authorThe Bundler Bot <bot@bundler.io>2017-02-18 11:07:33 +0000
committerThe Bundler Bot <bot@bundler.io>2017-02-18 11:07:33 +0000
commit13f4cc1a8d8aea5c97f9197f8aa192d68a1f03fa (patch)
treefd8f1a58aeedbc89d9ac32994c18419cf8698424
parentf23034bf4c48a69fd2250cd7717eeedb4ac85216 (diff)
parent21b3358d66b2748cc92a41b9d91d5f844fffc64f (diff)
downloadbundler-13f4cc1a8d8aea5c97f9197f8aa192d68a1f03fa.tar.gz
Auto merge of #5440 - wjordan:fips_enabled_compact_index, r=indirect
Enable compact index when OpenSSL FIPS mode is enabled but not active Fixes #5433. Since there is no easy accessor in Ruby to detect whether or not FIPS mode is currently active, the best approach I could come up with is to `fork` a separate process and attempt to build an MD5 object as a test of whether the MD5 module is currently available. Because the `fork` approach won't work on some platforms (JRuby, Windows etc), `md5_supported?` returns `false` on any platforms where FIPS mode is enabled and `Process.respond_to?(:fork)` is `false`. I've added a spec that simulates behavior when OpenSSL FIPS mode is active - an error message is output to STDERR and the process is killed with the `ABRT` signal.
-rw-r--r--lib/bundler/fetcher/compact_index.rb13
-rw-r--r--spec/bundler/fetcher/compact_index_spec.rb40
2 files changed, 38 insertions, 15 deletions
diff --git a/lib/bundler/fetcher/compact_index.rb b/lib/bundler/fetcher/compact_index.rb
index dcc9d57c13..97de88101b 100644
--- a/lib/bundler/fetcher/compact_index.rb
+++ b/lib/bundler/fetcher/compact_index.rb
@@ -122,14 +122,13 @@ module Bundler
end
def md5_available?
- begin
- require "openssl"
- return false if defined?(OpenSSL::OPENSSL_FIPS) && OpenSSL::OPENSSL_FIPS
- rescue LoadError
- nil
- end
-
+ require "openssl"
+ OpenSSL::Digest::MD5.digest("")
+ true
+ rescue LoadError
true
+ rescue OpenSSL::Digest::DigestError
+ false
end
end
end
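Review bot: `md5_available?` maps only `OpenSSL::Digest::DigestError` to `false`, yet the commit description says that with FIPS mode active the MD5 call prints to STDERR and the process is killed with `ABRT`, and it describes a `fork`-based probe that does not appear in this hunk. If that abort behaviour applies to any supported OpenSSL build, `OpenSSL::Digest::MD5.digest("")` would terminate Bundler in-process instead of returning `false`, so it is worth confirming which builds raise rather than abort. Either way the method should carry a comment such as `# Probe MD5 at runtime: OPENSSL_FIPS only means FIPS support is compiled in, not that FIPS mode is active.` The `rescue LoadError` branch returning `true` also deserves a one-line comment explaining why MD5 is assumed usable when openssl cannot be loaded.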
diff --git a/spec/bundler/fetcher/compact_index_spec.rb b/spec/bundler/fetcher/compact_index_spec.rb
index 5e85f906ba..e653c1ea43 100644
--- a/spec/bundler/fetcher/compact_index_spec.rb
+++ b/spec/bundler/fetcher/compact_index_spec.rb
@@ -3,8 +3,8 @@ require "spec_helper"
RSpec.describe Bundler::Fetcher::CompactIndex do
let(:downloader) { double(:downloader) }
- let(:remote) { double(:remote, :cache_slug => "lsjdf") }
let(:display_uri) { URI("http://sampleuri.com") }
+ let(:remote) { double(:remote, :cache_slug => "lsjdf", :uri => display_uri) }
let(:compact_index) { described_class.new(downloader, remote, display_uri) }
before do
@@ -26,17 +26,41 @@ RSpec.describe Bundler::Fetcher::CompactIndex do
end
describe "#available?" do
- context "when OpenSSL is in FIPS mode", :ruby => ">= 2.0.0" do
- before { stub_const("OpenSSL::OPENSSL_FIPS", true) }
+ before do
+ allow(compact_index).to receive(:compact_index_client).
+ and_return(double(:compact_index_client, :update_and_parse_checksums! => true))
+ end
+
+ it "returns true" do
+ expect(compact_index).to be_available
+ end
+
+ context "when OpenSSL is not available" do
+ before do
+ allow(compact_index).to receive(:require).with("openssl").and_raise(LoadError)
+ end
- it "returns false" do
- expect(compact_index).to_not be_available
+ it "returns true" do
+ expect(compact_index).to be_available
end
+ end
+
+ context "when OpenSSL is FIPS-enabled", :ruby => ">= 2.0.0" do
+ before { stub_const("OpenSSL::OPENSSL_FIPS", true) }
+
+ context "when FIPS-mode is active" do
+ before do
+ allow(OpenSSL::Digest::MD5).to receive(:digest).
+ and_raise(OpenSSL::Digest::DigestError)
+ end
- it "never requires digest/md5" do
- expect(Kernel).to receive(:require).with("digest/md5").never
+ it "returns false" do
+ expect(compact_index).to_not be_available
+ end
+ end
- compact_index.available?
+ it "returns true" do
+ expect(compact_index).to be_available
end
end
end
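Review bot: The two `it "returns true"` examples (the top-level one under `#available?` and the one under "when OpenSSL is FIPS-enabled") call the real `OpenSSL::Digest::MD5.digest`, so their result depends on the crypto configuration of the machine running the suite. On a host where FIPS mode is actually active they would fail, so stubbing the probe in those contexts keeps them deterministic, e.g. `before { allow(OpenSSL::Digest::MD5).to receive(:digest).and_return("") }`. Separately, the removed example `it "never requires digest/md5"` has no replacement here, so nothing visible in this spec still guards against `digest/md5` being loaded while FIPS mode is active; consider keeping that expectation inside the "when FIPS-mode is active" context.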