rubygems-update 3.4.10 → 3.4.14

data/test/rubygems/test_webauthn_listener.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require_relative "helper"
+require "rubygems/webauthn_listener"
+
+class WebauthnListenerTest < Gem::TestCase
+  def setup
+    super
+    @server = TCPServer.new 0
+    @port = @server.addr[1].to_s
+  end
+
+  def test_wait_for_otp_code_get_follows_options
+    wait_for_otp_code
+    assert Gem::MockBrowser.options(URI("http://localhost:#{@port}?code=xyz")).is_a? Net::HTTPNoContent
+    assert Gem::MockBrowser.get(URI("http://localhost:#{@port}?code=xyz")).is_a? Net::HTTPOK
+  end
+
+  def test_wait_for_otp_code_options_request
+    wait_for_otp_code
+    response = Gem::MockBrowser.options URI("http://localhost:#{@port}?code=xyz")
+
+    assert response.is_a? Net::HTTPNoContent
+    assert_equal Gem.host, response["access-control-allow-origin"]
+    assert_equal "POST", response["access-control-allow-methods"]
+    assert_equal "Content-Type, Authorization, x-csrf-token", response["access-control-allow-headers"]
+    assert_equal "close", response["Connection"]
+  end
+
+  def test_wait_for_otp_code_get_request
+    wait_for_otp_code
+    response = Gem::MockBrowser.get URI("http://localhost:#{@port}?code=xyz")
+
+    assert response.is_a? Net::HTTPOK
+    assert_equal "text/plain", response["Content-Type"]
+    assert_equal "7", response["Content-Length"]
+    assert_equal Gem.host, response["access-control-allow-origin"]
+    assert_equal "POST", response["access-control-allow-methods"]
+    assert_equal "Content-Type, Authorization, x-csrf-token", response["access-control-allow-headers"]
+    assert_equal "close", response["Connection"]
+    assert_equal "success", response.body
+
+    @thread.join
+    assert_equal "xyz", @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_invalid_post_req_method
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Invalid HTTP method POST received.")
+    response = Gem::MockBrowser.post URI("http://localhost:#{@port}?code=xyz")
+
+    assert response
+    assert response.is_a? Net::HTTPMethodNotAllowed
+    assert_equal "GET, OPTIONS", response["allow"]
+    assert_equal "close", response["Connection"]
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_incorrect_path
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Page at /path not found.")
+    response = Gem::MockBrowser.post URI("http://localhost:#{@port}/path?code=xyz")
+
+    assert response.is_a? Net::HTTPNotFound
+    assert_equal "close", response["Connection"]
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_no_params_response
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Did not receive OTP from https://rubygems.org.")
+    response = Gem::MockBrowser.get URI("http://localhost:#{@port}")
+
+    assert response.is_a? Net::HTTPBadRequest
+    assert_equal "text/plain", response["Content-Type"]
+    assert_equal "22", response["Content-Length"]
+    assert_equal "close", response["Connection"]
+    assert_equal "missing code parameter", response.body
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_incorrect_params
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Did not receive OTP from https://rubygems.org.")
+    response = Gem::MockBrowser.get URI("http://localhost:#{@port}?param=xyz")
+
+    assert response.is_a? Net::HTTPBadRequest
+    assert_equal "text/plain", response["Content-Type"]
+    assert_equal "22", response["Content-Length"]
+    assert_equal "close", response["Connection"]
+    assert_equal "missing code parameter", response.body
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  private
+
+  def wait_for_otp_code
+    @thread = Thread.new do
+      Thread.current[:otp] = Gem::WebauthnListener.wait_for_otp_code(Gem.host, @server)
+    end
+    @thread.abort_on_exception = true
+    @thread.report_on_exception = false
+  end
+
+  def wait_for_otp_code_expect_error_with_message(message)
+    @thread = Thread.new do
+      error = assert_raise Gem::WebauthnVerificationError do
+        Thread.current[:otp] = Gem::WebauthnListener.wait_for_otp_code(Gem.host, @server)
+      end
+
+      assert_equal message, error.message
+    end
+    @thread.abort_on_exception = true
+    @thread.report_on_exception = false
+  end
+end

data/test/rubygems/test_webauthn_listener_response.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require_relative "helper"
+require "rubygems/webauthn_listener/response"
+
+class WebauthnListenerResponseTest < Gem::TestCase
+  def setup
+    super
+    @host = "rubygems.example"
+  end
+
+  def test_ok_response_to_s
+    to_s = Gem::WebauthnListener::OkResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 200 OK\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      content-type: text/plain\r
+      content-length: 7\r
+      \r
+      success
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_no_to_s_response_to_s
+    to_s = Gem::WebauthnListener::NoContentResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 204 No Content\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      \r
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_method_not_allowed_response_to_s
+    to_s = Gem::WebauthnListener::MethodNotAllowedResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 405 Method Not Allowed\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      allow: GET, OPTIONS\r
+      \r
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_method_not_found_response_to_s
+    to_s = Gem::WebauthnListener::NotFoundResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 404 Not Found\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      \r
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_bad_request_response_to_s
+    to_s = Gem::WebauthnListener::BadRequestResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 400 Bad Request\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      content-type: text/plain\r
+      content-length: 22\r
+      \r
+      missing code parameter
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+end

data/test/rubygems/utilities.rb

@@ -167,7 +167,7 @@ end
 #
 # Example:
 #
-#   HTTPResponseFactory.create(
+#   Gem::HTTPResponseFactory.create(
 #     body: "",
 #     code: 301,
 #     msg: "Moved Permanently",
@@ -175,7 +175,7 @@ end
 #   )
 #
 
-class HTTPResponseFactory
+class Gem::HTTPResponseFactory
   def self.create(body:, code:, msg:, headers: {})
     response = Net::HTTPResponse.send(:response_class, code.to_s).new("1.0", code.to_s, msg)
     response.instance_variable_set(:@body, body)
@@ -186,6 +186,41 @@ class HTTPResponseFactory
   end
 end
 
+##
+# A Gem::MockBrowser is used in tests to mock a browser in that it can
+# send HTTP requests to the defined URI.
+#
+# Example:
+#
+#   # Sends a get request to http://localhost:5678
+#   Gem::MockBrowser.get URI("http://localhost:5678")
+#
+# See RubyGems' tests for more examples of MockBrowser.
+#
+
+class Gem::MockBrowser
+  def self.options(uri)
+    options = Net::HTTP::Options.new(uri)
+    Net::HTTP.start(uri.hostname, uri.port) do |http|
+      http.request(options)
+    end
+  end
+
+  def self.get(uri)
+    get = Net::HTTP::Get.new(uri)
+    Net::HTTP.start(uri.hostname, uri.port) do |http|
+      http.request(get)
+    end
+  end
+
+  def self.post(uri)
+    post = Net::HTTP::Post.new(uri)
+    Net::HTTP.start(uri.hostname, uri.port) do |http|
+      http.request(post)
+    end
+  end
+end
+
 # :stopdoc:
 class Gem::RemoteFetcher
   def self.fetcher=(fetcher)
@@ -372,7 +407,7 @@ end
 #
 # This class was added to flush out problems in Rubinius' IO implementation.
 
-class TempIO < Tempfile
+class Gem::TempIO < Tempfile
   ##
   # Creates a new TempIO that will be initialized to contain +string+.
 
@@ -391,3 +426,8 @@ class TempIO < Tempfile
     Gem.read_binary path
   end
 end
+
+class Gem::TestCase
+  TempIO = Gem::TempIO
+  HTTPResponseFactory = Gem::HTTPResponseFactory
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 3.4.10
+  version: 3.4.14
 platform: ruby
 authors:
 - Jim Weirich
@@ -16,7 +16,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2023-03-27 00:00:00.000000000 Z
+date: 2023-06-12 00:00:00.000000000 Z
 dependencies: []
 description: |-
   A package (also known as a library) contains a set of functionality
@@ -236,6 +236,7 @@ files:
 - bundler/lib/bundler/rubygems_gem_installer.rb
 - bundler/lib/bundler/rubygems_integration.rb
 - bundler/lib/bundler/runtime.rb
+- bundler/lib/bundler/safe_marshal.rb
 - bundler/lib/bundler/self_manager.rb
 - bundler/lib/bundler/settings.rb
 - bundler/lib/bundler/settings/validator.rb
@@ -596,6 +597,8 @@ files:
 - lib/rubygems/validator.rb
 - lib/rubygems/version.rb
 - lib/rubygems/version_option.rb
+- lib/rubygems/webauthn_listener.rb
+- lib/rubygems/webauthn_listener/response.rb
 - rubygems-update.gemspec
 - setup.rb
 - test/rubygems/alternate_cert.pem
@@ -809,15 +812,18 @@ files:
 - test/rubygems/test_remote_fetch_error.rb
 - test/rubygems/test_require.rb
 - test/rubygems/test_rubygems.rb
+- test/rubygems/test_webauthn_listener.rb
+- test/rubygems/test_webauthn_listener_response.rb
 - test/rubygems/utilities.rb
 - test/rubygems/wrong_key_cert.pem
 - test/rubygems/wrong_key_cert_32.pem
 - test/test_changelog_generator.rb
-homepage: https://rubygems.org
+homepage: https://guides.rubygems.org
 licenses:
 - Ruby
 - MIT
-metadata: {}
+metadata:
+  source_code_uri: https://github.com/rubygems/rubygems
 post_install_message:
 rdoc_options:
 - "--main"
@@ -836,8 +842,9 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.4.10
+rubygems_version: 3.4.14
 signing_key:
 specification_version: 4
-summary: RubyGems is a package management framework for Ruby.
+summary: RubyGems is a package management framework for Ruby. This gem is downloaded
+  and installed by `gem update --system`, so that the `gem` CLI can update itself.
 test_files: []