feat: simplify the connect cloudtty flow (#747)

* feat: update cloudtty shell endpoint and schema

* test: token

* feat: add cloudtty v2 endpoint

* fix: update session middleware for cloudtty endpoint

---------

Co-authored-by: Dennis van Kekem <38350840+dennisvankekem@users.noreply.github.com>

Author: ferruhcihan

src/api/v1/cloudtty.ts

@@ -5,22 +5,23 @@ import { OpenApiRequestExt } from 'src/otomi-models'
 const debug = Debug('otomi:api:v1:cloudtty')
 
 export default function (): OperationHandlerArray {
-  const post: Operation = [
-    async ({ otomi, body }: OpenApiRequestExt, res): Promise<void> => {
-      debug(`connectCloudtty`)
-      const v = await otomi.connectCloudtty(body)
+  const get: Operation = [
+    async ({ otomi, query, user: sessionUser }: OpenApiRequestExt, res): Promise<void> => {
+      debug(`connectCloudtty - ${sessionUser.email} - ${sessionUser.sub}`)
+      const { teamId }: { teamId: string } = query as { teamId: string }
+      const v = await otomi.connectCloudtty(teamId, sessionUser)
       res.json(v)
     },
   ]
   const del: Operation = [
-    async ({ otomi, body }: OpenApiRequestExt, res): Promise<void> => {
-      debug(`deleteCloudtty`)
-      await otomi.deleteCloudtty(body)
+    async ({ otomi, user: sessionUser }: OpenApiRequestExt, res): Promise<void> => {
+      debug(`deleteCloudtty - ${sessionUser.email} - ${sessionUser.sub}`)
+      await otomi.deleteCloudtty(sessionUser)
       res.json({})
     },
   ]
   const api = {
-    post,
+    get,
     delete: del,
   }
   return api

src/api/v2/cloudtty.ts

@@ -0,0 +1,28 @@
+import Debug from 'debug'
+import { Operation, OperationHandlerArray } from 'express-openapi'
+import { OpenApiRequestExt } from 'src/otomi-models'
+
+const debug = Debug('otomi:api:v2:cloudtty')
+
+export default function (): OperationHandlerArray {
+  const get: Operation = [
+    async ({ otomi, query, user: sessionUser }: OpenApiRequestExt, res): Promise<void> => {
+      debug(`connectCloudtty - ${sessionUser.email} - ${sessionUser.sub}`)
+      const { teamId }: { teamId: string } = query as { teamId: string }
+      const v = await otomi.connectCloudtty(teamId, sessionUser)
+      res.json(v)
+    },
+  ]
+  const del: Operation = [
+    async ({ otomi, user: sessionUser }: OpenApiRequestExt, res): Promise<void> => {
+      debug(`deleteCloudtty - ${sessionUser.email} - ${sessionUser.sub}`)
+      await otomi.deleteCloudtty(sessionUser)
+      res.json({})
+    },
+  ]
+  const api = {
+    get,
+    delete: del,
+  }
+  return api
+}

src/k8s_operations.ts

@@ -3,7 +3,7 @@ import Debug from 'debug'
 import * as fs from 'fs'
 import * as yaml from 'js-yaml'
 import { promisify } from 'util'
-import { AplBuildResponse, AplSecretResponse, AplServiceResponse, AplWorkloadResponse, Cloudtty } from './otomi-models'
+import { AplBuildResponse, AplSecretResponse, AplServiceResponse, AplWorkloadResponse } from './otomi-models'
 
 const debug = Debug('otomi:api:k8sOperations')
 
@@ -93,13 +93,21 @@ export async function checkPodExists(namespace: string, podName: string): Promis
   }
 }
 
-export async function k8sdelete({ emailNoSymbols, isAdmin, userTeams }: Cloudtty) {
+export async function k8sdelete({
+  sub,
+  isPlatformAdmin,
+  userTeams,
+}: {
+  sub: string
+  isPlatformAdmin: boolean
+  userTeams: string[]
+}): Promise<void> {
   const kc = new k8s.KubeConfig()
   kc.loadFromDefault()
   const k8sApi = kc.makeApiClient(k8s.CoreV1Api)
   const customObjectsApi = kc.makeApiClient(k8s.CustomObjectsApi)
   const rbacAuthorizationV1Api = kc.makeApiClient(k8s.RbacAuthorizationV1Api)
-  const resourceName = emailNoSymbols
+  const resourceName = sub
   const namespace = 'team-admin'
   try {
     const apiVersion = 'v1beta1'
@@ -118,7 +126,7 @@ export async function k8sdelete({ emailNoSymbols, isAdmin, userTeams }: Cloudtty
 
     await k8sApi.deleteNamespacedServiceAccount(`tty-${resourceName}`, namespace)
     await k8sApi.deleteNamespacedPod(`tty-${resourceName}`, namespace)
-    if (!isAdmin) {
+    if (!isPlatformAdmin) {
       for (const team of userTeams!) {
         await rbacAuthorizationV1Api.deleteNamespacedRoleBinding(`tty-${team}-${resourceName}-rolebinding`, team)
       }

src/middleware/jwt.ts

@@ -49,7 +49,6 @@ export function getUser(user: JWT, otomi: OtomiStack): SessionUser {
 }
 
 export function jwtMiddleware(): RequestHandler {
-  // eslint-disable-next-line @typescript-eslint/no-misused-promises
   return async function nextHandler(req: OpenApiRequestExt, res, next): Promise<any> {
     const token = req.header('Authorization')
     const otomi = await getSessionStack() // we can use the readonly version

src/middleware/session.ts

@@ -1,4 +1,3 @@
-/* eslint-disable @typescript-eslint/no-use-before-define */
 import Debug from 'debug'
 import { RequestHandler } from 'express'
 import 'express-async-errors'
@@ -88,7 +87,7 @@ export function sessionMiddleware(server: http.Server): RequestHandler {
       email: socket.email,
     })
   })
-  // eslint-disable-next-line @typescript-eslint/no-misused-promises
+
   return async function nextHandler(req: OpenApiRequestExt, res, next): Promise<any> {
     if (!env.isTest && (!readOnlyStack || !readOnlyStack.isLoaded)) throw new ApiNotReadyError()
     const { email } = req.user || {}
@@ -97,9 +96,8 @@ export function sessionMiddleware(server: http.Server): RequestHandler {
     req.otomi = roStack
 
     if (['post', 'put', 'delete'].includes(req.method.toLowerCase())) {
-      // in the cloudtty or workloadCatalog endpoint(s), don't need to create a session
-      if (req.path === '/v1/cloudtty' || req.path === '/v1/workloadCatalog' || req.path === '/v1/createWorkloadCatalog')
-        return next()
+      // in the workloadCatalog endpoint(s), don't need to create a session
+      if (req.path === '/v1/workloadCatalog' || req.path === '/v1/createWorkloadCatalog') return next()
       // bootstrap session stack with unique sessionId to manipulate data
       const sessionId = uuidv4() as string
       // eslint-disable-next-line no-param-reassign

src/openapi/api.yaml

@@ -1432,18 +1432,44 @@ paths:
               schema:
                 type: string
 
+  '/v2/cloudtty':
+    get:
+      operationId: connectAplCloudtty
+      description: Get a cloudtty iFrameUrl
+      x-aclSchema: Cloudtty
+      parameters:
+        - name: teamId
+          in: query
+          description: Id of the team
+          schema:
+            type: string
+      responses:
+        <<: *DefaultPostResponses
+        '200':
+          description: Successfully stored cloudtty configuration
+          content:
+            application/json:
+              schema:
+                $ref: '#/components/schemas/Cloudtty'
+    delete:
+      operationId: deleteAplCloudtty
+      description: Delete cloudtty url
+      x-aclSchema: Cloudtty
+      responses:
+        '200':
+          description: Successfully removed cloudtty url
+
   '/v1/cloudtty':
-    post:
+    get:
       operationId: connectCloudtty
-      description: Create a cloudtty url
+      description: Get a cloudtty iFrameUrl
       x-aclSchema: Cloudtty
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/Cloudtty'
-        description: Cloudtty object
-        required: true
+      parameters:
+        - name: teamId
+          in: query
+          description: Id of the team
+          schema:
+            type: string
       responses:
         <<: *DefaultPostResponses
         '200':
@@ -1456,13 +1482,6 @@ paths:
       operationId: deleteCloudtty
       description: Delete cloudtty url
       x-aclSchema: Cloudtty
-      requestBody:
-        content:
-          application/json:
-            schema:
-              $ref: '#/components/schemas/Cloudtty'
-        description: Cloudtty object
-        required: true
       responses:
         '200':
           description: Successfully removed cloudtty url

src/openapi/cloudtty.yaml

@@ -18,27 +18,5 @@ Cloudtty:
   type: object
   x-externalDocsPath: docs/for-devs/console/cloudtty
   properties:
-    id:
-      type: string
-    teamId:
-      $ref: 'definitions.yaml#/idName'
-    domain:
-      $ref: 'definitions.yaml#/wordCharacterPattern'
-    emailNoSymbols:
-      $ref: 'definitions.yaml#/wordCharacterPattern'
     iFrameUrl:
       $ref: 'definitions.yaml#/wordCharacterPattern'
-    isAdmin:
-      type: boolean
-      default: false
-    userTeams:
-      type: array
-      items:
-        type: string
-    sub:
-      $ref: 'definitions.yaml#/wordCharacterPattern'
-  required:
-    - teamId
-    - domain
-    - emailNoSymbols
-    - isAdmin

src/otomi-stack.ts

@@ -1635,32 +1635,44 @@ export default class OtomiStack {
     return (await getKubernetesVersion()) as string
   }
 
-  async connectCloudtty(data: Cloudtty): Promise<Cloudtty | any> {
+  async connectCloudtty(teamId: string, sessionUser: SessionUser): Promise<Cloudtty> {
+    if (!sessionUser.sub) {
+      debug('No user sub found, cannot connect to shell.')
+      throw new OtomiError(500, 'No user sub found, cannot connect to shell.')
+    }
+    const userTeams = sessionUser.teams.map((teamName) => `team-${teamName}`)
     const variables = {
-      FQDN: data.domain,
-      EMAIL: data.emailNoSymbols,
-      SUB: data.sub,
+      FQDN: '',
+      SUB: sessionUser.sub,
+    }
+    try {
+      const { cluster } = this.getSettings(['cluster'])
+      variables.FQDN = cluster?.domainSuffix || ''
+    } catch (error) {
+      debug('Error getting cluster settings for cloudtty:', error.message)
+    }
+    if (!variables.FQDN) {
+      debug('No cluster domain suffix found, cannot connect to shell.')
+      throw new OtomiError(500, 'No cluster domain suffix found, cannot connect to shell.')
     }
 
-    const { userTeams } = data
-
-    // if cloudtty does not exists then check if the pod is running and return it
-    if (await checkPodExists('team-admin', `tty-${data.emailNoSymbols}`)) {
-      return { ...data, iFrameUrl: `https://tty.${data.domain}/${data.emailNoSymbols}` }
+    // if cloudtty shell does not exists then check if the pod is running and return it
+    if (await checkPodExists('team-admin', `tty-${sessionUser.sub}`)) {
+      return { iFrameUrl: `https://tty.${variables.FQDN}/${sessionUser.sub}` }
     }
 
     if (await pathExists('/tmp/ttyd.yaml')) await unlink('/tmp/ttyd.yaml')
 
     //if user is admin then read the manifests from ./dist/src/ttyManifests/adminTtyManifests
-    const files = data.isAdmin
+    const files = sessionUser.isPlatformAdmin
       ? await readdir('./dist/src/ttyManifests/adminTtyManifests', 'utf-8')
       : await readdir('./dist/src/ttyManifests', 'utf-8')
     const filteredFiles = files.filter((file) => file.startsWith('tty'))
     const variableKeys = Object.keys(variables)
 
     const podContentAddTargetTeam = (fileContent) => {
       const regex = new RegExp(`\\$TARGET_TEAM`, 'g')
-      return fileContent.replace(regex, data.teamId)
+      return fileContent.replace(regex, teamId)
     }
 
     // iterates over the rolebinding file and replace the $TARGET_TEAM with the team name for teams
@@ -1676,41 +1688,45 @@ export default class OtomiStack {
 
     const fileContents = await Promise.all(
       filteredFiles.map(async (file) => {
-        let fileContent = data.isAdmin
+        let fileContent = sessionUser.isPlatformAdmin
           ? await readFile(`./dist/src/ttyManifests/adminTtyManifests/${file}`, 'utf-8')
           : await readFile(`./dist/src/ttyManifests/${file}`, 'utf-8')
         variableKeys.forEach((key) => {
           const regex = new RegExp(`\\$${key}`, 'g')
-          fileContent = fileContent.replace(regex, variables[key])
+          fileContent = fileContent.replace(regex, variables[key] as string)
         })
         if (file === 'tty_02_Pod.yaml') fileContent = podContentAddTargetTeam(fileContent)
-        if (!data.isAdmin && file === 'tty_03_Rolebinding.yaml') fileContent = rolebindingContentsForUsers(fileContent)
+        if (!sessionUser.isPlatformAdmin && file === 'tty_03_Rolebinding.yaml')
+          fileContent = rolebindingContentsForUsers(fileContent)
         return fileContent
       }),
     )
     await writeFile('/tmp/ttyd.yaml', fileContents, 'utf-8')
     await apply('/tmp/ttyd.yaml')
-    await watchPodUntilRunning('team-admin', `tty-${data.emailNoSymbols}`)
+    await watchPodUntilRunning('team-admin', `tty-${sessionUser.sub}`)
 
     // check the pod every 30 minutes and terminate it after 2 hours of inactivity
     const ISACTIVE_INTERVAL = 30 * 60 * 1000
     const TERMINATE_TIMEOUT = 2 * 60 * 60 * 1000
     const intervalId = setInterval(() => {
-      getCloudttyActiveTime('team-admin', `tty-${data.emailNoSymbols}`).then((activeTime: number) => {
+      getCloudttyActiveTime('team-admin', `tty-${sessionUser.sub}`).then((activeTime: number) => {
         if (activeTime > TERMINATE_TIMEOUT) {
-          this.deleteCloudtty(data)
+          this.deleteCloudtty(sessionUser)
           clearInterval(intervalId)
           debug(`Cloudtty terminated after ${TERMINATE_TIMEOUT / (60 * 60 * 1000)} hours of inactivity`)
         }
       })
     }, ISACTIVE_INTERVAL)
 
-    return { ...data, iFrameUrl: `https://tty.${data.domain}/${data.emailNoSymbols}` }
+    return { iFrameUrl: `https://tty.${variables.FQDN}/${sessionUser.sub}` }
   }
 
-  async deleteCloudtty(data: Cloudtty) {
+  async deleteCloudtty(sessionUser: SessionUser): Promise<void> {
+    const { sub, isPlatformAdmin, teams } = sessionUser as { sub: string; isPlatformAdmin: boolean; teams: string[] }
+    const userTeams = teams.map((teamName) => `team-${teamName}`)
     try {
-      if (await checkPodExists('team-admin', `tty-${data.emailNoSymbols}`)) await k8sdelete(data)
+      if (await checkPodExists('team-admin', `tty-${sessionUser.sub}`))
+        await k8sdelete({ sub, isPlatformAdmin, userTeams })
     } catch (error) {
       debug('Failed to delete cloudtty')
     }

src/ttyManifests/adminTtyManifests/tty_00_Authz.yaml

@@ -1,15 +1,16 @@
 apiVersion: security.istio.io/v1beta1
 kind: AuthorizationPolicy
 metadata:
-  name: tty-$EMAIL
+  name: tty-$SUB
   namespace: team-admin
 spec:
   selector:
     matchLabels:
-      app: tty-$EMAIL
+      app: tty-$SUB
   action: ALLOW
   rules:
     - when:
         - key: request.auth.claims[sub]
           values: ['$SUB']
 ---
+

src/ttyManifests/adminTtyManifests/tty_01_Sa.yaml

@@ -1,7 +1,7 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
-  name: tty-$EMAIL
+  name: tty-$SUB
   namespace: team-admin
 ---