chore: SAML EE (windmill-labs#3176)

* Extract SAML logic into its own file

* Remove saml.rs core logic

* hello

* Add substitute_ee_code.sh and check_no_symlink.sh scripts

* dry-run docker image build

* test hook

* add setup-hooks.sh script

* Update pre-commit hook

* Update substitution script

* revert docker-image action yaml

* revert Cargo.lock

* publish custom image

* swap for ce build as well

* empty

* revert temp action override

* fix docker-image.yml

Author: gbouv

.githooks/pre-commit

@@ -0,0 +1,14 @@
+#!/bin/sh
+#
+# This file is symlinked to local .git/hooks/pre-commit by the setup-hooks.sh script
+# It wil run before every commit, so it needs to be quick and efficient. If it returns
+# a non-zero exit code, the commit will be aborted.
+
+echo "Running pre-commit hook"
+
+# This checks that there is no symlinks in the backend directory among the EE files
+./backend/check_no_symlink.sh > /dev/null
+if [ $? -ne 0 ]; then
+  echo "/!\ Symlinks detected in the backend directory. Please run './backend/substitute_ee_code.sh --revert' before committing."
+  exit 1
+fi

.github/workflows/docker-image.yml

@@ -26,6 +26,13 @@ jobs:
         with:
           fetch-depth: 0
 
+      - uses: actions/checkout@v3
+        with:
+          repository: windmill-labs/windmill-ee-private
+          path: ./windmill-ee-private
+          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
+          fetch-depth: 0
+
       # - name: Set up Docker Buildx
       #   uses: docker/setup-buildx-action@v2
       - uses: depot/setup-action@v1
@@ -37,6 +44,10 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Substitute EE code (EE logic is behind feature flag)
+        run: |
+          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
+
       - name: Docker meta
         id: meta-public
         uses: docker/metadata-action@v4
@@ -69,9 +80,16 @@ jobs:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
+
+      - uses: actions/checkout@v3
+        with:
+          repository: windmill-labs/windmill-ee-private
+          path: ./windmill-ee-private
+          token: ${{ secrets.WINDMILL_EE_PRIVATE_ACCESS }}
+          fetch-depth: 0
+
       # - name: Set up Docker Buildx
       #   uses: docker/setup-buildx-action@v2
-
       - uses: depot/setup-action@v1
 
       - name: Docker meta
@@ -94,6 +112,10 @@ jobs:
           username: ${{ github.actor }}
           password: ${{ secrets.GITHUB_TOKEN }}
 
+      - name: Substitute EE code
+        run: |
+          ./backend/substitute_ee_code.sh --copy --dir ./windmill-ee-private
+
       - name: Build and push publicly ee
         uses: depot/build-push-action@v1
         with:
@@ -143,7 +165,7 @@ jobs:
           username: ${{ secrets.AWS_ACCESS_KEY_ID }}
           password: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
 
-      - name: Build and push publicly ee
+      - name: Build and push publicly ee reports
         uses: depot/build-push-action@v1
         with:
           context: .
@@ -393,6 +415,7 @@ jobs:
       - uses: actions/checkout@v3
         with:
           fetch-depth: 0
+
       # - name: Set up Docker Buildx
       #   uses: docker/setup-buildx-action@v2
 

backend/Cargo.lock

@@ -198,7 +198,9 @@ tokio-postgres = {version = "^0.7", features = ["array-impls", "with-serde_json-
 mysql_async = { version = "*", default-features = false, features = ["minimal", "default", "native-tls-tls"]}
 postgres-native-tls = "^0"
 native-tls = "^0"
-samael = { version = "0.0.14", features = ["xmlsec"] }
+# samael will break compilation on MacOS. Use this fork instead to make it work
+# samael = { git="https://github.com/gbouv/samael", rev="2344211ed0ac041a86222b38b928adfc1030cb94", features = ["xmlsec"] }
+samael = { version="0.0.14", features = ["xmlsec"] }
 gcp_auth = "0.9.0"
 rust_decimal = { version = "^1", features = ["db-postgres"]}
 jsonwebtoken = "8.3.0"

backend/Cargo.toml

@@ -0,0 +1,47 @@
+#!/bin/bash
+set -euo pipefail
+script_dirpath="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+root_dirpath="$(cd "${script_dirpath}/.." && pwd)"
+
+EE_CODE_DIR="../windmill-ee-private/"
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -d|--dir)
+      EE_CODE_DIR="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      POSITIONAL_ARGS+=("$1") # save positional arg
+      shift # past argument
+      ;;
+  esac
+done
+
+if [[ $EE_CODE_DIR == /* ]]; then
+  EE_CODE_DIR="${EE_CODE_DIR}"
+else
+  EE_CODE_DIR="${root_dirpath}/${EE_CODE_DIR}"
+fi
+echo "EE code directory = ${EE_CODE_DIR}"
+
+if [ ! -d "${EE_CODE_DIR}" ]; then
+  echo "Windmill EE repo not found, nothing to do"
+  exit 0
+fi
+
+for ee_file in $(find "${EE_CODE_DIR}" -name "*.rs"); do
+  ce_file="${ee_file/${EE_CODE_DIR}/.}"
+  ce_file="${root_dirpath}/backend/${ce_file}"
+  echo "Checking if '${ce_file}' is a symlink"
+  if [[ -L "${ce_file}" ]]; then
+      echo "File ${ce_file} is a symlink, cannot commit symlinks"
+      exit 1
+  fi
+done
+echo "All good!"

backend/check_no_symlink.sh

@@ -0,0 +1,86 @@
+#!/bin/bash
+set -euo pipefail
+script_dirpath="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+root_dirpath="$(cd "${script_dirpath}/.." && pwd)"
+
+REVERT="NO"
+COPY="NO"
+EE_CODE_DIR="../windmill-ee-private/"
+
+while [[ $# -gt 0 ]]; do
+  case $1 in
+    -r|--revert)
+      # If EE files have been substituted, this will revert them to their initial content. 
+      # This relies on `git restore` so the EE files must not be committed to the repo for 
+      # this to work (commit hooks should prevent this from happening, as well as the fact
+      # that we're using symlinks by default).
+      REVERT="YES"
+      shift
+      ;;
+    -c|--copy)
+      # By default, EE files are symlinked. Pass this option to do a real copy instead.
+      # This might be necessary if you want to build the Docker Image as Docker COPY seems
+      # to not follow symlinks. For local development, symlinks should be preferred as they
+      # adds a safeguards EE files can't be commited to the OSS repo.
+      COPY="YES"
+      shift # past argument
+      ;;
+    -d|--dir)
+      # Path to the local directory of the windmill-ee-private repository. By defaults, it
+      # assumes it is cloned next to the Windmill OSS repo.
+      EE_CODE_DIR="$2"
+      shift # past argument
+      shift # past value
+      ;;
+    -*|--*)
+      echo "Unknown option $1"
+      exit 1
+      ;;
+    *)
+      POSITIONAL_ARGS+=("$1") # save positional arg
+      shift # past argument
+      ;;
+  esac
+done
+
+if [[ $EE_CODE_DIR == /* ]]; then
+  EE_CODE_DIR="${EE_CODE_DIR}"
+else
+  EE_CODE_DIR="${root_dirpath}/${EE_CODE_DIR}"
+fi
+echo "EE code directory = ${EE_CODE_DIR} | Revert = ${REVERT}"
+
+
+if [ ! -d "${EE_CODE_DIR}" ]; then
+  echo "Windmill EE repo not found, please clone it next to this repository (or use the --dir option) and try again"
+  echo ">   git clone [email protected]:windmill-labs/windmill-ee-private.git"
+  echo ""
+  exit 0
+fi
+
+if [ "$REVERT" == "YES" ]; then
+  for ee_file in $(find ${EE_CODE_DIR} -name "*.rs"); do
+    ce_file="${ee_file/${EE_CODE_DIR}/.}"
+    ce_file="${root_dirpath}/backend/${ce_file}"
+    git restore --staged ${ce_file} || true
+    git restore ${ce_file} || true
+  done
+else
+  # This replaces all files in current repo with alternative EE files in windmill-ee-private
+  for ee_file in $(find "${EE_CODE_DIR}" -name "*.rs"); do
+    ce_file="${ee_file/${EE_CODE_DIR}/.}"
+    ce_file="${root_dirpath}/backend/${ce_file}"
+    if [[ -f "${ce_file}" ]]; then
+      rm "${ce_file}"
+      if [ "$COPY" == "YES" ]; then
+        cp "${ee_file}" "${ce_file}"
+        echo "File copied '${ee_file}' -->> '${ce_file}'"
+      else
+        ln -s "${ee_file}" "${ce_file}"
+        echo "Symlink created '${ee_file}' -->> '${ce_file}'"
+      fi
+    else
+      echo "File ${ce_file} is not a file, ignoring"
+    fi
+  done
+fi