✨ GitLab: Code Review check (ossf#2764)

* Add GitLab support for Code-Review check

Signed-off-by: Raghav Kaul <[email protected]>

* Remove spurious printf

Signed-off-by: Raghav Kaul <[email protected]>

* Working commit

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* update

Signed-off-by: Raghav Kaul <[email protected]>

* e2e test

Signed-off-by: Raghav Kaul <[email protected]>

* update: test coverage

Signed-off-by: Raghav Kaul <[email protected]>

---------

Signed-off-by: Raghav Kaul <[email protected]>
Signed-off-by: Avishay <[email protected]>

Author: raghavkaul

checks/evaluation/code_review.go

@@ -105,7 +105,10 @@ func CodeReview(name string, dl checker.DetailLogger, r *checker.CodeReviewData)
 		}
 		return checker.CreateResultWithScore(
 			name,
-			fmt.Sprintf("found %v unreviewed human changesets", nUnreviewedHumanChanges),
+			fmt.Sprintf(
+				"found %v unreviewed human changesets (%d total)",
+				nUnreviewedHumanChanges, len(r.DefaultBranchChangesets),
+			),
 			score,
 		)
 	}

clients/gitlabrepo/client.go

@@ -52,6 +52,7 @@ type Client struct {
 	languages     *languagesHandler
 	licenses      *licensesHandler
 	tarball       *tarballHandler
+	graphql       *graphqlHandler
 	ctx           context.Context
 	commitDepth   int
 }
@@ -78,7 +79,9 @@ func (client *Client) InitRepo(inputRepo clients.Repo, commitSHA string, commitD
 	client.repourl = &repoURL{
 		scheme:        glRepo.scheme,
 		host:          glRepo.host,
-		project:       fmt.Sprint(repo.ID),
+		owner:         glRepo.owner,
+		project:       glRepo.project,
+		projectID:     fmt.Sprint(repo.ID),
 		defaultBranch: repo.DefaultBranch,
 		commitSHA:     commitSHA,
 	}
@@ -132,6 +135,9 @@ func (client *Client) InitRepo(inputRepo clients.Repo, commitSHA string, commitD
 	// Init tarballHandler
 	client.tarball.init(client.ctx, client.repourl, repo, commitSHA)
 
+	// Init graphqlHandler
+	client.graphql.init(client.ctx, client.repourl)
+
 	return nil
 }
 
@@ -152,7 +158,22 @@ func (client *Client) GetFileContent(filename string) ([]byte, error) {
 }
 
 func (client *Client) ListCommits() ([]clients.Commit, error) {
-	return client.commits.listCommits()
+	// Get commits from REST API
+	commitsRaw, err := client.commits.listRawCommits()
+	if err != nil {
+		return []clients.Commit{}, err
+	}
+
+	// Get merge request details from GraphQL
+	// GitLab REST API doesn't provide a way to link Merge Requests and Commits that
+	// are within them without making a REST call for each commit (~30 by default)
+	// Making 1 GraphQL query to combine the results of 2 REST calls, we avoid this
+	mrDetails, err := client.graphql.getMergeRequestsDetail()
+	if err != nil {
+		return []clients.Commit{}, err
+	}
+
+	return client.commits.zip(commitsRaw, mrDetails), nil
 }
 
 func (client *Client) ListIssues() ([]clients.Issue, error) {
@@ -278,6 +299,7 @@ func CreateGitlabClientWithToken(ctx context.Context, token string, repo clients
 		},
 		licenses: &licensesHandler{},
 		tarball:  &tarballHandler{},
+		graphql:  &graphqlHandler{},
 	}, nil
 }
 

clients/gitlabrepo/client_test.go

@@ -0,0 +1,55 @@
+// Copyright 2023 OpenSSF Scorecard Authors
+//
+// Licensed under the Apache License, Version 2.0 (the "License");
+// you may not use this file except in compliance with the License.
+// You may obtain a copy of the License at
+//
+//      http://www.apache.org/licenses/LICENSE-2.0
+//
+// Unless required by applicable law or agreed to in writing, software
+// distributed under the License is distributed on an "AS IS" BASIS,
+// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+// See the License for the specific language governing permissions and
+// limitations under the License.
+
+package gitlabrepo
+
+import (
+	"context"
+	"testing"
+)
+
+func Test_InitRepo(t *testing.T) {
+	t.Parallel()
+	tcs := []struct {
+		name    string
+		repourl string
+		commit  string
+		depth   int
+	}{
+		{
+			repourl: "https://gitlab.com/fdroid/fdroidclient",
+			commit:  "a4bbef5c70fd2ac7c15437a22ef0f9ef0b447d08",
+			depth:   20,
+		},
+	}
+
+	for _, tt := range tcs {
+		t.Run(tt.name, func(t *testing.T) {
+			repo, err := MakeGitlabRepo(tt.repourl)
+			if err != nil {
+				t.Error("couldn't make gitlab repo", err)
+			}
+
+			client, err := CreateGitlabClientWithToken(context.Background(), "", repo)
+			if err != nil {
+				t.Error("couldn't make gitlab client", err)
+			}
+
+			err = client.InitRepo(repo, tt.commit, tt.depth)
+			if err != nil {
+				t.Error("couldn't init gitlab repo", err)
+			}
+		})
+	}
+}

clients/gitlabrepo/commits.go

@@ -16,6 +16,7 @@ package gitlabrepo
 
 import (
 	"fmt"
+	"strconv"
 	"strings"
 	"sync"
 
@@ -25,11 +26,11 @@ import (
 )
 
 type commitsHandler struct {
-	glClient *gitlab.Client
-	once     *sync.Once
-	errSetup error
-	repourl  *repoURL
-	commits  []clients.Commit
+	glClient   *gitlab.Client
+	once       *sync.Once
+	errSetup   error
+	repourl    *repoURL
+	commitsRaw []*gitlab.Commit
 }
 
 func (handler *commitsHandler) init(repourl *repoURL) {
@@ -38,123 +39,118 @@ func (handler *commitsHandler) init(repourl *repoURL) {
 	handler.once = new(sync.Once)
 }
 
-// nolint: gocognit
 func (handler *commitsHandler) setup() error {
 	handler.once.Do(func() {
-		commits, _, err := handler.glClient.Commits.ListCommits(handler.repourl.project, &gitlab.ListCommitsOptions{})
+		commits, _, err := handler.glClient.Commits.ListCommits(handler.repourl.projectID, &gitlab.ListCommitsOptions{})
 		if err != nil {
 			handler.errSetup = fmt.Errorf("request for commits failed with %w", err)
 			return
 		}
+		handler.commitsRaw = commits
+	})
 
-		// To limit the number of user requests we are going to map every committer email
-		// to a user.
-		userToEmail := make(map[string]*gitlab.User)
-		for _, commit := range commits {
-			user, ok := userToEmail[commit.AuthorEmail]
-			if !ok {
-				users, _, err := handler.glClient.Search.Users(commit.CommitterName, &gitlab.SearchOptions{})
-				if err != nil {
-					// Possibility this shouldn't be an issue as individuals can leave organizations
-					// (possibly taking their account with them)
-					handler.errSetup = fmt.Errorf("unable to find user associated with commit: %w", err)
-					return
-				}
-
-				// For some reason some users have unknown names, so below we are going to parse their email into pieces.
-				// i.e. ([email protected]) -> "firstname lastname".
-				if len(users) == 0 {
-					users, _, err = handler.glClient.Search.Users(parseEmailToName(commit.CommitterEmail), &gitlab.SearchOptions{})
-					if err != nil {
-						handler.errSetup = fmt.Errorf("unable to find user associated with commit: %w", err)
-						return
-					}
-				}
-				userToEmail[commit.AuthorEmail] = users[0]
-				user = users[0]
-			}
+	return handler.errSetup
+}
 
-			// Commits are able to be a part of multiple merge requests, but the only one that will be important
-			// here is the earliest one.
-			mergeRequests, _, err := handler.glClient.Commits.ListMergeRequestsByCommit(handler.repourl.project, commit.ID)
-			if err != nil {
-				handler.errSetup = fmt.Errorf("unable to find merge requests associated with commit: %w", err)
-				return
-			}
-			var mergeRequest *gitlab.MergeRequest
-			if len(mergeRequests) > 0 {
-				mergeRequest = mergeRequests[0]
-				for i := range mergeRequests {
-					if mergeRequests[i] == nil || mergeRequests[i].MergedAt == nil {
-						continue
-					}
-					if mergeRequests[i].CreatedAt.Before(*mergeRequest.CreatedAt) {
-						mergeRequest = mergeRequests[i]
-					}
-				}
-			} else {
-				handler.commits = append(handler.commits, clients.Commit{
-					CommittedDate: *commit.CommittedDate,
-					Message:       commit.Message,
-					SHA:           commit.ID,
-				})
-				continue
-			}
+func (handler *commitsHandler) listRawCommits() ([]*gitlab.Commit, error) {
+	if err := handler.setup(); err != nil {
+		return nil, fmt.Errorf("error during commitsHandler.setup: %w", err)
+	}
+
+	return handler.commitsRaw, nil
+}
 
-			if mergeRequest == nil || mergeRequest.MergedAt == nil {
-				handler.commits = append(handler.commits, clients.Commit{
-					CommittedDate: *commit.CommittedDate,
-					Message:       commit.Message,
-					SHA:           commit.ID,
-				})
+// zip combines Commit and MergeRequest information from the GitLab REST API with
+// information from the GitLab GraphQL API. The REST API doesn't provide any way to
+// get from Commits -> MRs that they were part of or vice-versa (MRs -> commits they
+// contain), except through a separate API call. Instead of calling the REST API
+// len(commits) times to get the associated MR, we make 3 calls (2 REST, 1 GraphQL).
+func (handler *commitsHandler) zip(commitsRaw []*gitlab.Commit, data graphqlData) []clients.Commit {
+	commitToMRIID := make(map[string]string) // which mr does a commit belong to?
+	for i := range data.Project.MergeRequests.Nodes {
+		mr := data.Project.MergeRequests.Nodes[i]
+		for _, commit := range mr.Commits.Nodes {
+			commitToMRIID[commit.SHA] = mr.IID
+		}
+		commitToMRIID[mr.MergeCommitSHA] = mr.IID
+	}
+
+	iidToMr := make(map[string]clients.PullRequest)
+	for i := range data.Project.MergeRequests.Nodes {
+		mr := data.Project.MergeRequests.Nodes[i]
+		// Two GitLab APIs for reviews (reviews vs. approvals)
+		// Use a map to consolidate results from both APIs by the user ID who performed review
+		reviews := make(map[string]clients.Review)
+		for _, reviewer := range mr.Reviewers.Nodes {
+			reviews[reviewer.Username] = clients.Review{
+				Author: &clients.User{Login: reviewer.Username},
+				State:  "COMMENTED",
 			}
+		}
 
-			// Casting the Reviewers into clients.Review.
-			var reviews []clients.Review
-			for _, reviewer := range mergeRequest.Reviewers {
-				reviews = append(reviews, clients.Review{
-					Author: &clients.User{ID: int64(reviewer.ID)},
-					State:  "",
-				})
+		if fmt.Sprintf("%v", mr.IID) != mr.IID {
+			continue
+		}
+
+		// Check approvers
+		for _, approver := range mr.Approvers.Nodes {
+			reviews[approver.Username] = clients.Review{
+				Author: &clients.User{Login: approver.Username},
+				State:  "APPROVED",
 			}
+			break
+		}
 
-			// Casting the Labels into []clients.Label.
-			var labels []clients.Label
-			for _, label := range mergeRequest.Labels {
-				labels = append(labels, clients.Label{
-					Name: label,
-				})
+		// Check reviewers (sometimes unofficial approvals end up here)
+		for _, reviewer := range mr.Reviewers.Nodes {
+			if reviewer.MergeRequestInteraction.ReviewState != "REVIEWED" {
+				continue
 			}
+			reviews[reviewer.Username] = clients.Review{
+				Author: &clients.User{Login: reviewer.Username},
+				State:  "APPROVED",
+			}
+			break
+		}
 
-			// append the commits to the handler.
-			handler.commits = append(handler.commits,
-				clients.Commit{
-					CommittedDate: *commit.CommittedDate,
-					Message:       commit.Message,
-					SHA:           commit.ID,
-					AssociatedMergeRequest: clients.PullRequest{
-						Number:   mergeRequest.ID,
-						MergedAt: *mergeRequest.MergedAt,
-						HeadSHA:  mergeRequest.SHA,
-						Author:   clients.User{ID: int64(mergeRequest.Author.ID)},
-						Labels:   labels,
-						Reviews:  reviews,
-						MergedBy: clients.User{ID: int64(mergeRequest.MergedBy.ID)},
-					},
-					Committer: clients.User{ID: int64(user.ID)},
-				})
+		vals := []clients.Review{}
+		for _, v := range reviews {
+			vals = append(vals, v)
 		}
-	})
 
-	return handler.errSetup
-}
+		var mrno int
+		mrno, err := strconv.Atoi(mr.IID)
+		if err != nil {
+			mrno = mr.ID.ID
+		}
 
-func (handler *commitsHandler) listCommits() ([]clients.Commit, error) {
-	if err := handler.setup(); err != nil {
-		return nil, fmt.Errorf("error during commitsHandler.setup: %w", err)
+		iidToMr[mr.IID] = clients.PullRequest{
+			Number:   mrno,
+			MergedAt: mr.MergedAt,
+			HeadSHA:  mr.MergeCommitSHA,
+			Author:   clients.User{Login: mr.Author.Username, ID: int64(mr.Author.ID.ID)},
+			Reviews:  vals,
+			MergedBy: clients.User{Login: mr.MergedBy.Username, ID: int64(mr.MergedBy.ID.ID)},
+		}
+	}
+
+	// Associate Merge Requests with Commits based on the GitLab Merge Request IID
+	commits := []clients.Commit{}
+	for _, cRaw := range commitsRaw {
+		// Get IID of Merge Request that this commit was merged as part of
+		mrIID := commitToMRIID[cRaw.ID]
+		associatedMr := iidToMr[mrIID]
+
+		commits = append(commits,
+			clients.Commit{
+				CommittedDate:          *cRaw.CommittedDate,
+				Message:                cRaw.Message,
+				SHA:                    cRaw.ID,
+				AssociatedMergeRequest: associatedMr,
+			})
 	}
 
-	return handler.commits, nil
+	return commits
 }
 
 // Expected email form: <firstname>.<lastname>@<namespace>.com.