roo_on_rails 1.1.0 → 1.2.0

data/gemfiles/rails_5.gemfile.lock

@@ -0,0 +1,205 @@
+PATH
+  remote: ../
+  specs:
+    roo_on_rails (1.1.0)
+      dotenv-rails (~> 2.1)
+      hashie (~> 3.4)
+      newrelic_rpm (~> 3.17)
+      platform-api (~> 0.8)
+      rack-ssl-enforcer
+      rack-timeout
+      rails (>= 3.2.22, < 5.1)
+
+GEM
+  remote: https://rubygems.org/
+  specs:
+    actioncable (5.0.1)
+      actionpack (= 5.0.1)
+      nio4r (~> 1.2)
+      websocket-driver (~> 0.6.1)
+    actionmailer (5.0.1)
+      actionpack (= 5.0.1)
+      actionview (= 5.0.1)
+      activejob (= 5.0.1)
+      mail (~> 2.5, >= 2.5.4)
+      rails-dom-testing (~> 2.0)
+    actionpack (5.0.1)
+      actionview (= 5.0.1)
+      activesupport (= 5.0.1)
+      rack (~> 2.0)
+      rack-test (~> 0.6.3)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    actionview (5.0.1)
+      activesupport (= 5.0.1)
+      builder (~> 3.1)
+      erubis (~> 2.7.0)
+      rails-dom-testing (~> 2.0)
+      rails-html-sanitizer (~> 1.0, >= 1.0.2)
+    activejob (5.0.1)
+      activesupport (= 5.0.1)
+      globalid (>= 0.3.6)
+    activemodel (5.0.1)
+      activesupport (= 5.0.1)
+    activerecord (5.0.1)
+      activemodel (= 5.0.1)
+      activesupport (= 5.0.1)
+      arel (~> 7.0)
+    activesupport (5.0.1)
+      concurrent-ruby (~> 1.0, >= 1.0.2)
+      i18n (~> 0.7)
+      minitest (~> 5.1)
+      tzinfo (~> 1.1)
+    appraisal (2.1.0)
+      bundler
+      rake
+      thor (>= 0.14.0)
+    arel (7.1.4)
+    builder (3.2.3)
+    byebug (9.0.6)
+    coderay (1.1.1)
+    concurrent-ruby (1.0.5)
+    diff-lcs (1.3)
+    dotenv (2.2.0)
+    dotenv-rails (2.2.0)
+      dotenv (= 2.2.0)
+      railties (>= 3.2, < 5.1)
+    erubis (2.7.0)
+    excon (0.55.0)
+    ffi (1.9.17)
+    formatador (0.2.5)
+    globalid (0.3.7)
+      activesupport (>= 4.1.0)
+    guard (2.14.1)
+      formatador (>= 0.2.4)
+      listen (>= 2.7, < 4.0)
+      lumberjack (~> 1.0)
+      nenv (~> 0.1)
+      notiffany (~> 0.0)
+      pry (>= 0.9.12)
+      shellany (~> 0.0)
+      thor (>= 0.18.1)
+    guard-compat (1.2.1)
+    guard-rspec (4.7.3)
+      guard (~> 2.1)
+      guard-compat (~> 1.1)
+      rspec (>= 2.99.0, < 4.0)
+    hashie (3.5.5)
+    heroics (0.0.21)
+      erubis (~> 2.0)
+      excon
+      multi_json (>= 1.9.2)
+    i18n (0.8.1)
+    listen (3.1.5)
+      rb-fsevent (~> 0.9, >= 0.9.4)
+      rb-inotify (~> 0.9, >= 0.9.7)
+      ruby_dep (~> 1.2)
+    loofah (2.0.3)
+      nokogiri (>= 1.5.9)
+    lumberjack (1.0.11)
+    mail (2.6.4)
+      mime-types (>= 1.16, < 4)
+    method_source (0.8.2)
+    mime-types (3.1)
+      mime-types-data (~> 3.2015)
+    mime-types-data (3.2016.0521)
+    mini_portile2 (2.1.0)
+    minitest (5.10.1)
+    multi_json (1.12.1)
+    nenv (0.3.0)
+    newrelic_rpm (3.18.1.330)
+    nio4r (1.2.1)
+    nokogiri (1.7.0.1)
+      mini_portile2 (~> 2.1.0)
+    notiffany (0.1.1)
+      nenv (~> 0.1)
+      shellany (~> 0.0)
+    platform-api (0.8.0)
+      heroics (~> 0.0.17)
+    pry (0.10.4)
+      coderay (~> 1.1.0)
+      method_source (~> 0.8.1)
+      slop (~> 3.4)
+    pry-byebug (3.4.2)
+      byebug (~> 9.0)
+      pry (~> 0.10)
+    rack (2.0.1)
+    rack-ssl-enforcer (0.2.9)
+    rack-test (0.6.3)
+      rack (>= 1.0)
+    rack-timeout (0.4.2)
+    rails (5.0.1)
+      actioncable (= 5.0.1)
+      actionmailer (= 5.0.1)
+      actionpack (= 5.0.1)
+      actionview (= 5.0.1)
+      activejob (= 5.0.1)
+      activemodel (= 5.0.1)
+      activerecord (= 5.0.1)
+      activesupport (= 5.0.1)
+      bundler (>= 1.3.0, < 2.0)
+      railties (= 5.0.1)
+      sprockets-rails (>= 2.0.0)
+    rails-dom-testing (2.0.2)
+      activesupport (>= 4.2.0, < 6.0)
+      nokogiri (~> 1.6)
+    rails-html-sanitizer (1.0.3)
+      loofah (~> 2.0)
+    railties (5.0.1)
+      actionpack (= 5.0.1)
+      activesupport (= 5.0.1)
+      method_source
+      rake (>= 0.8.7)
+      thor (>= 0.18.1, < 2.0)
+    rake (10.5.0)
+    rb-fsevent (0.9.8)
+    rb-inotify (0.9.8)
+      ffi (>= 0.5.0)
+    rspec (3.5.0)
+      rspec-core (~> 3.5.0)
+      rspec-expectations (~> 3.5.0)
+      rspec-mocks (~> 3.5.0)
+    rspec-core (3.5.4)
+      rspec-support (~> 3.5.0)
+    rspec-expectations (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-mocks (3.5.0)
+      diff-lcs (>= 1.2.0, < 2.0)
+      rspec-support (~> 3.5.0)
+    rspec-support (3.5.0)
+    ruby_dep (1.5.0)
+    shellany (0.0.1)
+    slop (3.6.0)
+    sprockets (3.7.1)
+      concurrent-ruby (~> 1.0)
+      rack (> 1, < 3)
+    sprockets-rails (3.2.0)
+      actionpack (>= 4.0)
+      activesupport (>= 4.0)
+      sprockets (>= 3.0.0)
+    thor (0.19.4)
+    thread_safe (0.3.6)
+    tzinfo (1.2.2)
+      thread_safe (~> 0.1)
+    websocket-driver (0.6.5)
+      websocket-extensions (>= 0.1.0)
+    websocket-extensions (0.1.2)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  appraisal
+  bundler (~> 1.13)
+  guard
+  guard-rspec
+  pry-byebug
+  rails (~> 5.0)
+  rake (~> 10.0)
+  roo_on_rails!
+  rspec (~> 3.0)
+  thor (~> 0.19)
+
+BUNDLED WITH
+   1.14.6

data/lib/roo_on_rails/checks/environment.rb

@@ -1,10 +1,12 @@
 require 'roo_on_rails/checks/env_specific'
+require 'roo_on_rails/checks/github/branch_protection'
 require 'roo_on_rails/checks/heroku/app_exists'
 require 'roo_on_rails/checks/heroku/preboot_enabled'
 
 module RooOnRails
   module Checks
     class Environment < EnvSpecific
+      requires GitHub::BranchProtection
       requires Heroku::PrebootEnabled
 
       def call
@@ -19,4 +21,3 @@ module RooOnRails
     end
   end
 end
-

data/lib/roo_on_rails/checks/github/branch_protection.rb

@@ -0,0 +1,130 @@
+require 'roo_on_rails/checks/base'
+require 'roo_on_rails/checks/git/origin'
+require 'roo_on_rails/checks/github/token'
+
+module RooOnRails
+  module Checks
+    module GitHub
+      class BranchProtection < Base
+        requires GitHub::Token, Git::Origin
+
+        def intro
+          'Checking if GitHub master branch is protected...'
+        end
+
+        def call
+          ensure_status_checks!
+          ensure_code_reviews!
+          ensure_no_push!
+          pass 'branch protection is sufficient'
+        end
+
+        def fix
+          client.protect_branch(
+            repo,
+            branch,
+            options.merge(
+              required_status_checks: fixed_required_status_checks,
+              required_pull_request_reviews: fixed_pull_request_reviews,
+              restrictions: fixed_restrictions
+            )
+          )
+        end
+
+        private
+
+        def ensure_status_checks!
+          status_checks = protection[:required_status_checks] || {}
+          fail! 'status checks do not include admins' unless status_checks[:include_admins]
+
+          contexts = status_checks[:contexts] || []
+          ensure_ci_status_check!(contexts)
+          ensure_analysis_status_check!(contexts)
+          ensure_coverage_status_check!(contexts)
+        end
+
+        def ensure_ci_status_check!(contexts)
+          fail! 'no CI status check' unless contexts.include?(ci_context)
+        end
+
+        def ensure_analysis_status_check!(contexts)
+          fail! 'no code analysis status check' unless contexts.include?(analysis_context)
+        end
+
+        def ensure_coverage_status_check!(contexts)
+          return if (contexts & coverage_contexts) == coverage_contexts
+          fail! 'no code coverage status checks'
+        end
+
+        def ensure_code_reviews!
+          reviews = protection[:required_pull_request_reviews] || {}
+          fail! 'code reviews do not include admins' unless reviews[:include_admins]
+        end
+
+        def ensure_no_push!
+          users = protection.dig(:restrictions, :users)
+          teams = protection.dig(:restrictions, :teams)
+          fail! 'push restrictions should be enabled' if users.nil? || teams.nil?
+          fail! 'no users or teams should be allowed to push to master' if users.any? || teams.any?
+        end
+
+        def fixed_required_status_checks
+          status_checks = protection[:required_status_checks] || {}
+          status_checks.merge(
+            include_admins: true,
+            contexts: (status_checks[:contexts] || []) | [
+              ci_context,
+              analysis_context,
+              *coverage_contexts
+            ]
+          )
+        end
+
+        def fixed_pull_request_reviews
+          reviews = protection[:required_pull_request_reviews] || {}
+          reviews.merge(include_admins: true)
+        end
+
+        def fixed_restrictions
+          restrictions = protection[:restrictions] || {}
+          restrictions.merge(users: [], teams: [])
+        end
+
+        def ci_context
+          if Pathname.new('.travis.yml').exist? then 'continuous-integration/travis-ci'
+          else 'ci/circle-ci'
+          end
+        end
+
+        def analysis_context
+          'codeclimate'
+        end
+
+        def coverage_contexts
+          %w(codecov/patch codecov/project)
+        end
+
+        def protection
+          client.branch_protection(repo, branch, options).to_h
+        end
+
+        def repo
+          "#{context.git_org}/#{context.git_repo}"
+        end
+
+        def branch
+          'master'
+        end
+
+        def options
+          accept = Octokit::Preview::PREVIEW_TYPES[:branch_protection]
+          accept ? { accept: accept } : {}
+        end
+
+        def client
+          context.github.api_client
+        end
+      end
+    end
+  end
+end

data/lib/roo_on_rails/checks/github/token.rb

@@ -0,0 +1,85 @@
+require 'roo_on_rails/checks/base'
+require 'octokit'
+require 'socket'
+
+module RooOnRails
+  module Checks
+    module GitHub
+      # Output context:
+      # - github.api_client: a connected Octokit client
+      class Token < Base
+        TOKEN_FILE = File.expand_path('~/.roo_on_rails/github-token').freeze
+        private_constant :TOKEN_FILE
+
+        def intro
+          'Obtaining GitHub auth token...'
+        end
+
+        def call
+          token = File.exist?(TOKEN_FILE) && File.read(TOKEN_FILE)
+          fail! 'no token found' unless token && !token.empty?
+
+          oauth_client = Octokit::Client.new(access_token: token)
+          oauth_client.user # idempotent call to check access
+
+          context.github!.api_client = oauth_client
+          pass "connected to GitHub's API"
+        rescue Octokit::Error => e
+          fail! "#{e.class}: #{e.message}"
+        end
+
+        def fix
+          token = create_access_token
+          FileUtils.mkpath(File.dirname(TOKEN_FILE))
+          File.write(TOKEN_FILE, token)
+        rescue Octokit::Error => e
+          final_fail! "#{e.class}: #{e.message}"
+        end
+
+        private
+
+        def create_access_token
+          delete_existing_access_token
+          result = basic_client.create_authorization(
+            scopes: %w(repo),
+            note: token_name,
+            note_url: 'https://github.com/deliveroo/roo_on_rails',
+            headers: two_factor_headers
+          )
+          result[:token]
+        end
+
+        def delete_existing_access_token
+          authorizations = basic_client.authorizations(headers: two_factor_headers)
+          authorization = authorizations.find { |a| a[:note] == token_name }
+          return unless authorization
+
+          basic_client.delete_authorization(authorization[:id], headers: two_factor_headers)
+        end
+
+        def basic_client
+          @basic_client ||= begin
+            username = ask 'Enter your GitHub username:'
+            password = ask 'Enter your GitHub password (typing will be hidden):', echo: false
+            say # line break after non-echoed password
+            Octokit::Client.new(login: username, password: password)
+          end
+        end
+
+        def two_factor_headers
+          @two_factor_headers ||= begin
+            basic_client.user # idempotent call to check access
+            {}
+          rescue Octokit::OneTimePasswordRequired
+            otp = ask 'Enter your GitHub 2FA code:'
+            { 'X-GitHub-OTP' => otp }
+          end
+        end
+
+        def token_name
+          "Roo on Rails @ #{Socket.gethostname}"
+        end
+      end
+    end
+  end
+end

data/lib/roo_on_rails/checks/helpers.rb

@@ -13,7 +13,7 @@ module RooOnRails
       def self.included(by)
         by.class_eval do
           extend Forwardable
-          delegate %i[say set_color] => :'RooOnRails::Checks::Helpers::Receiver.instance'
+          delegate %i[ask say set_color] => :'RooOnRails::Checks::Helpers::Receiver.instance'
         end
       end
 

data/lib/roo_on_rails/default.env

@@ -7,3 +7,5 @@ NEW_RELIC_TRANSACTION_TRACER_RECORD_SQL=obfuscated
 NEW_RELIC_TRANSACTION_TRACER_RECORD_REDIS_ARGUMENTS=true
 NEW_RELIC_DEVELOPER_MODE=false
 NEW_RELIC_LICENSE_KEY=override-me
+RACK_SERVICE_TIMEOUT=10
+RACK_WAIT_TIMEOUT=30

data/lib/roo_on_rails/rack/safe_timeouts.rb

@@ -0,0 +1,28 @@
+# inspiration from:
+# https://devcenter.heroku.com/articles/concurrency-and-database-connections#multi-process-servers
+# https://devcenter.heroku.com/articles/postgres-logs-errors#pgerror-prepared-statement-a30-already-exists
+# http://stackoverflow.com/questions/8118074/is-the-prepared-statement-cache-cleared-per-request-in-rails-3-1
+# http://stackoverflow.com/questions/16775795/rails-switch-connection-on-each-request-but-keep-a-connection-pool
+
+module RooOnRails
+  module Rack
+    # Cleans up Rails database connections on timeouts, before they're returned
+    # to the pool.
+    #
+    # In particular, this clears the prepared statement cache, which can become
+    # corrupted as ActiveRecord isn't interrupt-safe.
+    class SafeTimeouts
+      def initialize(app)
+        @app = app
+      end
+
+      def call(env)
+        @app.call(env)
+      rescue Rack::Timeout::Error, Rack::Timeout::RequestTimeoutException
+        Rails.logger.warn('Clearing ActiveRecord connection cache due to timeout')
+        ActiveRecord::Base.connection.clear_cache!
+        raise
+      end
+    end
+  end
+end

data/lib/roo_on_rails/railtie.rb

@@ -12,30 +12,5 @@ module RooOnRails
     #     puts "#{k}: #{v}"
     #   end
     # end
-
-    initializer 'roo_on_rails.new_relic' do
-      $stderr.puts 'initializer roo_on_rails.new_relic'
-
-      license_key = ENV['NEW_RELIC_LICENSE_KEY']
-
-      if %w[ test development ].exclude?(Rails.env.to_s) and license_key == 'override-me'
-        abort 'Aborting: NEW_RELIC_LICENSE_KEY must be set in production environments'
-      end
-       
-      if license_key.nil?
-        abort 'Aborting: NEW_RELIC_LICENSE_KEY is required'
-      end
-
-      path = %w[newrelic.yml config/newrelic.yml].map { |p|
-        Pathname.new(p) 
-      }.find(&:exist?)
-      if path
-        abort "Aborting: newrelic.yml detected in '#{path.parent.realpath}', should not exist"
-      end
-
-      require 'newrelic_rpm'
-      ::NewRelic::Agent.manual_start unless Rails.env.test?
-    end
   end
 end
-

data/lib/roo_on_rails/railties/http.rb

@@ -0,0 +1,38 @@
+module RooOnRails
+  module Railties
+    class HTTP < Rails::Railtie
+      initializer 'roo_on_rails.http' do |app|
+        $stderr.puts 'initializer roo_on_rails.http'
+        require 'rack/timeout/base'
+        require 'rack/ssl-enforcer'
+
+        require 'roo_on_rails/rack/safe_timeouts'
+
+        ::Rack::Timeout.service_timeout = ENV.fetch('RACK_SERVICE_TIMEOUT', 15).to_i
+        ::Rack::Timeout.wait_timeout = ENV.fetch('RACK_WAIT_TIMEOUT', 30).to_i
+        ::Rack::Timeout::Logger.level = Logger::WARN
+
+        app.config.middleware.insert_before(
+          ::Rack::Runtime,
+          ::Rack::Timeout
+        )
+
+        # This needs to be inserted low in the stack, before Rails returns the
+        # thread-current connection to the pool.
+        app.config.middleware.insert_before(
+          ActionDispatch::Cookies,
+          RooOnRails::Rack::SafeTimeouts
+        )
+
+        if ENV.fetch('ROO_ON_RAILS_RACK_DEFLATE', 'YES').to_s =~ /\A(YES|TRUE|ON|1)\Z/i
+          app.config.middleware.use ::Rack::Deflater
+        end
+
+        app.config.middleware.insert_before(
+          ActionDispatch::Cookies,
+          ::Rack::SslEnforcer
+        )
+      end
+    end
+  end
+end

data/lib/roo_on_rails/railties/new_relic.rb

@@ -0,0 +1,27 @@
+module RooOnRails
+  module Railties
+    class NewRelic < Rails::Railtie
+      initializer 'roo_on_rails.new_relic' do
+        $stderr.puts 'initializer roo_on_rails.new_relic'
+
+        license_key = ENV['NEW_RELIC_LICENSE_KEY']
+
+        if %w(test development).exclude?(Rails.env.to_s) && (license_key == 'override-me')
+          abort 'Aborting: NEW_RELIC_LICENSE_KEY must be set in production environments'
+        end
+
+        abort 'Aborting: NEW_RELIC_LICENSE_KEY is required' if license_key.nil?
+
+        path = %w(newrelic.yml config/newrelic.yml).map do |p|
+          Pathname.new(p)
+        end.find(&:exist?)
+        if path
+          abort "Aborting: newrelic.yml detected in '#{path.parent.realpath}', should not exist"
+        end
+
+        require 'newrelic_rpm'
+        ::NewRelic::Agent.manual_start unless Rails.env.test?
+      end
+    end
+  end
+end

data/lib/roo_on_rails/version.rb

@@ -1,3 +1,3 @@
 module RooOnRails
-  VERSION = '1.1.0'
+  VERSION = '1.2.0'
 end

data/lib/roo_on_rails.rb

@@ -6,4 +6,6 @@ end
 if defined?(Rails)
   require 'dotenv/rails-now'
   require 'roo_on_rails/railtie'
+  require 'roo_on_rails/railties/new_relic'
+  require 'roo_on_rails/railties/http'
 end

data/roo_on_rails.gemspec

@@ -4,32 +4,38 @@ $LOAD_PATH.unshift(lib) unless $LOAD_PATH.include?(lib)
 require 'roo_on_rails/version'
 
 Gem::Specification.new do |spec|
-  spec.name          = "roo_on_rails"
+  spec.name          = 'roo_on_rails'
   spec.version       = RooOnRails::VERSION
-  spec.authors       = ["Julien Letessier"]
-  spec.email         = ["julien.letessier@gmail.com"]
+  spec.authors       = ['Julien Letessier']
+  spec.email         = ['julien.letessier@gmail.com']
 
-  spec.summary       = %q{Scaffolding for building services}
-  spec.description   = %q{Scaffolding for building services}
+  spec.summary       = 'Scaffolding for building services'
+  spec.description   = 'Scaffolding for building services'
   spec.homepage      = 'https://github.com/deliveroo/roo_on_rails'
-  spec.license       = "MIT"
+  spec.license       = 'MIT'
 
   spec.files         = `git ls-files -z`.split("\x0").reject do |f|
     f.match(%r{^(test|spec|features)/})
   end
-  spec.bindir        = "exe"
+  spec.bindir        = 'exe'
   spec.executables   = spec.files.grep(%r{^exe/}) { |f| File.basename(f) }
-  spec.require_paths = ["lib"]
+  spec.require_paths = ['lib']
 
   spec.add_runtime_dependency 'dotenv-rails', '~> 2.1'
   spec.add_runtime_dependency 'newrelic_rpm', '~> 3.17'
-  spec.add_runtime_dependency 'rails', '~> 5.0'
+  spec.add_runtime_dependency 'rails', '>= 3.2.22', '< 5.1'
   spec.add_runtime_dependency 'platform-api', '~> 0.8'
   spec.add_runtime_dependency 'hashie', '~> 3.4'
+  spec.add_runtime_dependency 'rack-timeout'
+  spec.add_runtime_dependency 'rack-ssl-enforcer'
+  spec.add_runtime_dependency 'octokit'
 
-  spec.add_development_dependency "bundler", "~> 1.13"
-  spec.add_development_dependency "rake", "~> 10.0"
-  spec.add_development_dependency "rspec", "~> 3.0"
+  spec.add_development_dependency 'bundler', '~> 1.13'
+  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'rspec', '~> 3.0'
   spec.add_development_dependency 'thor', '~> 0.19'
   spec.add_development_dependency 'pry-byebug'
+  spec.add_development_dependency 'memfs'
+  spec.add_development_dependency 'simplecov'
+  spec.add_development_dependency 'codecov'
 end