feat: refactor deployer to run locally without auth

CONTRIBUTING.md

@@ -155,52 +155,33 @@ make docker-compose.rendered.yml
 docker compose -f docker-compose.rendered.yml up provisioner
 ```
 
-This starts the provisioner and the auth service, while preventing `gateway` from starting up. Next up we need to
-insert an admin user into the `auth` state using the ID of the `auth` container and the auth CLI `init` command:
+This starts the provisioner and the auth service, while preventing `gateway` from starting up.
+Next up we need to insert an admin user into the `auth` state using the ID of the `auth`
+container and the auth CLI `init` command:
 
 ```bash
 AUTH_CONTAINER_ID=$(docker ps -aqf "name=shuttle-auth") \
     docker exec $AUTH_CONTAINER_ID ./usr/local/bin/service \
     --state=/var/lib/shuttle-auth \
     init --name admin --key test-key
 ```
+> Note: if you have done this already for this container you will get a "UNIQUE constraint failed"
+> error, you can ignore this.
 
-Before we can run commands against a local deployer, we need to get a valid JWT and set it in our
-`.config/shuttle/config.toml` as our `api_key`. By running the following curl command, we will request
-that our api-key in the `Authorization` header be converted to a JWT, which will be returned in the response:
+We need to make sure we're logged in with the same key we inserted for the admin user in the
+previous step:
 
 ```bash
-curl -H "Authorization: Bearer test-key" localhost:8008/auth/key
+cargo shuttle login --api-key test-key
 ```
 
-Now copy the `token` value (just the value, not the key) from the curl response, and write it to your shuttle
-config (which will be a file named `config.toml` in a directory named `shuttle` in one of 
-[these places](https://docs.rs/dirs/latest/dirs/fn.config_dir.html) depending on your OS).
+We're now ready to start a local run of the deployer:
 
 ```bash
-# replace <jwt> with the token from the previous command
-echo "api_key = '<jwt>'" > ~/.config/shuttle/config.toml
+cargo run -p shuttle-deployer -- --provisioner-address http://localhost:5000 --auth-uri http://localhost:8008 --proxy-fqdn local.rs --admin-secret test-key --local --project <project_name>
 ```
 
-> Note: The JWT will expire in 15 minutes, at which point you need to run the commands again.
-> If you have [`jq`](https://github.com/stedolan/jq/wiki/Installation) installed you can combine
-> the two above commands into the following:
-```bash
-curl -s -H "Authorization: Bearer test-key" localhost:8008/auth/key \
-    | jq -r '.token' \
-    | read token; echo "api_key='$token'" > ~/.config/shuttle/config.toml
-```
-
-Finally we need to comment out the admin layer in the deployer handlers. So in `deployer/handlers/mod.rs`,
-in the `make_router` function comment out this line: `.layer(AdminSecretLayer::new(admin_secret))`.
-
-And that's it, we're ready to start our deployer!
-
-```bash
-cargo run -p shuttle-deployer -- --provisioner-address http://localhost:8000 --proxy-fqdn local.rs --admin-secret test-key --project <project_name>
-```
-
-The `--admin-secret` can safely be changed to your api-key to make testing easier. While `<project_name>` needs to match the name of the project that will be deployed to this deployer. This is the `Cargo.toml` or `Shuttle.toml` name for the project.
+The `<project_name>` needs to match the name of the project that will be deployed to this deployer. This is the `Cargo.toml` or `Shuttle.toml` name for the project.
 
 ### Using Podman instead of Docker
 

Cargo.toml

@@ -16,11 +16,7 @@ members = [
 exclude = [
   "e2e",
   "examples",
-  "resources/aws-rds",
-  "resources/persist",
-  "resources/secrets",
-  "resources/shared-db",
-  "resources/static-folder",
+  "resources",
   "services",
 ]
 

auth/src/user.rs

@@ -9,7 +9,7 @@ use axum::{
 };
 use rand::distributions::{Alphanumeric, DistString};
 use serde::{Deserialize, Deserializer, Serialize};
-use shuttle_common::claims::Scope;
+use shuttle_common::claims::{Scope, ScopeBuilder};
 use sqlx::{query, Row, SqlitePool};
 use tracing::{trace, Span};
 
@@ -185,33 +185,13 @@ pub enum AccountTier {
 
 impl From<AccountTier> for Vec<Scope> {
     fn from(tier: AccountTier) -> Self {
-        let mut base = vec![
-            Scope::Deployment,
-            Scope::DeploymentPush,
-            Scope::Logs,
-            Scope::Service,
-            Scope::ServiceCreate,
-            Scope::Project,
-            Scope::ProjectCreate,
-            Scope::Resources,
-            Scope::ResourcesWrite,
-            Scope::Secret,
-            Scope::SecretWrite,
-        ];
+        let mut builder = ScopeBuilder::new();
 
         if tier == AccountTier::Admin {
-            base.append(&mut vec![
-                Scope::User,
-                Scope::UserCreate,
-                Scope::AcmeCreate,
-                Scope::CustomDomainCreate,
-                Scope::CustomDomainCertificateRenew,
-                Scope::GatewayCertificateRenew,
-                Scope::Admin,
-            ]);
+            builder = builder.with_admin()
         }
 
-        base
+        builder.build()
     }
 }
 

common/Cargo.toml

@@ -94,4 +94,4 @@ ring = { workspace = true }
 tokio = { workspace = true, features = ["macros", "rt-multi-thread"] }
 tower = { workspace = true, features = ["util"] }
 tracing-fluent-assertions = "0.3.0"
-tracing-subscriber = { version = "0.3", default-features = false }
+tracing-subscriber = { workspace = true }

common/src/claims.rs

@@ -88,6 +88,49 @@ pub enum Scope {
     Admin,
 }
 
+/// Standard scopes for new users.
+const BASE_SCOPES: [Scope; 11] = [
+    Scope::Deployment,
+    Scope::DeploymentPush,
+    Scope::Logs,
+    Scope::Service,
+    Scope::ServiceCreate,
+    Scope::Project,
+    Scope::ProjectCreate,
+    Scope::Resources,
+    Scope::ResourcesWrite,
+    Scope::Secret,
+    Scope::SecretWrite,
+];
+
+/// Additional scopes for admin users.
+const ADMIN_SCOPES: [Scope; 7] = [
+    Scope::User,
+    Scope::UserCreate,
+    Scope::AcmeCreate,
+    Scope::CustomDomainCreate,
+    Scope::CustomDomainCertificateRenew,
+    Scope::GatewayCertificateRenew,
+    Scope::Admin,
+];
+
+pub struct ScopeBuilder(Vec<Scope>);
+
+impl ScopeBuilder {
+    pub fn new() -> Self {
+        Self(BASE_SCOPES.to_vec())
+    }
+
+    pub fn with_admin(mut self) -> Self {
+        self.0.extend(ADMIN_SCOPES.into_iter());
+        self
+    }
+
+    pub fn build(self) -> Vec<Scope> {
+        self.0
+    }
+}
+
 #[derive(Clone, Debug, Deserialize, Serialize, Eq, PartialEq)]
 pub struct Claim {
     /// Expiration time (as UTC timestamp).

deployer/src/args.rs

@@ -50,4 +50,8 @@ pub struct Args {
     /// Uri to folder to store all artifacts
     #[clap(long, default_value = "/tmp")]
     pub artifacts_path: PathBuf,
+
+    /// Run deployer without auth locally
+    #[arg(long)]
+    pub local: bool,
 }

deployer/src/handlers/local.rs

@@ -0,0 +1,86 @@
+use std::net::Ipv4Addr;
+
+use axum::{
+    headers::{authorization::Bearer, Authorization, Cookie, Header, HeaderMapExt},
+    http::Request,
+    middleware::Next,
+    response::Response,
+    Extension,
+};
+use hyper::{
+    client::{connect::dns::GaiResolver, HttpConnector},
+    Body, Client, StatusCode, Uri,
+};
+use hyper_reverse_proxy::ReverseProxy;
+use once_cell::sync::Lazy;
+use serde_json::Value;
+use tracing::error;
+
+static PROXY_CLIENT: Lazy<ReverseProxy<HttpConnector<GaiResolver>>> =
+    Lazy::new(|| ReverseProxy::new(Client::new()));
+
+/// This middleware proxies a request to the auth service to get a JWT, which we need to access
+/// the deployer endpoints, and we'll also need it in the claim layer of the provisioner and runtime
+/// clients.
+///
+/// Follow the steps in https://github.com/shuttle-hq/shuttle/blob/main/CONTRIBUTING.md#testing-deployer-only
+/// to learn how to insert an admin user in the auth state.
+///
+/// WARNING: do not set this layer in production.
+pub async fn set_jwt_bearer<B>(
+    Extension(auth_uri): Extension<Uri>,
+    mut request: Request<B>,
+    next: Next<B>,
+) -> Result<Response, StatusCode> {
+    let mut auth_details = None;
+
+    if let Some(bearer) = request.headers().typed_get::<Authorization<Bearer>>() {
+        auth_details = Some(make_token_request("/auth/key", bearer));
+    }
+
+    if let Some(cookie) = request.headers().typed_get::<Cookie>() {
+        auth_details = Some(make_token_request("/auth/session", cookie));
+    }
+
+    if let Some(token_request) = auth_details {
+        let response = PROXY_CLIENT
+            .call(
+                Ipv4Addr::LOCALHOST.into(),
+                &auth_uri.to_string(),
+                token_request,
+            )
+            .await
+            .expect("failed to proxy request to auth service");
+
+        let body = hyper::body::to_bytes(response.into_body()).await.unwrap();
+        let convert: Value = serde_json::from_slice(&body)
+            .expect("failed to deserialize body as JSON, did you login?");
+
+        let token = convert["token"]
+            .as_str()
+            .expect("response body should have a token");
+
+        request
+            .headers_mut()
+            .typed_insert(Authorization::bearer(token).expect("to set JWT token"));
+
+        let response = next.run(request).await;
+
+        Ok(response)
+    } else {
+        error!("No api-key bearer token or cookie found, make sure you are logged in.");
+        Err(StatusCode::UNAUTHORIZED)
+    }
+}
+
+fn make_token_request(uri: &str, header: impl Header) -> Request<Body> {
+    let mut token_request = Request::builder().uri(uri);
+    token_request
+        .headers_mut()
+        .expect("manual request to be valid")
+        .typed_insert(header);
+
+    token_request
+        .body(Body::empty())
+        .expect("manual request to be valid")
+}