Fix handling for sources with basic auth.

Closes #3132.

3 files changed, 40 insertions, 4 deletions

diff --git a/lib/bundler/definition.rb b/lib/bundler/definition.rb
index f03e7e7f..ed522748 100644
--- a/lib/bundler/definition.rb
+++ b/lib/bundler/definition.rb
@@ -462,8 +462,19 @@ module Bundler
     def converge_sources
       changes = false
 
-      # Get the Rubygems source from the Gemfile.lock
-      locked_gem = @locked_sources.select { |s| s.kind_of?(Source::Rubygems) }
+      # Get the Rubygems sources from the Gemfile.lock
+      locked_gem_sources = @locked_sources.select { |s| s.kind_of?(Source::Rubygems) }
+      # Get the Rubygems sources from the Gemfile
+      actual_gem_sources = @sources.rubygems_sources
+
+      # If there is a Rubygems source in both
+      unless locked_gem_sources.empty? && actual_gem_sources.empty?
+        actual_remotes = actual_gem_sources.map(&:remotes).flatten.uniq
+        locked_gem_sources.each do |locked_gem|
+          # Merge the remotes from the Gemfile into the Gemfile.lock
+          changes = changes | locked_gem.replace_remotes(actual_remotes)
+        end
+      end
 
       # Replace the sources from the Gemfile with the sources from the Gemfile.lock,
       # if they exist in the Gemfile.lock and are `==`. If you can't find an equivalent
diff --git a/lib/bundler/source/rubygems.rb b/lib/bundler/source/rubygems.rb
index d31acdb9..f78d9f11 100644
--- a/lib/bundler/source/rubygems.rb
+++ b/lib/bundler/source/rubygems.rb
@@ -35,7 +35,7 @@ module Bundler
       end
 
       def eql?(o)
-        o.is_a?(Rubygems) && remotes == o.remotes
+        o.is_a?(Rubygems) && remotes_equal?(o.remotes)
       end
 
       alias == eql?
@@ -163,6 +163,15 @@ module Bundler
         @remotes.unshift(uri) unless @remotes.include?(uri)
       end
 
+      def replace_remotes(other_remotes)
+        return false if other_remotes == @remotes
+
+        @remotes = []
+        other_remotes.reverse_each do |r|
+          add_remote r.to_s
+        end
+      end
+
     protected
 
       def source_uris_for_spec(spec)
@@ -193,7 +202,7 @@ module Bundler
       end
 
       def suppress_configured_credentials(remote)
-        remote_nouser = remote.tap { |uri| uri.user = uri.password = nil }.to_s
+        remote_nouser = remote.dup.tap { |uri| uri.user = uri.password = nil }.to_s
         if remote.userinfo && remote.userinfo == Bundler.settings[remote_nouser]
           remote_nouser
         else
@@ -331,6 +340,10 @@ module Bundler
         # Ruby 2.0, where gemspecs are stored in specifications/default/
         spec.loaded_from && spec.loaded_from.include?("specifications/default/")
       end
+
+      def remotes_equal?(other_remotes)
+        remotes.map(&method(:suppress_configured_credentials)) == other_remotes.map(&method(:suppress_configured_credentials))
+      end
     end
   end
 end
diff --git a/spec/install/deploy_spec.rb b/spec/install/deploy_spec.rb
index fdfe64bf..c3ba3215 100644
--- a/spec/install/deploy_spec.rb
+++ b/spec/install/deploy_spec.rb
@@ -67,6 +67,18 @@ describe "install with --deployment or --frozen" do
     expect(exitstatus).to eq(0)
   end
 
+  it "works when there are credentials in the source URL" do
+    install_gemfile(<<-G, :artifice => "endpoint_strict_basic_authentication", :quiet => true)
+      source "http://user:pass@localgemserver.test/"
+
+      gem "rack-obama", ">= 1.0"
+    G
+
+    bundle "install --deployment", :exitstatus => true, :artifice => "endpoint_strict_basic_authentication"
+
+    expect(exitstatus).to eq(0)
+  end
+
   describe "with an existing lockfile" do
     before do
       bundle "install"