httpclient 2.8.2.4 → 2.9.0

data/lib/httpclient/ssl_config.rb

@@ -39,26 +39,28 @@ class HTTPClient
     if SSLEnabled
       include OpenSSL
 
-      module ::OpenSSL
-        module X509
-          class Store
-            attr_reader :_httpclient_cert_store_items
-
-            # TODO: use prepend instead when we drop JRuby + 1.9.x support
-            wrapped = {}
-
-            wrapped[:initialize] = instance_method(:initialize)
-            define_method(:initialize) do |*args|
-              wrapped[:initialize].bind(self).call(*args)
-              @_httpclient_cert_store_items = [ENV['SSL_CERT_FILE'] || :default]
-            end
+      if defined? JRUBY_VERSION
+        module ::OpenSSL
+          module X509
+            class Store
+              attr_reader :_httpclient_cert_store_items
+
+              # TODO: use prepend instead when we drop JRuby + 1.9.x support
+              wrapped = {}
+
+              wrapped[:initialize] = instance_method(:initialize)
+              define_method(:initialize) do |*args|
+                wrapped[:initialize].bind(self).call(*args)
+                @_httpclient_cert_store_items = [ENV['SSL_CERT_FILE'] || :default]
+              end
 
-            [:add_cert, :add_file, :add_path].each do |m|
-              wrapped[m] = instance_method(m)
-              define_method(m) do |cert|
-                res = wrapped[m].bind(self).call(cert)
-                @_httpclient_cert_store_items << cert
-                res
+              [:add_cert, :add_file, :add_path].each do |m|
+                wrapped[m] = instance_method(m)
+                define_method(m) do |cert|
+                  res = wrapped[m].bind(self).call(cert)
+                  @_httpclient_cert_store_items << cert
+                  res
+                end
               end
             end
           end
@@ -66,58 +68,81 @@ class HTTPClient
       end
     end
 
+    class << self
+    private
+      def attr_config(symbol)
+        name = symbol.to_s
+        ivar_name = "@#{name}"
+        define_method(name) {
+          instance_variable_get(ivar_name)
+        }
+        define_method("#{name}=") { |rhs|
+          if instance_variable_get(ivar_name) != rhs
+            instance_variable_set(ivar_name, rhs)
+            change_notify
+          end
+        }
+        symbol
+      end
+    end
+
+
     CIPHERS_DEFAULT = "ALL:!aNULL:!eNULL:!SSLv2" # OpenSSL >1.0.0 default
 
     # Which TLS protocol version (also called method) will be used. Defaults
-    # to :auto which means that OpenSSL decides (In my tests this resulted 
+    # to :auto which means that OpenSSL decides (In my tests this resulted
     # with always the highest available protocol being used).
     # String name of OpenSSL's SSL version method name: TLSv1_2, TLSv1_1, TLSv1,
     # SSLv2, SSLv23, SSLv3 or :auto (and nil) to allow version negotiation (default).
     # See {OpenSSL::SSL::SSLContext::METHODS} for a list of available versions
     # in your specific Ruby environment.
-    attr_reader :ssl_version
+    attr_config :ssl_version
     # OpenSSL::X509::Certificate:: certificate for SSL client authentication.
     # nil by default. (no client authentication)
-    attr_reader :client_cert
+    attr_config :client_cert
     # OpenSSL::PKey::PKey:: private key for SSL client authentication.
     # nil by default. (no client authentication)
-    attr_reader :client_key
-    attr_reader :client_key_pass
+    attr_config :client_key
+    # OpenSSL::PKey::PKey:: private key pass phrase for client_key.
+    # nil by default. (no pass phrase)
+    attr_config :client_key_pass
 
     # A number which represents OpenSSL's verify mode.  Default value is
     # OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT.
-    attr_reader :verify_mode
+    attr_config :verify_mode
     # A number of verify depth.  Certification path which length is longer than
     # this depth is not allowed.
     # CAUTION: this is OpenSSL specific option and ignored on JRuby.
-    attr_reader :verify_depth
+    attr_config :verify_depth
     # A callback handler for custom certificate verification.  nil by default.
     # If the handler is set, handler.call is invoked just after general
     # OpenSSL's verification.  handler.call is invoked with 2 arguments,
     # ok and ctx; ok is a result of general OpenSSL's verification.  ctx is a
     # OpenSSL::X509::StoreContext.
-    attr_reader :verify_callback
+    attr_config :verify_callback
     # SSL timeout in sec.  nil by default.
-    attr_reader :timeout
+    attr_config :timeout
     # A number of OpenSSL's SSL options.  Default value is
     # OpenSSL::SSL::OP_ALL | OpenSSL::SSL::OP_NO_SSLv2
     # CAUTION: this is OpenSSL specific option and ignored on JRuby.
     # Use ssl_version to specify the TLS version you want to use.
-    attr_reader :options
+    attr_config :options
     # A String of OpenSSL's cipher configuration.  Default value is
     # ALL:!ADH:!LOW:!EXP:!MD5:+SSLv2:@STRENGTH
     # See ciphers(1) man in OpenSSL for more detail.
-    attr_reader :ciphers
+    attr_config :ciphers
 
     # OpenSSL::X509::X509::Store used for verification.  You can reset the
     # store with clear_cert_store and set the new store with cert_store=.
     attr_reader :cert_store # don't use if you don't know what it is.
 
     # For server side configuration.  Ignore this.
-    attr_reader :client_ca # :nodoc:
+    attr_config :client_ca # :nodoc:
 
     # These array keeps original files/dirs that was added to @cert_store
-    def cert_store_items; @cert_store._httpclient_cert_store_items; end
+    if defined? JRUBY_VERSION
+      def cert_store_items; @cert_store._httpclient_cert_store_items; end
+    end
     attr_reader :cert_store_crl_items
 
     # Creates a SSLConfig.
@@ -126,7 +151,7 @@ class HTTPClient
       @client = client
       @cert_store = X509::Store.new
       @cert_store_crl_items = []
-      @client_cert = @client_key = @client_ca = nil
+      @client_cert = @client_key = @client_key_pass = @client_ca = nil
       @verify_mode = SSL::VERIFY_PEER | SSL::VERIFY_FAIL_IF_NO_PEER_CERT
       @verify_depth = nil
       @verify_callback = nil
@@ -144,42 +169,18 @@ class HTTPClient
       @cacerts_loaded = false
     end
 
-    # Sets SSL version method String.  Possible values: "SSLv2" for SSL2,
-    # "SSLv3" for SSL3 and TLS1.x, "SSLv23" for SSL3 with fallback to SSL2.
-    def ssl_version=(ssl_version)
-      @ssl_version = ssl_version
-      change_notify
-    end
-
-    # Sets certificate (OpenSSL::X509::Certificate) for SSL client
-    # authentication.
-    # client_key and client_cert must be a pair.
-    #
-    # Calling this method resets all existing sessions.
-    def client_cert=(client_cert)
-      @client_cert = client_cert
-      change_notify
-    end
-
-    # Sets private key (OpenSSL::PKey::PKey) for SSL client authentication.
-    # client_key and client_cert must be a pair.
-    #
-    # Calling this method resets all existing sessions.
-    def client_key=(client_key)
-      @client_key = client_key
-      change_notify
-    end
-
     # Sets certificate and private key for SSL client authentication.
     # cert_file:: must be a filename of PEM/DER formatted file.
     # key_file:: must be a filename of PEM/DER formatted file.  Key must be an
     #            RSA key.  If you want to use other PKey algorithm,
     #            use client_key=.
     #
-    # Calling this method resets all existing sessions.
+    # Calling this method resets all existing sessions if value is changed.
     def set_client_cert_file(cert_file, key_file, pass = nil)
-      @client_cert, @client_key, @client_key_pass = cert_file, key_file, pass
-      change_notify
+      if (@client_cert != cert_file) || (@client_key != key_file) || (@client_key_pass != pass)
+        @client_cert, @client_key, @client_key_pass = cert_file, key_file, pass
+        change_notify
+      end
     end
 
     # Sets OpenSSL's default trusted CA certificates.  Generally, OpenSSL is
@@ -207,7 +208,9 @@ class HTTPClient
     def clear_cert_store
       @cacerts_loaded = true # avoid lazy override
       @cert_store = X509::Store.new
-      @cert_store._httpclient_cert_store_items.clear
+      if defined? JRUBY_VERSION
+        @cert_store._httpclient_cert_store_items.clear
+      end
       change_notify
     end
 
@@ -216,9 +219,12 @@ class HTTPClient
     #
     # Calling this method resets all existing sessions.
     def cert_store=(cert_store)
-      @cacerts_loaded = true # avoid lazy override
-      @cert_store = cert_store
-      change_notify
+      # This is object equality check, since OpenSSL::X509::Store doesn't overload ==
+      if !@cacerts_loaded || (@cert_store != cert_store)
+        @cacerts_loaded = true # avoid lazy override
+        @cert_store = cert_store
+        change_notify
+      end
     end
 
     # Sets trust anchor certificate(s) for verification.
@@ -276,62 +282,6 @@ class HTTPClient
     end
     alias set_crl add_crl
 
-    # Sets verify mode of OpenSSL.  New value must be a combination of
-    # constants OpenSSL::SSL::VERIFY_*
-    #
-    # Calling this method resets all existing sessions.
-    def verify_mode=(verify_mode)
-      @verify_mode = verify_mode
-      change_notify
-    end
-
-    # Sets verify depth.  New value must be a number.
-    #
-    # Calling this method resets all existing sessions.
-    def verify_depth=(verify_depth)
-      @verify_depth = verify_depth
-      change_notify
-    end
-
-    # Sets callback handler for custom certificate verification.
-    # See verify_callback.
-    #
-    # Calling this method resets all existing sessions.
-    def verify_callback=(verify_callback)
-      @verify_callback = verify_callback
-      change_notify
-    end
-
-    # Sets SSL timeout in sec.
-    #
-    # Calling this method resets all existing sessions.
-    def timeout=(timeout)
-      @timeout = timeout
-      change_notify
-    end
-
-    # Sets SSL options.  New value must be a combination of # constants
-    # OpenSSL::SSL::OP_*
-    #
-    # Calling this method resets all existing sessions.
-    def options=(options)
-      @options = options
-      change_notify
-    end
-
-    # Sets cipher configuration.  New value must be a String.
-    #
-    # Calling this method resets all existing sessions.
-    def ciphers=(ciphers)
-      @ciphers = ciphers
-      change_notify
-    end
-
-    def client_ca=(client_ca) # :nodoc:
-      @client_ca = client_ca
-      change_notify
-    end
-
     def verify?
       @verify_mode && (@verify_mode & OpenSSL::SSL::VERIFY_PEER != 0)
     end
@@ -459,6 +409,9 @@ class HTTPClient
         return true
       end
 
+      if pathlen > 2
+        warn('pathlen > 2') if $DEBUG
+      end
       return false
     end
 
@@ -471,7 +424,6 @@ class HTTPClient
 
     # Use 2048 bit certs trust anchor
     def load_cacerts(cert_store)
-      ver = OpenSSL::OPENSSL_VERSION
       file = File.join(File.dirname(__FILE__), 'cacert.pem')
       add_trust_ca_to_store(cert_store, file)
     end

data/lib/httpclient/ssl_socket.rb

@@ -14,43 +14,31 @@ class HTTPClient
   # Wraps up OpenSSL::SSL::SSLSocket and offers debugging features.
   class SSLSocket
     def self.create_socket(session)
+      opts = {
+        :debug_dev => session.debug_dev
+      }
       site = session.proxy || session.dest
       socket = session.create_socket(site.host, site.port)
       begin
         if session.proxy
           session.connect_ssl_proxy(socket, Util.urify(session.dest.to_s))
         end
-        ssl_socket = new(socket, session.ssl_config, session.debug_dev)
-        ssl_socket.ssl_connect(session.dest.host)
-        ssl_socket
+        new(socket, session.dest, session.ssl_config, opts)
       rescue
         socket.close
         raise
       end
     end
 
-    def initialize(socket, context, debug_dev = nil)
+    def initialize(socket, dest, config, opts = {})
       unless SSLEnabled
         raise ConfigurationError.new('Ruby/OpenSSL module is required')
       end
       @socket = socket
-      @context = context
+      @config = config
       @ssl_socket = create_openssl_socket(@socket)
-      @debug_dev = debug_dev
-    end
-
-    def ssl_connect(hostname = nil)
-      if hostname && @ssl_socket.respond_to?(:hostname=)
-        @ssl_socket.hostname = hostname
-      end
-      @ssl_socket.connect
-      if $DEBUG
-        if @ssl_socket.respond_to?(:ssl_version)
-          warn("Protocol version: #{@ssl_socket.ssl_version}")
-        end
-        warn("Cipher: #{@ssl_socket.cipher.inspect}")
-      end
-      post_connection_check(hostname)
+      @debug_dev = opts[:debug_dev]
+      ssl_connect(dest.host)
     end
 
     def peer_cert
@@ -108,8 +96,22 @@ class HTTPClient
 
   private
 
+    def ssl_connect(hostname = nil)
+      if hostname && @ssl_socket.respond_to?(:hostname=)
+        @ssl_socket.hostname = hostname
+      end
+      @ssl_socket.connect
+      if $DEBUG
+        if @ssl_socket.respond_to?(:ssl_version)
+          warn("Protocol version: #{@ssl_socket.ssl_version}")
+        end
+        warn("Cipher: #{@ssl_socket.cipher.inspect}")
+      end
+      post_connection_check(hostname)
+    end
+
     def post_connection_check(hostname)
-      verify_mode = @context.verify_mode || OpenSSL::SSL::VERIFY_NONE
+      verify_mode = @config.verify_mode || OpenSSL::SSL::VERIFY_NONE
       if verify_mode == OpenSSL::SSL::VERIFY_NONE
         return
       elsif @ssl_socket.peer_cert.nil? and
@@ -119,7 +121,7 @@ class HTTPClient
       if @ssl_socket.respond_to?(:post_connection_check) and RUBY_VERSION > "1.8.4"
         @ssl_socket.post_connection_check(hostname)
       else
-        @context.post_connection_check(@ssl_socket.peer_cert, hostname)
+        @config.post_connection_check(@ssl_socket.peer_cert, hostname)
       end
     end
 
@@ -131,11 +133,11 @@ class HTTPClient
       ssl_socket = nil
       if OpenSSL::SSL.const_defined?("SSLContext")
         ctx = OpenSSL::SSL::SSLContext.new
-        @context.set_context(ctx)
+        @config.set_context(ctx)
         ssl_socket = OpenSSL::SSL::SSLSocket.new(socket, ctx)
       else
         ssl_socket = OpenSSL::SSL::SSLSocket.new(socket)
-        @context.set_context(ssl_socket)
+        @config.set_context(ssl_socket)
       end
       ssl_socket
     end

data/lib/httpclient/util.rb

@@ -64,7 +64,7 @@ class HTTPClient
         # Overwrites the original definition just for one line...
         def authority
           self.host && @authority ||= (begin
-            authority = ""
+            authority = "".dup
             if self.userinfo != nil
               authority << "#{self.userinfo}@"
             end

data/lib/httpclient/version.rb

@@ -1,3 +1,3 @@
 class HTTPClient
-  VERSION = '2.8.2.4'
+  VERSION = '2.9.0'
 end

data/lib/httpclient.rb

@@ -355,6 +355,8 @@ class HTTPClient
   # if your ruby is older than 2005-09-06, do not set socket_sync = false to
   # avoid an SSL socket blocking bug in openssl/buffering.rb.
   attr_proxy(:socket_sync, true)
+  # Enables TCP keepalive; no timing settings exist at present
+  attr_proxy(:tcp_keepalive, true)
   # User-Agent header in HTTP request.
   attr_proxy(:agent_name, true)
   # From header in HTTP request.
@@ -751,6 +753,10 @@ class HTTPClient
     request(:patch, uri, new_args, &block)
   end
 
+  # :call-seq:
+  #   post(uri, {query: query, body: body, header: header, follow_redirect: follow_redirect}) -> HTTP::Message
+  #   post(uri, body, header, follow_redirect) -> HTTP::Message
+  #
   # Sends POST request to the specified URL.  See request for arguments.
   # You should not depend on :follow_redirect => true for POST method.  It
   # sends the same POST method to the new location which is prohibited in HTTP spec.
@@ -1234,7 +1240,7 @@ private
       conn.push(res)
       return res
     end
-    content = block ? nil : ''
+    content = block ? nil : ''.dup
     res = HTTP::Message.new_response(content, req.header)
     @debug_dev << "= Request\n\n" if @debug_dev
     sess = @session_manager.query(req, proxy)

data/lib/jsonclient.rb

@@ -2,7 +2,7 @@ require 'httpclient'
 require 'json'
  
 # JSONClient auto-converts Hash <-> JSON in request and response.
-# * For POST or PUT request, convert Hash body to JSON String with 'application/json; charset=utf-8' header.
+# * For PATCH, POST or PUT request, convert Hash body to JSON String with 'application/json; charset=utf-8' header.
 # * For response, convert JSON String to Hash when content-type is '(application|text)/(x-)?json'
 class JSONClient < HTTPClient
   CONTENT_TYPE_JSON_REGEX = /(application|text)\/(x-)?json/i
@@ -17,6 +17,10 @@ class JSONClient < HTTPClient
     @content_type_json_response_regex = CONTENT_TYPE_JSON_REGEX
   end
  
+  def patch(uri, *args, &block)
+    request(:patch, uri, argument_to_hash_for_json(args), &block)
+  end
+ 
   def post(uri, *args, &block)
     request(:post, uri, argument_to_hash_for_json(args), &block)
   end
@@ -37,7 +41,7 @@ private
 
   def argument_to_hash_for_json(args)
     hash = argument_to_hash(args, :body, :header, :follow_redirect)
-    if hash[:body].is_a?(Hash)
+    if hash[:body].is_a?(Hash) || hash[:body].is_a?(Array)
       hash[:header] = json_header(hash[:header])
       hash[:body] = JSON.generate(hash[:body])
     end
@@ -47,11 +51,10 @@ private
   def json_header(header)
     header ||= {}
     if header.is_a?(Hash)
-      header['Content-Type'] = @content_type_json_request
+      header.merge('Content-Type' => @content_type_json_request)
     else
-      header << ['Content-Type', @content_type_json_request]
+      header + [['Content-Type', @content_type_json_request]]
     end
-    header
   end
 
   def wrap_json_response(original)

data/sample/auth.rb

@@ -7,5 +7,5 @@ c.debug_dev = STDOUT
 #c.set_proxy_auth("admin", "admin")
 
 # for WWW authentication: supports Basic, Digest and Negotiate.
-c.set_auth("http://dev.ctor.org/http-access2/", "user", "user")
+c.set_auth("http://dev.ctor.org/http-access2/", "username", "password")
 p c.get("http://dev.ctor.org/http-access2/login")

data/sample/generate_test_keys.rb

@@ -0,0 +1,99 @@
+require "openssl"
+
+def build_ca
+  root_key = OpenSSL::PKey::RSA.new 2048 # the CA's public/private key
+  root_ca = OpenSSL::X509::Certificate.new
+  root_ca.version = 2 # cf. RFC 5280 - to make it a "v3" certificate
+  root_ca.serial = 1
+  root_ca.subject = OpenSSL::X509::Name.parse "C=JP,O=JIN.GR.JP,OU=RRR,CN=CA"
+  root_ca.issuer = root_ca.subject # root CA's are "self-signed"
+  root_ca.public_key = root_key.public_key
+  root_ca.not_before = Time.now
+  root_ca.not_after = root_ca.not_before + 10 * 365 * 24 * 60 * 60 # 10 years validity
+  ef = OpenSSL::X509::ExtensionFactory.new
+  ef.subject_certificate = root_ca
+  ef.issuer_certificate = root_ca
+  root_ca.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true))
+  root_ca.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
+  root_ca.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
+  root_ca.add_extension(ef.create_extension("authorityKeyIdentifier","keyid:always",false))
+  root_ca.sign(root_key, OpenSSL::Digest::SHA256.new)
+  [root_key, root_ca]
+end
+
+root_key, root_ca = build_ca
+
+File.write("test/ca.cert", root_ca.to_s)
+File.write("test/ca.key", root_key.to_s)
+
+def sub_cert(root_key, root_ca, cn, intermediate: false)
+  key = OpenSSL::PKey::RSA.new 2048
+  cert = OpenSSL::X509::Certificate.new
+  cert.version = 2
+  cert.serial = 2
+  cert.subject = OpenSSL::X509::Name.parse "C=JP,O=JIN.GR.JP,OU=RRR,CN=#{cn}"
+  cert.issuer = root_ca.subject # root CA is the issuer
+  cert.public_key = key.public_key
+  cert.not_before = Time.now
+  cert.not_after = cert.not_before + 9 * 365 * 24 * 60 * 60 # 9 years validity
+  ef = OpenSSL::X509::ExtensionFactory.new
+  ef.subject_certificate = cert
+  ef.issuer_certificate = root_ca
+  cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
+  if intermediate
+    cert.add_extension(ef.create_extension("keyUsage","keyCertSign, cRLSign", true))
+    cert.add_extension(ef.create_extension("basicConstraints","CA:TRUE",true))
+  else
+    cert.add_extension(ef.create_extension("keyUsage","digitalSignature, keyEncipherment", true))
+    cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth"))
+  end
+  cert.sign(root_key, OpenSSL::Digest::SHA256.new)
+  [key, cert]
+end
+
+sub_key, sub_cert = sub_cert(root_key, root_ca, "SubCA", intermediate: true)
+File.write("test/subca.cert", sub_cert.to_s)
+File.write("test/subca.key", sub_key.to_s)
+
+server_key, server_cert = sub_cert(sub_key, sub_cert, "localhost")
+File.write("test/server.cert", server_cert.to_s)
+File.write("test/server.key", server_key.to_s)
+
+client_key, client_cert = sub_cert(root_key, root_ca, "localhost")
+File.write("test/client.cert", client_cert.to_s)
+File.write("test/client.key", client_key.to_s)
+
+system(
+  "openssl", "rsa", "-aes256",
+  "-in", "test/client.key",
+  "-out", "test/client-pass.key",
+  "-passout", "pass:pass4key",
+)
+
+File.write("test/ca-chain.pem", root_ca.to_s + sub_cert.to_s)
+
+verify_key = OpenSSL::PKey::RSA.new 2048
+File.write("test/fixtures/verify.key", verify_key.to_s)
+
+def build_self_signed(key, cn)
+  cert = OpenSSL::X509::Certificate.new
+  cert.version = 2
+  cert.serial = 2
+  cert.subject = OpenSSL::X509::Name.parse "C=JP,O=JIN.GR.JP,OU=RRR,CN=#{cn}"
+  cert.issuer = cert.subject
+  cert.public_key = key.public_key
+  cert.not_before = Time.now
+  cert.not_after = cert.not_before + 9 * 365 * 24 * 60 * 60 # 9 years validity
+  ef = OpenSSL::X509::ExtensionFactory.new
+  ef.subject_certificate = cert
+  ef.issuer_certificate = cert
+  cert.add_extension(ef.create_extension("subjectKeyIdentifier","hash",false))
+  cert.add_extension(ef.create_extension("keyUsage","digitalSignature, keyEncipherment", true))
+  cert.add_extension(ef.create_extension("extendedKeyUsage", "serverAuth"))
+  cert.sign(key, OpenSSL::Digest::SHA256.new)
+  cert
+end
+
+File.write("test/fixtures/verify.localhost.cert", build_self_signed(verify_key, "localhost").to_s)
+File.write("test/fixtures/verify.foo.cert", build_self_signed(verify_key, "foo").to_s)
+File.write("test/fixtures/verify.alt.cert", build_self_signed(verify_key, "alt").to_s)