Merge pull request #4811 from linuxfoundation/unicron-logging-ecla-signed-events-and-updating-caches

Add logging of ECLA signed/ack events and invatlidate caches on those events

Author: lukaszgryglicki

cla-backend-go/events/event_data.go

@@ -457,6 +457,24 @@ type CorporateSignatureSignedEventData struct {
 	SignatoryName string
 }
 
+type EmployeeSignatureCreatedEventData struct {
+	ProjectName      string
+	ProjectID        string
+	CompanyName      string
+	CompanyID        string
+	EmployeeUserID   string
+	EmployeeUserName string
+}
+
+type EmployeeSignatureSignedEventData struct {
+	ProjectName      string
+	ProjectID        string
+	CompanyName      string
+	CompanyID        string
+	EmployeeUserID   string
+	EmployeeUserName string
+}
+
 // BypassCLAEventData event data model
 type BypassCLAEventData struct {
 	Repo   string
@@ -489,6 +507,16 @@ func (ed *CorporateSignatureSignedEventData) GetEventSummaryString(args *LogEven
 	return data, true
 }
 
+func (ed *EmployeeSignatureCreatedEventData) GetEventSummaryString(args *LogEventArgs) (string, bool) {
+	data := fmt.Sprintf("The ECLA signature was created for the project %s and company %s by %s.", ed.ProjectName, ed.CompanyName, ed.EmployeeUserName)
+	return data, true
+}
+
+func (ed *EmployeeSignatureSignedEventData) GetEventSummaryString(args *LogEventArgs) (string, bool) {
+	data := fmt.Sprintf("The ECLA signature was signed for the project %s and company %s by %s.", ed.ProjectName, ed.CompanyName, ed.EmployeeUserName)
+	return data, true
+}
+
 // GetEventDetailsString returns the details string for this event
 func (ed *SignatureAutoCreateECLAUpdatedEventData) GetEventDetailsString(args *LogEventArgs) (string, bool) {
 
@@ -2786,3 +2814,15 @@ func (ed *IndividualSignatureSignedEventData) GetEventDetailsString(args *LogEve
 		args.LfUsername, ed.ProjectName)
 	return data, false
 }
+
+func (ed *EmployeeSignatureCreatedEventData) GetEventDetailsString(args *LogEventArgs) (string, bool) {
+	data := fmt.Sprintf("The user %s created an employee (ECLA) signature for project %s, company %s, employee %s.",
+		args.LfUsername, ed.ProjectName, ed.CompanyName, ed.EmployeeUserName)
+	return data, true
+}
+
+func (ed *EmployeeSignatureSignedEventData) GetEventDetailsString(args *LogEventArgs) (string, bool) {
+	data := fmt.Sprintf("The user %s signed an employee (ECLA) signature for project %s, company %s, employee %s.",
+		args.LfUsername, ed.ProjectName, ed.CompanyName, ed.EmployeeUserName)
+	return data, true
+}

cla-backend-go/events/event_types.go

@@ -97,8 +97,11 @@ const (
 	ProjectServiceCLADisabled      = "project.service.cla.disabled"
 	SignatureAutoCreateECLAUpdated = "signature.auto_create_ecla.updated"
 
+	EmployeeSignatureCreated = "employee.signature.created"
+
 	IndividualSignatureSigned = "individual.signature.signed"
 	CorporateSignatureSigned  = "corporate.signature.signed"
+	EmployeeSignatureSigned   = "employee.signature.signed"
 
 	BypassCLA = "Bypass CLA"
 )

cla-backend-go/github/github_repository.go

@@ -1629,7 +1629,7 @@ func UpdateCacheAfterSignature(ctx context.Context, user *models.User, projectID
 		ModelProjectUserCache.Set(projKey, user, true, affiliated)
 	}
 
-	log.WithFields(f).Infof("updated caches for user login=%q (GitHubID=%s), project=%s: marked as authorized for %d email(s)",
+	log.WithFields(f).Infof("updated caches for user login=%s (GitHubID=%s), project=%s: marked as authorized for %d email(s)",
 		loginLower, githubID, projectID, len(emails))
 
 	return nil

cla-backend-go/signatures/repository.go

@@ -2582,7 +2582,49 @@ func (repo repository) CreateProjectCompanyEmployeeSignature(ctx context.Context
 		log.WithFields(f).WithError(putErr).Warn("cannot create new signature record")
 		return putErr
 	}
-
+	// Log the event
+	eventDataCreated := events.EmployeeSignatureCreatedEventData{
+		ProjectName:      claGroupModel.ProjectName,
+		ProjectID:        claGroupModel.ProjectID,
+		CompanyName:      companyModel.CompanyName,
+		CompanyID:        companyModel.CompanyID,
+		EmployeeUserID:   employeeUserModel.UserID,
+		EmployeeUserName: employeeUserName,
+	}
+	log.WithFields(f).Debugf("logging event: %+v", eventDataCreated)
+	eventArgs := &events.LogEventArgs{
+		EventType:  events.EmployeeSignatureCreated,
+		ProjectID:  claGroupModel.ProjectID,
+		UserID:     employeeUserModel.UserID,
+		LfUsername: employeeUserModel.LfUsername,
+		EventData:  &eventDataCreated,
+		CLAGroupID: claGroupModel.ProjectID,
+	}
+	log.WithFields(f).Debugf("logging event: %+v", eventArgs)
+	repo.eventsService.LogEvent(eventArgs)
+	eventDataSigned := events.EmployeeSignatureSignedEventData{
+		ProjectName:      claGroupModel.ProjectName,
+		ProjectID:        claGroupModel.ProjectID,
+		CompanyName:      companyModel.CompanyName,
+		CompanyID:        companyModel.CompanyID,
+		EmployeeUserID:   employeeUserModel.UserID,
+		EmployeeUserName: employeeUserName,
+	}
+	log.WithFields(f).Debugf("logging event: %+v", eventDataSigned)
+	eventArgs = &events.LogEventArgs{
+		EventType:  events.EmployeeSignatureSigned,
+		ProjectID:  claGroupModel.ProjectID,
+		UserID:     employeeUserModel.UserID,
+		LfUsername: employeeUserModel.LfUsername,
+		EventData:  &eventDataSigned,
+		CLAGroupID: claGroupModel.ProjectID,
+	}
+	log.WithFields(f).Debugf("logging event: %+v", eventArgs)
+	repo.eventsService.LogEvent(eventArgs)
+	err = github.UpdateCacheAfterSignature(ctx, employeeUserModel, claGroupModel.ProjectID)
+	if err != nil {
+		log.WithFields(f).WithError(err).Warnf("unable to update cache for user: %s, project ID: %s", employeeUserName, claGroupModel.ProjectID)
+	}
 	return nil
 }
 

cla-backend-go/v2/sign/helpers.go

@@ -20,7 +20,7 @@ import (
 //nolint:gocyclo
 func (s service) updateChangeRequest(ctx context.Context, installationID, repositoryID, pullRequestID int64, projectID string) error {
 	f := logrus.Fields{
-		"functionName":  "v1.signatures.service.updateChangeRequest",
+		"functionName":  "v2.sign.helpers.updateChangeRequest",
 		"repositoryID":  repositoryID,
 		"pullRequestID": pullRequestID,
 		"projectID":     projectID,
@@ -104,7 +104,7 @@ func (s service) updateChangeRequest(ctx context.Context, installationID, reposi
 // true, true, nil if user has an ECLA (authorized, with company affiliation, no error)
 func (s service) hasUserSigned(ctx context.Context, user *models.User, projectID string) (*bool, *bool, error) {
 	f := logrus.Fields{
-		"functionName": "v1.signatures.service.hasUserSigned",
+		"functionName": "v2.sign.helpers.hasUserSigned",
 		"projectID":    projectID,
 		"user":         user,
 	}

cla-backend-go/v2/sign/service.go

@@ -613,10 +613,9 @@ func (s *service) SignedIndividualCallbackGithub(ctx context.Context, payload []
 		}
 		log.WithFields(f).Debugf("logging event: %+v", eventArgs)
 		s.eventsService.LogEvent(eventArgs)
-		err = github.UpdateCacheAfterSignature(context.Background(), claUser, signature.ProjectID)
+		err = github.UpdateCacheAfterSignature(ctx, claUser, signature.ProjectID)
 		if err != nil {
 			log.WithFields(f).WithError(err).Warnf("unable to update cache for user: %s, project ID: %s", claUser.Username, signature.ProjectID)
-			return nil
 		}
 
 	} else {
@@ -1227,10 +1226,9 @@ func (s *service) SignedCorporateCallback(ctx context.Context, payload []byte, c
 		CompanyID:   companyID,
 		CompanySFID: companyModel.CompanyExternalID,
 	})
-	err = github.UpdateCacheAfterSignature(context.Background(), user, signature.ProjectID)
+	err = github.UpdateCacheAfterSignature(ctx, user, signature.ProjectID)
 	if err != nil {
 		log.WithFields(f).WithError(err).Warnf("unable to update cache for company: %v, user: %s, project ID: %s", companyID, user.Username, signature.ProjectID)
-		return err
 	}
 
 	// Check if project is a gerrit instance

cla-backend/cla/models/docusign_models.py

@@ -776,6 +776,19 @@ def request_employee_signature(self, project_id, company_id, user_id, return_url
             event_summary=event_summary,
             contains_pii=True,
         )
+        Event.create_event(
+            event_type=EventType.EmployeeSignatureSigned,
+            event_company_id=company_id,
+            event_cla_group_id=project_id,
+            event_user_id=user_id,
+            event_user_name=user.get_user_name() if user else None,
+            event_data=event_data,
+            event_summary=event_summary,
+            contains_pii=True,
+        )
+        if return_url_type.lower() == "github":
+            # Update cache to mark this user as authorized for the project - we only need this for GitHub as we only use caching in GitHub
+            update_cache_after_signature(user, project)
 
         # If the project does not require an ICLA to be signed, update the pull request and remove the active
         # signature metadata.

utils/delete_user_repository_project_signature.sh

@@ -0,0 +1,64 @@
+#!/bin/bash
+# DRY=1 - dry run
+# DRY=1 ./utils/delete_user_repository_project_signature.sh mlehotskylf-org2/easycla-dev lukaszgryglicki
+if [ -z "$STAGE" ]
+then
+  export STAGE=dev
+fi
+if [ -z "$1" ]
+then
+  echo "$0: you need to provide the repository name, for example: 'mlehotskylf-org2/easycla-dev'"
+  exit 1
+fi
+REPO_NAME=$1
+if [ -z "$2" ]
+then
+  echo "$0: you need to provide the GitHub user name, for example: 'lukaszgryglicki'"
+  exit 2
+fi
+GITHUB_USER=$2
+PROJECT_IDS=$(./utils/scan.sh repositories repository_name "${REPO_NAME}" | jq -r '.[].repository_project_id.S')
+if [ -z "$PROJECT_IDS" ] || [ "$PROJECT_IDS" == "null" ]
+then
+  echo "$0: cannot find project IDs for repository ${REPO_NAME}"
+  exit 3
+fi
+echo "Project IDs: ${PROJECT_IDS}"
+USER_IDS=$(./utils/scan.sh users user_github_username "${GITHUB_USER}" | jq -r '.[].user_id.S')
+if [ -z "$USER_IDS" ] || [ "$USER_IDS" == "null" ]
+then
+  echo "$0: cannot find user ID for GitHub user ${GITHUB_USER}"
+  exit 4
+fi
+echo "User IDs: ${USER_IDS}"
+for PROJECT_ID in $PROJECT_IDS
+do
+  for USER_ID in $USER_IDS
+  do
+    echo "Deleting user repository project signature for user ID ${USER_ID} and project ID ${PROJECT_ID}"
+    SIGS=$(aws dynamodb query \
+      --profile "lfproduct-${STAGE}" \
+      --table-name "cla-${STAGE}-signatures" \
+      --index-name "signature-project-reference-index" \
+      --key-condition-expression "signature_project_id = :pid AND signature_reference_id = :uid" \
+      --filter-expression "signature_reference_type = :rtype AND signature_signed = :true AND signature_approved = :true" \
+      --expression-attribute-values '{
+        ":pid":  {"S":"'"${PROJECT_ID}"'"},
+        ":uid":  {"S":"'"${USER_ID}"'"},
+        ":rtype":{"S":"user"},
+        ":true":{"BOOL": true}
+      }' --output json | jq -r '.Items[].signature_id.S')
+    for SIG in $SIGS
+    do
+      if [ ! -z "$DRY" ]
+      then
+          echo "DRY RUN: would delete this signature:"
+          ./utils/scan.sh signatures signature_id "${SIG}"
+          echo "DRY RUN: would delete this ^ signature."
+          continue
+      fi
+      echo "Deleting signature ID ${SIG}"
+      aws dynamodb delete-item --profile "lfproduct-${STAGE}" --table-name "cla-${STAGE}-signatures" --key '{"signature_id": {"S":"'"${SIG}"'"}}'
+    done
+  done
+done

utils/search_aws_log_group.sh

@@ -68,8 +68,6 @@ fi
 if [ ! -z "${DEBUG}" ]
 then
   echo "aws --region \"${REGION}\" --profile \"lfproduct-${STAGE}\" logs filter-log-events --log-group-name \"/aws/lambda/${log_group}\" --start-time \"${DTFROM}\" --end-time \"${DTTO}\" --filter-pattern \"${2}\""
-  aws --region "${REGION}" --profile "lfproduct-${STAGE}" logs filter-log-events --log-group-name "/aws/lambda/${log_group}" --start-time "${DTFROM}" --end-time "${DTTO}" --filter-pattern "\"${2}\""
-else
-  aws --region "${REGION}" --profile "lfproduct-${STAGE}" logs filter-log-events --log-group-name "/aws/lambda/${log_group}" --start-time "${DTFROM}" --end-time "${DTTO}" --filter-pattern "\"${2}\"" | jq -r '.events'
 fi
+aws --region "${REGION}" --profile "lfproduct-${STAGE}" logs filter-log-events --log-group-name "/aws/lambda/${log_group}" --start-time "${DTFROM}" --end-time "${DTTO}" --filter-pattern "\"${2}\"" | jq -r '.events | sort_by(.timestamp)'
 

utils/search_aws_logs.sh

@@ -6,6 +6,7 @@
 # REGION=us-east-1|us-east-2 STAGE=dev DEBUG=1 DTFROM='3 days ago' DTTO='2 days ago' OUT=logs.json ./utils/search_aws_logs.sh 'error'
 # DEBUG=1 STAGE=dev REGION=us-east-1 DTFROM='10 days ago' DTTO='1 second ago' OUT=api-logs-dev.json ./utils/search_aws_logs.sh 'LG:api-request-path' && ./utils/count_apis.sh api-logs-dev.json
 # DEBUG=1 STAGE=prod REGION=us-east-1 NO_ECHO=1 DTFROM='10 days ago' DTTO='1 second ago' OUT=api-logs-prod.json ./utils/search_aws_logs.sh 'LG:api-request-path' && ./utils/count_apis.sh api-logs-prod.json
+# REVERSE=1 - reverse logs order - newest on top.
 # To find distinct log groups: | jq -r 'map(.logGroupName) | unique | .[]'
 # in us-east-1 (mostly V1, V2 and V3):
 # To see specific log group: | jq 'map(select(.logGroupName == "/aws/lambda/cla-backend-dev-apiv1"))'
@@ -96,7 +97,7 @@ do
   --start-time "${DTFROM}" \
   --end-time "${DTTO}" \
   --filter-pattern "\"${search}\"" | jq --arg logGroupName "$log_group" '
-  .events[] |
+  .events[]? |
   .logGroupName = $logGroupName |
   .dt = ( (.timestamp / 1000) | strftime("%Y-%m-%d %H:%M:%S") ) + "." + ( (.timestamp % 1000 | tostring) | if length == 1 then "00" + . elif length == 2 then "0" + . else . end )
   ')
@@ -117,9 +118,19 @@ done
 
 if [ ! -z "${OUT}" ]
 then
-  echo "$jsons" | jq -s 'sort_by(.dt) | reverse' > "${OUT}"
+  if [ ! -z "${REVERSE}" ]
+  then
+    echo "$jsons" | jq -s '(. // []) | sort_by(.dt) | reverse' > "${OUT}"
+  else
+    echo "$jsons" | jq -s '(. // []) | sort_by(.dt)' > "${OUT}"
+  fi
 fi
 if [ -z "${NO_ECHO}" ]
 then
-  echo "$jsons" | jq -s 'sort_by(.dt) | reverse'
+  if [ ! -z "${REVERSE}" ]
+  then
+    echo "$jsons" | jq -s '(. // []) | sort_by(.dt) | reverse'
+  else
+    echo "$jsons" | jq -s '(. // []) | sort_by(.dt)'
+  fi
 fi