Merge pull request #9050 from mhashizume/PUP-11718/main/old-rubies

joshcooper · web-flow · commit f7d2e26ebbec · 2023-04-12T15:17:38.000-07:00
(PUP-11718) Delete Ruby < 3.1 and OpenSSL < 1.1.1 code paths
diff --git a/Gemfile b/Gemfile
@@ -42,9 +42,9 @@ group(:test) do
   gem "rspec", "~> 3.1", require: false
   gem "rspec-expectations", ["~> 3.9", "!= 3.9.3"]
   gem "rspec-its", "~> 1.1", require: false
-  gem 'vcr', RUBY_VERSION.to_f >= 3.2 ? '~> 6.1' : '~> 5.0', require: false
+  gem 'vcr', '~> 6.1', require: false
   gem 'webmock', '~> 3.0', require: false
-  gem 'webrick', '~> 1.7', require: false if RUBY_VERSION.to_f >= 3.0
+  gem 'webrick', '~> 1.7', require: false
   gem 'yard', require: false
 
   gem 'rubocop', '1.28.0', require: false, platforms: [:ruby]
diff --git a/lib/puppet/ssl/ssl_provider.rb b/lib/puppet/ssl/ssl_provider.rb
@@ -235,7 +235,7 @@ def print(ssl_context, alg = 'SHA256')
   def default_flags
     # checking the signature of the self-signed cert doesn't add any security,
     # but it's a sanity check to make sure the cert isn't corrupt. This option
-    # is only available in openssl 1.1+
+    # is not available in JRuby's OpenSSL library.
     if defined?(OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE)
       OpenSSL::X509::V_FLAG_CHECK_SS_SIGNATURE
     else
diff --git a/lib/puppet/util.rb b/lib/puppet/util.rb
@@ -34,15 +34,10 @@ def default_env
   end
   module_function :default_env
 
-  if RUBY_VERSION >= "2.6"
-    def create_erb(content)
-      ERB.new(content, trim_mode: '-')
-    end
-  else
-    def create_erb(content)
-      ERB.new(content, 0, '-')
-    end
+  def create_erb(content)
+    ERB.new(content, trim_mode: '-')
   end
+
   module_function :create_erb
 
   # @param name [String] The name of the environment variable to retrieve
diff --git a/lib/puppet/util/monkey_patches.rb b/lib/puppet/util/monkey_patches.rb
@@ -29,39 +29,13 @@ def daemonize
   end
 end
 
-if RUBY_VERSION.to_f < 3.0
-  # absolute/relative were optimized to avoid chop_basename in ruby 3
-  # see https://github.com/ruby/ruby/commit/39312cf4d6c2ab3f07d688ad1a467c8f84b58db0
-  require 'pathname'
-  class Pathname
-    if File.dirname('A:') == 'A:.' # DOSish drive letter
-      ABSOLUTE_PATH = /\A(?:[A-Za-z]:|#{SEPARATOR_PAT})/o
-    else
-      ABSOLUTE_PATH = /\A#{SEPARATOR_PAT}/o
-    end
-    private_constant :ABSOLUTE_PATH
-
-    def absolute?
-      ABSOLUTE_PATH.match? @path
-    end
-
-    def relative?
-      !absolute?
-    end
-  end
-end
-
-# (#19151) Reject all SSLv2 ciphers and handshakes
 require_relative '../../puppet/ssl/openssl_loader'
 unless Puppet::Util::Platform.jruby_fips?
   class OpenSSL::SSL::SSLContext
     if DEFAULT_PARAMS[:options]
-      DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
+      DEFAULT_PARAMS[:options] |= OpenSSL::SSL::OP_NO_SSLv3
     else
-      DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3
-    end
-    if DEFAULT_PARAMS[:ciphers]
-      DEFAULT_PARAMS[:ciphers] << ':!SSLv2'
+      DEFAULT_PARAMS[:options] = OpenSSL::SSL::OP_NO_SSLv3
     end
 
     alias __original_initialize initialize
diff --git a/spec/unit/http/factory_spec.rb b/spec/unit/http/factory_spec.rb
@@ -140,7 +140,7 @@ def create_connection(site)
   end
 
   context 'tls' do
-    it "sets the minimum version to TLS 1.0", if: RUBY_VERSION.to_f >= 2.5 do
+    it "sets the minimum version to TLS 1.0" do
       conn = create_connection(site)
       expect(conn.min_version).to eq(OpenSSL::SSL::TLS1_VERSION)
     end
diff --git a/spec/unit/util/monkey_patches_spec.rb b/spec/unit/util/monkey_patches_spec.rb
@@ -29,21 +29,10 @@
 end
 
 describe OpenSSL::SSL::SSLContext do
-  it 'disables SSLv2 via the SSLContext#options bitmask' do
-    expect(subject.options & OpenSSL::SSL::OP_NO_SSLv2).to eq(OpenSSL::SSL::OP_NO_SSLv2)
-  end
-
   it 'disables SSLv3 via the SSLContext#options bitmask' do
     expect(subject.options & OpenSSL::SSL::OP_NO_SSLv3).to eq(OpenSSL::SSL::OP_NO_SSLv3)
   end
 
-  it 'explicitly disable SSLv2 ciphers using the ! prefix so they cannot be re-added' do
-    cipher_str = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]
-    if cipher_str
-      expect(cipher_str.split(':')).to include('!SSLv2')
-    end
-  end
-
   it 'does not exclude SSLv3 ciphers shared with TLSv1' do
     cipher_str = OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers]
     if cipher_str
@@ -55,13 +44,6 @@
     expect_any_instance_of(described_class).to receive(:set_params)
     subject
   end
-
-  it 'has no ciphers with version SSLv2 enabled' do
-    ciphers = subject.ciphers.select do |name, version, bits, alg_bits|
-      /SSLv2/.match(version)
-    end
-    expect(ciphers).to be_empty
-  end
 end
 
 
