dependabot-terraform 0.201.0 → 0.203.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: b788a0ad15124d1b9d882327abfc847b3d27b331aec214fd64d6e6a28a92a9b3
-  data.tar.gz: c01ec9b1aad1b353eb9f93393f1b0337b7d6ea7814ac5f485b630ed1873def06
+  metadata.gz: 2b669fb83e693d1a970c7150284474769b9d07df0e84e9b6b4173ff3ae925c39
+  data.tar.gz: b11df05643df7d12c170a8c7b0016c6c8a5ca6392515dafccae72233bc197037
 SHA512:
-  metadata.gz: fe9aa846045d66fadcde2f874b4827716b4f4e35e678416eaae15ba2fb6e0441133ab033cf2f583baa90b6e88cc63bab75fdd6dca2d503c4daa8ac9ea06e4eaf
-  data.tar.gz: 508e6e8b1d1055876df45b2d3bbc2cce76e5d291248618aa1098859ecd3372d4ee01309f49da856d5e4bd6517ec8060b4a3e0eab35957e306fa5aa5649c60b88
+  metadata.gz: 8034bdfaeb6a7ccbf34fc758ee5ba2bf40cd0e01004df72e7860de8a01027e8b013728438982722079c20669c3ed0ad52fc466d2889f802acf4936f810121098
+  data.tar.gz: cf46b5a10c70b5e2dac7720c86ba008567c926f288ac7ce163f90d73a22d23497b255a662d38e3f799f5e1687da4d02b8240ff4095be8a14f9a0bb9596872dc6

data/lib/dependabot/terraform/file_parser.rb

@@ -12,6 +12,7 @@ require "dependabot/git_commit_checker"
 require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/terraform/file_selector"
+require "dependabot/terraform/registry_client"
 
 module Dependabot
   module Terraform
@@ -20,7 +21,6 @@ module Dependabot
 
       include FileSelector
 
-      ARCHIVE_EXTENSIONS = %w(.zip .tbz2 .tgz .txz).freeze
       DEFAULT_REGISTRY = "registry.terraform.io"
       DEFAULT_NAMESPACE = "hashicorp"
       # https://www.terraform.io/docs/language/providers/requirements.html#source-addresses
@@ -168,7 +168,7 @@ module Dependabot
       # Full docs at https://www.terraform.io/docs/modules/sources.html
       def source_from(details_hash)
         raw_source = details_hash.fetch("source")
-        bare_source = get_proxied_source(raw_source)
+        bare_source = RegistryClient.get_proxied_source(raw_source)
 
         source_details =
           case source_type(bare_source)
@@ -257,39 +257,6 @@ module Dependabot
         ref.match(version_regex).named_captures.fetch("version")
       end
 
-      # rubocop:disable Metrics/PerceivedComplexity
-      # See https://www.terraform.io/docs/modules/sources.html#http-urls for
-      # details of how Terraform handle HTTP(S) sources for modules
-      def get_proxied_source(raw_source) # rubocop:disable Metrics/AbcSize
-        return raw_source unless raw_source.start_with?("http")
-
-        uri = URI.parse(raw_source.split(%r{(?<!:)//}).first)
-        return raw_source if uri.path.end_with?(*ARCHIVE_EXTENSIONS)
-        return raw_source if URI.parse(raw_source).query&.include?("archive=")
-
-        url = raw_source.split(%r{(?<!:)//}).first + "?terraform-get=1"
-        host = URI.parse(raw_source).host
-
-        response = Excon.get(
-          url,
-          idempotent: true,
-          **SharedHelpers.excon_defaults
-        )
-        raise PrivateSourceAuthenticationFailure, host if response.status == 401
-
-        return response.headers["X-Terraform-Get"] if response.headers["X-Terraform-Get"]
-
-        doc = Nokogiri::XML(response.body)
-        doc.css("meta").find do |tag|
-          tag.attributes&.fetch("name", nil)&.value == "terraform-get"
-        end&.attributes&.fetch("content", nil)&.value
-      rescue Excon::Error::Socket, Excon::Error::Timeout => e
-        raise PrivateSourceAuthenticationFailure, host if e.message.include?("no address for")
-
-        raw_source
-      end
-      # rubocop:enable Metrics/PerceivedComplexity
-
       # rubocop:disable Metrics/PerceivedComplexity
       def source_type(source_string)
         return :path if source_string.start_with?(".")
@@ -305,7 +272,7 @@ module Dependabot
 
         path_uri = URI.parse(source_string.split(%r{(?<!:)//}).first)
         query_uri = URI.parse(source_string)
-        return :http_archive if path_uri.path.end_with?(*ARCHIVE_EXTENSIONS)
+        return :http_archive if path_uri.path.end_with?(*RegistryClient::ARCHIVE_EXTENSIONS)
         return :http_archive if query_uri.query&.include?("archive=")
 
         raise "HTTP source, but not an archive!"

data/lib/dependabot/terraform/file_updater.rb

@@ -103,6 +103,11 @@ module Dependabot
           select { |h| h&.match?(/^h1:/) }
       end
 
+      def remove_provider_h1_hashes(content, declaration_regex)
+        content.match(declaration_regex).to_s.
+          sub(hashes_object_regex, "")
+      end
+
       def lockfile_details(new_req)
         content = lock_file.content.dup
         provider_source = new_req[:source][:registry_hostname] + "/" + new_req[:source][:module_identifier]
@@ -131,7 +136,7 @@ module Dependabot
         )
 
         base_dir = dependency_files.first.directory
-        lockfile_hash_removed = content.sub(hashes_object_regex, "")
+        lockfile_hash_removed = remove_provider_h1_hashes(content, declaration_regex)
 
         # This runs in the same directory as the actual lockfile update so
         # the platform must be determined before the updated manifest files
@@ -265,7 +270,7 @@ module Dependabot
       end
 
       def hashes_object_regex
-        /hashes\s*=\s*.*\]/m
+        /hashes\s*=\s*[^\]]*\]/m
       end
 
       def hashes_string_regex

data/lib/dependabot/terraform/registry_client.rb

@@ -10,6 +10,7 @@ module Dependabot
     # Terraform::RegistryClient is a basic API client to interact with a
     # terraform registry: https://www.terraform.io/docs/registry/api.html
     class RegistryClient
+      ARCHIVE_EXTENSIONS = %w(.zip .tbz2 .tgz .txz).freeze
       PUBLIC_HOSTNAME = "registry.terraform.io"
 
       def initialize(hostname: PUBLIC_HOSTNAME, credentials: [])
@@ -19,6 +20,39 @@ module Dependabot
         end
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
+      # See https://www.terraform.io/docs/modules/sources.html#http-urls for
+      # details of how Terraform handle HTTP(S) sources for modules
+      def self.get_proxied_source(raw_source) # rubocop:disable Metrics/AbcSize
+        return raw_source unless raw_source.start_with?("http")
+
+        uri = URI.parse(raw_source.split(%r{(?<!:)//}).first)
+        return raw_source if uri.path.end_with?(*ARCHIVE_EXTENSIONS)
+        return raw_source if URI.parse(raw_source).query&.include?("archive=")
+
+        url = raw_source.split(%r{(?<!:)//}).first + "?terraform-get=1"
+        host = URI.parse(raw_source).host
+
+        response = Excon.get(
+          url,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+        raise PrivateSourceAuthenticationFailure, host if response.status == 401
+
+        return response.headers["X-Terraform-Get"] if response.headers["X-Terraform-Get"]
+
+        doc = Nokogiri::XML(response.body)
+        doc.css("meta").find do |tag|
+          tag.attributes&.fetch("name", nil)&.value == "terraform-get"
+        end&.attributes&.fetch("content", nil)&.value
+      rescue Excon::Error::Socket, Excon::Error::Timeout => e
+        raise PrivateSourceAuthenticationFailure, host if e.message.include?("no address for")
+
+        raw_source
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+
       # Fetch all the versions of a provider, and return a Version
       # representation of them.
       #
@@ -64,10 +98,26 @@ module Dependabot
       def source(dependency:)
         type = dependency.requirements.first[:source][:type]
         base_url = service_url_for(service_key_for(type))
-        response = http_get(URI.join(base_url, "#{dependency.name}/#{dependency.version}"))
-        return nil unless response.status == 200
+        case type
+        # https://www.terraform.io/internals/module-registry-protocol#download-source-code-for-a-specific-module-version
+        when "module", "modules", "registry"
+          download_url = URI.join(base_url, "#{dependency.name}/#{dependency.version}/download")
+          response = http_get(download_url)
+          return nil unless response.status == 204
+
+          source_url = response.headers.fetch("X-Terraform-Get")
+          source_url = URI.join(download_url, source_url) if
+            source_url.start_with?("/") ||
+            source_url.start_with?("./") ||
+            source_url.start_with?("../")
+          source_url = RegistryClient.get_proxied_source(source_url) if source_url
+        when "provider", "providers"
+          response = http_get(URI.join(base_url, "#{dependency.name}/#{dependency.version}"))
+          return nil unless response.status == 200
+
+          source_url = JSON.parse(response.body).fetch("source")
+        end
 
-        source_url = JSON.parse(response.body).fetch("source")
         Source.from_url(source_url) if source_url
       rescue JSON::ParserError, Excon::Error::Timeout
         nil

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-terraform
 version: !ruby/object:Gem::Version
-  version: 0.201.0
+  version: 0.203.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-07-22 00:00:00.000000000 Z
+date: 2022-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.201.0
+        version: 0.203.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.201.0
+        version: 0.203.0
 - !ruby/object:Gem::Dependency
   name: debase
   requirement: !ruby/object:Gem::Requirement