Auto merge of #5440 - wjordan:fips_enabled_compact_index, r=indirect

Enable compact index when OpenSSL FIPS mode is enabled but not active Fixes #5433. Since there is no easy accessor in Ruby to detect whether or not FIPS mode is currently active, the best approach I could come up with is to `fork` a separate process and attempt to generate a build MD5 object as a test of whether MD5 module is currently available. Because `fork` approach won't work on some platforms (JRuby, Windows etc), `md5_supported?` returns `false` on any platforms where FIPS mode is enabled and `Process.respond_to?(:fork)` is `false`. I've added a spec that simulates behavior when OpenSSL FIPS mode is active - an error message is output to STDERR and the process is killed with the `ABRT` signal.
rubygems · Feb 18, 2017 · 13f4cc1 · 13f4cc1
2 parents f23034b + 21b3358
commit 13f4cc1
Show file tree

Hide file tree

Showing 2 changed files with 38 additions and 15 deletions.
diff --git a/lib/bundler/fetcher/compact_index.rb b/lib/bundler/fetcher/compact_index.rb
@@ -122,14 +122,13 @@ def call(path, headers)
       end
 
       def md5_available?
-        begin
-          require "openssl"
-          return false if defined?(OpenSSL::OPENSSL_FIPS) && OpenSSL::OPENSSL_FIPS
-        rescue LoadError
-          nil
-        end
-
+        require "openssl"
+        OpenSSL::Digest::MD5.digest("")
+        true
+      rescue LoadError
         true
+      rescue OpenSSL::Digest::DigestError
+        false
       end
     end
   end

diff --git a/spec/bundler/fetcher/compact_index_spec.rb b/spec/bundler/fetcher/compact_index_spec.rb
@@ -3,8 +3,8 @@
 
 RSpec.describe Bundler::Fetcher::CompactIndex do
   let(:downloader)  { double(:downloader) }
-  let(:remote)      { double(:remote, :cache_slug => "lsjdf") }
   let(:display_uri) { URI("http://sampleuri.com") }
+  let(:remote)      { double(:remote, :cache_slug => "lsjdf", :uri => display_uri) }
   let(:compact_index) { described_class.new(downloader, remote, display_uri) }
 
   before do
@@ -26,17 +26,41 @@
     end
 
     describe "#available?" do
-      context "when OpenSSL is in FIPS mode", :ruby => ">= 2.0.0" do
-        before { stub_const("OpenSSL::OPENSSL_FIPS", true) }
+      before do
+        allow(compact_index).to receive(:compact_index_client).
+          and_return(double(:compact_index_client, :update_and_parse_checksums! => true))
+      end
+
+      it "returns true" do
+        expect(compact_index).to be_available
+      end
+
+      context "when OpenSSL is not available" do
+        before do
+          allow(compact_index).to receive(:require).with("openssl").and_raise(LoadError)
+        end
 
-        it "returns false" do
-          expect(compact_index).to_not be_available
+        it "returns true" do
+          expect(compact_index).to be_available
         end
+      end
+
+      context "when OpenSSL is FIPS-enabled", :ruby => ">= 2.0.0" do
+        before { stub_const("OpenSSL::OPENSSL_FIPS", true) }
+
+        context "when FIPS-mode is active" do
+          before do
+            allow(OpenSSL::Digest::MD5).to receive(:digest).
+              and_raise(OpenSSL::Digest::DigestError)
+          end
 
-        it "never requires digest/md5" do
-          expect(Kernel).to receive(:require).with("digest/md5").never
+          it "returns false" do
+            expect(compact_index).to_not be_available
+          end
+        end
 
-          compact_index.available?
+        it "returns true" do
+          expect(compact_index).to be_available
         end
       end
     end