dependabot-hex 0.213.0 → 0.214.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 30d16ac35f7e452a754f78329c9ef9ba1fd65758264be8220338a721e66dbcb6
-  data.tar.gz: 94a09051bf06589fe462aa33ab4440d1c5207069a23d8d45aea8517aeb16427e
+  metadata.gz: 66e2212df8486009a3da3b280dc0c36e342556e4765760c0c3dc38a71e034a00
+  data.tar.gz: d3a62fc111e0e50212cb617bc19f8e86077bf681b3b1d82d1950e16fc283a67a
 SHA512:
-  metadata.gz: b9461aa63f1f9a7f6184b29659bbf2a006642fb70eb402787ecbe9a747251c6ae2bf0dd6b484f4e80fa9a0b4b5db42fc2d9eb838aa84c8277a261ce8c03113c8
-  data.tar.gz: 4a9453c6d17e8af0037c637041726c0c5e12fdcb9e061eaf208051fecf644ac6a54b2d6dcfbed7ed423b6593f6d7ad1c331a1cba796a113c89c0f4570ceb16c4
+  metadata.gz: 9233d16f7d684b4e79ed18914d2512c7c2f72d9ae5a6b23d86298f7ac01088d0b43caac63367339974337d36b448ff037906c49867bc1a4f12ebf5a65c052bfa
+  data.tar.gz: 564a484640d7135729f86dbe931debabda0c14255c5098a4e1041ec97b2f8dfe69f4fe86ba5bf1bea86223037a7e335de6621feec39e6429ca464549bd76e591

data/helpers/build

@@ -10,7 +10,14 @@ fi
 install_dir="$DEPENDABOT_NATIVE_HELPERS_PATH/hex"
 mkdir -p "$install_dir"
 
-mix local.hex --force
+# Initial Hex install - will always be the latest available version
+mix local.hex --force --if-missing
+# Annoyingly, a specific Hex version cannot be specified during the initial install.
+# The only way to pin is to re-install.
+if [ -n "$HEX_VERSION" ]; then
+  mix hex.install "$HEX_VERSION"
+fi
+
 mix archive.install hex nerves_bootstrap --force
 
 helpers_dir="$(dirname "${BASH_SOURCE[0]}")"

data/helpers/lib/check_update.exs

@@ -1,9 +1,8 @@
 defmodule UpdateChecker do
-  def run(dependency_name, credentials) do
-    set_credentials(credentials)
-
+  def run(dependency_name) do
     # Update the lockfile in a session that we can time out
     task = Task.async(fn -> do_resolution(dependency_name) end)
+
     case Task.yield(task, 30000) || Task.shutdown(task) do
       {:ok, {:ok, :resolution_successful}} ->
         # Read the new lock
@@ -15,43 +14,20 @@ defmodule UpdateChecker do
           updated_lock
           |> Map.get(String.to_atom(dependency_name))
           |> elem(2)
+
         {:ok, version}
 
-      {:ok, {:error, error}} -> {:error, error}
+      {:ok, {:error, error}} ->
+        {:error, error}
 
-      nil -> {:error, :dependency_resolution_timed_out}
+      nil ->
+        {:error, :dependency_resolution_timed_out}
 
-      {:exit, reason} -> {:error, reason}
+      {:exit, reason} ->
+        {:error, reason}
     end
   end
 
-  defp set_credentials(credentials) do
-    credentials
-    |> Enum.reduce([], fn cred, acc ->
-      if List.last(acc) == nil || List.last(acc)[:token] do
-        List.insert_at(acc, -1, %{organization: cred})
-      else
-        {item, acc} = List.pop_at(acc, -1)
-        item = Map.put(item, :token, cred)
-        List.insert_at(acc, -1, item)
-      end
-    end)
-    |> Enum.each(fn cred ->
-      hexpm = Hex.Repo.get_repo("hexpm")
-
-      repo = %{
-        url: hexpm.url <> "/repos/#{cred.organization}",
-        public_key: nil,
-        auth_key: cred.token
-      }
-
-      Hex.Config.read()
-      |> Hex.Config.read_repos()
-      |> Map.put("hexpm:#{cred.organization}", repo)
-      |> Hex.Config.update_repos()
-    end)
-  end
-
   defp do_resolution(dependency_name) do
     # Fetch dependencies that needs updating
     {dependency_lock, rest_lock} =
@@ -59,6 +35,7 @@ defmodule UpdateChecker do
 
     try do
       Mix.Dep.Fetcher.by_name([dependency_name], dependency_lock, rest_lock, [])
+
       {:ok, :resolution_successful}
     rescue
       error -> {:error, error}
@@ -66,15 +43,14 @@ defmodule UpdateChecker do
   end
 end
 
-[dependency_name | credentials] = System.argv()
-
+[dependency_name] = System.argv()
 
-case UpdateChecker.run(dependency_name, credentials) do
+case UpdateChecker.run(dependency_name) do
   {:ok, version} ->
     version = :erlang.term_to_binary({:ok, version})
     IO.write(:stdio, version)
 
-  {:error, %Hex.Version.InvalidRequirementError{} = error}  ->
+  {:error, %Version.InvalidRequirementError{} = error}  ->
     result = :erlang.term_to_binary({:error, "Invalid requirement: #{error.requirement}"})
     IO.write(:stdio, result)
 

data/helpers/lib/do_update.exs

@@ -1,35 +1,11 @@
-[dependency_name | credentials] = System.argv()
-
-grouped_creds = Enum.reduce credentials, [], fn cred, acc ->
-  if List.last(acc) == nil || List.last(acc)[:token] do
-    List.insert_at(acc, -1, %{ organization: cred })
-  else
-    { item, acc } = List.pop_at(acc, -1)
-    item = Map.put(item, :token, cred)
-    List.insert_at(acc, -1, item)
-  end
-end
-
-Enum.each grouped_creds, fn cred ->
-  hexpm = Hex.Repo.get_repo("hexpm")
-  repo = %{
-    url: hexpm.url <> "/repos/#{cred.organization}",
-    public_key: nil,
-    auth_key: cred.token
-  }
-
-  Hex.Config.read()
-  |> Hex.Config.read_repos()
-  |> Map.put("hexpm:#{cred.organization}", repo)
-  |> Hex.Config.update_repos()
-end
-
-# dependency atom
-dependency = String.to_atom(dependency_name)
+dependency =
+  System.argv()
+  |> List.first()
+  |> String.to_atom()
 
 # Fetch dependencies that needs updating
 {dependency_lock, rest_lock} = Map.split(Mix.Dep.Lock.read(), [dependency])
-Mix.Dep.Fetcher.by_name([dependency_name], dependency_lock, rest_lock, [])
+Mix.Dep.Fetcher.by_name([dependency], dependency_lock, rest_lock, [])
 
 System.cmd(
   "mix",

data/helpers/lib/run.exs

@@ -11,7 +11,8 @@ defmodule DependencyHelper do
           {:ok, :erlang.binary_to_term(output)}
         end
 
-      {error, 1} -> {:error, error}
+      {error, 1} ->
+        {:error, error}
     end
     |> handle_result()
   end
@@ -40,37 +41,115 @@ defmodule DependencyHelper do
     run_script("parse_deps.exs", dir)
   end
 
-  defp run(%{"function" => "get_latest_resolvable_version", "args" => [dir, dependency_name, credentials]}) do
-    run_script("check_update.exs", dir, [dependency_name] ++ credentials)
+  defp run(%{
+         "function" => "get_latest_resolvable_version",
+         "args" => [dir, dependency_name, credentials]
+       }) do
+    set_credentials(credentials)
+
+    run_script("check_update.exs", dir, [dependency_name])
   end
 
   defp run(%{"function" => "get_updated_lockfile", "args" => [dir, dependency_name, credentials]}) do
-    run_script("do_update.exs", dir, [dependency_name] ++ credentials)
+    set_credentials(credentials)
+
+    run_script("do_update.exs", dir, [dependency_name])
   end
 
   defp run_script(script, dir, args \\ []) do
-    args = [
-      "run",
-      "--no-deps-check",
-      "--no-start",
-      "--no-compile",
-      "--no-elixir-version-check",
-      script
-    ] ++ args
+    args =
+      [
+        "run",
+        "--no-deps-check",
+        "--no-start",
+        "--no-compile",
+        "--no-elixir-version-check",
+        script
+      ] ++ args
 
     System.cmd(
       "mix",
       args,
-      [
-        cd: dir,
-        env: %{
-          "MIX_EXS" => nil,
-          "MIX_LOCK" => nil,
-          "MIX_DEPS" => nil
-        }
-      ]
+      cd: dir,
+      env: %{
+        "MIX_EXS" => nil,
+        "MIX_LOCK" => nil,
+        "MIX_DEPS" => nil
+      }
     )
   end
+
+  defp set_credentials([]), do: :ok
+
+  defp set_credentials(["hex_organization", organization, token | tail]) do
+    url =
+      "hexpm"
+      |> Hex.Repo.get_repo()
+      |> Map.fetch!(:url)
+      |> URI.merge("/repos/#{organization}")
+      |> to_string()
+
+    update_repos("hexpm:#{organization}", %{url: url, public_key: nil, auth_key: token})
+
+    set_credentials(tail)
+  end
+
+  defp set_credentials(["hex_repository", repo, url, auth_key, fingerprint | tail]) do
+    case fetch_public_key(repo, url, auth_key, fingerprint) do
+      {:ok, public_key} ->
+        update_repos(repo, %{auth_key: auth_key, public_key: public_key, url: url})
+
+        set_credentials(tail)
+
+      error ->
+        handle_result(error)
+    end
+  end
+
+  defp set_credentials([_mode, org_or_url | _]) do
+    handle_result({:error, "Missing credentials for \"#{org_or_url}\""})
+  end
+
+  defp update_repos(name, opts) do
+    Hex.Config.read()
+    |> Hex.Config.read_repos()
+    |> Map.put(name, opts)
+    |> Hex.Config.update_repos()
+  end
+
+  defp fetch_public_key(repo, repo_url, auth_key, fingerprint) do
+    case Hex.Repo.get_public_key(repo_url, auth_key) do
+      {:ok, {200, key, _}} ->
+        if public_key_matches?(key, fingerprint) do
+          {:ok, key}
+        else
+          {:error, "Public key fingerprint mismatch for repo \"#{repo}\""}
+        end
+
+      {:ok, {code, _, _}} ->
+        {:error, "Downloading public key for repo \"#{repo}\" failed with code: #{inspect(code)}"}
+
+      other ->
+        {:error, "Downloading public key for repo \"#{repo}\" failed: #{inspect(other)}"}
+    end
+  end
+
+  defp public_key_matches?(_public_key, _fingerprint = ""), do: true
+
+  defp public_key_matches?(public_key, fingerprint) do
+    public_key =
+      public_key
+      |> :public_key.pem_decode()
+      |> List.first()
+      |> :public_key.pem_entry_decode()
+
+    decoded_fingerprint =
+      :sha256
+      |> :ssh.hostkey_fingerprint(public_key)
+      |> List.to_string()
+
+    decoded_fingerprint == fingerprint
+  end
 end
 
 DependencyHelper.main()

data/lib/dependabot/hex/credential_helpers.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Dependabot
+  module Hex
+    module CredentialHelpers
+      def self.hex_credentials(credentials)
+        organization_credentials(credentials) + repo_credentials(credentials)
+      end
+
+      def self.organization_credentials(credentials)
+        defaults = { "organization" => "", "token" => "" }
+        keys = %w(type organization token)
+
+        credentials.
+          select { |cred| cred["type"] == "hex_organization" }.
+          flat_map { |cred| defaults.merge(cred).slice(*keys).values }
+      end
+
+      def self.repo_credentials(credentials)
+        # Credentials are serialized as an array that may not have optional fields. Using a
+        # default ensures that the array is always the same length, even if values are empty.
+        defaults = { "url" => "", "auth_key" => "", "public_key_fingerprint" => "" }
+        keys = %w(type repo url auth_key public_key_fingerprint)
+
+        credentials.
+          select { |cred| cred["type"] == "hex_repository" }.
+          flat_map { |cred| defaults.merge(cred).slice(*keys).values }
+      end
+    end
+  end
+end

data/lib/dependabot/hex/file_updater/lockfile_updater.rb

@@ -4,8 +4,9 @@ require "dependabot/hex/file_updater"
 require "dependabot/hex/file_updater/mixfile_updater"
 require "dependabot/hex/file_updater/mixfile_sanitizer"
 require "dependabot/hex/file_updater/mixfile_requirement_updater"
-require "dependabot/hex/version"
+require "dependabot/hex/credential_helpers"
 require "dependabot/hex/native_helpers"
+require "dependabot/hex/version"
 require "dependabot/shared_helpers"
 
 module Dependabot
@@ -29,7 +30,7 @@ module Dependabot
                   env: mix_env,
                   command: "mix run #{elixir_helper_path}",
                   function: "get_updated_lockfile",
-                  args: [Dir.pwd, dependency.name, organization_credentials]
+                  args: [Dir.pwd, dependency.name, CredentialHelpers.hex_credentials(credentials)]
                 )
               end
             end
@@ -131,11 +132,6 @@ module Dependabot
         def lockfile
           @lockfile ||= dependency_files.find { |f| f.name == "mix.lock" }
         end
-
-        def organization_credentials
-          credentials.select { |cred| cred["type"] == "hex_organization" }.
-            flat_map { |cred| [cred["organization"], cred.fetch("token", "")] }
-        end
       end
     end
   end

data/lib/dependabot/hex/update_checker/version_resolver.rb

@@ -2,6 +2,7 @@
 
 require "dependabot/hex/version"
 require "dependabot/hex/update_checker"
+require "dependabot/hex/credential_helpers"
 require "dependabot/hex/native_helpers"
 require "dependabot/hex/file_updater/mixfile_sanitizer"
 require "dependabot/shared_helpers"
@@ -32,10 +33,7 @@ module Dependabot
           latest_resolvable_version =
             SharedHelpers.in_a_temporary_directory do
               write_temporary_sanitized_dependency_files
-              FileUtils.cp(
-                elixir_helper_check_update_path,
-                "check_update.exs"
-              )
+              FileUtils.cp(elixir_helper_check_update_path, "check_update.exs")
 
               SharedHelpers.with_git_configured(credentials: credentials) do
                 run_elixir_update_checker
@@ -55,23 +53,31 @@ module Dependabot
             env: mix_env,
             command: "mix run #{elixir_helper_path}",
             function: "get_latest_resolvable_version",
-            args: [Dir.pwd,
-                   dependency.name,
-                   organization_credentials],
+            args: [Dir.pwd, dependency.name, CredentialHelpers.hex_credentials(credentials)],
             stderr_to_stdout: true
           )
         end
 
         def handle_hex_errors(error)
-          if error.message.include?("No authenticated organization found")
-            org = error.message.match(/found for ([a-z_]+)\./).captures.first
-            raise Dependabot::PrivateSourceAuthenticationFailure, org
+          if (match = error.message.match(/No authenticated organization found for (?<repo>[a-z_]+)\./))
+            raise Dependabot::PrivateSourceAuthenticationFailure, match[:repo]
           end
 
-          if error.message.include?("Failed to fetch record for")
-            org_match = error.message.match(%r{for 'hexpm:([a-z_]+)/})
-            org = org_match&.captures&.first
-            raise Dependabot::PrivateSourceAuthenticationFailure, org if org
+          if (match = error.message.match(/Public key fingerprint mismatch for repo "(?<repo>[a-z_]+)"/))
+            raise Dependabot::PrivateSourceAuthenticationFailure, match[:repo]
+          end
+
+          if (match = error.message.match(/Missing credentials for "(?<repo>[a-z_]+)"/))
+            raise Dependabot::PrivateSourceAuthenticationFailure, match[:repo]
+          end
+
+          if (match = error.message.match(/Downloading public key for repo "(?<repo>[a-z_]+)"/))
+            raise Dependabot::PrivateSourceAuthenticationFailure, match[:repo]
+          end
+
+          if (match = error.message.match(/Failed to fetch record for '(?<repo>[a-z_]+)(?::(?<org>[a-z_]+))?/))
+            name = match[:org] || match[:repo]
+            raise Dependabot::PrivateSourceAuthenticationFailure, name
           end
 
           # TODO: Catch the warnings as part of the Elixir module. This happens
@@ -171,12 +177,6 @@ module Dependabot
         def elixir_helper_check_update_path
           File.join(NativeHelpers.hex_helpers_dir, "lib/check_update.exs")
         end
-
-        def organization_credentials
-          credentials.
-            select { |cred| cred["type"] == "hex_organization" }.
-            flat_map { |cred| [cred["organization"], cred.fetch("token", "")] }
-        end
       end
     end
   end

data/lib/dependabot/hex/update_checker.rb

@@ -231,7 +231,7 @@ module Dependabot
       # rubocop:enable Metrics/PerceivedComplexity
 
       def filter_lower_versions(versions_array)
-        return versions_array unless current_version && version_class.correct?(current_version)
+        return versions_array unless current_version
 
         versions_array.select do |version|
           version > current_version
@@ -251,12 +251,6 @@ module Dependabot
         nil
       end
 
-      def current_version
-        return unless dependency.version && version_class.correct?(dependency.version)
-
-        version_class.new(dependency.version)
-      end
-
       def wants_prerelease?
         return true if current_version&.prerelease?
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-hex
 version: !ruby/object:Gem::Version
-  version: 0.213.0
+  version: 0.214.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-10-31 00:00:00.000000000 Z
+date: 2022-12-01 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.213.0
+        version: 0.214.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.213.0
+        version: 0.214.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -58,14 +58,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 4.0.0
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
@@ -114,14 +114,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 1.37.1
+        version: 1.39.0
 - !ruby/object:Gem::Dependency
   name: rubocop-performance
   requirement: !ruby/object:Gem::Requirement
@@ -221,6 +221,7 @@ files:
 - helpers/mix.exs
 - helpers/mix.lock
 - lib/dependabot/hex.rb
+- lib/dependabot/hex/credential_helpers.rb
 - lib/dependabot/hex/file_fetcher.rb
 - lib/dependabot/hex/file_parser.rb
 - lib/dependabot/hex/file_updater.rb