cpflow 4.1.1 → 5.0.0.rc.0

data/lib/core/controlplane.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require "shellwords"
+
 class Controlplane # rubocop:disable Metrics/ClassLength
   attr_reader :config, :api, :gvc, :org
 
@@ -93,14 +95,14 @@ class Controlplane # rubocop:disable Metrics/ClassLength
   def image_build(image, dockerfile:, docker_context:, docker_args: [], build_args: [])
     # https://docs.controlplane.com/guides/push-image#step-2
     # Might need to use `docker buildx build` if compatiblitity issues arise
-    cmd = "docker build --platform=linux/amd64 -t #{image} -f #{dockerfile}"
-    cmd += " --progress=plain" if ControlplaneApiDirect.trace
+    cmd = ["docker", "build", "--platform=linux/amd64", "-t", image, "-f", dockerfile]
+    cmd << "--progress=plain" if ControlplaneApiDirect.trace
 
-    cmd += " #{docker_args.join(' ')}" if docker_args.any?
-    build_args.each { |build_arg| cmd += " --build-arg #{build_arg}" }
-    cmd += " #{docker_context}"
+    cmd.concat(docker_args)
+    build_args.each { |build_arg| cmd.concat(["--build-arg", build_arg]) }
+    cmd << docker_context
 
-    perform!(cmd)
+    perform!(Shellwords.join(cmd))
   end
 
   def fetch_image_details(image)
@@ -321,7 +323,7 @@ class Controlplane # rubocop:disable Metrics/ClassLength
   # domain
 
   def find_domain_route(data)
-    port = data["spec"]["ports"].find { |current_port| current_port["number"] == 80 || current_port["number"] == 443 }
+    port = data["spec"]["ports"].find { |current_port| [80, 443].include?(current_port["number"]) }
     return nil if port.nil? || port["routes"].nil?
 
     route = port["routes"].find { |current_route| current_route["prefix"] == "/" }
@@ -404,11 +406,12 @@ class Controlplane # rubocop:disable Metrics/ClassLength
   end
 
   # apply
-  def apply_template(data) # rubocop:disable Metrics/MethodLength
+  def apply_template(data, wait: false) # rubocop:disable Metrics/MethodLength, Metrics/PerceivedComplexity
     Tempfile.create do |f|
       f.write(data)
       f.rewind
       cmd = "cpln apply #{gvc_org} --file #{f.path}"
+      cmd += " --ready" if wait && ENV.fetch("DISABLE_APPLY_READY", nil).nil?
       if Shell.tmp_stderr
         cmd += " 2> #{Shell.tmp_stderr.path}" if Shell.should_hide_output?
 
@@ -429,8 +432,8 @@ class Controlplane # rubocop:disable Metrics/ClassLength
     end
   end
 
-  def apply_hash(data)
-    apply_template(data.to_yaml)
+  def apply_hash(data, wait: false)
+    apply_template(data.to_yaml, wait: wait)
   end
 
   def parse_apply_result(result) # rubocop:disable Metrics/CyclomaticComplexity, Metrics/MethodLength, Metrics/PerceivedComplexity

data/lib/core/controlplane_api_direct.rb

@@ -1,5 +1,27 @@
 # frozen_string_literal: true
 
+class RedactedDebugOutput
+  SAFE_HEADERS = %w[Content-Type Content-Length Accept Host Date Cache-Control Connection].freeze
+  HEADER_REGEX = /^([A-Za-z-]+): (.+)$/
+
+  def <<(msg)
+    $stdout << redact(msg)
+  end
+
+  private
+
+  def redact(msg)
+    msg.lines.map { |line| redact_line(line) }.join
+  end
+
+  def redact_line(line)
+    match = line.match(HEADER_REGEX)
+    return line.gsub(/[\w\-._]{50,}/, "[REDACTED]") unless match
+
+    SAFE_HEADERS.any? { |h| h.casecmp(match[1]).zero? } ? line : "#{match[1]}: [REDACTED]\n"
+  end
+end
+
 class ControlplaneApiDirect
   API_METHODS = {
     get: Net::HTTP::Get,
@@ -15,7 +37,7 @@ class ControlplaneApiDirect
   #  /^[\w\-._]{1134}$/ # 'cpln profile token' format
   # ).freeze
 
-  API_TOKEN_REGEX = /^[\w\-._]+$/.freeze
+  API_TOKEN_REGEX = /^[\w\-._]+$/
   API_TOKEN_EXPIRY_SECONDS = 300
 
   class << self
@@ -37,7 +59,7 @@ class ControlplaneApiDirect
 
     http = Net::HTTP.new(uri.hostname, uri.port)
     http.use_ssl = uri.scheme == "https"
-    http.set_debug_output($stdout) if trace
+    http.set_debug_output(RedactedDebugOutput.new) if trace
 
     response = http.start { |ht| ht.request(request) }
 
@@ -89,7 +111,7 @@ class ControlplaneApiDirect
   def should_refresh_api_token?
     return false unless api_token[:comes_from_profile]
 
-    payload, = JWT.decode(api_token[:token], nil, false)
+    payload, = JWT.decode(api_token[:token], nil, false, algorithms: [])
     difference_in_seconds = payload["exp"] - Time.now.to_i
 
     difference_in_seconds <= API_TOKEN_EXPIRY_SECONDS

data/lib/core/github_flow_readiness/checks.rb

@@ -0,0 +1,143 @@
+# frozen_string_literal: true
+
+module GithubFlowReadiness
+  Result = Struct.new(:status, :message, keyword_init: true)
+
+  # Each check class accepts the host service in its initializer (so it can reach the
+  # shared lockfile parser, HTTP version cache, etc.), exposes a single `call` method,
+  # and returns either a `Result`, an array of `Result`s, or `nil` (skipped). Adding
+  # a new check is "create a class with `call` and register it in
+  # `GithubFlowReadinessService::CHECKS`".
+  module Checks
+    class Base
+      def initialize(service)
+        @service = service
+      end
+
+      private
+
+      attr_reader :service
+
+      def root_path
+        service.root_path
+      end
+
+      def pass(message)
+        Result.new(status: :pass, message: message)
+      end
+
+      def fail_result(message)
+        Result.new(status: :fail, message: message)
+      end
+
+      def warn_result(message)
+        Result.new(status: :warn, message: message)
+      end
+
+      def info_result(message)
+        Result.new(status: :info, message: message)
+      end
+
+      def format_path_list(paths)
+        paths.map { |path| "`#{path}`" }.join(", ")
+      end
+
+      def first_existing_path(paths)
+        paths.find { |relative_path| root_path.join(relative_path).file? }
+      end
+
+      def missing_paths_for(paths)
+        paths.reject { |relative_path| root_path.join(relative_path).file? }
+      end
+    end
+
+    class RailsApp < Base
+      REQUIRED_PATHS = ["Gemfile", "bin/rails", "config/application.rb", "config.ru"].freeze
+
+      def call
+        missing = missing_paths_for(REQUIRED_PATHS)
+        return pass("Rails app scaffold found (#{format_path_list(REQUIRED_PATHS)}).") if missing.empty?
+
+        fail_result("Missing Rails runtime scaffold: #{format_path_list(missing)}.")
+      end
+    end
+
+    class RubyVersion < Base
+      # Oldest Ruby line still receiving security backports (ruby-lang.org/en/downloads/branches/).
+      # Bump this constant when the upstream list drops the 3.3 series.
+      THRESHOLD = Gem::Version.new("3.3.0")
+
+      def call
+        version = service.inferred_ruby_version
+        return warn_result("Could not determine the app Ruby version.") unless version
+        return pass("Ruby #{version} is modern enough for rollout.") if version >= THRESHOLD
+
+        fail_result("Ruby #{version} is legacy. Upgrade the repo toolchain before adding the GitHub flow.")
+      end
+    end
+
+    class BundlerVersion < Base
+      THRESHOLD = Gem::Version.new("2.0.0")
+
+      def call
+        version = service.lockfile_bundler_version
+        return warn_result("Could not determine the Bundler version from `Gemfile.lock`.") unless version
+        return pass("Bundler #{version} is modern enough for rollout.") if version >= THRESHOLD
+
+        fail_result("Bundler #{version} is legacy. Upgrade the repo toolchain before adding the GitHub flow.")
+      end
+    end
+
+    class Dockerfile < Base
+      PATHS = ["Dockerfile", ".controlplane/Dockerfile"].freeze
+
+      def call
+        path = first_existing_path(PATHS)
+        return pass("Found production Dockerfile at `#{path}`.") if path
+
+        fail_result(
+          "No production Dockerfile found at `Dockerfile` or `.controlplane/Dockerfile`. " \
+          "Add and validate one before generating the Control Plane GitHub flow."
+        )
+      end
+    end
+
+    class SqliteProduction < Base
+      def call
+        return unless service.sqlite_database_in_production?
+
+        info_result(
+          "Production database config uses SQLite. `cpflow generate` will scaffold " \
+          "persistent `db` and `storage` volumes."
+        )
+      end
+    end
+
+    class GemSources < Base
+      def call
+        non_public = service.gem_dependencies.reject { |dep| service.public_rubygems_dependency?(dep) }
+        return pass("All direct Ruby gems resolve from public RubyGems sources.") if non_public.empty?
+
+        names = non_public.map { |dep| dep[:name] }.sort
+        warn_result(
+          "Direct Ruby dependencies using git/path or non-public gem sources need manual review: " \
+          "#{names.map { |name| "`#{name}`" }.join(', ')}."
+        )
+      end
+    end
+
+    class GemExactPins < Base
+      def call
+        service.exact_pin_registry_result(service.rubygems_registry_check)
+      end
+    end
+
+    class NpmExactPins < Base
+      def call
+        return service.package_json_parse_error_result if service.package_json_parse_error
+
+        service.exact_pin_registry_result(service.npm_registry_check)
+      end
+    end
+  end
+end