Update shell implementation for deno

Author: zph

ext/deno/runbook/deno.json

@@ -0,0 +1,6 @@
+{
+  "imports": {
+    "dax": "jsr:@david/dax@^0.42.0",
+    "@std/assert": "jsr:@std/assert@1"
+  }
+}

ext/deno/runbook/deno.lock

@@ -0,0 +1,51 @@
+import * as log from "jsr:@std/log";
+
+export const timestampISOLocal = (date: Date) => {
+  // subtract the offset from t
+  const offset = date.getTime() - date.getTimezoneOffset() * 60 * 1000;
+  // create shifted Date object
+  const local = new Date(offset);
+  // convert to ISO format string
+  return local.toISOString();
+};
+
+// Using .cache to avoid spreading temporary files across the repo
+// and to be clear that they're transient
+export const fileHandler = new log.FileHandler("INFO", {
+  filename: [
+    // TODO: decide how to populate this
+    Deno.env.get("RUNBOOK_DIR"),
+    "runbooks",
+    ".cache",
+    "logs",
+    "audit",
+    "output.log",
+  ].join("/"),
+  formatter: (record) =>
+    JSON.stringify({
+      level: record.levelName,
+      message: record.msg,
+      ts: timestampISOLocal(record.datetime),
+      name: record.loggerName,
+      // Note this requires we use logs with only a type signature of `log.info("message", {})`
+      // not variadric usage
+      args: record.args[0],
+    }),
+});
+
+log.setup({
+  handlers: {
+    // TODO: decide on re-enabling fileHandler
+    // file: fileHandler,
+    console: new log.ConsoleHandler("INFO"),
+  },
+
+  loggers: {
+    default: {
+      level: "INFO",
+      handlers: ["console"],
+    },
+  },
+});
+
+export { log };

ext/deno/runbook/log.ts

@@ -1,7 +1,9 @@
+export * from "./shell.ts";
+
 // Mod.ts for runbook-deno helpers
 // Default Setup
 // See deno dax module for capabilities, including $.request, retry, etc
-import {CommandBuilder, build$} from "jsr:@david/dax";
+import {CommandBuilder, build$} from "dax";
 
 const commandBuilder = new CommandBuilder()
   .stdout("inheritPiped")

ext/deno/runbook/mod.ts

@@ -0,0 +1,35 @@
+export interface Secrets {
+  [key: string]: () => Promise<string>;
+}
+
+export class SecureEnvironment {
+  #secrets: Secrets;
+  constructor(secrets: Secrets) {
+    this.#secrets = secrets;
+  }
+
+  async load(): Promise<{ [key: string]: string }> {
+    const acc: { [key: string]: string } = {};
+    for await (const [k, v] of Object.entries(this.#secrets)) {
+      const resolved = await v();
+      acc[k] = resolved;
+    }
+
+    // Ensure that we don't have overlapping secret keys
+    // because they will have undefined behavior during
+    // replacements
+    this.ensureNonOverlappingKeys(acc);
+    return acc;
+  }
+
+  ensureNonOverlappingKeys(kvs: { [key: string]: string }) {
+    const keys = Object.keys(kvs);
+    keys.forEach((key, _i) => {
+      keys.forEach((kx, _ix) => {
+        if (kx.includes(key) && key !== kx) {
+          throw new Error(`Secrets cannot overlap: ${key} and ${kx}`);
+        }
+      });
+    });
+  }
+}

ext/deno/runbook/secrets.ts

@@ -0,0 +1,33 @@
+import {
+  GetParameterCommand,
+  SSMClient,
+} from "npm:@aws-sdk/client-ssm@^3.315.0";
+
+const REGION = 'us-east-1'
+
+export const getParameterByNameBuilder = async (region: string): Promise<(name: string) => Promise<string>> => {
+  return async (name: string) => {
+    const ssmClient = new SSMClient({ region: REGION });
+    try {
+      const { Parameter } = await ssmClient.send(
+        new GetParameterCommand({
+          Name: name,
+          WithDecryption: true,
+        }),
+      );
+
+      if (Parameter?.Value == null) {
+        throw new Error(
+          `No parameters found for ${name}.`,
+        );
+      }
+
+      return Parameter.Value;
+    } finally {
+      ssmClient.destroy();
+    }
+
+  }
+};
+
+export const getParameterByName = getParameterByNameBuilder(REGION)

ext/deno/runbook/secrets/aws_parameter_store.ts

@@ -0,0 +1,15 @@
+import { $ } from "jsr:@david/dax";
+
+export async function getTokenFromVaultByPath(path: string) {
+  const hasOp = await $.which("op");
+  if (hasOp) {
+    const result = await $
+      .raw`op read "${path}"`
+      .text();
+    return result.trim();
+  } else {
+    throw new Error(
+      "No way to get slack token from vault. Appears that 1password cli is failing. See 1password cli setup instructions and Try again.",
+    );
+  }
+}

ext/deno/runbook/secrets/one_password_cli.ts

@@ -0,0 +1,35 @@
+export interface SecureCommandResultParams {
+  timing: {
+    duration_ms: number;
+    start: string;
+    end: string;
+  };
+  ts: string;
+  code: number;
+  command: string;
+  stdout: string;
+  stderr: string;
+}
+
+export interface SecureCommandResultRaw {
+  // stdout is the output of the command with trimEnd() applied
+  stdout: string;
+  stderr: string;
+  code: number;
+  command: string;
+}
+
+export type RunOptions = {
+  stdin?: string;
+  verbose?: boolean;
+  // TODO(zph): thread this through
+  //env?: SecureEnvironment;
+  noThrow?: boolean;
+  dryRun?: boolean;
+};
+
+export interface CommandResultStub {
+  stdout: string;
+  stderr: string;
+  code: number;
+}