# frozen_string_literal: true
require_relative "vendored_persistent"
require_relative "vendored_timeout"
require "cgi"
require "securerandom"
require "zlib"
module Bundler
# Handles all the fetching with the rubygems server
class Fetcher
autoload :Base, File.expand_path("fetcher/base", __dir__)
autoload :CompactIndex, File.expand_path("fetcher/compact_index", __dir__)
autoload :Downloader, File.expand_path("fetcher/downloader", __dir__)
autoload :Dependency, File.expand_path("fetcher/dependency", __dir__)
autoload :Index, File.expand_path("fetcher/index", __dir__)
# This error is raised when it looks like the network is down
class NetworkDownError < HTTPError; end
# This error is raised if we should rate limit our requests to the API
class TooManyRequestsError < HTTPError; end
# This error is raised if the API returns a 413 (only printed in verbose)
class FallbackError < HTTPError; end
# This is the error raised if OpenSSL fails the cert verification
class CertificateFailureError < HTTPError
def initialize(remote_uri)
remote_uri = filter_uri(remote_uri)
super "Could not verify the SSL certificate for #{remote_uri}.\nThere" \
" is a chance you are experiencing a man-in-the-middle attack, but" \
" most likely your system doesn't have the CA certificates needed" \
" for verification. For information about OpenSSL certificates, see" \
" https://railsapps.github.io/openssl-certificate-verify-failed.html."
end
end
# This is the error raised when a source is HTTPS and OpenSSL didn't load
class SSLError < HTTPError
def initialize(msg = nil)
super msg || "Could not load OpenSSL.\n" \
"You must recompile Ruby with OpenSSL support."
end
end
# This error is raised if HTTP authentication is required, but not provided.
class AuthenticationRequiredError < HTTPError
def initialize(remote_uri)
remote_uri = filter_uri(remote_uri)
super "Authentication is required for #{remote_uri}.\n" \
"Please supply credentials for this source. You can do this by running:\n" \
"`bundle config set --global #{remote_uri} username:password`\n" \
"or by storing the credentials in the `#{Settings.key_for(remote_uri)}` environment variable"
end
end
# This error is raised if HTTP authentication is provided, but incorrect.
class BadAuthenticationError < HTTPError
def initialize(remote_uri)
remote_uri = filter_uri(remote_uri)
super "Bad username or password for #{remote_uri}.\n" \
"Please double-check your credentials and correct them."
end
end
# This error is raised if HTTP authentication is correct, but lacks
# necessary permissions.
class AuthenticationForbiddenError < HTTPError
def initialize(remote_uri)
remote_uri = filter_uri(remote_uri)
super "Access token could not be authenticated for #{remote_uri}.\n" \
"Make sure it's valid and has the necessary scopes configured."
end
end
# Exceptions classes that should bypass retry attempts. If your password didn't work the
# first time, it's not going to the third time.
NET_ERRORS = [:HTTPBadGateway, :HTTPBadRequest, :HTTPFailedDependency,
:HTTPForbidden, :HTTPInsufficientStorage, :HTTPMethodNotAllowed,
:HTTPMovedPermanently, :HTTPNoContent, :HTTPNotFound,
:HTTPNotImplemented, :HTTPPreconditionFailed, :HTTPRequestEntityTooLarge,
:HTTPRequestURITooLong, :HTTPUnauthorized, :HTTPUnprocessableEntity,
:HTTPUnsupportedMediaType, :HTTPVersionNotSupported].freeze
FAIL_ERRORS = begin
fail_errors = [AuthenticationRequiredError, BadAuthenticationError, AuthenticationForbiddenError, FallbackError, SecurityError]
fail_errors << Gem::Requirement::BadRequirementError
fail_errors.concat(NET_ERRORS.map {|e| Gem::Net.const_get(e) })
end.freeze
class << self
attr_accessor :disable_endpoint, :api_timeout, :redirect_limit, :max_retries
end
self.redirect_limit = Bundler.settings[:redirect] # How many redirects to allow in one request
self.api_timeout = Bundler.settings[:timeout] # How long to wait for each API call
self.max_retries = Bundler.settings[:retry] # How many retries for the API call
def initialize(remote)
@cis = nil
@remote = remote
Socket.do_not_reverse_lookup = true
connection # create persistent connection
end
def uri
@remote.anonymized_uri
end
# fetch a gem specification
def fetch_spec(spec)
spec -= [nil, "ruby", ""]
spec_file_name = "#{spec.join "-"}.gemspec"
uri = Bundler::URI.parse("#{remote_uri}#{Gem::MARSHAL_SPEC_DIR}#{spec_file_name}.rz")
spec = if uri.scheme == "file"
path = Gem::Util.correct_for_windows_path(uri.path)
Bundler.safe_load_marshal Bundler.rubygems.inflate(Gem.read_binary(path))
elsif cached_spec_path = gemspec_cached_path(spec_file_name)
Bundler.load_gemspec(cached_spec_path)
else
Bundler.safe_load_marshal Bundler.rubygems.inflate(downloader.fetch(uri).body)
end
raise MarshalError, "is #{spec.inspect}" unless spec.is_a?(Gem::Specification)
spec
rescue MarshalError
raise HTTPError, "Gemspec #{spec} contained invalid data.\n" \
"Your network or your gem server is probably having issues right now."
end
# return the specs in the bundler format as an index with retries
def specs_with_retry(gem_names, source)
Bundler::Retry.new("fetcher", FAIL_ERRORS).attempts do
specs(gem_names, source)
end
end
# return the specs in the bundler format as an index
def specs(gem_names, source)
index = Bundler::Index.new
fetch_specs(gem_names).each do |name, version, platform, dependencies, metadata|
spec = if dependencies
EndpointSpecification.new(name, version, platform, self, dependencies, metadata).tap do |es|
source.checksum_store.replace(es, es.checksum)
end
else
RemoteSpecification.new(name, version, platform, self)
end
spec.source = source
spec.remote = @remote
index << spec
end
index
rescue CertificateFailureError
Bundler.ui.info "" if gem_names && api_fetcher? # newline after dots
raise
end
def user_agent
@user_agent ||= begin
ruby = Bundler::RubyVersion.system
agent = String.new("bundler/#{Bundler::VERSION}")
agent << " rubygems/#{Gem::VERSION}"
agent << " ruby/#{ruby.versions_string(ruby.versions)}"
agent << " (#{ruby.host})"
agent << " command/#{ARGV.first}"
if ruby.engine != "ruby"
# engine_version raises on unknown engines
engine_version = begin
ruby.engine_versions
rescue RuntimeError
"???"
end
agent << " #{ruby.engine}/#{ruby.versions_string(engine_version)}"
end
agent << " options/#{Bundler.settings.all.join(",")}"
agent << " ci/#{cis.join(",")}" if cis.any?
# add a random ID so we can consolidate runs server-side
agent << " " << SecureRandom.hex(8)
# add any user agent strings set in the config
extra_ua = Bundler.settings[:user_agent]
agent << " " << extra_ua if extra_ua
agent
end
end
def http_proxy
return unless uri = connection.proxy_uri
uri.to_s
end
def inspect
"#<#{self.class}:0x#{object_id} uri=#{uri}>"
end
def api_fetcher?
fetchers.first.api_fetcher?
end
def gem_remote_fetcher
@gem_remote_fetcher ||= begin
require_relative "fetcher/gem_remote_fetcher"
fetcher = GemRemoteFetcher.new Gem.configuration[:http_proxy]
fetcher.headers["User-Agent"] = user_agent
fetcher.headers["X-Gemfile-Source"] = @remote.original_uri.to_s if @remote.original_uri
fetcher
end
end
private
def available_fetchers
if Bundler::Fetcher.disable_endpoint
[Index]
elsif remote_uri.scheme == "file"
Bundler.ui.debug("Using a local server, bundler won't use the CompactIndex API")
[Index]
else
[CompactIndex, Dependency, Index]
end
end
def fetchers
@fetchers ||= available_fetchers.map {|f| f.new(downloader, @remote, uri, gem_remote_fetcher) }.drop_while {|f| !f.available? }
end
def fetch_specs(gem_names)
fetchers.reject!(&:api_fetcher?) unless gem_names
fetchers.reject! do |f|
specs = f.specs(gem_names)
return specs if specs
true
end
[]
end
def cis
@cis ||= Bundler::CIDetector.ci_strings
end
def connection
@connection ||= begin
needs_ssl = remote_uri.scheme == "https" ||
Bundler.settings[:ssl_verify_mode] ||
Bundler.settings[:ssl_client_cert]
raise SSLError if needs_ssl && !defined?(OpenSSL::SSL)
con = Gem::Net::HTTP::Persistent.new name: "bundler", proxy: :ENV
if gem_proxy = Gem.configuration[:http_proxy]
con.proxy = Bundler::URI.parse(gem_proxy) if gem_proxy != :no_proxy
end
if remote_uri.scheme == "https"
con.verify_mode = (Bundler.settings[:ssl_verify_mode] ||
OpenSSL::SSL::VERIFY_PEER)
con.cert_store = bundler_cert_store
end
ssl_client_cert = Bundler.settings[:ssl_client_cert] ||
(Gem.configuration.ssl_client_cert if
Gem.configuration.respond_to?(:ssl_client_cert))
if ssl_client_cert
pem = File.read(ssl_client_cert)
con.cert = OpenSSL::X509::Certificate.new(pem)
con.key = OpenSSL::PKey::RSA.new(pem)
end
con.read_timeout = Fetcher.api_timeout
con.open_timeout = Fetcher.api_timeout
con.override_headers["User-Agent"] = user_agent
con.override_headers["X-Gemfile-Source"] = @remote.original_uri.to_s if @remote.original_uri
con
end
end
# cached gem specification path, if one exists
def gemspec_cached_path(spec_file_name)
paths = Bundler.rubygems.spec_cache_dirs.map {|dir| File.join(dir, spec_file_name) }
paths.find {|path| File.file? path }
end
HTTP_ERRORS = [
Gem::Timeout::Error, EOFError, SocketError, Errno::ENETDOWN, Errno::ENETUNREACH,
Errno::EINVAL, Errno::ECONNRESET, Errno::ETIMEDOUT, Errno::EAGAIN,
Gem::Net::HTTPBadResponse, Gem::Net::HTTPHeaderSyntaxError, Gem::Net::ProtocolError,
Gem::Net::HTTP::Persistent::Error, Zlib::BufError, Errno::EHOSTUNREACH
].freeze
def bundler_cert_store
store = OpenSSL::X509::Store.new
ssl_ca_cert = Bundler.settings[:ssl_ca_cert] ||
(Gem.configuration.ssl_ca_cert if
Gem.configuration.respond_to?(:ssl_ca_cert))
if ssl_ca_cert
if File.directory? ssl_ca_cert
store.add_path ssl_ca_cert
else
store.add_file ssl_ca_cert
end
else
store.set_default_paths
require "rubygems/request"
Gem::Request.get_cert_files.each {|c| store.add_file c }
end
store
end
def remote_uri
@remote.uri
end
def downloader
@downloader ||= Downloader.new(connection, self.class.redirect_limit)
end
end
end