rename access-key to admin-secret (close hasura#1347) (hasura#1540)

Rename the admin secret key header used to access GraphQL engine from X-Hasura-Access-Key to X-Hasura-Admin-Secret.

Server CLI and console all support the older flag but marks it as deprecated.

Author: nizar-m

.circleci/config.yml

@@ -96,7 +96,7 @@ refs:
           GRAPHQL_ENGINE: '/build/_server_output/graphql-engine'
         command: |
           apt-get update
-          apt install --yes jq
+          apt install --yes jq curl
           OUTPUT_FOLDER=/build/_server_test_output/$PG_VERSION .circleci/test-server.sh
     - run:
         name: Generate coverage report
@@ -214,6 +214,37 @@ jobs:
     - image: circleci/postgres:9.5-alpine-postgis
       <<: *test_pg_env
 
+  test_cli_with_last_release:
+    docker:
+    - image: hasura/graphql-engine-cli-builder:v0.3
+    - image: circleci/postgres:10-alpine
+      environment:
+        POSTGRES_USER: gql_test
+        POSTGRES_DB: gql_test
+    working_directory: /go/src/github.com/hasura/graphql-engine
+    steps:
+    - checkout
+    - attach_workspace:
+        at: /build
+    - restore_cache:
+        keys:
+        - cli-vendor-{{ checksum "cli/Gopkg.toml" }}-{{ checksum "cli/Gopkg.lock" }}
+    - run:
+        name: get cli dependencies
+        working_directory: cli
+        command: make deps
+    - save_cache:
+        key: cli-vendor-{{ checksum "cli/Gopkg.toml" }}-{{ checksum "cli/Gopkg.lock" }}
+        paths:
+        - cli/vendor
+    - *wait_for_postgres
+    - run:
+        name: test cli
+        command: .circleci/test-cli-with-last-release.sh
+    - store_artifacts:
+        path: /build/_cli_output
+        destination: cli
+
   # test and build cli
   test_and_build_cli:
     docker:
@@ -350,6 +381,8 @@ workflows:
         - pytest_server_pg_10.6
         - pytest_server_pg_9.6
         - pytest_server_pg_9.5
+    - test_cli_with_last_release:
+        <<: *filter_only_vtags
     - test_and_build_cli:
         <<: *filter_only_vtags
         requires:
@@ -358,6 +391,7 @@ workflows:
         <<: *filter_only_vtags
         requires:
         - test_and_build_cli
+        - test_cli_with_last_release
     - deploy:
         <<: *filter_only_vtags_dev_release_branches
         requires:

.circleci/deploy.sh

@@ -103,6 +103,12 @@ setup_gcloud() {
     gcloud --quiet config set project ${GOOGLE_PROJECT_ID}
 }
 
+# push the server binary to google cloud storage
+push_server_binary() {
+    gsutil cp /build/_server_output/graphql-engine \
+              gs://graphql-engine-cdn.hasura.io/server/latest/linux-amd64  
+}
+
 # skip deploy for pull requests
 if [[ -n "${CIRCLE_PR_NUMBER:-}" ]]; then
     echo "not deploying for PRs"
@@ -134,6 +140,7 @@ deploy_console
 deploy_server
 if [[ ! -z "$CIRCLE_TAG" ]]; then
     deploy_server_latest
+    push_server_binary
     build_and_push_cli_migrations_image
     CHANGELOG_TEXT=$(changelog server)
     CHANGELOG_TEXT+=$(changelog cli)

.circleci/test-cli-with-last-release.sh

@@ -0,0 +1,51 @@
+#!/usr/bin/env bash
+
+set -euo pipefail
+IFS=$'\n\t'
+CLI_ROOT="${BASH_SOURCE[0]%/*}/../cli"
+
+wait_for_port() {
+    local PORT=$1
+    echo "waiting for $PORT"
+    for i in `seq 1 60`;
+    do
+      nc -z localhost $PORT && echo "port $PORT is ready" && return
+      echo -n .
+      sleep 1
+    done
+    echo "Failed waiting for $PORT" && exit 1
+}
+
+# get latest cli
+wget -O /bin/graphql-engine https://graphql-engine-cdn.hasura.io/server/latest/linux-amd64
+chmod +x /bin/graphql-engine
+
+cd "$CLI_ROOT"
+mkdir -p /build/_cli_output
+touch /build/_cli_output/server-last-release.log
+touch /build/_cli_output/server-last-release-secret.log
+
+# start graphql-engine without admin secret
+/bin/graphql-engine \
+    --database-url postgres://gql_test@localhost:5432/gql_test serve > /build/_cli_output/server-last-release.log 2>&1 &
+PID=$!
+
+wait_for_port 8080
+
+# test cli
+HASURA_GRAPHQL_TEST_ENDPOINT="http://localhost:8080" make test
+
+# kill the running server
+kill $PID
+
+# start graphql-engine with admin secret
+psql -U gql_test -h localhost -c 'CREATE DATABASE "gql_test_with_admin_secret";'
+/bin/graphql-engine \
+    --database-url postgres://gql_test@localhost:5432/gql_test_with_admin_secret serve --access-key "abcd" > /build/_cli_output/server-last-release-secret.log 2>&1 &
+PID=$!
+
+wait_for_port 8080
+
+# test cli
+GOCACHE=off HASURA_GRAPHQL_TEST_ENDPOINT="http://localhost:8080" HASURA_GRAPHQL_TEST_ADMIN_SECRET="abcd" make test
+kill $PID

.circleci/test-cli.sh

@@ -19,8 +19,9 @@ wait_for_port() {
 cd "$CLI_ROOT"
 mkdir -p /build/_cli_output
 touch /build/_cli_output/server.log
+touch /build/_cli_output/server-secret.log
 
-# start graphql-engine without access key
+# start graphql-engine without admin secret
 /build/_server_output/graphql-engine \
     --database-url postgres://gql_test@localhost:5432/gql_test serve > /build/_cli_output/server.log 2>&1 &
 PID=$!
@@ -31,14 +32,14 @@ wait_for_port 8080
 HASURA_GRAPHQL_TEST_ENDPOINT="http://localhost:8080" make test
 kill $PID
 
-# start graphql-engine with access key
-psql -U gql_test -h localhost -c 'CREATE DATABASE "gql_test_with_access";'
+# start graphql-engine with admin secret
+psql -U gql_test -h localhost -c 'CREATE DATABASE "gql_test_with_admin_secret";'
 /build/_server_output/graphql-engine \
-    --database-url postgres://gql_test@localhost:5432/gql_test_with_access serve --access-key "abcd" > /build/_cli_output/server.log 2>&1 &
+    --database-url postgres://gql_test@localhost:5432/gql_test_with_admin_secret serve --admin-secret "abcd" > /build/_cli_output/server-secret.log 2>&1 &
 PID=$!
 
 wait_for_port 8080
 
 # test cli
-GOCACHE=off HASURA_GRAPHQL_TEST_ENDPOINT="http://localhost:8080" HASURA_GRAPHQL_TEST_ACCESS_KEY="abcd" make test
+GOCACHE=off HASURA_GRAPHQL_TEST_ENDPOINT="http://localhost:8080" HASURA_GRAPHQL_TEST_ADMIN_SECRET="abcd" make test
 kill $PID

.circleci/test-deprecated-server-flags.sh

@@ -0,0 +1,105 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+CIRCLECI_FOLDER="${BASH_SOURCE[0]%/*}"
+cd $CIRCLECI_FOLDER
+CIRCLECI_FOLDER="$PWD"
+
+SERVER_ROOT="$CIRCLECI_FOLDER/../server"
+
+i=1
+echoInfo() {
+  echo -e "\033[36m$i. $*\033[0m"
+  i=$[i+1]
+}
+
+fail_if_port_busy() {
+    local PORT=$1
+    if nc -z localhost $PORT ; then
+        echo "Port $PORT is busy. Exiting"
+        exit 1
+    fi
+}
+
+wait_for_port() {
+    local PORT=$1
+    echo "waiting for $PORT"
+    for _ in $(seq 1 30);
+    do
+      nc -z localhost $PORT && echo "port $PORT is ready" && return
+      echo -n .
+      sleep 0.2
+    done
+    echo "Failed waiting for $PORT" && exit 1
+}
+
+test_export_metadata_with_access_key() {
+  curl -f   -d'{"type" : "export_metadata", "args" : {} }' localhost:8080/v1/query -H "X-Hasura-Access-Key: $1" > /dev/null
+}
+
+cd $SERVER_ROOT
+
+if [ -z "${HASURA_GRAPHQL_DATABASE_URL:-}" ] ; then
+	echo "Env var HASURA_GRAPHQL_DATABASE_URL is not set"
+	exit 1
+fi
+
+if ! stack --allow-different-user exec -- which graphql-engine > /dev/null && [ -z "${GRAPHQL_ENGINE:-}" ] ; then
+	echo "Do 'stack build' before tests, or export the location of executable in the GRAPHQL_ENGINE envirnoment variable"
+	exit 1
+fi
+
+GRAPHQL_ENGINE=${GRAPHQL_ENGINE:-"$(stack --allow-different-user exec -- which graphql-engine)"}
+if ! [ -x "$GRAPHQL_ENGINE" ] ; then
+	echo "$GRAPHQL_ENGINE is not present or is not an executable"
+	exit 1
+fi
+
+HGE_PID=""
+
+run_hge_with_flags() {
+    fail_if_port_busy 8080
+    set -x
+    stdbuf -o0 "$GRAPHQL_ENGINE" serve $*  > "$OUTPUT_FOLDER/graphql-engine.log" & HGE_PID=$!
+    set +x
+    wait_for_port 8080
+}
+
+kill_hge() {
+  kill $HGE_PID || true
+  wait $HGE_PID || true
+}
+
+trap kill_hge ERR
+trap kill_hge INT
+
+OUTPUT_FOLDER=${OUTPUT_FOLDER:-"$CIRCLECI_FOLDER/test-server-flags-output"}
+mkdir -p "$OUTPUT_FOLDER"
+
+################### Test deprecated flag --access-key
+
+key="HGE$RANDOM$RANDOM"
+
+run_hge_with_flags --access-key="$key"
+
+echoInfo "Test deprecated flag --access-key=XXXX"
+grep -F '"admin_secret_set":true' "$OUTPUT_FOLDER/graphql-engine.log" >/dev/null
+test_export_metadata_with_access_key "$key"
+
+kill_hge
+
+################## Test deprecated EnvVar HASURA_GRAPHQL_ACCESS_KEY=XXXX
+
+key="HGE$RANDOM$RANDOM"
+
+export HASURA_GRAPHQL_ACCESS_KEY="$key"
+
+run_hge_with_flags
+
+echoInfo "Test deprecated EnvVar HASURA_GRAPHQL_ACCESS_KEY=XXXX"
+grep -F '"admin_secret_set":true' "$OUTPUT_FOLDER/graphql-engine.log" >/dev/null || (cat "$OUTPUT_FOLDER/graphql-engine.log" && false)
+test_export_metadata_with_access_key "$key"
+
+kill_hge
+
+unset $HASURA_GRAPHQL_ACCESS_KEY