puppet_forge 2.2.9 → 2.3.0.rc1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
-SHA1:
-  metadata.gz: 087cdfb02de51471d14bcba37ac3078357222548
-  data.tar.gz: 2ef26cd5527d3fa26fcea35e08d1d4f582fb4d7a
+SHA256:
+  metadata.gz: 64f21c02537bec3836cf2c243c266f884470e6bef0a2b8e210275b1b3a5c9114
+  data.tar.gz: 62e479ce167179d7a909340289a2f92a6ec94663556ce58e7de3dde2fe1f0a53
 SHA512:
-  metadata.gz: 81308719c9f7f99699c59a6f5515a05851eccd2bd2255366be9ee513c2e475b50a59ec75aebab51b6c8ab8c1c9844f5e8f3992be5cf150b78fdee46a7cc9b3a1
-  data.tar.gz: 52031222a7327eab0eb58edc12d6274c99b4ce5f6fb01d9f14e2f90eb7f9295b8b07e78b51857ce3303a353f52c4947dcb257dedddd6ddb31ce8e400e86f5bab
+  metadata.gz: 5cadd116c11b384a988be7383e4fd60b75fb3f73ca373bbca6bc72c5e2f3fbaa274199629276c798239ab04a5b27410fcb643bd373baa2e2ee928fd135eaa847
+  data.tar.gz: 158d1a6c08feecb61bc942b71907cea20c994daca341eec89bb43e50c0dd1e7290c6a3a33afe9c6cd6facb9b85f07fb966f5b6fb1ab177014351f604c9066ea9

data/.travis.yml

@@ -0,0 +1,22 @@
+dist: xenial
+language: ruby
+rvm:
+  - 2.6
+  - 2.5
+  - 2.3
+  - 2.1
+# TODO: enable integration testing
+script: bundle exec rspec spec/unit
+jobs:
+  include:
+    - stage: deploy
+      if: tag IS present
+      rvm: 2.6
+      script: echo "Deploying to rubygems.org..."
+      deploy:
+        on:
+          all_branches: true
+        provider: rubygems
+        gem: puppet_forge
+        api_key:
+          secure: 066s1nJoYzCPzujfTAZ1OiDbbHghLIfW2SxZ/xTom7SbtYlb4SVOUkzOr6dLMysUBAWLQRwiFvgNij+iWwHoNEPqNA+JeGZIiL32ShQI0NW+lTcjPzeAe8Ppy/1pxgXFSJAPHLzdpdgiK91eM4vMWHIaOqPeT/4+X2+kmWbg71E=

data/CHANGELOG.md

@@ -3,6 +3,13 @@
 Starting with v2.0.0, all notable changes to this project will be documented in this file.
 This project adheres to [Semantic Versioning](http://semver.org/).
 
+## v2.3.0 - 2019-07-09
+
+### Changed
+
+* Updated `PuppetForge::V3::Release#verify` method to use `file_sha256` checksum from Forge API when available.
+* Added an `allow_md5` param to `PuppetForge::V3::Release#verify` method to control whether or not fallback to MD5 checksum will be allowed in cases where SHA-256 checksum is not available.
+
 ## v2.2.9 - 2017-12-01
 
 ### Changed

data/README.md

@@ -227,6 +227,13 @@ to create a free account to add new tickets.
 4. Push to the branch (`git push origin my-new-feature`)
 5. Create a new Pull Request
 
+## Releasing
+
+1. Make sure version, changelog, etc. have been updated.
+1. Commit and tag with new version number: e.g. `v1.2.3`
+1. Push tag to Github: `git push upstream --tags` (where `upstream` is the remote name of the puppetlabs fork of this repo)
+1. Wait for Travis CI to test and push new release to Rubygems.
+
 ## Contributors
 
 * Pieter van de Bruggen, Puppet Labs
@@ -237,9 +244,4 @@ to create a free account to add new tickets.
 
 ## Maintenance
 
-Maintainers:
-
-* Jesse Scott, jesse@puppet.com
-* Anderson Mills, anderson@puppet.com
-
 Tickets: File at https://tickets.puppet.com/browse/FORGE

data/lib/puppet_forge/connection/connection_failure.rb

@@ -9,11 +9,19 @@ module PuppetForge
         @app.call(env)
       rescue Faraday::ConnectionFailed => e
         baseurl = env[:url].dup
-        baseurl.path = ''
         if proxy = env[:request][:proxy]
-          errmsg = _("Unable to connect to %{url} (using proxy %{proxy})") % {url: baseurl.to_s, proxy: proxy.uri.to_s}
+          errmsg = _("Unable to connect to %{scheme}://%{host} (using proxy %{proxy}) (for request %{path_query})") % {
+            scheme: baseurl.scheme,
+            host: baseurl.host,
+            proxy: proxy.uri.to_s,
+            path_query: baseurl.request_uri,
+          }
         else
-          errmsg = _("Unable to connect to %{url}") % {url: baseurl.to_s}
+          errmsg = _("Unable to connect to %{scheme}://%{host} (for request %{path_query})") % {
+            scheme: baseurl.scheme,
+            host: baseurl.host,
+            path_query: baseurl.request_uri,
+          }
         end
         errmsg << ": #{e.message}"
         m = Faraday::ConnectionFailed.new(errmsg)

data/lib/puppet_forge/v3/release.rb

@@ -1,6 +1,8 @@
 require 'puppet_forge/v3/base'
 require 'puppet_forge/v3/module'
 
+require 'digest'
+
 module PuppetForge
   module V3
 
@@ -36,21 +38,36 @@ module PuppetForge
         end
       end
 
-      # Verify that a downloaded module matches the checksum in the metadata for this release.
+      # Verify that a downloaded module matches the best available checksum in the metadata for this release,
+      # validates SHA-256 checksum if available, otherwise validates MD5 checksum
       #
       # @param path [Pathname]
       # @return [void]
-      def verify(path)
-        expected_md5 = file_md5
-        file_md5     = Digest::MD5.file(path).hexdigest
-        if expected_md5 != file_md5
-          raise ChecksumMismatch.new("Expected #{path} checksum to be #{expected_md5}, got #{file_md5}")
-        end
+      def verify(path, allow_md5 = true)
+        checksum =
+          if self.respond_to?(:file_sha256) && !self.file_sha256.nil? && !self.file_sha256.size.zero?
+            {
+              type: "SHA-256",
+              expected: self.file_sha256,
+              actual: Digest::SHA256.file(path).hexdigest,
+            }
+          elsif allow_md5
+            {
+              type: "MD5",
+              expected: self.file_md5,
+              actual: Digest::MD5.file(path).hexdigest,
+            }
+          else
+            raise PuppetForge::Error.new("Cannot verify module release: SHA-256 checksum is not available in API response and fallback to MD5 has been forbidden.")
+          end
+
+        return if checksum[:expected] == checksum[:actual]
+
+        raise ChecksumMismatch.new("Unable to validate #{checksum[:type]} checksum for #{path}, download may be corrupt!")
       end
 
       class ChecksumMismatch < StandardError
       end
-
     end
   end
 end

data/lib/puppet_forge/version.rb

@@ -1,3 +1,3 @@
 module PuppetForge
-  VERSION = '2.2.9' # Library version
+  VERSION = '2.3.0.rc1' # Library version
 end

data/spec/unit/forge/connection/connection_failure_spec.rb

@@ -18,7 +18,7 @@ describe PuppetForge::Connection::ConnectionFailure do
   it "includes the base URL in the error message" do
     expect {
       subject.get('/connectfail')
-    }.to raise_error(Faraday::ConnectionFailed, "Unable to connect to https://my-site.url: getaddrinfo: Name or service not known")
+    }.to raise_error(Faraday::ConnectionFailed, /unable to connect to.*\/connectfail.*name or service not known/i)
   end
 
   it "includes the proxy host in the error message when set" do
@@ -30,6 +30,6 @@ describe PuppetForge::Connection::ConnectionFailure do
 
     expect {
       subject.get('/connectfail')
-    }.to raise_error(Faraday::ConnectionFailed, "Unable to connect to https://my-site.url (using proxy https://some-unreachable.proxy:3128): getaddrinfo: Name or service not known")
+    }.to raise_error(Faraday::ConnectionFailed, /unable to connect to.*using proxy.*\/connectfail.*name or service not known/i)
   end
 end

data/spec/unit/forge/v3/base_spec.rb

@@ -59,33 +59,56 @@ describe PuppetForge::V3::Base do
   end
 
   describe 'the host url setting' do
-    before do
-    end
+    context 'without a path prefix' do
+      before(:each) do
+        @orig_host = PuppetForge.host
+        PuppetForge.host = 'https://api.example.com'
 
-    it 'should handle a host url with no path prefix' do
-      stub_api_for(PuppetForge::V3::Base) do |stubs|
-        stub_fixture(stubs, :get, '/v3/bases/puppet')
+        # Trigger connection reset
+        PuppetForge::V3::Base.conn = PuppetForge::Connection.default_connection
       end
 
-      # Trigger connection reset
-      PuppetForge::V3::Base.conn = PuppetForge::Connection.default_connection
+      after(:each) do
+        PuppetForge.host = @orig_host
+
+        # Trigger connection reset
+        PuppetForge::V3::Base.conn = PuppetForge::Connection.default_connection
+      end
 
-      base = PuppetForge::V3::Base.find 'puppet'
-      expect(base.username).to eq('foo')
+      it 'should work' do
+        stub_api_for(PuppetForge::V3::Base) do |stubs|
+          stub_fixture(stubs, :get, '/v3/bases/puppet')
+        end
+
+        base = PuppetForge::V3::Base.find 'puppet'
+        expect(base.username).to eq('foo')
+      end
     end
 
-    it 'should handle a path prefix in the host' do
-      PuppetForge.host = 'https://api.example.com/uri/prefix'
+    context 'with a path prefix' do
+      before(:each) do
+        @orig_host = PuppetForge.host
+        PuppetForge.host = 'https://api.example.com/uri/prefix'
 
-      stub_api_for(PuppetForge::V3::Base, PuppetForge.host) do |stubs|
-        stub_fixture(stubs, :get, '/uri/prefix/v3/bases/puppet')
+        # Trigger connection reset
+        PuppetForge::V3::Base.conn = PuppetForge::Connection.default_connection
       end
 
-      # Trigger connection reset
-      PuppetForge::V3::Base.conn = PuppetForge::Connection.default_connection
+      after(:each) do
+        PuppetForge.host = @orig_host
 
-      base = PuppetForge::V3::Base.find 'puppet'
-      expect(base.username).to eq('bar')
+        # Trigger connection reset
+        PuppetForge::V3::Base.conn = PuppetForge::Connection.default_connection
+      end
+
+      it 'should work' do
+        stub_api_for(PuppetForge::V3::Base, PuppetForge.host) do |stubs|
+          stub_fixture(stubs, :get, '/uri/prefix/v3/bases/puppet')
+        end
+
+        base = PuppetForge::V3::Base.find 'puppet'
+        expect(base.username).to eq('bar')
+      end
     end
   end
 end

data/spec/unit/forge/v3/release_spec.rb

@@ -149,6 +149,58 @@ describe PuppetForge::V3::Release do
       end
     end
 
+    describe '#verify' do
+      let(:release) { PuppetForge::V3::Release.find('puppetlabs-apache-0.0.1') }
+      let(:tarball) { "#{PROJECT_ROOT}/spec/tmp/module.tgz" }
+      let(:allow_md5) { true }
+
+      before(:each) do
+        FileUtils.rm tarball rescue nil
+        release.download(Pathname.new(tarball))
+      end
+
+      after(:each) { FileUtils.rm tarball rescue nil }
+
+      context 'file_sha256 is available' do
+        before(:each) do
+          allow(release).to receive(:file_sha256).and_return("810ff2fb242a5dee4220f2cb0e6a519891fb67f2f828a6cab4ef8894633b1f50")
+        end
+
+        let(:mock_sha256) { double(Digest::SHA256, hexdigest: release.file_sha256) }
+
+        it 'only verifies sha-256 checksum' do
+          expect(Digest::SHA256).to receive(:file).and_return(mock_sha256)
+          expect(Digest::MD5).not_to receive(:file)
+
+          release.verify(tarball, allow_md5)
+        end
+      end
+
+      context 'file_sha256 is not available' do
+        let(:mock_md5) { double(Digest::MD5, hexdigest: release.file_md5) }
+
+        it 'only verfies the md5 checksum' do
+          expect(Digest::SHA256).not_to receive(:file)
+          expect(Digest::MD5).to receive(:file).and_return(mock_md5)
+
+          release.verify(tarball, allow_md5)
+        end
+      end
+
+      context 'when allow_md5=false' do
+        let(:allow_md5) { false }
+
+        context 'file_sha256 is not available' do
+          it 'raises an appropriate error' do
+            expect(Digest::SHA256).not_to receive(:file)
+            expect(Digest::MD5).not_to receive(:file)
+
+            expect { release.verify(tarball, allow_md5) }.to raise_error(PuppetForge::Error, /cannot verify module release.*md5.*forbidden/i)
+          end
+        end
+      end
+    end
+
     describe '#metadata' do
       let(:release) { PuppetForge::V3::Release.find('puppetlabs-apache-0.0.1') }
 

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: puppet_forge
 version: !ruby/object:Gem::Version
-  version: 2.2.9
+  version: 2.3.0.rc1
 platform: ruby
 authors:
 - Puppet Labs
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-12-01 00:00:00.000000000 Z
+date: 2019-07-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: faraday
@@ -213,6 +213,7 @@ extensions: []
 extra_rdoc_files: []
 files:
 - ".gitignore"
+- ".travis.yml"
 - CHANGELOG.md
 - Gemfile
 - LICENSE.txt
@@ -306,12 +307,12 @@ required_ruby_version: !ruby/object:Gem::Requirement
       version: 1.9.3
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - ">="
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.8
+rubygems_version: 2.7.7
 signing_key: 
 specification_version: 4
 summary: Access the Puppet Forge API from Ruby for resource information and to download