Merge pull request #4826 from linuxfoundation/unicron-4803-4820

Unicron 4803 4820

Author: lukaszgryglicki

cla-backend-go/github/github_repository.go

@@ -78,15 +78,35 @@ type gqlRequest struct {
 }
 
 type gqlError struct {
-	Message string `json:"message"`
-	Type    string `json:"type,omitempty"` // sometimes "RATE_LIMITED"
+	Message    string         `json:"message"`
+	Type       string         `json:"type,omitempty"` // sometimes "RATE_LIMITED"
+	Path       []interface{}  `json:"path,omitempty"`
+	Extensions map[string]any `json:"extensions,omitempty"`
 }
 
 type gqlResponse struct {
 	Data   json.RawMessage `json:"data"`
 	Errors []gqlError      `json:"errors,omitempty"`
 }
 
+type GraphQLError struct {
+	Errs []gqlError
+}
+
+func (e *GraphQLError) Error() string {
+	if len(e.Errs) == 0 {
+		return "graphql: unknown error"
+	}
+	msg := "graphql: "
+	for i, ge := range e.Errs {
+		msg += fmt.Sprintf("#%d: %s (type=%s path=%v)", i+1, ge.Message, ge.Type, ge.Path)
+		if i < len(e.Errs)-1 {
+			msg += "; "
+		}
+	}
+	return msg
+}
+
 // doGraphQL posts to /graphql using v3 client and unmarshals the "data" field into v.
 // No retries; if GraphQL returns "errors", returns an error.
 func doGraphQL(ctx context.Context, c *github.Client, query string, variables map[string]interface{}, v any) (*github.Response, error) {
@@ -95,14 +115,16 @@ func doGraphQL(ctx context.Context, c *github.Client, query string, variables ma
 	if err != nil {
 		return nil, err
 	}
+	req.Header.Set("Accept", "application/vnd.github+json")
+	req.Header.Set("Content-Type", "application/json")
+	req.Header.Set("X-GitHub-Api-Version", "2022-11-28")
 	var gr gqlResponse
 	resp, err := c.Do(ctx, req, &gr)
 	if err != nil {
 		return resp, err
 	}
 	if len(gr.Errors) > 0 {
-		first := gr.Errors[0]
-		return resp, fmt.Errorf("graphql error: %s", first.Message)
+		return resp, &GraphQLError{Errs: gr.Errors}
 	}
 	if v != nil && len(gr.Data) > 0 {
 		if err := json.Unmarshal(gr.Data, v); err != nil {

cla-backend-go/v2/cla_manager/emails.go

@@ -313,7 +313,8 @@ func (s *service) SendDesigneeEmailToUserWithNoLFID(ctx context.Context, input D
 	// Parse the provided user's name
 	userFirstName, userLastName := utils.GetFirstAndLastName(input.userWithNoLFIDName)
 
-	return acsClient.SendUserInvite(ctx, &v2AcsService.SendUserInviteInput{
+	// Send invitation for the primary CLA role (e.g., cla-manager-designee)
+	inviteErr := acsClient.SendUserInvite(ctx, &v2AcsService.SendUserInviteInput{
 		InviteUserFirstName: userFirstName,
 		InviteUserLastName:  userLastName,
 		InviteUserEmail:     input.userWithNoLFIDEmail,
@@ -326,6 +327,48 @@ func (s *service) SendDesigneeEmailToUserWithNoLFID(ctx context.Context, input D
 		EmailContent:        body,
 		Automate:            false,
 	})
+	if inviteErr != nil {
+		log.WithFields(f).WithError(inviteErr).Warnf("failed to send primary role invitation")
+		return inviteErr
+	}
+
+	// Also send invitation for the "contact" role which is required to access Corporate Console
+	// This is sent at organization scope (not project|organization)
+	contactSubject := fmt.Sprintf("EasyCLA: Invitation to access Corporate Console for %s", input.companyName)
+	contactBody, contactBodyErr := emails.RenderV2ToCLAManagerDesigneeTemplate(s.emailTemplateService, input.projectSFIDs,
+		emails.V2ToCLAManagerDesigneeTemplateParams{
+			CommonEmailParams: emails.CommonEmailParams{
+				RecipientName: input.userWithNoLFIDName,
+				CompanyName:   input.companyName,
+			},
+			Contributor: input.contributorModel,
+		}, emails.V2DesigneeToUserWithNoLFIDTemplate, emails.V2DesigneeToUserWithNoLFIDTemplateName)
+
+	if contactBodyErr != nil {
+		log.WithFields(f).WithError(contactBodyErr).Warnf("failed to render contact role invitation email template")
+		// Don't return error, as the primary invitation was successful
+	} else {
+		log.WithFields(f).Debug("sending contact role invite request...")
+		contactInviteErr := acsClient.SendUserInvite(ctx, &v2AcsService.SendUserInviteInput{
+			InviteUserFirstName: userFirstName,
+			InviteUserLastName:  userLastName,
+			InviteUserEmail:     input.userWithNoLFIDEmail,
+			RoleName:            utils.ContactRole,
+			Scope:               "organization", // Contact role is at organization scope only
+			ProjectSFID:         "",             // Not applicable for organization scope
+			OrganizationSFID:    input.organizationID,
+			InviteType:          "userinvite",
+			Subject:             contactSubject,
+			EmailContent:        contactBody,
+			Automate:            false,
+		})
+		if contactInviteErr != nil {
+			log.WithFields(f).WithError(contactInviteErr).Warnf("failed to send contact role invitation, but primary invitation succeeded")
+			// Don't return error, as the primary invitation was successful
+		}
+	}
+
+	return nil
 }
 
 // sendEmailToUserWithNoLFID helper function to send email to a given user with no LFID
@@ -364,8 +407,9 @@ func (s *service) SendEmailToUserWithNoLFID(ctx context.Context, input EmailToUs
 	userFirstName, userLastName := utils.GetFirstAndLastName(input.userWithNoLFIDName)
 
 	log.WithFields(f).Debug("sending user invite request...")
-	//return acsClient.SendUserInvite(ctx, &userWithNoLFIDEmail, role, utils.ProjectOrgScope, projectID, organizationID, "userinvite", &subject, &body, automate)
-	return acsClient.SendUserInvite(ctx, &v2AcsService.SendUserInviteInput{
+
+	// Send invitation for the primary CLA role (e.g., cla-manager-designee)
+	inviteErr := acsClient.SendUserInvite(ctx, &v2AcsService.SendUserInviteInput{
 		InviteUserFirstName: userFirstName,
 		InviteUserLastName:  userLastName,
 		InviteUserEmail:     input.userWithNoLFIDEmail,
@@ -378,4 +422,45 @@ func (s *service) SendEmailToUserWithNoLFID(ctx context.Context, input EmailToUs
 		EmailContent:        body,
 		Automate:            false,
 	})
+	if inviteErr != nil {
+		log.WithFields(f).WithError(inviteErr).Warnf("failed to send primary role invitation")
+		return inviteErr
+	}
+
+	// Also send invitation for the "contact" role which is required to access Corporate Console
+	// This is sent at organization scope (not project|organization)
+	contactSubject := fmt.Sprintf("EasyCLA: Invitation to access Corporate Console for %s", input.companyName)
+	contactBody, contactBodyErr := emails.RenderV2CLAManagerToUserWithNoLFIDTemplate(s.emailTemplateService, input.projectID, emails.V2CLAManagerToUserWithNoLFIDTemplateParams{
+		CommonEmailParams: emails.CommonEmailParams{
+			RecipientName: input.userWithNoLFIDName,
+			CompanyName:   input.companyName,
+		},
+		RequesterUserName: input.requesterUsername,
+		RequesterEmail:    input.requesterEmail,
+	})
+	if contactBodyErr != nil {
+		log.WithFields(f).WithError(contactBodyErr).Warnf("failed to render contact role invitation email template")
+		// Don't return error, as the primary invitation was successful
+	} else {
+		log.WithFields(f).Debug("sending contact role invite request...")
+		contactInviteErr := acsClient.SendUserInvite(ctx, &v2AcsService.SendUserInviteInput{
+			InviteUserFirstName: userFirstName,
+			InviteUserLastName:  userLastName,
+			InviteUserEmail:     input.userWithNoLFIDEmail,
+			RoleName:            utils.ContactRole,
+			Scope:               "organization", // Contact role is at organization scope only
+			ProjectSFID:         "",             // Not applicable for organization scope
+			OrganizationSFID:    input.organizationID,
+			InviteType:          "userinvite",
+			Subject:             contactSubject,
+			EmailContent:        contactBody,
+			Automate:            false,
+		})
+		if contactInviteErr != nil {
+			log.WithFields(f).WithError(contactInviteErr).Warnf("failed to send contact role invitation, but primary invitation succeeded")
+			// Don't return error, as the primary invitation was successful
+		}
+	}
+
+	return nil
 }

cla-backend-go/v2/cla_manager/service.go

@@ -414,6 +414,28 @@ func (s *service) CreateCLAManagerDesignee(ctx context.Context, companyID string
 	log.WithFields(f).Debugf("created user role organization scope for user: %s, with role: %s with role ID: %s using project|org: %s|%s...",
 		userEmail, utils.CLADesigneeRole, roleID, projectSFID, v1CompanyModel.CompanyExternalID)
 
+	// Also assign the "contact" role which is required to access the Corporate Console
+	log.WithFields(f).Debugf("loading role ID for %s...", utils.ContactRole)
+	contactRoleID, contactErr := acServiceClient.GetRoleID(utils.ContactRole)
+	if contactErr != nil {
+		log.WithFields(f).Warnf("Problem getting role ID for contact role, error: %+v - continuing without contact role", contactErr)
+	} else {
+		log.WithFields(f).Debugf("creating contact role organization scope for user: %s, with role: %s with role ID: %s using org: %s...",
+			userEmail, utils.ContactRole, contactRoleID, v1CompanyModel.CompanyExternalID)
+		contactScopeErr := orgClient.CreateOrgUserRoleOrgScope(ctx, userEmail, v1CompanyModel.CompanyExternalID, contactRoleID)
+		if contactScopeErr != nil {
+			// Ignore conflict - role has already been assigned - otherwise, log error but don't fail
+			if _, ok := contactScopeErr.(*organizations.CreateOrgUsrRoleScopesConflict); !ok {
+				log.WithFields(f).Warnf("problem creating contact role org scope for email: %s, companySFID: %s, error: %+v - continuing without contact role", userEmail, v1CompanyModel.CompanyExternalID, contactScopeErr)
+			} else {
+				log.WithFields(f).Debugf("contact role already assigned for user: %s, companySFID: %s", userEmail, v1CompanyModel.CompanyExternalID)
+			}
+		} else {
+			log.WithFields(f).Debugf("successfully created contact role organization scope for user: %s, with role: %s with role ID: %s using org: %s",
+				userEmail, utils.ContactRole, contactRoleID, v1CompanyModel.CompanyExternalID)
+		}
+	}
+
 	// Log Event
 	s.eventService.LogEventWithContext(ctx,
 		&events.LogEventArgs{

cla-backend/cla/models/github_models.py

@@ -707,7 +707,7 @@ def update_merge_group_status(
 
         # Create the commit status on the merge commit
         if self.client is None:
-            self.client = self._get_github_client(installation_id)
+            self.client = get_github_integration_client(installation_id)
 
         # Get repository
         cla.log.debug(f"{fn} - Getting repository by ID: {repository_id}")
@@ -2148,14 +2148,24 @@ def pygithub_graphql(g, query: str, variables: dict | None = None):
     try:
         # LG: note that this uses internal PyGithub API - may break in future versions:
         # g._Github__requester.requestJsonAndCheck
-        headers, data = g._Github__requester.requestJsonAndCheck(
+        if hasattr(g, "graphql"):
+            return g.graphql(query, variables or {})
+
+        headers = {
+            "Accept": "application/vnd.github+json",
+            "Content-Type": "application/json",
+        }
+        _, data = g._Github__requester.requestJsonAndCheck(
             "POST",
             "/graphql",
             input={"query": query, "variables": variables or {}},
+            headers=headers,
         )
         if isinstance(data, dict) and data.get("errors"):
-            msg = data["errors"][0].get("message", "GraphQL error")
-            cla.log.error(f"GraphQL errors: {msg} (all={data['errors']!r})")
+            errs = data["errors"]
+            paths = [e.get("path") for e in errs]
+            msgs = [e.get("message") for e in errs]
+            cla.log.error(f"GraphQL errors: {msgs} (paths={paths}, all={errs!r})")
             return None
         return data.get("data")
     except Exception as exc:
@@ -2288,7 +2298,16 @@ def get_pr_commit_count_gql(g, owner: str, repo: str, number: int) -> int | None
         if data is None:
             cla.log.debug(f"get_pr_commit_count_gql: no data returned")
             return None
-        return data["repository"]["pullRequest"]["commits"]["totalCount"]
+        repo_obj = data.get("repository")
+        if not repo_obj:
+            cla.log.debug("get_pr_commit_count_gql: repository null (no access?)")
+            return None
+        pr = repo_obj.get("pullRequest")
+        if not pr:
+            cla.log.debug("get_pr_commit_count_gql: pullRequest null (bad number or no access?)")
+            return None
+        commits = pr.get("commits") or {}
+        return commits.get("totalCount")
     except Exception as e:
         cla.log.debug(f"get_pr_commit_count_gql: failed to fetch count: {e}")
         return None

set-easycla-github-token.sh

@@ -0,0 +1,2 @@
+#!/bin/bash
+export GITHUB_OAUTH_TOKEN="$(cat ./easycla-github-oauth-token.secret)"

utils/copy_prod_case_7.sh

@@ -0,0 +1,4 @@
+#!/bin/bash
+repo_id=$(STAGE=prod ./utils/scan.sh repositories repository_name 'fluxnova-modeler' | jq -r '.[0].repository_id.S')
+./utils/copy_prod_to_dev.sh repositories repository_id "${repo_id}"
+STAGE=dev ./utils/scan.sh repositories repository_name 'fluxnova-modeler'

utils/github_pat_check.sh

@@ -0,0 +1,45 @@
+#!/bin/bash
+# Quick test for GitHub PAT GraphQL permissions
+# ./utils/github_pat_check.sh "$(cat ./easycla-github-oauth-token.secret)" finos fluxnova-modeler 85
+# ./utils/github_pat_check.sh "$(cat /etc/github/oauth)" cncf devstats 114
+
+if ( [ -z "$1" ] || [ -z "$2" ] || [ -z "$3" ] || [ -z "$4" ] )
+then
+    echo "Usage: $0 YOUR_GITHUB_TOKEN org repo pr-number"
+    echo "Example: $0 ghp_xxxxxxxxxxxxxxxxxxxx cncf devstats 114"
+    exit 1
+fi
+
+TOKEN="$1"
+ORG="$2"
+REPO="$3"
+PR="$4"
+echo "Testing GitHub PAT GraphQL with token: ${TOKEN:0:4} for $ORG/$REPO PR:$PR..."
+
+echo -e "\n1. Testing Simple GraphQL Query:"
+echo "--------------------------------"
+curl -s -H "Authorization: Bearer $TOKEN" \
+     -H "Content-Type: application/json" \
+     -d '{"query":"query { viewer { login } }"}' \
+     https://api.github.com/graphql
+
+echo -e "\n\n2. Checking Token Scopes:"
+echo "------------------------"
+curl -s -I -H "Authorization: Bearer $TOKEN" \
+     https://api.github.com/user | grep -i "x-oauth-scopes" || echo "No scopes header found"
+
+echo -e "\n\n3. Testing Repository Access:"
+echo "----------------------------"
+curl -s -H "Authorization: Bearer $TOKEN" \
+     -H "Content-Type: application/json" \
+     -d '{"query":"query { repository(owner:\"'"$ORG"'\", name:\"'"$REPO"'\") { name } }"}' \
+     https://api.github.com/graphql
+
+echo -e "\n\n4. Testing PR Commits (the failing query):"
+echo "------------------------------------------"
+curl -s -H "Authorization: Bearer $TOKEN" \
+     -H "Content-Type: application/json" \
+     -d '{"query":"query { repository(owner:\"'"$ORG"'\", name:\"'"$REPO"'\") { pullRequest(number:'$PR') { commits(first:1) { nodes { commit { oid } } } } } }"}' \
+     https://api.github.com/graphql
+
+echo -e "\n"