pact_broker 2.53.0 → 2.57.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 146cb79312c70762f13a8a49ebd8cd52e33dc11669b5f647551624cd1bbdd8c7
-  data.tar.gz: c8d41ae4b4dd59fa6684ecce7572ed9e31d5c96bfeadbc078d8e0eb8c2e5e4dc
+  metadata.gz: 1de4cab3f4fb99ade4806255fb8e1ea1745429fdac8302154d092c99c36c7d76
+  data.tar.gz: 910569291d130d66d73b3a557a983ba4563a70ae7d3c581ad9ebc770958ea56e
 SHA512:
-  metadata.gz: b3d9ad57dc60c6cb6c8c4edead5b7cd10b69de4d63d4b5e355bf5cf5d0edf8f410a69601ef4a002d645c968e0b446dddc6b8a0b63ddb10aa9a51b3cc2331a398
-  data.tar.gz: 50c7b30d1994654117c68db4b47ef9afd6d734691da60723c27ce717ca4313facaffa1cde5c43d388c82fcf3a3a47d08813cbc942aefd7168c4125f832cff4e9
+  metadata.gz: 2df74e9cbdfa705a1221f4422fb9dc18e33106b25a68b9b2013f649e8d35ad015b344251d2aacd7e9b22d73d50435eb3cdc2e773843de0b49792859e5daa83c6
+  data.tar.gz: 2f5255f3ba8292bd2df960db95c40b86196872c49f3080afb8cdb398dd96b22022bd6bd28ca73a221881322112fa9f9da6bf9d1b870dba6a59cd286bfb45fbeb

data/CHANGELOG.md

@@ -1,3 +1,81 @@
+<a name="v2.57.0"></a>
+### v2.57.0 (2020-06-16)
+
+
+#### Features
+
+* add Content Security Policy header	 ([fd2e81fb](/../../commit/fd2e81fb))
+
+
+#### Bug Fixes
+
+* upgrade Rack for vulnerability CVE-2020-8184	 ([99b78b3c](/../../commit/99b78b3c))
+* fix Home link on pact page	 ([081d1586](/../../commit/081d1586))
+* return a 422 if the URL path contains a new line or tab	 ([db9f7f4d](/../../commit/db9f7f4d))
+
+
+<a name="v2.56.1"></a>
+### v2.56.1 (2020-06-01)
+
+
+#### Bug Fixes
+
+* **matrix ui**
+  * fix home link	 ([67065b7d](/../../commit/67065b7d))
+
+
+<a name="v2.56.0"></a>
+### v2.56.0 (2020-06-01)
+
+
+#### Features
+
+* **database**
+  * log schema versions and migration info on startup	 ([b385e535](/../../commit/b385e535))
+  * allow options to be passed to Sequel migrate via the MigrationTask	 ([143613e7](/../../commit/143613e7))
+
+* allow Pactflow messages in logs to be hidden by setting PACT_BROKER_HIDE_PACTFLOW_MESSAGES=true	 ([a7550105](/../../commit/a7550105))
+
+* **can-i-deploy**
+  * experimental - add a warning message if there are interactions missing verification test results.	 ([f7ab8cc5](/../../commit/f7ab8cc5))
+
+
+#### Bug Fixes
+
+* use relative URLs when base_url not explictly set to ensure app is not vulnerable to host header attacks	 ([92c45a0a](/../../commit/92c45a0a))
+* raise PactBroker::Error when either pacticipant is not found in the business layer while attempting to delete an integration	 ([3c209a46](/../../commit/3c209a46))
+
+
+<a name="v2.55.0"></a>
+### v2.55.0 (2020-05-22)
+
+
+#### Features
+
+* support non root context (#344)	 ([dc480499](/../../commit/dc480499))
+
+
+<a name="v2.54.0"></a>
+### v2.54.0 (2020-05-13)
+
+
+#### Features
+
+* **hal browser**
+  * update to latest code	 ([a79ad290](/../../commit/a79ad290))
+
+
+#### Bug Fixes
+
+* update rack for CVE-2020-8161	 ([96c3386a](/../../commit/96c3386a))
+
+* **hal browser**
+  * fix xss vulnerability	 ([ac564412](/../../commit/ac564412))
+
+* **webhooks**
+  * add missing validation for event names when creating webhooks	 ([5fc0563c](/../../commit/5fc0563c))
+
+
 <a name="v2.53.0"></a>
 ### v2.53.0 (2020-05-12)
 

data/lib/pact_broker/api/contracts/webhook_contract.rb

@@ -2,6 +2,7 @@ require 'pact_broker/api/contracts/base_contract'
 require 'pact_broker/webhooks/check_host_whitelist'
 require 'pact_broker/webhooks/render'
 require 'pact_broker/pacticipants/service'
+require 'pact_broker/webhooks/webhook_event'
 
 module PactBroker
   module Api
@@ -13,11 +14,13 @@ module PactBroker
           # I just cannot seem to get the validation to stop on the first error.
           # If one rule fails, they all come back failed, and it's driving me nuts.
           # Why on earth would I want that behaviour?
-          new_errors = Reform::Contract::Errors.new
-          errors.messages.each do | key, value |
-            new_errors.add(key, value.first)
+          # I cannot believe I have to do this shit.
+          @first_errors = errors
+          @first_errors.messages.keys.each do | key |
+            @first_errors.messages[key] = @first_errors.messages[key][0...1]
           end
-          @errors = new_errors
+
+          def self.errors; @first_errors end
           result
         end
 
@@ -46,7 +49,6 @@ module PactBroker
 
             required(:name).filled(:pacticipant_exists?)
           end
-
         end
 
         property :provider do
@@ -155,7 +157,7 @@ module PactBroker
           property :name
 
           validation do
-            required(:name).filled
+            required(:name).filled(included_in?: PactBroker::Webhooks::WebhookEvent::EVENT_NAMES)
           end
         end
       end

data/lib/pact_broker/api/decorators/reason_decorator.rb

@@ -22,6 +22,11 @@ module PactBroker
             "There are no missing dependencies"
           when PactBroker::Matrix::Successful
             "All required verification results are published and successful"
+          when PactBroker::Matrix::InteractionsMissingVerifications
+            descriptions = reason.interactions.collect do | interaction |
+              interaction_description(interaction)
+            end.join('; ')
+            "WARNING: Although the verification was reported as successful, the results for #{reason.consumer_selector.description} and #{reason.provider_selector.description} may be missing tests for the following interactions: #{descriptions}"
           else
             reason
           end
@@ -44,6 +49,18 @@ module PactBroker
             ""
           end
         end
+
+        # TODO move this somewhere else
+        def interaction_description(interaction)
+          if interaction['providerState'] && interaction['providerState'] != ''
+            "#{interaction['description']} given #{interaction['providerState']}"
+          elsif interaction['providerStates'] && interaction['providerStates'].is_a?(Array) && interaction['providerStates'].any?
+            provider_states = interaction['providerStates'].collect{ |ps| ps['name'] }.compact.join(', ')
+            "#{interaction['description']} given #{provider_states}"
+          else
+            interaction['description']
+          end
+        end
       end
     end
   end

data/lib/pact_broker/api/pact_broker_urls.rb

@@ -284,8 +284,8 @@ module PactBroker
         "#{base_url}/groups/#{pacticipant_name}"
       end
 
-      def hal_browser_url target_url
-        "/hal-browser/browser.html#" + target_url
+      def hal_browser_url target_url, base_url = ''
+        "#{base_url}/hal-browser/browser.html#" + target_url
       end
 
       def url_encode param

data/lib/pact_broker/api/renderers/html_pact_renderer.rb

@@ -37,18 +37,18 @@ module PactBroker
 
         def head
          "<title>#{title}</title>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/github.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/pact.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/github-json.css'>
-          <link rel='stylesheet' type='text/css' href='/css/bootstrap.min.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/material-menu.css'>
-          <link rel='stylesheet' type='text/css' href='/stylesheets/jquery-confirm.min.css'>
-          <script src='/javascripts/highlight.pack.js'></script>
-          <script src='/javascripts/jquery-3.3.1.min.js'></script>
-          <script src='/js/bootstrap.min.js'></script>
-          <script src='/javascripts/material-menu.js'></script>
-          <script src='/javascripts/pact.js'></script>
-          <script src='/javascripts/jquery-confirm.min.js'></script>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/github.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/pact.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/github-json.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/css/bootstrap.min.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/material-menu.css'>
+          <link rel='stylesheet' type='text/css' href='#{base_url}/stylesheets/jquery-confirm.min.css'>
+          <script src='#{base_url}/javascripts/highlight.pack.js'></script>
+          <script src='#{base_url}/javascripts/jquery-3.3.1.min.js'></script>
+          <script src='#{base_url}/js/bootstrap.min.js'></script>
+          <script src='#{base_url}/javascripts/material-menu.js'></script>
+          <script src='#{base_url}/javascripts/pact.js'></script>
+          <script src='#{base_url}/javascripts/jquery-confirm.min.js'></script>
           <script>hljs.initHighlightingOnLoad();</script>"
         end
 
@@ -72,7 +72,7 @@ module PactBroker
                 <a href=\"#{matrix_url}\">View Matrix</a>
               </li>
               <li>
-                <a href=\"/\">Home</a>
+                <a href=\"#{base_url}/\">Home</a>
               </li>
               <li>
                 <span data-consumer-name=\"#{@pact.consumer.name}\"
@@ -129,7 +129,7 @@ module PactBroker
         end
 
         def json_url
-          PactBroker::Api::PactBrokerUrls.hal_browser_url pact_url
+          PactBroker::Api::PactBrokerUrls.hal_browser_url pact_url, base_url
         end
 
         def pact_url

data/lib/pact_broker/api/resources/base_resource.rb

@@ -62,6 +62,11 @@ module PactBroker
           PactBroker.configuration.base_url || request.base_uri.to_s.chomp('/')
         end
 
+        # See comments for base_url in lib/pact_broker/doc/controllers/app.rb
+        def ui_base_url
+          PactBroker.configuration.base_url || ''
+        end
+
         def charsets_provided
           [['utf-8', :encode]]
         end

data/lib/pact_broker/api/resources/latest_pact.rb

@@ -36,7 +36,7 @@ module PactBroker
         def to_html
           PactBroker.configuration.html_pact_renderer.call(
             pact, {
-              base_url: base_url,
+              base_url: ui_base_url,
               badge_url: "#{resource_url}/badge.svg"
           })
         end

data/lib/pact_broker/api/resources/pact.rb

@@ -77,8 +77,8 @@ module PactBroker
         def to_html
           PactBroker.configuration.html_pact_renderer.call(
             pact, {
-              base_url: base_url,
-              badge_url: badge_url_for_latest_pact(pact, base_url)
+              base_url: ui_base_url,
+              badge_url: badge_url_for_latest_pact(pact, ui_base_url)
           })
         end
 
@@ -100,7 +100,7 @@ module PactBroker
 
         def set_post_deletion_response
           latest_pact = pact_service.find_latest_pact(pact_params)
-          response_body = { "_links" => {} }
+          response_body = { "_links" => { index: { href: base_url } } }
           if latest_pact
             response_body["_links"]["pb:latest-pact-version"] = {
               href: latest_pact_url(base_url, latest_pact),

data/lib/pact_broker/app.rb

@@ -15,12 +15,14 @@ require 'rack/pact_broker/no_auth'
 require 'rack/pact_broker/convert_404_to_hal'
 require 'rack/pact_broker/reset_thread_data'
 require 'rack/pact_broker/add_vary_header'
+require 'rack/pact_broker/use_when'
 require 'sucker_punch'
 
 module PactBroker
 
   class App
     include PactBroker::Logging
+    using Rack::PactBroker::UseWhen
 
     attr_accessor :configuration
 
@@ -81,11 +83,18 @@ module PactBroker
     end
 
     def prepare_database
+      logger.info "Database schema version is #{PactBroker::DB.version(configuration.database_connection)}"
       if configuration.auto_migrate_db
-        logger.info "Migrating database"
-        PactBroker::DB.run_migrations configuration.database_connection, allow_missing_migration_files: configuration.allow_missing_migration_files
+        migration_options = { allow_missing_migration_files: configuration.allow_missing_migration_files }
+        if PactBroker::DB.is_current?(configuration.database_connection, migration_options)
+          logger.info "Skipping database migrations as the latest migration has already been applied"
+        else
+          logger.info "Migrating database schema"
+          PactBroker::DB.run_migrations configuration.database_connection, migration_options
+          logger.info "Database schema version is now #{PactBroker::DB.version(configuration.database_connection)}"
+        end
       else
-        logger.info "Skipping database migrations"
+        logger.info "Skipping database schema migrations as database auto migrate is disabled"
       end
 
       if configuration.auto_migrate_db_data
@@ -155,6 +164,15 @@ module PactBroker
       # NOTE THAT NONE OF THIS IS PROTECTED BY AUTH - is that ok?
       if configuration.use_rack_protection
         @app_builder.use Rack::Protection, except: [:path_traversal, :remote_token, :session_hijacking, :http_origin]
+
+        is_hal_browser = ->(env) { env['PATH_INFO'] == '/hal-browser/browser.html' }
+        not_hal_browser = ->(env) { env['PATH_INFO'] != '/hal-browser/browser.html' }
+
+        @app_builder.use_when not_hal_browser,
+          Rack::Protection::ContentSecurityPolicy, configuration.content_security_policy
+        @app_builder.use_when is_hal_browser,
+          Rack::Protection::ContentSecurityPolicy,
+          configuration.content_security_policy.merge(configuration.hal_browser_content_security_policy_overrides)
       end
       @app_builder.use Rack::PactBroker::InvalidUriProtection
       @app_builder.use Rack::PactBroker::ResetThreadData
@@ -232,7 +250,9 @@ module PactBroker
     end
 
     def print_startup_message
-      logger.info "\n\n#{'*' * 80}\n\nWant someone to manage your Pact Broker for you? Check out https://pactflow.io/oss for a hardened, fully supported SaaS version of the Pact Broker with an improved UI + more.\n\n#{'*' * 80}\n"
+      if ENV['PACT_BROKER_HIDE_PACTFLOW_MESSAGES'] != 'true'
+        logger.info "\n\n#{'*' * 80}\n\nWant someone to manage your Pact Broker for you? Check out https://pactflow.io/oss for a hardened, fully supported SaaS version of the Pact Broker with an improved UI + more.\n\n#{'*' * 80}\n"
+      end
     end
   end
 end

data/lib/pact_broker/configuration.rb

@@ -43,6 +43,7 @@ module PactBroker
     attr_accessor :semver_formats
     attr_accessor :enable_public_badge_access, :shields_io_base_url, :badge_provider_mode
     attr_accessor :disable_ssl_verification
+    attr_accessor :content_security_policy, :hal_browser_content_security_policy_overrides
     attr_accessor :base_equality_only_on_content_that_affects_verification_results
     attr_reader :api_error_reporters
     attr_reader :custom_logger
@@ -90,6 +91,20 @@ module PactBroker
       config.webhook_http_method_whitelist = ['POST']
       config.webhook_scheme_whitelist = ['https']
       config.webhook_host_whitelist = []
+      # TODO get rid of unsafe-inline
+      config.content_security_policy = {
+        script_src: "'self' 'unsafe-inline'",
+        style_src: "'self' 'unsafe-inline'",
+        img_src: "'self' data:",
+        font_src: "'self' data:",
+        base_uri: "'self'",
+        frame_src: "'self'",
+        frame_ancestors: "'self'"
+      }
+      config.hal_browser_content_security_policy_overrides = {
+        script_src: "'self' 'unsafe-inline' 'unsafe-eval'",
+        frame_ancestors: "'self'"
+      }
       config
     end
 

data/lib/pact_broker/db.rb

@@ -2,12 +2,12 @@ require 'sequel'
 require 'pact_broker/db/validate_encoding'
 require 'pact_broker/db/migrate'
 require 'pact_broker/db/migrate_data'
+require 'pact_broker/db/version'
 
 Sequel.datetime_class = DateTime
 
 module PactBroker
   module DB
-
     MIGRATIONS_DIR = File.expand_path("../../../db/migrations", __FILE__)
 
     def self.connection= connection
@@ -27,6 +27,14 @@ module PactBroker
       PactBroker::DB::MigrateData.(database_connection)
     end
 
+    def self.is_current? database_connection, options = {}
+      Sequel::TimestampMigrator.is_current?(database_connection, PactBroker::DB::MIGRATIONS_DIR, options)
+    end
+
+    def self.version database_connection
+      PactBroker::DB::Version.call(database_connection)
+    end
+
     def self.validate_connection_config
       PactBroker::DB::ValidateEncoding.(connection)
     end

data/lib/pact_broker/doc/controllers/app.rb

@@ -33,7 +33,7 @@ module PactBroker
         get ":rel_name" do
           rel_name = params[:rel_name]
           context = params[:context]
-          view_params = {:layout_engine => :haml, layout: :'layouts/main'}
+          view_params = {:layout_engine => :haml, layout: :'layouts/main', locals: { base_url: base_url }}
           if resource_exists? rel_name, context
             markdown view_name_for(rel_name, context).to_sym, view_params, {}
           elsif resource_exists? rel_name
@@ -42,6 +42,16 @@ module PactBroker
             markdown :not_found, view_params, {}
           end
         end
+
+        private
+
+        def base_url
+          # Using the X-Forwarded headers in the UI can leave the app vulnerable
+          # https://www.acunetix.com/blog/articles/automated-detection-of-host-header-attacks/
+          # Either use the explicitly configured base url or an empty string,
+          # rather than request.base_url, which uses the X-Forwarded headers.
+          PactBroker.configuration.base_url || ''
+        end
       end
     end
   end

data/lib/pact_broker/doc/views/layouts/main.haml

@@ -1,5 +1,5 @@
 %html
   %head
-    %link{rel: 'stylesheet', href: '/css/bootstrap.min.css'}
+    %link{rel: 'stylesheet', href: "#{base_url}/css/bootstrap.min.css"}
   %body{style: 'margin:20px'}
     = yield

data/lib/pact_broker/domain/verification.rb

@@ -2,6 +2,7 @@ require 'json'
 require 'sequel'
 require 'pact_broker/repositories/helpers'
 require 'pact_broker/tags/tag_with_latest_flag'
+require 'pact_broker/pacts/content'
 
 
 module PactBroker
@@ -83,6 +84,18 @@ module PactBroker
       def latest_pact_publication
         pact_version.latest_pact_publication
       end
+
+      def interactions_missing_test_results
+        @interactions_missing_test_results ||= pact_content_with_test_results.interactions_missing_test_results
+      end
+
+      def all_interactions_missing_test_results?
+        pact_content_with_test_results.interactions.count == pact_content_with_test_results.interactions_missing_test_results.count
+      end
+
+      def pact_content_with_test_results
+        @pact_content_with_test_results = PactBroker::Pacts::Content.from_json(pact_version.content).with_test_results(test_results)
+      end
     end
 
     Verification.plugin :timestamps