faye-websocket 0.10.9 → 0.11.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f7b7147b0be962c2d274d1483bc8f20804afc187033055ca76b46830b5380a01
-  data.tar.gz: 54c1b097b2f21b5ad2ba0ccfe15c2b935de6b2e924c6ccd27635dceaae885e36
+  metadata.gz: 42cb4ec90fb1f2d1fd16739908d415035255136b33c1b8100f4370417d7afeee
+  data.tar.gz: b75409884d2ac82e84a59752027085106d1995e92d9603628400b13d7214bc4d
 SHA512:
-  metadata.gz: 70c5f89236c7204ca9af93f9f7e3e965fe16092dcc6160ddbe1a97bfaf7f85206586383e020e3fba729a18819607df87eb3cd0010b391cd15c7599720fedb60b
-  data.tar.gz: 7a945496751f19145a63088efe91d8b06866e2cda8ff56c7fd00f5670fbd192d9437db338a20a33b92c1b69c11f454cf2fb4a55be515b54ebec78c82c5532a6d
+  metadata.gz: 23293a16e2b1068bb1bd9a7c4e7516f9031185393e50d766833fe468bff7fb3b807d69015c022f35545cf41abb3e5ff9cf96282bb797ecba0eee60cea63de428
+  data.tar.gz: 46ac66a36431ee0adc04dbe5286499c38904b79e4da3259bb42c57c49ff97736568957da641fd640fedc237f67e258d06d5cbd0abb5d3d10eaf662f991368b67

data/CHANGELOG.md

@@ -1,3 +1,10 @@
+### 0.11.0 / 2020-07-31
+
+- Implement TLS certificate verification and enable it by default on client
+  connections
+- Add a `:tls` option to the client with sub-fields `:root_cert_file` and
+  `:verify_peer` for configuring TLS verification
+
 ### 0.10.9 / 2019-06-13
 
 - Use the EventMachine API rather than `IO#write` to write data; this uses the

data/LICENSE.md

@@ -0,0 +1,12 @@
+Copyright 2010-2020 James Coglan
+
+Licensed under the Apache License, Version 2.0 (the "License"); you may not use
+this file except in compliance with the License. You may obtain a copy of the
+License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software distributed
+under the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR
+CONDITIONS OF ANY KIND, either express or implied. See the License for the
+specific language governing permissions and limitations under the License.

data/README.md

@@ -198,6 +198,38 @@ is an optional hash containing any of these keys:
   These are passed along to EventMachine and you can find
   [more details here](http://rubydoc.info/gems/eventmachine/EventMachine%2FConnection%3Astart_tls)
 
+### Secure sockets
+
+Starting with version 0.11.0, `Faye::WebSocket::Client` will verify the server
+certificate for `wss` connections. This is not the default behaviour for
+EventMachine's TLS interface, and so our defaults for the `:tls` option are a
+little different.
+
+First, `:verify_peer` is enabled by default. Our implementation checks that the
+chain of certificates sent by the server is trusted by your root certificates,
+and that the final certificate's hostname matches the hostname in the request
+URL.
+
+By default, we use your system's root certificate store by invoking
+`OpenSSL::X509::Store#set_default_paths`. If you want to use a different set of
+root certificates, you can pass them via the `:root_cert_file` option, which
+takes a path or an array of paths to the certificates you want to use.
+
+```ruby
+ws = Faye::WebSocket::Client.new('wss://example.com/', [], :tls => {
+  :root_cert_file => ['path/to/certificate.pem']
+})
+```
+
+If you want to switch off certificate verification altogether, then set
+`:verify_peer` to `false`.
+
+```ruby
+ws = Faye::WebSocket::Client.new('wss://example.com/', [], :tls => {
+  :verify_peer => false
+})
+```
+
 ## WebSocket API
 
 Both the server- and client-side `WebSocket` objects support the following API:
@@ -206,7 +238,8 @@ Both the server- and client-side `WebSocket` objects support the following API:
   Event has no attributes.
 - **`on(:message) { |event| }`** fires when the socket receives a message. Event
   has one attribute, **`data`**, which is either a `String` (for text frames) or
-  an `Array` of byte-sized integers (for binary frames).
+  an `Array` of unsigned integers, i.e. integers in the range `0..255` (for
+  binary frames).
 - **`on(:error) { |event| }`** fires when there is a protocol error due to bad
   data sent by the other peer. This event is purely informational, you do not
   need to implement error recovery.

data/lib/faye/websocket.rb

@@ -17,9 +17,10 @@ module Faye
   class WebSocket
     root = File.expand_path('../websocket', __FILE__)
 
-    autoload :Adapter, root + '/adapter'
-    autoload :API,     root + '/api'
-    autoload :Client,  root + '/client'
+    autoload :Adapter,      root + '/adapter'
+    autoload :API,          root + '/api'
+    autoload :Client,       root + '/client'
+    autoload :SslVerifier,  root + '/ssl_verifier'
 
     ADAPTERS = {
       'goliath'  => :Goliath,

data/lib/faye/websocket/client.rb

@@ -17,20 +17,18 @@ module Faye
         super(options) { ::WebSocket::Driver.client(self, :max_length => options[:max_length], :protocols => protocols) }
 
         proxy       = options.fetch(:proxy, {})
-        endpoint    = URI.parse(proxy[:origin] || @url)
-        port        = endpoint.port || DEFAULT_PORTS[endpoint.scheme]
-        @secure     = SECURE_PROTOCOLS.include?(endpoint.scheme)
+        @endpoint   = URI.parse(proxy[:origin] || @url)
+        port        = @endpoint.port || DEFAULT_PORTS[@endpoint.scheme]
         @origin_tls = options.fetch(:tls, {})
         @socket_tls = proxy[:origin] ? proxy.fetch(:tls, {}) : @origin_tls
 
         configure_proxy(proxy)
 
-        EventMachine.connect(endpoint.host, port, Connection) do |conn|
+        EventMachine.connect(@endpoint.host, port, Connection) do |conn|
           conn.parent = self
         end
       rescue => error
-        emit_error("Network error: #{ url }: #{ error.message }")
-        finalize_close
+        on_network_error(error)
       end
 
     private
@@ -46,31 +44,45 @@ module Faye
         end
 
         @proxy.on(:connect) do
-          uri    = URI.parse(@url)
-          secure = SECURE_PROTOCOLS.include?(uri.scheme)
           @proxy = nil
-
-          if secure
-            origin_tls = { :sni_hostname => uri.host }.merge(@origin_tls)
-            @stream.start_tls(origin_tls)
-          end
-
+          start_tls(URI.parse(@url), @origin_tls)
           @driver.start
         end
       end
 
+      def start_tls(uri, options)
+        return unless SECURE_PROTOCOLS.include?(uri.scheme)
+
+        tls_options = { :sni_hostname => uri.host, :verify_peer => true }.merge(options)
+        @ssl_verifier = SslVerifier.new(uri.host, tls_options)
+        @stream.start_tls(tls_options)
+      end
+
       def on_connect(stream)
         @stream = stream
-
-        if @secure
-          socket_tls = { :sni_hostname => URI.parse(@url).host }.merge(@socket_tls)
-          @stream.start_tls(socket_tls)
-        end
+        start_tls(@endpoint, @socket_tls)
 
         worker = @proxy || @driver
         worker.start
       end
 
+      def on_network_error(error)
+        emit_error("Network error: #{ @url }: #{ error.message }")
+        finalize_close
+      end
+
+      def ssl_verify_peer(cert)
+        @ssl_verifier.ssl_verify_peer(cert)
+      rescue => error
+        on_network_error(error)
+      end
+
+      def ssl_handshake_completed
+        @ssl_verifier.ssl_handshake_completed
+      rescue => error
+        on_network_error(error)
+      end
+
       module Connection
         attr_accessor :parent
 
@@ -78,6 +90,14 @@ module Faye
           parent.__send__(:on_connect, self)
         end
 
+        def ssl_verify_peer(cert)
+          parent.__send__(:ssl_verify_peer, cert)
+        end
+
+        def ssl_handshake_completed
+          parent.__send__(:ssl_handshake_completed)
+        end
+
         def receive_data(data)
           parent.__send__(:parse, data)
         end

data/lib/faye/websocket/ssl_verifier.rb

@@ -0,0 +1,89 @@
+# This code is based on the implementation in Faraday:
+#
+#     https://github.com/lostisland/faraday/blob/v1.0.1/lib/faraday/adapter/em_http_ssl_patch.rb
+#
+# Faraday is published under the MIT license as detailed here:
+#
+#     https://github.com/lostisland/faraday/blob/v1.0.1/LICENSE.md
+#
+# Copyright (c) 2009-2019 Rick Olson, Zack Hobson
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy
+# of this software and associated documentation files (the "Software"), to deal
+# in the Software without restriction, including without limitation the rights
+# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+# copies of the Software, and to permit persons to whom the Software is
+# furnished to do so, subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in
+# all copies or substantial portions of the Software.
+
+require 'openssl'
+
+module Faye
+  class WebSocket
+
+    SSLError = Class.new(OpenSSL::SSL::SSLError)
+
+    class SslVerifier
+      def initialize(hostname, ssl_opts)
+        @hostname   = hostname
+        @ssl_opts   = ssl_opts
+        @cert_store = OpenSSL::X509::Store.new
+
+        if root = @ssl_opts[:root_cert_file]
+          [root].flatten.each { |ca_path| @cert_store.add_file(ca_path) }
+        else
+          @cert_store.set_default_paths
+        end
+      end
+
+      def ssl_verify_peer(cert_text)
+        return true unless should_verify?
+
+        certificate = parse_cert(cert_text)
+        return false unless certificate
+
+        unless @cert_store.verify(certificate)
+          raise SSLError, "Unable to verify the server certificate for '#{ @hostname }'"
+        end
+
+        store_cert(certificate)
+        @last_cert = certificate
+
+        true
+      end
+
+      def ssl_handshake_completed
+        return unless should_verify?
+
+        unless identity_verified?
+          raise SSLError, "Host '#{ @hostname }' does not match the server certificate"
+        end
+      end
+
+    private
+
+      def should_verify?
+        @ssl_opts[:verify_peer] != false
+      end
+
+      def parse_cert(cert_text)
+        OpenSSL::X509::Certificate.new(cert_text)
+      rescue OpenSSL::X509::CertificateError
+        nil
+      end
+
+      def store_cert(certificate)
+        @cert_store.add_cert(certificate)
+      rescue OpenSSL::X509::StoreError => error
+        raise error unless error.message == 'cert already in hash table'
+      end
+
+      def identity_verified?
+        @last_cert and OpenSSL::SSL.verify_certificate_identity(@last_cert, @hostname)
+      end
+    end
+
+  end
+end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: faye-websocket
 version: !ruby/object:Gem::Version
-  version: 0.10.9
+  version: 0.11.0
 platform: ruby
 authors:
 - James Coglan
-autorequire: 
+autorequire:
 bindir: bin
 cert_chain: []
-date: 2019-06-13 00:00:00.000000000 Z
+date: 2020-07-31 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: eventmachine
@@ -178,7 +178,7 @@ dependencies:
     - - ">="
       - !ruby/object:Gem::Version
         version: 4.0.0
-description: 
+description:
 email: jcoglan@gmail.com
 executables: []
 extensions: []
@@ -186,17 +186,8 @@ extra_rdoc_files:
 - README.md
 files:
 - CHANGELOG.md
+- LICENSE.md
 - README.md
-- examples/app.rb
-- examples/autobahn_client.rb
-- examples/client.rb
-- examples/config.ru
-- examples/haproxy.conf
-- examples/proxy_server.rb
-- examples/rainbows.conf
-- examples/server.rb
-- examples/sse.html
-- examples/ws.html
 - lib/faye/adapters/goliath.rb
 - lib/faye/adapters/rainbows.rb
 - lib/faye/adapters/rainbows_client.rb
@@ -209,11 +200,12 @@ files:
 - lib/faye/websocket/api/event.rb
 - lib/faye/websocket/api/event_target.rb
 - lib/faye/websocket/client.rb
+- lib/faye/websocket/ssl_verifier.rb
 homepage: https://github.com/faye/faye-websocket-ruby
 licenses:
 - Apache-2.0
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options:
 - "--main"
 - README.md
@@ -232,8 +224,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.0.3
-signing_key: 
+rubygems_version: 3.1.2
+signing_key:
 specification_version: 4
 summary: Standards-compliant WebSocket server and client
 test_files: []

data/examples/app.rb

@@ -1,54 +0,0 @@
-require 'faye/websocket'
-require 'permessage_deflate'
-require 'rack'
-
-static  = Rack::File.new(File.dirname(__FILE__))
-options = { :extensions => [PermessageDeflate], :ping => 5 }
-
-App = lambda do |env|
-  if Faye::WebSocket.websocket?(env)
-    ws = Faye::WebSocket.new(env, ['irc', 'xmpp'], options)
-    p [:open, ws.url, ws.version, ws.protocol]
-
-    ws.onmessage = lambda do |event|
-      ws.send(event.data)
-    end
-
-    ws.onclose = lambda do |event|
-      p [:close, event.code, event.reason]
-      ws = nil
-    end
-
-    ws.rack_response
-
-  elsif Faye::EventSource.eventsource?(env)
-    es   = Faye::EventSource.new(env)
-    time = es.last_event_id.to_i
-
-    p [:open, es.url, es.last_event_id]
-
-    loop = EM.add_periodic_timer(2) do
-      time += 1
-      es.send("Time: #{ time }")
-      EM.add_timer(1) do
-        es.send('Update!!', :event => 'update', :id => time) if es
-      end
-    end
-
-    es.send("Welcome!\n\nThis is an EventSource server.")
-
-    es.onclose = lambda do |event|
-      EM.cancel_timer(loop)
-      p [:close, es.url]
-      es = nil
-    end
-
-    es.rack_response
-
-  else
-    static.call(env)
-  end
-end
-
-def App.log(message)
-end

data/examples/autobahn_client.rb

@@ -1,49 +0,0 @@
-require 'bundler/setup'
-require 'cgi'
-require 'faye/websocket'
-require 'permessage_deflate'
-require 'progressbar'
-
-EM.run {
-  ruby    = RUBY_PLATFORM =~ /java/ ? 'jruby' : 'mri-ruby'
-  version = defined?(RUBY_ENGINE_VERSION) ? RUBY_ENGINE_VERSION : RUBY_VERSION
-  version += " (#{ RUBY_VERSION })" if ruby == 'jruby'
-
-  host    = 'ws://0.0.0.0:9001'
-  agent   = CGI.escape("#{ ruby }-#{ version }")
-  cases   = 0
-  options = { :extensions => [PermessageDeflate] }
-
-  socket   = Faye::WebSocket::Client.new("#{ host }/getCaseCount")
-  progress = nil
-
-  socket.onmessage = lambda do |event|
-    puts "Total cases to run: #{ event.data }"
-    cases = event.data.to_i
-    progress = ProgressBar.create(:title => 'Autobahn', :total => cases)
-  end
-
-  run_case = lambda do |n|
-    if n > cases
-      socket = Faye::WebSocket::Client.new("#{ host }/updateReports?agent=#{ agent }")
-      socket.onclose = lambda { |e| EM.stop }
-      next
-    end
-
-    url = "#{ host }/runCase?case=#{ n }&agent=#{ agent }"
-    socket = Faye::WebSocket::Client.new(url, [], options)
-
-    socket.onmessage = lambda do |event|
-      socket.send(event.data)
-    end
-
-    socket.on :close do |event|
-      progress.increment
-      run_case[n + 1]
-    end
-  end
-
-  socket.onclose = lambda do |event|
-    run_case[1]
-  end
-}

data/examples/client.rb

@@ -1,33 +0,0 @@
-require 'bundler/setup'
-require 'faye/websocket'
-require 'eventmachine'
-require 'permessage_deflate'
-
-EM.run {
-  url   = ARGV[0]
-  proxy = ARGV[1]
-
-  ws = Faye::WebSocket::Client.new(url, [],
-    :proxy      => { :origin => proxy, :headers => { 'User-Agent' => 'Echo' } },
-    :headers    => { 'Origin' => 'http://faye.jcoglan.com' },
-    :extensions => [PermessageDeflate]
-  )
-
-  ws.onopen = lambda do |event|
-    p [:open, ws.headers]
-    ws.send('mic check')
-  end
-
-  ws.onclose = lambda do |close|
-    p [:close, close.code, close.reason]
-    EM.stop
-  end
-
-  ws.onerror = lambda do |error|
-    p [:error, error.message]
-  end
-
-  ws.onmessage = lambda do |message|
-    p [:message, message.data]
-  end
-}

data/examples/config.ru

@@ -1,12 +0,0 @@
-# Run using your favourite server:
-#
-#     thin start -R examples/config.ru -p 7000
-#     rainbows -c examples/rainbows.conf -E production examples/config.ru -p 7000
-
-require 'bundler/setup'
-require File.expand_path('../app', __FILE__)
-
-Faye::WebSocket.load_adapter('thin')
-Faye::WebSocket.load_adapter('rainbows')
-
-run App

data/examples/haproxy.conf

@@ -1,20 +0,0 @@
-defaults
-   mode http
-   timeout client  5s
-   timeout connect 5s
-   timeout server  5s
-
-frontend all 0.0.0.0:3000
-   mode http
-   timeout client 120s
-
-   option forwardfor
-   option http-server-close
-   option http-pretend-keepalive
-
-   default_backend sockets
-
-backend sockets
-   balance uri depth 2
-   timeout server  120s
-   server socket1 127.0.0.1:7000

data/examples/proxy_server.rb

@@ -1,13 +0,0 @@
-require 'bundler/setup'
-require 'eventmachine'
-require 'websocket/driver'
-
-require File.expand_path('../../spec/proxy_server', __FILE__)
-
-port   = ARGV[0]
-secure = ARGV[1] == 'tls'
-
-EM.run {
-  proxy = ProxyServer.new(:debug => true)
-  proxy.listen(port, secure)
-}

data/examples/rainbows.conf

@@ -1,3 +0,0 @@
-Rainbows! do
-  use :EventMachine
-end

data/examples/server.rb

@@ -1,51 +0,0 @@
-require 'bundler/setup'
-require 'rack/content_length'
-require 'rack/chunked'
-
-port   = ARGV[0] || 7000
-secure = ARGV[1] == 'tls'
-engine = ARGV[2] || 'thin'
-spec   = File.expand_path('../../spec', __FILE__)
-
-require File.expand_path('../app', __FILE__)
-Faye::WebSocket.load_adapter(engine)
-
-case engine
-
-when 'goliath'
-  class WebSocketServer < Goliath::API
-    def response(env)
-      App.call(env)
-    end
-  end
-
-when 'puma'
-  require 'puma/binder'
-  require 'puma/events'
-  events = Puma::Events.new($stdout, $stderr)
-  binder = Puma::Binder.new(events)
-  binder.parse(["tcp://0.0.0.0:#{ port }"], App)
-  server = Puma::Server.new(App, events)
-  server.binder = binder
-  server.run.join
-
-when 'rainbows'
-  rackup = Unicorn::Configurator::RACKUP
-  rackup[:port] = port
-  rackup[:set_listener] = true
-  options = rackup[:options]
-  options[:config_file] = File.expand_path('../rainbows.conf', __FILE__)
-  Rainbows::HttpServer.new(App, options).start.join
-
-when 'thin'
-  thin = Rack::Handler.get('thin')
-  thin.run(App, :Host => '0.0.0.0', :Port => port) do |server|
-    if secure
-      server.ssl_options = {
-        :private_key_file => spec + '/server.key',
-        :cert_chain_file  => spec + '/server.crt'
-      }
-      server.ssl = true
-    end
-  end
-end

data/examples/sse.html

@@ -1,38 +0,0 @@
-<!doctype html>
-<html>
-  <head>
-    <meta http-equiv="Content-type" content="text/html; charset=utf-8">
-    <title>EventSource test</title>
-  </head>
-  <body>
-
-    <h1>EventSource test</h1>
-    <ul></ul>
-
-    <script type="text/javascript">
-      var logger = document.getElementsByTagName('ul')[0],
-          socket = new EventSource('/');
-
-      var log = function(text) {
-        logger.innerHTML += '<li>' + text + '</li>';
-      };
-
-      socket.onopen = function() {
-        log('OPEN');
-      };
-
-      socket.onmessage = function(event) {
-        log('MESSAGE: ' + event.data);
-      };
-
-      socket.addEventListener('update', function(event) {
-        log('UPDATE(' + event.lastEventId + '): ' + event.data);
-      });
-
-      socket.onerror = function(event) {
-        log('ERROR: ' + event.message);
-      };
-    </script>
-
-  </body>
-</html>

data/examples/ws.html

@@ -1,43 +0,0 @@
-<!doctype html>
-<html>
-  <head>
-    <meta http-equiv="Content-type" content="text/html; charset=utf-8">
-    <title>WebSocket test</title>
-  </head>
-  <body>
-
-    <h1>WebSocket test</h1>
-    <ul></ul>
-
-    <script type="text/javascript">
-      var logger = document.getElementsByTagName('ul')[0],
-          Socket = window.MozWebSocket || window.WebSocket,
-          protos = ['foo', 'bar', 'xmpp'],
-          socket = new Socket('ws://' + location.hostname + ':' + location.port + '/', protos),
-          index  = 0;
-
-      var log = function(text) {
-        logger.innerHTML += '<li>' + text + '</li>';
-      };
-
-      socket.addEventListener('open', function() {
-        log('OPEN: ' + socket.protocol);
-        socket.send('Hello, world');
-      });
-
-      socket.onerror = function(event) {
-        log('ERROR: ' + event.message);
-      };
-
-      socket.onmessage = function(event) {
-        log('MESSAGE: ' + event.data);
-        setTimeout(function() { socket.send(++index + ' ' + event.data) }, 2000);
-      };
-
-      socket.onclose = function(event) {
-        log('CLOSE: ' + event.code + ', ' + event.reason);
-      };
-    </script>
-
-  </body>
-</html>