rubygems-update 2.6.4 → 2.6.5

data/test/rubygems/test_gem_package.rb

@@ -141,7 +141,9 @@ class TestGemPackage < Gem::Package::TarTestCase
 
     FileUtils.mkdir_p 'lib'
     open 'lib/code.rb',  'w' do |io| io.write '# lib/code.rb'  end
-    File.symlink('lib/code.rb', 'lib/code_sym.rb')
+
+    # NOTE: 'code.rb' is correct, because it's relative to lib/code_sym.rb
+    File.symlink('code.rb', 'lib/code_sym.rb')
 
     package = Gem::Package.new 'bogus.gem'
     package.spec = spec
@@ -156,12 +158,16 @@ class TestGemPackage < Gem::Package::TarTestCase
 
     Gem::Package::TarReader.new tar do |tar_io|
       tar_io.each_entry do |entry|
-        (entry.symlink? ? symlinks : files) << entry.full_name
+        if entry.symlink?
+          symlinks << { entry.full_name => entry.header.linkname }
+        else
+          files << entry.full_name
+        end
       end
     end
 
     assert_equal %w[lib/code.rb], files
-    assert_equal %w[lib/code_sym.rb], symlinks
+    assert_equal [{'lib/code_sym.rb' => 'lib/code.rb'}], symlinks
   end
 
   def test_build

data/test/rubygems/test_gem_package_tar_writer.rb

@@ -229,6 +229,22 @@ class TestGemPackageTarWriter < Gem::Package::TarTestCase
 
     assert_equal ["#{'qwer/' * 19}bla", 'a' * 151],
                  @tar_writer.split_name("#{'a' * 151}/#{'qwer/' * 19}bla")
+    names = [
+      ([''] + ['123456789'] * 9 + ['1234567890']).join('/'),  # 101 bytes (several pieces)
+      (['123456789'] * 9 + ['1234567890'] + ['']).join('/'),  # 101 bytes (several pieces)
+      '/' * 99,
+      '/' * 100,
+      '/' * 101,
+      '/' * 102,
+    ]
+    names.each do |name|
+      newname, prefix = @tar_writer.split_name(name)
+      assert(!(newname.empty?), "split_name() returned empty name")
+      assert(newname.bytesize <= 100, "split_name() returned name longer than 100 bytes: '#{newname}' for '#{name}'")
+      assert(prefix.bytesize <= 155, "split_name() returned prefix longer than 155 bytes: '#{prefix}' for '#{name}'")
+      newname = [prefix, newname].join('/') unless prefix.empty?
+      assert_equal name, newname
+    end
   end
 
   def test_split_name_too_long_name
@@ -240,6 +256,14 @@ class TestGemPackageTarWriter < Gem::Package::TarTestCase
       @tar_writer.split_name name
     end
     assert_includes exception.message, name
+
+    # note, GNU tar 1.28 is unable to handle this case too,
+    # tested with "tar --format=ustar -cPf /tmp/foo.tartar -- /aaaaaa....a"
+    name = '/'  + 'a' * 100
+    exception = assert_raises Gem::Package::TooLongFileName do
+      @tar_writer.split_name name
+    end
+    assert_includes exception.message, name
   end
 
   def test_split_name_too_long_prefix

data/test/rubygems/test_gem_remote_fetcher.rb

@@ -81,7 +81,6 @@ gems:
   # Generated via:
   #   x = OpenSSL::PKey::DH.new(2048) # wait a while...
   #   x.to_s => pem
-  #   x.priv_key.to_s => hex for OpenSSL::BN.new
   TEST_KEY_DH2048 =  OpenSSL::PKey::DH.new <<-_end_of_pem_
 -----BEGIN DH PARAMETERS-----
 MIIBCAKCAQEA3Ze2EHSfYkZLUn557torAmjBgPsqzbodaRaGZtgK1gEU+9nNJaFV
@@ -93,17 +92,6 @@ PeIQQkFng2VVot/WAQbv3ePqWq07g1BBcwIBAg==
 -----END DH PARAMETERS-----
     _end_of_pem_
 
-  TEST_KEY_DH2048.priv_key = OpenSSL::BN.new("108911488509734781344423639" \
-     "5585749502236089033416160524030987005037540379474123441273555416835" \
-     "4725688238369352738266590757370603937618499698665047757588998555345" \
-     "3446251978586372525530219375408331096098220027413238477359960428372" \
-     "0195464393332338164504352015535549496585792320286513563739305843396" \
-     "9294344974028713065472959376197728193162272314514335882399554394661" \
-     "5306385003430991221886779612878793446851681835397455333989268503748" \
-     "7862488679178398716189205737442996155432191656080664090596502674943" \
-     "7902481557157485795980326766117882761941455140582265347052939604724" \
-     "964857770053363840471912215799994973597613931991572884", 16)
-
   def setup
     @proxies = %w[https_proxy http_proxy HTTP_PROXY http_proxy_user HTTP_PROXY_USER http_proxy_pass HTTP_PROXY_PASS no_proxy NO_PROXY]
     @old_proxies = @proxies.map {|k| ENV[k] }

data/test/rubygems/test_gem_security_signer.rb

@@ -205,5 +205,13 @@ c7NM7KZZjj7G++SXjYTEI1PHSA7aFQ/i/+qSUvx+Pg==
     end
   end
 
+  def test_sign_no_certs
+    signer = Gem::Security::Signer.new ALTERNATE_KEY, []
+
+    assert_raises Gem::Security::Exception do
+      signer.sign 'hello'
+    end
+  end
+
 end if defined?(OpenSSL::SSL)
 

data/test/rubygems/test_gem_specification.rb

@@ -3080,7 +3080,7 @@ Did you mean 'Ruby'?
         end
       end
 
-      err = 'specification_version must be a Fixnum (did you mean version?)'
+      err = 'specification_version must be a Integer (did you mean version?)'
       assert_equal err, e.message
     end
   end

data/test/rubygems/wrong_key_cert.pem

@@ -1,6 +1,6 @@
 -----BEGIN CERTIFICATE-----
-MIIC7jCCAdagAwIBAgIBEjANBgkqhkiG9w0BAQUFADAqMQ8wDQYDVQQDDAZub2Jv
-ZHkxFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMCAXDTEyMTIwODAwMDAwMFoYDzk5
+MIIDDTCCAfWgAwIBAgIBEjANBgkqhkiG9w0BAQUFADAqMQ8wDQYDVQQDDAZub2Jv
+ZHkxFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMCAXDTEyMDEwMTAwMDAwMFoYDzk5
 OTkxMjMxMjM1OTU5WjAqMQ8wDQYDVQQDDAZub2JvZHkxFzAVBgoJkiaJk/IsZAEZ
 FgdleGFtcGxlMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAvZQipBa1
 xH3M9OonkrUYhGZeX9UHAcJhe6jJbUr/uHXkh1Tu2ERWNnblm85upqBfjyZEnKer
@@ -8,11 +8,12 @@ xH3M9OonkrUYhGZeX9UHAcJhe6jJbUr/uHXkh1Tu2ERWNnblm85upqBfjyZEnKer
 kNyXUmLLGoZ3id2K0eK5C/AJ0j+p84OqPnVhylsjrZmXfIZrh7lkHhgCIrzPefjE
 3pOloi/tz6fh2ktb0FYKQMfweT3Ba2TMeflG13PEOW80AD5w0THxDutGG0zPNCDy
 DEoT7UU1a3B3RMHYuUxEk1GUEYWq9L6a6SMpZISWTSpCp0Ww1QB55PONiCCn+o6v
-cIy46jI71dATAQIDAQABox0wGzAZBgNVHREEEjAQgQ5ub2JvZHlAZXhhbXBsZTAN
-BgkqhkiG9w0BAQUFAAOCAQEATOGl3DvDpWn6pOAjNkZz67UYNlTANSzMaXklJmxW
-pQGxy1g+CWRwExfbH7lYAOag3BB7X7h3RolLGhIpxmWriby+SFd/VJAOpCq4nz5P
-6spZ4hqkXchBGzBgbK6TSyNxjITC3iquBBJWTXZMAuvRTuSlZsCe2k0uWJ8ycmge
-wKhcdDLwVwCz2aMAGbwr/nZyzuIx/pkI3PWMw5Xk9PLUryaYHRSSFGm7mYQ6G7HE
-7yn0ZIy7nQxrsVYOV3MMyEJNRBld+MgnGfDMf5gZIH6k4NbRNKABtiCKmvD3nk4h
-3A863HaHH6wa8yKHXfyN71m/QwzaH3AbaORqKhfHl2uysQ==
+cIy46jI71dATAQIDAQABozwwOjAZBgNVHREEEjAQgQ5ub2JvZHlAZXhhbXBsZTAd
+BgNVHQ4EFgQUyvn/FwcZnA7AkzPjmoooB4/tKgcwDQYJKoZIhvcNAQEFBQADggEB
+ABswixv3veo8S0Omyhbch3t19xAd/I4ZAx/lq6a/Ubl+X33hRbZQ7ulXja6Y5ZCs
+iIkezGcpc182e7hZdHuEGGnJ1fJwxz3rbFWvs+MrtRSaCC73HbbxF1x0mQY6Kc7W
+PahB2v+Dx5n3dIN6ah5p+STUHmzhKGr3bsQswtSHrFn74wt6mBu/hyCz+t6UaQ7b
+rpRpzDFO1q3tZB8MeIHg57Lk2bu0LtfaHdkGDghNa3t7oZfV5A6pruiTy/EdQvFL
+ZJpvDgHCyUsDmukMMjz6U4ts+nx7kZ9JoIH9K2lMJo3SGw4iZ8rB+HTfsbUdRfBj
+UlyNcLqCW+FPlUHgHgNugFA=
 -----END CERTIFICATE-----

data/test/rubygems/wrong_key_cert_32.pem

@@ -1,6 +1,6 @@
 -----BEGIN CERTIFICATE-----
-MIIC7DCCAdSgAwIBAgIBEzANBgkqhkiG9w0BAQUFADAqMQ8wDQYDVQQDDAZub2Jv
-ZHkxFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMB4XDTEyMTIwODAwMDAwMFoXDTM4
+MIIDCzCCAfOgAwIBAgIBEzANBgkqhkiG9w0BAQUFADAqMQ8wDQYDVQQDDAZub2Jv
+ZHkxFzAVBgoJkiaJk/IsZAEZFgdleGFtcGxlMB4XDTEyMDEwMTAwMDAwMFoXDTM4
 MDExOTAzMTQwN1owKjEPMA0GA1UEAwwGbm9ib2R5MRcwFQYKCZImiZPyLGQBGRYH
 ZXhhbXBsZTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAL2UIqQWtcR9
 zPTqJ5K1GIRmXl/VBwHCYXuoyW1K/7h15IdU7thEVjZ25ZvObqagX48mRJynq+7g
@@ -8,11 +8,12 @@ XMMJJL5orFYAvLgRAsprAcbhCMNK34imBJy7tAekolhWM93WD0vdmwSu1ZLNv5Dc
 l1JiyxqGd4nditHiuQvwCdI/qfODqj51YcpbI62Zl3yGa4e5ZB4YAiK8z3n4xN6T
 paIv7c+n4dpLW9BWCkDH8Hk9wWtkzHn5RtdzxDlvNAA+cNEx8Q7rRhtMzzQg8gxK
 E+1FNWtwd0TB2LlMRJNRlBGFqvS+mukjKWSElk0qQqdFsNUAeeTzjYggp/qOr3CM
-uOoyO9XQEwECAwEAAaMdMBswGQYDVR0RBBIwEIEObm9ib2R5QGV4YW1wbGUwDQYJ
-KoZIhvcNAQEFBQADggEBAArsJU2zZfkHI90XNz69wSIrPMytM2Le0uFTXU4GUBix
-8G4451leIwRD8fIMBlc82iE39PjsF8w4svCMqyVHzv10xEjIZq5917hbvxupKKM/
-UX6u3TWEpF9j5s+JtXT+yfyG1TyWXp+Dqlx455I9oRyUJkRe7UeqUqqiResJBTV/
-aImNyeG33MFKilQEyxz0UVZBjSy/JZlTUwAV3dqvh1tRSXfMmk2hxbkiewYIJ48f
-Vu5uEnW1m866WLUIo0dz/KnGZ9aIq2XM+OhRl94MOpZ5tgA8e2R9RFDfzthbCnfU
-G+cnGdtRxnyo0/+SmC7WhSpfSZ7wju9Z04zGa6VsMjI=
+uOoyO9XQEwECAwEAAaM8MDowGQYDVR0RBBIwEIEObm9ib2R5QGV4YW1wbGUwHQYD
+VR0OBBYEFMr5/xcHGZwOwJMz45qKKAeP7SoHMA0GCSqGSIb3DQEBBQUAA4IBAQCU
+VkESWkNeiJ1L3MfkMl2ybP2QPWP5nlhz+NOqwOCJSmEXF86Dq2XTY/GgSu1iPp4s
+pPm1RSpnjujtiV7gjCziNif/XqAxeSjU2deApvq4mknyk958N0IS8c86dUXms1DQ
+Rncmb3pxxvzP1d6Is35Uwoc5KqheJWR3aDwE8ejaFfO8pq/ncUDB25bc7OyslHMJ
+7Ah+2YlFjvHYuPvN8bP44UMYyAPZCCJnjIPn7m7giyQiIo6SA9aiLQ8F7+NN3SU4
+7I9ED0F7RTDxNYISr1sLZ7aNtnXkTAnZclwKohuGfZD3OGAOshLZZXIB2pIRr/Kj
+6zxTef39tli6orheYQXp
 -----END CERTIFICATE-----

data/util/ci

@@ -0,0 +1,73 @@
+#!/usr/bin/env ruby
+
+class Tool
+  def initialize(name)
+    @name = name
+  end
+
+  def bundler?
+    @name == 'bundler'
+  end
+
+  def rubygems?
+    @name == 'rubygems'
+  end
+
+  def dir
+    if rubygems?
+      File.expand_path('../..', __FILE__)
+    else
+      File.expand_path('../../bundler', __FILE__)
+    end
+  end
+end
+
+TOOL = Tool.new(ENV.fetch("TEST_TOOL") { abort "must specify a TEST_TOOL" })
+
+def run(command, args = [])
+  Dir.chdir(TOOL.dir) do
+    unless system(command, *args)
+      abort "running `#{command} #{args.join(" ")}` failed"
+    end
+  end
+end
+
+def with_retries(attempts = 3)
+  yield
+rescue
+  attempts -= 1
+  if attempts > 0
+    warn "Command failed. Retrying #{attempts -= 1} more times."
+    retry
+  else
+    raise
+  end
+end
+
+case ARGV
+when %w(before_script)
+  if TOOL.rubygems?
+    run('gem', %W(uninstall executable-hooks gem-wrappers -x --force -i #{`gem env home`.strip}@global))
+    run('gem', %W(install rake -v #{'~> 10.5'} --no-document))
+    run('gem', %W(install hoe -v #{'3.15.0'} --no-document))
+    run('gem', %w(install hoe-travis --no-document))
+    run('gem', %W(install minitest -v #{'~> 4.7'} --no-document))
+    run('rake', %w(travis:before -t))
+    run('gem', %w(list --details))
+    run('gem', %w(env))
+  else
+    with_retries { run('rake', %w(spec:travis:deps)) }
+  end
+when %w(after_script)
+  if TOOL.rubygems?
+    run('rake', %w(travis:after -t))
+  end
+when %w(script)
+  if TOOL.rubygems?
+    run('rake', %w(travis))
+  else
+    run('rake', %w(spec:travis -t))
+  end
+else
+  abort "unknown args #{ARGV.inspect}"
+end

data/util/create_certs.rb

@@ -4,37 +4,41 @@ require 'time'
 
 class CertificateBuilder
 
-  attr_reader :today
+  attr_reader :start
 
   def initialize key_size = 2048
-    today           = Time.now.utc
-    @today          = Time.utc today.year, today.month, today.day
+    @start          = Time.utc 2012, 01, 01, 00, 00, 00
     @end_of_time    = Time.utc 9999, 12, 31, 23, 59, 59
     @end_of_time_32 = Time.utc 2038, 01, 19, 03, 14, 07
 
+    @key_size = key_size
     @serial = 0
   end
 
-  def create_certificates(key, subject, issuer_key = key, issuer = subject,
-                          not_before: @today, not_after: :end_of_time)
+  def create_certificates(key, subject, issuer_key = key, issuer_cert = nil,
+                          not_before: @start, not_after: :end_of_time,
+                          is_ca: false)
     certificates = []
 
     not_before, not_before_32 = validity_for not_before
     not_after,  not_after_32  = validity_for not_after
+    issuer_cert, issuer_cert_32 = issuer_cert
 
     certificates <<
-      create_certificate(key, subject, issuer_key, issuer,
-                         not_before, not_after)
+      create_certificate(key, subject, issuer_key, issuer_cert,
+                         not_before, not_after, is_ca)
     certificates <<
-      create_certificate(key, subject, issuer_key, issuer,
-                         not_before_32, not_after_32)
+      create_certificate(key, subject, issuer_key, issuer_cert_32,
+                         not_before_32, not_after_32, is_ca)
 
     certificates
   end
 
-  def create_certificate key, subject, issuer_key, issuer, not_before, not_after
-    puts "creating cert - subject: #{subject}, issuer: #{issuer}"
+  def create_certificate(key, subject, issuer_key, issuer_cert,
+                         not_before, not_after, is_ca)
     cert = OpenSSL::X509::Certificate.new
+    issuer_cert ||= cert # if not specified, create self signing cert
+
     cert.version    = 2
     cert.serial     = 0
 
@@ -45,25 +49,34 @@ class CertificateBuilder
 
     cert.public_key = key.public_key
 
-    cert.subject =
-      OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]]
-    cert.issuer  =
-      OpenSSL::X509::Name.new [%W[CN #{issuer}],  %w[DC example]]
+    cert.subject = OpenSSL::X509::Name.new [%W[CN #{subject}], %w[DC example]]
+    cert.issuer  = issuer_cert.subject
 
-    ef = OpenSSL::X509::ExtensionFactory.new nil, cert
+    ef = OpenSSL::X509::ExtensionFactory.new issuer_cert, cert
 
     cert.extensions = [
-      ef.create_extension('subjectAltName', "email:#{subject}@example")
+      ef.create_extension('subjectAltName', "email:#{subject}@example"),
+      ef.create_extension('subjectKeyIdentifier', 'hash')
     ]
 
+    if cert != issuer_cert then # not self-signed cert
+      cert.add_extension ef.create_extension('authorityKeyIdentifier', 'keyid:always')
+    end
+
+    if is_ca then
+      cert.add_extension ef.create_extension('basicConstraints', 'CA:TRUE', true)
+      cert.add_extension ef.create_extension('keyUsage', 'keyCertSign', true)
+    end
+
     cert.sign issuer_key, OpenSSL::Digest::SHA1.new
 
+    puts "created cert - subject: #{cert.subject}, issuer: #{cert.issuer}"
     cert
   end
 
   def create_key
     puts "creating key"
-    OpenSSL::PKey::RSA.new 2048
+    OpenSSL::PKey::RSA.new @key_size
   end
 
   def create_keys names
@@ -108,37 +121,39 @@ keys = cb.create_keys [
 
 keys[:public] = keys[:private].public_key
 
-certs = {
-  alternate:
-    cb.create_certificates(keys[:alternate], 'alternate'),
-  child:
-    cb.create_certificates(keys[:child], 'child',
-                           keys[:private], 'nobody'),
-  expired:
-    cb.create_certificates(keys[:private], 'nobody',
-                           not_before: Time.at(0),
-                           not_after: Time.at(0)),
-  future:
-    cb.create_certificates(keys[:private], 'nobody',
-                           not_before: :end_of_time,
-                           not_after: :end_of_time),
-  grandchild:
-    cb.create_certificates(keys[:grandchild], 'grandchild',
-                           keys[:child], 'child'),
-  invalid_issuer:
-    cb.create_certificates(keys[:invalid], 'invalid',
-                           keys[:invalid], 'nobody'),
-  invalid_signer:
-    cb.create_certificates(keys[:invalid], 'invalid',
-                           keys[:private], 'invalid'),
-  invalidchild:
-    cb.create_certificates(keys[:invalidchild], 'invalidchild',
-                           keys[:invalid], 'child'),
-  public:
-    cb.create_certificates(keys[:private], 'nobody'),
-  wrong_key:
-    cb.create_certificates(keys[:alternate], 'nobody'),
-}
+certs = {}
+certs[:public] =
+  cb.create_certificates(keys[:private], 'nobody',
+                         is_ca: true)
+certs[:child] =
+  cb.create_certificates(keys[:child], 'child',
+                         keys[:private], certs[:public],
+                         is_ca: true)
+certs[:alternate] =
+  cb.create_certificates(keys[:alternate], 'alternate')
+certs[:expired] =
+  cb.create_certificates(keys[:private], 'nobody',
+                         not_before: Time.at(0),
+                         not_after: Time.at(0))
+certs[:future] =
+  cb.create_certificates(keys[:private], 'nobody',
+                         not_before: :end_of_time,
+                         not_after: :end_of_time)
+certs[:invalid_issuer] =
+  cb.create_certificates(keys[:invalid], 'invalid',
+                         keys[:invalid], certs[:public],
+                         is_ca: true)
+certs[:grandchild] =
+  cb.create_certificates(keys[:grandchild], 'grandchild',
+                         keys[:child], certs[:child])
+certs[:invalid_signer] =
+  cb.create_certificates(keys[:invalid], 'invalid',
+                         keys[:private], certs[:invalid])
+certs[:invalidchild] =
+  cb.create_certificates(keys[:invalidchild], 'invalidchild',
+                         keys[:invalid], certs[:child])
+certs[:wrong_key] =
+  cb.create_certificates(keys[:alternate], 'nobody')
 
 base_dir = 'test/rubygems'
 

data/util/update_bundled_ca_certificates.rb

@@ -1,6 +1,7 @@
 # frozen_string_literal: true
 require 'net/http'
 require 'openssl'
+require 'fileutils'
 
 URIS = [
   URI('https://rubygems.org'),
@@ -10,6 +11,12 @@ URIS = [
   URI('https://rubygems.global.ssl.fastly.net'),
 ]
 
+HOSTNAMES_TO_MAP = [
+  'rubygems.global.ssl.fastly.net',
+  'rubygems.org',
+  'index.rubygems.org'
+]
+
 def connect_to uri, store
   # None of the URIs are IPv6, so URI::Generic#hostname(ruby 1.9.3+) isn't needed
   http = Net::HTTP.new uri.host, uri.port
@@ -79,13 +86,27 @@ def test_uri uri, certificates
   nil
 end
 
+def hostname_certificate_mapping certificates
+  mapping = {}
+  HOSTNAMES_TO_MAP.each do |hostname|
+    uri = URI("https://#{hostname}")
+    certificates.each do |cert|
+      match = test_uri uri, [cert]
+      mapping[hostname] = cert if match && !mapping.values.include?(cert)
+    end
+  end
+  mapping
+end
+
 def write_certificates certificates
-  certificates.each do |certificate|
+  mapping = hostname_certificate_mapping(certificates)
+  mapping.each do |hostname, certificate|
     subject = certificate.subject.to_a
     name = (subject.assoc('CN') || subject.assoc('OU'))[1]
     name = name.delete ' .-'
 
-    destination = "lib/rubygems/ssl_certs/#{name}.pem"
+    FileUtils.mkdir_p("lib/rubygems/ssl_certs/#{hostname}")
+    destination = "lib/rubygems/ssl_certs/#{hostname}/#{name}.pem"
 
     warn "overwriting certificate #{name}" if File.exist? destination