Allow passing in a custom deploy key into vip app deploy

src/bin/vip-app-deploy.ts

@@ -23,9 +23,11 @@ import {
 	WithId,
 	UploadArguments,
 } from '../lib/client-file-uploader';
-import { gates } from '../lib/custom-deploy/custom-deploy';
+import { validateCustomDeployKey, gates } from '../lib/custom-deploy/custom-deploy';
 import { trackEventWithEnv } from '../lib/tracker';
 
+const CUSTOM_DEPLOY_KEY = process.env.CUSTOM_DEPLOY_KEY || '';
+
 const appQuery = `
 	id,
 	name,
@@ -118,6 +120,11 @@ export async function appDeployCmd( arg: string[] = [], opts: Record< string, un
 	const envId = env.id as number;
 	const track = trackEventWithEnv.bind( null, appId, envId );
 
+	if ( CUSTOM_DEPLOY_KEY ) {
+		debug( 'Validating custom deploy key...' );
+		await validateCustomDeployKey( CUSTOM_DEPLOY_KEY, envId );
+	}
+
 	await gates( app, env, fileMeta );
 
 	await track( 'deploy_app_command_execute' );

src/lib/api.ts

@@ -30,15 +30,13 @@ export function enableGlobalGraphQLErrorHandling(): void {
 	globalGraphQLErrorHandlingEnabled = true;
 }
 
-export default async function API( { exitOnError = true } = {} ): Promise<
-	ApolloClient< NormalizedCacheObject >
-> {
-	const authToken = await Token.get();
-	const headers = {
-		'User-Agent': env.userAgent,
-		Authorization: `Bearer ${ authToken.raw }`,
-	};
-
+export default async function API( {
+	exitOnError = true,
+	customAuthToken,
+}: {
+	exitOnError?: boolean;
+	customAuthToken?: string;
+} = {} ): Promise< ApolloClient< NormalizedCacheObject > > {
 	const errorLink = onError( ( { networkError, graphQLErrors } ) => {
 		if ( networkError && 'statusCode' in networkError && networkError.statusCode === 401 ) {
 			console.error(
@@ -59,8 +57,8 @@ export default async function API( { exitOnError = true } = {} ): Promise<
 		}
 	} );
 
-	const withToken = setContext( async (): Promise< { token: Token } > => {
-		const token = await Token.get();
+	const withToken = setContext( async (): Promise< { token: Token | { raw: string } } > => {
+		const token = customAuthToken ? { raw: customAuthToken } : await Token.get();
 
 		return { token };
 	} );
@@ -71,6 +69,7 @@ export default async function API( { exitOnError = true } = {} ): Promise<
 
 		operation.setContext( {
 			headers: {
+				'User-Agent': env.userAgent,
 				Authorization: `Bearer ${ token.raw }`,
 			},
 		} );
@@ -82,7 +81,6 @@ export default async function API( { exitOnError = true } = {} ): Promise<
 
 	const httpLink = new HttpLink( {
 		uri: API_URL,
-		headers,
 		fetch: http,
 		fetchOptions: {
 			agent: proxyAgent,

src/lib/custom-deploy/custom-deploy.ts

@@ -1,6 +1,8 @@
 import fs from 'fs';
+import gql from 'graphql-tag';
 
 import { App, AppEnvironment } from '../../graphqlTypes';
+import API from '../../lib/api';
 import * as exit from '../../lib/cli/exit';
 import { checkFileAccess, getFileSize, isFile, FileMeta } from '../../lib/client-file-uploader';
 import { GB_IN_BYTES } from '../../lib/constants/file-size';
@@ -14,6 +16,32 @@ export function isSupportedApp( app: App ): boolean {
 	return WORDPRESS_SITE_TYPE_IDS.includes( app.typeId as number );
 }
 
+export async function validateCustomDeployKey(
+	customDeployKey: string,
+	envId: number
+): Promise< void > {
+	if ( customDeployKey.length === 0 ) {
+		exit.withError( 'Valid custom deploy key is required.' );
+	}
+
+	const VALIDATE_CUSTOM_DEPLOY_ACCESS_MUTATION = gql`
+	mutation ValidateCustomDeployAccess {
+		validateCustomDeployAccess( input: { environmentIds: ${ envId } } ) {
+			success
+		}
+	}
+`;
+
+	const api = await API( { customAuthToken: customDeployKey } );
+	try {
+		await api.mutate( { mutation: VALIDATE_CUSTOM_DEPLOY_ACCESS_MUTATION } );
+	} catch ( error ) {
+		exit.withError(
+			`Unauthorized: Invalid or non-existent custom deploy key for environment ${ envId }.`
+		);
+	}
+}
+
 /**
  * @param {FileMeta} fileMeta
  */