aspera-cli 4.5.0 → 4.8.0

data/lib/aspera/secret_hider.rb

@@ -0,0 +1,68 @@
+# frozen_string_literal: true
+
+require 'logger'
+
+module Aspera
+  # remove secret from logs and output
+  class SecretHider
+    # display string for hidden secrets
+    HIDDEN_PASSWORD = '🔑'
+    # keys in hash that contain secrets
+    SECRET_KEYWORDS = %w[password secret private_key passphrase].freeze
+    # regex that define namec captures :begin and :end
+    REGEX_LOG_REPLACES=[
+      # replace values in logs with rendered JSON
+      /(?<begin>["':][^"]*(#{SECRET_KEYWORDS.join('|')})[^"]*["']?[=>: ]+")[^"]+(?<end>")/,
+      # option "secret"
+      /(?<begin>"[^"]*(secret)[^"]*"=>{)[^}]+(?<end>})/,
+      # option "secrets"
+      /(?<begin>(secrets)={)[^}]+(?<end>})/,
+      # private key values
+      /(?<begin>--+BEGIN .+ KEY--+)[[:ascii:]]+?(?<end>--+?END .+ KEY--+)/
+    ].freeze
+    private_constant :HIDDEN_PASSWORD,:SECRET_KEYWORDS
+    @log_secrets = false
+    class << self
+      attr_accessor :log_secrets
+      def log_formatter(original_formatter)
+        original_formatter ||= Logger::Formatter.new
+        # note that @log_secrets may be set AFTER this init is done, so it's done at runtime
+        return lambda do |severity, datetime, progname, msg|
+          if msg.is_a?(String) && !@log_secrets
+            REGEX_LOG_REPLACES.each do |regx|
+              msg = msg.gsub(regx){"#{Regexp.last_match(:begin)}#{HIDDEN_PASSWORD}#{Regexp.last_match(:end)}"}
+            end
+          end
+          original_formatter.call(severity, datetime, progname, msg)
+        end
+      end
+
+      def secret?(keyword,value)
+        keyword=keyword.to_s if keyword.is_a?(Symbol)
+        # only Strings can be secrets, not booleans, or hash, arrays
+        keyword.is_a?(String) && SECRET_KEYWORDS.any?{|kw|keyword.include?(kw)} && value.is_a?(String)
+      end
+
+      def deep_remove_secret(obj,is_name_value: false)
+        case obj
+        when Array
+          if is_name_value
+            obj.each do |i|
+              i['value']=HIDDEN_PASSWORD if secret?(i['parameter'],i['value'])
+            end
+          else
+            obj.each{|i|deep_remove_secret(i)}
+          end
+        when Hash
+          obj.each do |k,v|
+            if secret?(k,v)
+              obj[k] = HIDDEN_PASSWORD
+            elsif obj[k].is_a?(Hash)
+              deep_remove_secret(obj[k])
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/aspera/ssh.rb

@@ -1,9 +1,12 @@
+# frozen_string_literal: true
+
 require 'net/ssh'
 
 # Hack: deactivate ed25519 and ecdsa private keys from ssh identities, as it usually hurts
 begin
-module Net; module SSH; module Authentication; class Session; private def default_keys; %w(~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa);end;end;end;end;end
-rescue
+  module Net;module SSH;module Authentication;class Session;private; def default_keys; %w[~/.ssh/id_dsa ~/.ssh/id_rsa ~/.ssh2/id_dsa ~/.ssh2/id_rsa];end;end;end;end;end # rubocop:disable Layout/AccessModifierIndentation, Layout/EmptyLinesAroundAccessModifier, Layout/LineLength
+rescue StandardError
+  # ignore errors
 end
 
 module Aspera
@@ -14,40 +17,41 @@ module Aspera
     # see: https://net-ssh.github.io/net-ssh/classes/Net/SSH.html#method-c-start
     def initialize(host,username,ssh_options)
       Log.log.debug("ssh:#{username}@#{host}")
-      @host=host
-      @username=username
-      @ssh_options=ssh_options
-      @ssh_options[:logger]=Log.log
+      @host = host
+      @username = username
+      @ssh_options = ssh_options
+      @ssh_options[:logger] = Log.log
     end
 
     def execute(cmd,input=nil)
       if cmd.is_a?(Array)
         # concatenate arguments, enclose in double quotes
-        cmd=cmd.map{|v|'"'+v+'"'}.join(" ")
+        cmd = cmd.map{|v|%Q("#{v}")}.join(' ')
       end
       Log.log.debug("cmd=#{cmd}")
-      response = ''
+      response = []
       Net::SSH.start(@host, @username, @ssh_options) do |session|
-        ssh_channel=session.open_channel do |channel|
+        ssh_channel = session.open_channel do |channel|
           # prepare stdout processing
-          channel.on_data{|chan,data|response << data}
+          channel.on_data{|_chan,data|response.push(data)}
           # prepare stderr processing, stderr if type = 1
-          channel.on_extended_data do |chan, type, data|
-            errormsg="#{cmd}: [#{data.chomp}]"
+          channel.on_extended_data do |_chan, _type, data|
+            errormsg = "#{cmd}: [#{data.chomp}]"
             # Happens when windows user hasn't logged in and created home account.
-            if data.include?("Could not chdir to home directory")
-              errormsg=errormsg+"\nHint: home not created in Windows?"
+            if data.include?('Could not chdir to home directory')
+              errormsg += "\nHint: home not created in Windows?"
             end
             raise errormsg
           end
-          channel.exec(cmd){|ch,success|channel.send_data(input) unless input.nil?}
+          # send commannd to SSH channel (execute)
+          channel.send('cexe'.reverse,cmd){|_ch,_success|channel.send_data(input) unless input.nil?}
         end
         # wait for channel to finish (command exit)
         ssh_channel.wait
         # main ssh session loop
         session.loop
       end # session
-      return response
+      return response.join
     end
   end
 end

data/lib/aspera/sync.rb

@@ -1,48 +1,50 @@
+# frozen_string_literal: true
+
 require 'aspera/command_line_builder'
 
 module Aspera
   # builds command line arg for async
   class Sync
-    INSTANCE_PARAMS=
-    {
-      'alt_logdir'           => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'watchd'               => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'apply_local_docroot'  => { :cltype => :opt_without_arg},
-      'quiet'                => { :cltype => :opt_without_arg},
-    }
-    SESSION_PARAMS=
-    {
-      'name'                 => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'local_dir'            => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'remote_dir'           => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'local_db_dir'         => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'remote_db_dir'        => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'host'                 => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'user'                 => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'private_key_path'     => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'direction'            => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'checksum'             => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'tcp_port'             => { :cltype => :opt_with_arg, :accepted_types=>:int},
-      'rate_policy'          => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'target_rate'          => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'cooloff'              => { :cltype => :opt_with_arg, :accepted_types=>:int},
-      'pending_max'          => { :cltype => :opt_with_arg, :accepted_types=>:int},
-      'scan_intensity'       => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'cipher'               => { :cltype => :opt_with_arg, :accepted_types=>:string},
-      'transfer_threads'     => { :cltype => :opt_with_arg, :accepted_types=>:int},
-      'preserve_time'        => { :cltype => :opt_without_arg},
-      'preserve_access_time' => { :cltype => :opt_without_arg},
-      'preserve_modification_time' => { :cltype => :opt_without_arg},
-      'preserve_uid'         => { :cltype => :opt_without_arg},
-      'preserve_gid'         => { :cltype => :opt_without_arg},
-      'create_dir'           => { :cltype => :opt_without_arg},
-      'reset'                => { :cltype => :opt_without_arg},
-      # note: only one env var, but multiple sessions... may be a problem
-      'remote_password'      => { :cltype => :envvar, :clvarname=>'ASPERA_SCP_PASS'},
-      'cookie'               => { :cltype => :envvar, :clvarname=>'ASPERA_SCP_COOKIE'},
-      'token'                => { :cltype => :envvar, :clvarname=>'ASPERA_SCP_TOKEN'},
-      'license'              => { :cltype => :envvar, :clvarname=>'ASPERA_SCP_LICENSE'},
-    }
+    INSTANCE_PARAMS =
+      {
+        'alt_logdir'          => { cltype: :opt_with_arg, accepted_types: :string},
+        'watchd'              => { cltype: :opt_with_arg, accepted_types: :string},
+        'apply_local_docroot' => { cltype: :opt_without_arg},
+        'quiet'               => { cltype: :opt_without_arg}
+      }.freeze
+    SESSION_PARAMS =
+      {
+        'name'                       => { cltype: :opt_with_arg, accepted_types: :string},
+        'local_dir'                  => { cltype: :opt_with_arg, accepted_types: :string},
+        'remote_dir'                 => { cltype: :opt_with_arg, accepted_types: :string},
+        'local_db_dir'               => { cltype: :opt_with_arg, accepted_types: :string},
+        'remote_db_dir'              => { cltype: :opt_with_arg, accepted_types: :string},
+        'host'                       => { cltype: :opt_with_arg, accepted_types: :string},
+        'user'                       => { cltype: :opt_with_arg, accepted_types: :string},
+        'private_key_path'           => { cltype: :opt_with_arg, accepted_types: :string},
+        'direction'                  => { cltype: :opt_with_arg, accepted_types: :string},
+        'checksum'                   => { cltype: :opt_with_arg, accepted_types: :string},
+        'tcp_port'                   => { cltype: :opt_with_arg, accepted_types: :int},
+        'rate_policy'                => { cltype: :opt_with_arg, accepted_types: :string},
+        'target_rate'                => { cltype: :opt_with_arg, accepted_types: :string},
+        'cooloff'                    => { cltype: :opt_with_arg, accepted_types: :int},
+        'pending_max'                => { cltype: :opt_with_arg, accepted_types: :int},
+        'scan_intensity'             => { cltype: :opt_with_arg, accepted_types: :string},
+        'cipher'                     => { cltype: :opt_with_arg, accepted_types: :string},
+        'transfer_threads'           => { cltype: :opt_with_arg, accepted_types: :int},
+        'preserve_time'              => { cltype: :opt_without_arg},
+        'preserve_access_time'       => { cltype: :opt_without_arg},
+        'preserve_modification_time' => { cltype: :opt_without_arg},
+        'preserve_uid'               => { cltype: :opt_without_arg},
+        'preserve_gid'               => { cltype: :opt_without_arg},
+        'create_dir'                 => { cltype: :opt_without_arg},
+        'reset'                      => { cltype: :opt_without_arg},
+        # note: only one env var, but multiple sessions... may be a problem
+        'remote_password'            => { cltype: :envvar, clvarname: 'ASPERA_SCP_PASS'},
+        'cookie'                     => { cltype: :envvar, clvarname: 'ASPERA_SCP_COOKIE'},
+        'token'                      => { cltype: :envvar, clvarname: 'ASPERA_SCP_TOKEN'},
+        'license'                    => { cltype: :envvar, clvarname: 'ASPERA_SCP_LICENSE'}
+      }.freeze
 
     Aspera::CommandLineBuilder.normalize_description(INSTANCE_PARAMS)
     Aspera::CommandLineBuilder.normalize_description(SESSION_PARAMS)
@@ -50,33 +52,34 @@ module Aspera
     private_constant :INSTANCE_PARAMS,:SESSION_PARAMS
 
     def initialize(sync_params)
-      @sync_params=sync_params
+      @sync_params = sync_params
     end
 
-    MANDATORY_KEYS=['instance','sessions']
+    MANDATORY_KEYS = %w[instance sessions].freeze
 
     def compute_args
-      raise StandardError,"parameter must be Hash" unless @sync_params.is_a?(Hash)
-      raise StandardError,"parameter hash must have at least 'sessions', and optionally 'instance' keys." unless @sync_params.keys.push('instance').uniq.sort.eql?(MANDATORY_KEYS)
-      raise StandardError,"sessions key must be Array" unless @sync_params['sessions'].is_a?(Array)
-      raise StandardError,"sessions key must has at least one element (hash)" unless @sync_params['sessions'].first.is_a?(Hash)
+      raise StandardError,'parameter must be Hash' unless @sync_params.is_a?(Hash)
+      raise StandardError,"parameter hash must have at least 'sessions', and optionally 'instance' keys." unless
+        @sync_params.keys.push('instance').uniq.sort.eql?(MANDATORY_KEYS)
+      raise StandardError,'sessions key must be Array' unless @sync_params['sessions'].is_a?(Array)
+      raise StandardError,'sessions key must has at least one element (hash)' unless @sync_params['sessions'].first.is_a?(Hash)
 
-      env_args={
-        :args=>[],
-        :env=>{}
+      env_args = {
+        args: [],
+        env:  {}
       }
 
       if @sync_params.has_key?('instance')
-        raise StandardError,"instance key must be hash" unless @sync_params['instance'].is_a?(Hash)
-        instance_builder=CommandLineBuilder.new(@sync_params['instance'],INSTANCE_PARAMS)
+        raise StandardError,'instance key must be hash' unless @sync_params['instance'].is_a?(Hash)
+        instance_builder = CommandLineBuilder.new(@sync_params['instance'],INSTANCE_PARAMS)
         instance_builder.process_params
         instance_builder.add_env_args(env_args[:env],env_args[:args])
       end
 
       @sync_params['sessions'].each do |session_params|
-        raise StandardError,"sessions must contain hashes" unless session_params.is_a?(Hash)
-        raise StandardError,"session must contain at leat name" unless session_params.has_key?('name')
-        session_builder=CommandLineBuilder.new(session_params,SESSION_PARAMS)
+        raise StandardError,'sessions must contain hashes' unless session_params.is_a?(Hash)
+        raise StandardError,'session must contain at leat name' unless session_params.has_key?('name')
+        session_builder = CommandLineBuilder.new(session_params,SESSION_PARAMS)
         session_builder.process_params
         session_builder.add_env_args(env_args[:env],env_args[:args])
       end

data/lib/aspera/temp_file_manager.rb

@@ -1,3 +1,5 @@
+# frozen_string_literal: true
+
 require 'singleton'
 require 'fileutils'
 require 'etc'
@@ -6,14 +8,14 @@ module Aspera
   # create a temp file name for a given folder
   # files can be deleted on process exit by calling cleanup
   class TempFileManager
-    SEC_IN_DAY=86400
+    SEC_IN_DAY = 86_400
     # assume no transfer last longer than this
     # (garbage collect file list which were not deleted after transfer)
-    FILE_LIST_AGE_MAX_SEC=5*SEC_IN_DAY
-    private_constant :SEC_IN_DAY,:FILE_LIST_AGE_MAX_SEC
+    FILE_LIST_AGE_MAX_SEC = 5 * SEC_IN_DAY
+    private_constant :SEC_IN_DAY, :FILE_LIST_AGE_MAX_SEC
     include Singleton
     def initialize
-      @created_files=[]
+      @created_files = []
     end
 
     # call this on process exit
@@ -21,36 +23,40 @@ module Aspera
       @created_files.each do |filepath|
         File.delete(filepath) if File.file?(filepath)
       end
-      @created_files=[]
+      @created_files = []
     end
 
     # ensure that provided folder exists, or create it, generate a unique filename
     # @return path to that unique file
-    def new_file_path_in_folder(temp_folder,add_base='')
+    def new_file_path_in_folder(temp_folder, add_base = '')
       FileUtils.mkdir_p(temp_folder) unless Dir.exist?(temp_folder)
-      new_file=File.join(temp_folder,add_base+SecureRandom.uuid)
+      new_file = File.join(temp_folder, add_base + SecureRandom.uuid)
       @created_files.push(new_file)
-      return new_file
+      new_file
     end
 
     # same as above but in global temp folder
     def new_file_path_global(base_name)
-      username = Etc.getlogin || Etc.getpwuid(Process.uid).name || 'unknown_user' rescue 'unknown_user'
-      return new_file_path_in_folder(Etc.systmpdir,base_name+'_'+username+'_')
+      username =
+        begin
+          Etc.getlogin || Etc.getpwuid(Process.uid).name || 'unknown_user'
+        rescue StandardError
+          'unknown_user'
+        end
+      new_file_path_in_folder(Etc.systmpdir, base_name + '_' + username + '_')
     end
 
     def cleanup_expired(temp_folder)
       # garbage collect undeleted files
       Dir.entries(temp_folder).each do |name|
-        file_path=File.join(temp_folder,name)
-        age_sec=(Time.now - File.stat(file_path).mtime).to_i
+        file_path = File.join(temp_folder, name)
+        age_sec = (Time.now - File.stat(file_path).mtime).to_i
         # check age of file, delete too old
-        if File.file?(file_path) and age_sec > FILE_LIST_AGE_MAX_SEC
+        if File.file?(file_path) && (age_sec > FILE_LIST_AGE_MAX_SEC)
           Log.log.debug("garbage collecting #{name}")
           File.delete(file_path)
         end
       end
-
     end
   end
 end

data/lib/aspera/timer_limiter.rb

@@ -1,19 +1,21 @@
+# frozen_string_literal: true
+
 module Aspera
   # used to throttle logs
   class TimerLimiter
     # @param delay in seconds (float)
     def initialize(delay)
-      @delay=delay
-      @last_time=nil
-      @count=0
+      @delay = delay
+      @last_time = nil
+      @count = 0
     end
 
     def trigger?
-      old_time=@last_time
-      @last_time=Time.now.to_f
-      @count+=1
-      if old_time.nil? or (@last_time-old_time)>@delay
-        @count=0
+      old_time = @last_time
+      @last_time = Time.now.to_f
+      @count += 1
+      if old_time.nil? || ((@last_time - old_time) > @delay)
+        @count = 0
         return true
       end
       return false

data/lib/aspera/uri_reader.rb

@@ -1,25 +1,24 @@
+# frozen_string_literal: true
+
 require 'uri'
-require 'net/http'
-require 'net/https'
+require 'aspera/rest'
 
 module Aspera
   module UriReader
     # read some content from some URI, support file: , http: and https: schemes
-    def self.read(proxy_pac_uri)
-      proxy_uri=URI.parse(proxy_pac_uri)
-      if proxy_uri.scheme.eql?('http')
-        return Net::HTTP.start(proxy_uri.host, proxy_uri.port){|http|http.get(proxy_uri.path)}.body
-      elsif proxy_uri.scheme.eql?('https')
-        return Net::HTTPS.start(proxy_uri.host, proxy_uri.port){|http|http.get(proxy_uri.path)}.body
-      elsif proxy_uri.scheme.eql?('file')
-        local_file_path=proxy_uri.path
-        raise "URL shall have a path, check syntax" if local_file_path.nil?
-        local_file_path=File.expand_path(local_file_path.gsub(/^\//,'')) if local_file_path.match(/^\/(~|.|..)\//)
+    def self.read(uri_to_read)
+      proxy_uri = URI.parse(uri_to_read)
+      case proxy_uri.scheme
+      when 'http','https'
+        return Rest.new(base_url: uri_to_read,redirect_max: 5).call(operation: 'GET', subpath: '', headers: {'Accept' => 'text/plain'})[:data]
+      when 'file',NilClass
+        local_file_path = proxy_uri.path
+        raise 'URL shall have a path, check syntax' if local_file_path.nil?
+        local_file_path = File.expand_path(local_file_path.gsub(/^\//,'')) if /^\/(~|.|..)\//.match?(local_file_path)
         return File.read(local_file_path)
-      elsif proxy_uri.scheme.eql?('')
-        return File.read(proxy_uri)
+      else
+        raise "unknown scheme: [#{proxy_uri.scheme}] for [#{uri_to_read}]"
       end
-      raise "no scheme: [#{proxy_uri.scheme}] for [#{proxy_pac_uri}]"
     end
   end
 end

data/lib/aspera/web_auth.rb

@@ -1,105 +1,110 @@
+# frozen_string_literal: true
+
 require 'webrick'
 require 'webrick/https'
-require 'thread'
+require 'stringio'
 
 module Aspera
-  class WebAuth
-    # server for auth page
-    class FxGwServlet < WEBrick::HTTPServlet::AbstractServlet
-      def initialize(server,info) # additional args get here
-        @shared=info
-      end
+  # servlet called on callback: it records the callback request
+  class WebAuthServlet < WEBrick::HTTPServlet::AbstractServlet
+    def initialize(server,application) # additional args get here
+      Log.log.debug('WebAuthServlet initialize')
+      super(server)
+      @app = application
+    end
 
-      def do_GET (request, response)
-        if ! request.path.eql?(@shared[:expected_path])
-          response.status=400
-          return
-        end
-        @shared[:mutex].synchronize do
-          @shared[:query]=request.query
-          @shared[:cond].signal
-        end
-        response.status=200
-        response.content_type = 'text/html'
-        response.body='<html><head><title>Ok</title></head><body><h1>Thank you !</h1><p>You can close this window.</p></body></html>'
+    def service(request, response)
+      Log.log.debug("received request from browser #{request.request_method} #{request.path}")
+      raise WEBrick::HTTPStatus::MethodNotAllowed,"unexpected method: #{request.request_method}" unless request.request_method.eql?('GET')
+      raise WEBrick::HTTPStatus::NotFound,"unexpected path: #{request.path}" unless request.path.eql?(@app.expected_path)
+      # acquire lock and signal change
+      @app.mutex.synchronize do
+        @app.query = request.query
+        @app.cond.signal
       end
-    end # FxGwServlet
-
-    # generates and adds self signed cert to provided webrick options
-    def fill_self_signed_cert(options)
-      key = OpenSSL::PKey::RSA.new(4096)
-      cert = OpenSSL::X509::Certificate.new
-      cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/C=FR/O=Test/OU=Test/CN=Test')
-      cert.not_before = Time.now
-      cert.not_after = Time.now + 365 * 24 * 60 * 60
-      cert.public_key = key.public_key
-      cert.serial = 0x0
-      cert.version = 2
-      ef = OpenSSL::X509::ExtensionFactory.new
-      ef.issuer_certificate = cert
-      ef.subject_certificate = cert
-      cert.extensions = [
-        ef.create_extension('basicConstraints','CA:TRUE', true),
-        ef.create_extension('subjectKeyIdentifier', 'hash'),
-        # ef.create_extension('keyUsage', 'cRLSign,keyCertSign', true),
-      ]
-      cert.add_extension(ef.create_extension('authorityKeyIdentifier','keyid:always,issuer:always'))
-      cert.sign(key, OpenSSL::Digest::SHA256.new)
-      options[:SSLPrivateKey]  = key
-      options[:SSLCertificate] = cert
+      response.status = 200
+      response.content_type = 'text/html'
+      response.body = '<html><head><title>Ok</title></head><body><h1>Thank you !</h1><p>You can close this window.</p></body></html>'
+      return nil
     end
+  end # WebAuthServlet
+
+  # generates and adds self signed cert to provided webrick options
+  #def fill_self_signed_cert(cert,key)
+  #  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/C=FR/O=Test/OU=Test/CN=Test')
+  #  cert.not_before = Time.now
+  #  cert.not_after = Time.now + 365 * 24 * 60 * 60
+  #  cert.public_key = key.public_key
+  #  cert.serial = 0x0
+  #  cert.version = 2
+  #  ef = OpenSSL::X509::ExtensionFactory.new
+  #  ef.issuer_certificate = cert
+  #  ef.subject_certificate = cert
+  #  cert.extensions = [
+  #    ef.create_extension('basicConstraints','CA:TRUE', true),
+  #    ef.create_extension('subjectKeyIdentifier', 'hash'),
+  #    # ef.create_extension('keyUsage', 'cRLSign,keyCertSign', true),
+  #  ]
+  #  cert.add_extension(ef.create_extension('authorityKeyIdentifier','keyid:always,issuer:always'))
+  #  cert.sign(key, OpenSSL::Digest::SHA256.new)
+  #end
 
+  # start a local web server, then start a browser that will callback the local server upon authentication
+  class WebAuth
+    attr_reader :expected_path,:mutex,:cond
+    attr_writer :query
+    # @param endpoint_url [String] e.g. 'https://127.0.0.1:12345'
     def initialize(endpoint_url)
-      uri=URI.parse(endpoint_url)
+      uri = URI.parse(endpoint_url)
+      # parameters for servlet
+      @query = nil
+      @mutex = Mutex.new
+      @cond = ConditionVariable.new
+      @expected_path = uri.path.empty? ? '/' : uri.path
+      # see https://www.rubydoc.info/stdlib/webrick/WEBrick/Config
       webrick_options = {
-        :app                => WebAuth,
-        :Port               => uri.port,
-        :Logger             => Log.log
+        BindAddress: uri.host,
+        Port:        uri.port,
+        Logger:      Log.log,
+        AccessLog:   [[self, WEBrick::AccessLog::COMMON_LOG_FORMAT]] # replace default access log to call local method "<<" below
       }
-      uri_path=uri.path.empty? ? '/' : uri.path
       case uri.scheme
       when 'http'
         Log.log.debug('HTTP mode')
       when 'https'
-        webrick_options[:SSLEnable]=true
-        webrick_options[:SSLVerifyClient]=OpenSSL::SSL::VERIFY_NONE
-        case 0
-        when 0
-          # generate self signed cert
-          fill_self_signed_cert(webrick_options)
-        when 1
-          # short
-          webrick_options[:SSLCertName]    = [ [ 'CN',WEBrick::Utils::getservername ] ]
-          Log.log.error(">>>#{webrick_options[:SSLCertName]}")
-        when 2
-          # good cert
-          webrick_options[:SSLPrivateKey] =OpenSSL::PKey::RSA.new(File.read('/Users/laurent/workspace/Tools/certificate/myserver.key'))
-          webrick_options[:SSLCertificate] = OpenSSL::X509::Certificate.new(File.read('/Users/laurent/workspace/Tools/certificate/myserver.crt'))
-        end
+        webrick_options[:SSLEnable] = true
+        # a- automatic certificate generation
+        webrick_options[:SSLCertName] = [['CN',WEBrick::Utils.getservername]]
+        # b- generate self signed cert
+        #webrick_options[:SSLPrivateKey]   = OpenSSL::PKey::RSA.new(4096)
+        #webrick_options[:SSLCertificate]  = OpenSSL::X509::Certificate.new
+        #self.class.fill_self_signed_cert(webrick_options[:SSLCertificate],webrick_options[:SSLPrivateKey])
+        ## c- good cert
+        #webrick_options[:SSLPrivateKey]  = OpenSSL::PKey::RSA.new(File.read('.../myserver.key'))
+        #webrick_options[:SSLCertificate] = OpenSSL::X509::Certificate.new(File.read('.../myserver.crt'))
       end
-      # parameters for servlet
-      @shared_info={
-        expected_path: uri_path,
-        mutex: Mutex.new,
-        cond: ConditionVariable.new
-      }
-      @server = WEBrick::HTTPServer.new(webrick_options)
-      @server.mount(uri_path, FxGwServlet, @shared_info) # additional args provided to constructor
+      # self signed certificate generates characters on STDERR, see create_self_signed_cert in webrick/ssl.rb
+      Log.capture_stderr { @server = WEBrick::HTTPServer.new(webrick_options) }
+      @server.mount(@expected_path, WebAuthServlet, self) # additional args provided to constructor
       Thread.new { @server.start }
     end
 
+    # log web server access ( option AccessLog )
+    def <<(access_log)
+      Log.log.debug{"webrick log #{access_log.chomp}"}
+    end
+
     # wait for request on web server
     # @return Hash the query
-    def get_request
-      Log.log.debug('get_request')
-      # called only once
-      raise "error, called twice ?" if @server.nil?
-      @shared_info[:mutex].synchronize do
-        @shared_info[:cond].wait(@shared_info[:mutex])
-      end
+    def received_request
+      # shall be called only once
+      raise 'error, received_request called twice ?' if @server.nil?
+      # wait for signal from thread
+      @mutex.synchronize{@cond.wait(@mutex)}
+      # tell server thread to stop
       @server.shutdown
-      @server=nil
-      return @shared_info[:query]
+      @server = nil
+      return @query
     end
   end
 end