@freshworks/shiftleft-tools 1.1.8

package/templates/postman/collections/01-core.json.ejs

@@ -0,0 +1,91 @@
+{
+  "info": {
+    "_postman_id": "01-core-<%= serviceNameLower %>",
+    "name": "Core API",
+    "description": "Core API endpoints for <%= serviceName %>",
+    "schema": "https://schema.getpostman.com/json/collection/v2.1.0/collection.json"
+  },
+  "auth": {
+    "type": "bearer",
+    "bearer": [
+      {
+        "key": "token",
+        "value": "{{auth_token}}",
+        "type": "string"
+      }
+    ]
+  },
+  "event": [
+    {
+      "listen": "prerequest",
+      "script": {
+        "type": "text/javascript",
+        "exec": [""]
+      }
+    },
+    {
+      "listen": "test",
+      "script": {
+        "type": "text/javascript",
+        "exec": [""]
+      }
+    }
+  ],
+  "item": [
+    {
+      "name": "Health Check",
+      "item": [
+        {
+          "name": "Health Check - 200 OK",
+          "event": [
+            {
+              "listen": "test",
+              "script": {
+                "exec": [
+                  "pm.test(\"Status code is 200\", function () {",
+                  "    pm.response.to.have.status(200);",
+                  "});",
+                  "",
+                  "pm.test(\"Response time is less than 2000ms\", function () {",
+                  "    pm.expect(pm.response.responseTime).to.be.below(2000);",
+                  "});",
+                  "",
+                  "pm.test(\"Content-Type is application/json\", function () {",
+                  "    pm.expect(pm.response.headers.get(\"Content-Type\")).to.include(\"application/json\");",
+                  "});",
+                  "",
+                  "var jsonData = pm.response.json();",
+                  "",
+                  "pm.test(\"Response has status field\", function () {",
+                  "    pm.expect(jsonData).to.have.property('status');",
+                  "    pm.expect(jsonData.status).to.eql('UP');",
+                  "});"
+                ],
+                "type": "text/javascript"
+              }
+            }
+          ],
+          "request": {
+            "method": "GET",
+            "header": [],
+            "url": {
+              "raw": "{{base_url}}/actuator/health",
+              "host": ["{{base_url}}"],
+              "path": ["actuator", "health"]
+            },
+            "description": "Health check endpoint to verify service is running"
+          },
+          "response": []
+        }
+      ]
+    }
+  ],
+  "variable": [
+    {
+      "key": "base_url",
+      "value": "http://localhost:8080/api",
+      "type": "string",
+      "description": "Base URL for the API"
+    }
+  ]
+}

package/templates/postman/config/local.json.ejs

@@ -0,0 +1,12 @@
+{
+  "comment": "Local environment configuration for <%= serviceName %> Postman tests",
+  "environment": "local",
+  "base_url": "http://localhost:8080/api",
+  "jwt": {
+    "use_hardcoded_token": true,
+    "hardcoded_token": "temporary_token"
+  },
+  "headers": {
+    "content_type": "application/json"
+  }
+}

package/templates/postman/config/staging.json.ejs

@@ -0,0 +1,26 @@
+{
+  "comment": "Staging environment configuration for <%= serviceName %> Postman tests",
+  "environment": "staging",
+  "base_url": "https://your-staging-url.freshworks.com/api",
+  "aws": {
+    "secretName": "staging_stack_secrets",
+    "region": "us-west-2",
+    "client": "your_client",
+    "issuer": "your_issuer"
+  },
+  "jwt": {
+    "use_hardcoded_token": false,
+    "api_issuer": "your_issuer",
+    "api_account_id": "your_account_id",
+    "api_account_domain": "your_domain.freshworks.com",
+    "api_user_id": "your_user_id",
+    "api_product": "freshdesk",
+    "api_product_id": "1",
+    "api_user_role": "admin",
+    "api_pod": "poduswest2",
+    "api_jwt_expiry": "240"
+  },
+  "headers": {
+    "content_type": "application/json"
+  }
+}

package/templates/postman/environments/local.postman_environment.json.ejs

@@ -0,0 +1,31 @@
+{
+  "id": "local-environment",
+  "name": "<%= serviceName %> - Local",
+  "values": [
+    {
+      "key": "base_url",
+      "value": "http://localhost:8080/api",
+      "type": "default",
+      "enabled": true
+    },
+    {
+      "key": "environment",
+      "value": "local",
+      "type": "default",
+      "enabled": true
+    },
+    {
+      "key": "auth_token",
+      "value": "temporary_token",
+      "type": "default",
+      "enabled": true
+    },
+    {
+      "key": "setup_complete",
+      "value": "false",
+      "type": "default",
+      "enabled": true
+    }
+  ],
+  "_postman_variable_scope": "environment"
+}

package/templates/postman/environments/staging.postman_environment.json.ejs

@@ -0,0 +1,31 @@
+{
+  "id": "staging-environment",
+  "name": "<%= serviceName %> - Staging",
+  "values": [
+    {
+      "key": "base_url",
+      "value": "https://your-staging-url.freshworks.com/api",
+      "type": "default",
+      "enabled": true
+    },
+    {
+      "key": "environment",
+      "value": "staging",
+      "type": "default",
+      "enabled": true
+    },
+    {
+      "key": "auth_token",
+      "value": "",
+      "type": "secret",
+      "enabled": true
+    },
+    {
+      "key": "setup_complete",
+      "value": "false",
+      "type": "default",
+      "enabled": true
+    }
+  ],
+  "_postman_variable_scope": "environment"
+}

package/templates/postman/gitignore

@@ -0,0 +1,16 @@
+node_modules/
+reports/*.html
+reports/*.json
+reports/json/
+*.log
+audit-report.json
+deps-tree.txt
+
+# dev-tools staged scripts (machine-local cache; refreshed by `dev-tools test`)
+scripts/.run-all-impl.sh
+scripts/auth/
+scripts/database/
+scripts/infra/
+scripts/lib/
+scripts/report-generators/
+scripts/runners/

package/templates/postman/npmrc

@@ -0,0 +1,31 @@
+# =============================================================================
+# npm Security Configuration for Postman Tests
+# =============================================================================
+#
+# This file configures npm with security-focused settings to reduce the risk
+# of supply chain attacks (like the tunnel-agent compromise).
+#
+# =============================================================================
+
+# CRITICAL: Block postinstall attacks
+# This prevents malicious packages from running scripts during installation
+ignore-scripts=true
+
+# Lock dependencies to exact versions
+# Ensures reproducible builds and prevents version drift attacks
+package-lock=true
+save-exact=true
+
+# Use official npm registry with SSL
+# Prevents man-in-the-middle attacks and package tampering
+registry=https://registry.npmjs.org/
+strict-ssl=true
+
+# Run security audit on install
+# Automatically checks for known CVEs in dependencies
+audit=true
+audit-level=high
+
+# Verify package signatures (npm 8.4+)
+# Ensures packages haven't been tampered with after publishing
+audit-signatures=true

package/templates/postman/package.json.ejs

@@ -0,0 +1,66 @@
+{
+  "name": "<%= serviceName %>-postman-tests",
+  "version": "1.0.0",
+  "private": true,
+  "description": "Postman API tests for <%= serviceName %> - secure configuration with pinned dependencies",
+  "scripts": {
+    "prepare": "cd .. && husky postman/.husky",
+    "test:local": "./scripts/runners/run-tests-local.sh",<% if (includeStaging) { %>
+    "test:staging": "./scripts/runners/run-tests-staging.sh",<% } %>
+    "audit": "npm audit --audit-level=high",
+    "audit:fix": "npm audit fix",
+    "audit:json": "npm audit --json > audit-report.json",
+    "audit:signatures": "npm audit signatures",
+    "deps:check": "npm ls --all 2>/dev/null | grep -E 'tunnel-agent|@postman|got|node-fetch' || echo 'No problematic packages found'",
+    "deps:tree": "npm ls --all",
+    "deps:outdated": "npm outdated",
+    "deps:duplicates": "npm ls --all 2>/dev/null | sort | uniq -d || echo 'No duplicates'",
+    "security:check": "npm run audit && npm run audit:signatures && npm run deps:check",
+    "security:full": "npm run audit:json && npm run deps:tree > deps-tree.txt && echo 'Reports: audit-report.json, deps-tree.txt'",
+    "format": "prettier --write '**/*.json' '!node_modules/**'",
+    "format:check": "prettier --check '**/*.json' '!node_modules/**'"
+  },
+  "dependencies": {
+    "newman": "6.2.2",
+    "newman-reporter-htmlextra": "1.23.1"
+  },
+  "devDependencies": {
+    "husky": "9.1.7",
+    "prettier": "3.4.2"
+  },
+  "overrides": {
+    "tunnel-agent": "0.6.0",
+    "@postman/tunnel-agent": "0.6.3",
+    "tough-cookie": "4.1.3",
+    "semver": "7.5.4",
+    "word-wrap": "1.2.5",
+    "xml2js": "0.6.2",
+    "http-cache-semantics": "4.1.1",
+    "json5": "2.2.3",
+    "minimatch": "3.1.2",
+    "jose": "4.15.5",
+    "node-forge": "1.3.3",
+    "qs": "6.15.0",
+    "lodash": "4.17.23",
+    "ajv": "6.14.0",
+    "postman-runtime": {
+      "jose": "4.15.5",
+      "node-forge": "1.3.3"
+    },
+    "postman-request": {
+      "qs": "6.15.0"
+    }
+  },
+  "engines": {
+    "node": ">=18.0.0",
+    "npm": ">=8.4.0"
+  },
+  "keywords": [
+    "postman",
+    "api-testing",
+    "newman",
+    "<%= serviceName %>"
+  ],
+  "author": "Developer Platform Team",
+  "license": "UNLICENSED"
+}

package/templates/postman/run-all-shim.sh

@@ -0,0 +1,16 @@
+#!/usr/bin/env bash
+# Generated by shiftleft-tools — do not edit.
+#
+# Test orchestration lives in the shiftleft-tools package, not in this repo. This
+# shim stages the latest scripts (gitignored, machine-local) and runs them, so
+# `npm install -g shiftleft-tools` updates behavior with no repo change.
+# All flags pass through unchanged: --env, --skip-unit, --skip-mutation,
+# --skip-postman, --skip-coverage, --skip-report, --no-delay, ...
+
+if ! command -v shiftleft >/dev/null 2>&1; then
+    echo "error: shiftleft CLI not found." >&2
+    echo "Install it with: npm install -g shiftleft-tools --registry=https://nexuscentral.runwayci.com/repository/npm-group/" >&2
+    exit 127
+fi
+
+exec shiftleft test "$@"

package/templates/postman/scripts/auth/generate-jwt.sh

@@ -0,0 +1,113 @@
+#!/bin/bash
+# =============================================================================
+# SECURE JWT Generator - Uses only bash and openssl (NO Node.js, NO npm)
+# =============================================================================
+#
+# This script replaces generate-jwt.js to eliminate npm supply chain risk.
+# The ISSUER_SECRET never touches any Node.js process.
+#
+# Usage:
+#   ISSUER_SECRET=<secret> ./generate-jwt.sh
+#
+# Or with all parameters:
+#   ISSUER_SECRET=<secret> \
+#   API_ISSUER=mp_collections_manager \
+#   API_ACCOUNT_ID=123 \
+#   ./generate-jwt.sh
+#
+# =============================================================================
+
+set -euo pipefail
+
+# Configuration from environment or defaults
+API_ISSUER="${API_ISSUER:-mp_collections_manager}"
+API_ACCOUNT_ID="${API_ACCOUNT_ID:-1}"
+API_ACCOUNT_DOMAIN="${API_ACCOUNT_DOMAIN:-freshworks.com}"
+API_USER_ID="${API_USER_ID:-1}"
+API_PRODUCT="${API_PRODUCT:-freshdesk}"
+API_PRODUCT_ID="${API_PRODUCT_ID:-1}"
+API_USER_ROLE="${API_USER_ROLE:-internal_admin}"
+API_POD="${API_POD:-poduswest2}"
+API_SKUS="${API_SKUS:-estate_pro}"
+SKU="${SKU:-estate_pro}"
+IS_SOURCE_INTERNAL="${IS_SOURCE_INTERNAL:-false}"
+API_JWT_EXPIRY="${API_JWT_EXPIRY:-3600}"
+ISSUER_SECRET="${ISSUER_SECRET:-}"
+
+# Validate required secret
+if [ -z "$ISSUER_SECRET" ]; then
+    echo "ERROR: ISSUER_SECRET environment variable is required" >&2
+    echo "" >&2
+    echo "Usage: ISSUER_SECRET=<secret> $0" >&2
+    echo "" >&2
+    echo "Or set all parameters:" >&2
+    echo "  ISSUER_SECRET=<secret> \\" >&2
+    echo "  API_ISSUER=mp_collections_manager \\" >&2
+    echo "  API_ACCOUNT_ID=123 \\" >&2
+    echo "  $0" >&2
+    exit 1
+fi
+
+# =============================================================================
+# Base64URL encode function (URL-safe base64 without padding)
+# This matches the JWT spec: https://tools.ietf.org/html/rfc7519
+# =============================================================================
+base64url_encode() {
+    # Read from stdin, base64 encode, convert to URL-safe format, remove padding
+    openssl base64 -A | tr '+/' '-_' | tr -d '='
+}
+
+# =============================================================================
+# Build JWT
+# =============================================================================
+
+# Current timestamp
+NOW=$(date +%s)
+EXP=$((NOW + API_JWT_EXPIRY))
+
+# JWT Header (always the same for HS256)
+HEADER='{"alg":"HS256","typ":"JWT"}'
+
+# JWT Payload - build dynamically to only include non-empty fields
+PAYLOAD="{"
+PAYLOAD+="\"iss\":\"${API_ISSUER}\""
+
+[ -n "$API_ACCOUNT_ID" ] && PAYLOAD+=",\"account_id\":\"${API_ACCOUNT_ID}\""
+[ -n "$API_ACCOUNT_DOMAIN" ] && PAYLOAD+=",\"account_domain\":\"${API_ACCOUNT_DOMAIN}\""
+[ -n "$API_USER_ID" ] && PAYLOAD+=",\"user_id\":\"${API_USER_ID}\""
+[ -n "$API_PRODUCT" ] && PAYLOAD+=",\"product\":\"${API_PRODUCT}\""
+[ -n "$API_PRODUCT_ID" ] && PAYLOAD+=",\"product_id\":\"${API_PRODUCT_ID}\""
+[ -n "$API_USER_ROLE" ] && PAYLOAD+=",\"user_role\":\"${API_USER_ROLE}\""
+[ -n "$API_POD" ] && PAYLOAD+=",\"pod\":\"${API_POD}\""
+[ -n "$API_SKUS" ] && PAYLOAD+=",\"skus\":\"${API_SKUS}\""
+[ -n "$SKU" ] && PAYLOAD+=",\"sku\":\"${SKU}\""
+
+# Boolean field
+if [ "$IS_SOURCE_INTERNAL" = "true" ]; then
+    PAYLOAD+=",\"is_source_internal\":true"
+fi
+
+# Timestamps
+PAYLOAD+=",\"iat\":${NOW}"
+PAYLOAD+=",\"exp\":${EXP}"
+PAYLOAD+="}"
+
+# =============================================================================
+# Encode and Sign
+# =============================================================================
+
+# Encode header and payload
+HEADER_B64=$(echo -n "$HEADER" | base64url_encode)
+PAYLOAD_B64=$(echo -n "$PAYLOAD" | base64url_encode)
+
+# Create signature using HMAC-SHA256
+# This is the secure part - openssl handles the cryptography
+SIGNATURE=$(echo -n "${HEADER_B64}.${PAYLOAD_B64}" | \
+    openssl dgst -sha256 -hmac "$ISSUER_SECRET" -binary | \
+    base64url_encode)
+
+# =============================================================================
+# Output complete JWT
+# =============================================================================
+echo "${HEADER_B64}.${PAYLOAD_B64}.${SIGNATURE}"
+

package/templates/postman/scripts/auth/get-issuer-secret.sh

@@ -0,0 +1,140 @@
+#!/bin/bash
+
+# Helper script to fetch ISSUER_SECRET from AWS Secrets Manager
+# 
+# Usage: 
+#   ./get-issuer-secret.sh <secret-name> <client> <issuer> [region]
+#
+# Authentication:
+#   - In Jenkins/CI: Uses IAM role attached to Kubernetes pod (no profile needed)
+#   - Locally: Set AWS_PROFILE environment variable (e.g., export AWS_PROFILE=staging)
+#
+# Example:
+#   AWS_PROFILE=staging ./get-issuer-secret.sh staging_stack_secrets developer_platform mp_collections_manager us-west-2
+
+set -e
+
+# Colors
+GREEN='\033[0;32m'
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+BLUE='\033[0;34m'
+NC='\033[0m'
+
+# Parse arguments
+SECRET_NAME="${1:-}"
+CLIENT="${2:-}"
+ISSUER="${3:-}"
+REGION="${4:-us-east-1}"
+
+# Show usage if arguments missing
+if [ -z "$SECRET_NAME" ] || [ -z "$CLIENT" ] || [ -z "$ISSUER" ]; then
+    echo -e "${BLUE}╔════════════════════════════════════════════════════════════╗${NC}"
+    echo -e "${BLUE}║  Get Issuer Secret from AWS Secrets Manager                ║${NC}"
+    echo -e "${BLUE}╚════════════════════════════════════════════════════════════╝${NC}"
+    echo ""
+    echo "Usage: $0 <secret-name> <client> <issuer> [region]"
+    echo ""
+    echo "Arguments:"
+    echo "  secret-name   AWS Secrets Manager secret name"
+    echo "  client        Client name (e.g., developer_platform)"
+    echo "  issuer        Issuer name (e.g., developer_platform)"
+    echo "  region        AWS region (default: us-east-1)"
+    echo ""
+    echo "Example:"
+    echo "  $0 my-secret-name developer_platform developer_platform us-east-1"
+    echo ""
+    echo "Output:"
+    echo "  Prints the issuer secret to stdout"
+    echo ""
+    exit 1
+fi
+
+# Check if AWS CLI is installed
+if ! command -v aws &> /dev/null; then
+    echo -e "${RED}✗ Error: AWS CLI is not installed${NC}"
+    echo ""
+    echo "Install AWS CLI:"
+    echo "  https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html"
+    echo ""
+    exit 1
+fi
+
+# Check if jq is installed
+if ! command -v jq &> /dev/null; then
+    echo -e "${RED}✗ Error: jq is not installed${NC}"
+    echo ""
+    echo "Install jq:"
+    echo "  brew install jq   # macOS"
+    echo "  apt install jq    # Ubuntu/Debian"
+    echo ""
+    exit 1
+fi
+
+# Fetch secret from AWS
+# Disable exit-on-error to capture error details for better diagnostics
+set +e
+
+# Use --profile if AWS_PROFILE is set, otherwise use default credentials (IAM role in Jenkins)
+if [ -n "${AWS_PROFILE:-}" ]; then
+    SECRET_JSON=$(aws --profile "$AWS_PROFILE" secretsmanager get-secret-value \
+        --secret-id "$SECRET_NAME" \
+        --region "$REGION" \
+        --query SecretString \
+        --output text 2>&1)
+else
+    SECRET_JSON=$(aws secretsmanager get-secret-value \
+        --secret-id "$SECRET_NAME" \
+        --region "$REGION" \
+        --query SecretString \
+        --output text 2>&1)
+fi
+
+AWS_EXIT_CODE=$?
+set -e
+
+if [ $AWS_EXIT_CODE -ne 0 ]; then
+    echo -e "${RED}✗ Error fetching secret from AWS:${NC}" >&2
+    echo "$SECRET_JSON" >&2
+    echo "" >&2
+    
+    # Check if it's a credentials issue
+    if echo "$SECRET_JSON" | grep -q "Unable to locate credentials"; then
+        echo -e "${YELLOW}AWS credentials not configured!${NC}" >&2
+        echo "" >&2
+        echo "Please configure AWS credentials:" >&2
+        echo "  aws configure" >&2
+        echo "" >&2
+        echo "You'll need:" >&2
+        echo "  - AWS Access Key ID" >&2
+        echo "  - AWS Secret Access Key" >&2
+        echo "  - Default region: $REGION" >&2
+        echo "" >&2
+    fi
+    exit 1
+fi
+
+# For mp-apps API, use jwt_secret_secondary at client level
+# This matches the BaseTest.prototype.mpappsAPISecret implementation
+ISSUER_SECRET=$(echo "$SECRET_JSON" | jq -r ".auth.clients[\"$CLIENT\"].jwt_secret_secondary // empty" 2>/dev/null)
+
+# Fall back to primary jwt_secret if secondary not found
+if [ -z "$ISSUER_SECRET" ] || [ "$ISSUER_SECRET" == "null" ]; then
+    echo -e "${YELLOW}⚠ Secondary secret not found, falling back to primary client secret${NC}" >&2
+    ISSUER_SECRET=$(echo "$SECRET_JSON" | jq -r ".auth.clients[\"$CLIENT\"].jwt_secret // empty" 2>/dev/null)
+fi
+
+# Check if secret was found
+if [ -z "$ISSUER_SECRET" ] || [ "$ISSUER_SECRET" == "null" ]; then
+    echo -e "${RED}✗ Error: Could not find secret for client '$CLIENT' and issuer '$ISSUER'${NC}" >&2
+    echo "" >&2
+    echo "Available clients:" >&2
+    echo "$SECRET_JSON" | jq -r '.auth.clients | keys[]' 2>/dev/null >&2
+    exit 1
+fi
+
+# Output the secret (to stdout for easy capture)
+echo -e "${GREEN}✓ Secret found!${NC}" >&2
+echo "" >&2
+echo "$ISSUER_SECRET"
+