Merge branch 'main' into fix/jira-mixed-case-key-matching

Author: jbrejner

.snyk

@@ -17,3 +17,7 @@ exclude:
     # (a graphql `Login` field) as a hardcoded credential. It is a public
     # identifier in test data, not a secret. See kosli-dev/server#5479.
     - internal/github/build_pr_evidence_test.go
+    # False positive: Snyk Code flags the hardcoded test session token (auth_token)
+    # in this test-user fixture as a secret. It is fake test data, not a real
+    # credential, and is used only to seed the local integration-test server.
+    - server-scripts/create_standalone_test_users.py

bin/reset-or-start-server.sh

@@ -24,10 +24,16 @@ check_success()
 restart_server() 
 {
     echo restarting server ...
-    ./bin/docker_login_aws.sh staging
+    # Only remote (digest-pinned) images need an AWS login and pull. The local-image
+    # flow uses the plain "merkely" tag, which is built locally — skip both.
+    if [[ "$KOSLI_SERVER_IMAGE" == *"@sha256:"* ]]; then
+        ./bin/docker_login_aws.sh staging
+        docker pull "${KOSLI_SERVER_IMAGE}" || true
+    else
+        echo "local image — skipping AWS login and pull"
+    fi
     docker compose down || true
     echo -e "\033[38;5;208musing server image\033[0m ${KOSLI_SERVER_IMAGE}"
-    docker pull ${KOSLI_SERVER_IMAGE} || true
     docker compose up -d
     ./mongo/ip_wait.sh localhost:9010/minio/health/live
     ./mongo/ip_wait.sh localhost:8001/ready
@@ -46,5 +52,5 @@ else
 fi
 
 echo creating test users on server ...
-docker exec $container_name /demo/create_standalone_test_users.py
+docker exec $container_name /app/test/create_standalone_test_users.py
 check_success

server-scripts/create_standalone_test_users.py

@@ -0,0 +1,47 @@
+#!/usr/bin/env python3
+
+# Creates the standalone test users used by the Kosli CLI integration tests.
+#
+# This script is owned by the CLI repo (the test users are CLI test data). It is
+# mounted into the server container at /app/test via docker-compose and executed
+# there, so it relies on the server's `lib` and `model` packages being importable
+# via PYTHONPATH=/app/src.
+
+import hashlib
+
+from lib import Sku
+from model import Organizations, Users
+
+# key == person-id, value == api-key
+CLI_TEST_USERS = {
+    "docs-cmd-test-user": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6ImNkNzg4OTg5In0.e8i_lA_QrEhFncb05Xw6E_tkCHU9QfcY4OLTVUCHffY",
+    "acme-org": "v3OWZiYWu9G2IMQStYg9BcPQUQ88lJNNnTJTNq8jfvmkR1C5wVpHSs7F00JcB5i6OGeUzrKt3CwRq7ndcN4TTfMeo8ASVJ5NdHpZT7DkfRfiFvm8s7GbsIHh2PtiQJYs2UoN13T8DblV5C4oKb6-yWH73h67OhotPlKfVKazR-c",
+    "iu-org": "qM9u2_grv6pJLbACwsMMMT5LIQy82tQj2k1zjZnlXti1smnFaGwCKW4jzk0La7ae9RrSYvEwCXSsXknD6YZqd-onLaaIUUKtEn6-B6yh53vWIe9EC5u85FCbKZjFbaicp_d0Me0Zcqq_KcCgrAZRX9xggl_pBb2oaCsNdllqNjk",
+    "system-tests-user": "95-IeGBfyKdTteLdKidiAnXk6uMmV6jTkGM9v3DEtrQ",
+}
+
+
+def create_standalone_test_users(test_users):
+    users = Users()
+    orgs = Organizations()
+
+    for user_name, api_key in test_users.items():
+        uid = hashlib.sha256(user_name.encode("utf-8")).hexdigest()[0:24]
+        login_data = {
+            "userId": uid,
+            "name": user_name,
+            "email": "default@example.com",
+            "picture": "",
+        }
+        users.create("descope", login_data)
+        user = users.find_by_auth_user_id(login_data["userId"])
+        user.completed_signup = True
+        user.add_api_key(api_key=api_key, setting_user=user, expires_at=0, description="")
+        # fixed auth_token so tests have a stable session token to authenticate with
+        user.auth_token = "213c18081df7f738ec479107b86f97ec678b1d54"
+
+        orgs.create_shared(f"{user_name}-shared", sku=Sku().existing_orgs, owner=user)
+
+
+if __name__ == "__main__":
+    create_standalone_test_users(CLI_TEST_USERS)