# frozen_string_literal: true

require "rubygems/security"

# Unfortunately, testing signed gems against a provided CA is extremely difficult,
# as 'gem cert' is currently the only way to add CAs to the system. As a result,
# these specs only cover the rejection paths (unsigned and self-signed gems); the
# positive path -- a CA-signed gem being accepted under HighSecurity/MediumSecurity --
# is not exercised here.

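RSpec.describe "policies with unsigned gems" do
  # Mixed bundle: "rack" is unsigned and "signed_gem" carries a signature, so
  # any policy that requires signatures has to reject this Gemfile because of
  # "rack" alone.
  before do
    build_security_repo
    gemfile <<-G
      source "#{file_uri_for(security_repo)}"
      gem "rack"
      gem "signed_gem"
    G
  end

  it "will work after you try to deploy without a lock" do
    # The deployment run is expected to fail (there is no lockfile yet); the
    # point of the spec is that this failed attempt leaves nothing behind that
    # breaks the plain install which follows.
    bundle "install --deployment", :raise_on_error => false
    bundle :install
    expect(exitstatus).to eq(0) if exitstatus
    expect(the_bundle).to include_gems "rack 1.0", "signed_gem 1.0"
  end

  it "will fail when given invalid security policy" do
    bundle "install --trust-policy=InvalidPolicyName", :raise_on_error => false
    # An unknown policy name must abort the install rather than silently
    # falling back to "no policy"; pin the failure, not just the message.
    expect(exitstatus).not_to eq(0) if exitstatus
    expect(err).to include("RubyGems doesn't know about trust policy")
  end

  it "will fail with High Security setting due to presence of unsigned gem" do
    bundle "install --trust-policy=HighSecurity", :raise_on_error => false
    # Matching the error text alone would also pass if bundler merely warned
    # and kept installing; the non-zero exit is what proves the gem was refused.
    expect(exitstatus).not_to eq(0) if exitstatus
    expect(err).to include("security policy didn't allow")
  end

  it "will fail with Medium Security setting due to presence of unsigned gem" do
    bundle "install --trust-policy=MediumSecurity", :raise_on_error => false
    # Same reasoning as for HighSecurity: the install must actually fail.
    expect(exitstatus).not_to eq(0) if exitstatus
    expect(err).to include("security policy didn't allow")
  end

  it "will succeed with no policy" do
    # Without --trust-policy no signature checks are applied at all, so the
    # unsigned gem is not an error.
    bundle "install"
    expect(exitstatus).to eq(0) if exitstatus
  end
end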

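RSpec.describe "policies with signed gems and no CA" do
  # Only the signed gem is requested, and no CA certificate has been added to
  # the trust store, so the gem's certificate chain is self-signed and
  # untrusted from RubyGems' point of view.
  before do
    build_security_repo
    gemfile <<-G
      source "#{file_uri_for(security_repo)}"
      gem "signed_gem"
    G
  end

  it "will fail with High Security setting, gem is self-signed" do
    bundle "install --trust-policy=HighSecurity", :raise_on_error => false
    # The install must actually abort; checking only the message would also
    # pass if bundler warned and continued.
    expect(exitstatus).not_to eq(0) if exitstatus
    expect(err).to include("security policy didn't allow")
  end

  it "will fail with Medium Security setting, gem is self-signed" do
    bundle "install --trust-policy=MediumSecurity", :raise_on_error => false
    # Same reasoning as for HighSecurity.
    expect(exitstatus).not_to eq(0) if exitstatus
    expect(err).to include("security policy didn't allow")
  end

  it "will succeed with Low Security setting, low security accepts self signed gem" do
    # LowSecurity does not require the signer to chain to a trusted CA, so a
    # self-signed gem installs. Note that this is not the same as "verified":
    # it only proves the signature is internally consistent.
    bundle "install --trust-policy=LowSecurity"
    expect(exitstatus).to eq(0) if exitstatus
    expect(the_bundle).to include_gems "signed_gem 1.0"
  end

  it "will succeed with no policy" do
    # Without --trust-policy the signature is not checked at all.
    bundle "install"
    expect(exitstatus).to eq(0) if exitstatus
    expect(the_bundle).to include_gems "signed_gem 1.0"
  end
end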