shipit-engine 0.21.0 → 0.22.0

data/lib/shipit/command.rb

@@ -143,7 +143,7 @@ module Shipit
     end
 
     def yield_control
-      @control_block.call if @control_block
+      @control_block&.call
     end
 
     def read_stream(io)

data/lib/shipit/engine.rb

@@ -29,16 +29,10 @@ module Shipit
       ActiveModel::ArraySerializer._root = false
       ActiveModel::Serializer.include(Engine.routes.url_helpers)
 
-      if Shipit.github_oauth_credentials
+      if Shipit.github.oauth?
         OmniAuth::Strategies::GitHub.configure path_prefix: '/github/auth'
         app.middleware.use OmniAuth::Builder do
-          provider(
-            :github,
-            Shipit.github_oauth_id,
-            Shipit.github_oauth_secret,
-            scope: 'email,repo_deployment',
-            client_options: Shipit.github_oauth_options,
-          )
+          provider(:github, *Shipit.github.oauth_config)
         end
       end
     end

data/lib/shipit/github_app.rb

@@ -0,0 +1,122 @@
+module Shipit
+  class GitHubApp
+    DOMAIN = 'github.com'.freeze
+    AuthenticationFailed = Class.new(StandardError)
+
+    attr_reader :oauth_teams, :domain, :bot_login
+
+    def initialize(config)
+      @config = (config || {}).with_indifferent_access
+      @domain = @config[:domain] || DOMAIN
+      @webhook_secret = @config[:webhook_secret].presence
+      @bot_login = @config[:bot_login]
+
+      oauth = (@config[:oauth] || {}).with_indifferent_access
+      @oauth_id = oauth[:id]
+      @oauth_secret = oauth[:secret]
+      @oauth_teams = Array.wrap(oauth[:teams] || oauth[:teams])
+    end
+
+    def login
+      raise NotImplementedError, 'Handle App login / user'
+    end
+
+    def api
+      @client = new_client if !defined?(@client) || @client.access_token != token
+      @client
+    end
+
+    def verify_webhook_signature(signature, message)
+      return true unless webhook_secret
+
+      algorithm, signature = signature.split("=", 2)
+      return false unless algorithm == 'sha1'
+
+      SecureCompare.secure_compare(signature, OpenSSL::HMAC.hexdigest(algorithm, webhook_secret, message))
+    end
+
+    def token
+      return 't0kEn' if Rails.env.test? # TODO: figure out something cleaner
+      return unless private_key && app_id && installation_id
+
+      Rails.cache.fetch('github:integration:token', expires_in: 50.minutes, race_condition_ttl: 10.minutes) do
+        token = Octokit::Client.new(bearer_token: authentication_payload).create_app_installation_access_token(
+          installation_id,
+          accept: 'application/vnd.github.machine-man-preview+json',
+        ).token
+        raise AuthenticationFailed if token.blank?
+        token
+      end
+    end
+
+    def oauth?
+      oauth_id.present? && oauth_secret.present?
+    end
+
+    def oauth_config
+      options = {}
+      if enterprise?
+        options = {
+          site: api_endpoint,
+          authorize_url: url('/login/oauth/authorize'),
+          token_url: url('/login/oauth/access_token'),
+        }
+      end
+
+      [
+        oauth_id,
+        oauth_secret,
+        scope: 'email,repo_deployment',
+        client_options: options,
+      ]
+    end
+
+    def url(*path)
+      @url ||= "https://#{domain}".freeze
+      path.empty? ? @url : File.join(@url, *path.map(&:to_s))
+    end
+
+    def api_endpoint
+      url('/api/v3/') if enterprise?
+    end
+
+    def enterprise?
+      domain != DOMAIN
+    end
+
+    private
+
+    attr_reader :webhook_secret, :oauth_id, :oauth_secret
+
+    def app_id
+      @app_id ||= @config.fetch(:app_id)
+    end
+
+    def installation_id
+      @installation_id ||= @config.fetch(:installation_id)
+    end
+
+    def private_key
+      @private_key ||= @config.fetch(:private_key)
+    end
+
+    def new_client
+      client = Octokit::Client.new(
+        access_token: token,
+        api_endpoint: api_endpoint,
+      )
+      client.middleware = Shipit.new_faraday_stack
+      client
+    end
+
+    def authentication_payload
+      payload = {
+        iat: Time.now.to_i,
+        exp: 10.minutes.from_now.to_i,
+        iss: app_id,
+      }
+      key = OpenSSL::PKey::RSA.new(private_key)
+      JWT.encode(payload, key, 'RS256')
+    end
+  end
+end

data/lib/shipit/octokit_bot_users_patch.rb

@@ -0,0 +1,25 @@
+require 'octokit'
+
+# https://github.com/octokit/octokit.rb/pull/1006
+if Octokit::VERSION >= '5'
+  raise 'This patch should be removed'
+else
+  module Octokit
+    module Connection
+      protected
+
+      def request(method, path, data, options = {})
+        if data.is_a?(Hash)
+          options[:query] = data.delete(:query) || {}
+          options[:headers] = data.delete(:headers) || {}
+          if accept = data.delete(:accept)
+            options[:headers][:accept] = accept
+          end
+        end
+
+        @last_response = response = agent.call(method, Addressable::URI.parse(path.to_s).normalize.to_s, data, options)
+        response.data
+      end
+    end
+  end
+end

data/lib/shipit/octokit_iterator.rb

@@ -6,8 +6,8 @@ module Shipit
       if relation
         @response = relation.get(per_page: 100)
       else
-        yield Shipit.github_api
-        @response = Shipit.github_api.last_response
+        yield Shipit.github.api
+        @response = Shipit.github.api.last_response
       end
     end
 

data/lib/shipit/version.rb

@@ -1,3 +1,3 @@
 module Shipit
-  VERSION = '0.21.0'.freeze
+  VERSION = '0.22.0'.freeze
 end

data/lib/tasks/teams.rake

@@ -1,29 +1,13 @@
 namespace :teams do
-  desc "Import the members of each team configured through the github_oauth.teams config and attempt to set a webhook to keep the list updated"
+  desc "Import the members of each team configured through the github.oauth.teams config"
   task fetch: :environment do
-    handles = Shipit.github_teams_handles
-    if handles.empty?
-      puts "github_oauth.teams is empty"
-    else
-      handles.each do |handle|
-        puts "Fetching @#{handle} members"
-        begin
-          team = Shipit::Team.find_or_create_by_handle(handle)
-          team.refresh_members!
-        rescue Octokit::Unauthorized, Octokit::NotFound => error
-          puts "Failed to fetch @#{handle} members. Do you have enough permissions?"
-          puts "#{error.class}: #{error.message}"
-        end
-
-        if team
-          puts "Ensuring webhook presence for #{team.organization}"
-          begin
-            team.setup_hooks(async: false)
-          rescue Octokit::Unauthorized, Octokit::NotFound => error
-            puts "Failed to install webhook on #{team.organization}. Do you have enough permissions?"
-            puts "#{error.class}: #{error.message}"
-          end
-        end
+    Shipit.github_teams.each do |team|
+      puts "Fetching @#{team.handle} members"
+      begin
+        team.refresh_members!
+      rescue Octokit::Unauthorized, Octokit::NotFound => error
+        puts "Failed to fetch @#{team.handle} members. Do you have enough permissions?"
+        puts "#{error.class}: #{error.message}"
       end
     end
   end

data/test/controllers/stacks_controller_test.rb

@@ -8,24 +8,10 @@ module Shipit
       session[:user_id] = shipit_users(:walrus).id
     end
 
-    test "validates that Shipit.github_oauth_id is present" do
-      Shipit.stubs(github_oauth_credentials: {'secret' => 'abc'})
+    test "validates that Shipit.github is present" do
+      Rails.application.secrets.stubs(:github).returns(nil)
       get :index
-      assert_select "#github_oauth_id .missing"
-      assert_select ".missing", count: 1
-    end
-
-    test "validates that Shipit.github_oauth_secret is present" do
-      Shipit.stubs(github_oauth_credentials: {'id' => 'abc'})
-      get :index
-      assert_select "#github_oauth_secret .missing"
-      assert_select ".missing", count: 1
-    end
-
-    test "validates that Shipit.github_api_credentials is present" do
-      Shipit.stubs(github_api_credentials: {})
-      get :index
-      assert_select "#github_api .missing"
+      assert_select "#github_app .missing"
       assert_select ".missing", count: 1
     end
 
@@ -142,18 +128,6 @@ module Shipit
       assert_redirected_to stack_settings_path(@stack)
     end
 
-    test "#sync_webhooks queues #{Stack::REQUIRED_HOOKS.count} SetupGithubHookJob" do
-      assert_enqueued_jobs(Stack::REQUIRED_HOOKS.count) do
-        post :sync_webhooks, params: {id: @stack.to_param}
-      end
-      assert_redirected_to stack_settings_path(@stack)
-    end
-
-    test "#sync_webhooks displays a flash message" do
-      post :sync_webhooks, params: {id: @stack.to_param}
-      assert_equal 'Webhooks syncing scheduled', flash[:success]
-    end
-
     test "#clear_git_cache queues a ClearGitCacheJob" do
       assert_enqueued_with(job: ClearGitCacheJob, args: [@stack]) do
         post :clear_git_cache, params: {id: @stack.to_param}

data/test/controllers/webhooks_controller_test.rb

@@ -9,10 +9,9 @@ module Shipit
 
     test ":push with the target branch queues a GithubSyncJob" do
       request.headers['X-Github-Event'] = 'push'
-      params = payload(:push_master)
 
       assert_enqueued_with(job: GithubSyncJob, args: [stack_id: @stack.id]) do
-        post :push, params: {stack_id: @stack.id}.merge(params)
+        post :create, body: payload(:push_master), as: :json
       end
     end
 
@@ -20,21 +19,21 @@ module Shipit
       request.headers['X-Github-Event'] = 'push'
       params = payload(:push_not_master)
       assert_no_enqueued_jobs do
-        post :push, params: {stack_id: @stack.id}.merge(params)
+        post :create, body: params, as: :json
       end
     end
 
     test ":state create a Status for the specific commit" do
       request.headers['X-Github-Event'] = 'status'
 
-      status_payload = payload(:status_master)
       commit = shipit_commits(:first)
 
       assert_difference 'commit.statuses.count', 1 do
-        post :state, params: {stack_id: @stack.id}.merge(status_payload)
+        post :create, body: payload(:status_master), as: :json
       end
 
       status = commit.statuses.last
+      status_payload = JSON.parse(payload(:status_master))
       assert_equal status_payload['target_url'], status.target_url
       assert_equal status_payload['state'], status.state
       assert_equal status_payload['description'], status.description
@@ -44,108 +43,92 @@ module Shipit
 
     test ":state with a unexisting commit respond with 200 OK" do
       request.headers['X-Github-Event'] = 'status'
-      params = {'sha' => 'notarealcommit', 'state' => 'pending', 'branches' => [{'name' => 'master'}]}
-      post :state, params: {stack_id: @stack.id}.merge(params)
+      params = {'sha' => 'notarealcommit', 'state' => 'pending', 'branches' => [{'name' => 'master'}]}.to_json
+      post :create, body: params, as: :json
       assert_response :ok
     end
 
     test ":state in an untracked branche bails out" do
       request.headers['X-Github-Event'] = 'status'
-      params = {'sha' => 'notarealcommit', 'state' => 'pending', 'branches' => []}
-      post :state, params: {stack_id: @stack.id}.merge(params)
+      params = {'sha' => 'notarealcommit', 'state' => 'pending', 'branches' => []}.to_json
+      post :create, body: params, as: :json
       assert_response :ok
     end
 
-    test ":push returns head :ok if request is ping" do
+    test "returns head :ok if request is ping" do
       @request.headers['X-Github-Event'] = 'ping'
 
       assert_no_enqueued_jobs do
-        post :state, params: {stack_id: @stack.id, zen: 'Git is beautiful'}
+        post :create, body: {zen: 'Git is beautiful'}.to_json, as: :json
         assert_response :ok
       end
     end
 
-    test ":state returns head :ok if request is ping" do
-      @request.headers['X-Github-Event'] = 'ping'
-
-      assert_no_enqueued_jobs do
-        post :state, params: {stack_id: @stack.id}
-        assert_response :ok
-      end
-    end
-
-    test ":state verifies webhook signature" do
+    test "verifies webhook signature" do
       commit = shipit_commits(:first)
 
-      params = {"sha" => commit.sha, "state" => "pending", "target_url" => "https://ci.example.com/1000/output"}
+      payload = {"sha" => commit.sha, "state" => "pending", "target_url" => "https://ci.example.com/1000/output"}.to_json
       signature = 'sha1=4848deb1c9642cd938e8caa578d201ca359a8249'
 
       @request.headers['X-Github-Event'] = 'push'
       @request.headers['X-Hub-Signature'] = signature
 
-      GithubHook.any_instance.expects(:verify_signature).with(signature, URI.encode_www_form(params)).returns(false)
-
-      post :push, params: {stack_id: @stack.id}.merge(params)
-      assert_response :unprocessable_entity
-    end
-
-    test ":push verifies webhook signature" do
-      params = {"ref" => "refs/heads/master"}
-      signature = 'sha1=ad1d939e9acd6bdc2415a2dd5951be0f2a796ce0'
-
-      @request.headers['X-Github-Event'] = 'push'
-      @request.headers['X-Hub-Signature'] = signature
-
-      GithubHook.any_instance.expects(:verify_signature).with(signature, URI.encode_www_form(params)).returns(false)
+      Shipit.github.expects(:verify_webhook_signature).with(signature, payload).returns(false)
 
-      post :push, params: {stack_id: @stack.id}.merge(params)
+      post :create, body: payload, as: :json
       assert_response :unprocessable_entity
     end
 
     test ":membership creates the mentioned team on the fly" do
+      @request.headers['X-Github-Event'] = 'membership'
       assert_difference -> { Team.count }, 1 do
-        post :membership, params: membership_params.merge(team: {
+        post :create, as: :json, body: membership_params.merge(team: {
           id: 48,
           name: 'Ouiche Cooks',
           slug: 'ouiche-cooks',
           url: 'https://example.com',
-        })
+        }).to_json
         assert_response :ok
       end
     end
 
     test ":membership creates the mentioned user on the fly" do
-      Shipit.github_api.expects(:user).with('george').returns(george)
+      @request.headers['X-Github-Event'] = 'membership'
+      Shipit.github.api.expects(:user).with('george').returns(george)
       assert_difference -> { User.count }, 1 do
-        post :membership, params: membership_params.merge(member: {login: 'george'})
+        post :create, body: membership_params.merge(member: {login: 'george'}).to_json, as: :json
         assert_response :ok
       end
     end
 
     test ":membership can delete an user membership" do
+      @request.headers['X-Github-Event'] = 'membership'
       assert_difference -> { Membership.count }, -1 do
-        post :membership, params: membership_params.merge(_action: 'removed')
+        post :create, body: membership_params.merge(action: 'removed').to_json, as: :json
         assert_response :ok
       end
     end
 
     test ":membership can append an user membership" do
+      @request.headers['X-Github-Event'] = 'membership'
       assert_difference -> { Membership.count }, 1 do
-        post :membership, params: membership_params.merge(member: {login: 'bob'})
+        post :create, body: membership_params.merge(member: {login: 'bob'}).to_json, as: :json
         assert_response :ok
       end
     end
 
     test ":membership can append an user twice" do
+      @request.headers['X-Github-Event'] = 'membership'
       assert_no_difference -> { Membership.count } do
-        post :membership, params: membership_params
+        post :create, body: membership_params.to_json, as: :json
         assert_response :ok
       end
     end
 
     test ":membership can delete an user twice" do
+      @request.headers['X-Github-Event'] = 'membership'
       assert_no_difference -> { Membership.count } do
-        post :membership, params: membership_params.merge(_action: 'removed', member: {login: 'bob'})
+        post :create, body: membership_params.merge(action: 'removed', member: {login: 'bob'}).to_json, as: :json
         assert_response :ok
       end
     end
@@ -153,7 +136,7 @@ module Shipit
     private
 
     def membership_params
-      {_action: 'added', team: team_params, organization: {login: 'shopify'}, member: {login: 'walrus'}}
+      {action: 'added', team: team_params, organization: {login: 'shopify'}, member: {login: 'walrus'}}
     end
 
     def team_params