RubyGems - hyperion-rb - Versions diffs - 1.0.0.rc17 → 1.0.0.rc18 - Mend

hyperion-rb 1.0.0.rc17 → 1.0.0.rc18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (10) hide show

checksums.yaml CHANGED Viewed

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: bcb08723cb65420d073fe0e239c039946649ed4b2d5ec913391edaa9f9022f5c
-  data.tar.gz: 87f88b3956f6879defe23ba4f9e4b6a5b41bcf4db787b553ed7a3608ef9f6760
+  metadata.gz: d339041ba36ea34d86f65b15d4160dc3e8e3484e793b59bb6bd4381e496d6ef7
+  data.tar.gz: 156ba026f90f7d422623be5d1f708d45d328567a7f708ac788f91fea80f5d63b
 SHA512:
-  metadata.gz: b0fecfb34f4cd2a2b272858305fc43a46a9f09d0ac9a77e13b2977c0793bd92a5eac024d8d6f080eaaa565f99f87e092d919a1ff4662eb3a205a29cefa9826fd
-  data.tar.gz: 4a86ffdf69d7ba24e3dbac045c26c26aed00ee07f43db3eaabe725c3ce5a52b9b3af7f94cfefa80ca743a75db0c882d931e1ae4953131acc70a20b5104ccdbf0
+  metadata.gz: 8b8a5516872e28faa553398dcd8fb3debfc41d6e3a17e7cb31563f8a4db7a52044984826909015a31f8176e5fcebffeba4ec3129b0891f6c773a938b41ee1e0c
+  data.tar.gz: f8c9fb9a2f0bd2935aa8d70b191107923870aaeb0030e6357f4f30469ec1284e3432dc3706168537c1218fa95a3ce3f0cc6e1fb9f56349b6ab7cf580aae7263c

data/README.md CHANGED Viewed

@@ -2,12 +2,12 @@
 High-performance Ruby HTTP server. Falcon-class fiber concurrency, Puma-class compatibility.
-[![Specs](https://img.shields.io/badge/specs-114%20passing-brightgreen)]()
-[![Ruby](https://img.shields.io/badge/ruby-%3E%3D%203.2-red)]()
-[![License](https://img.shields.io/badge/license-MIT-blue)]()
+[![CI](https://github.com/andrew-woblavobla/hyperion/actions/workflows/ci.yml/badge.svg)](https://github.com/andrew-woblavobla/hyperion/actions/workflows/ci.yml)
+[![Gem Version](https://img.shields.io/gem/v/hyperion-rb.svg)](https://rubygems.org/gems/hyperion-rb)
+[![License: MIT](https://img.shields.io/github/license/andrew-woblavobla/hyperion.svg)](https://github.com/andrew-woblavobla/hyperion/blob/master/LICENSE)
 ```sh
-gem install hyperion
+gem install hyperion-rb --pre
 bundle exec hyperion config.ru
 ```

data/lib/hyperion/cli.rb CHANGED Viewed

@@ -25,8 +25,16 @@ module Hyperion
         o.on('-t', '--threads N', Integer, 'Rack handler thread pool size (0 disables)') do |t|
           cli_opts[:thread_count] = t
         end
-        o.on('--tls-cert PATH', 'TLS certificate (PEM)') do |p|
-          cli_opts[:tls_cert] = OpenSSL::X509::Certificate.new(File.read(p))
+        o.on('--tls-cert PATH', 'TLS certificate (PEM; chained intermediates supported)') do |p|
+          # Parse every BEGIN/END block in the file — production certs ship
+          # as leaf+intermediate(s) bundled together. `OpenSSL::X509::Certificate.new`
+          # only reads the first block, so loading via that single call would
+          # silently drop the chain. See Hyperion::TLS.parse_pem_chain.
+          certs = Hyperion::TLS.parse_pem_chain(File.read(p))
+          abort("[hyperion] no certificates found in #{p}") if certs.empty?
+          cli_opts[:tls_cert]  = certs.first
+          cli_opts[:tls_chain] = certs[1..]
         end
         o.on('--tls-key PATH', 'TLS private key (PEM)') do |p|
           cli_opts[:tls_key] = OpenSSL::PKey.read(File.read(p))

data/lib/hyperion/logger.rb CHANGED Viewed

@@ -51,6 +51,13 @@ module Hyperion
       # routes both streams to the same target (e.g. a StringIO in specs).
       @out = io || out
       @err = io || err
+      # Force line-immediate mode on real IO destinations. When stdout is
+      # redirected (piped, journald, kubectl logs), Ruby/glibc default to
+      # 4-KiB block buffering and small log lines never reach the consumer
+      # until the buffer fills or the process exits. Operators expect to see
+      # boot lines + access logs in real time. Match Puma's behaviour.
+      @out.sync = true if @out.is_a?(::IO) && @out.respond_to?(:sync=)
+      @err.sync = true if @err.is_a?(::IO) && @err.respond_to?(:sync=)
       @level = parse_level(level || ENV.fetch('HYPERION_LOG_LEVEL', 'info'))
       requested = format || ENV['HYPERION_LOG_FORMAT']
       @format = pick_format(requested)

data/lib/hyperion/server.rb CHANGED Viewed

@@ -39,7 +39,7 @@ module Hyperion
       @port = tcp.addr[1]
       if @tls
-        @ssl_ctx = TLS.context(cert: @tls[:cert], key: @tls[:key])
+        @ssl_ctx = TLS.context(cert: @tls[:cert], key: @tls[:key], chain: @tls[:chain])
         ssl_server = ::OpenSSL::SSL::SSLServer.new(tcp, @ssl_ctx)
         ssl_server.start_immediately = false
         @server = ssl_server
@@ -67,7 +67,7 @@ module Hyperion
               else
                 sock.local_address.ip_port
               end
-      @ssl_ctx = TLS.context(cert: @tls[:cert], key: @tls[:key]) if @tls
+      @ssl_ctx = TLS.context(cert: @tls[:cert], key: @tls[:key], chain: @tls[:chain]) if @tls
       self
     end

data/lib/hyperion/tls.rb CHANGED Viewed

@@ -11,12 +11,18 @@ module Hyperion
   module TLS
     SUPPORTED_PROTOCOLS = %w[h2 http/1.1].freeze
+    PEM_CERT_RE = /-----BEGIN CERTIFICATE-----.+?-----END CERTIFICATE-----/m
     module_function
-    def context(cert:, key:)
+    def context(cert:, key:, chain: nil)
       ctx = OpenSSL::SSL::SSLContext.new
       ctx.cert = cert
       ctx.key = key
+      # NB: do NOT switch to `chain.present?` — that's ActiveSupport, which
+      # this gem does not depend on (would NameError at runtime). The
+      # explicit guard below is the plain-Ruby equivalent.
+      ctx.extra_chain_cert = chain unless chain.nil? || chain.empty?
       ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
       ctx.alpn_protocols = SUPPORTED_PROTOCOLS
       ctx.alpn_select_cb = lambda do |client_protocols|
@@ -25,5 +31,14 @@ module Hyperion
       end
       ctx
     end
+    # Split a PEM blob into one OpenSSL::X509::Certificate per BEGIN/END
+    # block. Production cert files commonly bundle leaf + intermediate(s) in
+    # a single file, but `OpenSSL::X509::Certificate.new(pem)` only parses
+    # the FIRST block — so if we don't split here the intermediates are
+    # silently dropped and clients see an incomplete chain.
+    def parse_pem_chain(pem)
+      pem.scan(PEM_CERT_RE).map { |block| OpenSSL::X509::Certificate.new(block) }
+    end
   end
 end

data/lib/hyperion/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Hyperion
-  VERSION = '1.0.0.rc17'
+  VERSION = '1.0.0.rc18'
 end

data/lib/hyperion/worker.rb CHANGED Viewed

@@ -77,7 +77,7 @@ module Hyperion
       sock.listen(::Socket::SOMAXCONN)
       if @tls
-        ctx = Hyperion::TLS.context(cert: @tls[:cert], key: @tls[:key])
+        ctx = Hyperion::TLS.context(cert: @tls[:cert], key: @tls[:key], chain: @tls[:chain])
         ssl = ::OpenSSL::SSL::SSLServer.new(sock, ctx)
         ssl.start_immediately = false
         ssl

data/lib/hyperion-rb.rb ADDED Viewed

@@ -0,0 +1,8 @@
+# frozen_string_literal: true
+# Convenience shim so Bundler's auto-require pattern works:
+#
+#   gem 'hyperion-rb'   # in a Gemfile, no `require:` needed
+#
+# The canonical require path remains `require 'hyperion'`.
+require 'hyperion'

metadata CHANGED Viewed

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: hyperion-rb
 version: !ruby/object:Gem::Version
-  version: 1.0.0.rc17
+  version: 1.0.0.rc18
 platform: ruby
 authors:
 - Andrey Lobanov
@@ -145,6 +145,7 @@ files:
 - ext/hyperion_http/llhttp/llhttp.c
 - ext/hyperion_http/llhttp/llhttp.h
 - ext/hyperion_http/parser.c
+- lib/hyperion-rb.rb
 - lib/hyperion.rb
 - lib/hyperion/adapter/rack.rb
 - lib/hyperion/c_parser.rb