Merge branch 'develop', prepare 3.3.0

Author: yamalight

README.md

@@ -15,9 +15,11 @@ Exoframe is a self-hosted tool that allows simple one-command deployments using
 - SSH key based auth
 - Rolling updates
 - Deploy tokens (e.g. to deploy from CI)
+- Deploy secrets (e.g. to hide sensitive env vars)
 - Automated HTTPS setup via letsencrypt \*
 - Automated gzip compression \*
 - Rate-limit support \*
+- Basic HTTP Auth support \*
 - Simple access to the logs of deployments
 - Docker-compose support
 - Multiple deployment endpoints and multi-user support

docs/Advanced.md

@@ -49,3 +49,26 @@ This will define how many requests (`average`) over given time (`period`) can be
 For the example above - an average of 5 requests every 3 seconds is allowed with busts of up to 10 requests.
 
 For more information, see [Traefik rate-limiting docs](https://docs.traefik.io/configuration/commons/#rate-limiting).
+
+## Secrets
+
+Exoframe allows you to create server-side secret values that can be used during service deployments.
+To use secrets you first need to create one. This can be done by running:
+
+```
+$ exoframe secret new
+```
+
+Once you specify the name and value, Exoframe server will create new secret _for your current user_.
+After creation the secret can be used in `exoframe.json` config file by using secret name and prefixing it with `@`, like so (in this example the secret was name `my-secret`):
+
+```json
+"env": {
+  "SECRET_KEY": "@my-secret"
+},
+```
+
+Current caveats:
+
+- Currently secrets only work for environment variables
+- Currently secrets work only for normal deployments (any template or recipe that uses `startFromParams` won't have secrets expanded)

docs/Basics.md

@@ -45,21 +45,22 @@ You can find the list of available recipes [on npm](https://www.npmjs.com/search
 
 ## Commands
 
-| Command           | Description                                                          |
-| ----------------- | -------------------------------------------------------------------- |
-| deploy [path]     | Deploy specified path                                                |
-| config            | Generate or update project config for current path                   |
-| list              | List currently deployed projects                                     |
-| rm <id>           | Remove existing deployment or project                                |
-| log <id>          | Get logs for existing deployment or project                          |
-| template [ls, rm] | Add, list or remove deployment templates from the server             |
-| setup [recipe]    | Setup a complex recipe deployment                                    |
-| token [ls, rm]    | Generate, list or remove deployment tokens                           |
-| login             | Login into Exoframe server                                           |
-| endpoint [url]    | Selects or adds the endpoint of Exoframe server                      |
-| rm-endpoint [url] | Removes an existing endpoint of Exoframe server                      |
-| update [target]   | Gets current versions or updates given target (server, traefik, all) |
-| completion        | Generates bash completion script                                     |
+| Command              | Description                                                          |
+| -------------------- | -------------------------------------------------------------------- |
+| deploy [path]        | Deploy specified path                                                |
+| config               | Generate or update project config for current path                   |
+| list                 | List currently deployed projects                                     |
+| rm <id>              | Remove existing deployment or project                                |
+| log <id>             | Get logs for existing deployment or project                          |
+| template [ls, rm]    | Add, list or remove deployment templates from the server             |
+| setup [recipe]       | Setup a complex recipe deployment                                    |
+| token [ls, rm]       | Generate, list or remove deployment tokens                           |
+| secret [new, ls, rm] | Create, list or remove deployment secrets                            |
+| login                | Login into Exoframe server                                           |
+| endpoint [url]       | Selects or adds the endpoint of Exoframe server                      |
+| rm-endpoint [url]    | Removes an existing endpoint of Exoframe server                      |
+| update [target]      | Gets current versions or updates given target (server, traefik, all) |
+| completion           | Generates bash completion script                                     |
 
 ## Project config file
 
@@ -88,7 +89,9 @@ Config file has the following structure:
   // object of key-values for env vars [optional]
   // no env vars are assigned by default
   "env": {
-    "ENV_VAR": "123"
+    "ENV_VAR": "123",
+    // you can use secrets to hide sensitive values from env vars
+    "OTHER_VAR": "@my-secret"
   },
   // internal hostname for container [optional]
   // see docker docs for more info

package.json

@@ -1,6 +1,6 @@
 {
   "name": "exoframe",
-  "version": "3.2.0",
+  "version": "3.3.0-dev",
   "description": "Exoframe is a self-hosted tool that allows simple one-command deployments using Docker",
   "main": "index.js",
   "repository": "git@github.com:exoframejs/exoframe.git",

src/commands/secrets.js

@@ -0,0 +1,164 @@
+// npm packages
+const got = require('got');
+const chalk = require('chalk');
+const inquirer = require('inquirer');
+
+// our packages
+const {userConfig, isLoggedIn, logout} = require('../config');
+
+exports.command = ['secret [cmd]'];
+exports.describe = 'create, list or remove deployment secrets';
+exports.builder = {
+  cmd: {
+    default: 'new',
+    description: 'command to execute [new | ls | rm]',
+  },
+};
+exports.handler = async args => {
+  if (!isLoggedIn()) {
+    return;
+  }
+
+  // services request url
+  const remoteUrl = `${userConfig.endpoint}/secrets`;
+  // get command
+  const {cmd} = args;
+  // if remove or ls - fetch secrets from remote, then do work
+  if (cmd === 'ls' || cmd === 'rm') {
+    console.log(
+      chalk.bold(`${cmd === 'ls' ? 'Listing' : 'Removing'} deployment secret${cmd === 'ls' ? 's' : ''} for:`),
+      userConfig.endpoint
+    );
+
+    // get secrets from server
+    // construct shared request params
+    const options = {
+      method: 'GET',
+      headers: {
+        Authorization: `Bearer ${userConfig.token}`,
+      },
+      json: true,
+    };
+    // try sending request
+    let secrets = [];
+    try {
+      const {body} = await got(remoteUrl, options);
+      secrets = body.secrets;
+    } catch (e) {
+      // if authorization is expired/broken/etc
+      if (e.statusCode === 401) {
+        logout(userConfig);
+        console.log(chalk.red('Error: authorization expired!'), 'Please, relogin and try again.');
+        return;
+      }
+
+      console.log(chalk.red('Error getting deployment secrets:'), e.toString());
+      return;
+    }
+
+    if (cmd === 'ls') {
+      console.log(chalk.bold('Got saved secrets:'));
+      console.log('');
+      secrets.map(t =>
+        console.log(`  > ${chalk.green(`@${t.name}`)} ${chalk.gray(`[${new Date(t.meta.created).toLocaleString()}]`)}`)
+      );
+      if (!secrets.length) {
+        console.log('  > No deployment secrets available!');
+      }
+      return;
+    }
+
+    const prompts = [];
+    prompts.push({
+      type: 'list',
+      name: 'rmSecret',
+      message: 'Choose secret to remove:',
+      choices: secrets.map(t => t.name),
+    });
+    const {rmSecret} = await inquirer.prompt(prompts);
+
+    // construct shared request params
+    const rmOptions = {
+      method: 'DELETE',
+      headers: {
+        Authorization: `Bearer ${userConfig.token}`,
+      },
+      json: true,
+      body: {
+        secretName: rmSecret,
+      },
+    };
+    try {
+      const {body, statusCode} = await got(remoteUrl, rmOptions);
+      if (statusCode !== 204) {
+        console.log(chalk.red('Error removing deployment secret!'), body.reason || 'Please try again!');
+        return;
+      }
+      console.log(chalk.green('Deployment secret successfully removed!'));
+    } catch (e) {
+      // if authorization is expired/broken/etc
+      if (e.statusCode === 401) {
+        logout(userConfig);
+        console.log(chalk.red('Error: authorization expired!'), 'Please, relogin and try again.');
+        return;
+      }
+
+      console.log(chalk.red('Error removing secret:'), e.toString());
+      return;
+    }
+
+    return;
+  }
+
+  console.log(chalk.bold('Generating new deployment secret for:'), userConfig.endpoint);
+
+  // ask for secret name and value
+  const prompts = [];
+  prompts.push({
+    type: 'input',
+    name: 'secretName',
+    message: 'Secret name:',
+    validate: input => input && input.length > 0,
+    filter: input => input.trim(),
+  });
+  prompts.push({
+    type: 'input',
+    name: 'secretValue',
+    message: 'Secret value:',
+    validate: input => input && input.length > 0,
+    filter: input => input.trim(),
+  });
+  const {secretName, secretValue} = await inquirer.prompt(prompts);
+
+  // construct shared request params
+  const options = {
+    method: 'POST',
+    headers: {
+      Authorization: `Bearer ${userConfig.token}`,
+    },
+    json: true,
+    body: {
+      secretName,
+      secretValue,
+    },
+  };
+  // try sending request
+  try {
+    const {body} = await got(remoteUrl, options);
+    console.log(chalk.bold('New secret generated:'));
+    console.log('');
+    console.log(`Name: ${body.name}`);
+    console.log(`Value: ${body.value}`);
+    console.log('');
+    console.log(chalk.yellow('WARNING!'), `Make sure to write it down, you will not be able to get it's value again!`);
+  } catch (e) {
+    // if authorization is expired/broken/etc
+    if (e.statusCode === 401) {
+      logout(userConfig);
+      console.log(chalk.red('Error: authorization expired!'), 'Please, relogin and try again.');
+      return;
+    }
+
+    console.log(chalk.red('Error generating deployment secret:'), e.toString());
+  }
+};

src/index.js

@@ -23,6 +23,7 @@ const token = require('./commands/token');
 const update = require('./commands/update');
 const template = require('./commands/template');
 const setup = require('./commands/setup');
+const secrets = require('./commands/secrets');
 
 // init program
 yargs
@@ -41,4 +42,5 @@ yargs
   .command(config)
   .command(update)
   .command(template)
-  .command(setup).argv;
+  .command(setup)
+  .command(secrets).argv;

test/__snapshots__/secrets.test.js.snap

@@ -0,0 +1,103 @@
+// Jest Snapshot v1, https://goo.gl/fbAQLP
+
+exports[`Should create new secret 1`] = `
+Array [
+  Array [
+    "Generating new deployment secret for:",
+    "http://localhost:8080",
+  ],
+  Array [
+    "New secret generated:",
+  ],
+  Array [
+    "",
+  ],
+  Array [
+    "Name: test",
+  ],
+  Array [
+    "Value: 12345",
+  ],
+  Array [
+    "",
+  ],
+  Array [
+    "WARNING!",
+    "Make sure to write it down, you will not be able to get it's value again!",
+  ],
+]
+`;
+
+exports[`Should deauth on 401 on creation 1`] = `
+Array [
+  Array [
+    "Generating new deployment secret for:",
+    "http://localhost:8080",
+  ],
+  Array [
+    "Error: authorization expired!",
+    "Please, relogin and try again.",
+  ],
+]
+`;
+
+exports[`Should deauth on 401 on list 1`] = `
+Array [
+  Array [
+    "Listing deployment secrets for:",
+    "http://localhost:8080",
+  ],
+  Array [
+    "Error: authorization expired!",
+    "Please, relogin and try again.",
+  ],
+]
+`;
+
+exports[`Should list secrets 1`] = `
+Array [
+  Array [
+    "Listing deployment secrets for:",
+    "http://localhost:8080",
+  ],
+  Array [
+    "Got saved secrets:",
+  ],
+  Array [
+    "",
+  ],
+  Array [
+    "  > @test []",
+  ],
+]
+`;
+
+exports[`Should list zero secrets 1`] = `
+Array [
+  Array [
+    "Listing deployment secrets for:",
+    "http://localhost:8080",
+  ],
+  Array [
+    "Got saved secrets:",
+  ],
+  Array [
+    "",
+  ],
+  Array [
+    "  > No deployment secrets available!",
+  ],
+]
+`;
+
+exports[`Should remove secret 1`] = `
+Array [
+  Array [
+    "Removing deployment secret for:",
+    "http://localhost:8080",
+  ],
+  Array [
+    "Deployment secret successfully removed!",
+  ],
+]
+`;