Time is of the essence: Make an impact using Firehose Events

FirehoseFeatureHave you ever experienced the drive you get when you act on a sudden opportunity that really makes a valuable impact on something? On the other hand, have you ever experienced the disappointment of a missed opportunity?

Let’s face it, every user action can be translated into a short window of opportunity that requires our attention, otherwise, it will be lost forever. Every department in an organization is responsible for ensuring the best possible user experience, and many times we only get one chance to create an impactful initial impression that really makes the difference. So, how can we do this? One of the ways to do this is using JFrog Bintray’s Firehose Events.

We are constantly tracking, measuring and analyzing our user’s behaviors. Most of the time we look back at the user activity that has already happened and try to figure out where we can make improvements. For example, we can measure the number of downloads for any given time, and get valuable insights into the usage of our repositories using JFrog Bintray’s Premium Dashboard. We can even use Live Logs to get detailed stats, including a live download feed as it happens. But what about looking at what’s happening right now, in real-time

What are firehose events?

Bintray’s Firehose Events API enables us to receive live notifications (event triggers / user actions) for a variety of interactions with repositories, and respond to them in real-time with automated activities. Here are the events that you can register for, and some interesting things you can do with them:

  • Successful and failed logins: Repeated failed login attempts for scoped users can trigger an email alert to administrators
  • Downloading a file/artifact: Successful downloads can trigger an engagement email
  • Uploading a file/artifact: Very large uploads can trigger an email alert
  • Usage thresholds: Approaching the storage limit for your repositories can trigger an instant message
  • Deleting a file/artifact: Deleted packages can trigger an alert

Wrapping up with JFrog CLI

Yet again, JFrog CLI provides a convenient and simple interface for your automation scripts. It wraps the Firehose Events API and connects to an Event Notification Stream offering two main advantages in doing so:

  • Automatic reconnect: If the connection to Bintray is lost, JFrog CLI will automatically reconnect you to make sure that none of the events are lost.
  • Event filtering: You might not be interested in all the events coming out of the firehose. The CLI lets you filter out events, by event type, letting you focus only on those that are interesting to you.

Let’s take a look at a simple example. We can use the Firehose Events API to post to a Slack channel and provide a live stream of notifications.

To get events posted to a slack channel, all you have to do is first create a Slack channel, then connect to the event notification stream (Firehose), and pipe the stream to the Slack channel using something as simple as cURL calling the Slack API.

This example uses Bash, JFrog CLI, jq, and cURL. First, you’ll need to install JFrog CLI. Then wrap the following snippet within a script, and run it:

# Connect to the event notification stream
./jfrog bt st  --user= --key= --include="download" |
while read line
# Extract the path from the whole event response
  path=$(echo $line | jq .path -r)
  curl   -H"Content-Type:application/json" --data "{\"text\":\"File Downloaded: $path\"}"

This is just a simple example of how you can react to Firehose API events. The more creative and inventive Bintray users may come up with ideas like running analytics, creating live graphs and dashboards, issuing relevant alerts, and anything else your imagination can conjure up.

Upgrade to Bintray Enterprise!

IP Restriction with White CIDR and Black CIDR

IP restrictionImagine this scenario. Your flagship product is doing OK; you’re getting downloads. Nevertheless, increasing sales is always a top priority, so you decide to create a free OSS version to boost usage and generate more awareness in the market. It’s also a great product, free to download, and is a great teaser for the upsell to your commercial version. So you upload the OSS version to your organization’s public repository on Bintray. After a while, you check its stats and are delighted to see thousands of downloads, and yet, there’s no buzz. If so many people are downloading your package, why is nobody talking about it? After checking your logs, you discover that most of those downloads you were so happy about are from the same set of IP addresses.

Someone is reverse-spamming you, and you need to block them.

Geo-Restriction could do the job, but then you don’t want to restrict whole countries at a time. You need something more targeted. Bintray’s new capability for IP restriction will do the job.

IP restriction is very similar to geo-restriction, only instead of defining your whitelist and blacklist as countries, you define them as a range of IP addresses using CIDRs. This gives you much more control letting you allow or block download at any level of granularity down to a single specific IP address. Whatever IP those bots are operating from can now be easily blocked so you can get the real download statistics you were interested in.

You can define your CIDR whitelist and blacklist through Bintray’s REST API or in the Edit Repository page.

IP restriction

Note that if there are any overlapping IPs, (i.e. IP addresses that are included in CIDRs that are in both the whitelist and the blacklist), then blacklisting them takes precedence. And if you accidentally list the exact same CIDR in both the whitelist AND the blacklist, Bintray will catch that and issue an error.

Ready to use IP restrictions? Get a quote for an enterprise account and ask for a free trial.

Keep Your Secrets Safe by Serving Encrypted Files

encrypted_280x215aOnce you have uploaded your content into Bintray private repositories, it’s pretty safe through Bintray’s management of users, organizations, and teams. But what happens when you need to send a private file to someone else? Signed URLs give you an easy way to do that. Just generate your URL signing key and use the URL signing API call to create the URL. You can even make the URL valid for only a limited period of time. Now all you need to do is send the URL to the right person.

But what happens if the URL or the downloaded file gets into the wrong hands? Suddenly the file containing a license key/sensitive company information/anything-else-you-badly-wanted-to-keep-private is exposed..

Well, worry no more.  Bintray can now protect you from that kind of unwanted exposure.

On-the-fly file encryption

Bintray can now encrypt your file, on-the-fly, before it is downloaded through the signed URL. It works like this:

  • Upload your file (either manually through the website or using the REST API) into one of your private repositories.
  • Now you can generate the signed URL which will download the file.
    Nothing new yet, but here’s the thing.
    Now you can also attach a secret to the signed URL and tell Bintray to encrypt the file before it is downloaded. Bintray uses AES 256 CBC encryption for which you can provide your own secret key or ask Bintray to create one for you.
  • Now you can provide your customer with your secret through an alternative communications channel.
  • Once your customer has downloaded the file, they can use the secret key to decrypt the file using an OpenSSL command line. In other words, they need both the signed URL and the secret key.

Let’s See It In Action

Let’s assume we have a top secret “message.txt” file in a repo. We’ll use the REST API to create the signed URL:

curl -X POST -H "Content-Type: application/json" https://bintray.com/api/v1/signed_url/bintray/repo/message.txt?encrypt=true --data '{"valid_for_secs": 3600, "secret" : "my secret"}'

200 OK
"url": "https://dl.bintray.com/bintray/repo/message.txt?expiry=1461681694199&id=fHObRX27TU3EEpjQYIj9HFhbthU%2BPkkD4iXkRibKBYQvTFqlXP9tPUGlk5Xm3qE3&signature=nDt3t7Wj%2BP1B6chQ3AEt8iwaeowWuK66eQTP2tvgfa3AfmSAvR3IrPuVkP3tx90ihT2vMT9m1trJQ6IJZiVdSA%3D%3D"

If you don’t supply a secret, Bintray will create one for you and return it as an Http header: X-Bintray-Secret. Note that for that extra bit of security we limited the validity of the URL to 3600 seconds.

Your customer can now download the file from the returned URL:

curl -o message.txt "https://dl.bintray.com/bintray/repo/message.txt?expiry=1461681694199&id=fHObRX27TU3EEpjQYIj9HFhbthU%2BPkkD4iXkRibKBYQvTFqlXP9tPUGlk5Xm3qE3&signature=nDt3t7Wj%2BP1B6chQ3AEt8iwaeowWuK66eQTP2tvgfa3AfmSAvR3IrPuVkP3tx90ihT2vMT9m1trJQ6IJZiVdSA%3D%3D"

You can choose any secured way to send the user the secret. For example: phone or text message.

Now, to decrypt the file, your customer can use OpenSSL:

$ openssl enc -aes-256-cbc -d -in <encrypted file name> -out <decrypted file name output>

The tool will prompt your customer for the secret and then proceed to decrypt the file.

That’s how you keep your secrets safe. Enjoy!