1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
|
# frozen_string_literal: true
require "rubygems/security"
# unfortunately, testing signed gems with a provided CA is extremely difficult
# as 'gem cert' is currently the only way to add CAs to the system.
RSpec.describe "policies with unsigned gems" do
before do
build_security_repo
gemfile <<-G
source "https://gems.security"
gem "myrack"
gem "signed_gem"
G
end
it "will work after you try to deploy without a lock" do
bundle "install --deployment", raise_on_error: false
bundle :install
expect(the_bundle).to include_gems "myrack 1.0", "signed_gem 1.0"
end
it "will fail when given invalid security policy" do
bundle "install --trust-policy=InvalidPolicyName", raise_on_error: false
expect(err).to include("RubyGems doesn't know about trust policy")
end
it "will fail with High Security setting due to presence of unsigned gem" do
bundle "install --trust-policy=HighSecurity", raise_on_error: false
expect(err).to include("security policy didn't allow")
end
it "will fail with Medium Security setting due to presence of unsigned gem" do
bundle "install --trust-policy=MediumSecurity", raise_on_error: false
expect(err).to include("security policy didn't allow")
end
it "will succeed with no policy" do
bundle "install"
end
end
RSpec.describe "policies with signed gems and no CA" do
before do
build_security_repo
gemfile <<-G
source "https://gems.security"
gem "signed_gem"
G
end
it "will fail with High Security setting, gem is self-signed" do
bundle "install --trust-policy=HighSecurity", raise_on_error: false
expect(err).to include("security policy didn't allow")
end
it "will fail with Medium Security setting, gem is self-signed" do
bundle "install --trust-policy=MediumSecurity", raise_on_error: false
expect(err).to include("security policy didn't allow")
end
it "will succeed with Low Security setting, low security accepts self signed gem" do
bundle "install --trust-policy=LowSecurity"
expect(the_bundle).to include_gems "signed_gem 1.0"
end
it "will succeed with no policy" do
bundle "install"
expect(the_bundle).to include_gems "signed_gem 1.0"
end
end
|
