unwrappr 0.3.0

data/lib/unwrappr/git_command_runner.rb

@@ -0,0 +1,81 @@
+# frozen_string_literal: true
+
+require 'git'
+require 'logger'
+
+module Unwrappr
+  # Runs Git commands
+  module GitCommandRunner
+    class << self
+      def create_branch!
+        raise 'Not a git working dir' unless git_dir?
+        raise 'failed to create branch' unless branch_created?
+      end
+
+      def commit_and_push_changes!
+        raise 'failed to add git changes' unless git_added_changes?
+        raise 'failed to commit changes' unless git_committed?
+        raise 'failed to push changes' unless git_pushed?
+      end
+
+      def reset_client
+        @git = nil
+      end
+
+      def show(revision, path)
+        git.show(revision, path)
+      rescue Git::GitExecuteError
+        nil
+      end
+
+      def remote
+        git.config('remote.origin.url')
+      end
+
+      def current_branch_name
+        git.current_branch
+      end
+
+      private
+
+      def git_dir?
+        git_wrap { !current_branch_name.empty? }
+      end
+
+      def branch_created?
+        timestamp = Time.now.strftime('%Y%d%m-%H%M').freeze
+        git_wrap do
+          git.checkout('origin/master')
+          git.branch("auto_bundle_update_#{timestamp}").checkout
+        end
+      end
+
+      def git_added_changes?
+        git_wrap { git.add(all: true) }
+      end
+
+      def git_committed?
+        git_wrap { git.commit('Automatic Bundle Update') }
+      end
+
+      def git_pushed?
+        git_wrap { git.push('origin', current_branch_name) }
+      end
+
+      def git
+        log_options = {}.tap do |opt|
+          opt[:log] = Logger.new(STDOUT) if ENV['DEBUG']
+        end
+
+        @git ||= Git.open(Dir.pwd, log_options)
+      end
+
+      def git_wrap
+        yield
+        true
+      rescue Git::GitExecuteError
+        false
+      end
+    end
+  end
+end

data/lib/unwrappr/github/client.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'octokit'
+
+module Unwrappr
+  module GitHub
+    # GitHub Interactions
+    module Client
+      class << self
+        def reset_client
+          @git_client = nil
+          @github_token = nil
+        end
+
+        def make_pull_request!
+          create_and_annotate_pull_request
+        rescue Octokit::ClientError => e
+          raise "Failed to create and annotate pull request: #{e}"
+        end
+
+        private
+
+        def repo_name_and_org
+          repo_url = Unwrappr::GitCommandRunner.remote.gsub(/\.git$/, '')
+          pattern = %r{github.com[/:](?<org>.*)/(?<repo>.*)}
+          m = pattern.match(repo_url)
+          [m[:org], m[:repo]].join('/')
+        end
+
+        def create_and_annotate_pull_request
+          pr = git_client.create_pull_request(
+            repo_name_and_org,
+            'master',
+            Unwrappr::GitCommandRunner.current_branch_name,
+            'Automated Bundle Update',
+            pull_request_body
+          )
+          annotate_pull_request(pr.number)
+        end
+
+        def pull_request_body
+          <<~BODY
+            Gems brought up-to-date with :heart: by [Unwrappr](https://github.com/envato/unwrappr).
+             See individual annotations below for details.
+          BODY
+        end
+
+        def annotate_pull_request(pr_number)
+          LockFileAnnotator.annotate_github_pull_request(
+            repo: repo_name_and_org,
+            pr_number: pr_number,
+            client: git_client
+          )
+        end
+
+        def git_client
+          @git_client ||= Octokit::Client.new(access_token: github_token)
+        end
+
+        def github_token
+          @github_token ||= ENV.fetch('GITHUB_TOKEN') do
+            raise %(
+Missing environment variable GITHUB_TOKEN.
+See https://github.com/settings/tokens to set up personal access tokens.
+Add to the environment:
+
+    export GITHUB_TOKEN=XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
+
+)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/unwrappr/github/pr_sink.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+module Unwrappr
+  module Github
+    # Saves Gemfile.lock annotations as Github pull request comments.
+    #
+    # Implements the `annotation_sink` interface as defined by the
+    # LockFileAnnotator.
+    class PrSink
+      def initialize(repo, pr_number, client)
+        @repo = repo
+        @pr_number = pr_number
+        @client = client
+      end
+
+      def annotate_change(gem_change, message)
+        @client.create_pull_request_comment(
+          @repo,
+          @pr_number,
+          message,
+          gem_change.sha,
+          gem_change.filename,
+          gem_change.line_number
+        )
+      end
+    end
+  end
+end

data/lib/unwrappr/github/pr_source.rb

@@ -0,0 +1,59 @@
+# frozen_string_literal: true
+
+require 'base64'
+
+module Unwrappr
+  module Github
+    # Obtains Gemfile.lock changes from a Github Pull Request
+    #
+    # Implements the `lock_file_diff_source` interface as defined by the
+    # LockFileAnnotator.
+    class PrSource
+      def initialize(repo, pr_number, client)
+        @repo = repo
+        @pr_number = pr_number
+        @client = client
+      end
+
+      def each_file
+        lock_file_diffs.each do |lock_file_diff|
+          yield LockFileDiff.new(
+            filename: lock_file_diff.filename,
+            base_file: file_contents(lock_file_diff.filename, base_sha),
+            head_file: file_contents(lock_file_diff.filename, head_sha),
+            patch: lock_file_diff.patch,
+            sha: head_sha
+          )
+        end
+      end
+
+      private
+
+      def lock_file_diffs
+        @lock_file_diffs ||= @client
+                             .pull_request_files(@repo, @pr_number)
+                             .select do |file|
+                               File.basename(file.filename) == 'Gemfile.lock'
+                             end
+      end
+
+      def file_contents(filename, ref)
+        Base64.decode64(
+          @client.contents(@repo, path: filename, ref: ref).content
+        )
+      end
+
+      def head_sha
+        @head_sha ||= pull_request.head.sha
+      end
+
+      def base_sha
+        @base_sha ||= pull_request.base.sha
+      end
+
+      def pull_request
+        @pull_request ||= @client.pull_request(@repo, @pr_number)
+      end
+    end
+  end
+end

data/lib/unwrappr/lock_file_annotator.rb

@@ -0,0 +1,65 @@
+# frozen_string_literal: true
+
+module Unwrappr
+  # The main entry object for annotating Gemfile.lock files.
+  #
+  # This class has four main collaborators:
+  #
+  # - **lock_file_diff_source**: Provides a means of obtaining `LockFileDiff`
+  #   instances.
+  #
+  # - **annotation_sink**: A place to send gem change annotations.
+  #
+  # - **gem_researcher**: Collects extra information about the gem change.
+  #   Unwrapprs if you will.
+  #
+  # - **annotation_writer**: Collects the gem change and all the collated
+  #   research and presents it in a nicely formatted annotation.
+  class LockFileAnnotator
+    # rubocop:disable Metrics/MethodLength
+    def self.annotate_github_pull_request(
+      repo:, pr_number:, client: Octokit.client
+    )
+      new(
+        lock_file_diff_source: Github::PrSource.new(repo, pr_number, client),
+        annotation_sink: Github::PrSink.new(repo, pr_number, client),
+        annotation_writer: Writers::Composite.new(
+          Writers::Title,
+          Writers::VersionChange,
+          Writers::ProjectLinks,
+          Writers::SecurityVulnerabilities,
+          Writers::GithubCommitLog
+        ),
+        gem_researcher: Researchers::Composite.new(
+          Researchers::RubyGemsInfo.new,
+          Researchers::GithubRepo.new,
+          Researchers::GithubComparison.new(client),
+          Researchers::SecurityVulnerabilities.new
+        )
+      ).annotate
+    end
+    # rubocop:enable Metrics/MethodLength
+
+    def initialize(
+      lock_file_diff_source:,
+      annotation_sink:,
+      annotation_writer:,
+      gem_researcher:
+    )
+      @lock_file_diff_source = lock_file_diff_source
+      @annotation_sink = annotation_sink
+      @annotation_writer = annotation_writer
+      @gem_researcher = gem_researcher
+    end
+
+    def annotate
+      @lock_file_diff_source.each_file do |lock_file_diff|
+        lock_file_diff.each_gem_change do |gem_change|
+          gem_change_info = @gem_researcher.research(gem_change, {})
+          message = @annotation_writer.write(gem_change, gem_change_info)
+          @annotation_sink.annotate_change(gem_change, message)
+        end
+      end
+    end
+  end
+end

data/lib/unwrappr/lock_file_comparator.rb

@@ -0,0 +1,28 @@
+# frozen_string_literal: true
+
+require 'bundler'
+
+module Unwrappr
+  # Compares two lock files and emits a diff of versions
+  module LockFileComparator
+    class << self
+      def perform(lock_file_content_before, lock_file_content_after)
+        lock_file_before = Bundler::LockfileParser.new(lock_file_content_before)
+        lock_file_after = Bundler::LockfileParser.new(lock_file_content_after)
+
+        versions_diff = SpecVersionComparator.perform(
+          specs_versions(lock_file_before),
+          specs_versions(lock_file_after)
+        )
+
+        { versions: versions_diff }
+      end
+
+      private
+
+      def specs_versions(lock_file)
+        Hash[lock_file.specs.map { |s| [s.name.to_sym, s.version.to_s] }]
+      end
+    end
+  end
+end

data/lib/unwrappr/lock_file_diff.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+module Unwrappr
+  # Responsible for identifying all gem changes between two versions of a
+  # Gemfile.lock file.
+  class LockFileDiff
+    def initialize(filename:, base_file:, head_file:, patch:, sha:)
+      @filename = filename
+      @base_file = base_file
+      @head_file = head_file
+      @patch = patch
+      @sha = sha
+    end
+
+    attr_reader :filename, :sha
+
+    def each_gem_change
+      version_changes.each do |change|
+        yield GemChange.new(
+          name: change[:dependency].to_s,
+          base_version: gem_version(change[:before]),
+          head_version: gem_version(change[:after]),
+          line_number: line_number_for_change(change),
+          lock_file_diff: self
+        )
+      end
+    end
+
+    private
+
+    def version_changes
+      @version_changes ||=
+        LockFileComparator.perform(@base_file, @head_file)[:versions]
+    end
+
+    def gem_version(version)
+      version && GemVersion.new(version)
+    end
+
+    # Obtain the line in the patch that should be annotated
+    def line_number_for_change(change)
+      # If a gem is removed, use the `-` line (as there is no `+` line).
+      # For all other cases use the `+` line.
+      type = (change[:after].nil? ? '-' : '+')
+      line_numbers[change[:dependency].to_s][type]
+    end
+
+    def line_numbers
+      return @line_numbers if defined?(@line_numbers)
+
+      @line_numbers = Hash.new { |hash, key| hash[key] = {} }
+      @patch.split("\n").each_with_index do |line, line_number|
+        gem_name, change_type = extract_gem_and_change_type(line)
+        next if gem_name.nil? || change_type.nil?
+
+        @line_numbers[gem_name][change_type] = line_number
+      end
+      @line_numbers
+    end
+
+    def extract_gem_and_change_type(line)
+      # We only care about lines like this:
+      # '+    websocket-driver (0.6.5)'
+      # Careful not to match this (note the wider indent):
+      # '+      websocket-extensions (>= 0.1.0)'
+      pattern = /^(?<change_type>[\+\-])    (?<gem_name>[\w-]+) \(\d/
+      match = pattern.match(line)
+      return match[:gem_name], match[:change_type] unless match.nil?
+    end
+  end
+end

data/lib/unwrappr/octokit.rb

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+
+# Wrapper around octokit
+module Octokit
+  def self.client
+    @client ||= Client.new(access_token: ENV['GITHUB_TOKEN'])
+  end
+end

data/lib/unwrappr/researchers/composite.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Unwrappr
+  module Researchers
+    # Delegate to many researchers, collecting and returning their findings.
+    #
+    # Implements the `gem_researcher` interface required by the
+    # LockFileAnnotator.
+    class Composite
+      def initialize(*researchers)
+        @researchers = researchers
+      end
+
+      def research(gem_change, gem_change_info)
+        @researchers.reduce(gem_change_info) do |info, researcher|
+          researcher.research(gem_change, info)
+        end
+      end
+    end
+  end
+end

data/lib/unwrappr/researchers/github_comparison.rb

@@ -0,0 +1,43 @@
+# frozen_string_literal: true
+
+module Unwrappr
+  module Researchers
+    # Compares the old version to the new via the Github API:
+    # https://developer.github.com/v3/repos/commits/#compare-two-commits
+    #
+    # Implements the `gem_researcher` interface required by the
+    # LockFileAnnotator.
+    class GithubComparison
+      def initialize(client)
+        @client = client
+      end
+
+      def research(gem_change, gem_change_info)
+        repo = gem_change_info[:github_repo]
+        return gem_change_info if repo.nil?
+
+        gem_change_info.merge(
+          github_comparison: try_comparing(
+            repo: repo,
+            base: gem_change.base_version,
+            head: gem_change.head_version
+          )
+        )
+      end
+
+      private
+
+      def try_comparing(repo:, base:, head:)
+        comparison = compare(repo, "v#{base}", "v#{head}")
+        comparison ||= compare(repo, base.to_s, head.to_s)
+        comparison
+      end
+
+      def compare(repo, base, head)
+        @client.compare(repo, base, head)
+      rescue Octokit::NotFound
+        nil
+      end
+    end
+  end
+end

data/lib/unwrappr/researchers/github_repo.rb

@@ -0,0 +1,25 @@
+# frozen_string_literal: true
+
+module Unwrappr
+  module Researchers
+    # Checks the gem metadata to obtain a Github source repository if available.
+    #
+    # Implements the `gem_researcher` interface required by the
+    # LockFileAnnotator.
+    class GithubRepo
+      GITHUB_URI_PATTERN = %r{^https?://github.com/(?<repo>[^/]+/[^/]+)}i.freeze
+
+      def research(_gem_change, gem_change_info)
+        repo = match_repo(gem_change_info, :source_code_uri) ||
+               match_repo(gem_change_info, :homepage_uri)
+        gem_change_info.merge(github_repo: repo)
+      end
+
+      def match_repo(gem_change_info, uri_name)
+        uri = gem_change_info.dig(:ruby_gems, uri_name)
+        match = GITHUB_URI_PATTERN.match(uri)
+        match[:repo] if match
+      end
+    end
+  end
+end

data/lib/unwrappr/researchers/ruby_gems_info.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+module Unwrappr
+  module Researchers
+    # Obtains information about the gem from https://rubygems.org/
+    #
+    # Implements the `gem_researcher` interface required by the
+    # LockFileAnnotator.
+    class RubyGemsInfo
+      def research(gem_change, gem_change_info)
+        gem_change_info.merge(
+          ruby_gems: ::Unwrappr::RubyGems.gem_info(gem_change.name)
+        )
+      end
+    end
+  end
+end

data/lib/unwrappr/researchers/security_vulnerabilities.rb

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+
+require 'bundler/audit'
+
+module Unwrappr
+  module Researchers
+    # Checks for security vulnerabilities using the Advisory DB
+    # https://github.com/rubysec/ruby-advisory-db
+    #
+    # Implements the `gem_researcher` interface required by the
+    # LockFileAnnotator.
+    class SecurityVulnerabilities
+      Vulnerabilites = Struct.new(:patched, :introduced, :remaining)
+
+      def research(gem_change, gem_change_info)
+        gem_change_info.merge(
+          security_vulnerabilities: vulnerabilities(gem_change)
+        )
+      end
+
+      private
+
+      def vulnerabilities(gem)
+        advisories = database.advisories_for(gem.name)
+        base_advisories = vulnerable_advisories(gem.base_version, advisories)
+        head_advisories = vulnerable_advisories(gem.head_version, advisories)
+        Vulnerabilites.new(
+          base_advisories - head_advisories,
+          head_advisories - base_advisories,
+          base_advisories & head_advisories
+        )
+      end
+
+      def database
+        return @database if defined?(@database)
+
+        Bundler::Audit::Database.update!(quiet: true)
+        @database = Bundler::Audit::Database.new
+      end
+
+      def vulnerable_advisories(gem_version, advisories)
+        return [] if gem_version.nil?
+
+        advisories.select do |advisory|
+          advisory.vulnerable?(gem_version.version)
+        end
+      end
+    end
+  end
+end

data/lib/unwrappr/ruby_gems.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+require 'json'
+
+module Unwrappr
+  # A wrapper around RubyGems' API
+  module RubyGems
+    SERVER = 'https://rubygems.org'
+    GET_GEM = '/api/v1/gems/%s.json'
+
+    class << self
+      def gem_info(name)
+        parse(Faraday.get(SERVER + GET_GEM % name), name)
+      end
+
+      def try_get_source_code_uri(gem_name)
+        Unwrappr::RubyGems.gem_info(gem_name)&.source_code_uri
+      end
+
+      private
+
+      def parse(response, name)
+        case response.status
+        when 200
+          JSON.parse(response.body, object_class: OpenStruct)
+        when 404
+          nil
+        else
+          STDERR.puts(error_message(response: response, name: name))
+        end
+      end
+
+      def error_message(response:, name:)
+        "Rubygems response for #{name}: "\
+        "HTTP #{response.status}: #{response.body}"
+      end
+    end
+  end
+end

data/lib/unwrappr/spec_version_comparator.rb

@@ -0,0 +1,19 @@
+# frozen_string_literal: true
+
+module Unwrappr
+  # specs_versions is a hash like { name: 'version' }
+  class SpecVersionComparator
+    def self.perform(specs_versions_before, specs_versions_after)
+      keys = (specs_versions_before.keys + specs_versions_after.keys).uniq
+      changes = keys.sort.map do |key|
+        {
+          dependency: key,
+          before: specs_versions_before[key],
+          after: specs_versions_after[key]
+        }
+      end
+
+      changes.reject { |rec| rec[:before] == rec[:after] }
+    end
+  end
+end

data/lib/unwrappr/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module Unwrappr
+  VERSION = '0.3.0'
+end

data/lib/unwrappr/writers/composite.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module Unwrappr
+  module Writers
+    # Delegate to many writers and combine their produced annotations into one.
+    #
+    # Implements the `annotation_writer` interface required by the
+    # LockFileAnnotator.
+    class Composite
+      def initialize(*writers)
+        @writers = writers
+      end
+
+      def write(gem_change, gem_change_info)
+        @writers.map do |writer|
+          writer.write(gem_change, gem_change_info)
+        end.compact.join("\n")
+      end
+    end
+  end
+end