author | Tim Moore <tmoore@incrementalism.net> | 2014-11-16 16:37:58 +1100 |
---|---|---|
committer | Tim Moore <tmoore@incrementalism.net> | 2014-12-02 08:16:50 +1100 |
commit | 7245613ec6b54e676fc52b4ac876b6fa05f383c0 (patch) | |
tree | 2acc1c34c8503ed3c361e1be4f918489d58d2f5a | |
parent | a28f318d257e540522d01ccdf5a95467d71a5f8c (diff) | |
download | bundler-7245613ec6b54e676fc52b4ac876b6fa05f383c0.tar.gz |
Strip credentials from ambiguous source warnings.
Fixes #3249.
-rw-r--r-- | lib/bundler.rb | 1 | ||||
-rw-r--r-- | lib/bundler/anonymizable_uri.rb | 16 | ||||
-rw-r--r-- | lib/bundler/fetcher.rb | 8 | ||||
-rw-r--r-- | lib/bundler/source/rubygems.rb | 14 | ||||
-rw-r--r-- | spec/bundler/anonymizable_uri_spec.rb | 32 | ||||
-rw-r--r-- | spec/install/gems/dependency_api_spec.rb | 13 |
6 files changed, 73 insertions, 11 deletions
diff --git a/lib/bundler.rb b/lib/bundler.rb index 69287a3ebf..428723c082 100644 --- a/lib/bundler.rb +++ b/lib/bundler.rb @@ -12,6 +12,7 @@ module Bundler preserve_gem_path ORIGINAL_ENV = ENV.to_hash + autoload :AnonymizableURI, 'bundler/anonymizable_uri' autoload :Definition, 'bundler/definition' autoload :Dependency, 'bundler/dependency' autoload :DepProxy, 'bundler/dep_proxy' diff --git a/lib/bundler/anonymizable_uri.rb b/lib/bundler/anonymizable_uri.rb new file mode 100644 index 0000000000..032346fd25 --- /dev/null +++ b/lib/bundler/anonymizable_uri.rb @@ -0,0 +1,16 @@ +module Bundler + class AnonymizableURI + attr_reader :original_uri, + :without_credentials + + def initialize(original_uri) + @original_uri = original_uri.freeze + @without_credentials ||= + if original_uri.userinfo + original_uri.dup.tap { |uri| uri.user = uri.password = nil }.freeze + else + original_uri + end + end + end +end diff --git a/lib/bundler/fetcher.rb b/lib/bundler/fetcher.rb index 13fbbd6497..465c7817bd 100644 --- a/lib/bundler/fetcher.rb +++ b/lib/bundler/fetcher.rb @@ -96,8 +96,7 @@ module Bundler @max_retries = 3 # How many retries for the API call @remote_uri = Bundler::Source.mirror_for(remote_uri) - @public_uri = @remote_uri.dup - @public_uri.user, @public_uri.password = nil, nil # don't print these + @anonymizable_uri = AnonymizableURI.new(@remote_uri.dup) unless @remote_uri.nil? Socket.do_not_reverse_lookup = true connection # create persistent connection @@ -131,7 +130,7 @@ module Bundler end def uri - @public_uri + @anonymizable_uri.without_credentials unless @anonymizable_uri.nil? end # fetch a gem specification @@ -186,7 +185,7 @@ module Bundler spec = RemoteSpecification.new(name, version, platform, self) end spec.source = source - spec.source_uri = @remote_uri + spec.source_uri = @anonymizable_uri index << spec end 
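Review bot: `inspect` on AnonymizableURI still falls through to Object#inspect, which prints every instance variable including `@original_uri` with its userinfo, so any `p`/debug dump or error message that inspects a spec's `source_uri` would print exactly the credentials this commit is hiding; plain interpolation of the wrapper, meanwhile, yields an unhelpful `#<Bundler::AnonymizableURI:0x…>`. Defining `to_s` and `inspect` in terms of `without_credentials` makes the safe form the default for any caller that does not deliberately ask for `original_uri`. Separately, `@without_credentials ||=` inside `initialize` is a plain assignment in disguise (the ivar is always nil on a fresh object), so `@without_credentials =` says what it does. Note also that `original_uri.freeze` freezes the object the caller passes in rather than a copy, which is fine for the `.dup` call sites in fetcher.rb but deserves a comment such as `# caller hands over a URI it no longer mutates; it is frozen here`.
```ruby
    # … unchanged: attr_reader and initialize …

    # Accidental interpolation or a debug dump of the wrapper must only ever
    # show the credential-free form; the raw URI is obtained explicitly
    # through #original_uri.
    def to_s
      without_credentials.to_s
    end

    def inspect
      "#<#{self.class} #{without_credentials}>"
    end
```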
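Review bot: `spec.source_uri = @anonymizable_uri` changes the type stored in `source_uri` from a URI to the wrapper, so every reader of `source_uri` now has to choose between `without_credentials` and `original_uri`; this diff updates the readers in lib/bundler/source/rubygems.rb, but RemoteSpecification and any other consumer outside the diff would now receive the wrapper instead of a URI, which cannot be confirmed from here. A comment at the assignment, `# AnonymizableURI, not a URI: readers pick #without_credentials or #original_uri`, would make that contract visible where it is set. The enclosing method starts outside the hunk.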
@@ -387,6 +386,7 @@ module Bundler raise AuthenticationRequiredError.new(uri) if auth.nil? @remote_uri.user, @remote_uri.password = *auth.split(":", 2) + @anonymizable_uri = AnonymizableURI.new(@remote_uri.dup) yield end diff --git a/lib/bundler/source/rubygems.rb b/lib/bundler/source/rubygems.rb index 044b363244..2f1d7410cc 100644 --- a/lib/bundler/source/rubygems.rb +++ b/lib/bundler/source/rubygems.rb @@ -83,9 +83,8 @@ module Bundler # by rubygems.org are broken and wrong. if spec.source_uri # Check for this spec from other sources - uris = [spec.source_uri] + uris = [spec.source_uri.without_credentials] uris += source_uris_for_spec(spec) - uris.compact! uris.uniq! Installer.ambiguous_gems << [spec.name, *uris] if uris.length > 1 @@ -186,14 +185,15 @@ module Bundler end end - protected + private def source_uris_for_spec(spec) - specs.search_all(spec.name).map{|s| s.source_uri } + specs.search_all(spec.name).inject([]) do |uris, spec| + uris << spec.source_uri.without_credentials if spec.source_uri + uris + end end - private - def cached_gem(spec) cached_gem = cached_path(spec) unless cached_gem @@ -330,7 +330,7 @@ module Bundler def fetch_gem(spec) return false unless spec.source_uri - Fetcher.download_gem_from_uri(spec, spec.source_uri) + Fetcher.download_gem_from_uri(spec, spec.source_uri.original_uri) end def builtin_gem?(spec) diff --git a/spec/bundler/anonymizable_uri_spec.rb b/spec/bundler/anonymizable_uri_spec.rb new file mode 100644 index 0000000000..e5d9faeb84 --- /dev/null +++ b/spec/bundler/anonymizable_uri_spec.rb 
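Review bot: Re-creating `@anonymizable_uri` after the credentials are written into `@remote_uri` is required now that the wrapper holds a frozen `.dup` snapshot, but it also means any spec whose `source_uri` was assigned from the previous wrapper keeps a copy without the userinfo, whereas the old code shared the mutable `@remote_uri` object and such specs would have seen the credentials appear in place. Whether that matters depends on whether the work inside `yield` re-fetches the specs, which is outside the hunk; a one-line comment such as `# specs built before this point hold the credential-less snapshot; the fetch inside yield rebuilds them` would record the assumption next to the code that relies on it. The enclosing method starts and ends outside the hunk.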
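Review bot: The block parameter `|uris, spec|` in `source_uris_for_spec` shadows the method parameter `spec`, so inside the block the name means each search result rather than the spec being looked up; it works today, but it reads like a bug and a later reference to the outer `spec` inside that block would silently be wrong. The removed line used `|s|` for the same role; `specs.search_all(spec.name).inject([]) do |uris, s|` with `uris << s.source_uri.without_credentials if s.source_uri` keeps the two meanings apart. Since the first hunk of this file now deduplicates on the credential-stripped URIs this helper returns, a YARD line on it would also help: `# @return [Array<URI>] credential-free source URIs; specs without a source are omitted`.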
@@ -0,0 +1,32 @@ +require 'spec_helper' +require 'bundler/anonymizable_uri' + +describe Bundler::AnonymizableURI do + let(:anonymizable_uri) { Bundler::AnonymizableURI.new(original_uri) } + + describe "#without_credentials" do + context "when the original URI has no credentials" do + let(:original_uri) { URI('https://rubygems.org') } + + it "returns the original URI" do + expect(anonymizable_uri.without_credentials).to eq(original_uri) + end + end + + context "when the original URI has a username and password" do + let(:original_uri) { URI("https://username:password@gems.example.com") } + + it "returns the URI without username and password" do + expect(anonymizable_uri.without_credentials).to eq(URI("https://gems.example.com")) + end + end + + context "when the original URI has only a username" do + let(:original_uri) { URI("https://SeCrEt-ToKeN@gem.fury.io/me/") } + + it "returns the URI without username and password" do + expect(anonymizable_uri.without_credentials).to eq(URI("https://gem.fury.io/me/")) + end + end + end +end diff --git a/spec/install/gems/dependency_api_spec.rb b/spec/install/gems/dependency_api_spec.rb index b8f8011f99..4749a0790a 100644 --- a/spec/install/gems/dependency_api_spec.rb +++ b/spec/install/gems/dependency_api_spec.rb @@ -444,6 +444,19 @@ describe "gemcutter's dependency API" do expect(out).not_to include("#{user}:#{password}") end + it "strips http basic auth creds when warning about ambiguous sources" do + gemfile <<-G + source "#{basic_auth_source_uri}" + source "file://#{gem_repo1}" + gem "rack" + G + + bundle :install, :artifice => "endpoint_basic_authentication" + expect(out).to include("Warning: the gem 'rack' was found in multiple sources.") + expect(out).not_to include("#{user}:#{password}") + should_be_installed "rack 1.0.0" + end + it "does not pass the user / password to different hosts on redirect" do gemfile <<-G source "#{basic_auth_source_uri}" |
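Review bot: The spec covers `without_credentials` but not the other half of the contract that lib/bundler/source/rubygems.rb relies on: that `original_uri` still carries the userinfo (so `fetch_gem` can authenticate) and that stripping happens on a copy rather than mutating the object passed in. An example such as `expect(anonymizable_uri.original_uri).to eq(URI("https://username:password@gems.example.com"))` together with `expect(original_uri.userinfo).to eq("username:password")` evaluated after `without_credentials` has been called would pin both. A URI carrying only a password (`https://:password@host/`) would be worth adding as well, since it takes the `userinfo` branch with an empty user.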
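Review bot: The new example only asserts that the combined `user:password` string is absent from the warning, so a token-style source with a username and no password (the `SeCrEt-ToKeN@gem.fury.io` shape exercised in the unit spec) leaking into the message would still pass here. Adding `expect(out).not_to include("#{user}@")` next to the existing assertion catches the username-only form without matching the bare word elsewhere in the output. `user` and `password` are defined outside the hunk, so their values cannot be checked from here.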