Initial PACTA infrastructure

.bazelignore

@@ -0,0 +1 @@
+.postgres-data

.bazelrc

@@ -0,0 +1 @@
+test --test_output=errors

.bazelversion

@@ -0,0 +1 @@
+6.1.2

.github/dco.yml

@@ -0,0 +1,4 @@
+allowRemediationCommits:
+  individual: true
+require:
+  members: false

.github/workflows/test.yml

@@ -0,0 +1,38 @@
+name: Test + Lint
+
+on: push
+
+jobs:
+  backend-build-test:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Cache Bazel
+        uses: actions/cache@v3
+        with:
+          path: |
+            ~/.cache/bazel
+          key: ${{ runner.os }}-bazel-${{ hashFiles('.bazelversion', '.bazelrc', 'WORKSPACE') }}
+          restore-keys: |
+            ${{ runner.os }}-bazel-
+
+      - uses: actions/checkout@v3
+
+      - name: Run all tests
+        run: bazelisk query 'tests(//... except kind(oci_*, //...))' | xargs bazelisk test
+
+  frontend-build-lint-test:
+    runs-on: ubuntu-latest
+    defaults:
+      run:
+        working-directory: frontend
+    steps:
+    - uses: actions/checkout@v3
+    - uses: actions/setup-node@v3
+      with:
+        node-version-file: '.nvmrc'
+        cache: 'npm'
+        cache-dependency-path: frontend/package-lock.json
+    - run: npm ci
+    - run: npm run build:local
+    - run: npm run lint
+    - run: npm run typecheck

.gitignore

@@ -0,0 +1,6 @@
+/bazel-*
+/test_ed25519.key
+/test_ed25519.pub
+/test_server.key
+/test_server.pub
+/.postgres-data

.nvmrc

@@ -0,0 +1 @@
+16.13

BUILD.bazel

@@ -0,0 +1,25 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_library")
+load("@bazel_gazelle//:def.bzl", "gazelle")
+
+# gazelle:resolve go github.com/RMI/pacta/openapi/pacta //openapi:pacta_generated
+# gazelle:prefix github.com/RMI/pacta
+# gazelle:exclude frontend/
+# gazelle:exclude .postgres-data
+gazelle(name = "gazelle")
+
+gazelle(
+    name = "gazelle-update-repos",
+    args = [
+        "-from_file=go.mod",
+        "-to_macro=deps.bzl%go_dependencies",
+        "-prune",
+    ],
+    command = "update-repos",
+)
+
+go_library(
+    name = "pacta",
+    srcs = ["pacta.go"],
+    importpath = "github.com/RMI/pacta",
+    visibility = ["//visibility:public"],
+)

README.md

@@ -0,0 +1,39 @@
+# PACTA
+
+This repository contains code for the Paris Agreement Capital Transition Assessment (PACTA) project, which consists of an OpenAPI v3-based API and a Nuxt-based frontend.
+
+## Running
+
+```bash
+# First, run a credential service, which you'll need if you want to log in.
+# Otherwise, you can manually create a token with genjwt and use the API directly.
+
+cd <path to credential service>
+
+# Run the credential service
+bazel run //scripts:run_server -- --use_azure_auth
+
+# In a new terminal, from this directory, run the PACTA database
+bazel run //scripts:run_db
+
+# In another terminal, run the PACTA server
+bazel run //scripts:run_server
+
+# In one last terminal, run the frontend
+cd frontend
+npm run local
+```
+
+## Status
+
+This project is at a very early stage, expect things to change rapidly.
+
+## Security
+
+Please report security issues to [email protected], or by using one of
+the contact methods available on our
+[Contact Us page](https://siliconally.org/contact/).
+
+## Contributing
+
+Contribution guidelines can be found [on our website](https://siliconally.org/oss/contributor-guidelines).

WORKSPACE

@@ -0,0 +1,100 @@
+load("@bazel_tools//tools/build_defs/repo:http.bzl", "http_archive")
+
+# Start of Go + Gazelle + gRPC
+http_archive(
+    name = "io_bazel_rules_go",
+    sha256 = "278b7ff5a826f3dc10f04feaf0b70d48b68748ccd512d7f98bf442077f043fe3",
+    urls = [
+        "https://mirror.bazel.build/github.com/bazelbuild/rules_go/releases/download/v0.41.0/rules_go-v0.41.0.zip",
+        "https://github.com/bazelbuild/rules_go/releases/download/v0.41.0/rules_go-v0.41.0.zip",
+    ],
+)
+
+http_archive(
+    name = "bazel_gazelle",
+    sha256 = "29218f8e0cebe583643cbf93cae6f971be8a2484cdcfa1e45057658df8d54002",
+    urls = [
+        "https://mirror.bazel.build/github.com/bazelbuild/bazel-gazelle/releases/download/v0.32.0/bazel-gazelle-v0.32.0.tar.gz",
+        "https://github.com/bazelbuild/bazel-gazelle/releases/download/v0.32.0/bazel-gazelle-v0.32.0.tar.gz",
+    ],
+)
+
+http_archive(
+    name = "com_siliconally_rules_oapi_codegen",
+    sha256 = "2e4f696fad21126f584a457e91740f84d14e3d1e980871ffa1f490b58ff96908",
+    urls = [
+        "https://github.com/Silicon-Ally/rules_oapi_codegen/releases/download/v0.0.1/rules_oapi_codegen-v0.0.1.zip",
+    ],
+)
+
+load("@io_bazel_rules_go//go:deps.bzl", "go_register_toolchains", "go_rules_dependencies")
+load("@bazel_gazelle//:deps.bzl", "gazelle_dependencies")
+load("@com_siliconally_rules_oapi_codegen//:deps.bzl", "oapi_dependencies")
+load("//:deps.bzl", "go_dependencies")
+
+# gazelle:repository_macro deps.bzl%go_dependencies
+go_dependencies()
+
+oapi_dependencies()
+go_rules_dependencies()
+go_register_toolchains(version = "1.20.6")
+gazelle_dependencies()
+
+http_archive(
+    name = "com_google_protobuf",
+    sha256 = "d0f5f605d0d656007ce6c8b5a82df3037e1d8fe8b121ed42e536f569dec16113",
+    strip_prefix = "protobuf-3.14.0",
+    urls = [
+        "https://mirror.bazel.build/github.com/protocolbuffers/protobuf/archive/v3.14.0.tar.gz",
+        "https://github.com/protocolbuffers/protobuf/archive/v3.14.0.tar.gz",
+    ],
+)
+
+load("@com_google_protobuf//:protobuf_deps.bzl", "protobuf_deps")
+
+protobuf_deps()
+
+# Start of rules_pkg, which we use for tarballs in Docker containers. This needs
+# to be placed before Docker configuration, see
+# https://github.com/bazelbuild/rules_pkg/issues/606 for details.
+http_archive(
+    name = "rules_pkg",
+    urls = [
+        "https://mirror.bazel.build/github.com/bazelbuild/rules_pkg/releases/download/0.9.1/rules_pkg-0.9.1.tar.gz",
+        "https://github.com/bazelbuild/rules_pkg/releases/download/0.9.1/rules_pkg-0.9.1.tar.gz",
+    ],
+    sha256 = "8f9ee2dc10c1ae514ee599a8b42ed99fa262b757058f65ad3c384289ff70c4b8",
+)
+
+load("@rules_pkg//:deps.bzl", "rules_pkg_dependencies")
+
+rules_pkg_dependencies()
+
+
+# Start of container image configuration, see https://github.com/bazel-contrib/rules_oci
+http_archive(
+    name = "rules_oci",
+    sha256 = "176e601d21d1151efd88b6b027a24e782493c5d623d8c6211c7767f306d655c8",
+    strip_prefix = "rules_oci-1.2.0",
+    url = "https://github.com/bazel-contrib/rules_oci/releases/download/v1.2.0/rules_oci-v1.2.0.tar.gz",
+)
+
+load("@rules_oci//oci:dependencies.bzl", "rules_oci_dependencies")
+
+rules_oci_dependencies()
+
+load("@rules_oci//oci:repositories.bzl", "LATEST_CRANE_VERSION", "oci_register_toolchains")
+
+oci_register_toolchains(
+    name = "oci",
+    crane_version = LATEST_CRANE_VERSION,
+)
+
+load("@rules_oci//oci:pull.bzl", "oci_pull")
+
+oci_pull(
+    name = "distroless_base",
+    digest = "sha256:73deaaf6a207c1a33850257ba74e0f196bc418636cada9943a03d7abea980d6d",
+    image = "gcr.io/distroless/base",
+    platforms = ["linux/amd64"],
+)

cmd/server/BUILD.bazel

@@ -0,0 +1,74 @@
+load("@io_bazel_rules_go//go:def.bzl", "go_binary", "go_library")
+load("@rules_pkg//:pkg.bzl", "pkg_tar")
+load("@rules_oci//oci:defs.bzl", "oci_image", "oci_push", "oci_tarball")
+
+go_library(
+    name = "server_lib",
+    srcs = ["main.go"],
+    importpath = "github.com/RMI/pacta/cmd/server",
+    visibility = ["//visibility:private"],
+    deps = [
+        "//cmd/server/pactasrv",
+        "//db/sqldb",
+        "//keyutil",
+        "//openapi:pacta_generated",
+        "@com_github_deepmap_oapi_codegen//pkg/chi-middleware",
+        "@com_github_go_chi_chi_v5//:chi",
+        "@com_github_go_chi_chi_v5//middleware",
+        "@com_github_go_chi_httprate//:httprate",
+        "@com_github_go_chi_jwtauth_v5//:jwtauth",
+        "@com_github_jackc_pgx_v4//pgxpool",
+        "@com_github_namsral_flag//:flag",
+        "@com_github_rs_cors//:cors",
+        "@com_github_silicon_ally_zaphttplog//:zaphttplog",
+        "@org_uber_go_zap//:zap",
+    ],
+)
+
+go_binary(
+    name = "server",
+    embed = [":server_lib"],
+    visibility = ["//visibility:public"],
+)
+
+filegroup(
+    name = "configs",
+    srcs = glob(["configs/**"]),
+    visibility = ["//visibility:public"],
+)
+
+pkg_tar(
+    name = "configs_tar",
+    srcs = [":configs"],
+    package_dir = "/configs",
+    strip_prefix = "/cmd/server/configs",
+)
+
+pkg_tar(
+    name = "server_tar",
+    srcs = [":server"],
+)
+
+oci_image(
+    name = "image",
+    base = "@distroless_base",
+    entrypoint = ["/server"],
+    tars = [
+        ":server_tar",
+        ":configs_tar",
+    ],
+)
+
+oci_push(
+    name = "push_image",
+    image = ":image",
+    remote_tags = ["latest"],
+    repository = "TODO",
+)
+
+# Note: This tarball is provided for local testing of the Docker image, see the README.md for details on usage.
+oci_tarball(
+    name = "image_tarball",
+    image = ":image",
+    repo_tags = [],
+)

cmd/server/README.md

@@ -0,0 +1,73 @@
+# PACTA API Server
+
+The PACTA API Server is the main API-serving binary in the PACTA ecosystem. All endpoints are defined in [OpenAPI 3.0](https://spec.openapis.org/oas/v3.0.0) definitions, which live in the [`/openapi`](/openapi) directory. This binary serves the PACTA service (in [pacta.yaml](/openapi/pacta.yaml)), and may add other related services in the future.
+
+## Running the API server
+
+Run the server:
+
+```bash
+# Run the backend
+bazel run //scripts:run_server
+```
+
+There are two ways to access the PACTA API endpoints, both require an RMI-signed JWT token:
+
+1. **With the frontend** - Using the frontend, you can login with Azure and exchange the token for an RMI JWT, which will then be available in the `jwt` cookie in the browser.
+2. **With `genjwt`** - The genjwt tool can generate tokens that can be used directly with the PACTA API, make sure to have the `test_server.key` private key generated from your credential service (using the `keygen` tool) in the root of the PACTA repo directory, then run:
+
+```bash
+bazel run //scripts:run_genjwt
+
+# This will output something like:
+# Token: <header>.<payload>.<sig>
+```
+
+You can use this token to query the PACTA (currently just the Petstore example) API:
+
+```bash
+APIKEY='<the token from genjwt>'
+# Get pets
+curl -H "Authorization: BEARER $APIKEY" -X GET localhost:8080/pets
+
+# []
+
+# Add a pet
+curl \
+  -H "Authorization: BEARER $APIKEY" \
+  -X POST \
+  --data '{"name": "Scruffles", "tag": "good dog"}' \
+  -H 'Content-Type: application/json' \
+  localhost:8080/pets
+
+# {"id":1,"name":"Scruffles","tag":"good dog"}
+
+# Get pets again
+curl -H "Authorization: BEARER $APIKEY" -X GET localhost:8080/pets
+
+# [{"id":1,"name":"Scruffles","tag":"good dog"}]
+```
+
+## Building and running the Docker container locally
+
+To build and run the image locally:
+
+```bash
+# Build the image
+bazel build --@io_bazel_rules_go//go/config:pure //cmd/server:image_tarball
+
+# Load it into Docker. This will print out something like:
+# Loaded image ID: sha256:<image SHA>
+docker load < bazel-bin/cmd/server/image_tarball/tarball.tar
+
+docker run --rm -it sha256:<image SHA from previous step> --config=/configs/local.conf
+```
+
+If you get an error like:
+
+```
+/server: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.32' not found (required by /server)
+/server: /lib/x86_64-linux-gnu/libc.so.6: version `GLIBC_2.34' not found (required by /server)
+```
+
+Make sure you included the `--@io_bazel_rules_go//go/config:pure` flag in `bazel build`, see [`pure` docs](https://github.com/bazelbuild/rules_go/blob/master/go/modes.rst#pure). The problem is that without it, the compiled binary dynamically links glibc against your system, which may use a different version of glibc than the Docker container, which currently uses Debian 11 + glibc 2.28

cmd/server/configs/local.conf

@@ -0,0 +1,3 @@
+env local
+auth_public_key_file test_server.pub
+allowed_cors_origin http://localhost:3000