Merge pull request #4725 from linuxfoundation/unicron-4701-allow-bots-to-skip-cla

Add support for whitelisting bots

Author: lukaszgryglicki

README.md

@@ -61,6 +61,10 @@ The following diagram explains the EasyCLA architecture.
 
 ![CLA Architecture](.gitbook/assets/easycla-architecture-overview.png)
 
+## Bot Whitelisting
+
+For whitelisting bots please see the [Whitelisting Bots](WHITELISTING_BOTS.md) documentation.
+
 ## EasyCLA Release Process
 
 The following diagram illustrates the EasyCLA release process:

WHITELISTING_BOTS.md

@@ -0,0 +1,111 @@
+## Whitelisting Bots
+
+You can allow specific bot users to automatically pass the CLA check.
+
+This can be done on the GitHub organization level by setting the `skip_cla` property on `cla-{stage}-github-orgs` DynamoDB table.
+
+This property is a Map attribute that contains mapping from repository pattern to bot username and email pattern.
+
+Each pattern is a string and can be one of three possible types:
+- `"name"` - exact match for repository name, GitHub username, or email address.
+- `"re:regexp"` - regular expression match for repository name, GitHub username, or email address.
+- `"*"` - matches all.
+
+So the format is like `"repository_pattern": "github_username_pattern;email_pattern"`.
+
+There can be multiple entries under one Github Organization DynamoDB entry.
+
+Example:
+```
+{
+(...)
+    "organization_name": {
+      "S": "linuxfoundation"
+    },
+    "skip_cla": {
+      "M": {
+        "*": {
+          "S": "copilot-swe-agent[bot];*"
+        },
+        "repo1": {
+          "S": "re:vee?rendra;*"
+        }
+      }
+    },
+(...)
+}
+```
+
+Algorithm to match pattern is as follows:
+- First we check repository name for exact match. Repository name is without the organization name, so for `https://github.com/linuxfoundation/easycla` it is just `easycla`. If we find an entry in `skip_cla` for `easycla` that entry is used and we stop searching.
+- If no exact match is found, we check for regular expression match. Only keys starting with `re:` are considered. If we find a match, we use that entry and stop searching.
+- If no match is found, we check for `*` entry. If it exists, we use that entry and stop searching.
+- If no match is found, we don't skip CLA check.
+- Now when we have the entry, it is in the following format: `github_username_pattern;email_pattern`.
+- We check both GitHub username and email address against the patterns. Algorith is the same - username and email patterns can be either direct match or `re:regexp` or `*`.
+- If both username and email match the patterns, we skip CLA check. If username or email is not set but the pattern is `*` it means hit.
+- So setting pattern to `username_pattern;*` means that we only check for username match and assume all emails are valid.
+- If we set `repo_pattern` to `*` it means that this configuration applies to all repositories in the organization. If there are also specific repository patterns, they will be checked first.
+
+
+There is a script that allows you to update the `skip_cla` property in the DynamoDB table. It is located in `utils/skip_cla_entry.sh`. You can run it like this:
+- `` MODE=mode ./utils/skip_cla_entry.sh 'org-name' 'repo-pattern' 'github-username-pattern' 'email-pattern' ``.
+- `` MODE=add-key ./utils/skip_cla_entry.sh 'sun-test-org' '*' 'copilot-swe-agent[bot]' '*' ``.
+
+`MODE` can be one of:
+- `put-item`: Overwrites/adds the entire `skip_cla` property. Needs all 4 arguments org, repo, username and email.
+- `add-key`: Adds or updates a key/value inside the `skip_cla` map (preserves other keys). Needs all 4 args.
+- `delete-key`: Removes a key from the `skip_cla` map. Needs 2 arguments: org and repo.
+- `delete-item`: Deletes the entire `skip_cla` item. Needs 1 argument: org.
+
+
+You can also use AWS CLI to update the `skip_cla` property. Here is an example command:
+
+To add a new `skip_cla` entry:
+
+```
+aws --profile "lfproduct-prod" --region "us-east-1" dynamodb update-item \
+  --table-name "cla-prod-github-orgs" \
+  --key '{"organization_name": {"S": "linuxfoundation"}}' \
+  --update-expression 'SET skip_cla = :val' \
+  --expression-attribute-values '{":val": {"M": {"re:^easycla":{"S":"copilot-swe-agent[bot];*"}}}}'
+```
+
+To add a new key to an existing `skip_cla` entry (or replace the existing key):
+
+```
+aws --profile "lfproduct-prod" --region "us-east-1" dynamodb update-item \
+  --table-name "cla-prod-github-orgs" \
+  --key '{"organization_name": {"S": "linuxfoundation"}}' \
+  --update-expression "SET skip_cla.#repo = :val" \
+  --expression-attribute-names '{"#repo": "re:^easycla"}' \
+  --expression-attribute-values '{":val": {"S": "copilot-swe-agent[bot];*"}}'
+```
+
+To delete a key from an existing `skip_cla` entry:
+
+```
+aws --profile "lfproduct-prod" --region "us-east-1" dynamodb update-item \
+  --table-name "cla-prod-github-orgs" \
+  --key '{"organization_name": {"S": "linuxfoundation"}}' \
+  --update-expression "REMOVE skip_cla.#repo" \
+  --expression-attribute-names '{"#repo": "re:^easycla"}'
+```
+
+To delete the entire `skip_cla` entry:
+
+```
+aws --profile "lfproduct-prod" --region "us-east-1" dynamodb update-item \
+  --table-name "cla-prod-github-orgs" \
+  --key '{"organization_name": {"S": "linuxfoundation"}}' \
+  --update-expression "REMOVE skip_cla"
+```
+
+To see given organization's entry: `./utils/scan.sh github-orgs organization_name sun-test-org`.
+
+Or using AWS CLI:
+
+```
+aws --profile "lfproduct-prod" dynamodb scan --table-name "cla-prod-github-orgs" --filter-expression "contains(organization_name,:v)" --expression-attribute-values "{\":v\":{\"S\":\"linuxfoundation\"}}" --max-items 100 | jq -r '.Items'
+```
+

cla-backend-go/events/event_data.go

@@ -457,6 +457,23 @@ type CorporateSignatureSignedEventData struct {
 	SignatoryName string
 }
 
+// BypassCLAEventData event data model
+type BypassCLAEventData struct {
+	Repo   string
+	Config string
+	Actor  string
+}
+
+func (ed *BypassCLAEventData) GetEventDetailsString(args *LogEventArgs) (string, bool) {
+	data := fmt.Sprintf("repo='%s', config='%s', actor='%s'", ed.Repo, ed.Config, ed.Actor)
+	return data, true
+}
+
+func (ed *BypassCLAEventData) GetEventSummaryString(args *LogEventArgs) (string, bool) {
+	data := fmt.Sprintf("repo='%s', config='%s', actor='%s'", ed.Repo, ed.Config, ed.Actor)
+	return data, true
+}
+
 func (ed *CorporateSignatureSignedEventData) GetEventDetailsString(args *LogEventArgs) (string, bool) {
 	data := fmt.Sprintf("The signature was signed for the project %s and company %s by %s", args.ProjectName, ed.CompanyName, ed.SignatoryName)
 	if args.UserName != "" {

cla-backend-go/events/event_types.go

@@ -99,4 +99,6 @@ const (
 
 	IndividualSignatureSigned = "individual.signature.signed"
 	CorporateSignatureSigned  = "corporate.signature.signed"
+
+	BypassCLA = "Bypass CLA"
 )

cla-backend-go/github/bots.go

@@ -0,0 +1,218 @@
+// Copyright The Linux Foundation and each contributor to CommunityBridge.
+// SPDX-License-Identifier: MIT
+
+package github
+
+import (
+	"fmt"
+	"regexp"
+	"strings"
+
+	"github.com/linuxfoundation/easycla/cla-backend-go/events"
+	"github.com/linuxfoundation/easycla/cla-backend-go/gen/v1/models"
+	log "github.com/linuxfoundation/easycla/cla-backend-go/logging"
+	"github.com/sirupsen/logrus"
+)
+
+// propertyMatches returns true if value matches the pattern.
+// - "*" matches anything
+// - "re:..." matches regex (value must be non-empty)
+// - otherwise, exact match
+func propertyMatches(pattern, value string) bool {
+	f := logrus.Fields{
+		"functionName": "github.propertyMatches",
+		"pattern":      pattern,
+		"value":        value,
+	}
+	if pattern == "*" {
+		return true
+	}
+	if value == "" {
+		return false
+	}
+	if strings.HasPrefix(pattern, "re:") {
+		regex := pattern[3:]
+		re, err := regexp.Compile(regex)
+		if err != nil {
+			log.WithFields(f).Debugf("Error in propertyMatches: bad regexp: %s, error: %v", regex, err)
+			return false
+		}
+		return re.MatchString(value)
+	}
+	return value == pattern
+}
+
+// stripOrg removes the organization part from the repository name.
+// If input is "org/repo", returns "repo". If no "/", returns input unchanged.
+func stripOrg(repoFull string) string {
+	idx := strings.Index(repoFull, "/")
+	if idx >= 0 && idx+1 < len(repoFull) {
+		return repoFull[idx+1:]
+	}
+	return repoFull
+}
+
+// isActorSkipped returns true if the given actor should be skipped according to the skip_cla config pattern.
+// config format: "<username_pattern>;<email_pattern>"
+// Actor.CommitAuthor.Login and Actor.CommitAuthor.Email should be *string, can be nil.
+func isActorSkipped(actor *UserCommitSummary, config string) bool {
+	f := logrus.Fields{
+		"functionName": "github.isActorSkipped",
+		"config":       config,
+	}
+	// Defensive: must have exactly one ';'
+	if !strings.Contains(config, ";") {
+		log.WithFields(f).Debugf("Invalid skip_cla config format: %s, expected '<username_pattern>;<email_pattern>'", config)
+		return false
+	}
+	parts := strings.SplitN(config, ";", 2)
+	if len(parts) != 2 {
+		return false
+	}
+	usernamePattern := parts[0]
+	emailPattern := parts[1]
+	var (
+		username string
+		email    string
+	)
+	if actor != nil && actor.CommitAuthor != nil && actor.CommitAuthor.Login != nil {
+		username = *actor.CommitAuthor.Login
+	}
+	if actor != nil && actor.CommitAuthor != nil && actor.CommitAuthor.Email != nil {
+		email = *actor.CommitAuthor.Email
+	}
+
+	return propertyMatches(usernamePattern, username) && propertyMatches(emailPattern, email)
+}
+
+// SkipWhitelistedBots- check if the actors are whitelisted based on the skip_cla configuration.
+// Returns two lists:
+// - actors still missing cla: actors who still need to sign the CLA after checking skip_cla
+// - whitelisted actors: actors who are skipped due to skip_cla configuration
+// :param orgModel: The GitHub organization model instance.
+// :param orgRepo: The repository name in the format 'org/repo'.
+// :param actorsMissingCla: List of UserCommitSummary objects representing actors who are missing CLA.
+// :return: two arrays (actors still missing CLA, whitelisted actors)
+// : in cla-{stage}-github-orgs table there can be a skip_cla field which is a dict with the following structure:
+//
+//	{
+//	    "repo-name": "<username_pattern>;<email_pattern>",
+//	    "re:repo-regexp": "<username_pattern>;<email_pattern>",
+//	    "*": "<username_pattern>;<email_pattern>"
+//	}
+//
+// where:
+//   - repo-name is the exact repository name under given org (e.g., "my-repo" not "my-org/my-repo")
+//   - re:repo-regexp is a regex pattern to match repository names
+//   - * is a wildcard that applies to all repositories
+//   - <username_pattern> is a GitHub username pattern (exact match or regex prefixed by re: or match all '*')
+//   - <email_pattern> is a GitHub email pattern (exact match or regex prefixed by re: or match all '*')
+//     The username and email patterns are separated by a semicolon (;).
+//     If the skip_cla is not set, it will skip the whitelisted bots check.
+func SkipWhitelistedBots(ev events.Service, orgModel *models.GithubOrganization, orgRepo, projectID string, actorsMissingCLA []*UserCommitSummary) ([]*UserCommitSummary, []*UserCommitSummary) {
+	repo := stripOrg(orgRepo)
+	f := logrus.Fields{
+		"functionName": "github.SkipWhitelistedBots",
+		"orgRepo":      orgRepo,
+		"repo":         repo,
+		"projectID":    projectID,
+	}
+	outActorsMissingCLA := []*UserCommitSummary{}
+	whitelistedActors := []*UserCommitSummary{}
+
+	skipCLA := orgModel.SkipCla
+	if skipCLA == nil {
+		log.WithFields(f).Debug("skip_cla is not set, skipping whitelisted bots check")
+		return actorsMissingCLA, []*UserCommitSummary{}
+	}
+
+	var config string
+
+	// 1. Exact match
+	if val, ok := skipCLA[repo]; ok {
+		config = val
+		log.WithFields(f).Debugf("skip_cla config found for repo (exact hit): '%s'", config)
+	}
+
+	// 2. Regex match (if no exact hit)
+	if config == "" {
+		log.WithFields(f).Debug("No skip_cla config found for repo, checking regex patterns")
+		for k, v := range skipCLA {
+			if !strings.HasPrefix(k, "re:") {
+				continue
+			}
+			pattern := k[3:]
+			re, err := regexp.Compile(pattern)
+			if err != nil {
+				log.WithFields(f).Warnf("Invalid regex in skip_cla: '%s': %+v", pattern, err)
+				continue
+			}
+			if re.MatchString(repo) {
+				config = v
+				log.WithFields(f).Debugf("Found skip_cla config for repo via regex pattern: '%s'", config)
+				break
+			}
+		}
+	}
+
+	// 3. Wildcard fallback
+	if config == "" {
+		if val, ok := skipCLA["*"]; ok {
+			config = val
+			log.WithFields(f).Debugf("No skip_cla config found for repo, using wildcard config: '%s'", config)
+		}
+	}
+
+	// 4. No match
+	if config == "" {
+		log.WithFields(f).Debug("No skip_cla config found for repo, skipping whitelisted bots check")
+		return actorsMissingCLA, []*UserCommitSummary{}
+	}
+	const nullStr = "(null)"
+
+	for _, actor := range actorsMissingCLA {
+		if isActorSkipped(actor, config) {
+			if actor == nil {
+				continue
+			}
+			id, login, username, email := nullStr, nullStr, nullStr, nullStr
+			if actor.CommitAuthor != nil && actor.CommitAuthor.ID != nil {
+				id = fmt.Sprintf("%v", *actor.CommitAuthor.ID)
+			}
+			if actor.CommitAuthor != nil && actor.CommitAuthor.Login != nil {
+				login = *actor.CommitAuthor.Login
+			}
+			if actor.CommitAuthor != nil && actor.CommitAuthor.Name != nil {
+				username = *actor.CommitAuthor.Name
+			}
+			if actor.CommitAuthor != nil && actor.CommitAuthor.Email != nil {
+				email = *actor.CommitAuthor.Email
+			}
+			actorData := fmt.Sprintf("id='%v',login='%v',username='%v',email='%v'", id, login, username, email)
+			msg := fmt.Sprintf(
+				"Skipping CLA check for repo='%s', actor: %s due to skip_cla config: '%s'",
+				orgRepo, actorData, config,
+			)
+			log.WithFields(f).Info(msg)
+			eventData := events.BypassCLAEventData{
+				Repo:   orgRepo,
+				Config: config,
+				Actor:  actorData,
+			}
+			ev.LogEvent(&events.LogEventArgs{
+				EventType: events.BypassCLA,
+				EventData: &eventData,
+				UserID:    id,
+				UserName:  login,
+				ProjectID: projectID,
+			})
+			log.WithFields(f).Debugf("event logged")
+			actor.Authorized = true
+			whitelistedActors = append(whitelistedActors, actor)
+		} else {
+			outActorsMissingCLA = append(outActorsMissingCLA, actor)
+		}
+	}
+
+	return outActorsMissingCLA, whitelistedActors
+}