rubygems-update 3.0.4 → 3.0.9

data/lib/rubygems/installer.rb

@@ -320,8 +320,11 @@ class Gem::Installer
       build_extensions
       write_build_info_file
       run_post_build_hooks
+    end
+
+    generate_bin
 
-      generate_bin
+    unless @options[:install_as_default]
       write_spec
       write_cache_file
     end
@@ -799,7 +802,7 @@ TEXT
       # stub & ruby.exe withing same folder.  Portable
       <<-TEXT
 @ECHO OFF
-@"%~dp0ruby.exe" "%~dpn0" %*
+@"%~dp0#{ruby_exe}" "%~dpn0" %*
       TEXT
     elsif bindir.downcase.start_with? rb_topdir.downcase
       # stub within ruby folder, but not standard bin.  Portable
@@ -809,14 +812,14 @@ TEXT
       rel  = to.relative_path_from from
       <<-TEXT
 @ECHO OFF
-@"%~dp0#{rel}/ruby.exe" "%~dpn0" %*
+@"%~dp0#{rel}/#{ruby_exe}" "%~dpn0" %*
       TEXT
     else
       # outside ruby folder, maybe -user-install or bundler.  Portable, but ruby
       # is dependent on PATH
       <<-TEXT
 @ECHO OFF
-@ruby.exe "%~dpn0" %*
+@#{ruby_exe} "%~dpn0" %*
       TEXT
     end
   end
@@ -857,7 +860,7 @@ TEXT
   # without the full gem installed.
 
   def extract_bin
-    @package.extract_files gem_dir, "bin/*"
+    @package.extract_files gem_dir, "#{spec.bindir}/*"
   end
 
   ##

data/lib/rubygems/installer_test_case.rb

@@ -119,9 +119,9 @@ class Gem::InstallerTestCase < Gem::TestCase
   # The executable is also written to the bin dir in @tmpdir and the installed
   # gem directory for +spec+.
 
-  def util_make_exec(spec = @spec, shebang = "#!/usr/bin/ruby")
+  def util_make_exec(spec = @spec, shebang = "#!/usr/bin/ruby", bindir = "bin")
     spec.executables = %w[executable]
-    spec.files << 'bin/executable'
+    spec.bindir = bindir
 
     exec_path = spec.bin_file "executable"
     write_file exec_path do |io|

data/lib/rubygems/package/tar_header.rb

@@ -107,8 +107,8 @@ class Gem::Package::TarHeader
 
     new :name     => fields.shift,
         :mode     => strict_oct(fields.shift),
-        :uid      => strict_oct(fields.shift),
-        :gid      => strict_oct(fields.shift),
+        :uid      => oct_or_256based(fields.shift),
+        :gid      => oct_or_256based(fields.shift),
         :size     => strict_oct(fields.shift),
         :mtime    => strict_oct(fields.shift),
         :checksum => strict_oct(fields.shift),
@@ -130,6 +130,15 @@ class Gem::Package::TarHeader
     raise ArgumentError, "#{str.inspect} is not an octal string"
   end
 
+  def self.oct_or_256based(str)
+    # \x80 flags a positive 256-based number
+    # \ff flags a negative 256-based number
+    # In case we have a match, parse it as a signed binary value
+    # in big-endian order, except that the high-order bit is ignored.
+    return str.unpack('N2').last if str =~ /\A[\x80\xff]/n
+    strict_oct(str)
+  end
+
   ##
   # Creates a new TarHeader using +vals+
 

data/lib/rubygems/remote_fetcher.rb

@@ -1,9 +1,10 @@
 # frozen_string_literal: true
 require 'rubygems'
 require 'rubygems/request'
+require 'rubygems/request/connection_pools'
+require 'rubygems/s3_uri_signer'
 require 'rubygems/uri_formatter'
 require 'rubygems/user_interaction'
-require 'rubygems/request/connection_pools'
 require 'resolv'
 
 ##
@@ -173,7 +174,7 @@ class Gem::RemoteFetcher
         path = source_uri.path
         path = File.dirname(path) if File.extname(path) == '.gem'
 
-        remote_gem_path = correct_for_windows_path(File.join(path, 'gems', gem_file_name))
+        remote_gem_path = Gem::Util.correct_for_windows_path(File.join(path, 'gems', gem_file_name))
 
         FileUtils.cp(remote_gem_path, local_gem_path)
       rescue Errno::EACCES
@@ -210,7 +211,7 @@ class Gem::RemoteFetcher
   # File Fetcher. Dispatched by +fetch_path+. Use it instead.
 
   def fetch_file(uri, *_)
-    Gem.read_binary correct_for_windows_path uri.path
+    Gem.read_binary Gem::Util.correct_for_windows_path uri.path
   end
 
   ##
@@ -275,7 +276,7 @@ class Gem::RemoteFetcher
   rescue Timeout::Error
     raise UnknownHostError.new('timed out', uri.to_s)
   rescue IOError, SocketError, SystemCallError,
-    *(OpenSSL::SSL::SSLError if defined?(OpenSSL)) => e
+         *(OpenSSL::SSL::SSLError if defined?(OpenSSL)) => e
     if e.message =~ /getaddrinfo/
       raise UnknownHostError.new('no such name', uri.to_s)
     else
@@ -284,10 +285,19 @@ class Gem::RemoteFetcher
   end
 
   def fetch_s3(uri, mtime = nil, head = false)
-    public_uri = sign_s3_url(uri)
+    begin
+      public_uri = s3_uri_signer(uri).sign
+    rescue Gem::S3URISigner::ConfigurationError, Gem::S3URISigner::InstanceProfileError => e
+      raise FetchError.new(e.message, "s3://#{uri.host}")
+    end
     fetch_https public_uri, mtime, head
   end
 
+  # we have our own signing code here to avoid a dependency on the aws-sdk gem
+  def s3_uri_signer(uri)
+    Gem::S3URISigner.new(uri)
+  end
+
   ##
   # Downloads +uri+ to +path+ if necessary. If no path is given, it just
   # passes the data.
@@ -317,14 +327,6 @@ class Gem::RemoteFetcher
     response['content-length'].to_i
   end
 
-  def correct_for_windows_path(path)
-    if path[0].chr == '/' && path[1].chr =~ /[a-z]/i && path[2].chr == ':'
-      path[1..-1]
-    else
-      path
-    end
-  end
-
   ##
   # Performs a Net::HTTP request of type +request_class+ on +uri+ returning
   # a Net::HTTP response object.  request maintains a table of persistent
@@ -349,31 +351,6 @@ class Gem::RemoteFetcher
     @pools.each_value {|pool| pool.close_all}
   end
 
-  protected
-
-  # we have our own signing code here to avoid a dependency on the aws-sdk gem
-  # fortunately, a simple GET request isn't too complex to sign properly
-  def sign_s3_url(uri, expiration = nil)
-    require 'base64'
-    require 'openssl'
-
-    id, secret = s3_source_auth uri
-
-    expiration ||= s3_expiration
-    canonical_path = "/#{uri.host}#{uri.path}"
-    payload = "GET\n\n\n#{expiration}\n#{canonical_path}"
-    digest = OpenSSL::HMAC.digest('sha1', secret, payload)
-    # URI.escape is deprecated, and there isn't yet a replacement that does quite what we want
-    signature = Base64.encode64(digest).gsub("\n", '').gsub(/[\+\/=]/) { |c| BASE64_URI_TRANSLATE[c] }
-    URI.parse("https://#{uri.host}.s3.amazonaws.com#{uri.path}?AWSAccessKeyId=#{id}&Expires=#{expiration}&Signature=#{signature}")
-  end
-
-  def s3_expiration
-    (Time.now + 3600).to_i # one hour from now
-  end
-
-  BASE64_URI_TRANSLATE = { '+' => '%2B', '/' => '%2F', '=' => '%3D' }.freeze
-
   private
 
   def proxy_for(proxy, uri)
@@ -386,20 +363,4 @@ class Gem::RemoteFetcher
     end
   end
 
-  def s3_source_auth(uri)
-    return [uri.user, uri.password] if uri.user && uri.password
-
-    s3_source = Gem.configuration[:s3_source] || Gem.configuration['s3_source']
-    host = uri.host
-    raise FetchError.new("no s3_source key exists in .gemrc", "s3://#{host}") unless s3_source
-
-    auth = s3_source[host] || s3_source[host.to_sym]
-    raise FetchError.new("no key for host #{host} in s3_source in .gemrc", "s3://#{host}") unless auth
-
-    id = auth[:id] || auth['id']
-    secret = auth[:secret] || auth['secret']
-    raise FetchError.new("s3_source for #{host} missing id or secret", "s3://#{host}") unless id and secret
-
-    [id, secret]
-  end
 end

data/lib/rubygems/request.rb

@@ -283,7 +283,7 @@ class Gem::Request
     end
     ua << ")"
 
-    ua << " #{RUBY_ENGINE}" if defined?(RUBY_ENGINE) and RUBY_ENGINE != 'ruby'
+    ua << " #{RUBY_ENGINE}" if RUBY_ENGINE != 'ruby'
 
     ua
   end

data/lib/rubygems/request_set/gem_dependency_api.rb

@@ -782,7 +782,7 @@ Gem dependencies file #{@path} includes git reference for both ref/branch and ta
   # You may also provide +engine:+ and +engine_version:+ options to restrict
   # this gem dependencies file to a particular ruby engine and its engine
   # version.  This matching is performed by using the RUBY_ENGINE and
-  # engine_specific VERSION constants.  (For JRuby, JRUBY_VERSION).
+  # RUBY_ENGINE_VERSION constants.
 
   def ruby(version, options = {})
     engine         = options[:engine]
@@ -809,11 +809,9 @@ Gem dependencies file #{@path} includes git reference for both ref/branch and ta
     end
 
     if engine_version
-      my_engine_version = Object.const_get "#{Gem.ruby_engine.upcase}_VERSION"
-
-      if engine_version != my_engine_version
+      if engine_version != RUBY_ENGINE_VERSION
         message =
-          "Your Ruby engine version is #{Gem.ruby_engine} #{my_engine_version}, " +
+          "Your Ruby engine version is #{Gem.ruby_engine} #{RUBY_ENGINE_VERSION}, " +
           "but your #{gem_deps_file} requires #{engine} #{engine_version}"
 
         raise Gem::RubyVersionMismatch, message

data/lib/rubygems/resolver.rb

@@ -124,7 +124,10 @@ class Gem::Resolver
 
     data = yield
     $stderr.printf "%10s (%d entries)\n", stage.to_s.upcase, data.size
-    PP.pp data, $stderr unless data.empty?
+    unless data.empty?
+      require 'pp'
+      PP.pp data, $stderr
+    end
   end
 
   ##

data/lib/rubygems/s3_uri_signer.rb

@@ -0,0 +1,183 @@
+require 'base64'
+require 'digest'
+require 'openssl'
+
+##
+# S3URISigner implements AWS SigV4 for S3 Source to avoid a dependency on the aws-sdk-* gems
+# More on AWS SigV4: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
+class Gem::S3URISigner
+
+  class ConfigurationError < Gem::Exception
+
+    def initialize(message)
+      super message
+    end
+
+    def to_s # :nodoc:
+      "#{super}"
+    end
+
+  end
+
+  class InstanceProfileError < Gem::Exception
+
+    def initialize(message)
+      super message
+    end
+
+    def to_s # :nodoc:
+      "#{super}"
+    end
+
+  end
+
+  attr_accessor :uri
+
+  def initialize(uri)
+    @uri = uri
+  end
+
+  ##
+  # Signs S3 URI using query-params according to the reference: https://docs.aws.amazon.com/AmazonS3/latest/API/sigv4-query-string-auth.html
+  def sign(expiration = 86400)
+    s3_config = fetch_s3_config
+
+    current_time = Time.now.utc
+    date_time = current_time.strftime("%Y%m%dT%H%m%SZ")
+    date = date_time[0,8]
+
+    credential_info = "#{date}/#{s3_config.region}/s3/aws4_request"
+    canonical_host = "#{uri.host}.s3.#{s3_config.region}.amazonaws.com"
+
+    query_params = generate_canonical_query_params(s3_config, date_time, credential_info, expiration)
+    canonical_request = generate_canonical_request(canonical_host, query_params)
+    string_to_sign = generate_string_to_sign(date_time, credential_info, canonical_request)
+    signature = generate_signature(s3_config, date, string_to_sign)
+
+    URI.parse("https://#{canonical_host}#{uri.path}?#{query_params}&X-Amz-Signature=#{signature}")
+  end
+
+  private
+
+  S3Config = Struct.new :access_key_id, :secret_access_key, :security_token, :region
+
+  def generate_canonical_query_params(s3_config, date_time, credential_info, expiration)
+    canonical_params = {}
+    canonical_params["X-Amz-Algorithm"] = "AWS4-HMAC-SHA256"
+    canonical_params["X-Amz-Credential"] = "#{s3_config.access_key_id}/#{credential_info}"
+    canonical_params["X-Amz-Date"] = date_time
+    canonical_params["X-Amz-Expires"] = expiration.to_s
+    canonical_params["X-Amz-SignedHeaders"] = "host"
+    canonical_params["X-Amz-Security-Token"] = s3_config.security_token if s3_config.security_token
+
+    # Sorting is required to generate proper signature
+    canonical_params.sort.to_h.map do |key, value|
+      "#{base64_uri_escape(key)}=#{base64_uri_escape(value)}"
+    end.join("&")
+  end
+
+  def generate_canonical_request(canonical_host, query_params)
+    [
+      "GET",
+      uri.path,
+      query_params,
+      "host:#{canonical_host}",
+      "", # empty params
+      "host",
+      "UNSIGNED-PAYLOAD",
+    ].join("\n")
+  end
+
+  def generate_string_to_sign(date_time, credential_info, canonical_request)
+    [
+      "AWS4-HMAC-SHA256",
+      date_time,
+      credential_info,
+      Digest::SHA256.hexdigest(canonical_request)
+    ].join("\n")
+  end
+
+  def generate_signature(s3_config, date, string_to_sign)
+    date_key = OpenSSL::HMAC.digest("sha256", "AWS4" + s3_config.secret_access_key, date)
+    date_region_key = OpenSSL::HMAC.digest("sha256", date_key, s3_config.region)
+    date_region_service_key = OpenSSL::HMAC.digest("sha256", date_region_key, "s3")
+    signing_key = OpenSSL::HMAC.digest("sha256", date_region_service_key, "aws4_request")
+    OpenSSL::HMAC.hexdigest("sha256", signing_key, string_to_sign)
+  end
+
+  ##
+  # Extracts S3 configuration for S3 bucket
+  def fetch_s3_config
+    return S3Config.new(uri.user, uri.password, nil, "us-east-1") if uri.user && uri.password
+
+    s3_source = Gem.configuration[:s3_source] || Gem.configuration["s3_source"]
+    host = uri.host
+    raise ConfigurationError.new("no s3_source key exists in .gemrc") unless s3_source
+
+    auth = s3_source[host] || s3_source[host.to_sym]
+    raise ConfigurationError.new("no key for host #{host} in s3_source in .gemrc") unless auth
+
+    provider = auth[:provider] || auth["provider"]
+    case provider
+    when "env"
+      id = ENV["AWS_ACCESS_KEY_ID"]
+      secret = ENV["AWS_SECRET_ACCESS_KEY"]
+      security_token = ENV["AWS_SESSION_TOKEN"]
+    when "instance_profile"
+      credentials = ec2_metadata_credentials_json
+      id = credentials["AccessKeyId"]
+      secret = credentials["SecretAccessKey"]
+      security_token = credentials["Token"]
+    else
+      id = auth[:id] || auth["id"]
+      secret = auth[:secret] || auth["secret"]
+      security_token = auth[:security_token] || auth["security_token"]
+    end
+
+    raise ConfigurationError.new("s3_source for #{host} missing id or secret") unless id && secret
+
+    region = auth[:region] || auth["region"] || "us-east-1"
+    S3Config.new(id, secret, security_token, region)
+  end
+
+  def base64_uri_escape(str)
+    str.gsub(/[\+\/=\n]/, BASE64_URI_TRANSLATE)
+  end
+
+  def ec2_metadata_credentials_json
+    require 'net/http'
+    require 'rubygems/request'
+    require 'rubygems/request/connection_pools'
+    require 'json'
+
+    iam_info = ec2_metadata_request(EC2_IAM_INFO)
+    # Expected format: arn:aws:iam::<id>:instance-profile/<role_name>
+    role_name = iam_info['InstanceProfileArn'].split('/').last
+    ec2_metadata_request(EC2_IAM_SECURITY_CREDENTIALS + role_name)
+  end
+
+  def ec2_metadata_request(url)
+    uri = URI(url)
+    @request_pool ||= create_request_pool(uri)
+    request = Gem::Request.new(uri, Net::HTTP::Get, nil, @request_pool)
+    response = request.fetch
+
+    case response
+    when Net::HTTPOK then
+      JSON.parse(response.body)
+    else
+      raise InstanceProfileError.new("Unable to fetch AWS metadata from #{uri}: #{response.message} #{response.code}")
+    end
+  end
+
+  def create_request_pool(uri)
+    proxy_uri = Gem::Request.proxy_uri(Gem::Request.get_proxy_from_env(uri.scheme))
+    certs = Gem::Request.get_cert_files
+    Gem::Request::ConnectionPools.new(proxy_uri, certs).pool_for(uri)
+  end
+
+  BASE64_URI_TRANSLATE = { "+" => "%2B", "/" => "%2F", "=" => "%3D", "\n" => "" }.freeze
+  EC2_IAM_INFO = "http://169.254.169.254/latest/meta-data/iam/info".freeze
+  EC2_IAM_SECURITY_CREDENTIALS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/".freeze
+
+end

data/lib/rubygems/security_option.rb

@@ -19,7 +19,6 @@ end
 
 module Gem::SecurityOption
   def add_security_option
-    # TODO: use @parser.accept
     OptionParser.accept Gem::Security::Policy do |value|
       require 'rubygems/security'