Merge pull request #144 from filecoin-project/feat/auto-clone-repo

Added WIP create secret

Author: clriesco

.github/workflows/deploy_to_prod.yml

@@ -51,6 +51,7 @@ jobs:
             "environment": { 
               "GH_PRIVATE_KEY": "${{secrets.GH_PRIVATE_KEY}}",
               "GITHUB_APP_ID": "${{vars.GH_APP_ID}}",
+              "GITHUB_INSTALLATION_ID": "${{vars.GH_INSTALLATION_ID}}",
               "FILPLUS_ENV": "prod",
               "RUST_LOG": "debug",
               "BOT_USER": "${{vars.BOT_USER}}",

.github/workflows/deploy_to_staging.yml

@@ -69,6 +69,7 @@ jobs:
                 "GH_PRIVATE_KEY": "${{secrets.GH_PRIVATE_KEY}}",
                 "DB_URL": "${{secrets.DB_URL}}",
                 "GITHUB_APP_ID": "${{vars.GH_APP_ID}}",
+                "GITHUB_INSTALLATION_ID": "${{vars.GH_INSTALLATION_ID}}",
                 "FILPLUS_ENV": "prod",
                 "RUST_LOG": "debug",
                 "BOT_USER": "${{vars.BOT_USER}}",

.github/workflows/end_to_end_tests.yml

@@ -11,11 +11,12 @@ jobs:
   end_to_end_tests:
     name: Perform end-to-end tests
     runs-on: ubuntu-latest
+    environment: staging
 
     steps:
     - uses: actions/checkout@v3
     - name: Run tests
       env: 
-        GH_PRIVATE_KEY: ${{ secrets.GH_STAGING_PRIVATE_KEY }}
-        DB_URL: ${{secrets.STAGING_DB_URL}}
-      run: cargo test -- --nocapture
+        GH_PRIVATE_KEY: ${{ secrets.GH_PRIVATE_KEY }}
+        DB_URL: ${{secrets.DB_URL}}
+      run: cargo test -- --nocapture

fplus-database/src/config.rs

@@ -1,21 +1,24 @@
-use log::warn;
+use std::env;
+use log::error;
 
 /**
- * Get an environment variable or a default value
+ * Get an environment variable or exit the program if not set
  * 
  * # Arguments
- * @param key: &str - The environment variable key
- * @param default: &str - The default value
+ * * `key` - The environment variable key
  * 
  * # Returns
- * @return String - The value of the environment variable or the default value
+ * * The value of the environment variable
+ * 
+ * # Panics
+ * * Exits the program if the environment variable is not set
  */
-pub fn get_env_var_or_default(key: &str, default: &str) -> String {
-    match std::env::var(key) {
+pub fn get_env_or_throw(key: &str) -> String {
+    match env::var(key) {
         Ok(val) => val,
         Err(_) => {
-            warn!("{} not set, using default value: {}", key, default);
-            default.to_string()
+            error!("Environment variable '{}' not set. Exiting program.", key);
+            std::process::exit(1);
         }
     }
-}
+}

fplus-database/src/lib.rs

@@ -5,7 +5,7 @@ pub mod config;
 use sea_orm::{Database, DatabaseConnection, DbErr};
 use once_cell::sync::Lazy;
 use std::sync::Mutex;
-use crate::config::get_env_var_or_default;
+use crate::config::get_env_or_throw;
 
 /**
  * The global database connection
@@ -29,7 +29,7 @@ pub fn init() {
  * @return Result<DatabaseConnection, sea_orm::DbErr> - The result of the operation
  */
 pub async fn setup() -> Result<(), DbErr> {
-    let database_url = get_env_var_or_default("DB_URL", "");
+    let database_url = get_env_or_throw("DB_URL");
     let db_conn = Database::connect(&database_url).await?;
     let mut db_conn_global = DB_CONN.lock().unwrap();
     *db_conn_global = Some(db_conn);

fplus-lib/Cargo.toml

@@ -14,7 +14,7 @@ http = "0.2.9"
 hyper = "0.14.26"
 hyper-rustls = "0.24.0"
 jsonwebtoken = "8.3.0"
-octocrab = "0.25.1"
+octocrab = "0.26.0"
 serde = { version =  "1.0.164", features = ["derive", "std",
 "serde_derive", "alloc", "rc"] } 
 env_logger = "0.10.0"
@@ -27,7 +27,8 @@ reqwest = { version = "0.11.18", features = ["json"] }
 futures = "0.3.28"
 tokio = { version = "1.32.0", features = ["rt", "macros"] }
 uuidv4 = "1.0.0"
-rayon = "1.8.0"
+rayon = "1.8.0" 
 log = "0.4.20"
 once_cell = "1.19.0"
+libsodium-sys-stable = "1.20.4"
 fplus-database = { path = "../fplus-database", version = "1.0.19"}

fplus-lib/src/config.rs

@@ -9,13 +9,14 @@ pub fn default_env_vars() -> &'static HashMap<&'static str, &'static str> {
         m.insert("GITHUB_OWNER", "filecoin-project");
         m.insert("GITHUB_REPO", "filecoin-plus-falcon");
         m.insert("GITHUB_APP_ID", "826129");
-        m.insert("GITHUB_INSTALLATION_ID", "48206379");
+        m.insert("GITHUB_INSTALLATION_ID", "48299904");
         m.insert("RUST_LOG", "info");
         m.insert("RUST_BACKTRACE", "1");
         m.insert("DB_URL", "");
         m.insert("ALLOCATOR_GOVERNANCE_REPO", "Allocator-Governance-Staging");
         m.insert("ALLOCATOR_GOVERNANCE_OWNER", "fidlabs");
         m.insert("BOT_USER", "filplus-allocators-staging-bot[bot]");
+        m.insert("BACKEND_URL", "https://fp-core.dp04sa0tdc6pk.us-east-1.cs.amazonlightsail.com");
 
         m
     })

fplus-lib/src/core/allocator/mod.rs

@@ -94,6 +94,10 @@ pub async fn is_allocator_repo_created(owner: &str, repo: &str) -> Result<bool,
 pub async fn create_allocator_repo(owner: &str, repo: &str) -> Result<(), LDNError> {
     let gh = github_async_new(owner.to_string(), repo.to_string()).await;
     let mut dirs = Vec::new();
+    let backend_url = get_env_var_or_default("BACKEND_URL");
+    gh.create_or_update_secret("BACKEND_URL", &backend_url).await.map_err(|e| {
+        LDNError::Load(format!("Failed to create or update secret in GitHub. Reason: {}", e))
+    })?;
     dirs.push("".to_string());
 
     while dirs.len() > 0 {

fplus-lib/src/external_services/github.rs

@@ -7,12 +7,16 @@ use hyper_rustls::HttpsConnectorBuilder;
 use octocrab::auth::AppAuth;
 use octocrab::models::issues::{Comment, Issue};
 use octocrab::models::pulls::PullRequest;
-use octocrab::models::repos::{Branch, ContentItems, FileDeletion, FileUpdate};
+use octocrab::models::repos::{Branch, ContentItems, FileDeletion, FileUpdate, secrets::CreateRepositorySecret};
 use octocrab::models::{InstallationId, IssueState, Label};
 use octocrab::params::{pulls::State as PullState, State};
 use octocrab::service::middleware::base_uri::BaseUriLayer;
 use octocrab::service::middleware::extra_headers::ExtraHeadersLayer;
 use octocrab::{AuthState, Error as OctocrabError, Octocrab, OctocrabBuilder, Page};
+use libsodium_sys as sodium;
+
+use base64::{encode, decode};
+
 use serde::{Deserialize, Serialize};
 use std::sync::Arc;
 
@@ -134,6 +138,7 @@ impl GithubWrapper {
         let client = hyper::Client::builder()
             .pool_idle_timeout(std::time::Duration::from_secs(15))
             .build(connector);
+        
         let key = jsonwebtoken::EncodingKey::from_rsa_pem(gh_private_key.as_bytes()).unwrap();
         let octocrab = OctocrabBuilder::new_empty()
             .with_service(client)
@@ -730,4 +735,57 @@ impl GithubWrapper {
 
         Ok(contents_items)
     }
+
+    /**
+     * Create or update a secret in the repository
+     * This function will receive the secret name and value and will create or update the secret in the repository
+     * The secret value will be encrypted using the public key of the repository, as required by the GitHub API
+     * More information here: https://docs.github.com/en/rest/actions/secrets?apiVersion=2022-11-28#create-or-update-a-repository-secret
+     */
+    pub async fn create_or_update_secret(
+        &self,
+        secret_name: &str,
+        secret_value: &str,
+    ) -> Result<(), OctocrabError> {
+        let pk = self
+            .inner
+            .repos(&self.owner, &self.repo)
+            .secrets()
+            .get_public_key()
+            .await?;
+    
+        let pk_bytes = match decode(pk.key) {
+            Ok(bytes) => bytes,
+            Err(e) => {
+                log::error!("Failed to decode public key: {:?}", e);
+                return Ok(());
+            }
+        };
+        assert_eq!(pk_bytes.len(), sodium::crypto_box_PUBLICKEYBYTES as usize, "Invalid public key length");
+        //Create a buffer to store the encrypted secret
+        let mut encrypted_secret = vec![0u8; sodium::crypto_box_SEALBYTES as usize + secret_value.len()];
+        //Encrypt the secret using the public key
+        let _encrypt_res = unsafe {
+            sodium::crypto_box_seal(
+                encrypted_secret.as_mut_ptr(),
+                secret_value.as_ptr(),
+                secret_value.len() as u64,
+                pk_bytes.as_ptr(),
+            )
+        };
+        //Encode the encrypted secret to base64
+        let encrypted_secret_base64 = encode(&encrypted_secret);
+
+        //Encrypt using libsodium
+        let _create_secret_res = self
+            .inner
+            .repos(&self.owner, &self.repo)
+            .secrets()
+            .create_or_update_secret(secret_name, &CreateRepositorySecret{
+                key_id: &pk.key_id,
+                encrypted_value: &encrypted_secret_base64,
+            })
+            .await?;
+        Ok(())
+    }
 }