ndr_dev_support 6.1.4 → 6.1.7

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 665f148ac622b9f75c0150d8b1d6770aaeaaf5c9d1bb561c5a1d34a3f9b8bf2d
-  data.tar.gz: af2bd48cfef10426450978b40071f134d40af2524edec37cf380b5ffa820a409
+  metadata.gz: 5fe8e3400612fc7c12992a9ed37a1896cc2345ef9d060638776ad5f3f5f2c2e1
+  data.tar.gz: 229b4288c7f789407821bea03feaf6bf0512b5628d51d1a69fd8f8febdcacb6d
 SHA512:
-  metadata.gz: 706873fa19d231e950bec7f26a74946a5c19d9d594930b5fe6b64e0b4be12545254b2371c82067a7ed0b420153ac050f449980c84c3eb15b8a2a58940e6a64ab
-  data.tar.gz: a20045257bbd629bca137e8b8724549836c2c484e05d1074b245dbdf56c607608cfd572141619c4bfe18786ae8645581ebe6777ed0068bd849e1bb8d97d95306
+  metadata.gz: 1edfdb2328f91d2fb3707b1f6e1b8b70f48cf4bae5037a1bea01398192a079912d063842bd45a88b748fb6522e6c6b5593336584e7bad3a0e2c91e0ff539fcb5
+  data.tar.gz: 687c9637cc0c9d1dae203b242393f91c44fc7817719fb9e0fbe43bb8ea9b545918ee45850f0f2f2d8186858a72ef807416ef2006fd8cf7f8b2533b5987596c74

data/CHANGELOG.md

@@ -1,6 +1,18 @@
 ## [Unreleased]
 * No unreleased changes
 
+## 6.1.7 / 2022-07-15
+### Added
+* Add `cd:credentials` rake task for continuous deployment of credentials
+
+## 6.1.6 / 2022-07-01
+### Added
+* capistrano: use DEPLOYER environment variable for non-interactive deployments
+
+## 6.1.5 / 2022-06-24
+### Fixed
+* audit:code should allow special characters in filenames
+
 ## 6.1.4 / 2022-06-16
 ### Added
 * Add warning when upgrading webpacker

data/lib/ndr_dev_support/capistrano/ndr_model.rb

@@ -30,6 +30,8 @@ require_relative 'sysadmin_scripts'
 #   and SVN branches. To use the latter, be sure to set the `:repository_branches` variable
 #   to point at the root of the branches. Otherwise, just set `:repository` directly as normal.
 #
+#   Set environment variable DEPLOYER to deploy as a particular user instead of prompting.
+#
 Capistrano::Configuration.instance(:must_exist).load do
   # Paths that are symlinked for each release to the "shared" directory:
   set :shared_paths, %w[config/database.yml config/secrets.yml log tmp]
@@ -94,9 +96,14 @@ Capistrano::Configuration.instance(:must_exist).load do
 
       # Gather SSH credentials: (password is asked for by Net::SSH, if needed)
       set :use_sudo, false
-      set :user, Capistrano::CLI.ui.ask('Deploy as: ')
+      if ENV['DEPLOYER']
+        set :user, ENV['DEPLOYER']
+        Capistrano::CLI.ui.say "Deploy as: #{fetch(:user)}"
+      else
+        set :user, Capistrano::CLI.ui.ask('Deploy as: ')
+      end
 
-      # If no alternate user is specified, deploy to the crediental-holding user.
+      # If no alternate user is specified, deploy to the credential-holding user.
       set :application_user, fetch(:user) unless fetch(:application_user)
 
       # The home folder of the application user:

data/lib/ndr_dev_support/daemon/cd_credentials.rb

@@ -0,0 +1,157 @@
+require 'English'
+require_relative 'stoppable'
+require 'ndr_dev_support/slack_message_publisher'
+require 'shellwords'
+require 'with_clean_rbenv'
+
+module NdrDevSupport
+  module Daemon
+    # Wrapper around Capistrano based Continuous Deployment of application credentials
+    #
+    # Assumes there is a capistrano task "app:update_secrets" which can be used together
+    # with a target name, e.g. cap target app:update_secrets
+    # to update a capistrano target with secrets / credentials from one or more repositories.
+    # To use this daemon, a number of environment variables need to be set
+    # including CD_TARGETS and CD_URLS.
+    class CDCredentials
+      include Stoppable
+
+      def self.from_args(env)
+        name = env['WORKER_NAME'].to_s
+        cd_targets = env['CD_TARGETS'].to_s.split
+        cd_urls = env['CD_URLS'].to_s.split
+
+        new(name: name, cd_targets: cd_targets, cd_urls: cd_urls)
+      end
+
+      def initialize(name:, cd_targets:, cd_urls:)
+        super
+
+        # Worker name can be used for clear logging:
+        @name = name
+        raise ArgumentError, 'No WORKER_NAME specified!' if name.blank?
+
+        # Capistrano targets to use for deployments
+        @cd_targets = cd_targets
+        raise ArgumentError, 'No CD_TARGETS specified!' unless cd_targets&.present?
+
+        # URLs to watch for continuous deployment
+        @cd_urls = cd_urls
+        raise ArgumentError, 'No CD_URLS specified!' unless cd_urls&.present?
+      end
+
+      private
+
+      def run_once
+        log('running once...')
+
+        # Keep state, watch repositories for changes, maybe save state to disk?
+        if (revisions = check_for_new_revisions)
+          log("deploying with revisions #{revisions}...")
+          deploy_credentials # should also notify slack if any changes deployed, but not
+        else
+          log('nothing new to deploy')
+        end
+        log('completed single run.')
+      rescue => e
+        log(<<~MSG)
+          Unhandled exception! #{e.class}: #{e.message}
+          #{(e.backtrace || []).join("\n")}
+        MSG
+
+        raise e
+      end
+
+      # Check for new revisions, and cache the latest one.
+      # If there are new revisions in the repositories available since the last check,
+      # return a hash of repo -> latest revision
+      # If no revisions have changed, returns nil
+      def check_for_new_revisions
+        # TODO: implement this, by checking for updates to @cd_urls
+        # Stub implementation, pretends things always changed
+        { 'dummy_repo' => '0' }
+      end
+
+      # Deploy credentials to all targets. Should also notify slack if any changes deployed
+      def deploy_credentials
+        log("Deploying to #{@cd_targets.join(', ')}...")
+        @changed_targets = []
+        @unchanged_targets = []
+        @failed_targets = []
+        @cd_targets.each do |target|
+          deploy_to_target(target)
+        end
+        publish_results
+      end
+
+      # Deploy credentials to a single target.
+      def deploy_to_target(target)
+        WithCleanRbenv.with_clean_rbenv do
+          results = `rbenv exec bundle exec cap #{Shellwords.escape(target)} \
+                       app:update_secrets < /dev/null`.split("\n")
+          puts results
+          if $CHILD_STATUS.exitstatus.zero?
+            if results.include?('No changed secret files to upload')
+              @unchanged_targets << target
+              log("Unchanged target #{target}")
+            elsif results.grep(/^Uploaded [0-9]+ changed secret files: /).any?
+              @changed_targets << target
+              log("Changed target #{target}")
+            else
+              @failed_targets << target
+              log("Unparseable result deploying to target #{target}")
+            end
+          else
+            @failed_targets << target
+            log("Failed to deploy to target #{target}")
+          end
+        end
+      end
+
+      def publish_results
+        slack_publisher = NdrDevSupport::SlackMessagePublisher.new(ENV['SLACK_WEBHOOK_URL'],
+                                                                   username: 'Rake CI',
+                                                                   icon_emoji: ':robot_face:',
+                                                                   channel: ENV['SLACK_CHANNEL'])
+        slack_publisher.post(attachments: attachments)
+      end
+
+      # Status / warning messages for slack notifications
+      def attachments
+        attachments = []
+
+        if @failed_targets.any?
+          attachment = {
+            color: 'danger',
+            title: "#{@failed_targets.count} failed credential updates :rotating_light:",
+            text: "Failed targets: `#{@failed_targets.join(', ')}`",
+            footer: 'bundle exec cap target app:update_secrets',
+            mrkdwn_in: ['text']
+          }
+          attachments << attachment
+          puts attachment.inspect
+        end
+
+        if @changed_targets.any?
+          text = "Changed targets: `#{@changed_targets.join(', ')}`\n"
+          text << (if @unchanged_targets.any?
+                     "Unchanged targets: `#{@unchanged_targets.join(', ')}`"
+                   else
+                     'No unchanged targets'
+                   end)
+          attachment = {
+            color: 'good',
+            title: "#{@changed_targets.size} successful credential updates",
+            text: text,
+            footer: 'bundle exec cap target app:update_secrets',
+            mrkdwn_in: ['text']
+          }
+          attachments << attachment
+          puts attachment.inspect
+        end
+
+        attachments
+      end
+    end
+  end
+end

data/lib/ndr_dev_support/tasks.rb

@@ -1,5 +1,6 @@
 load 'tasks/audit_code.rake'
 load 'tasks/audit_bundle.rake'
+load 'tasks/cd/credentials.rake'
 load 'tasks/ci/brakeman.rake'
 load 'tasks/ci/bundle_audit.rake'
 load 'tasks/ci/commit_cop.rake'

data/lib/ndr_dev_support/version.rb

@@ -2,5 +2,5 @@
 # This defines the NdrDevSupport version. If you change it, rebuild and commit the gem.
 # Use "rake build" to build the gem, see rake -T for all bundler rake tasks (and our own).
 module NdrDevSupport
-  VERSION = '6.1.4'
+  VERSION = '6.1.7'
 end

data/lib/tasks/audit_code.rake

@@ -1,6 +1,7 @@
 require 'csv'
 require 'pathname'
 require 'yaml'
+require 'shellwords'
 
 SAFETY_FILE =
   if File.exist?('code_safety.yml')
@@ -338,7 +339,8 @@ def get_last_changed_revision(repo, fname)
     %x[git log -n 1 -- "#{fname}"].split("\n").first[7..-1]
   when 'git-svn', 'svn'
     begin
-      svn_info = %x[svn info -r head "#{repo}/#{fname}"]
+      dest = "#{repo}/#{fname}@"
+      svn_info = %x[svn info -r head #{Shellwords.escape(dest)}]
     rescue
       puts 'we have an error in the svn info line'
     end
@@ -376,9 +378,10 @@ def capture_file_diffs(repo, fname, safe_revision, repolatest)
   cmd =
     case repository_type
     when 'git'
-      cmd = ['git', '--no-pager', 'diff', '--color', '-b', "#{safe_revision}..#{repolatest}", fname]
+      ['git', '--no-pager', 'diff', '--color', '-b', "#{safe_revision}..#{repolatest}", fname]
     when 'git-svn', 'svn'
-      cmd = ['svn', 'diff', '-r', "#{safe_revision.to_i}:#{repolatest.to_i}", '-x', '-b', "#{repo}/#{fname}"]
+      ['svn', 'diff', '-r', "#{safe_revision.to_i}:#{repolatest.to_i}", '-x', '-b',
+       "#{repo}/#{fname}@"]
     end
 
   stdout_and_err_str, _status = Open3.capture2e(*cmd)

data/lib/tasks/cd/credentials.rake

@@ -0,0 +1,9 @@
+namespace :cd do
+  desc 'Run Capistrano Continuous Deployment credentials server'
+  task :credentials do
+    require 'ndr_dev_support/daemon/cd_credentials'
+
+    worker = NdrDevSupport::Daemon::CDCredentials.from_args(ENV)
+    worker.run
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ndr_dev_support
 version: !ruby/object:Gem::Version
-  version: 6.1.4
+  version: 6.1.7
 platform: ruby
 authors:
 - NCRS Development Team
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2022-06-16 00:00:00.000000000 Z
+date: 2022-07-15 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pry
@@ -422,6 +422,7 @@ files:
 - lib/ndr_dev_support/capistrano/standalone_gems.rb
 - lib/ndr_dev_support/capistrano/svn_cache.rb
 - lib/ndr_dev_support/capistrano/sysadmin_scripts.rb
+- lib/ndr_dev_support/daemon/cd_credentials.rb
 - lib/ndr_dev_support/daemon/ci_server.rb
 - lib/ndr_dev_support/daemon/stoppable.rb
 - lib/ndr_dev_support/integration_testing.rb
@@ -452,6 +453,7 @@ files:
 - lib/ndr_dev_support/version.rb
 - lib/tasks/audit_bundle.rake
 - lib/tasks/audit_code.rake
+- lib/tasks/cd/credentials.rake
 - lib/tasks/ci/brakeman.rake
 - lib/tasks/ci/bundle_audit.rake
 - lib/tasks/ci/commit_cop.rake