Merge remote-tracking branch 'origin/master'

Author: peterpeterparker

infra/default.nix

@@ -6,12 +6,9 @@ rec
       ''
         cp ${pkgs.wai-lambda.wai-lambda-js-wrapper} main.js
         # Can't be called 'main' otherwise lambda tries to load it
-        cp "${handlerStatic}/bin/handler" main_hs
-        cp ${./google-public-keys.json} google-public-keys.json
+        cp "${handler}/bin/handler" main_hs
         mkdir $out
-        ${pkgs.zip}/bin/zip \
-          -r $out/function.zip \
-          main.js main_hs google-public-keys.json
+        ${pkgs.zip}/bin/zip -r $out/function.zip main.js main_hs
       '';
 
   # TODO: move all other builders to this
@@ -25,7 +22,22 @@ rec
       ''
         cp ${pkgs.wai-lambda.wai-lambda-js-wrapper} main.js
         # Can't be called 'main' otherwise lambda tries to load it
-        cp "${unsplashProxyStatic}/bin/unsplash-proxy" main_hs
+        cp "${unsplashProxy}/bin/unsplash-proxy" main_hs
+        mkdir $out
+        ${pkgs.zip}/bin/zip -r $out/function.zip main.js main_hs
+      '';
+
+  function-google-key-updater-path =
+    { path = builtins.seq
+        (builtins.readDir function-google-key-updater) "${function-google-key-updater}/function.zip";
+    } ;
+
+  function-google-key-updater =
+    pkgs.runCommand "build-lambda" {}
+      ''
+        cp ${pkgs.wai-lambda.wai-lambda-js-wrapper} main.js
+        # Can't be called 'main' otherwise lambda tries to load it
+        cp "${googleKeyUpdater}/bin/google-key-updater" main_hs
         mkdir $out
         ${pkgs.zip}/bin/zip -r $out/function.zip main.js main_hs
       '';
@@ -40,7 +52,7 @@ rec
       ''
         cp ${pkgs.wai-lambda.wai-lambda-js-wrapper} main.js
         # Can't be called 'main' otherwise lambda tries to load it
-        cp "${handlerStatic}/bin/presenter" main_hs
+        cp "${handler}/bin/presenter" main_hs
         cp ${deckdeckgo-starter-dist}/dist.tar dist.tar
         mkdir -p $out
         ${pkgs.zip}/bin/zip -r $out/function.zip main.js main_hs dist.tar
@@ -49,7 +61,7 @@ rec
   deckdeckgo-starter-dist =
     with
       { napalm = import pkgs.sources.napalm { inherit pkgs;} ; };
-    pkgs.runCommand "deckdeckgo-starter" { buildInputs = [ pkgs.nodejs-10_x ]; }
+    pkgs.runCommand "deckdeckgo-starter" { buildInputs = [ pkgs.nodejs ]; }
       ''
         cp -r ${napalm.buildPackage pkgs.sources.deckdeckgo-starter {}}/* .
         chmod +w -R _napalm-install
@@ -67,7 +79,9 @@ rec
       { pkg = pkgs.haskellPackages.developPackage { root = ./handler; } ; };
     pkg.overrideAttrs(attr: {
       buildInputs = with pkgs;
-        [ niv terraform awscli postgresql moreutils minio ];
+        [ terraform awscli postgresql moreutils minio ];
+      LANG = "en_US.UTF-8";
+      LOCALE_ARCHIVE = "${pkgs.glibcLocales}/lib/locale/locale-archive";
       shellHook =
       let
         pgutil = pkgs.callPackage ./pgutil.nix {};
@@ -156,19 +170,23 @@ rec
             ghci -Wall unsplash-proxy/Main.hs
          }
 
+         function repl_google_key_updater() {
+            ghci -Wall google-key-updater/Main.hs
+         }
+
          function repl() {
             repl_handler
          }
 
         '';
      });
 
-  handlerStatic = pkgs.haskellPackagesStatic.deckdeckgo-handler;
   handler = pkgs.haskellPackages.deckdeckgo-handler;
 
-  unsplashProxyStatic = pkgs.haskellPackagesStatic.unsplash-proxy;
   unsplashProxy = pkgs.haskellPackages.unsplash-proxy;
 
+  googleKeyUpdater = pkgs.haskellPackages.google-key-updater;
+
   dynamoJar = pkgs.runCommand "dynamodb-jar" { buildInputs = [ pkgs.gnutar ]; }
   ''
   mkdir -p $out
@@ -243,9 +261,7 @@ rec
       ${pgutil.start_pg}
 
       echo "Running tests"
-      NIX_REDIRECTS=/etc/protocols=${pkgs.iana-etc}/etc/protocols \
-        LD_PRELOAD="${pkgs.libredirect}/lib/libredirect.so" \
-        GOOGLE_PUBLIC_KEYS="${pkgs.writeText "google-x509" (builtins.toJSON googleResp)}" \
+      GOOGLE_PUBLIC_KEYS="${pkgs.writeText "google-x509" (builtins.toJSON googleResp)}" \
         FIREBASE_PROJECT_ID="my-project-id" \
         FIREBASE_PROJECT_ID="my-project-id" \
         AWS_DEFAULT_REGION=us-east-1 \

infra/google-key-updater/Main.hs

@@ -0,0 +1,103 @@
+{-# LANGUAGE TypeOperators #-}
+{-# LANGUAGE OverloadedStrings #-}
+{-# LANGUAGE LambdaCase #-}
+{-# LANGUAGE DerivingStrategies #-}
+{-# LANGUAGE GeneralizedNewtypeDeriving #-}
+{-# LANGUAGE DataKinds #-}
+
+
+module Main (main) where
+
+import qualified Network.AWS.Data.Body as Body
+import Control.Monad
+import Data.Aeson ((.:))
+import System.Environment (getEnv)
+import UnliftIO
+import qualified Data.Aeson as Aeson
+import qualified Data.Aeson.Internal as Aeson
+import qualified Data.Aeson.Parser as Aeson
+import qualified Data.Aeson.Parser.Internal as Aeson
+import qualified Data.Aeson.Types as Aeson
+import qualified Data.ByteString as BS
+import qualified Data.ByteString.Char8 as BS8
+import qualified Data.ByteString.Lazy as BL
+import qualified Data.Text as T
+import qualified Network.AWS as Aws
+import qualified Network.AWS.S3 as S3
+import qualified Network.HTTP.Simple as HTTP
+import qualified Network.Wai.Handler.Lambda as Lambda
+
+main :: IO ()
+main = do
+    hSetBuffering stdin LineBuffering
+    hSetBuffering stdout LineBuffering
+
+    liftIO $ putStrLn "Booting..."
+    env <- Aws.newEnv Aws.Discover
+
+    bucketName <- getEnv "META_BUCKET_NAME"
+    let bucket = S3.BucketName (T.pack bucketName)
+    putStrLn $ "Bucket is: " <> show bucket
+
+    liftIO $ putStrLn "Booted!"
+
+
+    putStrLn "entering loop..."
+    forever $ do
+      line <- BS8.getLine
+      putStrLn $ "Got line!: " <> show line
+      case decodeInput (pure . const ()) line of
+        Right (fp, ()) -> do
+          putStrLn $ "Got input!"
+          keys <- HTTP.getResponseBody <$>
+            HTTP.httpBS ( HTTP.parseRequest_
+            "https://www.googleapis.com/robot/v1/metadata/x509/[email protected]"
+            )
+
+          print keys
+
+          let body = Body.toBody keys
+          let okey = "google-public-keys"
+
+          runAWS env (
+            Aws.send $ S3.putObject bucket okey body
+            ) >>= \case
+              Right {} -> do
+                putStrLn $ "uploaded new keys"
+              Left e -> error $ "Error in put: " <> show e
+
+          Lambda.writeFileAtomic fp (BL.toStrict $ Aeson.encode ())
+        Left e -> error $ show e
+
+decodeInput
+  :: (Aeson.Value -> Aeson.Parser a)
+  -> BS.ByteString
+  -> Either (Aeson.JSONPath, String) (FilePath, a)
+decodeInput parseEvent =
+    Aeson.eitherDecodeStrictWith Aeson.jsonEOF $ Aeson.iparse $
+      Aeson.withObject "input" $ \obj ->
+        (,) <$>
+          obj .: "responseFile" <*>
+          (obj .: "request" >>= parseEvent)
+-- main = putStrLn "hello!"
+-- main =
+    -- runAWS env (
+      -- Aws.send $ S3.putObject bucket okey body
+      -- ) >>= \case
+        -- Right {} -> do
+          -- putStrLn $ "uploaded new keys"
+        -- Left e -> error $ "Error in put: " <> show e
+  -- where
+    -- okey = undefined
+    -- bucket = undefined
+    -- body = undefined
+    -- env = undefined
+
+
+runAWS :: MonadIO m => Aws.Env -> Aws.AWS a -> m (Either SomeException a)
+runAWS env =
+    liftIO .
+    tryAny .
+    Aws.runResourceT .
+    Aws.runAWS env .
+    Aws.within Aws.NorthVirginia

infra/google-key-updater/package.yaml

@@ -0,0 +1,26 @@
+name: google-key-updater
+license: AGPL-3
+
+executable:
+    main: Main.hs
+
+dependencies:
+    - aeson
+    - base
+    - bytestring
+    - http-client
+    - http-client-tls
+    - http-conduit
+    - http-types
+    - servant
+    - servant-client
+    - servant-server
+    - text
+    - wai
+    - wai-cors
+    - unliftio
+    - wai-lambda
+    - warp
+    - amazonka
+    - amazonka-core
+    - amazonka-s3

infra/google-public-keys.json

@@ -0,0 +1,147 @@
+variable "meta-bucket-name" {
+  type = "string"
+  default = "deckdeckgo-beta-meta"
+}
+
+resource "aws_s3_bucket" "meta" {
+  bucket = "${var.meta-bucket-name}"
+}
+
+
+resource "aws_lambda_function" "google_key_updater" {
+  function_name    = "deckdeckgo-google-key-updater-lambda"
+  filename         = "${data.external.build-function-google-key-updater.result.path}"
+
+  # TODO: need a big *ss timeout on this one
+  timeout          = 5
+  handler          = "main.handler"
+  runtime          = "nodejs8.10"
+
+  role             = "${aws_iam_role.iam_for_lambda_google_key_updater.arn}"
+
+  environment {
+    variables = {
+      META_BUCKET_NAME = "${aws_s3_bucket.meta.bucket}"
+    }
+  }
+}
+
+data "external" "build-function-google-key-updater" {
+  program = [
+    "nix", "eval",
+    "(import ./default.nix).function-google-key-updater-path", "--json"
+  ]
+}
+
+resource "aws_iam_role" "iam_for_lambda_google_key_updater" {
+  name = "deckdeckgo-google-key-updater-lambda-iam"
+
+  assume_role_policy = <<EOF
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": "sts:AssumeRole",
+      "Principal": {
+        "Service": "lambda.amazonaws.com"
+      },
+      "Effect": "Allow",
+      "Sid": ""
+    }
+  ]
+}
+EOF
+
+}
+
+#resource "aws_lambda_event_source_mapping" "google_key_updater" {
+  #event_source_arn = "${aws_sqs_queue.presentation_deploy.arn}"
+  #enabled          = true
+  #function_name    = "${aws_lambda_function.presenter.function_name}"
+  #batch_size       = 1
+#}
+
+
+# TODO: needed as well, but later on, when we actually hit PG
+#resource "aws_iam_role_policy_attachment" "role_attach_lambdavpc" {
+  #role = "${aws_iam_role.iam_for_lambda.name}"
+  #policy_arn = "arn:aws:iam::aws:policy/service-role/AWSLambdaVPCAccessExecutionRole"
+#}
+
+# XXX: looks like Lambda needs to be redeploy for the policy to take effect
+# TODO: auto redeploy on policy change
+data "aws_iam_policy_document" "policy_for_lambda_google_key_updater" {
+
+  # Give access to CloudWatch
+  statement {
+    actions = [
+      "logs:CreateLogStream",
+      "logs:PutLogEvents",
+    ]
+
+    resources = ["${aws_cloudwatch_log_group.google-key-updater.arn}"]
+  }
+
+  # Give access to CloudWatch
+  statement {
+    actions = [
+      "ec2:DescribeInstances",
+      "ec2:CreateNetworkInterface",
+      "ec2:AttachNetworkInterface",
+      "ec2:DescribeNetworkInterfaces",
+      "ec2:DeleteNetworkInterface"
+    ]
+
+    resources = [ "*" ]
+  }
+
+  # TODO
+  #statement {
+    #actions = [
+      #"s3:ListBucket",
+    #]
+
+    #resources = [ "${aws_s3_bucket.presentations.arn}" ]
+  #}
+
+  statement {
+    actions = [
+      "s3:PutObject",
+      "s3:DeleteObject",
+    ]
+
+    resources = [ "${aws_s3_bucket.meta.arn}/*" ]
+  }
+
+}
+
+resource "aws_iam_role_policy" "policy_for_lambda_google_key_updater" {
+  name   = "deckdeckgo-google-key-updater-lambda-policy"
+  role   = "${aws_iam_role.iam_for_lambda_google_key_updater.id}"
+  policy = "${data.aws_iam_policy_document.policy_for_lambda_google_key_updater.json}"
+}
+
+resource "aws_cloudwatch_log_group" "google-key-updater" {
+  name              = "/aws/lambda/${aws_lambda_function.google_key_updater.function_name}"
+  retention_in_days = "7"
+}
+
+resource "aws_cloudwatch_event_rule" "every_five_minutes" {
+    name = "every-five-minutes"
+    description = "Fires every five minutes"
+    schedule_expression = "rate(5 minutes)"
+}
+
+resource "aws_cloudwatch_event_target" "update_google_keys_every_five_minutes" {
+    rule = "${aws_cloudwatch_event_rule.every_five_minutes.name}"
+    target_id = "google_key_updater"
+    arn = "${aws_lambda_function.google_key_updater.arn}"
+}
+
+resource "aws_lambda_permission" "allow_cloudwatch_to_call_google_key_updater" {
+    statement_id = "AllowExecutionFromCloudWatch"
+    action = "lambda:InvokeFunction"
+    function_name = "${aws_lambda_function.google_key_updater.function_name}"
+    principal = "events.amazonaws.com"
+    source_arn = "${aws_cloudwatch_event_rule.every_five_minutes.arn}"
+}