.envrc

#! /usr/bin/env bash

##########################################
# DO NOT MAKE LOCAL CHANGES TO THIS FILE #
#                                        #
# Vars in this file can be overridden by #
# exporting them in .envrc.local         #
##########################################

# Add local paths for binaries and scripts
PATH_add ./bin
PATH_add ./scripts

required_vars=()
var_docs=()

# Declare an environment variable as required.
#
#   require VAR_NAME "Documentation about how to define valid values"
require() {
  required_vars+=("$1")
  var_docs+=("$2")
}

# Check all variables declared as required. If any are missing, print a message and
# exit with a non-zero status.
check_required_variables() {
  missing_var=false

  for i in "${!required_vars[@]}"; do
    var=${required_vars[i]}
    if [[ -z "${!var:-}" ]]; then
      log_status "${var} is not set: ${var_docs[i]}"
      missing_var=true
    fi
  done

  if [[ $missing_var == "true" ]]; then
    log_error "Your environment is missing some variables!"
    log_error "Set the above variables in .envrc.local and try again."
  fi
}


#############################
# AWS VAULT SETTINGS        #
#############################

export AWS_VAULT_KEYCHAIN_NAME=login

#############################
# Load Secrets from Chamber #
#############################

# Make Chamber read ~/.aws/config
export AWS_SDK_LOAD_CONFIG=1
# Make Chamber use the default AWS KMS key
export CHAMBER_KMS_KEY_ALIAS='alias/aws/ssm'
# Make Chamber use path based keys ('/' instead of '.')
export CHAMBER_USE_PATHS=1
# Sets the number of retries for chamber to 20.
export CHAMBER_RETRIES=20

# Loads secrets from chamber instead of requiring them to be listed in .envrc.local

if [ -e .envrc.chamber ]; then
  # Loading secrets from Chamber can take a while. Prevent direnv from
  # complaining.
  export DIRENV_WARN_TIMEOUT="20s"

  # Evaluate if the files have drifted
  if ! cmp .envrc.chamber .envrc.chamber.template >/dev/null 2>&1; then
    log_error "Your .envrc.chamber has drifted from .envrc.chamber.template. Please 'cp .envrc.chamber.template .envrc.chamber'"
  fi

  source_env .envrc.chamber
else
  log_status "Want to load secrets from chamber? 'cp .envrc.chamber.template .envrc.chamber'"
fi

#########################
# Project Configuration #
#########################

# Enable Go module as 'auto' because we want people working outside the $GOPATH
# and we also want dependencies in pre-commit to use $GOPATH instead of managing them
# locally in the ~/.cache/pre-commit/repo*/ directories.
export GO111MODULE=auto

# Capture the root directory of the project. This works even if someone `cd`s
# directly into a subdirectory.
MYMOVE_DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
export MYMOVE_DIR

# Sets the environment for the server
export ENVIRONMENT=development

# Sets the application for migrations, options are 'app' or 'orders'
export APPLICATION=app

# Migration Path
export MIGRATION_PATH="file://${MYMOVE_DIR}/migrations/app/schema;file://${MYMOVE_DIR}/migrations/app/secure"
export MIGRATION_MANIFEST="${MYMOVE_DIR}/migrations/app/migrations_manifest.txt"

# Default DB configuration
export DB_PASSWORD=mysecretpassword
export DB_PASSWORD_LOW_PRIV=mysecretpassword
export PGPASSWORD=$DB_PASSWORD
export DB_USER=postgres
export DB_USER_LOW_PRIV=crud
export DB_HOST=localhost
export DB_PORT=5432
export DB_PORT_DEPLOYED_MIGRATIONS=5434
export DB_PORT_TEST=5433
export DB_NAME=dev_db
export DB_NAME_DEV=dev_db
export DB_NAME_DEPLOYED_MIGRATIONS=deployed_migrations
export DB_NAME_TEST=test_db
export DB_RETRY_INTERVAL=5s
export DB_SSL_MODE=disable

# Experimental feature flags, these will be replaced by the config/env/*.env files for live deployments
# By placing FEATURE_FLAG_${FLAG_KEY} in our .envrc and in our config/env files, we allow
# for a "backup" in case the Flipt server goes down. Also, config/env and modifying the CircleCI config.yml file
# allows CircleCI to run tests with the feature flag properly as it can't communicate with our Flipt server.
# So think of this as feature flags for development (Without a Flipt server running), for CircleCI tests, and then a fallback
# for when the live environment can't access Flipt.
# Multi Move feature flag
export FEATURE_FLAG_MULTI_MOVE=true
export FEATURE_FLAG_COUNSELOR_MOVE_CREATE=true

export FEATURE_FLAG_MOVE_LOCK=false
export FEATURE_FLAG_OKTA_DODID_INPUT=false
export FEATURE_FLAG_SAFETY_MOVE=true

# Feature flag for additional supporting documents uploaded by customer
export FEATURE_FLAG_MANAGE_SUPPORTING_DOCS=true

# Feature flags to enable third address
export FEATURE_FLAG_THIRD_ADDRESS_AVAILABLE=false

# Feature flag to disable/enable headquarters role
export FEATURE_FLAG_HEADQUARTERS_ROLE=true

# Feature flag to disable/enable GSR role
export FEATURE_FLAG_GSR_ROLE=false

# Feature flag to disable/enable supervisor queue management
export FEATURE_FLAG_QUEUE_MANAGEMENT=true

# Feature flags to disable certain shipment types
export FEATURE_FLAG_PPM=true
export FEATURE_FLAG_NTS=true
export FEATURE_FLAG_NTSR=true
export FEATURE_FLAG_BOAT=true
export FEATURE_FLAG_MOBILE_HOME=true
export FEATURE_FLAG_UNACCOMPANIED_BAGGAGE=false

# Feature flag to allow AK to be entered as a state
export FEATURE_FLAG_ENABLE_ALASKA=false

# Feature flag to enable/disable customers needing to authenticate with CAC on registration
# When turned to true, this will require each customer user to have the value of true in cac_validated in the service_members table
export FEATURE_FLAG_CAC_VALIDATED_LOGIN=false

# Go-live verification code feature flag. This is utilized for when a new customer accesses
# the application and needs to provide a verification code to access the application.
export FEATURE_FLAG_VALIDATION_CODE_REQUIRED=false # We don't want this validation code in our local dev environment!

# Feature flag to disable/enable DODID validation and enforce unique constraints in the backend
export FEATURE_FLAG_DODID_UNIQUE=false

# Okta.mil configuration

# Tenant
require OKTA_TENANT_ORG_URL "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_tenant_org_url'"
export OKTA_TENANT_CALLBACK_PORT=3000
export OKTA_TENANT_CALLBACK_PROTOCOL=http
require OKTA_API_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_api_key'"

# Customer
require OKTA_CUSTOMER_SECRET_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_customer_secret_key'"
require OKTA_CUSTOMER_CLIENT_ID "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_customer_client_id'"
require OKTA_CUSTOMER_CALLBACK_URL "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_customer_callback_url'"
require OKTA_CUSTOMER_GROUP_ID "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_customer_group_id'"

# Office
require OKTA_OFFICE_SECRET_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_office_secret_key'"
require OKTA_OFFICE_CLIENT_ID "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_office_client_id'"
require OKTA_OFFICE_CALLBACK_URL "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_office_callback_url'"
require OKTA_OFFICE_GROUP_ID "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_office_group_id'"

# Admin
require OKTA_ADMIN_SECRET_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_admin_secret_key'"
require OKTA_ADMIN_CLIENT_ID "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_admin_client_id'"
require OKTA_ADMIN_CALLBACK_URL "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal okta_admin_callback_url'"

# JSON Web Token (JWT) config
CLIENT_AUTH_SECRET_KEY=$(cat config/tls/devlocal-client_auth_secret.key)
export CLIENT_AUTH_SECRET_KEY

# Path to PEM-encoded CA certificate used to sign testing and development certificates
# This CA is not trusted in production!
export DEVLOCAL_CA="${MYMOVE_DIR}/config/tls/devlocal-ca.pem"
export DEVLOCAL_AUTH=true

# Path to PKCS#7 package containing certificates of all DoD root and
# intermediate CAs, so that we can both validate the server certs of other DoD
# entities like GEX and DMDC, as well as validate the client certs of other DoD
# entities when they connect to us
export DOD_CA_PACKAGE="${MYMOVE_DIR}/config/tls/milmove-cert-bundle.p7b"

# MyMove client certificate
# All of our DoD-signed certs are currently signed by DOD SW CA-75
# This cannot be changed unless our certs are all resigned
MOVE_MIL_DOD_CA_CERT=$(cat "${MYMOVE_DIR}"/config/tls/dod-sw-ca-75.pem)
require MOVE_MIL_DOD_TLS_CERT "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal move_mil_dod_tls_cert'"
require MOVE_MIL_DOD_TLS_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal move_mil_dod_tls_key'"
export MOVE_MIL_DOD_CA_CERT

# Use UTC timezone
export TZ="UTC"

# AWS development access
#
# To use S3/SES for local builds, you'll need to uncomment the following.
# Do not commit the change:
#
#   export STORAGE_BACKEND=s3
#   export EMAIL_BACKEND=ses
#
# Instructions for using S3 storage backend here: https://dp3.atlassian.net/wiki/spaces/MT/pages/1470955567/How+to+test+storing+data+in+S3+locally
# Instructions for using SES email backend here: https://dp3.atlassian.net/wiki/spaces/MT/pages/1467973894/How+to+test+sending+email+locally
#
# The default and equivalent to not being set is:
#
#   export STORAGE_BACKEND=local
#   export EMAIL_BACKEND=local
#
# Setting region and profile conditionally while we migrate from com to govcloud.
if [ "$STORAGE_BACKEND" == "s3" ]; then
  export AWS_S3_BUCKET_NAME="transcom-gov-dev-app-devlocal-us-gov-west-1"
  export AWS_S3_REGION="us-gov-west-1"
  export AWS_DEFAULT_REGION="us-gov-west-1"
  export AWS_PROFILE=transcom-gov-dev
fi

export AWS_S3_KEY_NAMESPACE=$USER
export AWS_SES_DOMAIN="devlocal.dp3.us"
export AWS_SES_REGION="us-gov-west-1"

# To use s3 links aws-bucketname/xx/user/ for local builds,
# you'll need to add the following to your .envrc.local:
#
#   export STORAGE_BACKEND=s3
#
# HERE MAPS API
export HERE_MAPS_GEOCODE_ENDPOINT="https://geocoder.api.here.com/6.2/geocode.json"
export HERE_MAPS_ROUTING_ENDPOINT="https://route.api.here.com/routing/7.2/calculateroute.json"
require HERE_MAPS_APP_ID "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal here_maps_app_id'"
require HERE_MAPS_APP_CODE "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal here_maps_app_code'"

# GEX integration config
export GEX_BASIC_AUTH_USERNAME="mymovet"
require GEX_BASIC_AUTH_PASSWORD "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal gex_basic_auth_password'"
export GEX_URL=""
# To actually send the GEX request, replace url in envrc.local with the line below
# export GEX_URL=https://gexb.gw.daas.dla.mil/msg_data/submit/


# DMDC Identity Web Services Real-Time Broker Service
# To test against DMDC IWS RBS modify IWS_RBS_ENABLED and set to 1 in your .envrc.local
# It is disabled by default so that no requests are sent to DMDC during development unless explicitly set
export IWS_RBS_ENABLED=0
export IWS_RBS_HOST="pkict.dmdc.osd.mil"

# Unsecured CSRF Auth Key, for local dev only
require CSRF_AUTH_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal csrf_auth_key'"

# Always show Swagger UI in development
export SERVE_SWAGGER_UI=true

# Regenerate swagger files if necessary.
export SWAGGER_AUTOREBUILD=1

# HAPPO Keys
require HAPPO_API_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal happo_api_key'"
require HAPPO_API_SECRET "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal happo_api_secret'"

# EIA API Key (for fuel price data)
require EIA_KEY "See 'DISABLE_AWS_VAULT_WRAPPER=1 AWS_REGION=us-gov-west-1 aws-vault exec transcom-gov-dev -- chamber read app-devlocal eia_key'"
export EIA_URL="https://api.eia.gov/v2/seriesid/PET.EMD_EPD2D_PTE_NUS_DPG.W"

# Listeners
export NO_TLS_ENABLED=1 # primary development listener
export MUTUAL_TLS_ENABLED=1 # used for orders and prime testing
export TLS_ENABLED=false # not used in development
# enable health server locally
export HEALTH_SERVER_ENABLED=true

# Set server names
export HTTP_MY_SERVER_NAME=milmovelocal
export HTTP_OFFICE_SERVER_NAME=officelocal
export HTTP_ADMIN_SERVER_NAME=adminlocal
export HTTP_ORDERS_SERVER_NAME=orderslocal
export HTTP_PRIME_SERVER_NAME=primelocal

# Set ports - Changed from defaults so as not to conflict with transcom/mymove
export GIN_PORT=9001
export NO_TLS_PORT=8080
export TLS_PORT=8443
export MUTUAL_TLS_PORT=9443

# Services
export SERVE_ADMIN=true
export SERVE_ORDERS=true
export SERVE_API_INTERNAL=true
export SERVE_API_GHC=true
export SERVE_API_PRIME=true
export SERVE_API_SUPPORT=true
export SERVE_API_PPTAS=true
# enable prime simulator locally
export SERVE_PRIME_SIMULATOR=true

# Set golangci-lint concurrency env variable
export GOLANGCI_LINT_CONCURRENCY=6
# Set golangci-lint verbosity if value is "-v"
export GOLANGCI_LINT_VERBOSE=""

# Set DB_DEBUG to true for development to enable sql logging
export DB_DEBUG=1
# Set the logging level to debug locally. You can override in .envrc.local
# Other possible values are: info, warn, error, fatal
export LOGGING_LEVEL=debug

# Set TELEMETRY_ENABLED=true to report telemetry to the endpoint
# (stdout by default)
export TELEMETRY_ENABLED=false
# Default to sending telemetry to stdout when enabled
export TELEMETRY_ENDPOINT=stdout
# Default to sampling 100% of all events
export TELEMETRY_SAMPLING_FRACTION=1

# default connection info for Gotenberg
export GOTENBERG_PROTOCOL=http
export GOTENBERG_HOST=localhost
export GOTENBERG_PORT=2000

# Determines if we are using the mock DTOD service to calculate
# distance or the actual service
#
# This is enabled in local dev environments for playwright. It can be
# set to false during local dev if needed to test/debug DTOD
# interactions
export DTOD_USE_MOCK=false

# Simulates the DTOD service being down
#
# This is enabled in local dev environments for playwright. It can be
# set to false during local dev if needed to test/debug DTOD
# interactions
export DTOD_SIMULATE_OUTAGE=false

# Client build flags
#
# Send error logs to the console for local development. Set to 'otel'
# to send to the backend
export REACT_APP_ERROR_LOGGING=console


# Anti-Virus Settings
export AV_DIR="${MYMOVE_DIR}"
# WARNING: IGNORE FILES AT OUR PERIL. IF ADDING HERE ADD NOTES!
# - pkg/testdatagen/testdata/orders.pdf is a file used exclusively for testing
export AV_IGNORE_FILES=pkg/testdatagen/testdata/orders.pdf
# WARNING: IGNORE SIGNATURES AT OUR PERIL. IF ADDING HERE ADD NOTES!
# - PUA.Pdf.Trojan.EmbeddedJavaScript-1 is ignored because we don't ship PDFs in any docker containers
# - orders.pdf.UNOFFICIAL is a finding based on the ignored file above of the same name
export AV_IGNORE_SIGS="PUA.Pdf.Trojan.EmbeddedJavaScript-1 orders.pdf.UNOFFICIAL"

#### Nix Experiment Start ####
# if nix is installed, use it
if [ ! -r .nix-disable  ] && has nix-env; then
  # set NIX_PROFILE so nix-env operations don't need to manually
  # specify the profile path
  #
  export NIX_PROFILE="/nix/var/nix/profiles/per-user/${LOGNAME}/mymove"

  # Having NIX_SSL_CERT_FILE set means go won't use macOS keychain based certs
  export NIX_SSL_CERT_FILE_ORIG=$NIX_SSL_CERT_FILE
  unset NIX_SSL_CERT_FILE

  # Nix installs opensc which the prime-api-client needs
  export PKCS11MODULE="${NIX_PROFILE}"/lib/opensc-pkcs11.so

  nix_dir="nix"
  # add the nix files so that if they change, direnv needs to be reloaded
  watch_file "${nix_dir}"/*.nix
  config_hash=$(nix-hash "${nix_dir}")
  store_hash=$(nix-store -q --hash "${NIX_PROFILE}")

  # The .nix-hash file is created by nix/update.sh
  if [ ! -r .nix-hash ] || ! grep -q "${config_hash}-${store_hash}" .nix-hash; then
    log_status "WARNING: nix packages out of date. Run ${nix_dir}/update.sh"
  fi

  # add the NIX_PROFILE bin path so that everything we just installed
  # is available on the path
  PATH_add ${NIX_PROFILE}/bin
  # Add the node binaries to our path
  PATH_add ./node_modules/.bin
  # nix is immutable, so we need to specify a path for local changes, e.g.
  # binaries can be installed local to this project
  export GOPATH=$PWD/.gopath
  PATH_add ./.gopath/bin
  # nix is immutable, so we need to specify a path so npm global
  # installs work
  export NPM_CONFIG_PREFIX=$PWD/.npmglobal
  PATH_add ./.npmglobal/bin
fi


#### Nix Experiment End ######

##############################################
# Load Local Overrides and Check Environment #
##############################################

# Load a local overrides file. Any changes you want to make for your local
# environment should live in that file.

if [ -e .envrc.local ]
then
  source_env .envrc.local
fi

# Check that all required environment variables are set
check_required_variables