entitlements-gitrepo-auditor-plugin 0.1.0

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA256:
+  metadata.gz: 5d2c6e9e8d300430a3e00d95bb6c3d6ab275e2d226adbfdeb0bc25ebb8491da1
+  data.tar.gz: d52b1b6ec5f60a5ec79040dd8e57b59cc8f951e8cfdb329f9c4aa4992af3d022
+SHA512:
+  metadata.gz: 3120c728197899b44e5f712f903834cdc40e2cb2ebaa29f395dee40d7ccf2160f7ae5a8d6a13e5b76bb7eba9c808af607a5f76b782a0b847327f306a132bbd96
+  data.tar.gz: b98e1e33ecccd8914138fc20b40d5cdc4b5101dd1d05acf4640d486837a71e2f18d78be514e5600676c69f1982e7d60dff404aa8c573c58aec1dd98db380838d

data/VERSION

@@ -0,0 +1 @@
+0.1.0

data/lib/entitlements/auditor/gitrepo.rb

@@ -0,0 +1,445 @@
+# frozen_string_literal: true
+
+# This audit provider dumps a sorted list of member DNs and group metadata to a file in a directory structure,
+# and when the entitlements run is finished, commits the changes to the git repo.
+require "base64"
+
+module Entitlements
+  class Auditor
+    class GitRepo < Entitlements::Auditor::Base
+      include ::Contracts::Core
+      C = ::Contracts
+
+      # Setup method for git repo: this will clone the repo into the configured directory if
+      # it does not exist, or pull the latest changes from the configured directory if it does.
+      # We can also validate that the required parameters are supplied here.
+      #
+      # Takes no arguments.
+      #
+      # Returns nothing.
+      Contract C::None => C::Any
+      def setup
+        validate_options!
+        operation = File.directory?(checkout_directory) ? :pull : :clone
+
+        logger.debug "Preparing #{checkout_directory}"
+        @repo = Entitlements::Util::GitRepo.new(
+          repo: config["repo"],
+          sshkey: Base64.decode64(config["sshkey"]),
+          logger: logger
+        )
+        @repo.github = config["github_override"] if config["github_override"]
+        @repo.send(operation, checkout_directory)
+        @repo.configure(checkout_directory, config["git_name"], config["git_email"])
+        logger.debug "Directory #{checkout_directory} prepared"
+      end
+
+      # Commit method for git repo: this will write out all of the entitlements files to the
+      # configured directory, then do a git commit, and then push to GitHub.
+      #
+      # actions            - Array of Entitlements::Models::Action (all requested actions)
+      # successful_actions - Set of DNs (successfully applied actions)
+      # provider_exception - Exception raised by a provider when applying (hopefully nil)
+      #
+      # Returns nothing.
+      Contract C::KeywordArgs[
+        actions: C::ArrayOf[Entitlements::Models::Action],
+        successful_actions: C::SetOf[String],
+        provider_exception: C::Or[nil, Exception]
+      ] => C::Any
+      def commit(actions:, successful_actions:, provider_exception:)
+        raise "Must run setup method before running commit method" unless @repo
+
+        sync_changes = {}
+        valid_changes = {}
+
+        commitable_actions = actions_with_membership_change(actions)
+        action_hash = commitable_actions.map { |action| [action.dn, action] }.to_h
+
+        %w[update_files delete_files].each do |m|
+          send(
+            m.to_sym,
+            action_hash: action_hash,
+            successful_actions: successful_actions,
+            sync_changes: sync_changes,
+            valid_changes: valid_changes
+          )
+        end
+
+        # If there is anything out-of-sync and the provider did not throw an exception, create
+        # a special sync commit to update things.
+        if sync_changes.any?
+          if provider_exception
+            logger.warn "Not committing #{sync_changes.size} unrecognized change(s) due to provider exception"
+          else
+            logger.warn "Sync changes required: count=#{sync_changes.size}"
+            commit_changes(sync_changes, :sync, commit_message)
+          end
+        end
+
+        # If there are any valid changes, create a commit to update things.
+        if valid_changes.any?
+          logger.debug "Committing #{valid_changes.size} change(s) to git repository"
+          commit_changes(valid_changes, :valid, commit_message)
+        elsif sync_changes.empty?
+          logger.debug "No changes to git repository"
+        end
+      end
+
+      private
+
+      # The checkout directory from the configuration. Separated out here as a method so
+      # it can be more easily stubbed from tests.
+      #
+      # Takes no arguments.
+      #
+      # Returns a String with the checkout directory.
+      Contract C::None => String
+      def checkout_directory
+        config["checkout_directory"]
+      end
+
+      # Commit message - read from the provider's configuration. (This is so the commit
+      # message can be passed in as an ERB for flexibility.)
+      #
+      # Takes no arguments.
+      #
+      # Returns a String with the commit message.
+      Contract C::None => String
+      def commit_message
+        config.fetch("commit_message")
+      end
+
+      # Check the current calculation object for any added or updated groups. Break changes
+      # apart into sync changes and valid changes.
+      #
+      # action_hash        - The hash of actions
+      # successful_actions - Set of DNs that were successfully updated/added/deleted
+      # sync_changes       - The hash (will be updated)
+      # valid_changes      - The hash (will be updated)
+      #
+      # Returns nothing.
+      Contract C::KeywordArgs[
+        action_hash: C::HashOf[String => Entitlements::Models::Action],
+        successful_actions: C::SetOf[String],
+        sync_changes: C::HashOf[String => C::Or[String, :delete]],
+        valid_changes: C::HashOf[String => C::Or[String, :delete]]
+      ] => C::Any
+      def update_files(action_hash:, successful_actions:, sync_changes:, valid_changes:)
+        # Need to add nil entries onto the calculated hash for action == delete. These entries
+        # simply disappear from the calculated hash, but we need to iterate over them too.
+        iterable_hash = Entitlements::Data::Groups::Calculated.to_h.dup
+        action_hash.select { |dn, action| action.change_type == :delete }.each do |dn, _action|
+          iterable_hash[dn] = nil
+        end
+
+        iterable_hash.each do |dn, group|
+          filename = path_from_dn(dn)
+          target_file = File.join(checkout_directory, filename)
+          action = action_hash[dn]
+
+          if action.nil?
+            handle_no_action(sync_changes, valid_changes, filename, target_file, group)
+          elsif action.change_type == :delete
+            handle_delete(sync_changes, valid_changes, action, successful_actions, filename, target_file, dn)
+          elsif action.change_type == :add
+            handle_add(sync_changes, valid_changes, action, successful_actions, filename, target_file, dn, group)
+          elsif action.change_type == :update
+            handle_update(sync_changes, valid_changes, action, successful_actions, filename, target_file, dn, group)
+          else
+            # :nocov:
+            raise "Unhandled condition for action #{action.inspect}"
+            # :nocov:
+          end
+        end
+      end
+
+      # Find files that need to be deleted. All files deleted because of actions are handled in the
+      # 'updated_files' method. This method is truly meant for cleanup only.
+      #
+      # action_hash        - The hash of actions
+      # successful_actions - Set of DNs that were successfully updated/added/deleted
+      # sync_changes       - The hash (will be updated)
+      # valid_changes      - The hash (will be updated)
+      #
+      # Returns nothing.
+      Contract C::KeywordArgs[
+        action_hash: C::HashOf[String => Entitlements::Models::Action],
+        successful_actions: C::SetOf[String],
+        sync_changes: C::HashOf[String => C::Or[String, :delete]],
+        valid_changes: C::HashOf[String => C::Or[String, :delete]]
+      ] => C::Any
+      def delete_files(action_hash:, successful_actions:, sync_changes:, valid_changes:)
+        Dir.chdir checkout_directory
+        Dir.glob("**/*") do |child|
+          child_file = File.join(checkout_directory, child)
+          next unless File.file?(child_file)
+          next if File.basename(child) == "README.md"
+
+          # !! NOTE !!
+          # Defined actions (:add, :update, :delete) are handled in update_files. This
+          # logic only deals with files that exist and shouldn't and don't have action being
+          # taken upon them.
+
+          child_dn = dn_from_path(child)
+          if Entitlements::Data::Groups::Calculated.to_h.key?(child_dn)
+            # File is supposed to exist and it exists. Do nothing.
+          elsif action_hash[child_dn].nil?
+            # File is not supposed to exist, but it does, and there was no action concerning it.
+            # Set up sync change to delete file.
+            logger.warn "Sync change (delete #{child}) required"
+            sync_changes[child] = :delete
+          end
+        end
+      end
+
+      # For readability: Handle no-action logic.
+      def handle_no_action(sync_changes, valid_changes, filename, target_file, group)
+        group_expected_contents = group_contents_as_text(group)
+
+        if File.file?(target_file)
+          file_contents = File.read(target_file)
+          unless file_contents == group_expected_contents
+            logger.warn "Sync change (update #{filename}) required"
+            sync_changes[filename] = group_expected_contents
+          end
+        elsif group.member_strings.empty?
+          # The group does not currently exist in the file system nor is it created in the
+          # provider because it has no members. We can skip over this case.
+        else
+          logger.warn "Sync change (create #{filename}) required"
+          sync_changes[filename] = group_expected_contents
+        end
+      end
+
+      # For readability: Handle 'delete' logic.
+      def handle_delete(sync_changes, valid_changes, action, successful_actions, filename, target_file, dn)
+        group_expected_contents = group_contents_as_text(action.existing)
+
+        if File.file?(target_file)
+          file_contents = File.read(target_file)
+          if successful_actions.member?(dn)
+            if file_contents == group_expected_contents
+              # Good: The file had the correct prior content so it can just be deleted.
+              logger.debug "Valid change (delete #{filename}) queued"
+              valid_changes[filename] = :delete
+            else
+              # Bad: The file had incorrect prior content. Sync to the previous members and then delete it.
+              logger.warn "Sync change (update #{filename}) required"
+              sync_changes[filename] = group_expected_contents
+              logger.debug "Valid change (delete #{filename}) queued"
+              valid_changes[filename] = :delete
+            end
+          elsif file_contents == group_expected_contents
+            # Good: The file already had the correct prior content. Since the action was unsuccessful
+            # just skip this case doing nothing.
+            logger.warn "Skip change (delete #{filename}) due to unsuccessful action"
+          else
+            # Bad: The file had incorrect prior content. Wait for the successful run to sync the change.
+            logger.warn "Skip sync change (update #{filename}) due to unsuccessful action"
+          end
+        else
+          if successful_actions.member?(dn)
+            # Bad: The file didn't exist before but it should have. Create it now and then delete it.
+            logger.warn "Sync change (create #{filename}) required"
+            sync_changes[filename] = group_expected_contents
+            logger.debug "Valid change (delete #{filename}) queued"
+            valid_changes[filename] = :delete
+          else
+            # Bad: The file didn't exist before but it should have. Wait for the successful run to sync the change.
+            logger.warn "Skip sync change (create #{filename}) due to unsuccessful action"
+          end
+        end
+      end
+
+      # For readability: Handle 'add' logic.
+      def handle_add(sync_changes, valid_changes, action, successful_actions, filename, target_file, dn, group)
+        group_expected_contents = group_contents_as_text(group)
+
+        if File.file?(target_file)
+          if successful_actions.member?(dn)
+            # Weird case: The file was not supposed to be there but for some reason it is.
+            # Do a sync commit to remove the file (then a valid commit to add it back).
+            logger.warn "Sync change (delete #{filename}) required"
+            sync_changes[filename] = :delete
+          else
+            # Weird case: The file was there but the action to create the group was unsuccessful.
+            # Do nothing here, to let this get sync'd and updated when it completes successfully.
+            logger.warn "Skip sync change (delete #{filename}) due to unsuccessful action"
+          end
+        end
+
+        if successful_actions.member?(dn)
+          logger.debug "Valid change (create #{filename}) queued"
+          valid_changes[filename] = group_expected_contents
+        else
+          logger.warn "Skip change (add #{filename}) due to unsuccessful action"
+        end
+      end
+
+      # For readability: Handle 'update' logic.
+      def handle_update(sync_changes, valid_changes, action, successful_actions, filename, target_file, dn, group)
+        group_expected_contents = group_contents_as_text(group)
+        group_existing_contents = group_contents_as_text(action.existing)
+
+        if File.file?(target_file)
+          if successful_actions.member?(dn)
+            if File.read(target_file) == group_existing_contents
+              # Good: The file had the correct prior content so it can just be updated with the new content.
+              logger.debug "Valid change (update #{filename}) queued"
+              valid_changes[filename] = group_expected_contents
+            else
+              # Bad: The file had incorrect prior content. Sync to the previous members and then update it.
+              logger.warn "Sync change (update #{filename}) required"
+              sync_changes[filename] = group_existing_contents
+              logger.debug "Valid change (update #{filename}) queued"
+              valid_changes[filename] = group_expected_contents
+            end
+          elsif File.read(target_file) == group_existing_contents
+            # Good: The file already had the correct prior content. Since the action was unsuccessful
+            # just skip this case doing nothing.
+            logger.warn "Skip change (update #{filename}) due to unsuccessful action"
+          else
+            # Bad: The file had incorrect prior content. Wait for the successful run to sync the change.
+            logger.warn "Skip sync change (update #{filename}) due to unsuccessful action"
+          end
+        else
+          if successful_actions.member?(dn)
+            # Bad: The file didn't exist before but it should have. Create it now and then update it.
+            logger.warn "Sync change (create #{filename}) required"
+            sync_changes[filename] = group_existing_contents
+            logger.debug "Valid change (update #{filename}) queued"
+            valid_changes[filename] = group_expected_contents
+          else
+            # Bad: The file didn't exist before but it should have. Wait for the successful run to sync the change.
+            logger.warn "Skip sync change (create #{filename}) due to unsuccessful action"
+          end
+        end
+      end
+
+      # This defines the file format within this repository. Just dump the list of users
+      # and sort them, one per line.
+      #
+      # group - Entitlements::Models::Group object
+      #
+      # Returns a String with the members sorted and delimited by newlines.
+      Contract Entitlements::Models::Group => String
+      def member_strings_as_text(group)
+        if group.member_strings.empty?
+          return "# No members\n"
+        end
+
+        member_array = if config["person_dn_format"]
+          group.member_strings.map { |ms| config["person_dn_format"].gsub("%KEY%", ms).downcase }
+        else
+          group.member_strings.map(&:downcase)
+        end
+
+        member_array.sort.join("\n") + "\n"
+      end
+
+      # This defines the file format within this repository. Dump the metadata from the group, and return it as one
+      # metadata declaration per line ie "metadata_team_name = my_github_team"
+      #
+      # group - Entitlements::Models::Group object
+      #
+      # Returns a String with the metadata sorted and delimited by newlines.
+      Contract Entitlements::Models::Group => String
+      def metadata_strings_as_text(group)
+        begin
+          group_metadata = group.metadata
+          ignored_metadata = ["_filename"]
+          ignored_metadata.each do |metadata|
+            group_metadata.delete(metadata)
+          end
+
+          if group_metadata.empty?
+            return ""
+          end
+
+          metadata_array = group_metadata.map { |k, v| "metadata_#{k}=#{v}" }
+
+          return metadata_array.sort.join("\n") + "\n"
+        rescue Entitlements::Models::Group::NoMetadata
+          return ""
+        end
+      end
+
+      # This defines the file format within this repository. Grabs the full
+      # contents of an entitlements group - that is the members and the metadata - and returns it
+      #
+      # group - Entitlements::Models::Group object
+      #
+      # Returns a String with the content sorted and delimited by newlines.
+      Contract Entitlements::Models::Group => String
+      def group_contents_as_text(group)
+        group_members = member_strings_as_text(group)
+        group_metadata = metadata_strings_as_text(group)
+        group_members + group_metadata
+      end
+
+      # Make changes in the directory tree, then "git add" and "git commit" the changes
+      # with the specified commit message.
+      #
+      # changes - Hash of { filename => content } (or { filename => :delete })
+      # type    - Either :sync or :valid
+      #
+      # Returns nothing.
+      Contract C::HashOf[String => C::Or[String, :delete]], C::Or[:sync, :valid], String => nil
+      def commit_changes(expected_changes, type, commit_message)
+        return if expected_changes.empty?
+
+        valid_changes = false
+
+        expected_changes.each do |filename, content|
+          target = File.join(checkout_directory, filename)
+          if content == :delete
+            # It's possible for two separate commits to the gitrepo to remove the same file, causing a race condition
+            # The first commit will delete the file from the gitrepo, and the second commit will fail with an empty commit
+            # For that reason, we only track a removal as a valid change if the file exists and would actually be removed
+            next unless File.exist?(target)
+
+            FileUtils.rm_f target
+          else
+            FileUtils.mkdir_p File.dirname(target)
+            File.open(target, "w") { |f| f.write(content) }
+          end
+          valid_changes = true
+          @repo.add(checkout_directory, filename)
+        end
+        return unless valid_changes
+
+        if type == :sync
+          @repo.commit(checkout_directory, "[sync commit] #{commit_message}")
+        else
+          @repo.commit(checkout_directory, commit_message)
+        end
+        @repo.push(checkout_directory)
+      end
+
+      # Validate the options in 'config'. Raise an error if options are invalid.
+      #
+      # Takes no arguments.
+      #
+      # Returns nothing.
+      # :nocov:
+      Contract C::None => nil
+      def validate_options!
+        require_config_keys %w[checkout_directory commit_message git_name git_email repo sshkey]
+
+        unless config["repo"] =~ %r{\A([^/]+)/([^/]+)\z}
+          configuration_error "'repo' must be of the form 'organization/reponame'"
+        end
+
+        begin
+          Base64.decode64(config["sshkey"])
+        rescue => e
+          configuration_error "'sshkey' could not be base64 decoded: #{e.class} #{e.message}"
+        end
+
+        nil
+      end
+      # :nocov:
+    end
+  end
+end

data/lib/entitlements/util/gitrepo.rb

@@ -0,0 +1,227 @@
+# frozen_string_literal: true
+
+# NOTE: This currently does NOT use "rugged" because we want to use SSH to connect to GitHub,
+# but cannot be assured that "rugged" is compiled with SSH support everywhere this might run.
+# Hence, "open3" is used to access an assumed "git" binary.
+
+require "fileutils"
+require "open3"
+require "shellwords"
+require "tmpdir"
+
+module Entitlements
+  class Util
+    class GitRepo
+      include ::Contracts::Core
+      C = ::Contracts
+
+      class CommandError < StandardError; end
+
+      # This is hard-coded to use GitHub, just because. However this is here to support
+      # overriding this if needed (e.g. acceptance tests).
+      attr_accessor :github
+
+      # Constructor.
+      #
+      # repo   - Name of the repo on GitHub (e.g. github/entitlements-audit)
+      # sshkey - Private SSH key for a user with push access to the repo
+      # logger - Logger object
+      #
+      # Returns nothing.
+      Contract C::KeywordArgs[
+        repo: String,
+        sshkey: String,
+        logger: C::Maybe[C::Or[Logger, Entitlements::Auditor::Base::CustomLogger]]
+      ] => C::Any
+      def initialize(repo:, sshkey:, logger: Entitlements.logger)
+        @logger = logger
+        @repo = repo
+        @sshkey = sshkey
+        @github = "git@github.com:"
+      end
+
+      # Run "git add" on a file.
+      #
+      # dir      - A String with the path where this is to take place.
+      # filename - File name, relative to dir, to be added.
+      #
+      # Returns nothing.
+      Contract String, String => nil
+      def add(dir, filename)
+        validate_git_repository!(dir)
+        git(dir, ["add", filename])
+        nil
+      end
+
+      # Clone git repo into the specified directory.
+      #
+      # dir - A String with the path where this is to take place.
+      #
+      # Returns nothing.
+      Contract String => nil
+      def clone(dir)
+        if File.exist?(dir)
+          raise Errno::EEXIST, "Cannot clone to #{dir}: already exists"
+        end
+
+        logger.debug "Cloning from GitHub to #{dir}"
+        FileUtils.mkdir_p(dir)
+        git(dir, ["clone", repo_url, "."], ssh: true)
+        nil
+      end
+
+      # Commit to the repo.
+      #
+      # dir            - A String with the path where this is to take place.
+      # commit_message - A String with the commit message.
+      #
+      # Returns nothing.
+      Contract String, String => nil
+      def commit(dir, commit_message)
+        validate_git_repository!(dir)
+        git(dir, ["commit", "-m", commit_message])
+        nil
+      end
+
+      # Configure the name and e-mail address in the repo, so git commit knows what to use.
+      #
+      # dir   - A String with the path where this is to take place.
+      # name  - A String to pass to user.name
+      # email - A String to pass to user.email
+      #
+      # Returns nothing.
+      Contract String, String, String => nil
+      def configure(dir, name, email)
+        validate_git_repository!(dir)
+        logger.debug "Configuring #{dir} with name=#{name.inspect} email=#{email.inspect}"
+        git(dir, ["config", "user.name", name])
+        git(dir, ["config", "user.email", email])
+        nil
+      end
+
+      # Pull the latest from GitHub.
+      #
+      # dir - A String with the path where this is to take place.
+      #
+      # Returns nothing.
+      Contract String => nil
+      def pull(dir)
+        validate_git_repository!(dir)
+        logger.debug "Pulling from GitHub to #{dir}"
+        git(dir, ["reset", "--hard", "HEAD"])
+        git(dir, ["clean", "-f", "-d"])
+        git(dir, ["pull"], ssh: true)
+        nil
+      end
+
+      # Push the branch to GitHub.
+      #
+      # dir - A String with the path where this is to take place.
+      #
+      # Returns nothing.
+      Contract String => nil
+      def push(dir)
+        validate_git_repository!(dir)
+        logger.debug "Pushing to GitHub from #{dir}"
+        git(dir, ["push", "origin", "master"], ssh: true)
+        nil
+      end
+
+      private
+
+      attr_reader :repo, :sshkey, :logger
+
+      # Helper method to refer to the repository on GitHub.
+      #
+      # Takes no arguments.
+      #
+      # Returns a String with the URL on GitHub.
+      Contract C::None => String
+      def repo_url
+        "#{github}#{repo}.git"
+      end
+
+      # Helper to validate that a particular directory contains a git repository.
+      #
+      # dir - Directory where the command should be run.
+      #
+      # Returns nothing (but may raise Errno::ENOENT).
+      Contract String => nil
+      def validate_git_repository!(dir)
+        return if File.directory?(dir) && File.directory?(File.join(dir, ".git"))
+        raise Errno::ENOENT, "Cannot pull in #{dir}: does not exist or is not a git repo"
+      end
+
+      # Run a git command.
+      #
+      # dir     - Directory where the command should be run.
+      # args    - An Array of Strings with the command line arguments.
+      # options - Additional options?
+      #
+      # Returns a hash of { stdout: String, stderr: String, status: Integer }
+      Contract String, C::ArrayOf[String], C::Maybe[C::HashOf[Symbol => C::Any]] => C::HashOf[Symbol => C::Any]
+      def git(dir, args, options = {})
+        unless File.directory?(dir)
+          raise Errno::ENOENT, "Attempted to run 'git' in non-existing directory #{dir}!"
+        end
+
+        commandline = ["git", args].flatten.map { |str| Shellwords.escape(str) }.join(" ")
+
+        out, err, code = open3_git_execute(dir, commandline, options.fetch(:ssh, false))
+        if code.exitstatus != 0 && options.fetch(:raise_on_error, true)
+          if out && !out.empty?
+            out.split("\n").reject { |str| str.strip.empty? }.each { |str| logger.warn "[stdout] #{str}" }
+          end
+          if err && !err.empty?
+            err.split("\n").reject { |str| str.strip.empty? }.each { |str| logger.warn "[stderr] #{str}" }
+          end
+          logger.fatal "Command failed (#{code.exitstatus}): #{commandline}"
+          raise CommandError, "git command failed"
+        end
+
+        { stdout: out, stderr: err, status: code.exitstatus }
+      end
+
+      # Actually execute a command using open3. This handles wrapping the SSH key and git.
+      #
+      # dir         - Directory where to run the command
+      # commandline - Commands to execute (must be properly escapted)
+      # ssh         - True to set up a temporary directory and do the SSH key, false to skip this.
+      #
+      # Returns STDOUT, STDERR, EXITSTATUS
+      Contract String, String, C::Maybe[C::Bool] => [String, String, Process::Status]
+      def open3_git_execute(dir, commandline, ssh = false)
+        logger.debug "Execute: #{commandline}"
+
+        unless ssh
+          return Open3.capture3(commandline, chdir: dir)
+        end
+
+        begin
+          # Replace GIT_SSH with our custom SSH wrapper that installs the key and disables anything
+          # else custom that might be going on in the environment. Turn off prompts for the SSH key for
+          # github.com being trusted or not, only use the provided key as the identity, and ignore any
+          # ~/.ssh/config file the user running this might have set up.
+          tempdir = Dir.mktmpdir
+          File.open(File.join(tempdir, "key"), "w") { |f| f.write(sshkey) }
+          File.open(File.join(tempdir, "ssh"), "w") do |f|
+            f.puts "#!/bin/sh"
+            f.puts "exec /usr/bin/ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \\"
+            f.puts "  -o IdentityFile=#{Shellwords.escape(File.join(tempdir, 'key'))} -o IdentitiesOnly=yes \\"
+            f.puts "  -F /dev/null \\"
+            f.puts "  \"$@\""
+          end
+          FileUtils.chmod(0400, File.join(tempdir, "key"))
+          FileUtils.chmod(0700, File.join(tempdir, "ssh"))
+
+          # Run the command in the directory `dir` with GIT_SSH pointed at the wrapper script built above.
+          # Returns STDOUT, STDERR, EXITSTATUS.
+          Open3.capture3({ "GIT_SSH" => File.join(tempdir, "ssh") }, commandline, chdir: dir)
+        ensure
+          # Always kill the temporary directory after running, no matter what happened.
+          FileUtils.remove_entry_secure(tempdir)
+        end
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,317 @@
+--- !ruby/object:Gem::Specification
+name: entitlements-gitrepo-auditor-plugin
+version: !ruby/object:Gem::Version
+  version: 0.1.0
+platform: ruby
+authors:
+- GitHub, Inc. Security Ops
+autorequire:
+bindir: bin
+cert_chain: []
+date: 2022-08-15 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: concurrent-ruby
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.1.9
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.1.9
+- !ruby/object:Gem::Dependency
+  name: contracts
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.16.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.16.0
+- !ruby/object:Gem::Dependency
+  name: faraday
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.17.3
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.18'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: 0.17.3
+    - - "<"
+      - !ruby/object:Gem::Version
+        version: '0.18'
+- !ruby/object:Gem::Dependency
+  name: net-ldap
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+- !ruby/object:Gem::Dependency
+  name: octokit
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.18'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '4.18'
+- !ruby/object:Gem::Dependency
+  name: optimist
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.0.0
+- !ruby/object:Gem::Dependency
+  name: contracts-rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.0
+- !ruby/object:Gem::Dependency
+  name: entitlements
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.5.g6c8e3a79
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.5.g6c8e3a79
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 13.0.6
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 13.0.6
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+- !ruby/object:Gem::Dependency
+  name: rspec-core
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.8.0
+- !ruby/object:Gem::Dependency
+  name: rubocop
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.29.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.29.1
+- !ruby/object:Gem::Dependency
+  name: rubocop-github
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.17.0
+- !ruby/object:Gem::Dependency
+  name: rubocop-performance
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.13.3
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 1.13.3
+- !ruby/object:Gem::Dependency
+  name: rugged
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.27.5
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.27.5
+- !ruby/object:Gem::Dependency
+  name: simplecov
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.16.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.16.1
+- !ruby/object:Gem::Dependency
+  name: simplecov-erb
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 0.1.1
+- !ruby/object:Gem::Dependency
+  name: vcr
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 4.0.0
+- !ruby/object:Gem::Dependency
+  name: webmock
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.4.2
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - '='
+      - !ruby/object:Gem::Version
+        version: 3.4.2
+description: ''
+email: opensource+entitlements-app@github.com
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- VERSION
+- lib/entitlements/auditor/gitrepo.rb
+- lib/entitlements/util/gitrepo.rb
+homepage: https://github.com/github/entitlements-gitrepo-auditor-plugin
+licenses:
+- MIT
+metadata: {}
+post_install_message:
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubygems_version: 3.1.6
+signing_key:
+specification_version: 4
+summary: Entitlements GitRepo Auditor
+test_files: []