load-file?

you could define the start server task separately like i do https://github.com/bob-cd/bob/blob/main/apiserver/bb.edn#L9 and then call it at the right place like https://github.com/bob-cd/bob/blob/main/apiserver/bb.edn#L51

awesome, thx!

though I would still need to find out how to kill the running task…

Shell returns a process which you can kill with process/destroy

but that would require that I use the 2nd approach, of starting the server manually via shell/sh from the smoke test, right?

the (clojure ...) task is shelling out to run a JVM anyways. Not sure if it returns a process but doing (shell "clojure ...") would definitely will

checking if the clojure task gives a process back

clojure also returns a process that can be destroy-ed

awesome

you might need p/destroy-tree to kill all children processes too

But can I communicate the output of one task ( the clojure process) to another task, to destroy it there?

You can have a dependency on that task, then you will have its value

:depends [run-app]
:task (do (whatever) (p/destroy-tree run-app))

if this sounds too complicated, just write a babashka script to do all of this manually

This sounds fine, thank you!

FYI I ended up starting the server manually from my script. For the interested: https://github.com/fulcrologic/fulcro-rad-demo/pull/42/files#diff-c9346137b015156901cb500b96f00582ba4ff714a3cd3fabd9a6cdc93496e4cfR20

Yeah, sometimes that's just the easiest way to do things

I have an environment variable for AWS_PROFILE which works in bash with aws sts get-caller-identity. This env-var is valid inside the bb repl session. I'm getting this output:

DEBUG [com.grzm.awyeah.credentials:?] - Unable to fetch credentials from system properties.
DEBUG [com.grzm.awyeah.credentials:?] - Unable to fetch credentials from aws profiles file.
DEBUG [com.grzm.awyeah.credentials:?] - Unable to fetch credentials from any source.

I have a custom (babashka) script that fetches credentials via aws sso. Then elsewhere i insert these credentials in awyeah as session credentials. Is that what you mean?

not really, but I think it would be a work-around maybe... If you set up AWS_PROFILE to a config in your ~/.aws/config which has been configure with aws sso configure, the session is valid, and you are using on of the official AWS SDK's (incl aws cli) ... then you can make API calls. IE - not required to set access-key-id and secret-access-key directly

Not sure how aws sso configure works exactly. But im using the official cli tool as well. Via a profile with credential_process it uses my custom script. Which i believe is faster than the official versions

AWS docs here: https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-sso.html

Maybe you have a different use case then me. Im mostly using it for scripts that are not running for a very long time

Curious to hear what you find though. Ill post what i have as a bbin script later

The way I’ve done this before is using a script that performs the SSO login, then writes the credentials and session token to ~/.aws/config. You can then set AWS_PROFILE to that and awyeah-api’s resolver will work with it. You may need a bit of magic to refresh the credentials once they expire with a long-running REPL session.

This https://github.com/grzm/awyeah-api#differences-from-aws-api looks relevant (a different use case obviously but the same reasoning may apply in your situation): > My use case is short-lived scripts, where JVM start-up time can dwarf script execution time: credentials don't have much time to get stale. If I had longer-lived processes, start-up time wouldn't be an issue and I'd just use the Clojure.

I'm not super worried about refreshing the session once it expires. I've seen the disclaimer and I'm ok with it. For a profile that has been set up with aws configure sso the actual credentials are contained in a file beneath ~/.aws/sso/cache/*.json. so... I think it is imaginable for awyeah to read the credentials from there.

This makes sense, but I often have REPL sessions open for days or weeks whilst I’m developing a script, so creds refresh is always something I implement. I’ll look into how to do this with awyeah-api just for fun. 🙂

@U054AT6KT I have done this in the past with aws-api and a few others too. These two issues give some examples for what I think you want https://github.com/cognitect-labs/aws-api/search?q=credential_process&type=issues

You can take a look at https://github.com/wanishing/awyeah-graalvm/blob/main/src/mal/sso_credentials_provider.clj. It’s a minimal example of using s3 client with sso credentials provider.

I somehow think I might be doing something wrong with providing the private key but I tried different approaches (`keys/str->private-key`) with similar results

You might be using wrong openssl command? Quickly looking here: https://unix.stackexchange.com/questions/610039/how-to-do-hmacsha256-using-openssl-from-terminal > I got this working. All I had to do is use openssl sha256 instead of openssl dgst -sha256.

hm, the issue is I need what the dgst version gave me

I got that from a reference for an API I’m targeting. So maybe I’m looking at the wrong thing in buddy actually…

Is the output of your function base64 encoded while dgst produces hex-encoded version?

dgst returns bytes which I’m then converting with base64 on the command line

How come? https://www.openssl.org/docs/man1.1.1/man1/openssl-dgst.html > The digest functions output the message digest of a supplied file or files in hexadecimal.

Anyway, you can very quickly see if that's the case from the encoding's alphabet But it could be the reason why your function returns a shorter string.

echo -n test | openssl dgst -sha256 -sign private.pem
��DK��Ɂ���z�VQ[�zxw�-J��Ë�˺�/����V#�� �J���RS�iB;/�j�p۽L..�h˨�մ�d_u�|�̩j�8�\�����;��qT�R����N��7:�L�l$T��[m�~�3����⏎

Ah, I see - I missed the -sign switch. That would be the problem I think. MAC is a symmetric algorithm while you (with the openssl command) seem to be producing an assymetric-cryptography signature

I used something like this before - not sure if that's similar to what you need

(require '[buddy.sign.compact :as compact-sign])
(require '[buddy.core.keys :as buddy-keys])

(def sign-algorithm :es256)
(def signing-keys :start
  {:private-key (buddy-keys/private-key private-key-path)
   :public-key (buddy-keys/public-key public-key-path)})

(compact-sign/sign data (:private-key signing-keys) {:alg sign-algorithm})

ahh that looks very promising!

I guess i was a bit on the wrong track there

Hm, that seems to pull in nippy which makes me think it’s probably not what I’m looking for…

Yes, you are right. After looking into sign implemntation it's obvious that it's doing much more.

(defn sign
  "Sign arbitrary length string/byte array using
  compact sigining method."
  [data key & [{:keys [alg compress]
                :or {alg :hs256 compress true}}]]
  (let [input (serialize data compress)
        salt (nonce/random-bytes 12)
        stamp (codecs/long->bytes (util/now))
        signature (-> (bytes/concat input salt stamp)
                      (calculate-signature key alg))]
    (str/join "." [(bytes->base64str input)
                   (bytes->base64str signature)
                   (bytes->base64str salt)
                   (bytes->base64str stamp)])))

(def my-private-key (buddy-keys/private-key "my.pem"))
(require '[buddy.core.dsa :as dsa])
(dsa/sign (.getBytes "test") {:alg :ecdsa+sha256 :key my-private-key})

(let [signature  (dsa/sign (.getBytes "test") {:alg :ecdsa+sha256 :key my-private-key})]
    (with-open [out (io/output-stream (io/file "test.sign.clojure"))]
      (.write out signature)))

echo -n test | openssl dgst -sha256 -verify my.pub.pem -signature test.sign.clojure
Verified OK

Just seeing this now.. I ended up with something like this in JVM Clojure:

(defn sign
  "RSA private key signing of a message. Takes message as string"
  [message]
  (let [msg-data (.getBytes message)]
    (->> (doto (java.security.Signature/getInstance "SHA256withRSA")
           (.initSign private-key (java.security.SecureRandom.))
           (.update msg-data))
         (.sign)
         (.encodeToString (java.util.Base64/getEncoder)))))

On the front page now, ➕ !!!

Whoa cool!

Hmm I'm actually not sure whether Transit is really supported anymore... Seems broken in Python since 3.3...

transit is supported for pods and yes, the pods library works on the JVM as well

Perfect, thanks