bunny 2.7.4 → 2.22.0

data/lib/bunny/test_kit.rb

@@ -1,9 +1,23 @@
 # -*- coding: utf-8 -*-
+
+require "timeout"
+
 module Bunny
   # Unit, integration and stress testing toolkit
   class TestKit
     class << self
 
+      def poll_while(timeout = 60, &probe)
+        Timeout.timeout(timeout) {
+          sleep 0.1 while probe.call
+        }
+      end
+      def poll_until(timeout = 60, &probe)
+        Timeout.timeout(timeout) {
+          sleep 0.1 until probe.call
+        }
+      end
+
       # @return [Integer] Random integer in the range of [a, b]
       # @api private
       def random_in_range(a, b)

data/lib/bunny/transport.rb

@@ -25,14 +25,41 @@ module Bunny
     DEFAULT_READ_TIMEOUT  = 30.0
     DEFAULT_WRITE_TIMEOUT = 30.0
 
+    # mimics METHODS_MAP in ssl.rb but also lists TLS 1.3
+    # and string constants
+    TLS_VERSION_ALIASES = {
+      TLSv1: OpenSSL::SSL::TLS1_VERSION,
+      TLSv1_1: OpenSSL::SSL::TLS1_1_VERSION,
+      TLSv1_2: OpenSSL::SSL::TLS1_2_VERSION,
+      "1.0": OpenSSL::SSL::TLS1_VERSION,
+      "1.1": OpenSSL::SSL::TLS1_1_VERSION,
+      "1.2": OpenSSL::SSL::TLS1_2_VERSION,
+      OpenSSL::SSL::TLS1_VERSION => OpenSSL::SSL::TLS1_VERSION,
+      OpenSSL::SSL::TLS1_1_VERSION => OpenSSL::SSL::TLS1_1_VERSION,
+      OpenSSL::SSL::TLS1_2_VERSION => OpenSSL::SSL::TLS1_2_VERSION
+    }
+
+    # older OpenSSL versions won't support for TLS 1.3 and won't
+    # have this constant defined.
+    if defined?(OpenSSL::SSL::TLS1_3_VERSION)
+      TLS_VERSION_ALIASES["1.3"]                        = OpenSSL::SSL::TLS1_3_VERSION
+      TLS_VERSION_ALIASES[:TLSv1_3]                     = OpenSSL::SSL::TLS1_3_VERSION
+      TLS_VERSION_ALIASES[OpenSSL::SSL::TLS1_3_VERSION] = OpenSSL::SSL::TLS1_3_VERSION
+    end
+
+    TLS_VERSION_ALIASES.freeze
+
     attr_reader :session, :host, :port, :socket, :connect_timeout, :read_timeout, :write_timeout, :disconnect_timeout
-    attr_reader :tls_context
+    attr_reader :tls_context, :verify_peer, :tls_ca_certificates, :tls_certificate_path, :tls_key_path
 
-    attr_writer :read_timeout
+    def read_timeout=(v)
+      @read_timeout = v
+      @read_timeout = nil if @read_timeout == 0
+    end
 
     def initialize(session, host, port, opts)
       @session        = session
-      @session_thread = opts[:session_thread]
+      @session_error_handler = opts[:session_error_handler]
       @host    = host
       @port    = port
       @opts    = opts
@@ -54,6 +81,8 @@ module Bunny
 
       @writes_mutex       = @session.mutex_impl.new
 
+      @socket = nil
+
       prepare_tls_context(opts) if @tls_enabled
     end
 
@@ -77,10 +106,29 @@ module Bunny
 
 
     def connect
-      if uses_ssl?
-        @socket.connect
-        if uses_tls? && @verify_peer
-          @socket.post_connection_check(host)
+      if uses_tls?
+        begin
+          @socket.connect
+        rescue OpenSSL::SSL::SSLError => e
+          @logger.error { "TLS connection failed: #{e.message}" }
+          raise e
+        end
+
+        log_peer_certificate_info(Logger::DEBUG, @socket.peer_cert)
+        log_peer_certificate_chain_info(Logger::DEBUG, @socket.peer_cert_chain)
+
+        begin
+          @socket.post_connection_check(host) if @verify_peer
+        rescue OpenSSL::SSL::SSLError => e
+          @logger.error do
+            msg = "Peer verification of target server failed: #{e.message}. "
+            msg += "Target hostname: #{hostname}, see peer certificate chain details below."
+            msg
+          end
+          log_peer_certificate_info(Logger::ERROR, @socket.peer_cert)
+          log_peer_certificate_chain_info(Logger::ERROR, @socket.peer_cert_chain)
+
+          raise e
         end
 
         @status = :connected
@@ -122,7 +170,7 @@ module Bunny
           if @session.automatically_recover?
             @session.handle_network_failure(e)
           else
-            @session_thread.raise(Bunny::NetworkFailure.new("detected a network failure: #{e.message}", e))
+            @session_error_handler.raise(Bunny::NetworkFailure.new("detected a network failure: #{e.message}", e))
           end
         end
       end
@@ -146,24 +194,25 @@ module Bunny
           if @session.automatically_recover?
             @session.handle_network_failure(e)
           else
-            @session_thread.raise(Bunny::NetworkFailure.new("detected a network failure: #{e.message}", e))
+            @session_error_handler.raise(Bunny::NetworkFailure.new("detected a network failure: #{e.message}", e))
           end
         end
       end
     end
 
     # Writes data to the socket without timeout checks
-    def write_without_timeout(data)
+    def write_without_timeout(data, raise_exceptions = false)
       begin
         @writes_mutex.synchronize { @socket.write(data) }
         @socket.flush
       rescue SystemCallError, Bunny::ConnectionError, IOError => e
         close
+        raise e if raise_exceptions
 
         if @session.automatically_recover?
           @session.handle_network_failure(e)
         else
-          @session_thread.raise(Bunny::NetworkFailure.new("detected a network failure: #{e.message}", e))
+          @session_error_handler.raise(Bunny::NetworkFailure.new("detected a network failure: #{e.message}", e))
         end
       end
     end
@@ -220,7 +269,7 @@ module Bunny
         if @session.automatically_recover?
           raise
         else
-          @session_thread.raise(Bunny::NetworkFailure.new("detected a network failure: #{e.message}", e))
+          @session_error_handler.raise(Bunny::NetworkFailure.new("detected a network failure: #{e.message}", e))
         end
       end
     end
@@ -298,17 +347,21 @@ module Bunny
     protected
 
     def tls_enabled?(opts)
-      return opts[:tls] unless opts[:tls].nil?
-      return opts[:ssl] unless opts[:ssl].nil?
+      return !!opts[:tls] unless opts[:tls].nil?
+      return !!opts[:ssl] unless opts[:ssl].nil?
       (opts[:port] == AMQ::Protocol::TLS_PORT) || false
     end
 
+    def tls_ca_certificates_paths_from(opts)
+      Array(opts[:cacertfile] || opts[:tls_ca_certificates] || opts[:ssl_ca_certificates])
+    end
+
     def tls_certificate_path_from(opts)
-      opts[:tls_cert] || opts[:ssl_cert] || opts[:tls_cert_path] || opts[:ssl_cert_path] || opts[:tls_certificate_path] || opts[:ssl_certificate_path]
+      opts[:certfile] || opts[:tls_cert] || opts[:ssl_cert] || opts[:tls_cert_path] || opts[:ssl_cert_path] || opts[:tls_certificate_path] || opts[:ssl_certificate_path]
     end
 
     def tls_key_path_from(opts)
-      opts[:tls_key] || opts[:ssl_key] || opts[:tls_key_path] || opts[:ssl_key_path]
+      opts[:keyfile] || opts[:tls_key] || opts[:ssl_key] || opts[:tls_key_path] || opts[:ssl_key_path]
     end
 
     def tls_certificate_from(opts)
@@ -327,6 +380,29 @@ module Bunny
       end
     end
 
+    def peer_certificate_info(peer_cert, prefix = "Peer's leaf certificate")
+      exts = peer_cert.extensions.map { |x| x.value }
+      # Subject Alternative Names
+      sans = exts.select { |s| s =~ /^DNS/ }.map { |s| s.gsub(/^DNS:/, "") }
+
+      msg = "#{prefix} subject: #{peer_cert.subject}, "
+      msg += "subject alternative names: #{sans.join(', ')}, "
+      msg += "issuer: #{peer_cert.issuer}, "
+      msg += "not valid after: #{peer_cert.not_after}, "
+      msg += "X.509 usage extensions: #{exts.join(', ')}"
+
+      msg
+    end
+
+    def log_peer_certificate_info(severity, peer_cert, prefix = "Peer's leaf certificate")
+      @logger.add(severity) { peer_certificate_info(peer_cert, prefix) }
+    end
+
+    def log_peer_certificate_chain_info(severity, chain)
+      chain.each do |cert|
+        self.log_peer_certificate_info(severity, cert, "Peer's certificate chain entry")
+      end
+    end
 
     def inline_client_certificate_from(opts)
       opts[:tls_certificate] || opts[:ssl_cert_string] || opts[:tls_cert]
@@ -337,7 +413,7 @@ module Bunny
     end
 
     def prepare_tls_context(opts)
-      if (opts[:verify_ssl] || opts[:verify_peer]).nil?
+      if opts.values_at(:verify_ssl, :verify_peer, :verify).all?(&:nil?)
         opts[:verify_peer] = true
       end
 
@@ -349,12 +425,22 @@ module Bunny
       @tls_key               = tls_key_from(opts)
       @tls_certificate_store = opts[:tls_certificate_store]
 
-      @tls_ca_certificates   = opts.fetch(:tls_ca_certificates, default_tls_certificates)
-      @verify_peer           = (opts[:verify_ssl] || opts[:verify_peer])
+      @verify_peer           = as_boolean(opts[:verify_ssl] || opts[:verify_peer] || opts[:verify])
 
       @tls_context = initialize_tls_context(OpenSSL::SSL::SSLContext.new, opts)
     end
 
+    def as_boolean(val)
+      case val
+      when true    then true
+      when false   then false
+      when "true"  then true
+      when "false" then false
+      else
+        !!val
+      end
+    end
+
     def wrap_in_tls_socket(socket)
       raise ArgumentError, "cannot wrap nil into TLS socket, @tls_context is nil. This is a Bunny bug." unless socket
       raise "cannot wrap a socket into TLS socket, @tls_context is nil. This is a Bunny bug." unless @tls_context
@@ -391,19 +477,22 @@ module Bunny
       end
     end
 
-    def initialize_tls_context(ctx, opts={})
+    def initialize_tls_context(ctx, opts = {})
       ctx.cert       = OpenSSL::X509::Certificate.new(@tls_certificate) if @tls_certificate
-      ctx.key        = OpenSSL::PKey::RSA.new(@tls_key) if @tls_key
+      ctx.key        = OpenSSL::PKey.read(@tls_key) if @tls_key
       ctx.cert_store = if @tls_certificate_store
                          @tls_certificate_store
                        else
+                         # this ivar exists so that this value can be exposed in the API
+                         @tls_ca_certificates = tls_ca_certificates_paths_from(opts)
                          initialize_tls_certificate_store(@tls_ca_certificates)
                        end
+      should_silence_warnings = opts.fetch(:tls_silence_warnings, false)
 
-      if !@tls_certificate
+      if !@tls_certificate && !should_silence_warnings
         @logger.warn <<-MSG
-Using TLS but no client certificate is provided! If RabbitMQ is configured to verify peer
-certificate, connection upgrade will fail!
+Using TLS but no client certificate is provided. If RabbitMQ is configured to require & verify peer
+certificate, connection will be rejected. Learn more at https://www.rabbitmq.com/ssl.html
         MSG
       end
       if @tls_certificate && !@tls_key
@@ -415,45 +504,33 @@ certificate, connection upgrade will fail!
       else
         OpenSSL::SSL::VERIFY_NONE
       end
+      @logger.debug { "Will use peer verification mode #{verify_mode}" }
       ctx.verify_mode = verify_mode
 
-      if !@verify_peer
+      if !@verify_peer && !should_silence_warnings
         @logger.warn <<-MSG
 Using TLS but peer hostname verification is disabled. This is convenient for local development
-but prone to man-in-the-middle attacks. Please set verify_peer: true in production!
+but prone to man-in-the-middle attacks. Please set verify_peer: true in production. Learn more at https://www.rabbitmq.com/ssl.html
         MSG
       end
 
-      ssl_version = opts[:tls_protocol] || opts[:ssl_version]
-      ctx.ssl_version = ssl_version if ssl_version
+      ssl_version = opts[:tls_protocol] || opts[:ssl_version] || :TLSv1_2
+      if ssl_version
+        v = tls_version_constant(ssl_version)
+        ctx.min_version = v
+        ctx.max_version = v
+      end
 
       ctx
     end
 
-    def default_tls_certificates
-      if defined?(JRUBY_VERSION)
-        # see https://github.com/jruby/jruby/issues/1055. MK.
-        []
-      else
-        default_ca_file = ENV[OpenSSL::X509::DEFAULT_CERT_FILE_ENV] || OpenSSL::X509::DEFAULT_CERT_FILE
-        default_ca_path = ENV[OpenSSL::X509::DEFAULT_CERT_DIR_ENV] || OpenSSL::X509::DEFAULT_CERT_DIR
-
-        [
-          default_ca_file,
-          File.join(default_ca_path, 'ca-certificates.crt'), # Ubuntu/Debian
-          File.join(default_ca_path, 'ca-bundle.crt'),       # Amazon Linux & Fedora/RHEL
-          File.join(default_ca_path, 'ca-bundle.pem')        # OpenSUSE
-          ].uniq
-      end
-    end
-
     def initialize_tls_certificate_store(certs)
       cert_files = []
       cert_inlines = []
       certs.each do |cert|
         # if it starts with / or C:/ then it's a file path that may or may not
         # exist (e.g. a default OpenSSL path). MK.
-        if File.readable?(cert) || cert =~ /^([a-z]:?)?\//i
+        if File.readable?(cert) || cert =~ /\A([a-z]:?)?\//i
           cert_files.push(cert)
         else
           cert_inlines.push(cert)
@@ -461,10 +538,8 @@ but prone to man-in-the-middle attacks. Please set verify_peer: true in producti
       end
       @logger.debug { "Using CA certificates at #{cert_files.join(', ')}" }
       @logger.debug { "Using #{cert_inlines.count} inline CA certificates" }
-      if certs.empty?
-        @logger.error "No CA certificates found, add one with :tls_ca_certificates"
-      end
       OpenSSL::X509::Store.new.tap do |store|
+        store.set_default_paths
         cert_files.select { |path| File.readable?(path) }.
           each { |path| store.add_file(path) }
         cert_inlines.
@@ -472,6 +547,14 @@ but prone to man-in-the-middle attacks. Please set verify_peer: true in producti
       end
     end
 
+
+    def tls_version_constant(value)
+      # OpenSSL::SSL::TLS1_3_VERSION and similar constants
+      # are just integers, so use the value itself as fallback since
+      # there is no class to case switch on
+      TLS_VERSION_ALIASES[value] || value
+    end
+
     def timeout_from(options)
       options[:connect_timeout] || options[:connection_timeout] || options[:timeout] || DEFAULT_CONNECTION_TIMEOUT
     end

data/lib/bunny/version.rb

@@ -2,5 +2,5 @@
 
 module Bunny
   # @return [String] Version of the library
-  VERSION = "2.7.4"
+  VERSION = "2.22.0"
 end

data/lib/bunny.rb

@@ -53,17 +53,58 @@ module Bunny
   # Instantiates a new connection. The actual network
   # connection is started with {Bunny::Session#start}
   #
+  # @param [String, Hash] connection_string_or_opts Connection string or a hash of connection options
+  # @param [Hash] optz Extra options not related to connection
+  #
+  # @option connection_string_or_opts [String] :host ("127.0.0.1") Hostname or IP address to connect to
+  # @option connection_string_or_opts [Array<String>] :hosts (["127.0.0.1"]) list of hostname or IP addresses to select hostname from when connecting
+  # @option connection_string_or_opts [Array<String>] :addresses (["127.0.0.1:5672"]) list of addresses to select hostname and port from when connecting
+  # @option connection_string_or_opts [Integer] :port (5672) Port RabbitMQ listens on
+  # @option connection_string_or_opts [String] :username ("guest") Username
+  # @option connection_string_or_opts [String] :password ("guest") Password
+  # @option connection_string_or_opts [String] :vhost ("/") Virtual host to use
+  # @option connection_string_or_opts [Integer, Symbol] :heartbeat (:server) Heartbeat timeout to offer to the server. :server means use the value suggested by RabbitMQ. 0 means heartbeats and socket read timeouts will be disabled (not recommended).
+  # @option connection_string_or_opts [Integer] :network_recovery_interval (4) Recovery interval periodic network recovery will use. This includes initial pause after network failure.
+  # @option connection_string_or_opts [Boolean] :tls (false) Should TLS/SSL be used?
+  # @option connection_string_or_opts [String] :tls_cert (nil) Path to client TLS/SSL certificate file (.pem)
+  # @option connection_string_or_opts [String] :tls_key (nil) Path to client TLS/SSL private key file (.pem)
+  # @option connection_string_or_opts [Array<String>] :tls_ca_certificates Array of paths to TLS/SSL CA files (.pem), by default detected from OpenSSL configuration
+  # @option connection_string_or_opts [String] :verify_peer (true) Whether TLS peer verification should be performed
+  # @option connection_string_or_opts [Symbol] :tls_protocol (negotiated) What TLS version should be used (:TLSv1, :TLSv1_1, or :TLSv1_2)
+  # @option connection_string_or_opts [Integer] :channel_max (2047) Maximum number of channels allowed on this connection, minus 1 to account for the special channel 0.
+  # @option connection_string_or_opts [Integer] :continuation_timeout (15000) Timeout for client operations that expect a response (e.g. {Bunny::Queue#get}), in milliseconds.
+  # @option connection_string_or_opts [Integer] :connection_timeout (30) Timeout in seconds for connecting to the server.
+  # @option connection_string_or_opts [Integer] :read_timeout (30) TCP socket read timeout in seconds. If heartbeats are disabled this will be ignored.
+  # @option connection_string_or_opts [Integer] :write_timeout (30) TCP socket write timeout in seconds.
+  # @option connection_string_or_opts [Proc] :hosts_shuffle_strategy a callable that reorders a list of host strings, defaults to Array#shuffle
+  # @option connection_string_or_opts [Proc] :recovery_completed a callable that will be called when a network recovery is performed
+  # @option connection_string_or_opts [Logger] :logger The logger.  If missing, one is created using :log_file and :log_level.
+  # @option connection_string_or_opts [IO, String] :log_file The file or path to use when creating a logger.  Defaults to STDOUT.
+  # @option connection_string_or_opts [IO, String] :logfile DEPRECATED: use :log_file instead.  The file or path to use when creating a logger.  Defaults to STDOUT.
+  # @option connection_string_or_opts [Integer] :log_level The log level to use when creating a logger.  Defaults to LOGGER::WARN
+  # @option connection_string_or_opts [Boolean] :automatically_recover (true) Should automatically recover from network failures?
+  # @option connection_string_or_opts [Integer] :recovery_attempts (nil) Max number of recovery attempts, nil means forever
+  # @option connection_string_or_opts [Integer] :reset_recovery_attempts_after_reconnection (true) Should recovery attempt counter be reset after successful reconnection? When set to false, the attempt counter will last through the entire lifetime of the connection object.
+  # @option connection_string_or_opts [Proc] :recovery_attempt_started (nil) Will be called before every connection recovery attempt
+  # @option connection_string_or_opts [Proc] :recovery_completed (nil) Will be called after successful connection recovery
+  # @option connection_string_or_opts [Boolean] :recover_from_connection_close (true) Should this connection recover after receiving a server-sent connection.close (e.g. connection was force closed)?
+  # @option connection_string_or_opts [Object] :session_error_handler (Thread.current) Object which responds to #raise that will act as a session error handler. Defaults to Thread.current, which will raise asynchronous exceptions in the thread that created the session.
+  #
+  # @option optz [String] :auth_mechanism ("PLAIN") Authentication mechanism, PLAIN or EXTERNAL
+  # @option optz [String] :locale ("PLAIN") Locale RabbitMQ should use
+  # @option optz [String] :connection_name (nil) Client-provided connection name, if any. Note that the value returned does not uniquely identify a connection and cannot be used as a connection identifier in HTTP API requests.
+  #
   # @return [Bunny::Session]
   # @see Bunny::Session#start
   # @see http://rubybunny.info/articles/getting_started.html
   # @see http://rubybunny.info/articles/connecting.html
   # @api public
-  def self.new(connection_string_or_opts = ENV['RABBITMQ_URL'], opts = {})
-    if connection_string_or_opts.respond_to?(:keys) && opts.empty?
-      opts = connection_string_or_opts
+  def self.new(connection_string_or_opts = ENV['RABBITMQ_URL'], optz = {})
+    if connection_string_or_opts.respond_to?(:keys) && optz.empty?
+      optz = connection_string_or_opts
     end
 
-    conn = Session.new(connection_string_or_opts, opts)
+    conn = Session.new(connection_string_or_opts, optz)
     @default_connection ||= conn
 
     conn