123456789_123456789_123456789_123456789_123456789_

Class: Gem::Commands::CertCommand

Relationships & Source Files
Super Chains via Extension / Inclusion / Inheritance
Class Chain:
Instance Chain:
Inherits: Gem::Command
Defined in: lib/rubygems/commands/cert_command.rb

Constant Summary

::Gem::Command - Inherited

HELP

Class Attribute Summary

::Gem::Command - Inherited

.build_args

Arguments used when building gems.

.build_args=, .extra_args, .extra_args=

Class Method Summary

::Gem::Command - Inherited

.add_common_option,
.add_specific_extra_args

Add a list of extra arguments for the given command.

.common_options,
.new

Initializes a generic gem command named command.

.specific_extra_args

Return an array of extra arguments for the command.

.specific_extra_args_hash

Accessor for the specific extra args hash (self initializing).

Instance Attribute Summary

::Gem::Command - Inherited

#command

The name of the command.

#defaults

The default options for the command.

#deprecated?,
#options

The options for the command.

#program_name

The name of the command for command-line invocation.

#summary

A short description of the command.

::Gem::DefaultUserInteraction - Included

Instance Method Summary

::Gem::Command - Inherited

#add_extra_args

Adds extra args from ~/.gemrc.

#add_option

Add a command-line option and handler to the command.

#arguments

Override to provide details of the arguments a command takes.

#begins?

True if long begins with the characters from short.

#check_deprecated_options,
#defaults_str

Override to display the default values of the command options.

#deprecate_option

Mark a command-line option as deprecated, and optionally specify a deprecation horizon.

#description

Override to display a longer description of what this command does.

#execute

Override to provide command handling.

#get_all_gem_names

Get all gem names from the command line.

#get_all_gem_names_and_versions

Get all [gem, version] from the command line.

#get_one_gem_name

Get a single gem name from the command line.

#get_one_optional_argument

Get a single optional argument from the command line.

#handle_options

Handle the given list of arguments by parsing them and recording the results.

#handles?

True if the command handles the given argument list.

#invoke

Invoke the command with the given list of arguments.

#invoke_with_build_args

Invoke the command with the given list of normal arguments and additional build arguments.

#merge_options

Merge a set of command options with the set of default options (without modifying the default option hash).

#remove_option

Remove previously defined command-line argument name.

#show_help

Display the help message for the command.

#show_lookup_failure

Display to the user that a gem couldn’t be found and reasons why –.

#usage

Override to display the usage for an individual gem command.

#when_invoked

Call the given block when invoked.

#add_parser_run_info

Adds a section with title and content to the parser help view.

#configure_options,
#create_option_parser

Creates an option parser and fills it in with the help info for the command.

#option_is_deprecated?,
#parser

Create on demand parser.

#wrap

Wraps text to width

#extract_gem_name_and_version, #add_parser_description, #add_parser_options, #add_parser_summary

::Gem::UserInteraction - Included

#alert

Displays an alert statement.

#alert_error

Displays an error statement to the error output location.

#alert_warning

Displays a warning statement to the warning output location.

#ask

Asks a question and returns the answer.

#ask_for_password

Asks for a password with a prompt

#ask_yes_no

Asks a yes or no question.

#choose_from_list

Asks the user to answer question with an answer from the given list.

#say

Displays the given statement on the standard output (or equivalent).

#terminate_interaction

Terminates the RubyGems process with the given exit_code

#verbose

Calls say with msg or the results of the block if really_verbose is true.

::Gem::DefaultUserInteraction - Included

::Gem::Text - Included

#clean_text

Remove any non-printable characters and make the text suitable for printing.

#format_text

Wraps text to wrap characters and optionally indents by indent characters.

#levenshtein_distance

Returns a value representing the “cost” of transforming str1 into str2 Vendored version of DidYouMean::Levenshtein.distance from the ruby/did_you_mean gem @ 1.4.0 github.com/ruby/did_you_mean/blob/2ddf39b874808685965dbc47d344cf6c7651807c/lib/did_you_mean/levenshtein.rb#L7-L37.

#truncate_text, #min3

Constructor Details

.newCertCommand

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 7

def initialize
  super "cert", "Manage RubyGems certificates and signing settings",
        :add => [], :remove => [], :list => [], :build => [], :sign => []

  add_option("-a", "--add CERT",
             "Add a trusted certificate.") do |cert_file, options|
    options[:add] << open_cert(cert_file)
  end

  add_option("-l", "--list [FILTER]",
             "List trusted certificates where the",
             "subject contains FILTER") do |filter, options|
    filter ||= ""

    options[:list] << filter
  end

  add_option("-r", "--remove FILTER",
             "Remove trusted certificates where the",
             "subject contains FILTER") do |filter, options|
    options[:remove] << filter
  end

  add_option("-b", "--build EMAIL_ADDR",
             "Build private key and self-signed",
             "certificate for EMAIL_ADDR") do |email_address, options|
    options[:build] << email_address
  end

  add_option("-C", "--certificate CERT",
             "Signing certificate for --sign") do |cert_file, options|
    options[:issuer_cert] = open_cert(cert_file)
    options[:issuer_cert_file] = cert_file
  end

  add_option("-K", "--private-key KEY",
             "Key for --sign or --build") do |key_file, options|
    options[:key] = open_private_key(key_file)
  end

  add_option("-A", "--key-algorithm ALGORITHM",
             "Select which key algorithm to use for --build") do |algorithm, options|
    options[:key_algorithm] = algorithm
  end

  add_option("-s", "--sign CERT",
             "Signs CERT with the key from -K",
             "and the certificate from -C") do |cert_file, options|
    raise Gem::OptionParser::InvalidArgument, "#{cert_file}: does not exist" unless
      File.file? cert_file

    options[:sign] << cert_file
  end

  add_option("-d", "--days NUMBER_OF_DAYS",
             "Days before the certificate expires") do |days, options|
    options[:expiration_length_days] = days.to_i
  end

  add_option("-R", "--re-sign",
             "Re-signs the certificate from -C with the key from -K") do |resign, options|
    options[:resign] = resign
  end
end

Instance Method Details

#add_certificate(certificate)

This method is for internal use only.
[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 72

def add_certificate(certificate) # :nodoc:
  Gem::Security.trust_dir.trust_cert certificate

  say "Added '#{certificate.subject}'"
end

#build(email)

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 138

def build(email)
  if !valid_email?(email)
    raise Gem::CommandLineError, "Invalid email address #{email}"
  end

  key, key_path = build_key
  cert_path = build_cert email, key

  say "Certificate: #{cert_path}"

  if key_path
    say "Private Key: #{key_path}"
    say "Don't forget to move the key file to somewhere private!"
  end
end

#build_cert(email, key)

This method is for internal use only.
[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 154

def build_cert(email, key) # :nodoc:
  expiration_length_days = options[:expiration_length_days] ||
                           Gem.configuration.cert_expiration_length_days

  cert = Gem::Security.create_cert_email(
    email,
    key,
    (Gem::Security::ONE_DAY * expiration_length_days)
  )

  Gem::Security.write cert, "gem-public_cert.pem"
end

#build_key

This method is for internal use only.
[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 167

def build_key # :nodoc:
  return options[:key] if options[:key]

  passphrase = ask_for_password "Passphrase for your Private Key:"
  say "\n"

  passphrase_confirmation = ask_for_password "Please repeat the passphrase for your Private Key:"
  say "\n"

  raise Gem::CommandLineError,
        "Passphrase and passphrase confirmation don't match" unless passphrase == passphrase_confirmation

  algorithm = options[:key_algorithm] || Gem::Security::DEFAULT_KEY_ALGORITHM
  key = Gem::Security.create_key(algorithm)
  key_path = Gem::Security.write key, "gem-private_key.pem", 0600, passphrase

  return key, key_path
end

#certificates_matching(filter)

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 186

def certificates_matching(filter)
  return enum_for __method__, filter unless block_given?

  Gem::Security.trusted_certificates.select do |certificate, _|
    subject = certificate.subject.to_s
    subject.downcase.index filter
  end.sort_by do |certificate, _|
    certificate.subject.to_a.map {|name, data,| [name, data] }
  end.each do |certificate, path|
    yield certificate, path
  end
end

#check_openssl

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 78

def check_openssl
  return if Gem::HAVE_OPENSSL

  alert_error "OpenSSL library is required for the cert command"
  terminate_interaction 1
end

#description

This method is for internal use only.
[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 199

def description # :nodoc:
  <<-EOF
The cert command manages signing keys and certificates for creating signed
gems.  Your signing certificate and private key are typically stored in
~/.gem/gem-public_cert.pem and ~/.gem/gem-private_key.pem respectively.

To build a certificate for signing gems:

gem cert --build you@example

If you already have an RSA key, or are creating a new certificate for an
existing key:

gem cert --build you@example --private-key /path/to/key.pem

If you wish to trust a certificate you can add it to the trust list with:

gem cert --add /path/to/cert.pem

You can list trusted certificates with:

gem cert --list

or:

gem cert --list cert_subject_substring

If you wish to remove a previously trusted certificate:

gem cert --remove cert_subject_substring

To sign another gem author's certificate:

gem cert --sign /path/to/other_cert.pem

For further reading on signing gems see `ri Gem::Security`.
  EOF
end

#execute

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 108

def execute
  check_openssl

  options[:add].each do |certificate|
    add_certificate certificate
  end

  options[:remove].each do |filter|
    remove_certificates_matching filter
  end

  options[:list].each do |filter|
    list_certificates_matching filter
  end

  options[:build].each do |email|
    build email
  end

  if options[:resign]
    re_sign_cert(
      options[:issuer_cert],
      options[:issuer_cert_file],
      options[:key]
    )
  end

  sign_certificates unless options[:sign].empty?
end

#list_certificates_matching(filter)

This method is for internal use only.
[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 238

def list_certificates_matching(filter) # :nodoc:
  certificates_matching filter do |certificate, _|
    # this could probably be formatted more gracefully
    say certificate.subject.to_s
  end
end

#load_default_cert

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 245

def load_default_cert
  cert_file = File.join Gem.default_cert_path
  cert = File.read cert_file
  options[:issuer_cert] = OpenSSL::X509::Certificate.new cert
rescue Errno::ENOENT
  alert_error \
    "--certificate not specified and ~/.gem/gem-public_cert.pem does not exist"

  terminate_interaction 1
rescue OpenSSL::X509::CertificateError
  alert_error \
    "--certificate not specified and ~/.gem/gem-public_cert.pem is not valid"

  terminate_interaction 1
end

#load_default_key

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 261

def load_default_key
  key_file = File.join Gem.default_key_path
  key = File.read key_file
  passphrase = ENV["GEM_PRIVATE_KEY_PASSPHRASE"]
  options[:key] = OpenSSL::PKey.read key, passphrase

rescue Errno::ENOENT
  alert_error \
    "--private-key not specified and ~/.gem/gem-private_key.pem does not exist"

  terminate_interaction 1
rescue OpenSSL::PKey::PKeyError
  alert_error \
    "--private-key not specified and ~/.gem/gem-private_key.pem is not valid"

  terminate_interaction 1
end

#load_defaults

This method is for internal use only.
[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 279

def load_defaults # :nodoc:
  load_default_cert unless options[:issuer_cert]
  load_default_key  unless options[:key]
end

#open_cert(certificate_file)

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 85

def open_cert(certificate_file)
  check_openssl
  OpenSSL::X509::Certificate.new File.read certificate_file
rescue Errno::ENOENT
  raise Gem::OptionParser::InvalidArgument, "#{certificate_file}: does not exist"
rescue OpenSSL::X509::CertificateError
  raise Gem::OptionParser::InvalidArgument,
    "#{certificate_file}: invalid X509 certificate"
end

#open_private_key(key_file)

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 95

def open_private_key(key_file)
  check_openssl
  passphrase = ENV["GEM_PRIVATE_KEY_PASSPHRASE"]
  key = OpenSSL::PKey.read File.read(key_file), passphrase
  raise Gem::OptionParser::InvalidArgument,
    "#{key_file}: private key not found" unless key.private?
  key
rescue Errno::ENOENT
  raise Gem::OptionParser::InvalidArgument, "#{key_file}: does not exist"
rescue OpenSSL::PKey::PKeyError, ArgumentError
  raise Gem::OptionParser::InvalidArgument, "#{key_file}: invalid RSA, DSA, or EC key"
end

#re_sign_cert(cert, cert_path, private_key)

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 313

def re_sign_cert(cert, cert_path, private_key)
  Gem::Security::Signer.re_sign_cert(cert, cert_path, private_key) do |expired_cert_path, new_expired_cert_path|
    alert("Your certificate #{expired_cert_path} has been re-signed")
    alert("Your expired certificate will be located at: #{new_expired_cert_path}")
  end
end

#remove_certificates_matching(filter)

This method is for internal use only.
[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 284

def remove_certificates_matching(filter) # :nodoc:
  certificates_matching filter do |certificate, path|
    FileUtils.rm path
    say "Removed '#{certificate.subject}'"
  end
end

#sign(cert_file)

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 291

def sign(cert_file)
  cert = File.read cert_file
  cert = OpenSSL::X509::Certificate.new cert

  permissions = File.stat(cert_file).mode & 0777

  issuer_cert = options[:issuer_cert]
  issuer_key = options[:key]

  cert = Gem::Security.sign cert, issuer_key, issuer_cert

  Gem::Security.write cert, cert_file, permissions
end

#sign_certificates

This method is for internal use only.
[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 305

def sign_certificates # :nodoc:
  load_defaults unless options[:sign].empty?

  options[:sign].each do |cert_file|
    sign cert_file
  end
end

#valid_email?(email) ⇒ Boolean (private)

[ GitHub ]

  
# File 'lib/rubygems/commands/cert_command.rb', line 322

def valid_email?(email)
  # It's simple, but is all we need
  email =~ /\A.@.\z/
end