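require 'base64'
require 'fileutils'
require 'uri'
require 'aptible/auth'
require 'thor'
require 'json'
require 'chronic_duration'

require_relative 'helpers/ssh'
require_relative 'helpers/token'
require_relative 'helpers/operation'
require_relative 'helpers/environment'
require_relative 'helpers/app'
require_relative 'helpers/database'
require_relative 'helpers/app_or_database'
require_relative 'helpers/vhost'
require_relative 'helpers/vhost/option_set_builder'
require_relative 'helpers/tunnel'
require_relative 'helpers/system'
require_relative 'helpers/security_key'
require_relative 'helpers/config_path'
require_relative 'helpers/log_drain'
require_relative 'helpers/metric_drain'

require_relative 'subcommands/apps'
require_relative 'subcommands/config'
require_relative 'subcommands/db'
require_relative 'subcommands/environment'
require_relative 'subcommands/logs'
require_relative 'subcommands/rebuild'
require_relative 'subcommands/deploy'
require_relative 'subcommands/restart'
require_relative 'subcommands/services'
require_relative 'subcommands/ssh'
require_relative 'subcommands/backup'
require_relative 'subcommands/operation'
require_relative 'subcommands/inspect'
require_relative 'subcommands/endpoints'
require_relative 'subcommands/log_drain'
require_relative 'subcommands/metric_drain'

module Aptible
  module CLI
    # Top-level Thor command tree for the Aptible CLI. The subcommand modules
    # mixed in below contribute the individual commands; this class owns the
    # `version` and `login` commands plus the startup checks run from
    # `initialize`.
    #
    # NOTE: Thor turns every *public* instance method into a command, so any
    # helper added to this class must live below `private`.
    class Agent < Thor
      include Thor::Actions
      include Helpers::Token
      include Helpers::Ssh
      include Helpers::System
      include Helpers::ConfigPath

      include Subcommands::Apps
      include Subcommands::Config
      include Subcommands::DB
      include Subcommands::Environment
      include Subcommands::Logs
      include Subcommands::Rebuild
      include Subcommands::Deploy
      include Subcommands::Restart
      include Subcommands::Services
      include Subcommands::SSH
      include Subcommands::Backup
      include Subcommands::Operation
      include Subcommands::Inspect
      include Subcommands::Endpoints
      include Subcommands::LogDrain
      include Subcommands::MetricDrain

      # Upper bound on second-factor round-trips during `login`. Without a
      # bound, a server that keeps answering `otp_token_required` (for example
      # when a stale `--otp_token` is supplied non-interactively, so no prompt
      # ever appears) would make the retry loop below spin forever.
      MAX_MFA_ATTEMPTS = 3

      # Forward return codes on failures.
      def self.exit_on_failure?
        true
      end

      # Runs the source-install nag, sets the API user agent and the SSO
      # enforcement advisory before Thor dispatches the command.
      def initialize(*)
        nag_toolbelt unless toolbelt?
        Aptible::Resource.configure { |conf| conf.user_agent = version_string }
        warn_sso_enforcement
        super
      end

      desc 'version', 'Print Aptible CLI version'
      def version
        Formatter.render(Renderer.current) do |root|
          root.keyed_object('version') do |node|
            node.value('version', version_string)
          end
        end
      end

      desc 'login', 'Log in to Aptible'
      option :email
      # Security note: a value passed via --password or --sso on the command
      # line is visible in shell history and in process listings on shared
      # hosts. The interactive prompts (password echo off, token paste) used
      # when these options are absent avoid that exposure.
      option :password
      option :lifetime, desc: 'The duration the token should be valid for ' \
                              '(example usage: 24h, 1d, 600s, etc.)'
      option :otp_token, desc: 'A token generated by your second-factor app'
      option :sso, desc: 'Use a token from a Single Sign On login on the ' \
                         'dashboard'
      # Obtains an access token (SSO paste, or email/password plus an optional
      # second factor) and persists it via `save_token`.
      #
      # @raise [Thor::Error] on a malformed SSO token, an invalid --lifetime,
      #   a non-MFA authentication failure, or too many MFA round-trips.
      def login
        return login_with_sso(options[:sso]) if options[:sso]

        email = options[:email] || ask('Email: ')
        password = options[:password] || ask_then_line(
          'Password: ', echo: false
        )

        token_options = { email: email, password: password }
        otp_token = options[:otp_token]
        token_options[:otp_token] = otp_token if otp_token

        mfa_attempts = 0
        begin
          # Recomputed on every attempt: the default shrinks to 12h once a
          # second factor has been attached to token_options.
          token_options[:expires_in] = requested_lifetime(token_options)
          token = Aptible::Auth::Token.create(token_options)
        rescue OAuth2::Error => e
          # If MFA is required but a token wasn't provided, prompt the user
          # for MFA authentication and retry (bounded by MAX_MFA_ATTEMPTS).
          if e.code != 'otp_token_required'
            raise Thor::Error, 'Could not authenticate with given ' \
                               "credentials: #{e.code}"
          end

          mfa_attempts += 1
          if mfa_attempts > MAX_MFA_ATTEMPTS
            raise Thor::Error, 'Could not authenticate: too many ' \
                               'second-factor attempts'
          end

          collect_second_factor(token_options, e.response.parsed)
          retry
        end

        save_token(token.access_token)
        CLI.logger.info "Token written to #{token_file}"

        lifetime_format = { units: 2, joiner: ', ' }
        token_lifetime = (token.expires_at - token.created_at).round
        expires_in = ChronicDuration.output(token_lifetime, lifetime_format)
        CLI.logger.info "This token will expire after #{expires_in} " \
                        '(use --lifetime to customize)'
      end

      private

      # SSO branch of `login`. `token == 'sso'` is what Thor yields for a bare
      # `--sso` flag (no value), in which case the token is prompted for.
      #
      # Only the token's *shape* is checked here (first dot-separated segment
      # must be base64url); nothing is verified locally -- the API validates
      # the token when it is used. Errors from `save_token` (permissions,
      # disk) propagate with their own message instead of being misreported
      # as an invalid token.
      #
      # @raise [Thor::Error] when the token does not look like a JWT
      def login_with_sso(token)
        token = ask('Paste token copied from Dashboard:') if token == 'sso'
        unless sso_token_shaped?(token)
          raise Thor::Error, 'Invalid token provided for SSO'
        end

        save_token(token)
        CLI.logger.info "Token written to #{token_file}"
      end

      # True when the first dot-separated segment of +token+ is non-empty and
      # decodes as base64url. A nil or empty token is rejected rather than
      # raising from Base64.
      def sso_token_shaped?(token)
        header = token.to_s.split('.').first
        return false if header.nil? || header.empty?

        Base64.urlsafe_decode64(header)
        true
      rescue ArgumentError
        false
      end

      # Resolves the token lifetime in seconds: --lifetime if given, else 12h
      # when a second factor is attached, else 1w. No client-side upper bound
      # is applied; presumably the API caps this -- verify server-side.
      #
      # @raise [Thor::Error] when --lifetime cannot be parsed
      def requested_lifetime(token_options)
        default = (token_options[:otp_token] || token_options[:u2f]) ? '12h' : '1w'
        lifetime = options[:lifetime] || default
        duration = ChronicDuration.parse(lifetime)
        if duration.nil?
          raise Thor::Error, "Invalid token lifetime requested: #{lifetime}"
        end

        duration
      end

      # Collects a second factor into +token_options+: a security-key
      # assertion (when the server advertises U2F and libfido2's
      # fido2-assert/fido2-token are on PATH) raced against a typed OTP.
      # Whichever completes first wins; the other thread is killed.
      #
      # https://developers.yubico.com/libfido2/Manuals
      # installation: https://github.com/Yubico/libfido2#installation
      def collect_second_factor(token_options, error_payload)
        u2f = (error_payload['exception_context'] || {})['u2f']

        q = Queue.new
        mfa_threads = []

        if u2f && !which('fido2-assert').nil? && !which('fido2-token').nil?
          origin = Aptible::Auth::Resource.new.get.href
          app_id = Aptible::Auth::Resource.new.utf_trusted_facets.href
          challenge = u2f.fetch('challenge')
          device_info = security_key_device(u2f, app_id)

          if device_info[:locations].count > 0 && device_info[:device]
            puts "\nEnter your 2FA token or touch your Security Key " \
                 'once it starts blinking.'

            mfa_threads << Thread.new do
              token_options[:u2f] = Helpers::SecurityKey.authenticate(
                origin, app_id, challenge,
                device_info[:device], device_info[:locations]
              )
              puts ''
              q.push(nil)
            end
          end
        end

        mfa_threads << Thread.new do
          token_options[:otp_token] = options[:otp_token] || ask(
            '2FA Token: '
          )
          q.push(nil)
        end

        # Block until one of the threads completes, then tear the rest down.
        q.pop
        mfa_threads.each do |thr|
          sleep 0.5 until thr.status != 'run'
          thr.kill
        end.each(&:join)
      end

      # Builds the Device records advertised by the server and picks the one
      # to pass to fido2-assert, returning
      # `{ locations: [...], device: Device-or-nil }`.
      #
      # @raise [Error] when keys are attached but the user has no credentials
      #   (`Error` resolves lexically; left as-is to preserve the raised type)
      def security_key_device(u2f, app_id)
        devices = u2f.fetch('devices').map do |dev|
          version = dev.fetch('version')
          # U2F_V2 credentials are scoped to the app id; newer ones carry
          # their relying-party id in the payload.
          rp_id = version == 'U2F_V2' ? app_id : u2f['payload']['rpId']
          Helpers::SecurityKey::Device.new(
            version, dev.fetch('key_handle'), dev.fetch('name'), rp_id
          )
        end

        result = { locations: [], device: nil }
        device_locations = Helpers::SecurityKey.device_locations

        if device_locations.count.zero?
          CLI.logger.warn('WARNING: no security keys detected on machine')
          return result
        end

        result[:locations] = device_locations
        raise Error, 'No credentials associated with user' if devices.count.zero?

        result[:device] =
          devices.count > 1 ? security_credential(devices) : devices.first
        result
      end

      # The name for our backend model is U2FDevice.
      # However, really what we are storing is a security credential.
      # Here we figure out which security credential to pass to fido2-assert.
      # Loops until the user enters an index that maps to a credential.
      def security_credential(devices)
        puts 'There are multiple credentials associated ' \
             'with this user. Please select the ' \
             "credential you want to use for authentication:\n"

        chosen = nil
        while chosen.nil?
          devices.each_with_index { |dev, index| puts "#{index}: #{dev.name}" }
          puts ''
          answer = ask('Enter the credential number you want to use: ')
          # \A..\z anchor the whole string (^/$ would match per line).
          # https://stackoverflow.com/a/1235990
          next unless /\A\d+\z/ =~ answer

          chosen = devices[answer.to_i]
        end
        chosen
      end

      def deprecated(msg)
        CLI.logger.warn([
          "DEPRECATION NOTICE: #{msg}",
          'Please contact support@aptible.com with any questions.'
        ].join("\n"))
      end

      # Warns, at most every 12 hours, when the CLI was installed from source
      # rather than via the toolbelt. The timestamp of the last warning is
      # kept in `.aptible/nag_toolbelt` (mode 0600).
      def nag_toolbelt
        # If you're reading this, it's possible you decided to not use the
        # toolbelt and are a looking for a way to disable this warning. Look no
        # further: to do so, edit the file `.aptible/nag_toolbelt` and put a
        # timestamp far into the future. For example, writing 1577836800 will
        # disable the warning until 2020.
        nag_file = File.join aptible_config_path, 'nag_toolbelt'
        nag_frequency = 12.hours # Integer#hours is ActiveSupport, loaded by a dependency

        last_nag = begin
          Integer(File.read(nag_file))
        rescue Errno::ENOENT, ArgumentError
          0 # missing or unparsable file: treat as never nagged
        end

        now = Time.now.utc.to_i
        return unless last_nag < now - nag_frequency

        CLI.logger.warn([
          'You have installed the Aptible CLI from source.',
          'This is not recommended: some functionality may not work!',
          'Review this support topic for more information:',
          'https://www.aptible.com/support/topics/cli/how-to-install-cli/'
        ].join("\n"))

        FileUtils.mkdir_p(File.dirname(nag_file))
        File.open(nag_file, 'w', 0o600) { |f| f.write(now.to_s) }
      end

      # Best-effort advisory run on every invocation: lists organizations the
      # current token cannot access because they require a different login
      # method. Any failure (no token, network error) is deliberately
      # swallowed so the check can never block a command.
      def warn_sso_enforcement
        token = fetch_token
        reauth = Aptible::Auth::ReauthenticateOrganization.all(token: token)
        return if reauth.empty?

        CLI.logger.warn(['WARNING: You will need to use the appropriate',
                         'login method (SSO or Aptible credentials) to access',
                         'these organizations:', reauth.map(&:name)].join(' '))
      rescue StandardError
        nil
      end

      # User-agent string, e.g. "aptible-cli v1.2.3 toolbelt".
      def version_string
        bits = ['aptible-cli', "v#{Aptible::CLI::VERSION}"]
        bits << 'toolbelt' if toolbelt?
        bits.join ' '
      end

      def toolbelt?
        ENV['APTIBLE_TOOLBELT']
      end
    end
  end
end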