rubocop-sidekiq_plus 0.1.0

data/lib/rubocop/cop/sidekiq_ent/encryption_with_many_arguments.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module SidekiqEnt
+      # Checks that encrypted jobs use proper argument structure.
+      #
+      # Sidekiq Enterprise encryption only encrypts the last argument.
+      # If sensitive data is passed in non-last arguments, it won't be encrypted.
+      #
+      # @example
+      #   # bad - sensitive data not in last argument
+      #   class MyJob
+      #     include Sidekiq::Job
+      #     sidekiq_options encrypt: true
+      #
+      #     def perform(password, user_id, options)
+      #     end
+      #   end
+      #
+      #   # good - sensitive data in last argument (secret bag)
+      #   class MyJob
+      #     include Sidekiq::Job
+      #     sidekiq_options encrypt: true
+      #
+      #     def perform(user_id, secret_bag)
+      #     end
+      #   end
+      #
+      class EncryptionWithManyArguments < Base
+        include RuboCop::Sidekiq::Language
+
+        MSG = 'Encrypted jobs should use a secret bag pattern. ' \
+              'Only the last argument is encrypted; consider consolidating sensitive data.'
+
+        MAX_RECOMMENDED_ARGS = 2
+
+        # @!method encryption_enabled?(node)
+        def_node_matcher :encryption_enabled?, <<~PATTERN
+          (send nil? :sidekiq_options (hash <(pair (sym :encrypt) {(true) (sym :true)}) ...>))
+        PATTERN
+
+        def on_send(node)
+          return unless encryption_enabled?(node)
+
+          class_node = node.each_ancestor(:class).first
+          return unless class_node
+
+          perform_method = find_perform_method(class_node)
+          return unless perform_method
+
+          arg_count = perform_method.arguments.size
+          add_offense(perform_method.loc.name) if arg_count > max_args
+        end
+        alias on_csend on_send
+
+        private
+
+        def max_args
+          cop_config.fetch('MaxArguments', MAX_RECOMMENDED_ARGS)
+        end
+
+        def find_perform_method(class_node)
+          class_node.body&.each_descendant(:def)&.find do |def_node|
+            def_node.method?(:perform)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/sidekiq_ent/encryption_without_secret_bag.rb

@@ -0,0 +1,83 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module SidekiqEnt
+      # Checks that encrypted jobs have meaningful arguments to encrypt.
+      #
+      # Sidekiq Enterprise encryption only encrypts the last argument.
+      # If the job only has a single ID-like argument, encryption may
+      # not provide much value.
+      #
+      # @example
+      #   # questionable - only ID argument
+      #   class MyJob
+      #     include Sidekiq::Job
+      #     sidekiq_options encrypt: true
+      #
+      #     def perform(user_id)
+      #     end
+      #   end
+      #
+      #   # good - secret data in last argument
+      #   class MyJob
+      #     include Sidekiq::Job
+      #     sidekiq_options encrypt: true
+      #
+      #     def perform(user_id, secret_data)
+      #     end
+      #   end
+      #
+      class EncryptionWithoutSecretBag < Base
+        include RuboCop::Sidekiq::Language
+
+        MSG = 'Encrypted job has only one argument. ' \
+              'Consider if encryption is necessary or add a secret bag argument.'
+
+        # @!method encryption_enabled?(node)
+        def_node_matcher :encryption_enabled?, <<~PATTERN
+          (send nil? :sidekiq_options (hash <(pair (sym :encrypt) {(true) (sym :true)}) ...>))
+        PATTERN
+
+        def on_send(node)
+          return unless encryption_enabled?(node)
+
+          class_node = node.each_ancestor(:class).first
+          return unless class_node
+
+          perform_method = find_perform_method(class_node)
+          return unless perform_method
+
+          add_offense(perform_method.loc.name) if single_id_like_argument?(perform_method)
+        end
+        alias on_csend on_send
+
+        private
+
+        def find_perform_method(class_node)
+          class_node.body&.each_descendant(:def)&.find do |def_node|
+            def_node.method?(:perform)
+          end
+        end
+
+        def single_id_like_argument?(method_node)
+          args = method_node.arguments
+          return false unless args.size == 1
+
+          arg_name = args.first.name.to_s
+          id_like_patterns.any? { |pattern| arg_name.match?(pattern) }
+        end
+
+        def id_like_patterns
+          @id_like_patterns ||= [
+            /_id\z/,
+            /\Aid\z/,
+            /_ids\z/,
+            /\Auuid\z/,
+            /\Arecord_id\z/
+          ]
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/sidekiq_ent/leader_election_without_block.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module SidekiqEnt
+      # Checks for potentially problematic leader election usage.
+      #
+      # Using `Sidekiq.leader?` for long-running operations can be
+      # problematic if leadership changes during execution. Prefer
+      # delegating work to a job.
+      #
+      # @example
+      #   # bad - long-running operation in leader check
+      #   if Sidekiq.leader?
+      #     do_long_running_work
+      #   end
+      #
+      #   # good - enqueue job for leader work
+      #   if Sidekiq.leader?
+      #     LeaderOnlyJob.perform_async
+      #   end
+      #
+      class LeaderElectionWithoutBlock < Base
+        MSG = 'Avoid long-running operations in leader checks. ' \
+              'Consider delegating work to a job.'
+
+        # @!method leader_check?(node)
+        def_node_matcher :leader_check?, <<~PATTERN
+          (send (const {nil? cbase} :Sidekiq) :leader?)
+        PATTERN
+
+        # @!method if_leader_condition?(node)
+        def_node_matcher :if_leader_condition?, <<~PATTERN
+          (if (send (const {nil? cbase} :Sidekiq) :leader?) $_ $_)
+        PATTERN
+
+        def on_if(node)
+          if_leader_condition?(node) do |then_branch, _else_branch|
+            return unless then_branch
+
+            add_offense(node) if contains_non_job_calls?(then_branch)
+          end
+        end
+
+        private
+
+        def contains_non_job_calls?(node)
+          return false if only_job_enqueue?(node)
+
+          case node.type
+          when :begin
+            node.children.any? { |child| contains_non_job_calls?(child) }
+          when :send
+            !job_enqueue_call?(node)
+          else
+            true
+          end
+        end
+
+        def only_job_enqueue?(node)
+          return job_enqueue_call?(node) if node.send_type?
+          return node.children.all? { |child| child.send_type? && job_enqueue_call?(child) } if node.begin_type?
+
+          false
+        end
+
+        def job_enqueue_call?(node)
+          return false unless node.send_type?
+
+          %i[perform_async perform_in perform_at].include?(node.method_name)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/sidekiq_ent/limiter_not_reused.rb

@@ -0,0 +1,79 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module SidekiqEnt
+      # Checks that rate limiters are created as class constants for reuse.
+      #
+      # Creating limiters inside the perform method causes Redis memory leaks
+      # because each instance creates new Redis keys. Limiters should be
+      # defined as class constants to be reused across job executions.
+      #
+      # @example
+      #   # bad - limiter created inside perform
+      #   class MyJob
+      #     include Sidekiq::Job
+      #
+      #     def perform
+      #       limiter = Sidekiq::Limiter.concurrent('api', 50)
+      #       limiter.within_limit { call_api }
+      #     end
+      #   end
+      #
+      #   # good - limiter as class constant
+      #   class MyJob
+      #     include Sidekiq::Job
+      #     API_LIMITER = Sidekiq::Limiter.concurrent('api', 50, wait_timeout: 0)
+      #
+      #     def perform
+      #       API_LIMITER.within_limit { call_api }
+      #     end
+      #   end
+      #
+      #   # good - dynamic limiter name (user-specific)
+      #   class MyJob
+      #     include Sidekiq::Job
+      #
+      #     def perform(user_id)
+      #       limiter = Sidekiq::Limiter.concurrent("api-#{user_id}", 10)
+      #       limiter.within_limit { call_api_for_user(user_id) }
+      #     end
+      #   end
+      #
+      class LimiterNotReused < Base
+        MSG = 'Create rate limiters as class constants for reuse.'
+
+        def on_send(node)
+          limiter_creation?(node) do |_method, name, _limit|
+            return if inside_class_body_directly?(node)
+            return if dynamic_limiter_name?(name)
+
+            add_offense(node)
+          end
+        end
+        alias on_csend on_send
+
+        private
+
+        def inside_class_body_directly?(node)
+          !inside_method?(node) && inside_class?(node)
+        end
+
+        def inside_method?(node)
+          node.each_ancestor(:any_def).any?
+        end
+
+        def inside_class?(node)
+          node.each_ancestor(:class).any?
+        end
+
+        def dynamic_limiter_name?(name)
+          return true if name.dstr_type?
+          return true if name.send_type?
+
+          false
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/sidekiq_ent/limiter_without_lock_timeout.rb

@@ -0,0 +1,46 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module SidekiqEnt
+      # Checks that concurrent limiters specify lock_timeout option.
+      #
+      # Without lock_timeout, the default (30 seconds) may not cover jobs
+      # with longer execution times, causing locks to expire prematurely.
+      #
+      # @example
+      #   # bad - no lock_timeout specified
+      #   LIMITER = Sidekiq::Limiter.concurrent('erp', 50, wait_timeout: 0)
+      #
+      #   # good - explicit lock_timeout
+      #   LIMITER = Sidekiq::Limiter.concurrent('erp', 50, wait_timeout: 0, lock_timeout: 120)
+      #
+      class LimiterWithoutLockTimeout < Base
+        MSG = 'Specify `lock_timeout` option for concurrent limiters to match job execution time.'
+
+        def on_send(node)
+          limiter_creation?(node) do |method, _name, _limit|
+            return unless method == :concurrent
+            return if lock_timeout_option?(node)
+
+            add_offense(node)
+          end
+        end
+        alias on_csend on_send
+
+        private
+
+        def lock_timeout_option?(node)
+          options_hash = find_options_hash(node)
+          return false unless options_hash
+
+          options_hash.pairs.any? { |pair| pair.key.value == :lock_timeout }
+        end
+
+        def find_options_hash(node)
+          node.arguments.find(&:hash_type?)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/sidekiq_ent/limiter_without_wait_timeout.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module SidekiqEnt
+      # Checks that rate limiters specify wait_timeout option.
+      #
+      # Without wait_timeout, jobs will wait indefinitely for a limit slot,
+      # potentially blocking Sidekiq worker threads. Setting wait_timeout: 0
+      # for class constant limiters makes the job fail fast and rely on retry.
+      #
+      # @example
+      #   # bad - no wait_timeout specified
+      #   API_LIMITER = Sidekiq::Limiter.concurrent('api', 50)
+      #
+      #   # good - explicit wait_timeout
+      #   API_LIMITER = Sidekiq::Limiter.concurrent('api', 50, wait_timeout: 0)
+      #
+      #   # good - wait_timeout with value
+      #   API_LIMITER = Sidekiq::Limiter.concurrent('api', 50, wait_timeout: 5)
+      #
+      class LimiterWithoutWaitTimeout < Base
+        MSG = 'Specify `wait_timeout` option for rate limiters to avoid blocking worker threads.'
+
+        def on_send(node)
+          limiter_creation?(node) do |_method, _name, _limit|
+            return if wait_timeout_option?(node)
+
+            add_offense(node)
+          end
+        end
+        alias on_csend on_send
+
+        private
+
+        def wait_timeout_option?(node)
+          options_hash = find_options_hash(node)
+          return false unless options_hash
+
+          options_hash.pairs.any? { |pair| pair.key.value == :wait_timeout }
+        end
+
+        def find_options_hash(node)
+          node.arguments.find(&:hash_type?)
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/sidekiq_ent/periodic_job_invalid_cron.rb

@@ -0,0 +1,108 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module SidekiqEnt
+      # Checks that cron expressions in periodic job registration are valid.
+      #
+      # Invalid cron expressions will cause Sidekiq Enterprise to fail when
+      # loading the periodic job configuration.
+      #
+      # @example
+      #   # bad - invalid cron (6 fields)
+      #   config.periodic do |mgr|
+      #     mgr.register('0 * * * * *', 'SomeJob')
+      #   end
+      #
+      #   # bad - invalid minute value
+      #   config.periodic do |mgr|
+      #     mgr.register('60 * * * *', 'SomeJob')
+      #   end
+      #
+      #   # good - valid cron
+      #   config.periodic do |mgr|
+      #     mgr.register('0 * * * *', 'SomeJob')
+      #   end
+      #
+      class PeriodicJobInvalidCron < Base
+        MSG = 'Invalid cron expression: %<reason>s'
+
+        # @!method periodic_register?(node)
+        def_node_matcher :periodic_register?, <<~PATTERN
+          (send _ :register (str $_) ...)
+        PATTERN
+
+        def on_send(node)
+          periodic_register?(node) do |cron_expression|
+            error = validate_cron(cron_expression)
+            add_offense(node.first_argument, message: format(MSG, reason: error)) if error
+          end
+        end
+        alias on_csend on_send
+
+        private
+
+        def validate_cron(expression)
+          fields = expression.strip.split(/\s+/)
+
+          return 'expected 5 fields (minute hour day month weekday)' unless fields.size == 5
+
+          validate_field(fields[0], 0, 59, 'minute') ||
+            validate_field(fields[1], 0, 23, 'hour') ||
+            validate_field(fields[2], 1, 31, 'day') ||
+            validate_field(fields[3], 1, 12, 'month') ||
+            validate_field(fields[4], 0, 6, 'weekday')
+        end
+
+        def validate_field(field, min, max, name)
+          return nil if field == '*'
+
+          if field.include?('/')
+            step_validation(field, min, max, name)
+          elsif field.include?(',')
+            list_validation(field, min, max, name)
+          elsif field.include?('-')
+            range_validation(field, min, max, name)
+          else
+            value_validation(field, min, max, name)
+          end
+        end
+
+        def step_validation(field, min, max, name)
+          base, step = field.split('/', 2)
+          base_error = base == '*' ? nil : validate_field(base, min, max, name)
+          return base_error if base_error
+          return "invalid step value for #{name}" unless step&.match?(/\A\d+\z/)
+          return "step value out of range for #{name}" unless step.to_i.between?(1, max)
+
+          nil
+        end
+
+        def list_validation(field, min, max, name)
+          field.split(',').each do |value|
+            error = validate_field(value.strip, min, max, name)
+            return error if error
+          end
+          nil
+        end
+
+        def range_validation(field, min, max, name)
+          start_val, end_val = field.split('-', 2)
+          return "invalid range for #{name}" unless start_val&.match?(/\A\d+\z/) && end_val&.match?(/\A\d+\z/)
+
+          in_range = start_val.to_i.between?(min, max) && end_val.to_i.between?(min, max)
+          return "#{name} value out of range" unless in_range
+
+          nil
+        end
+
+        def value_validation(field, min, max, name)
+          return "invalid #{name} value" unless field.match?(/\A\d+\z/)
+          return "#{name} value out of range (#{min}-#{max})" unless field.to_i.between?(min, max)
+
+          nil
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/sidekiq_ent/periodic_job_with_arguments.rb

@@ -0,0 +1,94 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module SidekiqEnt
+      # Checks that periodic jobs do not require arguments without defaults.
+      #
+      # Periodic jobs are scheduled by cron and cannot receive dynamic arguments
+      # unless specified via the `args` option in the periodic registration.
+      # A perform method requiring arguments will fail when called periodically.
+      #
+      # @example
+      #   # bad - requires arguments
+      #   class HourlyReportJob
+      #     include Sidekiq::Job
+      #
+      #     def perform(user_id)
+      #     end
+      #   end
+      #
+      #   # good - no arguments
+      #   class HourlyReportJob
+      #     include Sidekiq::Job
+      #
+      #     def perform
+      #     end
+      #   end
+      #
+      #   # good - optional arguments with defaults
+      #   class HourlyReportJob
+      #     include Sidekiq::Job
+      #
+      #     def perform(scope = 'all')
+      #     end
+      #   end
+      #
+      class PeriodicJobWithArguments < Base
+        include RuboCop::Sidekiq::Language
+
+        MSG = 'Periodic job `perform` should not require arguments. ' \
+              'Use optional arguments or the `args` option in periodic registration.'
+
+        # @!method periodic_register?(node)
+        def_node_matcher :periodic_register?, <<~PATTERN
+          (send _ :register (str _) {(str $_) (const ... $_)} ...)
+        PATTERN
+
+        def on_send(node)
+          periodic_register?(node) do |job_class_name|
+            job_class_name = job_class_name.to_s
+            check_job_class(node, job_class_name)
+          end
+        end
+        alias on_csend on_send
+
+        private
+
+        def check_job_class(register_node, job_class_name)
+          return if args_option?(register_node)
+
+          find_job_class(job_class_name)&.then do |class_node|
+            perform_method = find_perform_method(class_node)
+            add_offense(perform_method.loc.name) if perform_method && requires_arguments?(perform_method)
+          end
+        end
+
+        def args_option?(node)
+          options_hash = node.arguments.find(&:hash_type?)
+          return false unless options_hash
+
+          options_hash.pairs.any? { |pair| pair.key.value == :args }
+        end
+
+        def find_job_class(class_name)
+          processed_source.ast.each_descendant(:class).find do |class_node|
+            class_node.identifier.source == class_name.split('::').last
+          end
+        end
+
+        def find_perform_method(class_node)
+          class_node.body&.each_descendant(:def)&.find do |def_node|
+            def_node.method?(:perform)
+          end
+        end
+
+        def requires_arguments?(method_node)
+          method_node.arguments.any? do |arg|
+            arg.type?(:arg, :kwarg)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/rubocop/cop/sidekiq_ent/unique_job_too_short_ttl.rb

@@ -0,0 +1,80 @@
+# frozen_string_literal: true
+
+module RuboCop
+  module Cop
+    module SidekiqEnt
+      # Checks that unique jobs have sufficient TTL.
+      #
+      # A too short unique_for TTL may expire during retries, allowing
+      # duplicate jobs to be enqueued while the original is still retrying.
+      #
+      # @example
+      #   # bad - TTL too short
+      #   class MyJob
+      #     include Sidekiq::Job
+      #     sidekiq_options unique_for: 30
+      #   end
+      #
+      #   # good - adequate TTL
+      #   class MyJob
+      #     include Sidekiq::Job
+      #     sidekiq_options unique_for: 3600
+      #   end
+      #
+      class UniqueJobTooShortTTL < Base
+        MSG = 'Unique job TTL is too short (minimum: %<minimum>s seconds). ' \
+              'Consider increasing `unique_for` to cover retry period.'
+
+        MINIMUM_TTL = 60
+
+        # @!method unique_for_value(node)
+        def_node_matcher :unique_for_value, <<~PATTERN
+          (send nil? :sidekiq_options (hash <(pair (sym :unique_for) $_) ...>))
+        PATTERN
+
+        def on_send(node)
+          unique_for_value(node) do |value_node|
+            ttl = extract_seconds(value_node)
+            return unless ttl && ttl < minimum_ttl
+
+            add_offense(value_node, message: format(MSG, minimum: minimum_ttl))
+          end
+        end
+        alias on_csend on_send
+
+        private
+
+        def minimum_ttl
+          cop_config.fetch('MinimumTTL', MINIMUM_TTL)
+        end
+
+        def extract_seconds(node)
+          case node.type
+          when :int
+            node.value
+          when :float
+            node.value.to_i
+          when :send
+            extract_duration_seconds(node)
+          end
+        end
+
+        def extract_duration_seconds(node)
+          return unless node.receiver&.type?(:int, :float)
+
+          value = node.receiver.value.to_f
+          duration_multiplier(node.method_name, value)&.to_i
+        end
+
+        def duration_multiplier(method_name, value)
+          case method_name
+          when :seconds, :second then value
+          when :minutes, :minute then value * 60
+          when :hours, :hour then value * 3600
+          when :days, :day then value * 86_400
+          end
+        end
+      end
+    end
+  end
+end