Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: refactor deployer to run locally without auth #810

Merged
merged 16 commits into from
May 2, 2023
Merged
Show file tree
Hide file tree
Changes from 12 commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
41 changes: 11 additions & 30 deletions CONTRIBUTING.md
Original file line number Diff line number Diff line change
Expand Up @@ -155,52 +155,33 @@ make docker-compose.rendered.yml
docker compose -f docker-compose.rendered.yml up provisioner
oddgrd marked this conversation as resolved.
Show resolved Hide resolved
```

This starts the provisioner and the auth service, while preventing `gateway` from starting up. Next up we need to
insert an admin user into the `auth` state using the ID of the `auth` container and the auth CLI `init` command:
This starts the provisioner and the auth service, while preventing `gateway` from starting up.
Next up we need to insert an admin user into the `auth` state using the ID of the `auth`
container and the auth CLI `init` command:

```bash
AUTH_CONTAINER_ID=$(docker ps -aqf "name=shuttle-auth") \
iulianbarbu marked this conversation as resolved.
Show resolved Hide resolved
docker exec $AUTH_CONTAINER_ID ./usr/local/bin/service \
--state=/var/lib/shuttle-auth \
init --name admin --key test-key
```
> Note: if you have done this already for this container you will get a "UNIQUE constraint failed"
> error, you can ignore this.

Before we can run commands against a local deployer, we need to get a valid JWT and set it in our
`.config/shuttle/config.toml` as our `api_key`. By running the following curl command, we will request
that our api-key in the `Authorization` header be converted to a JWT, which will be returned in the response:
We need to make sure we're logged in with the same key we inserted for the admin user in the
previous step:

```bash
curl -H "Authorization: Bearer test-key" localhost:8008/auth/key
cargo shuttle login --api-key test-key
```

Now copy the `token` value (just the value, not the key) from the curl response, and write it to your shuttle
config (which will be a file named `config.toml` in a directory named `shuttle` in one of
[these places](https://docs.rs/dirs/latest/dirs/fn.config_dir.html) depending on your OS).
We're now ready to start a local run of the deployer:

```bash
# replace <jwt> with the token from the previous command
echo "api_key = '<jwt>'" > ~/.config/shuttle/config.toml
cargo run -p shuttle-deployer -- --provisioner-address http://localhost:5000 --auth-uri http://localhost:8008 --proxy-fqdn local.rs --admin-secret test-key --local --project <project_name>
```

> Note: The JWT will expire in 15 minutes, at which point you need to run the commands again.
> If you have [`jq`](https://github.com/stedolan/jq/wiki/Installation) installed you can combine
> the two above commands into the following:
```bash
curl -s -H "Authorization: Bearer test-key" localhost:8008/auth/key \
| jq -r '.token' \
| read token; echo "api_key='$token'" > ~/.config/shuttle/config.toml
```

Finally we need to comment out the admin layer in the deployer handlers. So in `deployer/handlers/mod.rs`,
in the `make_router` function comment out this line: `.layer(AdminSecretLayer::new(admin_secret))`.

And that's it, we're ready to start our deployer!

```bash
cargo run -p shuttle-deployer -- --provisioner-address http://localhost:8000 --proxy-fqdn local.rs --admin-secret test-key --project <project_name>
```

The `--admin-secret` can safely be changed to your api-key to make testing easier. While `<project_name>` needs to match the name of the project that will be deployed to this deployer. This is the `Cargo.toml` or `Shuttle.toml` name for the project.
The `<project_name>` needs to match the name of the project that will be deployed to this deployer. This is the `Cargo.toml` or `Shuttle.toml` name for the project.
oddgrd marked this conversation as resolved.
Show resolved Hide resolved

### Using Podman instead of Docker

Expand Down
27 changes: 21 additions & 6 deletions Cargo.lock

Some generated files are not rendered by default. Learn more about how customized files appear on GitHub.

6 changes: 1 addition & 5 deletions Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -16,11 +16,7 @@ members = [
exclude = [
"e2e",
"examples",
"resources/aws-rds",
"resources/persist",
"resources/secrets",
"resources/shared-db",
"resources/static-folder",
"resources",
"services",
]

Expand Down
28 changes: 4 additions & 24 deletions auth/src/user.rs
Original file line number Diff line number Diff line change
Expand Up @@ -9,7 +9,7 @@ use axum::{
};
use rand::distributions::{Alphanumeric, DistString};
use serde::{Deserialize, Deserializer, Serialize};
use shuttle_common::claims::Scope;
use shuttle_common::claims::{Scope, ScopeBuilder};
use sqlx::{query, Row, SqlitePool};
use tracing::{trace, Span};

Expand Down Expand Up @@ -185,33 +185,13 @@ pub enum AccountTier {

impl From<AccountTier> for Vec<Scope> {
fn from(tier: AccountTier) -> Self {
let mut base = vec![
Scope::Deployment,
Scope::DeploymentPush,
Scope::Logs,
Scope::Service,
Scope::ServiceCreate,
Scope::Project,
Scope::ProjectCreate,
Scope::Resources,
Scope::ResourcesWrite,
Scope::Secret,
Scope::SecretWrite,
];
let mut builder = ScopeBuilder::new();

if tier == AccountTier::Admin {
base.append(&mut vec![
Scope::User,
Scope::UserCreate,
Scope::AcmeCreate,
Scope::CustomDomainCreate,
Scope::CustomDomainCertificateRenew,
Scope::GatewayCertificateRenew,
Scope::Admin,
]);
builder = builder.with_admin()
}

base
builder.build()
}
}

Expand Down
2 changes: 1 addition & 1 deletion common/Cargo.toml
Original file line number Diff line number Diff line change
Expand Up @@ -94,4 +94,4 @@ ring = { workspace = true }
tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
tower = { workspace = true, features = ["util"] }
tracing-fluent-assertions = "0.3.0"
tracing-subscriber = { version = "0.3", default-features = false }
tracing-subscriber = { workspace = true }
49 changes: 49 additions & 0 deletions common/src/claims.rs
Original file line number Diff line number Diff line change
Expand Up @@ -88,6 +88,55 @@ pub enum Scope {
Admin,
}

/// Standard scopes for new users.
const BASE_SCOPES: [Scope; 11] = [
Scope::Deployment,
Scope::DeploymentPush,
Scope::Logs,
Scope::Service,
Scope::ServiceCreate,
Scope::Project,
Scope::ProjectCreate,
Scope::Resources,
Scope::ResourcesWrite,
Scope::Secret,
Scope::SecretWrite,
];

/// Additional scopes for admin users.
const ADMIN_SCOPES: [Scope; 7] = [
Scope::User,
Scope::UserCreate,
Scope::AcmeCreate,
Scope::CustomDomainCreate,
Scope::CustomDomainCertificateRenew,
Scope::GatewayCertificateRenew,
Scope::Admin,
];
oddgrd marked this conversation as resolved.
Show resolved Hide resolved

pub struct ScopeBuilder(Vec<Scope>);

impl ScopeBuilder {
pub fn new() -> Self {
Self(BASE_SCOPES.to_vec())
}

pub fn with_admin(mut self) -> Self {
self.0.extend(ADMIN_SCOPES.into_iter());
self
}

pub fn build(self) -> Vec<Scope> {
self.0
}
}

impl Default for ScopeBuilder {
fn default() -> Self {
Self::new()
}
}

#[derive(Clone, Debug, Deserialize, Serialize, Eq, PartialEq)]
pub struct Claim {
/// Expiration time (as UTC timestamp).
Expand Down
4 changes: 4 additions & 0 deletions deployer/src/args.rs
Original file line number Diff line number Diff line change
Expand Up @@ -50,4 +50,8 @@ pub struct Args {
/// Uri to folder to store all artifacts
#[clap(long, default_value = "/tmp")]
pub artifacts_path: PathBuf,

/// Run deployer without auth locally
#[arg(long)]
pub local: bool,
}
86 changes: 86 additions & 0 deletions deployer/src/handlers/local.rs
Original file line number Diff line number Diff line change
@@ -0,0 +1,86 @@
use std::net::Ipv4Addr;

use axum::{
headers::{authorization::Bearer, Authorization, Cookie, Header, HeaderMapExt},
http::Request,
middleware::Next,
response::Response,
Extension,
};
use hyper::{
client::{connect::dns::GaiResolver, HttpConnector},
Body, Client, StatusCode, Uri,
};
use hyper_reverse_proxy::ReverseProxy;
use once_cell::sync::Lazy;
use serde_json::Value;
use tracing::error;

static PROXY_CLIENT: Lazy<ReverseProxy<HttpConnector<GaiResolver>>> =
Lazy::new(|| ReverseProxy::new(Client::new()));

/// This middleware proxies a request to the auth service to get a JWT, which we need to access
/// the deployer endpoints, and we'll also need it in the claim layer of the provisioner and runtime
/// clients.
///
/// Follow the steps in https://github.com/shuttle-hq/shuttle/blob/main/CONTRIBUTING.md#testing-deployer-only
/// to learn how to insert an admin user in the auth state.
///
/// WARNING: do not set this layer in production.
pub async fn set_jwt_bearer<B>(
Extension(auth_uri): Extension<Uri>,
mut request: Request<B>,
next: Next<B>,
) -> Result<Response, StatusCode> {
let mut auth_details = None;

if let Some(bearer) = request.headers().typed_get::<Authorization<Bearer>>() {
auth_details = Some(make_token_request("/auth/key", bearer));
}

if let Some(cookie) = request.headers().typed_get::<Cookie>() {
auth_details = Some(make_token_request("/auth/session", cookie));
}

if let Some(token_request) = auth_details {
let response = PROXY_CLIENT
.call(
Ipv4Addr::LOCALHOST.into(),
&auth_uri.to_string(),
token_request,
)
.await
.expect("failed to proxy request to auth service");

let body = hyper::body::to_bytes(response.into_body()).await.unwrap();
let convert: Value = serde_json::from_slice(&body)
.expect("failed to deserialize body as JSON, did you login?");

let token = convert["token"]
.as_str()
.expect("response body should have a token");

request
.headers_mut()
.typed_insert(Authorization::bearer(token).expect("to set JWT token"));

let response = next.run(request).await;

Ok(response)
} else {
error!("No api-key bearer token or cookie found, make sure you are logged in.");
Err(StatusCode::UNAUTHORIZED)
}
}

fn make_token_request(uri: &str, header: impl Header) -> Request<Body> {
let mut token_request = Request::builder().uri(uri);
token_request
.headers_mut()
.expect("manual request to be valid")
.typed_insert(header);

token_request
.body(Body::empty())
.expect("manual request to be valid")
}
Loading