Merge branch 'main' of github.com:acm-uiuc/core into siglead-management

Author: Tarash Agarwal

.devcontainer/devcontainer.json

@@ -1,41 +1,39 @@
 // For format details, see https://aka.ms/devcontainer.json. For config options, see the
 // README at: https://github.com/devcontainers/templates/tree/main/src/ubuntu
 {
-	"name": "Ubuntu",
-	// Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
-	"image": "mcr.microsoft.com/devcontainers/base:jammy",
-	"features": {
-		"ghcr.io/devcontainers/features/node:1": {},
+  "name": "Ubuntu",
+  // Or use a Dockerfile or Docker Compose file. More info: https://containers.dev/guide/dockerfile
+  "image": "mcr.microsoft.com/devcontainers/base:jammy",
+  "features": {
+    "ghcr.io/devcontainers/features/node:1": {},
     "ghcr.io/devcontainers/features/aws-cli:1": {},
-		"ghcr.io/jungaretti/features/make:1": {},
-	  "ghcr.io/customink/codespaces-features/sam-cli:1": {},
-	  "ghcr.io/devcontainers/features/python:1": {}
-	},
+    "ghcr.io/jungaretti/features/make:1": {},
+    "ghcr.io/customink/codespaces-features/sam-cli:1": {},
+    "ghcr.io/devcontainers/features/python:1": {},
+    "ghcr.io/devcontainers/features/docker-outside-of-docker:1": {}
+  },
 
-	// Features to add to the dev container. More info: https://containers.dev/features.
-	// "features": {},
+  // Features to add to the dev container. More info: https://containers.dev/features.
+  // "features": {},
 
-	// Use 'forwardPorts' to make a list of ports inside the container available locally.
-	"forwardPorts": [
-		8080,
-		5173
-	],
-	"customizations": {
-		"vscode": {
-			"extensions": [
-				"EditorConfig.EditorConfig",
-				"waderyan.gitblame",
-				"Gruntfuggly.todo-tree"
-			]
-		}
-	}
+  // Use 'forwardPorts' to make a list of ports inside the container available locally.
+  "forwardPorts": [8080, 5173],
+  "customizations": {
+    "vscode": {
+      "extensions": [
+        "EditorConfig.EditorConfig",
+        "waderyan.gitblame",
+        "Gruntfuggly.todo-tree"
+      ]
+    }
+  }
 
-	// Use 'postCreateCommand' to run commands after the container is created.
-	// "postCreateCommand": "uname -a",
+  // Use 'postCreateCommand' to run commands after the container is created.
+  // "postCreateCommand": "uname -a",
 
-	// Configure tool-specific properties.
-	// "customizations": {},
+  // Configure tool-specific properties.
+  // "customizations": {},
 
-	// Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
-	// "remoteUser": "root"
+  // Uncomment to connect as root instead. More info: https://aka.ms/dev-containers-non-root.
+  // "remoteUser": "root"
 }

.github/workflows/deploy-dev.yml

@@ -81,7 +81,7 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::427040638965:role/GitHubActionsRole
-          role-session-name: Core_Dev_Deployment
+          role-session-name: Core_Dev_Deployment_${{ github.run_id }}
           aws-region: us-east-1
 
       - name: Publish to AWS

.github/workflows/deploy-prod.yml

@@ -42,6 +42,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 22.x
+
       - uses: actions/checkout@v4
         env:
           HUSKY: "0"
@@ -55,7 +56,7 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::427040638965:role/GitHubActionsRole
-          role-session-name: Core_Dev_Prod_Deployment
+          role-session-name: Core_Dev_Prod_Deployment_${{ github.run_id }}
           aws-region: us-east-1
       - name: Publish to AWS
         run: make deploy_dev
@@ -90,6 +91,7 @@ jobs:
         uses: actions/setup-node@v4
         with:
           node-version: 22.x
+
       - uses: actions/checkout@v4
         env:
           HUSKY: "0"
@@ -103,7 +105,7 @@ jobs:
       - uses: aws-actions/configure-aws-credentials@v4
         with:
           role-to-assume: arn:aws:iam::298118738376:role/GitHubActionsRole
-          role-session-name: Core_Dev_Prod_Deployment
+          role-session-name: Core_Dev_Prod_Deployment_${{ github.run_id }}
           aws-region: us-east-1
       - name: Publish to AWS
         run: make deploy_prod

.gitignore

@@ -142,3 +142,4 @@ __pycache__
 /blob-report/
 /playwright/.cache/
 dist_devel/
+!src/ui/pages/logs

Makefile

@@ -58,7 +58,7 @@ build: src/ cloudformation/ docs/
 	VITE_BUILD_HASH=$(GIT_HASH) yarn build
 	cp -r src/api/resources/ dist/api/resources
 	rm -rf dist/lambda/sqs
-	sam build --template-file cloudformation/main.yml
+	sam build --template-file cloudformation/main.yml --use-container
 	mkdir -p .aws-sam/build/AppApiLambdaFunction/node_modules/aws-crt/
 	cp -r node_modules/aws-crt/dist .aws-sam/build/AppApiLambdaFunction/node_modules/aws-crt
 

cloudformation/iam.yml

@@ -77,6 +77,7 @@ Resources:
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-room-requests
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-room-requests-status
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-linkry
+              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-keys
               # Index accesses
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-stripe-links/index/*
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-events/index/*
@@ -106,6 +107,16 @@ Resources:
             Resource:
               - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-rate-limiter
 
+          - Sid: DynamoDBAuditLogTableAccess
+            Effect: Allow
+            Action:
+              - dynamodb:DescribeTable
+              - dynamodb:PutItem
+              - dynamodb:Query
+            Resource:
+              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-audit-log
+              - Fn::Sub: arn:aws:dynamodb:${AWS::Region}:${AWS::AccountId}:table/infra-core-api-audit-log/index/*
+
           - Sid: DynamoDBStreamAccess
             Effect: Allow
             Action:

cloudformation/logs.yml

@@ -21,3 +21,26 @@ Resources:
       LogGroupName:
         Fn::Sub: /aws/lambda/${LambdaFunctionName}-edge
       RetentionInDays: 7
+  AppAuditLog:
+    Type: "AWS::DynamoDB::Table"
+    DeletionPolicy: "Retain"
+    UpdateReplacePolicy: "Retain"
+    Properties:
+      BillingMode: "PAY_PER_REQUEST"
+      TableName: infra-core-api-audit-log
+      DeletionProtectionEnabled: true
+      PointInTimeRecoverySpecification:
+        PointInTimeRecoveryEnabled: true
+      AttributeDefinitions:
+        - AttributeName: module
+          AttributeType: S
+        - AttributeName: createdAt
+          AttributeType: N
+      KeySchema:
+        - AttributeName: module
+          KeyType: HASH
+        - AttributeName: createdAt
+          KeyType: RANGE
+      TimeToLiveSpecification:
+        AttributeName: expiresAt
+        Enabled: true

cloudformation/main.yml

@@ -48,7 +48,7 @@ Mappings:
       LogRetentionDays: 7
       SesDomain: "aws.qa.acmuiuc.org"
     prod:
-      LogRetentionDays: 365
+      LogRetentionDays: 90
       SesDomain: "acm.illinois.edu"
   ApiGwConfig:
     dev:
@@ -151,7 +151,7 @@ Resources:
     DependsOn:
       - AppLogGroups
     Properties:
-      Architectures: [arm64]
+      Architectures: [x86_64]
       CodeUri: ../dist/lambda
       AutoPublishAlias: live
       Runtime: nodejs22.x
@@ -166,7 +166,7 @@ Resources:
           RunEnvironment: !Ref RunEnvironment
           EntraRoleArn: !GetAtt AppSecurityRoles.Outputs.EntraFunctionRoleArn
           LinkryKvArn: !GetAtt LinkryRecordsCloudfrontStore.Arn
-          AWS_CRT_NODEJS_BINARY_RELATIVE_PATH: node_modules/aws-crt/dist/bin/linux-arm64-glibc/aws-crt-nodejs.node
+          AWS_CRT_NODEJS_BINARY_RELATIVE_PATH: node_modules/aws-crt/dist/bin/linux-x64-glibc/aws-crt-nodejs.node
       VpcConfig:
         Ipv6AllowedForDualStack: !If [ShouldAttachVpc, True, !Ref AWS::NoValue]
         SecurityGroupIds:
@@ -198,7 +198,7 @@ Resources:
     DependsOn:
       - AppLogGroups
     Properties:
-      Architectures: [arm64]
+      Architectures: [x86_64]
       CodeUri: ../dist/sqsConsumer
       AutoPublishAlias: live
       Runtime: nodejs22.x
@@ -273,6 +273,26 @@ Resources:
         - AttributeName: email
           KeyType: HASH
 
+  ApiKeyTable:
+    Type: "AWS::DynamoDB::Table"
+    DeletionPolicy: "Retain"
+    UpdateReplacePolicy: "Retain"
+    Properties:
+      BillingMode: "PAY_PER_REQUEST"
+      TableName: infra-core-api-keys
+      DeletionProtectionEnabled: !If [IsProd, true, false]
+      PointInTimeRecoverySpecification:
+        PointInTimeRecoveryEnabled: !If [IsProd, true, false]
+      AttributeDefinitions:
+        - AttributeName: keyId
+          AttributeType: S
+      KeySchema:
+        - AttributeName: keyId
+          KeyType: HASH
+      TimeToLiveSpecification:
+        AttributeName: expiresAt
+        Enabled: true
+
   ExternalMembershipRecordsTable:
     Type: "AWS::DynamoDB::Table"
     DeletionPolicy: "Retain"
@@ -736,6 +756,38 @@ Resources:
               - HEAD
             CachePolicyId: !Ref CloudfrontCachePolicy
             OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3
+          - PathPattern: "/api/v1/organizations"
+            TargetOriginId: ApiGatewayOrigin
+            ViewerProtocolPolicy: redirect-to-https
+            AllowedMethods:
+              - GET
+              - HEAD
+              - OPTIONS
+              - PUT
+              - POST
+              - DELETE
+              - PATCH
+            CachedMethods:
+              - GET
+              - HEAD
+            CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
+            OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3
+          - PathPattern: "/api/documentation*"
+            TargetOriginId: ApiGatewayOrigin
+            ViewerProtocolPolicy: redirect-to-https
+            AllowedMethods:
+              - GET
+              - HEAD
+              - OPTIONS
+              - PUT
+              - POST
+              - DELETE
+              - PATCH
+            CachedMethods:
+              - GET
+              - HEAD
+            CachePolicyId: "658327ea-f89d-4fab-a63d-7e88639e58f6"
+            OriginRequestPolicyId: 216adef6-5c7f-47e4-b989-5492eafa07d3
           - PathPattern: "/api/*"
             TargetOriginId: ApiGatewayOrigin
             ViewerProtocolPolicy: redirect-to-https
@@ -901,6 +953,15 @@ Resources:
         async function handler(event) {
           const request = event.request;
           const path = request.uri.replace(/^\/+/, '');
+          if (path === "") {
+            return {
+              statusCode: 301,
+              statusDescription: 'Found',
+              headers: {
+                'location': { value: "https://core.acm.illinois.edu/linkry" }
+              }
+            }
+          }
           let redirectUrl = "https://acm.illinois.edu/404";
           try {
             const value = await kvs.get(path);

package.json

@@ -17,7 +17,7 @@
     "lint": "yarn workspaces run lint",
     "prepare": "node .husky/install.mjs || true",
     "typecheck": "yarn workspaces run typecheck",
-    "test:unit": "cross-env RunEnvironment='dev' vitest run --coverage tests/unit --config tests/unit/vitest.config.ts && yarn workspace infra-core-ui run test:unit",
+    "test:unit": "cross-env RunEnvironment='dev' vitest run --coverage --config tests/unit/vitest.config.ts tests/unit && yarn workspace infra-core-ui run test:unit",
     "test:unit-ui": "yarn test:unit --ui",
     "test:unit-watch": "vitest tests/unit",
     "test:live": "vitest tests/live",
@@ -44,6 +44,7 @@
     "concurrently": "^9.1.2",
     "cross-env": "^7.0.3",
     "esbuild": "^0.23.0",
+    "esbuild-plugin-copy": "^2.1.1",
     "eslint": "^8.57.0",
     "eslint-config-airbnb": "^19.0.4",
     "eslint-config-airbnb-typescript": "^18.0.0",

src/api/build.js

@@ -1,5 +1,6 @@
 import esbuild from "esbuild";
 import { resolve } from "path";
+import { copy } from 'esbuild-plugin-copy'
 
 
 const commonParams = {
@@ -15,7 +16,7 @@ const commonParams = {
   target: "es2022", // Target ES2022
   sourcemap: false,
   platform: "node",
-  external: ["aws-sdk", "moment-timezone", "passkit-generator", "fastify"],
+  external: ["aws-sdk", "moment-timezone", "passkit-generator", "fastify", "zod", "zod-openapi", "@fastify/swagger", "@fastify/swagger-ui", "argon2"],
   alias: {
     'moment-timezone': resolve(process.cwd(), '../../node_modules/moment-timezone/builds/moment-timezone-with-data-10-year-range.js')
   },
@@ -27,8 +28,26 @@ const commonParams = {
       const require = topLevelCreateRequire(import.meta.url);
       const __filename = fileURLToPath(import.meta.url);
       const __dirname = path.dirname(__filename);
+      import "zod-openapi/extend";
     `.trim(),
   }, // Banner for compatibility with CommonJS
+  plugins: [
+    copy({
+      resolveFrom: 'cwd',
+      assets: {
+        from: ['../../node_modules/@fastify/swagger-ui/static/*'],
+        to: ['../../dist/lambda/static'],
+      },
+    }),
+    copy({
+      resolveFrom: 'cwd',
+      assets: {
+        from: ['./public/*'],
+        to: ['../../dist/lambda/public'],
+      },
+    }),
+  ],
+  inject: [resolve(process.cwd(), "./zod-openapi-patch.js")],
 }
 esbuild
   .build({