From 4d6fa79bafc4ce7c2186409ec0e63a458052a691 Mon Sep 17 00:00:00 2001 From: Toan Nguyen Date: Tue, 16 Apr 2024 00:14:11 +0700 Subject: [PATCH 1/8] add test workflow --- .github/workflows/test.yaml | 19 ++++ .gitignore | 3 +- LICENSE | 201 ++++++++++++++++++++++++++++++++++++ SECURITY.md | 28 +++++ docker-compose.yaml | 3 + scripts/test.sh | 39 +++++++ 6 files changed, 292 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/test.yaml create mode 100644 LICENSE create mode 100644 SECURITY.md create mode 100755 scripts/test.sh diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml new file mode 100644 index 0000000..48dde3f --- /dev/null +++ b/.github/workflows/test.yaml @@ -0,0 +1,19 @@ +name: Unit tests + +on: + workflow_call: + push: + +jobs: + test: + name: Run tests + steps: + - name: Checkout + uses: actions/checkout@v4 + + - name: Run Test + run: scripts/test.sh + + - name: Dump docker logs on failure + if: failure() + uses: jwalton/gh-docker-logs@v2 diff --git a/.gitignore b/.gitignore index 2eea525..f7e482d 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1,2 @@ -.env \ No newline at end of file +.env +ndc-test \ No newline at end of file diff --git a/LICENSE b/LICENSE new file mode 100644 index 0000000..f49a4e1 --- /dev/null +++ b/LICENSE @@ -0,0 +1,201 @@ + Apache License + Version 2.0, January 2004 + http://www.apache.org/licenses/ + + TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION + + 1. Definitions. + + "License" shall mean the terms and conditions for use, reproduction, + and distribution as defined by Sections 1 through 9 of this document. + + "Licensor" shall mean the copyright owner or entity authorized by + the copyright owner that is granting the License. + + "Legal Entity" shall mean the union of the acting entity and all + other entities that control, are controlled by, or are under common + control with that entity. For the purposes of this definition, + "control" means (i) the power, direct or indirect, to cause the + direction or management of such entity, whether by contract or + otherwise, or (ii) ownership of fifty percent (50%) or more of the + outstanding shares, or (iii) beneficial ownership of such entity. + + "You" (or "Your") shall mean an individual or Legal Entity + exercising permissions granted by this License. + + "Source" form shall mean the preferred form for making modifications, + including but not limited to software source code, documentation + source, and configuration files. + + "Object" form shall mean any form resulting from mechanical + transformation or translation of a Source form, including but + not limited to compiled object code, generated documentation, + and conversions to other media types. + + "Work" shall mean the work of authorship, whether in Source or + Object form, made available under the License, as indicated by a + copyright notice that is included in or attached to the work + (an example is provided in the Appendix below). + + "Derivative Works" shall mean any work, whether in Source or Object + form, that is based on (or derived from) the Work and for which the + editorial revisions, annotations, elaborations, or other modifications + represent, as a whole, an original work of authorship. For the purposes + of this License, Derivative Works shall not include works that remain + separable from, or merely link (or bind by name) to the interfaces of, + the Work and Derivative Works thereof. + + "Contribution" shall mean any work of authorship, including + the original version of the Work and any modifications or additions + to that Work or Derivative Works thereof, that is intentionally + submitted to Licensor for inclusion in the Work by the copyright owner + or by an individual or Legal Entity authorized to submit on behalf of + the copyright owner. For the purposes of this definition, "submitted" + means any form of electronic, verbal, or written communication sent + to the Licensor or its representatives, including but not limited to + communication on electronic mailing lists, source code control systems, + and issue tracking systems that are managed by, or on behalf of, the + Licensor for the purpose of discussing and improving the Work, but + excluding communication that is conspicuously marked or otherwise + designated in writing by the copyright owner as "Not a Contribution." + + "Contributor" shall mean Licensor and any individual or Legal Entity + on behalf of whom a Contribution has been received by Licensor and + subsequently incorporated within the Work. + + 2. Grant of Copyright License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + copyright license to reproduce, prepare Derivative Works of, + publicly display, publicly perform, sublicense, and distribute the + Work and such Derivative Works in Source or Object form. + + 3. Grant of Patent License. Subject to the terms and conditions of + this License, each Contributor hereby grants to You a perpetual, + worldwide, non-exclusive, no-charge, royalty-free, irrevocable + (except as stated in this section) patent license to make, have made, + use, offer to sell, sell, import, and otherwise transfer the Work, + where such license applies only to those patent claims licensable + by such Contributor that are necessarily infringed by their + Contribution(s) alone or by combination of their Contribution(s) + with the Work to which such Contribution(s) was submitted. If You + institute patent litigation against any entity (including a + cross-claim or counterclaim in a lawsuit) alleging that the Work + or a Contribution incorporated within the Work constitutes direct + or contributory patent infringement, then any patent licenses + granted to You under this License for that Work shall terminate + as of the date such litigation is filed. + + 4. Redistribution. You may reproduce and distribute copies of the + Work or Derivative Works thereof in any medium, with or without + modifications, and in Source or Object form, provided that You + meet the following conditions: + + (a) You must give any other recipients of the Work or + Derivative Works a copy of this License; and + + (b) You must cause any modified files to carry prominent notices + stating that You changed the files; and + + (c) You must retain, in the Source form of any Derivative Works + that You distribute, all copyright, patent, trademark, and + attribution notices from the Source form of the Work, + excluding those notices that do not pertain to any part of + the Derivative Works; and + + (d) If the Work includes a "NOTICE" text file as part of its + distribution, then any Derivative Works that You distribute must + include a readable copy of the attribution notices contained + within such NOTICE file, excluding those notices that do not + pertain to any part of the Derivative Works, in at least one + of the following places: within a NOTICE text file distributed + as part of the Derivative Works; within the Source form or + documentation, if provided along with the Derivative Works; or, + within a display generated by the Derivative Works, if and + wherever such third-party notices normally appear. The contents + of the NOTICE file are for informational purposes only and + do not modify the License. You may add Your own attribution + notices within Derivative Works that You distribute, alongside + or as an addendum to the NOTICE text from the Work, provided + that such additional attribution notices cannot be construed + as modifying the License. + + You may add Your own copyright statement to Your modifications and + may provide additional or different license terms and conditions + for use, reproduction, or distribution of Your modifications, or + for any such Derivative Works as a whole, provided Your use, + reproduction, and distribution of the Work otherwise complies with + the conditions stated in this License. + + 5. Submission of Contributions. Unless You explicitly state otherwise, + any Contribution intentionally submitted for inclusion in the Work + by You to the Licensor shall be under the terms and conditions of + this License, without any additional terms or conditions. + Notwithstanding the above, nothing herein shall supersede or modify + the terms of any separate license agreement you may have executed + with Licensor regarding such Contributions. + + 6. Trademarks. This License does not grant permission to use the trade + names, trademarks, service marks, or product names of the Licensor, + except as required for reasonable and customary use in describing the + origin of the Work and reproducing the content of the NOTICE file. + + 7. Disclaimer of Warranty. Unless required by applicable law or + agreed to in writing, Licensor provides the Work (and each + Contributor provides its Contributions) on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or + implied, including, without limitation, any warranties or conditions + of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A + PARTICULAR PURPOSE. You are solely responsible for determining the + appropriateness of using or redistributing the Work and assume any + risks associated with Your exercise of permissions under this License. + + 8. Limitation of Liability. In no event and under no legal theory, + whether in tort (including negligence), contract, or otherwise, + unless required by applicable law (such as deliberate and grossly + negligent acts) or agreed to in writing, shall any Contributor be + liable to You for damages, including any direct, indirect, special, + incidental, or consequential damages of any character arising as a + result of this License or out of the use or inability to use the + Work (including but not limited to damages for loss of goodwill, + work stoppage, computer failure or malfunction, or any and all + other commercial damages or losses), even if such Contributor + has been advised of the possibility of such damages. + + 9. Accepting Warranty or Additional Liability. While redistributing + the Work or Derivative Works thereof, You may choose to offer, + and charge a fee for, acceptance of support, warranty, indemnity, + or other liability obligations and/or rights consistent with this + License. However, in accepting such obligations, You may act only + on Your own behalf and on Your sole responsibility, not on behalf + of any other Contributor, and only if You agree to indemnify, + defend, and hold each Contributor harmless for any liability + incurred by, or claims asserted against, such Contributor by reason + of your accepting any such warranty or additional liability. + + END OF TERMS AND CONDITIONS + + APPENDIX: How to apply the Apache License to your work. + + To apply the Apache License to your work, attach the following + boilerplate notice, with the fields enclosed by brackets "[]" + replaced with your own identifying information. (Don't include + the brackets!) The text should be enclosed in the appropriate + comment syntax for the file format. We also recommend that a + file or class name and description of purpose be included on the + same "printed page" as the copyright notice for easier + identification within third-party archives. + + Copyright [yyyy] [name of copyright owner] + + Licensed under the Apache License, Version 2.0 (the "License"); + you may not use this file except in compliance with the License. + You may obtain a copy of the License at + + http://www.apache.org/licenses/LICENSE-2.0 + + Unless required by applicable law or agreed to in writing, software + distributed under the License is distributed on an "AS IS" BASIS, + WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. + See the License for the specific language governing permissions and + limitations under the License. \ No newline at end of file diff --git a/SECURITY.md b/SECURITY.md new file mode 100644 index 0000000..f21d6b1 --- /dev/null +++ b/SECURITY.md @@ -0,0 +1,28 @@ +# Security Policy + +## Supported Versions + +| Version | Supported | +| -------- | ------------------ | +| >= 0.1.0 | :white_check_mark: | + +## Reporting a Vulnerability + +We’re extremely grateful for security researchers and users who report vulnerabilities to the community. +All reports are thoroughly investigated by a set of community volunteers. + +### When Should I Report a Vulnerability? + +- You think you have discovered a potential security vulnerability in the NDC Go SDK or related components. +- You are unsure how a vulnerability affects the SDK. +- You think you discovered a vulnerability in another project that SDK depends on (e.g. Docker, etc). +- You want to report any other security risk that could potentially harm SDK users. + +### When Should I NOT Report a Vulnerability? + +- You need help applying security-related updates. +- Your issue is not security-related. + +### Security Vulnerability Response + +Each report is acknowledged and analyzed by the project's maintainers. New pull requests are welcome too. diff --git a/docker-compose.yaml b/docker-compose.yaml index 304c042..279bba6 100644 --- a/docker-compose.yaml +++ b/docker-compose.yaml @@ -6,6 +6,9 @@ services: - 8080:8080 volumes: - ./config:/config:ro + depends_on: + stripe-mock: + condition: service_started environment: STRIPE_SERVER_URL: ${STRIPE_SERVER_URL} STRIPE_BASIC_AUTH_TOKEN: ${STRIPE_BASIC_AUTH_TOKEN} diff --git a/scripts/test.sh b/scripts/test.sh new file mode 100755 index 0000000..88da7dc --- /dev/null +++ b/scripts/test.sh @@ -0,0 +1,39 @@ +#!/bin/bash + +ROOT="$(pwd)" +NDC_TEST_VERSION=v0.1.2 + +http_wait() { + printf "$1:\t " + for i in {1..60}; + do + local code="$(curl -s -o /dev/null -m 2 -w '%{http_code}' $1)" + if [[ $code != "200" ]]; then + printf "." + sleep 1 + else + printf "\r\033[K$1:\t ${GREEN}OK${NC}\n" + return 0 + fi + done + printf "\n${RED}ERROR${NC}: cannot connect to $1. Please check service logs with command:\n" + echo " docker-compose logs -f $2" + exit 1 +} + +# download ndc-test +if [ ! -f "$ROOT/ndc-test" ]; then + curl -L "https://github.com/hasura/ndc-spec/releases/download/$NDC_TEST_VERSION/ndc-test-x86_64-unknown-linux-gnu" -o "$ROOT/ndc-test" + chmod +x "$ROOT/ndc-test" +fi + +cp .env.example .env +DOCKER_BUILDKIT=1 COMPOSE_DOCKER_CLI_BUILD=1 docker compose up -d +http_wait http://localhost:8080/health + +$ROOT/ndc-test test --endpoint http://localhost:8080 --snapshots-dir $ROOT/testdata/mock +$ROOT/ndc-test replay --endpoint http://localhost:8080 --snapshots-dir $ROOT/testdata/mock + +exit_code=$? +docker compose down --remove-orphans +exit $exit_code \ No newline at end of file From 21ed2dca5eaec54d553b84269e7ada236eda2f0e Mon Sep 17 00:00:00 2001 From: Toan Nguyen Date: Tue, 16 Apr 2024 00:17:05 +0700 Subject: [PATCH 2/8] add test workflow --- .github/workflows/test.yaml | 1 + 1 file changed, 1 insertion(+) diff --git a/.github/workflows/test.yaml b/.github/workflows/test.yaml index 48dde3f..f933928 100644 --- a/.github/workflows/test.yaml +++ b/.github/workflows/test.yaml @@ -7,6 +7,7 @@ on: jobs: test: name: Run tests + runs-on: ubuntu-latest steps: - name: Checkout uses: actions/checkout@v4 From fa845cba41fd682ecd40b78bfda8c71cb4698603 Mon Sep 17 00:00:00 2001 From: Toan Nguyen Date: Tue, 16 Apr 2024 00:33:27 +0700 Subject: [PATCH 3/8] add release workflow --- .github/workflows/release.yaml | 65 +++++++++++++++++++ .../connector-metadata.yaml | 2 +- scripts/build-manifest.sh | 18 +++++ 3 files changed, 84 insertions(+), 1 deletion(-) create mode 100644 .github/workflows/release.yaml rename {.hasura-connector => connector-definition/.hasura-connector}/connector-metadata.yaml (88%) create mode 100755 scripts/build-manifest.sh diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml new file mode 100644 index 0000000..e24025a --- /dev/null +++ b/.github/workflows/release.yaml @@ -0,0 +1,65 @@ +name: Release container definition +on: + push: + # tags: + # - "*" + +env: + DOCKER_REGISTRY: ghcr.io + DOCKER_IMAGE_NAME: hasura/ndc-stripe + +jobs: + tests: + uses: ./.github/workflows/test.yaml + + release-image: + name: Release ndc-stripe image + runs-on: ubuntu-latest + needs: [tests] + steps: + - uses: actions/checkout@v4 + + - name: Set up QEMU + uses: docker/setup-qemu-action@v3 + + - name: Set up Docker Buildx + uses: docker/setup-buildx-action@v3 + + - name: Login to Docker Hub + uses: docker/login-action@v3 + with: + registry: ${{ env.DOCKER_REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + + - name: Get version from tag + id: get-version + run: | + echo "tagged_version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + shell: bash + + - name: Extract metadata (tags, labels) for Docker + id: docker-metadata + uses: docker/metadata-action@v5 + with: + images: ${{ env.DOCKER_REGISTRY }}/${{ env.DOCKER_IMAGE_NAME }} + + - name: Build and push + uses: docker/build-push-action@v5 + with: + push: true + tags: ${{ steps.docker-metadata.outputs.tags }} + labels: ${{ steps.docker-metadata.outputs.labels }} + + - name: Build connector definition + run: | + ./scripts/build-manifest.sh + env: + VERSION: ${{ steps.get-version.outputs.tagged_version }} + + - name: create a draft release + uses: ncipollo/release-action@v1 + with: + draft: true + tag: ${{ steps.get-version.outputs.tagged_version }} + artifacts: release/* diff --git a/.hasura-connector/connector-metadata.yaml b/connector-definition/.hasura-connector/connector-metadata.yaml similarity index 88% rename from .hasura-connector/connector-metadata.yaml rename to connector-definition/.hasura-connector/connector-metadata.yaml index 4b20962..c06123e 100644 --- a/.hasura-connector/connector-metadata.yaml +++ b/connector-definition/.hasura-connector/connector-metadata.yaml @@ -1,6 +1,6 @@ packagingDefinition: type: PrebuiltDockerImage - dockerImage: ghcr.io/hasura/ndc-stripe:v0.1.1 + dockerImage: ghcr.io/hasura/ndc-stripe:{{VERSION}} supportedEnvironmentVariables: - STRIPE_SERVER_URL - STRIPE_BASIC_AUTH_TOKEN diff --git a/scripts/build-manifest.sh b/scripts/build-manifest.sh new file mode 100755 index 0000000..f318dfd --- /dev/null +++ b/scripts/build-manifest.sh @@ -0,0 +1,18 @@ +#!/bin/bash +set -evo pipefail + +REF=$(git rev-parse --short HEAD) +VERSION=${VERSION:-$REF} +BUILD_DIR=/tmp/ndc-stripe +ROOT="$(pwd)" + +rm -rf $BUILD_DIR +mkdir -p $BUILD_DIR + +cp -r connector-definition $BUILD_DIR +sed -i "s/{{VERSION}}/$VERSION/g" $BUILD_DIR/connector-definition/.hasura-connector/connector-metadata.yaml + +mkdir -p "${ROOT}/release" +tar -czvf "${ROOT}/release/connector-definition.tgz" --directory $BUILD_DIR/connector-definition . +echo "checksum of connector-definition.tgz:" +sha256sum "${ROOT}/release/connector-definition.tgz" \ No newline at end of file From 1911e4f2963786838aa3c2d4610f139321c5688a Mon Sep 17 00:00:00 2001 From: Toan Nguyen Date: Tue, 16 Apr 2024 00:44:59 +0700 Subject: [PATCH 4/8] fix build-manifest scripts --- scripts/build-manifest.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/build-manifest.sh b/scripts/build-manifest.sh index f318dfd..bcd20f5 100755 --- a/scripts/build-manifest.sh +++ b/scripts/build-manifest.sh @@ -1,7 +1,7 @@ #!/bin/bash set -evo pipefail -REF=$(git rev-parse --short HEAD) +REF="$(git rev-parse --short HEAD)#refs/heads/" VERSION=${VERSION:-$REF} BUILD_DIR=/tmp/ndc-stripe ROOT="$(pwd)" From e108c010e688d001bdd0af1a701bc2cabfc5a623 Mon Sep 17 00:00:00 2001 From: Toan Nguyen Date: Tue, 16 Apr 2024 00:48:14 +0700 Subject: [PATCH 5/8] fix build-manifest scripts --- scripts/build-manifest.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scripts/build-manifest.sh b/scripts/build-manifest.sh index bcd20f5..8ba0a75 100755 --- a/scripts/build-manifest.sh +++ b/scripts/build-manifest.sh @@ -1,7 +1,7 @@ #!/bin/bash set -evo pipefail -REF="$(git rev-parse --short HEAD)#refs/heads/" +REF="${$(git rev-parse --short HEAD)#refs/heads/}" VERSION=${VERSION:-$REF} BUILD_DIR=/tmp/ndc-stripe ROOT="$(pwd)" From 847d8edfb861dfa05502d4abf86d8c038a5e96c1 Mon Sep 17 00:00:00 2001 From: Toan Nguyen Date: Tue, 16 Apr 2024 00:57:04 +0700 Subject: [PATCH 6/8] fix build-manifest scripts --- .github/workflows/release.yaml | 6 +++++- scripts/build-manifest.sh | 2 +- 2 files changed, 6 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index e24025a..6b18eea 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -35,7 +35,11 @@ jobs: - name: Get version from tag id: get-version run: | - echo "tagged_version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + if [[ "$GITHUB_REF_TYPE" == 'tag' ]]; then + echo "tagged_version=${GITHUB_REF#refs/tags/}" >> $GITHUB_OUTPUT + else + echo "tagged_version=${GITHUB_REF#refs/heads/}" >> $GITHUB_OUTPUT + fi shell: bash - name: Extract metadata (tags, labels) for Docker diff --git a/scripts/build-manifest.sh b/scripts/build-manifest.sh index 8ba0a75..192a0b4 100755 --- a/scripts/build-manifest.sh +++ b/scripts/build-manifest.sh @@ -1,7 +1,7 @@ #!/bin/bash set -evo pipefail -REF="${$(git rev-parse --short HEAD)#refs/heads/}" +REF="$(git rev-parse --short HEAD)" VERSION=${VERSION:-$REF} BUILD_DIR=/tmp/ndc-stripe ROOT="$(pwd)" From 94dc1fe7c5dc4a817ea2f86bac2bcd4da57566ee Mon Sep 17 00:00:00 2001 From: Toan Nguyen Date: Tue, 16 Apr 2024 01:01:24 +0700 Subject: [PATCH 7/8] remove tags push --- .github/workflows/release.yaml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index 6b18eea..6cabc57 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -1,8 +1,8 @@ name: Release container definition on: push: - # tags: - # - "*" + tags: + - "*" env: DOCKER_REGISTRY: ghcr.io From 6624e7feef510cd2f999509b23a5591743ad7e37 Mon Sep 17 00:00:00 2001 From: Toan Nguyen Date: Tue, 16 Apr 2024 01:03:59 +0700 Subject: [PATCH 8/8] change SECURITY.md --- SECURITY.md | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) diff --git a/SECURITY.md b/SECURITY.md index f21d6b1..7b64707 100644 --- a/SECURITY.md +++ b/SECURITY.md @@ -13,10 +13,10 @@ All reports are thoroughly investigated by a set of community volunteers. ### When Should I Report a Vulnerability? -- You think you have discovered a potential security vulnerability in the NDC Go SDK or related components. +- You think you have discovered a potential security vulnerability in the NDC Stripe or related components. - You are unsure how a vulnerability affects the SDK. -- You think you discovered a vulnerability in another project that SDK depends on (e.g. Docker, etc). -- You want to report any other security risk that could potentially harm SDK users. +- You think you discovered a vulnerability in another project that connector depends on (e.g. Docker, etc). +- You want to report any other security risk that could potentially harm connector users. ### When Should I NOT Report a Vulnerability?