save state lock requests in their own model

Author: cnuss

src/controllers/ControllerV1.ts

@@ -13,7 +13,7 @@ import {
   Tags,
   TsoaResponse,
 } from 'tsoa';
-import { StateLockRequest } from '../models/interfaces';
+import { StateLockRequest } from '../models/interfaces/StateLockRequest';
 import { GithubService } from '../services/GithubService';
 import { StateService } from '../services/StateService';
 
@@ -44,7 +44,8 @@ export class ControllerV1 extends Controller {
     @Body() state: any,
     @Res() res: TsoaResponse<200, void>,
   ): Promise<void> {
-    const identity = await this.githubService.getIdentity(request);
+    const stateLockRequest = await this.stateService.getRequest(id);
+    const identity = await this.githubService.getIdentity(request, stateLockRequest);
     await this.stateService.saveState(identity, id, state);
     const response = res(200);
     return response;
@@ -53,22 +54,24 @@ export class ControllerV1 extends Controller {
   @Put('lock')
   public async lockState(
     @Request() request: HttpRequest,
-    @Body() stateLockRequest: StateLockRequest,
+    @Body() lockRequest: StateLockRequest,
     @Res() res: TsoaResponse<200, boolean>,
   ): Promise<boolean> {
-    const identity = await this.githubService.getIdentity(request);
-    await this.stateService.lockState(identity, stateLockRequest, 30);
+    const stateLockRequest = await this.stateService.saveRequest(lockRequest);
+    const identity = await this.githubService.getIdentity(request, stateLockRequest);
+    await this.stateService.lockState(identity, stateLockRequest);
     const response = res(200, true);
     return response;
   }
 
   @Delete('lock')
   public async unlockState(
     @Request() request: HttpRequest,
-    @Body() stateLockRequest: StateLockRequest,
+    @Body() lockRequest: StateLockRequest,
     @Res() res: TsoaResponse<200, boolean>,
   ): Promise<boolean> {
-    const identity = await this.githubService.getIdentity(request);
+    const stateLockRequest = await this.stateService.getRequest(lockRequest.ID);
+    const identity = await this.githubService.getIdentity(request, stateLockRequest);
     await this.stateService.unlockState(identity, stateLockRequest);
     const response = res(200, true);
     return response;

src/controllers/HealthController.ts

@@ -3,7 +3,7 @@ import packageJson from '../../package.json';
 
 export type HealthResponse = {
   name: string;
-  healty: boolean;
+  healthy: boolean;
   now: Date;
   version: string;
 };
@@ -15,7 +15,7 @@ export class HealthController extends Controller {
   public async get(): Promise<HealthResponse> {
     return {
       name: packageJson.name,
-      healty: true,
+      healthy: true,
       now: new Date(),
       version: packageJson.version,
     };

src/models/StateLockRequestModel.ts

@@ -0,0 +1,59 @@
+import {
+  Joi,
+  Model,
+  SERVICE_NAME,
+  STAGE,
+  Table,
+  unmarshallDynamoDBImage,
+} from '@scaffoldly/serverless-util';
+import { StreamRecord } from 'aws-lambda';
+import { StateLockRequest } from './interfaces/StateLockRequest';
+import { stateLockRequest } from './schemas/StateLockRequest';
+
+const TABLE_SUFFIX = '';
+
+export class StateLockRequestModel {
+  public readonly table: Table<StateLockRequest>;
+
+  public readonly model: Model<StateLockRequest>;
+
+  constructor() {
+    this.table = new Table(TABLE_SUFFIX, SERVICE_NAME, STAGE, stateLockRequest, 'pk', 'sk', [
+      { hashKey: 'sk', rangeKey: 'pk', name: 'sk-pk-index', type: 'global' },
+    ]);
+
+    this.model = this.table.model;
+  }
+
+  // eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
+  static prefix = (col: 'pk' | 'sk', value?: any): string => {
+    if (col === 'pk') {
+      return `lock_${value || ''}`;
+    }
+    return `statelock`;
+  };
+
+  // eslint-disable-next-line @typescript-eslint/explicit-module-boundary-types
+  static isStateLock = (record: StreamRecord): boolean => {
+    if (!record) {
+      return false;
+    }
+
+    const check = unmarshallDynamoDBImage(record.Keys) as { pk: string; sk: string };
+
+    if (!check.pk || !check.sk || typeof check.pk !== 'string' || typeof check.sk !== 'string') {
+      return false;
+    }
+
+    const { pk, sk } = check;
+
+    try {
+      Joi.assert(pk, stateLockRequest.pk);
+      Joi.assert(sk, stateLockRequest.sk);
+    } catch (e) {
+      return false;
+    }
+
+    return true;
+  };
+}

src/models/schemas/StateLock.ts

@@ -1,15 +1,5 @@
 import Joi from 'joi';
 
-export const stateLockRequest = Joi.object({
-  ID: Joi.string().required(),
-  Operation: Joi.string().required(),
-  Info: Joi.string().allow('').optional(),
-  Who: Joi.string().required(),
-  Version: Joi.string().required(),
-  Created: Joi.string().required(),
-  Path: Joi.string().allow('').required(),
-}).label('StateLockRequest');
-
 export const stateLock = {
   pk: Joi.string()
     .regex(/github_(.*)/) // github_${orgId}
@@ -25,8 +15,6 @@ export const stateLock = {
   id: Joi.string().required(),
   path: Joi.string().allow('').required(),
   lockedBy: Joi.string().required(),
-  request: stateLockRequest.required(),
-  expires: Joi.number().required(),
 };
 
 export const stateLockSchema = Joi.object(stateLock).label('StateLock');

src/models/schemas/StateLockRequest.ts

@@ -0,0 +1,27 @@
+import Joi from 'joi';
+
+export const stateLockRequest = {
+  pk: Joi.string()
+    .regex(/lock_(.*)/) // lock_${ID}
+    .optional(),
+  sk: Joi.string()
+    .regex(/statelock/) // statelock
+    .optional(),
+  ID: Joi.string().required(),
+  Operation: Joi.string().required(),
+  Info: Joi.string().allow('').optional(),
+  Who: Joi.string().required(),
+  Version: Joi.string().required(),
+  Created: Joi.string().required(),
+  Path: Joi.string().allow('').required(),
+  stateLock: Joi.object({
+    pk: Joi.string().required(),
+    sk: Joi.string().required(),
+  }).optional(),
+  identity: Joi.object({
+    pk: Joi.string().required(),
+    sk: Joi.string().required(),
+  }),
+};
+
+export const stateLockRequestSchema = Joi.object(stateLockRequest).label('StateLockRequest');

src/services/GithubService.ts

@@ -4,6 +4,7 @@ import { TerraformError } from '../interfaces/errors';
 import { Identity } from '../models/interfaces';
 import crypto from 'crypto';
 import { IdentityModel } from '../models/IdentityModel';
+import { StateLockRequest } from '../models/interfaces/StateLockRequest';
 // import seedrandom from 'seedrandom';
 
 export type IdentityWithToken = Identity & {
@@ -25,7 +26,10 @@ export class GithubService {
     this.identityModel = new IdentityModel();
   }
 
-  public getIdentity = async (request: HttpRequest): Promise<IdentityWithToken> => {
+  public getIdentity = async (
+    request: HttpRequest,
+    stateLockRequest?: StateLockRequest,
+  ): Promise<IdentityWithToken> => {
     const { authorization } = request.headers;
     if (!authorization) {
       throw new TerraformError(401);
@@ -46,11 +50,6 @@ export class GithubService {
 
     const [username, password] = decoded.split(':');
 
-    // Unauthenticated state storage for localstack
-    if (username === 'localstack' && password === 'localstack') {
-      return this.inferLocalstackIdentity();
-    }
-
     let owner: string | undefined;
     let repo: string | undefined;
     let workspace: string | undefined;
@@ -80,7 +79,7 @@ export class GithubService {
     }
 
     try {
-      const identity = await this.inferIdentity(password, owner, repo, workspace);
+      const identity = await this.inferIdentity(password, owner, repo, workspace, stateLockRequest);
 
       console.log(
         `Using identity: ${identity.owner}/${identity.repo} [${identity.ownerId}/${identity.repoId}]`,
@@ -101,24 +100,31 @@ export class GithubService {
     owner?: string,
     repo?: string,
     workspace?: string,
+    stateLockRequest?: StateLockRequest,
   ): Promise<Identity> => {
     const tokenSha = crypto.createHash('sha256').update(auth).digest().toString('base64');
 
     console.log(
-      `Inferring identity (auth: ${auth} sha: ${tokenSha} owner: ${owner}, repo: ${repo}, workspace: ${workspace})`,
+      `Inferring identity (auth: ${auth} sha: ${tokenSha} owner: ${owner}, repo: ${repo}, workspace: ${workspace}, stateLockRequest; ${stateLockRequest})`,
     );
 
-    // TODO Expire stored identities
-    const storedIdentity = await this.identityModel.model.get(
-      IdentityModel.prefix('pk', tokenSha),
-      IdentityModel.prefix('sk'),
-    );
+    let storedIdentity: Identity | undefined;
+
+    if (stateLockRequest && stateLockRequest.identity) {
+      const { pk, sk } = stateLockRequest.identity;
 
-    if (storedIdentity) {
-      // Terraform planfiles contain backend configurations from plan operations
-      // Return the previously known identy from the plan operation
+      const identity = await this.identityModel.model.get(pk, sk);
+
+      if (identity) {
+        storedIdentity = identity.attrs;
+      }
+    }
+
+    if (storedIdentity && stateLockRequest && stateLockRequest.Operation === 'OperationTypeApply') {
+      // Terraform planfiles contain credentials from plan operations
+      // Return the previously known identity from the plan operation
       console.log(`Found previously known identity (sha: ${tokenSha})`);
-      return { ...storedIdentity.attrs, workspace: workspace || 'default' };
+      return { ...storedIdentity, workspace: workspace || 'default' };
     }
 
     const octokit = new Octokit({ auth });
@@ -212,33 +218,4 @@ export class GithubService {
       `Unable to determine owner and/or repository from token privileges. Ensure \`username\` is in the format of \`{owner}/{repository}\`, and the provided \`password\` (a GitHub token) has access to that repository.`,
     );
   };
-
-  // TODO: support 'who' from State Lock Request
-  private inferLocalstackIdentity = (who = 'unknown@unknown'): IdentityWithToken => {
-    const tokenSha = crypto.createHash('sha256').update(who).digest().toString('base64');
-
-    const [username, host] = who.split('@');
-    if (!username || !host) {
-      throw new Error(`Invalid format for \`Who\` on state lock request`);
-    }
-
-    // Set IDs as negative so they're clearly out of valid range
-    // const ownerId = seedrandom(host).int32() * -1;
-    // const repoId = seedrandom(username).int32() * -1;
-
-    return {
-      pk: IdentityModel.prefix('pk', tokenSha),
-      sk: IdentityModel.prefix('sk'),
-      owner: host,
-      ownerId: -1,
-      repo: username,
-      repoId: -1,
-      token: who,
-      tokenSha: tokenSha,
-      workspace: 'default',
-      meta: {
-        name: 'localstack',
-      },
-    };
-  };
 }