Merge pull request #12747 from dependabot/jurre/go-proxy-support

Add support for goproxy_server and go.env files

Author: alhss

go_modules/lib/dependabot/go_modules/file_fetcher.rb

@@ -41,6 +41,7 @@ def fetch_files
           fetched_files = go_mod ? [go_mod] : []
           # Fetch the (optional) go.sum
           fetched_files << T.must(go_sum) if go_sum
+          fetched_files << T.must(go_env) if go_env
           fetched_files
         end
       end
@@ -56,6 +57,14 @@ def go_mod
       def go_sum
         @go_sum ||= T.let(fetch_file_if_present("go.sum"), T.nilable(Dependabot::DependencyFile))
       end
+
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_env
+        return @go_env if defined?(@go_env)
+
+        @go_env = T.let(fetch_support_file("go.env"), T.nilable(Dependabot::DependencyFile))
+        @go_env
+      end
     end
   end
 end

go_modules/lib/dependabot/go_modules/file_parser.rb

@@ -20,6 +20,18 @@ module GoModules
     class FileParser < Dependabot::FileParsers::Base
       extend T::Sig
 
+      sig do
+        params(dependency_files: T::Array[Dependabot::DependencyFile], source: T.nilable(Dependabot::Source),
+               repo_contents_path: T.nilable(String), credentials: T::Array[Dependabot::Credential],
+               reject_external_code: T::Boolean, options: T::Hash[Symbol, T.untyped]).void
+      end
+      def initialize(dependency_files:, source: nil, repo_contents_path: nil,
+                     credentials: [], reject_external_code: false, options: {})
+        super
+
+        set_go_environment_variables
+      end
+
       sig { override.returns(T::Array[Dependabot::Dependency]) }
       def parse
         dependency_set = Dependabot::FileParsers::Base::DependencySet.new
@@ -50,6 +62,48 @@ def ecosystem
 
       private
 
+      sig { void }
+      def set_go_environment_variables
+        set_goenv_variable
+        set_goproxy_variable
+        set_goprivate_variable
+      end
+
+      sig { void }
+      def set_goenv_variable
+        return unless go_env
+
+        env_file = T.must(go_env)
+        File.write(env_file.name, env_file.content)
+        ENV["GOENV"] = Pathname.new(env_file.name).realpath.to_s
+      end
+
+      sig { void }
+      def set_goprivate_variable
+        return if go_env&.content&.include?("GOPRIVATE")
+        return if go_env&.content&.include?("GOPROXY")
+        return if goproxy_credentials.any?
+
+        goprivate = options.fetch(:goprivate, "*")
+        ENV["GOPRIVATE"] = goprivate if goprivate
+      end
+
+      sig { void }
+      def set_goproxy_variable
+        return if go_env&.content&.include?("GOPROXY")
+        return if goproxy_credentials.empty?
+
+        urls = goproxy_credentials.filter_map { |cred| cred["url"] }
+        ENV["GOPROXY"] = "#{urls.join(',')},direct"
+      end
+
+      sig { returns(T::Array[Dependabot::Credential]) }
+      def goproxy_credentials
+        @goproxy_credentials ||= T.let(credentials.select do |cred|
+          cred["type"] == "goproxy_server"
+        end, T.nilable(T::Array[Dependabot::Credential]))
+      end
+
       sig { returns(Ecosystem::VersionManager) }
       def package_manager
         @package_manager ||= T.let(
@@ -85,6 +139,11 @@ def go_mod
         @go_mod ||= T.let(get_original_file("go.mod"), T.nilable(Dependabot::DependencyFile))
       end
 
+      sig { returns(T.nilable(Dependabot::DependencyFile)) }
+      def go_env
+        @go_env ||= T.let(get_original_file("go.env"), T.nilable(Dependabot::DependencyFile))
+      end
+
       sig { override.void }
       def check_required_files
         raise "No go.mod!" unless go_mod

go_modules/lib/dependabot/go_modules/file_updater.rb

@@ -29,7 +29,6 @@ class FileUpdater < Dependabot::FileUpdaters::Base
       def initialize(dependencies:, dependency_files:, credentials:, repo_contents_path: nil, options: {})
         super
 
-        @goprivate = T.let(options.fetch(:goprivate, "*"), String)
         use_repo_contents_stub if repo_contents_path.nil?
       end
 
@@ -149,7 +148,7 @@ def file_updater
             credentials: credentials,
             repo_contents_path: repo_contents_path,
             directory: T.must(directory),
-            options: { tidy: tidy?, vendor: vendor?, goprivate: @goprivate }
+            options: { tidy: tidy?, vendor: vendor? }
           ),
           T.nilable(Dependabot::GoModules::FileUpdater::GoModUpdater)
         )

go_modules/lib/dependabot/go_modules/file_updater/go_mod_updater.rb

@@ -96,7 +96,6 @@ def initialize(dependencies:, dependency_files:, credentials:, repo_contents_pat
           @directory = directory
           @tidy = T.let(options.fetch(:tidy, false), T::Boolean)
           @vendor = T.let(options.fetch(:vendor, false), T::Boolean)
-          @goprivate = T.let(options.fetch(:goprivate), T.nilable(String))
         end
 
         sig { returns(T.nilable(String)) }
@@ -188,7 +187,7 @@ def run_go_mod_tidy
           # continue with an info log here. `go mod tidy` shouldn't block
           # updating versions because there are some edge cases where it's OK to fail
           # (such as generated files not available yet to us).
-          _, stderr, status = Open3.capture3(environment, command)
+          _, stderr, status = Open3.capture3(command)
           if status.success?
             Dependabot.logger.info "`go mod tidy` succeeded"
           else
@@ -201,7 +200,7 @@ def run_go_vendor
           return unless vendor?
 
           command = "go mod vendor"
-          _, stderr, status = Open3.capture3(environment, command)
+          _, stderr, status = Open3.capture3(command)
           handle_subprocess_error(stderr) unless status.success?
         end
 
@@ -225,7 +224,7 @@ def run_go_get(dependencies = [])
           end
           command = SharedHelpers.escape_command(command)
 
-          _, stderr, status = Open3.capture3(environment, command)
+          _, stderr, status = Open3.capture3(command)
           handle_subprocess_error(stderr) unless status.success?
         ensure
           FileUtils.rm_f(T.must(tmp_go_file))
@@ -234,7 +233,7 @@ def run_go_get(dependencies = [])
         sig { returns(T::Hash[String, T.untyped]) }
         def parse_manifest
           command = "go mod edit -json"
-          stdout, stderr, status = Open3.capture3(environment, command)
+          stdout, stderr, status = Open3.capture3(command)
           handle_subprocess_error(stderr) unless status.success?
 
           JSON.parse(stdout) || {}
@@ -305,7 +304,7 @@ def handle_subprocess_error(stderr) # rubocop:disable Metrics/AbcSize
           end
 
           repo_error_regex = REPO_RESOLVABILITY_ERROR_REGEXES.find { |r| stderr =~ r }
-          ResolvabilityErrors.handle(stderr, goprivate: @goprivate) if repo_error_regex
+          ResolvabilityErrors.handle(stderr) if repo_error_regex
 
           path_regex = MODULE_PATH_MISMATCH_REGEXES.find { |r| stderr =~ r }
           if path_regex
@@ -366,11 +365,6 @@ def tidy?
         def vendor?
           !!@vendor
         end
-
-        sig { returns(T::Hash[String, T.untyped]) }
-        def environment
-          { "GOPRIVATE" => @goprivate }
-        end
       end
     end
   end

go_modules/lib/dependabot/go_modules/package/package_details_fetcher.rb

@@ -41,15 +41,13 @@ class PackageDetailsFetcher
           params(
             dependency: Dependabot::Dependency,
             dependency_files: T::Array[Dependabot::DependencyFile],
-            credentials: T::Array[Dependabot::Credential],
-            goprivate: String
+            credentials: T::Array[Dependabot::Credential]
           ).void
         end
-        def initialize(dependency:, dependency_files:, credentials:, goprivate:)
+        def initialize(dependency:, dependency_files:, credentials:)
           @dependency = dependency
           @dependency_files = dependency_files
           @credentials = credentials
-          @goprivate = T.let(goprivate, String)
 
           @source_type = T.let(nil, T.nilable(String))
         end
@@ -63,9 +61,6 @@ def initialize(dependency:, dependency_files:, credentials:, goprivate:)
         sig { returns(T::Array[T.untyped]) }
         attr_reader :credentials
 
-        sig { returns(String) }
-        attr_reader :goprivate
-
         # rubocop:disable Metrics/AbcSize,Metrics/PerceivedComplexity
         sig { returns(T::Array[Dependabot::Package::PackageRelease]) }
         def fetch_available_versions
@@ -82,12 +77,9 @@ def fetch_available_versions
               end
 
               # Turn off the module proxy for private dependencies
-              env = { "GOPRIVATE" => @goprivate }
-
               versions_json = SharedHelpers.run_shell_command(
                 "go list -m -versions -json #{dependency.name}",
-                fingerprint: "go list -m -versions -json <dependency_name>",
-                env: env
+                fingerprint: "go list -m -versions -json <dependency_name>"
               )
               version_strings = JSON.parse(versions_json)["Versions"]
 
@@ -112,7 +104,7 @@ def fetch_available_versions
           retry_count += 1
           retry if transitory_failure?(e) && retry_count < 2
 
-          ResolvabilityErrors.handle(e.message, goprivate: @goprivate)
+          ResolvabilityErrors.handle(e.message)
           [package_release(version: T.must(dependency.version))]
         end
         # rubocop:enable Metrics/AbcSize,Metrics/PerceivedComplexity

go_modules/lib/dependabot/go_modules/resolvability_errors.rb

@@ -10,8 +10,8 @@ module ResolvabilityErrors
 
       GITHUB_REPO_REGEX = %r{github.com/[^:@ ]*}
 
-      sig { params(message: String, goprivate: T.untyped).void }
-      def self.handle(message, goprivate:)
+      sig { params(message: String).void }
+      def self.handle(message)
         mod_path = message.scan(GITHUB_REPO_REGEX).last
         unless mod_path && message.include?("If this is a private repository")
           raise Dependabot::DependencyFileNotResolvable, message
@@ -30,8 +30,7 @@ def self.handle(message, goprivate:)
                         mod_path
                       end
 
-          env = { "GOPRIVATE" => goprivate }
-          _, _, status = Open3.capture3(env, SharedHelpers.escape_command("go list -m -versions #{repo_path}"))
+          _, _, status = Open3.capture3(SharedHelpers.escape_command("go list -m -versions #{repo_path}"))
           raise Dependabot::DependencyFileNotResolvable, message if status.success?
 
           raise Dependabot::GitDependenciesNotReachable, [repo_path]

go_modules/lib/dependabot/go_modules/update_checker.rb

@@ -1,4 +1,4 @@
-# typed: strict
+# typed: strong
 # frozen_string_literal: true
 
 require "sorbet-runtime"
@@ -66,8 +66,7 @@ def latest_version_finder
             ignored_versions: ignored_versions,
             security_advisories: security_advisories,
             raise_on_ignored: raise_on_ignored,
-            cooldown_options: update_cooldown,
-            goprivate: options.fetch(:goprivate, "*")
+            cooldown_options: update_cooldown
           ),
           T.nilable(Dependabot::GoModules::UpdateChecker::LatestVersionFinder)
         )

go_modules/lib/dependabot/go_modules/update_checker/latest_version_finder.rb

@@ -46,7 +46,6 @@ class LatestVersionFinder < Dependabot::Package::PackageLatestVersionFinder
             credentials: T::Array[Dependabot::Credential],
             ignored_versions: T::Array[String],
             security_advisories: T::Array[Dependabot::SecurityAdvisory],
-            goprivate: String,
             raise_on_ignored: T::Boolean,
             cooldown_options: T.nilable(Dependabot::Package::ReleaseCooldownOptions)
           )
@@ -58,7 +57,6 @@ def initialize(
           credentials:,
           ignored_versions:,
           security_advisories:,
-          goprivate:,
           raise_on_ignored: false,
           cooldown_options: nil
         )
@@ -68,7 +66,6 @@ def initialize(
           @ignored_versions    = ignored_versions
           @security_advisories = security_advisories
           @raise_on_ignored    = raise_on_ignored
-          @goprivate           = goprivate
           @cooldown_options    = cooldown_options
           super(
             dependency: dependency,
@@ -122,9 +119,6 @@ def cooldown_enabled?
         sig { returns(T::Array[Dependabot::SecurityAdvisory]) }
         attr_reader :security_advisories
 
-        sig { returns(String) }
-        attr_reader :goprivate
-
         sig { returns(T.nilable(Dependabot::Package::ReleaseCooldownOptions)) }
         attr_reader :cooldown_options
 
@@ -133,8 +127,7 @@ def available_versions_details
           @available_versions_details ||= T.let(Package::PackageDetailsFetcher.new(
             dependency: dependency,
             dependency_files: dependency_files,
-            credentials: credentials,
-            goprivate: goprivate
+            credentials: credentials
           ).fetch_available_versions, T.nilable(T::Array[Dependabot::Package::PackageRelease]))
         end
 
@@ -197,13 +190,10 @@ def lazy_filter_cooldown_versions(releases, check_max: true)
         # rubocop:disable Metrics/AbcSize
         sig { params(release: Dependabot::Package::PackageRelease).returns(T::Boolean) }
         def in_cooldown_period?(release)
-          env = { "GOPRIVATE" => @goprivate }
-
           begin
             release_info = SharedHelpers.run_shell_command(
               "go list -m -json #{dependency.name}@#{release.details.[]('version_string')}",
-              fingerprint: "go list -m -json <dependency_name>",
-              env: env
+              fingerprint: "go list -m -json <dependency_name>"
             )
           rescue Dependabot::SharedHelpers::HelperSubprocessFailed => e
             Dependabot.logger.info("Error while fetching release date info: #{e.message}")

go_modules/spec/dependabot/go_modules/file_fetcher_spec.rb

@@ -57,6 +57,14 @@
     end
   end
 
+  context "with a go.env file" do
+    let(:branch) { "with-go-env" }
+
+    it "fetches the go.env file" do
+      expect(file_fetcher_instance.files.map(&:name)).to include("go.env")
+    end
+  end
+
   context "when directory is missing" do
     let(:directory) { "/missing" }