rubygems-update 3.2.26 → 3.2.30

data/lib/rubygems/resolver.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
-require 'rubygems/dependency'
-require 'rubygems/exceptions'
-require 'rubygems/util/list'
+require_relative 'dependency'
+require_relative 'exceptions'
+require_relative 'util/list'
 
 ##
 # Given a set of Gem::Dependency objects as +needed+ and a way to query the
@@ -10,7 +10,7 @@ require 'rubygems/util/list'
 # all the requirements.
 
 class Gem::Resolver
-  require 'rubygems/resolver/molinillo'
+  require_relative 'resolver/molinillo'
 
   ##
   # If the DEBUG_RESOLVER environment variable is set then debugging mode is
@@ -318,30 +318,30 @@ class Gem::Resolver
   private :amount_constrained
 end
 
-require 'rubygems/resolver/activation_request'
-require 'rubygems/resolver/conflict'
-require 'rubygems/resolver/dependency_request'
-require 'rubygems/resolver/requirement_list'
-require 'rubygems/resolver/stats'
-
-require 'rubygems/resolver/set'
-require 'rubygems/resolver/api_set'
-require 'rubygems/resolver/composed_set'
-require 'rubygems/resolver/best_set'
-require 'rubygems/resolver/current_set'
-require 'rubygems/resolver/git_set'
-require 'rubygems/resolver/index_set'
-require 'rubygems/resolver/installer_set'
-require 'rubygems/resolver/lock_set'
-require 'rubygems/resolver/vendor_set'
-require 'rubygems/resolver/source_set'
-
-require 'rubygems/resolver/specification'
-require 'rubygems/resolver/spec_specification'
-require 'rubygems/resolver/api_specification'
-require 'rubygems/resolver/git_specification'
-require 'rubygems/resolver/index_specification'
-require 'rubygems/resolver/installed_specification'
-require 'rubygems/resolver/local_specification'
-require 'rubygems/resolver/lock_specification'
-require 'rubygems/resolver/vendor_specification'
+require_relative 'resolver/activation_request'
+require_relative 'resolver/conflict'
+require_relative 'resolver/dependency_request'
+require_relative 'resolver/requirement_list'
+require_relative 'resolver/stats'
+
+require_relative 'resolver/set'
+require_relative 'resolver/api_set'
+require_relative 'resolver/composed_set'
+require_relative 'resolver/best_set'
+require_relative 'resolver/current_set'
+require_relative 'resolver/git_set'
+require_relative 'resolver/index_set'
+require_relative 'resolver/installer_set'
+require_relative 'resolver/lock_set'
+require_relative 'resolver/vendor_set'
+require_relative 'resolver/source_set'
+
+require_relative 'resolver/specification'
+require_relative 'resolver/spec_specification'
+require_relative 'resolver/api_specification'
+require_relative 'resolver/git_specification'
+require_relative 'resolver/index_specification'
+require_relative 'resolver/installed_specification'
+require_relative 'resolver/local_specification'
+require_relative 'resolver/lock_specification'
+require_relative 'resolver/vendor_specification'

data/lib/rubygems/s3_uri_signer.rb

@@ -1,5 +1,4 @@
-require 'digest'
-require 'rubygems/openssl'
+require_relative 'openssl'
 
 ##
 # S3URISigner implements AWS SigV4 for S3 Source to avoid a dependency on the aws-sdk-* gems
@@ -87,7 +86,7 @@ class Gem::S3URISigner
       "AWS4-HMAC-SHA256",
       date_time,
       credential_info,
-      Digest::SHA256.hexdigest(canonical_request),
+      OpenSSL::Digest::SHA256.hexdigest(canonical_request),
     ].join("\n")
   end
 
@@ -140,8 +139,8 @@ class Gem::S3URISigner
 
   def ec2_metadata_credentials_json
     require 'net/http'
-    require 'rubygems/request'
-    require 'rubygems/request/connection_pools'
+    require_relative 'request'
+    require_relative 'request/connection_pools'
     require 'json'
 
     iam_info = ec2_metadata_request(EC2_IAM_INFO)

data/lib/rubygems/security/policy.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
-require 'rubygems/user_interaction'
+require_relative '../user_interaction'
 
 ##
 # A Gem::Security::Policy object encapsulates the settings for verifying
@@ -115,9 +115,11 @@ class Gem::Security::Policy
       raise Gem::Security::Exception, 'missing key or signature'
     end
 
+    public_key = Gem::Security.get_public_key(key)
+
     raise Gem::Security::Exception,
       "certificate #{signer.subject} does not match the signing key" unless
-        signer.public_key.to_pem == key.public_key.to_pem
+        signer.public_key.to_pem == public_key.to_pem
 
     true
   end
@@ -164,9 +166,9 @@ class Gem::Security::Policy
     end
 
     save_cert = OpenSSL::X509::Certificate.new File.read path
-    save_dgst = digester.digest save_cert.public_key.to_s
+    save_dgst = digester.digest save_cert.public_key.to_pem
 
-    pkey_str = root.public_key.to_s
+    pkey_str = root.public_key.to_pem
     cert_dgst = digester.digest pkey_str
 
     raise Gem::Security::Exception,

data/lib/rubygems/security/signer.rb

@@ -2,7 +2,7 @@
 ##
 # Basic OpenSSL-based package signing class.
 
-require "rubygems/user_interaction"
+require_relative "../user_interaction"
 
 class Gem::Security::Signer
   include Gem::UserInteraction
@@ -83,8 +83,8 @@ class Gem::Security::Signer
     @digest_name      = Gem::Security::DIGEST_NAME
     @digest_algorithm = Gem::Security.create_digest(@digest_name)
 
-    if @key && !@key.is_a?(OpenSSL::PKey::RSA)
-      @key = OpenSSL::PKey::RSA.new(File.read(@key), @passphrase)
+    if @key && !@key.is_a?(OpenSSL::PKey::PKey)
+      @key = OpenSSL::PKey.read(File.read(@key), @passphrase)
     end
 
     if @cert_chain
@@ -177,8 +177,7 @@ class Gem::Security::Signer
     disk_cert = File.read(disk_cert_path) rescue nil
 
     disk_key_path = File.join(Gem.default_key_path)
-    disk_key =
-      OpenSSL::PKey::RSA.new(File.read(disk_key_path), @passphrase) rescue nil
+    disk_key = OpenSSL::PKey.read(File.read(disk_key_path), @passphrase) rescue nil
 
     return unless disk_key
 

data/lib/rubygems/security.rb

@@ -5,7 +5,7 @@
 # See LICENSE.txt for permissions.
 #++
 
-require 'rubygems/exceptions'
+require_relative 'exceptions'
 require_relative 'openssl'
 
 ##
@@ -152,6 +152,7 @@ require_relative 'openssl'
 #                                      certificate for EMAIL_ADDR
 #     -C, --certificate CERT           Signing certificate for --sign
 #     -K, --private-key KEY            Key for --sign or --build
+#     -A, --key-algorithm ALGORITHM    Select key algorithm for --build from RSA, DSA, or EC. Defaults to RSA.
 #     -s, --sign CERT                  Signs CERT with the key from -K
 #                                      and the certificate from -C
 #     -d, --days NUMBER_OF_DAYS        Days before the certificate expires
@@ -317,7 +318,6 @@ require_relative 'openssl'
 # * Honor extension restrictions
 # * Might be better to store the certificate chain as a PKCS#7 or PKCS#12
 #   file, instead of an array embedded in the metadata.
-# * Flexible signature and key algorithms, not hard-coded to RSA and SHA1.
 #
 # == Original author
 #
@@ -337,17 +337,19 @@ module Gem::Security
   DIGEST_NAME = 'SHA256' # :nodoc:
 
   ##
-  # Algorithm for creating the key pair used to sign gems
+  # Length of keys created by RSA and DSA keys
 
-  KEY_ALGORITHM =
-    if defined?(OpenSSL::PKey::RSA)
-      OpenSSL::PKey::RSA
-    end
+  RSA_DSA_KEY_LENGTH = 3072
 
   ##
-  # Length of keys created by KEY_ALGORITHM
+  # Default algorithm to use when building a key pair
 
-  KEY_LENGTH = 3072
+  DEFAULT_KEY_ALGORITHM = 'RSA'
+
+  ##
+  # Named curve used for Elliptic Curve
+
+  EC_NAME = 'secp384r1'
 
   ##
   # Cipher used to encrypt the key pair used to sign gems.
@@ -400,7 +402,7 @@ module Gem::Security
                        serial = 1)
     cert = OpenSSL::X509::Certificate.new
 
-    cert.public_key = key.public_key
+    cert.public_key = get_public_key(key)
     cert.version    = 2
     cert.serial     = serial
 
@@ -418,6 +420,24 @@ module Gem::Security
     cert
   end
 
+  ##
+  # Gets the right public key from a PKey instance
+
+  def self.get_public_key(key)
+    return key.public_key unless key.is_a?(OpenSSL::PKey::EC)
+
+    ec_key = OpenSSL::PKey::EC.new(key.group.curve_name)
+    ec_key.public_key = key.public_key
+    ec_key
+  end
+
+  ##
+  # In Ruby 2.3 EC doesn't implement the private_key? but not the private? method
+
+  if defined?(OpenSSL::PKey::EC) && Gem::Version.new(String.new(RUBY_VERSION)) < Gem::Version.new("2.4.0")
+    OpenSSL::PKey::EC.send(:alias_method, :private?, :private_key?)
+  end
+
   ##
   # Creates a self-signed certificate with an issuer and subject from +email+,
   # a subject alternative name of +email+ and the given +extensions+ for the
@@ -459,11 +479,25 @@ module Gem::Security
   end
 
   ##
-  # Creates a new key pair of the specified +length+ and +algorithm+.  The
-  # default is a 3072 bit RSA key.
-
-  def self.create_key(length = KEY_LENGTH, algorithm = KEY_ALGORITHM)
-    algorithm.new length
+  # Creates a new key pair of the specified +algorithm+. RSA, DSA, and EC
+  # are supported.
+
+  def self.create_key(algorithm)
+    if defined?(OpenSSL::PKey)
+      case algorithm.downcase
+      when 'dsa'
+        OpenSSL::PKey::DSA.new(RSA_DSA_KEY_LENGTH)
+      when 'rsa'
+        OpenSSL::PKey::RSA.new(RSA_DSA_KEY_LENGTH)
+      when 'ec'
+        domain_key = OpenSSL::PKey::EC.new(EC_NAME)
+        domain_key.generate_key
+        domain_key
+      else
+        raise Gem::Security::Exception,
+        "#{algorithm} algorithm not found. RSA, DSA, and EC algorithms are supported."
+      end
+    end
   end
 
   ##
@@ -492,7 +526,7 @@ module Gem::Security
     raise Gem::Security::Exception,
           "incorrect signing key for re-signing " +
           "#{expired_certificate.subject}" unless
-      expired_certificate.public_key.to_pem == private_key.public_key.to_pem
+      expired_certificate.public_key.to_pem == get_public_key(private_key).to_pem
 
     unless expired_certificate.subject.to_s ==
            expired_certificate.issuer.to_s
@@ -592,9 +626,9 @@ module Gem::Security
 end
 
 if Gem::HAVE_OPENSSL
-  require 'rubygems/security/policy'
-  require 'rubygems/security/policies'
-  require 'rubygems/security/trust_dir'
+  require_relative 'security/policy'
+  require_relative 'security/policies'
+  require_relative 'security/trust_dir'
 end
 
-require 'rubygems/security/signer'
+require_relative 'security/signer'

data/lib/rubygems/security_option.rb

@@ -5,7 +5,7 @@
 # See LICENSE.txt for permissions.
 #++
 
-require 'rubygems'
+require_relative '../rubygems'
 
 # forward-declare
 
@@ -20,7 +20,7 @@ end
 module Gem::SecurityOption
   def add_security_option
     OptionParser.accept Gem::Security::Policy do |value|
-      require 'rubygems/security'
+      require_relative 'security'
 
       raise OptionParser::InvalidArgument, 'OpenSSL not installed' unless
         defined?(Gem::Security::HighSecurity)

data/lib/rubygems/server.rb

@@ -3,8 +3,8 @@ require 'zlib'
 require 'erb'
 require 'uri'
 
-require 'rubygems'
-require 'rubygems/rdoc'
+require_relative '../rubygems'
+require_relative 'rdoc'
 
 ##
 # Gem::Server and allows users to serve gems for consumption by

data/lib/rubygems/source/git.rb

@@ -225,7 +225,7 @@ class Gem::Source::Git < Gem::Source
   # A hash for the git gem based on the git repository URI.
 
   def uri_hash # :nodoc:
-    require 'digest' # required here to avoid deadlocking in Gem.activate_bin_path (because digest is a gem on 2.5+)
+    require_relative '../openssl'
 
     normalized =
       if @repository =~ %r{^\w+://(\w+@)?}
@@ -235,6 +235,6 @@ class Gem::Source::Git < Gem::Source
         @repository
       end
 
-    Digest::SHA1.hexdigest normalized
+    OpenSSL::Digest::SHA1.hexdigest normalized
   end
 end

data/lib/rubygems/source.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require "rubygems/text"
+require_relative "text"
 ##
 # A Source knows how to list and fetch gems from a RubyGems marshal index.
 #
@@ -238,9 +238,9 @@ class Gem::Source
   end
 end
 
-require 'rubygems/source/git'
-require 'rubygems/source/installed'
-require 'rubygems/source/specific_file'
-require 'rubygems/source/local'
-require 'rubygems/source/lock'
-require 'rubygems/source/vendor'
+require_relative 'source/git'
+require_relative 'source/installed'
+require_relative 'source/specific_file'
+require_relative 'source/local'
+require_relative 'source/lock'
+require_relative 'source/vendor'

data/lib/rubygems/spec_fetcher.rb

@@ -1,9 +1,9 @@
 # frozen_string_literal: true
-require 'rubygems/remote_fetcher'
-require 'rubygems/user_interaction'
-require 'rubygems/errors'
-require 'rubygems/text'
-require 'rubygems/name_tuple'
+require_relative 'remote_fetcher'
+require_relative 'user_interaction'
+require_relative 'errors'
+require_relative 'text'
+require_relative 'name_tuple'
 
 ##
 # SpecFetcher handles metadata updates from remote gem repositories.

data/lib/rubygems/specification.rb

@@ -6,11 +6,11 @@
 # See LICENSE.txt for permissions.
 #++
 
-require 'rubygems/deprecate'
-require 'rubygems/basic_specification'
-require 'rubygems/stub_specification'
-require 'rubygems/specification_policy'
-require 'rubygems/util/list'
+require_relative 'deprecate'
+require_relative 'basic_specification'
+require_relative 'stub_specification'
+require_relative 'specification_policy'
+require_relative 'util/list'
 
 ##
 # The Specification class contains the information for a gem.  Typically
@@ -105,7 +105,7 @@ class Gem::Specification < Gem::BasicSpecification
   # rubocop:disable Style/MutableConstant
   LOAD_CACHE = {} # :nodoc:
   # rubocop:enable Style/MutableConstant
-  LOAD_CACHE_MUTEX = Mutex.new
+  LOAD_CACHE_MUTEX = Thread::Mutex.new
 
   private_constant :LOAD_CACHE if defined? private_constant
 
@@ -1556,8 +1556,8 @@ class Gem::Specification < Gem::BasicSpecification
   # the gem.build_complete file is missing.
 
   def build_extensions # :nodoc:
-    return if default_gem?
     return if extensions.empty?
+    return if default_gem?
     return if File.exist? gem_build_complete_path
     return if !File.writable?(base_dir)
     return if !File.exist?(File.join(base_dir, 'extensions'))
@@ -1568,9 +1568,9 @@ class Gem::Specification < Gem::BasicSpecification
       unresolved_deps = Gem::Specification.unresolved_deps.dup
       Gem::Specification.unresolved_deps.clear
 
-      require 'rubygems/config_file'
-      require 'rubygems/ext'
-      require 'rubygems/user_interaction'
+      require_relative 'config_file'
+      require_relative 'ext'
+      require_relative 'user_interaction'
 
       ui = Gem::SilentUI.new
       Gem::DefaultUserInteraction.use_ui ui do
@@ -2120,8 +2120,8 @@ class Gem::Specification < Gem::BasicSpecification
   # probably want to build_extensions
 
   def missing_extensions?
-    return false if default_gem?
     return false if extensions.empty?
+    return false if default_gem?
     return false if File.exist? gem_build_complete_path
 
     true
@@ -2525,7 +2525,7 @@ class Gem::Specification < Gem::BasicSpecification
     # back, we have to check again here to make sure that our
     # psych code was properly loaded, and load it if not.
     unless Gem.const_defined?(:NoAliasYAMLTree)
-      require 'rubygems/psych_tree'
+      require_relative 'psych_tree'
     end
 
     builder = Gem::NoAliasYAMLTree.create

data/lib/rubygems/specification_policy.rb

@@ -1,4 +1,4 @@
-require 'rubygems/user_interaction'
+require_relative 'user_interaction'
 
 class Gem::SpecificationPolicy
   include Gem::UserInteraction
@@ -381,7 +381,7 @@ http://spdx.org/licenses or '#{Gem::Licenses::NONSTANDARD}' for a nonstandard li
   end
 
   LAZY = '"FIxxxXME" or "TOxxxDO"'.gsub(/xxx/, '')
-  LAZY_PATTERN = /FI XME|TO DO/x.freeze
+  LAZY_PATTERN = /\AFI XME|\ATO DO/x.freeze
   HOMEPAGE_URI_PATTERN = /\A[a-z][a-z\d+.-]*:/i.freeze
 
   def validate_lazy_metadata

data/lib/rubygems/uninstaller.rb

@@ -6,11 +6,11 @@
 #++
 
 require 'fileutils'
-require 'rubygems'
-require 'rubygems/installer_uninstaller_utils'
-require 'rubygems/dependency_list'
-require 'rubygems/rdoc'
-require 'rubygems/user_interaction'
+require_relative '../rubygems'
+require_relative 'installer_uninstaller_utils'
+require_relative 'dependency_list'
+require_relative 'rdoc'
+require_relative 'user_interaction'
 
 ##
 # An Uninstaller.
@@ -357,7 +357,7 @@ class Gem::Uninstaller
     # of what it did for us to find rather than trying to recreate
     # it again.
     if @format_executable
-      require 'rubygems/installer'
+      require_relative 'installer'
       Gem::Installer.exec_format % File.basename(filename)
     else
       filename

data/lib/rubygems/uri.rb

@@ -0,0 +1,111 @@
+# frozen_string_literal: true
+
+##
+# The Uri handles rubygems source URIs.
+#
+
+class Gem::Uri
+  def initialize(source_uri)
+    @parsed_uri = parse(source_uri)
+  end
+
+  def redacted
+    return self unless valid_uri?
+
+    if token? || oauth_basic?
+      with_redacted_user
+    elsif password?
+      with_redacted_password
+    else
+      self
+    end
+  end
+
+  def to_s
+    @parsed_uri.to_s
+  end
+
+  def redact_credentials_from(text)
+    return text unless valid_uri? && password?
+
+    text.sub(password, 'REDACTED')
+  end
+
+  def method_missing(method_name, *args, &blk)
+    if @parsed_uri.respond_to?(method_name)
+      @parsed_uri.send(method_name, *args, &blk)
+    else
+      super
+    end
+  end
+
+  def respond_to_missing?(method_name, include_private = false)
+    @parsed_uri.respond_to?(method_name, include_private) || super
+  end
+
+  protected
+
+  # Add a protected reader for the cloned instance to access the original object's parsed uri
+  attr_reader :parsed_uri
+
+  private
+
+  ##
+  # Parses the #uri, raising if it's invalid
+
+  def parse!(uri)
+    require "uri"
+
+    raise URI::InvalidURIError unless uri
+
+    # Always escape URI's to deal with potential spaces and such
+    # It should also be considered that source_uri may already be
+    # a valid URI with escaped characters. e.g. "{DESede}" is encoded
+    # as "%7BDESede%7D". If this is escaped again the percentage
+    # symbols will be escaped.
+    begin
+      URI.parse(uri)
+    rescue URI::InvalidURIError
+      URI.parse(URI::DEFAULT_PARSER.escape(uri))
+    end
+  end
+
+  ##
+  # Parses the #uri, returning the original uri if it's invalid
+
+  def parse(uri)
+    return uri unless uri.is_a?(String)
+
+    parse!(uri)
+  rescue URI::InvalidURIError
+    uri
+  end
+
+  def with_redacted_user
+    clone.tap {|uri| uri.user = 'REDACTED' }
+  end
+
+  def with_redacted_password
+    clone.tap {|uri| uri.password = 'REDACTED' }
+  end
+
+  def valid_uri?
+    !@parsed_uri.is_a?(String)
+  end
+
+  def password?
+    !!password
+  end
+
+  def oauth_basic?
+    password == 'x-oauth-basic'
+  end
+
+  def token?
+    !user.nil? && password.nil?
+  end
+
+  def initialize_copy(original)
+    @parsed_uri = original.parsed_uri.clone
+  end
+end

data/lib/rubygems/user_interaction.rb

@@ -5,8 +5,8 @@
 # See LICENSE.txt for permissions.
 #++
 
-require 'rubygems/deprecate'
-require 'rubygems/text'
+require_relative 'deprecate'
+require_relative 'text'
 
 ##
 # Module that defines the default UserInteraction.  Any class including this
@@ -543,7 +543,7 @@ class Gem::StreamUI
   # A progress reporter that behaves nicely with threaded downloading.
 
   class ThreadedDownloadReporter
-    MUTEX = Mutex.new
+    MUTEX = Thread::Mutex.new
 
     ##
     # The current file name being displayed

data/lib/rubygems/util/licenses.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
-require 'rubygems/text'
+require_relative '../text'
 
 class Gem::Licenses
   extend Gem::Text

data/lib/rubygems/util.rb

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
-require 'rubygems/deprecate'
+require_relative 'deprecate'
 
 ##
 # This module contains various utility methods as module methods.

data/lib/rubygems/validator.rb

@@ -5,8 +5,8 @@
 # See LICENSE.txt for permissions.
 #++
 
-require 'rubygems/package'
-require 'rubygems/installer'
+require_relative 'package'
+require_relative 'installer'
 
 ##
 # Validator performs various gem file and gem database validation

data/lib/rubygems/version_option.rb

@@ -5,7 +5,7 @@
 # See LICENSE.txt for permissions.
 #++
 
-require 'rubygems'
+require_relative '../rubygems'
 
 ##
 # Mixin methods for --version and --platform Gem::Command options.