RubyGems - dependabot-maven - Versions diffs - 0.140.0 → 0.141.1 - Mend

dependabot-maven 0.140.0 → 0.141.1

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/dependabot/maven/metadata_finder.rb +5 -17
data/lib/dependabot/maven/update_checker/version_finder.rb +16 -12
data/lib/dependabot/maven/utils/auth_headers_finder.rb +56 -0
metadata +5 -4

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 032f65402bd8c2354d1053333399b130b0752262df47fb6c40af8d0c8603d0f8
-  data.tar.gz: 19fc4b70b4d4d9127c56f0f56527333f03b4dbb26a4de8abbc52f6b04c317f7c
+  metadata.gz: 8fb530a1c8378e43ace00ea44e5f683ee64142c696f628c57830574e352097bd
+  data.tar.gz: cf0777299e97975ea4ce97ba926608346d11f003ec01fec6e5e3a19c8936fdf8
 SHA512:
-  metadata.gz: 0f5354f423db0616be3e944b5ae16e8f206d85d82b017565ab481007a6e4aea4ec4695d6b91b4791ca6ba71a1ae901757674317e1d3b9674900480a9e8bea673
-  data.tar.gz: 745c225b89beb7016ee2259f82402d1b7b61b5706d5fb6ec50aaadbfb73cb21d00e3ed35b88af843d33613a57909b1a4a3c38b2a152f6d880d59d82869803411
+  metadata.gz: 9acafa33468546c704a6118ed35837832341a5d928f18dcfa2638c29828d66a2fc880e93cdc2c42a944e3ec01405b6a6922819ac759ede0687498dc42399a975
+  data.tar.gz: 9017b597915608f49972db123e5dc655b3f28ceee1fff1bb44eced063786b97ff37cb9f0b9af57882b6be48802eb2555381517e262c7dbdaac2a1eccd3f0b2d3

data/lib/dependabot/maven/metadata_finder.rb CHANGED Viewed

@@ -6,6 +6,7 @@ require "dependabot/metadata_finders/base"
 require "dependabot/file_fetchers/base"
 require "dependabot/maven/file_parser"
 require "dependabot/maven/file_parser/repositories_finder"
+require "dependabot/maven/utils/auth_headers_finder"
 module Dependabot
   module Maven
@@ -104,7 +105,7 @@ module Dependabot
           "#{dependency.version}/"\
           "#{dependency_artifact_id}-#{dependency.version}.pom",
           idempotent: true,
-          **SharedHelpers.excon_defaults(headers: auth_details)
+          **SharedHelpers.excon_defaults(headers: auth_headers)
         )
         @dependency_pom_file = Nokogiri::XML(response.body)
@@ -135,7 +136,7 @@ module Dependabot
         response = Excon.get(
           substitute_properties_in_source_url(url, pom),
           idempotent: true,
-          **SharedHelpers.excon_defaults(headers: auth_details)
+          **SharedHelpers.excon_defaults(headers: auth_headers)
         )
         Nokogiri::XML(response.body)
@@ -156,21 +157,8 @@ module Dependabot
         "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}"
       end
-      def auth_details
-        cred =
-          credentials.select { |c| c["type"] == "maven_repository" }.
-          find do |c|
-            cred_url = c.fetch("url").gsub(%r{/+$}, "")
-            next false unless cred_url == maven_repo_url
-            c.fetch("username", nil)
-          end
-        return {} unless cred
-        token = cred.fetch("username") + ":" + cred.fetch("password")
-        encoded_token = Base64.encode64(token).delete("\n")
-        { "Authorization" => "Basic #{encoded_token}" }
+      def auth_headers
+        @auth_headers ||= Utils::AuthHeadersFinder.new(credentials).auth_headers(maven_repo_url)
       end
     end
   end

data/lib/dependabot/maven/update_checker/version_finder.rb CHANGED Viewed

@@ -6,6 +6,7 @@ require "dependabot/maven/file_parser/repositories_finder"
 require "dependabot/maven/update_checker"
 require "dependabot/maven/version"
 require "dependabot/maven/requirement"
+require "dependabot/maven/utils/auth_headers_finder"
 module Dependabot
   module Maven
@@ -152,10 +153,8 @@ module Dependabot
               url = repository_details.fetch("url")
               response = Excon.head(
                 dependency_files_url(url, version),
-                user: repository_details.fetch("username"),
-                password: repository_details.fetch("password"),
                 idempotent: true,
-                **SharedHelpers.excon_defaults
+                **SharedHelpers.excon_defaults(headers: repository_details.fetch("auth_headers"))
               )
               response.status < 400
@@ -173,10 +172,8 @@ module Dependabot
             begin
               response = Excon.get(
                 dependency_metadata_url(repository_details.fetch("url")),
-                user: repository_details.fetch("username"),
-                password: repository_details.fetch("password"),
                 idempotent: true,
-                **Dependabot::SharedHelpers.excon_defaults
+                **Dependabot::SharedHelpers.excon_defaults(headers: repository_details.fetch("auth_headers"))
               )
               check_response(response, repository_details.fetch("url"))
@@ -206,10 +203,10 @@ module Dependabot
           @repositories =
             details.reject do |repo|
-              next if repo["password"]
+              next if repo["auth_headers"]
-              # Reject this entry if an identical one with a password exists
-              details.any? { |r| r["url"] == repo["url"] && r["password"] }
+              # Reject this entry if an identical one with non-empty auth_headers exists
+              details.any? { |r| r["url"] == repo["url"] && r["auth_headers"] != {} }
             end
         end
@@ -219,7 +216,7 @@ module Dependabot
             new(dependency_files: dependency_files).
             repository_urls(pom: pom).
             map do |url|
-              { "url" => url, "username" => nil, "password" => nil }
+              { "url" => url, "auth_headers" => {} }
             end
         end
@@ -229,8 +226,7 @@ module Dependabot
             map do |cred|
               {
                 "url" => cred.fetch("url").gsub(%r{/+$}, ""),
-                "username" => cred.fetch("username", nil),
-                "password" => cred.fetch("password", nil)
+                "auth_headers" => auth_headers(cred.fetch("url").gsub(%r{/+$}, ""))
               }
             end
         end
@@ -287,6 +283,14 @@ module Dependabot
           %w(http:// https://).map { |p| p + central_url_without_protocol }
         end
+        def auth_headers_finder
+          @auth_headers_finder ||= Utils::AuthHeadersFinder.new(credentials)
+        end
+        def auth_headers(maven_repo_url)
+          auth_headers_finder.auth_headers(maven_repo_url)
+        end
       end
     end
   end

data/lib/dependabot/maven/utils/auth_headers_finder.rb ADDED Viewed

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module Dependabot
+  module Maven
+    module Utils
+      class AuthHeadersFinder
+        def initialize(credentials)
+          @credentials = credentials
+        end
+        def auth_headers(maven_repo_url)
+          cred =
+            credentials.select { |c| c["type"] == "maven_repository" }.
+            find do |c|
+              cred_url = c.fetch("url").gsub(%r{/+$}, "")
+              next false unless cred_url == maven_repo_url
+              c.fetch("username", nil)
+            end
+          return gitlab_auth_headers(maven_repo_url) unless cred
+          token = cred.fetch("username") + ":" + cred.fetch("password")
+          encoded_token = Base64.strict_encode64(token)
+          { "Authorization" => "Basic #{encoded_token}" }
+        end
+        private
+        attr_reader :credentials
+        def gitlab_auth_headers(maven_repo_url)
+          return {} unless gitlab_maven_repo?(URI(maven_repo_url).path)
+          cred =
+            credentials.select { |c| c["type"] == "git_source" }.
+            find do |c|
+              cred_host = c.fetch("host").gsub(%r{/+$}, "")
+              next false unless URI(maven_repo_url).host == cred_host
+              c.fetch("password", nil)
+            end
+          return {} unless cred
+          { "Private-Token" => cred.fetch("password") }
+        end
+        def gitlab_maven_repo?(maven_repo_path)
+          gitlab_maven_repo_reg = %r{^/api/v4.*/packages/maven/?$}.freeze
+          maven_repo_path.match?(gitlab_maven_repo_reg)
+        end
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.140.0
+  version: 0.141.1
 platform: ruby
 authors:
 - Dependabot
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2021-04-07 00:00:00.000000000 Z
+date: 2021-04-13 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.140.0
+        version: 0.141.1
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.140.0
+        version: 0.141.1
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -199,6 +199,7 @@ files:
 - lib/dependabot/maven/update_checker/property_updater.rb
 - lib/dependabot/maven/update_checker/requirements_updater.rb
 - lib/dependabot/maven/update_checker/version_finder.rb
+- lib/dependabot/maven/utils/auth_headers_finder.rb
 - lib/dependabot/maven/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses: