zonesync 0.11.0 → 0.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3e2ac350c2fe58aaed3387c001755daba2e460747b09e12ca187e3643895cfec
-  data.tar.gz: b9c28c96bfcb6e4964060aa6fac6b05af5533d7903dd74b76850cc1d58904158
+  metadata.gz: aaa6c630bddb382ab5b051983a3af48b5d59583a2e6befb51bf4098e3ccbdbb0
+  data.tar.gz: 7005f724efb994e55bc9d581780a8ba5711729ba208b9ef4c8fb77cc48d018bc
 SHA512:
-  metadata.gz: 8861b5bbcb843c30e3017eb2989fc3391913452246d5a6d798b8ccac677430ae845f5189271a6a07d8f4b7f72f07db34153f480281a3e6d398e135c3b0b28cf1
-  data.tar.gz: 6a471b920e9cd971a023eca9992894c65f43ef9e6fffe9d873abb32706f265db98043fdeb7e749cd7a87feeda0faefac8bd4b1477f27059e28b8e793f3f091fe
+  metadata.gz: ca2cc5e0fefcbf14efe91cb80b84ef20b485715891d92b8f2cd1f58cb2b6193bf9a7a51e822fa046a516bb275a7c5a5fb98e19d2cb9ae08cee41208434986f9e
+  data.tar.gz: bb66c82041407b2e3d3a57e0c1c381dc9a7ac77fb1d09db52d61892fb76409541a3d5059f916205f00dbf304a71218a0df7f60c6fb995350a1928d8026e8b617

data/lib/zonesync/errors.rb

@@ -1,22 +1,56 @@
 # typed: strict
 require "sorbet-runtime"
+require "zonesync/record_hash"
 
 module Zonesync
+  class ValidationError < StandardError
+    extend T::Sig
+
+    sig { void }
+    def initialize
+      @errors = T.let([], T::Array[StandardError])
+    end
+
+    sig { params(error: StandardError).void }
+    def add(error)
+      @errors << error
+    end
+
+    sig { returns(T::Boolean) }
+    def any?
+      @errors.any?
+    end
+
+    sig { returns(String) }
+    def message
+      @errors.map(&:message).join("\n\n#{'-' * 60}\n\n")
+    end
+
+    sig { returns(T::Array[StandardError]) }
+    attr_reader :errors
+  end
+
   class ConflictError < StandardError
     extend T::Sig
 
-    sig { params(existing: T.nilable(Record), new: Record).void }
-    def initialize existing, new
-      @existing = existing
-      @new = new
+    sig { params(conflicts: T::Array[[T.nilable(Record), Record]]).void }
+    def initialize(conflicts)
+      @conflicts = conflicts
     end
 
     sig { returns(String) }
     def message
-      <<~MSG
-        The following untracked DNS record already exists and would be overwritten.
-          existing: #{@existing}
-          new:      #{@new}
+      conflicts_text = @conflicts.sort_by { |_existing, new_rec| new_rec.name }.map do |existing_rec, new_rec|
+        "  existing: #{existing_rec}\n  new:      #{new_rec}"
+      end.join("\n\n")
+
+      count = @conflicts.length
+      record_word = count == 1 ? "record" : "records"
+      exists_word = count == 1 ? "exists" : "exist"
+
+      <<~MSG.chomp
+        The following untracked DNS #{record_word} already #{exists_word} and would be overwritten:
+        #{conflicts_text}
       MSG
     end
   end
@@ -41,20 +75,71 @@ module Zonesync
   class ChecksumMismatchError < StandardError
     extend T::Sig
 
-    sig { params(existing: T.nilable(Record), new: Record).void }
-    def initialize existing, new
+    sig {
+      params(
+        existing: T.nilable(Record),
+        new: T.nilable(Record),
+        expected_record: T.nilable(Record),
+        actual_record: T.nilable(Record),
+        missing_hash: T.nilable(String)
+      ).void
+    }
+    def initialize(existing = nil, new = nil, expected_record: nil, actual_record: nil, missing_hash: nil)
       @existing = existing
       @new = new
+      @expected_record = expected_record
+      @actual_record = actual_record
+      @missing_hash = missing_hash
     end
 
     sig { returns(String) }
     def message
+      # V2 manifest integrity violation
+      if @missing_hash
+        return generate_v2_message
+      end
+
+      # V1 checksum mismatch
       <<~MSG
         The zonesync_checksum TXT record does not match the current state of the DNS records. This probably means that someone else has changed them.
           existing: #{@existing}
           new:      #{@new}
       MSG
     end
+
+    private
+
+    sig { returns(String) }
+    def generate_v2_message
+      if @expected_record && @actual_record
+        # Record was modified
+        actual_hash = RecordHash.generate(@actual_record)
+        <<~MSG.chomp
+          The following tracked DNS record has been modified externally:
+            Expected: #{@expected_record.name} #{@expected_record.ttl} #{@expected_record.type} #{@expected_record.rdata} (hash: #{@missing_hash})
+            Actual:   #{@actual_record.name} #{@actual_record.ttl} #{@actual_record.type} #{@actual_record.rdata} (hash: #{actual_hash})
+
+          This probably means someone else has changed it. Use --force to override.
+        MSG
+      elsif @expected_record
+        # Record was deleted
+        <<~MSG.chomp
+          The following tracked DNS record has been deleted externally:
+            Expected: #{@expected_record.name} #{@expected_record.ttl} #{@expected_record.type} #{@expected_record.rdata} (hash: #{@missing_hash})
+            Not found in current remote records.
+
+          This probably means someone else has deleted it. Use --force to override.
+        MSG
+      else
+        # Fallback: we don't have source records to look up details
+        <<~MSG.chomp
+          The following tracked DNS record has been modified or deleted externally:
+            Expected hash: #{@missing_hash} (not found in current records)
+
+          This probably means someone else has changed it. Use --force to override.
+        MSG
+      end
+    end
   end
 
   class DuplicateRecordError < StandardError

data/lib/zonesync/provider.rb

@@ -26,7 +26,7 @@ module Zonesync
     sig { params(other: Provider, force: T::Boolean).returns(T::Array[Operation]) }
     def diff! other, force: false
       operations = diff(other).call
-      Validator.call(operations, self, force: force)
+      Validator.call(operations, self, other, force: force)
       operations
     end
 
@@ -118,7 +118,7 @@ module Zonesync
 
       missing = expected_set - found_set
       if missing.any?
-        raise ConflictError.new(nil, diffable.first || remote_records.first)
+        raise ConflictError.new([[nil, diffable.first || remote_records.first]])
       end
 
       diffable.sort

data/lib/zonesync/record.rb

@@ -53,6 +53,37 @@ module Zonesync
       string << " ; #{comment}" if comment
       string
     end
+
+    sig { params(other: Record).returns(T::Boolean) }
+    def identical_to?(other)
+      name == other.name && type == other.type && ttl == other.ttl && rdata == other.rdata
+    end
+
+    sig { params(other: Record).returns(T::Boolean) }
+    def conflicts_with?(other)
+      return false unless name == other.name && type == other.type
+
+      case type
+      when "CNAME", "SOA"
+        true
+      when "MX"
+        existing_priority = rdata.split(' ').first
+        new_priority = other.rdata.split(' ').first
+        existing_priority == new_priority
+      else
+        false
+      end
+    end
+
+    sig { params(type: String).returns(T::Boolean) }
+    def self.single_record_per_name?(type)
+      type == "CNAME" || type == "SOA"
+    end
+
+    sig { params(records: T::Array[Record]).returns(T::Array[Record]) }
+    def self.non_meta(records)
+      records.reject { |r| r.manifest? || r.checksum? }
+    end
   end
 end
 

data/lib/zonesync/validator.rb

@@ -3,28 +3,42 @@ require "sorbet-runtime"
 require "zonesync/record_hash"
 
 module Zonesync
-  Validator = Struct.new(:operations, :destination) do
+  Validator = Struct.new(:operations, :destination, :source) do
     extend T::Sig
 
-    sig { params(operations: T::Array[Operation], destination: Provider, force: T::Boolean).void }
-    def self.call(operations, destination, force: false)
-      new(operations, destination).call(force: force)
+    sig { params(operations: T::Array[Operation], destination: Provider, source: T.nilable(Provider), force: T::Boolean).void }
+    def self.call(operations, destination, source = nil, force: false)
+      new(operations, destination, source).call(force: force)
     end
 
     sig { params(force: T::Boolean).void }
     def call(force: false)
+      validation_error = ValidationError.new
+
       if !force && operations.any? && !manifest.existing?
-        raise MissingManifestError.new(manifest.generate)
+        validation_error.add(MissingManifestError.new(manifest.generate))
       end
-      # Only validate checksums for v1 manifests (v2 manifests provide integrity via hashes)
+
       if !force && manifest.v1_format? && manifest.existing_checksum && manifest.existing_checksum != manifest.generate_checksum
-        raise ChecksumMismatchError.new(manifest.existing_checksum, manifest.generate_checksum)
+        validation_error.add(ChecksumMismatchError.new(manifest.existing_checksum, manifest.generate_checksum))
       end
-      operations.each do |method, args|
-        if method == :add
-          validate_addition args.first, force: force
-        end
+
+      if !force && manifest.v2_format?
+        integrity_error = validate_v2_manifest_integrity
+        validation_error.add(integrity_error) if integrity_error
       end
+
+      conflicts = operations.map do |method, args|
+        method == :add ? validate_addition(args.first, force: force) : nil
+      end.compact
+      validation_error.add(ConflictError.new(conflicts)) if conflicts.any?
+
+      if validation_error.errors.length == 1
+        raise validation_error.errors.first
+      elsif validation_error.errors.length > 1
+        raise validation_error
+      end
+
       nil
     end
 
@@ -35,68 +49,96 @@ module Zonesync
       destination.manifest
     end
 
-    sig { params(record: Record, force: T::Boolean).void }
-    def validate_addition record, force: false
-      return if manifest.matches?(record)
-      return if force
+    sig { returns(T.nilable(ChecksumMismatchError)) }
+    def validate_v2_manifest_integrity
+      manifest_data = T.must(manifest.existing).rdata[1..-2]
+      expected_hashes = manifest_data.split(",")
+      actual_records = Record.non_meta(destination.records)
+      actual_hash_to_record = actual_records.map { |r| [RecordHash.generate(r), r] }.to_h
 
-      # Use hash-based conflict detection when we have a v2 manifest
-      if manifest.existing? && !manifest.existing.rdata[1..-2].include?(";")
-        # V2 hash-based manifest: check for untracked records that conflict
-        record_hash = RecordHash.generate(record)
-        expected_hashes = manifest.existing.rdata[1..-2].split(",")
+      missing_hash = expected_hashes.find { |hash| !actual_hash_to_record.key?(hash) }
+      return nil unless missing_hash
+
+      expected_record = find_expected_record(missing_hash)
+      actual_record = find_modified_record(expected_record, actual_records)
+
+      ChecksumMismatchError.new(
+        expected_record: expected_record,
+        actual_record: actual_record,
+        missing_hash: missing_hash
+      )
+    end
+
+    sig { params(missing_hash: String).returns(T.nilable(Record)) }
+    def find_expected_record(missing_hash)
+      return nil unless source
+
+      source_records = Record.non_meta(source.records)
+      source_records.find { |r| RecordHash.generate(r) == missing_hash }
+    end
+
+    sig { params(expected_record: T.nilable(Record), actual_records: T::Array[Record]).returns(T.nilable(Record)) }
+    def find_modified_record(expected_record, actual_records)
+      return nil unless expected_record
 
-        # Find conflicting records that would be overwritten by this addition
-        conflicting_record = destination.records.find do |r|
-          next if r.manifest? || r.checksum?
-
-          # Skip if this record is tracked in the manifest
-          r_hash = RecordHash.generate(r)
-          next if expected_hashes.include?(r_hash)
-
-          # Skip if it's exactly the same record (we're just starting to track it)
-          next if r.name == record.name && r.type == record.type && r.ttl == record.ttl && r.rdata == record.rdata
-
-          # Check for conflicts based on record type
-          case record.type
-          when "CNAME", "SOA"
-            # These types only allow one record per name
-            r.name == record.name && r.type == record.type
-          when "MX"
-            # MX records conflict if same name and same priority (first part of rdata)
-            if r.name == record.name && r.type == record.type
-              existing_priority = r.rdata.split(' ').first
-              new_priority = record.rdata.split(' ').first
-              existing_priority == new_priority
-            end
-          else
-            # For other types (A, AAAA, TXT, etc.), multiple records are allowed
-            # Only conflict if trying to add identical record (but we already checked that above)
-            false
-          end
+      # For CNAME and SOA, only one record per name is allowed, so check for modification
+      # For other types (A, AAAA, TXT, MX), only check if there's exactly one record
+      # with that name/type - if there are multiples, we can't determine which one it "became"
+      if Record.single_record_per_name?(expected_record.type)
+        actual_records.find do |r|
+          r.name == expected_record.name && r.type == expected_record.type
         end
       else
-        # V1 name-based manifest or no manifest
-        if manifest.existing?
-          # V1 name-based manifest: use old shorthand logic
-          shorthand = manifest.shorthand_for(record, with_type: true)
-          conflicting_record = destination.records.find do |r|
-            manifest.shorthand_for(r, with_type: true) == shorthand
-          end
-        else
-          # No manifest: only conflict if exact same record exists
-          conflicting_record = destination.records.find do |r|
-            r.name == record.name &&
-            r.type == record.type &&
-            r.ttl == record.ttl &&
-            r.rdata == record.rdata
-          end
+        matching_records = actual_records.select do |r|
+          r.name == expected_record.name && r.type == expected_record.type
         end
+        matching_records.first if matching_records.count == 1
       end
+    end
+
+    sig { params(record: Record, force: T::Boolean).returns(T.nilable([T.nilable(Record), Record])) }
+    def validate_addition record, force: false
+      return nil if manifest.matches?(record)
+      return nil if force
+
+      conflicting_record = if manifest.v2_format?
+        expected_hashes = manifest.existing.rdata[1..-2].split(",")
+        find_v2_conflict(record, expected_hashes)
+      elsif manifest.existing?
+        find_v1_conflict(record)
+      else
+        find_unmanaged_conflict(record)
+      end
+
+      return nil if !conflicting_record
+      return nil if conflicting_record == record
+      [conflicting_record, record]
+    end
 
-      return if !conflicting_record
-      return if conflicting_record == record
-      raise Zonesync::ConflictError.new(conflicting_record, record)
+    sig { params(record: Record, expected_hashes: T::Array[String]).returns(T.nilable(Record)) }
+    def find_v2_conflict(record, expected_hashes)
+      destination.records.find do |r|
+        next if r.manifest? || r.checksum?
+        next if expected_hashes.include?(RecordHash.generate(r))
+        next if r.identical_to?(record)
+
+        r.conflicts_with?(record)
+      end
+    end
+
+    sig { params(record: Record).returns(T.nilable(Record)) }
+    def find_v1_conflict(record)
+      shorthand = manifest.shorthand_for(record, with_type: true)
+      destination.records.find do |r|
+        manifest.shorthand_for(r, with_type: true) == shorthand
+      end
+    end
+
+    sig { params(record: Record).returns(T.nilable(Record)) }
+    def find_unmanaged_conflict(record)
+      destination.records.find do |r|
+        r.identical_to?(record)
+      end
     end
   end
 end

data/lib/zonesync/version.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 
 module Zonesync
-  VERSION = "0.11.0"
+  VERSION = "0.12.0"
 end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: zonesync
 version: !ruby/object:Gem::Version
-  version: 0.11.0
+  version: 0.12.0
 platform: ruby
 authors:
 - Micah Geisel
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: exe
 cert_chain: []
-date: 2025-09-18 00:00:00.000000000 Z
+date: 2025-10-19 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: diff-lcs