shipit-engine 0.7.0 → 0.8.0

data/app/views/shipit/deploys/_concurrent_deploy_warning.html.erb

@@ -1,5 +1,5 @@
 <section class="warning concurrent-deploy">
-  <h2><%= render_github_user(@stack.active_deploy.author) %> is already deploying!</h2>
+  <h2><%= render_github_user(@stack.active_task.author) %> is already deploying!</h2>
   <ul>
     <li>Are you sure you want to deploy concurrently?</li>
     <li>

data/app/views/shipit/deploys/_deploy.html.erb

@@ -23,12 +23,12 @@
   <% unless read_only %>
     <div class="commit-actions">
       <% if deploy.rollbackable? %>
-        <% if deploy.stack.deploying? %>
+        <% if deploy.stack.active_task? %>
           <%= link_to 'Deploy in progress...', '#', class: 'btn disabled deploy-action' %>
         <% else %>
           <%= link_to 'Rollback to this deploy...', rollback_stack_deploy_path(@stack, deploy), class: 'btn btn--delete deploy-action rollback-action' %>
         <% end %>
-      <% elsif deploy.currently_deployed? && !deploy.stack.deploying? %>
+      <% elsif deploy.currently_deployed? && !deploy.stack.active_task? %>
         <%= redeploy_button(deploy.until_commit) %>
       <% end %>
     </div>

data/app/views/shipit/deploys/new.html.erb

@@ -28,23 +28,9 @@
   <%= render_checklist @stack.checklist %>
 
   <%= form_for [@stack, @deploy] do |f| %>
-    <% unless @deploy.variables.empty? %>
-      <section>
-        <header class="section-header environment-variables">
-          <h2>Environment variables</h2>
-        </header>
-        <%= f.fields_for :env do |env_fields| %>
-          <% @deploy.variables.each do |variable| %>
-            <p class="environment-variable">
-              <%= env_fields.text_field variable.name, value: variable.default %>
-              <%= env_fields.label variable.name, variable.title || variable.name %>
-            </p>
-          <% end %>
-        <% end %>
-      </section>
-    <% end %>
-
-    <%= render 'concurrent_deploy_warning' if @stack.deploying? %>
+    <%= render partial: 'shipit/variables', locals: { variables: @deploy.variables, form: f, header: "Environment Variables", field_name: :env}  %>
+
+    <%= render 'concurrent_deploy_warning' if @stack.active_task? %>
 
     <section class="submit-section">
       <%= f.hidden_field :until_commit_id %>

data/app/views/shipit/deploys/rollback.html.erb

@@ -24,23 +24,9 @@
   <%= render_checklist @stack.checklist %>
 
   <%= form_for [@stack, @rollback] do |f| %>
-    <% unless @rollback.variables.empty? %>
-      <section>
-        <header class="section-header environment-variables">
-          <h2>Environment variables</h2>
-        </header>
-        <%= f.fields_for :env do |env_fields| %>
-          <% @rollback.variables.each do |variable| %>
-            <p class="environment-variable">
-              <%= env_fields.text_field variable.name, value: variable.default %>
-              <%= env_fields.label variable.name, variable.title || variable.name %>
-            </p>
-          <% end %>
-        <% end %>
-      </section>
-    <% end %>
-
-    <%= render 'concurrent_deploy_warning' if @stack.deploying? %>
+    <%= render partial: 'shipit/variables', locals: { variables: @rollback.variables, form: f, header: "Environment Variables", field_name: :env}  %>
+
+    <%= render 'concurrent_deploy_warning' if @stack.active_task? %>
 
     <section class="submit-section">
       <%= f.hidden_field :parent_id %>

data/app/views/shipit/tasks/new.html.erb

@@ -13,9 +13,17 @@
 
   <%= render_checklist @task.checklist %>
 
-  <section class="submit-section">
-    <%= form_for @task, url: stack_tasks_path(@stack, definition_id: @task.definition.id) do |f| %>
+  <%= form_for @task, url: stack_tasks_path(@stack, definition_id: @task.definition.id) do |f| %>
+
+    <%= render partial: 'shipit/variables', locals: { variables: @task.definition.variables, form: f, header: "Environment Variables", field_name: :env}  %>
+
+    <section class="submit-section">
+      <% if !@task.definition.allow_concurrency? && @stack.active_task? %>
+        <%= render 'shipit/deploys/concurrent_deploy_warning' %>
+      <% end %>
+
       <%= f.submit @task.definition.action, :class => ['btn', 'primary', 'trigger-deploy'] %>
-    <% end %>
-  </section>
+    </section>
+
+  <% end %>
 </div>

data/config/locales/en.yml

@@ -52,3 +52,14 @@ en:
     messages:
       subset: "is not a strict subset of %{of}"
       ascii: "contains non-ASCII characters"
+  deployment_description:
+    deploy:
+      pending: "%{author} triggered the deploy of %{stack} to %{sha}"
+      success: "%{author} deployed %{stack} to %{sha}"
+      failure: "Deploy of %{stack} to %{sha} by %{author} failed"
+      error: "Deploy of %{stack} to %{sha} by %{author} failed"
+    rollback:
+      pending: "%{author} triggered the rollback of %{stack} to %{sha}"
+      success: "%{author} rolled back %{stack} to %{sha}"
+      failure: "Rollback of %{stack} to %{sha} by %{author} failed"
+      error: "Rollback of %{stack} to %{sha} by %{author} failed"

data/db/migrate/20160210183823_add_allow_concurrency_to_tasks.rb

@@ -0,0 +1,5 @@
+class AddAllowConcurrencyToTasks < ActiveRecord::Migration
+  def change
+    add_column :tasks, :allow_concurrency, :boolean, null: false, default: false
+  end
+end

data/db/migrate/20160303163611_create_shipit_commit_deployments.rb

@@ -0,0 +1,14 @@
+class CreateShipitCommitDeployments < ActiveRecord::Migration
+  def change
+    create_table :commit_deployments do |t|
+      t.references :commit, foreign_key: true
+      t.references :task, index: true, foreign_key: true
+      t.integer :github_id, null: true
+      t.string :api_url, null: true
+
+      t.timestamps null: false
+
+      t.index %i(commit_id task_id), unique: true
+    end
+  end
+end

data/db/migrate/20160303170913_create_shipit_commit_deployment_statuses.rb

@@ -0,0 +1,12 @@
+class CreateShipitCommitDeploymentStatuses < ActiveRecord::Migration
+  def change
+    create_table :commit_deployment_statuses do |t|
+      t.references :commit_deployment, index: true, foreign_key: true
+      t.string :status
+      t.integer :github_id
+      t.string :api_url
+
+      t.timestamps null: false
+    end
+  end
+end

data/db/migrate/20160303203940_add_encrypted_token_to_users.rb

@@ -0,0 +1,6 @@
+class AddEncryptedTokenToUsers < ActiveRecord::Migration
+  def change
+    add_column :users, :encrypted_github_access_token, :string
+    add_column :users, :encrypted_github_access_token_iv, :string
+  end
+end

data/lib/shipit.rb

@@ -4,6 +4,7 @@ require 'state_machines-activerecord'
 require 'validate_url'
 require 'responders'
 require 'explicit-parameters'
+require 'attr_encrypted'
 
 require 'sass-rails'
 require 'coffee-rails'
@@ -37,6 +38,7 @@ require 'shipit/stack_commands'
 require 'shipit/task_commands'
 require 'shipit/deploy_commands'
 require 'shipit/rollback_commands'
+require 'shipit/environment_variables'
 
 SafeYAML::OPTIONS[:default_mode] = :safe
 SafeYAML::OPTIONS[:deserialize_symbols] = false
@@ -96,7 +98,11 @@ module Shipit
   end
 
   def api_clients_secret
-    secrets.api_clients_secret || ''
+    secrets.api_clients_secret.presence || secrets.secret_key_base
+  end
+
+  def user_access_tokens_key
+    secrets.user_access_tokens_key.presence || secrets.secret_key_base
   end
 
   def host

data/lib/shipit/engine.rb

@@ -18,6 +18,8 @@ module Shipit
         path =~ /\Aplugins\/[\-\w]+\.(js|css)\Z/
       end
 
+      ActionDispatch::ExceptionWrapper.rescue_responses[Shipit::TaskDefinition::NotFound.name] = :not_found
+
       ActiveModel::Serializer._root = false
       ActiveModel::ArraySerializer._root = false
       ActiveModel::Serializer.include(Engine.routes.url_helpers)
@@ -29,7 +31,7 @@ module Shipit
             :github,
             Shipit.github_oauth_id,
             Shipit.github_oauth_secret,
-            scope: 'email',
+            scope: 'email,repo_deployment',
             client_options: Shipit.github_oauth_options,
           )
         end

data/lib/shipit/environment_variables.rb

@@ -0,0 +1,34 @@
+module Shipit
+  class EnvironmentVariables
+    NotPermitted = Class.new(StandardError)
+
+    class << self
+      def with(env)
+        EnvironmentVariables.new(env)
+      end
+    end
+
+    def permit(variable_definitions)
+      return {} unless @env
+      raise "A whitelist is required to sanitize environment variables" unless variable_definitions
+      sanitize_env_vars(variable_definitions)
+    end
+
+    private
+
+    def initialize(env)
+      @env = env
+    end
+
+    def sanitize_env_vars(variable_definitions)
+      allowed_variables = variable_definitions.map(&:name)
+
+      allowed, disallowed = @env.partition { |k, _| allowed_variables.include?(k) }.map(&:to_h)
+
+      error_message = "Variables #{disallowed.keys.to_sentence} have not been whitelisted"
+      raise NotPermitted.new(error_message) unless disallowed.empty?
+
+      allowed
+    end
+  end
+end

data/lib/shipit/simple_message_verifier.rb

@@ -2,7 +2,6 @@ module Shipit
   class SimpleMessageVerifier < ActiveSupport::MessageVerifier
     def initialize(secret, options = {})
       options[:serializer] ||= ToS
-      secret += Rails.application.secrets.secret_key_base
       super(secret, options)
     end
 

data/lib/shipit/task_commands.rb

@@ -31,6 +31,7 @@ module Shipit
       normalized_name = ActiveSupport::Inflector.transliterate(@task.author.name)
       super.merge(
         'ENVIRONMENT' => @stack.environment,
+        'BRANCH' => @stack.branch,
         'USER' => "#{@task.author.login} (#{normalized_name}) via Shipit",
         'EMAIL' => @task.author.email,
         'BUNDLE_PATH' => Rails.root.join('data', 'bundler').to_s,

data/lib/shipit/version.rb

@@ -1,3 +1,3 @@
 module Shipit
-  VERSION = '0.7.0'
+  VERSION = '0.8.0'
 end

data/test/controllers/api/deploys_controller_test.rb

@@ -18,6 +18,21 @@ module Shipit
         assert_json 'status', 'pending'
       end
 
+      test "#create triggers a new deploy for whitelisted variables" do
+        correct_env = {'SAFETY_DISABLED' => 1}
+        post :create, stack_id: @stack.to_param, sha: @commit.sha, env: correct_env
+        assert_response :accepted
+        assert_json 'type', 'deploy'
+        assert_json 'status', 'pending'
+      end
+
+      test "#create refuses to trigger a new deploy with incorrect variables" do
+        incorrect_env = {'DANGEROUS_VARIABLE' => 1}
+        post :create, stack_id: @stack.to_param, sha: @commit.sha, env: incorrect_env
+        assert_response :unprocessable_entity
+        assert_json 'message', 'Variables DANGEROUS_VARIABLE have not been whitelisted'
+      end
+
       test "#create use the claimed user as author" do
         request.headers['X-Shipit-User'] = @user.login
         post :create, stack_id: @stack.to_param, sha: @commit.sha

data/test/controllers/api/tasks_controller_test.rb

@@ -31,6 +31,21 @@ module Shipit
         assert_json 'status', 'pending'
       end
 
+      test "#trigger refuses to trigger a task with tasks not whitelisted" do
+        env = {'DANGEROUS_VARIABLE' => 'bar'}
+        post :trigger, stack_id: @stack.to_param, task_name: 'restart', env: env
+        assert_response :unprocessable_entity
+        assert_json 'message', 'Variables DANGEROUS_VARIABLE have not been whitelisted'
+      end
+
+      test "#trigger triggers a task with only whitelisted env variables" do
+        env = {'FOO' => 'bar'}
+        post :trigger, stack_id: @stack.to_param, task_name: 'restart', env: env
+        assert_response :accepted
+        assert_json 'type', 'task'
+        assert_json 'status', 'pending'
+      end
+
       test "#trigger returns a 404 when the task doesn't exist" do
         post :trigger, stack_id: @stack.to_param, task_name: 'doesnt_exist'
         assert_response :not_found

data/test/controllers/github_authentication_controller_test.rb

@@ -3,12 +3,30 @@ require 'test_helper'
 module Shipit
   class GithubAuthenticationControllerTest < ActionController::TestCase
     test ":callback can sign in to github" do
-      @request.env['omniauth.auth'] = {info: {nickname: 'shipit'}}
-      github_user = mock('Sawyer User')
-      Shipit.github_api.stubs(:user).returns(github_user)
-      User.expects(:find_or_create_from_github).with(github_user).returns(stub(id: 44))
+      auth = OmniAuth::AuthHash.new(
+        credentials: OmniAuth::AuthHash.new(
+          token: 's3cr3t',
+        ),
+        extra: OmniAuth::AuthHash.new(
+          raw_info: OmniAuth::AuthHash.new(
+            id: 44,
+            name: 'Shipit',
+            email: 'shipit@example.com',
+            login: 'shipit',
+            avatar_url: 'https://example.com',
+            api_url: 'https://github.com/api/v3/users/shipit',
+          ),
+        ),
+      )
+      @request.env['omniauth.auth'] = auth
 
-      get :callback
+      assert_difference -> { User.count } do
+        get :callback
+      end
+
+      user = User.find_by_login('shipit')
+      assert_equal 's3cr3t', user.github_access_token
+      assert_equal 44, user.github_id
     end
   end
 end

data/test/controllers/tasks_controller_test.rb

@@ -15,13 +15,38 @@ module Shipit
       assert_response :ok
     end
 
-    test "tasks defined in the shipit.yml can be triggered" do
-      assert_difference '@stack.tasks.count', 1 do
+    test "tasks defined in the shipit.yml can't be triggered if the stack is being deployed" do
+      assert @stack.active_task?
+      assert_no_difference -> { @stack.tasks.count } do
+        post :create, stack_id: @stack, definition_id: @definition.id
+      end
+      assert_redirected_to new_stack_tasks_path(@stack, @definition)
+    end
+
+    test "tasks defined in the shipit.yml can be triggered anyway if force apram is present" do
+      assert @stack.active_task?
+      assert_difference -> { @stack.tasks.count } do
+        post :create, stack_id: @stack, definition_id: @definition.id, force: 'true'
+      end
+      assert_redirected_to stack_task_path(@stack, Task.last)
+    end
+
+    test "tasks defined in the shipit.yml can be triggered while the stack is being deployed if specified as such" do
+      @definition = @stack.find_task_definition('flush_cache')
+      assert_difference -> { @stack.tasks.count } do
         post :create, stack_id: @stack, definition_id: @definition.id
       end
       assert_redirected_to stack_task_path(@stack, Task.last)
     end
 
+    test "tasks with variables defined in the shipit.yml can be triggered with their variables set" do
+      env = {"FOO" => "0"}
+
+      post :create, stack_id: @stack, definition_id: @definition.id, task: {env: env}, force: 'true'
+
+      assert_redirected_to stack_tasks_path(@stack, Task.last)
+    end
+
     test "triggered tasks can be observed" do
       get :show, stack_id: @stack, id: @task.id
       assert_response :ok

data/test/controllers/webhooks_controller_test.rb

@@ -171,8 +171,14 @@ module Shipit
     end
 
     def george
-      rels = {self: stub(href: 'https://api.github.com/user/george')}
-      stub(id: 42, name: 'George Abitbol', login: 'george', email: 'george@cyclim.se', rels: rels)
+      stub(
+        id: 42,
+        name: 'George Abitbol',
+        login: 'george',
+        email: 'george@cyclim.se',
+        avatar_url: 'https://avatars.githubusercontent.com/u/42?v=3',
+        url: 'https://api.github.com/user/george',
+      )
     end
   end
 end

data/test/dummy/config/database.mysql.yml

@@ -1,6 +1,6 @@
 default: &default
   adapter: mysql2
-  encoding: utf8
+  encoding: utf8mb4
   strict: true
 
 development:

data/test/dummy/config/secrets.example.yml

@@ -1,5 +1,5 @@
 development:
-  secret_key_base: s3cr3t
+  secret_key_base: s3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3t
   github_oauth:
     # id:
     # secret:
@@ -15,7 +15,7 @@ development:
   redis_url: "redis://127.0.0.1:6379/7"
 
 test:
-  secret_key_base: s3cr37
+  secret_key_base: s3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3t
   host: shipit.com
   github_api:
     access_token: t0kEn

data/test/dummy/config/secrets.yml

@@ -1,5 +1,5 @@
 development:
-  secret_key_base: s3cr3t
+  secret_key_base: s3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3t
   # github_domain: github.shopify.com
   github_oauth:
     id: 29f6c9084a8837f337ff
@@ -14,7 +14,7 @@ development:
   redis_url: "redis://127.0.0.1:6379/7"
 
 test:
-  secret_key_base: s3cr37
+  secret_key_base: s3cr3ts3cr3ts3cr3ts3cr3ts3cr3ts3cr3t
   host: shipit.com
   github_api:
     access_token: t0kEn