bundler-security 0.0.1 → 0.1.0

data/lib/bundler/security/voting/remote_policy.rb

@@ -0,0 +1,24 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Remote policy settings from Coditsu
+      RemotePolicy = Struct.new(:type, :threshold) do
+        # How many time gem was marked as safe
+        #
+        # @return [Integer]
+        def approved
+          threshold['up'].to_i
+        end
+
+        # How many time gem was marked as malicious
+        #
+        # @return [Integer]
+        def rejected
+          threshold['down'].to_i
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/request.rb

@@ -0,0 +1,88 @@
+# frozen_string_literal: true
+
+require 'net/http'
+require 'openssl'
+require 'json'
+
+module Bundler
+  module Security
+    module Voting
+      # Module responsible for doing request to Coditsu differ
+      module Request
+        # Differ endpoint url
+        ENDPOINT_URL = 'https://diff.coditsu.io/api/bundler.json'
+        # Request headers
+        HEADERS = { 'Content-Type': 'application/json' }.freeze
+
+        private_constant :ENDPOINT_URL, :HEADERS
+
+        class << self
+          # Execute request to the differ
+          #
+          # @param config [OpenStruct] Coditsu config
+          # @param payload [Hash] with versions to check
+          #
+          # @return [Net::HTTPResponse] response from Coditsu differ
+          def call(config, payload)
+            build_http do |http, uri|
+              http.request(build_request(uri, config, payload))
+            end
+          end
+
+          # Builds http connection object
+          def build_http
+            uri = URI(differ_url)
+
+            Net::HTTP.start(
+              uri.host,
+              uri.port,
+              use_ssl: uri.scheme == 'https',
+              verify_mode: OpenSSL::SSL::VERIFY_NONE
+            ) { |http| yield(http, uri) }
+          end
+
+          # Build http post request and assigns headers and payload
+          #
+          # @param uri [URI::HTTPS]
+          # @param config [OpenStruct] Coditsu config
+          # @param payload [Hash] with versions to check
+          #
+          # @return [Net::HTTP::Post]
+          def build_request(uri, config, payload)
+            Net::HTTP::Post
+              .new(uri.request_uri, HEADERS)
+              .tap { |request| assign_auth(request, config) }
+              .tap { |request| assign_payload(request, payload) }
+          end
+
+          # Assigns basic authorization if provided in the config
+          #
+          # @param request [Net::HTTP::Post] prepared http post
+          # @param config [OpenStruct] Coditsu config
+          def assign_auth(request, config)
+            return unless config
+            return unless config.api_key
+            return unless config.api_secret
+
+            request.basic_auth(config.api_key, config.api_secret)
+          end
+
+          # Assigns payload as json
+          #
+          # @param request [Net::HTTP::Post] prepared http post
+          # @param payload [Hash] with versions to check
+          def assign_payload(request, payload)
+            request.body = JSON.dump(payload)
+          end
+
+          # Provides differ endpoint url
+          #
+          # @return [String]
+          def differ_url
+            ENV['CODITSU_DIFFER_URL'] || ENDPOINT_URL
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/versions/local.rb

@@ -0,0 +1,102 @@
+# frozen_string_literal: true
+
+module Bundler
+  module Security
+    module Voting
+      # Module responsible for handling both local and remote gem versions
+      module Versions
+        # Module responsible for preparing current or current/new versions of gems
+        module Local
+          class << self
+            # Definition of a local path, if it matches it means that we are the source
+            ME_PATH = '.'
+            # Sources that we expect to match ourselves too
+            ME_SOURCES = [
+              Bundler::Source::Gemspec,
+              Bundler::Source::Path
+            ].freeze
+
+            # @param command [String] either install or update
+            # @param definition [Bundler::Definition] definition for your source
+            def call(command, definition)
+              Bundler.ui.silence { definition.resolve_remotely! }
+
+              case command
+              when Commands::INSTALL then build_install(definition)
+              when Commands::UPDATE then build_update(definition)
+              else
+                raise ArgumentError, "invalid command: #{command}"
+              end
+            end
+
+            private
+
+            # @param definition [Bundler::Definition] definition for your source
+            def build_install(definition)
+              requested_specs = definition.requested_specs
+              locked_specs = definition.locked_gems.specs
+              introduced = requested_specs.map(&:name) - locked_specs.map(&:name)
+              introduced_specs = requested_specs.select { |spec| introduced.include?(spec.name) }
+              introduced_specs.concat(locked_specs)
+
+              introduced_specs.each_with_object({}) do |spec, hash|
+                next if skip?(spec.source)
+
+                hash[spec.name] = ['', spec.version.to_s]
+              end
+            end
+
+            # @param definition [Bundler::Definition] definition for your source
+            def build_update(definition)
+              locked_specs = definition.locked_gems.specs
+
+              definition.requested_specs.each_with_object({}) do |spec, hash|
+                next if skip?(spec.source)
+
+                locked_spec = locked_specs.find { |s| s.name == spec.name }
+
+                hash[spec.name] = if locked_spec
+                                    [locked_spec.version.to_s, spec.version.to_s]
+                                  else
+                                    ['', spec.version.to_s]
+                                  end
+              end
+            end
+
+            # Checks if we should skip a source
+            #
+            # @param source [Bundler::Source::Git, Bundler::Source::Rubygems]
+            #
+            # @return [Boolean] true if we should skip this source, false otherwise
+            def skip?(source)
+              return true if git?(source)
+              return true if me?(source)
+
+              false
+            end
+
+            # Checks if it's a git source
+            #
+            # @param source [Bundler::Source::Git, Bundler::Source::Rubygems]
+            #
+            # @return [Boolean] true if it's a git source, false otherwise
+            def git?(source)
+              source.instance_of?(Bundler::Source::Git)
+            end
+
+            # Checks if it's a self source, this happens for repositories that are a gem
+            #
+            # @param source [Bundler::Source::Path,Bundler::Source::Git,Bundler::Source::Rubygems]
+            #
+            # @return [Boolean] true if it's a self source, false otherwise
+            def me?(source)
+              return false unless ME_SOURCES.include?(source.class)
+
+              source.path.to_s == ME_PATH
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/bundler/security/voting/versions/remote.rb

@@ -0,0 +1,60 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Bundler
+  module Security
+    module Voting
+      # Module responsible for handling both local and remote gem versions
+      module Versions
+        # Module responsible for fetching safe/malicious votes
+        # for current or current/new versions of gems
+        module Remote
+          # Differ bundler url
+          ENDPOINT_URL = 'https://diff.coditsu.io/api/bundler.json'
+
+          private_constant :ENDPOINT_URL
+
+          class << self
+            # @param command [String] either install or update
+            # @param definition [Bundler::Definition] definition for your source
+            def call(command, definition)
+              config = fetch_config
+
+              Request
+                .call(config, payload(command, config&.repository_id, definition))
+                .then { |response| JSON.parse(response.body) }
+            end
+
+            # @param command [String] either install or update
+            # @param repository_id [String] coditsu repository_id
+            # @param definition [Bundler::Definition] definition for your source
+            #
+            # @return [Hash] payload for differ bundler endpoint
+            def payload(command, repository_id, definition)
+              Local.call(command, definition).each_with_object({}) do |(name, versions), hash|
+                hash[:data] ||= {}
+                hash[:data][:repository_id] = repository_id if repository_id
+                hash[:data][:gems] ||= {}
+                hash[:data][:gems][name] = versions
+              end
+            end
+
+            # Fetch coditsu config file
+            #
+            # @return [OpenStruct, nil] configuration object
+            #
+            # @raise [Errors::MissingConfigurationFile] when no config file
+            def fetch_config
+              Config::Fetcher.call(
+                File.expand_path('..', Bundler.bin_path)
+              )
+            rescue Errors::MissingConfigurationFile
+              nil
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/plugins.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+require 'bundler/security'
+
+Bundler::Security.register

metadata

@@ -1,65 +1,107 @@
 --- !ruby/object:Gem::Specification
 name: bundler-security
 version: !ruby/object:Gem::Version
-  version: 0.0.1
+  version: 0.1.0
 platform: ruby
 authors:
-- Maciej Mensfeld
+- Tomasz Pajor
 autorequire: 
-bindir: exe
-cert_chain: []
-date: 2019-10-24 00:00:00.000000000 Z
+bindir: bin
+cert_chain:
+- |
+  -----BEGIN CERTIFICATE-----
+  MIIEODCCAqCgAwIBAgIBATANBgkqhkiG9w0BAQsFADAjMSEwHwYDVQQDDBhtYWNp
+  ZWovREM9bWVuc2ZlbGQvREM9cGwwHhcNMTkwNzMwMTQ1NDU0WhcNMjAwNzI5MTQ1
+  NDU0WjAjMSEwHwYDVQQDDBhtYWNpZWovREM9bWVuc2ZlbGQvREM9cGwwggGiMA0G
+  CSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQC9fCwtaHZG2SyyNXiH8r0QbJQx/xxl
+  dkvwWz9QGJO+O8rEx20FB1Ab+MVkfOscwIv5jWpmk1U9whzDPl1uFtIbgu+sk+Zb
+  uQlZyK/DPN6c+/BbBL+RryTBRyvkPLoCVwm7uxc/JZ1n4AI6eF4cCZ2ieZ9QgQbU
+  MQs2QPqs9hT50Ez/40GnOdadVfiDDGz+NME2C4ms0BriXwZ1tcRTfJIHe2xjIbbb
+  y5qRGfsLKcgMzvLQR24olixyX1MR0s4+Wveq3QL/gBhL4veUcv+UABJA8IJR0kyB
+  seHHutusiwZ1v3SjjjW1xLLrc2ARV0mgCb0WaK2T4iA3oFTGLh6Ydz8LNl31KQFv
+  94nRd8IhmJxrhQ6dQ/WT9IXoa5S9lfT5lPJeINemH4/6QPABzf9W2IZlCdI9wCdB
+  TBaw57MKneGAYZiKjw6OALSy2ltQUCl3RqFl3VP7n8uFy1U987Q5VIIQ3O1UUsQD
+  Oe/h+r7GUU4RSPKgPlrwvW9bD/UQ+zF51v8CAwEAAaN3MHUwCQYDVR0TBAIwADAL
+  BgNVHQ8EBAMCBLAwHQYDVR0OBBYEFJNIBHdfEUD7TqHqIer2YhWaWhwcMB0GA1Ud
+  EQQWMBSBEm1hY2llakBtZW5zZmVsZC5wbDAdBgNVHRIEFjAUgRJtYWNpZWpAbWVu
+  c2ZlbGQucGwwDQYJKoZIhvcNAQELBQADggGBAKA4eqko6BTNhlysip6rfBkVTGri
+  ZXsL+kRb2hLvsQJS/kLyM21oMlu+LN0aPj3qEFR8mE/YeDD8rLAfruBRTltPNbR7
+  xA5eE1gkxY5LfExUtK3b2wPqfmo7mZgfcsMwfYg/tUXw1WpBCnrhAJodpGH6SXmp
+  A40qFUZst0vjiOoO+aTblIHPmMJXoZ3K42dTlNKlEiDKUWMRKSgpjjYGEYalFNWI
+  hHfCz2r8L2t+dYdMZg1JGbEkq4ADGsAA8ioZIpJd7V4hI17u5TCdi7X5wh/0gN0E
+  CgP+nLox3D+l2q0QuQEkayr+auFYkzTCkF+BmEk1D0Ru4mcf3F4CJvEmW4Pzbjqt
+  i1tsCWPtJ4E/UUKnKaWKqGbjrjHJ0MuShYzHkodox5IOiCXIQg+1+YSzfXUV6WEK
+  KJG/fhg1JV5vVDdVy6x+tv5SQ5ctU0feCsVfESi3rE3zRd+nvzE9HcZ5aXeL1UtJ
+  nT5Xrioegu2w1jPyVEgyZgTZC5rvD0nNS5sFNQ==
+  -----END CERTIFICATE-----
+date: 2019-11-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '2.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - "~>"
+    - - ">="
       - !ruby/object:Gem::Version
-        version: '10.0'
-description: Gem placeholder for gem that is under development.
+        version: '0'
+description: Bundler Security
 email:
-- maciej@mensfeld.pl
+- tomek@coditsu.io
 executables: []
 extensions: []
 extra_rdoc_files: []
 files:
+- ".circleci/config.yml"
+- ".coditsu/ci.yml"
 - ".gitignore"
+- ".ruby-version"
 - Gemfile
-- LICENSE.txt
+- Gemfile.lock
+- LICENSE
 - README.md
-- Rakefile
-- bin/console
-- bin/setup
 - bundler-security.gemspec
+- certs/mensfeld.pem
 - lib/bundler/security.rb
+- lib/bundler/security/commands.rb
+- lib/bundler/security/config/fetcher.rb
+- lib/bundler/security/config/file_finder.rb
+- lib/bundler/security/errors.rb
 - lib/bundler/security/version.rb
+- lib/bundler/security/voting.rb
+- lib/bundler/security/voting/build_failure.rb
+- lib/bundler/security/voting/build_success.rb
+- lib/bundler/security/voting/build_unsafe_gem.rb
+- lib/bundler/security/voting/gem_policy.rb
+- lib/bundler/security/voting/remote_policy.rb
+- lib/bundler/security/voting/request.rb
+- lib/bundler/security/voting/versions/local.rb
+- lib/bundler/security/voting/versions/remote.rb
+- plugins.rb
 homepage: https://diff.coditsu.io
 licenses:
-- LGPL3
+- MIT
 metadata:
-  homepage_uri: https://diff.coditsu.io
+  allowed_push_host: https://rubygems.org
 post_install_message: 
 rdoc_options: []
 require_paths:
@@ -78,5 +120,5 @@ requirements: []
 rubygems_version: 3.0.3
 signing_key: 
 specification_version: 4
-summary: Gem placeholder
+summary: Bundler Security
 test_files: []

data/LICENSE.txt

@@ -1,21 +0,0 @@
-The MIT License (MIT)
-
-Copyright (c) 2019 Maciej Mensfeld
-
-Permission is hereby granted, free of charge, to any person obtaining a copy
-of this software and associated documentation files (the "Software"), to deal
-in the Software without restriction, including without limitation the rights
-to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-copies of the Software, and to permit persons to whom the Software is
-furnished to do so, subject to the following conditions:
-
-The above copyright notice and this permission notice shall be included in
-all copies or substantial portions of the Software.
-
-THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-THE SOFTWARE.

data/Rakefile

@@ -1,2 +0,0 @@
-require "bundler/gem_tasks"
-task :default => :spec