hybrid_platforms_conductor 33.3.0 → 33.7.0
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/CHANGELOG.md +41 -0
- data/README.md +31 -2
- data/docs/config_dsl.md +45 -0
- data/docs/plugins/cmdb/host_keys.md +3 -1
- data/docs/plugins/connector/ssh.md +1 -0
- data/lib/hybrid_platforms_conductor/actions_executor.rb +29 -1
- data/lib/hybrid_platforms_conductor/bitbucket.rb +134 -90
- data/lib/hybrid_platforms_conductor/cmd_runner.rb +4 -4
- data/lib/hybrid_platforms_conductor/common_config_dsl/bitbucket.rb +12 -44
- data/lib/hybrid_platforms_conductor/common_config_dsl/github.rb +9 -31
- data/lib/hybrid_platforms_conductor/config.rb +2 -0
- data/lib/hybrid_platforms_conductor/confluence.rb +93 -88
- data/lib/hybrid_platforms_conductor/connector.rb +5 -2
- data/lib/hybrid_platforms_conductor/credentials.rb +122 -97
- data/lib/hybrid_platforms_conductor/deployer.rb +7 -9
- data/lib/hybrid_platforms_conductor/github.rb +39 -0
- data/lib/hybrid_platforms_conductor/hpc_plugins/action/bash.rb +1 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/action/remote_bash.rb +27 -17
- data/lib/hybrid_platforms_conductor/hpc_plugins/cmdb/host_keys.rb +13 -12
- data/lib/hybrid_platforms_conductor/hpc_plugins/connector/local.rb +6 -4
- data/lib/hybrid_platforms_conductor/hpc_plugins/connector/my_connector.rb.sample +1 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/connector/ssh.rb +37 -25
- data/lib/hybrid_platforms_conductor/hpc_plugins/log/remote_fs.rb +5 -6
- data/lib/hybrid_platforms_conductor/hpc_plugins/platform_handler/serverless_chef.rb +1 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/provisioner/docker.rb +1 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/provisioner/proxmox.rb +7 -4
- data/lib/hybrid_platforms_conductor/hpc_plugins/report/confluence.rb +3 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/secrets_reader/keepass.rb +3 -2
- data/lib/hybrid_platforms_conductor/hpc_plugins/secrets_reader/thycotic.rb +3 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/bitbucket_conf.rb +4 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/check_deploy_and_idempotence.rb +17 -3
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/deploy_removes_root_access.rb +30 -10
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/file_system.rb +1 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/github_ci.rb +4 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/hostname.rb +1 -2
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/idempotence.rb +1 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/ip.rb +1 -2
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/jenkins_ci_conf.rb +7 -3
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/jenkins_ci_masters_ok.rb +8 -4
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/local_users.rb +1 -2
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/mounts.rb +1 -2
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/orphan_files.rb +1 -2
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/spectre.rb +1 -1
- data/lib/hybrid_platforms_conductor/hpc_plugins/test/vulnerabilities.rb +1 -2
- data/lib/hybrid_platforms_conductor/hpc_plugins/test_report/confluence.rb +3 -1
- data/lib/hybrid_platforms_conductor/logger_helpers.rb +24 -1
- data/lib/hybrid_platforms_conductor/test.rb +21 -7
- data/lib/hybrid_platforms_conductor/tests_runner.rb +7 -6
- data/lib/hybrid_platforms_conductor/thycotic.rb +80 -75
- data/lib/hybrid_platforms_conductor/version.rb +1 -1
- data/spec/hybrid_platforms_conductor_test.rb +6 -0
- data/spec/hybrid_platforms_conductor_test/api/actions_executor/actions/bash_spec.rb +15 -0
- data/spec/hybrid_platforms_conductor_test/api/actions_executor/actions/remote_bash_spec.rb +32 -0
- data/spec/hybrid_platforms_conductor_test/api/actions_executor/connectors/local/remote_actions_spec.rb +87 -0
- data/spec/hybrid_platforms_conductor_test/api/actions_executor/connectors/ssh/connections_spec.rb +30 -0
- data/spec/hybrid_platforms_conductor_test/api/actions_executor/connectors/ssh/global_helpers_spec.rb +10 -0
- data/spec/hybrid_platforms_conductor_test/api/actions_executor/connectors/ssh/remote_actions_spec.rb +38 -0
- data/spec/hybrid_platforms_conductor_test/api/actions_executor/helpers_spec.rb +195 -0
- data/spec/hybrid_platforms_conductor_test/api/cmd_runner_spec.rb +14 -0
- data/spec/hybrid_platforms_conductor_test/api/config_spec.rb +11 -0
- data/spec/hybrid_platforms_conductor_test/api/credentials_spec.rb +251 -0
- data/spec/hybrid_platforms_conductor_test/api/deployer/log_plugins/remote_fs_spec.rb +215 -0
- data/spec/hybrid_platforms_conductor_test/api/deployer/secrets_reader_plugins/keepass_spec.rb +280 -319
- data/spec/hybrid_platforms_conductor_test/api/deployer/secrets_reader_plugins/thycotic_spec.rb +2 -2
- data/spec/hybrid_platforms_conductor_test/api/nodes_handler/cmdbs/host_keys_spec.rb +49 -10
- data/spec/hybrid_platforms_conductor_test/api/platform_handlers/serverless_chef/services_deployment_spec.rb +38 -0
- data/spec/hybrid_platforms_conductor_test/api/tests_runner/test_plugins/bitbucket_conf_spec.rb +49 -69
- data/spec/hybrid_platforms_conductor_test/api/tests_runner/test_plugins/github_ci_spec.rb +29 -39
- data/spec/hybrid_platforms_conductor_test/helpers/connector_ssh_helpers.rb +5 -3
- data/spec/hybrid_platforms_conductor_test/serverless_chef_repositories/1_local_node/chef_versions.yml +3 -0
- data/spec/hybrid_platforms_conductor_test/serverless_chef_repositories/1_local_node/nodes/node.json +15 -0
- data/spec/hybrid_platforms_conductor_test/serverless_chef_repositories/1_local_node/policyfiles/test_policy.rb +3 -0
- data/spec/hybrid_platforms_conductor_test/shared_examples/deployer.rb +134 -0
- data/spec/hybrid_platforms_conductor_test/test_connector.rb +2 -2
- metadata +36 -2
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 6f8aa219b3d74ccbf0a7c32f61bef98a29c1eb5d11f27cca6b99d900def8e0e3
|
4
|
+
data.tar.gz: b596c459a7a6bed546aff37f193ddff42c4df488b79d6a3f1bcd7018f5cbfb57
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 65b4206c0dee17a47d60160d50aae67cdf4b2271443c74738dfb12d9b11088c84a05371019e46227f007f590df7689d1aa760a495bd5635902edbcd12d18f74e
|
7
|
+
data.tar.gz: 1a4e327d499f63595ae15d7bb145bf48d837332b26d12b4e2b8b7761c6c2acd87080302f9f36b07fe1cbf064f3fc0af355ecb6a392b29506eff766bfeccc4031
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,44 @@
|
|
1
|
+
# [v33.7.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.6.0...v33.7.0) (2021-07-09 16:32:25)
|
2
|
+
|
3
|
+
### Features
|
4
|
+
|
5
|
+
* [[Feature] [#91] Expose log_debug? method to the config DSL to adapt configuration in case we are in debug mode](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/87f6f51df2d20c7861f9ddd59a8d7f68c27cdd74)
|
6
|
+
|
7
|
+
# [v33.6.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.5.1...v33.6.0) (2021-07-07 15:45:12)
|
8
|
+
|
9
|
+
## Global changes
|
10
|
+
### Patches
|
11
|
+
|
12
|
+
* [[Feature(connector_ssh)] [Feature(cmdb_host_keys)] [#78] Way to configure the SSH port being used with the ssh_port metadata](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/f1be319eae30eedcf7f901d3ce0a14f6f4d1f2ea)
|
13
|
+
|
14
|
+
## Changes for cmdb_host_keys
|
15
|
+
### Features
|
16
|
+
|
17
|
+
* [[Feature(connector_ssh)] [Feature(cmdb_host_keys)] [#78] Way to configure the SSH port being used with the ssh_port metadata](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/f1be319eae30eedcf7f901d3ce0a14f6f4d1f2ea)
|
18
|
+
|
19
|
+
## Changes for connector_ssh
|
20
|
+
### Features
|
21
|
+
|
22
|
+
* [[Feature(connector_ssh)] [Feature(cmdb_host_keys)] [#78] Way to configure the SSH port being used with the ssh_port metadata](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/f1be319eae30eedcf7f901d3ce0a14f6f4d1f2ea)
|
23
|
+
|
24
|
+
# [v33.5.1](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.5.0...v33.5.1) (2021-07-07 12:01:32)
|
25
|
+
|
26
|
+
### Patches
|
27
|
+
|
28
|
+
* [[Bugfix] [#87] Make sure local nodes and root accounts are taken into account when getting sudo prefixes](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/cb626f1c99a6f1a95c9c884c03bf3fd71045259c)
|
29
|
+
|
30
|
+
# [v33.5.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.4.0...v33.5.0) (2021-07-07 11:03:01)
|
31
|
+
|
32
|
+
### Features
|
33
|
+
|
34
|
+
* [[Feature] [Security] [#80] Use SecretString for credentials to avoid passwords and secrets accidental leakage](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/0db5f529e539b81f86b9f618a63e62bdbd58cb38)
|
35
|
+
|
36
|
+
# [v33.4.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.3.0...v33.4.0) (2021-07-05 13:24:27)
|
37
|
+
|
38
|
+
### Features
|
39
|
+
|
40
|
+
* [[Feature] [#83] Credentials can now be given through config DSL for better security and control](https://github.com/sweet-delights/hybrid-platforms-conductor/commit/9dd40e82b4c71bea9686abd828adb4359f5bebb2)
|
41
|
+
|
1
42
|
# [v33.3.0](https://github.com/sweet-delights/hybrid-platforms-conductor/compare/v33.2.4...v33.3.0) (2021-07-02 17:20:58)
|
2
43
|
|
3
44
|
## Global changes
|
data/README.md
CHANGED
@@ -84,9 +84,11 @@ Here are the various plugin categories:
|
|
84
84
|
* **[Actions](docs/plugins/action)** implement a given **action**. For example: bash code execution, ruby code execution, file transfer...
|
85
85
|
* **[Cmdbs](docs/plugins/cmdb)** parse **metadata** from various sources. For example: a database, Chef/Ansible inventory files, a configuration management database such as Consul...
|
86
86
|
* **[Connectors](docs/plugins/connector)** give ways to execute commands and transfer files on **nodes**. For example: using an SSH connection, a CLI for a Cloud provider...
|
87
|
+
* **[Logs](docs/plugins/log)** handle any deployment log storage strategy. They take deployment logs and send them wherever the plugins want.
|
87
88
|
* **[Platform handlers](docs/plugins/platform_handler)** handle any **platform** of a given **platform type**. They read **nodes**' inventory and **services** from **platforms**, and provide **actions** to deploy a **service** on a **node**.
|
88
89
|
* **[Provisioners](docs/plugins/provisioner)** provision (create, destroy, start, stop...) **nodes**. For example: using OpenShift, Proxmox, Docker, Podman...
|
89
90
|
* **[Reports](docs/plugins/report)** gather **platforms** and **nodes**' inventory information and publish them to some medium. For example: on command line, as a JSON file, on a content management system like Confluence or Mediawiki...
|
91
|
+
* **[Secrets readers](docs/plugins/secrets_reader)** reads secrets from various sources (vaults, APIs, local files...).
|
90
92
|
* **[Tests](docs/plugins/test)** define tests to be performed on **platforms** and **nodes**.
|
91
93
|
* **[Tests reports](docs/plugins/test_report)** publish tests results to some medium. For example: on command line, as a JSON file, on a content management system like Confluence or Mediawiki...
|
92
94
|
|
@@ -304,12 +306,39 @@ See [the executables list](docs/executables.md) for more details.
|
|
304
306
|
# Credentials
|
305
307
|
|
306
308
|
Some tools or tests require authentication using user/password to an external resource. Examples of such tools are Bitbucket, Thycotic, Confluence...
|
307
|
-
Credentials can be given
|
309
|
+
Credentials can be given 3 different ways:
|
310
|
+
* from the configuration file `hpc_config.rb`,
|
311
|
+
* from environment variables,
|
312
|
+
* from the user's `.netrc` file.
|
308
313
|
|
309
|
-
In case a process needs a credential that has not been set, a warning message will be output so that the user knows which credential is missing, and eventually for which URL.
|
314
|
+
In case a process needs a credential that has not been set, a warning message will be output so that the user knows which credential is missing, and eventually for which resource (URL, file...).
|
310
315
|
|
311
316
|
Following sub-sections explain the different ways of setting such credentials.
|
312
317
|
|
318
|
+
## Configuration
|
319
|
+
|
320
|
+
The [`credentials_for` config DSL method](docs/config_dsl.md#credentials_for) can be used to define the credentials for a given credential ID and eventual resource.
|
321
|
+
The way to do it is to provide a callback that will be called only when a credential is needed, and the credentials are given to a requester object. This way the life-cycle of the secret can be completely controlled, and clean-up can be done to ensure no vulnerabilities are staying after usage.
|
322
|
+
|
323
|
+
Example:
|
324
|
+
```ruby
|
325
|
+
# Simple case
|
326
|
+
credentials_for(:bitbucket) do |resource, requester|
|
327
|
+
requester.call 'my_bitbucket_name', 'my_bitbucket_PaSsWoRd'
|
328
|
+
end
|
329
|
+
|
330
|
+
# More secure case, handling user input and memory clean-up after usage
|
331
|
+
credentials_for(:bitbucket) do |resource, requester|
|
332
|
+
puts 'Input Bitbucket password...'
|
333
|
+
password = ''
|
334
|
+
$stdin.noecho { |io| io.sysread(256, password) }
|
335
|
+
password.chomp!
|
336
|
+
SecretString.protect(password) do |secret_password|
|
337
|
+
requester.call 'my_bitbucket_name', secret_password
|
338
|
+
end
|
339
|
+
end
|
340
|
+
```
|
341
|
+
|
313
342
|
## Environment variables
|
314
343
|
|
315
344
|
Environment variables used for credentials are always named following this convention: `hpc_user_for_<credential_id>` and `hpc_password_for_<credential_id>`.
|
data/docs/config_dsl.md
CHANGED
@@ -13,6 +13,7 @@ This DSL can also be completed by plugins. Check [the plugins documentations](pl
|
|
13
13
|
* [`hybrid_platforms_dir`](#hybrid_platforms_dir)
|
14
14
|
* [`tests_provisioner`](#tests_provisioner)
|
15
15
|
* [`expect_tests_to_fail`](#expect_tests_to_fail)
|
16
|
+
* [`credentials_for`](#credentials_for)
|
16
17
|
* [`read_secrets_from`](#read_secrets_from)
|
17
18
|
* [`send_logs_to`](#send_logs_to)
|
18
19
|
* [`retry_deploy_for_errors_on_stdout`](#retry_deploy_for_errors_on_stdout)
|
@@ -202,6 +203,50 @@ for_nodes('/tst/') do
|
|
202
203
|
end
|
203
204
|
```
|
204
205
|
|
206
|
+
<a name="credentials_for"></a>
|
207
|
+
## `credentials_for`
|
208
|
+
|
209
|
+
Set the credentials to be used (user, password) for a given credential ID and an optional resources selection.
|
210
|
+
|
211
|
+
Credentials can be used by any plugin (using the [`with_credentials_for`](/lib/hybrid_platforms_conductor/credentials.rb) method) and are used by various processes in Hybrid Platforms Conductor. See each [plugin's documentation](plugins.md) to know which plugin uses which credential.
|
212
|
+
|
213
|
+
It takes the following parameters:
|
214
|
+
* the credential ID (as a Symbol),
|
215
|
+
* an optional resource specification (can be a String for a complete resource name, or a Regexp matching resources' names),
|
216
|
+
* a code block that will be called back by any process needing credentials matching the ID and resource specification.
|
217
|
+
The code block will be given both the resource name being accessed, and a requester object that needs to be given the corresponding user and password. When the requester finishes running, the credentials are not needed anymore and should be cleaned from memory to avoid vulnerabilities.
|
218
|
+
|
219
|
+
A secure way to five the password is to use a [`SecretString`](https://github.com/Muriel-Salvan/secret_string) class that will give the following guarantees:
|
220
|
+
* Avoid the password to leak inadvertently in logs, on-screen, files...
|
221
|
+
* Clear the password from memory as soon as it is not needed anymore.
|
222
|
+
|
223
|
+
Examples:
|
224
|
+
```ruby
|
225
|
+
# Using an environment variable as a password
|
226
|
+
credentials_for(:github) do |resource, requester|
|
227
|
+
requester.call 'MyUserName', ENV['MY_GITHUB_PASSWORD']
|
228
|
+
end
|
229
|
+
|
230
|
+
# Using user input and cleaning memory
|
231
|
+
credentials_for(:github) do |resource, requester|
|
232
|
+
puts 'Input Github password...'
|
233
|
+
password = ''
|
234
|
+
$stdin.noecho { |io| io.sysread(256, password) }
|
235
|
+
password.chomp!
|
236
|
+
SecretString.protect(password) do |secret_password|
|
237
|
+
requester.call 'MyUserName', secret_password
|
238
|
+
end
|
239
|
+
end
|
240
|
+
|
241
|
+
# Defining different credentials based on the resource being accessed
|
242
|
+
credentials_for(:github, resource: %r{github.com/my-projects}) do |resource, requester|
|
243
|
+
requester.call 'MyUserName', 'MyPassword'
|
244
|
+
end
|
245
|
+
credentials_for(:github, resource: %r{github.com/company}) do |resource, requester|
|
246
|
+
requester.call 'CompanyUserName', 'CompanyPassword'
|
247
|
+
end
|
248
|
+
```
|
249
|
+
|
205
250
|
<a name="read_secrets_from"></a>
|
206
251
|
## `read_secrets_from`
|
207
252
|
|
@@ -21,7 +21,9 @@ None
|
|
21
21
|
|
22
22
|
| Metadata | Type | Usage
|
23
23
|
| --- | --- | --- |
|
24
|
-
| `
|
24
|
+
| `host_ip` | `String` | Used to perform the `ssh-keyscan` |
|
25
|
+
| `hostname` | `String` | Used in place of the `host_ip` in case `host_ip` is not available |
|
26
|
+
| `ssh_port` | `Integer` | Port on which the `ssh-keyscan` will be performed (default: 22) |
|
25
27
|
|
26
28
|
## Used environment variables
|
27
29
|
|
@@ -70,6 +70,7 @@ end
|
|
70
70
|
| `host_keys` | `Array<String>` | The node's host keys used to generate a `known_hosts` file with those to avoid user confirmations when connecting. |
|
71
71
|
| `hostname` | `String` | Host name used to connect in case no IP address can be found in metadata. |
|
72
72
|
| `private_ips` | `Array<String>` | IP list to connect in case `host_ip` is not defined in metadata. |
|
73
|
+
| `ssh_port` | `Integer` | Port used to connect to SSH (default: 22). |
|
73
74
|
| `ssh_session_exec` | `Boolean` | If set to `false`, then consider that the node does not have any SSH SessionExec capabilities. This will make sure that remote command executions is done using stdin piping on interactive sessions instead of SSH commands execution. |
|
74
75
|
|
75
76
|
## Used environment variables
|
@@ -53,7 +53,8 @@ module HybridPlatformsConductor
|
|
53
53
|
logger_stderr: @logger_stderr,
|
54
54
|
config: @config,
|
55
55
|
cmd_runner: @cmd_runner,
|
56
|
-
nodes_handler: @nodes_handler
|
56
|
+
nodes_handler: @nodes_handler,
|
57
|
+
actions_executor: self
|
57
58
|
)
|
58
59
|
end
|
59
60
|
)
|
@@ -246,6 +247,33 @@ module HybridPlatformsConductor
|
|
246
247
|
@connector_plugins[connector_name]
|
247
248
|
end
|
248
249
|
|
250
|
+
# Is the access to a given node privileged?
|
251
|
+
# Take into account if remote actions are executed on a local node, and configurable sudos.
|
252
|
+
#
|
253
|
+
# Parameters::
|
254
|
+
# * *node* (String): Node on which we want privileged access
|
255
|
+
# Result::
|
256
|
+
# * Boolean: Is the access privileged?
|
257
|
+
def privileged_access?(node)
|
258
|
+
(@nodes_handler.get_local_node_of(node) ? @cmd_runner.whoami : connector(:ssh).ssh_user) == 'root'
|
259
|
+
end
|
260
|
+
|
261
|
+
# Get the sudo prefix to get privileged access.
|
262
|
+
# Take into account if remote actions are executed on a local node, and configurable sudos.
|
263
|
+
#
|
264
|
+
# Parameters::
|
265
|
+
# * *node* (String): Node on which we want privileged access
|
266
|
+
# * *forward_env* (Boolean): Do we need to forward environment in case of sudo? [default: false]
|
267
|
+
# Result::
|
268
|
+
# * String: Sudo prefix to be used (can be empty if root is being used)
|
269
|
+
def sudo_prefix(node, forward_env: false)
|
270
|
+
if privileged_access?(node)
|
271
|
+
''
|
272
|
+
else
|
273
|
+
"#{@nodes_handler.sudo_on(node)} #{forward_env ? '-E ' : ''}"
|
274
|
+
end
|
275
|
+
end
|
276
|
+
|
249
277
|
private
|
250
278
|
|
251
279
|
# Execute a list of actions for a node, and return exit codes, stdout and stderr of those actions.
|
@@ -7,116 +7,160 @@ require 'hybrid_platforms_conductor/logger_helpers'
|
|
7
7
|
|
8
8
|
module HybridPlatformsConductor
|
9
9
|
|
10
|
-
#
|
11
|
-
|
10
|
+
# Mixin used to access Bitbucket API
|
11
|
+
module Bitbucket
|
12
12
|
|
13
|
-
include
|
13
|
+
include Credentials
|
14
14
|
|
15
15
|
# Provide a Bitbucket connector, and make sure the password is being cleaned when exiting.
|
16
16
|
#
|
17
17
|
# Parameters::
|
18
18
|
# * *bitbucket_url* (String): The Bitbucket URL
|
19
|
-
# * *logger* (Logger): Logger to be used
|
20
|
-
# * *logger_stderr* (Logger): Logger to be used for stderr
|
21
19
|
# * Proc: Code called with the Bitbucket instance.
|
22
|
-
# * *bitbucket* (
|
23
|
-
def
|
24
|
-
|
25
|
-
yield
|
20
|
+
# * *bitbucket* (BitbucketApi): The Bitbucket instance to use.
|
21
|
+
def with_bitbucket(bitbucket_url)
|
22
|
+
with_credentials_for(:bitbucket, resource: bitbucket_url) do |bitbucket_user, bitbucket_password|
|
23
|
+
yield BitbucketApi.new(bitbucket_url, bitbucket_user, bitbucket_password, logger: @logger, logger_stderr: @logger_stderr)
|
26
24
|
end
|
27
25
|
end
|
28
26
|
|
29
|
-
#
|
30
|
-
# String
|
31
|
-
attr_reader :bitbucket_url
|
32
|
-
|
33
|
-
# Constructor
|
27
|
+
# Iterate over each Bitbucket repository
|
34
28
|
#
|
35
29
|
# Parameters::
|
36
|
-
# *
|
37
|
-
#
|
38
|
-
#
|
39
|
-
#
|
40
|
-
#
|
41
|
-
|
42
|
-
|
43
|
-
|
44
|
-
|
45
|
-
|
30
|
+
# * Proc: Code called for each Bitbucket repository:
|
31
|
+
# * Parameters::
|
32
|
+
# * *bitbucket* (Bitbucket): The Bitbucket instance used to query the API for this repository
|
33
|
+
# * *repo_info* (Hash<Symbol, Object>): The repository info:
|
34
|
+
# * *name* (String): Repository name.
|
35
|
+
# * *project* (String): Project name.
|
36
|
+
# * *url* (String): Project Git URL.
|
37
|
+
# * *jenkins_ci_url* (String or nil): Corresponding Jenkins CI URL, or nil if none.
|
38
|
+
# * *checks* (Hash<Symbol, Object>): Checks to be performed on this repository:
|
39
|
+
# * *branch_permissions* (Array< Hash<Symbol, Object> >): List of branch permissions to check [optional]
|
40
|
+
# * *type* (String): Type of branch permissions to check. Examples of values are 'fast-forward-only', 'no-deletes', 'pull-request-only'.
|
41
|
+
# * *branch* (String): Branch on which those permissions apply.
|
42
|
+
# * *exempted_users* (Array<String>): List of exempted users for this permission [default: []]
|
43
|
+
# * *exempted_groups* (Array<String>): List of exempted groups for this permission [default: []]
|
44
|
+
# * *exempted_keys* (Array<String>): List of exempted access keys for this permission [default: []]
|
45
|
+
# * *pr_settings* (Hash<Symbol, Object>): PR specific settings to check [optional]
|
46
|
+
# * *required_approvers* (Integer): Number of required approvers [optional]
|
47
|
+
# * *required_builds* (Integer): Number of required successful builds [optional]
|
48
|
+
# * *default_merge_strategy* (String): Name of the default merge strategy. Example: 'rebase-no-ff' [optional]
|
49
|
+
# * *mandatory_default_reviewers* (Array<String>): List of mandatory reviewers to check [default: []]
|
50
|
+
def for_each_bitbucket_repo
|
51
|
+
@config.known_bitbucket_repos.each do |bitbucket_repo_info|
|
52
|
+
with_bitbucket(bitbucket_repo_info[:url]) do |bitbucket|
|
53
|
+
(bitbucket_repo_info[:repos] == :all ? bitbucket.repos(bitbucket_repo_info[:project])['values'].map { |repo_info| repo_info['slug'] } : bitbucket_repo_info[:repos]).each do |name|
|
54
|
+
yield bitbucket, {
|
55
|
+
name: name,
|
56
|
+
project: bitbucket_repo_info[:project],
|
57
|
+
url: "#{bitbucket_repo_info[:url]}/scm/#{bitbucket_repo_info[:project].downcase}/#{name}.git",
|
58
|
+
jenkins_ci_url: bitbucket_repo_info[:jenkins_ci_url].nil? ? nil : "#{bitbucket_repo_info[:jenkins_ci_url]}/job/#{name}",
|
59
|
+
checks: bitbucket_repo_info[:checks]
|
60
|
+
}
|
61
|
+
end
|
62
|
+
end
|
63
|
+
end
|
46
64
|
end
|
47
65
|
|
48
|
-
#
|
49
|
-
|
50
|
-
#
|
51
|
-
# Parameters::
|
52
|
-
# * *project* (String): Project name
|
53
|
-
# Result::
|
54
|
-
# * Object: Corresponding JSON
|
55
|
-
def repos(project)
|
56
|
-
get_api("projects/#{project}/repos?limit=1000")
|
57
|
-
end
|
66
|
+
# Provide an API to Bitbucket
|
67
|
+
class BitbucketApi
|
58
68
|
|
59
|
-
|
60
|
-
#
|
61
|
-
# Parameters::
|
62
|
-
# * *project* (String): Project name
|
63
|
-
# * *repo* (String): Repository name
|
64
|
-
# Result::
|
65
|
-
# * Object: Corresponding JSON
|
66
|
-
def settings_pr(project, repo)
|
67
|
-
get_api("projects/#{project}/repos/#{repo}/settings/pull-requests")
|
68
|
-
end
|
69
|
+
include LoggerHelpers
|
69
70
|
|
70
|
-
|
71
|
-
|
72
|
-
|
73
|
-
# * *project* (String): Project name
|
74
|
-
# * *repo* (String): Repository name
|
75
|
-
# Result::
|
76
|
-
# * Object: Corresponding JSON
|
77
|
-
def default_reviewers(project, repo)
|
78
|
-
get_api("projects/#{project}/repos/#{repo}/conditions", api_domain: 'default-reviewers')
|
79
|
-
end
|
71
|
+
# The Bitbucket URL
|
72
|
+
# String
|
73
|
+
attr_reader :bitbucket_url
|
80
74
|
|
81
|
-
|
82
|
-
|
83
|
-
|
84
|
-
|
85
|
-
|
86
|
-
|
87
|
-
|
88
|
-
|
89
|
-
|
90
|
-
|
91
|
-
|
75
|
+
# Constructor
|
76
|
+
#
|
77
|
+
# Parameters::
|
78
|
+
# * *bitbucket_url* (String): The Bitbucket URL
|
79
|
+
# * *bitbucket_user_name* (String): Bitbucket user name to be used when querying the API
|
80
|
+
# * *bitbucket_password* (SecretString): Bitbucket password to be used when querying the API
|
81
|
+
# * *logger* (Logger): Logger to be used [default = Logger.new(STDOUT)]
|
82
|
+
# * *logger_stderr* (Logger): Logger to be used for stderr [default = Logger.new(STDERR)]
|
83
|
+
def initialize(bitbucket_url, bitbucket_user_name, bitbucket_password, logger: Logger.new($stdout), logger_stderr: Logger.new($stderr))
|
84
|
+
init_loggers(logger, logger_stderr)
|
85
|
+
@bitbucket_url = bitbucket_url
|
86
|
+
@bitbucket_user_name = bitbucket_user_name
|
87
|
+
@bitbucket_password = bitbucket_password
|
88
|
+
end
|
92
89
|
|
93
|
-
|
94
|
-
|
95
|
-
|
96
|
-
|
97
|
-
|
98
|
-
|
99
|
-
|
100
|
-
|
101
|
-
|
102
|
-
|
103
|
-
|
104
|
-
|
105
|
-
|
106
|
-
|
107
|
-
|
108
|
-
|
109
|
-
|
110
|
-
|
111
|
-
|
112
|
-
|
113
|
-
|
114
|
-
|
115
|
-
|
90
|
+
# Get the repositories of a given project.
|
91
|
+
# Limit to 1000 results max.
|
92
|
+
#
|
93
|
+
# Parameters::
|
94
|
+
# * *project* (String): Project name
|
95
|
+
# Result::
|
96
|
+
# * Object: Corresponding JSON
|
97
|
+
def repos(project)
|
98
|
+
get_api("projects/#{project}/repos?limit=1000")
|
99
|
+
end
|
100
|
+
|
101
|
+
# Get the PR settings of a given repository
|
102
|
+
#
|
103
|
+
# Parameters::
|
104
|
+
# * *project* (String): Project name
|
105
|
+
# * *repo* (String): Repository name
|
106
|
+
# Result::
|
107
|
+
# * Object: Corresponding JSON
|
108
|
+
def settings_pr(project, repo)
|
109
|
+
get_api("projects/#{project}/repos/#{repo}/settings/pull-requests")
|
110
|
+
end
|
111
|
+
|
112
|
+
# Get the default reviewers of a given repository
|
113
|
+
#
|
114
|
+
# Parameters::
|
115
|
+
# * *project* (String): Project name
|
116
|
+
# * *repo* (String): Repository name
|
117
|
+
# Result::
|
118
|
+
# * Object: Corresponding JSON
|
119
|
+
def default_reviewers(project, repo)
|
120
|
+
get_api("projects/#{project}/repos/#{repo}/conditions", api_domain: 'default-reviewers')
|
121
|
+
end
|
122
|
+
|
123
|
+
# Get the branch permissions of a given repository
|
124
|
+
#
|
125
|
+
# Parameters::
|
126
|
+
# * *project* (String): Project name
|
127
|
+
# * *repo* (String): Repository name
|
128
|
+
# Result::
|
129
|
+
# * Object: Corresponding JSON
|
130
|
+
def branch_permissions(project, repo)
|
131
|
+
# Put 3 retries here as the Bitbucket installation has a very unstable API 2.0 and often returns random 401 errors.
|
132
|
+
get_api("projects/#{project}/repos/#{repo}/restrictions", api_domain: 'branch-permissions', api_version: '2.0', retries: 3)
|
133
|
+
end
|
134
|
+
|
135
|
+
# Issue an HTTP get on the API.
|
136
|
+
# Handle authentication.
|
137
|
+
#
|
138
|
+
# Parameters::
|
139
|
+
# * *path* (String): API path to access
|
140
|
+
# * *api_domain* (String): API domain to access [default: 'api']
|
141
|
+
# * *api_version* (String): API version to access [default: '1.0']
|
142
|
+
# * *retries* (Integer): Number of retries in case of failures [default: 0]
|
143
|
+
# Result::
|
144
|
+
# * Object: Returned JSON
|
145
|
+
def get_api(path, api_domain: 'api', api_version: '1.0', retries: 0)
|
146
|
+
api_url = "#{@bitbucket_url}/rest/#{api_domain}/#{api_version}/#{path}"
|
147
|
+
log_debug "Call Bitbucket API #{@bitbucket_user_name}@#{api_url}..."
|
148
|
+
http_response = nil
|
149
|
+
loop do
|
150
|
+
begin
|
151
|
+
http_response = URI.parse(api_url).open(http_basic_authentication: [@bitbucket_user_name, @bitbucket_password&.to_unprotected])
|
152
|
+
rescue
|
153
|
+
raise if retries.zero?
|
154
|
+
|
155
|
+
log_warn "Got error #{$ERROR_INFO} on #{@bitbucket_user_name}@#{api_url}. Will retry #{retries} times..."
|
156
|
+
retries -= 1
|
157
|
+
sleep 1
|
158
|
+
end
|
159
|
+
break unless http_response.nil?
|
116
160
|
end
|
117
|
-
|
161
|
+
JSON.parse(http_response.read)
|
118
162
|
end
|
119
|
-
|
163
|
+
|
120
164
|
end
|
121
165
|
|
122
166
|
end
|