shipit-engine 0.35.1 → 0.37.0

data/app/views/shipit/stacks/settings.html.erb

@@ -6,61 +6,7 @@
       <h2>Settings (Stack #<%= @stack.id %>)</h2>
     </header>
 
-    <div class="setting-section">
-      <%= form_with scope: :stack, url: stack_path(@stack), method: :patch do |f| %>
-        <div class="field-wrapper">
-          <%= f.label :environment %>
-          <%= f.text_field :environment, placeholder: 'production' %>
-        </div>
-
-        <div class="field-wrapper">
-          <span>Branch: <%= @stack.branch %></span>
-        </div>
-
-        <div class="field-wrapper">
-          <%= f.label :deploy_url, 'Deploy URL (Where is this stack deployed to?)' %>
-          <%= f.text_field :deploy_url, placeholder: 'https://' %>
-        </div>
-
-        <div class="field-wrapper">
-          <%= f.check_box :continuous_deployment %>
-          <%= f.label :continuous_deployment, 'Enable continuous deployment' %>
-        </div>
-
-        <div class="field-wrapper">
-          <%= f.check_box :merge_queue_enabled %>
-          <%= f.label :merge_queue_enabled, 'Enable merge queue' %>
-        </div>
-
-        <div class="field-wrapper">
-          <%= f.check_box :ignore_ci %>
-          <%= f.label :ignore_ci, "Don't require CI to deploy" %>
-        </div>
-
-        <%= f.submit class: "btn", value: "Save" %>
-      <% end %>
-    </div>
-
-    <div class="setting-section">
-      <h5>Lock deploys</h5>
-      <%= form_with scope: :stack, url: stack_path(@stack), method: :patch do |f| %>
-        <div class="field-wrapper">
-          <%= f.label :lock_reason, 'Reason for lock' %>
-          <%= f.text_area :lock_reason %>
-        </div>
-        <% if @stack.locked? %>
-          <%= f.submit class: "btn", value: "Update Reason" %>
-        <% else %>
-            <%= f.submit class: "btn", value: "Lock" %>
-        <% end %>
-      <% end %>
-      <% if @stack.locked? %>
-        <%= form_with scope: :stack, url: stack_path(@stack), method: :patch do |f| %>
-          <%= f.hidden_field :lock_reason, value: nil %>
-          <%= f.submit class: "btn btn--primary", value: "Unlock" %>
-        <%- end -%>
-      <% end %>
-    </div>
+    <%= render partial: 'shipit/stacks/settings_form', locals: { stack: @stack } %>
 
     <div class="setting-section">
       <h5>Resynchronize this stack</h5>

data/app/views/shipit/stacks/show.html.erb

@@ -30,7 +30,7 @@
     </ul>
   </section>
 
-  <% cache @stack do %>
+  <% cache [@stack, params[:force]] do %>
     <section>
       <header class="section-header">
         <h2>Previous Deploys</h2>

data/config/locales/en.yml

@@ -41,7 +41,7 @@ en:
     reject: Mark the release as faulty
   deploy_button:
     hint:
-      max_commits: It is recommended not to deploy more than %{maximum} commits at once.
+      max_commits: Use caution when deploying more than %{maximum} commits at once.
       blocked: This commit range includes a commit that can't be deployed.
     caption:
       pending: Pending CI

data/config/routes.rb

@@ -20,6 +20,7 @@ Shipit::Engine.routes.draw do
       get '/' => 'stacks#show'
       delete '/' => 'stacks#destroy'
       patch '/' => 'stacks#update'
+      post '/refresh' => 'stacks#refresh'
     end
 
     scope '/stacks/*stack_id', stack_id: stack_id_format, as: :stack do
@@ -27,6 +28,9 @@ Shipit::Engine.routes.draw do
       resource :lock, only: %i(create update destroy)
       resources :tasks, only: %i(index show) do
         resource :output, only: :show
+        member do
+          put :abort
+        end
       end
       resources :deploys, only: %i(index create) do
         resources :release_statuses, only: %i(create)

data/db/migrate/20211103154121_increase_github_team_slug_size.rb

@@ -0,0 +1,5 @@
+class IncreaseGithubTeamSlugSize < ActiveRecord::Migration[6.1]
+  def change
+    change_column :teams, :slug, :string, limit: 255, null: true
+  end
+end

data/lib/shipit/engine.rb

@@ -5,6 +5,17 @@ module Shipit
 
     paths['app/models'] << 'app/serializers' << 'app/serializers/concerns'
 
+    initializer 'shipit.encryption_config', before: 'active_record_encryption.configuration' do |app|
+      if app.credentials.active_record_encryption.blank? && Shipit.user_access_tokens_key.present?
+        # For ease of upgrade, we derive an Active Record encryption config automatically.
+        # But if AR Encryption is already configured, we just use that
+        app.credentials[:active_record_encryption] = {
+          primary_key: Shipit.user_access_tokens_key,
+          key_derivation_salt: Digest::SHA256.digest("salt:".b + Shipit.user_access_tokens_key),
+        }
+      end
+    end
+
     initializer 'shipit.config' do |app|
       Rails.application.routes.default_url_options[:host] = Shipit.host
       Shipit::Engine.routes.default_url_options[:host] = Shipit.host
@@ -28,8 +39,6 @@ module Shipit
         path.end_with?('.svg') || (path.start_with?('emoji/') && path.end_with?('.png'))
       end
 
-      ActionDispatch::ExceptionWrapper.rescue_responses[Shipit::TaskDefinition::NotFound.name] = :not_found
-
       ActiveModel::Serializer._root = false
       ActiveModel::ArraySerializer._root = false
       ActiveModel::Serializer.include(Engine.routes.url_helpers)
@@ -44,10 +53,11 @@ module Shipit
       if Shipit.enable_samesite_middleware?
         app.config.middleware.insert_after(::Rack::Runtime, Shipit::SameSiteCookieMiddleware)
       end
+    end
 
-      app.config.after_initialize do
-        ActionController::Base.include(Shipit::ActiveModelSerializersPatch)
-      end
+    config.after_initialize do
+      ActionDispatch::ExceptionWrapper.rescue_responses[Shipit::TaskDefinition::NotFound.name] = :not_found
+      ActionController::Base.include(Shipit::ActiveModelSerializersPatch)
     end
   end
 end

data/lib/shipit/stack_commands.rb

@@ -16,7 +16,7 @@ module Shipit
     def fetch
       create_directories
       if valid_git_repository?(@stack.git_path)
-        git('fetch', 'origin', '--tags', @stack.branch, env: env, chdir: @stack.git_path)
+        git('fetch', 'origin', '--quiet', '--tags', @stack.branch, env: env, chdir: @stack.git_path)
       else
         @stack.clear_git_cache!
         git_clone(@stack.repo_git_url, @stack.git_path, branch: @stack.branch, env: env, chdir: @stack.deploys_path)
@@ -72,7 +72,14 @@ module Shipit
         ).run!
 
         git_dir = File.join(dir, @stack.repo_name)
-        git('-c', 'advice.detachedHead=false', 'checkout', commit.sha, chdir: git_dir).run! if commit
+        git(
+          '-c',
+          'advice.detachedHead=false',
+          'checkout',
+          '--quiet',
+          commit.sha,
+          chdir: git_dir
+        ).run! if commit
         yield Pathname.new(git_dir)
       end
     end

data/lib/shipit/task_commands.rb

@@ -47,7 +47,14 @@ module Shipit
     end
 
     def checkout(commit)
-      git('-c', 'advice.detachedHead=false', 'checkout', commit.sha, chdir: @task.working_directory)
+      git(
+        '-c',
+        'advice.detachedHead=false',
+        'checkout',
+        '--quiet',
+        commit.sha,
+        chdir: @task.working_directory
+      )
     end
 
     def clone

data/lib/shipit/version.rb

@@ -1,4 +1,4 @@
 # frozen_string_literal: true
 module Shipit
-  VERSION = '0.35.1'
+  VERSION = '0.37.0'
 end

data/lib/shipit.rb

@@ -5,7 +5,7 @@ require 'state_machines-activerecord'
 require 'validate_url'
 require 'responders'
 require 'explicit-parameters'
-require 'attr_encrypted'
+require 'paquito'
 
 require 'sass-rails'
 require 'coffee-rails'
@@ -64,7 +64,8 @@ module Shipit
 
   delegate :table_name_prefix, to: :secrets
 
-  attr_accessor :disable_api_authentication, :timeout_exit_codes, :deployment_checks
+  attr_accessor :disable_api_authentication, :timeout_exit_codes, :deployment_checks, :respect_bare_shipit_file,
+    :database_serializer
   attr_writer(
     :internal_hook_receivers,
     :preferred_org_emails,
@@ -77,6 +78,9 @@ module Shipit
   end
 
   self.timeout_exit_codes = [].freeze
+  self.respect_bare_shipit_file = true
+
+  alias_method :respect_bare_shipit_file?, :respect_bare_shipit_file
 
   def authentication_disabled?
     ENV['SHIPIT_DISABLE_AUTH'].present?
@@ -104,6 +108,50 @@ module Shipit
     )
   end
 
+  module SafeJSON
+    class << self
+      def load(serial)
+        return nil if serial.nil?
+        # JSON.load is unsafe, we should use parse instead
+        JSON.parse(serial)
+      end
+
+      def dump(object)
+        JSON.dump(object)
+      end
+    end
+  end
+
+  module TransitionalSerializer
+    SafeYAML = Paquito::SafeYAML.new(deprecated_classes: ["ActiveSupport::HashWithIndifferentAccess"])
+
+    class << self
+      def load(serial)
+        return if serial.nil?
+
+        JSON.parse(serial)
+      rescue JSON::ParserError
+        SafeYAML.load(serial)
+      end
+
+      def dump(object)
+        return if object.nil?
+        JSON.dump(object)
+      end
+    end
+  end
+
+  self.database_serializer = TransitionalSerializer
+
+  def serialized_column(attribute_name, type: nil, coder: nil)
+    column = Paquito::SerializedColumn.new(database_serializer, type, attribute_name: attribute_name)
+    if coder
+      Paquito.chain(coder, column)
+    else
+      column
+    end
+  end
+
   def github(organization: github_default_organization)
     # Backward compatibility
     # nil signifies the single github app config schema is being used
@@ -153,7 +201,11 @@ module Shipit
   end
 
   def user_access_tokens_key
-    (secrets.user_access_tokens_key.presence || secrets.secret_key_base).byteslice(0, 32)
+    if secrets.user_access_tokens_key.present?
+      secrets.user_access_tokens_key
+    elsif secrets.secret_key_base
+      Digest::SHA256.digest("user_access_tokens_key" + secrets.secret_key_base)
+    end
   end
 
   def host

data/lib/snippets/fetch-gem-version

@@ -10,7 +10,7 @@ github_repository = ARGV[1]
 def get_json(url)
   uri = URI.parse(url)
   response = Net::HTTP.get_response(uri)
-  versions = JSON.load(response.body)
+  versions = JSON.parse(response.body)
 end
 
 versions = get_json("https://rubygems.org/api/v1/versions/#{gem_name}.json")

data/test/controllers/api/hooks_controller_test.rb

@@ -61,7 +61,7 @@ module Shipit
         post :create, params: {
           delivery_url: 'https://example.com/hook',
           events: %w(deploy rollback),
-          created_at: 2.months.ago.to_s(:db),
+          created_at: 2.months.ago.to_formatted_s(:db),
         }
         Hook.last.created_at > 2.seconds.ago
       end

data/test/controllers/api/rollback_controller_test.rb

@@ -107,6 +107,7 @@ module Shipit
         assert_response :accepted
         refute_predicate last_deploy, :active?
         assert_json 'rollback_once_aborted_to.revision.sha', @commit.sha
+        assert last_deploy.rollback_once_aborted?
       end
     end
   end

data/test/controllers/api/stacks_controller_test.rb

@@ -96,6 +96,24 @@ module Shipit
         assert_equal 'test', @stack.branch
       end
 
+      test "#update updates the stack when nil deploy_url" do
+        @stack.update(deploy_url: nil)
+        @stack.update(continuous_deployment: true)
+        assert_nil @stack.deploy_url
+        assert @stack.continuous_deployment
+
+        patch :update, params: {
+          id: @stack.to_param,
+          continuous_deployment: false,
+        }
+
+        assert_response :ok
+        @stack.reload
+
+        assert_nil @stack.deploy_url
+        refute @stack.continuous_deployment
+      end
+
       test "#index returns a list of stacks" do
         stack = Stack.last
         get :index
@@ -189,6 +207,22 @@ module Shipit
         assert_response :forbidden
         assert_json 'message', 'This operation requires the `write:stack` permission'
       end
+
+      test "#refresh queues a GithubSyncJob" do
+        assert_enqueued_with(job: GithubSyncJob, args: [stack_id: @stack.id]) do
+          post :refresh, params: { id: @stack.to_param }
+        end
+        assert_response :accepted
+      end
+
+      test "#refresh queues a RefreshStatusesJob and RefreshCheckRunsJob" do
+        assert_enqueued_with(job: RefreshStatusesJob, args: [stack_id: @stack.id]) do
+          assert_enqueued_with(job: RefreshCheckRunsJob, args: [stack_id: @stack.id]) do
+            post :refresh, params: { id: @stack.to_param }
+          end
+        end
+        assert_response :accepted
+      end
     end
   end
 end

data/test/controllers/api/tasks_controller_test.rb

@@ -6,6 +6,7 @@ module Shipit
     class TasksControllerTest < ActionController::TestCase
       setup do
         @stack = shipit_stacks(:shipit)
+        @user = shipit_users(:walrus)
         authenticate!
       end
 
@@ -90,6 +91,61 @@ module Shipit
         assert_response :conflict
         assert_json 'message', 'A task is already running.'
       end
+
+      test "#trigger fails when user does not have deploy permission" do
+        @client.permissions.delete('deploy:stack')
+        @client.save!
+
+        assert_no_difference 'Task.count' do
+          post :trigger, params: { stack_id: @stack.to_param, task_name: 'restart' }
+        end
+
+        assert_response :forbidden
+        assert_json 'message', 'This operation requires the `deploy:stack` permission'
+      end
+
+      test "#abort aborts the task" do
+        task = shipit_deploys(:shipit_running)
+        task.ping
+
+        put :abort, params: { stack_id: @stack.to_param, id: task.id }
+
+        assert_response :accepted
+        assert_equal 'aborting', task.reload.status
+      end
+
+      test "#abort sets `aborted_by` to the current user" do
+        task = shipit_deploys(:shipit_running)
+        task.ping
+        request.headers['X-Shipit-User'] = @user.login
+
+        put :abort, params: { stack_id: @stack.to_param, id: task.id }
+
+        assert_equal task.reload.aborted_by, @user
+      end
+
+      test "#abort responds with method_not_allowed if the task is not currently running" do
+        task = shipit_deploys(:shipit_aborted)
+        task.ping
+        put :abort, params: { stack_id: @stack.to_param, id: task.id }
+
+        assert_response :method_not_allowed
+        assert_json 'message', 'This task is not currently running.'
+      end
+
+      test "#abort fails when user does not have deploy permission" do
+        @client.permissions.delete('deploy:stack')
+        @client.save!
+        task = shipit_deploys(:shipit_running)
+        task.ping
+
+        assert_no_difference 'Task.count' do
+          put :abort, params: { stack_id: @stack.to_param, id: task.id }
+        end
+
+        assert_response :forbidden
+        assert_json 'message', 'This operation requires the `deploy:stack` permission'
+      end
     end
   end
 end

data/test/controllers/stacks_controller_test.rb

@@ -36,6 +36,17 @@ module Shipit
       assert_redirected_to '/github/auth/github?origin=http%3A%2F%2Ftest.host%2F'
     end
 
+    test "users which require a fresh login are redirected" do
+      user = shipit_users(:walrus)
+      user.update!(github_access_token: 'some_legacy_value')
+      assert_predicate user, :requires_fresh_login?
+
+      get :index
+
+      assert_redirected_to '/github/auth/github?origin=http%3A%2F%2Ftest.host%2F'
+      assert_nil session[:user_id]
+    end
+
     test "current_user must be a member of at least a Shipit.github_teams" do
       session[:user_id] = shipit_users(:bob).id
       Shipit.stubs(:github_teams).returns([shipit_teams(:cyclimse_cooks), shipit_teams(:shopify_developers)])

data/test/dummy/config/application.rb

@@ -17,7 +17,6 @@ end
 
 module Shipit
   class Application < Rails::Application
-    config.load_defaults 6.1
+    config.load_defaults 7.0
   end
 end
-

data/test/dummy/db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema.define(version: 2021_08_23_075617) do
+ActiveRecord::Schema.define(version: 2021_11_03_154121) do
 
   create_table "api_clients", force: :cascade do |t|
     t.text "permissions", limit: 65535
@@ -315,7 +315,7 @@ ActiveRecord::Schema.define(version: 2021_08_23_075617) do
   create_table "teams", force: :cascade do |t|
     t.integer "github_id", limit: 4
     t.string "api_url", limit: 255
-    t.string "slug", limit: 50
+    t.string "slug", limit: 255
     t.string "name", limit: 255
     t.string "organization", limit: 39
     t.datetime "created_at", null: false

data/test/fixtures/shipit/check_runs.yml

@@ -7,7 +7,7 @@ second_pending_travis:
   conclusion: success
   html_url: "http://www.example.com/run/424242"
   details_url: "http://www.example.com/build/424242"
-  created_at: <%= 10.days.ago.to_s(:db) %>
+  created_at: <%= 10.days.ago.to_formatted_s(:db) %>
 
 check_runs_first_pending_coveralls:
   stack: check_runs
@@ -15,7 +15,7 @@ check_runs_first_pending_coveralls:
   github_id: 43
   title: lets go
   name: Coverage metrics
-  created_at: <%= 10.days.ago.to_s(:db) %>
+  created_at: <%= 10.days.ago.to_formatted_s(:db) %>
   conclusion: pending
   html_url: "http://www.example.com/run/434343"
   details_url: "http://www.example.com/build/434343"
@@ -26,7 +26,7 @@ check_runs_first_success_coveralls:
   github_id: 434343
   title: lets go
   name: Coverage metrics
-  created_at: <%= 9.days.ago.to_s(:db) %>
+  created_at: <%= 9.days.ago.to_formatted_s(:db) %>
   conclusion: success
   html_url: "http://www.example.com/run/434343"
   details_url: "http://www.example.com/build/434343"