Merge pull request #152 from fensak-io/main

Release

Author: yorinasub17

config/custom-environment-variables.json5

@@ -5,6 +5,7 @@
 {
   env: "FENSAK_ENV",
   appURL: "FENSAK_APP_URL",
+  dashboardAppURL: "FENSAK_DASHBOARD_APP_URL",
   configFileSizeLimit: {
     __name: "FENSAK_CONFIG_FILE_SIZE_LIMIT",
     __format: "number",
@@ -21,8 +22,8 @@
     __name: "FENSAK_PLAN_REPO_LIMITS",
     __format: "json",
   },
-  plansAllowedMultipleOrgs: {
-    __name: "FENSAK_PLANS_ALLOWED_MULTIPLE_ORGS",
+  plansAllowedMultipleAccounts: {
+    __name: "FENSAK_PLANS_ALLOWED_MULTIPLE_ACCOUNTS",
     __format: "json",
   },
   managementAPI: {
@@ -31,6 +32,10 @@
       __format: "boolean",
     },
     eventSecretKey: "FENSAK_MANAGEMENT_API_EVENT_SECRET_KEY",
+    sharedCryptoEncryptionKeys: {
+      __name: "FENSAK_MANAGEMENT_API_SHARED_CRYPTO_ENCRYPTION_KEYS",
+      __format: "json",
+    },
     allowedCORSOrigins: {
       __name: "FENSAK_MANAGEMENT_API_ALLOWED_CORS_ORIGINS",
       __format: "json",

config/default.json5

@@ -12,6 +12,10 @@
   // The URL where the app is hosted. Used for constructing self-referencing URLs for the app.
   appURL: "",
 
+  // The URL where the dashboard app is hosted. Used for constructing redirecting URLs for certain workflows
+  // (e.g., post install redirect for BitBucket).
+  dashboardAppURL: "",
+
   // The maximum size of config files that can be accepted (in bytes).
   configFileSizeLimit: 1024000,
 
@@ -28,8 +32,8 @@
     "": 5,
   },
 
-  // A list of subscription plan names that are allowed to link multiple Orgs.
-  plansAllowedMultipleOrgs: [],
+  // A list of subscription plan names that are allowed to link multiple Accounts.
+  plansAllowedMultipleAccounts: [],
 
   /**
    * Settings related to the management API.
@@ -41,6 +45,9 @@
     // The secret key for signing webhook events.
     eventSecretKey: "",
 
+    // A set of shared secret keys to use for encrypting secrets that can be decrypted by multiple Fensak services.
+    sharedCryptoEncryptionKeys: [],
+
     // Allowed CORS origins.
     allowedCORSOrigins: [],
   },

deployments/dev/app.docker-compose.yml

@@ -34,6 +34,7 @@ services:
       - "FENSAK_GITHUB_OAUTH_APP_CLIENT_ID"
       - "FENSAK_GITHUB_OAUTH_APP_CLIENT_SECRET"
       - "FENSAK_MANAGEMENT_API_EVENT_SECRET_KEY"
+      - "FENSAK_MANAGEMENT_API_SHARED_CRYPTO_ENCRYPTION_KEYS"
       - "FENSAK_MANAGEMENT_API_ALLOWED_CORS_ORIGINS"
       - "FENSAK_PLAN_REPO_LIMITS"
       - "FENSAK_PLANS_ALLOWED_MULTIPLE_ORGS"

logging/logger.ts

@@ -43,10 +43,12 @@ export function logConfig(): void {
     logger.info(`\t- ${key}: ${repoLimits[key]}`);
   }
 
-  const plansAllowedMultipleOrgs = config.get("plansAllowedMultipleOrgs");
-  if (plansAllowedMultipleOrgs.length > 0) {
-    logger.info("plansAllowedMultipleOrgs:");
-    for (const plan of plansAllowedMultipleOrgs) {
+  const plansAllowedMultipleAccounts = config.get(
+    "plansAllowedMultipleAccounts",
+  );
+  if (plansAllowedMultipleAccounts.length > 0) {
+    logger.info("plansAllowedMultipleAccounts:");
+    for (const plan of plansAllowedMultipleAccounts) {
       logger.info(`\t- ${plan}`);
     }
   } else {

mgmt/accounts.ts

@@ -0,0 +1,140 @@
+// Copyright (c) Fensak, LLC.
+// SPDX-License-Identifier: AGPL-3.0-or-later OR BUSL-1.1
+
+import { Octokit } from "../deps.ts";
+
+import {
+  FensakConfigSource,
+  getBitBucketWorkspace,
+  getComputedFensakConfig,
+  getGitHubOrgRecord,
+} from "../svcdata/mod.ts";
+import { isOrgManager } from "../ghstd/mod.ts";
+
+export interface Account {
+  source: "github" | "bitbucket";
+  slug: string;
+  app_is_installed: boolean;
+  dotfensak_ready: boolean;
+  subscription_id: string | null;
+}
+
+/**
+ * Filters down the given GitHub Orgs (identified by slug) based on whether the authenticated user of the Octokit client
+ * is an admin of the org.
+ */
+export async function filterAllowedGitHubOrgsForAuthenticatedUser(
+  octokit: Octokit,
+  slugs: string[],
+): Promise<Account[]> {
+  const orgData = await Promise.all(slugs.map((sl) => getGitHubOrgRecord(sl)));
+  const allowedOrgs = await Promise.all(
+    orgData.map(async (od): Promise<Account | null> => {
+      if (od.value == null) {
+        return null;
+      }
+
+      const isAllowed = await isOrgManager(octokit, od.value.name);
+      if (!isAllowed) {
+        return null;
+      }
+
+      const maybeCfg = await getComputedFensakConfig(
+        FensakConfigSource.GitHub,
+        od.value.name,
+      );
+
+      return {
+        source: "github",
+        slug: od.value.name,
+        app_is_installed: od.value.installationID != null,
+        dotfensak_ready: maybeCfg != null,
+        subscription_id: od.value.subscriptionID,
+      };
+    }),
+  );
+  const out: Account[] = [];
+  for (const o of allowedOrgs) {
+    if (!o) {
+      continue;
+    }
+    out.push(o);
+  }
+  return out;
+}
+
+/**
+ * Filters down the given BitBucket Workspaces (identified by slug) based on whether the authenticated user
+ * is an admin of the workspace.
+ */
+export async function filterAllowedBitBucketWorkspacesForAuthenticatedUser(
+  token: string,
+  slugs: string[],
+): Promise<Account[]> {
+  const wsLookup = await getWorkspacePermissionLookup(token);
+  const wsData = await Promise.all(
+    slugs.map((sl) => getBitBucketWorkspace(sl)),
+  );
+  const allowedWS = await Promise.all(
+    wsData.map(async (ws): Promise<Account | null> => {
+      if (ws.value == null) {
+        return null;
+      }
+
+      const isAllowed = wsLookup[ws.value.name] === "owner";
+      if (!isAllowed) {
+        return null;
+      }
+
+      const maybeCfg = await getComputedFensakConfig(
+        FensakConfigSource.BitBucket,
+        ws.value.name,
+      );
+
+      return {
+        source: "bitbucket",
+        slug: ws.value.name,
+        app_is_installed: ws.value.securityContext != null,
+        dotfensak_ready: maybeCfg != null,
+        subscription_id: ws.value.subscriptionID,
+      };
+    }),
+  );
+  const out: Account[] = [];
+  for (const w of allowedWS) {
+    if (!w) {
+      continue;
+    }
+    out.push(w);
+  }
+  return out;
+}
+
+export async function getWorkspacePermissionLookup(
+  token: string,
+): Promise<Record<string, "owner" | "member">> {
+  const wsUPath = "/user/permissions/workspaces";
+  const wsResp = await fetch(
+    `https://api.bitbucket.org/2.0${wsUPath}`,
+    {
+      method: "GET",
+      headers: {
+        Authorization: `Bearer ${token}`,
+        Accept: "application/json",
+      },
+    },
+  );
+  if (!wsResp.ok) {
+    const rtext = await wsResp.text();
+    throw new Error(
+      `BitBucket API Error for url path ${wsUPath} (${wsResp.status}): ${rtext}`,
+    );
+  }
+  const data = await wsResp.json();
+
+  const wsPermissionLookup: Record<string, "owner" | "member"> = {};
+  for (const wm of data.values) {
+    wsPermissionLookup[wm.workspace.slug] = wm.permission as "owner" | "member";
+  }
+  return wsPermissionLookup;
+}

mgmt/mod.ts

@@ -8,5 +8,5 @@
  * - Subscription Event hooks
  */
 export * from "./events.ts";
-export * from "./organization.ts";
+export * from "./accounts.ts";
 export * from "./subscription_events.ts";