123456789_123456789_123456789_123456789_123456789_

Class: Gem::Package

Relationships & Source Files
Namespace Children
Classes:
DigestIO, FileSource, IOSource, Old, Source, TarHeader, TarReader, TarTestCase, TarWriter
Exceptions:
Error, FormatError, NonSeekableIO, PathError, TarInvalidError, TooLongFileName
Extension / Inclusion / Inheritance Descendants
Subclasses:
Old
Super Chains via Extension / Inclusion / Inheritance
Instance Chain:
self, UserInteraction, DefaultUserInteraction, Text
Inherits: Object
Defined in: lib/rubygems/package.rb

Class Method Summary

Instance Attribute Summary

DefaultUserInteraction - Included

#ui

See DefaultUserInteraction.ui
#ui=

See DefaultUserInteraction.ui=

Instance Method Summary

UserInteraction - Included

#alert

Displays an alert statement.
#alert_error

Displays an error statement to the error output location.
#alert_warning

Displays a warning statement to the warning output location.
#ask

Asks a question and returns the answer.
#ask_for_password

Asks for a password with a prompt
#ask_yes_no

Asks a yes or no question.
#choose_from_list

Asks the user to answer question with an answer from the given list.
#say

Displays the given statement on the standard output (or equivalent).
#terminate_interaction

Terminates the RubyGems process with the given exit_code
#verbose

Calls say with msg or the results of the block if really_verbose is true.

DefaultUserInteraction - Included

#use_ui

See DefaultUserInteraction.use_ui

Text - Included

#clean_text

Remove any non-printable characters and make the text suitable for printing.
#format_text

Wraps text to wrap characters and optionally indents by indent characters.
#levenshtein_distance

This code is based directly on the Text gem implementation Returns a value representing the “cost” of transforming str1 into str2.
#truncate_text, #min3

Constructor Details

.new(gem, security_policy = nil) ⇒ Package

Creates a new Package for the file at gem. gem can also be provided as an IO object.

If gem is an existing file in the old format a Package::Old will be returned.

[ GitHub ] 

  


# File 'lib/rubygems/package.rb', line 139



def self.new(gem, security_policy = nil)
  gem = if gem.is_a?(Gem::Package::Source)
          gem
        elsif gem.respond_to? :read
          Gem::Package::IOSource.new gem
        else
          Gem::Package::FileSource.new gem
        end

  return super unless Gem::Package == self
  return super unless gem.present?

  return super unless gem.start
  return super unless gem.start.include? 'MD5SUM ='

  Gem::Package::Old.new gem
end


  






  

  

    #initialize(gem, security_policy)  ⇒ Package 
  



  

    

Creates a new package that will read or write to the file gem.


  





  


  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 160



def initialize(gem, security_policy) # :notnew:
  @gem = gem

  @build_time      = ENV["SOURCE_DATE_EPOCH"] ? Time.at(ENV["SOURCE_DATE_EPOCH"].to_i).utc : Time.now
  @checksums       = {}
  @contents        = nil
  @digests         = Hash.new { |h, algorithm| h[algorithm] = {} }
  @files           = nil
  @security_policy = security_policy
  @signatures      = {}
  @signer          = nil
  @spec            = nil
end


  







Class Method Details



  

    .build(spec, skip_validation = false, strict_validation = false, file_name = nil)  
  

  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 122



def self.build(spec, skip_validation = false, strict_validation = false, file_name = nil)
  gem_file = file_name || spec.file_name

  package = new gem_file
  package.spec = spec
  package.build skip_validation, strict_validation

  gem_file
end


  







Instance Attribute Details



  

    #build_time   (rw)
  

  

    This method is for internal use only.
  

  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 87



attr_accessor :build_time # :nodoc:


  








  

    #checksums   (readonly)
  



  

    

Checksums for the contents of the package


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 92



attr_reader :checksums


  








  

    #data_mode   (rw)
  



  

    

Permission for other files


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 120



attr_accessor :data_mode


  








  

    #dir_mode   (rw)
  



  

    

Permission for directories


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 112



attr_accessor :dir_mode


  








  

    #files   (readonly)
  



  

    

The files in this package.  This is not the contents of the gem, just the files in the top-level container.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 98



attr_reader :files


  








  

    #prog_mode   (rw)
  



  

    

Permission for program files


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 116



attr_accessor :prog_mode


  








  

    #security_policy   (rw)
  



  

    

The security policy used for verifying the contents of this package.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 103



attr_accessor :security_policy


  








  

    #spec   (rw)
  



  

    

The spec for this gem.



If this is a package for a built gem the spec is loaded from the gem and returned.  If this is a package for a gem being built the provided spec is returned.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 570



def spec
  verify unless @spec

  @spec
end


  








  

    #spec=(value)   (rw)
  



  

    

Sets the Specification to use to build this package.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 108



attr_writer :spec


  







Instance Method Details



  

    #add_checksums(tar)  
  



  

    

Adds a checksum for each entry in the gem to checksums.yaml.gz.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 184



def add_checksums(tar)
  Gem.load_yaml

  checksums_by_algorithm = Hash.new { |h, algorithm| h[algorithm] = {} }

  @checksums.each do |name, digests|
    digests.each do |algorithm, digest|
      checksums_by_algorithm[algorithm][name] = digest.hexdigest
    end
  end

  tar.add_file_signed 'checksums.yaml.gz', 0444, @signer do |io|
    gzip_to io do |gz_io|
      YAML.dump checksums_by_algorithm, gz_io
    end
  end
end


  








  

    #add_contents(tar)  
  

  

    This method is for internal use only.
  



  

    

Adds the files listed in the packages’s Specification to data.tar.gz and adds this file to the tar.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 206



def add_contents(tar) # :nodoc:
  digests = tar.add_file_signed 'data.tar.gz', 0444, @signer do |io|
    gzip_to io do |gz_io|
      Gem::Package::TarWriter.new gz_io do |data_tar|
        add_files data_tar
      end
    end
  end

  @checksums['data.tar.gz'] = digests
end


  








  

    #add_files(tar)  
  

  

    This method is for internal use only.
  



  

    

Adds files included the package’s Specification to the tar file


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 221



def add_files(tar) # :nodoc:
  @spec.files.each do |file|
    stat = File.lstat file

    if stat.symlink?
      target_path = File.readlink(file)

      unless target_path.start_with? '.'
        relative_dir = File.dirname(file).sub("#{Dir.pwd}/", '')
        target_path = File.join(relative_dir, target_path)
      end

      tar.add_symlink file, target_path, stat.mode
    end

    next unless stat.file?

    tar.add_file_simple file, stat.mode, stat.size do |dst_io|
      File.open file, 'rb' do |src_io|
        dst_io.write src_io.read 16384 until src_io.eof?
      end
    end
  end
end


  








  

    #add_metadata(tar)  
  

  

    This method is for internal use only.
  



  

    

Adds the package’s Specification to the tar file


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 249



def add_metadata(tar) # :nodoc:
  digests = tar.add_file_signed 'metadata.gz', 0444, @signer do |io|
    gzip_to io do |gz_io|
      gz_io.write @spec.to_yaml
    end
  end

  @checksums['metadata.gz'] = digests
end


  








  

    #build(skip_validation = false, strict_validation = false)  
  



  

    

Builds this package based on the specification set by #spec=


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 262



def build(skip_validation = false, strict_validation = false)
  raise ArgumentError, "skip_validation = true and strict_validation = true are incompatible" if skip_validation && strict_validation

  Gem.load_yaml
  require 'rubygems/security'

  @spec.mark_version
  @spec.validate true, strict_validation unless skip_validation

  setup_signer(
    signer_options: {
      expiration_length_days: Gem.configuration.cert_expiration_length_days
    }
  )

  @gem.with_write_io do |gem_io|
    Gem::Package::TarWriter.new gem_io do |gem|
      add_metadata gem
      add_contents gem
      add_checksums gem
    end
  end

  say <<-EOM
Successfully built RubyGem
Name: #{@spec.name}
Version: #{@spec.version}
File: #{File.basename @gem.path}
EOM
ensure
  @signer = nil
end


  








  

    #contents  
  



  

    

A list of file names contained in this gem


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 298



def contents
  return @contents if @contents

  verify unless @spec

  @contents = []

  @gem.with_read_io do |io|
    gem_tar = Gem::Package::TarReader.new io

    gem_tar.each do |entry|
      next unless entry.full_name == 'data.tar.gz'

      open_tar_gz entry do |pkg_tar|
        pkg_tar.each do |contents_entry|
          @contents << contents_entry.full_name
        end
      end

      return @contents
    end
  end
end


  








  

    #copy_to(path)  
  



  

    

Copies this package to Gem.path (if possible)


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 177



def copy_to(path)
  FileUtils.cp @gem.path, path unless File.exist? path
end


  








  

    #digest(entry)  
  

  

    This method is for internal use only.
  



  

    

Creates a digest of the TarEntry entry from the digest algorithm set by the security policy.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 326



def digest(entry) # :nodoc:
  algorithms = if @checksums
                 @checksums.keys
               else
                 [Gem::Security::DIGEST_NAME].compact
               end

  algorithms.each do |algorithm|
    digester =
      if defined?(OpenSSL::Digest)
        OpenSSL::Digest.new algorithm
      else
        Digest.const_get(algorithm).new
      end

    digester << entry.read(16384) until entry.eof?

    entry.rewind

    @digests[algorithm][entry.full_name] = digester
  end

  @digests
end


  








  

    #extract_files(destination_dir, pattern = "*")  
  



  

    

Extracts the files in this package into destination_dir



If pattern is specified, only entries matching that glob will be extracted.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 357



def extract_files(destination_dir, pattern = "*")
  verify unless @spec

  FileUtils.mkdir_p destination_dir, :mode => dir_mode && 0755

  @gem.with_read_io do |io|
    reader = Gem::Package::TarReader.new io

    reader.each do |entry|
      next unless entry.full_name == 'data.tar.gz'

      extract_tar_gz entry, destination_dir, pattern

      return # ignore further entries
    end
  end
end


  








  

    #extract_tar_gz(io, destination_dir, pattern = "*")  
  

  

    This method is for internal use only.
  



  

    

Extracts all the files in the gzipped tar archive io into destination_dir.



If an entry in the archive contains a relative path above destination_dir or an absolute path is encountered an exception is raised.



If pattern is specified, only entries matching that glob will be extracted.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 386



def extract_tar_gz(io, destination_dir, pattern = "*") # :nodoc:
  directories = [] if dir_mode
  open_tar_gz io do |tar|
    tar.each do |entry|
      next unless File.fnmatch pattern, entry.full_name, File::FNM_DOTMATCH

      destination = install_location entry.full_name, destination_dir

      FileUtils.rm_rf destination

      mkdir_options = {}
      mkdir_options[:mode] = dir_mode ? 0755 : (entry.header.mode if entry.directory?)
      mkdir =
        if entry.directory?
          destination
        else
          File.dirname destination
        end
      directories << mkdir if directories

      mkdir_p_safe mkdir, mkdir_options, destination_dir, entry.full_name

      File.open destination, 'wb' do |out|
        out.write entry.read
        FileUtils.chmod file_mode(entry.header.mode), destination
      end if entry.file?

      File.symlink(entry.header.linkname, destination) if entry.symlink?

      verbose destination
    end
  end

  if directories
    directories.uniq!
    File.chmod(dir_mode, *directories)
  end
end


  








  

    #file_mode(mode)  
  

  

    This method is for internal use only.
  

  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 425



def file_mode(mode) # :nodoc:
  ((mode & 0111).zero? ? data_mode : prog_mode) || mode
end


  








  

    #gzip_to(io)  
  



  

    

Gzips content written to gz_io to io.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 435



def gzip_to(io) # :yields: gz_io
  gz_io = Zlib::GzipWriter.new io, Zlib::BEST_COMPRESSION
  gz_io.mtime = @build_time

  yield gz_io
ensure
  gz_io.close
end


  








  

    #install_location(filename, destination_dir)  
  

  

    This method is for internal use only.
  



  

    

Returns the full path for installing filename.



If filename is not inside destination_dir an exception is raised.


  





  
Raises:





  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 449



def install_location(filename, destination_dir) # :nodoc:
  raise Gem::Package::PathError.new(filename, destination_dir) if
    filename.start_with? '/'

  destination_dir = File.expand_path(File.realpath(destination_dir))
  destination = File.expand_path(File.join(destination_dir, filename))

  raise Gem::Package::PathError.new(destination, destination_dir) unless
    destination.start_with? destination_dir + '/'

  begin
    real_destination = File.expand_path(File.realpath(destination))
  rescue
    # it's fine if the destination doesn't exist, because rm -rf'ing it can't cause any damage
    nil
  else
    raise Gem::Package::PathError.new(real_destination, destination_dir) unless
      real_destination.start_with? destination_dir + '/'
  end

  destination.untaint
  destination
end


  








  

    #load_spec(entry)  
  

  

    This method is for internal use only.
  



  

    

Loads a Specification from the TarEntry entry


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 500



def load_spec(entry) # :nodoc:
  case entry.full_name
  when 'metadata' then
    @spec = Gem::Specification.from_yaml entry.read
  when 'metadata.gz' then
    args = [entry]
    args << { :external_encoding => Encoding::UTF_8 } if
      Zlib::GzipReader.method(:wrap).arity != 1

    Zlib::GzipReader.wrap(*args) do |gzio|
      @spec = Gem::Specification.from_yaml gzio.read
    end
  end
end


  








  

    #mkdir_p_safe(mkdir, mkdir_options, destination_dir, file_name)  
  

  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 481



def mkdir_p_safe(mkdir, mkdir_options, destination_dir, file_name)
  destination_dir = File.realpath(File.expand_path(destination_dir))
  parts = mkdir.split(File::SEPARATOR)
  parts.reduce do |path, basename|
    path = File.realpath(path) unless path == ""
    path = File.expand_path(path + File::SEPARATOR + basename)
    lstat = File.lstat path rescue nil
    if !lstat || !lstat.directory?
      unless normalize_path(path).start_with? normalize_path(destination_dir) and (FileUtils.mkdir path, mkdir_options rescue false)
        raise Gem::Package::PathError.new(file_name, destination_dir)
      end
    end
    path
  end
end


  








  

    #normalize_path(pathname)  
  

  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 473



def normalize_path(pathname)
  if Gem.win_platform?
    pathname.downcase
  else
    pathname
  end
end


  








  

    #open_tar_gz(io)  
  

  

    This method is for internal use only.
  



  

    

Opens io as a gzipped tar archive


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 518



def open_tar_gz(io) # :nodoc:
  Zlib::GzipReader.wrap io do |gzio|
    tar = Gem::Package::TarReader.new gzio

    yield tar
  end
end


  








  

    #read_checksums(gem)  
  



  

    

Reads and loads checksums.yaml.gz from the tar file gem


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 529



def read_checksums(gem)
  Gem.load_yaml

  @checksums = gem.seek 'checksums.yaml.gz' do |entry|
    Zlib::GzipReader.wrap entry do |gz_io|
      Gem::SafeYAML.safe_load gz_io.read
    end
  end
end


  








  

    #setup_signer(signer_options: {})  
  



  

    

Prepares the gem for signing and checksum generation.  If a signing certificate and key are not present only checksum generation is set up.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 543



def setup_signer(signer_options: {})
  passphrase = ENV['GEM_PRIVATE_KEY_PASSPHRASE']
  if @spec.signing_key
    @signer =
      Gem::Security::Signer.new(
        @spec.signing_key,
        @spec.cert_chain,
        passphrase,
        signer_options
      )

    @spec.signing_key = nil
    @spec.cert_chain = @signer.cert_chain.map { |cert| cert.to_s }
  else
    @signer = Gem::Security::Signer.new nil, nil, passphrase
    @spec.cert_chain = @signer.cert_chain.map { |cert| cert.to_pem } if
      @signer.cert_chain
  end
end


  








  

    #verify  
  



  

    

Verifies that this gem:


  • 

    Contains a valid gem specification
    

  • 

    Contains a contents archive
    

  • 

    The contents archive is not corrupt
    




After verification the gem specification from the gem is available from #spec


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 586



def verify
  @files     = []
  @spec      = nil

  @gem.with_read_io do |io|
    Gem::Package::TarReader.new io do |reader|
      read_checksums reader

      verify_files reader
    end
  end

  verify_checksums @digests, @checksums

  @security_policy.verify_signatures @spec, @digests, @signatures if
    @security_policy

  true
rescue Gem::Security::Exception
  @spec = nil
  @files = []
  raise
rescue Errno::ENOENT => e
  raise Gem::Package::FormatError.new e.message
rescue Gem::Package::TarInvalidError => e
  raise Gem::Package::FormatError.new e.message, @gem
end


  








  

    #verify_checksums(digests, checksums)  
  

  

    This method is for internal use only.
  



  

    

Verifies the #checksums against the digests.  This check is not cryptographically secure.  Missing checksums are ignored.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 618



def verify_checksums(digests, checksums) # :nodoc:
  return unless checksums

  checksums.sort.each do |algorithm, gem_digests|
    gem_digests.sort.each do |file_name, gem_hexdigest|
      computed_digest = digests[algorithm][file_name]

      unless computed_digest.hexdigest == gem_hexdigest
        raise Gem::Package::FormatError.new \
          "#{algorithm} checksum mismatch for #{file_name}", @gem
      end
    end
  end
end


  








  

    #verify_entry(entry)  
  



  

    

Verifies entry in a .gem file.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 636



def verify_entry(entry)
  file_name = entry.full_name
  @files << file_name

  case file_name
  when /\.sig$/ then
    @signatures[$`] = entry.read if @security_policy
    return
  else
    digest entry
  end

  case file_name
  when "metadata", "metadata.gz" then
    load_spec entry
  when 'data.tar.gz' then
    verify_gz entry
  end
rescue => e
  message = "package is corrupt, exception while verifying: " +
            "#{e.message} (#{e.class})"
  raise Gem::Package::FormatError.new message, @gem
end


  








  

    #verify_files(gem)  
  



  

    

Verifies the files of the gem


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 663



def verify_files(gem)
  gem.each do |entry|
    verify_entry entry
  end

  unless @spec
    raise Gem::Package::FormatError.new 'package metadata is missing', @gem
  end

  unless @files.include? 'data.tar.gz'
    raise Gem::Package::FormatError.new \
            'package content (data.tar.gz) is missing', @gem
  end

  if duplicates = @files.group_by {|f| f }.select {|k,v| v.size > 1 }.map(&:first) and duplicates.any?
    raise Gem::Security::Exception, "duplicate files in the package: (#{duplicates.map(&:inspect).join(', ')})"
  end
end


  








  

    #verify_gz(entry)  
  

  

    This method is for internal use only.
  



  

    

Verifies that entry is a valid gzipped file.


  



  [ GitHub ]


  

  


# File 'lib/rubygems/package.rb', line 685



def verify_gz(entry) # :nodoc:
  Zlib::GzipReader.wrap entry do |gzio|
    gzio.read 16384 until gzio.eof? # gzip checksum verification
  end
rescue Zlib::GzipFile::Error => e
  raise Gem::Package::FormatError.new(e.message, entry.full_name)
end