learning_ai_common_plat/scripts/switch-network.sh

#!/bin/bash
# ─────────────────────────────────────────────────────────────
# Dual-network development setup
# ─────────────────────────────────────────────────────────────
#
# Controls: one env var — NETWORK=corp or NETWORK=home
#
# Usage (add to ~/.zshrc):
#   export NETWORK=corp   # at work / on VPN
#   export NETWORK=home   # at home (or just unset it)
#
# Then source this file from ~/.zshrc:
#   source "$HOME/code/mygh/learning_ai_common_plat/scripts/switch-network.sh"
#
# What it sets when NETWORK=corp:
#   - http_proxy / https_proxy  → cso.proxy.att.com:8080
#   - NPM_CONFIG_REGISTRY       → AT&T JFrog npm proxy
#   - NPM_CONFIG_PROXY          → corporate proxy
#   - NPM_CONFIG_STRICT_SSL     → false (proxy TLS interception)
#   - NO_PROXY / no_proxy        → localhost,127.0.0.1 (Gitea, Cosmos, Azurite)
#   - NPM_CONFIG_NOPROXY         → localhost,127.0.0.1
#   - NODE_TLS_REJECT_UNAUTHORIZED → 0 (Node.js trusts proxy certs)
#   - PIP_TRUSTED_HOST           → pypi.org, files.pythonhosted.org
#   - GRADLE_OPTS                → JVM truststore with corporate CA cert
#                                  (truststore at ~/.gradle/ssl/gradle-cacerts.jks)
#
# What it sets when NETWORK=home:
#   - All proxy vars unset, default registries, direct internet
#
# Gradle SSL setup (one-time):
#   The corporate proxy (cso.proxy.att.com) does TLS interception.
#   Gradle's JVM needs a custom truststore with the proxy CA cert.
#   To create/recreate:
#     mkdir -p ~/.gradle/ssl
#     JAVA_HOME=$(/usr/libexec/java_home)
#     cp "$JAVA_HOME/lib/security/cacerts" ~/.gradle/ssl/gradle-cacerts.jks
#     echo | openssl s_client -connect services.gradle.org:443 \
#       -proxy cso.proxy.att.com:8080 -showcerts 2>/dev/null \
#       | awk 'BEGIN{c=0} /BEGIN CERT/{c++} c==2{print} /END CERT/&&c==2{exit}' \
#       > /tmp/corp-ca.pem
#     keytool -importcert -noprompt -trustcacerts -alias att-cso-proxy \
#       -file /tmp/corp-ca.pem \
#       -keystore ~/.gradle/ssl/gradle-cacerts.jks -storepass changeit
#
# ─────────────────────────────────────────────────────────────

_CORP_PROXY="http://cso.proxy.att.com:8080/"
_CORP_NPM_REGISTRY="https://jfrog-pkg-proxy.it.att.com/artifactory/api/npm/att-npm-proxy-group/"

_GRADLE_TRUSTSTORE="$HOME/.gradle/ssl/gradle-cacerts.jks"

if [ "${NETWORK:-home}" = "corp" ]; then
  # ── Corporate proxy ──
  export http_proxy="$_CORP_PROXY"
  export https_proxy="$_CORP_PROXY"
  export HTTP_PROXY="$_CORP_PROXY"
  export HTTPS_PROXY="$_CORP_PROXY"
  export NPM_CONFIG_REGISTRY="$_CORP_NPM_REGISTRY"
  export NPM_CONFIG_PROXY="$_CORP_PROXY"
  export NPM_CONFIG_HTTPS_PROXY="$_CORP_PROXY"
  export NPM_CONFIG_STRICT_SSL="false"
  export PIP_TRUSTED_HOST="pypi.org files.pythonhosted.org"
  export NODE_TLS_REJECT_UNAUTHORIZED="0"
  # Bypass proxy for local services (Gitea npm registry, Cosmos emulator, Azurite, etc.)
  export NO_PROXY="localhost,127.0.0.1"
  export no_proxy="localhost,127.0.0.1"
  export NPM_CONFIG_NOPROXY="localhost,127.0.0.1"
  # Gradle: trust corporate proxy CA cert (TLS interception by cso.proxy.att.com)
  if [ -f "$_GRADLE_TRUSTSTORE" ]; then
    export GRADLE_OPTS="-Djavax.net.ssl.trustStore=$_GRADLE_TRUSTSTORE -Djavax.net.ssl.trustStorePassword=changeit -Djdk.http.auth.tunneling.disabledSchemes= -Djdk.http.auth.proxying.disabledSchemes= -Djava.net.useSystemProxies=true"
  fi
else
  # ── Home / direct internet ──
  unset http_proxy https_proxy HTTP_PROXY HTTPS_PROXY 2>/dev/null
  unset NPM_CONFIG_REGISTRY NPM_CONFIG_PROXY NPM_CONFIG_HTTPS_PROXY 2>/dev/null
  unset NPM_CONFIG_STRICT_SSL NODE_TLS_REJECT_UNAUTHORIZED 2>/dev/null
  unset NO_PROXY no_proxy NPM_CONFIG_NOPROXY 2>/dev/null
  unset PIP_TRUSTED_HOST GRADLE_OPTS 2>/dev/null
fi

unset _GRADLE_TRUSTSTORE

# Quick status on new shell (only if interactive)
if [[ $- == *i* ]]; then
  if [ "${NETWORK:-home}" = "corp" ]; then
    echo "🏢 NETWORK=corp — proxy active"
  else
    echo "🏠 NETWORK=home — direct internet"
  fi
fi

unset _CORP_PROXY _CORP_NPM_REGISTRY

# ── Gitea NPM registry (NETWORK-aware) ────────────────────────────
# Repos use .npmrc with:  @bytelyst:registry=http://${GITEA_NPM_HOST}:3300/...
#
# NETWORK=corp → Gitea runs locally on this machine (localhost)
# NETWORK=home → Gitea runs on the Azure VM (read host from ~/.gitea_vm_host)
#
# To configure the VM host (one-time):
#   echo "bytelyst-vm.eastus.cloudapp.azure.com" > ~/.gitea_vm_host
#
# Token for publish access (reads are public, writes need auth):
#   Store in ~/.gitea_npm_token (one line, no newline)
#   Create: curl -s -u admin:PASSWORD http://<host>:3300/api/v1/users/admin/tokens \
#             -H 'Content-Type: application/json' -d '{"name":"npm"}' | jq -r '.sha1 // .token'

# Gitea npm package owner — single env var drives every .npmrc + Dockerfile.
# Override per-shell if you have multiple Gitea orgs; default is the canonical
# ByteLyst owner. Renaming the owner is now a one-line env change.
export GITEA_NPM_OWNER="${GITEA_NPM_OWNER:-learning_ai_user}"

_GITEA_VM_HOST_FILE="$HOME/.gitea_vm_host"
if [ "${NETWORK:-home}" = "corp" ]; then
  export GITEA_NPM_HOST="localhost"
else
  if [ -f "$_GITEA_VM_HOST_FILE" ]; then
    export GITEA_NPM_HOST
    GITEA_NPM_HOST="$(cat "$_GITEA_VM_HOST_FILE")"
  else
    # Fallback: assume Gitea on localhost (e.g., local Docker or SSH tunnel)
    export GITEA_NPM_HOST="localhost"
  fi
fi
unset _GITEA_VM_HOST_FILE

# Token: per-network file preferred, fallback to shared file
# Layout:
#   ~/.gitea_npm_token_corp  → corp (local Gitea via SSH tunnel)
#   ~/.gitea_npm_token_home  → home / prod (cloud VM Gitea)
#   ~/.gitea_npm_token       → fallback (used if per-network file missing)
unset GITEA_NPM_TOKEN
_NET="${NETWORK:-home}"
for _f in "$HOME/.gitea_npm_token_${_NET}" "$HOME/.gitea_npm_token"; do
  if [ -f "$_f" ]; then
    GITEA_NPM_TOKEN="$(tr -d '\n\r ' < "$_f")"
    export GITEA_NPM_TOKEN
    break
  fi
done
unset _NET _f