Add authentication to the package server

Author: pbiggar

backend/experiments/CanvasHack/Main.fs

@@ -25,7 +25,10 @@ type CanvasHackConfig =
     CanvasId : Option<string>
 
     [<Legivel.Attributes.YamlField("main")>]
-    Main : string }
+    Main : string
+
+    [<Legivel.Attributes.YamlField("required-secrets")>]
+    requiredSecrets : Option<List<string>> }
 
 let parseYamlExn<'a> (filename : string) : 'a =
   let contents = System.IO.File.ReadAllText filename
@@ -56,7 +59,7 @@ let destroyCanvas (id : CanvasID) : Task<unit> =
   }
 
 
-let seedCanvas (canvasName : string) =
+let seedCanvas (canvasName : string) (secrets : Map<string, string>) =
   task {
     let canvasDir = $"{baseDir}/{canvasName}"
     let config = parseYamlExn<CanvasHackConfig> $"{canvasDir}/config.yml"
@@ -81,6 +84,21 @@ let seedCanvas (canvasName : string) =
     do! destroyCanvas canvasID
     do! LibCloud.Canvas.createWithExactID canvasID ownerID domain
 
+    match config.requiredSecrets with
+    | Some requiredSecrets ->
+      do!
+        requiredSecrets
+        |> Task.iterSequentially (fun secretName ->
+          task {
+            let secretValue =
+              Map.find secretName secrets
+              |> Exception.unwrapOptionInternal
+                "secret not found"
+                [ "secretName", secretName ]
+            do! LibCloud.Secret.insert canvasID secretName secretValue 0
+          })
+    | None -> ()
+
     let resolver =
       let builtIns =
         LibExecution.Builtin.combine
@@ -117,27 +135,6 @@ let seedCanvas (canvasName : string) =
     do! C.saveTLIDs canvasID tls
 
 
-    // now that the canvas has been seeded, load any secrets in a .secrets file
-    let secretsFileLocation = $"{canvasDir}/.secrets"
-
-    if System.IO.File.Exists secretsFileLocation then
-      // read this file
-      do!
-        secretsFileLocation
-        |> System.IO.File.ReadAllLines
-        |> Array.filter (String.startsWith "#" >> not)
-        |> Array.filter (String.isEmpty >> not)
-        |> Array.map (fun line ->
-          match line.Split('=') with
-          | [| key; value |] -> (key, value)
-          | _ -> Exception.raiseInternal "invalid .secrets file" [])
-        |> Array.toList
-        |> Task.iterSequentially (fun (k, v) ->
-          LibCloud.Secret.insert canvasID k v 0)
-    else
-      // we don't have secrets to load - we're done
-      ()
-
     let host = $"http://{domain}:{LibService.Config.bwdServerPort}"
     let experimentalHost = $"http://{domain}:{LibService.Config.bwdDangerServerPort}"
     print
@@ -152,15 +149,21 @@ let main (args : string[]) =
     initSerializers ()
 
     task {
-      match args with
-      | [||]
-      | [| "--help" |] ->
+      match Array.toList args with
+      | []
+      | [ "--help" ] ->
         print $"`canvas-hack {CommandNames.import}` to load dark-editor from disk"
 
-      | [| canvasName |]
-      | [| CommandNames.import; canvasName |] ->
+      | CommandNames.import :: canvasName :: secrets ->
         print $"Loading canvas {canvasName} from disk"
-        do! seedCanvas canvasName
+        let secrets =
+          secrets
+          |> List.map (fun s ->
+            match String.split "=" s with
+            | [ name; value ] -> name, value
+            | _ -> Exception.raiseInternal  $"Invalid secret {s}" [])
+          |> Map.ofList
+        do! seedCanvas canvasName secrets
 
       | _ ->
         let args = args |> Array.toList |> String.concat " "

backend/src/LocalExec/local-exec.dark

@@ -25,15 +25,16 @@ let listPackageFilesOnDisk (dir: String) : List<String> =
 
 
 let saveItemToCanvas
-  (host: String)
   (json: String)
+  (host: String)
+  (password: String)
   (name: String)
   : PACKAGE.Darklang.Stdlib.Result.Result<Unit, String> =
   let response =
     PACKAGE.Darklang.Stdlib.HttpClient.request
       "POST"
       $"{host}/{name}s"
-      []
+      [PACKAGE.Darklang.Stdlib.HttpClient.bearerToken password]
       (PACKAGE.Darklang.Stdlib.String.toBytes json)
 
   let errMsg = $"Error saving {name} to canvas"
@@ -51,6 +52,7 @@ let saveItemToCanvas
       Builtin.printLine
         $"Body: {response.body |> PACKAGE.Darklang.Stdlib.String.fromBytesWithReplacement}"
 
+      Builtin.printLine $"pw[{password}]"
       Builtin.printLine errMsg
       PACKAGE.Darklang.Stdlib.Result.Result.Error errMsg
   | Error err ->
@@ -62,7 +64,8 @@ let saveItemToCanvas
 
 
 let loadPackageFileIntoDarkCanvas
-  (host : string)
+  (host: String)
+  (password: String)
   (filename: String)
   : PACKAGE.Darklang.Stdlib.Result.Result<Unit, String> =
   let package =
@@ -78,44 +81,56 @@ let loadPackageFileIntoDarkCanvas
     |> PACKAGE.Darklang.Stdlib.List.map (fun fn ->
       let owner = fn.name.owner
       let modules = fn.name.modules |> PACKAGE.Darklang.Stdlib.String.join "."
-      let name = match fn.name.name with
-                     | FnName name -> name
+
+      let name =
+        match fn.name.name with
+        | FnName name -> name
+
       let version = PACKAGE.Darklang.Stdlib.Int64.toString_v0 fn.name.version
-      let name  = $"Function {owner}.{modules}.{name}_v{version}"
+      let name = $"Function {owner}.{modules}.{name}_v{version}"
 
       Builtin.printLine $"Saving {name}"
+
       fn
       |> Builtin.Json.serialize<PACKAGE.Darklang.LanguageTools.ProgramTypes.PackageFn.PackageFn>
-      |> saveItemToCanvas host "function")
+      |> saveItemToCanvas host password "function")
 
   let typeResults =
     package.types
     |> PACKAGE.Darklang.Stdlib.List.map (fun t ->
 
       let owner = t.name.owner
       let modules = t.name.modules |> PACKAGE.Darklang.Stdlib.String.join "."
-      let name = match t.name.name with
-                     | TypeName name -> name
+
+      let name =
+        match t.name.name with
+        | TypeName name -> name
+
       let version = PACKAGE.Darklang.Stdlib.Int64.toString_v0 t.name.version
-      let name  = $"Type {owner}.{modules}.{name}_v{version}"
+      let name = $"Type {owner}.{modules}.{name}_v{version}"
       Builtin.printLine $"Saving {name}"
+
       t
       |> Builtin.Json.serialize<PACKAGE.Darklang.LanguageTools.ProgramTypes.PackageType>
-      |> saveItemToCanvas host "type")
+      |> saveItemToCanvas host password "type")
 
   let constantResults =
     package.constants
     |> PACKAGE.Darklang.Stdlib.List.map (fun c ->
       let owner = c.name.owner
       let modules = c.name.modules |> PACKAGE.Darklang.Stdlib.String.join "."
-      let name = match c.name.name with
-                     | ConstantName name -> name
+
+      let name =
+        match c.name.name with
+        | ConstantName name -> name
+
       let version = PACKAGE.Darklang.Stdlib.Int64.toString_v0 c.name.version
-      let name  = $"Constant {owner}.{modules}.{name}_v{version}"
+      let name = $"Constant {owner}.{modules}.{name}_v{version}"
       Builtin.printLine $"Saving {name}"
+
       c
       |> Builtin.Json.serialize<PACKAGE.Darklang.LanguageTools.ProgramTypes.PackageConstant>
-      |> saveItemToCanvas host "constant")
+      |> saveItemToCanvas host password "constant")
 
   // Flatten all the result lists into one list
   let allResults =
@@ -174,7 +189,7 @@ let printAllPackagesInDb () : Unit =
 // parse args and execute
 type CliOptions =
   | Help
-  | LoadPackagesIntoDarkCanvas of String
+  | LoadPackagesIntoDarkCanvas of String * String
   | ListPackages
   | BadOption of String
 
@@ -184,7 +199,7 @@ let usage () : String =
     Options:
       -h, --help          Show this help message and exit
       load-packages-dlio  Load packages from disk into local dark packages canvas
-      load-packages-darklang-com  Load packages from disk into production packages canvas
+      load-packages-darklang-com PASSWORD Load packages from disk into production packages canvas
       list-packages       List packages
   "
 
@@ -199,8 +214,10 @@ let parseArgs (args: List<String>) : CliOptions =
   | [ "load-packages" ] ->
     CliOptions.BadOption
       "`load-packages` now executes in F# (not sure how you got here)"
-  | [ "load-packages-dlio" ] -> CliOptions.LoadPackagesIntoDarkCanvas "http://dark-packages.dlio.localhost:11003"
-  | [ "load-packages-darklang-com" ] -> CliOptions.LoadPackagesIntoDarkCanvas "https://packages.darklang.com"
+  | [ "load-packages-dlio" ] ->
+    CliOptions.LoadPackagesIntoDarkCanvas("http://dark-packages.dlio.localhost:11003", "password")
+  | [ "load-packages-darklang-com", password ] ->
+    CliOptions.LoadPackagesIntoDarkCanvas("https://packages.darklang.com", password)
 
   | _ -> CliOptions.BadOption "Invalid arguments"
 
@@ -216,8 +233,10 @@ let main (args: List<String>) : Int64 =
     printAllPackagesInDb ()
     0L
 
-  | LoadPackagesIntoDarkCanvas host ->
-    let files = (listPackageFilesOnDisk "/home/dark/app/packages") |> PACKAGE.Darklang.Stdlib.List.sort
+  | LoadPackagesIntoDarkCanvas(host, password) ->
+    let files =
+      (listPackageFilesOnDisk "/home/dark/app/packages")
+      |> PACKAGE.Darklang.Stdlib.List.sort
 
     // Wait for canvas to be ready
     let available =
@@ -228,11 +247,7 @@ let main (args: List<String>) : Int64 =
           match found with
           | Ok() -> PACKAGE.Darklang.Stdlib.Result.Result.Ok()
           | Error _ ->
-            (PACKAGE.Darklang.Stdlib.HttpClient.request
-              "GET"
-              $"{host}/health"
-              []
-              [])
+            (PACKAGE.Darklang.Stdlib.HttpClient.request "GET" $"{host}/health" [] [])
             |> PACKAGE.Darklang.Stdlib.Result.map (fun _ -> ())
             |> PACKAGE.Darklang.Stdlib.Result.mapError (fun err ->
               let errMsg = PACKAGE.Darklang.Stdlib.HttpClient.toString err
@@ -259,7 +274,7 @@ let main (args: List<String>) : Int64 =
             match acc with
             | Error _err -> acc
             | Ok() ->
-              match loadPackageFileIntoDarkCanvas host f with
+              match loadPackageFileIntoDarkCanvas host password f with
               | Error err ->
                 PACKAGE.Darklang.Stdlib.Result.Result.Error(
                   $"Failed to load packages from {f}:\n" ++ err

canvases/dark-packages/config.yml

@@ -1,3 +1,5 @@
 version: 2
 id: 11111111-1111-1111-1111-111111111112
 main: main
+required-secrets:
+  - AUTH_PASSWORD