From 53f676908f4d2e6fcee99e44c1bfada2401333c6 Mon Sep 17 00:00:00 2001 From: seaerchin <44049504+seaerchin@users.noreply.github.com> Date: Wed, 20 Dec 2023 12:07:07 +0800 Subject: [PATCH] feat(docker): setup github stuff to be parity with efs (#1067) **NOTE: Setup changes required after this PR is merged!!!** ## Problem Docker setup previously couldn't push to github due to lacking ssh creds + git config. This PR solves that issue. Closes [insert issue #] ## Solution - copy over stuff from a local `.ssh` folder into docker - add git + ssh clients - add github to trusted hosts ## Setup instructions - This assumes that your `git.config` is **global**; if this isn't so, remedy by following the instructions [here](https://git-scm.com/book/en/v2/Getting-Started-First-Time-Git-Setup) - Copy over your `ssh` creds for github into a `.ssh` folder **rooted inside our workdir** (that's `isomercms-backend/`). Name the public key `github.pub` and hte private key `github` - ensure that your local `DB_URI` is `postgres://isomer:password@postgres:5432/isomercms_dev` (updated alr in 1pw)
---
 .github/workflows/ci.yml | 2 +- .gitignore | 1 + Dockerfile | 8 ------ Dockerfile.develop | 22 +++++++++++++++ docker-compose.yml => docker-compose.dev.yml | 17 +++--------- docker-compose.test.yml | 13 +++++++++ package.json | 2 +- scripts/04_add_github_to_known_hosts.sh | 28 ++++++++++++++++++++ 8 files changed, 70 insertions(+), 23 deletions(-) delete mode 100644 Dockerfile create mode 100644 Dockerfile.develop rename docker-compose.yml => docker-compose.dev.yml (55%) create mode 100644 docker-compose.test.yml create mode 100644 scripts/04_add_github_to_known_hosts.sh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 1e0a985a5..cd39ea2f8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -86,7 +86,7 @@ jobs: path: ~/.npm key: ${{ runner.OS }}-node-${{ hashFiles('**/package-lock.json') }} - run: npm ci - - run: npm run dev:services + - run: docker compose -f docker-compose.test.yml up - run: . .env.test && npx jest --runInBand - run: docker compose down
diff --git a/.gitignore b/.gitignore
index c53d70f7e..dc81c9289 100644
--- a/.gitignore
+++ b/.gitignore
@@ -11,3 +11,4 @@ build/
 .step-functions-local/
 .serverless/
 .cache_ggshield
+.ssh/
diff --git a/Dockerfile b/Dockerfile
deleted file mode 100644
index e967a233f..000000000
--- a/Dockerfile
+++ /dev/null
@@ -1,8 +0,0 @@
-FROM node:18-alpine AS base
-WORKDIR /opt/isomercms-backend
-COPY . .
-RUN apk update
-RUN apk add git
-RUN npm ci
-EXPOSE "8081"
-CMD ["npm", "run", "dev:server"]
diff --git a/Dockerfile.develop b/Dockerfile.develop
new file mode 100644
index 000000000..9b541658a
--- /dev/null
+++ b/Dockerfile.develop
@@ -0,0 +1,22 @@
+FROM node:18-alpine AS base
+WORKDIR /opt/isomercms-backend
+RUN mkdir /root/.ssh
+COPY . .
+COPY ./.ssh /root/.ssh
+RUN chmod 600 /root/.ssh/github.pub
+RUN chmod 600 /root/.ssh/github
+RUN apk update
+RUN apk add git
+RUN apk add openssh-client
+RUN npm ci
+RUN cat </root/.ssh/config
+Host github.com
+ IdentityFile /root/.ssh/github
+ User git
+EOF
+
+RUN chmod +x ./scripts/04_add_github_to_known_hosts.sh
+RUN sh ./scripts/04_add_github_to_known_hosts.sh
+
+EXPOSE "8081"
+CMD ["npm", "run", "dev:server"]
diff --git a/docker-compose.yml b/docker-compose.dev.yml
similarity index 55%
rename from docker-compose.yml
rename to docker-compose.dev.yml
index 4c4c1a467..2688656ca 100644
--- a/docker-compose.yml
+++ b/docker-compose.dev.yml
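Review bot: In `.github/workflows/ci.yml`, the new step `docker compose -f docker-compose.test.yml up` runs in the foreground, so the job would stay attached to the Postgres container and never reach the jest step; start it detached with `- run: docker compose -f docker-compose.test.yml up -d`. The later `- run: docker compose down` has no `-f`, and this commit renames the default `docker-compose.yml`, so teardown will likely find no project file; use `- run: docker compose -f docker-compose.test.yml down`. What the replaced `npm run dev:services` script did is not visible in this patch, so confirm it was detaching before.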
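Review bot: In `Dockerfile.develop`, `COPY ./.ssh /root/.ssh` bakes the developer's GitHub private key into an image layer, and the preceding `COPY . .` copies it a second time under the workdir unless a `.dockerignore` (not shown) excludes it, because `.gitignore` does not filter the build context. Anyone who can pull, `docker save` or inspect this image can read the key, and the two `chmod 600` layers do not change that. Keep the key out of the build: add `.ssh` to `.dockerignore`, drop the `COPY ./.ssh` and `chmod` lines, and bind-mount the key read-only in the dev compose file, e.g. `- ./.ssh/github:/root/.ssh/github:ro`. Separately, the rendered `RUN cat </root/.ssh/config` shows no heredoc opener before the `EOF` terminator, so confirm the committed line actually redirects a heredoc into the config file.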
@@ -1,20 +1,20 @@ version: "3" services: web: - build: . + build: + context: . + dockerfile: Dockerfile.develop ports: - "8081:8081" depends_on: - postgres env_file: - .env - environment: - # postgres://user:pass@hostname:port/database - - DB_URI=postgres://isomer:password@postgres:5432/isomercms_dev volumes: - ./:/opt/isomercms-backend - /opt/isomercms-backend/node_modules - ${EFS_VOL_PATH}:${EFS_VOL_PATH} + - "~/.gitconfig:/etc/gitconfig" postgres: image: "postgres:13-alpine"
@@ -27,14 +27,5 @@ services: volumes: - isomercms_data:/var/lib/postgresql/data - postgres_test: - image: "postgres:13-alpine" - environment: - POSTGRES_USER: isomer - POSTGRES_PASSWORD: password - POSTGRES_DB: isomercms_test - ports: - # use a different port to avoid blocking dev environment when running tests - - "54321:5432" volumes: isomercms_data:
diff --git a/docker-compose.test.yml b/docker-compose.test.yml
new file mode 100644
index 000000000..d427b11a0
--- /dev/null
+++ b/docker-compose.test.yml
@@ -0,0 +1,13 @@
+version: "3"
+services:
+ postgres_test:
+ image: "postgres:13-alpine"
+ environment:
+ POSTGRES_USER: isomer
+ POSTGRES_PASSWORD: password
+ POSTGRES_DB: isomercms_test
+ ports:
+ # use a different port to avoid blocking dev environment when running tests
+ - "54321:5432"
+volumes:
+ isomercms_data:
diff --git a/package.json b/package.json
index 951017c6f..f1bd63e38 100644
--- a/package.json
+++ b/package.json
@@ -6,7 +6,7 @@
 "build": "tsc -p tsconfig.build.json",
 "start": "node --unhandled-rejections=warn -r ts-node/register/transpile-only -r tsconfig-paths/register -r dotenv/config build/server.js dotenv_config_path=/efs/isomer/.isomer.env",
 "dev:server": "source .env && ts-node-dev --unhandled-rejections=warn --respawn src/server.js",
- "dev": "docker compose up",
+ "dev": "docker compose -f docker-compose.dev.yml up",
 "test": "source .env.test && jest --runInBand",
 "release": "npm version $npm_config_isomer_update && git push --tags",
 "lint": "npx eslint .",
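Review bot: In `docker-compose.dev.yml`, the added volume `"~/.gitconfig:/etc/gitconfig"` is mounted read-write, so a process in the container can rewrite the developer's global git configuration on the host; `Dockerfile.develop` sets no `USER`, so that process runs as root. Mount it read-only: `- "~/.gitconfig:/etc/gitconfig:ro"`. If the file does not exist on the host, Docker may create a directory at that path instead, which the setup instructions should mention.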
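Review bot: In the new `docker-compose.test.yml`, `- "54321:5432"` publishes Postgres on every host interface with the fixed credentials `isomer`/`password`, so on a developer machine the test database is reachable from the local network. Bind it to loopback instead: `- "127.0.0.1:54321:5432"`. The top-level `volumes: isomercms_data:` entry is not referenced by `postgres_test` and can be dropped.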
diff --git a/scripts/04_add_github_to_known_hosts.sh b/scripts/04_add_github_to_known_hosts.sh
new file mode 100644
index 000000000..8bfdd0d2d
--- /dev/null
+++ b/scripts/04_add_github_to_known_hosts.sh
@@ -0,0 +1,28 @@
+#!/bin/bash
+
+# Get the server's public key
+ssh-keyscan -t rsa github.com >github_rsa.pub
+
+# Generate the key's fingerprint
+SERVER_FINGERPRINT=$(ssh-keygen -lf github_rsa.pub | awk '{print $2}')
+echo "SERVER_FINGERPRINT: $SERVER_FINGERPRINT" >/tmp/setup-github-known-hosts.txt
+
+# The official GitHub RSA fingerprint
+# https://docs.github.com/en/authentication/keeping-your-account-and-data-secure/githubs-ssh-key-fingerprints
+OFFICIAL_FINGERPRINT="SHA256:uNiVztksCsDhcc0u9e8BujQXVUpKZIDTMczCvj3tD2s"
+
+# Check if the server's fingerprint matches the official fingerprint
+# Note: This check is important to prevent any MITM attacks
+if [ "$SERVER_FINGERPRINT" = "$OFFICIAL_FINGERPRINT" ]; then
+ # If the fingerprints match, add the public key to the known_hosts file
+ cat github_rsa.pub >/root/.ssh/known_hosts
+ echo "GitHub's public key added to known_hosts." >>/tmp/setup-github-known-hosts.txt
+else
+ # If the fingerprints don't match, output a warning and exit with an error
+ echo "WARNING: The server's SSH key fingerprint doesn't match the official GitHub fingerprint." >>/tmp/setup-github-known-hosts.txt
+ rm github_rsa.pub
+ exit 1
+fi
+
+# Remove the temporary public key file
+rm github_rsa.pub
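Review bot: On a fingerprint mismatch, `scripts/04_add_github_to_known_hosts.sh` writes its warning only to `/tmp/setup-github-known-hosts.txt`, a file inside the build step that then fails, so `docker build` stops at `exit 1` with nothing in the build output explaining why. Send the warning to stderr as well, e.g. `echo "WARNING: GitHub host key fingerprint mismatch" >&2`. `cat github_rsa.pub >/root/.ssh/known_hosts` truncates any `known_hosts` that was copied in from `./.ssh`; `>>` would append instead. The shebang is `#!/bin/bash` while `Dockerfile.develop` runs the file with `sh` on an Alpine base, so either change it to `#!/bin/sh` or add a comment that the script must stay free of bash-only syntax.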