
+        "password": attributes["credentials"]["secret"],
+    }
+
+    vault_mgmt = create_vault_mgmt_api(
+        ctx, response.body["data"]["links"]["vault_management_api"]
+    )
+
+    while True:
+        # noinspection PyUnresolvedReferences
+        response = vault_mgmt.vaults.retrieve(
+            data["id"], headers={"VGS-Tenant": data["id"]}
+        )
+        if response.body["data"]["attributes"]["state"] == "PROVISIONED":
+            break
+        time.sleep(2)
+
+    click.echo(
+        dump_camelized_yaml(
+            {
+                "apiVersion": "1.0.0",
+                "kind": "Vault",
+                "data": data,
+            }
+        )
+    )
+
+
+def sync_http_route(payload, ctx, vault_id):
+    handshake(ctx, ctx.obj.env)
+
+    vault_management_api = create_vaults_api(
+        ctx, vault_id, ctx.obj.env, token_util.get_access_token()
+    )
+    route_id = payload["spec"]["id"]
+    try:
+        # api expects it to be wrapped in data attribute
+        response = vault_management_api.routes.update(
+            route_id, body={"data": payload["spec"]}
+        )
+    except exceptions.ClientError as e:
+        error_msg = "\n".join([error["detail"] for error in e.response.body["errors"]])
+        raise RouteNotValidError(error_msg)
+    if ctx.obj.debug:
+        click.echo(f"Received raw response {response}")
+    logger.debug(response)
+    # TODO: this flilth can be removed after the normalize_one function is exposed.
+    payload = normalize([response.body["data"]])[0]
+    if ctx.obj.debug:
+        click.echo(f"Normalized body {payload}")
+    payload = wrap_in_http_envelope(payload)
+    if ctx.obj.debug:
+        click.echo(f"Wrapped body {payload}")
+    click.echo(f"Route {route_id} processed")
+    return payload
+
+
+def wrap_in_http_envelope(payload):
+    # TODO: this either needs to come from the API or we should add support for versioning in the client (yuk)
+    envelope = {
+        "apiVersion": "vault.vgs.io/v1",
+        "kind": "HttpRoute",
+        "metadata": {"name": payload["id"]},
+        "spec": payload,
+    }
+    return envelope
+
+
+def sync_mft_route(payload, ctx, vault_id):
+    print("Sync MFT Route")
+    print(payload, ctx, vault_id)
+
+
+def no_op(*_):
+    print("No Op")
+
+
+HANDLERS = {
+    ("vault.vgs.io/v1", "HttpRoute"): sync_http_route,
+    ("mft.vgs.io/v1beta", "MftRoute"): sync_mft_route,
+}
+
+
+@apply.command("vault-resources")
+@click.option("--vault", "-V", help="Vault ID", required=True)
+@click.option(
+    "--file",
+    "-f",
+    type=click.File(),
+    help="Configuration to apply.",
+    required=True,
+)
+@click.option("--dry-run", default=False)
+@click.pass_context
+@handle_errors()
+def all_vault_resources(
+    ctx: click.Context, vault: Optional[ResourceId], file, dry_run
+) -> None:
+    """
+    Apply all vault resources (routes, preferences, certificates) to a single vault.
+    """
+    parsed_resources = validate_multi_yaml(
+        file, "validation-schemas/vault-resources.yaml"
+    )
+    for resource in parsed_resources:
+        if dry_run:
+            print(
+                f"Pretending to send {resource['apiVersion']} {resource['kind']} {resource['metadata']['name']} to server"
+            )
+        else:
+            # for each resource find handler.
+            logger.info(
+                f"Processing {resource['apiVersion']} {resource['kind']} {resource['metadata']['name']} to server"
+            )
+            response_payload = HANDLERS.get(
+                (resource["apiVersion"], resource["kind"]), no_op
+            )(resource, ctx, vault)
+            if response_payload:
+                print(dump_yaml(response_payload))
+
+
+@apply.command("routes")
+@click.option("--vault", "-V", help="Vault ID", required=True)
+@click.option(
+    "--filename",
+    "-f",
+    help="Filename for the input data",
+    type=click.File("r"),
+    required=True,
+)
+@click.pass_context
+@handle_errors()
+def apply_routes(ctx, vault, filename):
+    """
+    Create or update VGS routes.
+    """
+    handshake(ctx, ctx.obj.env)
+
+    route_data = filename.read()
+    vault_management_api = create_vaults_api(
+        ctx, vault, ctx.obj.env, token_util.get_access_token()
+    )
+    sync_all_routes(
+        vault_management_api,
+        route_data,
+        lambda route_id: click.echo(f"Route {route_id} processed"),
+    )
+    click.echo(f"Routes updated successfully for vault {vault}")

vgscli/cli/commands/generate.py

@@ -0,0 +1,134 @@
+import click
+from click_plugins import with_plugins
+from jinja2 import Environment, PackageLoader, StrictUndefined, UndefinedError
+
+from vgscli.cli import create_account_mgmt_api, create_vault_mgmt_api
+from vgscli.cli.types import Variable, VariableParamType
+from vgscli.cli_utils import dump_camelized_yaml, iter_entry_points, read_file
+from vgscli.errors import handle_errors
+
+
+@with_plugins(iter_entry_points("vgs.generate.plugins"))
+@click.group("generate")
+def generate() -> None:
+    """
+    Output a VGS resource template. Edited templates can be applied with a
+    corresponding command.
+    """
+    pass
+
+
+@generate.command("vault")
+@handle_errors()
+def generate_vault() -> None:
+    """
+    Output a vault template.
+    """
+    click.echo(read_file("resource-templates/vault-template.yaml"), nl=False)
+
+
+@generate.command("access-credentials")
+@click.option("--vault", "-V", help="Vault ID", required=True)
+@click.pass_context
+@handle_errors()
+def generate_access_credentials(ctx, vault):
+    """
+    Generate a VGS access-credential
+    """
+    account_mgmt = create_account_mgmt_api(ctx)
+
+    response = account_mgmt.vaults.get_by_id(vault)
+
+    vault_mgmt = create_vault_mgmt_api(
+        ctx, response.body["data"][0]["links"]["vault_management_api"]
+    )
+
+    response = vault_mgmt.credentials.create(headers={"VGS-Tenant": vault})
+
+    click.echo(
+        dump_camelized_yaml(
+            {
+                "apiVersion": "1.0.0",
+                "kind": "AccessCredentials",
+                "data": response.body["data"],
+            }
+        )
+    )
+
+
+@generate.command("http-route")
+@handle_errors()
+def generate_route():
+    """
+    Generate a VGS HTTP Route
+    """
+    click.echo(read_file("resource-templates/http-route-template.yaml"), nl=False)
+
+
+@generate.command("mft-route")
+@handle_errors()
+def generate_route():
+    """
+    Generate a VGS MFT Route
+    """
+    click.echo(read_file("resource-templates/mft-route-template.yaml"), nl=False)
+
+
+@generate.command("service-account")
+@click.option(
+    "--template",
+    "-t",
+    type=click.Choice(
+        ["vgs-cli", "calm", "checkout", "sub-account-checkout", "payments-admin"]
+    ),
+    help="Predefined service account template configuration",
+    required=True,
+)
+@click.option(
+    "--var",
+    "variables",
+    type=VariableParamType(),
+    multiple=True,
+    help="Template variables.",
+)
+@click.option(
+    "--vault",
+    "vaults",
+    type=click.STRING,
+    multiple=True,
+    help="Service Account accessible vaults",
+)
+@click.pass_context
+@handle_errors()
+def generate_service_account(ctx, template, variables, vaults):
+    """
+    Output a Service Account template.
+    """
+    environment = Environment(
+        loader=PackageLoader(
+            package_name="vgscli", package_path="resource-templates/service-account"
+        ),
+        undefined=StrictUndefined,
+    )
+
+    def cli_warn(msg):
+        click.echo(click.style("Warning!", fg="yellow") + " " + msg, err=True)
+
+    def cli_fail(msg):
+        click.echo(click.style("Error!", fg="red") + " " + msg, err=True)
+        ctx.exit(1)
+
+    environment.globals["cli_warn"] = cli_warn
+    environment.globals["cli_fail"] = cli_fail
+
+    variables = variables + (Variable("vaults", vaults),)
+    try:
+        template = environment.get_template(f"{template}.yaml")
+        click.echo(template.render(**{var.name: var.value for var in variables}))
+    except UndefinedError as error:
+        click.echo(
+            click.style("Error!", fg="red") + f" Could not render service "
+            f"account template: {error}. "
+            f"Please use '--var variable=value' to pass required variable."
+        )
+        ctx.exit(1)