feat: refactor deployer to run locally without auth (#810)

* feat: refactor deployer to run locally without auth * docs: update contributing deployer guide * refactor: workspace dep * fix: bump regex to 1.8.1 to fix 1.8.0 bug * fix: provisioner port for local deployer * refactor: renaming * feat: refactor to request token from auth * refactor: remove claims feature from deployer common * refactor: use key/cookie from original request * refactor: implement scopebuilder * fix: clippy * refactor: address review * refactor: auth container command * refactor: cleanup builder in start fn * docs: local arg docs
shuttle-hq · May 2, 2023 · 05d9266 · 05d9266
1 parent dbbc2a7
commit 05d9266
Show file tree

Hide file tree

Showing 10 changed files with 320 additions and 153 deletions.
diff --git a/CONTRIBUTING.md b/CONTRIBUTING.md
@@ -148,60 +148,54 @@ cargo run --manifest-path ../../../Cargo.toml --bin cargo-shuttle -- logs
 The steps outlined above starts all the services used by shuttle locally (ie. both `gateway` and `deployer`). However, sometimes you will want to quickly test changes to `deployer` only. To do this replace `make up` with the following:
 
 ```bash
-# first generate the local docker-compose file
+# if you didn't do this already, make the images
+USE_PANAMAX=disable make images
+
+# then generate the local docker-compose file
 make docker-compose.rendered.yml
 
 # then run it
 docker compose -f docker-compose.rendered.yml up provisioner
 ```
 
-This starts the provisioner and the auth service, while preventing `gateway` from starting up. Next up we need to
-insert an admin user into the `auth` state using the ID of the `auth` container and the auth CLI `init` command:
+This starts the provisioner and the auth service, while preventing `gateway` from starting up.
+Next up we need to insert an admin user into the `auth` state using the ID of the `auth`
+container and the auth CLI `init` command:
 
 ```bash
-AUTH_CONTAINER_ID=$(docker ps -aqf "name=shuttle-auth") \
+AUTH_CONTAINER_ID=$(docker ps -qf "name=auth") \
     docker exec $AUTH_CONTAINER_ID ./usr/local/bin/service \
     --state=/var/lib/shuttle-auth \
     init --name admin --key test-key
 ```
+> Note: if you have done this already for this container you will get a "UNIQUE constraint failed"
+> error, you can ignore this.
 
-Before we can run commands against a local deployer, we need to get a valid JWT and set it in our
-`.config/shuttle/config.toml` as our `api_key`. By running the following curl command, we will request
-that our api-key in the `Authorization` header be converted to a JWT, which will be returned in the response:
+We need to make sure we're logged in with the same key we inserted for the admin user in the
+previous step:
 
 ```bash
-curl -H "Authorization: Bearer test-key" localhost:8008/auth/key
+cargo shuttle login --api-key test-key
 ```
 
-Now copy the `token` value (just the value, not the key) from the curl response, and write it to your shuttle
-config (which will be a file named `config.toml` in a directory named `shuttle` in one of 
-[these places](https://docs.rs/dirs/latest/dirs/fn.config_dir.html) depending on your OS).
-
-```bash
-# replace <jwt> with the token from the previous command
-echo "api_key = '<jwt>'" > ~/.config/shuttle/config.toml
-```
+We're now ready to start a local run of the deployer:
 
-> Note: The JWT will expire in 15 minutes, at which point you need to run the commands again.
-> If you have [`jq`](https://github.com/stedolan/jq/wiki/Installation) installed you can combine
-> the two above commands into the following:
 ```bash
-curl -s -H "Authorization: Bearer test-key" localhost:8008/auth/key \
-    | jq -r '.token' \
-    | read token; echo "api_key='$token'" > ~/.config/shuttle/config.toml
+cargo run -p shuttle-deployer -- --provisioner-address http://localhost:5000 --auth-uri http://localhost:8008 --proxy-fqdn local.rs --admin-secret test-key --local --project <project_name>
 ```
 
-Finally we need to comment out the admin layer in the deployer handlers. So in `deployer/handlers/mod.rs`,
-in the `make_router` function comment out this line: `.layer(AdminSecretLayer::new(admin_secret))`.
+The `<project_name>` needs to match the name of the project that will be deployed to this deployer. This is the `Cargo.toml` or `Shuttle.toml` name for the project.
 
-And that's it, we're ready to start our deployer!
+Now that your local deployer is running, you can run commands against using the cargo-shuttle CLI.
+To do that you should navigate into an example, it needs to have the same project name as the
+one you submitted when starting the deployer above. Then you can use the CLI like you normally
+would:
 
 ```bash
-cargo run -p shuttle-deployer -- --provisioner-address http://localhost:8000 --proxy-fqdn local.rs --admin-secret test-key --project <project_name>
+# the manifest path is the path to the root shuttle manifest from the example directory
+cargo run --bin cargo-shuttle --manifest-path="../../../Cargo.toml" -- deploy
 ```
 
-The `--admin-secret` can safely be changed to your api-key to make testing easier. While `<project_name>` needs to match the name of the project that will be deployed to this deployer. This is the `Cargo.toml` or `Shuttle.toml` name for the project.
-
 ### Using Podman instead of Docker
 
 If you want to use Podman instead of Docker, you can configure the build process with environment variables.

diff --git a/Cargo.lock b/Cargo.lock
diff --git a/Cargo.toml b/Cargo.toml
@@ -16,11 +16,7 @@ members = [
 exclude = [
   "e2e",
   "examples",
-  "resources/aws-rds",
-  "resources/persist",
-  "resources/secrets",
-  "resources/shared-db",
-  "resources/static-folder",
+  "resources",
   "services",
 ]
 

diff --git a/auth/src/user.rs b/auth/src/user.rs
@@ -9,7 +9,7 @@ use axum::{
 };
 use rand::distributions::{Alphanumeric, DistString};
 use serde::{Deserialize, Deserializer, Serialize};
-use shuttle_common::claims::Scope;
+use shuttle_common::claims::{Scope, ScopeBuilder};
 use sqlx::{query, Row, SqlitePool};
 use tracing::{trace, Span};
 
@@ -185,33 +185,13 @@ pub enum AccountTier {
 
 impl From<AccountTier> for Vec<Scope> {
     fn from(tier: AccountTier) -> Self {
-        let mut base = vec![
-            Scope::Deployment,
-            Scope::DeploymentPush,
-            Scope::Logs,
-            Scope::Service,
-            Scope::ServiceCreate,
-            Scope::Project,
-            Scope::ProjectCreate,
-            Scope::Resources,
-            Scope::ResourcesWrite,
-            Scope::Secret,
-            Scope::SecretWrite,
-        ];
+        let mut builder = ScopeBuilder::new();
 
         if tier == AccountTier::Admin {
-            base.append(&mut vec![
-                Scope::User,
-                Scope::UserCreate,
-                Scope::AcmeCreate,
-                Scope::CustomDomainCreate,
-                Scope::CustomDomainCertificateRenew,
-                Scope::GatewayCertificateRenew,
-                Scope::Admin,
-            ]);
+            builder = builder.with_admin()
         }
 
-        base
+        builder.build()
     }
 }
 

diff --git a/common/Cargo.toml b/common/Cargo.toml
@@ -94,4 +94,4 @@ ring = { workspace = true }
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 tower = { workspace = true, features = ["util"] }
 tracing-fluent-assertions = "0.3.0"
-tracing-subscriber = { version = "0.3", default-features = false }
+tracing-subscriber = { workspace = true }
diff --git a/common/src/claims.rs b/common/src/claims.rs
@@ -88,6 +88,55 @@ pub enum Scope {
     Admin,
 }
 
+pub struct ScopeBuilder(Vec<Scope>);
+
+impl ScopeBuilder {
+    /// Create a builder with the standard scopes for new users.
+    pub fn new() -> Self {
+        Self(vec![
+            Scope::Deployment,
+            Scope::DeploymentPush,
+            Scope::Logs,
+            Scope::Service,
+            Scope::ServiceCreate,
+            Scope::Project,
+            Scope::ProjectCreate,
+            Scope::Resources,
+            Scope::ResourcesWrite,
+            Scope::Secret,
+            Scope::SecretWrite,
+        ])
+    }
+
+    /// Extend the current scopes with admin scopes.
+    pub fn with_admin(mut self) -> Self {
+        self.0.extend(vec![
+            Scope::Deployment,
+            Scope::DeploymentPush,
+            Scope::Logs,
+            Scope::Service,
+            Scope::ServiceCreate,
+            Scope::Project,
+            Scope::ProjectCreate,
+            Scope::Resources,
+            Scope::ResourcesWrite,
+            Scope::Secret,
+            Scope::SecretWrite,
+        ]);
+        self
+    }
+
+    pub fn build(self) -> Vec<Scope> {
+        self.0
+    }
+}
+
+impl Default for ScopeBuilder {
+    fn default() -> Self {
+        Self::new()
+    }
+}
+
 #[derive(Clone, Debug, Deserialize, Serialize, Eq, PartialEq)]
 pub struct Claim {
     /// Expiration time (as UTC timestamp).

diff --git a/deployer/src/args.rs b/deployer/src/args.rs
@@ -50,4 +50,8 @@ pub struct Args {
     /// Uri to folder to store all artifacts
     #[clap(long, default_value = "/tmp")]
     pub artifacts_path: PathBuf,
+
+    /// Add an auth layer to deployer for local development
+    #[arg(long)]
+    pub local: bool,
 }
diff --git a/deployer/src/handlers/local.rs b/deployer/src/handlers/local.rs
@@ -0,0 +1,86 @@
+use std::net::Ipv4Addr;
+
+use axum::{
+    headers::{authorization::Bearer, Authorization, Cookie, Header, HeaderMapExt},
+    http::Request,
+    middleware::Next,
+    response::Response,
+    Extension,
+};
+use hyper::{
+    client::{connect::dns::GaiResolver, HttpConnector},
+    Body, Client, StatusCode, Uri,
+};
+use hyper_reverse_proxy::ReverseProxy;
+use once_cell::sync::Lazy;
+use serde_json::Value;
+use tracing::error;
+
+static PROXY_CLIENT: Lazy<ReverseProxy<HttpConnector<GaiResolver>>> =
+    Lazy::new(|| ReverseProxy::new(Client::new()));
+
+/// This middleware proxies a request to the auth service to get a JWT, which we need to access
+/// the deployer endpoints, and we'll also need it in the claim layer of the provisioner and runtime
+/// clients.
+///
+/// Follow the steps in https://github.com/shuttle-hq/shuttle/blob/main/CONTRIBUTING.md#testing-deployer-only
+/// to learn how to insert an admin user in the auth state.
+///
+/// WARNING: do not set this layer in production.
+pub async fn set_jwt_bearer<B>(
+    Extension(auth_uri): Extension<Uri>,
+    mut request: Request<B>,
+    next: Next<B>,
+) -> Result<Response, StatusCode> {
+    let mut auth_details = None;
+
+    if let Some(bearer) = request.headers().typed_get::<Authorization<Bearer>>() {
+        auth_details = Some(make_token_request("/auth/key", bearer));
+    }
+
+    if let Some(cookie) = request.headers().typed_get::<Cookie>() {
+        auth_details = Some(make_token_request("/auth/session", cookie));
+    }
+
+    if let Some(token_request) = auth_details {
+        let response = PROXY_CLIENT
+            .call(
+                Ipv4Addr::LOCALHOST.into(),
+                &auth_uri.to_string(),
+                token_request,
+            )
+            .await
+            .expect("failed to proxy request to auth service");
+
+        let body = hyper::body::to_bytes(response.into_body()).await.unwrap();
+        let convert: Value = serde_json::from_slice(&body)
+            .expect("failed to deserialize body as JSON, did you login?");
+
+        let token = convert["token"]
+            .as_str()
+            .expect("response body should have a token");
+
+        request
+            .headers_mut()
+            .typed_insert(Authorization::bearer(token).expect("to set JWT token"));
+
+        let response = next.run(request).await;
+
+        Ok(response)
+    } else {
+        error!("No api-key bearer token or cookie found, make sure you are logged in.");
+        Err(StatusCode::UNAUTHORIZED)
+    }
+}
+
+fn make_token_request(uri: &str, header: impl Header) -> Request<Body> {
+    let mut token_request = Request::builder().uri(uri);
+    token_request
+        .headers_mut()
+        .expect("manual request to be valid")
+        .typed_insert(header);
+
+    token_request
+        .body(Body::empty())
+        .expect("manual request to be valid")
+}