Add rules (#171)

* step 1: restore from our earlier iteration

* Very rough first pass on create

* Better name

* Wrap up editor prompt / rules create flow

* Rules: CRUD is done

* Cleanup

* Lint

* Finalize rules

Pick 5 templates to start.

* Tweak flags so we don't repeat ourselves too much

* Add docs for flags.Required()

* Switch to using new ansi.Waiting for most cases

* Ask name after fetching rule

* Subtle fix: update && not required should not prompt

* Cleanup

* Add a note for now that we're going to do something for next time

* Remove `Required()` use

* Amend to have AlwaysPrompt logic

internal/auth/auth.go

@@ -27,6 +27,7 @@ var requiredScopes = []string{
 	"offline_access", // <-- to get a refresh token.
 	"create:clients", "delete:clients", "read:clients", "update:clients",
 	"create:resource_servers", "delete:resource_servers", "read:resource_servers", "update:resource_servers",
+	"create:rules", "delete:rules", "read:rules", "update:rules",
 	"read:client_keys", "read:logs",
 }
 

internal/auth/auth_test.go

@@ -7,6 +7,7 @@ func TestRequiredScopes(t *testing.T) {
 		crudResources := []string{
 			"clients",
 			"resource_servers",
+			"rules",
 		}
 		crudPrefixes := []string{"create:", "delete:", "read:", "update:"}
 

internal/auth0/auth0.go

@@ -15,6 +15,7 @@ type API struct {
 	Client          ClientAPI
 	Log             LogAPI
 	ResourceServer  ResourceServerAPI
+	Rule            RuleAPI
 }
 
 func NewAPI(m *management.Management) *API {
@@ -26,6 +27,7 @@ func NewAPI(m *management.Management) *API {
 		Client:          m.Client,
 		Log:             m.Log,
 		ResourceServer:  m.ResourceServer,
+		Rule:            m.Rule,
 	}
 }
 

internal/auth0/rule.go

@@ -0,0 +1,25 @@
+//go:generate mockgen -source=rule.go -destination=rule_mock.go -package=auth0
+
+package auth0
+
+import "gopkg.in/auth0.v5/management"
+
+type RuleAPI interface {
+	// Create a new rule.
+	//
+	// Note: Changing a rule's stage of execution from the default `login_success`
+	// can change the rule's function signature to have user omitted.
+	Create(r *management.Rule, opts ...management.RequestOption) error
+
+	// Retrieve rule details. Accepts a list of fields to include or exclude in the result.
+	Read(id string, opts ...management.RequestOption) (r *management.Rule, err error)
+
+	// Update an existing rule.
+	Update(id string, r *management.Rule, opts ...management.RequestOption) error
+
+	// Delete a rule.
+	Delete(id string, opts ...management.RequestOption) error
+
+	// List all rules.
+	List(opts ...management.RequestOption) (r *management.RuleList, err error)
+}

internal/cli/apps.go

@@ -49,11 +49,12 @@ var (
 		IsRequired: false,
 	}
 	appCallbacks = Flag{
-		Name:       "Callback URLs",
-		LongForm:   "callbacks",
-		ShortForm:  "c",
-		Help:       "After the user authenticates we will only call back to any of these URLs. You can specify multiple valid URLs by comma-separating them (typically to handle different environments like QA or testing). Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native apps, all callbacks should use protocol https://.",
-		IsRequired: false,
+		Name:         "Callback URLs",
+		LongForm:     "callbacks",
+		ShortForm:    "c",
+		Help:         "After the user authenticates we will only call back to any of these URLs. You can specify multiple valid URLs by comma-separating them (typically to handle different environments like QA or testing). Make sure to specify the protocol (https://) otherwise the callback may fail in some cases. With the exception of custom URI schemes for native apps, all callbacks should use protocol https://.",
+		IsRequired:   false,
+		AlwaysPrompt: true,
 	}
 	appOrigins = Flag{
 		Name:       "Allowed Origin URLs",

internal/cli/cli.go

@@ -381,3 +381,11 @@ func prepareInteractivity(cmd *cobra.Command) {
 		})
 	}
 }
+
+func flagOptionsFromMapping(mapping map[string]string) []string {
+	result := make([]string, 0, len(mapping))
+	for k := range mapping {
+		result = append(result, k)
+	}
+	return result
+}

internal/cli/data/rule-template-add-email-to-access-token.js

@@ -0,0 +1,8 @@
+function addEmailToAccessToken(user, context, callback) {
+  // This rule adds the authenticated user's email address to the access token.
+
+  var namespace = 'https://example.com/';
+
+  context.accessToken[namespace + 'email'] = user.email;
+  return callback(null, user, context);
+}

internal/cli/data/rule-template-check-last-password-reset.js

@@ -0,0 +1,12 @@
+function checkLastPasswordReset(user, context, callback) {
+  function daydiff(first, second) {
+    return (second - first) / (1000 * 60 * 60 * 24);
+  }
+
+  const last_password_change = user.last_password_reset || user.created_at;
+
+  if (daydiff(new Date(last_password_change), new Date()) > 30) {
+    return callback(new UnauthorizedError('please change your password'));
+  }
+  callback(null, user, context);
+}

internal/cli/data/rule-template-empty-rule.js

@@ -0,0 +1,3 @@
+function(user, context, cb) {
+  cb(null, user, context);
+}

internal/cli/data/rule-template-ip-address-allow-list.js

@@ -0,0 +1,12 @@
+function ipAddressAllowList(user, context, callback) {
+  const allowlist = ['1.2.3.4', '2.3.4.5']; // authorized IPs
+  const userHasAccess = allowlist.some(function (ip) {
+    return context.request.ip === ip;
+  });
+
+  if (!userHasAccess) {
+    return callback(new Error('Access denied from this IP address.'));
+  }
+
+  return callback(null, user, context);
+}

internal/cli/data/rule-template-ip-address-deny-list.js

@@ -0,0 +1,14 @@
+function ipAddressDenylist(user, context, callback) {
+  const denylist = ['1.2.3.4', '2.3.4.5']; // unauthorized IPs
+  const notAuthorized = denylist.some(function (ip) {
+    return context.request.ip === ip;
+  });
+
+  if (notAuthorized) {
+    return callback(
+      new UnauthorizedError('Access denied from this IP address.')
+    );
+  }
+
+  return callback(null, user, context);
+}

internal/cli/flags.go

@@ -7,11 +7,12 @@ import (
 )
 
 type Flag struct {
-	Name       string
-	LongForm   string
-	ShortForm  string
-	Help       string
-	IsRequired bool
+	Name         string
+	LongForm     string
+	ShortForm    string
+	Help         string
+	IsRequired   bool
+	AlwaysPrompt bool
 }
 
 func (f Flag) GetName() string {
@@ -94,14 +95,6 @@ func selectFlag(cmd *cobra.Command, f *Flag, value interface{}, options []string
 	return nil
 }
 
-func shouldAsk(cmd *cobra.Command, f *Flag, isUpdate bool) bool {
-	if isUpdate {
-		return shouldPromptWhenFlagless(cmd, f.LongForm)
-	}
-
-	return shouldPrompt(cmd, f.LongForm)
-}
-
 func registerString(cmd *cobra.Command, f *Flag, value *string, defaultValue string, isUpdate bool) {
 	cmd.Flags().StringVarP(value, f.LongForm, f.ShortForm, defaultValue, f.Help)
 
@@ -134,6 +127,18 @@ func registerBool(cmd *cobra.Command, f *Flag, value *bool, defaultValue bool, i
 	}
 }
 
+func shouldAsk(cmd *cobra.Command, f *Flag, isUpdate bool) bool {
+	if isUpdate {
+		if !f.AlwaysPrompt {
+			return false
+		}
+
+		return shouldPromptWhenFlagless(cmd, f.LongForm)
+	}
+
+	return shouldPrompt(cmd, f.LongForm)
+}
+
 func markFlagRequired(cmd *cobra.Command, f *Flag, isUpdate bool) error {
 	if f.IsRequired && !isUpdate {
 		return cmd.MarkFlagRequired(f.LongForm)

internal/cli/root.go

@@ -80,6 +80,7 @@ func Execute() {
 	rootCmd.AddCommand(loginCmd(cli))
 	rootCmd.AddCommand(tenantsCmd(cli))
 	rootCmd.AddCommand(appsCmd(cli))
+	rootCmd.AddCommand(rulesCmd(cli))
 	rootCmd.AddCommand(quickstartsCmd(cli))
 	rootCmd.AddCommand(apisCmd(cli))
 	rootCmd.AddCommand(testCmd(cli))