Add documentation and updates to code

Signed-off-by: Lukasz Gryglicki <[email protected]>

Author: lukaszgryglicki

README.md

@@ -61,6 +61,10 @@ The following diagram explains the EasyCLA architecture.
 
 ![CLA Architecture](.gitbook/assets/easycla-architecture-overview.png)
 
+## Bot Whitelisting
+
+For whitelisting bots please see the [Whitelisting Bots](WHITELISTING_BOTS.md) documentation.
+
 ## EasyCLA Release Process
 
 The following diagram illustrates the EasyCLA release process:

WHITELISTING_BOTS.md

@@ -0,0 +1,111 @@
+## Whitelisting Bots
+
+You can allow specific bot users to automatically pass the CLA check. 
+
+This can be done on the GitHub organization level by setting the `skip_cla` property on `cla-{stage}-github-orgs` DynamoDB table.
+
+This property is a Map attribute that contains mapping from repository pattern to bot username and email pattern.
+
+Each pattern is a string and can be one of three possible types:
+- `"name"` - exact match for repository name, GitHub username, or email address.
+- `"re:regexp"` - regular expression match for repository name, GitHub username, or email address.
+- `"*"` - matches all.
+
+So the format is like `"repository_pattern": "github_username_pattern;email_pattern"`.
+
+There can be multiple entries under one Github Organization DynamoDB entry.
+
+Example:
+```
+{
+(...)
+    "organization_name": {
+      "S": "linuxfoundation"
+    },
+    "skip_cla": {
+      "M": {
+        "*": {
+          "S": "copilot-swe-agent[bot];*"
+        },
+        "repo1": {
+          "S": "re:vee?rendra;*"
+        }
+      }
+    },
+(...)
+}
+```
+
+Algorithm to match pattern is as follows:
+- First we check repository name for exact match. Repository name is without the organization name, so for `https://github.com/linuxfoundation/easycla` it is just `easycla`. If we find an entry in `skip_cla` for `easycla` that entry is used and we stop searching.
+- If no exact match is found, we check for regular expression match. Only keys starting with `re:` are considered. If we find a match, we use that entry and stop searching.
+- If no match is found, we check for `*` entry. If it exists, we use that entry and stop searching.
+- If no match is found, we don't skip CLA check.
+- Now when we have the entry, it is in the following format: `github_username_pattern;email_pattern`.
+- We check both GitHub username and email address against the patterns. Algorith is the same - username and email patterns can be either direct match or `re:regexp` or `*`.
+- If both username and email match the patterns, we skip CLA check. If username or email is not set but the pattern is `*` it means hit.
+- So setting pattern to `username_pattern;*` means that we only check for username match and assume all emails are valid.
+- If we set `repo_pattern` to `*` it means that this configuration applies to all repositories in the organization. If there are also specific repository patterns, they will be checked first.
+
+
+There is a script that allows you to update the `skip_cla` property in the DynamoDB table. It is located in `utils/skip_cla_entry.sh`. You can run it like this:
+- `` MODE=mode ./utils/skip_cla_entry.sh 'org-name' 'repo-pattern' 'github-username-pattern' 'email-pattern' ``.
+- `` MODE=add-key ./utils/skip_cla_entry.sh 'sun-test-org' '*' 'copilot-swe-agent[bot]' '*' ``.
+
+`MODE` can be one of:
+- `put-item`: Overwrites/adds the entire `skip_cla` property. Needs all 4 arguments org, repo, username and email.
+- `add-key`: Adds or updates a key/value inside the `skip_cla` map (preserves other keys). Needs all 4 args.
+- `delete-key`: Removes a key from the `skip_cla` map. Needs 2 arguments: org and repo.
+- `delete-item`: Deletes the entire `skip_cla` item. Needs 1 argument: org.
+
+
+You can also use AWS CLI to update the `skip_cla` property. Here is an example command:
+
+To add a new `skip_cla` entry:
+
+```
+aws --profile "lfproduct-prod" --region "us-east-1" dynamodb update-item \
+  --table-name "cla-prod-github-orgs" \
+  --key '{"organization_name": {"S": "linuxfoundation"}}' \
+  --update-expression 'SET skip_cla = :val' \
+  --expression-attribute-values '{":val": {"M": {"re:^easycla":{"S":"copilot-swe-agent[bot];*"}}}}'
+```
+
+To add a new key to an existing `skip_cla` entry (or replace the existing key):
+
+```
+aws --profile "lfproduct-prod" --region "us-east-1" dynamodb update-item \
+  --table-name "cla-prod-github-orgs" \
+  --key '{"organization_name": {"S": "linuxfoundation"}}' \
+  --update-expression "SET skip_cla.#repo = :val" \
+  --expression-attribute-names '{"#repo": "re:^easycla"}' \
+  --expression-attribute-values '{":val": {"S": "copilot-swe-agent[bot];*"}}'
+```
+
+To delete a key from an existing `skip_cla` entry:
+
+```
+aws --profile "lfproduct-prod" --region "us-east-1" dynamodb update-item \
+  --table-name "cla-prod-github-orgs" \
+  --key '{"organization_name": {"S": "linuxfoundation"}}' \
+  --update-expression "REMOVE skip_cla.#repo" \
+  --expression-attribute-names '{"#repo": "re:^easycla"}'
+```
+
+To delete the entire `skip_cla` entry:
+
+```
+aws --profile "lfproduct-prod" --region "us-east-1" dynamodb update-item \
+  --table-name "cla-prod-github-orgs" \
+  --key '{"organization_name": {"S": "linuxfoundation"}}' \
+  --update-expression "REMOVE skip_cla"
+```
+
+To see given organization's entry: `./utils/scan.sh github-orgs organization_name sun-test-org`.
+
+Or using AWS CLI:
+
+``` 
+aws --profile "lfproduct-prod" dynamodb scan --table-name "cla-prod-github-orgs" --filter-expression "contains(organization_name,:v)" --expression-attribute-values "{\":v\":{\"S\":\"linuxfoundation\"}}" --max-items 100 | jq -r '.Items'
+```
+

cla-backend/cla/models/github_models.py

@@ -961,6 +961,9 @@ def is_actor_skipped(self, actor, config):
             return False
 
     def strip_org(self, repo_full):
+        """
+        Removes the organization part from the repository name.
+        """
         if '/' in repo_full:
             return repo_full.split('/', 1)[1]
         return repo_full
@@ -982,7 +985,7 @@ def skip_whitelisted_bots(self, org_model, org_repo, actors_missing_cla) -> Tupl
             "*": "<username_pattern>;<email_pattern>"
         }
         where:
-        - repo-name is the exact repository name (e.g., "my-org/my-repo")
+        - repo-name is the exact repository name under given org (e.g., "my-repo" not "my-org/my-repo")
         - re:repo-regexp is a regex pattern to match repository names
         - * is a wildcard that applies to all repositories
         - <username_pattern> is a GitHub username pattern (exact match or regex prefixed by re: or match all '*')
@@ -994,41 +997,41 @@ def skip_whitelisted_bots(self, org_model, org_repo, actors_missing_cla) -> Tupl
             repo = self.strip_org(org_repo)
             skip_cla = org_model.get_skip_cla()
             if skip_cla is None:
-                cla.log.debug("skip_cla is not set, skipping whitelisted bots check")
+                cla.log.debug("skip_cla is not set on '%s', skipping whitelisted bots check", org_repo)
                 return actors_missing_cla, []
 
             if hasattr(skip_cla, "as_dict"):
                 skip_cla = skip_cla.as_dict()
             config = ''
             # 1. Exact match
             if repo in skip_cla:
-                cla.log.debug("skip_cla config found for repo %s: %s (exact hit)", repo, skip_cla[repo])
+                cla.log.debug("skip_cla config found for repo %s: %s (exact hit)", org_repo, skip_cla[repo])
                 config = skip_cla[repo]
 
             # 2. Regex pattern (if no exact hit)
             if config == '':
-                cla.log.debug("No skip_cla config found for repo %s, checking regex patterns", repo)
+                cla.log.debug("No skip_cla config found for repo %s, checking regex patterns", org_repo)
                 for k, v in skip_cla.items():
                     if not isinstance(k, str) or not k.startswith("re:"):
                         continue
                     pattern = k[3:]
                     try:
                         if re.search(pattern, repo):
                             config = v
-                            cla.log.debug("Found skip_cla config for repo %s: %s via regex pattern: %s", repo, config, pattern)
+                            cla.log.debug("Found skip_cla config for repo %s: %s via regex pattern: %s", org_repo, config, pattern)
                             break
                     except re.error as e:
-                        cla.log.warning("Invalid regex in skip_cla: %s (%s)", k, e)
+                        cla.log.warning("Invalid regex in skip_cla: %s (%s) for repo: %s", k, e, org_repo)
                         continue
 
             # 3. Wildcard fallback
             if config == '' and '*' in skip_cla:
-                cla.log.debug("No skip_cla config found for repo %s, using wildcard config", repo)
+                cla.log.debug("No skip_cla config found for repo %s, using wildcard config", org_repo)
                 config = skip_cla['*']
 
             # 4. No match
             if config == '':
-                cla.log.debug("No skip_cla config found for repo %s, skipping whitelisted bots check", repo)
+                cla.log.debug("No skip_cla config found for repo %s, skipping whitelisted bots check", org_repo)
                 return actors_missing_cla, []
 
             out_actors_missing_cla = []

utils/skip_cla_entry.sh

@@ -1,9 +1,9 @@
 #!/bin/bash
 # MODE=mode ./utils/skip_cla_entry.sh sun-test-org '*' 'copilot-swe-agent[bot]' '*'
-# put-item    Overwrites the entire item (skip_cla and all other attributes if needed)
+# put-item    Overwrites/adds the entire `skip_cla` entry.
 # add-key     Adds or updates a key/value inside the skip_cla map (preserves other keys)
 # delete-key  Removes a key from the skip_cla map
-# delete-item Deletes the entire DynamoDB item (removes the whole row)
+# delete-item Deletes the entire `skip_cla`entry.
 #
 # MODE=add-key ./utils/skip_cla_entry.sh sun-test-org 'repo1' 're:vee?rendra' '*'
 # ./utils/scan.sh github-orgs organization_name sun-test-org
@@ -27,44 +27,44 @@ case "$MODE" in
       echo "Usage: $0 <organization_name> <repo or *> <bot username> <email regexp>"
       exit 1
     fi
-    aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb update-item \
-      --table-name "cla-${STAGE}-github-orgs" \
-      --key "{\"organization_name\": {\"S\": \"${1}\"}}" \
+    CMD="aws --profile \"lfproduct-${STAGE}\" --region \"${REGION}\" dynamodb update-item \
+      --table-name \"cla-${STAGE}-github-orgs\" \
+      --key '{\"organization_name\": {\"S\": \"${1}\"}}' \
       --update-expression 'SET skip_cla = :val' \
-      --expression-attribute-values "{\":val\": {\"M\": {\"${2}\":{\"S\":\"${3};${4}\"}}}}"
+      --expression-attribute-values '{\":val\": {\"M\": {\"${2}\":{\"S\":\"${3};${4}\"}}}}'"
     ;;
   add-key)
     if ( [ -z "${1}" ] || [ -z "${2}" ] || [ -z "${3}" ] || [ -z "${4}" ] ); then
       echo "Usage: $0 <organization_name> <repo or *> <bot username> <email regexp>"
       exit 1
     fi
-    aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb update-item \
-      --table-name "cla-${STAGE}-github-orgs" \
-      --key "{\"organization_name\": {\"S\": \"${1}\"}}" \
-      --update-expression "SET skip_cla.#repo = :val" \
-      --expression-attribute-names "{\"#repo\": \"${2}\"}" \
-      --expression-attribute-values "{\":val\": {\"S\": \"${3};${4}\"}}"
+    CMD="aws --profile \"lfproduct-${STAGE}\" --region \"${REGION}\" dynamodb update-item \
+      --table-name \"cla-${STAGE}-github-orgs\" \
+      --key '{\"organization_name\": {\"S\": \"${1}\"}}' \
+      --update-expression 'SET skip_cla.#repo = :val' \
+      --expression-attribute-names '{\"#repo\": \"${2}\"}' \
+      --expression-attribute-values '{\":val\": {\"S\": \"${3};${4}\"}}'"
     ;;
   delete-key)
     if ( [ -z "${1}" ] || [ -z "${2}" ] ); then
       echo "Usage: $0 <organization_name> <repo or *>"
       exit 1
     fi
-    aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb update-item \
-      --table-name "cla-${STAGE}-github-orgs" \
-      --key "{\"organization_name\": {\"S\": \"${1}\"}}" \
-      --update-expression "REMOVE skip_cla.#repo" \
-      --expression-attribute-names "{\"#repo\": \"${2}\"}"
+    CMD="aws --profile \"lfproduct-${STAGE}\" --region \"${REGION}\" dynamodb update-item \
+      --table-name \"cla-${STAGE}-github-orgs\" \
+      --key '{\"organization_name\": {\"S\": \"${1}\"}}' \
+      --update-expression 'REMOVE skip_cla.#repo' \
+      --expression-attribute-names '{\"#repo\": \"${2}\"}'"
     ;;
   delete-item)
     if [ -z "${1}" ]; then
       echo "Usage: $0 <organization_name>"
       exit 1
     fi
-    aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb update-item \
-      --table-name "cla-${STAGE}-github-orgs" \
-      --key "{\"organization_name\": {\"S\": \"${1}\"}}" \
-      --update-expression "REMOVE skip_cla"
+    CMD="aws --profile \"lfproduct-${STAGE}\" --region \"${REGION}\" dynamodb update-item \
+      --table-name \"cla-${STAGE}-github-orgs\" \
+      --key '{\"organization_name\": {\"S\": \"${1}\"}}' \
+      --update-expression 'REMOVE skip_cla'"
     ;;
   *)
     echo "$0: Unknown MODE: $MODE"
@@ -73,3 +73,10 @@ case "$MODE" in
     ;;
 esac
 
+if [ ! -z "$DEBUG" ]
+then
+  echo "$CMD"
+fi
+
+eval $CMD
+