Bundler 2: [Prerelease] Add version resolver

bundler/helpers/v2/lib/functions.rb

@@ -3,6 +3,7 @@
 require "functions/conflicting_dependency_resolver"
 require "functions/dependency_source"
 require "functions/file_parser"
+require "functions/version_resolver"
 require "functions/lockfile_updater"
 
 module Functions
@@ -79,7 +80,13 @@ def self.private_registry_versions(gemfile_name:, dependency_name:, dir:,
   def self.resolve_version(dependency_name:, dependency_requirements:,
                            gemfile_name:, lockfile_name:, using_bundler2:,
                            dir:, credentials:)
-    raise NotImplementedError, "Bundler 2 adapter does not yet implement #{__method__}"
+    set_bundler_flags_and_credentials(dir: dir, credentials: credentials, using_bundler2: using_bundler2)
+    VersionResolver.new(
+      dependency_name: dependency_name,
+      dependency_requirements: dependency_requirements,
+      gemfile_name: gemfile_name,
+      lockfile_name: lockfile_name
+    ).version_details
   end
 
   def self.jfrog_source(dir:, gemfile_name:, credentials:, using_bundler2:)

bundler/helpers/v2/lib/functions/version_resolver.rb

@@ -0,0 +1,140 @@
+module Functions
+  class VersionResolver
+    GEM_NOT_FOUND_ERROR_REGEX = /locked to (?<name>[^\s]+) \(/.freeze
+
+    attr_reader :dependency_name, :dependency_requirements,
+                :gemfile_name, :lockfile_name
+
+    def initialize(dependency_name:, dependency_requirements:,
+                   gemfile_name:, lockfile_name:)
+      @dependency_name = dependency_name
+      @dependency_requirements = dependency_requirements
+      @gemfile_name = gemfile_name
+      @lockfile_name = lockfile_name
+    end
+
+    def version_details
+      dep = dependency_from_definition
+
+      # If the dependency wasn't found in the definition, but *is*
+      # included in a gemspec, it's because the Gemfile didn't import
+      # the gemspec. This is unusual, but the correct behaviour if/when
+      # it happens is to behave as if the repo was gemspec-only.
+      if dep.nil? && dependency_requirements.any?
+        return "latest"
+      end
+
+      # Otherwise, if the dependency wasn't found it's because it is a
+      # subdependency that was removed when attempting to update it.
+      return nil if dep.nil?
+
+      # If the dependency is Bundler itself then we can't trust the
+      # version that has been returned (it's the version Dependabot is
+      # running on, rather than the true latest resolvable version).
+      return nil if dep.name == "bundler"
+
+      details = {
+        version: dep.version,
+        ruby_version: ruby_version,
+        fetcher: fetcher_class(dep)
+      }
+      if dep.source.instance_of?(::Bundler::Source::Git)
+        details[:commit_sha] = dep.source.revision
+      end
+      details
+    end
+
+    private
+
+    # rubocop:disable Metrics/PerceivedComplexity
+    def dependency_from_definition(unlock_subdependencies: true)
+      dependencies_to_unlock = [dependency_name]
+      dependencies_to_unlock += subdependencies if unlock_subdependencies
+      begin
+        definition = build_definition(dependencies_to_unlock)
+        definition.resolve_remotely!
+      rescue ::Bundler::GemNotFound => e
+        unlock_yanked_gem(dependencies_to_unlock, e) && retry
+      rescue ::Bundler::HTTPError => e
+        # Retry network errors
+        # Note: in_a_native_bundler_context will also retry `Bundler::HTTPError` errors
+        # up to three times meaning we'll end up retrying this error up to six times
+        # TODO: Could we get rid of this retry logic and only rely on
+        # SharedBundlerHelpers.in_a_native_bundler_context
+        attempt ||= 1
+        attempt += 1
+        raise if attempt > 3 || !e.message.include?("Network error")
+
+        retry
+      end
+
+      dep = definition.resolve.find { |d| d.name == dependency_name }
+      return dep if dep
+      return if dependency_requirements.any? || !unlock_subdependencies
+
+      # If no definition was found and we're updating a sub-dependency,
+      # try again but without unlocking any other sub-dependencies
+      dependency_from_definition(unlock_subdependencies: false)
+    end
+    # rubocop:enable Metrics/PerceivedComplexity
+
+    def subdependencies
+      # If there's no lockfile we don't need to worry about
+      # subdependencies
+      return [] unless lockfile
+
+      all_deps =  ::Bundler::LockfileParser.new(lockfile).
+                  specs.map(&:name).map(&:to_s).uniq
+      top_level = build_definition([]).dependencies.
+                  map(&:name).map(&:to_s)
+
+      all_deps - top_level
+    end
+
+    def build_definition(dependencies_to_unlock)
+      # Note: we lock shared dependencies to avoid any top-level
+      # dependencies getting unlocked (which would happen if they were
+      # also subdependencies of the dependency being unlocked)
+      ::Bundler::Definition.build(
+        gemfile_name,
+        lockfile_name,
+        gems: dependencies_to_unlock,
+        lock_shared_dependencies: true
+      )
+    end
+
+    def unlock_yanked_gem(dependencies_to_unlock, error)
+      raise unless error.message.match?(GEM_NOT_FOUND_ERROR_REGEX)
+
+      gem_name = error.message.match(GEM_NOT_FOUND_ERROR_REGEX).
+                 named_captures["name"]
+      raise if dependencies_to_unlock.include?(gem_name)
+
+      dependencies_to_unlock << gem_name
+    end
+
+    def lockfile
+      return @lockfile if defined?(@lockfile)
+
+      @lockfile =
+        begin
+          return unless lockfile_name
+          return unless File.exist?(lockfile_name)
+
+          File.read(lockfile_name)
+        end
+    end
+
+    def fetcher_class(dep)
+      return unless dep.source.is_a?(::Bundler::Source::Rubygems)
+
+      dep.source.fetchers.first.fetchers.first.class.to_s
+    end
+
+    def ruby_version
+      return nil unless gemfile_name
+
+      @ruby_version ||= build_definition([]).ruby_version&.gem_version
+    end
+  end
+end

bundler/helpers/v2/spec/functions/version_resolver_spec.rb

@@ -0,0 +1,97 @@
+# frozen_string_literal: true
+
+require "native_spec_helper"
+require "shared_contexts"
+
+RSpec.describe Functions::VersionResolver do
+  include_context "in a temporary bundler directory"
+  include_context "stub rubygems compact index"
+
+  let(:version_resolver) do
+    described_class.new(
+      dependency_name: dependency_name,
+      dependency_requirements: dependency_requirements,
+      gemfile_name: "Gemfile",
+      lockfile_name: "Gemfile.lock"
+    )
+  end
+
+  let(:dependency_name) { "business" }
+  let(:dependency_requirements) do
+    [{
+      file: "Gemfile",
+      requirement: requirement_string,
+      groups: [],
+      source: source
+    }]
+  end
+  let(:source) { nil }
+
+  let(:rubygems_url) { "https://index.rubygems.org/api/v1/" }
+  let(:old_index_url) { rubygems_url + "dependencies" }
+
+  describe "#version_details" do
+    subject do
+      in_tmp_folder { version_resolver.version_details }
+    end
+
+    let(:project_name) { "gemfile" }
+    let(:requirement_string) { " >= 0" }
+
+    its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) }
+    its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::CompactIndex") }
+
+    context "with a private gemserver source" do
+      include_context "stub rubygems compact index"
+
+      let(:project_name) { "specified_source" }
+      let(:requirement_string) { ">= 0" }
+
+      before do
+        gemfury_url = "https://repo.fury.io/greysteil/"
+        gemfury_deps_url = gemfury_url + "api/v1/dependencies"
+
+        stub_request(:get, gemfury_url + "versions").
+          to_return(status: 200, body: fixture("ruby", "gemfury-index"))
+        stub_request(:get, gemfury_url + "info/business").to_return(status: 404)
+        stub_request(:get, gemfury_deps_url).to_return(status: 200)
+        stub_request(:get, gemfury_deps_url + "?gems=business,statesman").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+        stub_request(:get, gemfury_deps_url + "?gems=business").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+        stub_request(:get, gemfury_deps_url + "?gems=statesman").
+          to_return(status: 200, body: fixture("ruby", "gemfury_response"))
+      end
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.9.0")) }
+      its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::Dependency") }
+    end
+
+    context "with a git source" do
+      let(:project_name) { "git_source" }
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.6.0")) }
+      its([:fetcher]) { is_expected.to be_nil }
+    end
+
+    context "when Bundler's compact index is down" do
+      before do
+        stub_request(:get, "https://index.rubygems.org/versions").
+          to_return(status: 500, body: "We'll be back soon")
+        stub_request(:get, "https://index.rubygems.org/info/public_suffix").
+          to_return(status: 500, body: "We'll be back soon")
+        stub_request(:get, old_index_url).to_return(status: 200)
+        stub_request(:get, old_index_url + "?gems=business,statesman").
+          to_return(
+            status: 200,
+            body: fixture("ruby",
+                          "rubygems_responses",
+                          "dependencies-default-gemfile")
+          )
+      end
+
+      its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) }
+      its([:fetcher]) { is_expected.to eq("Bundler::Fetcher::Dependency") }
+    end
+  end
+end

bundler/helpers/v2/spec/functions_spec.rb

@@ -8,8 +8,6 @@
     force_update: [ :dir, :dependency_name, :target_version, :gemfile_name, :lockfile_name, :using_bundler2,
                     :credentials, :update_multiple_dependencies ],
     private_registry_versions: [:gemfile_name, :dependency_name, :dir, :credentials ],
-    resolve_version: [:dependency_name, :dependency_requirements, :gemfile_name, :lockfile_name, :using_bundler2,
-                      :dir, :credentials],
     jfrog_source: [:dir, :gemfile_name, :credentials, :using_bundler2],
     git_specs: [:dir, :gemfile_name, :credentials, :using_bundler2],
   }.each do |function, kwargs|

bundler/spec/dependabot/bundler/update_checker/version_resolver_spec.rb

@@ -20,7 +20,7 @@
       }],
       unlock_requirement: unlock_requirement,
       latest_allowable_version: latest_allowable_version,
-      options: {}
+      options: { bundler_2_available: bundler_2_available? }
     )
   end
   let(:ignored_versions) { [] }
@@ -98,7 +98,7 @@
         # end
       end
 
-      context "with a Bundler version specified" do
+      context "with a Bundler v1 version specified", :bundler_v1_only do
         let(:requirement_string) { "~> 1.4.0" }
 
         let(:dependency_files) { project_dependency_files("bundler1/bundler_specified") }
@@ -130,6 +130,67 @@
         end
       end
 
+      context "with a Bundler v2 version specified", :bundler_v2_only do
+        let(:requirement_string) { "~> 1.4.0" }
+
+        let(:dependency_files) { project_dependency_files("bundler2/bundler_specified") }
+        its([:version]) { is_expected.to eq(Gem::Version.new("1.4.0")) }
+
+        context "attempting to update Bundler" do
+          let(:dependency_name) { "bundler" }
+          let(:requirement_string) { "~> 2.2.0" }
+
+          let(:dependency_files) { project_dependency_files("bundler2/bundler_specified") }
+
+          it "returns nil as resolution returns the bundler version installed by core" do
+            expect(subject).to be_nil
+          end
+        end
+      end
+
+      context "with a dependency that requiers bundler v1", :bundler_v1_only do
+        let(:dependency_name) { "guard-bundler" }
+        let(:requirement_string) { "2.2.1" }
+
+        let(:dependency_files) { project_dependency_files("bundler1/requires_bundler") }
+        its([:version]) { is_expected.to eq(Gem::Version.new("2.2.1")) }
+      end
+
+      context "when bundled with v1 and requesting a version that requires bundler v2", :bundler_v1_only do
+        let(:dependency_name) { "guard-bundler" }
+        let(:requirement_string) { "~> 3.0.0" }
+
+        let(:dependency_files) { project_dependency_files("bundler1/requires_bundler") }
+
+        it "raises a DependencyFileNotResolvable error" do
+          expect { subject }.
+            to raise_error(Dependabot::DependencyFileNotResolvable)
+        end
+      end
+
+      context "with a dependency that requiers bundler v2", :bundler_v2_only do
+        let(:dependency_name) { "guard-bundler" }
+        let(:requirement_string) { "3.0.0" }
+
+        let(:dependency_files) { project_dependency_files("bundler2/requires_bundler") }
+
+        pending "resolves version" do
+          expect(subject.version).to eq(Gem::Version.new("3.0.0"))
+        end
+      end
+
+      context "when bundled with v2 and requesting a version that requires bundler v1", :bundler_v2_only do
+        let(:dependency_name) { "guard-bundler" }
+        let(:requirement_string) { "~> 2.2.0" }
+
+        let(:dependency_files) { project_dependency_files("bundler2/requires_bundler") }
+
+        pending "raises a DependencyFileNotResolvable error" do
+          expect { subject }.
+            to raise_error(Dependabot::DependencyFileNotResolvable)
+        end
+      end
+
       context "with a default gem specified" do
         let(:requirement_string) { "~> 1.4" }
 
@@ -192,7 +253,7 @@
             allow(Dependabot::Bundler::NativeHelpers).
               to receive(:run_bundler_subprocess).
               with({
-                     bundler_version: "1",
+                     bundler_version: bundler_2_available? ? "2" : "1",
                      function: "resolve_version",
                      args: anything
                    }).
@@ -384,18 +445,29 @@
             to eq(Gem::Version.new("2.0.1"))
         end
 
-        context "that isn't satisfied by the dependencies" do
+        context "that isn't satisfied by the dependencies", :bundler_v1_only do
           let(:dependency_files) do
             project_dependency_files("bundler1/imports_gemspec_version_clash_old_required_ruby_no_lockfile")
           end
-          let(:gemfile_fixture_name) { "imports_gemspec_version_clash" }
           let(:current_version) { "3.0.1" }
 
           it "ignores the minimum ruby version in the gemspec" do
             expect(resolver.latest_resolvable_version_details[:version]).
               to eq(Gem::Version.new("7.2.0"))
           end
         end
+
+        context "that isn't satisfied by the dependencies", :bundler_v2_only do
+          let(:dependency_files) do
+            project_dependency_files("bundler2/imports_gemspec_version_clash_old_required_ruby_no_lockfile")
+          end
+          let(:current_version) { "3.0.1" }
+
+          it "raises a DependencyFileNotResolvable error" do
+            expect { subject }.
+              to raise_error(Dependabot::DependencyFileNotResolvable)
+          end
+        end
       end
     end
   end