fossas / fossa-cli

Fast, portable and reliable dependency analysis for any codebase. Supports license & vulnerability scanning for large monoliths. Language-agnostic; integrates with 20+ build systems.
https://fossa.com

[ANE-1692] CLI communicates with analysis.fossa.com by default #1441

Closed spatten closed 2 months ago

spatten commented 2 months ago

Overview

Delivers ANE-1692

Testing plan

Setup

To test this, we need to be able to hit Sparkle, but running at http://localhost:3000. I did this by using Nginx as a reverse proxy.

Point analysis.fossa.com to localhost in /etc/hosts

Add this to /etc/hosts:

127.0.0.1 analysis.fossa.com

Create an SSL Cert

Here's how I did it.

First, generate your key. You will need the passphrase for the next few steps, so make sure you remember it:

sudo openssl genrsa -des3 -out server.key 4096
passphrase: <some passphrase>

Now generate your CSR:

sudo openssl req -new -key server.key -out server.csr

Make sure you put analysis.fossa.com for the appropriate answers when you run this. Mine looked like this:

sudo openssl req -new -key server.key -out server.csr
Enter pass phrase for server.key:
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:CA
State or Province Name (full name) [Some-State]:BC
Locality Name (eg, city) []:Vancouver
Organization Name (eg, company) [Internet Widgits Pty Ltd]:analysis.fossa.com
Organizational Unit Name (eg, section) []:analysis.fossa.com
Common Name (e.g. server FQDN or YOUR name) []:analysis.fossa.com
Email Address []:scott@fossa.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Now generate the crt file and copy things to the right spot:

sudo cp server.key server.key.org
sudo openssl rsa -in server.key.org -out server.key
sudo openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt

That will result in a server.crt and server.key file. Put those in /usr/local/nginx/conf

sudo mkdir -p /usr/local/nginx/conf
sudo mv server.crt /usr/local/nginx/conf
sudo mv server.key /usr/local/nginx/conf

Make your OS accept the cert even though it's self-signed

On MacOS, I followed the directions here: https://tosbourn.com/getting-os-x-to-trust-self-signed-ssl-certificates/

Set up nginx to reverse-proxy analysis.fossa.com to Sparkle running locally

brew install nginx

Put this in your nginx config (/opt/homebrew/etc/nginx/nginx.conf) inside the http block:

    server {
        listen       analysis.fossa.com:80;
        listen 443 ssl;
        server_name  analysis.fossa.com;
        ssl_certificate  /usr/local/nginx/conf/server.crt;
        ssl_certificate_key  /usr/local/nginx/conf/server.key;
        ssl_ciphers  HIGH:!aNULL:!MD5;
        ssl_prefer_server_ciphers  on;
        location / {
            proxy_pass http://127.0.0.1:3000;
        }
    }

Test that your config is working properly:

sudo nginx -t
nginx: the configuration file /opt/homebrew/etc/nginx/nginx.conf syntax is ok
nginx: configuration file /opt/homebrew/etc/nginx/nginx.conf test is successful

Start the nginx service. You're binding to port 80, so you have to do this as root:

sudo brew services start nginx

Now you should be able to go to http://analysis.fossa.com in your browser and see it hit Sparkle running on localhost:3000. We're using a self-signed certificate, so you'll have to click through a scary warning.

Now that you're set up, let's test that things work.

This will hit Sparkle and Sparkle will proxy to Core:

make install-dev
cd ~/some/project
FOSSA_API_KEY=... fossa-dev analyze 

Watch your Sparkle logs. Make sure that the CLI is hitting URLs. You should see a bunch of GET api/cli/organization, a POST to api/builds/custom and a POST to /api/cli/telemetry.

There should be no errors in the Sparkle logs.

Check that the project URL is correct and points at app.fossa.com.

Try again, but force the endpoint to Sparkle by using this flag: -e https://analysis.fossa.com

Everything should work exactly the same, except the project URL will now point at analysis.fossa.com. Make sure that the analysis.fossa.com URL redirects to the correct spot on app.fossa.com.

Run this with a normal build, a build with vendored dependencies and a container.

Risks

This is a small change in some ways, but a big change in others.

If Sparkle is working correctly, this will be just fine.

If Sparkle is not working correctly, this will cause problems.

But the risk is not contained in this PR. This PR just exposes it.

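The testing setup above has three moving parts: a hosts override that sends analysis.fossa.com to the local machine, a self-signed certificate the OS is told to trust, and an nginx reverse proxy that terminates TLS and forwards to Sparkle on port 3000. The Go program below is an added example, not code from fossa-cli or from the PR author, that reproduces the same arrangement in-process so it can be exercised offline: a plain-HTTP test server stands in for Sparkle (constructed), an httputil reverse proxy served over TLS stands in for nginx, a custom dialer plays the role of the /etc/hosts entry, and a cert pool plays the role of "make your OS accept the cert". It also covers two caveats the openssl steps above do not: the certificate carries a Subject Alternative Name (a CN-only cert fails hostname verification in modern TLS clients, so the CLI may reject it even after the OS trusts it), and a client that has not been given the cert must fail the handshake, which is the programmatic form of the browser's warning. The hostname analysis.fossa.com and the path /api/cli/organization are taken from the PR; everything else (function names, the echo format, ports) is assumed for the example.

```go
package main

import (
	"context"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"io"
	"math/big"
	"net"
	"net/http"
	"net/http/httptest"
	"net/http/httputil"
	"net/url"
	"time"
)

// Hostname the CLI contacts by default; the test setup intercepts it locally.
const interceptHost = "analysis.fossa.com"

// selfSignedCert builds an in-memory self-signed cert for host and a pool that trusts it.
// It includes a Subject Alternative Name: a CN-only cert fails hostname checks in modern clients.
func selfSignedCert(host string) (tls.Certificate, *x509.CertPool, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: host},
		DNSNames:              []string{host}, // the SAN entry
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  true, // lets the same cert serve as the trust anchor
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, _ := x509.ParseCertificate(der) // der was just produced above; cannot fail
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, pool, nil
}

// clientFor dials proxyAddr whenever the client would dial interceptHost:443 (the /etc/hosts
// step) while keeping interceptHost as TLS server name, and trusts only roots (nil = system store).
func clientFor(proxyAddr string, roots *x509.CertPool) *http.Client {
	tr := &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: roots},
		DialContext: func(ctx context.Context, network, addr string) (net.Conn, error) {
			if addr == interceptHost+":443" {
				addr = proxyAddr
			}
			return (&net.Dialer{Timeout: 5 * time.Second}).DialContext(ctx, network, addr)
		},
	}
	return &http.Client{Transport: tr, Timeout: 5 * time.Second}
}

// RunLocalProxyCheck wires backend -> TLS reverse proxy -> client. It returns what the backend
// saw ("<Host> <path>") and the error a client that does not trust the certificate gets.
func RunLocalProxyCheck() (echo string, untrustedErr error, err error) {
	cert, roots, err := selfSignedCert(interceptHost)
	if err != nil {
		return "", nil, err
	}
	// Plain-HTTP backend standing in for Sparkle on localhost:3000 (constructed stand-in).
	backend := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprintf(w, "%s %s", r.Host, r.URL.Path)
	}))
	defer backend.Close()
	// TLS reverse proxy standing in for nginx. NewSingleHostReverseProxy passes the client's Host
	// header through; nginx's proxy_pass sends the upstream address unless proxy_set_header Host $host is set.
	target, _ := url.Parse(backend.URL)
	proxy := httptest.NewUnstartedServer(httputil.NewSingleHostReverseProxy(target))
	proxy.TLS = &tls.Config{Certificates: []tls.Certificate{cert}}
	proxy.StartTLS()
	defer proxy.Close()
	proxyAddr := proxy.Listener.Addr().String()
	resp, err := clientFor(proxyAddr, roots).Get("https://" + interceptHost + "/api/cli/organization")
	if err != nil {
		return "", nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(resp.Body)
	if err != nil {
		return "", nil, err
	}
	// Same request without trusting the cert must fail: this is what the browser warning signals.
	_, untrustedErr = clientFor(proxyAddr, nil).Get("https://" + interceptHost + "/")
	return string(body), untrustedErr, nil
}
```

Calling RunLocalProxyCheck from a test or a main should yield the echo "analysis.fossa.com /api/cli/organization" and a non-nil untrustedErr (an unknown-authority error). Two points carry over to the real nginx setup: if the CLI rejects the self-signed cert even after the OS trusts it, check that the cert has a SAN for analysis.fossa.com rather than only a CN; and if Sparkle keys anything off the Host header, note that nginx's default proxy_pass rewrites it to the upstream address, so add proxy_set_header Host $host inside the location block to forward analysis.fossa.com.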

spatten commented 2 months ago

We're going to do this in a different way, talking to sparkle only on specific routes instead of for all routes, so closing this