hybrid_platforms_conductor 33.3.0 → 33.4.0

data/lib/hybrid_platforms_conductor/common_config_dsl/github.rb

@@ -1,6 +1,3 @@
-require 'octokit'
-require 'hybrid_platforms_conductor/credentials'
-
 module HybridPlatformsConductor
 
   module CommonConfigDsl
@@ -8,12 +5,19 @@ module HybridPlatformsConductor
     # Add common Github config DSL to declare known Github repositories
     module Github
 
+      # List of Github repositories
+      # Array< Hash<Symbol, Object> >
+      # * *user* (String): User or organization name, storing repositories
+      # * *url* (String): URL to the Github API
+      # * *repos* (Array<String> or Symbol): List of repository names from this project, or :all for all
+      attr_reader :known_github_repos
+
       # Initialize the DSL
       def init_github
         # List of Github repositories definitions
         # Array< Hash<Symbol, Object> >
         # Each definition is just mapping the signature of #github_repos
-        @github_repos = []
+        @known_github_repos = []
       end
 
       # Register new Github repositories
@@ -23,39 +27,13 @@ module HybridPlatformsConductor
       # * *url* (String): URL to the Github API [default: 'https://api.github.com']
       # * *repos* (Array<String> or Symbol): List of repository names from this project, or :all for all [default: :all]
       def github_repos(user:, url: 'https://api.github.com', repos: :all)
-        @github_repos << {
+        @known_github_repos << {
           url: url,
           user: user,
           repos: repos
         }
       end
 
-      # Iterate over each Github repository
-      #
-      # Parameters::
-      # * Proc: Code called for each Github repository:
-      #   * Parameters::
-      #     * *github* (Octokit::Client): The client instance accessing the Github API
-      #     * *repo_info* (Hash<Symbol, Object>): The repository info:
-      #       * *name* (String): Repository name.
-      #       * *slug* (String): Repository slug.
-      def for_each_github_repo
-        @github_repos.each do |repo_info|
-          Octokit.configure do |c|
-            c.api_endpoint = repo_info[:url]
-          end
-          Credentials.with_credentials_for(:github, @logger, @logger_stderr, url: repo_info[:url]) do |_github_user, github_token|
-            client = Octokit::Client.new(access_token: github_token)
-            (repo_info[:repos] == :all ? client.repositories(repo_info[:user]).map { |repo| repo[:name] } : repo_info[:repos]).each do |name|
-              yield client, {
-                name: name,
-                slug: "#{repo_info[:user]}/#{name}"
-              }
-            end
-          end
-        end
-      end
-
     end
 
   end

data/lib/hybrid_platforms_conductor/confluence.rb

@@ -7,111 +7,116 @@ require 'hybrid_platforms_conductor/credentials'
 
 module HybridPlatformsConductor
 
-  # Object used to access Confluence API
-  class Confluence
+  # Mixin used to access Confluence API
+  module Confluence
 
-    include LoggerHelpers
+    include Credentials
 
     # Provide a Confluence connector, and make sure the password is being cleaned when exiting.
     #
     # Parameters::
     # * *confluence_url* (String): The Confluence URL
-    # * *logger* (Logger): Logger to be used
-    # * *logger_stderr* (Logger): Logger to be used for stderr
     # * Proc: Code called with the Confluence instance.
-    #   * *confluence* (Confluence): The Confluence instance to use.
-    def self.with_confluence(confluence_url, logger, logger_stderr)
-      Credentials.with_credentials_for(:confluence, logger, logger_stderr, url: confluence_url) do |confluence_user, confluence_password|
-        yield Confluence.new(confluence_url, confluence_user, confluence_password, logger: logger, logger_stderr: logger_stderr)
+    #   * *confluence* (ConfluenceApi): The Confluence instance to use.
+    def with_confluence(confluence_url)
+      with_credentials_for(:confluence, resource: confluence_url) do |confluence_user, confluence_password|
+        yield ConfluenceApi.new(confluence_url, confluence_user, confluence_password, logger: @logger, logger_stderr: @logger_stderr)
       end
     end
 
-    # Constructor
-    #
-    # Parameters::
-    # * *confluence_url* (String): The Confluence URL
-    # * *confluence_user_name* (String): Confluence user name to be used when querying the API
-    # * *confluence_password* (String): Confluence password to be used when querying the API
-    # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
-    # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
-    def initialize(confluence_url, confluence_user_name, confluence_password, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
-      init_loggers(logger, logger_stderr)
-      @confluence_url = confluence_url
-      @confluence_user_name = confluence_user_name
-      @confluence_password = confluence_password
-    end
+    # Provide an API access on Confluence
+    class ConfluenceApi
 
-    # Return a Confluence storage format content from a page ID
-    #
-    # Parameters::
-    # * *page_id* (String): Confluence page ID
-    # Result::
-    # * Nokogiri::HTML: Storage format content, as a Nokogiri object
-    def page_storage_format(page_id)
-      Nokogiri::HTML(call_api("plugins/viewstorage/viewpagestorage.action?pageId=#{page_id}").body)
-    end
+      include LoggerHelpers
 
-    # Return some info of a given page ID
-    #
-    # Parameters::
-    # * *page_id* (String): Confluence page ID
-    # Result::
-    # * Hash: Page information, as returned by the Confluence API
-    def page_info(page_id)
-      JSON.parse(call_api("rest/api/content/#{page_id}").body)
-    end
+      # Constructor
+      #
+      # Parameters::
+      # * *confluence_url* (String): The Confluence URL
+      # * *confluence_user_name* (String): Confluence user name to be used when querying the API
+      # * *confluence_password* (String): Confluence password to be used when querying the API
+      # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
+      # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
+      def initialize(confluence_url, confluence_user_name, confluence_password, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
+        init_loggers(logger, logger_stderr)
+        @confluence_url = confluence_url
+        @confluence_user_name = confluence_user_name
+        @confluence_password = confluence_password
+      end
 
-    # Update a Confluence page to a new content.
-    #
-    # Parameters::
-    # * *page_id* (String): Confluence page ID
-    # * *content* (String): New content
-    # * *version* (String or nil): New version, or nil to automatically increase last existing version [default: nil]
-    def update_page(page_id, content, version: nil)
-      info = page_info(page_id)
-      version = info['version']['number'] + 1 if version.nil?
-      log_debug "Update Confluence page #{page_id}..."
-      call_api("rest/api/content/#{page_id}", :put) do |request|
-        request['Content-Type'] = 'application/json'
-        request.body = {
-          type: 'page',
-          title: info['title'],
-          body: {
-            storage: {
-              value: content,
-              representation: 'storage'
-            }
-          },
-          version: { number: version }
-        }.to_json
+      # Return a Confluence storage format content from a page ID
+      #
+      # Parameters::
+      # * *page_id* (String): Confluence page ID
+      # Result::
+      # * Nokogiri::HTML: Storage format content, as a Nokogiri object
+      def page_storage_format(page_id)
+        Nokogiri::HTML(call_api("plugins/viewstorage/viewpagestorage.action?pageId=#{page_id}").body)
       end
-    end
 
-    private
+      # Return some info of a given page ID
+      #
+      # Parameters::
+      # * *page_id* (String): Confluence page ID
+      # Result::
+      # * Hash: Page information, as returned by the Confluence API
+      def page_info(page_id)
+        JSON.parse(call_api("rest/api/content/#{page_id}").body)
+      end
 
-    # Call the Confluence API for a given URL and HTTP verb.
-    # Provide a simple way to tweak the request with an optional proc.
-    # Automatically handles authentication, base URL and error handling.
-    #
-    # Parameters::
-    # * *api_path* (String): The API path to query
-    # * *http_method* (Symbol): HTTP method to be used to create the request [default = :get]
-    # * Proc: Optional code called to alter the request
-    #   * Parameters::
-    #     * *request* (Net::HTTPRequest): The request
-    # Result::
-    # * Net::HTTPResponse: The corresponding response
-    def call_api(api_path, http_method = :get)
-      response = nil
-      page_url = URI.parse("#{@confluence_url}/#{api_path}")
-      Net::HTTP.start(page_url.host, page_url.port, use_ssl: true) do |http|
-        request = Net::HTTP.const_get(http_method.to_s.capitalize.to_sym).new(page_url.request_uri)
-        request.basic_auth @confluence_user_name, @confluence_password
-        yield request if block_given?
-        response = http.request(request)
-        raise "Confluence page API request on #{page_url} returned an error: #{response.code}\n#{response.body}\n===== Request body =====\n#{request.body}" unless response.is_a?(Net::HTTPSuccess)
+      # Update a Confluence page to a new content.
+      #
+      # Parameters::
+      # * *page_id* (String): Confluence page ID
+      # * *content* (String): New content
+      # * *version* (String or nil): New version, or nil to automatically increase last existing version [default: nil]
+      def update_page(page_id, content, version: nil)
+        info = page_info(page_id)
+        version = info['version']['number'] + 1 if version.nil?
+        log_debug "Update Confluence page #{page_id}..."
+        call_api("rest/api/content/#{page_id}", :put) do |request|
+          request['Content-Type'] = 'application/json'
+          request.body = {
+            type: 'page',
+            title: info['title'],
+            body: {
+              storage: {
+                value: content,
+                representation: 'storage'
+              }
+            },
+            version: { number: version }
+          }.to_json
+        end
       end
-      response
+
+      private
+
+      # Call the Confluence API for a given URL and HTTP verb.
+      # Provide a simple way to tweak the request with an optional proc.
+      # Automatically handles authentication, base URL and error handling.
+      #
+      # Parameters::
+      # * *api_path* (String): The API path to query
+      # * *http_method* (Symbol): HTTP method to be used to create the request [default = :get]
+      # * Proc: Optional code called to alter the request
+      #   * Parameters::
+      #     * *request* (Net::HTTPRequest): The request
+      # Result::
+      # * Net::HTTPResponse: The corresponding response
+      def call_api(api_path, http_method = :get)
+        response = nil
+        page_url = URI.parse("#{@confluence_url}/#{api_path}")
+        Net::HTTP.start(page_url.host, page_url.port, use_ssl: true) do |http|
+          request = Net::HTTP.const_get(http_method.to_s.capitalize.to_sym).new(page_url.request_uri)
+          request.basic_auth @confluence_user_name, @confluence_password
+          yield request if block_given?
+          response = http.request(request)
+          raise "Confluence page API request on #{page_url} returned an error: #{response.code}\n#{response.body}\n===== Request body =====\n#{request.body}" unless response.is_a?(Net::HTTPSuccess)
+        end
+        response
+      end
+
     end
 
   end

data/lib/hybrid_platforms_conductor/credentials.rb

@@ -7,122 +7,139 @@ module HybridPlatformsConductor
   # Give a secured and harmonized way to access credentials for a given service.
   # It makes sure to remove passwords from memory for hardened security (this way if a vulnerability allows an attacker to dump the memory it won't get passwords).
   # It gets credentials from the following sources:
+  # * Configuration
   # * Environment variables
   # * Netrc file
-  class Credentials
+  module Credentials
 
-    include LoggerHelpers
+    # Extend the Config DSL
+    module ConfigDSLExtension
+
+      # List of credentials. Each info has the following properties:
+      # * *credential_id* (Symbol): Credential ID this rule applies to
+      # * *resource* (Regexp): Resource filtering for this rule
+      # * *provider* (Proc): The code providing the credentials:
+      #   * Parameters::
+      #     * *resource* (String or nil): The resource for which we want credentials, or nil if none
+      #     * *requester* (Proc): Code to be called to give credentials to:
+      #       * Parameters::
+      #         * *user* (String or nil): The user name, or nil if none
+      #         * *password* (String or nil): The password, or nil if none
+      attr_reader :credentials
+
+      # Mixin initializer
+      def init_credentials_config
+        @credentials = []
+      end
+
+      # Define a credentials provider
+      #
+      # Parameters::
+      # * *credential_id* (Symbol): Credential ID this rule applies to
+      # * *resource* (String or Regexp): Resource filtering for this rule [default: /.*/]
+      # * *provider* (Proc): The code providing the credentials:
+      #   * Parameters::
+      #     * *resource* (String or nil): The resource for which we want credentials, or nil if none
+      #     * *requester* (Proc): Code to be called to give credentials to:
+      #       * Parameters::
+      #         * *user* (String or nil): The user name, or nil if none
+      #         * *password* (String or nil): The password, or nil if none
+      def credentials_for(credential_id, resource: /.*/, &provider)
+        @credentials << {
+          credential_id: credential_id,
+          resource: resource.is_a?(String) ? /^#{Regexp.escape(resource)}$/ : resource,
+          provider: provider
+        }
+      end
+
+    end
+
+    Config.extend_config_dsl_with ConfigDSLExtension, :init_credentials_config
 
     # Get access to credentials and make sure they are wiped out from memory when client code ends.
     # To ensure password safety, never store the password in a scope beyond the client code's Proc.
     #
     # Parameters::
     # * *id* (Symbol): Credential ID
-    # * *logger* (Logger): Logger to be used
-    # * *logger_stderr* (Logger): Logger to be used for stderr
-    # * *url* (String or nil): The URL for which we want the credentials, or nil if not associated to a URL [default: nil]
+    # * *resource* (String or nil): The resource for which we want the credentials, or nil if not associated to a resource [default: nil]
     # * Proc: Client code called with credentials provided
     #   * Parameters::
     #     * *user* (String or nil): User name, or nil if none
     #     * *password* (String or nil): Password, or nil if none.
     #       !!! Never store this password in a scope broader than the client code itself !!!
-    def self.with_credentials_for(id, logger, logger_stderr, url: nil)
-      credentials = Credentials.new(id, url: url, logger: logger, logger_stderr: logger_stderr)
-      begin
-        yield credentials.user, credentials.password
-      ensure
-        credentials.clear_password
-      end
-    end
-
-    # Constructor
-    #
-    # Parameters::
-    # * *id* (Symbol): Credential ID
-    # * *url* (String or nil): The URL for which we want the credentials, or nil if not associated to a URL [default: nil]
-    # * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
-    # * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
-    def initialize(id, url: nil, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
-      init_loggers(logger, logger_stderr)
-      @id = id
-      @url = url
-      @user = nil
-      @password = nil
-      @retrieved = false
-    end
-
-    # Provide a helper to clear password from memory for security.
-    # To be used when the client knows it won't use the password anymore.
-    def clear_password
-      @password&.replace('gotyou!' * 100)
-      GC.start
-    end
-
-    # Get the associated user
-    #
-    # Result::
-    # * String or nil: The user name, or nil if none
-    def user
-      retrieve_credentials
-      @user
-    end
-
-    # Get the associated password
-    #
-    # Result::
-    # * String or nil: The password, or nil if none
-    def password
-      retrieve_credentials
-      @password
-    end
-
-    private
+    def with_credentials_for(id, resource: nil)
+      # Get the credentials provider
+      provider = nil
 
-    # Retrieve credentials in @user and @password.
-    # Do it only once.
-    # Make sure the retrieved credentials are not linked to other objects in memory, so that we can remove any other trace of secrets.
-    def retrieve_credentials
-      return if @retrieved
+      # Check configuration
+      # Take the last matching provider, this way we can define several providers for resources matched in a increasingly refined way.
+      @config.credentials.each do |credentials_info|
+        provider = credentials_info[:provider] if credentials_info[:credential_id] == id && (
+          (resource.nil? && credentials_info[:resource] == /.*/) || credentials_info[:resource] =~ resource
+        )
+      end
 
-      # Check environment variables
-      @user = ENV["hpc_user_for_#{@id}"].dup
-      @password = ENV["hpc_password_for_#{@id}"].dup
-      if @user.nil? || @user.empty? || @password.nil? || @password.empty?
-        log_debug "[ Credentials for #{@id} ] - Credentials not found from environment variables."
-        if @url.nil?
-          log_debug "[ Credentials for #{@id} ] - No URL associated to this credentials, so .netrc can't be used."
-        else
-          # Check Netrc
-          netrc = ::Netrc.read
-          begin
-            netrc_user, netrc_password = netrc[URI.parse(@url).host.downcase]
-            if netrc_user.nil?
-              log_debug "[ Credentials for #{@id} ] - No credentials retrieved from .netrc."
-              # TODO: Add more credentials source if needed here
-              log_warn "[ Credentials for #{@id} ] - Unable to get credentials for #{@id} (URL: #{@url})."
-            else
-              @user = netrc_user.dup
-              @password = netrc_password.dup
-              log_debug "[ Credentials for #{@id} ] - Credentials retrieved from .netrc using #{@url}."
-            end
-          ensure
-            # Make sure the password does not stay in Netrc memory
-            # Wipe out any memory trace that might contain passwords in clear
-            netrc.instance_variable_get(:@data).each do |data_line|
-              data_line.each do |data_string|
-                data_string.replace('GotYou!!!' * 100)
+      provider ||= proc do |requested_resource, requester|
+        # Check environment variables
+        user = ENV["hpc_user_for_#{id}"].dup
+        password = ENV["hpc_password_for_#{id}"].dup
+        if user.nil? || user.empty? || password.nil? || password.empty?
+          log_debug "[ Credentials for #{id} ] - Credentials not found from environment variables."
+          if requested_resource.nil?
+            log_debug "[ Credentials for #{id} ] - No resource associated to this credentials, so .netrc can't be used."
+          else
+            # Check Netrc
+            netrc = ::Netrc.read
+            begin
+              netrc_user, netrc_password = netrc[
+                begin
+                  URI.parse(requested_resource).host.downcase
+                rescue URI::InvalidURIError
+                  requested_resource
+                end
+              ]
+              if netrc_user.nil?
+                log_debug "[ Credentials for #{id} ] - No credentials retrieved from .netrc."
+                # TODO: Add more credentials source if needed here
+                log_warn "[ Credentials for #{id} ] - Unable to get credentials for #{id} (Resource: #{requested_resource})."
+              else
+                user = netrc_user.dup
+                password = netrc_password.dup
+                log_debug "[ Credentials for #{id} ] - Credentials retrieved from .netrc using #{requested_resource}."
+              end
+            ensure
+              # Make sure the password does not stay in Netrc memory
+              # Wipe out any memory trace that might contain passwords in clear
+              netrc.instance_variable_get(:@data).each do |data_line|
+                data_line.each do |data_string|
+                  data_string.replace('GotYou!!!' * 100)
+                end
               end
+              # We do this assignment on purpose so that GC can remove sensitive data later
+              # rubocop:disable Lint/UselessAssignment
+              netrc = nil
+              # rubocop:enable Lint/UselessAssignment
             end
-            # We don this assignment on purpose so that GC can remove sensitive data later
-            # rubocop:disable Lint/UselessAssignment
-            netrc = nil
-            # rubocop:enable Lint/UselessAssignment
           end
+        else
+          log_debug "[ Credentials for #{id} ] - Credentials retrieved from environment variables."
         end
-      else
-        log_debug "[ Credentials for #{@id} ] - Credentials retrieved from environment variables."
+        GC.start
+        requester.call user, password
+        password&.replace('gotyou!' * 100)
+        GC.start
       end
-      GC.start
+
+      requester_called = false
+      provider.call(
+        resource,
+        proc do |user, password|
+          requester_called = true
+          yield user, password
+        end
+      )
+
+      raise "Requester not called by the credentials provider for #{id} (resource: #{resource}) - Please check the credentials_for code in your configuration." unless requester_called
     end
 
   end