bundler 1.7.7 → 1.7.8

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: a89eb823ec7cbdb414f00ff9332326cfc87dee65
-  data.tar.gz: 547184539810c8c7c3ff1bfb5f7863c7408360e1
+  metadata.gz: adfd35f4416630e7c51fc82b523f4f6def3bc717
+  data.tar.gz: 198dfe3a2a9841f9bf269ce3a21156acbaf584ac
 SHA512:
-  metadata.gz: d8c4602184d1fae30a6feb1cd9b798737ef3d1dc03bdc42d917283232c3527d4f16242af034ace71a701973acc77c207ae7b12c6e0ae40893e795b299b85cc9b
-  data.tar.gz: a5246b6165e3463a9e38edb0fd7cf8c28db10c97a60f5e8c7a668d0336dd8b28e2bbf79b9d92b36e8d505130b2d8170f8b19f5db8e084c01c3010403b1c8c821
+  metadata.gz: e6d8cb12624484c125a154268bc1f02ec058353ce05b1a487cedf53504380a34ac33a8ed131e203bd4dd63b29d39e3bc2b19afd3d572106370dd3748f0c6ebce
+  data.tar.gz: bd488989524220b9b6b9bf096ba93199e3c27e4d823c34972156aabeee8d4b8f593504308131177196036f8fd30bffc3aee95d05bf005ce53695f9fa0161884b

data/CHANGELOG.md

@@ -1,3 +1,9 @@
+## 1.7.8 (2014-12-06)
+
+Bugfixes:
+
+  - Hide credentials while warning about gems with ambiguous sources (#3256, @tmoore)
+
 ## 1.7.7 (2014-11-19)
 
 Bugfixes:

data/lib/bundler.rb

@@ -12,6 +12,7 @@ module Bundler
   preserve_gem_path
   ORIGINAL_ENV = ENV.to_hash
 
+  autoload :AnonymizableURI,       'bundler/anonymizable_uri'
   autoload :Definition,            'bundler/definition'
   autoload :Dependency,            'bundler/dependency'
   autoload :DepProxy,              'bundler/dep_proxy'

data/lib/bundler/anonymizable_uri.rb

@@ -0,0 +1,16 @@
+module Bundler
+  class AnonymizableURI
+    attr_reader :original_uri,
+                :without_credentials
+
+    def initialize(original_uri)
+      @original_uri = original_uri.freeze
+      @without_credentials ||=
+        if original_uri.userinfo
+          original_uri.dup.tap { |uri| uri.user = uri.password = nil }.freeze
+        else
+          original_uri
+        end
+    end
+  end
+end

data/lib/bundler/fetcher.rb

@@ -96,8 +96,7 @@ module Bundler
       @max_retries    = 3  # How many retries for the API call
 
       @remote_uri = Bundler::Source.mirror_for(remote_uri)
-      @public_uri = @remote_uri.dup
-      @public_uri.user, @public_uri.password = nil, nil # don't print these
+      @anonymizable_uri = AnonymizableURI.new(@remote_uri.dup) unless @remote_uri.nil?
 
       Socket.do_not_reverse_lookup = true
       connection # create persistent connection
@@ -131,7 +130,7 @@ module Bundler
     end
 
     def uri
-      @public_uri
+      @anonymizable_uri.without_credentials unless @anonymizable_uri.nil?
     end
 
     # fetch a gem specification
@@ -186,7 +185,7 @@ module Bundler
           spec = RemoteSpecification.new(name, version, platform, self)
         end
         spec.source = source
-        spec.source_uri = @remote_uri
+        spec.source_uri = @anonymizable_uri
         index << spec
       end
 
@@ -387,6 +386,7 @@ module Bundler
       raise AuthenticationRequiredError.new(uri) if auth.nil?
 
       @remote_uri.user, @remote_uri.password = *auth.split(":", 2)
+      @anonymizable_uri = AnonymizableURI.new(@remote_uri.dup)
       yield
     end
 

data/lib/bundler/source/rubygems.rb

@@ -83,9 +83,8 @@ module Bundler
         # by rubygems.org are broken and wrong.
         if spec.source_uri
           # Check for this spec from other sources
-          uris = [spec.source_uri]
+          uris = [spec.source_uri.without_credentials]
           uris += source_uris_for_spec(spec)
-          uris.compact!
           uris.uniq!
           Installer.ambiguous_gems << [spec.name, *uris] if uris.length > 1
 
@@ -186,14 +185,15 @@ module Bundler
         end
       end
 
-    protected
+    private
 
       def source_uris_for_spec(spec)
-        specs.search_all(spec.name).map{|s| s.source_uri }
+        specs.search_all(spec.name).inject([]) do |uris, spec|
+          uris << spec.source_uri.without_credentials if spec.source_uri
+          uris
+        end
       end
 
-    private
-
       def cached_gem(spec)
         cached_gem = cached_path(spec)
         unless cached_gem
@@ -330,7 +330,7 @@ module Bundler
 
       def fetch_gem(spec)
         return false unless spec.source_uri
-        Fetcher.download_gem_from_uri(spec, spec.source_uri)
+        Fetcher.download_gem_from_uri(spec, spec.source_uri.original_uri)
       end
 
       def builtin_gem?(spec)

data/lib/bundler/version.rb

@@ -2,5 +2,5 @@ module Bundler
   # We're doing this because we might write tests that deal
   # with other versions of bundler and we are unsure how to
   # handle this better.
-  VERSION = "1.7.7" unless defined?(::Bundler::VERSION)
+  VERSION = "1.7.8" unless defined?(::Bundler::VERSION)
 end

data/spec/bundler/anonymizable_uri_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+require 'bundler/anonymizable_uri'
+
+describe Bundler::AnonymizableURI do
+  let(:anonymizable_uri) { Bundler::AnonymizableURI.new(original_uri) }
+
+  describe "#without_credentials" do
+    context "when the original URI has no credentials" do
+      let(:original_uri) { URI('https://rubygems.org') }
+
+      it "returns the original URI" do
+        expect(anonymizable_uri.without_credentials).to eq(original_uri)
+      end
+    end
+
+    context "when the original URI has a username and password" do
+      let(:original_uri) { URI("https://username:password@gems.example.com") }
+
+      it "returns the URI without username and password" do
+        expect(anonymizable_uri.without_credentials).to eq(URI("https://gems.example.com"))
+      end
+    end
+
+    context "when the original URI has only a username" do
+      let(:original_uri) { URI("https://SeCrEt-ToKeN@gem.fury.io/me/") }
+
+      it "returns the URI without username and password" do
+        expect(anonymizable_uri.without_credentials).to eq(URI("https://gem.fury.io/me/"))
+      end
+    end
+  end
+end

data/spec/install/gems/dependency_api_spec.rb

@@ -444,6 +444,19 @@ describe "gemcutter's dependency API" do
       expect(out).not_to include("#{user}:#{password}")
     end
 
+    it "strips http basic auth creds when warning about ambiguous sources" do
+      gemfile <<-G
+        source "#{basic_auth_source_uri}"
+        source "file://#{gem_repo1}"
+        gem "rack"
+      G
+
+      bundle :install, :artifice => "endpoint_basic_authentication"
+      expect(out).to include("Warning: the gem 'rack' was found in multiple sources.")
+      expect(out).not_to include("#{user}:#{password}")
+      should_be_installed "rack 1.0.0"
+    end
+
     it "does not pass the user / password to different hosts on redirect" do
       gemfile <<-G
         source "#{basic_auth_source_uri}"

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: bundler
 version: !ruby/object:Gem::Version
-  version: 1.7.7
+  version: 1.7.8
 platform: ruby
 authors:
 - André Arko
@@ -11,7 +11,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2014-11-21 00:00:00.000000000 Z
+date: 2014-12-07 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: mustache
@@ -95,6 +95,7 @@ files:
 - bin/bundler
 - bundler.gemspec
 - lib/bundler.rb
+- lib/bundler/anonymizable_uri.rb
 - lib/bundler/capistrano.rb
 - lib/bundler/cli.rb
 - lib/bundler/cli/binstubs.rb
@@ -264,6 +265,7 @@ files:
 - man/bundle.ronn
 - man/gemfile.5.ronn
 - man/index.txt
+- spec/bundler/anonymizable_uri_spec.rb
 - spec/bundler/bundler_spec.rb
 - spec/bundler/cli_spec.rb
 - spec/bundler/definition_spec.rb
@@ -397,6 +399,7 @@ signing_key:
 specification_version: 4
 summary: The best way to manage your application's dependencies
 test_files:
+- spec/bundler/anonymizable_uri_spec.rb
 - spec/bundler/bundler_spec.rb
 - spec/bundler/cli_spec.rb
 - spec/bundler/definition_spec.rb