granted package missing assumego symlink

jpeeler commented 1 month ago

package name

common-fate/granted

aqua version

aqua -v
aqua version 2.34.0 (2f9cc345c3c49b9a0c8fcd9d8e1c461bbd8fd533)

Environment

OS: macOS
CPU Architecture: arm64

Overview

Missing assumego symlink.

How to reproduce

Install the package, observe contents of ls -l $(dirname $(aqua which granted)).

$ ls -l $(dirname $(aqua which granted))
total 69880
-rwxr-xr-x  1 jeffrey  staff      5793 Sep 24 19:48 assume
-rw-r--r--  1 jeffrey  staff      2163 Sep 24 16:53 assume.bat
-rw-r--r--  1 jeffrey  staff      3145 Sep 24 16:53 assume.fish
-rw-r--r--  1 jeffrey  staff      2726 Sep 24 16:53 assume.ps1
-rwxr-xr-x  1 jeffrey  staff  35754576 Sep 24 16:53 granted

# aqua.yaml
- name: common-fate/granted@v0.34.1

Sorry got template fatigue.

All that needs to be done is to symlink assumego -> granted, and ensure that assume is callable.

Can look at the brew package to confirm that's what they do.

suzuki-shunsuke commented 1 month ago

Thank you for reporting this issue.

I'm not familiar with granted, so I'm looking into it.

https://docs.commonfate.io/granted/getting-started#installing-the-cli

macOS Manual install

curl -OL https://releases.commonfate.io/granted/v0.31.0/granted_0.31.0_darwin_x86_64.tar.gz
sudo tar -zxvf ./granted_0.31.0_darwin_x86_64.tar.gz -C /usr/local/bin/
ln -s /usr/local/bin/granted /usr/local/bin/assumego

The assumego path is symlinked to granted so that they can both share keychain items without additional prompts. The homebrew install does this automatically but for a manual install on MacOS you’ll need to do it yourself.

assume

#!/bin/sh

#GRANTED_FLAG - what assumego told the shell to do
#GRANTED_n - the data from assumego

# pass an environment variable to the Go binary if the Granted alias hasn't been configured
_this_type=$(type -- "${0##*/}" 2>&1)
# If the type command failed, this is probably a sourced
# file because $0 will be the login shell, e.g., -bash.
# In that case the output will typically contain 'not found'.
# In the case of zsh, the output will contain the word 'alias'.
# shellcheck disable=SC3028
if [ "${_this_type#*not found}" != "$_this_type" ] ||
    [ "${_this_type#*alias}" != "$_this_type" ] || 
    [ "${BASH_SOURCE:-$0}" != "${0}" ]; then
  GRANTED_RETURN_STATUS="true"
  export GRANTED_ALIAS_CONFIGURED="true"
fi

# in some cases such as github actions, the SHELL env var is not available to the program
# so here we set it explicitly
GRANTED_OUTPUT=$(assumego "$@")

# ...

The asset *.tar.gz has a script assume
assume executes assumego
assumego is a symbolic link of granted

So we need to add assume and assumego

files:
  - name: assume
  - name: assumego
    src: granted

~~Seems like assumego isn't necessary on Linux.~~

https://docs.commonfate.io/granted/getting-started#installing-the-cli

Linux (manual)

curl -OL releases.commonfate.io/granted/v0.31.0/granted_0.31.0_linux_x86_64.tar.gz
sudo tar -zxvf ./granted_0.31.0_linux_x86_64.tar.gz -C /usr/local/bin/

suzuki-shunsuke commented 1 month ago

https://github.com/aquaproj/aqua-registry/pull/27178

suzuki-shunsuke commented 1 month ago

I'm trying granted, but when I run assume nothing happens. 🤔

$ granted -v
Granted version: 0.34.1

$ assume

$ echo $?
0

When I install granted by Homebrew, it works.

$ which granted
/opt/homebrew/bin/granted

$ assume
[i] Thanks for using Granted!
[i] By default, Granted will open the AWS console with this browser: Chrome
[!] Granted works best with Firefox but also supports Chrome, Brave, and Edge (https://docs.commonfate.io/granted/introduction#supported-browsers). You can change this setting later by running 'granted browser set'
? Use Firefox as default Granted browser? (Y/n) 
[✘] interrupt

When I install granted and assume by aqua and execute assume directly, it doesn't work.

$ /Users/shunsukesuzuki/.local/share/aquaproj-aqua/pkgs/http/releases.commonfate.io/granted/v0.34.1/granted_0.34.1_darwin_arm64.tar.gz/assume

$ echo $?
0

When I install granted manually according to the official guide, it works. 🤔

$ curl -OL https://releases.commonfate.io/granted/v0.34.1/granted_0.34.1_darwin_arm64.tar.gz
$ tar -zxvf ./granted_0.34.1_darwin_arm64.tar.gz -C ~/bin/
$ ln -s ~/bin/granted ~/bin/assumego
$ assume
[i] Thanks for using Granted!
[i] By default, Granted will open the AWS console with this browser: Chrome
[!] Granted works best with Firefox but also supports Chrome, Brave, and Edge (https://docs.commonfate.io/granted/introduction#supported-browsers). You can change this setting later by running 'granted browser set'
? Use Firefox as default Granted browser? (Y/n) 
[✘] interrupt

jpeeler commented 1 month ago

Hrm, I'm not sure how all the pathing needs to be, but I can probably help if you tell me how to update the package (no version bumps?) locally.

Maybe for later, but surely every OS needs the same symlink? As you noticed, every assume script (even powershell) calls assumego.

suzuki-shunsuke commented 1 month ago

Hrm, I'm not sure how all the pathing needs to be, but I can probably help if you tell me how to update the package (no version bumps?) locally.

$ aqua -v
aqua version 2.34.0 (2f9cc345c3c49b9a0c8fcd9d8e1c461bbd8fd533)

$ cat aqua.yaml 
registries:
- type: standard
  ref: b41e531dc4dcef03ad38e3fdf18b9052a7752a10
packages:
- name: common-fate/granted@v0.34.1

$ aqua i

$ which assume
/Users/shunsukesuzuki/.local/share/aquaproj-aqua/bin/assume
$ which assumego
/Users/shunsukesuzuki/.local/share/aquaproj-aqua/bin/assumego
$ which granted 
/Users/shunsukesuzuki/.local/share/aquaproj-aqua/bin/granted

$ granted -v
Granted version: 0.34.1

$ assume

$ echo $?
0

jpeeler commented 1 month ago

Not sure how much you want to investigate this, but perhaps adding a set -x in the second line of the assume script will reveal more information? The pathing looks correct. Does assumego execute?

Can I run aqua and have the same state locally?

suzuki-shunsuke commented 1 month ago

perhaps adding a set -x in the second line of the assume script will reveal more information?

Maybe. I'll try it.

Does assumego execute?

I think so.

$ AQUA_LOG_LEVEL=debug assume
# ...
DEBU[0000] execute the command                           aqua_version=2.34.0 env=darwin/arm64 exe_name=assumego package_name=common-fate/granted package_version=v0.34.1 program=aqua

Can I run aqua and have the same state locally?

Yes, I think you would be able to reproduce the issue locally using the above code.

registries:
- type: standard
  ref: b41e531dc4dcef03ad38e3fdf18b9052a7752a10
packages:
- name: common-fate/granted@v0.34.1

jpeeler commented 1 month ago

After updating the ref in my aqua.yaml file, removing the package aqua rm -m pl granted, and reinstalling, I am now able to replicate.

The assume command should be a shell script, but it's the granted binary. It's supposed to be assumego -> granted. Hopefully that's enough to proceed.

Are there packaging docs somewhere for trying locally? I wasn't able to find that.

suzuki-shunsuke commented 1 month ago

Do you want to fix registry locally? If so,

git clone https://github.com/aquaproj/aqua-registry
cd aqua-registry
aqua policy allow
vi pkgs/common-fate/granted/registry.yaml
aqua g -i common-fate/granted
aqua i -l
cmdx gr

assume

ref.

https://aquaproj.github.io/docs/products/aqua-registry/contributing/ https://aquaproj.github.io/docs/develop-registry/

jpeeler commented 1 month ago

Thanks for the pointers. It seems that due to my lack of understanding of aqua I made a mistake. The reason I thought the binary was the same is I didn't notice that each package binary is symlinked to aqua-proxy.

Due to the aqua-proxy symlink, I'm not sure if aqua can be made to work with granted as is. As I pointed out above, granted reads args[0] to determine which code to call. When executing assumego, I assume args gets replaced with aqua-proxy and therefore granted operation gets called instead of assume.

Though it looks like at one time the proxy was passing all args, where as now the first element is not. So maybe this can be made to work.

suzuki-shunsuke commented 1 month ago

Maybe you're aware, but how aqua executes tools is described here.

https://aquaproj.github.io/docs/reference/lazy-install#how-does-lazy-install-work

Each files in AQUA_ROOT_DIR/bin directory are symlinks to aqua-proxy. aqua-proxy executes aqua exec -- args[0] arg..., and aqua exec finds the tool and executes args[0] arg.... In case of assume, args[0] is assume. When assume is executed, aqua executes the shell script assume.

$ aqua which assume
/Users/shunsukesuzuki/.local/share/aquaproj-aqua/pkgs/http/releases.commonfate.io/granted/v0.34.1/granted_0.34.1_darwin_arm64.tar.gz/assume

assume executes assumego. When assumego is executed, aqua executes granted, and args[0] is not assumego but the absolute path of granted.

$ aqua which assumego
/Users/shunsukesuzuki/.local/share/aquaproj-aqua/pkgs/http/releases.commonfate.io/granted/v0.34.1/granted_0.34.1_darwin_arm64.tar.gz/granted

Seems like granted changes the behavior based on args[0].

https://github.com/common-fate/granted/blob/e8de3ec7d62d543062d8be802b27abb3d8fac429/cmd/granted/main.go#L37-L44

    // Use a single binary to keep keychain ACLs simple, swapping behavior via argv[0]
    var app *cli.App
    switch filepath.Base(os.Args[0]) {
    case "assumego", "assumego.exe", "dassumego", "dassumego.exe":
        app = assume.GetCliApp()
    default:
        app = granted.GetCliApp()
    }

So I guess assumego doesn't work as expected.

suzuki-shunsuke commented 1 month ago

I found a way to work.

aqua rm -m l assumego # Remove the symlink of assumego
vi ~/bin/assumego # Create a shell script of assume
chmod a+x ~/bin/assumego

~/bin/assumego

#!/usr/bin/env bash

set -eu

granted=$(aqua which granted) # Get the absolute path of granted
exec -a assumego "$granted" "$@" # Execute granted changing args[0] to `assumego` by `exec -a assumego`

Then assume works.

$ assume                  
[i] Thanks for using Granted!
[i] By default, Granted will open the AWS console with this browser: Chrome
[!] Granted works best with Firefox but also supports Chrome, Brave, and Edge (https://docs.commonfate.io/granted/introduction#supported-browsers). You can change this setting later by running 'granted browser set'
? Use Firefox as default Granted browser? (Y/n) 
[✘] interrupt

jpeeler commented 1 month ago

Cool, any chance that this can be made to work out of the box?

suzuki-shunsuke commented 1 month ago

I think we need to remove the link to assumego from the package and ask users to create the shell script assumego.

suzuki-shunsuke commented 1 month ago

https://github.com/aquaproj/aqua-registry/pull/27243

I'll remove assumego from files and add the guide in the package description.

suzuki-shunsuke commented 1 month ago

I'll look into whether aqua can change args[0] when executing tools.

suzuki-shunsuke commented 1 month ago

I created an issue.

https://github.com/aquaproj/aqua/issues/3130

I thought we can change args[0] easily in Go, but it didn't. https://github.com/aquaproj/aqua/issues/3130#issuecomment-2378114812 I'm looking into how to change args[0] in Go.

suzuki-shunsuke commented 1 month ago

Resolved.

https://github.com/aquaproj/aqua/issues/3130#issuecomment-2381038770

aquaproj / aqua-registry