authordrbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2012-04-19 23:07:48 +0000
committerdrbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e>2012-04-19 23:07:48 +0000
commit064bf602e0f42a925f470c219962e3a430bc5ca8 (patch)
tree908b5285fcb003da1dafd069cb6f174d203c9205 /test/rubygems/test_gem_remote_fetcher.rb
parent83ed985182c5bbaba2c2a3c32bf1a4ecb6c0edde (diff)
downloadruby-064bf602e0f42a925f470c219962e3a430bc5ca8.tar.gz
* lib/rubygems: Update to RubyGems 1.8.23 which contains security
fixes: RubyGems now disallows redirection from HTTPS to HTTP. RubyGems now verifies SSL connections. See https://github.com/rubygems/rubygems/blob/1.8/History.txt for changes since 1.8.22. * test/rubygems: ditto. git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35404 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/rubygems/test_gem_remote_fetcher.rb')
-rw-r--r--test/rubygems/test_gem_remote_fetcher.rb101
1 files changed, 101 insertions, 0 deletions
diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb
index 3bdba5e072..6d370cfe3d 100644
--- a/test/rubygems/test_gem_remote_fetcher.rb
+++ b/test/rubygems/test_gem_remote_fetcher.rb
@@ -1,6 +1,7 @@
require 'rubygems/test_case'
require 'ostruct'
require 'webrick'
+require 'webrick/https'
require 'rubygems/remote_fetcher'
require 'rubygems/format'
@@ -73,6 +74,8 @@ gems:
PROXY_PORT = process_based_port + 100 + $1.to_i * 100 + $2.to_i * 10 + $3.to_i
SERVER_PORT = process_based_port + 200 + $1.to_i * 100 + $2.to_i * 10 + $3.to_i
+ DIR = File.expand_path(File.dirname(__FILE__))
+
def setup
super
self.class.start_servers
@@ -740,6 +743,53 @@ gems:
end
end
+ def test_ssl_connection
+ ssl_server = self.class.start_ssl_server
+ temp_ca_cert = File.join(DIR, 'ca_cert.pem')
+ with_configured_fetcher(":ssl_ca_cert: #{temp_ca_cert}") do |fetcher|
+ fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
+ end
+ end
+
+ def test_do_not_allow_insecure_ssl_connection_by_default
+ ssl_server = self.class.start_ssl_server
+ with_configured_fetcher do |fetcher|
+ assert_raises Gem::RemoteFetcher::FetchError do
+ fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
+ end
+ end
+ end
+
+ def test_ssl_connection_allow_verify_none
+ ssl_server = self.class.start_ssl_server
+ with_configured_fetcher(":ssl_verify_mode: 0") do |fetcher|
+ fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml")
+ end
+ end
+
+ def test_do_not_follow_insecure_redirect
+ ssl_server = self.class.start_ssl_server
+ temp_ca_cert = File.join(DIR, 'ca_cert.pem'),
+ with_configured_fetcher(":ssl_ca_cert: #{temp_ca_cert}") do |fetcher|
+ assert_raises Gem::RemoteFetcher::FetchError do
+ fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/insecure_redirect?to=#{@server_uri}")
+ end
+ end
+ end
+
+ def with_configured_fetcher(config_str = nil, &block)
+ if config_str
+ temp_conf = File.join @tempdir, '.gemrc'
+ File.open temp_conf, 'w' do |fp|
+ fp.puts config_str
+ end
+ Gem.configuration = Gem::ConfigFile.new %W[--config-file #{temp_conf}]
+ end
+ yield Gem::RemoteFetcher.new
+ ensure
+ Gem.configuration = nil
+ end
+
def util_stub_connection_for hash
def @fetcher.connection= conn
@conn = conn
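Review bot: In `test_do_not_follow_insecure_redirect` the line `temp_ca_cert = File.join(DIR, 'ca_cert.pem'),` ends with a comma, so Ruby reads it together with the following `with_configured_fetcher` call as one multiple-value assignment, and `temp_ca_cert` is still nil when the config string is interpolated. The fetcher is then configured with an empty `:ssl_ca_cert:`, so the expected `FetchError` is most likely raised by certificate verification rather than by the HTTPS-to-HTTP redirect check, and the test would keep passing if the redirect protection regressed. Drop the trailing comma (`temp_ca_cert = File.join(DIR, 'ca_cert.pem')`) and consider also asserting on the error message so the failure is pinned to the redirect. The enclosing test class starts outside this hunk and `util_stub_connection_for` continues past it.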
@@ -802,6 +852,49 @@ gems:
@enable_zip = false
end
+ DIR = File.expand_path(File.dirname(__FILE__))
+ DH_PARAM = OpenSSL::PKey::DH.new(128)
+
+ def start_ssl_server(config = {})
+ null_logger = NilLog.new
+ server = WEBrick::HTTPServer.new({
+ :Port => 0,
+ :Logger => null_logger,
+ :AccessLog => [],
+ :SSLEnable => true,
+ :SSLCACertificateFile => File.join(DIR, 'ca_cert.pem'),
+ :SSLCertificate => cert('ssl_cert.pem'),
+ :SSLPrivateKey => key('ssl_key.pem'),
+ :SSLVerifyClient => nil,
+ :SSLCertName => nil
+ }.merge(config))
+ server.mount_proc("/yaml") { |req, res|
+ res.body = "--- true\n"
+ }
+ server.mount_proc("/insecure_redirect") { |req, res|
+ res.set_redirect(WEBrick::HTTPStatus::MovedPermanently, req.query['to'])
+ }
+ server.ssl_context.tmp_dh_callback = proc { DH_PARAM }
+ t = Thread.new do
+ begin
+ server.start
+ rescue Exception => ex
+ abort ex.message
+ puts "ERROR during server thread: #{ex.message}"
+ end
+ end
+ while server.status != :Running
+ sleep 0.1
+ unless t.alive?
+ t.join
+ raise
+ end
+ end
+ server
+ end
+
+
+
private
def start_server(port, data)
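Review bot: The server thread's rescue in `start_ssl_server` calls `abort ex.message` before `puts "ERROR during server thread: ..."`, so the `puts` is never reached and a startup failure ends the whole test run from a background thread; `rescue Exception` also catches more than is needed here. The bare `raise` in the wait loop has no active exception, so it surfaces as a RuntimeError with no context. I would rescue `StandardError`, drop the `abort`, and replace the bare raise with `raise "SSL test server failed to start"`. Separately, `DH_PARAM = OpenSSL::PKey::DH.new(128)` is a very small group even for a fixture and newer OpenSSL builds may refuse it, so a comment such as `# test-only DH parameters, never use this size outside the test suite` or a larger size would help. `start_server` continues outside the hunk.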
@@ -844,6 +937,14 @@ gems:
end
sleep 0.2 # Give the servers time to startup
end
+
+ def cert(filename)
+ OpenSSL::X509::Certificate.new(File.read(File.join(DIR, filename)))
+ end
+
+ def key(filename)
+ OpenSSL::PKey::RSA.new(File.read(File.join(DIR, filename)))
+ end
end
def test_correct_for_windows_path