moose-inventory 1.0.8 → 2.0

data/lib/moose_inventory/version.rb

@@ -2,6 +2,6 @@ module Moose
   ##
   # The Moose-Tools dynamic inventory management library
   module Inventory
-    VERSION = '1.0.8'
+    VERSION = '2.0'.freeze
   end
 end

data/moose-inventory.gemspec

@@ -16,30 +16,48 @@ Gem::Specification.new do |spec|
   # rubocop:enable Metrics/LineLength
   spec.homepage      = 'https://github.com/RusDavies/moose-inventory'
   spec.license       = 'MIT'
+  spec.required_ruby_version = '>= 3.2'
 
   spec.files         = `git ls-files -z`.split("\x0")
   spec.executables   = spec.files.grep(%r{^bin/}) { |f| File.basename(f) }
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
 
-  spec.add_runtime_dependency 'indentation', '~> 0.1'
-  spec.add_runtime_dependency 'json',        '~>1.8'
-  spec.add_runtime_dependency 'mysql',       '~>2.9'
-  # spec.add_runtime_dependency 'mysql2',    '~>0.3'
-  spec.add_runtime_dependency 'pg',        '~>0.17'
-  spec.add_runtime_dependency 'sequel',    '~>4.22'
-  spec.add_runtime_dependency 'sqlite3',   '~>1.3'
-  spec.add_runtime_dependency 'thor',      '~>0.19'
-  # spec.add_runtime_dependency   'yaml',      '~>1.0'
-
-  spec.add_development_dependency 'bundler',      '~> 1.10'
-  spec.add_development_dependency 'coveralls',    '~> 0.8'
-  spec.add_development_dependency 'hitimes',      '~> 1.2'
-  spec.add_development_dependency 'guard',        '~> 2.12'
-  spec.add_development_dependency 'guard-rspec',  '~> 4.5'
-  spec.add_development_dependency 'guard-rubocop',  '~> 1.2'
-  spec.add_development_dependency 'rake',         '~> 10.1'
-  spec.add_development_dependency 'rspec',        '~>3.2'
-  spec.add_development_dependency 'rubocop',      '>= 0.19'
-  spec.add_development_dependency 'simplecov',    '~> 0.10'
+#  spec.add_runtime_dependency 'indentation', '~> 0.1'
+#  spec.add_runtime_dependency 'json',        '~>1.8'
+#  #spec.add_runtime_dependency 'mysql',       '~>2.9' # This causes lots of problems.  Need to migrate to the newer mysql2.
+#  #spec.add_runtime_dependency 'mysql2',    '~>0.3'
+#  spec.add_runtime_dependency 'mysql2'
+#  spec.add_runtime_dependency 'pg',        '~>0.17'
+#  spec.add_runtime_dependency 'sequel',    '~>4.22'
+#  spec.add_runtime_dependency 'sqlite3',   '~>1.3'
+#  spec.add_runtime_dependency 'thor',      '~>0.19'
+#  # spec.add_runtime_dependency   'yaml',      '~>1.0'
+
+#  spec.add_development_dependency 'bundler',      '~> 1.7'
+#  spec.add_development_dependency 'coveralls',    '~> 0.8'
+#  spec.add_development_dependency 'guard',        '~> 2.12'
+#  spec.add_development_dependency 'guard-rspec',  '~> 4.5'
+#  spec.add_development_dependency 'guard-rubocop', '~> 1.2'
+#  spec.add_development_dependency 'rake',         '~> 10.1'
+#  spec.add_development_dependency 'rspec',        '~>3.2'
+#  spec.add_development_dependency 'rubocop',      '>= 0.19'
+#  spec.add_development_dependency 'simplecov',    '~> 0.10'
+
+  spec.add_runtime_dependency 'indentation', '~> 0'
+  spec.add_runtime_dependency 'json', '>= 2.7', '< 3'
+  spec.add_runtime_dependency 'mysql2', '>= 0.5.7', '< 0.6'
+  spec.add_runtime_dependency 'pg', '>= 1.5', '< 2'
+  spec.add_runtime_dependency 'sequel', '>= 5.80', '< 6'
+  spec.add_runtime_dependency 'sqlite3', '>= 1.7', '< 3'
+  spec.add_runtime_dependency 'thor', '>= 1.3', '< 2'
+
+  spec.add_development_dependency 'bundler', '>= 2.2.33', '< 3'
+  spec.add_development_dependency 'bundler-audit', '>= 0.9', '< 1'
+  spec.add_development_dependency 'parallel', '>= 1.10', '< 2.0'
+  spec.add_development_dependency 'rake', '>= 13.0', '< 14'
+  spec.add_development_dependency 'rspec', '~> 3'
+  spec.add_development_dependency 'rubocop', '>= 1.72', '< 2'
+  spec.add_development_dependency 'simplecov', '~> 0'
+
 end

data/scripts/check.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+set -euo pipefail
+
+bundle exec rspec --format progress
+scripts/ci/check_rubocop.sh
+git diff --check
+scripts/ci/check_permissions.sh
+scripts/ci/check_security.sh
+scripts/ci/check_secrets.sh
+scripts/ci/package_sanity.sh

data/scripts/ci/check_permissions.sh

@@ -0,0 +1,35 @@
+#!/bin/bash
+set -euo pipefail
+
+allowed_executables=(
+  "bin/moose-inventory"
+  "scripts/check.sh"
+  "scripts/ci/check_permissions.sh"
+  "scripts/ci/check_rubocop.sh"
+  "scripts/ci/check_secrets.sh"
+  "scripts/ci/check_security.sh"
+  "scripts/ci/install_security_tools.sh"
+  "scripts/ci/package_sanity.sh"
+  "scripts/files.rb"
+  "scripts/install_dependencies.sh"
+  "scripts/reports.sh"
+  "scripts/work-through.sh"
+)
+
+allowed_file="$(mktemp)"
+actual_file="$(mktemp)"
+trap 'rm -f "$allowed_file" "$actual_file"' EXIT
+
+printf '%s\n' "${allowed_executables[@]}" | sort > "$allowed_file"
+
+git ls-files -z | while IFS= read -r -d '' path; do
+  if [[ -x "$path" ]]; then
+    printf '%s\n' "$path"
+  fi
+done | sort > "$actual_file"
+
+if ! diff -u "$allowed_file" "$actual_file"; then
+  echo "Unexpected executable file permissions detected." >&2
+  echo "Update scripts/ci/check_permissions.sh only when a new executable entrypoint is intentional." >&2
+  exit 1
+fi

data/scripts/ci/check_rubocop.sh

@@ -0,0 +1,28 @@
+#!/bin/bash
+set -euo pipefail
+
+bundle exec rubocop \
+  lib/moose_inventory/inventory_context.rb \
+  lib/moose_inventory/operations/add_hosts.rb \
+  lib/moose_inventory/operations/add_groups.rb \
+  lib/moose_inventory/operations/add_associations.rb \
+  lib/moose_inventory/operations/remove_associations.rb \
+  lib/moose_inventory/operations/group_cleanup.rb \
+  lib/moose_inventory/operations/group_child_relations.rb \
+  lib/moose_inventory/operations/remove_groups.rb \
+  lib/moose_inventory/cli/helpers.rb \
+  lib/moose_inventory/cli/host_add.rb \
+  lib/moose_inventory/cli/group_add.rb \
+  lib/moose_inventory/cli/host_addgroup.rb \
+  lib/moose_inventory/cli/group_addhost.rb \
+  lib/moose_inventory/cli/host_rmgroup.rb \
+  lib/moose_inventory/cli/group_rmhost.rb \
+  lib/moose_inventory/cli/group_addchild.rb \
+  lib/moose_inventory/cli/group_rmchild.rb \
+  lib/moose_inventory/cli/group_rm.rb \
+  spec/lib/moose_inventory/operations/add_hosts_spec.rb \
+  spec/lib/moose_inventory/operations/add_groups_spec.rb \
+  spec/lib/moose_inventory/operations/add_associations_spec.rb \
+  spec/lib/moose_inventory/operations/remove_associations_spec.rb \
+  spec/lib/moose_inventory/operations/group_child_relations_spec.rb \
+  spec/lib/moose_inventory/operations/remove_groups_spec.rb

data/scripts/ci/check_secrets.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -euo pipefail
+
+BIN_DIR="${MOOSE_INVENTORY_SECURITY_TOOLS_BIN:-$PWD/tmp/security-tools/bin}"
+if command -v gitleaks >/dev/null 2>&1; then
+  GITLEAKS=(gitleaks)
+elif [ -x "$BIN_DIR/gitleaks" ]; then
+  GITLEAKS=("$BIN_DIR/gitleaks")
+else
+  if [ "${MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS:-0}" = "1" ]; then
+    echo "gitleaks is required but was not found. Run scripts/ci/install_security_tools.sh first." >&2
+    exit 2
+  fi
+  echo "gitleaks not found; skipping dedicated secret scan."
+  exit 0
+fi
+
+"${GITLEAKS[@]}" detect \
+  --no-git \
+  --source . \
+  --config .gitleaks.toml \
+  --redact \
+  --no-banner \
+  --log-level warn
+
+echo "Gitleaks secret scan passed."

data/scripts/ci/check_security.sh

@@ -0,0 +1,68 @@
+#!/bin/bash
+set -euo pipefail
+
+python3 - <<'PY'
+import json
+import sys
+import urllib.error
+import urllib.request
+
+specs = []
+for line in open('Gemfile.lock', encoding='utf-8'):
+    item = line.strip()
+    if not item or ' (' not in item:
+        continue
+    if item.startswith('moose-inventory'):
+        continue
+    name = item.split(' (', 1)[0]
+    version = item.split(' (', 1)[1].split(')', 1)[0].split('-', 1)[0]
+    if name and name[0].isalpha():
+        specs.append((name, version))
+
+queries = [
+    {'package': {'name': name, 'ecosystem': 'RubyGems'}, 'version': version}
+    for name, version in specs
+]
+
+request = urllib.request.Request(
+    'https://api.osv.dev/v1/querybatch',
+    data=json.dumps({'queries': queries}).encode('utf-8'),
+    headers={'Content-Type': 'application/json'},
+)
+
+try:
+    with urllib.request.urlopen(request, timeout=30) as response:
+        data = json.load(response)
+except (urllib.error.URLError, TimeoutError) as exc:
+    print(f'OSV dependency check failed: {exc}', file=sys.stderr)
+    sys.exit(2)
+
+findings = []
+for (name, version), result in zip(specs, data.get('results', [])):
+    for vuln in result.get('vulns') or []:
+        findings.append((name, version, vuln.get('id', 'unknown'), vuln.get('summary') or ''))
+
+print(f'OSV dependency check: queried={len(specs)} vulnerable={len(findings)}')
+if findings:
+    for name, version, vuln_id, summary in findings:
+        print(f'- {name} {version}: {vuln_id} {summary}', file=sys.stderr)
+    sys.exit(1)
+PY
+
+bundle exec bundle-audit check --update
+
+BIN_DIR="${MOOSE_INVENTORY_SECURITY_TOOLS_BIN:-$PWD/tmp/security-tools/bin}"
+if command -v osv-scanner >/dev/null 2>&1; then
+  OSV_SCANNER=(osv-scanner)
+elif [ -x "$BIN_DIR/osv-scanner" ]; then
+  OSV_SCANNER=("$BIN_DIR/osv-scanner")
+else
+  if [ "${MOOSE_INVENTORY_REQUIRE_SECURITY_TOOLS:-0}" = "1" ]; then
+    echo "osv-scanner is required but was not found. Run scripts/ci/install_security_tools.sh first." >&2
+    exit 2
+  fi
+  echo "osv-scanner not found; skipping osv-scanner lockfile scan."
+  exit 0
+fi
+
+"${OSV_SCANNER[@]}" scan source --lockfile Gemfile.lock .

data/scripts/ci/install_security_tools.sh

@@ -0,0 +1,47 @@
+#!/bin/bash
+set -euo pipefail
+
+# Installs optional security audit CLIs used by CI. They are kept out of the
+# gem runtime/development bundle because they are Go command-line tools, not
+# Ruby dependencies.
+
+BIN_DIR="${MOOSE_INVENTORY_SECURITY_TOOLS_BIN:-$PWD/tmp/security-tools/bin}"
+GITLEAKS_VERSION="${GITLEAKS_VERSION:-v8.30.0}"
+OSV_SCANNER_VERSION="${OSV_SCANNER_VERSION:-v2.2.3}"
+
+mkdir -p "$BIN_DIR"
+
+if ! command -v go >/dev/null 2>&1; then
+  echo "Go is required to install gitleaks/osv-scanner. Install Go or use a prebuilt package." >&2
+  exit 2
+fi
+
+install_go_tool() {
+  local name="$1"
+  local module="$2"
+  local version="$3"
+
+  if command -v "$name" >/dev/null 2>&1; then
+    echo "$name already available at $(command -v "$name")"
+    return
+  fi
+
+  if [ -x "$BIN_DIR/$name" ]; then
+    echo "$name already installed at $BIN_DIR/$name"
+    return
+  fi
+
+  echo "Installing $name $version into $BIN_DIR"
+  GOBIN="$BIN_DIR" go install "$module@$version"
+}
+
+install_go_tool gitleaks github.com/zricethezav/gitleaks/v8 "$GITLEAKS_VERSION"
+install_go_tool osv-scanner github.com/google/osv-scanner/v2/cmd/osv-scanner "$OSV_SCANNER_VERSION"
+
+if [ -n "${GITHUB_PATH:-}" ]; then
+  echo "$BIN_DIR" >> "$GITHUB_PATH"
+fi
+
+export PATH="$BIN_DIR:$PATH"
+gitleaks version || true
+osv-scanner --version

data/scripts/ci/package_sanity.sh

@@ -0,0 +1,46 @@
+#!/bin/bash
+set -euo pipefail
+
+pkg_dir="tmp/pkg"
+extract_dir="tmp/package-sanity"
+rm -rf "$pkg_dir" "$extract_dir"
+mkdir -p "$pkg_dir" "$extract_dir"
+
+gem_path="$pkg_dir/moose-inventory.gem"
+gem build moose-inventory.gemspec --output "$gem_path"
+
+gem specification "$gem_path" name --yaml > "$pkg_dir/name.yml"
+gem specification "$gem_path" version --yaml > "$pkg_dir/version.yml"
+gem specification "$gem_path" executables --yaml > "$pkg_dir/executables.yml"
+gem specification "$gem_path" require_paths --yaml > "$pkg_dir/require_paths.yml"
+gem specification "$gem_path" files --yaml > "$pkg_dir/files.yml"
+
+tar -xf "$gem_path" -C "$extract_dir"
+tar -xzf "$extract_dir/data.tar.gz" -C "$extract_dir"
+
+required_files=(
+  "bin/moose-inventory"
+  "lib/moose_inventory.rb"
+  "lib/moose_inventory/version.rb"
+  "README.md"
+  "LICENSE.txt"
+)
+
+for path in "${required_files[@]}"; do
+  if [[ ! -f "$extract_dir/$path" ]]; then
+    echo "Packaged gem is missing required file: $path" >&2
+    exit 1
+  fi
+done
+
+if ! grep -q "^- moose-inventory$" "$pkg_dir/executables.yml"; then
+  echo "Packaged gem metadata does not expose the moose-inventory executable." >&2
+  exit 1
+fi
+
+if ! bundle exec ruby -Ilib bin/moose-inventory --config spec/config/config.yml version | grep -q '^Version '; then
+  echo "CLI version smoke failed." >&2
+  exit 1
+fi
+
+printf 'Package sanity passed: %s\n' "$gem_path"

data/scripts/files.rb

@@ -12,7 +12,4 @@ out['Executables'.to_sym] = executables
 out['Test_Files'.to_sym] = test_files
 out['Require_Paths'.to_sym] = require_paths
 
-puts "#{out.to_yaml}"
-
-
-
+puts out.to_yaml.to_s

data/scripts/install_dependencies.sh

@@ -0,0 +1,19 @@
+#!/bin/bash
+set -euo pipefail
+
+sudo dnf groupinstall -y "C Development Tools and Libraries" "Development Tools"
+sudo dnf install -y \
+            ansible \
+            gitleaks \
+            golang \
+            ruby \
+            ruby-devel \
+            rubygem-bundler \
+            sqlite \
+            sqlite-libs \
+            sqlite-devel \
+            mariadb-connector-c-devel \
+            libpq-devel \
+            libffi \
+            libffi-devel \
+            rpm-build

data/scripts/reports.sh

@@ -1,4 +1,4 @@
 #!/bin/bash
+set -euo pipefail
 
-firefox spec/reports/quality/rubocop.html spec/reports/coverage/index.html spec/reports/test/rspec.html
-
+firefox spec/reports/coverage/index.html

data/spec/lib/moose_inventory/cli/cli_spec.rb

@@ -1,26 +1,25 @@
- require 'spec_helper'
+require 'spec_helper'
 
- RSpec.describe Moose::Inventory::Cli::Application do
+RSpec.describe Moose::Inventory::Cli::Application do
   before do
     @app = Moose::Inventory::Cli::Application
   end
 
-  describe ".version" do
+  describe '.version' do
     # --------------------
     it 'method should be responsive' do
       result = @app.instance_methods(false).include?(:version)
       expect(result).to eq(true)
     end
-    
+
     # --------------------
-#    it 'should output version information' do
-#      actual = runner { @app.version }
-#
-#      desired = {}
-#      desired[:STDERR] = "Version #{Moose::Inventory::VERSION}"
-#
-#      expected(actual, desired)
-#    end 
-    
+    #    it 'should output version information' do
+    #      actual = runner { @app.version }
+    #
+    #      desired = {}
+    #      desired[:STDERR] = "Version #{Moose::Inventory::VERSION}"
+    #
+    #      expected(actual, desired)
+    #    end
   end
- end
+end