has anyone scripted doing updates to the CII site?

Tony Hansen

I’m one of the many people working on the Linux ONAP (Open Networking Automation Platform) Project. We chose to pursue CII badges from the very beginning, but because of the size of the project, we chose several years ago to use separate CII projects for each of the ONAP sub-projects. We currently have close to 40 CII projects covering the ONAP sub-projects.

For all of the application-specific questions, we rely on our project team leaders to answer the questions. However, when we do something (say, updating our build infrastructure to better satisfy one of the Gold questions), we are faced with updating all 40 CII pages with an identical update. Getting the project team leaders to do the updates has proven unreliable, and doing the update one project at a time is tedious at best.

So I’d like a tool that could be used to do an identical update across a variety of CII projects. I’d like such a tool to take a list of CII project IDs, a field name and an update to make, such as

projects: 3777, . . .

mods:

    signed_releases_justification: "All release artifacts are signed by the Linux Foundation prior to release."

Of course, it would need to log in correctly with an ID that has been authorized on each of the projects.

I started writing such a tool, but I keep getting caught up with issues with CSRF.

Has anyone successfully scripted doing updates to the CII site? If no one has, is anyone interested in working with me on such a tool?

Thank you

                Tony Hansen
                tony@...


David Wheeler

On Wed, Aug 12, 2020 at 12:10 AM Tony Hansen <tony@...> wrote:
...
> So I’d like a tool that could be used to do an identical update across a variety of CII projects. I’d like such a tool to take a list of CII project IDs, a field name and an update to make, such as
> Of course, it would need to log in correctly with an ID that has been authorized on each of the projects.
> I started writing such a tool, but I keep getting caught up with issues with CSRF.
Tony: We developed the API so it *could* be done. But I have never
needed to do it, so I don't have code lying around to do it.

I'd be delighted to help anyone who starts down that path. I believe
it shouldn't be *too* hard,
the problem is that it has to be exactly right or it gets (rightly) rejected.

The current API documentation may help:
https://github.com/coreinfrastructure/best-practices-badge/blob/master/doc/api.md
... and if such code is created, we should add it to the API documentation.

--- David A. Wheeler
Director of Open Source Supply Chain Security, The Linux Foundation


Tony Hansen

David, here are some questions not answered by that page:

* Does the REST API support basic authentication (over TLS)? Or some other HTTPS authentication method?

* When using the PATCH verb, what is the JSON input expected to look like?

PATCH /projects/:id(.:format) projects#update

Thank you

Tony

David Wheeler

On Aug 12, 2020, at 5:43 PM, HANSEN, TONY L <tony@...> wrote:
> David, here are some questions not answered by that page:
> * Does the REST API support basic authentication (over TLS)? Or some other HTTPS authentication method?
It uses TLS to authenticate the best practices server, as well as provide
confidentiality & integrity between client & server.
Login session management uses an HTTP cookie, not basic authentication.

A quick summary is “do what a human user would do”. You use a POST
to log in (with username & password), and get a cookie that represents your session.
That cookie can then be used (for a period of time) by sending it as part of
future requests, and grants you whatever your account is authorized to do.

> * When using the PATCH verb, what is the JSON input expected to look like?
> PATCH /projects/:id(.:format) projects#update
This is actually implemented by the underlying Rails framework. I’ll have to search,
but I believe there’s lots of sites that go into this.

— David A. Wheeler
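The "do what a human user would do" flow David describes, written out as an added example (Python) that is not part of this thread and not BadgeApp's own code: fetch the login form to pick up the Rails authenticity_token, POST it together with the credentials, keep the session cookie, then for each project read a fresh csrf-token from the edit page and send it in the X-CSRF-Token header with the PATCH. The paths and parameter names (/login, session[email], session[password], /projects/:id/edit, project[<field>]) are assumptions based on Rails conventions, not taken from the thread or the API document. FakeRailsServer is a constructed stand-in so the script runs offline; against the live site, pass in a request callable with the same signature that keeps cookies (urllib.request with an HTTPCookieProcessor, or a requests.Session).

```python
"""Bulk-update CII badge projects as a browser session would: GET the login
form, POST its CSRF token with the credentials, keep the session cookie, then
PATCH each project with a fresh token in the X-CSRF-Token header.
Added example, not BadgeApp's code. Assumed, not from the thread: /login posts
session[email]/session[password]; Rails puts the token in a hidden
authenticity_token field and in a csrf-token <meta> tag; PATCH /projects/:id
takes project[<field>] fields. FakeRailsServer is a constructed offline stand-in."""
import re

META_RE = re.compile(r'name="csrf-token"\s+content="([^"]+)"')
FORM_RE = re.compile(r'name="authenticity_token"\s+value="([^"]+)"')


class BadgeUpdater:
    """Needs request(method, path, data=None, headers=None) -> (status, body)
    backed by a cookie jar (e.g. urllib.request with HTTPCookieProcessor)."""
    def __init__(self, request):
        self.request = request

    def login(self, email, password):
        status, html = self.request("GET", "/login")
        if status != 200:
            raise RuntimeError(f"GET /login -> {status}")
        token = FORM_RE.search(html).group(1)    # tied to the cookie just set
        status, _ = self.request("POST", "/login", {
            "authenticity_token": token,
            "session[email]": email, "session[password]": password})
        if status not in (200, 302):
            raise RuntimeError(f"login rejected: {status}")

    def update(self, project_ids, field, value):
        """Apply one identical change to every project; returns {id: status}."""
        results = {}
        for pid in project_ids:
            # Login resets the session, so the form token is dead: read a fresh
            # one from the edit page, which also fails early without edit rights.
            status, html = self.request("GET", f"/projects/{pid}/edit")
            if status == 200:
                status, _ = self.request(
                    "PATCH", f"/projects/{pid}", {f"project[{field}]": value},
                    headers={"X-CSRF-Token": META_RE.search(html).group(1)})
            results[pid] = status
        return results


class FakeRailsServer:
    """Constructed stand-in, not the real site: it enforces only the session
    cookie and the CSRF token, the two things that get a naive script rejected."""
    def __init__(self, projects, credentials):
        self.projects, self.credentials = projects, credentials
        self.token, self.logged_in, self.counter = None, False, 0

    def _new_session(self):                      # models Set-Cookie plus a new token
        self.counter += 1
        self.token = f"tok-{self.counter}"

    def request(self, method, path, data=None, headers=None):
        data, headers = data or {}, headers or {}
        if (method, path) == ("GET", "/login"):
            self._new_session()
            return 200, f'<input name="authenticity_token" value="{self.token}">'
        if (method, path) == ("POST", "/login"):
            if data.get("authenticity_token") != self.token:
                return 422, "InvalidAuthenticityToken"
            if (data.get("session[email]"), data.get("session[password]")) != self.credentials:
                return 401, "bad credentials"
            self.logged_in = True
            self._new_session()                  # Rails reset_session: old token dies
            return 302, ""
        if not self.logged_in:
            return 302, "redirect to /login"
        m = re.fullmatch(r"/projects/(\d+)(/edit)?", path)
        if not m or int(m.group(1)) not in self.projects:
            return 404, "not found"
        if method == "GET" and m.group(2):
            return 200, f'<meta name="csrf-token" content="{self.token}">'
        if method != "PATCH" or headers.get("X-CSRF-Token") != self.token:
            return 422, "InvalidAuthenticityToken"   # stub: anything else rejected
        self.projects[int(m.group(1))].update(
            {k[8:-1]: v for k, v in data.items() if k.startswith("project[")})
        return 200, ""


def demo():
    """Offline run: statuses, status of a token-less PATCH, updated projects."""
    server = FakeRailsServer({3777: {}, 4000: {}}, ("editor@example.org", "pw"))
    app = BadgeUpdater(server.request)
    app.login("editor@example.org", "pw")
    statuses = app.update([3777, 4000, 9999], "signed_releases_justification",
        "All release artifacts are signed by the Linux Foundation prior to release.")
    naive, _ = server.request("PATCH", "/projects/3777",
                              {"project[signed_releases_justification]": "x"})
    return statuses, naive, server.projects
```

The stand-in's reset_session step models the thing that usually bites: the token scraped from the login form stops being valid once the login succeeds, so each PATCH needs a token read from a page served inside the logged-in session, and that token has to travel with the same cookie it was issued under. demo() returns {3777: 200, 4000: 200, 9999: 404} for the three projects (the last one does not exist), 422 for the token-less PATCH, and the updated project dicts.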