github_snap_builder 0.1.0

data/lib/github_snap_builder/server.rb

@@ -0,0 +1,254 @@
+require 'sinatra/base'
+require 'octokit'
+require 'json'
+require 'openssl'     # Verifies the webhook signature
+require 'jwt'         # Authenticates a GitHub App
+require 'time'        # Gets ISO 8601 representation of a Time object
+require 'logger'      # Logs debug statements
+require 'yaml'
+require 'github_snap_builder/config'
+require 'github_snap_builder/snap_builder'
+
+module GithubSnapBuilder
+	if ENV.include? 'SNAP_BUILDER_CONFIG'
+		CONFIG = Config.new(File.read(ENV['SNAP_BUILDER_CONFIG']))
+	else
+		CONFIG = Config.new('{}')
+	end
+
+	class Application < Sinatra::Application
+		set :port, CONFIG.port
+		set :bind, CONFIG.bind
+
+		# Converts the newlines. Expects that the private key has been set as an
+		# environment variable in PEM format.
+		PRIVATE_KEY = OpenSSL::PKey::RSA.new(CONFIG.github_app_private_key.gsub('\n', "\n")) if CONFIG.valid?
+
+		# Your registered app must have a secret set. The secret is used to verify
+		# that webhooks are sent by GitHub.
+		WEBHOOK_SECRET = CONFIG.github_webhook_secret
+
+		# The GitHub App's identifier (type integer) set when registering an app.
+		APP_IDENTIFIER = CONFIG.github_app_id
+
+		# Turn on Sinatra's verbose logging during development
+		configure :development do
+			set :logging, Logger::DEBUG
+		end
+
+		# Executed before each request to the `/event_handler` route
+		before '/event_handler' do
+			get_payload_request(request)
+			verify_webhook_signature
+			authenticate_app
+			# Authenticate the app installation in order to run API operations
+			authenticate_installation(@payload)
+		end
+
+		post '/event_handler' do
+			if !CONFIG.valid?
+				logger.info "Invalid config, ignoring event..."
+				return 200
+			end
+
+			case request.env['HTTP_X_GITHUB_EVENT']
+			when 'pull_request'
+				repo = @payload['pull_request']['base']['repo']['full_name']
+				unless CONFIG.repos_include? repo
+					logger.info "Not configured for repo '#{repo}'. Ignoring event..."
+					return 200 # Ignored, but still successful
+				end
+
+				case @payload['action']
+				when "opened", "reopened", "synchronize"
+					handle_pull_request_updated_event(@payload)
+				end
+			end
+
+			200 # success status
+		end
+
+		get '/logs/*' do
+			logfile = File.join logdir, params[:splat][0]
+			if File.file? logfile
+				send_file logfile
+			else
+				404
+			end
+		end
+
+
+		helpers do
+
+			def handle_pull_request_updated_event(payload)
+				pull_request = payload['pull_request']
+				repo = pull_request['base']['repo']['full_name']
+				head_url = pull_request['head']['repo']['html_url']
+				base_url = pull_request['base']['repo']['html_url']
+				commit_sha = pull_request['head']['sha']
+				pr_number = pull_request['number']
+
+				repo_config = CONFIG.repo(repo) || raise("Config missing repo definition for '#{repo}'")
+				channel = repo_config.channel
+				token = repo_config.token || raise("'#{repo}' config missing token")
+
+				relative_logfile_path = File.join repo, "#{commit_sha}.log"
+				logfile_path = File.join(logdir, relative_logfile_path)
+				FileUtils.mkpath File.dirname(logfile_path)
+				FileUtils.chmod_R 0755, File.dirname(logfile_path)
+				build_logger = Logger.new(logfile_path)
+				log_url = request.url.gsub 'event_handler', "logs/#{relative_logfile_path}"
+				status_reporter = GithubStatusReporter.new(@installation_client, repo, commit_sha, log_url)
+
+				begin
+					begin
+						status_reporter.pending("Currently building a snap...")
+
+						builder = SnapBuilder.new(build_logger, base_url, head_url, commit_sha, CONFIG.build_type)
+						logger.info "Building snap for '#{repo}'"
+						snap_path = builder.build
+					rescue Error => e
+						logger.error "Failed to build snap: #{e.message}"
+						status_reporter.error("Snap failed to build.")
+						return
+					end
+
+					begin
+						status_reporter.pending("Currently uploading/releasing snap...")
+
+						full_channel = "#{channel}/pr-#{pr_number}"
+						logger.info "Pushing and releasing snap into '#{full_channel}'"
+						builder.release(snap_path, token, full_channel)
+					rescue Error => e
+						logger.error "Failed to push/release snap: #{e.message}"
+						status_reporter.error("Snap failed to upload/release.")
+						return
+					end
+
+					logger.info 'Built and released snap, all done'
+					status_reporter.success("Snap built and released to '#{full_channel}'")
+				rescue => e
+					logger.error "Unknown error: #{e.message}"
+					status_reporter.error("Encountered an error.")
+					raise
+				ensure
+					if !snap_path.nil? and File.file? snap_path
+						File.delete snap_path
+					end
+				end
+			end
+
+			# Saves the raw payload and converts the payload to JSON format
+			def get_payload_request(request)
+				# request.body is an IO or StringIO object
+				# Rewind in case someone already read it
+				request.body.rewind
+				# The raw text of the body is required for webhook signature verification
+				@payload_raw = request.body.read
+				begin
+					@payload = JSON.parse @payload_raw
+				rescue => e
+					fail  "Invalid JSON (#{e}): #{@payload_raw}"
+				end
+			end
+
+			# Instantiate an Octokit client authenticated as a GitHub App.
+			# GitHub App authentication requires that you construct a
+			# JWT (https://jwt.io/introduction/) signed with the app's private key,
+			# so GitHub can be sure that it came from the app an not altererd by
+			# a malicious third party.
+			def authenticate_app
+				payload = {
+					# The time that this JWT was issued, _i.e._ now.
+					iat: Time.now.to_i,
+
+					# JWT expiration time (10 minute maximum)
+					exp: Time.now.to_i + (10 * 60),
+
+					# Your GitHub App's identifier number
+					iss: APP_IDENTIFIER
+				}
+
+				# Cryptographically sign the JWT.
+				jwt = JWT.encode(payload, PRIVATE_KEY, 'RS256')
+
+				# Create the Octokit client, using the JWT as the auth token.
+				@app_client ||= Octokit::Client.new(bearer_token: jwt)
+			end
+
+			# Instantiate an Octokit client, authenticated as an installation of a
+			# GitHub App, to run API operations.
+			def authenticate_installation(payload)
+				@installation_id = payload['installation']['id']
+				@installation_token = @app_client.create_app_installation_access_token(@installation_id)[:token]
+				@installation_client = Octokit::Client.new(bearer_token: @installation_token)
+			end
+
+			# Check X-Hub-Signature to confirm that this webhook was generated by
+			# GitHub, and not a malicious third party.
+			#
+			# GitHub uses the WEBHOOK_SECRET, registered to the GitHub App, to
+			# create the hash signature sent in the `X-HUB-Signature` header of each
+			# webhook. This code computes the expected hash signature and compares it to
+			# the signature sent in the `X-HUB-Signature` header. If they don't match,
+			# this request is an attack, and you should reject it. GitHub uses the HMAC
+			# hexdigest to compute the signature. The `X-HUB-Signature` looks something
+			# like this: "sha1=123456".
+			# See https://developer.github.com/webhooks/securing/ for details.
+			def verify_webhook_signature
+				their_signature_header = request.env['HTTP_X_HUB_SIGNATURE'] || 'sha1='
+				method, their_digest = their_signature_header.split('=')
+				our_digest = OpenSSL::HMAC.hexdigest(method, WEBHOOK_SECRET, @payload_raw)
+				halt 401 unless their_digest == our_digest
+
+				# The X-GITHUB-EVENT header provides the name of the event.
+				# The action value indicates the which action triggered the event.
+				logger.debug "---- received event #{request.env['HTTP_X_GITHUB_EVENT']}"
+				logger.debug "----    action #{@payload['action']}" unless @payload['action'].nil?
+			end
+
+			def logdir
+				ENV.fetch("SNAP_BUILDER_LOG_DIR", "log")
+			end
+
+			def logfile_path(repo, commit_sha)
+			end
+
+		end
+	end
+
+	class GithubStatusReporter
+		def initialize(client, repo, commit_sha, log_url)
+			@client = client
+			@repo = repo
+			@commit_sha = commit_sha
+			@log_url = log_url
+		end
+
+		def pending(message)
+			create_status 'pending', message
+		end
+
+		def success(message)
+			create_status 'success', message
+		end
+
+		def failure(message)
+			create_status 'failure', message
+		end
+
+		def error(message)
+			create_status 'error', message
+		end
+
+		private
+
+		def create_status(state, description)
+			@client.create_status(@repo, @commit_sha, state, {
+				context: "Snap Builder",
+				description: description,
+				target_url: @log_url
+			})
+		end
+	end
+end

data/lib/github_snap_builder/snap_builder.rb

@@ -0,0 +1,89 @@
+require 'fileutils'
+require 'tmpdir'
+require 'tempfile'
+require 'yaml'
+require 'rugged'
+require 'github_snap_builder'
+
+Dir[File.join(__dir__, 'builder_implementations', '*.rb')].each {|file| require file }
+
+module GithubSnapBuilder
+	class SnapBuilder
+		def initialize(logger, base_url, head_url, commit_sha, build_type)
+			@logger = logger
+			@base_url = base_url
+			@head_url = head_url
+			@commit_sha = commit_sha
+			@build_type = build_type
+			@base = 'core16'
+		end
+
+		def build
+			Dir.mktmpdir do |tempdir|
+				# First of all, clone the repository and get on the proper hash. Make
+				# sure to include the base repo so `git describe` has meaning.
+				repo = Rugged::Repository.clone_at(@base_url, tempdir)
+				remote = repo.remotes.create('fork', @head_url)
+				remote.fetch
+				repo.checkout(@commit_sha, {strategy: :force})
+
+				# Before we can actually build the snap, we must first determine the
+				# base to use. The default is "core".
+				snapcraft_yaml = snapcraft_yaml_location(tempdir)
+				@base = YAML.safe_load(File.read(snapcraft_yaml)).fetch("base", @base)
+				if @base == "core"
+					@base = "core16"
+				end
+
+				# Factor out any snaps that existed before we build the new one
+				snaps_glob = File.join(tempdir, '*.snap')
+				existing_snaps = Dir.glob(snaps_glob)
+
+				# Now build the snap
+				build_implementation.build(tempdir)
+
+				# Grab the filename of the snap we just built
+				new_snaps = Dir.glob(snaps_glob) - existing_snaps
+				if new_snaps.empty?
+					raise BuildFailedError
+				elsif new_snaps.length > 1
+					raise TooManySnapsError, new_snaps
+				end
+
+				# The directory we're in right now will be removed shortly. Copy the
+				# snap somewhere that will live forever, and hand it to the Snap class
+				# (which will remove it when it's done with it).
+				snap_file = Tempfile.create [@commit_sha, '.snap']
+				FileUtils.cp new_snaps[0], snap_file
+				snap_file.path
+			end
+		end
+
+		def release(snap_path, token, channel)
+			build_implementation.release(snap_path, token, channel)
+		end
+
+		def self.supported_build_types
+			Dir[File.join(__dir__, 'builder_implementations', '*.rb')].collect do |f|
+				File.basename(f, File.extname(f))
+			end
+		end
+
+		private
+
+		def build_implementation
+			GithubSnapBuilder.const_get("#{@build_type.capitalize}Builder").new(@logger, @base)
+		end
+
+		def snapcraft_yaml_location(project_dir)
+			["snapcraft.yaml", ".snapcraft.yaml", File.join("snap", "snapcraft.yaml")].each do |f|
+				path = File.join(project_dir, f)
+				if File.file? path
+					return path
+				end
+			end
+
+			raise MissingSnapcraftYaml
+		end
+	end
+end

data/lib/github_snap_builder/version.rb

@@ -0,0 +1,3 @@
+module GithubSnapBuilder
+	VERSION = "0.1.0"
+end

data/lib/github_snap_builder.rb

@@ -0,0 +1,69 @@
+require 'github_snap_builder/version'
+
+module GithubSnapBuilder
+	class Error < StandardError; end
+
+	class MissingSnapcraftError < Error
+		def initialize
+			super("snapcraft must be installed and in the PATH")
+		end
+	end
+
+	class MissingSnapFileError < Error
+		def initialize(path)
+			super("unable to find snap with path '#{path}'")
+		end
+	end
+
+	class BuildFailedError < Error
+		def initialize
+			super("build failed")
+		end
+	end
+
+	class TooManySnapsError < Error
+		def initialize(paths)
+			super("expected to find a single snap, found #{paths.length}: #{paths}")
+		end
+	end
+
+	class SnapPushError < Error
+		def initialize
+			super("failed to push/release snap")
+		end
+	end
+
+	class AuthenticationError < Error
+		def initialize(message)
+			super("failed to authenticate: #{message}")
+		end
+	end
+
+	class MissingSnapcraftYaml < Error
+		def initialize
+			super("unable to find snapcraft.yaml")
+		end
+	end
+
+	class DockerError < Error; end
+
+	class DockerVersionError < DockerError
+		def initialize
+			super("docker is either not installed or is incompatible")
+		end
+	end
+
+	class DockerRunError < DockerError
+		def initialize(command)
+			super("command in docker returned non-zero: #{command}")
+		end
+	end
+
+	class ConfigurationError < Error; end
+
+	class ConfigurationFieldError < ConfigurationError
+		def initialize(field)
+			super("configuration field is invalid: '#{field}'")
+		end
+	end
+end

data/sample-config.yaml

@@ -0,0 +1,35 @@
+# REQUIRED. Your registered app must have a secret set. The secret is used to
+# verify that webhooks are sent by github and not someone else on the internet.
+# github_webhook_secret: ""
+
+# REQUIRED. The ID of the github app
+# github_app_id: 12345
+
+# REQUIRED. The private key for the app, including line breaks.
+# github_app_private_key: |
+#   -----BEGIN RSA PRIVATE KEY-----
+#   nice long key
+#   -----END RSA PRIVATE KEY-----
+
+# REQUIRED. Specify the type of build. Options are:
+#   - docker: run in an ephemeral docker container
+# build_type: docker
+
+# The port on which to listen
+# port: 3000
+
+# The address on which to listen
+# bind: "0.0.0.0"
+
+# Configure destination channel and credentials for the snap in each repo
+# repos:
+#   repo_owner/repo_name:
+#     # Snaps will be released to the hotfix channel <channel>/pr-<number>
+#     channel: edge
+#
+#     # REQUIRED: Snapcraft login token. Generate this with:
+#     # $ snapcraft export-login \
+#     #             --snaps=<snap-name> \
+#     #             --channels=<channel> \
+#     #             --acls=package_push,package_release -
+#     token: ""

data/tests/builder_implementations/docker_test.rb

@@ -0,0 +1,85 @@
+require 'fileutils'
+require 'github_snap_builder/builder_implementations/docker'
+require_relative '../test_helpers'
+
+module GithubSnapBuilder
+	class DockerBuilderTest < SnapBuilderBaseTest
+		def setup
+			@mock_image = mock('image')
+			@mock_container = mock('container')
+			@mock_logger = mock('logger')
+			@mock_logger.stubs(:info)
+			@mock_logger.stubs(:error)
+			Docker.stubs(:validate_version!)
+		end
+
+		def test_docker_missing
+			Docker.expects(:validate_version!).raises(Excon::Error::Socket)
+
+			assert_raises DockerVersionError do
+				DockerBuilder.new(@mock_logger, 'test-base')
+			end
+		end
+
+		def test_build_success
+			assert_build 0
+		end
+
+		def test_build_failure
+			assert_raises DockerRunError do
+				assert_build 1
+			end
+		end
+
+		def test_release
+			Docker::Image.expects(:create).with('fromImage' => 'kyrofa/github-snap-builder:test-base').returns(@mock_image)
+
+			# Expect container based on image to be fired up
+			@mock_image.expects(:id).returns('1234')
+			Docker::Container.expects(:create).with(
+				'Cmd' => ['sh', '-c', "snapcraft login --with /token && snapcraft push test.snap --release=test-channel"],
+				'Image' => '1234',
+				'Env' => ['SNAPCRAFT_MANAGED_HOST=yes'],
+				'WorkingDir' => '/snapcraft',
+				'HostConfig' => {
+					'Binds' => ["/foo:/snapcraft"],
+					'AutoRemove' => true,
+				}
+			).returns(@mock_container)
+			@mock_container.expects(:store_file).with('/token', 'test-token')
+			@mock_container.expects(:start)
+			@mock_container.expects(:attach)
+			@mock_container.expects(:wait).returns({'StatusCode' => 0})
+			@mock_container.expects(:delete).with(force: true)
+
+			builder = DockerBuilder.new(@mock_logger, 'test-base')
+			builder.release("/foo/test.snap", "test-token", "test-channel")
+		end
+
+		private
+
+		def assert_build(status_code)
+			Docker::Image.expects(:create).with('fromImage' => 'kyrofa/github-snap-builder:test-base').returns(@mock_image)
+
+			# Expect container based on image to be fired up
+			@mock_image.expects(:id).returns('1234')
+			Docker::Container.expects(:create).with(
+				'Cmd' => ['sh', '-c', "apt update -qq && snapcraft"],
+				'Image' => '1234',
+				'Env' => ['SNAPCRAFT_MANAGED_HOST=yes'],
+				'WorkingDir' => '/snapcraft',
+				'HostConfig' => {
+					'Binds' => ["test-project-dir:/snapcraft"],
+					'AutoRemove' => true,
+				}
+			).returns(@mock_container)
+			@mock_container.expects(:start)
+			@mock_container.expects(:attach)
+			@mock_container.expects(:wait).returns({'StatusCode' => status_code})
+			@mock_container.expects(:delete).with(force: true)
+
+			builder = DockerBuilder.new(@mock_logger, 'test-base')
+			builder.build('test-project-dir')
+		end
+	end
+end

data/tests/config_test.rb

@@ -0,0 +1,164 @@
+require 'github_snap_builder/config'
+require_relative 'test_helpers'
+
+module GithubSnapBuilder
+	class ConfigTest < SnapBuilderBaseTest
+		def setup
+			@config_data = {
+				"github_webhook_secret" => "test-secret",
+				"github_app_id" => 123,
+				"github_app_private_key" => "test-key",
+				"port" => 1234,
+				"bind" => "1.2.3.4",
+				"build_type" => "docker",
+				"repos" => {
+					"test/repo" => {
+						"channel" => "test-channel",
+						"token" => "test-token",
+					}
+				},
+			}
+		end
+
+		def test_valid
+			assert config.valid?
+		end
+
+		def test_github_webhook_secret
+			assert_equal "test-secret", config.github_webhook_secret
+		end
+
+		def test_github_app_id
+			assert_equal 123, config.github_app_id
+		end
+
+		def test_github_app_private_key
+			assert_equal "test-key", config.github_app_private_key
+		end
+
+		def test_port
+			assert_equal 1234, config.port
+		end
+
+		def test_bind
+			assert_equal "1.2.3.4", config.bind
+		end
+
+		def test_build_type
+			assert_equal "docker", config.build_type
+		end
+
+		def test_repos
+			repos = config.repos
+			assert_equal 1, repos.length
+			repo = repos[0]
+
+			assert_equal "test/repo", repo.name
+			assert_equal "test-channel", repo.channel
+			assert_equal "test-token", repo.token
+		end
+
+		def test_invalid_github_webhook_secret
+			@config_data["github_webhook_secret"] = 1
+			assert !config.valid?
+
+			@config_data["github_webhook_secret"] = ''
+			assert !config.valid?
+
+			@config_data.delete "github_webhook_secret"
+			assert !config.valid?
+		end
+
+		def test_invalid_github_app_id
+			@config_data["github_app_id"] = 'string'
+			assert !config.valid?
+
+			@config_data["github_app_id"] = 0
+			assert !config.valid?
+
+			@config_data.delete "github_app_id"
+			assert !config.valid?
+		end
+
+		def test_invalid_github_app_private_key
+			@config_data["github_app_private_key"] = 1
+			assert !config.valid?
+
+			@config_data["github_app_private_key"] = ''
+			assert !config.valid?
+
+			@config_data.delete "github_app_private_key"
+			assert !config.valid?
+		end
+
+		def test_invalid_port
+			@config_data["port"] = 'string'
+			assert !config.valid?
+
+			@config_data["port"] = 0
+			assert !config.valid?
+		end
+
+		def test_invalid_bind
+			@config_data["bind"] = 1
+			assert !config.valid?
+
+			@config_data["bind"] = ''
+			assert !config.valid?
+		end
+
+		def test_invalid_build_type
+			@config_data["build_type"] = 1
+			assert !config.valid?
+
+			@config_data["build_type"] = ''
+			assert !config.valid?
+
+			@config_data["build_type"] = 'invalid'
+			assert !config.valid?
+
+			@config_data.delete "build_type"
+			assert !config.valid?
+		end
+
+		def test_invalid_channel
+			@config_data["repos"]["test/repo"]["channel"] = 1
+			assert !config.valid?
+
+			@config_data["repos"]["test/repo"]["channel"] = ''
+			assert !config.valid?
+		end
+
+		def test_invalid_token
+			@config_data["repos"]["test/repo"]["token"] = 1
+			assert !config.valid?
+
+			@config_data["repos"]["test/repo"]["token"] = ''
+			assert !config.valid?
+
+			@config_data["repos"]["test/repo"].delete "token"
+			assert !config.valid?
+		end
+
+		def test_port_is_optional
+			@config_data.delete "port"
+			assert config.valid?
+		end
+
+		def test_bind_is_optional
+			@config_data.delete "bind"
+			assert config.valid?
+		end
+
+		def test_channel_is_optional
+			@config_data["repos"]["test/repo"].delete "channel"
+			assert config.valid?
+		end
+
+		private
+
+		def config
+			Config.new(@config_data.to_yaml)
+		end
+	end
+end