diff options
author | drbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-04-19 23:07:48 +0000 |
---|---|---|
committer | drbrain <drbrain@b2dd03c8-39d4-4d8f-98ff-823fe69b080e> | 2012-04-19 23:07:48 +0000 |
commit | 064bf602e0f42a925f470c219962e3a430bc5ca8 (patch) | |
tree | 908b5285fcb003da1dafd069cb6f174d203c9205 /test/rubygems/test_gem_remote_fetcher.rb | |
parent | 83ed985182c5bbaba2c2a3c32bf1a4ecb6c0edde (diff) | |
download | ruby-064bf602e0f42a925f470c219962e3a430bc5ca8.tar.gz |
* lib/rubygems: Update to RubyGems 1.8.23 which contains security
fixes:
RubyGems now disallows redirection from HTTPS to HTTP.
RubyGems now verifies SSL connections.
See https://github.com/rubygems/rubygems/blob/1.8/History.txt for
changes since 1.8.22.
* test/rubygems: ditto.
git-svn-id: svn+ssh://ci.ruby-lang.org/ruby/trunk@35404 b2dd03c8-39d4-4d8f-98ff-823fe69b080e
Diffstat (limited to 'test/rubygems/test_gem_remote_fetcher.rb')
-rw-r--r-- | test/rubygems/test_gem_remote_fetcher.rb | 101 |
1 files changed, 101 insertions, 0 deletions
diff --git a/test/rubygems/test_gem_remote_fetcher.rb b/test/rubygems/test_gem_remote_fetcher.rb index 3bdba5e072..6d370cfe3d 100644 --- a/test/rubygems/test_gem_remote_fetcher.rb +++ b/test/rubygems/test_gem_remote_fetcher.rb @@ -1,6 +1,7 @@ require 'rubygems/test_case' require 'ostruct' require 'webrick' +require 'webrick/https' require 'rubygems/remote_fetcher' require 'rubygems/format' @@ -73,6 +74,8 @@ gems: PROXY_PORT = process_based_port + 100 + $1.to_i * 100 + $2.to_i * 10 + $3.to_i SERVER_PORT = process_based_port + 200 + $1.to_i * 100 + $2.to_i * 10 + $3.to_i + DIR = File.expand_path(File.dirname(__FILE__)) + def setup super self.class.start_servers @@ -740,6 +743,53 @@ gems: end end + def test_ssl_connection + ssl_server = self.class.start_ssl_server + temp_ca_cert = File.join(DIR, 'ca_cert.pem') + with_configured_fetcher(":ssl_ca_cert: #{temp_ca_cert}") do |fetcher| + fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml") + end + end + + def test_do_not_allow_insecure_ssl_connection_by_default + ssl_server = self.class.start_ssl_server + with_configured_fetcher do |fetcher| + assert_raises Gem::RemoteFetcher::FetchError do + fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml") + end + end + end + + def test_ssl_connection_allow_verify_none + ssl_server = self.class.start_ssl_server + with_configured_fetcher(":ssl_verify_mode: 0") do |fetcher| + fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/yaml") + end + end + + def test_do_not_follow_insecure_redirect + ssl_server = self.class.start_ssl_server + temp_ca_cert = File.join(DIR, 'ca_cert.pem'), + with_configured_fetcher(":ssl_ca_cert: #{temp_ca_cert}") do |fetcher| + assert_raises Gem::RemoteFetcher::FetchError do + fetcher.fetch_path("https://localhost:#{ssl_server.config[:Port]}/insecure_redirect?to=#{@server_uri}") + end + end + end + + def with_configured_fetcher(config_str = nil, &block) + if config_str + temp_conf = File.join @tempdir, '.gemrc' + File.open temp_conf, 'w' do |fp| + fp.puts config_str + end + Gem.configuration = Gem::ConfigFile.new %W[--config-file #{temp_conf}] + end + yield Gem::RemoteFetcher.new + ensure + Gem.configuration = nil + end + def util_stub_connection_for hash def @fetcher.connection= conn @conn = conn @@ -802,6 +852,49 @@ gems: @enable_zip = false end + DIR = File.expand_path(File.dirname(__FILE__)) + DH_PARAM = OpenSSL::PKey::DH.new(128) + + def start_ssl_server(config = {}) + null_logger = NilLog.new + server = WEBrick::HTTPServer.new({ + :Port => 0, + :Logger => null_logger, + :AccessLog => [], + :SSLEnable => true, + :SSLCACertificateFile => File.join(DIR, 'ca_cert.pem'), + :SSLCertificate => cert('ssl_cert.pem'), + :SSLPrivateKey => key('ssl_key.pem'), + :SSLVerifyClient => nil, + :SSLCertName => nil + }.merge(config)) + server.mount_proc("/yaml") { |req, res| + res.body = "--- true\n" + } + server.mount_proc("/insecure_redirect") { |req, res| + res.set_redirect(WEBrick::HTTPStatus::MovedPermanently, req.query['to']) + } + server.ssl_context.tmp_dh_callback = proc { DH_PARAM } + t = Thread.new do + begin + server.start + rescue Exception => ex + abort ex.message + puts "ERROR during server thread: #{ex.message}" + end + end + while server.status != :Running + sleep 0.1 + unless t.alive? + t.join + raise + end + end + server + end + + + private def start_server(port, data) @@ -844,6 +937,14 @@ gems: end sleep 0.2 # Give the servers time to startup end + + def cert(filename) + OpenSSL::X509::Certificate.new(File.read(File.join(DIR, filename))) + end + + def key(filename) + OpenSSL::PKey::RSA.new(File.read(File.join(DIR, filename))) + end end def test_correct_for_windows_path |