dependabot-nuget 0.80.0

data/lib/dependabot/nuget/update_checker/property_updater.rb

@@ -0,0 +1,95 @@
+# frozen_string_literal: true
+
+require "dependabot/nuget/file_parser"
+require "dependabot/nuget/update_checker"
+
+module Dependabot
+  module Nuget
+    class UpdateChecker
+      class PropertyUpdater
+        require_relative "version_finder"
+        require_relative "requirements_updater"
+
+        def initialize(dependency:, dependency_files:, credentials:,
+                       target_version_details:, ignored_versions:)
+          @dependency       = dependency
+          @dependency_files = dependency_files
+          @credentials      = credentials
+          @ignored_versions = ignored_versions
+          @target_version   = target_version_details&.fetch(:version)
+          @source_details   = target_version_details&.
+                              slice(:nuspec_url, :repo_url, :source_url)
+        end
+
+        def update_possible?
+          return false unless target_version
+
+          @update_possible ||=
+            dependencies_using_property.all? do |dep|
+              versions = VersionFinder.new(
+                dependency: dep,
+                dependency_files: dependency_files,
+                credentials: credentials,
+                ignored_versions: ignored_versions
+              ).versions.map { |v| v.fetch(:version) }
+
+              versions.include?(target_version) || versions.none?
+            end
+        end
+
+        def updated_dependencies
+          raise "Update not possible!" unless update_possible?
+
+          @updated_dependencies ||=
+            dependencies_using_property.map do |dep|
+              Dependency.new(
+                name: dep.name,
+                version: target_version.to_s,
+                requirements: updated_requirements(dep),
+                previous_version: dep.version,
+                previous_requirements: dep.requirements,
+                package_manager: dep.package_manager
+              )
+            end
+        end
+
+        private
+
+        attr_reader :dependency, :dependency_files, :target_version,
+                    :source_details, :credentials, :ignored_versions
+
+        def dependencies_using_property
+          @dependencies_using_property ||=
+            Nuget::FileParser.new(
+              dependency_files: dependency_files,
+              source: nil
+            ).parse.select do |dep|
+              dep.requirements.any? do |r|
+                r.dig(:metadata, :property_name) == property_name
+              end
+            end
+        end
+
+        def property_name
+          @property_name ||= dependency.requirements.
+                             find { |r| r.dig(:metadata, :property_name) }&.
+                             dig(:metadata, :property_name)
+
+          raise "No requirement with a property name!" unless @property_name
+
+          @property_name
+        end
+
+        def updated_requirements(dep)
+          @updated_requirements ||= {}
+          @updated_requirements[dep.name] ||=
+            RequirementsUpdater.new(
+              requirements: dep.requirements,
+              latest_version: target_version,
+              source_details: source_details
+            ).updated_requirements
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/update_checker/repository_finder.rb

@@ -0,0 +1,230 @@
+# frozen_string_literal: true
+
+require "excon"
+require "nokogiri"
+require "dependabot/errors"
+require "dependabot/nuget/update_checker"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Nuget
+    class UpdateChecker
+      class RepositoryFinder
+        DEFAULT_REPOSITORY_URL = "https://api.nuget.org/v3/index.json"
+
+        def initialize(dependency:, credentials:, config_file: nil)
+          @dependency  = dependency
+          @credentials = credentials
+          @config_file = config_file
+        end
+
+        def dependency_urls
+          find_dependency_urls
+        end
+
+        private
+
+        attr_reader :dependency, :credentials, :config_file
+
+        def find_dependency_urls
+          @find_dependency_urls ||=
+            known_repositories.flat_map do |details|
+              if details.fetch(:url) == DEFAULT_REPOSITORY_URL
+                # Save a request for the default URL, since we already how
+                # it addresses packages
+                next default_repository_details
+              end
+
+              build_url_for_details(details)
+            end.compact.uniq
+        end
+
+        def build_url_for_details(repo_details)
+          response = get_repo_metadata(repo_details)
+          check_repo_reponse(response, repo_details)
+          return unless response.status == 200
+
+          base_url = base_url_from_v3_metadata(JSON.parse(response.body))
+          search_url = search_url_from_v3_metadata(JSON.parse(response.body))
+
+          details = {
+            repository_url: repo_details.fetch(:url),
+            auth_header: auth_header_for_token(repo_details.fetch(:token)),
+            repository_type: "v3"
+          }
+          if base_url
+            details[:versions_url] =
+              File.join(base_url, dependency.name.downcase, "index.json")
+          end
+          if search_url
+            details[:search_url] =
+              search_url + "?q=#{dependency.name.downcase}&prerelease=true"
+          end
+          details
+        rescue JSON::ParserError
+          build_v2_url(response, repo_details)
+        rescue Excon::Error::Timeout, Excon::Error::Socket
+          handle_timeout(repo_metadata_url: repo_details.fetch(:url))
+        end
+
+        def get_repo_metadata(repo_details)
+          Excon.get(
+            repo_details.fetch(:url),
+            headers: auth_header_for_token(repo_details.fetch(:token)),
+            idempotent: true,
+            **SharedHelpers.excon_defaults
+          )
+        end
+
+        def base_url_from_v3_metadata(metadata)
+          metadata.
+            fetch("resources", []).
+            find { |r| r.fetch("@type") == "PackageBaseAddress/3.0.0" }&.
+            fetch("@id")
+        end
+
+        def search_url_from_v3_metadata(metadata)
+          metadata.
+            fetch("resources", []).
+            find { |r| r.fetch("@type") == "SearchQueryService" }&.
+            fetch("@id")
+        end
+
+        def build_v2_url(response, repo_details)
+          doc = Nokogiri::XML(response.body)
+          doc.remove_namespaces!
+          base_url = doc.at_xpath("service")&.attributes&.fetch("base")&.value
+          return unless base_url
+
+          {
+            repository_url: base_url,
+            versions_url: File.join(
+              base_url,
+              "FindPackagesById()?id='#{dependency.name}'"
+            ),
+            auth_header: auth_header_for_token(repo_details.fetch(:token)),
+            repository_type: "v2"
+          }
+        end
+
+        def check_repo_reponse(response, details)
+          return unless [401, 402, 403].include?(response.status)
+          raise if details.fetch(:url) == DEFAULT_REPOSITORY_URL
+
+          raise PrivateSourceAuthenticationFailure, details.fetch(:url)
+        end
+
+        def handle_timeout(repo_metadata_url:)
+          raise if repo_metadata_url == DEFAULT_REPOSITORY_URL
+
+          raise PrivateSourceTimedOut, repo_metadata_url
+        end
+
+        def known_repositories
+          return @known_repositories if @known_repositories
+
+          @known_repositories = []
+          @known_repositories += credential_repositories
+          @known_repositories += config_file_repositories
+
+          if @known_repositories.empty?
+            @known_repositories << { url: DEFAULT_REPOSITORY_URL, token: nil }
+          end
+
+          @known_repositories.uniq
+        end
+
+        def credential_repositories
+          @credential_repositories ||=
+            credentials.
+            select { |cred| cred["type"] == "nuget_feed" }.
+            map { |c| { url: c.fetch("url"), token: c["token"] } }
+        end
+
+        def config_file_repositories
+          return [] unless config_file
+
+          doc = Nokogiri::XML(config_file.content)
+          doc.remove_namespaces!
+          sources =
+            doc.css("configuration > packageSources > add").map do |node|
+              {
+                key:
+                  node.attribute("key")&.value&.strip ||
+                    node.at_xpath("./key")&.content&.strip,
+                url:
+                  node.attribute("value")&.value&.strip ||
+                    node.at_xpath("./value")&.content&.strip
+              }
+            end
+
+          sources.reject! do |s|
+            known_urls = credential_repositories.map { |cr| cr.fetch(:url) }
+            known_urls.include?(s.fetch(:url))
+          end
+
+          add_config_file_credentials(sources: sources, doc: doc)
+          sources.each { |details| details.delete(:key) }
+
+          sources
+        end
+
+        def default_repository_details
+          {
+            repository_url: DEFAULT_REPOSITORY_URL,
+            versions_url: "https://api.nuget.org/v3-flatcontainer/"\
+                             "#{dependency.name.downcase}/index.json",
+            search_url: "https://api-v2v3search-0.nuget.org/query"\
+                             "?q=#{dependency.name.downcase}&prerelease=true",
+            auth_header: {},
+            repository_type: "v3"
+          }
+        end
+
+        def add_config_file_credentials(sources:, doc:)
+          sources.each do |source_details|
+            key = source_details.fetch(:key)
+            next source_details[:token] = nil unless key
+            next source_details[:token] = nil if key.match?(/^\d/)
+
+            tag = key.gsub(" ", "_x0020_")
+            creds_nodes = doc.css("configuration > packageSourceCredentials "\
+                                  "> #{tag} > add")
+
+            username =
+              creds_nodes.
+              find { |n| n.attribute("key")&.value == "Username" }&.
+              attribute("value")&.value
+            password =
+              creds_nodes.
+              find { |n| n.attribute("key")&.value == "ClearTextPassword" }&.
+              attribute("value")&.value
+
+            # Note: We have to look for plain text passwords, as we have no
+            # way of decrypting encrypted passwords. For the same reason we
+            # don't fetch API keys from the nuget.config at all.
+            next source_details[:token] = nil unless username && password
+
+            source_details[:token] = "#{username}:#{password}"
+          end
+
+          sources
+        end
+
+        def auth_header_for_token(token)
+          return {} unless token
+
+          if token.include?(":")
+            encoded_token = Base64.encode64(token).delete("\n")
+            { "Authorization" => "Basic #{encoded_token}" }
+          elsif Base64.decode64(token).ascii_only? &&
+                Base64.decode64(token).include?(":")
+            { "Authorization" => "Basic #{token.delete("\n")}" }
+          else
+            { "Authorization" => "Bearer #{token}" }
+          end
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/update_checker/requirements_updater.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+#######################################################################
+# For more details on Dotnet version constraints, see:                #
+# https://docs.microsoft.com/en-us/nuget/reference/package-versioning #
+#######################################################################
+
+require "dependabot/nuget/update_checker"
+require "dependabot/nuget/version"
+
+module Dependabot
+  module Nuget
+    class UpdateChecker
+      class RequirementsUpdater
+        VERSION_REGEX = /[0-9a-zA-Z]+(?:\.[a-zA-Z0-9\-]+)*/.freeze
+
+        def initialize(requirements:, latest_version:, source_details:)
+          @requirements = requirements
+          @source_details = source_details
+          return unless latest_version
+
+          @latest_version = version_class.new(latest_version)
+        end
+
+        def updated_requirements
+          return requirements unless latest_version
+
+          # Note: Order is important here. The FileUpdater needs the updated
+          # requirement at index `i` to correspond to the previous requirement
+          # at the same index.
+          requirements.map do |req|
+            next req if req.fetch(:requirement).nil?
+            next req if req.fetch(:requirement).include?(",")
+
+            new_req =
+              if req.fetch(:requirement).include?("*")
+                update_wildcard_requirement(req.fetch(:requirement))
+              else
+                # Since range requirements are excluded by the line above we
+                # can just do a `gsub` on anything that looks like a version
+                req[:requirement].gsub(VERSION_REGEX, latest_version.to_s)
+              end
+
+            next req if new_req == req.fetch(:requirement)
+
+            req.merge(requirement: new_req, source: updated_source)
+          end
+        end
+
+        private
+
+        attr_reader :requirements, :latest_version, :source_details
+
+        def version_class
+          Nuget::Version
+        end
+
+        def update_wildcard_requirement(req_string)
+          precision = req_string.split("*").first.split(/\.|\-/).count
+          wilcard_section = req_string.partition(/(?=[.\-]\*)/).last
+
+          version_parts = latest_version.segments.first(precision)
+          version = version_parts.join(".")
+
+          version + wilcard_section
+        end
+
+        def updated_source
+          {
+            type: "nuget_repo",
+            url: source_details.fetch(:repo_url),
+            nuspec_url: source_details.fetch(:nuspec_url),
+            source_url: source_details.fetch(:source_url)
+          }
+        end
+      end
+    end
+  end
+end

data/lib/dependabot/nuget/update_checker/version_finder.rb

@@ -0,0 +1,229 @@
+# frozen_string_literal: true
+
+require "excon"
+require "nokogiri"
+
+require "dependabot/nuget/version"
+require "dependabot/nuget/requirement"
+require "dependabot/nuget/update_checker"
+require "dependabot/shared_helpers"
+
+module Dependabot
+  module Nuget
+    class UpdateChecker
+      class VersionFinder
+        require_relative "repository_finder"
+
+        def initialize(dependency:, dependency_files:, credentials:,
+                       ignored_versions: [])
+          @dependency = dependency
+          @dependency_files = dependency_files
+          @credentials = credentials
+          @ignored_versions = ignored_versions
+        end
+
+        def latest_version_details
+          @latest_version_details ||=
+            begin
+              tmp_versions = versions
+              unless wants_prerelease?
+                tmp_versions.reject! { |d| d.fetch(:version).prerelease? }
+              end
+              tmp_versions.reject! do |hash|
+                ignore_reqs.any? { |r| r.satisfied_by?(hash.fetch(:version)) }
+              end
+              tmp_versions.max_by { |hash| hash.fetch(:version) }
+            end
+        end
+
+        def versions
+          available_v3_versions + available_v2_versions
+        end
+
+        attr_reader :dependency, :dependency_files, :credentials,
+                    :ignored_versions
+
+        private
+
+        def available_v3_versions
+          v3_nuget_listings.flat_map do |listing|
+            listing.
+              fetch("versions", []).
+              map do |v|
+                nuspec_url =
+                  listing.fetch("listing_details").
+                  fetch(:versions_url).
+                  gsub(/index\.json$/, "#{v}/#{sanitized_name}.nuspec")
+
+                {
+                  version: version_class.new(v),
+                  nuspec_url: nuspec_url,
+                  source_url: nil,
+                  repo_url:
+                    listing.fetch("listing_details").fetch(:repository_url)
+                }
+              end
+          end
+        end
+
+        def available_v2_versions
+          v2_nuget_listings.flat_map do |listing|
+            body = listing.fetch("xml_body", [])
+            doc = Nokogiri::XML(body)
+            doc.remove_namespaces!
+
+            doc.xpath("/feed/entry").map do |entry|
+              listed = entry.at_xpath("./properties/Listed")&.content&.strip
+              next if listed&.casecmp("false")&.zero?
+
+              entry_details = dependency_details_from_v2_entry(entry)
+              entry_details.merge(
+                repo_url: listing.fetch("listing_details").
+                          fetch(:repository_url)
+              )
+            end.compact
+          end
+        end
+
+        def dependency_details_from_v2_entry(entry)
+          version = entry.at_xpath("./properties/Version").content.strip
+          source_urls = []
+          [
+            entry.at_xpath("./properties/ProjectUrl").content,
+            entry.at_xpath("./properties/ReleaseNotes").content
+          ].join(" ").scan(Source::SOURCE_REGEX) do
+            source_urls << Regexp.last_match.to_s
+          end
+
+          source_url = source_urls.find { |url| Source.from_url(url) }
+          source_url = Source.from_url(source_url)&.url if source_url
+
+          {
+            version: version_class.new(version),
+            nuspec_url: nil,
+            source_url: source_url
+          }
+        end
+
+        def wants_prerelease?
+          if dependency.version &&
+             version_class.correct?(dependency.version) &&
+             version_class.new(dependency.version).prerelease?
+            return true
+          end
+
+          dependency.requirements.any? do |req|
+            reqs = (req.fetch(:requirement) || "").split(",").map(&:strip)
+            reqs.any? { |r| r.include?("-") }
+          end
+        end
+
+        def v3_nuget_listings
+          return @v3_nuget_listings unless @v3_nuget_listings.nil?
+
+          dependency_urls.
+            select { |details| details.fetch(:repository_type) == "v3" }.
+            map do |url_details|
+              versions = versions_for_v3_repository(url_details)
+              next unless versions
+
+              { "versions" => versions, "listing_details" => url_details }
+            end.compact
+        end
+
+        def v2_nuget_listings
+          return @v2_nuget_listings unless @v2_nuget_listings.nil?
+
+          dependency_urls.
+            select { |details| details.fetch(:repository_type) == "v2" }.
+            map do |url_details|
+              response = Excon.get(
+                url_details[:versions_url],
+                headers: url_details[:auth_header],
+                idempotent: true,
+                **excon_defaults
+              )
+              next unless response.status == 200
+
+              {
+                "xml_body" => response.body,
+                "listing_details" => url_details
+              }
+            end.compact
+        end
+
+        def versions_for_v3_repository(repository_details)
+          # If we have a search URL we use it (since it will exclude unlisted
+          # versions)
+          if repository_details[:search_url]
+            response = Excon.get(
+              repository_details[:search_url],
+              headers: repository_details[:auth_header],
+              idempotent: true,
+              **excon_defaults
+            )
+            return unless response.status == 200
+
+            JSON.parse(response.body).fetch("data").
+              find { |d| d.fetch("id").casecmp(sanitized_name).zero? }&.
+              fetch("versions")&.
+              map { |d| d.fetch("version") }
+          # Otherwise, use the versions URL
+          elsif repository_details[:versions_url]
+            response = Excon.get(
+              repository_details[:versions_url],
+              headers: repository_details[:auth_header],
+              idempotent: true,
+              **excon_defaults
+            )
+            return unless response.status == 200
+
+            JSON.parse(response.body).fetch("versions")
+          end
+        end
+
+        def dependency_urls
+          @dependency_urls ||=
+            RepositoryFinder.new(
+              dependency: dependency,
+              credentials: credentials,
+              config_file: nuget_config
+            ).dependency_urls
+        end
+
+        def ignore_reqs
+          ignored_versions.map { |req| requirement_class.new(req.split(",")) }
+        end
+
+        def nuget_config
+          @nuget_config ||=
+            dependency_files.find { |f| f.name.casecmp("nuget.config").zero? }
+        end
+
+        def sanitized_name
+          dependency.name.downcase
+        end
+
+        def version_class
+          Nuget::Version
+        end
+
+        def requirement_class
+          Nuget::Requirement
+        end
+
+        def excon_defaults
+          # For large JSON files we sometimes need a little longer than for
+          # other languages. For example, see:
+          # https://dotnet.myget.org/F/aspnetcore-dev/api/v3/query?
+          # q=microsoft.aspnetcore.mvc&prerelease=true
+          SharedHelpers.excon_defaults.merge(
+            connect_timeout: 10,
+            write_timeout: 10,
+            read_timeout: 10
+          )
+        end
+      end
+    end
+  end
+end