RubyGems - entitlements-github-plugin - Versions diffs - 1.1.0 → 1.2.1 - Mend

entitlements-github-plugin 1.1.0 → 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml +4 -4
data/lib/entitlements/backend/github_org/service.rb +7 -2
data/lib/entitlements/backend/github_org.rb +2 -0
data/lib/entitlements/backend/github_team/provider.rb +1 -1
data/lib/entitlements/backend/github_team/service.rb +30 -10
data/lib/entitlements/backend/github_team.rb +2 -0
data/lib/entitlements/config/retry.rb +21 -0
data/lib/entitlements/service/github.rb +54 -10
data/lib/version.rb +1 -1
metadata +31 -10

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 684563b348978cba23282a6ea80a590b5a7335ec3ebf0278abb6a7a7b891c8ce
-  data.tar.gz: 360ddce764d1e3077216e066a3bdaba44a37e8df61c817f9df0eb887fcb3beca
+  metadata.gz: 63c03f0243b0e1b51bcf58b214a4cf70bc856522209b07f721d4e6b5c219dbe1
+  data.tar.gz: 1fc7c61f4ca66cc75a4c212f4f0a40a21b6e5c7e4011dabef46bc6293d4220e0
 SHA512:
-  metadata.gz: c5d0ed6468aff36d7ca1047218273dc86173063896eaf4cbf88d47189c6daeb73e3eac8f84c6ecabc82b4293079bc06b0f6edb146a6168043cfe0629ecb5c014
-  data.tar.gz: a79d07768d11a62362b6dfe55a897805d763c4b493475b8e1607a211b0c82066aa284effb191554cabaaaf8b7ba2c94fc1d6712d706afba4bbbab98ff5cc9ddb
+  metadata.gz: b4344c74a359dc828711ceaea05cf083fc699218a43af046a8fddcd98fc8fe7651dc71e108c2d6f9abc9b5f1aa9f9b7a7b2f70d525927f1b3a179fca2f4e5d5c
+  data.tar.gz: ca57d0790b548d6039b48163d38753cacbfd80d86fef7888835f0c70426273188d7533c2e04ce9ecd370ec5553996beb7613aba5fa2788d9ce6ffbde623b5285

data/lib/entitlements/backend/github_org/service.rb CHANGED Viewed

@@ -46,7 +46,9 @@ module Entitlements
           Entitlements.logger.debug "#{identifier} add_user_to_organization(user=#{user}, org=#{org}, role=#{role})"
           begin
-            new_membership = octokit.update_organization_membership(org, user:, role:)
+            new_membership = Retryable.with_context(:default, not: [Octokit::NotFound]) do
+              octokit.update_organization_membership(org, user:, role:)
+            end
           rescue Octokit::NotFound => e
             raise e unless ignore_not_found
@@ -78,7 +80,10 @@ module Entitlements
         Contract String => C::Bool
         def remove_user_from_organization(user)
           Entitlements.logger.debug "#{identifier} remove_user_from_organization(user=#{user}, org=#{org})"
-          result = octokit.remove_organization_membership(org, user:)
+          result = Retryable.with_context(:default) do
+            octokit.remove_organization_membership(org, user:)
+          end
           # If we removed the user, remove them from the cache of members, so that any GitHub team
           # operations in this organization will ignore this user.

data/lib/entitlements/backend/github_org.rb CHANGED Viewed

@@ -24,3 +24,5 @@ end
 require_relative "github_org/controller"
 require_relative "github_org/provider"
 require_relative "github_org/service"
+require_relative "../config/retry"
+Retry.setup!

data/lib/entitlements/backend/github_team/provider.rb CHANGED Viewed

@@ -162,7 +162,7 @@ module Entitlements
             metadata = entitlement_group.metadata
             metadata["team_id"] = -999
           rescue Entitlements::Models::Group::NoMetadata
-            metadata = {"team_id" => -999}
+            metadata = { "team_id" => -999 }
           end
           Entitlements::Backend::GitHubTeam::Models::Team.new(
             team_id: -999,

data/lib/entitlements/backend/github_team/service.rb CHANGED Viewed

@@ -279,10 +279,12 @@ module Entitlements
                 team_options[:parent_team_id] = parent_team_data[:team_id]
               rescue TeamNotFound
                 # if the parent team does not exist, create it (think `mkdir -p` logic here)
-                result = octokit.create_team(
-                  org,
-                  { name: entitlement_metadata["parent_team_name"], repo_names: [], privacy: "closed" }
-                )
+                result = Retryable.with_context(:default, not: [Octokit::UnprocessableEntity]) do
+                  octokit.create_team(
+                    org,
+                    { name: entitlement_metadata["parent_team_name"], repo_names: [], privacy: "closed" }
+                  )
+                end
                 Entitlements.logger.debug "created parent team #{entitlement_metadata["parent_team_name"]} with id #{result[:id]}"
@@ -296,7 +298,11 @@ module Entitlements
           end
           Entitlements.logger.debug "create_team(team=#{team_name})"
-          result = octokit.create_team(org, team_options)
+          result = Retryable.with_context(:default, not: [Octokit::UnprocessableEntity]) do
+            octokit.create_team(org, team_options)
+          end
           Entitlements.logger.debug "created team #{team_name} with id #{result[:id]}"
           true
         rescue Octokit::UnprocessableEntity => e
@@ -317,7 +323,10 @@ module Entitlements
           Entitlements.logger.debug "update_team(team=#{team.team_name})"
           options = { name: team.team_name, repo_names: [], privacy: "closed",
                       parent_team_id: metadata[:parent_team_id] }
-          octokit.update_team(team.team_id, options)
+          Retryable.with_context(:default, not: [Octokit::UnprocessableEntity]) do
+            octokit.update_team(team.team_id, options)
+          end
           true
         rescue Octokit::UnprocessableEntity => e
           Entitlements.logger.debug "update_team(team=#{team.team_name}) ERROR - #{e.message}"
@@ -334,7 +343,9 @@ module Entitlements
                    team_name: String
                  ] => Sawyer::Resource
         def team_by_name(org_name:, team_name:)
-          octokit.team_by_name(org_name, team_name)
+          Retryable.with_context(:default) do
+            octokit.team_by_name(org_name, team_name)
+          end
         end
         private
@@ -426,7 +437,10 @@ module Entitlements
           @validation_cache ||= {}
           @validation_cache[team_id] ||= begin
             Entitlements.logger.debug "validate_team_id_and_slug!(#{team_id}, #{team_slug.inspect})"
-            team_data = octokit.team(team_id)
+            team_data = Retryable.with_context(:default) do
+              octokit.team(team_id)
+            end
             team_data[:slug]
           end
           return if @validation_cache[team_id] == team_slug
@@ -457,7 +471,10 @@ module Entitlements
           validate_team_id_and_slug!(team.team_id, team.team_name)
           begin
-            result = octokit.add_team_membership(team.team_id, user, role:)
+            result = Retryable.with_context(:default, not: [Octokit::UnprocessableEntity, Octokit::NotFound]) do
+              octokit.add_team_membership(team.team_id, user, role:)
+            end
             result[:state] == "active" || result[:state] == "pending"
           rescue Octokit::UnprocessableEntity => e
             raise e unless ignore_not_found && e.message =~ /Enterprise Managed Users must be part of the organization to be assigned to the team/
@@ -487,7 +504,10 @@ module Entitlements
           Entitlements.logger.debug "#{identifier} remove_user_from_team(user=#{user}, org=#{org}, team_id=#{team.team_id})"
           validate_team_id_and_slug!(team.team_id, team.team_name)
-          octokit.remove_team_membership(team.team_id, user)
+          Retryable.with_context(:default) do
+            octokit.remove_team_membership(team.team_id, user)
+          end
         end
       end
     end

data/lib/entitlements/backend/github_team.rb CHANGED Viewed

@@ -4,3 +4,5 @@ require_relative "github_team/controller"
 require_relative "github_team/models/team"
 require_relative "github_team/provider"
 require_relative "github_team/service"
+require_relative "../config/retry"
+Retry.setup!

data/lib/entitlements/config/retry.rb ADDED Viewed

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+require "retryable"
+module Retry
+  # This method should be called as early as possible in the startup of your application
+  # It sets up the Retryable gem with custom contexts and passes through a few options
+  # Should the number of retries be reached without success, the last exception will be raised
+  def self.setup!
+    ######## Retryable Configuration ########
+    # All defaults available here:
+    # https://github.com/nfedyashev/retryable/blob/6a04027e61607de559e15e48f281f3ccaa9750e8/lib/retryable/configuration.rb#L22-L33
+    Retryable.configure do |config|
+      config.contexts[:default] = {
+        on: [StandardError],
+        sleep: 1,
+        tries: 3
+      }
+    end
+  end
+end

data/lib/entitlements/service/github.rb CHANGED Viewed

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
+require_relative "../config/retry"
 require "net/http"
 require "octokit"
 require "uri"
@@ -36,6 +38,9 @@ module Entitlements
         ignore_not_found: C::Maybe[C::Bool],
       ] => C::Any
       def initialize(addr: nil, org:, token:, ou:, ignore_not_found: false)
+        # init the retry module
+        Retry.setup!
         # Save some parameters for the connection but don't actually connect yet.
         @addr = addr
         @org = org
@@ -94,7 +99,10 @@ module Entitlements
       # Returns true if the github instance is an enterprise server instance
       Contract C::None => C::Bool
       def enterprise?
-        meta = octokit.github_meta
+        meta = Retryable.with_context(:default) do
+          octokit.github_meta
+        end
         meta.key? :installed_version
       end
@@ -163,6 +171,7 @@ module Entitlements
           client = Octokit::Client.new(access_token: token)
           client.api_endpoint = addr if addr
           client.auto_paginate = true
+          client.per_page = 100
           Entitlements.logger.debug "Setting up GitHub API connection to #{client.api_endpoint}"
           client
         end
@@ -246,11 +255,22 @@ module Entitlements
       def members_and_roles_from_rest
         Entitlements.logger.debug "Loading organization members and roles for #{org}"
         result = {}
-        members = octokit.organization_members(org, { role: "admin" })
-        members.each do |member|
+        # fetch all the admin members from the org
+        admin_members = Retryable.with_context(:default) do
+          octokit.organization_members(org, { role: "admin" })
+        end
+        # fetch all the regular members from the org
+        regular_members = Retryable.with_context(:default) do
+          octokit.organization_members(org, { role: "member" })
+        end
+        admin_members.each do |member|
           result[member[:login].downcase] = "ADMIN"
         end
-        octokit.organization_members(org, { role: "member" }).each do |member|
+        regular_members.each do |member|
           result[member[:login].downcase] = "MEMBER"
         end
@@ -318,18 +338,30 @@ module Entitlements
       def graphql_http_post(query)
         1.upto(MAX_GRAPHQL_RETRIES) do |try_number|
           result = graphql_http_post_real(query)
-          if result[:code] < 500
+          if !graphql_result_retryable?(result)
             return result
           elsif try_number >= MAX_GRAPHQL_RETRIES
-            Entitlements.logger.error "Query still failing after #{MAX_GRAPHQL_RETRIES} tries. Giving up."
+            Entitlements.logger.error "Query still failing after #{MAX_GRAPHQL_RETRIES} tries (last code: #{result[:code]}). Giving up."
             return result
           else
             Entitlements.logger.warn "GraphQL failed on try #{try_number} of #{MAX_GRAPHQL_RETRIES}. Will retry."
-            sleep WAIT_BETWEEN_GRAPHQL_RETRIES * (2 ** (try_number - 1))
+            sleep WAIT_BETWEEN_GRAPHQL_RETRIES * (2**(try_number - 1))
           end
         end
       end
+      # Helper: determine whether a result hash from `graphql_http_post_real` represents
+      # a transient failure that the retry wrapper will retry. Used by the wrapper itself
+      # and to decide log severity inside `graphql_http_post_real`.
+      #
+      # result - Hash returned by `graphql_http_post_real`.
+      #
+      # Returns true if the result is retryable (HTTP 5xx or synthetic 5xx), false otherwise.
+      Contract ({ code: Integer, data: C::Or[nil, Hash] }) => C::Bool
+      def graphql_result_retryable?(result)
+        result[:code] >= 500
+      end
       # Helper method: Do the HTTP POST to the GitHub API for GraphQL.
       #
       # query - String with the data to be posted.
@@ -350,23 +382,35 @@ module Entitlements
           response = http.request(request)
           if response.code != "200"
-            Entitlements.logger.error "Got HTTP #{response.code} POSTing to #{uri}"
-            Entitlements.logger.error response.body
+            # The retry wrapper retries on 5xx, so log those at WARN to avoid misleading
+            # the operator with an ERROR for a transient failure that we recover from.
+            # Terminal non-2xx responses (4xx) stay at ERROR.
+            msg = "POST to #{uri} returned HTTP Code #{response.code} and Body: #{response.body}"
+            response.code.start_with?("5") ? Entitlements.logger.warn(msg) : Entitlements.logger.error(msg)
             return { code: response.code.to_i, data: { "body" => response.body } }
           end
           begin
             data = JSON.parse(response.body)
             if data.key?("errors")
-              Entitlements.logger.error "Errors reported: #{data['errors'].inspect}"
+              # Synthesized 500 below triggers a retry, so log at WARN. Note: some GraphQL
+              # `errors` are permanent (bad query, auth, schema). The retry wrapper's final
+              # "Giving up" ERROR will surface persistent cases.
+              Entitlements.logger.warn "Errors reported: #{data['errors'].inspect}"
               return { code: 500, data: }
             end
             { code: response.code.to_i, data: }
           rescue JSON::ParserError => e
+            # JSON parse errors mean the API returned something we can't interpret. The
+            # synthesized 500 below triggers a retry, but the cause is more likely a real
+            # protocol/server problem than a transient network blip, so log at ERROR.
             Entitlements.logger.error "#{e.class} #{e.message}: #{response.body.inspect}"
             { code: 500, data: { "body" => response.body } }
           end
         rescue => e
+          # Catch-all for any unexpected exception (network blip OR local code bug).
+          # We retry below via the synthesized 500, but log at ERROR because this
+          # branch can mask programming errors that operators must see.
           Entitlements.logger.error "Caught #{e.class} POSTing to #{uri}: #{e.message}"
           { code: 500, data: nil }
         end

data/lib/version.rb CHANGED Viewed

@@ -2,6 +2,6 @@
 module Entitlements
   module Version
-    VERSION = "1.1.0"
+    VERSION = "1.2.1"
   end
 end

metadata CHANGED Viewed

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: entitlements-github-plugin
 version: !ruby/object:Gem::Version
-  version: 1.1.0
+  version: 1.2.1
 platform: ruby
 authors:
 - GitHub, Inc. Security Ops
-autorequire:
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2024-11-14 00:00:00.000000000 Z
+date: 2026-05-05 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: contracts
@@ -66,6 +66,26 @@ dependencies:
     - - "~>"
       - !ruby/object:Gem::Version
         version: '4.25'
+- !ruby/object:Gem::Dependency
+  name: retryable
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.5
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 3.0.5
 - !ruby/object:Gem::Dependency
   name: entitlements-app
   requirement: !ruby/object:Gem::Requirement
@@ -106,14 +126,14 @@ dependencies:
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 3.13.2
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - '='
       - !ruby/object:Gem::Version
-        version: 3.13.0
+        version: 3.13.2
 - !ruby/object:Gem::Dependency
   name: rubocop
   requirement: !ruby/object:Gem::Requirement
@@ -162,14 +182,14 @@ dependencies:
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.1
+        version: 0.26.1
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - "~>"
       - !ruby/object:Gem::Version
-        version: 0.19.1
+        version: 0.26.1
 - !ruby/object:Gem::Dependency
   name: rugged
   requirement: !ruby/object:Gem::Requirement
@@ -273,13 +293,14 @@ files:
 - lib/entitlements/backend/github_team/models/team.rb
 - lib/entitlements/backend/github_team/provider.rb
 - lib/entitlements/backend/github_team/service.rb
+- lib/entitlements/config/retry.rb
 - lib/entitlements/service/github.rb
 - lib/version.rb
 homepage: https://github.com/github/entitlements-github-plugin
 licenses:
 - MIT
 metadata: {}
-post_install_message:
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -294,8 +315,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.9
-signing_key:
+rubygems_version: 3.5.22
+signing_key:
 specification_version: 4
 summary: GitHub dotcom provider for entitlements-app
 test_files: []