bundler 1.2.4 → 1.2.5

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+## 1.2.5 (Feb 24, 2013)
+
+Bugfixes:
+
+  - install Gemfiles with HTTP sources even without OpenSSL present
+  - display CerficateFailureError message in full
+
 ## 1.2.4 (Feb 12, 2013)
 
 Features:

data/lib/bundler/fetcher.rb

@@ -4,10 +4,24 @@ require 'bundler/vendored_persistent'
 module Bundler
   # Handles all the fetching with the rubygems server
   class Fetcher
+    # How many redirects to allew in one request
     REDIRECT_LIMIT = 5
     # how long to wait for each gemcutter API call
-    API_TIMEOUT    = 10
-    class FallbackError < Bundler::HTTPError; end
+    API_TIMEOUT = 10
+
+    # This error is raised if the API returns a 413 (only printed in verbose)
+    class FallbackError < HTTPError; end
+    # This is the error raised if OpenSSL fails the cert verification
+    class CertificateFailureError < HTTPError
+      def initialize(remote_uri)
+        super "Could not verify the SSL certificate for #{remote_uri}.\nThere" \
+          " is a chance you are experiencing a man-in-the-middle attack, but" \
+          " most likely your system doesn't have the CA certificates needed" \
+          " for verification. For information about OpenSSL certificates, see" \
+          " bit.ly/ssl-certs. To connect without using SSL, edit your Gemfile" \
+          " sources and change 'https' to 'http'."
+      end
+    end
 
     attr_reader :has_api
 
@@ -46,8 +60,19 @@ module Bundler
     def initialize(remote_uri)
       @remote_uri = remote_uri
       @has_api    = true # will be set to false if the rubygems index is ever fetched
-      @@connection ||= Net::HTTP::Persistent.new nil, :ENV
-      @@connection.read_timeout = API_TIMEOUT
+
+      if USE_PERSISTENT
+        @connection ||= Net::HTTP::Persistent.new 'bundler', :ENV
+      else
+        if @remote_uri.scheme == "https"
+          raise Bundler::HTTPError, "Could not load OpenSSL.\n" \
+            "You must recompile Ruby with OpenSSL support or change the sources in your " \
+            "Gemfile from 'https' to 'http'. Instructions for compiling with OpenSSL " \
+            "using RVM are available at rvm.io/packages/openssl."
+        end
+        @connection ||= Net::HTTP.new(@remote_uri.host, @remote_uri.port)
+      end
+      @connection.read_timeout = API_TIMEOUT
 
       Socket.do_not_reverse_lookup = true
     end
@@ -66,8 +91,9 @@ module Bundler
     # return the specs in the bundler format as an index
     def specs(gem_names, source)
       index = Index.new
+      use_full_source_index = !gem_names || @remote_uri.scheme == "file" || Bundler::Fetcher.disable_endpoint
 
-      if !gem_names || @remote_uri.scheme == "file" || Bundler::Fetcher.disable_endpoint
+      if use_full_source_index
         Bundler.ui.info "Fetching source index from #{strip_user_pass_from_uri(@remote_uri)}"
         specs = fetch_all_remote_specs
       else
@@ -110,6 +136,9 @@ module Bundler
       end
 
       index
+    rescue OpenSSL::SSL::SSLError
+      Bundler.ui.info "" if !use_full_source_index # newline after dots
+      raise CertificateFailureError.new(strip_user_pass_from_uri(@remote_uri))
     end
 
     # fetch index
@@ -133,16 +162,25 @@ module Bundler
 
   private
 
+    HTTP_ERRORS = [
+      Timeout::Error, EOFError, SocketError,
+      Errno::EINVAL, Errno::ECONNRESET, Errno::ETIMEDOUT, Errno::EAGAIN,
+      Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError, Net::ProtocolError
+    ]
+    HTTP_ERRORS << Net::HTTP::Persistent::Error if defined?(Net::HTTP::Persistent)
+
     def fetch(uri, counter = 0)
       raise HTTPError, "Too many redirects" if counter >= REDIRECT_LIMIT
 
       begin
         Bundler.ui.debug "Fetching from: #{uri}"
-        response = nil
-        response = @@connection.request(uri)
-      rescue Timeout::Error, Errno::EINVAL, Errno::ECONNRESET, EOFError,
-             SocketError, Net::HTTPBadResponse, Net::HTTPHeaderSyntaxError,
-             Net::HTTP::Persistent::Error, Net::ProtocolError => e
+        if USE_PERSISTENT
+          response = @connection.request(uri)
+        else
+          req = Net::HTTP::Get.new uri.request_uri
+          response = @connection.request(req)
+        end
+      rescue *HTTP_ERRORS
         raise HTTPError, "Network error while fetching #{uri}"
       end
 
@@ -216,8 +254,12 @@ module Bundler
         rescue Gem::RemoteFetcher::FetchError
           Bundler.ui.debug "Could not fetch prerelease specs from #{strip_user_pass_from_uri(@remote_uri)}"
         end
-      rescue Gem::RemoteFetcher::FetchError
-        raise HTTPError, "Could not reach #{strip_user_pass_from_uri(@remote_uri)}"
+      rescue Gem::RemoteFetcher::FetchError => e
+        if e.message.match("certificate verify failed")
+          raise CertificateFailureError.new(strip_user_pass_from_uri(@remote_uri))
+        else
+          raise HTTPError, "Could not fetch specs from #{strip_user_pass_from_uri(@remote_uri)}"
+        end
       end
 
       return spec_list

data/lib/bundler/vendored_persistent.rb

@@ -1,3 +1,15 @@
-vendor = File.expand_path('../vendor', __FILE__)
-$:.unshift(vendor) unless $:.include?(vendor)
-require 'net/http/persistent'
+begin
+  require 'openssl'
+  OpenSSL # ensure OpenSSL is loaded
+
+  vendor = File.expand_path('../vendor', __FILE__)
+  $:.unshift(vendor) unless $:.include?(vendor)
+  require 'net/http/persistent'
+
+  USE_PERSISTENT = true
+
+rescue LoadError, NameError => e
+  require 'net/http'
+  USE_PERSISTENT = false
+
+end

data/lib/bundler/version.rb

@@ -2,5 +2,5 @@ module Bundler
   # We're doing this because we might write tests that deal
   # with other versions of bundler and we are unsure how to
   # handle this better.
-  VERSION = "1.2.4" unless defined?(::Bundler::VERSION)
+  VERSION = "1.2.5" unless defined?(::Bundler::VERSION)
 end

data/spec/install/gems/dependency_api_spec.rb

@@ -483,4 +483,47 @@ OUTPUT
     end
   end
 
+  context "when SSL certificate verification fails" do
+    it "explains what is going on" do
+      # Install a monkeypatch that reproduces the effects of openssl raising
+      # a certificate validation error at the appropriate moment.
+      gemfile <<-G
+        class Bundler::Fetcher
+          def fetch_all_remote_specs
+            raise OpenSSL::SSL::SSLError, "Certificate invalid"
+          end
+        end
+
+        source "#{source_uri.gsub(/http/, 'https')}"
+        gem "rack"
+      G
+
+      bundle :install
+      expect(out).to match(/could not verify the SSL certificate/i)
+    end
+  end
+
+  context ".gemrc with sources is present" do
+    before do
+      File.open(home('.gemrc'), 'w') do |file|
+        file.puts({:sources => ["https://rubygems.org"]}.to_yaml)
+      end
+    end
+
+    after do
+      home('.gemrc').rmtree
+    end
+
+    it "uses other sources declared in the Gemfile" do
+      gemfile <<-G
+        source "#{source_uri}"
+        gem 'rack'
+      G
+
+      bundle "install", :exitstatus => true, :artifice => "endpoint_marshal_fail"
+
+      expect(exitstatus).to eq(0)
+    end
+  end
+
 end

data/spec/install/gems/simple_case_spec.rb

@@ -310,7 +310,7 @@ describe "bundle install with gem sources" do
       G
 
       bundle :install
-      out.should include("Could not reach http://localhost:9384/")
+      out.should include("Could not fetch specs from http://localhost:9384/")
       out.should_not include("file://")
     end
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 1.2.4
+  version: 1.2.5
   prerelease: 
 platform: ruby
 authors:
@@ -12,7 +12,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-02-14 00:00:00.000000000 Z
+date: 2013-02-25 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: ronn
@@ -276,7 +276,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: 1.3.6
 requirements: []
 rubyforge_project: bundler
-rubygems_version: 1.8.24
+rubygems_version: 1.8.23
 signing_key: 
 specification_version: 3
 summary: The best way to manage your application's dependencies
@@ -362,4 +362,3 @@ test_files:
 - spec/update/gems_spec.rb
 - spec/update/git_spec.rb
 - spec/update/source_spec.rb
-has_rdoc: