rubygems-update 3.7.0 → 3.7.2

data/lib/rubygems/commands/sources_command.rb

@@ -18,6 +18,14 @@ class Gem::Commands::SourcesCommand < Gem::Command
       options[:add] = value
     end
 
+    add_option "--append SOURCE_URI", "Append source (can be used multiple times)" do |value, options|
+      options[:append] = value
+    end
+
+    add_option "-p", "--prepend SOURCE_URI", "Prepend source (can be used multiple times)" do |value, options|
+      options[:prepend] = value
+    end
+
     add_option "-l", "--list", "List sources" do |value, options|
       options[:list] = value
     end
@@ -26,8 +34,7 @@ class Gem::Commands::SourcesCommand < Gem::Command
       options[:remove] = value
     end
 
-    add_option "-c", "--clear-all",
-               "Remove all sources (clear the cache)" do |value, options|
+    add_option "-c", "--clear-all", "Remove all sources (clear the cache)" do |value, options|
       options[:clear_all] = value
     end
 
@@ -68,6 +75,60 @@ class Gem::Commands::SourcesCommand < Gem::Command
     end
   end
 
+  def append_source(source_uri) # :nodoc:
+    check_rubygems_https source_uri
+
+    source = Gem::Source.new source_uri
+
+    check_typo_squatting(source)
+
+    begin
+      source.load_specs :released
+      was_present = Gem.sources.include?(source)
+      Gem.sources.append source
+      Gem.configuration.write
+
+      if was_present
+        say "#{source_uri} moved to end of sources"
+      else
+        say "#{source_uri} added to sources"
+      end
+    rescue Gem::URI::Error, ArgumentError
+      say "#{source_uri} is not a URI"
+      terminate_interaction 1
+    rescue Gem::RemoteFetcher::FetchError => e
+      say "Error fetching #{Gem::Uri.redact(source.uri)}:\n\t#{e.message}"
+      terminate_interaction 1
+    end
+  end
+
+  def prepend_source(source_uri) # :nodoc:
+    check_rubygems_https source_uri
+
+    source = Gem::Source.new source_uri
+
+    check_typo_squatting(source)
+
+    begin
+      source.load_specs :released
+      was_present = Gem.sources.include?(source)
+      Gem.sources.prepend source
+      Gem.configuration.write
+
+      if was_present
+        say "#{source_uri} moved to top of sources"
+      else
+        say "#{source_uri} added to sources"
+      end
+    rescue Gem::URI::Error, ArgumentError
+      say "#{source_uri} is not a URI"
+      terminate_interaction 1
+    rescue Gem::RemoteFetcher::FetchError => e
+      say "Error fetching #{Gem::Uri.redact(source.uri)}:\n\t#{e.message}"
+      terminate_interaction 1
+    end
+  end
+
   def check_typo_squatting(source)
     if source.typo_squatting?("rubygems.org")
       question = <<-QUESTION.chomp
@@ -128,7 +189,7 @@ yourself to use your own gem server.
 Without any arguments the sources lists your currently configured sources:
 
   $ gem sources
-  *** CURRENT SOURCES ***
+  *** NO CONFIGURED SOURCES, DEFAULT SOURCES LISTED BELOW ***
 
   https://rubygems.org
 
@@ -147,33 +208,49 @@ Since all of these sources point to the same set of gems you only need one
 of them in your list.  https://rubygems.org is recommended as it brings the
 protections of an SSL connection to gem downloads.
 
-To add a source use the --add argument:
+To add a private gem source use the --prepend argument to insert it before
+the default source. This is usually the best place for private gem sources:
 
-    $ gem sources --add https://rubygems.org
-    https://rubygems.org added to sources
+    $ gem sources --prepend https://my.private.source
+    https://my.private.source added to sources
 
 RubyGems will check to see if gems can be installed from the source given
 before it is added.
 
+To add or move a source after all other sources, use --append:
+
+    $ gem sources --append https://rubygems.org
+    https://rubygems.org moved to end of sources
+
 To remove a source use the --remove argument:
 
-    $ gem sources --remove https://rubygems.org/
-    https://rubygems.org/ removed from sources
+    $ gem sources --remove https://my.private.source/
+    https://my.private.source/ removed from sources
 
     EOF
   end
 
   def list # :nodoc:
-    say "*** CURRENT SOURCES ***"
+    if configured_sources
+      header = "*** CURRENT SOURCES ***"
+      list = configured_sources
+    else
+      header = "*** NO CONFIGURED SOURCES, DEFAULT SOURCES LISTED BELOW ***"
+      list = Gem.sources
+    end
+
+    say header
     say
 
-    Gem.sources.each do |src|
+    list.each do |src|
       say src
     end
   end
 
   def list? # :nodoc:
     !(options[:add] ||
+      options[:prepend] ||
+      options[:append] ||
       options[:clear_all] ||
       options[:remove] ||
       options[:update])
@@ -182,11 +259,13 @@ To remove a source use the --remove argument:
   def execute
     clear_all if options[:clear_all]
 
-    source_uri = options[:add]
-    add_source source_uri if source_uri
+    add_source options[:add] if options[:add]
+
+    prepend_source options[:prepend] if options[:prepend]
+
+    append_source options[:append] if options[:append]
 
-    source_uri = options[:remove]
-    remove_source source_uri if source_uri
+    remove_source options[:remove] if options[:remove]
 
     update if options[:update]
 
@@ -194,13 +273,21 @@ To remove a source use the --remove argument:
   end
 
   def remove_source(source_uri) # :nodoc:
-    if Gem.sources.include? source_uri
-      Gem.sources.delete source_uri
+    source = Gem::Source.new source_uri
+
+    if configured_sources&.include? source
+      Gem.sources.delete source
       Gem.configuration.write
 
-      say "#{source_uri} removed from sources"
+      if default_sources.include?(source) && configured_sources.one?
+        alert_warning "Removing a default source when it is the only source has no effect. Add a different source to #{config_file_name} if you want to stop using it as a source."
+      else
+        say "#{source_uri} removed from sources"
+      end
+    elsif configured_sources
+      say "source #{source_uri} cannot be removed because it's not present in #{config_file_name}"
     else
-      say "source #{source_uri} not present in cache"
+      say "source #{source_uri} cannot be removed because there are no configured sources in #{config_file_name}"
     end
   end
 
@@ -224,4 +311,21 @@ To remove a source use the --remove argument:
       say "*** Unable to remove #{desc} source cache ***"
     end
   end
+
+  private
+
+  def default_sources
+    Gem::SourceList.from(Gem.default_sources)
+  end
+
+  def configured_sources
+    return @configured_sources if defined?(@configured_sources)
+
+    configuration_sources = Gem.configuration.sources
+    @configured_sources = Gem::SourceList.from(configuration_sources) if configuration_sources
+  end
+
+  def config_file_name
+    Gem.configuration.config_file_name
+  end
 end

data/lib/rubygems/defaults.rb

@@ -13,7 +13,7 @@ module Gem
   # An Array of the default sources that come with RubyGems
 
   def self.default_sources
-    %w[https://rubygems.org/]
+    @default_sources ||= %w[https://rubygems.org/]
   end
 
   ##

data/lib/rubygems/exceptions.rb

@@ -21,20 +21,11 @@ class Gem::UnknownCommandError < Gem::Exception
   end
 
   def self.attach_correctable
-    return if defined?(@attached)
+    return if method_defined?(:corrections)
 
-    if defined?(DidYouMean::SPELL_CHECKERS) && defined?(DidYouMean::Correctable)
-      if DidYouMean.respond_to?(:correct_error)
-        DidYouMean.correct_error(Gem::UnknownCommandError, Gem::UnknownCommandSpellChecker)
-      else
-        DidYouMean::SPELL_CHECKERS["Gem::UnknownCommandError"] =
-          Gem::UnknownCommandSpellChecker
-
-        prepend DidYouMean::Correctable
-      end
+    if defined?(DidYouMean) && DidYouMean.respond_to?(:correct_error)
+      DidYouMean.correct_error(Gem::UnknownCommandError, Gem::UnknownCommandSpellChecker)
     end
-
-    @attached = true
   end
 end
 

data/lib/rubygems/platform.rb

@@ -90,7 +90,7 @@ class Gem::Platform
     when String then
       cpu, os = arch.sub(/-+$/, "").split("-", 2)
 
-      @cpu = if cpu.match?(/i\d86/)
+      @cpu = if cpu&.match?(/i\d86/)
         "x86"
       else
         cpu

data/lib/rubygems/s3_uri_signer.rb

@@ -1,11 +1,14 @@
 # frozen_string_literal: true
 
 require_relative "openssl"
+require_relative "user_interaction"
 
 ##
 # S3URISigner implements AWS SigV4 for S3 Source to avoid a dependency on the aws-sdk-* gems
 # More on AWS SigV4: https://docs.aws.amazon.com/AmazonS3/latest/API/sig-v4-authenticating-requests.html
 class Gem::S3URISigner
+  include Gem::UserInteraction
+
   class ConfigurationError < Gem::Exception
     def initialize(message)
       super message
@@ -147,17 +150,40 @@ class Gem::S3URISigner
     require_relative "request/connection_pools"
     require "json"
 
-    iam_info = ec2_metadata_request(EC2_IAM_INFO)
+    # First try V2 fallback to V1
+    res = nil
+    begin
+      res = ec2_metadata_credentials_imds_v2
+    rescue InstanceProfileError
+      alert_warning "Unable to access ec2 credentials via IMDSv2, falling back to IMDSv1"
+      res = ec2_metadata_credentials_imds_v1
+    end
+    res
+  end
+
+  def ec2_metadata_credentials_imds_v2
+    token = ec2_metadata_token
+    iam_info = ec2_metadata_request(EC2_IAM_INFO, token:)
     # Expected format: arn:aws:iam::<id>:instance-profile/<role_name>
     role_name = iam_info["InstanceProfileArn"].split("/").last
-    ec2_metadata_request(EC2_IAM_SECURITY_CREDENTIALS + role_name)
+    ec2_metadata_request(EC2_IAM_SECURITY_CREDENTIALS + role_name, token:)
   end
 
-  def ec2_metadata_request(url)
-    uri = Gem::URI(url)
-    @request_pool ||= create_request_pool(uri)
-    request = Gem::Request.new(uri, Gem::Net::HTTP::Get, nil, @request_pool)
-    response = request.fetch
+  def ec2_metadata_credentials_imds_v1
+    iam_info = ec2_metadata_request(EC2_IAM_INFO, token: nil)
+    # Expected format: arn:aws:iam::<id>:instance-profile/<role_name>
+    role_name = iam_info["InstanceProfileArn"].split("/").last
+    ec2_metadata_request(EC2_IAM_SECURITY_CREDENTIALS + role_name, token: nil)
+  end
+
+  def ec2_metadata_request(url, token:)
+    request = ec2_iam_request(Gem::URI(url), Gem::Net::HTTP::Get)
+
+    response = request.fetch do |req|
+      if token
+        req.add_field "X-aws-ec2-metadata-token", token
+      end
+    end
 
     case response
     when Gem::Net::HTTPOK then
@@ -167,6 +193,26 @@ class Gem::S3URISigner
     end
   end
 
+  def ec2_metadata_token
+    request = ec2_iam_request(Gem::URI(EC2_IAM_TOKEN), Gem::Net::HTTP::Put)
+
+    response = request.fetch do |req|
+      req.add_field "X-aws-ec2-metadata-token-ttl-seconds", 60
+    end
+
+    case response
+    when Gem::Net::HTTPOK then
+      response.body
+    else
+      raise InstanceProfileError.new("Unable to fetch AWS metadata from #{uri}: #{response.message} #{response.code}")
+    end
+  end
+
+  def ec2_iam_request(uri, verb)
+    @request_pool ||= create_request_pool(uri)
+    Gem::Request.new(uri, verb, nil, @request_pool)
+  end
+
   def create_request_pool(uri)
     proxy_uri = Gem::Request.proxy_uri(Gem::Request.get_proxy_from_env(uri.scheme))
     certs = Gem::Request.get_cert_files
@@ -174,6 +220,7 @@ class Gem::S3URISigner
   end
 
   BASE64_URI_TRANSLATE = { "+" => "%2B", "/" => "%2F", "=" => "%3D", "\n" => "" }.freeze
+  EC2_IAM_TOKEN = "http://169.254.169.254/latest/api/token"
   EC2_IAM_INFO = "http://169.254.169.254/latest/meta-data/iam/info"
   EC2_IAM_SECURITY_CREDENTIALS = "http://169.254.169.254/latest/meta-data/iam/security-credentials/"
 end

data/lib/rubygems/source_list.rb

@@ -59,6 +59,42 @@ class Gem::SourceList
     src
   end
 
+  ##
+  # Prepends +obj+ to the beginning of the source list which may be a Gem::Source, Gem::URI or URI
+  # Moves +obj+ to the beginning of the list if already present.
+  # String.
+
+  def prepend(obj)
+    src = case obj
+          when Gem::Source
+            obj
+          else
+            Gem::Source.new(obj)
+    end
+
+    @sources.delete(src) if @sources.include?(src)
+    @sources.unshift(src)
+    src
+  end
+
+  ##
+  # Appends +obj+ to the end of the source list, moving it if already present.
+  # +obj+ may be a Gem::Source, Gem::URI or URI String.
+  # Moves +obj+ to the end of the list if already present.
+
+  def append(obj)
+    src = case obj
+          when Gem::Source
+            obj
+          else
+            Gem::Source.new(obj)
+    end
+
+    @sources.delete(src) if @sources.include?(src)
+    @sources << src
+    src
+  end
+
   ##
   # Replaces this SourceList with the sources in +other+  See #<< for
   # acceptable items in +other+.

data/lib/rubygems.rb

@@ -9,7 +9,7 @@
 require "rbconfig"
 
 module Gem
-  VERSION = "3.7.0"
+  VERSION = "3.7.2"
 end
 
 # Must be first since it unloads the prelude from 1.9.2
@@ -298,6 +298,13 @@ module Gem
     spec = find_and_activate_spec_for_exe name, exec_name, requirements
 
     if spec.name == "bundler"
+      # Old versions of Bundler need a workaround to support nested `bundle
+      # exec` invocations by overriding `Gem.activate_bin_path`. However,
+      # RubyGems now uses this new `Gem.activate_and_load_bin_path` helper in
+      # binstubs, which is of course not overridden in Bundler since it didn't
+      # exist at the time. So, include the override here to workaround that.
+      load ENV["BUNDLE_BIN_PATH"] if ENV["BUNDLE_BIN_PATH"] && spec.version <= "2.5.22"
+
       # Make sure there's no version of Bundler in `$LOAD_PATH` that's different
       # from the version we just activated. If that was the case (it happens
       # when testing Bundler from ruby/ruby), we would load Bundler extensions

data/rubygems-update.gemspec

@@ -2,7 +2,7 @@
 
 Gem::Specification.new do |s|
   s.name = "rubygems-update"
-  s.version = "3.7.0"
+  s.version = "3.7.2"
   s.authors = ["Jim Weirich", "Chad Fowler", "Eric Hodel", "Luis Lavena", "Aaron Patterson", "Samuel Giddins", "André Arko", "Evan Phoenix", "Hiroshi SHIBATA"]
   s.email = ["", "", "drbrain@segment7.net", "luislavena@gmail.com", "aaron@tenderlovemaking.com", "segiddins@segiddins.me", "andre@arko.net", "evan@phx.io", "hsbt@ruby-lang.org"]
 

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rubygems-update
 version: !ruby/object:Gem::Version
-  version: 3.7.0
+  version: 3.7.2
 platform: ruby
 authors:
 - Jim Weirich
@@ -731,7 +731,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.7.0
+rubygems_version: 3.7.2
 specification_version: 4
 summary: RubyGems is a package management framework for Ruby. This gem is downloaded
   and installed by `gem update --system`, so that the `gem` CLI can update itself.