RubyGems - dependabot-maven - Versions diffs - 0.140.3 → 0.141.0 - Mend

dependabot-maven 0.140.3 → 0.141.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

checksums.yaml +4 -4
data/lib/dependabot/maven/metadata_finder.rb +5 -17
data/lib/dependabot/maven/update_checker/version_finder.rb +16 -12
data/lib/dependabot/maven/utils/auth_headers_finder.rb +56 -0
metadata +4 -3

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: faa01084789ce9d35656ae869fec4869cca61e2df243e1ddaeb74b2282c8c314
-  data.tar.gz: 665edebdc3fbdd17a11e19952df56a2e9025f3e93ff13bdab68a53f11c2676d0
+  metadata.gz: 151a0ba3ce7459d72866cfb1f41905cf273d8511aba880175ee61425b1d926ca
+  data.tar.gz: b2608b35aed7d66344017049d42c0a245a5611f475768c21a711a82d929180d1
 SHA512:
-  metadata.gz: 53fc158fc5e63b88681d89a3561167331012accf9765a8be2d49840679ac654eb7116058155d5ccc4f32732979c7dcdf8f67cbdfcbf898fdd9e8eb8d4edc8c5e
-  data.tar.gz: 3dc3738180ca20c9894b915dde558c49830fef8f93ea9de75604e46bf360662d6fe7a4b880218fee3abf57ccebdb440b7e6873d8e2a3655a85c7f02b06f57626
+  metadata.gz: 56eee00d65f6ffcd920792299fc18a5478e1989d0a982ad7b1e717d87cace69b39ffc467d40fe8afd723f1a2f0225b164497812670d9d3128bb389f9748cce94
+  data.tar.gz: 597decbc541d8dbabb9fb9cf193cee11bd7e75523be05177e3dd5dcd813b85317d1815801c923870e4e37c9e306552614fcf388fcdfba578d0133ea500672e3a

data/lib/dependabot/maven/metadata_finder.rb CHANGED Viewed

@@ -6,6 +6,7 @@ require "dependabot/metadata_finders/base"
 require "dependabot/file_fetchers/base"
 require "dependabot/maven/file_parser"
 require "dependabot/maven/file_parser/repositories_finder"
+require "dependabot/maven/utils/auth_headers_finder"
 module Dependabot
   module Maven
@@ -104,7 +105,7 @@ module Dependabot
           "#{dependency.version}/"\
           "#{dependency_artifact_id}-#{dependency.version}.pom",
           idempotent: true,
-          **SharedHelpers.excon_defaults(headers: auth_details)
+          **SharedHelpers.excon_defaults(headers: auth_headers)
         )
         @dependency_pom_file = Nokogiri::XML(response.body)
@@ -135,7 +136,7 @@ module Dependabot
         response = Excon.get(
           substitute_properties_in_source_url(url, pom),
           idempotent: true,
-          **SharedHelpers.excon_defaults(headers: auth_details)
+          **SharedHelpers.excon_defaults(headers: auth_headers)
         )
         Nokogiri::XML(response.body)
@@ -156,21 +157,8 @@ module Dependabot
         "#{maven_repo_url}/#{group_id.tr('.', '/')}/#{artifact_id}"
       end
-      def auth_details
-        cred =
-          credentials.select { |c| c["type"] == "maven_repository" }.
-          find do |c|
-            cred_url = c.fetch("url").gsub(%r{/+$}, "")
-            next false unless cred_url == maven_repo_url
-            c.fetch("username", nil)
-          end
-        return {} unless cred
-        token = cred.fetch("username") + ":" + cred.fetch("password")
-        encoded_token = Base64.encode64(token).delete("\n")
-        { "Authorization" => "Basic #{encoded_token}" }
+      def auth_headers
+        @auth_headers ||= Utils::AuthHeadersFinder.new(credentials).auth_headers(maven_repo_url)
       end
     end
   end

data/lib/dependabot/maven/update_checker/version_finder.rb CHANGED Viewed

@@ -6,6 +6,7 @@ require "dependabot/maven/file_parser/repositories_finder"
 require "dependabot/maven/update_checker"
 require "dependabot/maven/version"
 require "dependabot/maven/requirement"
+require "dependabot/maven/utils/auth_headers_finder"
 module Dependabot
   module Maven
@@ -152,10 +153,8 @@ module Dependabot
               url = repository_details.fetch("url")
               response = Excon.head(
                 dependency_files_url(url, version),
-                user: repository_details.fetch("username"),
-                password: repository_details.fetch("password"),
                 idempotent: true,
-                **SharedHelpers.excon_defaults
+                **SharedHelpers.excon_defaults(headers: repository_details.fetch("auth_headers"))
               )
               response.status < 400
@@ -173,10 +172,8 @@ module Dependabot
             begin
               response = Excon.get(
                 dependency_metadata_url(repository_details.fetch("url")),
-                user: repository_details.fetch("username"),
-                password: repository_details.fetch("password"),
                 idempotent: true,
-                **Dependabot::SharedHelpers.excon_defaults
+                **Dependabot::SharedHelpers.excon_defaults(headers: repository_details.fetch("auth_headers"))
               )
               check_response(response, repository_details.fetch("url"))
@@ -206,10 +203,10 @@ module Dependabot
           @repositories =
             details.reject do |repo|
-              next if repo["password"]
+              next if repo["auth_headers"]
-              # Reject this entry if an identical one with a password exists
-              details.any? { |r| r["url"] == repo["url"] && r["password"] }
+              # Reject this entry if an identical one with non-empty auth_headers exists
+              details.any? { |r| r["url"] == repo["url"] && r["auth_headers"] != {} }
             end
         end
@@ -219,7 +216,7 @@ module Dependabot
             new(dependency_files: dependency_files).
             repository_urls(pom: pom).
             map do |url|
-              { "url" => url, "username" => nil, "password" => nil }
+              { "url" => url, "auth_headers" => {} }
             end
         end
@@ -229,8 +226,7 @@ module Dependabot
             map do |cred|
               {
                 "url" => cred.fetch("url").gsub(%r{/+$}, ""),
-                "username" => cred.fetch("username", nil),
-                "password" => cred.fetch("password", nil)
+                "auth_headers" => auth_headers(cred.fetch("url").gsub(%r{/+$}, ""))
               }
             end
         end
@@ -287,6 +283,14 @@ module Dependabot
           %w(http:// https://).map { |p| p + central_url_without_protocol }
         end
+        def auth_headers_finder
+          @auth_headers_finder ||= Utils::AuthHeadersFinder.new(credentials)
+        end
+        def auth_headers(maven_repo_url)
+          auth_headers_finder.auth_headers(maven_repo_url)
+        end
       end
     end
   end

data/lib/dependabot/maven/utils/auth_headers_finder.rb ADDED Viewed

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+module Dependabot
+  module Maven
+    module Utils
+      class AuthHeadersFinder
+        def initialize(credentials)
+          @credentials = credentials
+        end
+        def auth_headers(maven_repo_url)
+          cred =
+            credentials.select { |c| c["type"] == "maven_repository" }.
+            find do |c|
+              cred_url = c.fetch("url").gsub(%r{/+$}, "")
+              next false unless cred_url == maven_repo_url
+              c.fetch("username", nil)
+            end
+          return gitlab_auth_headers(maven_repo_url) unless cred
+          token = cred.fetch("username") + ":" + cred.fetch("password")
+          encoded_token = Base64.strict_encode64(token)
+          { "Authorization" => "Basic #{encoded_token}" }
+        end
+        private
+        attr_reader :credentials
+        def gitlab_auth_headers(maven_repo_url)
+          return {} unless gitlab_maven_repo?(URI(maven_repo_url).path)
+          cred =
+            credentials.select { |c| c["type"] == "git_source" }.
+            find do |c|
+              cred_host = c.fetch("host").gsub(%r{/+$}, "")
+              next false unless URI(maven_repo_url).host == cred_host
+              c.fetch("password", nil)
+            end
+          return {} unless cred
+          { "Private-Token" => cred.fetch("password") }
+        end
+        def gitlab_maven_repo?(maven_repo_path)
+          gitlab_maven_repo_reg = %r{^/api/v4.*/packages/maven/?$}.freeze
+          maven_repo_path.match?(gitlab_maven_repo_reg)
+        end
+      end
+    end
+  end
+end

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-maven
 version: !ruby/object:Gem::Version
-  version: 0.140.3
+  version: 0.141.0
 platform: ruby
 authors:
 - Dependabot
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.140.3
+        version: 0.141.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.140.3
+        version: 0.141.0
 - !ruby/object:Gem::Dependency
   name: byebug
   requirement: !ruby/object:Gem::Requirement
@@ -199,6 +199,7 @@ files:
 - lib/dependabot/maven/update_checker/property_updater.rb
 - lib/dependabot/maven/update_checker/requirements_updater.rb
 - lib/dependabot/maven/update_checker/version_finder.rb
+- lib/dependabot/maven/utils/auth_headers_finder.rb
 - lib/dependabot/maven/version.rb
 homepage: https://github.com/dependabot/dependabot-core
 licenses: