communitybridge · nickmango · Aug 30, 2023 · Aug 30, 2023 · Aug 31, 2023 · Aug 31, 2023
diff --git a/.github/workflows/build-docker-pr.yml b/.github/workflows/build-docker-pr.yml
@@ -0,0 +1,82 @@
+---
+# Copyright The Linux Foundation and each contributor to CommunityBridge.
+# SPDX-License-Identifier: MIT
+
+name: Build Docker in DEV
+on:
+  pull_request:
+    branches:
+      - main
+
+env:
+  AWS_REGION: us-east-1
+  AWS_ECR_REGION: us-east-1
+  AWS_PROFILE: lf-cla
+  STAGE: dev
+  REPOSITORY: lfx-easycla-dev
+  ECR_HOST: ${{secrets.AWS_ACCOUNT_ID}}.dkr.ecr.us-east-1.amazonaws.com
+
+jobs:
+  build-docker-dev:
+    runs-on: ubuntu-latest
+    environment: dev
+    steps:
+      - uses: actions/checkout@v3
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Available Build Platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
+      - name: Configure AWS Credentials
+        uses: aws-actions/configure-aws-credentials@v1
+        with:
+          aws-access-key-id: ${{ secrets.AWS_ACCESS_KEY }}
+          aws-secret-access-key: ${{ secrets.AWS_SECRET_KEY }}
+          aws-region: us-east-1
+          role-duration-seconds: 900
+      - name: Setup AWS Profile
+        run: |
+          echo "Installing Profile '${AWS_PROFILE}'..."
+          mkdir -p ~/.aws
+
+          touch ~/.aws/config
+          if ! grep -q AWS_PROFILE ~/.aws/config; then
+            printf "[profile ${AWS_PROFILE}]\nregion=${AWS_REGION}\noutput=json" > ~/.aws/config
+            echo "Added ${AWS_PROFILE} profile to ~/.aws/config"
+          else
+            echo "Skipped adding ${AWS_PROFILE} to ~/.aws/config - already there"
+          fi
+
+          touch ~/.aws/credentials
+          if ! grep -q AWS_PROFILE ~/.aws/credentials; then
+            printf "[${AWS_PROFILE}]\naws_access_key_id=${{ secrets.AWS_ACCESS_KEY }}\naws_secret_access_key=${{ secrets.AWS_SECRET_KEY }}" > ~/.aws/credentials
+            echo "Added ${AWS_PROFILE} profile to ~/.aws/credentials"
+          else
+            echo "Skipped adding ${AWS_PROFILE} to ~/.aws/credentials - already there"
+          fi
+
+          if ! grep -q AWS_PROFILE ${HOME}/.bashrc; then
+            echo "export AWS_PROFILE=${AWS_PROFILE}" >> ${HOME}/.bashrc
+            echo "Added ${AWS_PROFILE} profile to ${HOME}/.bashrc"
+          else
+            echo "Skipped adding ${AWS_PROFILE} to ${HOME}/.bashrc - already there"
+          fi
+
+      - name: Build Docker Image
+        working-directory: cla-backend
+        run:  |
+          # Create a new builder, named container, that uses the Docker container driver
+          echo "Creating a new builder container..."
+          docker buildx create --name container --driver=docker-container
+
+          echo "Building image with tag: ${ECR_HOST}/${REPOSITORY}:${{github.sha}}"
+          docker buildx build --platform=linux/arm64 --builder=container --tag ${ECR_HOST}/${REPOSITORY}:${{github.sha}} .
+          echo "Building image with tag: ${ECR_HOST}/${REPOSITORY}:latest"
+          docker buildx build --platform=linux/arm64 --builder=container --tag ${ECR_HOST}/${REPOSITORY}:latest .
+
+          # Note, unlike when using the default docker driver, images built with the docker-container driver must be explicitly loaded into the local image store. Use the --load flag
+          echo "Loading the image into the image store..."
+          docker buildx build --platform=linux/arm64 --builder=container --load --tag ${ECR_HOST}/${REPOSITORY}:${{github.sha}} .
+          docker buildx build --platform=linux/arm64 --builder=container --load --tag ${ECR_HOST}/${REPOSITORY}:latest .
diff --git a/.github/workflows/build-pr.yml b/.github/workflows/build-pr.yml
@@ -52,6 +52,7 @@ jobs:
         working-directory: cla-backend
         run: |
           pip install -r requirements.txt
+          pip install -r requirements-test.txt
 
       - name: Python Lint
         working-directory: cla-backend

diff --git a/.github/workflows/deploy-dev.yml b/.github/workflows/deploy-dev.yml
@@ -10,8 +10,11 @@ on:
 
 env:
   AWS_REGION: us-east-1
+  AWS_ECR_REGION: us-east-1
   AWS_PROFILE: lf-cla
   STAGE: dev
+  REPOSITORY: lfx-easycla-dev
+  ECR_HOST: ${{secrets.AWS_ACCOUNT_ID}}.dkr.ecr.us-east-1.amazonaws.com
 
 jobs:
   build-deploy-dev:
@@ -25,6 +28,13 @@ jobs:
           go-version: '1.20.1'
       - name: Go Version
         run: go version
+      - name: Set up QEMU
+        uses: docker/setup-qemu-action@v2
+      - name: Set up Docker Buildx
+        id: buildx
+        uses: docker/setup-buildx-action@v2
+      - name: Available Build Platforms
+        run: echo ${{ steps.buildx.outputs.platforms }}
       - name: Setup Node
         uses: actions/setup-node@v3
         with:
@@ -88,9 +98,9 @@ jobs:
       - name: Python Setup
         working-directory: cla-backend
         run: |
+          pip install --upgrade pip
           pip install -r requirements.txt
-
-
+          pip install -r requirements-test.txt
 
       - name: Python Lint
         working-directory: cla-backend
@@ -108,6 +118,28 @@ jobs:
           AUTH0_PLATFORM_CLIENT_SECRET: ${{ secrets.AUTH0_PLATFORM_CLIENT_SECRET }}
           AUTH0_PLATFORM_AUDIENCE: https://api-gw.dev.platform.linuxfoundation.org/
 
+      - name: Build Docker Image
+        working-directory: cla-backend
+        run:  |
+          # Create a new builder, named container, that uses the Docker container driver
+          echo "Creating a new builder container..."
+          docker buildx create --name container --driver=docker-container
+
+          echo "Building image with tag: ${ECR_HOST}/${REPOSITORY}:${{github.sha}}"
+          docker buildx build --platform=linux/arm64 --builder=container --tag ${ECR_HOST}/${REPOSITORY}:${{github.sha}} .
+          echo "Building image with tag: ${ECR_HOST}/${REPOSITORY}:latest"
+          docker buildx build --platform=linux/arm64 --builder=container --tag ${ECR_HOST}/${REPOSITORY}:latest .
+
+          # Note, unlike when using the default docker driver, images built with the docker-container driver must be explicitly loaded into the local image store. Use the --load flag
+          echo "Loading the image into the image store..."
+          docker buildx build --platform=linux/arm64 --builder=container --load --tag ${ECR_HOST}/${REPOSITORY}:${{github.sha}} .
+          docker buildx build --platform=linux/arm64 --builder=container --load --tag ${ECR_HOST}/${REPOSITORY}:latest .
+      - name: Publish Docker Image
+        run: |
+          aws ecr get-login-password --region ${AWS_ECR_REGION} | docker login --username AWS --password-stdin ${ECR_HOST}
+          docker push ${ECR_HOST}/${REPOSITORY}:${{github.sha}}
+          docker push ${ECR_HOST}/${REPOSITORY}:latest
+
       - name: Go Setup
         working-directory: cla-backend-go
         run: |

diff --git a/cla-backend-go/.golangci.yaml b/cla-backend-go/.golangci.yaml
@@ -33,10 +33,10 @@ linters-settings:
     # default is false: such cases aren't reported by default.
     check-blank: true
   govet:
-    check-shadowing: true
-    fieldalignment: true
-  revive:
-    ignore-generated-header: true
+    enable-all: true
+    #check-shadowing: true
+    #fieldalignment: true
+  revive: # golint was replaced by revive
     min-confidence: 0
     rules:
       # Recommended in Revive docs
@@ -48,12 +48,14 @@ linters-settings:
   goconst:
     min-len: 2
     min-occurrences: 2
+  gocyclo:
+    min-complexity: 40
 
 linters:
   disable-all: true
   enable:
-    - revive
-    - govet
+    - revive # 'golint' is deprecated (since v1.41.0), replaced by revive
+    #  - govet
     - errcheck
     - ineffassign
     - typecheck
@@ -63,14 +65,13 @@ linters:
     - goimports
     - gosec
     - megacheck # (staticcheck + gosimple + unused in one linter)
-    - depguard
     - unconvert
     - unparam
     - unused
     - nakedret
-    #- maligned # The repository of the linter has been archived by the owner.  Replaced by govet 'fieldalignment'.
+    # - depguard # recently, this error is showing up: import '....' is not allowed from list 'Main' (depguard) for all the packages
+    #- maligned is deprecated (since v1.38.0), replaced by govet 'fieldalignment'.
     #- dupl
-    - bodyclose
 
 issues:
   exclude-use-default: false

diff --git a/cla-backend-go/Makefile b/cla-backend-go/Makefile
@@ -35,7 +35,7 @@ ifeq "$(shell uname -s)" "Linux"
 endif
 
 LINT_TOOL=$(shell go env GOPATH)/bin/golangci-lint
-LINT_VERSION=v1.51.2
+LINT_VERSION=v1.54.2
 SWAGGER_DIR=$(ROOT_DIR)/swagger
 SWAGGER_BIN_DIR=/usr/local/bin
 SWAGGER_TOOL_VERSION=v0.30.3

diff --git a/cla-backend-go/package.json b/cla-backend-go/package.json
@@ -43,6 +43,7 @@
     "minimist": "^1.2.6",
     "normalize-url": "^4.5.1",
     "qs": "^6.11.0",
+    "semver": "^7.5.4",
     "set-value": "^4.0.1",
     "simple-git": "^3.16.0",
     "ws": "^7.4.6",

diff --git a/cla-backend-go/signatures/constants.go b/cla-backend-go/signatures/constants.go
@@ -19,7 +19,7 @@ const SignatureGitHubOrgApprovalListColumn = "github_org_whitelist" // TODO: ren
 const SignatureGitlabUsernameApprovalListColumn = "gitlab_username_approval_list"
 
 // SignatureGitlabOrgApprovalListColumn is the name of the signature column for gitlab organization approval lists
-const SignatureGitlabOrgApprovalListColumn = "gitlab_org_approval_list"
+const SignatureGitlabOrgApprovalListColumn = "gitlab_org_approval_list" // nolint G101: Potential hardcoded credentials (gosec)
 
 // SignatureUserGitHubUsername is the name of the signature column for user gitlab username
 const SignatureUserGitHubUsername = "user_github_username"

diff --git a/cla-backend-go/signatures/repository.go b/cla-backend-go/signatures/repository.go
@@ -556,7 +556,7 @@ func (repo repository) GetIndividualSignature(ctx context.Context, claGroupID, u
 		log.WithFields(f).Warnf("found multiple matching ICLA signatures - found %d total", len(sigs))
 	}
 
-	return sigs[0], nil
+	return sigs[0], nil // nolint G602: Potentially accessing slice out of bounds (gosec)
 }
 
 // GetCorporateSignature returns the signature record for the specified CLA Group and Company ID
@@ -665,7 +665,7 @@ func (repo repository) GetCorporateSignature(ctx context.Context, claGroupID, co
 		log.WithFields(f).Warnf("found multiple matching ICLA signatures - found %d total", len(sigs))
 	}
 
-	return sigs[0], nil
+	return sigs[0], nil // nolint G602: Potentially accessing slice out of bounds (gosec)
 }
 
 // GetActivePullRequestMetadata returns the pull request metadata for the given user ID

diff --git a/cla-backend-go/v2/metrics/repository.go b/cla-backend-go/v2/metrics/repository.go
@@ -88,10 +88,10 @@ const (
 	MetricTypeCompany                = "company"
 	MetricTypeProject                = "project"
 	MetricTypeCompanyProject         = "company_project"
-	MetricTypeClaManagerDistribution = "cla_manager_distribution"
+	MetricTypeClaManagerDistribution = "cla_manager_distribution" // nolint G101: Potential hardcoded credentials (gosec)
 
 	IDTotalCount             = "total_count"
-	IDClaManagerDistribution = "cla_manager_distribution"
+	IDClaManagerDistribution = "cla_manager_distribution" // nolint G101: Potential hardcoded credentials (gosec)
 )
 
 func newMetrics() *Metrics {

diff --git a/cla-backend-go/yarn.lock b/cla-backend-go/yarn.lock
@@ -2313,17 +2313,10 @@ seek-bzip@^1.0.5:
   dependencies:
     commander "^2.8.1"
 
-semver@^5.5.0:
-  version "5.7.1"
-  resolved "https://registry.npmjs.org/semver/-/semver-5.7.1.tgz"
-
-semver@^6.0.0:
-  version "6.3.0"
-  resolved "https://registry.npmjs.org/semver/-/semver-6.3.0.tgz"
-
-semver@^7.3.2, semver@^7.3.5, semver@^7.3.8, semver@^7.5.1:
-  version "7.5.1"
-  resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.1.tgz#c90c4d631cf74720e46b21c1d37ea07edfab91ec"
+semver@^5.5.0, semver@^6.0.0, semver@^7.3.2, semver@^7.3.5, semver@^7.3.8, semver@^7.5.1, semver@^7.5.4:
+  version "7.5.4"
+  resolved "https://registry.yarnpkg.com/semver/-/semver-7.5.4.tgz#483986ec4ed38e1c6c48c34894a9182dbff68a6e"
+  integrity sha512-1bCSESV6Pv+i21Hvpxp3Dx+pSD8lIPt8uVjRrxAUt/nbswYc+tK6Y2btiULjd4+fnq15PX+nqQDC7Oft7WkwcA==
   dependencies:
     lru-cache "^6.0.0"
 

diff --git a/cla-backend/Dockerfile b/cla-backend/Dockerfile
@@ -0,0 +1,16 @@
+# Copyright The Linux Foundation and each contributor to CommunityBridge.
+# SPDX-License-Identifier: MIT
+
+FROM public.ecr.aws/lambda/python:3.7
+
+# Copy requirements.txt
+COPY requirements.txt ${LAMBDA_TASK_ROOT}
+
+# Copy function code
+COPY *.py cla ${LAMBDA_TASK_ROOT}
+
+# Install the specified packages
+RUN pip install -r requirements.txt
+
+# Set the CMD to your handler (could also be done as a parameter override outside of the Dockerfile)
+CMD [ "wsgi_handler.handler" ]
diff --git a/cla-backend/README.md b/cla-backend/README.md
@@ -0,0 +1,15 @@
+# Python Backend Notes
+
+## Setup
+
+```bash
+pip3 install -r requirements.txt
+```
+## Dependency Tree
+
+To show the dependency tree of the project, run the following commands:
+
+```bash
+pip install pipdeptree
+pipdeptree -fl
+```
diff --git a/cla-backend/cla/docusign_auth.py b/cla-backend/cla/docusign_auth.py
@@ -39,6 +39,9 @@ def request_access_token() -> str:
             "scope": "signature impersonation"
         }
         cla.log.debug(f'Claims: {claims}')
+        # Note from the docs: If you are planning on encoding or decoding tokens using certain digital signature
+        # algorithms # (like RSA or ECDSA), you will need to install the cryptography library. This can be installed
+        # explicitly, or as a required extra in the pyjwt requirement: $ pip install pyjwt[crypto]
         encoded_jwt = jwt.encode(claims, INTEGRATION_SECRET.encode(), algorithm='RS256')
 
         payload = {
@@ -54,7 +57,7 @@ def request_access_token() -> str:
         else:
             cla.log.error('Unable to request access token from DocuSign OAuth2 service: ' + str(data))
             raise Exception('Unable to request access token from DocuSign OAuth2 service: ' + str(data))
-        
+
     except Exception as err:
         cla.log.error('Unable to request access token from DocuSign OAuth2 service: ' + str(err))
         raise err