Diffstat (limited to 'lib/rubygems/security')
-rw-r--r-- | lib/rubygems/security/policies.rb | 75 | ||||
-rw-r--r-- | lib/rubygems/security/policy.rb | 19 | ||||
-rw-r--r-- | lib/rubygems/security/signer.rb | 15 | ||||
-rw-r--r-- | lib/rubygems/security/trust_dir.rb | 21 |
4 files changed, 67 insertions, 63 deletions
diff --git a/lib/rubygems/security/policies.rb b/lib/rubygems/security/policies.rb index d28005223e..41f66043ad 100644 --- a/lib/rubygems/security/policies.rb +++ b/lib/rubygems/security/policies.rb @@ -1,17 +1,17 @@ # frozen_string_literal: true -module Gem::Security +module Gem::Security ## # No security policy: all package signature checks are disabled. NoSecurity = Policy.new( "No Security", - :verify_data => false, - :verify_signer => false, - :verify_chain => false, - :verify_root => false, - :only_trusted => false, - :only_signed => false + verify_data: false, + verify_signer: false, + verify_chain: false, + verify_root: false, + only_trusted: false, + only_signed: false ) ## @@ -24,12 +24,12 @@ module Gem::Security AlmostNoSecurity = Policy.new( "Almost No Security", - :verify_data => true, - :verify_signer => false, - :verify_chain => false, - :verify_root => false, - :only_trusted => false, - :only_signed => false + verify_data: true, + verify_signer: false, + verify_chain: false, + verify_root: false, + only_trusted: false, + only_signed: false ) ## @@ -41,12 +41,12 @@ module Gem::Security LowSecurity = Policy.new( "Low Security", - :verify_data => true, - :verify_signer => true, - :verify_chain => false, - :verify_root => false, - :only_trusted => false, - :only_signed => false + verify_data: true, + verify_signer: true, + verify_chain: false, + verify_root: false, + only_trusted: false, + only_signed: false ) ## @@ -60,12 +60,12 @@ module Gem::Security MediumSecurity = Policy.new( "Medium Security", - :verify_data => true, - :verify_signer => true, - :verify_chain => true, - :verify_root => true, - :only_trusted => true, - :only_signed => false + verify_data: true, + verify_signer: true, + verify_chain: true, + verify_root: true, + only_trusted: true, + only_signed: false ) ## 
@@ -79,12 +79,12 @@ module Gem::Security HighSecurity = Policy.new( "High Security", - :verify_data => true, - :verify_signer => true, - :verify_chain => true, - :verify_root => true, - :only_trusted => true, - :only_signed => true + verify_data: true, + verify_signer: true, + verify_chain: true, + verify_root: true, + only_trusted: true, + only_signed: true ) ## @@ -92,12 +92,12 @@ module Gem::Security SigningPolicy = Policy.new( "Signing Policy", - :verify_data => false, - :verify_signer => true, - :verify_chain => true, - :verify_root => true, - :only_trusted => false, - :only_signed => false + verify_data: false, + verify_signer: true, + verify_chain: true, + verify_root: true, + only_trusted: false, + only_signed: false ) ## @@ -111,5 +111,4 @@ module Gem::Security "HighSecurity" => HighSecurity, # SigningPolicy is not intended for use by `gem -P` so do not list it }.freeze - end diff --git a/lib/rubygems/security/policy.rb b/lib/rubygems/security/policy.rb index 959880ddc1..7b86ac5763 100644 --- a/lib/rubygems/security/policy.rb +++ b/lib/rubygems/security/policy.rb @@ -1,4 +1,5 @@ # frozen_string_literal: true + require_relative "../user_interaction" ## @@ -134,7 +135,7 @@ class Gem::Security::Policy raise Gem::Security::Exception, "missing root certificate" unless root raise Gem::Security::Exception, - "root certificate #{root.subject} is not self-signed " + + "root certificate #{root.subject} is not self-signed " \ "(issuer #{root.issuer})" if root.issuer != root.subject @@ -170,7 +171,7 @@ class Gem::Security::Policy cert_dgst = digester.digest pkey_str raise Gem::Security::Exception, - "trusted root certificate #{root.subject} checksum " + + "trusted root certificate #{root.subject} checksum " \ "does not match signing root certificate checksum" unless save_dgst == cert_dgst 
@@ -191,11 +192,8 @@ class Gem::Security::Policy end def inspect # :nodoc: - ("[Policy: %s - data: %p signer: %p chain: %p root: %p " + - "signed-only: %p trusted-only: %p]") % [ - @name, @verify_chain, @verify_data, @verify_root, @verify_signer, - @only_signed, @only_trusted - ] + format("[Policy: %s - data: %p signer: %p chain: %p root: %p " \ + "signed-only: %p trusted-only: %p]", @name, @verify_chain, @verify_data, @verify_root, @verify_signer, @only_signed, @only_trusted) end ## @@ -205,8 +203,7 @@ class Gem::Security::Policy # # If +key+ is given it is used to validate the signing certificate. - def verify(chain, key = nil, digests = {}, signatures = {}, - full_name = "(unknown)") + def verify(chain, key = nil, digests = {}, signatures = {}, full_name = "(unknown)") if signatures.empty? if @only_signed raise Gem::Security::Exception, @@ -225,7 +222,7 @@ class Gem::Security::Policy trust_dir = opt[:trust_dir] time = Time.now - _, signer_digests = digests.find do |algorithm, file_digests| + _, signer_digests = digests.find do |_algorithm, file_digests| file_digests.values.first.name == Gem::Security::DIGEST_NAME end @@ -287,5 +284,5 @@ class Gem::Security::Policy true end - alias to_s name # :nodoc: + alias_method :to_s, :name # :nodoc: end diff --git a/lib/rubygems/security/signer.rb b/lib/rubygems/security/signer.rb index cca82f1cf8..5732fb57fd 100644 --- a/lib/rubygems/security/signer.rb +++ b/lib/rubygems/security/signer.rb @@ -1,4 +1,5 @@ # frozen_string_literal: true + ## # Basic OpenSSL-based package signing class. @@ -105,7 +106,7 @@ class Gem::Security::Signer # this value is preferred, otherwise the subject is used. def extract_name(cert) # :nodoc: - subject_alt_name = cert.extensions.find {|e| "subjectAltName" == e.oid } + subject_alt_name = cert.extensions.find {|e| e.oid == "subjectAltName" } if subject_alt_name /\Aemail:/ =~ subject_alt_name.value # rubocop:disable Performance/StartWith 
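Review bot: In `inspect` (policy.rb, hunk at -191,11) the arguments do not line up with the labels in the format string: `data:` prints `@verify_chain`, `signer:` prints `@verify_data`, `chain:` prints `@verify_root` and `root:` prints `@verify_signer`. The mismatch is on the removed lines as well, so the switch to `format` carries it over unchanged, and a policy shown in a log or debugger reports the wrong checks as enabled. Pass the values in label order, `@name, @verify_data, @verify_signer, @verify_chain, @verify_root, @only_signed, @only_trusted`, and wrap the call so the argument list does not sit on one very long line.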
@@ -174,10 +175,18 @@ class Gem::Security::Signer old_cert = @cert_chain.last disk_cert_path = File.join(Gem.default_cert_path) - disk_cert = File.read(disk_cert_path) rescue nil + disk_cert = begin + File.read(disk_cert_path) + rescue StandardError + nil + end disk_key_path = File.join(Gem.default_key_path) - disk_key = OpenSSL::PKey.read(File.read(disk_key_path), @passphrase) rescue nil + disk_key = begin + OpenSSL::PKey.read(File.read(disk_key_path), @passphrase) + rescue StandardError + nil + end return unless disk_key diff --git a/lib/rubygems/security/trust_dir.rb b/lib/rubygems/security/trust_dir.rb index df59680d84..d23d161cfe 100644 --- a/lib/rubygems/security/trust_dir.rb +++ b/lib/rubygems/security/trust_dir.rb @@ -1,4 +1,5 @@ # frozen_string_literal: true + ## # The TrustDir manages the trusted certificates for gem signature # verification. @@ -8,8 +9,8 @@ class Gem::Security::TrustDir # Default permissions for the trust directory and its contents DEFAULT_PERMISSIONS = { - :trust_dir => 0700, - :trusted_cert => 0600, + trust_dir: 0o700, + trusted_cert: 0o600, }.freeze ## @@ -44,13 +45,11 @@ class Gem::Security::TrustDir glob = File.join @dir, "*.pem" Dir[glob].each do |certificate_file| - begin - certificate = load_certificate certificate_file + certificate = load_certificate certificate_file - yield certificate, certificate_file - rescue OpenSSL::X509::CertificateError - next # HACK warn - end + yield certificate, certificate_file + rescue OpenSSL::X509::CertificateError + next # HACK: warn end end @@ -92,7 +91,7 @@ class Gem::Security::TrustDir destination = cert_path certificate - File.open destination, "wb", 0600 do |io| + File.open destination, "wb", 0o600 do |io| io.write certificate.to_pem io.chmod(@permissions[:trusted_cert]) end 
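Review bot: In signer.rb (hunk at -174,10) the expanded `rescue StandardError` blocks still turn every failure into `nil`, so a missing file, an unreadable key and a wrong passphrase are indistinguishable, and the `return unless disk_key` that follows exits without saying why. For the certificate read, consider narrowing to `rescue SystemCallError`. For the key, at least document the intent with a comment such as `# best effort: any read or parse failure means there is no usable key on disk`. The enclosing method starts and ends outside the hunk, so how callers react to the silent return is not visible here.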
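Review bot: In trust_dir.rb (hunk at -44,13) the block-level `rescue OpenSSL::X509::CertificateError` covers the `yield` as well as `load_certificate`, so a CertificateError raised by the caller's block is swallowed along with unparsable files, and neither case is reported (the `# HACK: warn` is still unimplemented). If that is not intended, scope the rescue to the load so that skipped trust-store entries stay separate from caller errors. `rescue` directly inside a `do ... end` block also needs Ruby 2.5 or later, which is worth checking against the supported versions. The enclosing method starts outside the hunk.

```ruby
Dir[glob].each do |certificate_file|
  certificate = begin
    load_certificate certificate_file
  rescue OpenSSL::X509::CertificateError
    next # HACK: warn
  end

  yield certificate, certificate_file
end
```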
@@ -110,9 +109,9 @@ class Gem::Security::TrustDir "trust directory #{@dir} is not a directory" unless File.directory? @dir - FileUtils.chmod 0700, @dir + FileUtils.chmod 0o700, @dir else - FileUtils.mkdir_p @dir, :mode => @permissions[:trust_dir] + FileUtils.mkdir_p @dir, mode: @permissions[:trust_dir] end end end |
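Review bot: The existing-directory branch hard-codes `FileUtils.chmod 0o700, @dir` while the create branch uses `@permissions[:trust_dir]`, so the configured mode appears to be honoured only when the directory is newly created. If always tightening an existing trust directory is intentional, a comment saying so would help; otherwise use `FileUtils.chmod @permissions[:trust_dir], @dir`. The -92,7 hunk has a similar literal in `File.open destination, "wb", 0o600`, but there the following `io.chmod(@permissions[:trusted_cert])` applies the configured mode. The enclosing method starts outside the hunk.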