[rubygems/rubygems] Vendor a pure ruby implementation of SHA1

This allows `Source::Git` to no longer load the `digest` gem as it is causing
issues on Ruby 3.1.

c19a9f2ff7

lib/bundler.rb

@@ -43,6 +43,7 @@ module Bundler
   autoload :Dependency,             File.expand_path("bundler/dependency", __dir__)
   autoload :DepProxy,               File.expand_path("bundler/dep_proxy", __dir__)
   autoload :Deprecate,              File.expand_path("bundler/deprecate", __dir__)
+  autoload :Digest,                 File.expand_path("bundler/digest", __dir__)
   autoload :Dsl,                    File.expand_path("bundler/dsl", __dir__)
   autoload :EndpointSpecification,  File.expand_path("bundler/endpoint_specification", __dir__)
   autoload :Env,                    File.expand_path("bundler/env", __dir__)

lib/bundler/digest.rb

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+
+# This code was extracted from https://github.com/Solistra/ruby-digest which is under public domain
+module Bundler
+  module Digest
+    # The initial constant values for the 32-bit constant words A, B, C, D, and
+    # E, respectively.
+    SHA1_WORDS = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0].freeze
+
+    # The 8-bit field used for bitwise `AND` masking. Defaults to `0xFFFFFFFF`.
+    SHA1_MASK = 0xFFFFFFFF
+
+    class << self
+      def sha1(string)
+        unless string.is_a?(String)
+          raise TypeError, "can't convert #{string.class.inspect} into String"
+        end
+
+        buffer = string.b
+
+        words = SHA1_WORDS.dup
+        generate_split_buffer(buffer) do |chunk|
+          w = []
+          chunk.each_slice(4) do |a, b, c, d|
+            w << (((a << 8 | b) << 8 | c) << 8 | d)
+          end
+          a, b, c, d, e = *words
+          (16..79).each do |i|
+            w[i] = SHA1_MASK & rotate((w[i-3] ^ w[i-8] ^ w[i-14] ^ w[i-16]), 1)
+          end
+          0.upto(79) do |i|
+            case i
+            when  0..19
+              f = ((b & c) | (~b & d))
+              k = 0x5A827999
+            when 20..39
+              f = (b ^ c ^ d)
+              k = 0x6ED9EBA1
+            when 40..59
+              f = ((b & c) | (b & d) | (c & d))
+              k = 0x8F1BBCDC
+            when 60..79
+              f = (b ^ c ^ d)
+              k = 0xCA62C1D6
+            end
+            t = SHA1_MASK & (SHA1_MASK & rotate(a, 5) + f + e + k + w[i])
+            a, b, c, d, e = t, a, SHA1_MASK & rotate(b, 30), c, d # rubocop:disable Style/ParallelAssignment
+          end
+          mutated = [a, b, c, d, e]
+          words.map!.with_index {|word, index| SHA1_MASK & (word + mutated[index]) }
+        end
+
+        words.pack("N*").unpack("H*").first
+      end
+
+      private
+
+      def generate_split_buffer(string, &block)
+        size   = string.bytesize * 8
+        buffer = string.bytes << 128
+        buffer << 0 while buffer.size % 64 != 56
+        [size].pack("Q").bytes.reverse_each {|b| buffer << b }
+        buffer.each_slice(64, &block)
+      end
+
+      def rotate(value, spaces)
+        value << spaces | value >> (32 - spaces)
+      end
+    end
+  end
+end

lib/bundler/gem_helper.rb

@@ -107,7 +107,7 @@ module Bundler
       SharedHelpers.filesystem_access(File.join(base, "checksums")) {|p| FileUtils.mkdir_p(p) }
       file_name = "#{File.basename(built_gem_path)}.sha512"
       require "digest/sha2"
-      checksum = Digest::SHA512.new.hexdigest(built_gem_path.to_s)
+      checksum = ::Digest::SHA512.new.hexdigest(built_gem_path.to_s)
       target = File.join(base, "checksums", file_name)
       File.write(target, checksum)
       Bundler.ui.confirm "#{name} #{version} checksum written to checksums/#{file_name}."

lib/bundler/source/git.rb

@@ -307,7 +307,9 @@ module Bundler
           # If there is no URI scheme, assume it is an ssh/git URI
           input = uri
         end
-        SharedHelpers.digest(:SHA1).hexdigest(input)
+        # We use SHA1 here for historical reason and to preserve backward compatibility.
+        # But a transition to a simpler mangling algorithm would be welcome.
+        Bundler::Digest.sha1(input)
       end
 
       def cached_revision

spec/bundler/bundler/digest_spec.rb

@@ -0,0 +1,17 @@
+# frozen_string_literal: true
+
+require "digest"
+require "bundler/digest"
+
+RSpec.describe Bundler::Digest do
+  context "SHA1" do
+    subject { Bundler::Digest }
+    let(:stdlib) { ::Digest::SHA1 }
+
+    it "is compatible with stdlib" do
+      ["foo", "skfjsdlkfjsdf", "3924m", "ldskfj"].each do |payload|
+        expect(subject.sha1(payload)).to be == stdlib.hexdigest(payload)
+      end
+    end
+  end
+end

spec/bundler/runtime/setup_spec.rb

@@ -1228,6 +1228,41 @@ end
   end
 
   describe "with gemified standard libraries" do
+    it "does not load Digest", :ruby_repo do
+      skip "Only for Ruby 3.0+" unless RUBY_VERSION >= "3.0"
+
+      build_git "bar", :gemspec => false do |s|
+        s.write "lib/bar/version.rb", %(BAR_VERSION = '1.0')
+        s.write "bar.gemspec", <<-G
+          require_relative 'lib/bar/version'
+
+          Gem::Specification.new do |s|
+            s.name        = 'bar'
+            s.version     = BAR_VERSION
+            s.summary     = 'Bar'
+            s.files       = Dir["lib/**/*.rb"]
+            s.author      = 'no one'
+
+            s.add_runtime_dependency 'digest'
+          end
+        G
+      end
+
+      gemfile <<-G
+        source "#{file_uri_for(gem_repo1)}"
+        gem "bar", :git => "#{lib_path("bar-1.0")}"
+      G
+
+      bundle :install
+
+      ruby <<-RUBY
+        require '#{entrypoint}/setup'
+        puts defined?(::Digest) ? "Digest defined" : "Digest undefined"
+        require 'digest'
+      RUBY
+      expect(out).to eq("Digest undefined")
+    end
+
     it "does not load Psych" do
       gemfile "source \"#{file_uri_for(gem_repo1)}\""
       ruby <<-RUBY