ndr_dev_support 7.2.6 → 7.3.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 76f81b66bcf17c0e5e413814393d16bc99dd60dd8da6cde93ce57def7cb35e6a
-  data.tar.gz: ceb801fe0ccbd025342f6a50d0ae7c079be834624339744862a9b6ce010a61a5
+  metadata.gz: 5084b3677de82f1613b2a3d95e2290ca79128285da4a004636ee67d23d1546d5
+  data.tar.gz: 13561b93f13f6739c072382faf65968f59a5b82898ccbbb9b3a3c55a006744c3
 SHA512:
-  metadata.gz: 27ca7a80b76b603d216e4d816aa73f4bfce98cb5fa148502c89df109bea215ed1ad97f94770405b049f2bbf057139cd32901c9019d71891faba069fe298254db
-  data.tar.gz: a174a2fb75a30a8a716425ae6a9e7892a73827f8f2993df87bb33d4b5226651f38f5fba0cb14101db3aa5b603ed61c40fa8cdfca080b3cea7c30e35ea63ce022
+  metadata.gz: 656ead5b1726958c845ba2eda14afc1e548e1a012a813aff524dc78953630bae0f119bacdaed63b3621c4da6bfd41439f3022c8ab260a43470408b0f1ef51080
+  data.tar.gz: 541c54385afa983aaa6087302f92318d425556aaf5d9de534c685e52e7dc770e799bc318f0983d83c73053c1d81fe4b7937f14d91143b156292b4387481b5201

data/CHANGELOG.md

@@ -1,6 +1,14 @@
 ## [Unreleased]
 *no unreleased changes*
 
+## 7.3.1 / 2025-01-02
+### Added
+* Capistrano: deploy application secrets from a subversion or git repository
+
+## 7.3.0 / 2024-12-19
+### Added
+* Capistrano: install rbenv and ruby from /opt/rbenv.tar.gz or vendor/rbenv/
+
 ## 7.2.6 / 2024-11-13
 ### Fixed
 * Support Rails 7.2, 8.0, Ruby 3.3

data/lib/ndr_dev_support/capistrano/assets.rb

@@ -4,8 +4,8 @@ Capistrano::Configuration.instance(:must_exist).load do
     task :configure_assets do
       asset_script = fetch(:asset_script, <<~SHELL)
         set -e
-        ruby -ryaml -e "puts YAML.dump('production' => { 'secret_key_base' => 'compile_me' })" > config/secrets.yml
-        ruby -ryaml -e "puts YAML.dump('production' => { 'adapter' => 'placeholder' })" > config/database.yml
+        ruby -e "require 'yaml'; puts YAML.dump('production' => { 'secret_key_base' => 'compile_me' })" > config/secrets.yml
+        ruby -e "require 'yaml'; puts YAML.dump('production' => { 'adapter' => 'placeholder' })" > config/database.yml
         RAILS_ENV=production bundle exec rake assets:clobber assets:precompile
         rm config/secrets.yml config/database.yml
       SHELL

data/lib/ndr_dev_support/capistrano/deploy_secrets.rb

@@ -0,0 +1,166 @@
+# Add a git or svn secrets respository for ndr_dev_support:deploy_secrets
+def add_secrets_repo(name:, url:, scm:, branch: nil)
+  raise "Invalid repo name #{name}" unless /\A[A-Z0-9_-]+\z/i.match?(name)
+  raise "Unknown scm #{scm}" unless %w[svn git].include?(scm)
+  raise "Expected branch for repo #{name}" if scm == 'git' && branch.to_s.empty?
+
+  secrets_repositories = fetch(:secrets_repositories, {})
+  secrets_repositories[name] = { url: url, scm: scm, branch: branch }
+  set :secrets_repositories, secrets_repositories
+end
+
+# Add a secret to be deployed by ndr_dev_support:deploy_secrets
+def add_secret(repo:, repo_path:, shared_dest:)
+  secrets = fetch(:secrets, [])
+  raise "Unknown repo #{repo}" unless fetch(:secrets_repositories, {}).key?(repo)
+
+  secrets << { repo: repo, repo_path: repo_path, shared_dest: shared_dest }
+  set :secrets, secrets
+end
+
+Capistrano::Configuration.instance(:must_exist).load do
+  namespace :ndr_dev_support do
+    desc <<~DESC
+      Deploy updated application secrets to shared folders on application servers
+
+      To use this in a project, add something like the code below to your
+      Capistrano file config/deploy.rb, then run:
+      $ cap target app:update_secrets
+
+      namespace :app do
+        desc 'Update application secrets'
+        task :update_secrets do
+          add_secrets_repo(name: 'userlists',
+                           url: 'https://github.com/example/users.git',
+                           branch: 'main',
+                           scm: 'git')
+          add_secrets_repo(name: 'encrypted_credentials_store',
+                           url: 'https://svn-server.example.org/svn/creds', scm: 'svn')
+
+          add_secret(repo: 'encrypted_credentials_store',
+                     repo_path: 'path/to/credentials.yml.enc',
+                     shared_dest: 'config/credentials.yml.enc')
+          add_secret(repo: 'userlists',
+                     repo_path: 'config/userlist.yml',
+                     shared_dest: 'config/userlist.yml')
+        end
+      end
+      after 'app:update_secrets', 'ndr_dev_support:deploy_secrets'
+    DESC
+    task :deploy_secrets do
+      # List of repositories used for secrets
+      secrets_repositories = fetch(:secrets_repositories, {})
+      secrets = fetch(:secrets, [])
+      secrets_repo_base = Pathname.new('tmp/deployment-secrets')
+
+      if secrets.empty?
+        Capistrano::CLI.ui.say 'Warning: No secret files configured to upload'
+        next
+      end
+
+      # Allow quick indexing by filename
+      secrets_map = secrets.to_h { |secret| [secret[:shared_dest], secret] } # rubocop:disable Rails/IndexBy
+      changed = [] # List of changed files updated
+      Dir.mktmpdir do |secret_dir|
+        # Clone git secrets repositories if required
+        used_repos = secrets.collect { |secret| secret[:repo] }.uniq
+        repo_dirs = {}
+        used_repos.each do |repo|
+          repository = secrets_repositories[repo]
+          next unless repository[:scm] == 'git'
+
+          repo_dir = Pathname.new(secrets_repo_base).join(".git-#{repo}").to_s
+          if File.directory?(repo_dir)
+            ok = system("cd #{Shellwords.escape(repo_dir)} && git fetch")
+            raise "Error: cannot fetch secrets repository #{repo}: aborting" unless ok
+          else
+            ok = system('git', 'clone', '--mirror', '--filter=blob:none', repository[:url], repo_dir)
+            raise "Error: cannot clone secrets repository #{repo}: aborting" unless ok
+          end
+          repo_dirs[repo] = repo_dir
+        end
+
+        # Set up a temporary secrets directory of exported secrets,
+        # creating nested structure if necessary
+        secrets_map.each_value do |secret|
+          repo = secret[:repo]
+          repository = secrets_repositories[repo]
+          raise "Unknown repository #{secret[:repo]}" unless repository
+
+          repo_root = repository[:url]
+          raise 'Unknown / unsupported repository' unless repo_root&.start_with?('https://')
+
+          dest_fname = File.join(secret_dir, secret[:shared_dest])
+          dest_dir = File.dirname(dest_fname)
+          FileUtils.mkdir_p(dest_dir)
+          case repository[:scm]
+          when 'git'
+            repo_dir = Pathname.new(secrets_repo_base).join(".git-#{repo}").to_s
+            ok = system("GIT_DIR=#{Shellwords.escape(repo_dir)} git archive --format=tar " \
+                        "#{Shellwords.escape(repository[:branch])} " \
+                        "#{Shellwords.escape(secret[:repo_path])} | " \
+                        "tar x -Ps %#{Shellwords.escape(secret[:repo_path])}%" \
+                        "#{Shellwords.escape(File.join(secret_dir, secret[:shared_dest]))}% " \
+                        "#{Shellwords.escape(secret[:repo_path])}")
+          when 'svn'
+            ok = system('svn', 'export', '--quiet', "#{repo_root}/#{secret[:repo_path]}",
+                        File.join(secret_dir, secret[:shared_dest]))
+            # TODO: use --non-interactive, and then run again interactively if there's an eror
+          else
+            raise "Error: unsupported scm #{repository[:scm]}"
+          end
+
+          raise 'Error: cannot export secrets files: aborting' unless ok
+
+          secret[:digest] = Digest::SHA256.file(dest_fname).hexdigest
+        end
+
+        # Retrieve digests of secrets from application server
+        escaped_fnames = secrets_map.keys.collect { |fname| Shellwords.escape(fname) }
+        capture("cd #{shared_path.shellescape}; " \
+                "sha256sum #{escaped_fnames.join(' ')} || true").split("\n").each do |digest_line|
+          match = digest_line.match(/([0-9a-f]{64}) [ *](.*)/)
+          raise "Invalid digest returned: #{digest_line}" unless match && secrets_map.key?(match[2])
+
+          secrets_map[match[2]][:server_digest] = match[1]
+        end
+
+        # Upload replacements for all changed files
+        secrets_map.each_value do |secret|
+          if secret[:digest] == secret[:server_digest]
+            # Capistrano::CLI.ui.say "Unchanged secret: #{secret[:shared_dest]}"
+            next
+          end
+
+          Capistrano::CLI.ui.say "Uploading changed secret file: #{secret[:shared_dest]}"
+          changed << secret[:shared_dest]
+          # Capistrano does an in-place overwrite of the file, so use a temporary name,
+          # then move it into place
+          temp_dest = capture("mktemp -p #{shared_path.shellescape}").chomp
+          dest_fname = File.join(secret_dir, secret[:shared_dest])
+          put File.read(dest_fname), temp_dest
+          escape_shared_dest = Shellwords.escape(secret[:shared_dest])
+          escape_temp_dest = Shellwords.escape(temp_dest)
+          capture("cd #{shared_path.shellescape}; " \
+                  "chmod 664 #{escape_temp_dest}; " \
+                  "if [ -e #{escape_shared_dest} ]; then cp -p #{escape_shared_dest}{,.orig}; fi; " \
+                  "mv #{escape_temp_dest} #{escape_shared_dest}")
+        end
+      end
+
+      if changed.empty?
+        Capistrano::CLI.ui.say 'No changed secret files to upload'
+      else
+        Capistrano::CLI.ui.say "Uploaded #{changed.size} changed secret files: #{changed.join(', ')}"
+      end
+      # TODO: Support logging of changes, so that a calling script can report changes
+
+      # TODO: maintain a per-target local cache of latest revisions uploaded / file checksums
+      # then we don't need to re-connect to the remote servers, if nothing changed,
+      # We could also then only need to do "svn ls" instead of "svn export"
+
+      # TODO: Warn if some repos are inaccessible?
+      # TODO: Add notes for passwordless SSH deployment, using ssh-agent
+    end
+  end
+end

data/lib/ndr_dev_support/capistrano/install_ruby.rb

@@ -0,0 +1,103 @@
+Capistrano::Configuration.instance(:must_exist).load do
+  namespace :ndr_dev_support do
+    desc <<~DESC
+      Ensure that the required ruby version is installed.
+
+      This can be installed from /opt/rbenv.tar.gz (first installation only) or vendor/rbenv/
+
+      To place an offline copy of rbenv in /opt/rbenv.tar.gz
+      For ruby 3.1.6, run the following commands:
+      $ mkdir clone_rbenv
+      $ git clone https://github.com/rbenv/rbenv.git clone_rbenv/.rbenv
+      $ git clone https://github.com/rbenv/ruby-build.git clone_rbenv/.rbenv/plugins/ruby-build
+      $ mkdir clone_rbenv/.rbenv/cache
+      $ (cd clone_rbenv/.rbenv/cache; curl -O https://cache.ruby-lang.org/pub/ruby/3.1/ruby-3.1.6.tar.gz)
+      $ (cd clone_rbenv; rm -f ../rbenv.tar.gz; tar czf ../rbenv.tar.gz .rbenv)
+      $ rm -rf clone_rbenv
+      $ scp -p rbenv.tar.gz app-server:/opt/rbenv.tar.gz
+
+      To add rbenv, ruby-build and additional ruby versions to the application vendor directory
+      For ruby 3.2.6:
+      $ mkdir clone_rbenv
+      $ git clone https://github.com/rbenv/rbenv.git clone_rbenv/.rbenv
+      $ mkdir -p vendor/rbenv; rm -f vendor/rbenv/rbenv.tar.gz
+      $ tar czf vendor/rbenv/rbenv.tar.gz -C clone_rbenv .rbenv
+      $ rm -rf clone_rbenv
+      $ mkdir clone_ruby-build
+      $ git clone https://github.com/rbenv/ruby-build.git clone_ruby-build/ruby-build
+      $ mkdir -p vendor/rbenv/cache; rm -f vendor/rbenv/ruby-build.tar.gz
+      $ tar czf vendor/rbenv/ruby-build.tar.gz -C clone_ruby-build ruby-build
+      $ rm -rf clone_ruby-build
+      $ (cd vendor/rbenv/cache; curl -O https://cache.ruby-lang.org/pub/ruby/3.2/ruby-3.2.6.tar.gz)
+      $ git add vendor/rbenv/{rbenv,ruby-build}.tar.gz vendor/rbenv/cache/*
+    DESC
+    task :install_ruby do
+      version = fetch(:ruby)
+      # Note that ruby 3.1.x on CentOS 7 generally installs successfully but then reports an error:
+      #   ERROR:  While executing gem ... (URI::InvalidURIError)
+      #   bad URI(is not URI?): "bundler\r"
+      # For this reason, we ignore the exit status, and run our own test.
+      #
+      # For some reason, SSH keepalive options have no effect with capistrano 2 and net-ssh 7.
+      # So we run a poor-man's keepalive, because this installation can take over 10 minutes
+      # and some of our SSH servers disconnect inactive sessions after 5 minutes.
+      # We have a keepalive time limit of 40 minutes in case the installation fails unexpectedly.
+      #
+      # We remove ~/.rbenv paths from capistrano-defined PATH when running `rbenv init`
+      # so that it knows the path is needed in ~/.bash_profile
+      #
+      # We use latest_release: this is broadly well-defined, and will point to the in-progress
+      # release if we're part way through a deployment, or the most recent release if run
+      # after a deployment has happened, or be blank if attempted after cap deploy:setup
+      run <<~SHELL
+        set -e;
+        if ! rbenv versions --bare 2> /dev/null | grep -q ^#{Regexp.escape(version)}$; then
+          echo Installing ruby #{version};
+          { sleep 10; for i in `seq 1 80`; do echo -n '.'; sleep 30; done & } 2> /dev/null;
+          sudo -i -n -u #{fetch(:application_user)} sh -c "
+            if [ ! -e .rbenv ] && [ -e /opt/rbenv.tar.gz ]; then
+              tar xf /opt/rbenv.tar.gz .rbenv;
+              PATH=\\`echo \\"\\$PATH\\"|sed -e \\"s_[^:=]*/[.]rbenv[^:]*:__g\\"\\` .rbenv/bin/rbenv init bash;
+            fi;
+            if [ ! -e .rbenv ] && [ -f #{latest_release}/vendor/rbenv/rbenv.tar.gz ]; then
+              tar xf #{latest_release}/vendor/rbenv/rbenv.tar.gz .rbenv;
+              PATH=\\`echo \\"\\$PATH\\"|sed -e \\"s_[^:=]*/[.]rbenv[^:]*:__g\\"\\` .rbenv/bin/rbenv init bash;
+            fi;
+            if [ ! -e .rbenv ]; then
+              echo rbenv not installed: aborting;
+            else
+              if [ -d #{latest_release}/vendor/rbenv/cache ] && [ -n \\"\\`ls #{latest_release}/vendor/rbenv/cache\\`\\" ]; then
+                mkdir -p .rbenv/cache/;
+                cp -nvp #{latest_release}/vendor/rbenv/cache/* .rbenv/cache/;
+              fi;
+              if [ -f #{latest_release}/vendor/rbenv/ruby-build.tar.gz ]; then
+                mkdir -p .rbenv/plugins/;
+                tar xf #{latest_release}/vendor/rbenv/ruby-build.tar.gz -C .rbenv/plugins/ ruby-build;
+              fi;
+              eval \\"\\$(.rbenv/bin/rbenv init - --no-rehash bash)\\";
+              export TMPDIR=\\`mktemp -d \\"\\$HOME\\"/rbenv_tmp_XXXX\\`;
+              if rbenv install #{version} --skip-existing 2>&1; then
+                RBENV_VERSION=#{version} ruby --version;
+                rm -rf \\"\\`printenv TMPDIR\\`\\";
+                rbenv global #{version};
+              fi;
+            fi;
+          ";
+          { kill % && wait; } 2> /dev/null;
+          set -e;
+          if [ "`RBENV_VERSION=#{version} gem list --exact --installed bundler`" == "true" ]; then
+            echo 'Please ignore the following error above:';
+            echo '> ERROR:  While executing gem ... (URI::InvalidURIError)';
+            echo '> bad URI(is not URI?): "bundler\\r"';
+            echo Successfully installed ruby #{version};
+          else
+            echo ERROR: Failure installing ruby #{version}: aborting;
+            exit 1;
+          fi;
+        fi
+      SHELL
+    end
+  end
+
+  before 'bundle:install', 'ndr_dev_support:install_ruby'
+end

data/lib/ndr_dev_support/capistrano/ndr_model.rb

@@ -2,6 +2,8 @@ require 'rainbow'
 
 # Discrete bits of functionality we use automatically:
 require_relative 'assets'
+require_relative 'deploy_secrets'
+require_relative 'install_ruby'
 require_relative 'restart'
 require_relative 'revision_logger'
 require_relative 'ruby_version'
@@ -172,7 +174,7 @@ Capistrano::Configuration.instance(:must_exist).load do
 end
 
 def release_config_for(env)
-  branches = YAML.load_file('config/deployments.yml')
+  branches = YAML.safe_load_file('config/deployments.yml', permitted_classes: [Date])
   branches.fetch(env.to_s) { raise 'Unknown release branch!' }
 end
 

data/lib/ndr_dev_support/version.rb

@@ -2,5 +2,5 @@
 # This defines the NdrDevSupport version. If you change it, rebuild and commit the gem.
 # Use "rake build" to build the gem, see rake -T for all bundler rake tasks (and our own).
 module NdrDevSupport
-  VERSION = '7.2.6'
+  VERSION = '7.3.1'
 end

data/ndr_dev_support.gemspec

@@ -25,6 +25,7 @@ Gem::Specification.new do |spec|
   spec.add_dependency 'pry'
 
   # Audit dependencies:
+  spec.add_dependency 'csv'
   spec.add_dependency 'highline', '>= 1.6.0'
 
   # Rubocop dependencies:

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: ndr_dev_support
 version: !ruby/object:Gem::Version
-  version: 7.2.6
+  version: 7.3.1
 platform: ruby
 authors:
 - NCRS Development Team
 autorequire:
 bindir: exe
 cert_chain: []
-date: 2024-11-13 00:00:00.000000000 Z
+date: 2025-01-03 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: pry
@@ -24,6 +24,20 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: '0'
+- !ruby/object:Gem::Dependency
+  name: csv
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
+  type: :runtime
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - ">="
+      - !ruby/object:Gem::Version
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: highline
   requirement: !ruby/object:Gem::Requirement
@@ -395,6 +409,8 @@ files:
 - lib/minitest/rake_ci_plugin.rb
 - lib/ndr_dev_support.rb
 - lib/ndr_dev_support/capistrano/assets.rb
+- lib/ndr_dev_support/capistrano/deploy_secrets.rb
+- lib/ndr_dev_support/capistrano/install_ruby.rb
 - lib/ndr_dev_support/capistrano/ndr_model.rb
 - lib/ndr_dev_support/capistrano/restart.rb
 - lib/ndr_dev_support/capistrano/revision_logger.rb