authorWill Jordan <will@code.org>2017-02-16 10:52:04 -0800
committerWill Jordan <will@code.org>2017-02-16 15:18:15 -0800
commit873bac15ae7ddb3032114fb61587314840444ba3 (patch)
tree84e30545f29da897318216359bec20056cfcf6ae
parent713ea1086efe9545a1c473a6d59ec6a0f6e1b97a (diff)
Enable compact index when OpenSSL FIPS mode is enabled but not active
-rw-r--r--lib/bundler/fetcher/compact_index.rb16
-rw-r--r--spec/bundler/fetcher/compact_index_spec.rb44
2 files changed, 51 insertions, 9 deletions
diff --git a/lib/bundler/fetcher/compact_index.rb b/lib/bundler/fetcher/compact_index.rb
index dcc9d57c13..896f69592e 100644
--- a/lib/bundler/fetcher/compact_index.rb
+++ b/lib/bundler/fetcher/compact_index.rb
@@ -122,14 +122,24 @@ module Bundler
end
def md5_available?
+ return true unless fips_enabled? && Process.respond_to?(:fork)
+ pid = fork do
+ $stderr.reopen(File.new("/dev/null", "w"))
+ require "digest/md5"
+ Digest::MD5.new
+ exit
+ end
+ Process.wait pid
+ $?.success?
+ end
+
+ def fips_enabled?
begin
require "openssl"
- return false if defined?(OpenSSL::OPENSSL_FIPS) && OpenSSL::OPENSSL_FIPS
rescue LoadError
nil
end
-
- true
+ defined?(OpenSSL::OPENSSL_FIPS) && OpenSSL::OPENSSL_FIPS
end
end
end
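Review bot: The guard at the top of `md5_available?` returns true whenever `Process.respond_to?(:fork)` is false, so a FIPS-enabled build on a platform without fork now reports MD5 as usable, where the removed code returned false. If FIPS mode is actually active there, the first MD5 use would presumably abort the process, as the spec comment in this commit describes. Splitting the guard keeps the old conservative answer: `return true unless fips_enabled?` followed by `return false unless Process.respond_to?(:fork)`. In the child, `exit!` instead of `exit` would also avoid running at_exit handlers inherited from the parent. A short comment should say that the probe is forked because a forbidden digest aborts the process rather than raising.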
diff --git a/spec/bundler/fetcher/compact_index_spec.rb b/spec/bundler/fetcher/compact_index_spec.rb
index 5e85f906ba..7888dbf1bd 100644
--- a/spec/bundler/fetcher/compact_index_spec.rb
+++ b/spec/bundler/fetcher/compact_index_spec.rb
@@ -3,8 +3,8 @@ require "spec_helper"
RSpec.describe Bundler::Fetcher::CompactIndex do
let(:downloader) { double(:downloader) }
- let(:remote) { double(:remote, :cache_slug => "lsjdf") }
let(:display_uri) { URI("http://sampleuri.com") }
+ let(:remote) { double(:remote, :cache_slug => "lsjdf", :uri => display_uri) }
let(:compact_index) { described_class.new(downloader, remote, display_uri) }
before do
@@ -26,16 +26,48 @@ RSpec.describe Bundler::Fetcher::CompactIndex do
end
describe "#available?" do
- context "when OpenSSL is in FIPS mode", :ruby => ">= 2.0.0" do
+ before do
+ allow(compact_index).to receive(:compact_index_client).
+ and_return(double(:compact_index_client, :update_and_parse_checksums! => true))
+ end
+
+ it "returns true" do
+ expect(compact_index).to be_available
+ end
+
+ it "does not fork" do
+ expect(compact_index).to receive(:fork).never
+ compact_index.available?
+ end
+
+ context "when OpenSSL is FIPS-enabled", :ruby => ">= 2.0.0" do
before { stub_const("OpenSSL::OPENSSL_FIPS", true) }
- it "returns false" do
- expect(compact_index).to_not be_available
+ context "when FIPS-mode is active" do
+ before do
+ allow(Digest::MD5).to receive(:new) do
+ # OpenSSL writes to STDERR and kills the current process with SIGABRT
+ # when FIPS mode prevents MD5 from being used.
+ $stderr.write "Digest MD5 forbidden in FIPS mode!"
+ Process.kill("ABRT", Process.pid)
+ end
+ end
+
+ it "returns false" do
+ expect(compact_index).to_not be_available
+ end
+
+ it "outputs nothing to stderr" do
+ expect { compact_index.available? }.to_not output.to_stderr_from_any_process
+ end
end
- it "never requires digest/md5" do
- expect(Kernel).to receive(:require).with("digest/md5").never
+ it "returns true" do
+ expect(compact_index).to be_available
+ end
+ it "does fork" do
+ expect(compact_index).to receive(:fork).and_call_original
compact_index.available?
end
end
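Review bot: No example covers the branch of `md5_available?` taken when OpenSSL is FIPS-enabled and `Process.respond_to?(:fork)` is false. The "returns false" and "does fork" examples in the FIPS contexts both assume fork exists and would fail on a platform without it. A context that stubs the fork check to false and asserts the expected availability would pin that behaviour, and the fork-dependent examples could be skipped where fork is missing. The stubbed `Digest::MD5.new` sends SIGABRT to `Process.pid`, which is only safe because it runs in the forked child; a one-line comment saying so would help, e.g. `# runs in the forked probe, so only the child is killed`.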