@tremorvideo/blink-cli/src/doctor/check-aws.js

const ini = require('ini')
const chalk = require('chalk')
const fs = require('fs-extra')
const fsOpts = { encoding: 'utf8' }
const verifyAccess = require('../login/verify-aws-access')
const { indent, bulletize } = require('./indent-bullet')
const indent2 = indent.bind(null, 2)

const lsCred = 'ls -l ~/.aws/credentials'
const catCred = 'cat ~/.aws/credentials'
const chmodCred = 'chmod 644 ~/.aws/credentials'
const chownCred = 'sudo chown `whoami` ~/.aws/credentials'

const credFormat = `[default]
aws_access_key_id = ALPHANUMERIC20CHARS1
aws_secret_access_key = ALPHANUMERICand+and/and40charactersEXACT`
const logCred = `Log the contents of your credentials file with the following command:
  ${chalk.italic.gray(catCred)}`
const awsFail = 'Connection to AWS S3 failed'
const badCreds = `Check the internet connection and then confirm the
AWS access ID and secret in ~/.aws/credentials are correct.`
const newCreds = chalk`To enter new credentials, run {italic.gray blink login}`
const noCredFile = `The credentials file was not found
The AWS Access Key Id and AWS Secret Access Key should be
included in a file named "credentials" located at ~/.aws/`
const writePermissions = 'No write permissions for the AWS credentials file located at ~/.aws/'
const readPermissions = 'No read permissions for the AWS credentials file located at ~/.aws/'
const logCredPerm = `Check permission with the following command:
  ${chalk.italic.gray(lsCred)}`
const fixPermissions = `If the user shows as 'root' and/or not your username, try the following:
  ${chalk.italic.gray(chownCred)}
If the file permissions do not match "-rw-r--r--", try the following:
  ${chalk.italic.gray(chmodCred)}`
const credAccess = 'There is a problem accessing the AWS credentials file located at ~/.aws/'
const credParse = `Could not parse the AWS credentials file located at ~/.aws/
Check the formatting of the file contents`
const credDefault = `The AWS credentials file is missing the default profile
Add the default profile to the credentials file located at ~/.aws/
or run "blink login" and provide a valid AWS access ID and secret`
const noAwsId = `There is no key "aws_access_key_id" for the default profile or it is
not assigned a value in the credentials file located at ~/.aws/`
const awsIdLength = 'The aws_access_key_id must be exactly 20 characters long, yours is'
const awsIdChars = 'The aws_access_key_id must only contain alphanumeric characters'
const noAwsSecret = `There is no key "aws_secret_access_key" for the default profile or it is
not assigned a value in the credentials file located at ~/.aws/`
const awsSecretLength = 'The aws_secret_access_key must be exactly 40 characters long, yours is'
const awsSecretChars = 'The aws_secret_access_key must only contain numbers, letters, +, and /'
const loginFix = chalk`Run {italic.gray blink login} and provide a valid AWS access ID and secret`
const permFormat = `Output should resemble the following:
[permissions] [links] [user] ...`

module.exports = async ({ env }) => {
  const warnings = []
  const credPath = `${env.home}/.aws/credentials`
  // check write permissions of AWS credentials file
  try {
    await fs.access(credPath, fs.constants.W_OK)
  } catch (err) {
    if (err.code === 'EACCES') warnings.push(`${writePermissions}\n${indent2(`${logCredPerm}\n${permFormat}\n${fixPermissions}`)}`)
  }
  // check S3 access
  try {
    await verifyAccess()
  } catch (err) {
    let bullets = []
    // check read permissions of AWS credentials file
    try {
      const data = await fs.readFile(credPath, fsOpts)
      // parse credentials file
      try {
        const config = ini.parse(data)
        // check for default profile
        if (!config.default || typeof config.default !== 'object') {
          bullets.push(`${credDefault}\nExample file contents:\n${indent2(credFormat)}\n${logCred}`)
        } else {
          const contentErrors = []
          const creds = config.default
          // check aws_access_key_id
          if (!creds.aws_access_key_id || typeof creds.aws_access_key_id !== 'string') {
            contentErrors.push(`${noAwsId}\n${loginFix}\n${logCred}`)
          } else {
            if (creds.aws_access_key_id.length !== 20) {
              contentErrors.push(`${awsIdLength} ${creds.aws_access_key_id.length}\n${loginFix}\n${logCred}`)
            }
            if (/[^\w]/.test(creds.aws_access_key_id)) {
              contentErrors.push(`${awsIdChars}\n${loginFix}\n${logCred}`)
            }
          }
          // check aws_secret_access_key
          if (!creds.aws_secret_access_key || typeof creds.aws_secret_access_key !== 'string') {
            contentErrors.push(`${noAwsSecret}\n${loginFix}\n${logCred}`)
          } else {
            if (creds.aws_secret_access_key.length !== 40) {
              contentErrors.push(`${awsSecretLength} ${creds.aws_secret_access_key.length}\n${loginFix}\n${logCred}`)
            }
            if (/[^\w/+]/.test(creds.aws_secret_access_key)) {
              contentErrors.push(`${awsSecretChars}\n${loginFix}\n${logCred}`)
            }
          }
          if (contentErrors.length) {
            bullets = bullets.concat(contentErrors)
          } else {
            // no other problems detected, credentials must not be valid
            bullets.push(`${badCreds}\n${logCred}\n${newCreds}`)
          }
        }
      } catch (err) {
        bullets.push(`${credParse}\nExample file contents:\n${indent2(credFormat)}`)
      }
    } catch (err) {
      if (err.code === 'ENOENT') bullets.push(`${noCredFile}\nExample file contents:\n${indent2(credFormat)}\n${loginFix}`)
      else if (err.code === 'EACCES') bullets.push(`${readPermissions}\n${logCredPerm}\n${permFormat}\n${fixPermissions}`)
      else bullets.push(`${credAccess}\n${logCredPerm}\n${permFormat}\n${fixPermissions}`)
    }
    warnings.push(`${awsFail}\n${indent2(bullets.map(bulletize).join('\n'))}`)
  }
  return { warnings, details: [] }
}