RubyGems - httpx - Versions diffs - 0.19.2 → 0.19.5 - Mend

httpx 0.19.2 → 0.19.5

Files changed (24) hide show

checksums.yaml +4 -4
data/doc/release_notes/0_19_3.md +6 -0
data/doc/release_notes/0_19_4.md +14 -0
data/doc/release_notes/0_19_5.md +13 -0
data/lib/httpx/adapters/webmock.rb +1 -0
data/lib/httpx/headers.rb +2 -0
data/lib/httpx/io.rb +3 -16
data/lib/httpx/options.rb +3 -2
data/lib/httpx/plugins/proxy/ssh.rb +0 -6
data/lib/httpx/plugins/proxy.rb +0 -6
data/lib/httpx/plugins/retries.rb +1 -1
data/lib/httpx/pool.rb +1 -1
data/lib/httpx/resolver/https.rb +33 -13
data/lib/httpx/resolver/native.rb +57 -30
data/lib/httpx/resolver/resolver.rb +3 -1
data/lib/httpx/resolver/system.rb +2 -0
data/lib/httpx/version.rb +1 -1
data/sig/resolver/https.rbs +2 -2
data/sig/resolver/native.rbs +4 -2
metadata +8 -6
data/lib/httpx/io/tls/box.rb +0 -365
data/lib/httpx/io/tls/context.rb +0 -199
data/lib/httpx/io/tls/ffi.rb +0 -390
data/lib/httpx/io/tls.rb +0 -218

data/lib/httpx/io/tls/box.rb DELETED Viewed

@@ -1,365 +0,0 @@
-# frozen_string_literal: true
-# Copyright (c) 2004-2013 Cotag Media
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is furnished
-# to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-class HTTPX::TLS
-  class Box
-    InstanceLookup = ::Concurrent::Map.new
-    READ_BUFFER = 2048
-    SSL_VERIFY_PEER = 0x01
-    SSL_VERIFY_CLIENT_ONCE = 0x04
-    VerifyCB = FFI::Function.new(:int, %i[int pointer]) do |preverify_ok, x509_store|
-      x509 = SSL.X509_STORE_CTX_get_current_cert(x509_store)
-      ssl = SSL.X509_STORE_CTX_get_ex_data(x509_store, SSL.SSL_get_ex_data_X509_STORE_CTX_idx)
-      bio_out = SSL.BIO_new(SSL.BIO_s_mem)
-      ret = SSL.PEM_write_bio_X509(bio_out, x509)
-      if ret
-        len = SSL.BIO_pending(bio_out)
-        buffer = FFI::MemoryPointer.new(:char, len, false)
-        size = SSL.BIO_read(bio_out, buffer, len)
-        # THis is the callback into the ruby class
-        cert = buffer.read_string(size)
-        SSL.BIO_free(bio_out)
-        # InstanceLookup[ssl.address].verify(cert) || preverify_ok.zero? ? 1 : 0
-        depth = SSL.X509_STORE_CTX_get_error_depth(ssl)
-        box = InstanceLookup[ssl.address]
-        if preverify_ok == 1
-          hostname_verify = box.verify(cert)
-          if hostname_verify
-            1
-          else
-            # SSL.X509_STORE_CTX_set_error(x509_store, SSL::X509_V_ERR_HOSTNAME_MISMATCH)
-            0
-          end
-        else
-          1
-        end
-      else
-        SSL.BIO_free(bio_out)
-        SSL.X509_STORE_CTX_set_error(x509_store, SSL::X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT)
-        0
-      end
-    end
-    attr_reader :is_server, :context, :handshake_completed, :hosts, :ssl_version, :cipher, :verify_peer
-    def initialize(is_server, transport, options = {})
-      @ready = true
-      @handshake_completed = false
-      @handshake_signaled = false
-      @alpn_negotiated = false
-      @transport = transport
-      @read_buffer = FFI::MemoryPointer.new(:char, READ_BUFFER, false)
-      @is_server = is_server
-      @context = Context.new(is_server, options)
-      @bioRead = SSL.BIO_new(SSL.BIO_s_mem)
-      @bioWrite = SSL.BIO_new(SSL.BIO_s_mem)
-      @ssl = SSL.SSL_new(@context.ssl_ctx)
-      SSL.SSL_set_bio(@ssl, @bioRead, @bioWrite)
-      @write_queue = []
-      InstanceLookup[@ssl.address] = self
-      @verify_peer = options[:verify_peer]
-      if @verify_peer
-        SSL.SSL_set_verify(@ssl, SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, VerifyCB)
-      end
-      # Add Server Name Indication (SNI) for client connections
-      if (hostname = options[:hostname])
-        if is_server
-          @hosts = ::Concurrent::Map.new
-          @hosts[hostname.to_s] = @context
-          @context.add_server_name_indication
-        else
-          SSL.SSL_set_tlsext_host_name(@ssl, hostname)
-        end
-      end
-      SSL.SSL_connect(@ssl) unless is_server
-    end
-    def add_host(hostname:, **options)
-      raise Error, "Server Name Indication (SNI) not configured for default host" unless @hosts
-      raise Error, "only valid for server mode context" unless @is_server
-      context = Context.new(true, options)
-      @hosts[hostname.to_s] = context
-      context.add_server_name_indication
-      nil
-    end
-    # Careful with this.
-    # If you remove all the hosts you'll end up with a segfault
-    def remove_host(hostname)
-      raise Error, "Server Name Indication (SNI) not configured for default host" unless @hosts
-      raise Error, "only valid for server mode context" unless @is_server
-      context = @hosts[hostname.to_s]
-      if context
-        @hosts.delete(hostname.to_s)
-        context.cleanup
-      end
-      nil
-    end
-    def get_peer_cert
-      return "" unless @ready
-      SSL.SSL_get_peer_certificate(@ssl)
-    end
-    def start
-      return unless @ready
-      dispatch_cipher_text
-    end
-    def encrypt(data)
-      return unless @ready
-      wrote = put_plain_text data
-      if wrote < 0
-        @transport.close_cb
-      else
-        dispatch_cipher_text
-      end
-    end
-    SSL_ERROR_WANT_READ = 2
-    SSL_ERROR_SSL = 1
-    def decrypt(data)
-      return unless @ready
-      put_cipher_text data
-      unless SSL.is_init_finished(@ssl)
-        resp = @is_server ? SSL.SSL_accept(@ssl) : SSL.SSL_connect(@ssl)
-        if resp < 0
-          err_code = SSL.SSL_get_error(@ssl, resp)
-          if err_code != SSL_ERROR_WANT_READ
-            if err_code == SSL_ERROR_SSL
-              verify_msg = SSL.X509_verify_cert_error_string(SSL.SSL_get_verify_result(@ssl))
-              @transport.close_cb(verify_msg)
-            end
-            return
-          end
-        end
-        @handshake_completed = true
-        @ssl_version = SSL.get_version(@ssl)
-        @cipher = SSL.get_current_cipher(@ssl)
-        signal_handshake unless @handshake_signaled
-      end
-      loop do
-        size = get_plain_text(@read_buffer, READ_BUFFER)
-        if size > 0
-          @transport.dispatch_cb @read_buffer.read_string(size)
-        else
-          break
-        end
-      end
-      dispatch_cipher_text
-    end
-    def signal_handshake
-      @handshake_signaled = true
-      # Check protocol support here
-      if @context.alpn_set
-        proto = alpn_negotiated_protocol
-        if proto == :failed
-          if @alpn_negotiated
-            # We should shutdown if this is the case
-            # TODO: send back proper error message
-            @transport.close_cb
-            return
-          end
-        end
-        @transport.alpn_protocol_cb(proto)
-      end
-      @transport.handshake_cb
-    end
-    def alpn_negotiated!
-      @alpn_negotiated = true
-    end
-    SSL_RECEIVED_SHUTDOWN = 2
-    def cleanup
-      return unless @ready
-      @ready = false
-      InstanceLookup.delete @ssl.address
-      if (SSL.SSL_get_shutdown(@ssl) & SSL_RECEIVED_SHUTDOWN) != 0
-        SSL.SSL_shutdown @ssl
-      else
-        SSL.SSL_clear @ssl
-      end
-      SSL.SSL_free @ssl
-      if @hosts
-        @hosts.each_value(&:cleanup)
-        @hosts = nil
-      else
-        @context.cleanup
-      end
-    end
-    # Called from class level callback function
-    def verify(cert)
-      @transport.verify_cb(cert)
-    end
-    def close(msg)
-      @transport.close_cb(msg)
-    end
-    private
-    def alpn_negotiated_protocol
-      return nil unless @context.alpn_set
-      proto = FFI::MemoryPointer.new(:pointer, 1, true)
-      len = FFI::MemoryPointer.new(:uint, 1, true)
-      SSL.SSL_get0_alpn_selected(@ssl, proto, len)
-      resp = proto.get_pointer(0)
-      return :failed if resp.address == 0
-      length = len.get_uint(0)
-      resp.read_string(length)
-    end
-    def get_plain_text(buffer, ready)
-      # Read the buffered clear text
-      size = SSL.SSL_read(@ssl, buffer, ready)
-      if size >= 0
-        size
-      else
-        SSL.SSL_get_error(@ssl, size) == SSL_ERROR_WANT_READ ? 0 : -1
-      end
-    end
-    def pending_data(bio)
-      SSL.BIO_pending(bio)
-    end
-    def get_cipher_text(buffer, length)
-      SSL.BIO_read(@bioWrite, buffer, length)
-    end
-    def put_cipher_text(data)
-      len = data.bytesize
-      wrote = SSL.BIO_write(@bioRead, data, len)
-      wrote == len
-    end
-    SSL_ERROR_WANT_WRITE = 3
-    def put_plain_text(data)
-      @write_queue.push(data) if data
-      return 0 unless SSL.is_init_finished(@ssl)
-      fatal = false
-      did_work = false
-      until @write_queue.empty?
-        data = @write_queue.pop
-        len = data.bytesize
-        wrote = SSL.SSL_write(@ssl, data, len)
-        if wrote > 0
-          did_work = true
-        else
-          err_code = SSL.SSL_get_error(@ssl, wrote)
-          if (err_code != SSL_ERROR_WANT_READ) && (err_code != SSL_ERROR_WANT_WRITE)
-            fatal = true
-          else
-            # Not fatal - add back to the queue
-            @write_queue.unshift data
-          end
-          break
-        end
-      end
-      if did_work
-        1
-      elsif fatal
-        -1
-      else
-        0
-      end
-    end
-    CIPHER_DISPATCH_FAILED = "Cipher text dispatch failed"
-    def dispatch_cipher_text
-      loop do
-        did_work = false
-        # Get all the encrypted data and transmit it
-        pending = pending_data(@bioWrite)
-        if pending > 0
-          buffer = FFI::MemoryPointer.new(:char, pending, false)
-          resp = get_cipher_text(buffer, pending)
-          raise Error, CIPHER_DISPATCH_FAILED unless resp > 0
-          @transport.transmit_cb(buffer.read_string(resp))
-          did_work = true
-        end
-        # Send any queued out going data
-        unless @write_queue.empty?
-          resp = put_plain_text nil
-          if resp > 0
-            did_work = true
-          elsif resp < 0
-            @transport.close_cb
-          end
-        end
-        break unless did_work
-      end
-    end
-  end
-end

data/lib/httpx/io/tls/context.rb DELETED Viewed

@@ -1,199 +0,0 @@
-# frozen_string_literal: true
-# Copyright (c) 2004-2013 Cotag Media
-#
-# Permission is hereby granted, free of charge, to any person obtaining a copy
-# of this software and associated documentation files (the "Software"), to deal
-# in the Software without restriction, including without limitation the rights
-# to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
-# copies of the Software, and to permit persons to whom the Software is furnished
-# to do so, subject to the following conditions:
-#
-# The above copyright notice and this permission notice shall be included in all
-# copies or substantial portions of the Software.
-#
-# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
-# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
-# FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
-# AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
-# LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
-# OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN
-# THE SOFTWARE.
-#
-class HTTPX::TLS
-  class Context
-    # Based on information from https://raymii.org/s/tutorials/Strong_SSL_Security_On_nginx.html
-    CIPHERS = "EECDH+AESGCM:EDH+AESGCM:ECDHE-RSA-AES128-GCM-SHA256:AES256+EECDH:DHE-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:ECDHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4"
-    SESSION = "ruby-tls"
-    ALPN_LOOKUP = ::Concurrent::Map.new
-    ALPN_Select_CB = FFI::Function.new(:int, [
-                                         # array of str, unit8 out,uint8 in,        *arg
-                                         :pointer, :pointer, :pointer, :string, :uint, :pointer
-                                       ]) do |ssl_p, out, outlen, inp, inlen, _arg|
-      ssl = Box::InstanceLookup[ssl_p.address]
-      return SSL::SSL_TLSEXT_ERR_ALERT_FATAL unless ssl
-      protos = ssl.context.alpn_str
-      status = SSL.SSL_select_next_proto(out, outlen, protos, protos.length, inp, inlen)
-      ssl.alpn_negotiated
-      case status
-      when SSL::OPENSSL_NPN_UNSUPPORTED
-        SSL::SSL_TLSEXT_ERR_ALERT_FATAL
-      when SSL::OPENSSL_NPN_NEGOTIATED
-        SSL::SSL_TLSEXT_ERR_OK
-      when SSL::OPENSSL_NPN_NO_OVERLAP
-        SSL::SSL_TLSEXT_ERR_ALERT_WARNING
-      end
-    end
-    attr_reader :is_server, :ssl_ctx, :alpn_set, :alpn_str
-    def initialize(server, options = {})
-      @is_server = server
-      if @is_server
-        @ssl_ctx = SSL.SSL_CTX_new(SSL.TLS_server_method)
-        set_private_key(options[:private_key] || SSL::DEFAULT_PRIVATE)
-        set_certificate(options[:cert_chain]  || SSL::DEFAULT_CERT)
-        set_client_ca(options[:client_ca])
-      else
-        @ssl_ctx = SSL.SSL_CTX_new(SSL.TLS_client_method)
-      end
-      SSL.SSL_CTX_set_options(@ssl_ctx, SSL::SSL_OP_ALL)
-      SSL.SSL_CTX_set_mode(@ssl_ctx, SSL::SSL_MODE_RELEASE_BUFFERS)
-      SSL.SSL_CTX_set_cipher_list(@ssl_ctx, options[:ciphers] || CIPHERS)
-      set_min_version(options[:version])
-      if @is_server
-        SSL.SSL_CTX_sess_set_cache_size(@ssl_ctx, 128)
-        SSL.SSL_CTX_set_session_id_context(@ssl_ctx, SESSION, 8)
-      else
-        set_private_key(options[:private_key])
-        set_certificate(options[:cert_chain])
-      end
-      set_alpn_negotiation(options[:protocols])
-    end
-    def cleanup
-      return unless @ssl_ctx
-      SSL.SSL_CTX_free(@ssl_ctx)
-      @ssl_ctx = nil
-    end
-    def add_server_name_indication
-      raise Error, "only valid for server mode context" unless @is_server
-      SSL.SSL_CTX_set_tlsext_servername_callback(@ssl_ctx, ServerNameCB)
-    end
-    ServerNameCB = FFI::Function.new(:int, %i[pointer pointer pointer]) do |ssl, _, _|
-      ruby_ssl = Box::InstanceLookup[ssl.address]
-      return SSL::SSL_TLSEXT_ERR_NOACK unless ruby_ssl
-      ctx = ruby_ssl.hosts[SSL.SSL_get_servername(ssl, SSL::TLSEXT_NAMETYPE_host_name)]
-      if ctx
-        SSL.SSL_set_SSL_CTX(ssl, ctx.ssl_ctx)
-        SSL::SSL_TLSEXT_ERR_OK
-      else
-        SSL::SSL_TLSEXT_ERR_ALERT_FATAL
-      end
-    end
-    private
-    def self.build_alpn_string(protos)
-      protos.reduce("".b) do |buffer, proto|
-        buffer << proto.bytesize
-        buffer << proto
-      end
-    end
-    # Version can be one of:
-    # :SSL3, :TLS1, :TLS1_1, :TLS1_2, :TLS1_3, :TLS_MAX
-    if SSL::VERSION_SUPPORTED
-      def set_min_version(version)
-        return unless version
-        num = SSL.const_get("#{version}_VERSION")
-        SSL.SSL_CTX_set_min_proto_version(@ssl_ctx, num) == 1
-      rescue NameError
-        raise Error, "#{version} is unsupported"
-      end
-    else
-      def set_min_version(_version); end
-    end
-    if SSL::ALPN_SUPPORTED
-      def set_alpn_negotiation(protocols)
-        @alpn_set = false
-        return unless protocols
-        if @is_server
-          @alpn_str = Context.build_alpn_string(protocols)
-          SSL.SSL_CTX_set_alpn_select_cb(@ssl_ctx, ALPN_Select_CB, nil)
-          @alpn_set = true
-        else
-          protocols = Context.build_alpn_string(protocols)
-          @alpn_set = SSL.SSL_CTX_set_alpn_protos(@ssl_ctx, protocols, protocols.length) == 0
-        end
-      end
-    else
-      def set_alpn_negotiation(_protocols); end
-    end
-    def set_private_key(key)
-      err = if key.is_a? FFI::Pointer
-        SSL.SSL_CTX_use_PrivateKey(@ssl_ctx, key)
-      elsif key && File.file?(key)
-        SSL.SSL_CTX_use_PrivateKey_file(@ssl_ctx, key, SSL_FILETYPE_PEM)
-      else
-        1
-      end
-      # Check for errors
-      if err <= 0
-        # TODO: : ERR_print_errors_fp or ERR_print_errors
-        # So we can properly log the issue
-        cleanup
-        raise Error, "invalid private key or file not found"
-      end
-    end
-    def set_certificate(cert)
-      err = if cert.is_a? FFI::Pointer
-        SSL.SSL_CTX_use_certificate(@ssl_ctx, cert)
-      elsif cert && File.file?(cert)
-        SSL.SSL_CTX_use_certificate_chain_file(@ssl_ctx, cert)
-      else
-        1
-      end
-      if err <= 0
-        cleanup
-        raise Error, "invalid certificate or file not found"
-      end
-    end
-    def set_client_ca(ca)
-      return unless ca
-      if File.file?(ca) && (ca_ptr = SSL.SSL_load_client_CA_file(ca))
-        # there is no error checking provided by SSL_CTX_set_client_CA_list
-        SSL.SSL_CTX_set_client_CA_list(@ssl_ctx, ca_ptr)
-      else
-        cleanup
-        raise Error, "invalid ca certificate or file not found"
-      end
-    end
-  end
-end