diff --git a/.snyk b/.snyk
index 212a26fe5..b7931a355 100644
--- a/.snyk
+++ b/.snyk
@@ -17,3 +17,7 @@ exclude:
 # (a graphql `Login` field) as a hardcoded credential. It is a public
 # identifier in test data, not a secret. See kosli-dev/server#5479.
 - internal/github/build_pr_evidence_test.go
+ # False positive: Snyk Code flags the hardcoded test session token (auth_token)
+ # in this test-user fixture as a secret. It is fake test data, not a real
+ # credential, and is used only to seed the local integration-test server.
+ - server-scripts/create_standalone_test_users.py
diff --git a/bin/reset-or-start-server.sh b/bin/reset-or-start-server.sh
index efbf34a4e..f51678915 100755
--- a/bin/reset-or-start-server.sh
+++ b/bin/reset-or-start-server.sh
@@ -24,10 +24,16 @@ check_success()
 restart_server()
 {
 echo restarting server ...
- ./bin/docker_login_aws.sh staging
+ # Only remote (digest-pinned) images need an AWS login and pull. The local-image
+ # flow uses the plain "merkely" tag, which is built locally — skip both.
+ if [[ "$KOSLI_SERVER_IMAGE" == *"@sha256:"* ]]; then
+ ./bin/docker_login_aws.sh staging
+ docker pull "${KOSLI_SERVER_IMAGE}" || true
+ else
+ echo "local image — skipping AWS login and pull"
+ fi
 docker compose down || true
 echo -e "\033[38;5;208musing server image\033[0m ${KOSLI_SERVER_IMAGE}"
- docker pull ${KOSLI_SERVER_IMAGE} || true
 docker compose up -d
 ./mongo/ip_wait.sh localhost:9010/minio/health/live
 ./mongo/ip_wait.sh localhost:8001/ready
@@ -46,5 +52,5 @@ else
 fi
 echo creating test users on server ...
-docker exec $container_name /demo/create_standalone_test_users.py
+docker exec $container_name /app/test/create_standalone_test_users.py
 check_success
diff --git a/server-scripts/create_standalone_test_users.py b/server-scripts/create_standalone_test_users.py
new file mode 100755
index 000000000..3f9fd45bc
--- /dev/null
+++ b/server-scripts/create_standalone_test_users.py
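Review bot: The justification comment added above `- server-scripts/create_standalone_test_users.py` names only the session token (auth_token), but the excluded script also hardcodes four API keys in `CLI_TEST_USERS`, so the comment should cover them as well, e.g. `# False positive: Snyk Code flags the hardcoded test API keys and session token (auth_token)`. The entry excludes the whole file, so later edits to that script are no longer analysed either. It is worth confirming in review that every literal in the file is test-only and that none of these values is accepted by a non-test server.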
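Review bot: The new condition in restart_server() treats every `KOSLI_SERVER_IMAGE` value without `@sha256:` as a local build, so a registry reference pinned only by tag, or an unset variable, skips both the login and the pull and is still reported as "local image". If only the locally built `merkely` tag is meant to reach the else branch, the comment should say that tag-only remote references are unsupported, or the else branch should test for the local tag explicitly. The `|| true` kept on `docker pull "${KOSLI_SERVER_IMAGE}"` also hides a failed pull of the pinned image; printing a one-line warning when the pull fails would make that visible before `docker compose up -d` runs. restart_server's body ends outside the hunk.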
@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+
+# Creates the standalone test users used by the Kosli CLI integration tests.
+#
+# This script is owned by the CLI repo (the test users are CLI test data). It is
+# mounted into the server container at /app/test via docker-compose and executed
+# there, so it relies on the server's `lib` and `model` packages being importable
+# via PYTHONPATH=/app/src.
+
+import hashlib
+
+from lib import Sku
+from model import Organizations, Users
+
+# key == person-id, value == api-key
+CLI_TEST_USERS = {
+ "docs-cmd-test-user": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6ImNkNzg4OTg5In0.e8i_lA_QrEhFncb05Xw6E_tkCHU9QfcY4OLTVUCHffY",
+ "acme-org": "v3OWZiYWu9G2IMQStYg9BcPQUQ88lJNNnTJTNq8jfvmkR1C5wVpHSs7F00JcB5i6OGeUzrKt3CwRq7ndcN4TTfMeo8ASVJ5NdHpZT7DkfRfiFvm8s7GbsIHh2PtiQJYs2UoN13T8DblV5C4oKb6-yWH73h67OhotPlKfVKazR-c",
+ "iu-org": "qM9u2_grv6pJLbACwsMMMT5LIQy82tQj2k1zjZnlXti1smnFaGwCKW4jzk0La7ae9RrSYvEwCXSsXknD6YZqd-onLaaIUUKtEn6-B6yh53vWIe9EC5u85FCbKZjFbaicp_d0Me0Zcqq_KcCgrAZRX9xggl_pBb2oaCsNdllqNjk",
+ "system-tests-user": "95-IeGBfyKdTteLdKidiAnXk6uMmV6jTkGM9v3DEtrQ",
+}
+
+
+def create_standalone_test_users(test_users):
+ users = Users()
+ orgs = Organizations()
+
+ for user_name, api_key in test_users.items():
+ uid = hashlib.sha256(user_name.encode("utf-8")).hexdigest()[0:24]
+ login_data = {
+ "userId": uid,
+ "name": user_name,
+ "email": "default@example.com",
+ "picture": "",
+ }
+ users.create("descope", login_data)
+ user = users.find_by_auth_user_id(login_data["userId"])
+ user.completed_signup = True
+ user.add_api_key(api_key=api_key, setting_user=user, expires_at=0, description="")
+ # fixed auth_token so tests have a stable session token to authenticate with
+ user.auth_token = "213c18081df7f738ec479107b86f97ec678b1d54"
+
+ orgs.create_shared(f"{user_name}-shared", sku=Sku().existing_orgs, owner=user)
+
+
+if __name__ == "__main__":
+ create_standalone_test_users(CLI_TEST_USERS)
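Review bot: Nothing in this script checks that it is running against a test server before it creates users whose API keys and session token are committed in this file, so a run inside any other server container would provision accounts with publicly known credentials. A guard at the top of the `__main__` block would close that, for example `if os.environ.get("TEST_SERVER_FLAG_PLACEHOLDER") != "1": raise SystemExit("refusing to seed test users outside a test server")`, together with `import os`; the variable name is a placeholder for whatever the compose file already sets. The same `auth_token` literal is assigned to every user in the loop, so all four accounts share one session token, and no save call is visible after the assignment; both should be confirmed against the `Users` model, which is not shown here. `create_standalone_test_users` would also benefit from a docstring stating that `expires_at=0` and the fixed token are deliberate test-only choices.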