rubygems-update 3.4.10 → 3.4.12

data/test/rubygems/test_gem_gemcutter_utilities.rb

@@ -230,10 +230,77 @@ class TestGemGemcutterUtilities < Gem::TestCase
     assert_equal "111111", @fetcher.last_request["OTP"]
   end
 
-  def util_sign_in(response, host = nil, args = [], extra_input = "")
-    email            = "you@example.com"
-    password         = "secret"
-    profile_response = HTTPResponseFactory.create(body: "mfa: disabled\n", code: 200, msg: "OK")
+  def test_sign_in_with_webauthn_enabled
+    webauthn_verification_url = "rubygems.org/api/v1/webauthn_verification/odow34b93t6aPCdY"
+    response_fail = "You have enabled multifactor authentication"
+    api_key = "a5fdbb6ba150cbb83aad2bb2fede64cf040453903"
+    port = 5678
+    server = TCPServer.new(port)
+
+    TCPServer.stub(:new, server) do
+      Gem::WebauthnListener.stub(:wait_for_otp_code, "Uvh6T57tkWuUnWYo") do
+        util_sign_in(proc do
+          @call_count ||= 0
+          if (@call_count += 1).odd?
+            HTTPResponseFactory.create(body: response_fail, code: 401, msg: "Unauthorized")
+          else
+            HTTPResponseFactory.create(body: api_key, code: 200, msg: "OK")
+          end
+        end, nil, [], "", webauthn_verification_url)
+      end
+    ensure
+      server.close
+    end
+
+    url_with_port = "#{webauthn_verification_url}?port=#{port}"
+    assert_match "You have enabled multi-factor authentication. Please visit #{url_with_port} to authenticate via security device. If you can't verify using WebAuthn but have OTP enabled, you can re-run the gem signin command with the `--otp [your_code]` option.", @sign_in_ui.output
+    assert_match "You are verified with a security device. You may close the browser window.", @sign_in_ui.output
+    assert_equal "Uvh6T57tkWuUnWYo", @fetcher.last_request["OTP"]
+  end
+
+  def test_sign_in_with_webauthn_enabled_with_error
+    webauthn_verification_url = "rubygems.org/api/v1/webauthn_verification/odow34b93t6aPCdY"
+    response_fail = "You have enabled multifactor authentication"
+    api_key = "a5fdbb6ba150cbb83aad2bb2fede64cf040453903"
+    port = 5678
+    server = TCPServer.new(port)
+    raise_error = ->(*_args) { raise Gem::WebauthnVerificationError, "Something went wrong" }
+
+    error = assert_raise Gem::MockGemUi::TermError do
+      TCPServer.stub(:new, server) do
+        Gem::WebauthnListener.stub(:wait_for_otp_code, raise_error) do
+          util_sign_in(proc do
+            @call_count ||= 0
+            if (@call_count += 1).odd?
+              HTTPResponseFactory.create(body: response_fail, code: 401, msg: "Unauthorized")
+            else
+              HTTPResponseFactory.create(body: api_key, code: 200, msg: "OK")
+            end
+          end, nil, [], "", webauthn_verification_url)
+        end
+      ensure
+        server.close
+      end
+    end
+    assert_equal 1, error.exit_code
+
+    url_with_port = "#{webauthn_verification_url}?port=#{port}"
+    assert_match "You have enabled multi-factor authentication. Please visit #{url_with_port} to authenticate via security device. If you can't verify using WebAuthn but have OTP enabled, you can re-run the gem signin command with the `--otp [your_code]` option.", @sign_in_ui.output
+    assert_match "ERROR:  Security device verification failed: Something went wrong", @sign_in_ui.error
+    refute_match "You are verified with a security device. You may close the browser window.", @sign_in_ui.output
+    refute_match "Signed in with API key:", @sign_in_ui.output
+  end
+
+  def util_sign_in(response, host = nil, args = [], extra_input = "", webauthn_url = nil)
+    email             = "you@example.com"
+    password          = "secret"
+    profile_response  = HTTPResponseFactory.create(body: "mfa: disabled\n", code: 200, msg: "OK")
+    webauthn_response =
+      if webauthn_url
+        HTTPResponseFactory.create(body: webauthn_url, code: 200, msg: "OK")
+      else
+        HTTPResponseFactory.create(body: "You don't have any security devices", code: 422, msg: "Unprocessable Entity")
+      end
 
     if host
       ENV["RUBYGEMS_HOST"] = host
@@ -244,6 +311,7 @@ class TestGemGemcutterUtilities < Gem::TestCase
     @fetcher = Gem::FakeFetcher.new
     @fetcher.data["#{host}/api/v1/api_key"] = response
     @fetcher.data["#{host}/api/v1/profile/me.yaml"] = profile_response
+    @fetcher.data["#{host}/api/v1/webauthn_verification"] = webauthn_response
     Gem::RemoteFetcher.fetcher = @fetcher
 
     @sign_in_ui = Gem::MockGemUi.new("#{email}\n#{password}\n\n\n\n\n\n\n\n\n" + extra_input)

data/test/rubygems/test_kernel.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 require_relative "helper"
 
-class TestKernel < Gem::TestCase
+class TestGemKernel < Gem::TestCase
   def setup
     super
 

data/test/rubygems/test_project_sanity.rb

@@ -3,13 +3,36 @@
 require_relative "helper"
 require "open3"
 
-class TestProjectSanity < Gem::TestCase
+class TestGemProjectSanity < Gem::TestCase
+  def setup
+  end
+
+  def teardown
+  end
+
   def test_manifest_is_up_to_date
-    pend unless File.exist?(File.expand_path("../../Rakefile", __dir__))
+    pend unless File.exist?("#{root}/Rakefile")
 
     _, status = Open3.capture2e("rake check_manifest")
 
-    assert status.success?, "Expected Manifest.txt to be up to date, but it's not. Run `rake update_manifest` to sync it."
+    unless status.success?
+      original_contents = File.read("#{root}/Manifest.txt")
+
+      # Update the manifest to see if it fixes the problem
+      Open3.capture2e("rake update_manifest")
+
+      out, status = Open3.capture2e("rake check_manifest")
+
+      # If `rake update_manifest` fixed the problem, that was the original
+      # issue, otherwise it was an unknown error, so print the error output
+      if status.success?
+        File.write("#{root}/Manifest.txt", original_contents)
+
+        raise "Expected Manifest.txt to be up to date, but it's not. Run `rake update_manifest` to sync it."
+      else
+        raise "There was an error running `rake check_manifest`: #{out}"
+      end
+    end
   end
 
   def test_require_rubygems_package
@@ -17,4 +40,10 @@ class TestProjectSanity < Gem::TestCase
 
     assert status.success?, err
   end
+
+  private
+
+  def root
+    File.expand_path("../..", __dir__)
+  end
 end

data/test/rubygems/test_remote_fetch_error.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 require_relative "helper"
 
-class TestRemoteFetchError < Gem::TestCase
+class TestGemRemoteFetchError < Gem::TestCase
   def test_password_redacted
     error = Gem::RemoteFetcher::FetchError.new("There was an error fetching", "https://user:secret@gemsource.org")
     refute_match %r{secret}, error.to_s

data/test/rubygems/test_webauthn_listener.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require_relative "helper"
+require "rubygems/webauthn_listener"
+
+class WebauthnListenerTest < Gem::TestCase
+  def setup
+    super
+    @server = TCPServer.new 0
+    @port = @server.addr[1].to_s
+  end
+
+  def test_wait_for_otp_code_get_follows_options
+    wait_for_otp_code
+    assert Gem::MockBrowser.options(URI("http://localhost:#{@port}?code=xyz")).is_a? Net::HTTPNoContent
+    assert Gem::MockBrowser.get(URI("http://localhost:#{@port}?code=xyz")).is_a? Net::HTTPOK
+  end
+
+  def test_wait_for_otp_code_options_request
+    wait_for_otp_code
+    response = Gem::MockBrowser.options URI("http://localhost:#{@port}?code=xyz")
+
+    assert response.is_a? Net::HTTPNoContent
+    assert_equal Gem.host, response["access-control-allow-origin"]
+    assert_equal "POST", response["access-control-allow-methods"]
+    assert_equal "Content-Type, Authorization, x-csrf-token", response["access-control-allow-headers"]
+    assert_equal "close", response["Connection"]
+  end
+
+  def test_wait_for_otp_code_get_request
+    wait_for_otp_code
+    response = Gem::MockBrowser.get URI("http://localhost:#{@port}?code=xyz")
+
+    assert response.is_a? Net::HTTPOK
+    assert_equal "text/plain", response["Content-Type"]
+    assert_equal "7", response["Content-Length"]
+    assert_equal Gem.host, response["access-control-allow-origin"]
+    assert_equal "POST", response["access-control-allow-methods"]
+    assert_equal "Content-Type, Authorization, x-csrf-token", response["access-control-allow-headers"]
+    assert_equal "close", response["Connection"]
+    assert_equal "success", response.body
+
+    @thread.join
+    assert_equal "xyz", @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_invalid_post_req_method
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Invalid HTTP method POST received.")
+    response = Gem::MockBrowser.post URI("http://localhost:#{@port}?code=xyz")
+
+    assert response
+    assert response.is_a? Net::HTTPMethodNotAllowed
+    assert_equal "GET, OPTIONS", response["allow"]
+    assert_equal "close", response["Connection"]
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_incorrect_path
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Page at /path not found.")
+    response = Gem::MockBrowser.post URI("http://localhost:#{@port}/path?code=xyz")
+
+    assert response.is_a? Net::HTTPNotFound
+    assert_equal "close", response["Connection"]
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_no_params_response
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Did not receive OTP from https://rubygems.org.")
+    response = Gem::MockBrowser.get URI("http://localhost:#{@port}")
+
+    assert response.is_a? Net::HTTPBadRequest
+    assert_equal "text/plain", response["Content-Type"]
+    assert_equal "22", response["Content-Length"]
+    assert_equal "close", response["Connection"]
+    assert_equal "missing code parameter", response.body
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_incorrect_params
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Did not receive OTP from https://rubygems.org.")
+    response = Gem::MockBrowser.get URI("http://localhost:#{@port}?param=xyz")
+
+    assert response.is_a? Net::HTTPBadRequest
+    assert_equal "text/plain", response["Content-Type"]
+    assert_equal "22", response["Content-Length"]
+    assert_equal "close", response["Connection"]
+    assert_equal "missing code parameter", response.body
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  private
+
+  def wait_for_otp_code
+    @thread = Thread.new do
+      Thread.current[:otp] = Gem::WebauthnListener.wait_for_otp_code(Gem.host, @server)
+    end
+    @thread.abort_on_exception = true
+    @thread.report_on_exception = false
+  end
+
+  def wait_for_otp_code_expect_error_with_message(message)
+    @thread = Thread.new do
+      error = assert_raise Gem::WebauthnVerificationError do
+        Thread.current[:otp] = Gem::WebauthnListener.wait_for_otp_code(Gem.host, @server)
+      end
+
+      assert_equal message, error.message
+    end
+    @thread.abort_on_exception = true
+    @thread.report_on_exception = false
+  end
+end

data/test/rubygems/test_webauthn_listener_response.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require_relative "helper"
+require "rubygems/webauthn_listener/response"
+
+class WebauthnListenerResponseTest < Gem::TestCase
+  def setup
+    super
+    @host = "rubygems.example"
+  end
+
+  def test_ok_response_to_s
+    to_s = Gem::WebauthnListener::OkResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 200 OK\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      content-type: text/plain\r
+      content-length: 7\r
+      \r
+      success
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_no_to_s_response_to_s
+    to_s = Gem::WebauthnListener::NoContentResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 204 No Content\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      \r
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_method_not_allowed_response_to_s
+    to_s = Gem::WebauthnListener::MethodNotAllowedResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 405 Method Not Allowed\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      allow: GET, OPTIONS\r
+      \r
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_method_not_found_response_to_s
+    to_s = Gem::WebauthnListener::NotFoundResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 404 Not Found\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      \r
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_bad_request_response_to_s
+    to_s = Gem::WebauthnListener::BadRequestResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 400 Bad Request\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      content-type: text/plain\r
+      content-length: 22\r
+      \r
+      missing code parameter
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+end

data/test/rubygems/utilities.rb

@@ -167,7 +167,7 @@ end
 #
 # Example:
 #
-#   HTTPResponseFactory.create(
+#   Gem::HTTPResponseFactory.create(
 #     body: "",
 #     code: 301,
 #     msg: "Moved Permanently",
@@ -175,7 +175,7 @@ end
 #   )
 #
 
-class HTTPResponseFactory
+class Gem::HTTPResponseFactory
   def self.create(body:, code:, msg:, headers: {})
     response = Net::HTTPResponse.send(:response_class, code.to_s).new("1.0", code.to_s, msg)
     response.instance_variable_set(:@body, body)
@@ -186,6 +186,41 @@ class HTTPResponseFactory
   end
 end
 
+##
+# A Gem::MockBrowser is used in tests to mock a browser in that it can
+# send HTTP requests to the defined URI.
+#
+# Example:
+#
+#   # Sends a get request to http://localhost:5678
+#   Gem::MockBrowser.get URI("http://localhost:5678")
+#
+# See RubyGems' tests for more examples of MockBrowser.
+#
+
+class Gem::MockBrowser
+  def self.options(uri)
+    options = Net::HTTP::Options.new(uri)
+    Net::HTTP.start(uri.hostname, uri.port) do |http|
+      http.request(options)
+    end
+  end
+
+  def self.get(uri)
+    get = Net::HTTP::Get.new(uri)
+    Net::HTTP.start(uri.hostname, uri.port) do |http|
+      http.request(get)
+    end
+  end
+
+  def self.post(uri)
+    post = Net::HTTP::Post.new(uri)
+    Net::HTTP.start(uri.hostname, uri.port) do |http|
+      http.request(post)
+    end
+  end
+end
+
 # :stopdoc:
 class Gem::RemoteFetcher
   def self.fetcher=(fetcher)
@@ -372,7 +407,7 @@ end
 #
 # This class was added to flush out problems in Rubinius' IO implementation.
 
-class TempIO < Tempfile
+class Gem::TempIO < Tempfile
   ##
   # Creates a new TempIO that will be initialized to contain +string+.
 
@@ -391,3 +426,8 @@ class TempIO < Tempfile
     Gem.read_binary path
   end
 end
+
+class Gem::TestCase
+  TempIO = Gem::TempIO
+  HTTPResponseFactory = Gem::HTTPResponseFactory
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 3.4.10
+  version: 3.4.12
 platform: ruby
 authors:
 - Jim Weirich
@@ -16,7 +16,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-27 00:00:00.000000000 Z
+date: 2023-04-11 00:00:00.000000000 Z
 dependencies: []
 description: |-
   A package (also known as a library) contains a set of functionality
@@ -596,6 +596,8 @@ files:
 - lib/rubygems/validator.rb
 - lib/rubygems/version.rb
 - lib/rubygems/version_option.rb
+- lib/rubygems/webauthn_listener.rb
+- lib/rubygems/webauthn_listener/response.rb
 - rubygems-update.gemspec
 - setup.rb
 - test/rubygems/alternate_cert.pem
@@ -809,6 +811,8 @@ files:
 - test/rubygems/test_remote_fetch_error.rb
 - test/rubygems/test_require.rb
 - test/rubygems/test_rubygems.rb
+- test/rubygems/test_webauthn_listener.rb
+- test/rubygems/test_webauthn_listener_response.rb
 - test/rubygems/utilities.rb
 - test/rubygems/wrong_key_cert.pem
 - test/rubygems/wrong_key_cert_32.pem
@@ -836,7 +840,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.4.12
 signing_key:
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby.