Revert "feat: read legacy s3 key from s3 for artifact API requests [3/4]" (#1120)

Author: n1ru4l

integration-tests/testkit/flow.ts

@@ -1,5 +1,6 @@
 import { gql } from '@app/gql';
 import { fetch } from '@whatwg-node/fetch';
+import { OperationBodyByHashInput } from './../../packages/web/app/src/graphql/index';
 import type {
   AnswerOrganizationTransferRequestInput,
   CreateOrganizationInput,
@@ -9,7 +10,6 @@ import type {
   DeleteTokensInput,
   EnableExternalSchemaCompositionInput,
   InviteToOrganizationByEmailInput,
-  OperationBodyByHashInput,
   OperationsStatsSelectorInput,
   OrganizationMemberAccessInput,
   OrganizationSelectorInput,

integration-tests/tests/api/artifacts-cdn.spec.ts

@@ -24,33 +24,29 @@ const s3Client = new S3Client({
   forcePathStyle: true,
 });
 
-async function deleteS3Object(s3Client: S3Client, bucketName: string, keysToDelete: Array<string>) {
-  if (keysToDelete.length) {
-    const deleteObjectsCommand = new DeleteObjectsCommand({
-      Bucket: bucketName,
-      Delete: { Objects: keysToDelete.map(key => ({ Key: key })) },
-    });
-
-    await s3Client.send(deleteObjectsCommand);
-  }
-}
-
 async function deleteAllS3BucketObjects(s3Client: S3Client, bucketName: string) {
   const listObjectsCommand = new ListObjectsCommand({
     Bucket: bucketName,
   });
   const result = await s3Client.send(listObjectsCommand);
-  const keysToDelete: Array<string> = [];
+  const keysToDelete: Array<{ Key: string }> = [];
 
   if (result.Contents) {
     for (const item of result.Contents) {
       if (item.Key) {
-        keysToDelete.push(item.Key);
+        keysToDelete.push({ Key: item.Key });
       }
     }
   }
 
-  await deleteS3Object(s3Client, bucketName, keysToDelete);
+  if (keysToDelete.length) {
+    const deleteObjectsCommand = new DeleteObjectsCommand({
+      Bucket: bucketName,
+      Delete: { Objects: keysToDelete },
+    });
+
+    await s3Client.send(deleteObjectsCommand);
+  }
 }
 
 async function fetchS3ObjectArtifact(
@@ -159,55 +155,6 @@ function runArtifactsCDNTests(
       expect(isMatch).toEqual(true);
     });
 
-    test.concurrent(
-      'deleting (legacy) cdn access token from s3 revokes artifact cdn access',
-      async () => {
-        const { createOrg } = await initSeed().createOwner();
-        const { createProject } = await createOrg();
-        const { createToken, target } = await createProject(ProjectType.Single);
-        const writeToken = await createToken({
-          targetScopes: [TargetAccessScope.RegistryRead, TargetAccessScope.RegistryWrite],
-        });
-
-        const publishSchemaResult = await writeToken
-          .publishSchema({
-            author: 'Kamil',
-            commit: 'abc123',
-            sdl: `type Query { ping: String }`,
-          })
-          .then(r => r.expectNoGraphQLErrors());
-
-        const cdnAccess = await writeToken.createCdnAccess();
-        const endpointBaseUrl = await getBaseEndpoint();
-
-        // First roundtrip
-        const url = buildEndpointUrl(endpointBaseUrl, target!.id, 'sdl');
-        let response = await fetch(url, {
-          method: 'GET',
-          headers: {
-            'x-hive-cdn-key': cdnAccess.token,
-          },
-        });
-        expect(response.status).toEqual(200);
-        expect(await response.text()).toMatchInlineSnapshot(`
-        "type Query {
-          ping: String
-        }"
-        `);
-
-        await deleteS3Object(s3Client, 'artifacts', [`cdn-legacy-keys/${target.id}`]);
-
-        // Second roundtrip
-        response = await fetch(url, {
-          method: 'GET',
-          headers: {
-            'x-hive-cdn-key': cdnAccess.token,
-          },
-        });
-        expect(response.status).toEqual(403);
-      },
-    );
-
     test.concurrent('access SDL artifact with valid credentials', async () => {
       const { createOrg } = await initSeed().createOwner();
       const { createProject } = await createOrg();
@@ -419,6 +366,7 @@ function runArtifactsCDNTests(
 
         expect(response.status).toEqual(200);
         const result = await response.json();
+        console.log(result);
         expect(result.data.__schema.types).toContainEqual({
           name: 'Query',
           fields: [{ name: 'ping' }],

packages/services/api/package.json

@@ -42,7 +42,6 @@
   },
   "devDependencies": {
     "@graphql-hive/core": "0.2.3",
-    "@hive/cdn-script": "workspace:*",
     "@hive/emails": "workspace:*",
     "@hive/schema": "workspace:*",
     "@hive/storage": "workspace:*",

packages/services/api/src/create.ts

@@ -1,5 +1,4 @@
 import { createApplication, Scope } from 'graphql-modules';
-import { AwsClient } from '@hive/cdn-script/aws';
 import { activityModule } from './modules/activity';
 import { adminModule } from './modules/admin';
 import { alertsModule } from './modules/alerts';
@@ -55,6 +54,7 @@ import {
   USAGE_ESTIMATION_SERVICE_CONFIG,
   UsageEstimationServiceConfig,
 } from './modules/usage-estimation/providers/tokens';
+import { AwsClient } from './shared/aws';
 
 const modules = [
   sharedModule,

packages/services/cdn-worker/src/artifact-storage-reader.ts renamed to packages/services/api/src/modules/schema/providers/artifact-storage-reader.ts

@@ -1,7 +1,7 @@
 /**
  * IMPORTANT NOTE: This file needs to be kept platform-agnostic, don't use any Node.js specific APIs.
  */
-import { AwsClient } from './aws';
+import { AwsClient } from '../../../shared/aws';
 
 const presignedUrlExpirationSeconds = 60;
 
@@ -17,22 +17,32 @@ export type ArtifactsType = SDLArtifactTypes | 'metadata' | 'services' | 'superg
  */
 export class ArtifactStorageReader {
   private publicUrl: URL | null;
+  private awsClient: AwsClient;
+  private s3Endpoint: string;
 
   constructor(
-    private s3: {
-      client: AwsClient;
+    s3Config: {
+      accessKeyId: string;
+      secretAccessKey: string;
       endpoint: string;
-      bucketName: string;
     },
+    private bucketName: string,
     /** The public URL in case the public S3 endpoint differs from the internal S3 endpoint. E.g. within a docker network. */
     publicUrl: string | null,
   ) {
     this.publicUrl = publicUrl ? new URL(publicUrl) : null;
+    this.awsClient = new AwsClient({
+      accessKeyId: s3Config.accessKeyId,
+      secretAccessKey: s3Config.secretAccessKey,
+      region: 'auto',
+      service: 's3',
+    });
+    this.s3Endpoint = s3Config.endpoint;
   }
 
   private async generatePresignedGetUrl(key: string): Promise<string> {
-    const signedUrl = await this.s3.client.sign(
-      [this.s3.endpoint, this.s3.bucketName, key].join('/'),
+    const signedUrl = await this.awsClient.sign(
+      this.s3Endpoint + `/` + this.bucketName + '/' + key,
       {
         method: 'GET',
         aws: { signQuery: true },
@@ -66,8 +76,8 @@ export class ArtifactStorageReader {
 
     const key = buildArtifactStorageKey(targetId, artifactType);
 
-    const response = await this.s3.client.fetch(
-      [this.s3.endpoint, this.s3.bucketName, key].join('/'),
+    const response = await this.awsClient.fetch(
+      this.s3Endpoint + '/' + this.bucketName + '/' + key,
       {
         method: 'HEAD',
       },

packages/services/api/src/modules/schema/providers/artifact-storage-writer.ts

@@ -1,6 +1,6 @@
 import { Inject } from 'graphql-modules';
-import { buildArtifactStorageKey } from '@hive/cdn-script/artifact-storage-reader';
 import { S3_CONFIG, type S3Config } from '../../shared/providers/s3-config';
+import { buildArtifactStorageKey } from './artifact-storage-reader';
 
 const artifactMeta = {
   sdl: {

packages/services/api/src/modules/shared/providers/s3-config.ts

@@ -1,5 +1,5 @@
 import { InjectionToken } from 'graphql-modules';
-import type { AwsClient } from '@hive/cdn-script/aws';
+import type { AwsClient } from '../../../shared/aws';
 
 export interface S3Config {
   client: AwsClient;

packages/services/cdn-worker/src/aws.ts renamed to packages/services/api/src/shared/aws.ts

@@ -12,13 +12,13 @@
     "graphql": "^16.0.0"
   },
   "dependencies": {
-    "bcryptjs": "2.4.3",
     "graphql": "16.6.0",
     "toucan-js": "2.7.0",
     "zod": "3.20.2"
   },
   "devDependencies": {
     "@cloudflare/workers-types": "4.20221111.1",
+    "@hive/api": "workspace:*",
     "@types/service-worker-mock": "2.0.1",
     "@whatwg-node/fetch": "0.6.2",
     "@whatwg-node/server": "0.5.7",

packages/services/cdn-worker/package.json

@@ -1,8 +1,9 @@
 import itty from 'itty-router';
 import zod from 'zod';
+import type { ArtifactsType } from '@hive/api/src/modules/schema/providers/artifact-storage-reader';
 import { createFetch, type Request } from '@whatwg-node/fetch';
-import { type Analytics, createAnalytics } from './analytics';
-import { type ArtifactsType } from './artifact-storage-reader';
+import type { Analytics } from './analytics';
+import { createAnalytics } from './analytics';
 import { InvalidAuthKeyResponse, MissingAuthKeyResponse } from './errors';
 import type { KeyValidator } from './key-validation';
 

packages/services/cdn-worker/src/artifact-handler.ts

@@ -1,10 +1,9 @@
 import { createServer } from 'http';
 import itty from 'itty-router';
 import { json, withParams } from 'itty-router-extras';
+import { ArtifactStorageReader } from '@hive/api/src/modules/schema/providers/artifact-storage-reader';
 import { createServerAdapter } from '@whatwg-node/server';
 import { createArtifactRequestHandler } from './artifact-handler';
-import { ArtifactStorageReader } from './artifact-storage-reader';
-import { AwsClient } from './aws';
 import './dev-polyfill';
 import { devStorage } from './dev-polyfill';
 import { createRequestHandler } from './handler';
@@ -13,38 +12,41 @@ import { createIsKeyValid } from './key-validation';
 // eslint-disable-next-line no-process-env
 const PORT = process.env.PORT ? parseInt(process.env.PORT, 10) : 4010;
 
-declare let S3_ENDPOINT: string;
-declare let S3_ACCESS_KEY_ID: string;
-declare let S3_SECRET_ACCESS_KEY: string;
-declare let S3_BUCKET_NAME: string;
-declare let S3_PUBLIC_URL: string;
-
-const s3 = {
-  client: new AwsClient({
-    accessKeyId: S3_ACCESS_KEY_ID,
-    secretAccessKey: S3_SECRET_ACCESS_KEY,
-    service: 's3',
-  }),
-  bucketName: S3_BUCKET_NAME,
-  endpoint: S3_ENDPOINT,
-};
-
 /**
  * KV Storage for the CDN
  */
 // eslint-disable-next-line @typescript-eslint/ban-ts-comment
 // @ts-ignore
 declare let HIVE_DATA: KVNamespace;
 
+/**
+ * Secret used to sign the CDN keys
+ */
+declare let KEY_DATA: string;
+
 const handleRequest = createRequestHandler({
   getRawStoreValue: value => HIVE_DATA.get(value),
-  isKeyValid: createIsKeyValid({ s3, waitUntil: null, getCache: () => null }),
+  isKeyValid: createIsKeyValid({ keyData: KEY_DATA }),
 });
 
-const artifactStorageReader = new ArtifactStorageReader(s3, S3_PUBLIC_URL);
+declare let S3_ENDPOINT: string;
+declare let S3_ACCESS_KEY_ID: string;
+declare let S3_SECRET_ACCESS_KEY: string;
+declare let S3_BUCKET_NAME: string;
+declare let S3_PUBLIC_URL: string;
+
+const artifactStorageReader = new ArtifactStorageReader(
+  {
+    accessKeyId: S3_ACCESS_KEY_ID,
+    secretAccessKey: S3_SECRET_ACCESS_KEY,
+    endpoint: S3_ENDPOINT,
+  },
+  S3_BUCKET_NAME,
+  S3_PUBLIC_URL,
+);
 
 const handleArtifactRequest = createArtifactRequestHandler({
-  isKeyValid: createIsKeyValid({ s3, waitUntil: null, getCache: () => null }),
+  isKeyValid: createIsKeyValid({ keyData: KEY_DATA }),
   async getArtifactAction(targetId, artifactType, eTag) {
     return artifactStorageReader.generateArtifactReadUrl(targetId, artifactType, eTag);
   },