dependabot-terraform 0.201.1 → 0.204.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 45897d4d4a465d56ad301bd4d7088bd499d64031d3cffd1647637ff013574395
-  data.tar.gz: 74a5185b2e1e8ca45f832ecdfd7cde24ec0219b5ae82bfc6277b496c8f48c692
+  metadata.gz: 857c0219cc9c70bdef3a2c55738a7bf271bd1f64788ad38fd892576c7a73d36a
+  data.tar.gz: 8f7e1b97fe1530b307b8445a1f62c27f178399e3c03f8467d3117a6394b95c1b
 SHA512:
-  metadata.gz: 96e5fdeb726b95f0d70b1bac87f7743fd5562cdeb68257bf50a95ea5068b4a45b0ecb477157f686b2db8752eb26d19c61e9c1f7caada700c5c36aab395e9f2f7
-  data.tar.gz: 76e74e3b50f13783ea2102f6a36d217f9bb51386cdcff6fd3d115a1d63521b0353651b5416a4b5de78df4aa08c7b2c06ad47e59c67c8b047ace123487e0da8a7
+  metadata.gz: ed0ae12a8ab372985d6ed29d28dd25b9a9e4ef798b38d51291160f8af148f9e188cb11b28a6c7624610f17519df902d1d28579fb48fc0ee4916f862b113095fd
+  data.tar.gz: 3c8ecd036fde028e6fef102b8a70549011c4caa81a0a278879227c2165796b0dc8d312eed1e368927bc1f1b4c152edd051fcf37d6df6ee81766c3de78989adaa

data/lib/dependabot/terraform/file_parser.rb

@@ -12,6 +12,7 @@ require "dependabot/git_commit_checker"
 require "dependabot/shared_helpers"
 require "dependabot/errors"
 require "dependabot/terraform/file_selector"
+require "dependabot/terraform/registry_client"
 
 module Dependabot
   module Terraform
@@ -20,7 +21,6 @@ module Dependabot
 
       include FileSelector
 
-      ARCHIVE_EXTENSIONS = %w(.zip .tbz2 .tgz .txz).freeze
       DEFAULT_REGISTRY = "registry.terraform.io"
       DEFAULT_NAMESPACE = "hashicorp"
       # https://www.terraform.io/docs/language/providers/requirements.html#source-addresses
@@ -168,7 +168,7 @@ module Dependabot
       # Full docs at https://www.terraform.io/docs/modules/sources.html
       def source_from(details_hash)
         raw_source = details_hash.fetch("source")
-        bare_source = get_proxied_source(raw_source)
+        bare_source = RegistryClient.get_proxied_source(raw_source)
 
         source_details =
           case source_type(bare_source)
@@ -257,39 +257,6 @@ module Dependabot
         ref.match(version_regex).named_captures.fetch("version")
       end
 
-      # rubocop:disable Metrics/PerceivedComplexity
-      # See https://www.terraform.io/docs/modules/sources.html#http-urls for
-      # details of how Terraform handle HTTP(S) sources for modules
-      def get_proxied_source(raw_source) # rubocop:disable Metrics/AbcSize
-        return raw_source unless raw_source.start_with?("http")
-
-        uri = URI.parse(raw_source.split(%r{(?<!:)//}).first)
-        return raw_source if uri.path.end_with?(*ARCHIVE_EXTENSIONS)
-        return raw_source if URI.parse(raw_source).query&.include?("archive=")
-
-        url = raw_source.split(%r{(?<!:)//}).first + "?terraform-get=1"
-        host = URI.parse(raw_source).host
-
-        response = Excon.get(
-          url,
-          idempotent: true,
-          **SharedHelpers.excon_defaults
-        )
-        raise PrivateSourceAuthenticationFailure, host if response.status == 401
-
-        return response.headers["X-Terraform-Get"] if response.headers["X-Terraform-Get"]
-
-        doc = Nokogiri::XML(response.body)
-        doc.css("meta").find do |tag|
-          tag.attributes&.fetch("name", nil)&.value == "terraform-get"
-        end&.attributes&.fetch("content", nil)&.value
-      rescue Excon::Error::Socket, Excon::Error::Timeout => e
-        raise PrivateSourceAuthenticationFailure, host if e.message.include?("no address for")
-
-        raw_source
-      end
-      # rubocop:enable Metrics/PerceivedComplexity
-
       # rubocop:disable Metrics/PerceivedComplexity
       def source_type(source_string)
         return :path if source_string.start_with?(".")
@@ -305,7 +272,7 @@ module Dependabot
 
         path_uri = URI.parse(source_string.split(%r{(?<!:)//}).first)
         query_uri = URI.parse(source_string)
-        return :http_archive if path_uri.path.end_with?(*ARCHIVE_EXTENSIONS)
+        return :http_archive if path_uri.path.end_with?(*RegistryClient::ARCHIVE_EXTENSIONS)
         return :http_archive if query_uri.query&.include?("archive=")
 
         raise "HTTP source, but not an archive!"

data/lib/dependabot/terraform/file_updater.rb

@@ -103,6 +103,11 @@ module Dependabot
           select { |h| h&.match?(/^h1:/) }
       end
 
+      def remove_provider_h1_hashes(content, declaration_regex)
+        content.match(declaration_regex).to_s.
+          sub(hashes_object_regex, "")
+      end
+
       def lockfile_details(new_req)
         content = lock_file.content.dup
         provider_source = new_req[:source][:registry_hostname] + "/" + new_req[:source][:module_identifier]
@@ -131,7 +136,7 @@ module Dependabot
         )
 
         base_dir = dependency_files.first.directory
-        lockfile_hash_removed = content.sub(hashes_object_regex, "")
+        lockfile_hash_removed = remove_provider_h1_hashes(content, declaration_regex)
 
         # This runs in the same directory as the actual lockfile update so
         # the platform must be determined before the updated manifest files
@@ -265,7 +270,7 @@ module Dependabot
       end
 
       def hashes_object_regex
-        /hashes\s*=\s*.*\]/m
+        /hashes\s*=\s*[^\]]*\]/m
       end
 
       def hashes_string_regex

data/lib/dependabot/terraform/registry_client.rb

@@ -10,6 +10,7 @@ module Dependabot
     # Terraform::RegistryClient is a basic API client to interact with a
     # terraform registry: https://www.terraform.io/docs/registry/api.html
     class RegistryClient
+      ARCHIVE_EXTENSIONS = %w(.zip .tbz2 .tgz .txz).freeze
       PUBLIC_HOSTNAME = "registry.terraform.io"
 
       def initialize(hostname: PUBLIC_HOSTNAME, credentials: [])
@@ -19,6 +20,39 @@ module Dependabot
         end
       end
 
+      # rubocop:disable Metrics/PerceivedComplexity
+      # See https://www.terraform.io/docs/modules/sources.html#http-urls for
+      # details of how Terraform handle HTTP(S) sources for modules
+      def self.get_proxied_source(raw_source) # rubocop:disable Metrics/AbcSize
+        return raw_source unless raw_source.start_with?("http")
+
+        uri = URI.parse(raw_source.split(%r{(?<!:)//}).first)
+        return raw_source if uri.path.end_with?(*ARCHIVE_EXTENSIONS)
+        return raw_source if URI.parse(raw_source).query&.include?("archive=")
+
+        url = raw_source.split(%r{(?<!:)//}).first + "?terraform-get=1"
+        host = URI.parse(raw_source).host
+
+        response = Excon.get(
+          url,
+          idempotent: true,
+          **SharedHelpers.excon_defaults
+        )
+        raise PrivateSourceAuthenticationFailure, host if response.status == 401
+
+        return response.headers["X-Terraform-Get"] if response.headers["X-Terraform-Get"]
+
+        doc = Nokogiri::XML(response.body)
+        doc.css("meta").find do |tag|
+          tag.attributes&.fetch("name", nil)&.value == "terraform-get"
+        end&.attributes&.fetch("content", nil)&.value
+      rescue Excon::Error::Socket, Excon::Error::Timeout => e
+        raise PrivateSourceAuthenticationFailure, host if e.message.include?("no address for")
+
+        raw_source
+      end
+      # rubocop:enable Metrics/PerceivedComplexity
+
       # Fetch all the versions of a provider, and return a Version
       # representation of them.
       #
@@ -64,10 +98,26 @@ module Dependabot
       def source(dependency:)
         type = dependency.requirements.first[:source][:type]
         base_url = service_url_for(service_key_for(type))
-        response = http_get(URI.join(base_url, "#{dependency.name}/#{dependency.version}"))
-        return nil unless response.status == 200
+        case type
+        # https://www.terraform.io/internals/module-registry-protocol#download-source-code-for-a-specific-module-version
+        when "module", "modules", "registry"
+          download_url = URI.join(base_url, "#{dependency.name}/#{dependency.version}/download")
+          response = http_get(download_url)
+          return nil unless response.status == 204
+
+          source_url = response.headers.fetch("X-Terraform-Get")
+          source_url = URI.join(download_url, source_url) if
+            source_url.start_with?("/") ||
+            source_url.start_with?("./") ||
+            source_url.start_with?("../")
+          source_url = RegistryClient.get_proxied_source(source_url) if source_url
+        when "provider", "providers"
+          response = http_get(URI.join(base_url, "#{dependency.name}/#{dependency.version}"))
+          return nil unless response.status == 200
+
+          source_url = JSON.parse(response.body).fetch("source")
+        end
 
-        source_url = JSON.parse(response.body).fetch("source")
         Source.from_url(source_url) if source_url
       rescue JSON::ParserError, Excon::Error::Timeout
         nil

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: dependabot-terraform
 version: !ruby/object:Gem::Version
-  version: 0.201.1
+  version: 0.204.0
 platform: ruby
 authors:
 - Dependabot
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2022-07-25 00:00:00.000000000 Z
+date: 2022-08-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: dependabot-common
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.201.1
+        version: 0.204.0
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 0.201.1
+        version: 0.204.0
 - !ruby/object:Gem::Dependency
   name: debase
   requirement: !ruby/object:Gem::Requirement