Add support for whitelisting bots

Signed-off-by: Lukasz Gryglicki <[email protected]>

Author: lukaszgryglicki

cla-backend/cla/models/dynamo_models.py

@@ -3901,6 +3901,7 @@ class Meta:
     branch_protection_enabled = BooleanAttribute(null=True)
     enabled = BooleanAttribute(null=True)
     note = UnicodeAttribute(null=True)
+    skip_cla = MapAttribute(of=UnicodeAttribute, null=True)
 
 
 class GitHubOrg(model_interfaces.GitHubOrg):  # pylint: disable=too-many-public-methods
@@ -3910,7 +3911,7 @@ class GitHubOrg(model_interfaces.GitHubOrg):  # pylint: disable=too-many-public-
 
     def __init__(
             self, organization_name=None, organization_installation_id=None, organization_sfid=None,
-            auto_enabled=False, branch_protection_enabled=False, note=None, enabled=True
+            auto_enabled=False, branch_protection_enabled=False, note=None, enabled=True, skip_cla=None,
     ):
         super(GitHubOrg).__init__()
         self.model = GitHubOrgModel()
@@ -3923,6 +3924,7 @@ def __init__(
         self.model.branch_protection_enabled = branch_protection_enabled
         self.model.note = note
         self.model.enabled = enabled
+        self.model.skip_cla = skip_cla
 
     def __str__(self):
         return (
@@ -3933,8 +3935,9 @@ def __str__(self):
             f'organization company id: {self.model.organization_company_id}, '
             f'auto_enabled: {self.model.auto_enabled},'
             f'branch_protection_enabled: {self.model.branch_protection_enabled},'
-            f'note: {self.model.note}'
-            f'enabled: {self.model.enabled}'
+            f'note: {self.model.note},'
+            f'enabled: {self.model.enabled},'
+            f'skip_cla: {self.model.skip_cla}'
         )
 
     def to_dict(self):
@@ -3980,6 +3983,9 @@ def get_auto_enabled(self):
     def get_branch_protection_enabled(self):
         return self.model.branch_protection_enabled
 
+    def get_skip_cla(self):
+        return self.model.skip_cla
+
     def get_note(self):
         """
         Getter for the note.
@@ -4017,6 +4023,9 @@ def set_auto_enabled(self, auto_enabled):
     def set_branch_protection_enabled(self, branch_protection_enabled):
         self.model.branch_protection_enabled = branch_protection_enabled
 
+    def set_skip_cla(self, skip_cla):
+        self.model.skip_cla = skip_cla
+
     def set_note(self, note):
         self.model.note = note
 

cla-backend/cla/models/event_types.py

@@ -48,3 +48,4 @@ class EventType(Enum):
     RepositoryRemoved = "Repository Removed"
     RepositoryDisable = "Repository Disabled"
     RepositoryEnabled = "Repository Enabled"
+    BypassCLA = "Bypass CLA"

cla-backend/cla/models/github_models.py

@@ -7,19 +7,21 @@
 import concurrent.futures
 import json
 import os
+import re
 import base64
 import binascii
 import threading
 import time
 import uuid
-from typing import List, Optional, Union
+from typing import List, Optional, Union, Tuple
 
 import cla
 import falcon
 import github
 from cla.controllers.github_application import GitHubInstallation
 from cla.models import DoesNotExist, repository_service_interface
-from cla.models.dynamo_models import GitHubOrg, Repository
+from cla.models.dynamo_models import GitHubOrg, Repository, Event
+from cla.models.event_types import EventType
 from cla.user import UserCommitSummary
 from cla.utils import (append_project_version_to_url, get_project_instance,
                        set_active_pr_metadata)
@@ -736,6 +738,11 @@ def update_merge_group(self, installation_id, github_repository_id, merge_group_
         for user_commit_summary in commit_authors:
             handle_commit_from_user(project, user_commit_summary, signed, missing)
 
+        # Skip whitelisted bots per org/repo GitHub login/email regexps
+        # repo can be defined as '*' (all repos) or re:<regexp> (regexp to match repo name) or 'repo-name' for exact match
+        # the same for value which is GitHub login match then ; separator and then email match (same matching via * or re:<regexp> or exact-match) 
+        missing, signed = self.skip_whitelisted_bots(github_org, repository.get_repository_name(), missing)
+
         # update Merge group status
         self.update_merge_group_status(
             installation_id, github_repository_id, pull_request, merge_group_sha, signed, missing, project.get_version()
@@ -896,6 +903,10 @@ def update_change_request(self, installation_id, github_repository_id, change_re
         for future in concurrent.futures.as_completed(futures):
             cla.log.debug(f"{fn} - ThreadClosed for handle_commit_from_user")
 
+        # Skip whitelisted bots per org/repo GitHub login/email regexps
+        # repo can be defined as '*' (all repos) or re:<regexp> (regexp to match repo name) or 'repo-name' for exact match
+        # the same for value which is GitHub login match then ; separator and then email match (same matching via * or re:<regexp> or exact-match) 
+        missing, signed = self.skip_whitelisted_bots(github_org, repository.get_repository_name(), missing)
         # At this point, the signed and missing lists are now filled and updated with the commit user info
 
         cla.log.debug(
@@ -915,6 +926,155 @@ def update_change_request(self, installation_id, github_repository_id, change_re
             project_version=project.get_version(),
         )
 
+    def property_matches(self, pattern, value):
+        """
+        Returns True if value matches the pattern.
+        - '*' matches anything
+        - 're:...' matches regex - value must be set
+        - otherwise, exact match
+        """
+        try:
+            if pattern == '*':
+                return True
+            if pattern.startswith('re:'):
+                regex = pattern[3:]
+                return value is not None and re.search(regex, value) is not None
+            return value == pattern
+        except Exception as exc:
+            cla.log.warning("Error in property_matches: pattern=%s, value=%s, exc=%s", pattern, value, exc)
+            return False
+
+    def is_actor_skipped(self, actor, config):
+        """
+        Returns True if the actor should be skipped (whitelisted) based on config pattern.
+        config: '<username_pattern>:<email_pattern>'
+        """
+        try:
+            if ';' not in config:
+                return False
+            username_pattern, email_pattern = config.split(';', 1)
+            username = getattr(actor, "author_login", None)
+            email = getattr(actor, "author_email", None)
+            return self.property_matches(username_pattern, username) and self.property_matches(email_pattern, email)
+        except Exception as exc:
+            cla.log.warning("Error in is_actor_skipped: config=%s, actor=%s, exc=%s", config, actor, exc)
+            return False
+
+    def strip_org(self, repo_full):
+        if '/' in repo_full:
+            return repo_full.split('/', 1)[1]
+        return repo_full
+
+    def skip_whitelisted_bots(self, org_model, org_repo, actors_missing_cla) -> Tuple[List[UserCommitSummary], List[UserCommitSummary]]:
+        """
+        Check if the actors are whitelisted based on the skip_cla configuration.
+        Returns a tuple of two lists:
+        - actors_missing_cla: actors who still need to sign the CLA after checking skip_cla
+        - whitelisted_actors: actors who are skipped due to skip_cla configuration
+        :param org_model: The GitHub organization model instance.
+        :param org_repo: The repository name in the format 'org/repo'.
+        :param actors_missing_cla: List of UserCommitSummary objects representing actors who are missing CLA.
+        :return: Tuple of (actors_missing_cla, whitelisted_actors)
+        : in cla-{stage}-github-orgs table there can be a skip_cla field which is a dict with the following structure:
+        {
+            "repo-name": "<username_pattern>;<email_pattern>",
+            "re:repo-regexp": "<username_pattern>;<email_pattern>",
+            "*": "<username_pattern>;<email_pattern>"
+        }
+        where:
+        - repo-name is the exact repository name (e.g., "my-org/my-repo")
+        - re:repo-regexp is a regex pattern to match repository names
+        - * is a wildcard that applies to all repositories
+        - <username_pattern> is a GitHub username pattern (exact match or regex prefixed by re: or match all '*')
+        - <email_pattern> is a GitHub email pattern (exact match or regex prefixed by re: or match all '*')
+        :note: The username and email patterns are separated by a semicolon (;).
+        :note: If the skip_cla is not set, it will skip the whitelisted bots check.
+        """
+        try:
+            repo = self.strip_org(org_repo)
+            skip_cla = org_model.get_skip_cla()
+            if skip_cla is None:
+                cla.log.debug("skip_cla is not set, skipping whitelisted bots check")
+                return actors_missing_cla, []
+
+            if hasattr(skip_cla, "as_dict"):
+                skip_cla = skip_cla.as_dict()
+            config = ''
+            # 1. Exact match
+            if repo in skip_cla:
+                cla.log.debug("skip_cla config found for repo %s: %s (exact hit)", repo, skip_cla[repo])
+                config = skip_cla[repo]
+
+            # 2. Regex pattern (if no exact hit)
+            if config == '':
+                cla.log.debug("No skip_cla config found for repo %s, checking regex patterns", repo)
+                for k, v in skip_cla.items():
+                    if not isinstance(k, str) or not k.startswith("re:"):
+                        continue
+                    pattern = k[3:]
+                    try:
+                        if re.search(pattern, repo):
+                            config = v
+                            cla.log.debug("Found skip_cla config for repo %s: %s via regex pattern: %s", repo, config, pattern)
+                            break
+                    except re.error as e:
+                        cla.log.warning("Invalid regex in skip_cla: %s (%s)", k, e)
+                        continue
+
+            # 3. Wildcard fallback
+            if config == '' and '*' in skip_cla:
+                cla.log.debug("No skip_cla config found for repo %s, using wildcard config", repo)
+                config = skip_cla['*']
+
+            # 4. No match
+            if config == '':
+                cla.log.debug("No skip_cla config found for repo %s, skipping whitelisted bots check", repo)
+                return actors_missing_cla, []
+
+            out_actors_missing_cla = []
+            whitelisted_actors = []
+            for actor in actors_missing_cla:
+                try:
+                    if self.is_actor_skipped(actor, config):
+                        actor_data = "id='{}',login='{}',username='{}',email='{}'".format(
+                            getattr(actor, "author_id", "(null)"),
+                            getattr(actor, "author_login", "(null)"),
+                            getattr(actor, "author_username", "(null)"),
+                            getattr(actor, "author_email", "(null)"),
+                        )
+                        msg = "Skipping CLA check for repo='{}', actor: {} due to skip_cla config: '{}'".format(
+                            org_repo,
+                            actor_data,
+                            config,
+                        )
+                        cla.log.info(msg)
+                        ev = Event.create_event(
+                            event_type=EventType.BypassCLA,
+                            event_data=msg,
+                            event_summary=msg,
+                            event_user_name=actor_data,
+                            contains_pii=True,
+                        )
+                        actor.authorized = True
+                        whitelisted_actors.append(actor)
+                        continue
+                except Exception as e:
+                    cla.log.warning(
+                        "Error checking skip_cla for actor '%s' (login='%s', email='%s'): %s",
+                        actor, getattr(actor, "author_login", None), getattr(actor, "author_email", None), e,
+                    )
+                out_actors_missing_cla.append(actor)
+
+            return out_actors_missing_cla, whitelisted_actors
+        except Exception as exc:
+            cla.log.error(
+                "Exception in skip_whitelisted_bots: %s (repo=%s, actors=%s). Disabling skip_cla logic for this run.",
+                exc, repo, actors
+            )
+            # Always return all actors if something breaks
+            return actors_missing_cla, []
+
+
     def get_pull_request(self, github_repository_id, pull_request_number, installation_id):
         """
         Helper method to get the pull request object from GitHub.

cla-backend/cla/routes.py

@@ -1841,6 +1841,9 @@ def user_from_session(request, response):
     Will return 200 and user data if there is an active GitHub session
     Can return 404 on OAuth2 errors
     """
+    # https://github.com/sun-test-org/repo1/pull/215
+    # from cla.models.github_models import GitHub
+    # GitHub().process_opened_pull_request({"pull_request":{"number":215}, "repository":{"id":614349032}, "installation":{"id":35275118}})
     raw_redirect = request.params.get('get_redirect_url', 'false').lower()
     get_redirect_url = raw_redirect in ('1', 'true', 'yes')
     return cla.controllers.repository_service.user_from_session(get_redirect_url, request, response)

utils/describe_all.sh

@@ -0,0 +1,17 @@
+#!/bin/bash
+if [ -z "$STAGE" ]
+then
+  export STAGE=dev
+fi
+if [ -z "$REGION" ]
+then
+  export REGION=us-east-1
+fi
+> all-tables.secret
+./utils/list_tables.sh | sed 's/[", ]//g' | grep -v '^$' | while read -r table; do
+  tab="${table#cla-${STAGE}-}"
+  echo -n "Processing table $tab ..."
+  echo "Table: $tab" >> all-tables.secret
+  ALL=1 ./utils/scan.sh "${tab}" >> all-tables.secret
+  echo 'done'
+done

utils/describe_table.sh

@@ -8,9 +8,14 @@ if [ -z "${STAGE}" ]
 then
   export STAGE=dev
 fi
-
+if [ -z "$REGION" ]
+then
+  REGION=us-east-1
+fi
 if [ ! -z "${DEBUG}" ]
 then
-  echo "aws --profile \"lfproduct-${STAGE}\" dynamodb describe-table --table-name \"cla-${STAGE}-${1}\""
+  echo "aws --profile \"lfproduct-${STAGE}\" --region \"${REGION}\" dynamodb describe-table --table-name \"cla-${STAGE}-${1}\""
+  aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb describe-table --table-name "cla-${STAGE}-${1}"
+else
+  aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb describe-table --table-name "cla-${STAGE}-${1}" | jq -r '.Table.AttributeDefinitions'
 fi
-aws --profile "lfproduct-${STAGE}" dynamodb describe-table --table-name "cla-${STAGE}-${1}"

utils/list_tables.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+if [ -z "$STAGE" ]
+then
+  STAGE=dev
+fi
+if [ -z "$REGION" ]
+then
+  REGION=us-east-1
+fi
+aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb list-tables | grep "cla-${STAGE}-"

utils/skip_cla_entry.sh

@@ -0,0 +1,75 @@
+#!/bin/bash
+# MODE=mode ./utils/skip_cla_entry.sh sun-test-org '*' 'copilot-swe-agent[bot]' '*'
+# put-item    Overwrites the entire item (skip_cla and all other attributes if needed)
+# add-key     Adds or updates a key/value inside the skip_cla map (preserves other keys)
+# delete-key  Removes a key from the skip_cla map
+# delete-item Deletes the entire DynamoDB item (removes the whole row)
+#
+# MODE=add-key ./utils/skip_cla_entry.sh sun-test-org 'repo1' 're:vee?rendra' '*'
+# ./utils/scan.sh github-orgs organization_name sun-test-org
+
+if [ -z "$MODE" ]
+then
+  echo "$0: MODE must be set, valid values are: put-item, add-key, delete-key, delete-item"
+  exit 1
+fi
+
+if [ -z "$STAGE" ]; then
+  STAGE=dev
+fi
+if [ -z "$REGION" ]; then
+  REGION=us-east-1
+fi
+
+case "$MODE" in
+  put-item)
+    if ( [ -z "${1}" ] || [ -z "${2}" ] || [ -z "${3}" ] || [ -z "${4}" ] ); then
+      echo "Usage: $0 <organization_name> <repo or *> <bot username> <email regexp>"
+      exit 1
+    fi
+    aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb update-item \
+      --table-name "cla-${STAGE}-github-orgs" \
+      --key "{\"organization_name\": {\"S\": \"${1}\"}}" \
+      --update-expression 'SET skip_cla = :val' \
+      --expression-attribute-values "{\":val\": {\"M\": {\"${2}\":{\"S\":\"${3};${4}\"}}}}"
+    ;;
+  add-key)
+    if ( [ -z "${1}" ] || [ -z "${2}" ] || [ -z "${3}" ] || [ -z "${4}" ] ); then
+      echo "Usage: $0 <organization_name> <repo or *> <bot username> <email regexp>"
+      exit 1
+    fi
+    aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb update-item \
+      --table-name "cla-${STAGE}-github-orgs" \
+      --key "{\"organization_name\": {\"S\": \"${1}\"}}" \
+      --update-expression "SET skip_cla.#repo = :val" \
+      --expression-attribute-names "{\"#repo\": \"${2}\"}" \
+      --expression-attribute-values "{\":val\": {\"S\": \"${3};${4}\"}}"
+    ;;
+  delete-key)
+    if ( [ -z "${1}" ] || [ -z "${2}" ] ); then
+      echo "Usage: $0 <organization_name> <repo or *>"
+      exit 1
+    fi
+    aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb update-item \
+      --table-name "cla-${STAGE}-github-orgs" \
+      --key "{\"organization_name\": {\"S\": \"${1}\"}}" \
+      --update-expression "REMOVE skip_cla.#repo" \
+      --expression-attribute-names "{\"#repo\": \"${2}\"}"
+    ;;
+  delete-item)
+    if [ -z "${1}" ]; then
+      echo "Usage: $0 <organization_name>"
+      exit 1
+    fi
+    aws --profile "lfproduct-${STAGE}" --region "${REGION}" dynamodb update-item \
+      --table-name "cla-${STAGE}-github-orgs" \
+      --key "{\"organization_name\": {\"S\": \"${1}\"}}" \
+      --update-expression "REMOVE skip_cla"
+    ;;
+  *)
+    echo "$0: Unknown MODE: $MODE"
+    echo "Valid values are: put-item, add-key, delete-key, delete-item"
+    exit 1
+    ;;
+esac
+