Bundler dependency manager handler.

Author: sersut

.rspec

@@ -1,2 +1,3 @@
 --color
 --require spec_helper
+--exclude-pattern spec/fixtures/**/*

.rubocop.yml

@@ -0,0 +1,3 @@
+AllCops:
+  Excludes:
+    - spec/fixtures/**/*

lib/license_scout/collector.rb

@@ -102,7 +102,7 @@ def collect_licenses_from(dependency_manager)
 
     def all_dependency_managers
       DependencyManager.implementations.map do |implementation|
-        implementation.new(overrides)
+        implementation.new(project_dir, overrides)
       end
     end
   end

lib/license_scout/dependency.rb

@@ -0,0 +1,20 @@
+#
+# Copyright:: Copyright 2016, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+module LicenseScout
+  Dependency = Struct.new(:name, :version, :license, :license_files)
+end

lib/license_scout/dependency_manager/_bundler_script.rb

@@ -0,0 +1,47 @@
+#
+# Copyright:: Copyright 2016, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+# When using LicenseScout with Omnibus, LicenseScout is run from the bundled
+# omnibus process which has a different ruby executable and rubygems directory
+# than the project we want to collect licenses for. Bundler will end up loading
+# the gemspecs for the gems we are inspecting, so we need to run our query for
+# version and license information from a separate process that executes inside
+# the target ruby+bundler environment. This script is the thing that runs that
+# query; it's intended to be run like
+# `/opt/chef/embedded/bin/ruby /path/to/script`. It returns the data
+# LicenseScout needs as JSON on stdout.
+
+# We need to load the target project's bundler config, so we have to do a full
+# bundler setup:
+require "bundler/setup"
+
+# We're only using things that are in the stdlib.
+require "json"
+
+definition = ::Bundler::Definition.build("./Gemfile", "./Gemfile.lock", nil)
+dependencies = []
+
+definition.specs_for(definition.groups).each do |gem_spec|
+  dependencies << {
+    name: gem_spec.name,
+    version: gem_spec.version,
+    license: gem_spec.license,
+    path: gem_spec.full_gem_path,
+  }
+end
+
+puts JSON.generate(dependencies)

lib/license_scout/dependency_manager/base.rb

@@ -15,13 +15,17 @@
 # limitations under the License.
 #
 
+require "license_scout/dependency"
+
 module LicenseScout
   module DependencyManager
     class Base
 
+      attr_reader :project_dir
       attr_reader :overrides
 
-      def initialize(overrides)
+      def initialize(project_dir, overrides)
+        @project_dir = project_dir
         @overrides = overrides
       end
 

lib/license_scout/dependency_manager/bundler.rb

@@ -0,0 +1,149 @@
+#
+# Copyright:: Copyright 2016, Chef Software Inc.
+# License:: Apache License, Version 2.0
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+#
+
+require "license_scout/dependency_manager/base"
+require "license_scout/exceptions"
+
+require "bundler"
+require "mixlib/shellout"
+require "ffi_yajl"
+
+module LicenseScout
+  module DependencyManager
+    class Bundler < Base
+
+      POSSIBLE_LICENSE_FILES = %w{
+        LICENSE
+        LICENSE.txt
+        LICENSE.md
+        LICENSE.rdoc
+        License
+        License.text
+        License.md
+        License.rdoc
+        Licence.rdoc
+        MIT-LICENSE
+        MIT-LICENSE.txt
+        LICENSE.MIT
+        LGPL-2.1
+      }
+
+      def name
+        "ruby_bundler"
+      end
+
+      def detected?
+        # We only check for the existence of Gemfile in order to declare a
+        # project a Bundler project. If the Gemfile.lock does not exist
+        # we will raise a specific error to indicate that "bundle install"
+        # needs to be run before proceeding.
+        File.exists?(gemfile_path)
+      end
+
+      def dependency_data
+        bundler_script = File.join(File.dirname(__FILE__), "_bundler_script.rb")
+
+        Dir.chdir(project_dir) do
+
+          json_dep_data = ::Bundler.with_clean_env do
+            s = Mixlib::ShellOut.new("ruby #{bundler_script}")
+            s.run_command
+            s.error!
+            s.stdout
+          end
+          FFI_Yajl::Parser.parse(json_dep_data)
+        end
+      end
+
+      def dependencies
+        if !File.exists?(lockfile_path)
+          raise LicenseScout::Exceptions::DependencyManagerNotRun.new(project_dir, name)
+        end
+
+        dependencies = []
+        dependency_data.each do |gem_data|
+          dependency_name = gem_data["name"]
+          dependency_version = gem_data["version"]
+          dependency_license = nil
+          dependency_license_files = []
+
+          if overrides.have_override_for?(name, dependency_name, dependency_version)
+            dependency_license = overrides.license_for(name, dependency_name, dependency_version)
+            dependency_license_files = check_override_files(gem_data["path"], overrides.license_files_for(name, dependency_name, dependency_version))
+          elsif dependency_name == "bundler"
+            # Bundler is weird. It inserts itself as a dependency, but is a
+            # special case, so rubygems cannot correctly report the license.
+            # Additionally, rubygems reports the gem path as a path inside
+            # bundler's lib/ dir, so we have to munge it.
+            dependency_license = "MIT"
+
+            munged_path = File.expand_path("../../..", gem_data["path"])
+            dependency_license_files = auto_detect_license_files(munged_path)
+          else
+            dependency_license = gem_data["license"]
+            dependency_license_files = auto_detect_license_files(gem_data["path"])
+          end
+
+          dependencies << Dependency.new(
+            dependency_name,
+            dependency_version,
+            dependency_license,
+            dependency_license_files
+          )
+        end
+
+        dependencies
+      end
+
+      private
+
+      def auto_detect_license_files(gem_path)
+        unless File.exist?(gem_path)
+          raise Exceptions::InaccessibleDependency "Autodetected gem path '#{gem_path}' does not exist"
+        end
+
+        Dir.glob("#{gem_path}/*").select do |f|
+          POSSIBLE_LICENSE_FILES.include?(File.basename(f))
+        end
+      end
+
+      def check_override_files(gem_path, override_license_files)
+        license_files = []
+
+        override_license_files.each do |filepath|
+          potential_path = File.join(gem_path, filepath)
+
+          unless File.exists?(potential_path)
+            raise Exceptions::InvalidOverride, "Provided license file path '#{filepath}' can not be found under detected gem path '#{gem_path}'."
+          end
+
+          license_files << potential_path
+        end
+
+        license_files
+      end
+
+      def gemfile_path
+        File.join(project_dir, "Gemfile")
+      end
+
+      def lockfile_path
+        File.join(project_dir, "Gemfile.lock")
+      end
+    end
+  end
+end

lib/license_scout/exceptions.rb

@@ -39,5 +39,19 @@ def to_s
       end
     end
 
+    class DependencyManagerNotRun < Error
+      def initialize(project_dir, dependency_manager_name)
+        @project_dir = project_dir
+        @dependency_manager_name = dependency_manager_name
+      end
+
+      def to_s
+        "Dependency manager '#{dependency_manager_name}' is not yet run for project at '#{@project_dir}'."
+      end
+    end
+
+    class InaccessibleDependency < Error; end
+    class InvalidOverride < Error; end
+
   end
 end

license_scout.gemspec

@@ -36,8 +36,11 @@ Gem::Specification.new do |spec|
   spec.require_paths = %w{lib}
 
   spec.add_dependency "ffi-yajl",         "~> 2.2"
+  spec.add_dependency "mixlib-shellout",  "~> 2.2"
 
   spec.add_development_dependency "bundler", "~> 1.12"
   spec.add_development_dependency "rake", "~> 10.0"
   spec.add_development_dependency "rspec"
+  spec.add_development_dependency "pry"
+  spec.add_development_dependency "rb-readline"
 end

spec/fixtures/bundler/.bundle/config

@@ -0,0 +1,3 @@
+---
+BUNDLE_PATH: vendor/bundle
+BUNDLE_DISABLE_SHARED_GEMS: true

spec/fixtures/bundler/Gemfile

@@ -0,0 +1,5 @@
+# Gemfile used to test bundler dependency manager.
+
+source "https://rubygems.org"
+
+gem "test-kitchen"

spec/fixtures/bundler/Gemfile.lock

@@ -0,0 +1,31 @@
+GEM
+  remote: https://rubygems.org/
+  specs:
+    artifactory (2.3.3)
+    mixlib-install (1.1.0)
+      artifactory
+      mixlib-shellout
+      mixlib-versioning
+    mixlib-shellout (2.2.6)
+    mixlib-versioning (1.1.0)
+    net-scp (1.2.1)
+      net-ssh (>= 2.6.5)
+    net-ssh (3.2.0)
+    safe_yaml (1.0.4)
+    test-kitchen (1.10.2)
+      mixlib-install (~> 1.0, >= 1.0.4)
+      mixlib-shellout (>= 1.2, < 3.0)
+      net-scp (~> 1.1)
+      net-ssh (>= 2.9, < 4.0)
+      safe_yaml (~> 1.0)
+      thor (~> 0.18)
+    thor (0.19.1)
+
+PLATFORMS
+  ruby
+
+DEPENDENCIES
+  test-kitchen
+
+BUNDLED WITH
+   1.12.5

spec/fixtures/bundler/vendor/bundle/ruby/2.1.0/bin/kitchen

@@ -0,0 +1,22 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'test-kitchen' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0.a"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+load Gem.activate_bin_path('test-kitchen', 'kitchen', version)

spec/fixtures/bundler/vendor/bundle/ruby/2.1.0/bin/safe_yaml

@@ -0,0 +1,22 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'safe_yaml' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0.a"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+load Gem.activate_bin_path('safe_yaml', 'safe_yaml', version)

spec/fixtures/bundler/vendor/bundle/ruby/2.1.0/bin/thor

@@ -0,0 +1,22 @@
+#!/usr/bin/env ruby
+#
+# This file was generated by RubyGems.
+#
+# The application 'thor' is installed as part of a gem, and
+# this file is here to facilitate running it.
+#
+
+require 'rubygems'
+
+version = ">= 0.a"
+
+if ARGV.first
+  str = ARGV.first
+  str = str.dup.force_encoding("BINARY") if str.respond_to? :force_encoding
+  if str =~ /\A_(.*)_\z/ and Gem::Version.correct?($1) then
+    version = $1
+    ARGV.shift
+  end
+end
+
+load Gem.activate_bin_path('thor', 'thor', version)