From cde085f001888b61234447e09d159fce8a4367a4 Mon Sep 17 00:00:00 2001
From: Vasco Santos
Date: Thu, 4 Aug 2022 08:13:06 +0000
Subject: [PATCH] feat: add cron denylist (#28)
---
 .github/workflows/conventional-commits.yml | 17 ++++++++++
 .github/workflows/cron-denylist.yml | 37 ++++++++++++++++++++++
 packages/edge-gateway/scripts/README.md | 27 ++++++++++++++++
 packages/edge-gateway/scripts/cli.js | 5 +++
 packages/edge-gateway/scripts/heartbeat.js | 14 ++++++++
 5 files changed, 100 insertions(+)
 create mode 100644 .github/workflows/conventional-commits.yml
 create mode 100644 .github/workflows/cron-denylist.yml
 create mode 100644 packages/edge-gateway/scripts/README.md
 create mode 100644 packages/edge-gateway/scripts/heartbeat.js
diff --git a/.github/workflows/conventional-commits.yml b/.github/workflows/conventional-commits.yml
new file mode 100644
index 0000000..bb06acf
--- /dev/null
+++ b/.github/workflows/conventional-commits.yml
@@ -0,0 +1,17 @@
+name: 'Check Conventional Commits'
+
+on:
+ pull_request_target:
+ types:
+ - opened
+ - edited
+ - synchronize
+
+jobs:
+ main:
+ name: Validate PR title
+ runs-on: ubuntu-latest
+ steps:
+ - uses: amannn/action-semantic-pull-request@v4
+ env:
+ GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.github/workflows/cron-denylist.yml b/.github/workflows/cron-denylist.yml
new file mode 100644
index 0000000..488ac0b
--- /dev/null
+++ b/.github/workflows/cron-denylist.yml
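Review bot: In `.github/workflows/conventional-commits.yml` the job is triggered by `pull_request_target`, so it runs in the base repository's context for pull requests from forks, yet the workflow declares no `permissions:` block and references the third-party action by the mutable tag `@v4`. The job only validates the PR title and checks out no code, so the token can be narrowed with a top-level `permissions:` containing `pull-requests: read`. Pinning the step as `uses: amannn/action-semantic-pull-request@<full-commit-sha>` (placeholder) keeps a retagged release from running with that token. If this action version also has to write commit statuses, grant only that additional scope.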
@@ -0,0 +1,37 @@
+name: Cron sync deny list
+
+on:
+ schedule:
+ - cron: '13 0,5,10,15,20 * * *'
+ workflow_dispatch:
+ push:
+ branches:
+ - main
+ paths:
+ - 'packages/edge-gateway/denylist.json'
+
+jobs:
+ update:
+ name: Sync deny list with KV store
+ runs-on: ubuntu-latest
+ strategy:
+ matrix:
+ env: ['staging', 'production']
+ timeout-minutes: 20
+ steps:
+ - uses: actions/checkout@v2
+ - uses: pnpm/action-setup@v2.0.1
+ with:
+ version: 6.32.x
+ - uses: actions/setup-node@v2
+ with:
+ cache: 'pnpm'
+ - run: pnpm install
+ - name: Run job
+ env:
+ CF_API_TOKEN: ${{ secrets.CF_GATEWAY_TOKEN }}
+ run: node packages/edge-gateway/scripts/cli.js denylist sync --env ${{ matrix.env }}
+
+ - name: Heartbeat
+ if: ${{ success() }}
+ run: node packages/edge-gateway/scripts/cli.js heartbeat --token ${{ secrets.OPSGENIE_KEY }} --name cron-edge-gateway-denylist
diff --git a/packages/edge-gateway/scripts/README.md b/packages/edge-gateway/scripts/README.md
new file mode 100644
index 0000000..c1e4d37
--- /dev/null
+++ b/packages/edge-gateway/scripts/README.md
@@ -0,0 +1,27 @@
+# Gateway CLI
+
+# `denylist add`
+
+Add a CID (or CID + path) to the local deny list. Note: we currently DO NOT support denying by CID + path in the API.
+
+Usage:
+
+```sh
+node scripts/cli.js denylist add --status 410 --reason bad
+```
+
+Note that `--status` and `--reason` are optional. The default HTTP status is `410` with no reason.
+
+# `denylist sync`
+
+Reads `wrangler.toml` to pick out the correct KV to write to based on the passed `--env` value.
+
+Requires a Cloudflare API token (as an environment variable) in order to write entries.
+
+Usage:
+
+```sh
+CF_API_TOKEN= node scripts/cli.js denylist sync --env production
+```
+
+It reads from the local `denylist.json` as well as the [badbits denylist](https://badbits.dwebops.pub/denylist.json). Sources can be updated in `denylist.js`.
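Review bot: The Heartbeat step in `.github/workflows/cron-denylist.yml` expands `${{ secrets.OPSGENIE_KEY }}` straight into the `run:` command line, which places the key in the shell text and the process arguments; the `--token` option added in `scripts/cli.js` has the same shape. Hand it over the way the "Run job" step hands over `CF_API_TOKEN`, with `env:` / `OPSGENIE_KEY: ${{ secrets.OPSGENIE_KEY }}` on the step, and have the heartbeat command read it from the environment (that part lives in `heartbeat.js`, outside this hunk). The job also holds the Cloudflare token for both matrix environments while its actions are pinned by tag (`actions/checkout@v2`, `pnpm/action-setup@v2.0.1`, `actions/setup-node@v2`) and no `permissions:` block is set. Adding `permissions:` with `contents: read` and pinning to commit SHAs would limit what a compromised action can reach.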
diff --git a/packages/edge-gateway/scripts/cli.js b/packages/edge-gateway/scripts/cli.js
index b687914..81fdbd1 100644
--- a/packages/edge-gateway/scripts/cli.js
+++ b/packages/edge-gateway/scripts/cli.js
@@ -5,6 +5,7 @@ import sade from 'sade'
 import { buildCmd } from './build.js'
 import { ipfsCmd } from './ipfs.js'
 import { denylistSyncCmd, denylistAddCmd } from './denylist.js'
+import { heartbeatCmd } from './heartbeat.js'
 const env = process.env.ENV || 'dev'
 const prog = sade('edge-gateway')
@@ -19,6 +20,10 @@ prog
 .option('--start', 'Start docker container', false)
 .option('--stop', 'Stop and clean all dockers artifacts', false)
 .action(ipfsCmd)
+ .command('heartbeat', 'Ping opsgenie heartbeat')
+ .option('--token', 'Opsgenie Token')
+ .option('--name', 'Heartbeat Name')
+ .action(heartbeatCmd)
 .command('denylist sync')
 .describe('Sync the gateway deny list with various sources.')
 .option('--env', 'Wrangler environment to use.', env)
diff --git a/packages/edge-gateway/scripts/heartbeat.js b/packages/edge-gateway/scripts/heartbeat.js
new file mode 100644
index 0000000..92f46a3
--- /dev/null
+++ b/packages/edge-gateway/scripts/heartbeat.js
@@ -0,0 +1,14 @@
+import { fetch } from '@web-std/fetch'
+
+export async function heartbeatCmd (opts) {
+ try {
+ await fetch(`https://api.opsgenie.com/v2/heartbeats/${opts.name}/ping`, {
+ headers: {
+ Authorization: `GenieKey ${opts.token}`
+ }
+ })
+ } catch (err) {
+ console.error(err)
+ process.exit(1)
+ }
+}
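Review bot: `heartbeatCmd` in `scripts/heartbeat.js` discards the response, and `fetch` resolves rather than rejects on 4xx/5xx replies, so a rejected key or an unknown heartbeat name still exits 0 and the workflow step looks green although no ping was recorded. Keep the response and fail on it: `const res = await fetch(...)` followed by `if (!res.ok) throw new Error('heartbeat ping failed: ' + res.status)`, which the existing `catch` turns into exit code 1. `opts.name` is also placed in the URL path unescaped and neither option is checked for presence. Using `encodeURIComponent(opts.name)` and raising an early error when `opts.token` or `opts.name` is missing would avoid sending `GenieKey undefined`.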