newrelic_security 0.1.0

data/.github/actions/simplecov-report/dummy_coverage/.last_run.json

@@ -0,0 +1,5 @@
+{
+  "result": {
+    "covered_percent": 93.08
+  }
+}

data/.github/actions/simplecov-report/jest.config.js

@@ -0,0 +1,11 @@
+module.exports = {
+  clearMocks: true,
+  moduleFileExtensions: ['js', 'ts'],
+  testEnvironment: 'node',
+  testMatch: ['**/*.test.ts'],
+  testRunner: 'jest-circus/runner',
+  transform: {
+    '^.+\\.ts$': 'ts-jest'
+  },
+  verbose: true
+}

data/.github/actions/simplecov-report/package.json

@@ -0,0 +1,51 @@
+{
+  "name": "simplecov-report",
+  "version": "1.4.1",
+  "private": true,
+  "description": "SimpleCov Report",
+  "main": "lib/main.js",
+  "scripts": {
+    "build": "tsc --allowSyntheticDefaultImports",
+    "format": "prettier --write **/*.ts",
+    "format-check": "prettier --check **/*.ts",
+    "lint": "eslint src/**/*.ts",
+    "pack": "ncc build",
+    "test": "jest",
+    "all": "npm run build && npm run format && npm run lint && npm run pack && npm test",
+    "build_pack": "npm run build && npm run pack"
+  },
+  "repository": {
+    "type": "git",
+    "url": "git+https://github.com/actions/typescript-action.git"
+  },
+  "keywords": [
+    "actions",
+    "node",
+    "setup"
+  ],
+  "author": "aki77",
+  "license": "MIT",
+  "dependencies": {
+    "@actions/core": "^1.9.0",
+    "@actions/github": "^5.0.0",
+    "@aki77/actions-replace-comment": "^0.5.0",
+    "markdown-table": "^3.0.0"
+  },
+  "devDependencies": {
+    "@types/jest": "^27.0.2",
+    "@types/markdown-table": "^3.0.0",
+    "@types/node": "^12.12.38",
+    "@typescript-eslint/parser": "^5.16.0",
+    "@zeit/ncc": "^0.22.3",
+    "eslint": "^8.12.0",
+    "eslint-plugin-github": "^4.1.1",
+    "eslint-plugin-jest": "^26.1.3",
+    "eslint-plugin-prettier": "^4.0.0",
+    "jest": "^27.2.2",
+    "jest-circus": "^27.2.2",
+    "js-yaml": "^4.1.0",
+    "prettier": "^2.1.2",
+    "ts-jest": "^27.0.5",
+    "typescript": "^4.0.3"
+  }
+}

data/.github/actions/simplecov-report/src/main.ts

@@ -0,0 +1,54 @@
+import path from 'path'
+import * as core from '@actions/core'
+import * as github from '@actions/github'
+import {report} from './report'
+
+interface Result {
+  result: {
+    covered_percent?: number // NOTE: simplecov < 0.21.0
+    line?: number
+    branch?: number | undefined
+  }
+}
+
+async function run(): Promise<void> {
+  try {
+    if (!github.context.issue.number) {
+      core.warning('Cannot find the PR id.')
+      return
+    }
+
+    const failedThreshold: number = Number.parseInt(core.getInput('failedThreshold'), 10)
+    core.debug(`failedThreshold ${failedThreshold}`)
+
+    const failedThresholdBranch: number = Number.parseInt(core.getInput('failedThresholdBranch'), 10)
+    core.debug(`failedThresholdBranch ${failedThresholdBranch}`)
+
+    const resultPath: string = core.getInput('resultPath')
+    core.debug(`resultPath ${resultPath}`)
+
+    // eslint-disable-next-line @typescript-eslint/no-non-null-assertion, @typescript-eslint/no-require-imports, @typescript-eslint/no-var-requires
+    const json = require(path.resolve(process.env.GITHUB_WORKSPACE!, resultPath)) as Result
+    const coveredPercent = json.result.covered_percent ?? json.result.line
+    const coveredPercentBranch = json.result.branch
+
+    if (coveredPercent === undefined) {
+      throw new Error('Coverage is undefined!')
+    }
+
+    await report(coveredPercent, failedThreshold, coveredPercentBranch, failedThresholdBranch)
+
+    if (coveredPercent < failedThreshold) {
+      throw new Error(`Line coverage is less than ${failedThreshold}%. (${coveredPercent}%)`)
+    }
+    if ((coveredPercentBranch !== undefined) && (coveredPercentBranch < failedThresholdBranch)) {
+      throw new Error(`Branch coverage is less than ${failedThresholdBranch}%. (${coveredPercentBranch}%)`)
+    }
+  } catch (error) {
+    if (error instanceof Error) {
+      core.setFailed(error.message)
+    }
+  }
+}
+
+run()

data/.github/actions/simplecov-report/src/report.ts

@@ -0,0 +1,28 @@
+import * as core from '@actions/core'
+import * as github from '@actions/github'
+import replaceComment from '@aki77/actions-replace-comment'
+import {markdownTable} from 'markdown-table'
+
+export async function report(coveredPercent: number, failedThreshold: number, coveredPercentBranch: number | undefined, failedThresholdBranch: number): Promise<void> {
+  let results: string[][] = [['','Coverage', 'Threshold'],
+                   ['Line', `${coveredPercent}%`, `${failedThreshold}%`]]
+  if (coveredPercentBranch){
+    results.push(['Branch',`${coveredPercentBranch}%`,`${failedThresholdBranch}%`])
+  }
+  const summaryTable = markdownTable(results)
+
+  const pullRequestId = github.context.issue.number
+  if (!pullRequestId) {
+    throw new Error('Cannot find the PR id.')
+  }
+
+  await replaceComment({
+    token: core.getInput('token', {required: true}),
+    owner: github.context.repo.owner,
+    repo: github.context.repo.repo,
+    issue_number: pullRequestId,
+    body: `## SimpleCov Report
+${summaryTable}
+`
+  })
+}

data/.github/actions/simplecov-report/tsconfig.json

@@ -0,0 +1,12 @@
+{
+  "compilerOptions": {
+    "target": "es6",                          /* Specify ECMAScript target version: 'ES3' (default), 'ES5', 'ES2015', 'ES2016', 'ES2017', 'ES2018', 'ES2019' or 'ESNEXT'. */
+    "module": "commonjs",                     /* Specify module code generation: 'none', 'commonjs', 'amd', 'system', 'umd', 'es2015', or 'ESNext'. */
+    "outDir": "./lib",                        /* Redirect output structure to the directory. */
+    "rootDir": "./src",                       /* Specify the root directory of input files. Use to control the output directory structure with --outDir. */
+    "strict": true,                           /* Enable all strict type-checking options. */
+    "noImplicitAny": true,                    /* Raise error on expressions and declarations with an implied 'any' type. */
+    "esModuleInterop": true                   /* Enables emit interoperability between CommonJS and ES Modules via creation of namespace objects for all imports. Implies 'allowSyntheticDefaultImports'. */
+  },
+  "exclude": ["node_modules", "**/*.test.ts"]
+}

data/.github/workflows/pr_ci.yml

@@ -0,0 +1,77 @@
+name: PR Continuous Integration
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  unit_tests:
+    runs-on: ubuntu-22.04
+    strategy:
+      fail-fast: false
+      matrix:
+        ruby-version: [2.4.10, 2.5.9, 2.6.10, 2.7.8, 3.0.7, 3.1.5, 3.2.4, 3.3.1, jruby-9.4.5.0]
+        instrumentation-method: ['prepend', 'chain']
+    steps:
+      - name: Configure git
+        run: 'git config --global init.defaultBranch main'
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag v4.1.2
+
+        # - curl is needed for Curb
+        # - xslt is needed for older Nokogiris, RUBY_VERSION < 2.5
+      - name: Install OS packages
+        run: sudo apt-get update; sudo apt-get install -y --no-install-recommends libcurl4-nss-dev libxslt1-dev libc6-dev openjdk-11-jdk
+
+      - name: Install Ruby ${{ matrix.ruby-version }}
+        uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # tag v1.176.0
+        with:
+          ruby-version: ${{ matrix.ruby-version }}
+
+      - name: Bundle test environment
+        run: BUNDLE_GEMFILE=Gemfile_test rake test_bundle
+
+      - name: Run Unit Tests
+        run: bundle exec rake test
+        env:
+          VERBOSE_TEST_OUTPUT: true
+          BUNDLE_GEMFILE: 'Gemfile_test'
+          NR_CSEC_INSTRUMENTATION_METHOD: '${{ matrix.instrumentation-method }}'
+
+      - name: Save coverage results
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # tag v4.3.2
+        with:
+          name: coverage-report-unit-tests-${{ matrix.ruby-version }}-${{ matrix.instrumentation-method }}
+          path: lib/coverage_*/.resultset.json
+
+  simplecov:
+    needs: unit_tests
+    runs-on: ubuntu-22.04
+    if: github.event.pull_request.head.repo.full_name == github.repository
+    permissions:
+      pull-requests: write
+      contents: read
+    steps:
+      - name: Configure git
+        run: 'git config --global init.defaultBranch main'
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag v4.1.2
+      - uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # tag v1.176.0
+        with:
+          ruby-version: '3.1'
+      - run: bundle
+      - name: Download all workflow run artifacts
+        uses: actions/download-artifact@9c19ed7fe5d278cd354c7dfd5d3b88589c7e2395 # tag v4.1.6
+      - name: Collate Coverage Results
+        run: bundle exec rake coverage:report
+      - name: Upload coverage results
+        uses: actions/upload-artifact@1746f4ab65b179e0ea60a494b83293b640dd5bba # tag v4.3.2
+        with:
+          name: coverage-report-combined
+          path: lib/coverage_results
+          retention-days: 2
+      - name: Simplecov Report
+        uses: ./.github/actions/simplecov-report
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          resultPath: lib/coverage_results/.last_run.json
+          failedThreshold: 70
+          failedThresholdBranch: 33
+

data/.github/workflows/release.yml

@@ -0,0 +1,51 @@
+name: Release
+
+on:
+  push:
+    branches:
+      - main
+
+jobs:
+  release:
+    runs-on: ubuntu-latest
+    permissions:
+      contents: write
+      repository-projects: write
+    steps:
+    - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag v4.1.2
+      with:
+        fetch-depth: 0
+
+    - uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # tag v1.176.0
+      with:
+        ruby-version: 3.2
+
+    - name: Install onetimepass
+      run: pip install onetimepass==1.0.1
+
+    - name: Configure gem credentials
+      run: |
+        echo "GEM_HOST_API_KEY=${{ secrets.RUBYGEMS_API_KEY }}" >> $GITHUB_ENV
+        echo "RUBYGEMS_MFA_KEY=${{ secrets.RUBYGEMS_MFA_KEY }}" >> $GITHUB_ENV
+
+    - name: Build newrelic_security gem
+      run: gem build newrelic_security.gemspec
+
+    - name: Determine version
+      run: |
+        echo "VERSION=$(ls newrelic_security-*.gem | ruby -pe 'sub(/newrelic_security\-(.*).gem/, "\\1")')" >> $GITHUB_ENV
+
+    - name: Create github release
+      uses: softprops/action-gh-release@de2c0eb89ae2a093876385947365aca7b0e5f844 # tag v0.1.15
+      if: $(git tag -l ${{ env.VERSION }}) == false
+      with:
+        tag_name: ${{ env.VERSION }}
+      env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+
+    - name: Obtain OTP to publish newrelic_security to rubygems.org
+      run: echo "RUBYGEMS_OTP=$(python ./.github/workflows/scripts/rubygems-authenticate.py RUBYGEMS_MFA_KEY)" >> $GITHUB_ENV
+
+    - name: Publish newrelic_security to rubygems.org
+      run: ruby ./.github/workflows/scripts/rubygems-publish.rb newrelic_security
+

data/.github/workflows/repolinter.yml

@@ -0,0 +1,31 @@
+# NOTE: This file should always be named `repolinter.yml` to allow
+# workflow_dispatch to work properly
+name: Repolinter Action
+
+# NOTE: This workflow will ONLY check the default branch!
+# Currently there is no elegant way to specify the default
+# branch in the event filtering, so branches are instead
+# filtered in the "Test Default Branch" step.
+on: [push, workflow_dispatch]
+
+jobs:
+  repolint:
+    name: Run Repolinter
+    runs-on: ubuntu-latest
+    steps:
+      - name: Test Default Branch
+        id: default-branch
+        uses: actions/github-script@60a0d83039c74a4aee543508d2ffcb1c3799cdea # tag v7.0.1
+        with:
+          script: |
+            const data = await github.rest.repos.get(context.repo)
+            return data.data && data.data.default_branch === context.ref.split('/').slice(-1)[0]
+      - name: Checkout Self
+        if: ${{ steps.default-branch.outputs.result == 'true' }}
+        uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag v4.1.2
+      - name: Run Repolinter
+        if: ${{ steps.default-branch.outputs.result == 'true' }}
+        uses: newrelic/repolinter-action@3f4448f855c351e9695b24524a4111c7847b84cb # tag v1.7.0
+        with:
+          config_url: https://raw.githubusercontent.com/newrelic/.github/main/repolinter-rulesets/community-project.yml
+          output_type: issue

data/.github/workflows/rubocop.yml

@@ -0,0 +1,17 @@
+name: PR Rubocop
+on:
+  pull_request:
+  workflow_dispatch:
+
+jobs:
+  run_rubocop:
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Configure git
+        run: 'git config --global init.defaultBranch main'
+      - uses: actions/checkout@9bb56186c3b09b4f86b1c65136769dd318469633 # tag v4.1.2
+      - uses: ruby/setup-ruby@cacc9f1c0b3f4eb8a16a6bb0ed10897b43b9de49 # tag v1.176.0
+        with:
+          ruby-version: '3.3'
+      - run: bundle
+      - run: rubocop

data/.github/workflows/scripts/rubygems-authenticate.py

@@ -0,0 +1,13 @@
+import os
+
+import argparse
+import onetimepass
+
+if __name__ == '__main__':
+
+    parser = argparse.ArgumentParser(
+        description='Generate a one-time password from a key'
+    )
+    parser.add_argument('env_var', type=str, help='The name of the environment variable from which to load the MFA key from the service')
+    args = parser.parse_args()
+    print(onetimepass.get_totp(os.getenv(args.env_var)))

data/.github/workflows/scripts/rubygems-publish.rb

@@ -0,0 +1,33 @@
+# frozen_string_literal: true
+gem_name = ARGV[0]
+raise "gem name sans version must be supplied" if gem_name.to_s == ""
+
+api_key = ENV["GEM_HOST_API_KEY"]
+raise "GEM_HOST_API_KEY must be set" if api_key.to_s == ""
+
+version = ENV["VERSION"]
+raise "VERSION environment must be set" if version.to_s == ""
+
+gem_filename = "#{gem_name}-#{version}.gem"
+raise "#{gem_filename} is missing!" unless File.exist?(gem_filename)
+
+otp = ENV["RUBYGEMS_OTP"]
+raise "RUBYGEMS_OTP environment must be set" if otp.to_s == ""
+
+puts "Publishing the #{gem_filename} file..."
+cmd = "gem push --otp #{otp} #{gem_filename}"
+puts "executing: #{cmd}"
+
+result = `#{cmd}`
+if $?.to_i.zero?
+  puts "#{gem_filename} successfully pushed to rubygems.org!"
+else
+  if result.include?('Repushing of gem versions is not allowed')
+    puts "Pushing #{gem_filename} skipped because this version is already published to rubygems.org!"
+    exit 0
+  else
+    puts "#{gem_filename} failed to push to rubygems.org!"
+    puts result
+    exit 1
+  end
+end

data/.gitignore

@@ -0,0 +1,72 @@
+*.gem
+*.rbc
+/.config
+/coverage/
+/InstalledFiles
+/pkg/
+/spec/reports/
+/spec/examples.txt
+/test/tmp/
+/test/version_tmp/
+/tmp/
+**/.DS_Store
+
+# Used by dotenv library to load environment variables.
+# .env
+
+# Ignore Byebug command history file.
+.byebug_history
+
+## Specific to RubyMotion:
+.dat*
+.repl_history
+build/
+*.bridgesupport
+build-iPhoneOS/
+build-iPhoneSimulator/
+
+## Specific to RubyMotion (use of CocoaPods):
+#
+# We recommend against adding the Pods directory to your .gitignore. However
+# you should judge for yourself, the pros and cons are mentioned at:
+# https://guides.cocoapods.org/using/using-cocoapods.html#should-i-check-the-pods-directory-into-source-control
+#
+# vendor/Pods/
+
+## Documentation cache and generated files:
+/.yardoc/
+/_yardoc/
+/doc/
+/rdoc/
+
+## Environment normalization:
+/.bundle/
+/vendor/bundle
+/lib/bundler/man/
+
+# for a library or gem, you might want to ignore these files since the code is
+# intended to run in multiple environments; otherwise, check them in:
+# Gemfile.lock
+.ruby-version
+# .ruby-gemset
+
+# unless supporting rvm < 1.11.0 or doing something fancy, ignore this:
+.rvmrc
+
+# Used by RuboCop. Remote config files pulled in from inherit_from directive.
+# .rubocop-https?--*
+.vscode/settings.json
+
+# only the gemspec gets checked in, ignore machine/developer specific lock files
+Gemfile.lock
+
+# bundle the test gems on each machine
+Gemfile_test.lock
+
+# don't commit the home dir
+nr-security-home/
+
+# temp files
+test/resources/tmp.txt
+**/test.db
+**/log/

data/.rubocop.yml

@@ -0,0 +1,9 @@
+inherit_from: .rubocop_todo.yml
+
+require:
+  - rubocop-minitest
+  - rubocop-rake
+
+AllCops:
+  NewCops: enable
+  TargetRubyVersion: 2.4