Diffstat (limited to 'spec/bundler/install/gemfile/sources_spec.rb')
-rw-r--r-- | spec/bundler/install/gemfile/sources_spec.rb | 192 |
1 files changed, 81 insertions, 111 deletions
diff --git a/spec/bundler/install/gemfile/sources_spec.rb b/spec/bundler/install/gemfile/sources_spec.rb index bc6929ef73..7572fad90b 100644 --- a/spec/bundler/install/gemfile/sources_spec.rb +++ b/spec/bundler/install/gemfile/sources_spec.rb @@ -28,15 +28,32 @@ RSpec.describe "bundle install with gems on multiple sources" do end it "refuses to install mismatched checksum because one gem has been tampered with", :bundler => "< 3" do + lockfile <<~L + GEM + remote: https://gem.repo3/ + remote: https://gem.repo1/ + specs: + rack (1.0.0) + + PLATFORMS + #{local_platform} + + DEPENDENCIES + depends_on_rack! + + BUNDLED WITH + #{Bundler::VERSION} + L + bundle :install, :artifice => "compact_index", :raise_on_error => false expect(exitstatus).to eq(37) expect(err).to eq <<~E.strip [DEPRECATED] Your Gemfile contains multiple global sources. Using `source` more than once without a block is a security risk, and may result in installing unexpected gems. To resolve this warning, use a block to indicate which gems should come from the secondary source. Bundler found mismatched checksums. This is a potential security risk. - #{checksum_for_repo_gem(gem_repo1, "rack", "1.0.0")} + #{checksum_to_lock(gem_repo1, "rack", "1.0.0")} from the API at https://gem.repo1/ - #{checksum_for_repo_gem(gem_repo3, "rack", "1.0.0")} + #{checksum_to_lock(gem_repo3, "rack", "1.0.0")} from the API at https://gem.repo3/ Mismatched checksums each have an authoritative source: @@ -129,7 +146,7 @@ RSpec.describe "bundle install with gems on multiple sources" do end it "works in standalone mode", :bundler => "< 3" do - gem_checksum = checksum_for_repo_gem(gem_repo4, "foo", "1.0").split(Bundler::Checksum::ALGO_SEPARATOR).last + gem_checksum = checksum_digest(gem_repo4, "foo", "1.0") bundle "install --standalone", :artifice => "compact_index", :env => { "BUNDLER_SPEC_FOO_CHECKSUM" => gem_checksum } end end 
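Review bot: The lockfile heredoc added at the top of the "refuses to install mismatched checksum because one gem has been tampered with" example carries no comment explaining why the example now needs a pre-existing lock, and the lock it writes lists `rack (1.0.0)` under both `https://gem.repo3/` and `https://gem.repo1/` with no CHECKSUMS section, so a reader cannot tell from the hunk whether the exit-37 path depends on the lock at all or only on the two APIs disagreeing. Presumably the pre-existing lock is what makes this install run in locked mode so the checksums from both remotes are collected and compared; if so, a one-line comment above the heredoc such as `# a pre-existing lockfile is required so install runs in locked mode and collects checksums from both remotes` would make the setup self-explaining. The `it` block opens inside the hunk but the surrounding `describe` context starts before it. The second hunk on this line (standalone mode) is a plain helper swap and needs nothing.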
@@ -314,9 +331,9 @@ RSpec.describe "bundle install with gems on multiple sources" do expect(err).to eq(<<~E.strip) [DEPRECATED] Your Gemfile contains multiple global sources. Using `source` more than once without a block is a security risk, and may result in installing unexpected gems. To resolve this warning, use a block to indicate which gems should come from the secondary source. Bundler found mismatched checksums. This is a potential security risk. - #{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")} + #{checksum_to_lock(gem_repo2, "rack", "1.0.0")} from the API at https://gem.repo2/ - #{checksum_for_repo_gem(gem_repo1, "rack", "1.0.0")} + #{checksum_to_lock(gem_repo1, "rack", "1.0.0")} from the API at https://gem.repo1/ Mismatched checksums each have an authoritative source: @@ -340,7 +357,7 @@ RSpec.describe "bundle install with gems on multiple sources" do rack (1.0.0) sha256=#{rack_checksum} from the API at https://gem.repo2/ and the API at https://gem.repo1/ - #{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")} + #{checksum_to_lock(gem_repo2, "rack", "1.0.0")} from the gem at #{default_bundle_path("cache", "rack-1.0.0.gem")} If you trust the API at https://gem.repo2/, to resolve this issue you can: 
@@ -354,15 +371,15 @@ RSpec.describe "bundle install with gems on multiple sources" do end it "installs from the other source and warns about ambiguous gems when the sources have the same checksum", :bundler => "< 3" do - gem_checksum = checksum_for_repo_gem(gem_repo2, "rack", "1.0.0").split(Bundler::Checksum::ALGO_SEPARATOR).last + gem_checksum = checksum_digest(gem_repo2, "rack", "1.0.0") bundle :install, :artifice => "compact_index", :env => { "BUNDLER_SPEC_RACK_CHECKSUM" => gem_checksum, "DEBUG" => "1" } expect(err).to include("Warning: the gem 'rack' was found in multiple sources.") expect(err).to include("Installed from: https://gem.repo2") - expected_checksums = checksum_section do |c| - c.repo_gem gem_repo3, "depends_on_rack", "1.0.1" - c.repo_gem gem_repo2, "rack", "1.0.0" + checksums = checksums_section_when_existing do |c| + c.checksum gem_repo3, "depends_on_rack", "1.0.1" + c.checksum gem_repo2, "rack", "1.0.0" end expect(lockfile).to eq <<~L @@ -383,10 +400,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES depends_on_rack! - - CHECKSUMS - #{expected_checksums} - + #{checksums} BUNDLED WITH #{Bundler::VERSION} L @@ -403,7 +417,7 @@ RSpec.describe "bundle install with gems on multiple sources" do expect(err).to include("Warning: the gem 'rack' was found in multiple sources.") expect(err).to include("Installed from: https://gem.repo2") - expected_checksums = checksum_section do |c| + checksums = checksums_section_when_existing do |c| c.no_checksum "depends_on_rack", "1.0.1" c.no_checksum "rack", "1.0.0" end @@ -426,10 +440,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES depends_on_rack! - - CHECKSUMS - #{expected_checksums} - + #{checksums} BUNDLED WITH #{Bundler::VERSION} L 
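Review bot: The `#{checksums}` line that now stands between `depends_on_rack!` and `BUNDLED WITH` silently depends on the helper's string form supplying the blank separator lines and the `CHECKSUMS` header itself, or collapsing to a single blank line when no section is expected, and nothing at the call site says so; the same pattern is repeated in the lockfile heredocs of the later hunks (the `#{@locked_checksums}` and `#{checksums}` lines through the `pdf-writer` examples). A short comment at the first use, e.g. `# renders as a blank line, then CHECKSUMS + entries, or as a lone blank line when the lock had no checksums`, would tell a future maintainer why the surrounding blank lines were removed from the heredoc; the exact format is inferred from the deleted lines, so confirm against the helper before writing it. The `expect(lockfile).to eq <<~L` heredoc opened in this hunk continues into the next one on the same line.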
@@ -772,6 +783,21 @@ RSpec.describe "bundle install with gems on multiple sources" do end G + @locked_checksums = checksums_section_when_existing do |c| + c.checksum gem_repo2, "activesupport", "6.0.3.4" + c.checksum gem_repo2, "concurrent-ruby", "1.1.8" + c.checksum gem_repo2, "connection_pool", "2.2.3" + c.checksum gem_repo2, "i18n", "1.8.9" + c.checksum gem_repo2, "minitest", "5.14.3" + c.checksum gem_repo2, "rack", "2.2.3" + c.checksum gem_repo2, "redis", "4.2.5" + c.checksum gem_repo2, "sidekiq", "6.1.3" + c.checksum gem_repo3, "sidekiq-pro", "5.2.1" + c.checksum gem_repo2, "thread_safe", "0.3.6" + c.checksum gem_repo2, "tzinfo", "1.2.9" + c.checksum gem_repo2, "zeitwerk", "2.4.2" + end + lockfile <<~L GEM remote: https://gem.repo2/ @@ -808,7 +834,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES activesupport sidekiq-pro! - + #{@locked_checksums} BUNDLED WITH #{Bundler::VERSION} L @@ -825,21 +851,6 @@ RSpec.describe "bundle install with gems on multiple sources" do expect(the_bundle).to include_gems("concurrent-ruby 1.1.8") expect(the_bundle).not_to include_gems("concurrent-ruby 1.1.9") - expected_checksums = checksum_section do |c| - c.repo_gem gem_repo2, "activesupport", "6.0.3.4" - c.repo_gem gem_repo2, "concurrent-ruby", "1.1.8" - c.repo_gem gem_repo2, "connection_pool", "2.2.3" - c.repo_gem gem_repo2, "i18n", "1.8.9" - c.repo_gem gem_repo2, "minitest", "5.14.3" - c.repo_gem gem_repo2, "rack", "2.2.3" - c.repo_gem gem_repo2, "redis", "4.2.5" - c.repo_gem gem_repo2, "sidekiq", "6.1.3" - c.repo_gem gem_repo3, "sidekiq-pro", "5.2.1" - c.repo_gem gem_repo2, "thread_safe", "0.3.6" - c.repo_gem gem_repo2, "tzinfo", "1.2.9" - c.repo_gem gem_repo2, "zeitwerk", "2.4.2" - end - expect(lockfile).to eq <<~L GEM remote: https://gem.repo2/ 
@@ -879,10 +890,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES activesupport sidekiq-pro! - - CHECKSUMS - #{expected_checksums} - + #{@locked_checksums} BUNDLED WITH #{Bundler::VERSION} L @@ -923,24 +931,16 @@ RSpec.describe "bundle install with gems on multiple sources" do expect(the_bundle).not_to include_gems("activesupport 6.0.3.4") expect(the_bundle).to include_gems("activesupport 6.1.2.1") + @locked_checksums.checksum gem_repo2, "activesupport", "6.1.2.1" + expect(the_bundle).not_to include_gems("tzinfo 1.2.9") expect(the_bundle).to include_gems("tzinfo 2.0.4") + @locked_checksums.checksum gem_repo2, "tzinfo", "2.0.4" + @locked_checksums.delete "thread_safe" + expect(the_bundle).not_to include_gems("concurrent-ruby 1.1.8") expect(the_bundle).to include_gems("concurrent-ruby 1.1.9") - - expected_checksums = checksum_section do |c| - c.repo_gem gem_repo2, "activesupport", "6.1.2.1" - c.repo_gem gem_repo2, "concurrent-ruby", "1.1.9" - c.repo_gem gem_repo2, "connection_pool", "2.2.3" - c.repo_gem gem_repo2, "i18n", "1.8.9" - c.repo_gem gem_repo2, "minitest", "5.14.3" - c.repo_gem gem_repo2, "rack", "2.2.3" - c.repo_gem gem_repo2, "redis", "4.2.5" - c.repo_gem gem_repo2, "sidekiq", "6.1.3" - c.repo_gem gem_repo3, "sidekiq-pro", "5.2.1" - c.repo_gem gem_repo2, "tzinfo", "2.0.4" - c.repo_gem gem_repo2, "zeitwerk", "2.4.2" - end + @locked_checksums.checksum gem_repo2, "concurrent-ruby", "1.1.9" expect(lockfile).to eq <<~L GEM @@ -980,10 +980,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES activesupport sidekiq-pro! - - CHECKSUMS - #{expected_checksums} - + #{@locked_checksums} BUNDLED WITH #{Bundler::VERSION} L 
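Review bot: In the `@@ -923` hunk, `@locked_checksums.checksum gem_repo2, "activesupport", "6.1.2.1"` is called without first removing the `6.0.3.4` entry the setup registered, while `thread_safe` is removed with an explicit `delete`, so the expectation only holds if `checksum` replaces an existing entry by gem name; that semantics is nowhere stated and deserves a comment such as `# checksum replaces the entry for a gem already in the section; delete is only needed for gems that leave the bundle` at the first such call (the `@@ -1000` hunk on the next line relies on the same behaviour). The updates are also interleaved with the `expect(the_bundle)` assertions, which reads as if the expectations depended on the mutations; grouping the three `checksum`/`delete` calls together just before `expect(lockfile).to eq <<~L` would keep assertions and expected-state setup apart. Sharing `@locked_checksums` across examples and mutating it is only safe if the assignment in the earlier `@@ -772` hunk lives in a per-example `before` block, which that hunk does not show. The enclosing `it` blocks start before these hunks.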
@@ -1000,20 +997,7 @@ RSpec.describe "bundle install with gems on multiple sources" do expect(the_bundle).to include_gems("concurrent-ruby 1.1.9") expect(the_bundle).not_to include_gems("concurrent-ruby 1.1.8") - expected_checksums = checksum_section do |c| - c.repo_gem gem_repo2, "activesupport", "6.0.3.4" - c.repo_gem gem_repo2, "concurrent-ruby", "1.1.9" - c.repo_gem gem_repo2, "connection_pool", "2.2.3" - c.repo_gem gem_repo2, "i18n", "1.8.9" - c.repo_gem gem_repo2, "minitest", "5.14.3" - c.repo_gem gem_repo2, "rack", "2.2.3" - c.repo_gem gem_repo2, "redis", "4.2.5" - c.repo_gem gem_repo2, "sidekiq", "6.1.3" - c.repo_gem gem_repo3, "sidekiq-pro", "5.2.1" - c.repo_gem gem_repo2, "thread_safe", "0.3.6" - c.repo_gem gem_repo2, "tzinfo", "1.2.9" - c.repo_gem gem_repo2, "zeitwerk", "2.4.2" - end + @locked_checksums.checksum gem_repo2, "concurrent-ruby", "1.1.9" expect(lockfile).to eq <<~L GEM @@ -1054,10 +1038,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES activesupport sidekiq-pro! - - CHECKSUMS - #{expected_checksums} - + #{@locked_checksums} BUNDLED WITH #{Bundler::VERSION} L @@ -1125,10 +1106,10 @@ RSpec.describe "bundle install with gems on multiple sources" do end it "installs from the default source without any warnings or errors and generates a proper lockfile" do - expected_checksums = checksum_section do |c| - c.repo_gem gem_repo3, "handsoap", "0.2.5.5" - c.repo_gem gem_repo2, "nokogiri", "1.11.1" - c.repo_gem gem_repo2, "racca", "1.5.2" + checksums = checksums_section_when_existing do |c| + c.checksum gem_repo3, "handsoap", "0.2.5.5" + c.checksum gem_repo2, "nokogiri", "1.11.1" + c.checksum gem_repo2, "racca", "1.5.2" end expected_lockfile = <<~L @@ -1151,10 +1132,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES handsoap! nokogiri - - CHECKSUMS - #{expected_checksums} - + #{checksums} BUNDLED WITH #{Bundler::VERSION} L 
@@ -1243,7 +1221,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES rack! - + #{checksums_section} BUNDLED WITH #{Bundler::VERSION} L @@ -1302,8 +1280,8 @@ RSpec.describe "bundle install with gems on multiple sources" do bundle "install", :artifice => "compact_index", :raise_on_error => false - api_checksum1 = checksum_for_repo_gem(gem_repo1, "rack", "0.9.1").split("sha256=").last - api_checksum3 = checksum_for_repo_gem(gem_repo3, "rack", "0.9.1").split("sha256=").last + api_checksum1 = checksum_digest(gem_repo1, "rack", "0.9.1") + api_checksum3 = checksum_digest(gem_repo3, "rack", "0.9.1") expect(exitstatus).to eq(37) expect(err).to eq(<<~E.strip) @@ -1712,9 +1690,9 @@ RSpec.describe "bundle install with gems on multiple sources" do it "upgrades the lockfile correctly" do bundle "lock --update", :artifice => "compact_index" - expected_checksums = checksum_section do |c| - c.repo_gem gem_repo2, "capybara", "2.5.0" - c.repo_gem gem_repo4, "mime-types", "3.0.0" + checksums = checksums_section_when_existing do |c| + c.checksum gem_repo2, "capybara", "2.5.0" + c.checksum gem_repo4, "mime-types", "3.0.0" end expect(lockfile).to eq <<~L @@ -1735,10 +1713,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES capybara (~> 2.5.0) mime-types (~> 3.0)! - - CHECKSUMS - #{expected_checksums} - + #{checksums} BUNDLED WITH #{Bundler::VERSION} L @@ -1774,6 +1749,11 @@ RSpec.describe "bundle install with gems on multiple sources" do it "handles that fine" do bundle "install", :artifice => "compact_index_extra", :env => { "BUNDLER_SPEC_GEM_REPO" => gem_repo4.to_s } + checksums = checksums_section_when_existing do |c| + c.checksum gem_repo4, "pdf-writer", "1.1.8" + c.checksum gem_repo2, "ruport", "1.7.0.3" + end + expect(lockfile).to eq <<~L GEM remote: https://localgemserver.test/ 
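Review bot: The `#{checksums_section}` interpolation in the `rack!` lockfile expectation uses a different helper from the `checksums_section_when_existing` used by every other lockfile expectation in this commit, and nothing at the call site says why this example is the exception. If the reason is that this example installs against a fresh lockfile, where the section is presumably always written, a comment above the heredoc such as `# fresh install: the CHECKSUMS section is always written here, unlike the locked examples above` would stop a later reader from "fixing" it to match the others; confirm the helper's behaviour before committing to that wording. The enclosing `it` block and its `expect(lockfile)` heredoc both start before this hunk.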
@@ -1791,11 +1771,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES ruport (= 1.7.0.3)! - - CHECKSUMS - #{checksum_for_repo_gem gem_repo4, "pdf-writer", "1.1.8"} - #{checksum_for_repo_gem gem_repo2, "ruport", "1.7.0.3"} - + #{checksums} BUNDLED WITH #{Bundler::VERSION} L @@ -1831,9 +1807,9 @@ RSpec.describe "bundle install with gems on multiple sources" do it "handles that fine" do bundle "install", :artifice => "compact_index_extra", :env => { "BUNDLER_SPEC_GEM_REPO" => gem_repo4.to_s } - expected_checksums = checksum_section do |c| - c.repo_gem gem_repo4, "pdf-writer", "1.1.8" - c.repo_gem gem_repo2, "ruport", "1.7.0.3" + checksums = checksums_section_when_existing do |c| + c.checksum gem_repo4, "pdf-writer", "1.1.8" + c.checksum gem_repo2, "ruport", "1.7.0.3" end expect(lockfile).to eq <<~L @@ -1853,10 +1829,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES ruport (= 1.7.0.3)! - - CHECKSUMS - #{expected_checksums} - + #{checksums} BUNDLED WITH #{Bundler::VERSION} L @@ -1886,8 +1859,8 @@ RSpec.describe "bundle install with gems on multiple sources" do it "handles that fine" do bundle "install --verbose", :artifice => "endpoint", :env => { "BUNDLER_SPEC_GEM_REPO" => gem_repo4.to_s } - expected_checksums = checksum_section do |c| - c.repo_gem gem_repo4, "pdf-writer", "1.1.8" + checksums = checksums_section_when_existing do |c| + c.checksum gem_repo4, "pdf-writer", "1.1.8" end expect(lockfile).to eq <<~L @@ -1901,10 +1874,7 @@ RSpec.describe "bundle install with gems on multiple sources" do DEPENDENCIES pdf-writer (= 1.1.8) - - CHECKSUMS - #{expected_checksums} - + #{checksums} BUNDLED WITH #{Bundler::VERSION} L |