2018-11-02 19:07:56 -04:00
|
|
|
# frozen_string_literal: true
|
|
|
|
|
|
|
|
require "rubygems/security"
|
|
|
|
|
|
|
|
# unfortunately, testing signed gems with a provided CA is extremely difficult
|
|
|
|
# as 'gem cert' is currently the only way to add CAs to the system.
|
|
|
|
|
|
|
|
RSpec.describe "policies with unsigned gems" do
|
|
|
|
before do
|
|
|
|
build_security_repo
|
|
|
|
gemfile <<-G
|
2019-05-06 12:06:21 -04:00
|
|
|
source "#{file_uri_for(security_repo)}"
|
2018-11-02 19:07:56 -04:00
|
|
|
gem "rack"
|
|
|
|
gem "signed_gem"
|
|
|
|
G
|
|
|
|
end
|
|
|
|
|
|
|
|
it "will work after you try to deploy without a lock" do
|
|
|
|
bundle "install --deployment"
|
|
|
|
bundle :install
|
|
|
|
expect(exitstatus).to eq(0) if exitstatus
|
|
|
|
expect(the_bundle).to include_gems "rack 1.0", "signed_gem 1.0"
|
|
|
|
end
|
|
|
|
|
|
|
|
it "will fail when given invalid security policy" do
|
|
|
|
bundle "install --trust-policy=InvalidPolicyName"
|
2019-04-14 02:01:35 -04:00
|
|
|
expect(err).to include("RubyGems doesn't know about trust policy")
|
2018-11-02 19:07:56 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
it "will fail with High Security setting due to presence of unsigned gem" do
|
|
|
|
bundle "install --trust-policy=HighSecurity"
|
2019-04-14 02:01:35 -04:00
|
|
|
expect(err).to include("security policy didn't allow")
|
2018-11-02 19:07:56 -04:00
|
|
|
end
|
|
|
|
|
2019-04-14 02:01:35 -04:00
|
|
|
it "will fail with Medium Security setting due to presence of unsigned gem" do
|
2018-11-02 19:07:56 -04:00
|
|
|
bundle "install --trust-policy=MediumSecurity"
|
2019-04-14 02:01:35 -04:00
|
|
|
expect(err).to include("security policy didn't allow")
|
2018-11-02 19:07:56 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
it "will succeed with no policy" do
|
|
|
|
bundle "install"
|
|
|
|
expect(exitstatus).to eq(0) if exitstatus
|
|
|
|
end
|
|
|
|
end
|
|
|
|
|
|
|
|
RSpec.describe "policies with signed gems and no CA" do
|
|
|
|
before do
|
|
|
|
build_security_repo
|
|
|
|
gemfile <<-G
|
2019-05-06 12:06:21 -04:00
|
|
|
source "#{file_uri_for(security_repo)}"
|
2018-11-02 19:07:56 -04:00
|
|
|
gem "signed_gem"
|
|
|
|
G
|
|
|
|
end
|
|
|
|
|
|
|
|
it "will fail with High Security setting, gem is self-signed" do
|
|
|
|
bundle "install --trust-policy=HighSecurity"
|
2019-04-14 02:01:35 -04:00
|
|
|
expect(err).to include("security policy didn't allow")
|
2018-11-02 19:07:56 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
it "will fail with Medium Security setting, gem is self-signed" do
|
|
|
|
bundle "install --trust-policy=MediumSecurity"
|
2019-04-14 02:01:35 -04:00
|
|
|
expect(err).to include("security policy didn't allow")
|
2018-11-02 19:07:56 -04:00
|
|
|
end
|
|
|
|
|
|
|
|
it "will succeed with Low Security setting, low security accepts self signed gem" do
|
|
|
|
bundle "install --trust-policy=LowSecurity"
|
|
|
|
expect(exitstatus).to eq(0) if exitstatus
|
|
|
|
expect(the_bundle).to include_gems "signed_gem 1.0"
|
|
|
|
end
|
|
|
|
|
|
|
|
it "will succeed with no policy" do
|
|
|
|
bundle "install"
|
|
|
|
expect(exitstatus).to eq(0) if exitstatus
|
|
|
|
expect(the_bundle).to include_gems "signed_gem 1.0"
|
|
|
|
end
|
|
|
|
end
|