communitybridge · lukaszgryglicki · Dec 4, 2024 · Nov 20, 2024 · Nov 20, 2024 · Nov 26, 2024
diff --git a/.gitignore b/.gitignore
@@ -241,3 +241,7 @@ dist/*
 api-postman/*
 
 cla-backend/run-python-test-example-*.py
+
+# LG
+out
+*.secret
diff --git a/aws_env.md b/aws_env.md
@@ -0,0 +1,130 @@
+# Setting up AWS environment
+
+You need to have MFA enabled for your AWS user, your `~/.aws/config` shoudl look like this:
+```
+[profile lfproduct-dev]
+role_arn = arn:aws:iam::395594542180:role/product-contractors-role
+source_profile = lfproduct
+region = us-east-1
+output = json
+
+[profile lfproduct-test]
+role_arn = arn:aws:iam::726224182707:role/product-contractors-role
+source_profile = lfproduct
+region = us-east-1
+output = json
+
+[profile lfproduct-staging]
+role_arn = arn:aws:iam::844390194980:role/product-contractors-role
+source_profile = lfproduct
+region = us-east-1
+output = json
+
+[profile lfproduct-prod]
+role_arn = arn:aws:iam::716487311010:role/product-contractors-role
+source_profile = lfproduct
+region = us-east-1
+output = json
+
+[default]
+region = us-east-1
+output = json
+```
+
+It defines 4 profiles to use: `dev`, `staging`, `test` and `prod`.
+
+You will be using one of them.
+
+
+Your `~/.aws/credentials` file shoudl initially look like this (replace `redacted`):
+```
+[lfproduct-long-term]
+aws_secret_access_key = [access_key_redacted]
+aws_access_key_id = [key_id_redacted]
+aws_mfa_device = arn:aws:iam::[arn_number_redacted]:mfa/[your_aws_user_redacted]
+
+[default]
+aws_access_key_id = [key_id_redacted]
+aws_secret_access_key = [access_key_redacted]
+```
+
+Now every 36 hours or less you need to refresh your MFA key by calling: `aws-mfa --force --duration 129600 --profile lfproduct`.
+
+When called it adds or replaces the following section (`[lfproduct]` which is used as a source profile for `dev`, `test`, `staging` or `prod` in aws config) in `~/.aws/credentials`:
+```
+[lfproduct]
+assumed_role = False
+aws_access_key_id = [key_id_redacted]
+aws_secret_access_key = [secret_access_key_redacted]
+aws_session_token = [session_token_redacted]
+aws_security_token = [session_token_redacted]
+expiration = 2024-11-28 16:54:59 [now + 36 hours]
+
+```
+
+
+Once you have all of this, you must set a correct set of environment variables to run either `python` or `golang` backends.
+
+To do so you need to get credentials for a specific profile `lfproduct-`: `dev`, `test`, `staging`, `prod`. To see full one-time set of credentials you can call:
+- for `dev`:  `` aws sts assume-role --role-arn arn:aws:iam::395594542180:role/product-contractors-role --profile lfproduct --role-session-name lfproduct-dev-session ``.
+- for `prod`: `` aws sts assume-role --role-arn arn:aws:iam::716487311010:role/product-contractors-role --profile lfproduct --role-session-name lfproduct-prod-session ``.
+
+Note - just replace the iam::[number] depending on environment type (`[stage]`) and update `lfproduct-[stage]-name`.
+
+You can set up a script like `setenv.sh` which will set all required variables, example for `dev`:
+```
+#!/bin/bash
+
+rm -rf /tmp/aws
+cp -R /root/.aws /tmp/.aws
+
+data="$(aws sts assume-role --role-arn arn:aws:iam::395594542180:role/product-contractors-role --profile lfproduct --role-session-name lfproduct-dev-session)"
+export AWS_ACCESS_KEY_ID="$(echo "${data}" | jq -r '.Credentials.AccessKeyId')"
+export AWS_SECRET_ACCESS_KEY="$(echo "${data}" | jq -r '.Credentials.SecretAccessKey')"
+export AWS_SESSION_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
+export AWS_SECURITY_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
+
+export AWS_SDK_LOAD_CONFIG=true
+export AWS_PROFILE='lfproduct-dev'
+export AWS_REGION='us-east-1'
+export AWS_DEFAULT_REGION='us-east-1'
+export DYNAMODB_AWS_REGION='us-east-1'
+export REGION='us-east-1'
+
+export PRODUCT_DOMAIN='dev.lfcla.com'
+export ROOT_DOMAIN='lfcla.dev.platform.linuxfoundation.org'
+export PORT='5000'
+export STAGE='dev'
+# export STAGE='local'
+export GH_ORG_VALIDATION=false
+export DISABLE_LOCAL_PERMISSION_CHECKS=true
+export COMPANY_USER_VALIDATION=false
+export CLA_SIGNATURE_FILES_BUCKET=cla-signature-files-dev
+```
+
+Call it via `` . ./setenv.sh ``  or `` source setenv.sh `` to execute in the current shell.
+
+You can reset environment variables by exiting the shell session or calling the following `unsetenv.sh` in the current shell via: `` . ./unsetenv.sh `` or `` source unsetenv.sh ``:
+```
+#!/bin/bash
+rm -rf /tmp/.aws
+unset AWS_PROFILE
+unset AWS_REGION
+unset AWS_ACCESS_KEY_ID
+unset AWS_SECRET_ACCESS_KEY
+unset PRODUCT_DOMAIN
+unset ROOT_DOMAIN
+unset PORT
+unset STAGE
+unset AWS_SESSION_TOKEN
+unset AWS_SECURITY_TOKEN
+unset GH_ORG_VALIDATION
+unset DISABLE_LOCAL_PERMISSION_CHECKS
+unset COMPANY_USER_VALIDATION
+unset CLA_SIGNATURE_FILES_BUCKET
+unset DYNAMODB_AWS_REGION
+unset REGION
+unset AWS_ROLE_ARN
+unset AWS_TOKEN_SERIAL
+unset AWS_SDK_LOAD_CONFIG
+```
diff --git a/dev.md b/dev.md
@@ -133,6 +133,46 @@ locally and simply point to the DEV environment. The `STAGE` environment
 variable controls where we point. Make sure you export/provide/setup the AWS
 properties in order to connect.
 
+
+When running on Linux it looks like `.venv` sets $HOME to /tmp, and then python backend is looking for the AWS config file in `~/.aws/config`
+This means it ends up in `/tmp/.aws/config`. You can use the following scritp to activate your environment (`setenv.secret`) via: `source setenv.secret`:
+```
+#!/bin/bash
+rm -rf /tmp/aws
+cp -R ~/.aws /tmp/.aws
+export AWS_SDK_LOAD_CONFIG=1
+export AWS_PROFILE='lfproduct-dev'
+export AWS_REGION='us-east-1'
+data="$(aws sts assume-role --role-arn arn:aws:iam::395594542180:role/product-contractors-role --profile lfproduct --role-session-name lfproduct-dev-session)"
+export AWS_ACCESS_KEY_ID="$(echo "${data}" | jq -r '.Credentials.AccessKeyId')"
+export AWS_SECRET_ACCESS_KEY="$(echo "${data}" | jq -r '.Credentials.SecretAccessKey')"
+export AWS_SESSION_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
+export AWS_SECURITY_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
+export PRODUCT_DOMAIN='dev.lfcla.com'
+export ROOT_DOMAIN='lfcla.dev.platform.linuxfoundation.org'
+export PORT='5000'
+export STAGE='dev'
+```
+
+And the following one to unset the environment:
+```
+#!/bin/bash
+rm -rf /tmp/.aws
+unset AWS_SDK_LOAD_CONFIG=1
+unset AWS_PROFILE
+unset AWS_REGION
+unset AWS_ACCESS_KEY_ID
+unset AWS_SECRET_ACCESS_KEY
+unset AWS_SESSION_TOKEN
+unset AWS_SECURITY_TOKEN
+unset PRODUCT_DOMAIN
+unset ROOT_DOMAIN
+unset PORT
+unset STAGE
+```
+
+Please refer to [aws_env.md](aws_env.md) for more details.
+
 ## Run the Python Backend
 
 ```bash
@@ -162,6 +202,9 @@ open http://localhost:5000/v2/health
 open http://localhost:5000/v2/user/<some_uuid_from_users_table>
 ```
 
+To expose service running on the localhost to the outside world use: `` ./utils/ngrok.sh ``.
+And then tets via: `` API_URL='https://[redacted].ngrok-free.app' ./scripts/health.sh `` from another host (anywhere in the world).
+
 ## Building and Running the Go Backend
 
 Current Endpoints:
@@ -331,9 +374,9 @@ First build and setup the environment.  Then simply run it:
 
 ```bash
 # Mac
-./cla-mac
+./bin/cla-mac
 # or linux
-./cla 
+./bin/cla
 ```
 
 You should see the typical diagnostic details on startup indicating that it

diff --git a/setenv.sh b/setenv.sh
@@ -0,0 +1,29 @@
+#!/bin/bash
+
+rm -rf /tmp/aws
+cp -R /root/.aws /tmp/.aws
+
+dev_arn="$(cat ./product-contractors-role.dev.secret)"
+data="$(aws sts assume-role --role-arn ${dev_arn} --profile lfproduct --role-session-name lfproduct-dev-session)"
+export AWS_ACCESS_KEY_ID="$(echo "${data}" | jq -r '.Credentials.AccessKeyId')"
+export AWS_SECRET_ACCESS_KEY="$(echo "${data}" | jq -r '.Credentials.SecretAccessKey')"
+export AWS_SESSION_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
+export AWS_SECURITY_TOKEN="$(echo "${data}" | jq -r '.Credentials.SessionToken')"
+export GITHUB_OAUTH_TOKEN="$(cat /etc/github/oauth)"
+
+export AWS_SDK_LOAD_CONFIG=true
+export AWS_PROFILE='lfproduct-dev'
+export AWS_REGION='us-east-1'
+export AWS_DEFAULT_REGION='us-east-1'
+export DYNAMODB_AWS_REGION='us-east-1'
+export REGION='us-east-1'
+
+export PRODUCT_DOMAIN='dev.lfcla.com'
+export ROOT_DOMAIN='lfcla.dev.platform.linuxfoundation.org'
+export PORT='5000'
+export STAGE='dev'
+# export STAGE='local'
+export GH_ORG_VALIDATION=false
+export DISABLE_LOCAL_PERMISSION_CHECKS=true
+export COMPANY_USER_VALIDATION=false
+export CLA_SIGNATURE_FILES_BUCKET=cla-signature-files-dev
diff --git a/unsetenv.sh b/unsetenv.sh
@@ -0,0 +1,22 @@
+#!/bin/bash
+rm -rf /tmp/.aws
+unset AWS_PROFILE
+unset AWS_REGION
+unset AWS_ACCESS_KEY_ID
+unset AWS_SECRET_ACCESS_KEY
+unset PRODUCT_DOMAIN
+unset ROOT_DOMAIN
+unset PORT
+unset STAGE
+unset AWS_SESSION_TOKEN
+unset AWS_SECURITY_TOKEN
+unset GH_ORG_VALIDATION
+unset DISABLE_LOCAL_PERMISSION_CHECKS
+unset COMPANY_USER_VALIDATION
+unset CLA_SIGNATURE_FILES_BUCKET
+unset DYNAMODB_AWS_REGION
+unset REGION
+unset AWS_ROLE_ARN
+unset AWS_TOKEN_SERIAL
+unset AWS_SDK_LOAD_CONFIG
+unset GITHUB_OAUTH_TOKEN
diff --git a/utils/describe_table.sh b/utils/describe_table.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+aws --profile lfproduct-dev dynamodb describe-table --table-name cla-dev-signatures
diff --git a/utils/example_pytest.sh b/utils/example_pytest.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+pytest -vvv -s cla/tests/unit/test_docusign_models.py -p no:warnings -k test_request_individual_signature
diff --git a/utils/health_python_v2.sh b/utils/health_python_v2.sh
@@ -0,0 +1,7 @@
+#!/bin/bash
+# API_URL=https://[xyz].ngrok-free.app (defaults to localhost:5000)
+if [ -z "$API_URL" ]
+then
+  export API_URL="http://localhost:5000"
+fi
+curl -s "${API_URL}/v2/health" | jq -r '.'
diff --git a/utils/lookup_company.sh b/utils/lookup_company.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+aws --profile lfproduct-dev dynamodb query --table-name cla-dev-companies --index-name company-name-index --key-condition-expression "company_name = :name" --expression-attribute-values  '{":name":{"S":"Google LLC"}}'
diff --git a/utils/lookup_project.sh b/utils/lookup_project.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+aws --profile lfproduct-dev dynamodb query --table-name cla-dev-projects --index-name project-name-lower-search-index --key-condition-expression "project_name_lower  = :name" --expression-attribute-values  '{":name":{"S":"child group earths"}}'
diff --git a/utils/lookup_user.sh b/utils/lookup_user.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+aws --profile lfproduct-dev dynamodb query --table-name cla-dev-users --index-name github-username-index --key-condition-expression "user_github_username = :name" --expression-attribute-values  '{":name":{"S":"lukaszgryglicki"}}'
diff --git a/utils/ngrok.sh b/utils/ngrok.sh
@@ -0,0 +1,2 @@
+#!/bin/bash
+ngrok http http://localhost:5000
diff --git a/utils/request_corporate_signature_post.sh b/utils/request_corporate_signature_post.sh
@@ -0,0 +1,59 @@
+#!/bin/bash
+# API_URL=https://[xyz].ngrok-free.app (defaults to localhost:5000)
+# company_id='862ff296-6508-4f10-9147-2bc2dd7bfe80'
+# project_id='88ee12de-122b-4c46-9046-19422054ed8d'
+# return_url_type='github'
+# return_url='http://localhost'
+# TOKEN='...' - Auth0 JWT bearer token
+# DEBUG=1 TOKEN="$(cat ./auth0.token.secret)" ./utils/request_corporate_signature_post.sh 862ff296-6508-4f10-9147-2bc2dd7bfe80 88ee12de-122b-4c46-9046-19422054ed8d github 'http://localhost'
+# TODO: this is WIP atm (due to AUTH0 token and X-ACL missing)
+
+if [ -z "$TOKEN" ]
+then
+  source ./auth0_token.secret
+fi
+
+if [ -z "$TOKEN" ]
+then
+  echo "$0: TOKEN not specified and unable to obtain one"
+  exit 1
+fi
+
+if [ -z "$1" ]
+then
+  echo "$0: you need to specify company_id as a 1st parameter"
+  exit 1
+fi
+export company_id="$1"
+
+if [ -z "$2" ]
+then
+  echo "$0: you need to specify project_id as a 2nd parameter"
+  exit 2
+fi
+export project_id="$2"
+
+if [ -z "$3" ]
+then
+  echo "$0: you need to specify return_url_type as a 3rd parameter: github|gitlab|gerrit"
+  exit 3
+fi
+export return_url_type="$3"
+
+if [ -z "$4" ]
+then
+  echo "$0: you need to specify return_url as a 4th parameter"
+  exit 4
+fi
+export return_url="$4"
+
+if [ -z "$API_URL" ]
+then
+  export API_URL="http://localhost:5000"
+fi
+
+if [ ! -z "$DEBUG" ]
+then
+  echo "curl -s -XPOST -H 'Authorization: Bearer ${TOKEN}' -H 'Content-Type: application/json' '${API_URL}/v4/request-corporate-signature' -d '{\"project_id\":\"${project_id}\",\"company_id\":\"${company_id}\",\"return_url_type\":\"${return_url_type}\",\"return_url\":\"${return_url}\"}' | jq -r '.'"
+fi
+curl -s -XPOST -H "Authorization: Bearer ${TOKEN}" -H "Content-Type: application/json" "${API_URL}/v4/request-corporate-signature" -d "{\"project_id\":\"${project_id}\",\"company_id\":\"${company_id}\",\"return_url_type\":\"${return_url_type}\",\"return_url\":\"${return_url}\"}" | jq -r '.'
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#!/bin/bash
		aws --profile lfproduct-dev dynamodb describe-table --table-name cla-dev-signatures
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#!/bin/bash
		pytest -vvv -s cla/tests/unit/test_docusign_models.py -p no:warnings -k test_request_individual_signature
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		#!/bin/bash
		aws --profile lfproduct-dev dynamodb query --table-name cla-dev-companies --index-name company-name-index --key-condition-expression "company_name = :name" --expression-attribute-values '{":name":{"S":"Google LLC"}}'