libgems 0.0.1

data/lib/libgems/package/tar_input.rb

@@ -0,0 +1,222 @@
+# -*- coding: iso-8859-1 -*-
+#++
+# Copyright (C) 2004 Mauricio Julio Fern�ndez Pradier
+# See LICENSE.txt for additional licensing information.
+#--
+
+require 'zlib'
+LibGems.load_yaml
+
+class LibGems::Package::TarInput
+
+  include LibGems::Package::FSyncDir
+  include Enumerable
+
+  attr_reader :metadata
+
+  private_class_method :new
+
+  def self.open(io, security_policy = nil,  &block)
+    is = new io, security_policy
+
+    yield is
+  ensure
+    is.close if is
+  end
+
+  def initialize(io, security_policy = nil)
+    @io = io
+    @tarreader = LibGems::Package::TarReader.new @io
+    has_meta = false
+
+    data_sig, meta_sig, data_dgst, meta_dgst = nil, nil, nil, nil
+    dgst_algo = security_policy ? LibGems::Security::OPT[:dgst_algo] : nil
+
+    @tarreader.each do |entry|
+      case entry.full_name
+      when "metadata"
+        @metadata = load_gemspec entry.read
+        has_meta = true
+      when "metadata.gz"
+        begin
+          # if we have a security_policy, then pre-read the metadata file
+          # and calculate it's digest
+          sio = nil
+          if security_policy
+            LibGems.ensure_ssl_available
+            sio = StringIO.new(entry.read)
+            meta_dgst = dgst_algo.digest(sio.string)
+            sio.rewind
+          end
+
+          gzis = Zlib::GzipReader.new(sio || entry)
+          # YAML wants an instance of IO
+          @metadata = load_gemspec(gzis)
+          has_meta = true
+        ensure
+          gzis.close unless gzis.nil?
+        end
+      when 'metadata.gz.sig'
+        meta_sig = entry.read
+      when 'data.tar.gz.sig'
+        data_sig = entry.read
+      when 'data.tar.gz'
+        if security_policy
+          LibGems.ensure_ssl_available
+          data_dgst = dgst_algo.digest(entry.read)
+        end
+      end
+    end
+
+    if security_policy then
+      LibGems.ensure_ssl_available
+
+      # map trust policy from string to actual class (or a serialized YAML
+      # file, if that exists)
+      if String === security_policy then
+        if LibGems::Security::Policies.key? security_policy then
+          # load one of the pre-defined security policies
+          security_policy = LibGems::Security::Policies[security_policy]
+        elsif File.exist? security_policy then
+          # FIXME: this doesn't work yet
+          security_policy = YAML.load File.read(security_policy)
+        else
+          raise LibGems::Exception, "Unknown trust policy '#{security_policy}'"
+        end
+      end
+
+      if data_sig && data_dgst && meta_sig && meta_dgst then
+        # the user has a trust policy, and we have a signed gem
+        # file, so use the trust policy to verify the gem signature
+
+        begin
+          security_policy.verify_gem(data_sig, data_dgst, @metadata.cert_chain)
+        rescue Exception => e
+          raise "Couldn't verify data signature: #{e}"
+        end
+
+        begin
+          security_policy.verify_gem(meta_sig, meta_dgst, @metadata.cert_chain)
+        rescue Exception => e
+          raise "Couldn't verify metadata signature: #{e}"
+        end
+      elsif security_policy.only_signed
+        raise LibGems::Exception, "Unsigned gem"
+      else
+        # FIXME: should display warning here (trust policy, but
+        # either unsigned or badly signed gem file)
+      end
+    end
+
+    @tarreader.rewind
+    @fileops = LibGems::FileOperations.new
+
+    raise LibGems::Package::FormatError, "No metadata found!" unless has_meta
+  end
+
+  def close
+    @io.close
+    @tarreader.close
+  end
+
+  def each(&block)
+    @tarreader.each do |entry|
+      next unless entry.full_name == "data.tar.gz"
+      is = zipped_stream entry
+
+      begin
+        LibGems::Package::TarReader.new is do |inner|
+          inner.each(&block)
+        end
+      ensure
+        is.close if is
+      end
+    end
+
+    @tarreader.rewind
+  end
+
+  def extract_entry(destdir, entry, expected_md5sum = nil)
+    if entry.directory? then
+      dest = File.join destdir, entry.full_name
+
+      if File.directory? dest then
+        @fileops.chmod entry.header.mode, dest, :verbose => false
+      else
+        @fileops.mkdir_p dest, :mode => entry.header.mode, :verbose => false
+      end
+
+      fsync_dir dest
+      fsync_dir File.join(dest, "..")
+
+      return
+    end
+
+    # it's a file
+    md5 = Digest::MD5.new if expected_md5sum
+    destdir = File.join destdir, File.dirname(entry.full_name)
+    @fileops.mkdir_p destdir, :mode => 0755, :verbose => false
+    destfile = File.join destdir, File.basename(entry.full_name)
+    @fileops.chmod 0600, destfile, :verbose => false rescue nil # Errno::ENOENT
+
+    open destfile, "wb", entry.header.mode do |os|
+      loop do
+        data = entry.read 4096
+        break unless data
+        # HACK shouldn't we check the MD5 before writing to disk?
+        md5 << data if expected_md5sum
+        os.write(data)
+      end
+
+      os.fsync
+    end
+
+    @fileops.chmod entry.header.mode, destfile, :verbose => false
+    fsync_dir File.dirname(destfile)
+    fsync_dir File.join(File.dirname(destfile), "..")
+
+    if expected_md5sum && expected_md5sum != md5.hexdigest then
+      raise LibGems::Package::BadCheckSum
+    end
+  end
+
+  # Attempt to YAML-load a gemspec from the given _io_ parameter.  Return
+  # nil if it fails.
+  def load_gemspec(io)
+    LibGems::Specification.from_yaml io
+  rescue LibGems::Exception
+    nil
+  end
+
+  ##
+  # Return an IO stream for the zipped entry.
+  #
+  # NOTE:  Originally this method used two approaches, Return a GZipReader
+  # directly, or read the GZipReader into a string and return a StringIO on
+  # the string.  The string IO approach was used for versions of ZLib before
+  # 1.2.1 to avoid buffer errors on windows machines.  Then we found that
+  # errors happened with 1.2.1 as well, so we changed the condition.  Then
+  # we discovered errors occurred with versions as late as 1.2.3.  At this
+  # point (after some benchmarking to show we weren't seriously crippling
+  # the unpacking speed) we threw our hands in the air and declared that
+  # this method would use the String IO approach on all platforms at all
+  # times.  And that's the way it is.
+
+  def zipped_stream(entry)
+    if defined? Rubinius or defined? Maglev then
+      # these implementations have working Zlib
+      zis = Zlib::GzipReader.new entry
+      dis = zis.read
+      is = StringIO.new(dis)
+    else
+      # This is Jamis Buck's Zlib workaround for some unknown issue
+      entry.read(10) # skip the gzip header
+      zis = Zlib::Inflate.new(-Zlib::MAX_WBITS)
+      is = StringIO.new(zis.inflate(entry.read))
+    end
+  ensure
+    zis.finish if zis
+  end
+
+end
+

data/lib/libgems/package/tar_output.rb

@@ -0,0 +1,144 @@
+# -*- coding: utf-8 -*-
+#--
+# Copyright (C) 2004 Mauricio Julio Fernández Pradier
+# See LICENSE.txt for additional licensing information.
+#++
+
+##
+# TarOutput is a wrapper to TarWriter that builds gem-format tar file.
+#
+# LibGems-format tar files contain the following files:
+# [data.tar.gz] A gzipped tar file containing the files that compose the gem
+#               which will be extracted into the gem/ dir on installation.
+# [metadata.gz] A YAML format LibGems::Specification.
+# [data.tar.gz.sig] A signature for the gem's data.tar.gz.
+# [metadata.gz.sig] A signature for the gem's metadata.gz.
+#
+# See TarOutput::open for usage details.
+
+class LibGems::Package::TarOutput
+
+  ##
+  # Creates a new TarOutput which will yield a TarWriter object for the
+  # data.tar.gz portion of a gem-format tar file.
+  #
+  # See #initialize for details on +io+ and +signer+.
+  #
+  # See #add_gem_contents for details on adding metadata to the tar file.
+
+  def self.open(io, signer = nil, &block) # :yield: data_tar_writer
+    tar_outputter = new io, signer
+    tar_outputter.add_gem_contents(&block)
+    tar_outputter.add_metadata
+    tar_outputter.add_signatures
+
+  ensure
+    tar_outputter.close
+  end
+
+  ##
+  # Creates a new TarOutput that will write a gem-format tar file to +io+.  If
+  # +signer+ is given, the data.tar.gz and metadata.gz will be signed and
+  # the signatures will be added to the tar file.
+
+  def initialize(io, signer)
+    @io = io
+    @signer = signer
+
+    @tar_writer = LibGems::Package::TarWriter.new @io
+
+    @metadata = nil
+
+    @data_signature = nil
+    @meta_signature = nil
+  end
+
+  ##
+  # Yields a TarWriter for the data.tar.gz inside a gem-format tar file.
+  # The yielded TarWriter has been extended with a #metadata= method for
+  # attaching a YAML format LibGems::Specification which will be written by
+  # add_metadata.
+
+  def add_gem_contents
+    @tar_writer.add_file "data.tar.gz", 0644 do |inner|
+      sio = @signer ? StringIO.new : nil
+      Zlib::GzipWriter.wrap(sio || inner) do |os|
+
+        LibGems::Package::TarWriter.new os do |data_tar_writer|
+          # :stopdoc:
+          def data_tar_writer.metadata() @metadata end
+          def data_tar_writer.metadata=(metadata) @metadata = metadata end
+          # :startdoc:
+
+          yield data_tar_writer
+
+          @metadata = data_tar_writer.metadata
+        end
+      end
+
+      # if we have a signing key, then sign the data
+      # digest and return the signature
+      if @signer then
+        digest = LibGems::Security::OPT[:dgst_algo].digest sio.string
+        @data_signature = @signer.sign digest
+        inner.write sio.string
+      end
+    end
+
+    self
+  end
+
+  ##
+  # Adds metadata.gz to the gem-format tar file which was saved from a
+  # previous #add_gem_contents call.
+
+  def add_metadata
+    return if @metadata.nil?
+
+    @tar_writer.add_file "metadata.gz", 0644 do |io|
+      begin
+        sio = @signer ? StringIO.new : nil
+        gzos = Zlib::GzipWriter.new(sio || io)
+        gzos.write @metadata
+      ensure
+        gzos.flush
+        gzos.finish
+
+        # if we have a signing key, then sign the metadata digest and return
+        # the signature
+        if @signer then
+          digest = LibGems::Security::OPT[:dgst_algo].digest sio.string
+          @meta_signature = @signer.sign digest
+          io.write sio.string
+        end
+      end
+    end
+  end
+
+  ##
+  # Adds data.tar.gz.sig and metadata.gz.sig to the gem-format tar files if
+  # a LibGems::Security::Signer was sent to initialize.
+
+  def add_signatures
+    if @data_signature then
+      @tar_writer.add_file 'data.tar.gz.sig', 0644 do |io|
+        io.write @data_signature
+      end
+    end
+
+    if @meta_signature then
+      @tar_writer.add_file 'metadata.gz.sig', 0644 do |io|
+        io.write @meta_signature
+      end
+    end
+  end
+
+  ##
+  # Closes the TarOutput.
+
+  def close
+    @tar_writer.close
+  end
+
+end
+

data/lib/libgems/package/tar_reader.rb

@@ -0,0 +1,106 @@
+# -*- coding: utf-8 -*-
+#--
+# Copyright (C) 2004 Mauricio Julio Fernández Pradier
+# See LICENSE.txt for additional licensing information.
+#++
+
+##
+# TarReader reads tar files and allows iteration over their items
+
+class LibGems::Package::TarReader
+
+  include LibGems::Package
+
+  ##
+  # Raised if the tar IO is not seekable
+
+  class UnexpectedEOF < StandardError; end
+
+  ##
+  # Creates a new TarReader on +io+ and yields it to the block, if given.
+
+  def self.new(io)
+    reader = super
+
+    return reader unless block_given?
+
+    begin
+      yield reader
+    ensure
+      reader.close
+    end
+
+    nil
+  end
+
+  ##
+  # Creates a new tar file reader on +io+ which needs to respond to #pos,
+  # #eof?, #read, #getc and #pos=
+
+  def initialize(io)
+    @io = io
+    @init_pos = io.pos
+  end
+
+  ##
+  # Close the tar file
+
+  def close
+  end
+
+  ##
+  # Iterates over files in the tarball yielding each entry
+
+  def each
+    loop do
+      return if @io.eof?
+
+      header = LibGems::Package::TarHeader.from @io
+      return if header.empty?
+
+      entry = LibGems::Package::TarReader::Entry.new header, @io
+      size = entry.header.size
+
+      yield entry
+
+      skip = (512 - (size % 512)) % 512
+      pending = size - entry.bytes_read
+
+      begin
+        # avoid reading...
+        @io.seek pending, IO::SEEK_CUR
+        pending = 0
+      rescue Errno::EINVAL, NameError
+        while pending > 0 do
+          bytes_read = @io.read([pending, 4096].min).size
+          raise UnexpectedEOF if @io.eof?
+          pending -= bytes_read
+        end
+      end
+
+      @io.read skip # discard trailing zeros
+
+      # make sure nobody can use #read, #getc or #rewind anymore
+      entry.close
+    end
+  end
+
+  alias each_entry each
+
+  ##
+  # NOTE: Do not call #rewind during #each
+
+  def rewind
+    if @init_pos == 0 then
+      raise LibGems::Package::NonSeekableIO unless @io.respond_to? :rewind
+      @io.rewind
+    else
+      raise LibGems::Package::NonSeekableIO unless @io.respond_to? :pos=
+      @io.pos = @init_pos
+    end
+  end
+
+end
+
+require 'libgems/package/tar_reader/entry'
+