#! /usr/bin/env bash
##########################################
# DO NOT MAKE LOCAL CHANGES TO THIS FILE #
# #
# Vars in this file can be overridden by #
# exporting them in .envrc.local #
##########################################
# Add local paths for binaries and scripts
# NOTE(review): anything committed under ./bin or ./scripts becomes runnable
# by bare name in every shell that enters this checkout, so changes to those
# directories deserve the same review as changes to this file; `direnv allow`
# is the trust boundary for both.
PATH_add ./bin
PATH_add ./scripts
# Parallel arrays: required_vars[i] names an env var that must be non-empty,
# var_docs[i] is the help text shown when it is missing.
required_vars=()
var_docs=()
# Declare an environment variable as required.
#
#   require VAR_NAME "Documentation about how to define valid values"
#
# This only records the name and its help text in the two arrays above;
# nothing is validated until check_required_variables runs at the end of
# this file, after .envrc.local has had a chance to supply the value.
require() {
  local name=$1
  local doc=$2
  required_vars+=("${name}")
  var_docs+=("${doc}")
}
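# Check every variable declared with `require`. For each one that is unset or
# empty, print its help text; if any were missing, print a summary error.
#
# This function only reports. It does not exit and does not return a failure
# status (the old comment promised a non-zero exit that never happened), so
# the developer sees every missing variable in one pass and direnv still loads
# the rest of the environment. Globals read: required_vars, var_docs.
check_required_variables() {
  local i name missing_var=false
  for i in "${!required_vars[@]}"; do
    name=${required_vars[i]}
    # Indirect expansion of the named variable; ":-" keeps it safe when unset.
    if [[ -z "${!name:-}" ]]; then
      log_status "${name} is not set: ${var_docs[i]}"
      missing_var=true
    fi
  done
  if [[ "${missing_var}" == "true" ]]; then
    log_error "Your environment is missing some variables!"
    log_error "Set the above variables in .envrc.local and try again."
  fi
}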
#############################
# AWS VAULT SETTINGS #
#############################
# Name of the keychain aws-vault stores its credentials in.
export AWS_VAULT_KEYCHAIN_NAME=login
#############################
# Load Secrets from Chamber #
#############################
# Make Chamber read ~/.aws/config
export AWS_SDK_LOAD_CONFIG=1
# Make Chamber use the default AWS KMS key
# NOTE(review): this is the AWS-managed SSM key rather than a customer-managed
# one, so access to these secrets is governed by SSM read permissions alone.
# Acceptable for the devlocal values loaded here; confirm before reusing the
# same settings for anything non-local.
export CHAMBER_KMS_KEY_ALIAS='alias/aws/ssm'
# Make Chamber use path based keys ('/' instead of '.')
export CHAMBER_USE_PATHS=1
# Sets the number of retries for chamber to 20.
export CHAMBER_RETRIES=20
# Loads secrets from chamber instead of requiring them to be listed in .envrc.local
if [[ ! -e .envrc.chamber ]]; then
  log_status "Want to load secrets from chamber? 'cp .envrc.chamber.template .envrc.chamber'"
else
  # Loading secrets from Chamber can take a while. Prevent direnv from
  # complaining.
  export DIRENV_WARN_TIMEOUT="20s"
  # Warn when the local copy no longer matches the tracked template. This is
  # a warning only: a drifted .envrc.chamber is still sourced below, so read
  # the diff before trusting whatever it loads.
  cmp .envrc.chamber .envrc.chamber.template >/dev/null 2>&1 \
    || log_error "Your .envrc.chamber has drifted from .envrc.chamber.template. Please 'cp .envrc.chamber.template .envrc.chamber'"
  source_env .envrc.chamber
fi
#########################
# Project Configuration #
#########################
# Enable Go module as 'auto' because we want people working outside the $GOPATH
# and we also want dependencies in pre-commit to use $GOPATH instead of managing them
# locally in the ~/.cache/pre-commit/repo*/ directories.
export GO111MODULE=auto
# Allows use of certificates that do not use SANS (required for our current certs for Go1.15.2)
# NOTE(review): this re-enables the legacy Common-Name fallback for hostname
# verification in every Go process started from this directory. Later Go
# releases drop the knob entirely, so treat it as temporary until the certs
# carry SANs.
export GODEBUG="x509ignoreCN=0"
# Capture the root directory of the project. This works even if someone `cd`s
# directly into a subdirectory. Resolved from this file's own location rather
# than $PWD; used below to build absolute paths under config/tls and migrations.
MYMOVE_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
export MYMOVE_DIR
# Sets the environment for the server
export ENVIRONMENT=development
# Sets the application for migrations, options are 'app' or 'orders'
export APPLICATION=app
# Migration Path
# Two ';'-separated file:// locations, the schema and the 'secure' migrations.
export MIGRATION_PATH="file://${MYMOVE_DIR}/migrations/app/schema;file://${MYMOVE_DIR}/migrations/app/secure"
export MIGRATION_MANIFEST="${MYMOVE_DIR}/migrations/app/migrations_manifest.txt"
# Default DB configuration
# Throwaway devlocal credentials for the Postgres instances on localhost (dev,
# test and deployed-migrations each get their own port below). They are
# intentionally weak; anything non-local must come from .envrc.local or
# chamber, never from this file.
export DB_PASSWORD=mysecretpassword
export DB_PASSWORD_LOW_PRIV=mysecretpassword
# PGPASSWORD lets psql/pg_* tools connect without prompting. It is inherited by
# every process started from this directory, so keep it tied to the local-only
# DB_PASSWORD above (a ~/.pgpass file would be the less leaky alternative).
export PGPASSWORD=$DB_PASSWORD
export DB_USER=postgres
export DB_USER_LOW_PRIV=crud
export DB_HOST=localhost
export DB_PORT=5432
export DB_PORT_DEPLOYED_MIGRATIONS=5434
export DB_PORT_TEST=5433
export DB_NAME=dev_db
export DB_NAME_DEV=dev_db
export DB_NAME_DEPLOYED_MIGRATIONS=deployed_migrations
export DB_NAME_TEST=test_db
export DB_RETRY_INTERVAL=5s
# Plaintext is acceptable only because DB_HOST is localhost; turn verification
# back on (e.g. verify-full) before pointing DB_HOST anywhere else.
export DB_SSL_MODE=disable
# Login.gov configuration
# Plain http on port 3000 is only suitable for the local dev server.
export LOGIN_GOV_CALLBACK_PROTOCOL="http"
export LOGIN_GOV_CALLBACK_PORT="3000"
# One OIDC client ID per app. The "...local" suffixes and the sandbox hostname
# below suggest these are registered against the Login.gov identity sandbox,
# not the live IdP — confirm before reusing elsewhere.
export LOGIN_GOV_MY_CLIENT_ID="urn:gov:gsa:openidconnect.profiles:sp:sso:dod:mymovemillocal"
export LOGIN_GOV_OFFICE_CLIENT_ID="urn:gov:gsa:openidconnect.profiles:sp:sso:dod:officemovemillocal"
export LOGIN_GOV_ADMIN_CLIENT_ID="urn:gov:gsa:openidconnect.profiles:sp:sso:dod:adminmovemillocal"
export LOGIN_GOV_ENGADMIN_CLIENT_ID="urn:gov:gsa:openidconnect.profiles:sp:sso:dod:engadminmovemillocal"
export LOGIN_GOV_HOSTNAME="idp.int.identitysandbox.gov"
# The client secret is never written into this file; it comes from chamber (or
# .envrc.local) and is only checked for presence at the end of this file.
require LOGIN_GOV_SECRET_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal login_gov_secret_key'"
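# JSON Web Token (JWT) config
# The devlocal signing key lives in the checkout under config/tls, so it is
# only suitable for local development. Read it via MYMOVE_DIR like every other
# config/tls path in this file (not relative to the caller's cwd), and register
# it as required so an unreadable or empty key file is reported by
# check_required_variables instead of silently exporting an empty secret.
CLIENT_AUTH_SECRET_KEY=$(cat "${MYMOVE_DIR}/config/tls/devlocal-client_auth_secret.key")
export CLIENT_AUTH_SECRET_KEY
require CLIENT_AUTH_SECRET_KEY "Could not read ${MYMOVE_DIR}/config/tls/devlocal-client_auth_secret.key; check that the checkout is complete"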
# Path to PEM-encoded CA certificate used to sign testing and development certificates
# This CA is not trusted in production!
export DEVLOCAL_CA="${MYMOVE_DIR}/config/tls/devlocal-ca.pem"
# NOTE(review): presumably enables a development-only authentication path —
# verify what the server does with it before setting it anywhere but localhost.
export DEVLOCAL_AUTH=true
# Path to PKCS#7 package containing certificates of all DoD root and
# intermediate CAs, so that we can both validate the server certs of other DoD
# entities like GEX and DMDC, as well as validate the client certs of other DoD
# entities when they connect to us
export DOD_CA_PACKAGE="${MYMOVE_DIR}/config/tls/Certificates_PKCS7_v5.6_DoD.der.p7b"
# MyMove client certificate
# All of our DoD-signed certs are currently signed by DOD SW CA-54
# This cannot be changed unless our certs are all resigned
# The CA certificate is public and read from the checkout; the TLS cert and its
# private key are documented as coming from chamber and are only checked for
# presence at the end of this file.
MOVE_MIL_DOD_CA_CERT=$(cat "${MYMOVE_DIR}"/config/tls/dod-sw-ca-54.pem)
require MOVE_MIL_DOD_TLS_CERT "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal move_mil_dod_tls_cert'"
require MOVE_MIL_DOD_TLS_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal move_mil_dod_tls_key'"
export MOVE_MIL_DOD_CA_CERT
# Use UTC timezone
export TZ="UTC"
# AWS development access
#
# To use S3/SES for local builds, you'll need to uncomment the following.
# Do not commit the change:
#
# export STORAGE_BACKEND=s3
# export EMAIL_BACKEND=ses
#
# Instructions for using S3 storage backend here: https://github.com/transcom/mymove/wiki/Test-Storing-Data-in-S3-in-Devlocal
# Instructions for using SES email backend here: https://github.com/transcom/mymove/wiki/Test-Sending-Email-in-Devlocal
#
# The default and equivalent to not being set is:
#
# export STORAGE_BACKEND=local
# export EMAIL_BACKEND=local
#
# Setting region and profile conditionally while we migrate from com to govcloud.
# NOTE(review): this branch is evaluated before .envrc.local is sourced (near
# the end of this file), so a STORAGE_BACKEND=s3 that lives only in
# .envrc.local does not appear to reach it on the same direnv pass; the value
# has to be in the environment when this line runs. Confirm against the wiki
# instructions linked above.
if [[ "${STORAGE_BACKEND}" == "s3" ]]; then
  # GovCloud dev bucket; these only take effect when S3 is selected.
  export AWS_S3_BUCKET_NAME="transcom-gov-dev-app-devlocal-us-gov-west-1"
  export AWS_S3_REGION="us-gov-west-1"
  export AWS_DEFAULT_REGION="us-gov-west-1"
  export AWS_PROFILE=transcom-gov-dev
fi
# Presumably namespaces object keys per developer in the shared dev bucket.
export AWS_S3_KEY_NAMESPACE=$USER
export AWS_SES_DOMAIN="devlocal.dp3.us"
export AWS_SES_REGION="us-gov-west-1"
# To use s3 links aws-bucketname/xx/user/ for local builds,
# you'll need to add the following to your .envrc.local:
#
# export STORAGE_BACKEND=s3
#
# HERE MAPS API
export HERE_MAPS_GEOCODE_ENDPOINT="https://geocoder.api.here.com/6.2/geocode.json"
export HERE_MAPS_ROUTING_ENDPOINT="https://route.api.here.com/routing/7.2/calculateroute.json"
# HERE credentials are never hardcoded here; they come from chamber or .envrc.local.
require HERE_MAPS_APP_ID "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal here_maps_app_id'"
require HERE_MAPS_APP_CODE "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal here_maps_app_code'"
# GEX integration config
export GEX_BASIC_AUTH_USERNAME="mymovet"
# The basic-auth password travels in a request header, so only ever point
# GEX_URL at an https endpoint when you do set it.
require GEX_BASIC_AUTH_PASSWORD "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal gex_basic_auth_password'"
# Empty by default so no GEX request is actually sent from a dev environment.
export GEX_URL=""
# To actually send the GEX request, replace url in envrc.local with the line below
# export GEX_URL=https://gexweba.daas.dla.mil/msg_data/submit/
# DPS auth/cookie signing secrets come from chamber; cookie lifetime is in minutes.
require DPS_AUTH_SECRET_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal dps_auth_secret_key'"
require DPS_AUTH_COOKIE_SECRET_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal dps_auth_cookie_secret_key'"
export DPS_COOKIE_EXPIRES_IN_MINUTES="240"
# Plain http on 8080 for the local SDDC listener; development only.
export HTTP_SDDC_PROTOCOL="http"
export HTTP_SDDC_PORT="8080"
export DPS_REDIRECT_URL="https://dpstest.sddc.army.mil/cust"
export DPS_COOKIE_NAME="DPSIVV"
# DMDC Identity Web Services Real-Time Broker Service
# To test against DMDC IWS RBS modify IWS_RBS_ENABLED and set to 1 in your .envrc.local
# It is disabled by default so that no requests are sent to DMDC during development unless explicitly set
export IWS_RBS_ENABLED=0
export IWS_RBS_HOST="pkict.dmdc.osd.mil"
# Unsecured CSRF Auth Key, for local dev only
# (the devlocal value is shared through chamber with every developer, so treat
# it as public and never reuse it in a deployed environment)
require CSRF_AUTH_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal csrf_auth_key'"
# Always show Swagger UI in development
# NOTE(review): Swagger UI exposes the full API surface; keep this development-only.
export SERVE_SWAGGER_UI=true
# HAPPO Keys
require HAPPO_API_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal happo_api_key'"
require HAPPO_API_SECRET "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal happo_api_secret'"
# EIA API Key (for fuel price data)
require EIA_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal eia_key'"
export EIA_URL="https://api.eia.gov/series/"
# Listeners
# Note the mixed boolean conventions (1 vs. true/false); they are kept as-is
# because each flag's consumer is outside this file.
export NO_TLS_ENABLED=1 # primary development listener (plaintext, local only)
export MUTUAL_TLS_ENABLED=1 # used for orders and prime testing
export TLS_ENABLED=false # not used in development
# Set server names
export HTTP_MY_SERVER_NAME=milmovelocal
export HTTP_OFFICE_SERVER_NAME=officelocal
export HTTP_ADMIN_SERVER_NAME=adminlocal
export HTTP_ORDERS_SERVER_NAME=orderslocal
export HTTP_PRIME_SERVER_NAME=primelocal
# Set ports - Changed from defaults so as not to conflict with transcom/mymove
export GIN_PORT=9001
export NO_TLS_PORT=8080
export TLS_PORT=8443
export MUTUAL_TLS_PORT=9443
# Services
# Everything is served locally, including the admin and support surfaces;
# that is a development convenience, not a deployment profile.
export SERVE_ADMIN=true
export SERVE_SDDC=true
export SERVE_ORDERS=true
export SERVE_DPS=true
export SERVE_API_INTERNAL=true
export SERVE_API_GHC=true
export SERVE_API_PRIME=true
export SERVE_API_SUPPORT=true
# Set feature flags
export FEATURE_FLAG_ACCESS_CODE=false
export FEATURE_FLAG_SUPPORT_ENDPOINTS=true
# Set golangci-lint concurrency env variable
export GOLANGCI_LINT_CONCURRENCY=6
# Set golangci-lint verbosity if value is "-v"
export GOLANGCI_LINT_VERBOSE=""
# Set DB_DEBUG to true for development to enable sql logging
# NOTE(review): SQL logging may echo query parameters (potentially PII) to the
# console; leave it off outside devlocal.
export DB_DEBUG=1
# Set the logging level to debug locally. You can override in .envrc.local
# Other possible values are: info, warn, error, fatal
export LOGGING_LEVEL=debug
# Anti-Virus Settings
# Scan the whole checkout.
export AV_DIR="${MYMOVE_DIR}"
# WARNING: IGNORE FILES AT OUR PERIL. IF ADDING HERE ADD NOTES!
# Every entry below is a blind spot in the scan; keep the list short and justified.
# - pkg/testdatagen/testdata/orders.pdf is a file used exclusively for testing
export AV_IGNORE_FILES=pkg/testdatagen/testdata/orders.pdf
# WARNING: IGNORE SIGNATURES AT OUR PERIL. IF ADDING HERE ADD NOTES!
# A signature ignore presumably applies to any file that trips it, not only
# the test PDF above, so prefer ignoring a file over ignoring a signature.
# - PUA.Pdf.Trojan.EmbeddedJavaScript-1 is ignored because we don't ship PDFs in any docker containers
# - orders.pdf.UNOFFICIAL is a finding based on the ignored file above of the same name
export AV_IGNORE_SIGS="PUA.Pdf.Trojan.EmbeddedJavaScript-1 orders.pdf.UNOFFICIAL"
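#### Nix Experiment Start ####
# if nix is installed, use it (touch .nix-disable in the checkout to opt out)
if [[ ! -r .nix-disable ]] && has nix-env; then
  # set NIX_PROFILE so nix-env operations don't need to manually
  # specify the profile path
  export NIX_PROFILE=/nix/var/nix/profiles/mymove
  # Having NIX_SSL_CERT_FILE set means go won't use macOS keychain based certs.
  # Keep the original value around (empty if it was unset) and clear it.
  export NIX_SSL_CERT_FILE_ORIG="${NIX_SSL_CERT_FILE:-}"
  unset NIX_SSL_CERT_FILE
  # Nix installs opensc which the prime-api-client needs. This shared object
  # gets loaded into whatever process uses the PKCS#11 module, so it must come
  # from the immutable nix profile, never from a user-writable location.
  export PKCS11MODULE=/nix/var/nix/profiles/mymove/lib/opensc-pkcs11.so
  nix_dir="nix"
  # add the nix files so that if they change, direnv needs to be reloaded
  watch_file "${nix_dir}"/*.nix
  config_hash=$(nix-hash "${nix_dir}")
  store_hash=$(nix-store -q --hash "${NIX_PROFILE}")
  # The .nix-hash file is created by nix/update.sh. Match as a fixed string
  # (-F, --) rather than as a regex so the comparison cannot be loosened or
  # broken by metacharacters in the hash output.
  if [[ ! -r .nix-hash ]] || ! grep -qF -- "${config_hash}-${store_hash}" .nix-hash; then
    log_status "WARNING: nix packages out of date. Run ${nix_dir}/update.sh"
  fi
  # add the NIX_PROFILE bin path so that everything we just installed
  # is available on the path
  PATH_add "${NIX_PROFILE}/bin"
  # Add the node binaries to our path
  # NOTE(review): anything npm installs into node_modules becomes runnable by
  # bare name here, so lockfile changes deserve review.
  PATH_add ./node_modules/.bin
  # nix is immutable, so we need to specify a path for local changes, e.g.
  # binaries can be installed local to this project
  export GOPATH="${PWD}/.gopath"
  PATH_add ./.gopath/bin
  # nix is immutable, so we need to specify a path so npm global
  # installs work
  export NPM_CONFIG_PREFIX="${PWD}/.npmglobal"
  PATH_add ./.npmglobal/bin
fi
#### Nix Experiment End ######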
##############################################
# Load Local Overrides and Check Environment #
##############################################
# Load a local overrides file. Any changes you want to make for your local
# environment should live in that file. It is sourced last, so it can override
# anything set above (including values loaded from chamber); since it usually
# holds secrets, keep it out of version control.
if [[ -e .envrc.local ]]; then
  source_env .envrc.local
fi
# Check that all required environment variables are set, now that every
# source of values (this file, chamber, .envrc.local) has been consulted.
check_required_variables