bundler-security 0.0.1 → 0.1.0

data/lib/bundler/security/commands.rb

@@ -0,0 +1,13 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    # Modules grouping supported bundler commands
+    module Commands
+      # Install bundler command
+      INSTALL = 'install'
+      # Update bundler command
+      UPDATE = 'update'
+    end
+  end
+end

data/lib/bundler/security/config/fetcher.rb

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    # Module for all the components related to setting up the config
+    module Config
+      # Class responsible for fetching the config from .coditsu.yml
+      module Fetcher
+        class << self
+          # @param build_path [String] path of the current build
+          # @return [OpenStruct] open struct with config details
+          # @example
+          #   details = Fetcher.new.call('./')
+          #   details.build_path #=> './'
+          def call(build_path)
+            FileFinder
+              .call(build_path)
+              .then(&File.method(:read))
+              .then(&ERB.method(:new))
+              .then(&:result)
+              .then(&YAML.method(:load))
+              .then { |data| data.merge(build_path: build_path) }
+              .then(&OpenStruct.method(:new))
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/config/file_finder.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Config
+      # Class used to figure out the file from which we should load the settings
+      module FileFinder
+        # Names of the files or paths where we will look for the settings
+        #
+        # @note We do the double dot trick, to look outside of the current dir because when
+        #   executed from a docker container, we copy the local uncommitted settings into the
+        #   dir above the app location not to pollute the reset state of the git repo
+        #
+        # @note Order is important, as for local env we should load from
+        #   local file (if present first)
+        FILE_NAMES = %w[
+          .coditsu/local.yml
+          .coditsu/ci.yml
+          .coditsu/*.yml
+          .coditsu.yml
+        ].map { |name| ["../#{name}", name] }.tap(&:flatten!).freeze
+
+        private_constant :FILE_NAMES
+
+        class << self
+          # Looks for coditsu settings file for a given env
+          #
+          # @param build_path [String] path of the current build
+          #
+          # @return [String] path to the file from which we should load all the settings
+          def call(build_path)
+            FILE_NAMES
+              .map { |name| File.join(build_path, name) }
+              .map { |name| Dir[name] }
+              .find { |selection| !selection.empty? }
+              .tap { |path| path || raise(Errors::MissingConfigurationFile) }
+              .first
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/errors.rb

@@ -0,0 +1,15 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    # Build runner app errors
+    module Errors
+      # Base error class from which all the errors should inherit
+      BaseError = Class.new(StandardError)
+      # Raised when we couldn't find a valid configuration file
+      MissingConfigurationFile = Class.new(BaseError)
+      # When we receive invalid remote versions type
+      InvalidRemoteVersionsType = Class.new(BaseError)
+    end
+  end
+end

data/lib/bundler/security/version.rb

@@ -1,5 +1,10 @@
+# frozen_string_literal: true
+
 module Bundler
   module Security
-    VERSION = "0.0.1"
+    # Current BundlerSecurity version
+    VERSION = '0.1.0'
+    # Coditsu differ homepage
+    HOMEPAGE = 'https://diff.coditsu.io'
   end
 end

data/lib/bundler/security/voting.rb

@@ -0,0 +1,72 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    # Verifies voting verdicts for gems
+    module Voting
+      class << self
+        # Build verdict
+        #
+        # @param command [String] either install or update
+        # @param definition [Bundler::Definition] definition for your source
+        def call(command, definition)
+          remote_data(command, definition)
+            .then { |policy, gems| [policy, build_gems(policy, gems)] }
+            .then { |policy, errors| build_status(policy.type, command, errors) }
+        end
+
+        # Build gems that don't have enough approvals
+        #
+        # @param policy [Voting::RemotePolicy] remote policy settings
+        # @param gems [Hash] remote gem statistics
+        #
+        # @return [Array] gems that don't have enough approvals based on remote policy
+        def build_gems(policy, gems)
+          gems.each_with_object([]) do |(name, data), errors|
+            gem_policy = GemPolicy.new(name, data, policy)
+
+            next if gem_policy.approved?
+            next unless gem_policy.rejected?
+
+            errors << BuildUnsafeGem.call(gem_policy)
+          end
+        end
+
+        # Fetch data from the differ
+        #
+        # @param command [String] either install or update
+        # @param definition [Bundler::Definition]
+        def remote_data(command, definition)
+          Versions::Remote
+            .call(command, definition)
+            .yield_self { |response| [build_remote_policy(response['policy']), response['gems']] }
+        end
+
+        # Build remote policy based on Coditsu differ settings
+        #
+        # @param policy [Hash] remote policy settings
+        #
+        # @return [Voting::RemotePolicy]
+        def build_remote_policy(policy)
+          RemotePolicy.new(
+            policy['type'], policy['threshold']
+          )
+        end
+
+        # Build security verdict
+        #
+        # @param remote_policy_type [String]
+        # @param command [String] either install or update
+        # @param errors [Array] detected security errors
+        def build_status(remote_policy_type, command, errors)
+          if errors.empty?
+            BuildSuccess.call(remote_policy_type, command)
+          else
+            BuildFailure.call(remote_policy_type, command, errors)
+            exit 1
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/build_failure.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Build failure security verdict
+      module BuildFailure
+        class << self
+          # Prints failure security verdict
+          #
+          # @param policy_type [String]
+          # @param command [String] either install or update
+          # @param errors [Array] detected security errors
+          def call(policy_type, command, errors)
+            Bundler.ui.error(
+              build(policy_type, command, errors)
+            )
+          end
+
+          # Builds failure security verdict message
+          #
+          # @param policy_type [String]
+          # @param command [String] either install or update
+          # @param errors [Array] detected security errors
+          #
+          # @return [String]
+          def build(policy_type, command, errors)
+            [
+              "\n",
+              message_type(policy_type),
+              ", blocking #{command}",
+              "\n\n",
+              errors.join("\n"),
+              "\n\n"
+            ].join
+          end
+
+          # Builds a message based on policy type
+          #
+          # @param policy_type [String]
+          #
+          # @return [String]
+          #
+          # @raise InvalidPolicyType if policy type was not recognized
+          def message_type(policy_type)
+            case policy_type
+            when 'organization'
+              'Not enough reviews on your organization'
+            when 'community'
+              'Not enough reviews in the community'
+            else
+              raise InvalidPolicyType, policy_type
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/build_success.rb

@@ -0,0 +1,55 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Build successful security verdict
+      module BuildSuccess
+        class << self
+          # Prints successful security verdict
+          #
+          # @param policy_type [String]
+          # @param command [String] either install or update
+          def call(policy_type, command)
+            Bundler.ui.confirm(
+              build(policy_type, command)
+            )
+          end
+
+          # Builds successful security verdict message
+          #
+          # @param policy_type [String]
+          # @param command [String] either install or update
+          #
+          # @return [String]
+          def build(policy_type, command)
+            [
+              "\n",
+              message_type(policy_type),
+              ", commencing #{command}",
+              "\n\n"
+            ].join
+          end
+
+          # Builds a message based on policy type
+          #
+          # @param policy_type [String]
+          #
+          # @return [String]
+          #
+          # @raise InvalidPolicyType if policy type was not recognized
+          def message_type(policy_type)
+            case policy_type
+            when 'organization'
+              'All gems approved by your organization'
+            when 'community'
+              'All gems approved by community'
+            else
+              raise InvalidPolicyType, policy_type
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/build_unsafe_gem.rb

@@ -0,0 +1,73 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Module responsible for building unsafe gem details
+      module BuildUnsafeGem
+        # Differ url
+        DIFF_URL = 'https://diff.coditsu.io/gems'
+
+        class << self
+          # Builds details of an unsafe gem
+          #
+          # @param gem_policy [Voting::GemPolicy]
+          #
+          # @return [String]
+          def call(gem_policy)
+            [
+              gem_policy.name,
+              gem_policy.new_version? ? gem_policy.new_version : gem_policy.current_version,
+              '-',
+              [
+                approved(gem_policy.remote_policy, gem_policy),
+                rejected(gem_policy.remote_policy, gem_policy)
+              ].compact.join(', ')
+            ].join(' ')
+          end
+
+          # Builds safe details
+          #
+          # @param remote_policy [Voting::RemotePolicy]
+          # @param gem_policy [Voting::GemPolicy]
+          #
+          # @return [String]
+          def approved(remote_policy, gem_policy)
+            return if gem_policy.approved?
+
+            array = []
+            array << "approved (#{gem_policy.approved} expected #{remote_policy.approved})"
+            array << differ_url(gem_policy)
+            array.join(' ')
+          end
+
+          # Builds malicious details
+          #
+          # @param remote_policy [Voting::RemotePolicy]
+          # @param gem_policy [Voting::GemPolicy]
+          #
+          # @return [String]
+          def rejected(remote_policy, gem_policy)
+            return if gem_policy.rejected?
+
+            array = []
+            array << "rejected (#{gem_policy.rejected} expected #{remote_policy.rejected})"
+            array << differ_url(gem_policy)
+            array.join(' ')
+          end
+
+          # Builds differ url for gem with version details
+          #
+          # @param gem_policy [Voting::GemPolicy]
+          #
+          # @return [String]
+          def differ_url(gem_policy)
+            array = [DIFF_URL, gem_policy.name, gem_policy.current_version]
+            array << gem_policy.new_version if gem_policy.new_version?
+            array.join('/')
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/gem_policy.rb

@@ -0,0 +1,67 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Gem policy with statistics from Coditsu differ
+      class GemPolicy
+        attr_reader :name, :current_version, :new_version, :remote_policy
+
+        # Build gem policy
+        #
+        # @param name [String] gem name
+        # @param gem_data [Array] gem version and statistics from Coditsu
+        # @param remote_policy [Voting::RemotePolicy]
+        def initialize(name, gem_data, remote_policy)
+          @name = name
+          @new_version = nil
+
+          versions = gem_data.first
+
+          raise Errors::InvalidRemoteVersionsType, versions.class unless versions.is_a?(Array)
+
+          @current_version = versions.first.empty? ? versions.last : versions.first
+          @new_version = versions.last if @current_version != versions.last
+
+          @remote_policy = remote_policy
+          @threshold = gem_data.last[remote_policy.type]
+        end
+
+        # How many time gem was marked as safe
+        #
+        # @return [Integer]
+        def approved
+          @threshold['up'].to_i
+        end
+
+        # How many time gem was marked as malicious
+        #
+        # @return [Integer]
+        def rejected
+          @threshold['down'].to_i
+        end
+
+        # Checks if a gem is safe based on a remote policy
+        #
+        # @return [Boolean] true if it's safe, false otherwise
+        def approved?
+          approved >= @remote_policy.approved
+        end
+
+        # Checks if a gem is malicious based on a remote policy
+        #
+        # @return [Boolean] true if it's malicious, false otherwise
+        def rejected?
+          @remote_policy.rejected >= rejected
+        end
+
+        # Check if a new version was requested
+        #
+        # @return [Boolean] true if new version was requested, false otherwise
+        def new_version?
+          !@new_version.nil?
+        end
+      end
+    end
+  end
+end