dependabot-opentofu 0.373.0 → 0.374.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 6933f74905bb89917d0fe59c946b4cc8a91b59ea8f49d260cdd104621ba54070
-  data.tar.gz: 9c244107e1d9e785bf4e7a787ca226faa00358aac5340319f9e79ef1d44a8c83
+  metadata.gz: aa3a44a842816fbe0b288ec3a69f126b289901963dec69e46f2c81ee090aa22e
+  data.tar.gz: eb62f10d778dcc79fd4faa71618671c590c33623c712c06cb80dd48ecd94620d
 SHA512:
-  metadata.gz: 4bbe6adf898b1766be9d674df58edd40ec27aa87b1dcf30b34a946dd776e847fea01c95df907f84a5b52a6bc4a89b0ede5efe909fdefbcae3317e332e69e256f
-  data.tar.gz: 26d0ea01b13a161243108a6bde3afc911b0569f9b70d2db5ed702e62f6732d09d50302ee8949403e3b481a891bf814e691930e9fb488673649b0e1e8389c71a5
+  metadata.gz: 1db6d58ed3b8210058685d3db3819bb50e161168a57b7febad44bfcc4a8bdf72bf71441b049cbd2b7d184cd01f9db054e4b39d349e6c762da013c268f19ed071
+  data.tar.gz: 449c4e645fe70e7dc48a27ba1e01ea4bc3369619d2e97c42d8b614fe92bcb72368cc102db2edbb20ffde07fb124dc3f455385f2755a8986d9be49d2821d910a1

data/lib/dependabot/opentofu/file_parser.rb

@@ -30,6 +30,18 @@ module Dependabot
       # https://opentofu.org/docs/language/providers/requirements/#source-addresses
       PROVIDER_SOURCE_ADDRESS = %r{\A((?<hostname>.+)/)?(?<namespace>.+)/(?<name>.+)\z}
 
+      # Namespaces reserved for providers bundled with the OpenTofu/Terraform
+      # binary. Providers in these namespaces cannot be updated independently
+      # because their version tracks the binary itself.
+      # See: https://pkg.go.dev/github.com/opentofu/registry-address/v2#Provider.IsBuiltIn
+      BUILTIN_PROVIDER_NAMESPACES = T.let(
+        %w(
+          terraform.io/builtin
+          opentofu.org/builtin
+        ).freeze,
+        T::Array[String]
+      )
+
       sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
         dependency_set = DependencySet.new
@@ -56,6 +68,17 @@ module Dependabot
 
       private
 
+      sig { params(details: T.any(String, T::Hash[String, T.untyped])).returns(T::Boolean) }
+      def builtin_provider?(details)
+        return false unless details.is_a?(Hash)
+
+        source_address = details["source"]
+        return false unless source_address.is_a?(String)
+
+        normalized = source_address.downcase
+        BUILTIN_PROVIDER_NAMESPACES.any? { |ns| normalized.start_with?("#{ns}/") }
+      end
+
       # rubocop:disable Metrics/PerceivedComplexity
       sig { params(dependency_set: Dependabot::FileParsers::Base::DependencySet).void }
       def parse_opentofu_files(dependency_set)
@@ -75,24 +98,29 @@ module Dependabot
             details = details.first
 
             source = source_from(details)
-            # Cannot update local path modules, skip
-            next if source && source[:type] == "path"
+            # nil sources are unpinned (e.g. OCI without a tag/digest); paths are local.
+            next if source.nil? || source[:type] == "path"
 
             # Cannot update modules using early evaluation yet
-            if T.must(source)[:type] == "interpolation"
+            if source[:type] == "interpolation"
               Dependabot.logger.warn(
                 "Cannot parse module source name with early evaluation for #{name} in #{file.name}."
               )
               next
             end
 
-            dependency_set << build_opentofu_dependency(file, name, T.must(source), details)
+            dependency_set << build_opentofu_dependency(file, name, source, details)
           end
 
           parsed_file(file).fetch("terraform", []).each do |opentofu|
             required_providers = opentofu.fetch("required_providers", {})
             required_providers.each do |provider|
               provider.each do |name, details|
+                if builtin_provider?(details)
+                  Dependabot.logger.info("Skipping built-in provider #{name} in #{file.name}")
+                  next
+                end
+
                 dependency_set << build_provider_dependency(file, name, details)
               end
             end
@@ -137,6 +165,7 @@ module Dependabot
         version_req = details["version"]&.strip
         version =
           if source[:type] == "git" then version_from_ref(source[:ref])
+          elsif source[:type] == "oci" then source[:version]
           elsif version_req&.match?(/^\d/) then version_req
           end
 
@@ -230,18 +259,21 @@ module Dependabot
 
         source_details =
           case source_type
-          # TODO: add support for OCI Registries https://opentofu.org/docs/cli/oci_registries/
           when :http_archive, :path, :mercurial, :s3
             { type: source_type.to_s, url: bare_source }
           when :github, :bitbucket, :git
             git_source_details_from(bare_source)
+          when :oci
+            oci_source_details_from(bare_source)
           when :registry
             registry_source_details_from(bare_source)
           when :interpolation
             { type: source_type.to_s, name: bare_source }
           end
 
-        T.must(source_details)[:proxy_url] = raw_source if raw_source != bare_source
+        return nil if source_details.nil?
+
+        source_details[:proxy_url] = raw_source if raw_source != bare_source
         source_details
       end
 
@@ -260,6 +292,38 @@ module Dependabot
         ]
       end
 
+      sig { params(source_string: T.untyped).returns(T.nilable(T::Hash[Symbol, T.nilable(String)])) }
+      def oci_source_details_from(source_string)
+        uri_part, query_part = source_string.split("oci://").last.split("?", 2)
+
+        # Sources with no query string are unpinned — nothing to update.
+        return nil if query_part.nil?
+
+        # `//` (not preceded by `:`) separates the bare repository from a
+        # sub-module path; only the bare repo is queryable for tags.
+        artifact_identifier, subdirectory = uri_part.split(%r{(?<!:)//}, 2)
+
+        qs = CGI.parse(query_part)
+        # Treat `?tag=` or `?digest=` (empty value) the same as the param
+        # being absent, so we don't propagate "" as a usable version.
+        tag = qs["tag"].first&.then { |v| v.empty? ? nil : v }
+        digest = qs["digest"].first&.then { |v| v.empty? ? nil : v }
+
+        if tag && digest
+          raise DependencyFileNotEvaluatable,
+                "Invalid OCI source '#{source_string}': only one of `tag` or `digest` may be specified"
+        end
+
+        {
+          type: "oci",
+          artifact_identifier: artifact_identifier,
+          subdirectory: subdirectory,
+          tag: tag,
+          digest: digest,
+          version: tag || digest
+        }
+      end
+
       sig { params(source_string: T.untyped).returns(T::Hash[Symbol, String]) }
       def registry_source_details_from(source_string)
         parts = source_string.split("//").first.split("/")
@@ -333,7 +397,7 @@ module Dependabot
       # rubocop:disable Metrics/CyclomaticComplexity
       sig { params(source_string: String).returns(Symbol) }
       def source_type(source_string)
-        # TODO: add support for OCI Registries https://opentofu.org/docs/cli/oci_registries/
+        return :oci if source_string.include?("oci://")
         return :interpolation if source_string.include?("${")
         return :path if source_string.start_with?(".")
         return :github if source_string.start_with?("github.com/")

data/lib/dependabot/opentofu/file_updater.rb

@@ -92,6 +92,8 @@ module Dependabot
             update_git_declaration(new_req, old_req, content, file.name)
           when "registry", "provider"
             update_registry_declaration(new_req, old_req, content)
+          when "oci"
+            update_oci_declaration(new_req, old_req, content)
           else
             raise "Don't know how to update a #{new_req[:source][:type]} " \
                   "declaration!"
@@ -124,6 +126,29 @@ module Dependabot
         end
       end
 
+      sig do
+        params(
+          new_req: T::Hash[Symbol, T.untyped],
+          old_req: T.nilable(T::Hash[Symbol, T.untyped]),
+          updated_content: String
+        )
+          .void
+      end
+      def update_oci_declaration(new_req, old_req, updated_content)
+        old_tag = old_req&.dig(:source, :tag)
+        new_tag = new_req[:source][:tag]
+        artifact = old_req&.dig(:source, :artifact_identifier)
+        return if old_tag.nil? || new_tag.nil? || artifact.nil? || old_tag == new_tag
+
+        # Scoped to this artifact's source string so unrelated modules with
+        # the same tag value aren't touched.
+        oci_source_re = %r{
+          (["']oci://#{Regexp.escape(artifact)}(?://[^"'?]*)?\?[^"']*\btag=)
+          #{Regexp.escape(old_tag)}
+        }x
+        updated_content.gsub!(oci_source_re) { T.must(Regexp.last_match(1)) + new_tag }
+      end
+
       sig do
         params(
           new_req: T::Hash[Symbol, T.untyped],

data/lib/dependabot/opentofu/registry_client.rb

@@ -1,6 +1,9 @@
 # typed: strict
 # frozen_string_literal: true
 
+require "base64"
+require "uri"
+
 require "dependabot/dependency"
 require "dependabot/errors"
 require "dependabot/registry_client"
@@ -29,7 +32,12 @@ module Dependabot
         @api_base_url = T.let(API_BASE_URL, String)
         @tokens = T.let(
           credentials.each_with_object({}) do |item, memo|
-            memo[item["host"]] = item["token"] if item["type"] == "opentofu_registry"
+            # Only Bearer-token shaped creds belong here; OCI-only entries
+            # (username/password) would otherwise store a nil token and
+            # trigger a malformed `Authorization: Bearer ` header.
+            next unless item["type"] == "opentofu_registry" && item["token"]
+
+            memo[item["host"]] = item["token"]
           end,
           T::Hash[String, String]
         )
@@ -69,6 +77,52 @@ module Dependabot
       # rubocop:enable Metrics/AbcSize
       # rubocop:enable Metrics/PerceivedComplexity
 
+      # Fetch all tags for an OCI module artifact via the Distribution v2
+      # `GET /v2/<repo>/tags/list` endpoint. Returns Version objects whose
+      # to_s preserves the original tag string (so `v1.0.0` round-trips).
+      #
+      # @param artifact_identifier [String] "<host[:port]>/<repo>"
+      # @param credentials [Array<Dependabot::Credential>]
+      # @return [Array<Dependabot::Opentofu::Version>]
+      sig do
+        params(
+          artifact_identifier: String,
+          credentials: T::Array[Dependabot::Credential]
+        ).returns(T::Array[Dependabot::Opentofu::Version])
+      end
+      def self.all_oci_tags(artifact_identifier:, credentials: [])
+        host, _, repo = artifact_identifier.partition("/")
+        if host.empty? || repo.empty?
+          raise Dependabot::DependabotError, "Invalid OCI artifact: '#{artifact_identifier}'"
+        end
+
+        scheme = oci_scheme_for(host)
+        next_url = T.let("#{scheme}://#{host}/v2/#{repo}/tags/list", T.nilable(String))
+        tags = T.let([], T::Array[String])
+
+        while next_url
+          response = oci_get(next_url, host: host, credentials: credentials)
+          case response.status
+          when 200
+            body = JSON.parse(response.body)
+            tags.concat(Array(body["tags"]))
+          when 401, 403
+            raise Dependabot::PrivateSourceAuthenticationFailure, host
+          when 404
+            raise Dependabot::DependabotError,
+                  "OCI repository '#{repo}' not found on registry '#{host}'"
+          else
+            raise Dependabot::DependabotError,
+                  "OCI registry '#{host}' returned HTTP #{response.status} listing tags for '#{repo}'"
+          end
+          next_url = oci_next_page_url(response.headers["Link"], base: "#{scheme}://#{host}")
+        end
+
+        tags.filter_map { |t| Version.new(t) if Version.correct?(t) }
+      rescue Excon::Error::Socket, Excon::Error::Timeout
+        raise Dependabot::PrivateSourceBadResponse, host
+      end
+
       # Fetch all the versions of a provider, and return a Version
       # representation of them.
       #
@@ -156,6 +210,124 @@ module Dependabot
               "Available services: #{available}"
       end
 
+      # localhost registries are commonly served over plain HTTP in dev.
+      sig { params(host: String).returns(String) }
+      def self.oci_scheme_for(host)
+        bare_host = host.split(":").first
+        %w(localhost 127.0.0.1).include?(bare_host) ? "http" : "https"
+      end
+      private_class_method :oci_scheme_for
+
+      sig do
+        params(
+          url: String,
+          host: String,
+          credentials: T::Array[Dependabot::Credential]
+        ).returns(Excon::Response)
+      end
+      def self.oci_get(url, host:, credentials:)
+        cred = credentials.find do |c|
+          c["type"] == "opentofu_registry" && (c["host"] == host || c["registry"] == host)
+        end
+
+        headers = {}
+        headers["Authorization"] = oci_auth_header(cred) if cred
+
+        response = Dependabot::RegistryClient.get(url: url, headers: headers)
+
+        # OCI Distribution Spec: on 401 without explicit credentials, attempt the
+        # WWW-Authenticate Bearer challenge to access public registries anonymously.
+        if response.status == 401 && cred.nil?
+          token = oci_anonymous_bearer_token(response.headers["WWW-Authenticate"])
+          if token
+            response = Dependabot::RegistryClient.get(
+              url: url,
+              headers: { "Authorization" => "Bearer #{token}" }
+            )
+          end
+        end
+
+        response
+      end
+      private_class_method :oci_get
+
+      sig { params(www_authenticate: T.nilable(String)).returns(T.nilable(String)) }
+      def self.oci_anonymous_bearer_token(www_authenticate)
+        token_url = oci_bearer_token_url(www_authenticate)
+        return nil unless token_url
+
+        cached = oci_token_cache[token_url]
+        return cached[:token] if cached && T.cast(cached[:expires_at], Float) > Time.now.to_f
+
+        token_response = Dependabot::RegistryClient.get(url: token_url, headers: {})
+        return nil unless token_response.status == 200
+
+        body = JSON.parse(token_response.body)
+        token = body["token"]
+        expires_in = body.fetch("expires_in", 60).to_i
+        oci_token_cache[token_url] = { token: token, expires_at: Time.now.to_f + expires_in - 10 } if token
+        token
+      rescue StandardError
+        nil
+      end
+      private_class_method :oci_anonymous_bearer_token
+
+      # Parses a `WWW-Authenticate: Bearer realm="...",service="...",scope="..."`
+      # challenge and returns the token endpoint URL, or nil if not a Bearer challenge.
+      sig { params(www_authenticate: T.nilable(String)).returns(T.nilable(String)) }
+      def self.oci_bearer_token_url(www_authenticate)
+        return nil unless www_authenticate&.start_with?("Bearer ")
+
+        realm   = www_authenticate[/realm="([^"]+)"/, 1]
+        service = www_authenticate[/service="([^"]+)"/, 1]
+        scope   = www_authenticate[/scope="([^"]+)"/, 1]
+        return nil unless realm
+
+        params = {}
+        params["service"] = service if service
+        params["scope"]   = scope   if scope
+        "#{realm}?#{URI.encode_www_form(params)}"
+      end
+      private_class_method :oci_bearer_token_url
+
+      sig { returns(T::Hash[String, T::Hash[Symbol, T.untyped]]) }
+      def self.oci_token_cache
+        @oci_token_cache = T.let(
+          @oci_token_cache,
+          T.nilable(T::Hash[String, T::Hash[Symbol, T.untyped]])
+        )
+        @oci_token_cache ||= {}
+      end
+      private_class_method :oci_token_cache
+
+      # Basic for username/password pairs (OCI Distribution v2), Bearer for
+      # token-only creds (existing OpenTofu HTTP registry behaviour).
+      sig { params(cred: Dependabot::Credential).returns(String) }
+      def self.oci_auth_header(cred)
+        if cred["username"] && cred["password"]
+          "Basic " + Base64.strict_encode64("#{cred['username']}:#{cred['password']}")
+        else
+          "Bearer #{cred['token']}"
+        end
+      end
+      private_class_method :oci_auth_header
+
+      # Parses RFC 5988 `Link: <…>; rel="next"` from /tags/list responses.
+      sig { params(link_header: T.nilable(String), base: String).returns(T.nilable(String)) }
+      def self.oci_next_page_url(link_header, base:)
+        return nil if link_header.nil? || link_header.empty?
+
+        link_header.split(",").each do |part|
+          match = part.strip.match(/\A<([^>]+)>\s*;\s*rel="?next"?\z/)
+          next unless match
+
+          target = T.must(match[1])
+          return target.start_with?("http") ? target : "#{base}#{target}"
+        end
+        nil
+      end
+      private_class_method :oci_next_page_url
+
       private
 
       sig { returns(String) }

data/lib/dependabot/opentofu/requirements_updater.rb

@@ -84,6 +84,7 @@ module Dependabot
           case req.dig(:source, :type)
           when "git" then update_git_requirement(req)
           when "registry", "provider" then update_registry_requirement(req)
+          when "oci" then update_oci_requirement(req)
           else req
           end
         end
@@ -108,6 +109,20 @@ module Dependabot
         req.merge(source: req[:source].merge(ref: tag_for_latest_version))
       end
 
+      sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
+      def update_oci_requirement(req)
+        return req unless defined?(@latest_version) && @latest_version
+        return req if req.dig(:source, :digest)
+        return req unless req.dig(:source, :tag)
+
+        new_tag = latest_version.to_s
+        return req if req.dig(:source, :tag) == new_tag
+
+        req.merge(
+          source: req[:source].merge(tag: new_tag, version: new_tag)
+        )
+      end
+
       sig { params(req: T::Hash[Symbol, T.untyped]).returns(T::Hash[Symbol, T.untyped]) }
       def update_registry_requirement(req)
         return req if req.fetch(:requirement).nil?

data/lib/dependabot/opentofu/update_checker.rb

@@ -19,7 +19,7 @@ module Dependabot
       require_relative "update_checker/latest_version_resolver"
 
       ELIGIBLE_SOURCE_TYPES = T.let(
-        %w(git provider registry).freeze,
+        %w(git provider registry oci).freeze,
         T::Array[String]
       )
 
@@ -27,6 +27,7 @@ module Dependabot
       def latest_version
         return latest_version_for_git_dependency if git_dependency?
         return latest_version_for_registry_dependency if registry_dependency?
+        return latest_version_for_oci_dependency if oci_dependency?
 
         latest_version_for_provider_dependency if provider_dependency?
         # Other sources (mercurial, path dependencies) just return `nil`
@@ -213,6 +214,32 @@ module Dependabot
         dependency_source_details&.fetch(:type) == "provider"
       end
 
+      sig { returns(T::Boolean) }
+      def oci_dependency?
+        return false if dependency_source_details.nil?
+
+        dependency_source_details&.fetch(:type) == "oci"
+      end
+
+      sig { returns(T.nilable(Dependabot::Opentofu::Version)) }
+      def latest_version_for_oci_dependency
+        return unless oci_dependency?
+        # Digest pins are immutable; nothing to update to without a tag.
+        return if dependency_source_details&.fetch(:digest)
+
+        @latest_oci_version = T.let(@latest_oci_version, T.nilable(Dependabot::Opentofu::Version))
+        return @latest_oci_version if @latest_oci_version
+
+        identifier = T.must(dependency_source_details).fetch(:artifact_identifier)
+        versions = RegistryClient.all_oci_tags(
+          artifact_identifier: identifier,
+          credentials: credentials
+        )
+        versions.reject!(&:prerelease?) unless wants_prerelease?
+        versions.reject! { |v| ignore_requirements.any? { |r| r.satisfied_by?(v) } }
+        @latest_oci_version = versions.max
+      end
+
       sig { returns(T.nilable(T::Hash[T.any(String, Symbol), T.untyped])) }
       def dependency_source_details
         dependency.source_details(allowed_types: ELIGIBLE_SOURCE_TYPES)

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-opentofu
 version: !ruby/object:Gem::Version
-  version: 0.373.0
+  version: 0.374.0
 platform: ruby
 authors:
 - Dependabot
@@ -15,14 +15,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.374.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.373.0
+        version: 0.374.0
 - !ruby/object:Gem::Dependency
   name: debug
   requirement: !ruby/object:Gem::Requirement
@@ -262,7 +262,7 @@ licenses:
 - MIT
 metadata:
   bug_tracker_uri: https://github.com/dependabot/dependabot-core/issues
-  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.373.0
+  changelog_uri: https://github.com/dependabot/dependabot-core/releases/tag/v0.374.0
 rdoc_options: []
 require_paths:
 - lib