constellation/internal/api/client/client.go

/*
Copyright (c) Edgeless Systems GmbH

SPDX-License-Identifier: AGPL-3.0-only
*/

/*
Package client provides a client for the versions API.

The client needs to be authenticated with AWS. It should be used in internal
development and CI tools for administrative tasks. For just fetching information
from the API, use the fetcher package instead.

Needed IAM permissions for read mode:
- "s3:GetObject"
- "s3:ListBucket"

Additional needed IAM permissions for write mode:
- "s3:PutObject"
- "s3:DeleteObject"
- "cloudfront:CreateInvalidation"

Thread-safety of the bucket is not guaranteed. The client is not thread-safe.

Each sub-API included in the Constellation Resource API should define it's resources by implementing types that implement apiObject.
The new package can then call this package's Fetch and Update functions to get/modify resources from the API.
*/
package client

import (
	"bytes"
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"time"

	"github.com/aws/aws-sdk-go-v2/aws"
	awsconfig "github.com/aws/aws-sdk-go-v2/config"
	s3manager "github.com/aws/aws-sdk-go-v2/feature/s3/manager"
	"github.com/aws/aws-sdk-go-v2/service/cloudfront"
	cftypes "github.com/aws/aws-sdk-go-v2/service/cloudfront/types"
	"github.com/aws/aws-sdk-go-v2/service/s3"
	s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"
	"github.com/edgelesssys/constellation/v2/internal/logger"
	"go.uber.org/zap"
)

// Client is the client for the versions API.
type Client struct {
	config                       aws.Config
	cloudfrontClient             *cloudfront.Client
	s3Client                     *s3.Client
	uploadClient                 *s3manager.Uploader
	bucket                       string
	distributionID               string
	cacheInvalidationWaitTimeout time.Duration

	dirtyPaths []string // written paths to be invalidated
	DryRun     bool     // no write operations are performed

	Log *logger.Logger
}

// NewReadOnlyClient creates a new read-only client.
// This client can be used to fetch objects but cannot write updates.
func NewReadOnlyClient(ctx context.Context, region, bucket, distributionID string,
	log *logger.Logger,
) (*Client, error) {
	cfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(region))
	if err != nil {
		return nil, err
	}
	s3c := s3.NewFromConfig(cfg)

	return &Client{
		config:         cfg,
		s3Client:       s3c,
		bucket:         bucket,
		distributionID: distributionID,
		DryRun:         true,
		Log:            log,
	}, nil
}

// NewClient creates a new client for the versions API.
func NewClient(ctx context.Context, region, bucket, distributionID string, dryRun bool,
	log *logger.Logger,
) (*Client, error) {
	cfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(region))
	if err != nil {
		return nil, err
	}

	cloudfrontC := cloudfront.NewFromConfig(cfg)
	s3C := s3.NewFromConfig(cfg)
	uploadC := s3manager.NewUploader(s3C)

	return &Client{
		config:                       cfg,
		cloudfrontClient:             cloudfrontC,
		s3Client:                     s3C,
		uploadClient:                 uploadC,
		bucket:                       bucket,
		distributionID:               distributionID,
		DryRun:                       dryRun,
		Log:                          log,
		cacheInvalidationWaitTimeout: 10 * time.Minute,
	}, nil
}

// InvalidateCache invalidates the CDN cache for the paths that have been written.
// The function should be deferred after the client has been created.
func (c *Client) InvalidateCache(ctx context.Context) error {
	if len(c.dirtyPaths) == 0 {
		c.Log.Debugf("No dirty paths, skipping cache invalidation")
		return nil
	}

	if c.DryRun {
		c.Log.With(zap.String("distributionID", c.distributionID), zap.Strings("dirtyPaths", c.dirtyPaths)).Debugf("DryRun: cloudfront create invalidation")
		return nil
	}

	c.Log.Debugf("Paths to invalidate: %v", c.dirtyPaths)

	in := &cloudfront.CreateInvalidationInput{
		DistributionId: &c.distributionID,
		InvalidationBatch: &cftypes.InvalidationBatch{
			CallerReference: ptr(fmt.Sprintf("%d", time.Now().Unix())),
			Paths: &cftypes.Paths{
				Items:    c.dirtyPaths,
				Quantity: ptr(int32(len(c.dirtyPaths))),
			},
		},
	}
	invalidation, err := c.cloudfrontClient.CreateInvalidation(ctx, in)
	if err != nil {
		return fmt.Errorf("creating invalidation: %w", err)
	}

	c.Log.Debugf("Waiting for invalidation %s to complete", *invalidation.Invalidation.Id)
	waiter := cloudfront.NewInvalidationCompletedWaiter(c.cloudfrontClient)
	waitIn := &cloudfront.GetInvalidationInput{
		DistributionId: &c.distributionID,
		Id:             invalidation.Invalidation.Id,
	}
	if err := waiter.Wait(ctx, waitIn, c.cacheInvalidationWaitTimeout); err != nil {
		return fmt.Errorf("waiting for invalidation to complete: %w", err)
	}

	return nil
}

// DeletePath deletes all objects at a given path from a s3 bucket.
func (c *Client) DeletePath(ctx context.Context, path string) error {
	listIn := &s3.ListObjectsV2Input{
		Bucket: &c.bucket,
		Prefix: &path,
	}
	c.Log.Debugf("Listing objects in %s", path)
	objs := []s3types.Object{}
	out := &s3.ListObjectsV2Output{IsTruncated: true}
	for out.IsTruncated {
		var err error
		out, err = c.s3Client.ListObjectsV2(ctx, listIn)
		if err != nil {
			return fmt.Errorf("listing objects in %s: %w", path, err)
		}
		objs = append(objs, out.Contents...)
	}
	c.Log.Debugf("Found %d objects in %s", len(objs), path)

	if len(objs) == 0 {
		c.Log.Warnf("Path %s is already empty", path)
		return nil
	}

	objIDs := make([]s3types.ObjectIdentifier, len(objs))
	for i, obj := range objs {
		objIDs[i] = s3types.ObjectIdentifier{Key: obj.Key}
	}

	if c.DryRun {
		c.Log.Debugf("DryRun: Deleting %d objects with IDs %v", len(objs), objIDs)
		return nil
	}

	c.dirtyPaths = append(c.dirtyPaths, "/"+path)

	deleteIn := &s3.DeleteObjectsInput{
		Bucket: &c.bucket,
		Delete: &s3types.Delete{
			Objects: objIDs,
		},
	}
	c.Log.Debugf("Deleting %d objects in %s", len(objs), path)
	if _, err := c.s3Client.DeleteObjects(ctx, deleteIn); err != nil {
		return fmt.Errorf("deleting objects in %s: %w", path, err)
	}

	return nil
}

func ptr[T any](t T) *T {
	return &t
}

type apiObject interface {
	ValidateRequest() error
	Validate() error
	JSONPath() string
}

// Fetch fetches the given apiObject from the public Constellation CDN.
func Fetch[T apiObject](ctx context.Context, c *Client, obj T) (T, error) {
	if err := obj.ValidateRequest(); err != nil {
		return *new(T), fmt.Errorf("validating request for %T: %w", obj, err)
	}

	in := &s3.GetObjectInput{
		Bucket: &c.bucket,
		Key:    ptr(obj.JSONPath()),
	}

	c.Log.Debugf("Fetching %T from s3: %s", obj, obj.JSONPath())
	out, err := c.s3Client.GetObject(ctx, in)
	var noSuchkey *s3types.NoSuchKey
	if errors.As(err, &noSuchkey) {
		return *new(T), &NotFoundError{err: err}
	} else if err != nil {
		return *new(T), fmt.Errorf("getting s3 object at %s: %w", obj.JSONPath(), err)
	}
	defer out.Body.Close()

	var newObj T
	if err := json.NewDecoder(out.Body).Decode(&newObj); err != nil {
		return *new(T), fmt.Errorf("decoding %T: %w", obj, err)
	}

	if newObj.Validate() != nil {
		return *new(T), fmt.Errorf("received invalid %T: %w", newObj, newObj.Validate())
	}

	return newObj, nil
}

// Update creates/updates the given apiObject in the public Constellation CDN.
func Update[T apiObject](ctx context.Context, c *Client, obj T) error {
	if err := obj.Validate(); err != nil {
		return fmt.Errorf("validating %T struct: %w", obj, err)
	}

	rawJSON, err := json.Marshal(obj)
	if err != nil {
		return fmt.Errorf("marshaling %T struct: %w", obj, err)
	}

	if c.DryRun {
		c.Log.With(zap.String("bucket", c.bucket), zap.String("key", obj.JSONPath()), zap.String("body", string(rawJSON))).Debugf("DryRun: s3 put object")
		return nil
	}

	in := &s3.PutObjectInput{
		Bucket: &c.bucket,
		Key:    ptr(obj.JSONPath()),
		Body:   bytes.NewBuffer(rawJSON),
	}

	c.dirtyPaths = append(c.dirtyPaths, "/"+obj.JSONPath())

	c.Log.Debugf("Uploading %T to s3: %v", obj, obj.JSONPath())
	if _, err := c.uploadClient.Upload(ctx, in); err != nil {
		return fmt.Errorf("uploading %T: %w", obj, err)
	}

	return nil
}

// NotFoundError is an error that is returned when a resource is not found.
type NotFoundError struct {
	err error
}

func (e *NotFoundError) Error() string {
	return fmt.Sprintf("the requested resource was not found: %s", e.err.Error())
}

func (e *NotFoundError) Unwrap() error {
	return e.err
}
api: restructure api pkg (#1851) * api: rename AttestationVersionRepo to Client * api: move client into separate subpkg for clearer import paths. * api: rename configapi -> attestationconfig * api: rename versionsapi -> versions * api: rename sut to client * api: split versionsapi client and make it public * api: split versionapi fetcher and make it public * config: move attestationversion type to config * api: fix attestationconfig client test Co-authored-by: Adrian Stobbe <stobbe.adrian@gmail.com> 2023-06-02 07:19:23 +00:00			`/*`
			`Copyright (c) Edgeless Systems GmbH`

			`SPDX-License-Identifier: AGPL-3.0-only`
			`*/`

			`/*`
			`Package client provides a client for the versions API.`

			`The client needs to be authenticated with AWS. It should be used in internal`
			`development and CI tools for administrative tasks. For just fetching information`
			`from the API, use the fetcher package instead.`

			`Needed IAM permissions for read mode:`
			`- "s3:GetObject"`
			`- "s3:ListBucket"`

			`Additional needed IAM permissions for write mode:`
			`- "s3:PutObject"`
			`- "s3:DeleteObject"`
			`- "cloudfront:CreateInvalidation"`

			`Thread-safety of the bucket is not guaranteed. The client is not thread-safe.`

			`Each sub-API included in the Constellation Resource API should define it's resources by implementing types that implement apiObject.`
			`The new package can then call this package's Fetch and Update functions to get/modify resources from the API.`
			`*/`
			`package client`

			`import (`
			`"bytes"`
			`"context"`
			`"encoding/json"`
			`"errors"`
			`"fmt"`
			`"time"`

			`"github.com/aws/aws-sdk-go-v2/aws"`
			`awsconfig "github.com/aws/aws-sdk-go-v2/config"`
			`s3manager "github.com/aws/aws-sdk-go-v2/feature/s3/manager"`
			`"github.com/aws/aws-sdk-go-v2/service/cloudfront"`
			`cftypes "github.com/aws/aws-sdk-go-v2/service/cloudfront/types"`
			`"github.com/aws/aws-sdk-go-v2/service/s3"`
			`s3types "github.com/aws/aws-sdk-go-v2/service/s3/types"`
			`"github.com/edgelesssys/constellation/v2/internal/logger"`
			`"go.uber.org/zap"`
			`)`

			`// Client is the client for the versions API.`
			`type Client struct {`
			`config aws.Config`
			`cloudfrontClient *cloudfront.Client`
			`s3Client *s3.Client`
			`uploadClient *s3manager.Uploader`
			`bucket string`
			`distributionID string`
			`cacheInvalidationWaitTimeout time.Duration`

			`dirtyPaths []string // written paths to be invalidated`
			`DryRun bool // no write operations are performed`

			`Log *logger.Logger`
			`}`

			`// NewReadOnlyClient creates a new read-only client.`
			`// This client can be used to fetch objects but cannot write updates.`
			`func NewReadOnlyClient(ctx context.Context, region, bucket, distributionID string,`
			`log *logger.Logger,`
			`) (*Client, error) {`
			`cfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(region))`
			`if err != nil {`
			`return nil, err`
			`}`
			`s3c := s3.NewFromConfig(cfg)`

			`return &Client{`
			`config: cfg,`
			`s3Client: s3c,`
			`bucket: bucket,`
			`distributionID: distributionID,`
			`DryRun: true,`
			`Log: log,`
			`}, nil`
			`}`

			`// NewClient creates a new client for the versions API.`
			`func NewClient(ctx context.Context, region, bucket, distributionID string, dryRun bool,`
			`log *logger.Logger,`
			`) (*Client, error) {`
			`cfg, err := awsconfig.LoadDefaultConfig(ctx, awsconfig.WithRegion(region))`
			`if err != nil {`
			`return nil, err`
			`}`

			`cloudfrontC := cloudfront.NewFromConfig(cfg)`
			`s3C := s3.NewFromConfig(cfg)`
			`uploadC := s3manager.NewUploader(s3C)`

			`return &Client{`
			`config: cfg,`
			`cloudfrontClient: cloudfrontC,`
			`s3Client: s3C,`
			`uploadClient: uploadC,`
			`bucket: bucket,`
			`distributionID: distributionID,`
			`DryRun: dryRun,`
			`Log: log,`
			`cacheInvalidationWaitTimeout: 10 * time.Minute,`
			`}, nil`
			`}`

			`// InvalidateCache invalidates the CDN cache for the paths that have been written.`
			`// The function should be deferred after the client has been created.`
			`func (c *Client) InvalidateCache(ctx context.Context) error {`
			`if len(c.dirtyPaths) == 0 {`
			`c.Log.Debugf("No dirty paths, skipping cache invalidation")`
			`return nil`
			`}`

			`if c.DryRun {`
			`c.Log.With(zap.String("distributionID", c.distributionID), zap.Strings("dirtyPaths", c.dirtyPaths)).Debugf("DryRun: cloudfront create invalidation")`
			`return nil`
			`}`

			`c.Log.Debugf("Paths to invalidate: %v", c.dirtyPaths)`

			`in := &cloudfront.CreateInvalidationInput{`
			`DistributionId: &c.distributionID,`
			`InvalidationBatch: &cftypes.InvalidationBatch{`
			`CallerReference: ptr(fmt.Sprintf("%d", time.Now().Unix())),`
			`Paths: &cftypes.Paths{`
			`Items: c.dirtyPaths,`
			`Quantity: ptr(int32(len(c.dirtyPaths))),`
			`},`
			`},`
			`}`
			`invalidation, err := c.cloudfrontClient.CreateInvalidation(ctx, in)`
			`if err != nil {`
			`return fmt.Errorf("creating invalidation: %w", err)`
			`}`

			`c.Log.Debugf("Waiting for invalidation %s to complete", *invalidation.Invalidation.Id)`
			`waiter := cloudfront.NewInvalidationCompletedWaiter(c.cloudfrontClient)`
			`waitIn := &cloudfront.GetInvalidationInput{`
			`DistributionId: &c.distributionID,`
			`Id: invalidation.Invalidation.Id,`
			`}`
			`if err := waiter.Wait(ctx, waitIn, c.cacheInvalidationWaitTimeout); err != nil {`
			`return fmt.Errorf("waiting for invalidation to complete: %w", err)`
			`}`

			`return nil`
			`}`

			`// DeletePath deletes all objects at a given path from a s3 bucket.`
			`func (c *Client) DeletePath(ctx context.Context, path string) error {`
			`listIn := &s3.ListObjectsV2Input{`
			`Bucket: &c.bucket,`
			`Prefix: &path,`
			`}`
			`c.Log.Debugf("Listing objects in %s", path)`
			`objs := []s3types.Object{}`
			`out := &s3.ListObjectsV2Output{IsTruncated: true}`
			`for out.IsTruncated {`
			`var err error`
			`out, err = c.s3Client.ListObjectsV2(ctx, listIn)`
			`if err != nil {`
			`return fmt.Errorf("listing objects in %s: %w", path, err)`
			`}`
			`objs = append(objs, out.Contents...)`
			`}`
			`c.Log.Debugf("Found %d objects in %s", len(objs), path)`

			`if len(objs) == 0 {`
			`c.Log.Warnf("Path %s is already empty", path)`
			`return nil`
			`}`

			`objIDs := make([]s3types.ObjectIdentifier, len(objs))`
			`for i, obj := range objs {`
			`objIDs[i] = s3types.ObjectIdentifier{Key: obj.Key}`
			`}`

			`if c.DryRun {`
			`c.Log.Debugf("DryRun: Deleting %d objects with IDs %v", len(objs), objIDs)`
			`return nil`
			`}`

			`c.dirtyPaths = append(c.dirtyPaths, "/"+path)`

			`deleteIn := &s3.DeleteObjectsInput{`
			`Bucket: &c.bucket,`
			`Delete: &s3types.Delete{`
			`Objects: objIDs,`
			`},`
			`}`
			`c.Log.Debugf("Deleting %d objects in %s", len(objs), path)`
			`if _, err := c.s3Client.DeleteObjects(ctx, deleteIn); err != nil {`
			`return fmt.Errorf("deleting objects in %s: %w", path, err)`
			`}`

			`return nil`
			`}`

			`func ptr[T any](t T) *T {`
			`return &t`
			`}`

			`type apiObject interface {`
			`ValidateRequest() error`
			`Validate() error`
			`JSONPath() string`
			`}`

			`// Fetch fetches the given apiObject from the public Constellation CDN.`
			`func Fetch[T apiObject](ctx context.Context, c *Client, obj T) (T, error) {`
			`if err := obj.ValidateRequest(); err != nil {`
			`return *new(T), fmt.Errorf("validating request for %T: %w", obj, err)`
			`}`

			`in := &s3.GetObjectInput{`
			`Bucket: &c.bucket,`
			`Key: ptr(obj.JSONPath()),`
			`}`

			`c.Log.Debugf("Fetching %T from s3: %s", obj, obj.JSONPath())`
			`out, err := c.s3Client.GetObject(ctx, in)`
			`var noSuchkey *s3types.NoSuchKey`
			`if errors.As(err, &noSuchkey) {`
			`return *new(T), &NotFoundError{err: err}`
			`} else if err != nil {`
			`return *new(T), fmt.Errorf("getting s3 object at %s: %w", obj.JSONPath(), err)`
			`}`
			`defer out.Body.Close()`

			`var newObj T`
			`if err := json.NewDecoder(out.Body).Decode(&newObj); err != nil {`
			`return *new(T), fmt.Errorf("decoding %T: %w", obj, err)`
			`}`

			`if newObj.Validate() != nil {`
			`return *new(T), fmt.Errorf("received invalid %T: %w", newObj, newObj.Validate())`
			`}`

			`return newObj, nil`
			`}`

			`// Update creates/updates the given apiObject in the public Constellation CDN.`
			`func Update[T apiObject](ctx context.Context, c *Client, obj T) error {`
			`if err := obj.Validate(); err != nil {`
			`return fmt.Errorf("validating %T struct: %w", obj, err)`
			`}`

			`rawJSON, err := json.Marshal(obj)`
			`if err != nil {`
			`return fmt.Errorf("marshaling %T struct: %w", obj, err)`
			`}`

			`if c.DryRun {`
			`c.Log.With(zap.String("bucket", c.bucket), zap.String("key", obj.JSONPath()), zap.String("body", string(rawJSON))).Debugf("DryRun: s3 put object")`
			`return nil`
			`}`

			`in := &s3.PutObjectInput{`
			`Bucket: &c.bucket,`
			`Key: ptr(obj.JSONPath()),`
			`Body: bytes.NewBuffer(rawJSON),`
			`}`

			`c.dirtyPaths = append(c.dirtyPaths, "/"+obj.JSONPath())`

			`c.Log.Debugf("Uploading %T to s3: %v", obj, obj.JSONPath())`
			`if _, err := c.uploadClient.Upload(ctx, in); err != nil {`
			`return fmt.Errorf("uploading %T: %w", obj, err)`
			`}`

			`return nil`
			`}`

			`// NotFoundError is an error that is returned when a resource is not found.`
			`type NotFoundError struct {`
			`err error`
			`}`

			`func (e *NotFoundError) Error() string {`
			`return fmt.Sprintf("the requested resource was not found: %s", e.err.Error())`
			`}`

			`func (e *NotFoundError) Unwrap() error {`
			`return e.err`
			`}`