rubygems-update 3.4.10 → 3.4.15

data/test/rubygems/test_gem_commands_yank_command.rb

@@ -72,6 +72,9 @@ class TestGemCommandsYankCommand < Gem::TestCase
       HTTPResponseFactory.create(body: response_fail, code: 401, msg: "Unauthorized"),
       HTTPResponseFactory.create(body: "Successfully yanked", code: 200, msg: "OK"),
     ]
+    webauthn_uri = "http://example/api/v1/webauthn_verification"
+    @fetcher.data[webauthn_uri] =
+      HTTPResponseFactory.create(body: "You don't have any security devices", code: 422, msg: "Unprocessable Entity")
 
     @cmd.options[:args]           = %w[a]
     @cmd.options[:added_platform] = true
@@ -93,6 +96,9 @@ class TestGemCommandsYankCommand < Gem::TestCase
     response = "You have enabled multifactor authentication but your request doesn't have the correct OTP code. Please check it and retry."
     yank_uri = "http://example/api/v1/gems/yank"
     @fetcher.data[yank_uri] = HTTPResponseFactory.create(body: response, code: 401, msg: "Unauthorized")
+    webauthn_uri = "http://example/api/v1/webauthn_verification"
+    @fetcher.data[webauthn_uri] =
+      HTTPResponseFactory.create(body: "You don't have any security devices", code: 422, msg: "Unprocessable Entity")
 
     @cmd.options[:args]           = %w[a]
     @cmd.options[:added_platform] = true
@@ -109,6 +115,84 @@ class TestGemCommandsYankCommand < Gem::TestCase
     assert_equal "111111", @fetcher.last_request["OTP"]
   end
 
+  def test_with_webauthn_enabled_success
+    webauthn_verification_url = "http://example/api/v1/webauthn_verification/odow34b93t6aPCdY"
+    response_fail = "You have enabled multifactor authentication but your request doesn't have the correct OTP code. Please check it and retry."
+    yank_uri = "http://example/api/v1/gems/yank"
+    webauthn_uri = "http://example/api/v1/webauthn_verification"
+    port = 5678
+    server = TCPServer.new(port)
+
+    @fetcher.data[webauthn_uri] = HTTPResponseFactory.create(body: webauthn_verification_url, code: 200, msg: "OK")
+    @fetcher.data[yank_uri] = [
+      HTTPResponseFactory.create(body: response_fail, code: 401, msg: "Unauthorized"),
+      HTTPResponseFactory.create(body: "Successfully yanked", code: 200, msg: "OK"),
+    ]
+
+    @cmd.options[:args]           = %w[a]
+    @cmd.options[:added_platform] = true
+    @cmd.options[:version]        = req("= 1.0")
+
+    TCPServer.stub(:new, server) do
+      Gem::WebauthnListener.stub(:wait_for_otp_code, "Uvh6T57tkWuUnWYo") do
+        use_ui @ui do
+          @cmd.execute
+        end
+      end
+    ensure
+      server.close
+    end
+
+    url_with_port = "#{webauthn_verification_url}?port=#{port}"
+    assert_match %r{Yanking gem from http://example}, @ui.output
+    assert_match "You have enabled multi-factor authentication. Please visit #{url_with_port} to authenticate via security device. If you can't verify using WebAuthn but have OTP enabled, you can re-run the gem signin command with the `--otp [your_code]` option.", @ui.output
+    assert_match "You are verified with a security device. You may close the browser window.", @ui.output
+    assert_equal "Uvh6T57tkWuUnWYo", @fetcher.last_request["OTP"]
+    assert_match "Successfully yanked", @ui.output
+  end
+
+  def test_with_webauthn_enabled_failure
+    webauthn_verification_url = "http://example/api/v1/webauthn_verification/odow34b93t6aPCdY"
+    response_fail = "You have enabled multifactor authentication but your request doesn't have the correct OTP code. Please check it and retry."
+    yank_uri = "http://example/api/v1/gems/yank"
+    webauthn_uri = "http://example/api/v1/webauthn_verification"
+    port = 5678
+    server = TCPServer.new(port)
+    raise_error = ->(*_args) { raise Gem::WebauthnVerificationError, "Something went wrong" }
+
+    @fetcher.data[webauthn_uri] = HTTPResponseFactory.create(body: webauthn_verification_url, code: 200, msg: "OK")
+    @fetcher.data[yank_uri] = [
+      HTTPResponseFactory.create(body: response_fail, code: 401, msg: "Unauthorized"),
+      HTTPResponseFactory.create(body: "Successfully yanked", code: 200, msg: "OK"),
+    ]
+
+    @cmd.options[:args]           = %w[a]
+    @cmd.options[:added_platform] = true
+    @cmd.options[:version]        = req("= 1.0")
+
+    error = assert_raise Gem::MockGemUi::TermError do
+      TCPServer.stub(:new, server) do
+        Gem::WebauthnListener.stub(:wait_for_otp_code, raise_error) do
+          use_ui @ui do
+            @cmd.execute
+          end
+        end
+      ensure
+        server.close
+      end
+    end
+    assert_equal 1, error.exit_code
+
+    url_with_port = "#{webauthn_verification_url}?port=#{port}"
+
+    assert_match @fetcher.last_request["Authorization"], Gem.configuration.rubygems_api_key
+    assert_match %r{Yanking gem from http://example}, @ui.output
+    assert_match "You have enabled multi-factor authentication. Please visit #{url_with_port} to authenticate via security device. If you can't verify using WebAuthn but have OTP enabled, you can re-run the gem signin command with the `--otp [your_code]` option.", @ui.output
+    assert_match "ERROR:  Security device verification failed: Something went wrong", @ui.error
+    refute_match "You are verified with a security device. You may close the browser window.", @ui.output
+    refute_match "Successfully yanked", @ui.output
+  end
+
   def test_execute_key
     yank_uri = "http://example/api/v1/gems/yank"
     @fetcher.data[yank_uri] = HTTPResponseFactory.create(body: "Successfully yanked", code: 200, msg: "OK")

data/test/rubygems/test_gem_ext_cargo_builder.rb

@@ -145,6 +145,7 @@ class TestGemExtCargoBuilder < Gem::TestCase
     system(@rust_envs, "cargo", "-V", out: IO::NULL, err: [:child, :out])
     pend "cargo not present" unless $?.success?
     pend "ruby.h is not provided by ruby repo" if ruby_repo?
+    pend "rust toolchain of mingw is broken" if mingw_windows?
   end
 
   def assert_ffi_handle(bundle, name)

data/test/rubygems/test_gem_gem_runner.rb

@@ -3,9 +3,6 @@ require_relative "helper"
 
 class TestGemGemRunner < Gem::TestCase
   def setup
-    @orig_gem_home = ENV["GEM_HOME"]
-    ENV["GEM_HOME"] = @gemhome
-
     require "rubygems/command"
     @orig_args = Gem::Command.build_args
     @orig_specific_extra_args = Gem::Command.specific_extra_args_hash.dup
@@ -13,18 +10,21 @@ class TestGemGemRunner < Gem::TestCase
 
     super
 
+    @orig_gem_home = ENV["GEM_HOME"]
+    ENV["GEM_HOME"] = @gemhome
+
     require "rubygems/gem_runner"
     @runner = Gem::GemRunner.new
   end
 
   def teardown
+    ENV["GEM_HOME"] = @orig_gem_home
+
     super
 
     Gem::Command.build_args = @orig_args
     Gem::Command.specific_extra_args_hash = @orig_specific_extra_args
     Gem::Command.extra_args = @orig_extra_args
-
-    ENV["GEM_HOME"] = @orig_gem_home
   end
 
   def test_do_configuration

data/test/rubygems/test_gem_gemcutter_utilities.rb

@@ -230,10 +230,77 @@ class TestGemGemcutterUtilities < Gem::TestCase
     assert_equal "111111", @fetcher.last_request["OTP"]
   end
 
-  def util_sign_in(response, host = nil, args = [], extra_input = "")
-    email            = "you@example.com"
-    password         = "secret"
-    profile_response = HTTPResponseFactory.create(body: "mfa: disabled\n", code: 200, msg: "OK")
+  def test_sign_in_with_webauthn_enabled
+    webauthn_verification_url = "rubygems.org/api/v1/webauthn_verification/odow34b93t6aPCdY"
+    response_fail = "You have enabled multifactor authentication"
+    api_key = "a5fdbb6ba150cbb83aad2bb2fede64cf040453903"
+    port = 5678
+    server = TCPServer.new(port)
+
+    TCPServer.stub(:new, server) do
+      Gem::WebauthnListener.stub(:wait_for_otp_code, "Uvh6T57tkWuUnWYo") do
+        util_sign_in(proc do
+          @call_count ||= 0
+          if (@call_count += 1).odd?
+            HTTPResponseFactory.create(body: response_fail, code: 401, msg: "Unauthorized")
+          else
+            HTTPResponseFactory.create(body: api_key, code: 200, msg: "OK")
+          end
+        end, nil, [], "", webauthn_verification_url)
+      end
+    ensure
+      server.close
+    end
+
+    url_with_port = "#{webauthn_verification_url}?port=#{port}"
+    assert_match "You have enabled multi-factor authentication. Please visit #{url_with_port} to authenticate via security device. If you can't verify using WebAuthn but have OTP enabled, you can re-run the gem signin command with the `--otp [your_code]` option.", @sign_in_ui.output
+    assert_match "You are verified with a security device. You may close the browser window.", @sign_in_ui.output
+    assert_equal "Uvh6T57tkWuUnWYo", @fetcher.last_request["OTP"]
+  end
+
+  def test_sign_in_with_webauthn_enabled_with_error
+    webauthn_verification_url = "rubygems.org/api/v1/webauthn_verification/odow34b93t6aPCdY"
+    response_fail = "You have enabled multifactor authentication"
+    api_key = "a5fdbb6ba150cbb83aad2bb2fede64cf040453903"
+    port = 5678
+    server = TCPServer.new(port)
+    raise_error = ->(*_args) { raise Gem::WebauthnVerificationError, "Something went wrong" }
+
+    error = assert_raise Gem::MockGemUi::TermError do
+      TCPServer.stub(:new, server) do
+        Gem::WebauthnListener.stub(:wait_for_otp_code, raise_error) do
+          util_sign_in(proc do
+            @call_count ||= 0
+            if (@call_count += 1).odd?
+              HTTPResponseFactory.create(body: response_fail, code: 401, msg: "Unauthorized")
+            else
+              HTTPResponseFactory.create(body: api_key, code: 200, msg: "OK")
+            end
+          end, nil, [], "", webauthn_verification_url)
+        end
+      ensure
+        server.close
+      end
+    end
+    assert_equal 1, error.exit_code
+
+    url_with_port = "#{webauthn_verification_url}?port=#{port}"
+    assert_match "You have enabled multi-factor authentication. Please visit #{url_with_port} to authenticate via security device. If you can't verify using WebAuthn but have OTP enabled, you can re-run the gem signin command with the `--otp [your_code]` option.", @sign_in_ui.output
+    assert_match "ERROR:  Security device verification failed: Something went wrong", @sign_in_ui.error
+    refute_match "You are verified with a security device. You may close the browser window.", @sign_in_ui.output
+    refute_match "Signed in with API key:", @sign_in_ui.output
+  end
+
+  def util_sign_in(response, host = nil, args = [], extra_input = "", webauthn_url = nil)
+    email             = "you@example.com"
+    password          = "secret"
+    profile_response  = HTTPResponseFactory.create(body: "mfa: disabled\n", code: 200, msg: "OK")
+    webauthn_response =
+      if webauthn_url
+        HTTPResponseFactory.create(body: webauthn_url, code: 200, msg: "OK")
+      else
+        HTTPResponseFactory.create(body: "You don't have any security devices", code: 422, msg: "Unprocessable Entity")
+      end
 
     if host
       ENV["RUBYGEMS_HOST"] = host
@@ -244,6 +311,7 @@ class TestGemGemcutterUtilities < Gem::TestCase
     @fetcher = Gem::FakeFetcher.new
     @fetcher.data["#{host}/api/v1/api_key"] = response
     @fetcher.data["#{host}/api/v1/profile/me.yaml"] = profile_response
+    @fetcher.data["#{host}/api/v1/webauthn_verification"] = webauthn_response
     Gem::RemoteFetcher.fetcher = @fetcher
 
     @sign_in_ui = Gem::MockGemUi.new("#{email}\n#{password}\n\n\n\n\n\n\n\n\n" + extra_input)

data/test/rubygems/test_gem_installer.rb

@@ -766,7 +766,7 @@ gem 'other', version
   def test_generate_plugins
     installer = util_setup_installer do |spec|
       write_file File.join(@tempdir, "lib", "rubygems_plugin.rb") do |io|
-        io.write "puts __FILE__"
+        io.write "# do nothing"
       end
 
       spec.files += %w[lib/rubygems_plugin.rb]
@@ -853,11 +853,59 @@ gem 'other', version
     refute_includes File.read(build_root_path), build_root
   end
 
+  class << self
+    attr_accessor :plugin_loaded
+    attr_accessor :post_install_is_called
+  end
+
+  def test_use_plugin_immediately
+    self.class.plugin_loaded = false
+    self.class.post_install_is_called = false
+    spec_version = nil
+    plugin_path = nil
+    installer = util_setup_installer do |spec|
+      spec_version = spec.version
+      plugin_path = File.join("lib", "rubygems_plugin.rb")
+      write_file File.join(@tempdir, plugin_path) do |io|
+        io.write <<-PLUGIN
+#{self.class}.plugin_loaded = true
+Gem.post_install do
+  #{self.class}.post_install_is_called = true
+end
+        PLUGIN
+      end
+      spec.files += [plugin_path]
+      plugin_path = File.join(spec.gem_dir, plugin_path)
+    end
+    build_rake_in do
+      installer.install
+    end
+    assert self.class.plugin_loaded, "plugin is not loaded"
+    assert self.class.post_install_is_called,
+           "post install hook registered by plugin is not called"
+
+    self.class.plugin_loaded = false
+    $LOADED_FEATURES.delete(plugin_path)
+    installer_new = util_setup_installer do |spec_new|
+      spec_new.version = spec_version.version.succ
+      plugin_path = File.join("lib", "rubygems_plugin.rb")
+      write_file File.join(@tempdir, plugin_path) do |io|
+        io.write "#{self.class}.plugin_loaded = true"
+      end
+      spec_new.files += [plugin_path]
+    end
+    build_rake_in do
+      installer_new.install
+    end
+    assert !self.class.plugin_loaded,
+           "plugin is loaded even when old version is already loaded"
+  end
+
   def test_keeps_plugins_up_to_date
     # NOTE: version a-2 is already installed by setup hooks
 
     write_file File.join(@tempdir, "lib", "rubygems_plugin.rb") do |io|
-      io.write "puts __FILE__"
+      io.write "# do nothing"
     end
 
     build_rake_in do

data/test/rubygems/test_gem_uninstaller.rb

@@ -172,7 +172,7 @@ class TestGemUninstaller < Gem::InstallerTestCase
 
   def test_remove_plugins
     write_file File.join(@tempdir, "lib", "rubygems_plugin.rb") do |io|
-      io.write "puts __FILE__"
+      io.write "# do nothing"
     end
 
     @spec.files += %w[lib/rubygems_plugin.rb]
@@ -189,7 +189,7 @@ class TestGemUninstaller < Gem::InstallerTestCase
 
   def test_remove_plugins_with_install_dir
     write_file File.join(@tempdir, "lib", "rubygems_plugin.rb") do |io|
-      io.write "puts __FILE__"
+      io.write "# do nothing"
     end
 
     @spec.files += %w[lib/rubygems_plugin.rb]
@@ -207,7 +207,7 @@ class TestGemUninstaller < Gem::InstallerTestCase
 
   def test_regenerate_plugins_for
     write_file File.join(@tempdir, "lib", "rubygems_plugin.rb") do |io|
-      io.write "puts __FILE__"
+      io.write "# do nothing"
     end
 
     @spec.files += %w[lib/rubygems_plugin.rb]
@@ -634,7 +634,7 @@ create_makefile '#{@spec.name}'
 
   def test_uninstall_keeps_plugins_up_to_date
     write_file File.join(@tempdir, "lib", "rubygems_plugin.rb") do |io|
-      io.write "puts __FILE__"
+      io.write "# do nothing"
     end
 
     plugin_path = File.join Gem.plugindir, "a_plugin.rb"

data/test/rubygems/test_kernel.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 require_relative "helper"
 
-class TestKernel < Gem::TestCase
+class TestGemKernel < Gem::TestCase
   def setup
     super
 

data/test/rubygems/test_project_sanity.rb

@@ -3,13 +3,36 @@
 require_relative "helper"
 require "open3"
 
-class TestProjectSanity < Gem::TestCase
+class TestGemProjectSanity < Gem::TestCase
+  def setup
+  end
+
+  def teardown
+  end
+
   def test_manifest_is_up_to_date
-    pend unless File.exist?(File.expand_path("../../Rakefile", __dir__))
+    pend unless File.exist?("#{root}/Rakefile")
 
     _, status = Open3.capture2e("rake check_manifest")
 
-    assert status.success?, "Expected Manifest.txt to be up to date, but it's not. Run `rake update_manifest` to sync it."
+    unless status.success?
+      original_contents = File.read("#{root}/Manifest.txt")
+
+      # Update the manifest to see if it fixes the problem
+      Open3.capture2e("rake update_manifest")
+
+      out, status = Open3.capture2e("rake check_manifest")
+
+      # If `rake update_manifest` fixed the problem, that was the original
+      # issue, otherwise it was an unknown error, so print the error output
+      if status.success?
+        File.write("#{root}/Manifest.txt", original_contents)
+
+        raise "Expected Manifest.txt to be up to date, but it's not. Run `rake update_manifest` to sync it."
+      else
+        raise "There was an error running `rake check_manifest`: #{out}"
+      end
+    end
   end
 
   def test_require_rubygems_package
@@ -17,4 +40,10 @@ class TestProjectSanity < Gem::TestCase
 
     assert status.success?, err
   end
+
+  private
+
+  def root
+    File.expand_path("../..", __dir__)
+  end
 end

data/test/rubygems/test_remote_fetch_error.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 require_relative "helper"
 
-class TestRemoteFetchError < Gem::TestCase
+class TestGemRemoteFetchError < Gem::TestCase
   def test_password_redacted
     error = Gem::RemoteFetcher::FetchError.new("There was an error fetching", "https://user:secret@gemsource.org")
     refute_match %r{secret}, error.to_s

data/test/rubygems/test_webauthn_listener.rb

@@ -0,0 +1,120 @@
+# frozen_string_literal: true
+
+require_relative "helper"
+require "rubygems/webauthn_listener"
+
+class WebauthnListenerTest < Gem::TestCase
+  def setup
+    super
+    @server = TCPServer.new 0
+    @port = @server.addr[1].to_s
+  end
+
+  def test_wait_for_otp_code_get_follows_options
+    wait_for_otp_code
+    assert Gem::MockBrowser.options(URI("http://localhost:#{@port}?code=xyz")).is_a? Net::HTTPNoContent
+    assert Gem::MockBrowser.get(URI("http://localhost:#{@port}?code=xyz")).is_a? Net::HTTPOK
+  end
+
+  def test_wait_for_otp_code_options_request
+    wait_for_otp_code
+    response = Gem::MockBrowser.options URI("http://localhost:#{@port}?code=xyz")
+
+    assert response.is_a? Net::HTTPNoContent
+    assert_equal Gem.host, response["access-control-allow-origin"]
+    assert_equal "POST", response["access-control-allow-methods"]
+    assert_equal "Content-Type, Authorization, x-csrf-token", response["access-control-allow-headers"]
+    assert_equal "close", response["Connection"]
+  end
+
+  def test_wait_for_otp_code_get_request
+    wait_for_otp_code
+    response = Gem::MockBrowser.get URI("http://localhost:#{@port}?code=xyz")
+
+    assert response.is_a? Net::HTTPOK
+    assert_equal "text/plain", response["Content-Type"]
+    assert_equal "7", response["Content-Length"]
+    assert_equal Gem.host, response["access-control-allow-origin"]
+    assert_equal "POST", response["access-control-allow-methods"]
+    assert_equal "Content-Type, Authorization, x-csrf-token", response["access-control-allow-headers"]
+    assert_equal "close", response["Connection"]
+    assert_equal "success", response.body
+
+    @thread.join
+    assert_equal "xyz", @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_invalid_post_req_method
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Invalid HTTP method POST received.")
+    response = Gem::MockBrowser.post URI("http://localhost:#{@port}?code=xyz")
+
+    assert response
+    assert response.is_a? Net::HTTPMethodNotAllowed
+    assert_equal "GET, OPTIONS", response["allow"]
+    assert_equal "close", response["Connection"]
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_incorrect_path
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Page at /path not found.")
+    response = Gem::MockBrowser.post URI("http://localhost:#{@port}/path?code=xyz")
+
+    assert response.is_a? Net::HTTPNotFound
+    assert_equal "close", response["Connection"]
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_no_params_response
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Did not receive OTP from https://rubygems.org.")
+    response = Gem::MockBrowser.get URI("http://localhost:#{@port}")
+
+    assert response.is_a? Net::HTTPBadRequest
+    assert_equal "text/plain", response["Content-Type"]
+    assert_equal "22", response["Content-Length"]
+    assert_equal "close", response["Connection"]
+    assert_equal "missing code parameter", response.body
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  def test_wait_for_otp_code_incorrect_params
+    wait_for_otp_code_expect_error_with_message("Security device verification failed: Did not receive OTP from https://rubygems.org.")
+    response = Gem::MockBrowser.get URI("http://localhost:#{@port}?param=xyz")
+
+    assert response.is_a? Net::HTTPBadRequest
+    assert_equal "text/plain", response["Content-Type"]
+    assert_equal "22", response["Content-Length"]
+    assert_equal "close", response["Connection"]
+    assert_equal "missing code parameter", response.body
+
+    @thread.join
+    assert_nil @thread[:otp]
+  end
+
+  private
+
+  def wait_for_otp_code
+    @thread = Thread.new do
+      Thread.current[:otp] = Gem::WebauthnListener.wait_for_otp_code(Gem.host, @server)
+    end
+    @thread.abort_on_exception = true
+    @thread.report_on_exception = false
+  end
+
+  def wait_for_otp_code_expect_error_with_message(message)
+    @thread = Thread.new do
+      error = assert_raise Gem::WebauthnVerificationError do
+        Thread.current[:otp] = Gem::WebauthnListener.wait_for_otp_code(Gem.host, @server)
+      end
+
+      assert_equal message, error.message
+    end
+    @thread.abort_on_exception = true
+    @thread.report_on_exception = false
+  end
+end

data/test/rubygems/test_webauthn_listener_response.rb

@@ -0,0 +1,93 @@
+# frozen_string_literal: true
+
+require_relative "helper"
+require "rubygems/webauthn_listener/response"
+
+class WebauthnListenerResponseTest < Gem::TestCase
+  def setup
+    super
+    @host = "rubygems.example"
+  end
+
+  def test_ok_response_to_s
+    to_s = Gem::WebauthnListener::OkResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 200 OK\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      content-type: text/plain\r
+      content-length: 7\r
+      \r
+      success
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_no_to_s_response_to_s
+    to_s = Gem::WebauthnListener::NoContentResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 204 No Content\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      \r
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_method_not_allowed_response_to_s
+    to_s = Gem::WebauthnListener::MethodNotAllowedResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 405 Method Not Allowed\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      allow: GET, OPTIONS\r
+      \r
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_method_not_found_response_to_s
+    to_s = Gem::WebauthnListener::NotFoundResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 404 Not Found\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      \r
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+
+  def test_bad_request_response_to_s
+    to_s = Gem::WebauthnListener::BadRequestResponse.new(@host).to_s
+
+    expected_to_s = <<~RESPONSE
+      HTTP/1.1 400 Bad Request\r
+      connection: close\r
+      access-control-allow-origin: rubygems.example\r
+      access-control-allow-methods: POST\r
+      access-control-allow-headers: Content-Type, Authorization, x-csrf-token\r
+      content-type: text/plain\r
+      content-length: 22\r
+      \r
+      missing code parameter
+    RESPONSE
+
+    assert_equal expected_to_s, to_s
+  end
+end