vgs-cli 0.0.1.dev0__py3-none-any.whl

vgscli/errors.py

@@ -0,0 +1,263 @@
+import traceback
+import types
+from functools import wraps
+
+import click
+from click import Context, UsageError
+from click.exceptions import Abort, Exit
+from simple_rest_client import exceptions
+
+
+def is_debug(ctx) -> bool:
+    return bool(
+        getattr(ctx, "obj", None) and getattr(getattr(ctx, "obj", None), "debug", False)
+    )
+
+
+def get_error_details(e):
+    resp = getattr(e, "response", None)
+    body = getattr(resp, "body", None)
+    if isinstance(body, dict) and body.get("errors"):
+        return [x.get("detail") for x in body["errors"] if isinstance(x, dict)]
+    return None
+
+
+class VgsCliError(UsageError):
+    def __init__(self, message, ctx=None):
+        self.message = message
+        self.ctx = ctx
+
+    def show(self, file=None):
+        self.show_message()
+
+    def show_message(self):
+        debug = is_debug(self.ctx)
+        if debug:
+            click.echo(traceback.format_exc(), err=True)
+        click.echo(self.message, err=True)
+
+
+class VaultNotFoundError(VgsCliError):
+    def __init__(self, vault_id, ctx=None):
+        self.message = "Vault " + vault_id + " doesn't exist."
+        self.ctx = ctx
+
+
+class TokenNotValidError(VgsCliError):
+    def __init__(self, message=None, ctx=None):
+        self.message = (
+            message or "Please run `vgs login` because your session has been expired."
+        )
+        self.ctx = ctx
+
+
+class AuthenticationRequiredError(VgsCliError):
+    def __init__(self, ctx=None):
+        self.message = "Please run `vgs login` because your session has been expired."
+        self.ctx = ctx
+
+
+class AuthenticationError(VgsCliError):
+    def __init__(self, ctx=None, details=None):
+        debug = is_debug(ctx)
+        self.message = (
+            "Authentication error occurred"
+            if debug
+            else "Authentication error occurred."
+        )
+        if details:
+            self.message = "{message} {details}".format(
+                message=self.message, details=details
+            )
+        self.ctx = ctx
+
+
+class ClientCredentialsAuthenticationError(VgsCliError):
+    def __init__(self, ctx=None):
+        debug = is_debug(ctx)
+        self.message = (
+            """Authentication error occurred.
+
+NOTE: You may see this error if you're using an account with enabled OTP.
+Auto login via environment variables with OTP is not supported.
+ """
+            if debug
+            else """Authentication error occurred. (Run with --debug for a traceback.)
+
+NOTE: You may see this error if you're using an account with enabled OTP.
+Auto login via environment variables with OTP is not supported.
+ """
+        )
+        self.ctx = ctx
+
+
+class ApiError(VgsCliError):
+    def __init__(self, e, ctx=None):
+        details = get_error_details(e)
+        debug = is_debug(ctx)
+        if details:
+            self.message = f"API error occurred: {details}"
+        elif debug:
+            self.message = "API error occurred."
+        else:
+            self.message = "API error occurred. (Run with --debug for a traceback.)"
+        self.ctx = ctx
+
+
+class UnhandledError(VgsCliError):
+    def __init__(self, ctx=None):
+        debug = is_debug(ctx)
+        self.message = (
+            "An unexpected error occurred."
+            if debug
+            else "An unexpected error occurred. (Run with --debug for a traceback.)"
+        )
+        self.ctx = ctx
+
+
+class RouteNotValidError(VgsCliError):
+    def __init__(self, error_message: str, ctx=None):
+        debug = is_debug(ctx)
+        error_message = f"Route cannot be applied due to errors:\n{error_message}"
+        self.message = (
+            error_message
+            if debug
+            else f"{error_message} (Run with --debug for a traceback.)"
+        )
+        self.ctx = ctx
+
+
+class SchemaValidationError(VgsCliError):
+    def __init__(self, message, ctx=None):
+        self.message = f"Error during validation of the file input: {message}."
+        self.ctx = ctx
+
+
+class ServiceClientCreationError(VgsCliError):
+    def __init__(self, e, ctx=None):
+        details = get_error_details(e)
+        self.message = f"Service Account creation failed with error: {details}"
+        self.ctx = ctx
+
+
+class ServiceClientDeletionError(VgsCliError):
+    def __init__(self, e, ctx=None):
+        details = get_error_details(e)
+        self.message = f"Service Account deletion failed with error: {details}"
+        self.ctx = ctx
+
+
+class ServiceClientListingError(VgsCliError):
+    def __init__(self, e, ctx=None):
+        details = get_error_details(e)
+        self.message = f"Service Account listing failed with error: {details}"
+        self.ctx = ctx
+
+
+class NoSuchFileOrDirectoryError(VgsCliError):
+    def __init__(self, message, ctx=None):
+        self.message = f"No such file or directory: {message}"
+        self.ctx = ctx
+
+
+class InsufficientPermissionsError(VgsCliError):
+    def __init__(self, ctx=None):
+        self.message = (
+            "You don't have enough permissions to perform this operation. Please contact "
+            "support@verygoodsecurity.com. "
+        )
+        self.ctx = ctx
+
+
+class PermissionDeniedError(VgsCliError):
+    def __init__(self, ctx=None):
+        self.message = "You don't have enough permissions to the requested resource"
+        self.ctx = ctx
+
+
+class MaxNumberOfCredentialsExceededError(VgsCliError):
+    def __init__(self, ctx=None):
+        self.message = (
+            "Maximum number of access credentials (10 per vault) reached.. Please contact "
+            "support@verygoodsecurity.com to increase the limit. "
+        )
+        self.ctx = ctx
+
+
+def status_code_error(**kwargs):
+    def init(self, e, ctx=None):
+        status = getattr(getattr(e, "response", None), "status_code", None)
+        error_handler = kwargs.get(f"e{status}")
+        if error_handler:
+            self.message = (
+                error_handler(e)
+                if isinstance(error_handler, types.FunctionType)
+                else error_handler
+            )
+            self.ctx = ctx
+        else:
+            ApiError.__init__(self, e, ctx=ctx)
+
+    return type(
+        "StatusCodeError",
+        (ApiError,),
+        {"__init__": init},
+    )
+
+
+def handle_errors(**outer_kwargs):
+    def decorator_handle_errors(f):
+        @wraps(f)
+        def wrapper(*args, **kwargs):
+            try:
+                return f(*args, **kwargs)
+            except (Abort, Exit):
+                raise
+            except exceptions.ClientError as e:
+                ctx = args[0] if args and isinstance(args[0], Context) else None
+                if ctx:
+                    status = getattr(getattr(e, "response", None), "status_code", None)
+                    if status == 401:
+                        raise outer_kwargs.get(
+                            "TokenNotValidError", TokenNotValidError
+                        )(ctx=ctx)
+                    if status == 403:
+                        body = getattr(getattr(e, "response", None), "body", None)
+                        errors = body.get("errors") if isinstance(body, dict) else None
+                        detail = (
+                            (
+                                errors
+                                and isinstance(errors, list)
+                                and errors
+                                and errors[0].get("detail")
+                            )
+                            if errors
+                            else None
+                        )
+                        if detail and "Maximum number of access credentials" in detail:
+                            raise outer_kwargs.get(
+                                "MaxNumberOfCredentialsExceededError",
+                                MaxNumberOfCredentialsExceededError,
+                            )(ctx=ctx)
+                        if errors:
+                            raise outer_kwargs.get(
+                                "InsufficientPermissionsError",
+                                InsufficientPermissionsError,
+                            )(ctx=ctx)
+                        raise outer_kwargs.get(
+                            "PermissionDeniedError", PermissionDeniedError
+                        )(ctx=ctx)
+                    raise outer_kwargs.get("ApiError", ApiError)(e, ctx=ctx)
+                # No click.Context available; re-raise original error
+                raise
+            except (VgsCliError, click.BadParameter, click.BadArgumentUsage):
+                raise
+            except Exception:
+                ctx = args[0] if args and isinstance(args[0], Context) else None
+                if ctx:
+                    raise UnhandledError(ctx=ctx)
+                raise
+
+        return wrapper
+
+    return decorator_handle_errors

vgscli/file_token_util.py

@@ -0,0 +1,30 @@
+import os
+import tempfile
+
+import click
+from vgs.sdk.utils import is_file_accessible
+
+
+class FileTokenUtil:
+    def __init__(self, token_file_name):
+        temp_dir = tempfile.gettempdir()
+        self.temp_file = os.path.join(temp_dir, token_file_name)
+
+    @property
+    def exists(self):
+        return os.path.exists(self.temp_file)
+
+    def read_token(self):
+        with open(self.temp_file, "r+") as tmp:
+            return tmp.read()
+
+    def write_token(self, token):
+        with open(self.temp_file, "w+") as tmp:
+            tmp.write(token)
+        return token
+
+    def remove_token(self):
+        if is_file_accessible(self.temp_file, "r+"):
+            os.remove(self.temp_file)
+        else:
+            click.echo("No authenticated session", err=True)

vgscli/id_generator.py

@@ -0,0 +1,46 @@
+from typing import (
+    Optional,
+    Union,
+)
+from uuid import UUID
+
+import base58
+
+BASE58_ALPHABET = b"123456789abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ"
+
+
+def base58_to_uuid(public_id: str, prefix: Optional[str] = None) -> str:
+    """
+    >>> base58_to_uuid('fBpkbaCp2dqfowSaRDL3g7')
+    '765159e7-750c-4b0b-8be0-a07fbc8f3ac4'
+    >>> base58_to_uuid('ACgwBwv1PeYLXpxsMyrSKYbw', 'AC')
+    '7dbf495e-254b-4e76-aaab-1bb5b726a53a'
+    >>> base58_to_uuid('bPpQJd2cwkVewGNBtCYMC')
+    '0182a7e1-d2e9-48dc-805b-d79156802ce6'
+    >>> base58_to_uuid('3iEhRdf9YZCNViqA1FRU6')
+    '00525efa-b7f3-41c4-b315-8d1836c9ec89'
+    """
+    prefix = prefix or ""
+    return str(
+        UUID(
+            int=base58.b58decode_int(public_id[len(prefix) :], alphabet=BASE58_ALPHABET)
+        )
+    )
+
+
+def uuid_to_base58(internal_id: Union[UUID, str], prefix: Optional[str] = None) -> str:
+    """
+    >>> uuid_to_base58('765159e7-750c-4b0b-8be0-a07fbc8f3ac4', 'GR')
+    'GRfBpkbaCp2dqfowSaRDL3g7'
+    >>> uuid_to_base58('7dbf495e-254b-4e76-aaab-1bb5b726a53a')
+    'gwBwv1PeYLXpxsMyrSKYbw'
+    >>> uuid_to_base58('0182a7e1-d2e9-48dc-805b-d79156802ce6', 'GR')
+    'GRbPpQJd2cwkVewGNBtCYMC'
+    >>> uuid_to_base58('00525efa-b7f3-41c4-b315-8d1836c9ec89', 'GR')
+    'GR3iEhRdf9YZCNViqA1FRU6'
+    """
+    prefix = prefix or ""
+    uuid = internal_id if isinstance(internal_id, UUID) else UUID(hex=internal_id)
+    encoded = base58.b58encode_int(uuid.int, alphabet=BASE58_ALPHABET)
+
+    return f"{prefix}{encoded.decode()}"

vgscli/keyring_token_util.py

@@ -0,0 +1,128 @@
+import jwt
+import keyring
+from cryptography.fernet import Fernet
+from keyring.errors import PasswordDeleteError
+from vgs.sdk.utils import expired
+
+from vgscli.errors import TokenNotValidError
+from vgscli.file_token_util import FileTokenUtil
+
+
+class KeyringTokenUtil:
+    SERVICE_NAME = "vgs-cli"
+
+    ACCESS_TOKEN_KEY = "access_token"
+    REFRESH_TOKEN_KEY = "refresh_token"
+    ENCRYPT_TOKEN_SECRET_KEY = "vgs_encrypt_secret_key"
+
+    access_token_file = FileTokenUtil("vgs_access_token")
+    refresh_token_file = FileTokenUtil("vgs_refresh_token")
+
+    def put_encryption_secret(self, secret):
+        keyring.set_password(self.SERVICE_NAME, self.ENCRYPT_TOKEN_SECRET_KEY, secret)
+
+    def get_encryption_secret(self):
+        return keyring.get_credential(self.SERVICE_NAME, self.ENCRYPT_TOKEN_SECRET_KEY)
+
+    def remove_encryption_secret(self):
+        try:
+            keyring.delete_password(self.SERVICE_NAME, self.ENCRYPT_TOKEN_SECRET_KEY)
+        except PasswordDeleteError:
+            pass
+
+    def tokens_exist(self):
+        return self.access_token_file.exists and self.refresh_token_file.exists
+
+    def clear_tokens(self):
+        self.delete_access_token()
+        self.delete_refresh_token()
+
+    def validate_access_token(self):
+        if self.get_access_token():
+            token_json = jwt.decode(
+                self.get_access_token(), options={"verify_signature": False}
+            )
+            return not expired(token_json["exp"])
+        else:
+            raise TokenNotValidError("Access token not found")
+
+    def validate_refresh_token(self):
+        if self.get_refresh_token():
+            token_json = jwt.decode(
+                self.get_refresh_token(), options={"verify_signature": False}
+            )
+            if expired(token_json["exp"]):
+                raise TokenNotValidError("Refresh token expired")
+        else:
+            raise TokenNotValidError("Refresh token not found")
+
+    def is_access_token_valid(self) -> bool:
+        try:
+            return self.validate_access_token()
+        except TokenNotValidError:
+            return False
+
+    def is_access_token_azp_changed(self, azp) -> bool:
+        return (
+            jwt.decode(
+                self.get_access_token(), options={"verify_signature": False}
+            ).get("azp")
+            != azp
+        )
+
+    def put_tokens(self, response):
+        key = Fernet.generate_key()
+        cipher = Fernet(key)
+        self.remove_encryption_secret()
+        self.put_encryption_secret(str(key, "utf-8"))
+        self.access_token_file.write_token(
+            str(cipher.encrypt(response[self.ACCESS_TOKEN_KEY].encode()), "utf-8")
+        )
+
+        # https://datatracker.ietf.org/doc/html/rfc6749#section-4.4.3
+        if self.REFRESH_TOKEN_KEY in response:
+            self.refresh_token_file.write_token(
+                str(cipher.encrypt(response[self.REFRESH_TOKEN_KEY].encode()), "utf-8")
+            )
+
+    def put_access_token(self, token):
+        self.access_token_file.write_token(
+            str(self.fernet.encrypt(token.encode()), "utf-8")
+        )
+
+    def get_access_token(self):
+        try:
+            return str(
+                self.fernet.decrypt(self.access_token_file.read_token().encode()),
+                "utf-8",
+            )
+        except FileNotFoundError:
+            raise TokenNotValidError("Access token not found")
+
+    def delete_access_token(self):
+        self.access_token_file.remove_token()
+
+    def put_refresh_token(self, token):
+        self.refresh_token_file.write_token(
+            str(self.fernet.encrypt(token.encode()), "utf-8")
+        )
+
+    def get_refresh_token(self):
+        try:
+            return str(
+                self.fernet.decrypt(self.refresh_token_file.read_token().encode()),
+                "utf-8",
+            )
+        except FileNotFoundError:
+            raise TokenNotValidError("Refresh token not found")
+
+    def delete_refresh_token(self):
+        self.refresh_token_file.remove_token()
+
+    @property
+    def fernet(self):
+        secret = self.get_encryption_secret()
+        if not secret:
+            raise FileNotFoundError("Can't find secret in keystore")
+
+        return Fernet(secret.password.encode())

vgscli/resource-templates/http-route-template.yaml

@@ -0,0 +1,61 @@
+apiVersion: vault.vgs.io/v1
+kind: HttpRoute
+metadata:
+  name: your-name-here
+  labels:
+    vgs.io/vaultId: your-vault-id-here
+spec:
+  # TODO: Change this ID
+  id: &routeId 7478d3b7-beef-cafe-0000-000000000000
+  type: rule_chain
+  attributes:
+    id: *routeId
+    host_endpoint: httpbin.org
+    destination_override_endpoint: '*'
+    ordinal: 0
+    port: 0
+    protocol: http
+    source_endpoint: '*'
+    tags:
+      # TODO: add a good name
+      name: Display name of route here
+      # TODO: add version here
+      vgs.io/version: 0.1.0
+    # filters
+    entries:
+      # first filter - document here what it does
+      - classifiers: {}
+        config:
+          condition: OR
+          rules:
+            - expression:
+                field: PathInfo
+                operator: matches
+                type: string
+                values:
+                  - /post
+        id: 955834e8-beef-cafe-0000-000000000000
+        id_selector: null
+        operation: ENRICH
+        operations:
+          - name: github.com/verygoodsecurity/common/compute/larky/http/Process
+            parameters:
+              script: |
+                load('@stdlib//json', 'json')
+                load("@stdlib//builtins", "builtins")
+
+                load("@vgs//vault", "vault")
+
+                def process(input, ctx):
+                    # TODO: write your larky code here.
+
+                    return input
+        phase: REQUEST
+        public_token_generator: UUID
+        targets:
+          - body
+        token_manager: PERSISTENT
+        transformer: JSON_PATH
+        transformer_config:
+          - $.whatever_this_field_is_unused
+        transformer_config_map: null

vgscli/resource-templates/mft-route-template.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: mft.vgs.io/v1beta
+kind: MftRoute
+metadata:
+  name: my-mft-route
+  id: foo
+spec:
+  source: foo
+  destination: bar
+  filters: []

vgscli/resource-templates/service-account/calm.yaml

@@ -0,0 +1,16 @@
+apiVersion: 1.0.0
+kind: ServiceAccount
+data:
+  name: calm
+  {%- if vaults | length == 0 %}
+      {{ cli_fail("This template needs single vault to be specified. Please use '--vault <vault-identifier>' to pass the vault.") }}
+  {% elif vaults | length == 1 %}
+  vaults:
+    - {{ vaults[0] }}
+  {%- else %}
+      {{ cli_fail("This template doesn't allow multiple vaults.") }}
+  {% endif %}
+  scopes:
+    - name: cards:write
+    - name: network-tokens:write
+    - name: merchants:write

vgscli/resource-templates/service-account/checkout.yaml

@@ -0,0 +1,21 @@
+apiVersion: 1.0.0
+kind: ServiceAccount
+data:
+  name: {{ name }}
+  {%- if vaults | length == 0 %}
+      {{ cli_fail("This template needs single vault to be specified. Please use '--vault <vault-identifier>' to pass the vault.") }}
+  {% elif vaults | length == 1 %}
+  vaults:
+    - {{ vaults[0] }}
+  {%- else %}
+      {{ cli_fail("This template doesn't allow multiple vaults.") }}
+  {% endif %}
+  scopes:
+    - name: financial-instruments:write
+      optional: true
+    - name: transfers:write
+      optional: true
+    - name: orders:write
+      optional: true
+
+  accessTokenLifespan: 28800

vgscli/resource-templates/service-account/payments-admin.yaml

@@ -0,0 +1,25 @@
+apiVersion: 1.0.0
+kind: ServiceAccount
+data:
+  {%- if vaults | length == 0 %}
+      {{ cli_fail("This template needs single vault to be specified. Please use '--vault <vault-identifier>' to pass the vault.") }}
+  {%- elif vaults | length == 1 %}
+  name: payments-{{ vaults[0] }}
+  vaults:
+    - {{ vaults[0] }}
+  {%- else %}
+      {{ cli_fail("This template doesn't allow multiple vaults.") }}
+  {% endif %}
+  scopes:
+    - name: financial-instruments:admin
+    - name: gateways:admin
+    - name: rules:admin
+    - name: transfers:admin
+    - name: orders:admin
+    - name: threeds:admin
+    - name: sub-accounts:admin
+    - name: cards:write
+    - name: network-tokens:write
+    - name: merchants:write
+
+  accessTokenLifespan: 28800

vgscli/resource-templates/service-account/sub-account-checkout.yaml

@@ -0,0 +1,23 @@
+apiVersion: 1.0.0
+kind: ServiceAccount
+data:
+  name: {{ sub_account_id }}
+  annotations:
+    "vgs.io/sub-account": "{{ sub_account_id }}"
+  {%- if vaults | length == 0 %}
+      {{ cli_fail("This template needs single vault to be specified. Please use '--vault <vault-identifier>' to pass the vault.") }}
+  {% elif vaults | length == 1 %}
+  vaults:
+    - {{ vaults[0] }}
+  {%- else %}
+      {{ cli_fail("This template doesn't allow multiple vaults.") }}
+  {% endif %}
+  scopes:
+    - name: financial-instruments:write
+      optional: true
+    - name: transfers:write
+      optional: true
+    - name: orders:write
+      optional: true
+
+  accessTokenLifespan: 28800

vgscli/resource-templates/service-account/vgs-cli.yaml

@@ -0,0 +1,17 @@
+apiVersion: 1.0.0
+kind: ServiceAccount
+data:
+  name: vgs-cli
+  {%- if vaults | length == 0 %}
+      {{- cli_warn("Service Account won't have access to any vaults inside organization. If you need it to access vault(s) please use --vault <vault-identifier>.") or "" }}
+  {%- else %}
+  vaults:
+    {%- for vault_id in vaults %}
+    - {{ vault_id }}
+    {%- endfor %}
+  {%- endif %}
+  scopes:
+    - name: access-logs:read
+    - name: organizations:read
+    - name: routes:write
+    - name: vaults:write

vgscli/resource-templates/vault-template.yaml

@@ -0,0 +1,12 @@
+apiVersion: 1.0.0
+kind: Vault
+data:
+  # Name of the vault to create. (Must be between 3 and 50 characters long.)
+  name: Very Good Vault
+
+  # Environment to create the vault within.
+  # See https://www.verygoodsecurity.com/docs/terminology/vaults#environments
+  environment: SANDBOX
+
+  # ID of the organization to associate the vault with.
+  organizationId: AC6mGNNRecR7K5N7AjX5niz4