Hardening & E2E updates

Signed-off-by: Lukasz Gryglicki <lgryglicki@cncf.io>

Assisted by [OpenAI](https://platform.openai.com/)

Assisted by [GitHub Copilot](https://github.com/features/copilot)

Author: lukaszgryglicki

cla-backend-go/v2/sign/service.go

@@ -465,7 +465,7 @@ func (s *service) SignedIndividualCallbackGithub(ctx context.Context, payload []
 		var claUser *v1Models.User
 		if fetchedUser, userErr := s.userService.GetUser(signature.SignatureReferenceID); userErr != nil {
 			log.WithFields(f).WithError(userErr).Warnf("unable to lookup user by ID before pull request refresh: %s", signature.SignatureReferenceID)
-		} else {
+		} else if fetchedUser != nil {
 			claUser = fetchedUser
 			if cacheErr := github.UpdateCacheAfterSignature(ctx, claUser, signature.ProjectID); cacheErr != nil {
 				log.WithFields(f).WithError(cacheErr).Warnf("unable to prime GitHub authorization cache for user: %s", signature.SignatureReferenceID)
@@ -506,6 +506,11 @@ func (s *service) SignedIndividualCallbackGithub(ctx context.Context, payload []
 				log.WithFields(f).WithError(userErr).Warnf("unable to lookup user by ID: %s", signature.SignatureReferenceID)
 				return userErr
 			}
+			if claUser == nil {
+				err = fmt.Errorf("user not found: %s", signature.SignatureReferenceID)
+				log.WithFields(f).WithError(err).Warn("unable to lookup user by ID - user not found")
+				return err
+			}
 		}
 
 		if claUser.Username == "" {

cla-backend-go/v2/signatures/converters.go

@@ -23,6 +23,9 @@ func v2Signature(src *v1Models.Signature) (*models.Signature, error) {
 	if err != nil {
 		return nil, err
 	}
+	if dst.Signatures == nil {
+		dst.Signatures = make([]*models.Signature, 0)
+	}
 	return &dst, nil
 }
 

tests/functional/cypress/e2e/v4/signatures.cy.ts

@@ -76,6 +76,11 @@ describe('To Validate & get list of signatures of ClaGroups via API call', funct
   const findProjectCompanySignature = (signatures: any[], signatureID?: string) =>
     signatures.find((item: any) => item.signatureID === signatureID) || signatures[0];
 
+  const getAllowlistSignatureID = () => signatureCclaID || projectCompanySignatureID || signatureID;
+
+  const getSignedDocumentSignatureID = () =>
+    signatureIclaID || signatureID || signatureCclaID || projectCompanySignatureID;
+
   const extractApprovalValues = (list: any[] = []) =>
     list
       .map((item: any) => {
@@ -469,24 +474,40 @@ describe('To Validate & get list of signatures of ClaGroups via API call', funct
       },
     }).then((response) => {
       return cy.logJson('response', response).then(() => {
+        const signatures = response.body.signatures || [];
+        const normalizedResponse = {
+          ...response,
+          body: { ...response.body, signatures },
+        };
+
         validate_200_Status(response);
-        let signatures = response.body.signatures;
+        expect(signatures).to.be.an('array');
         for (let i = 0; i <= signatures.length - 1; i++) {
           // LG: API /signatures/user/{userID} internally skips ECLA records, and for ICLA we never have company
           expect(signatures[i].companyName).to.be.undefined;
           expect(signatures[i].signatureReferenceType).to.eql('user');
-          signatureID = signatures[i].signatureID;
+          if (!signatureID && signatures[i].signatureID) {
+            signatureID = signatures[i].signatureID;
+          }
+        }
+        if (signatures.length === 0) {
+          cy.task(
+            'log',
+            `No direct user signatures were returned for user ${userID2}. This can happen in dev when the user only has ECLA/employee signatures or no active ICLA.`,
+          );
         }
-        validateApiResponse('signatures/getProjectCompanySignatures.json', response);
+        validateApiResponse('signatures/getUserSignatures.json', normalizedResponse);
       });
     });
   });
 
   it('GET: Updates the specified signature GitHub Organization approval list', function () {
+    const allowlistSignatureID = getAllowlistSignatureID();
+    expect(allowlistSignatureID, 'signature ID for GitHub organization allowlist').to.not.equal('');
     cy.request({
       method: 'GET',
       // we can't use inclusive name yet as it is inside API URL.
-      url: `${claEndpoint}signatures/${signatureID}/gh-org-whitelist`,
+      url: `${claEndpoint}signatures/${allowlistSignatureID}/gh-org-whitelist`,
       timeout: timeout,
       failOnStatusCode: allowFail,
       headers: getXACLHeader(),
@@ -499,10 +520,12 @@ describe('To Validate & get list of signatures of ClaGroups via API call', funct
   });
 
   it('POST: Updates the specified signature GitHub organization approval list', function () {
+    const allowlistSignatureID = getAllowlistSignatureID();
+    expect(allowlistSignatureID, 'signature ID for GitHub organization allowlist').to.not.equal('');
     cy.request({
       method: 'POST',
       // we can't use inclusive name yet as it is inside API URL.
-      url: `${claEndpoint}signatures/${signatureID}/gh-org-whitelist`,
+      url: `${claEndpoint}signatures/${allowlistSignatureID}/gh-org-whitelist`,
       timeout: timeout,
       failOnStatusCode: false,
       headers: getXACLHeader(),
@@ -524,9 +547,11 @@ describe('To Validate & get list of signatures of ClaGroups via API call', funct
   });
 
   it('Returns the signature signed document when provided the signature ID', function () {
+    const signedDocumentSignatureID = getSignedDocumentSignatureID();
+    expect(signedDocumentSignatureID, 'signature ID for signed document').to.not.equal('');
     cy.request({
       method: 'GET',
-      url: `${claEndpoint}signatures/${signatureID}/signed-document`,
+      url: `${claEndpoint}signatures/${signedDocumentSignatureID}/signed-document`,
       timeout: timeout,
       failOnStatusCode: allowFail,
       headers: getXACLHeader(),