icaprb-server 0.0.1

data/lib/icaprb/server/services.rb

@@ -0,0 +1,241 @@
+require 'timeout'
+module ICAPrb
+  module Server
+    # this module contains the code, which is required to build an ICAP service
+    module Services
+      # Base class for ICAP services
+      class ServiceBase
+        # the name of the service which is used in the response header (Service-Name)
+        attr_accessor :service_name
+        # send the ttl via options header - the options are valid for the given time
+        attr_accessor :options_ttl
+        # the supported methods for this service. This must be an +Array+ which contains symbols.
+        # The values are:
+        #
+        # :request_mod:: request mod is supported
+        # :response_mod:: response mod is supported
+        #
+        # Do not add :options - this would be wrong here!
+        attr_accessor :supported_methods
+        # The preview size has to be set if the server supports previews. Otherwise use +nil+ here.
+        # If your service supports previews
+        attr_accessor :preview_size
+        # +Array+ of file extensions which should be always sent to the +ICAP+ server (no preview)
+        attr_accessor :transfer_complete
+        # +Array+ of file extensions which should not be sent to the +ICAP+ server (not even a preview)
+        attr_accessor :transfer_ignore
+        # +Array+ of file extensions which need a preview sent to the +ICAP+ server
+        # (do not send the full file in advance)
+        attr_accessor :transfer_preview
+        # Maximum amount of concurrent connections per IP. The server will not accept more connections and answers with
+        # an error
+        attr_accessor :max_connections
+        # The IS-Tag is a required header. If you change it, the cache of the proxy will be flushed.
+        # You usually do not need to change this header. You may want to add your service name here.
+        attr_accessor :is_tag
+        # If you want to send a service id header to the +ICAP+ client, you can set it here. Use nil to disable
+        # this header.
+        attr_accessor :service_id
+        # the counter is used to determine if too many connections are opened by the proxy.
+        # If this is the case, the the server answers with an error
+        attr_reader :counter
+        # timeout for the service
+        attr_accessor :timeout
+
+        # initialize a new service
+        def initialize(service_name,supported_methods  = [], preview_size = nil, options_ttl = 60,
+                       transfer_preview = nil, transfer_ignore = nil, transfer_complete = nil, max_connections = 100000)  #TODO Work in progress; sort
+          @service_name = service_name
+          @options_ttl = options_ttl
+          @supported_methods = supported_methods
+          @preview_size = preview_size
+
+          @transfer_preview = transfer_preview
+          @transfer_ignore = transfer_ignore
+          @transfer_complete = transfer_complete
+          @max_connections = max_connections
+          @is_tag = nil
+          @service_id = nil
+          @timeout = nil
+
+          @counter = {}
+        end
+
+        # parameters:
+        # server:: reference to the icap server
+        # ip:: ip address of the peer
+        # socket:: socket to communicate
+        # data:: the parsed request
+        def process_request(_,_,_,_)
+          raise :not_implemented
+        end
+
+        # returns if this service supports previews which means it can request the rest of the data if they are
+        # required. If you do not override this method, this will return false so you will get the complete request.
+        def supports_preview?
+          return false if @preview_size.nil?
+          return  preview_size >= 0
+        end
+
+        # include the ChunkedEncodingHelper for previews
+        include ::ICAPrb::Server::Parser::ChunkedEncodingHelper
+
+        # returns true if we already got all data or if we are in a preview.
+        # if we are not in a preview, the preview header is not present => outside of a preview
+        # and if the ieof is set, there is no data left - we have all data
+        # everything else means there is data left to request.
+        # NOTE: this will only work once! Do not request data after calling this method and call it again -
+        # you will get a false negative.
+        def got_all_data?(data)
+          return true unless data[:icap_data][:header]['Preview']
+          return true if data[:http_response_body].ieof
+          return false
+        end
+
+        # When we get a preview, we can answer it or request the rest of the data.
+        # This method will send the status "100 Continue" to request the rest of the data and
+        # it will then request all the data which is left and returns this data as a single string.
+        #
+        # You may want to concatenate it with the data you already got in the preview using the << operator.
+        #
+        # WARNING: DO NOT CALL THIS METHOD IF YOU ARE NOT IN A PREVIEW!
+        def get_the_rest_of_the_data(io)
+          data = ''
+          Response.continue(io)
+          until (line,_ = read_chunk(io); line) && line == :eof
+            data += line
+          end
+          return data
+        end
+
+        # this method is called by the server when it receives a new ICAP request
+        # it will increase the counter by one, call process_request and decreases the counter by one.
+        def do_process(server,ip,io,data)
+          begin
+            enter(ip)
+          rescue
+            Response.display_error_page(io,503,{'title' => 'ICAP Error',
+                                                        'content' => 'Sorry, too much work for me',
+                                                        :http_version => '1.1',
+                                                        :http_status => 500})
+            return
+          end
+
+          begin
+            unless @supported_methods.include? data[:icap_data][:request_line][:icap_method]
+              Response.display_error_page(io,501,{'title' => 'Method not implemented',
+                                                          'content' => 'I do not know what to do with that...',
+                                                          :http_version => '1.1',
+                                                          :http_status => 500})
+              return
+            end
+            if @timeout
+              begin
+                Timeout::timeout(@timeout) do
+                  process_request(server,ip,io,data)
+                end
+              rescue Timeout::Error => e
+                # do not do a graceful shutdown of the connection as the client may fail
+                server.logger.error e
+                io.close
+              end
+            else
+              process_request(server,ip,io,data)
+            end
+          rescue
+            leave(ip)
+            raise
+          end
+          leave(ip)
+        end
+
+        # when the connection enters this method will increase the counter. If the counter exceeds the limit,
+        # the request will be rejected
+        def enter(ip)
+          if @counter[ip]
+            raise :connection_limit_exceeded unless (@counter[ip] < @max_connections) || @max_connections.nil?
+            @counter[ip] += 1
+          else
+            @counter[ip] = 1
+          end
+        end
+
+        # when the request is answered we can allow the next one by decrementing the counter
+        def leave(ip)
+          @counter[ip] -= 1
+        end
+
+        # This method is called by the server when the client sends an options request which is not a
+        # mandatory upgrade.
+        #
+        # The data used here is set by the constructor and it should be configured when the Service
+        # is initialized.
+        #
+        # Parameters:
+        # +io+ the socket used to answer the request
+        def generate_options_response(io)
+          response = ::ICAPrb::Server::Response.new
+          response.components << ::ICAPrb::Server::NullBody.new
+          methods = []
+          methods << 'REQMOD' if @supported_methods.include? :request_mod
+          methods << 'RESPMOD' if @supported_methods.include? :response_mod
+          response.icap_header['Methods'] = methods.join(', ')
+          set_generic_icap_headers(response.icap_header)
+          response.icap_header['Max-Connections'] = @max_connections if @max_connections
+          response.icap_header['Options-TTL'] = @options_ttl if @options_ttl
+          response.icap_header['Preview'] = @preview_size if @preview_size
+          response.icap_header['Transfer-Ignore'] = @transfer_ignore.join(', ') if @transfer_ignore
+          response.icap_header['Transfer-Complete'] = @transfer_complete.join(', ') if @transfer_complete
+          response.icap_header['Transfer-Preview'] = @transfer_preview.join(', ') if @transfer_preview
+          response.icap_header['Allow'] = '204'
+          response.write_headers_to_socket io
+        end
+
+        # set headers independently from the response type
+        #
+        # parameters:
+        # +icap_header+:: The hash which holds the ICAP headers.
+        def set_generic_icap_headers(icap_header)
+          icap_header['Service-Name'] = @service_name
+          icap_header['ISTag'] = @is_tag if @is_tag
+          icap_header['Service-ID'] = @service_id if @service_id
+        end
+      end
+
+      # Sample Service to test the server
+      # it will echo the complete request to the client
+      class EchoService < ServiceBase
+        # initializes the EchoService - the name of the echo service is echo
+        def initialize
+          super('echo',[:request_mod, :response_mod],1024,60,nil,nil,nil,1000)
+          @timeout = nil
+        end
+
+        # return the request to the client
+        def process_request(icap_server,ip,socket,data)
+          logger = icap_server.logger
+          logger.debug 'Start processing data via echo service...'
+          response = ::ICAPrb::Server::Response.new
+          response.icap_status_code = 200
+          if data[:icap_data][:request_line][:icap_method] == :response_mod
+            http_resp_header = data[:http_response_header]
+            http_resp_body = data[:http_response_body]
+          else
+            http_resp_header = data[:http_request_header]
+            http_resp_body = data[:http_request_body]
+          end
+
+          http_resp_body << get_the_rest_of_the_data(socket) if http_resp_body && !(got_all_data? data)
+          response.components << http_resp_header
+          response.components << http_resp_body
+          response.write_headers_to_socket socket
+          if http_resp_body.instance_of? ResponseBody
+            socket.write(http_resp_body.to_chunk)
+            ::ICAPrb::Server::Response.send_last_chunk(socket,false)
+          end
+          logger.debug 'Answered request in echo service'
+        end
+      end
+    end
+  end
+end

data/lib/icaprb/server/version.rb

@@ -0,0 +1,6 @@
+module ICAPrb
+  module Server
+    # current version number of this library
+    VERSION = '0.0.1'
+  end
+end

data/lib/icaprb/server.rb

@@ -0,0 +1,211 @@
+require 'icaprb/server/version'
+require 'openssl'
+require 'socket'
+require 'logger'
+
+require_relative './server/request_parser'
+require_relative './server/response'
+require_relative './server/services'
+# nodoc
+module ICAPrb
+  # The server code of our project.
+  module Server
+    # This class contains the network related stuff like waiting for connections.
+    # It is the main class of this project.
+    class ICAPServer
+      # supported ICAP versions
+      SUPPORTED_ICAP_VERSIONS = ['1.0']
+      # logger for the server; default level is Logger::WARN and it writes to STDOUT
+      attr_accessor :logger
+      # services registered on the server
+      attr_accessor :services
+
+      # Create a new ICAP server
+      #
+      # * <b>host</b> the host on which the socket should be bound to
+      # * <b>port</b> the port on which the socket should be bound to - this is usually 1344
+      # * <b>options</b> when you want to use TLS, you can pass a Hash containing the following information
+      #   :secure:: true if TLS should be used
+      #   :certificate:: the path of the certificate
+      #   :key:: the path of the key file
+      def initialize(host = 'localhost', port = 1344, options = nil)
+        @host, @port = host,port
+        @secure = false
+        @certificate = nil
+        @key = nil
+        if (options.is_a? Hash) && (@secure = options[:secure])
+          @key = options[:key]
+          @certificate = options[:certificate]
+        end
+
+        if (options.is_a? Hash) && options[:logfile]
+          @logger = Logger.new(options[:logfile])
+        else
+          @logger = Logger.new(STDOUT)
+        end
+
+        if (options.is_a? Hash) && options[:log_level]
+          @logger.level = options[:log_level]
+        else
+          @logger.level = Logger::WARN
+        end
+
+        @services = {}
+
+        @enable_tls_1_1 = options[:enable_tls_1_1] unless options.nil?
+
+        @tls_socket = false
+        if (options.is_a? Hash) && options[:tls_socket]
+          @tls_socket = options[:tls_socket]
+        end
+      end
+
+      # this methods starts the server and passes the connection to the method handle_request
+      # as well as the ip and the port.
+      # It will log the information about the connection if the level is set to info or lower.
+      #
+      # this method will most likely never crash. It is blocking so you may want to run it in
+      # its own thread.
+      def run
+        # run the server
+        server = create_server
+        loop do
+
+          Thread.start(server.accept) do |connection|
+
+            if connection.is_a? OpenSSL::SSL::SSLSocket
+              port, ip = Socket.unpack_sockaddr_in(connection.io.getpeername)
+            else
+              port, ip = Socket.unpack_sockaddr_in(connection.getpeername)
+            end
+            @logger.info "[CONNECT] Client from #{ip}:#{port} connected to this server"
+            begin
+              until connection.closed? do
+                handle_request(connection,ip)
+              end
+            rescue Errno::ECONNRESET => e
+              @logger.error "[CONNECTION ERROR] Client #{ip}:#{port} got disconnected (CONNECTION RESET BY PEER): #{e}"
+            end
+          end
+
+        end
+      end
+
+      # this method handles the connection to the client. It will call the parser and sends the request to the service.
+      # The service must return anything and handle the request. The important classes are in response.rb
+      # This method includes a lot of error handling. It will respond with an error page if
+      # * The ICAP version is not supported
+      # * It cannot read the header
+      # * The method is not supported by the service
+      # * The request has an upgrade header, which is not supported
+      # * the client requested an upgrade to tls, but the server has not been configured to use it
+      # * the client requested a service, which does not exist
+      def handle_request(connection, ip)
+        # handles the request
+        begin
+          parser = RequestParser.new(connection, ip, self)
+          parsed_data = parser.parse
+        rescue Exception => e
+          #puts $@
+          logger.error "[PARSER ERROR] Error while parsing request - Error Message is: #{e}"
+          Response.display_error_page(connection,400,
+                                      {http_version: '1.0',http_status: 400, 'title' => 'Invalid Request',
+                                       'content' => 'Your client sent a malformed request - please fix it and try it again.'})
+          return
+        end
+
+        unless SUPPORTED_ICAP_VERSIONS.include? parsed_data[:icap_data][:request_line][:version]
+          Response.display_error_page(connection,505,
+                                      {http_version: '1.0',
+                                       http_status: 500,
+                                       'title' => 'Unknown ICAP-version used',
+                                       'content' => 'We are sorry but your ICAP version is not known by this server.'})
+        end
+
+        # send the data to the service framework
+        path = parsed_data[:icap_data][:request_line][:uri].path
+        path = path[1...path.length] if path != '*'
+        if (service = @services[path])
+          icap_method = parsed_data[:icap_data][:request_line][:icap_method]
+          if icap_method == :options
+            return service.generate_options_response(connection)
+          else
+            if service.supported_methods.include? icap_method
+              service.do_process(self,ip,connection,parsed_data)
+              return
+            else
+              Response.display_error_page(connection,405,
+                                          {http_version: '1.0',http_status: 500, 'title' => 'ICAP Error',
+                                           'content' => 'Your client accessed the service with the wrong method.'})
+            end
+          end
+
+        elsif (path == '*') &&  (parsed_data[:icap_data][:request_line][:icap_method] == :options)
+          # check for an upgrade header
+          icap_data = parsed_data[:icap_data]
+          if icap_data[:header]['Connection'] == 'Upgrade' && connection.class == OpenSSL::SSL::SSLSocket
+            case icap_data[:header]['Upgrade']
+              when /^TLS\/[\d\.]+, ICAP\/[\d\.]+$/
+                response = Response.new
+                response.icap_status_code = 101
+                response.icap_header['Upgrade'] = "TLS/1.2, ICAP/#{icap_data[:request_line][:version]}"
+                response.write_headers_to_socket connection
+                connection.accept # upgrade connection to use tls
+              else
+                Response.display_error_page(connection,400,{'title' => 'ICAP Error',
+                                                            'content' => 'Upgrade header is missing',
+                                                            :http_version => '1.1',
+                                                            :http_status => 500})
+            end
+          else
+            Response.display_error_page(connection,500,{'title' => 'ICAP Error',
+                                                        'content' => 'This server has no TLS support.',
+                                                        :http_version => '1.1',
+                                                        :http_status => 500})
+          end
+          return
+        else
+          Response.display_error_page(connection,404,
+                                      {http_version: '1.0',http_status: 500, 'title' => 'Not Found',
+                                       'content' => 'Sorry, but the ICAP service does not exist.'})
+          return
+        end
+
+      end
+
+      private
+      # this method will create a server based on the information we got on initialisation.
+      # It will create an +TCPServer+ with the host and port given at initialisation.
+      # If @secure evaluates to true, a +SSLServer+ will be crated and wraps this +TCPServer+.
+      # By default, only TLS 1.2 is supported for security reasons but TLS 1.1 can be enabled
+      # as well when the option is set at initialization.
+      # For security reasons, the encryption algorithms +RC4+ and +DES+ are disabled as well as the
+      # digest algorithm +SHA1+.
+      # returns: An instance of TCPServer or SSLServer
+      def create_server
+        tcp_server = TCPServer.new(@host, @port)
+        if @secure
+          ctx = OpenSSL::SSL::SSLContext.new(:TLSv1_2_server)
+          ctx.cert = OpenSSL::X509::Certificate.new(File.read(@certificate))
+          ctx.key  = OpenSSL::PKey::RSA.new(File.read(@key))
+          # secure OpenSSL
+          ###############################
+          # do not allow ssl v2 or ssl v3
+          ctx.options |= (OpenSSL::SSL::OP_NO_SSLv2 | OpenSSL::SSL::OP_NO_SSLv3 | OpenSSL::SSL::OP_NO_TLSv1)
+          # disable TLS 1.1 unless the user requests it
+          ctx.options |= OpenSSL::SSL::OP_NO_TLSv1_1 unless @enable_tls_1_1
+
+          # I do not want to have something encrypted with RC4 or with a DES variant and it should not use the digest
+          # algorithm SHA1
+          ctx.ciphers =
+            OpenSSL::SSL::SSLContext::DEFAULT_PARAMS[:ciphers].split(':').select do |cipher_suite|
+              !((cipher_suite =~ /RC4|DES/) || (cipher_suite =~ /SHA$/))
+            end.join(':')
+          tcp_server = OpenSSL::SSL::SSLServer.new(tcp_server, ctx)
+          tcp_server.start_immediately = @tls_socket # requires accept call later
+        end
+        @tcp_server = tcp_server
+      end
+    end
+  end
+end

metadata

@@ -0,0 +1,107 @@
+--- !ruby/object:Gem::Specification
+name: icaprb-server
+version: !ruby/object:Gem::Version
+  version: 0.0.1
+platform: ruby
+authors:
+- Fabian Franz
+autorequire: 
+bindir: exe
+cert_chain: []
+date: 2016-06-16 00:00:00.000000000 Z
+dependencies:
+- !ruby/object:Gem::Dependency
+  name: bundler
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.11'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '1.11'
+- !ruby/object:Gem::Dependency
+  name: rake
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '10.0'
+- !ruby/object:Gem::Dependency
+  name: rspec
+  requirement: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+  type: :development
+  prerelease: false
+  version_requirements: !ruby/object:Gem::Requirement
+    requirements:
+    - - "~>"
+      - !ruby/object:Gem::Version
+        version: '3.0'
+description: 
+email:
+- fabian.franz@students.fh-hagenberg.at
+executables: []
+extensions: []
+extra_rdoc_files: []
+files:
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
+- Gemfile
+- LICENSE
+- README.md
+- README.rdoc
+- Rakefile
+- bin/console
+- bin/setup
+- bin/start_server.rb
+- icaprb-server.gemspec
+- lib/icaprb/icapuri.rb
+- lib/icaprb/server.rb
+- lib/icaprb/server/constants.rb
+- lib/icaprb/server/data_structures.rb
+- lib/icaprb/server/request_parser.rb
+- lib/icaprb/server/response.rb
+- lib/icaprb/server/services.rb
+- lib/icaprb/server/version.rb
+homepage: https://github.com/fabianfrz/ICAPrb-Server
+licenses: []
+metadata: {}
+post_install_message: 
+rdoc_options: []
+require_paths:
+- lib
+required_ruby_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+required_rubygems_version: !ruby/object:Gem::Requirement
+  requirements:
+  - - ">="
+    - !ruby/object:Gem::Version
+      version: '0'
+requirements: []
+rubyforge_project: 
+rubygems_version: 2.5.1
+signing_key: 
+specification_version: 4
+summary: This project includes an ICAP server fully implemented in Ruby but it does
+  not include services.
+test_files: []
+has_rdoc: