Merge pull request #3850 from rubygems/openssl_one_more

Try to fix openssl availability issues on jruby

(cherry picked from commit 8fd5dee)

.github/workflows/install-rubygems.yml

@@ -26,11 +26,14 @@ jobs:
         run: ruby -Ilib -S rake install 2> errors.txt
       - name: Check rubygems install produced no warnings
         run: test ! -s errors.txt || (cat errors.txt && exit 1)
-      - name: Simulate no openssl
-        run: ruby util/remove_openssl.rb
+      - name: Run a local rubygems command
+        run: gem list bundler
+        env:
+          RUBYOPT: -Itest/rubygems/fake_certlib
         if: matrix.openssl == false
       - name: Run a local rubygems command
         run: gem list bundler
+        if: matrix.openssl == true
       - name: Run a remote rubygems command
         run: gem outdated
         if: matrix.openssl == true

bundler/Rakefile

@@ -188,7 +188,6 @@ end
 # We currently include the following changes over the official version:
 # * Avoid requiring the optional `net-http-pipeline` dependency, so that its version can be selected by end users.
 # * We also include changes to require the vendored dependencies `uri` and `connection_pool` relatively.
-# * Avoid autoloading `OpenSSL` since it causes problems on jruby.
 desc "Vendor a specific version of net-http-persistent"
 Automatiek::RakeTask.new("net-http-persistent") do |lib|
   lib.version = "v4.0.0"

bundler/lib/bundler/env.rb

@@ -105,7 +105,7 @@ def self.environment
       out << ["  User Home", Gem.user_home]
       out << ["  User Path", Gem.user_dir]
       out << ["  Bin Dir", Gem.bindir]
-      if defined?(OpenSSL)
+      if defined?(OpenSSL::SSL)
         out << ["OpenSSL"]
         out << ["  Compiled", OpenSSL::OPENSSL_VERSION] if defined?(OpenSSL::OPENSSL_VERSION)
         out << ["  Loaded", OpenSSL::OPENSSL_LIBRARY_VERSION] if defined?(OpenSSL::OPENSSL_LIBRARY_VERSION)

bundler/lib/bundler/vendor/net-http-persistent/lib/net/http/persistent.rb

@@ -3,6 +3,8 @@
 require 'cgi' # for escaping
 require_relative '../../../../connection_pool/lib/connection_pool'
 
+autoload :OpenSSL, 'openssl'
+
 ##
 # Persistent connections for Net::HTTP
 #
@@ -147,14 +149,9 @@ class Bundler::Persistent::Net::HTTP::Persistent
   EPOCH = Time.at 0 # :nodoc:
 
   ##
-  # Is OpenSSL available?
+  # Is OpenSSL available?  This test works with autoload
 
-  HAVE_OPENSSL = begin # :nodoc:
-                   require 'openssl'
-                   true
-                 rescue LoadError
-                   false
-                 end
+  HAVE_OPENSSL = defined? OpenSSL::SSL # :nodoc:
 
   ##
   # The default connection pool size is 1/4 the allowed open files

bundler/spec/bundler/env_spec.rb

@@ -1,6 +1,5 @@
 # frozen_string_literal: true
 
-require "openssl"
 require "bundler/settings"
 
 RSpec.describe Bundler::Env do

lib/rubygems/commands/cert_command.rb

@@ -311,4 +311,4 @@ def valid_email?(email)
     # It's simple, but is all we need
     email =~ /\A.+@.+\z/
   end
-end if defined?(OpenSSL::SSL)
+end if Gem::HAVE_OPENSSL

lib/rubygems/openssl.rb

@@ -1,7 +1,7 @@
 # frozen_string_literal: true
 
-begin
-  require "openssl"
-rescue LoadError => e
-  raise unless e.path == 'openssl'
+autoload :OpenSSL, "openssl"
+
+module Gem
+  HAVE_OPENSSL = defined? OpenSSL::SSL # :nodoc:
 end

lib/rubygems/remote_fetcher.rb

@@ -263,7 +263,7 @@ def fetch_path(uri, mtime = nil, head = false)
   rescue Timeout::Error
     raise UnknownHostError.new('timed out', uri)
   rescue IOError, SocketError, SystemCallError,
-         *(OpenSSL::SSL::SSLError if defined?(OpenSSL)) => e
+         *(OpenSSL::SSL::SSLError if Gem::HAVE_OPENSSL) => e
     if e.message =~ /getaddrinfo/
       raise UnknownHostError.new('no such name', uri)
     else

lib/rubygems/request.rb

@@ -45,7 +45,8 @@ def self.get_cert_files
   end
 
   def self.configure_connection_for_https(connection, cert_files)
-    require 'openssl'
+    raise Gem::Exception.new('OpenSSl is not available. Install OpenSSL and rebuild Ruby (preferred) or use non-HTTPS sources') unless Gem::HAVE_OPENSSL
+
     connection.use_ssl = true
     connection.verify_mode =
       Gem.configuration.ssl_verify_mode || OpenSSL::SSL::VERIFY_PEER
@@ -125,7 +126,7 @@ def self.verify_certificate_message(error_number, cert)
 
   def connection_for(uri)
     @connection_pool.checkout
-  rescue defined?(OpenSSL::SSL) ? OpenSSL::SSL::SSLError : Errno::EHOSTDOWN,
+  rescue Gem::HAVE_OPENSSL ? OpenSSL::SSL::SSLError : Errno::EHOSTDOWN,
          Errno::EHOSTDOWN => e
     raise Gem::RemoteFetcher::FetchError.new(e.message, uri)
   end

lib/rubygems/security.rb

@@ -592,7 +592,7 @@ def self.write(pemmable, path, permissions = 0600, passphrase = nil, cipher = KE
 
 end
 
-if defined?(OpenSSL::SSL)
+if Gem::HAVE_OPENSSL
   require 'rubygems/security/policy'
   require 'rubygems/security/policies'
   require 'rubygems/security/trust_dir'

lib/rubygems/test_case.rb

@@ -1504,7 +1504,7 @@ def self.key_path(key_name)
     PRIVATE_KEY = nil
     PUBLIC_KEY  = nil
     PUBLIC_CERT = nil
-  end if defined?(OpenSSL::SSL)
+  end if Gem::HAVE_OPENSSL
 end
 
 require 'rubygems/test_utilities'

test/rubygems/test_bundled_ca.rb

@@ -3,7 +3,7 @@
 require 'net/http'
 require 'rubygems/openssl'
 
-unless defined?(OpenSSL::SSL)
+unless Gem::HAVE_OPENSSL
   warn 'Skipping bundled certificates tests.  openssl not found.'
 end
 
@@ -53,4 +53,4 @@ def test_accessing_fastly
   def test_accessing_new_index
     assert_https('fastly.rubygems.org')
   end
-end if defined?(OpenSSL::SSL)
+end if Gem::HAVE_OPENSSL

test/rubygems/test_gem_commands_build_command.rb

@@ -390,7 +390,7 @@ def test_execute_force
   end
 
   def test_build_signed_gem
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL) && !java_platform?
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL && !java_platform?
 
     trust_dir = Gem::Security.trust_dir
 
@@ -417,7 +417,7 @@ def test_build_signed_gem
   end
 
   def test_build_signed_gem_with_cert_expiration_length_days
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL) && !java_platform?
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL && !java_platform?
 
     gem_path = File.join Gem.user_home, ".gem"
     Dir.mkdir gem_path
@@ -461,7 +461,7 @@ def test_build_signed_gem_with_cert_expiration_length_days
   end
 
   def test_build_auto_resign_cert
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL) && !java_platform?
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL && !java_platform?
 
     gem_path = File.join Gem.user_home, ".gem"
     Dir.mkdir gem_path

test/rubygems/test_gem_commands_cert_command.rb

@@ -2,7 +2,7 @@
 require 'rubygems/test_case'
 require 'rubygems/commands/cert_command'
 
-unless defined?(OpenSSL::SSL)
+unless Gem::HAVE_OPENSSL
   warn 'Skipping `gem cert` tests.  openssl not found.'
 end
 
@@ -805,4 +805,4 @@ def test_handle_options_sign_nonexistent
     assert_equal "invalid argument: --sign #{nonexistent}: does not exist",
                  e.message
   end
-end if defined?(OpenSSL::SSL) && !Gem.java_platform?
+end if Gem::HAVE_OPENSSL && !Gem.java_platform?

test/rubygems/test_gem_commands_help_command.rb

@@ -43,7 +43,7 @@ def test_gem_help_commands
         assert_match(/\s+#{cmd}\s+\S+/, out)
       end
 
-      if defined?(OpenSSL::SSL)
+      if Gem::HAVE_OPENSSL
         assert_empty err
 
         refute_match 'No command found for ', out

test/rubygems/test_gem_dependency_installer.rb

@@ -842,7 +842,7 @@ def test_install_platform_is_ignored_when_a_file_is_specified
 
   require 'rubygems/openssl'
 
-  if defined? OpenSSL
+  if Gem::HAVE_OPENSSL
     def test_install_security_policy
       util_setup_gems
 

test/rubygems/test_gem_install_update_options.rb

@@ -30,7 +30,7 @@ def test_add_install_update_options
 
     args.concat %w[--vendor] unless Gem.java_platform?
 
-    args.concat %w[-P HighSecurity] if defined?(OpenSSL::SSL)
+    args.concat %w[-P HighSecurity] if Gem::HAVE_OPENSSL
 
     assert @cmd.handles?(args)
   end
@@ -92,15 +92,15 @@ def test_document_rdoc
   end
 
   def test_security_policy
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     @cmd.handle_options %w[-P HighSecurity]
 
     assert_equal Gem::Security::HighSecurity, @cmd.options[:security_policy]
   end
 
   def test_security_policy_unknown
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     @cmd.add_install_update_options
 

test/rubygems/test_gem_installer.rb

@@ -287,7 +287,7 @@ def test_ensure_loadable_spec
   end
 
   def test_ensure_loadable_spec_security_policy
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     _, a_gem = util_gem 'a', 2 do |s|
       s.add_dependency 'garbage ~> 5'

test/rubygems/test_gem_package.rb

@@ -252,7 +252,7 @@ def test_build
   end
 
   def test_build_auto_signed
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     FileUtils.mkdir_p File.join(Gem.user_home, '.gem')
 
@@ -295,7 +295,7 @@ def test_build_auto_signed
   end
 
   def test_build_auto_signed_encrypted_key
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     FileUtils.mkdir_p File.join(Gem.user_home, '.gem')
 
@@ -364,7 +364,7 @@ def test_build_invalid_arguments
   end
 
   def test_build_signed
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     spec = Gem::Specification.new 'build', '1'
     spec.summary = 'build'
@@ -401,7 +401,7 @@ def test_build_signed
   end
 
   def test_build_signed_encrypted_key
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     spec = Gem::Specification.new 'build', '1'
     spec.summary = 'build'
@@ -957,7 +957,7 @@ def test_verify_duplicate_file
   end
 
   def test_verify_security_policy
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     package = Gem::Package.new @gem
     package.security_policy = Gem::Security::HighSecurity
@@ -974,7 +974,7 @@ def test_verify_security_policy
   end
 
   def test_verify_security_policy_low_security
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     @spec.cert_chain = [PUBLIC_CERT.to_pem]
     @spec.signing_key = PRIVATE_KEY
@@ -994,7 +994,7 @@ def test_verify_security_policy_low_security
   end
 
   def test_verify_security_policy_checksum_missing
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     @spec.cert_chain = [PUBLIC_CERT.to_pem]
     @spec.signing_key = PRIVATE_KEY

test/rubygems/test_gem_package_old.rb

@@ -23,7 +23,7 @@ def test_contents
     end
 
     def test_contents_security_policy
-      skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+      skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
       @package.security_policy = Gem::Security::AlmostNoSecurity
 
@@ -44,7 +44,7 @@ def test_extract_files
     end
 
     def test_extract_files_security_policy
-      skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+      skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
       @package.security_policy = Gem::Security::AlmostNoSecurity
 
@@ -58,7 +58,7 @@ def test_spec
     end
 
     def test_spec_security_policy
-      skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+      skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
       @package.security_policy = Gem::Security::AlmostNoSecurity
 
@@ -68,7 +68,7 @@ def test_spec_security_policy
     end
 
     def test_verify
-      skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+      skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
       assert @package.verify
 

test/rubygems/test_gem_package_tar_writer.rb

@@ -117,7 +117,7 @@ def test_add_file_digest_multiple
   end
 
   def test_add_file_signer
-    skip 'openssl is missing' unless defined?(OpenSSL::SSL)
+    skip 'openssl is missing' unless Gem::HAVE_OPENSSL
 
     signer = Gem::Security::Signer.new PRIVATE_KEY, [PUBLIC_CERT]
 

test/rubygems/test_gem_remote_fetcher.rb

@@ -2,13 +2,9 @@
 require 'rubygems/test_case'
 
 require 'webrick'
-begin
-  require 'webrick/https'
-rescue LoadError => e
-  raise unless e.path == 'openssl'
-end
+require 'webrick/https' if Gem::HAVE_OPENSSL
 
-unless defined?(OpenSSL::SSL)
+unless Gem::HAVE_OPENSSL
   warn 'Skipping Gem::RemoteFetcher tests.  openssl not found.'
 end
 
@@ -1145,4 +1141,4 @@ def cert(filename)
   def key(filename)
     OpenSSL::PKey::RSA.new(File.read(File.join(__dir__, filename)))
   end
-end if defined?(OpenSSL::SSL)
+end if Gem::HAVE_OPENSSL

test/rubygems/test_gem_request.rb

@@ -4,7 +4,7 @@
 require 'ostruct'
 require 'base64'
 
-unless defined?(OpenSSL::SSL)
+unless Gem::HAVE_OPENSSL
   warn 'Skipping Gem::Request tests.  openssl not found.'
 end
 
@@ -506,4 +506,4 @@ def request(req)
       @response
     end
   end
-end if defined?(OpenSSL::SSL)
+end if Gem::HAVE_OPENSSL