r10k 3.9.1 → 3.11.0

data/r10k.gemspec

@@ -36,6 +36,8 @@ Gem::Specification.new do |s|
   s.add_dependency 'fast_gettext', '~> 1.1.0'
   s.add_dependency 'gettext', ['>= 3.0.2', '< 3.3.0']
 
+  s.add_dependency 'jwt', '~> 2.2.3'
+
   s.add_development_dependency 'rspec', '~> 3.1'
 
   s.add_development_dependency 'rake'

data/spec/fixtures/unit/action/r10k_forge_auth.yaml

@@ -0,0 +1,4 @@
+---
+forge:
+  baseurl: 'http://private-forge.com'
+  authorization_token: 'faketoken'

data/spec/fixtures/unit/action/r10k_forge_auth_no_url.yaml

@@ -0,0 +1,3 @@
+---
+forge:
+  authorization_token: 'faketoken'

data/spec/unit/action/deploy/environment_spec.rb

@@ -47,6 +47,22 @@ describe R10K::Action::Deploy::Environment do
       described_class.new({ 'oauth-token': '/nonexistent' }, [], {})
     end
 
+    it 'can accept an app id option' do
+      described_class.new({ 'github-app-id': '/nonexistent' }, [], {})
+    end
+
+    it 'can accept a ttl option' do
+      described_class.new({ 'github-app-ttl': '/nonexistent' }, [], {})
+    end
+
+    it 'can accept a ssl private key option' do
+      described_class.new({ 'github-app-key': '/nonexistent' }, [], {})
+    end
+
+    it 'can accept a exclude-spec option' do
+      described_class.new({ :'exclude-spec' => true }, [], {})
+    end
+
     describe "initializing errors" do
       let (:settings) { { deploy: { purge_levels: [:environment],
                                     purge_whitelist: ['coolfile', 'coolfile2'],
@@ -265,6 +281,15 @@ describe R10K::Action::Deploy::Environment do
       describe "deployment purge level" do
         let(:purge_levels) { [:deployment] }
 
+
+        it "updates the source's cache before it purges environments" do
+          deployment.sources.each do |source|
+            expect(source).to receive(:reload!).ordered
+          end
+          expect(deployment).to receive(:purge!).ordered
+          subject.call
+        end
+
         it "only logs about purging deployment" do
           expect(subject).to receive(:visit_environment).and_wrap_original do |original, env, &block|
             expect(env.logger).to_not receive(:debug).with(/purging unmanaged puppetfile content/i)

data/spec/unit/action/deploy/module_spec.rb

@@ -41,6 +41,22 @@ describe R10K::Action::Deploy::Module do
     it 'can accept a token option' do
       described_class.new({ 'oauth-token': '/nonexistent' }, [], {})
     end
+
+    it 'can accept an app id option' do
+      described_class.new({ 'github-app-id': '/nonexistent' }, [], {})
+    end
+
+    it 'can accept a ttl option' do
+      described_class.new({ 'github-app-ttl': '/nonexistent' }, [], {})
+    end
+
+    it 'can accept a ssl private key option' do
+      described_class.new({ 'github-app-key': '/nonexistent' }, [], {})
+    end
+
+    it 'can accept a exclude-spec option' do
+      described_class.new({ :'exclude-spec' => true }, [], {})
+    end
   end
 
   describe "with no-force" do
@@ -177,12 +193,39 @@ describe R10K::Action::Deploy::Module do
     end
   end
 
+  describe 'with github-app-id' do
+
+    subject { described_class.new({ config: '/some/nonexistent/path', 'github-app-id': '/nonexistent' }, [], {}) }
+
+    it 'sets github-app-id' do
+      expect(subject.instance_variable_get(:@github_app_id)).to eq('/nonexistent')
+    end
+  end
+
+  describe 'with github-app-key' do
+
+    subject { described_class.new({ config: '/some/nonexistent/path', 'github-app-key': '/nonexistent' }, [], {}) }
+
+    it 'sets github-app-key' do
+      expect(subject.instance_variable_get(:@github_app_key)).to eq('/nonexistent')
+    end
+  end
+
+  describe 'with github-app-ttl' do
+
+    subject { described_class.new({ config: '/some/nonexistent/path', 'github-app-ttl': '/nonexistent' }, [], {}) }
+
+    it 'sets github-app-ttl' do
+      expect(subject.instance_variable_get(:@github_app_ttl)).to eq('/nonexistent')
+    end
+  end
+
   describe 'with modules' do
 
     subject { described_class.new({ config: '/some/nonexistent/path' }, ['mod1', 'mod2'], {}) }
 
     let(:cache) { instance_double("R10K::Git::Cache", 'sanitized_dirname' => 'foo', 'cached?' => true, 'sync' => true) }
-    let(:repo) { instance_double("R10K::Git::StatefulRepository", cache: cache, resolve: 'main') }
+    let(:repo) { instance_double("R10K::Git::StatefulRepository", cache: cache, resolve: 'main', tracked_paths: []) }
 
     it 'does not sync modules not given' do
       allow(R10K::Deployment).to receive(:new).and_wrap_original do |original, settings, &block|
@@ -202,14 +245,26 @@ describe R10K::Action::Deploy::Module do
       allow_any_instance_of(R10K::Source::Git).to receive(:branch_names).and_return([R10K::Environment::Name.new('first', {})])
 
       expect(subject).to receive(:visit_environment).and_wrap_original do |original, environment, &block|
-        pf = environment.puppetfile
-        expect(pf).to receive(:load) do
-          pf.add_module('mod1', { git: 'git://remote' })
-          pf.add_module('mod2', { git: 'git://remote' })
-          pf.add_module('mod3', { git: 'git://remote' })
+        # For this test we want to have realistic Modules and access to
+        # their internal Repos to validate the sync. Unfortunately, to
+        # do so we do some invasive mocking, effectively implementing
+        # our own R10K::Puppetfile#load. We directly update the Puppetfile's
+        # internal ModuleLoader and then call `load` on it so it will create
+        # the correct loaded_content.
+        puppetfile = environment.puppetfile
+        loader = puppetfile.loader
+        expect(puppetfile).to receive(:load) do
+          loader.add_module('mod1', { git: 'git://remote' })
+          loader.add_module('mod2', { git: 'git://remote' })
+          loader.add_module('mod3', { git: 'git://remote' })
+
+          allow(loader).to receive(:puppetfile_content).and_return('')
+          loaded_content = loader.load
+          puppetfile.instance_variable_set(:@loaded_content, loaded_content)
+          puppetfile.instance_variable_set(:@loaded, true)
         end
 
-        pf.modules.each do |mod|
+        puppetfile.modules.each do |mod|
           if ['mod1', 'mod2'].include?(mod.name)
             expect(mod.should_sync?).to be(true)
           else
@@ -231,7 +286,7 @@ describe R10K::Action::Deploy::Module do
     subject { described_class.new({ config: '/some/nonexistent/path', environment: 'first' }, ['mod1'], {}) }
 
     let(:cache) { instance_double("R10K::Git::Cache", 'sanitized_dirname' => 'foo', 'cached?' => true, 'sync' => true) }
-    let(:repo) { instance_double("R10K::Git::StatefulRepository", cache: cache, resolve: 'main') }
+    let(:repo) { instance_double("R10K::Git::StatefulRepository", cache: cache, resolve: 'main', tracked_paths: []) }
 
     it 'only syncs to the given environments' do
       allow(R10K::Deployment).to receive(:new).and_wrap_original do |original, settings, &block|
@@ -252,15 +307,27 @@ describe R10K::Action::Deploy::Module do
                                                                                      R10K::Environment::Name.new('second', {})])
 
       expect(subject).to receive(:visit_environment).and_wrap_original do |original, environment, &block|
-        pf = environment.puppetfile
+        puppetfile = environment.puppetfile
 
         if environment.name == 'first'
-          expect(pf).to receive(:load) do
-            pf.add_module('mod1', { git: 'git://remote' })
-            pf.add_module('mod2', { git: 'git://remote' })
+          # For this test we want to have realistic Modules and access to
+          # their internal Repos to validate the sync. Unfortunately, to
+          # do so we do some invasive mocking, effectively implementing
+          # our own R10K::Puppetfile#load. We directly update the Puppetfile's
+          # internal ModuleLoader and then call `load` on it so it will create
+          # the correct loaded_content.
+          loader = puppetfile.loader
+          expect(puppetfile).to receive(:load) do
+            loader.add_module('mod1', { git: 'git://remote' })
+            loader.add_module('mod2', { git: 'git://remote' })
+
+            allow(loader).to receive(:puppetfile_content).and_return('')
+            loaded_content = loader.load
+            puppetfile.instance_variable_set(:@loaded_content, loaded_content)
+            puppetfile.instance_variable_set(:@loaded, true)
           end
 
-          pf.modules.each do |mod|
+          puppetfile.modules.each do |mod|
             if mod.name == 'mod1'
               expect(mod.should_sync?).to be(true)
             else
@@ -269,7 +336,7 @@ describe R10K::Action::Deploy::Module do
             expect(mod).to receive(:sync).and_call_original
           end
         else
-          expect(pf).not_to receive(:load)
+          expect(puppetfile).not_to receive(:load)
         end
 
         original.call(environment, &block)
@@ -282,5 +349,140 @@ describe R10K::Action::Deploy::Module do
       subject.call
     end
   end
+
+
+  describe "postrun" do
+    let(:mock_config) do
+      R10K::Deployment::MockConfig.new(
+        :sources => {
+          :control => {
+            :type => :mock,
+            :basedir => '/some/nonexistent/path/control',
+            :environments => %w[first second third],
+          }
+        }
+      )
+    end
+
+    context "basic postrun hook" do
+      let(:settings) { { postrun: ["/path/to/executable", "arg1", "arg2"] } }
+      let(:deployment) { R10K::Deployment.new(mock_config.merge(settings)) }
+
+      before do
+        expect(R10K::Deployment).to receive(:new).and_return(deployment)
+      end
+
+      subject do
+        described_class.new({config: "/some/nonexistent/path" },
+                            ['mod1'], settings)
+      end
+
+      it "is passed to Subprocess" do
+        mock_subprocess = double
+        allow(mock_subprocess).to receive(:logger=)
+        expect(mock_subprocess).to receive(:execute)
+
+        expect(R10K::Util::Subprocess).to receive(:new).
+          with(["/path/to/executable", "arg1", "arg2"]).
+          and_return(mock_subprocess)
+
+        expect(subject).to receive(:visit_environment).and_wrap_original do |original, environment, &block|
+          modified = subject.instance_variable_get(:@modified_envs) << environment
+          subject.instance_variable_set(:modified_envs, modified)
+        end.exactly(3).times
+
+        subject.call
+      end
+    end
+
+    context "supports environments" do
+      context "with one environment" do
+        let(:settings) { { postrun: ["/generate/types/wrapper", "$modifiedenvs"] } }
+        let(:deployment) { R10K::Deployment.new(mock_config.merge(settings)) }
+
+        before do
+          expect(R10K::Deployment).to receive(:new).and_return(deployment)
+        end
+
+        subject do
+          described_class.new({ config: '/some/nonexistent/path',
+                                environment: 'first' },
+                               ['mod1'], settings)
+        end
+
+        it "properly substitutes the environment" do
+          mock_subprocess = double
+          allow(mock_subprocess).to receive(:logger=)
+          expect(mock_subprocess).to receive(:execute)
+
+          mock_mod = double('mock_mod', name: 'mod1')
+
+          expect(R10K::Util::Subprocess).to receive(:new).
+            with(["/generate/types/wrapper", "first"]).
+            and_return(mock_subprocess)
+
+          expect(subject).to receive(:visit_environment).and_wrap_original do |original, environment, &block|
+            if environment.name == 'first'
+              expect(environment).to receive(:deploy).and_return(true)
+              expect(environment).to receive(:modules).and_return([mock_mod])
+            end
+            original.call(environment, &block)
+          end.exactly(3).times
+
+          subject.call
+        end
+      end
+
+      context "with all environments" do
+        let(:settings) { { postrun: ["/generate/types/wrapper", "$modifiedenvs"] } }
+        let(:deployment) { R10K::Deployment.new(mock_config.merge(settings)) }
+
+        before do
+          expect(R10K::Deployment).to receive(:new).and_return(deployment)
+        end
+
+        subject do
+          described_class.new({ config: '/some/nonexistent/path' },
+                               ['mod1'], settings)
+        end
+
+        it "properly substitutes the environment where modules were deployed" do
+          mock_subprocess = double
+          allow(mock_subprocess).to receive(:logger=)
+          expect(mock_subprocess).to receive(:execute)
+
+          expect(R10K::Util::Subprocess).to receive(:new).
+            with(["/generate/types/wrapper", "first third"]).
+            and_return(mock_subprocess)
+
+          mock_mod = double('mock_mod', name: 'mod1')
+
+          expect(subject).to receive(:visit_environment).and_wrap_original do |original, environment, &block|
+            expect(environment).to receive(:deploy).and_return(true)
+            if ['first', 'third'].include?(environment.name)
+              expect(environment).to receive(:modules).and_return([mock_mod])
+            end
+            original.call(environment, &block)
+          end.exactly(3).times
+
+          subject.call
+        end
+
+        it "does not execute the command if no envs had the module" do
+          expect(R10K::Util::Subprocess).not_to receive(:new)
+
+          mock_mod2 = double('mock_mod', name: 'mod2')
+          expect(subject).to receive(:visit_environment).and_wrap_original do |original, environment, &block|
+            expect(environment).to receive(:deploy).and_return(true)
+            # Envs have a different module than the one we asked to deploy
+            expect(environment).to receive(:modules).and_return([mock_mod2])
+            original.call(environment, &block)
+          end.exactly(3).times
+
+          subject.call
+        end
+      end
+    end
+  end
 end
 

data/spec/unit/action/runner_spec.rb

@@ -171,6 +171,86 @@ describe R10K::Action::Runner do
     end
   end
 
+  describe "configuring github app credentials" do
+    it 'errors if app id is passed without ssl key' do
+      runner = described_class.new(
+        { 'github-app-id': '/nonexistent', },
+        %w[args yes],
+        action_class
+      )
+      expect{ runner.call }.to raise_error(R10K::Error, /Must specify both id and SSL private key/)
+    end
+
+    it 'errors if ssl key is passed without app id' do
+      runner = described_class.new(
+        { 'github-app-key': '/nonexistent', },
+        %w[args yes],
+        action_class
+      )
+      expect{ runner.call }.to raise_error(R10K::Error, /Must specify both id and SSL private key/)
+    end
+
+    it 'errors if both app id and token paths are passed' do
+      runner = described_class.new(
+        { 'github-app-id': '/nonexistent', 'oauth-token': '/also/fake' },
+        %w[args yes],
+        action_class
+      )
+      expect{ runner.call }.to raise_error(R10K::Error, /Cannot specify both/)
+    end
+
+    it 'errors if both ssl key and token paths are passed' do
+      runner = described_class.new(
+        { 'github-app-key': '/nonexistent', 'oauth-token': '/also/fake' },
+        %w[args yes],
+        action_class
+      )
+      expect{ runner.call }.to raise_error(R10K::Error, /Cannot specify both/)
+    end
+
+    it 'errors if both ssl key and ssh key paths are passed' do
+      runner = described_class.new(
+        { 'github-app-key': '/nonexistent', 'private-key': '/also/fake' },
+        %w[args yes],
+        action_class
+      )
+      expect{ runner.call }.to raise_error(R10K::Error, /Cannot specify both/)
+    end
+
+    it 'errors if both app id and ssh key are passed' do
+      runner = described_class.new(
+        { 'github-app-id': '/nonexistent', 'private-key': '/also/fake' },
+        %w[args yes],
+        action_class
+      )
+      expect{ runner.call }.to raise_error(R10K::Error, /Cannot specify both/)
+    end
+
+    it 'saves the parameters in settings hash' do
+      runner = described_class.new(
+        { 'github-app-id': '123456', 'github-app-key': '/my/ssl/key', 'github-app-ttl': '600' },
+        %w[args yes],
+        action_class
+      )
+      runner.call
+      expect(runner.instance.settings[:git][:github_app_id]).to eq('123456')
+      expect(runner.instance.settings[:git][:github_app_key]).to eq('/my/ssl/key')
+      expect(runner.instance.settings[:git][:github_app_ttl]).to eq('600')
+    end
+
+    it 'saves the parameters in settings hash without ttl and uses its default value' do
+      runner = described_class.new(
+        { 'github-app-id': '123456', 'github-app-key': '/my/ssl/key', },
+        %w[args yes],
+        action_class
+      )
+      runner.call
+      expect(runner.instance.settings[:git][:github_app_id]).to eq('123456')
+      expect(runner.instance.settings[:git][:github_app_key]).to eq('/my/ssl/key')
+      expect(runner.instance.settings[:git][:github_app_ttl]).to eq('120')
+    end
+  end
+
   describe "configuring git credentials" do
     it 'errors if both token and key paths are passed' do
       runner = described_class.new({ 'oauth-token': '/nonexistent',
@@ -218,42 +298,66 @@ describe R10K::Action::Runner do
   end
 
   describe "configuration authorization" do
-    context "when license is not present" do
-      before(:each) do
-        expect(R10K::Util::License).to receive(:load).and_return(nil)
+    context "settings auth" do
+      it "sets the configured token as the forge authorization header" do
+        options = { config: "spec/fixtures/unit/action/r10k_forge_auth.yaml" }
+        runner = described_class.new(options, %w[args yes], action_class)
+
+        expect(PuppetForge).to receive(:host=).with('http://private-forge.com')
+        expect(PuppetForge::Connection).to receive(:authorization=).with('faketoken')
+        expect(PuppetForge::Connection).to receive(:authorization).and_return('faketoken')
+        expect(R10K::Util::License).not_to receive(:load)
+        runner.setup_settings
+        runner.setup_authorization
       end
 
-      it "does not set authorization header on connection class" do
-        expect(PuppetForge::Connection).not_to receive(:authorization=)
-        runner.setup_authorization
+      it 'errors if no custom forge URL is set' do
+        options = { config: "spec/fixtures/unit/action/r10k_forge_auth_no_url.yaml" }
+        runner = described_class.new(options, %w[args yes], action_class)
+        expect(PuppetForge::Connection).not_to receive(:authorization=).with('faketoken')
+
+        expect { runner.setup_settings }.to raise_error(R10K::Error, /Cannot specify a Forge auth/)
       end
     end
 
-    context "when license is present but invalid" do
-      before(:each) do
-        expect(R10K::Util::License).to receive(:load).and_raise(R10K::Error.new('invalid license'))
-      end
+    context "license auth" do
+      context "when license is not present" do
+        before(:each) do
+          expect(R10K::Util::License).to receive(:load).and_return(nil)
+        end
 
-      it "issues warning to logger" do
-        expect(runner.logger).to receive(:warn).with(/invalid license/)
-        runner.setup_authorization
+        it "does not set authorization header on connection class" do
+          expect(PuppetForge::Connection).not_to receive(:authorization=)
+          runner.setup_authorization
+        end
       end
 
-      it "does not set authorization header on connection class" do
-        expect(PuppetForge::Connection).not_to receive(:authorization=)
-        runner.setup_authorization
-      end
-    end
+      context "when license is present but invalid" do
+        before(:each) do
+          expect(R10K::Util::License).to receive(:load).and_raise(R10K::Error.new('invalid license'))
+        end
+
+        it "issues warning to logger" do
+          expect(runner.logger).to receive(:warn).with(/invalid license/)
+          runner.setup_authorization
+        end
 
-    context "when license is present and valid" do
-      before(:each) do
-        mock_license = double('pe-license', :authorization_token => 'test token')
-        expect(R10K::Util::License).to receive(:load).and_return(mock_license)
+        it "does not set authorization header on connection class" do
+          expect(PuppetForge::Connection).not_to receive(:authorization=)
+          runner.setup_authorization
+        end
       end
 
-      it "sets authorization header on connection class" do
-        expect(PuppetForge::Connection).to receive(:authorization=).with('test token')
-        runner.setup_authorization
+      context "when license is present and valid" do
+        before(:each) do
+          mock_license = double('pe-license', :authorization_token => 'test token')
+          expect(R10K::Util::License).to receive(:load).and_return(mock_license)
+        end
+
+        it "sets authorization header on connection class" do
+          expect(PuppetForge::Connection).to receive(:authorization=).with('test token')
+          runner.setup_authorization
+        end
       end
     end
   end