manticore 0.7.1-java → 0.9.1-java
Sign up to get free protection for your applications and to get access to all the features.
- checksums.yaml +4 -4
- data/.travis.yml +10 -6
- data/CHANGELOG.md +19 -0
- data/Gemfile +9 -7
- data/README.md +1 -1
- data/Rakefile +2 -0
- data/lib/commons-codec/commons-codec/1.15/commons-codec-1.15.jar +0 -0
- data/lib/manticore/client/trust_strategies.rb +119 -0
- data/lib/manticore/client.rb +104 -41
- data/lib/manticore/version.rb +1 -1
- data/lib/manticore.rb +1 -0
- data/lib/manticore_jars.rb +16 -6
- data/lib/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar +0 -0
- data/lib/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar +0 -0
- data/lib/org/apache/httpcomponents/httpmime/4.5.13/httpmime-4.5.13.jar +0 -0
- data/lib/org/manticore/manticore-ext.jar +0 -0
- data/manticore.gemspec +3 -5
- data/spec/manticore/client_spec.rb +59 -14
- data/spec/manticore/client_trust_strategies_spec.rb +168 -0
- data/spec/spec_helper.rb +1 -0
- metadata +15 -40
- data/lib/commons-codec/commons-codec/1.10/commons-codec-1.10.jar +0 -0
- data/lib/org/apache/httpcomponents/httpclient/4.5.2/httpclient-4.5.2.jar +0 -0
- data/lib/org/apache/httpcomponents/httpcore/4.4.4/httpcore-4.4.4.jar +0 -0
- data/lib/org/apache/httpcomponents/httpmime/4.5.2/httpmime-4.5.2.jar +0 -0
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA256:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 381fa920f4a6ca174342719444ebdf44d3f1b23694840cbe942e2806094656b4
|
4
|
+
data.tar.gz: cb27a429bd009ab358c28beb8e77143fccb384076f1a03fcfd325e9d8055576b
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: dc3b33be3c5fe29ba240859cfd25455a3d30b45285414773426e9780e5eab016ca7373fdb2d7fed368af00781e502650a1c75b03f577ca316206ef8c1abc1bd3
|
7
|
+
data.tar.gz: f983c8e4b6cf27bb91909d0cd83227d684498ac4a6ca72d3249a54cc43a4e5a5051069ba32ee40d7bc9028792fb07b70472907b7214cd4a2ab6a858e4d648bd8
|
data/.travis.yml
CHANGED
@@ -4,18 +4,22 @@ cache:
|
|
4
4
|
- bundler
|
5
5
|
- directories:
|
6
6
|
- $HOME/.m2
|
7
|
-
rvm:
|
8
|
-
- jruby-9.2.16.0 # Ruby 2.5
|
9
|
-
jdk:
|
10
|
-
- oraclejdk8
|
11
|
-
- openjdk8
|
12
|
-
- openjdk11
|
13
7
|
before_install:
|
14
8
|
- gem install bundler -v 1.17.3
|
15
9
|
matrix:
|
16
10
|
include:
|
17
11
|
- rvm: jruby-head
|
18
12
|
jdk: openjdk11
|
13
|
+
- rvm: jruby-9.3.4.0 # Ruby 2.6
|
14
|
+
jdk: openjdk11
|
15
|
+
- rvm: jruby-9.3.4.0
|
16
|
+
jdk: openjdk11
|
17
|
+
env:
|
18
|
+
- JRUBY_OPTS="-Xcompile.invokedynamic -Xjit.threshold=0"
|
19
|
+
- rvm: jruby-9.2.20.0 # Ruby 2.5
|
20
|
+
jdk: oraclejdk8
|
21
|
+
- rvm: jruby-9.2.20.0
|
22
|
+
jdk: openjdk11
|
19
23
|
- rvm: jruby-9.1.17.0 # Ruby 2.3
|
20
24
|
jdk: openjdk8
|
21
25
|
allow_failures:
|
data/CHANGELOG.md
CHANGED
@@ -1,3 +1,22 @@
|
|
1
|
+
### v0.9.1
|
2
|
+
|
3
|
+
* [fix] work-around JRuby 9.3.4 compatibility
|
4
|
+
* [refactor] delay closing async request queue on client.close
|
5
|
+
|
6
|
+
### v0.9.0
|
7
|
+
|
8
|
+
* [feat] revamped client.close to release resources (#108)
|
9
|
+
* [fix] null password handling when loading keystore
|
10
|
+
* [fix] ambiguous Java method selection
|
11
|
+
* [refactor] revisit hostname verification (#103)
|
12
|
+
* [feat] ssl[:trust_strategy]: wrapper for `org.apache.http.conn.ssl.TrustStrategy` (#106)
|
13
|
+
|
14
|
+
### v0.8.0
|
15
|
+
|
16
|
+
* [feat] restore compat with (legacy) verify: false (#102)
|
17
|
+
* Accept untrusted certs when SSL verify is disabled (#100)
|
18
|
+
* [deps] update http-client to 4.5.13 (#99)
|
19
|
+
|
1
20
|
## v0.7
|
2
21
|
|
3
22
|
### v0.7.1
|
data/Gemfile
CHANGED
@@ -4,13 +4,15 @@ source 'https://rubygems.org'
|
|
4
4
|
gemspec
|
5
5
|
|
6
6
|
group :development, :test do
|
7
|
-
gem "
|
7
|
+
gem "rake-compiler", require: false
|
8
|
+
gem "simplecov"
|
9
|
+
|
8
10
|
gem "rspec", "~> 3.0"
|
9
11
|
gem "rspec-its"
|
10
|
-
|
11
|
-
gem "rack", ">= 2.1.4"
|
12
|
-
gem "
|
13
|
-
gem "
|
14
|
-
gem "
|
15
|
-
gem "
|
12
|
+
|
13
|
+
gem "rack", ">= 2.1.4", require: false
|
14
|
+
gem "json", require: false
|
15
|
+
gem "webrick", require: false
|
16
|
+
gem "net-http-server", require: false
|
17
|
+
gem "gserver", require: false
|
16
18
|
end
|
data/README.md
CHANGED
@@ -2,7 +2,7 @@
|
|
2
2
|
|
3
3
|
**Note**: While I'll continue to maintain the library here, I've moved the canonical copy to Gitlab at https://gitlab.com/cheald/manticore - it is preferred that you submit issues and PRs there.
|
4
4
|
|
5
|
-
[![Build Status](https://travis-ci.
|
5
|
+
[![Build Status](https://app.travis-ci.com/cheald/manticore.svg?branch=master)](https://app.travis-ci.com/cheald/manticore)
|
6
6
|
|
7
7
|
Manticore is a fast, robust HTTP client built on the Apache HTTPClient libraries. It is only compatible with JRuby.
|
8
8
|
|
data/Rakefile
CHANGED
@@ -36,6 +36,7 @@ task :generate_certs do
|
|
36
36
|
# Create the CA
|
37
37
|
"#{openssl} genrsa 4096 | #{openssl} pkcs8 -topk8 -nocrypt -out #{root}/root-ca.key",
|
38
38
|
"#{openssl} req -sha256 -x509 -newkey rsa:4096 -nodes -key #{root}/root-ca.key -sha256 -days 365 -out #{root}/root-ca.crt -subj \"/C=US/ST=The Internet/L=The Internet/O=Manticore CA/OU=Manticore/CN=localhost\"",
|
39
|
+
"#{openssl} req -sha256 -x509 -newkey rsa:4096 -nodes -key #{root}/root-ca.key -sha256 -days 365 -out #{root}/root-untrusted-ca.crt -subj \"/C=US/ST=The Darknet/L=The Darknet/O=Manticore CA/OU=Manticore/CN=localhost\"",
|
39
40
|
|
40
41
|
# Create the client CSR, key, and signed cert
|
41
42
|
"#{openssl} genrsa 4096 | #{openssl} pkcs8 -topk8 -nocrypt -out #{root}/client.key",
|
@@ -48,6 +49,7 @@ task :generate_certs do
|
|
48
49
|
"#{openssl} req -sha256 -key #{root}/host.key -newkey rsa:4096 -out #{root}/host.csr -subj \"/C=US/ST=The Internet/L=The Internet/O=Manticore Host/OU=Manticore/CN=localhost\"",
|
49
50
|
"#{openssl} x509 -req -in #{root}/host.csr -CA #{root}/root-ca.crt -CAkey #{root}/root-ca.key -CAcreateserial -out #{root}/host.crt -sha256 -days 1",
|
50
51
|
"#{openssl} x509 -req -in #{root}/host.csr -CA #{root}/root-ca.crt -CAkey #{root}/root-ca.key -CAcreateserial -out #{root}/host-expired.crt -sha256 -days -7",
|
52
|
+
"#{openssl} x509 -req -in #{root}/host.csr -CA #{root}/root-untrusted-ca.crt -CAkey #{root}/root-ca.key -CAcreateserial -out #{root}/host-untrusted.crt -sha256 -days 1",
|
51
53
|
|
52
54
|
"#{keytool} -import -file #{root}/root-ca.crt -alias rootCA -keystore #{root}/truststore.jks -noprompt -storepass test123",
|
53
55
|
"#{openssl} pkcs12 -export -clcerts -out #{root}/client.p12 -inkey #{root}/client.key -in #{root}/client.crt -certfile #{root}/root-ca.crt -password pass:test123",
|
Binary file
|
@@ -0,0 +1,119 @@
|
|
1
|
+
module Manticore
|
2
|
+
class Client
|
3
|
+
##
|
4
|
+
# TrustStrategies is a utility module that provides helpers for
|
5
|
+
# working with org.apache.http.conn.ssl.TrustStrategy
|
6
|
+
module TrustStrategies
|
7
|
+
# Coerces to org.apache.http.conn.ssl.TrustStrategy, allowing nil pass-through
|
8
|
+
#
|
9
|
+
# @overload coerce(coercible)
|
10
|
+
# @param coercible [nil|TrustStrategy]
|
11
|
+
# @return [nil,TrustStrategy]
|
12
|
+
# @overload coerce(coercible)
|
13
|
+
# @param coercible [Proc<(Array<OpenSSL::X509::Certificate>,String)>:Boolean]
|
14
|
+
# A proc that accepts two arguments and returns a boolean value, and is effectively a
|
15
|
+
# Ruby-native implementation of `org.apache.http.conn.ssl.TrustStrategy#isTrusted`.
|
16
|
+
# @param cert_chain [Enumerable<OpenSSL::X509::Certificate>]: the peer's certificate chain
|
17
|
+
# @param auth_type [String]: the authentication type based on the client certificate
|
18
|
+
# @raise [OpenSSL::X509::CertificateError]: thrown if the certificate is not trusted or invalid
|
19
|
+
# @return [Boolean]: true if the certificate can be trusted without verification by the trust manager,
|
20
|
+
# false otherwise.
|
21
|
+
# @example: CA Trusted Fingerprint
|
22
|
+
# ca_trusted_fingerprint = lambda do |cert_chain, type|
|
23
|
+
# cert_chain.lazy
|
24
|
+
# .map(&:to_der)
|
25
|
+
# .map(&::Digest::SHA256.method(:hexdigest))
|
26
|
+
# .include?("324a87eebb19265ffb675dc345eb0f3b5d9de3f015159227a00fe552291d4cc4")
|
27
|
+
# end
|
28
|
+
# TrustStrategies.coerce(ca_trusted_fingerprint)
|
29
|
+
def self.coerce(coercible)
|
30
|
+
case coercible
|
31
|
+
when org.apache.http.conn.ssl.TrustStrategy, nil then coercible
|
32
|
+
when ::Proc then CustomTrustStrategy.new(coercible)
|
33
|
+
else fail(ArgumentError, "No implicit conversion of #{coercible} to #{self}")
|
34
|
+
end
|
35
|
+
end
|
36
|
+
|
37
|
+
# Combines two possibly-nil TrustStrategies-coercible objects into a
|
38
|
+
# single org.apache.http.conn.ssl.TrustStrategy, or to nil if both are nil.
|
39
|
+
#
|
40
|
+
# @param lhs [nil|TrustStrategie#coerce]
|
41
|
+
# @param rhs [nil|TrustStrategies#coerce]
|
42
|
+
# @return [nil,org.apache.http.conn.ssl.TrustStrategy]
|
43
|
+
def self.combine(lhs, rhs)
|
44
|
+
return coerce(rhs) if lhs.nil?
|
45
|
+
return coerce(lhs) if rhs.nil?
|
46
|
+
|
47
|
+
CombinedTrustStrategy.new(coerce(lhs), coerce(rhs))
|
48
|
+
end
|
49
|
+
end
|
50
|
+
|
51
|
+
##
|
52
|
+
# @api private
|
53
|
+
# A CombinedTrustStrategy can be used to bypass the Trust Manager if
|
54
|
+
# *EITHER* TrustStrategy trusts the provided certificate chain.
|
55
|
+
# @see TrustStrategies::combine
|
56
|
+
class CombinedTrustStrategy
|
57
|
+
include org.apache.http.conn.ssl.TrustStrategy
|
58
|
+
|
59
|
+
##
|
60
|
+
# @api private
|
61
|
+
# @see TrustStrategies::combine
|
62
|
+
def initialize(lhs, rhs)
|
63
|
+
@lhs = lhs
|
64
|
+
@rhs = rhs
|
65
|
+
super()
|
66
|
+
end
|
67
|
+
|
68
|
+
##
|
69
|
+
# @override (see org.apache.http.conn.ssl.TrustStrategy#isTrusted)
|
70
|
+
def trusted?(chain, type)
|
71
|
+
@lhs.trusted?(chain, type) || @rhs.trusted?(chain, type)
|
72
|
+
end
|
73
|
+
end
|
74
|
+
|
75
|
+
|
76
|
+
##
|
77
|
+
# @api private
|
78
|
+
# A CustomTrustStrategy is an org.apache.http.conn.ssl.TrustStrategy
|
79
|
+
# defined with a proc that uses Ruby OpenSSL::X509::Certificates
|
80
|
+
# @see TrustStrategies::coerce(Proc)
|
81
|
+
class CustomTrustStrategy
|
82
|
+
include org.apache.http.conn.ssl.TrustStrategy
|
83
|
+
|
84
|
+
##
|
85
|
+
# @see TrustStrategies.coerce(Proc)
|
86
|
+
def initialize(proc)
|
87
|
+
fail(ArgumentError, "2-arity proc required") unless proc.arity == 2
|
88
|
+
@trust_strategy = proc
|
89
|
+
end
|
90
|
+
|
91
|
+
CONVERT_JAVA_CERTIFICATE_TO_RUBY = -> (java_cert) { ::OpenSSL::X509::Certificate.new(java_cert.encoded) }
|
92
|
+
private_constant :CONVERT_JAVA_CERTIFICATE_TO_RUBY
|
93
|
+
|
94
|
+
##
|
95
|
+
# @override (see org.apache.http.conn.ssl.TrustStrategy#isTrusted)
|
96
|
+
def trusted?(java_chain, type)
|
97
|
+
@trust_strategy.call(java_chain.lazy.map(&CONVERT_JAVA_CERTIFICATE_TO_RUBY), String.new(type))
|
98
|
+
rescue OpenSSL::X509::CertificateError => e
|
99
|
+
raise java_certificate_exception(e)
|
100
|
+
end
|
101
|
+
|
102
|
+
private
|
103
|
+
|
104
|
+
begin
|
105
|
+
# Ruby exceptions can be converted to Throwable since JRuby 9.2
|
106
|
+
Exception.new("sentinel").to_java(java.lang.Throwable)
|
107
|
+
def java_certificate_exception(ruby_certificate_error)
|
108
|
+
throwable = ruby_certificate_error.to_java(java.lang.Throwable)
|
109
|
+
java.security.cert.CertificateException.new(throwable)
|
110
|
+
end
|
111
|
+
rescue TypeError
|
112
|
+
def java_certificate_exception(ruby_certificate_error)
|
113
|
+
message = ruby_certificate_error.message
|
114
|
+
java.security.cert.CertificateException.new(message)
|
115
|
+
end
|
116
|
+
end
|
117
|
+
end
|
118
|
+
end
|
119
|
+
end
|
data/lib/manticore/client.rb
CHANGED
@@ -69,7 +69,6 @@ module Manticore
|
|
69
69
|
include_package "org.apache.http.client.config"
|
70
70
|
include_package "org.apache.http.config"
|
71
71
|
include_package "org.apache.http.conn.socket"
|
72
|
-
include_package "org.apache.http.impl.client"
|
73
72
|
include_package "org.apache.http.impl.conn"
|
74
73
|
include_package "org.apache.http.entity"
|
75
74
|
include_package "org.apache.http.message"
|
@@ -86,24 +85,43 @@ module Manticore
|
|
86
85
|
java_import "org.manticore.HttpGetWithEntity"
|
87
86
|
java_import "org.manticore.HttpDeleteWithEntity"
|
88
87
|
java_import "org.apache.http.auth.UsernamePasswordCredentials"
|
88
|
+
java_import "org.apache.http.conn.ssl.DefaultHostnameVerifier"
|
89
|
+
java_import "org.apache.http.conn.ssl.NoopHostnameVerifier"
|
89
90
|
java_import "org.apache.http.conn.ssl.SSLConnectionSocketFactory"
|
90
|
-
java_import "org.apache.http.conn.ssl.
|
91
|
+
java_import "org.apache.http.conn.ssl.TrustAllStrategy"
|
91
92
|
java_import "org.apache.http.conn.ssl.TrustSelfSignedStrategy"
|
92
93
|
java_import "org.apache.http.client.utils.URIBuilder"
|
93
94
|
java_import "org.apache.http.impl.DefaultConnectionReuseStrategy"
|
95
|
+
java_import "org.apache.http.impl.NoConnectionReuseStrategy"
|
94
96
|
java_import "org.apache.http.impl.auth.BasicScheme"
|
97
|
+
java_import "org.apache.http.impl.client.BasicAuthCache"
|
98
|
+
java_import "org.apache.http.impl.client.BasicCookieStore"
|
99
|
+
java_import "org.apache.http.impl.client.BasicCredentialsProvider"
|
100
|
+
java_import "org.apache.http.impl.client.HttpClientBuilder"
|
101
|
+
java_import "org.apache.http.ssl.SSLContextBuilder"
|
102
|
+
java_import "org.apache.http.ssl.TrustStrategy"
|
95
103
|
|
96
104
|
# This is a class rather than a proc because the proc holds a closure around
|
97
105
|
# the instance of the Client that creates it.
|
98
106
|
class ExecutorThreadFactory
|
99
|
-
include
|
107
|
+
include java.util.concurrent.ThreadFactory
|
108
|
+
|
109
|
+
java_import 'java.lang.Thread'
|
110
|
+
|
111
|
+
@@factory_no = java.util.concurrent.atomic.AtomicInteger.new
|
112
|
+
|
113
|
+
def initialize(client)
|
114
|
+
@thread_no = java.util.concurrent.atomic.AtomicInteger.new
|
115
|
+
@name_prefix = "manticore##{client.object_id}-#{@@factory_no.increment_and_get}-"
|
116
|
+
end
|
100
117
|
|
101
118
|
def newThread(runnable)
|
102
|
-
thread =
|
103
|
-
thread.
|
104
|
-
|
119
|
+
thread = Thread.new(runnable, @name_prefix + @thread_no.increment_and_get.to_s)
|
120
|
+
thread.setDaemon(true)
|
121
|
+
thread
|
105
122
|
end
|
106
123
|
end
|
124
|
+
private_constant :ExecutorThreadFactory
|
107
125
|
|
108
126
|
include ProxiesInterface
|
109
127
|
|
@@ -161,10 +179,12 @@ module Manticore
|
|
161
179
|
# @option options [Hash] ssl Hash of options for configuring SSL
|
162
180
|
# @option options [Array<String>] ssl[:protocols] (nil) A list of protocols that Manticore should accept
|
163
181
|
# @option options [Array<String>] ssl[:cipher_suites] (nil) A list of cipher suites that Manticore should accept
|
164
|
-
# @option options [Symbol] ssl[:verify] (:
|
182
|
+
# @option options [Symbol] ssl[:verify] (:default) Hostname verification setting. Set to `:none` to turn off hostname verification. Setting to `:browser` will
|
165
183
|
# cause Manticore to accept a certificate for *.foo.com for all subdomains and sub-subdomains (eg a.b.foo.com).
|
166
|
-
# The default `:
|
184
|
+
# The default `:default` is like `:browser` but more strict - only accepts a single level of subdomains for wildcards,
|
167
185
|
# eg `b.foo.com` will be accepted for a `*.foo.com` certificate, but `a.b.foo.com` will not be.
|
186
|
+
# @option options [Client::TrustStrategiesInterface] ssl[:trust_strategy] (nil) A trust strategy to use in addition to any built by `ssl[:verify]`.
|
187
|
+
# @see Client::TrustStrategiesInterface#coerce
|
168
188
|
# @option options [String] ssl[:truststore] (nil) Path to a custom trust store to use the verifying SSL connections
|
169
189
|
# @option options [String] ssl[:truststore_password] (nil) Password used for decrypting the server trust store
|
170
190
|
# @option options [String] ssl[:truststore_type] (nil) Format of the trust store, ie "JKS" or "PKCS12". If left nil, the type will be inferred from the truststore filename.
|
@@ -177,8 +197,8 @@ module Manticore
|
|
177
197
|
# @option options [boolean] ssl[:track_state] (false) Turn on or off connection state tracking. This helps prevent SSL information from leaking across threads, but means that connections
|
178
198
|
# can't be shared across those threads. This should generally be left off unless you know what you're doing.
|
179
199
|
def initialize(options = {})
|
180
|
-
@
|
181
|
-
self.class.shutdown_on_finalize self, @
|
200
|
+
@finalizer = Finalizer.new
|
201
|
+
self.class.shutdown_on_finalize self, @finalizer
|
182
202
|
|
183
203
|
builder = client_builder
|
184
204
|
builder.set_user_agent options.fetch(:user_agent, "Manticore #{VERSION}")
|
@@ -198,7 +218,7 @@ module Manticore
|
|
198
218
|
|
199
219
|
@keepalive = options.fetch(:keepalive, true)
|
200
220
|
if @keepalive == false
|
201
|
-
builder.set_connection_reuse_strategy
|
221
|
+
builder.set_connection_reuse_strategy NoConnectionReuseStrategy::INSTANCE # return false
|
202
222
|
else
|
203
223
|
builder.set_connection_reuse_strategy DefaultConnectionReuseStrategy.new
|
204
224
|
end
|
@@ -344,21 +364,58 @@ module Manticore
|
|
344
364
|
end
|
345
365
|
end
|
346
366
|
|
347
|
-
#
|
348
|
-
|
349
|
-
|
367
|
+
# Release resources held by this client, namely:
|
368
|
+
# - close the internal http client
|
369
|
+
# - shutdown the connection pool
|
370
|
+
# - stops accepting async requests in the executor
|
371
|
+
#
|
372
|
+
# After this call the client is no longer usable.
|
373
|
+
# @note In versions before 0.9 this method only closed the underlying `CloseableHttpClient`
|
374
|
+
def close(await: nil)
|
375
|
+
ObjectSpace.undefine_finalizer(self)
|
376
|
+
@finalizer.call # which does ~ :
|
377
|
+
# @executor&.shutdown rescue nil
|
378
|
+
# @client&.close
|
379
|
+
# @pool&.shutdown rescue nil
|
380
|
+
case await
|
381
|
+
when false, nil
|
382
|
+
@executor&.shutdown_now rescue nil
|
383
|
+
when Numeric
|
384
|
+
# NOTE: the concept of awaiting gracefully might/should also be used with the pool/client closing
|
385
|
+
millis = java.util.concurrent.TimeUnit::MILLISECONDS
|
386
|
+
@executor&.await_termination(await * 1000, millis) rescue nil
|
387
|
+
else
|
388
|
+
nil
|
389
|
+
end
|
390
|
+
@async_requests.close
|
350
391
|
end
|
351
392
|
|
393
|
+
# @private
|
394
|
+
class Finalizer
|
395
|
+
|
396
|
+
def initialize
|
397
|
+
@_objs = []
|
398
|
+
end
|
399
|
+
|
400
|
+
def push(obj, args)
|
401
|
+
@_objs.unshift [java.lang.ref.WeakReference.new(obj), Array(args)]
|
402
|
+
end
|
403
|
+
|
404
|
+
def call(id = nil) # when called on finalization an object id arg is passed
|
405
|
+
@_objs.each { |obj, args| obj.get&.send(*args) rescue nil }
|
406
|
+
end
|
407
|
+
|
408
|
+
end
|
409
|
+
private_constant :Finalizer
|
410
|
+
|
352
411
|
# Get at the underlying ExecutorService used to invoke asynchronous calls.
|
353
412
|
def executor
|
354
|
-
|
355
|
-
@executor
|
413
|
+
@executor ||= create_executor
|
356
414
|
end
|
357
415
|
|
358
|
-
|
359
|
-
|
360
|
-
|
361
|
-
}
|
416
|
+
# @private
|
417
|
+
def self.shutdown_on_finalize(client, finalizer)
|
418
|
+
ObjectSpace.define_finalizer(client, finalizer)
|
362
419
|
end
|
363
420
|
|
364
421
|
protected
|
@@ -366,8 +423,9 @@ module Manticore
|
|
366
423
|
# Takes an object and a message to pass to the object to destroy it. This is done rather than
|
367
424
|
# a proc to avoid creating a closure that would maintain a reference to this client, which
|
368
425
|
# would prevent the client from being cleaned up.
|
426
|
+
# @private
|
369
427
|
def finalize(object, args)
|
370
|
-
@
|
428
|
+
@finalizer.push(object, args)
|
371
429
|
end
|
372
430
|
|
373
431
|
def url_as_regex(url)
|
@@ -387,7 +445,7 @@ module Manticore
|
|
387
445
|
|
388
446
|
# :nocov:
|
389
447
|
if options[:ignore_ssl_validation]
|
390
|
-
|
448
|
+
warn "The options[:ignore_ssl_validation] setting is deprecated in favor of options[:ssl][:verify]"
|
391
449
|
options[:ssl] ||= {}
|
392
450
|
options[:ssl] = {:verify => !options.delete(:ignore_ssl_validation)}.merge(options[:ssl])
|
393
451
|
end
|
@@ -419,17 +477,16 @@ module Manticore
|
|
419
477
|
socket_config_builder.build
|
420
478
|
end
|
421
479
|
|
422
|
-
def
|
423
|
-
|
424
|
-
|
425
|
-
|
480
|
+
def create_executor
|
481
|
+
executor = Executors.new_cached_thread_pool(ExecutorThreadFactory.new(self))
|
482
|
+
finalize executor, :shutdown
|
483
|
+
executor
|
426
484
|
end
|
427
485
|
|
428
486
|
def request(klass, url, options, &block)
|
429
487
|
req, context = request_from_options(klass, url, options)
|
430
488
|
async = options.delete(:async)
|
431
489
|
background = options.delete(:async_background)
|
432
|
-
create_executor_if_needed if (background || async)
|
433
490
|
response = response_object_for(req, context, &block)
|
434
491
|
|
435
492
|
if async
|
@@ -524,7 +581,6 @@ module Manticore
|
|
524
581
|
end
|
525
582
|
|
526
583
|
def get_proxy_host(opt)
|
527
|
-
host = nil
|
528
584
|
if opt.is_a? String
|
529
585
|
uri = URI.parse(opt)
|
530
586
|
if uri.host
|
@@ -609,20 +665,27 @@ module Manticore
|
|
609
665
|
|
610
666
|
# Configure the SSL Context
|
611
667
|
def ssl_socket_factory_from_options(ssl_options)
|
612
|
-
|
613
|
-
|
614
|
-
|
615
|
-
|
616
|
-
|
617
|
-
|
618
|
-
|
668
|
+
trust_strategy = nil
|
669
|
+
|
670
|
+
case ssl_options.fetch(:verify, :default)
|
671
|
+
when :none, :disable
|
672
|
+
trust_strategy = TrustAllStrategy::INSTANCE
|
673
|
+
verifier = NoopHostnameVerifier::INSTANCE
|
674
|
+
when false # compatibility
|
675
|
+
trust_strategy = TrustSelfSignedStrategy::INSTANCE
|
619
676
|
verifier = SSLConnectionSocketFactory::ALLOW_ALL_HOSTNAME_VERIFIER
|
620
677
|
when :browser
|
621
678
|
verifier = SSLConnectionSocketFactory::BROWSER_COMPATIBLE_HOSTNAME_VERIFIER
|
622
|
-
when
|
679
|
+
when :default, true
|
680
|
+
verifier = DefaultHostnameVerifier.new
|
681
|
+
when :strict # compatibility
|
623
682
|
verifier = SSLConnectionSocketFactory::STRICT_HOSTNAME_VERIFIER
|
624
683
|
else
|
625
|
-
raise "Invalid value for :verify. Valid values are (:
|
684
|
+
raise "Invalid value for :verify. Valid values are (:default, :browser, :none)"
|
685
|
+
end
|
686
|
+
|
687
|
+
if ssl_options.include?(:trust_strategy)
|
688
|
+
trust_strategy = TrustStrategies.combine(trust_strategy, ssl_options.fetch(:trust_strategy))
|
626
689
|
end
|
627
690
|
|
628
691
|
context = SSLContextBuilder.new
|
@@ -646,7 +709,7 @@ module Manticore
|
|
646
709
|
end
|
647
710
|
end
|
648
711
|
|
649
|
-
context.
|
712
|
+
context.java_send :loadTrustMaterial, [KeyStore, TrustStrategy], trust_store, trust_strategy
|
650
713
|
end
|
651
714
|
|
652
715
|
KEY_EXTRACTION_REGEXP = /(?:^-----BEGIN(.* )PRIVATE KEY-----\n)(.*?)(?:-----END\1PRIVATE KEY.*$)/m
|
@@ -658,7 +721,6 @@ module Manticore
|
|
658
721
|
# Support OpenSSL-style bare X.509 certs with an RSA key
|
659
722
|
if ssl_options[:client_cert] && ssl_options[:client_key]
|
660
723
|
key_store ||= blank_keystore
|
661
|
-
certs, key = nil, nil
|
662
724
|
|
663
725
|
cert_str = if ssl_options[:client_cert].is_a?(OpenSSL::X509::Certificate)
|
664
726
|
ssl_options[:client_cert].to_s
|
@@ -697,7 +759,7 @@ module Manticore
|
|
697
759
|
def get_store(prefix, options)
|
698
760
|
KeyStore.get_instance(options[:"#{prefix}_type"] || guess_store_type(options[prefix])).tap do |store|
|
699
761
|
instream = open(options[prefix], "rb").to_inputstream
|
700
|
-
store.load(instream, options.fetch(:"#{prefix}_password", nil).to_java
|
762
|
+
store.load(instream, options.fetch(:"#{prefix}_password", nil).to_java&.toCharArray)
|
701
763
|
end
|
702
764
|
end
|
703
765
|
|
@@ -722,10 +784,11 @@ module Manticore
|
|
722
784
|
end
|
723
785
|
end
|
724
786
|
|
725
|
-
class LoggingStandardRetryHandler <
|
787
|
+
class LoggingStandardRetryHandler < org.apache.http.impl.client.StandardHttpRequestRetryHandler
|
726
788
|
def retryRequest(exception, executionCount, context)
|
727
789
|
context.setAttribute "retryCount", executionCount
|
728
790
|
super(exception, executionCount, context)
|
729
791
|
end
|
730
792
|
end
|
793
|
+
private_constant :LoggingStandardRetryHandler
|
731
794
|
end
|
data/lib/manticore/version.rb
CHANGED
data/lib/manticore.rb
CHANGED
@@ -67,6 +67,7 @@ module Manticore
|
|
67
67
|
|
68
68
|
require_relative "./manticore/java_extensions"
|
69
69
|
require_relative "./manticore/client/proxies"
|
70
|
+
require_relative "./manticore/client/trust_strategies"
|
70
71
|
require_relative "./manticore/client"
|
71
72
|
require_relative "./manticore/response"
|
72
73
|
require_relative "./manticore/stubbed_response"
|
data/lib/manticore_jars.rb
CHANGED
@@ -1,8 +1,18 @@
|
|
1
1
|
# this is a generated file, to avoid over-writing it just delete this comment
|
2
|
-
|
2
|
+
begin
|
3
|
+
require 'jar_dependencies'
|
4
|
+
rescue LoadError
|
5
|
+
require 'commons-logging/commons-logging/1.2/commons-logging-1.2.jar'
|
6
|
+
require 'commons-codec/commons-codec/1.15/commons-codec-1.15.jar'
|
7
|
+
require 'org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar'
|
8
|
+
require 'org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar'
|
9
|
+
require 'org/apache/httpcomponents/httpmime/4.5.13/httpmime-4.5.13.jar'
|
10
|
+
end
|
3
11
|
|
4
|
-
|
5
|
-
require_jar
|
6
|
-
require_jar
|
7
|
-
require_jar
|
8
|
-
require_jar
|
12
|
+
if defined? Jars
|
13
|
+
require_jar 'commons-logging', 'commons-logging', '1.2'
|
14
|
+
require_jar 'commons-codec', 'commons-codec', '1.15'
|
15
|
+
require_jar 'org.apache.httpcomponents', 'httpcore', '4.4.14'
|
16
|
+
require_jar 'org.apache.httpcomponents', 'httpclient', '4.5.13'
|
17
|
+
require_jar 'org.apache.httpcomponents', 'httpmime', '4.5.13'
|
18
|
+
end
|
Binary file
|
Binary file
|
Binary file
|
data/manticore.gemspec
CHANGED
@@ -29,13 +29,11 @@ Gem::Specification.new do |spec|
|
|
29
29
|
|
30
30
|
spec.add_dependency "openssl_pkcs8_pure"
|
31
31
|
|
32
|
-
spec.add_development_dependency "bundler"
|
33
|
-
spec.add_development_dependency "rake"
|
34
32
|
spec.add_development_dependency "jar-dependencies", "~> 0.4.1"
|
35
33
|
|
36
|
-
spec.requirements << "jar org.apache.httpcomponents:httpclient, '~> 4.5.
|
37
|
-
spec.requirements << "jar org.apache.httpcomponents:httpmime, '~> 4.5.
|
34
|
+
spec.requirements << "jar org.apache.httpcomponents:httpclient, '~> 4.5.13'"
|
35
|
+
spec.requirements << "jar org.apache.httpcomponents:httpmime, '~> 4.5.13'"
|
38
36
|
spec.requirements << "jar commons-logging:commons-logging, '~> 1.2'"
|
39
37
|
spec.requirements << "jar commons-codec:commons-codec, '~> 1.9'"
|
40
|
-
spec.requirements << "jar org.apache.httpcomponents:httpcore, '~> 4.4.
|
38
|
+
spec.requirements << "jar org.apache.httpcomponents:httpcore, '~> 4.4.14'"
|
41
39
|
end
|
@@ -1,12 +1,11 @@
|
|
1
1
|
# encoding: utf-8
|
2
2
|
require "spec_helper"
|
3
3
|
|
4
|
-
java_import "org.apache.http.entity.mime.MultipartEntityBuilder"
|
5
|
-
java_import "org.apache.http.entity.ContentType"
|
6
|
-
|
7
4
|
describe Manticore::Client do
|
8
5
|
let(:client) { Manticore::Client.new }
|
9
6
|
|
7
|
+
after { client.close }
|
8
|
+
|
10
9
|
it "fetches a URL and return a response" do
|
11
10
|
expect(client.get(local_server)).to be_a Manticore::Response
|
12
11
|
end
|
@@ -96,7 +95,7 @@ describe Manticore::Client do
|
|
96
95
|
|
97
96
|
describe "ignore_ssl_validation (deprecated option)" do
|
98
97
|
context "when on" do
|
99
|
-
let(:client) { Manticore::Client.new ssl: {verify: false} }
|
98
|
+
let(:client) { Manticore::Client.new ssl: { verify: false } }
|
100
99
|
|
101
100
|
it "does not break on SSL validation errors" do
|
102
101
|
expect { client.get("https://localhost:55444/").body }.to_not raise_exception
|
@@ -104,7 +103,7 @@ describe Manticore::Client do
|
|
104
103
|
end
|
105
104
|
|
106
105
|
context "when off" do
|
107
|
-
let(:client) { Manticore::Client.new ssl: {verify: true} }
|
106
|
+
let(:client) { Manticore::Client.new ssl: { verify: true } }
|
108
107
|
|
109
108
|
it "breaks on SSL validation errors" do
|
110
109
|
expect { client.get("https://localhost:55444/").call }.to raise_exception(Manticore::ClientProtocolException)
|
@@ -148,6 +147,29 @@ describe Manticore::Client do
|
|
148
147
|
end
|
149
148
|
end
|
150
149
|
|
150
|
+
context "when on and custom trust strategy is given" do
|
151
|
+
# let(:custom_trust_strategy) { Proc.new {|chain,type| true } }
|
152
|
+
let(:client) { Manticore::Client.new :ssl => {:verify => :strict, :trust_strategy => custom_trust_strategy} }
|
153
|
+
context 'and trust strategy approves the cert chain' do
|
154
|
+
let(:custom_trust_strategy) { Proc.new { |chain,type| true } }
|
155
|
+
it "verifies the request and succeed" do
|
156
|
+
expect { client.get("https://localhost:55444/").body }.to_not raise_exception
|
157
|
+
end
|
158
|
+
end
|
159
|
+
context 'and trust strategy does not approve the cert chain' do
|
160
|
+
let(:custom_trust_strategy) { Proc.new { |chain,type| false } }
|
161
|
+
it "breaks on SSL validation errors" do
|
162
|
+
begin
|
163
|
+
client.get("https://localhost:55445/").body
|
164
|
+
rescue Manticore::ClientProtocolException => e
|
165
|
+
expect( e.cause ).to be_a javax.net.ssl.SSLHandshakeException
|
166
|
+
else
|
167
|
+
fail "exception not raised"
|
168
|
+
end
|
169
|
+
end
|
170
|
+
end
|
171
|
+
end
|
172
|
+
|
151
173
|
context "when the client specifies a protocol list" do
|
152
174
|
let(:client) { Manticore::Client.new :ssl => {verify: :strict, truststore: File.expand_path("../../ssl/truststore.jks", __FILE__), truststore_password: "test123", protocols: ["TLSv1", "TLSv1.1", "TLSv1.2"]} }
|
153
175
|
|
@@ -157,10 +179,10 @@ describe Manticore::Client do
|
|
157
179
|
end
|
158
180
|
|
159
181
|
context "when on and custom trust store is given with the wrong password" do
|
160
|
-
let(:
|
182
|
+
let(:ssl_opts) { { verify: :strict, truststore: File.expand_path("../../ssl/truststore.jks", __FILE__), truststore_password: "wrongpass" } }
|
161
183
|
|
162
184
|
it "fails to load the keystore" do
|
163
|
-
expect {
|
185
|
+
expect { Manticore::Client.new(:ssl => ssl_opts) }.to raise_exception(Java::JavaIo::IOException)
|
164
186
|
end
|
165
187
|
end
|
166
188
|
|
@@ -193,7 +215,7 @@ describe Manticore::Client do
|
|
193
215
|
let(:client) {
|
194
216
|
Manticore::Client.new(
|
195
217
|
:ssl => {
|
196
|
-
verify: :
|
218
|
+
verify: :default,
|
197
219
|
ca_file: File.expand_path("../../ssl/root-ca.crt", __FILE__),
|
198
220
|
client_cert: OpenSSL::X509::Certificate.new(File.read(File.expand_path("../../ssl/client.crt", __FILE__))),
|
199
221
|
client_key: OpenSSL::PKey::RSA.new(File.read(File.expand_path("../../ssl/client.key", __FILE__))),
|
@@ -210,7 +232,7 @@ describe Manticore::Client do
|
|
210
232
|
let(:client) {
|
211
233
|
Manticore::Client.new(
|
212
234
|
:ssl => {
|
213
|
-
verify: :
|
235
|
+
verify: :default,
|
214
236
|
ca_file: File.expand_path("../../ssl/root-ca.crt", __FILE__),
|
215
237
|
client_cert: File.read(File.expand_path("../../ssl/client.crt", __FILE__)),
|
216
238
|
client_key: File.read(File.expand_path("../../ssl/client.key", __FILE__)),
|
@@ -233,6 +255,27 @@ describe Manticore::Client do
|
|
233
255
|
it "does not break on expired SSL certificates" do
|
234
256
|
expect { client.get("https://localhost:55446/").body }.to_not raise_exception
|
235
257
|
end
|
258
|
+
|
259
|
+
it "does not break on untrusted certificates" do
|
260
|
+
expect { client.get("https://localhost:55447/").body }.to_not raise_exception
|
261
|
+
end
|
262
|
+
|
263
|
+
context "when custom trust strategy is given" do
|
264
|
+
# let(:custom_trust_strategy) { Proc.new {|chain,type| true } }
|
265
|
+
let(:client) { Manticore::Client.new :ssl => {:verify => :disable, :trust_strategy => custom_trust_strategy} }
|
266
|
+
context 'and trust strategy approves the cert chain' do
|
267
|
+
let(:custom_trust_strategy) { Proc.new { |chain,type| true } }
|
268
|
+
it "verifies the request and succeed" do
|
269
|
+
expect { client.get("https://localhost:55444/").body }.to_not raise_exception
|
270
|
+
end
|
271
|
+
end
|
272
|
+
context 'and trust strategy does not approve the cert chain' do
|
273
|
+
let(:custom_trust_strategy) { Proc.new { |chain,type| false } }
|
274
|
+
it "verifies the request and succeed" do
|
275
|
+
expect { client.get("https://localhost:55444/").body }.to_not raise_exception
|
276
|
+
end
|
277
|
+
end
|
278
|
+
end
|
236
279
|
end
|
237
280
|
|
238
281
|
context "against a server that verifies clients" do
|
@@ -272,11 +315,11 @@ describe Manticore::Client do
|
|
272
315
|
end
|
273
316
|
|
274
317
|
describe ":cipher_suites" do
|
275
|
-
skip
|
318
|
+
skip 'TODO: someone should write the spec'
|
276
319
|
end
|
277
320
|
|
278
321
|
describe ":protocols" do
|
279
|
-
skip
|
322
|
+
skip 'TODO: someone should write the spec'
|
280
323
|
end
|
281
324
|
end
|
282
325
|
|
@@ -531,7 +574,9 @@ describe Manticore::Client do
|
|
531
574
|
|
532
575
|
it "sends an arbitrary entity" do
|
533
576
|
f = open(File.expand_path(File.join(__FILE__, "..", "..", "spec_helper.rb")), "r").to_inputstream
|
534
|
-
multipart_entity = MultipartEntityBuilder.create.
|
577
|
+
multipart_entity = org.apache.http.entity.mime.MultipartEntityBuilder.create.
|
578
|
+
add_text_body("foo", "bar").
|
579
|
+
add_binary_body("whatever", f, org.apache.http.entity.ContentType::TEXT_PLAIN, __FILE__)
|
535
580
|
response = client.post(local_server, entity: multipart_entity.build)
|
536
581
|
expect(response.body).to match "RSpec.configure"
|
537
582
|
end
|
@@ -742,14 +787,13 @@ describe Manticore::Client do
|
|
742
787
|
context "with a misbehaving endpoint" do
|
743
788
|
let(:port) do
|
744
789
|
p = 4000
|
745
|
-
server = nil
|
746
790
|
begin
|
747
791
|
server = TCPServer.new p
|
748
792
|
rescue Errno::EADDRINUSE
|
749
793
|
p += 1
|
750
794
|
retry
|
751
795
|
ensure
|
752
|
-
server
|
796
|
+
server&.close
|
753
797
|
end
|
754
798
|
p
|
755
799
|
end
|
@@ -770,6 +814,7 @@ describe Manticore::Client do
|
|
770
814
|
].join("\n"))
|
771
815
|
client.close
|
772
816
|
rescue IOError => e
|
817
|
+
warn "caught an error: #{e.inspect}"
|
773
818
|
break
|
774
819
|
end
|
775
820
|
end
|
@@ -0,0 +1,168 @@
|
|
1
|
+
# encoding: utf-8
|
2
|
+
require "spec_helper"
|
3
|
+
describe Manticore::Client::TrustStrategies do
|
4
|
+
describe '#coerce' do
|
5
|
+
subject(:coerced) { described_class.coerce(input) }
|
6
|
+
context 'with a nil value' do
|
7
|
+
let(:input) { nil }
|
8
|
+
it 'returns the value unchanged' do
|
9
|
+
expect(coerced).to be_nil
|
10
|
+
end
|
11
|
+
end
|
12
|
+
context 'with an implementation of org.apache.http.conn.ssl.TrustStrategy' do
|
13
|
+
let(:input) { org.apache.http.conn.ssl.TrustAllStrategy::INSTANCE }
|
14
|
+
it 'returns the value unchanged' do
|
15
|
+
expect(coerced).to be input
|
16
|
+
end
|
17
|
+
end
|
18
|
+
context 'with a Proc' do
|
19
|
+
let(:input) { ->(chain, type) { true } }
|
20
|
+
it 'wraps the proc in a `CustomTrustStrategy`' do
|
21
|
+
expect(Manticore::Client::CustomTrustStrategy).to receive(:new).with(input).and_call_original
|
22
|
+
expect(described_class.coerce(input)).to be_a_kind_of Manticore::Client::CustomTrustStrategy
|
23
|
+
end
|
24
|
+
end
|
25
|
+
end
|
26
|
+
|
27
|
+
describe '#combine' do
|
28
|
+
context 'when left-hand value is nil' do
|
29
|
+
let(:left_hand_strategy) { nil }
|
30
|
+
let(:right_hand_strategy) { described_class.coerce(->(chain,type){ true }) }
|
31
|
+
it 'returns the right-hand value coerced' do
|
32
|
+
expect(described_class).to receive(:coerce).with(right_hand_strategy).and_call_original
|
33
|
+
expect(described_class.combine(left_hand_strategy, right_hand_strategy)).to be right_hand_strategy
|
34
|
+
end
|
35
|
+
end
|
36
|
+
context 'when the right-hand value is nil' do
|
37
|
+
let(:left_hand_strategy) { described_class.coerce(->(chain,type){ true }) }
|
38
|
+
let(:right_hand_strategy) { nil }
|
39
|
+
it 'returns the left-hand value coerced' do
|
40
|
+
expect(described_class).to receive(:coerce).with(left_hand_strategy).and_call_original
|
41
|
+
expect(described_class.combine(left_hand_strategy, right_hand_strategy)).to be left_hand_strategy
|
42
|
+
end
|
43
|
+
end
|
44
|
+
context 'when neither value is nil' do
|
45
|
+
let(:left_hand_strategy) { described_class.coerce(->(chain,type){ true }) }
|
46
|
+
let(:right_hand_strategy) { described_class.coerce(->(chain,type){ true }) }
|
47
|
+
|
48
|
+
it 'returns a CombinedTrustStrategy' do
|
49
|
+
expect(Manticore::Client::CombinedTrustStrategy)
|
50
|
+
.to receive(:new).with(left_hand_strategy, right_hand_strategy).and_call_original
|
51
|
+
|
52
|
+
# ensures that the values are coerced.
|
53
|
+
expect(described_class).to receive(:coerce).with(left_hand_strategy).and_call_original
|
54
|
+
expect(described_class).to receive(:coerce).with(right_hand_strategy).and_call_original
|
55
|
+
|
56
|
+
combined = described_class.combine(left_hand_strategy, right_hand_strategy)
|
57
|
+
expect(combined).to be_a_kind_of Manticore::Client::CombinedTrustStrategy
|
58
|
+
end
|
59
|
+
end
|
60
|
+
context 'when both values are nil' do
|
61
|
+
let(:left_hand_strategy) { nil }
|
62
|
+
let(:right_hand_strategy) { nil }
|
63
|
+
|
64
|
+
it 'returns nil' do
|
65
|
+
expect(described_class.combine(left_hand_strategy, right_hand_strategy)).to be nil
|
66
|
+
end
|
67
|
+
end
|
68
|
+
end
|
69
|
+
end
|
70
|
+
|
71
|
+
describe Manticore::Client::CustomTrustStrategy do
|
72
|
+
|
73
|
+
subject(:custom_trust_strategy) { described_class.new(trust_strategy_proc) }
|
74
|
+
|
75
|
+
context 'when called via Java interface' do
|
76
|
+
def load_java_cert(file_path)
|
77
|
+
pem_contents = File.read(file_path)
|
78
|
+
cf = java.security.cert.CertificateFactory::getInstance("X.509")
|
79
|
+
is = java.io.ByteArrayInputStream.new(pem_contents.to_java_bytes)
|
80
|
+
cf.generateCertificate(is)
|
81
|
+
end
|
82
|
+
|
83
|
+
let(:java_host_cert) { load_java_cert(File.expand_path("../../ssl/host.crt", __FILE__)) }
|
84
|
+
let(:java_root_cert) { load_java_cert(File.expand_path("../../ssl/root-ca.crt", __FILE__)) }
|
85
|
+
let(:java_chain) { [java_host_cert, java_root_cert].to_java(java.security.cert.X509Certificate) }
|
86
|
+
let(:java_type) { java.lang.String.new("my_type".to_java_bytes) }
|
87
|
+
|
88
|
+
subject(:java_trust_strategy) { custom_trust_strategy.to_java(org.apache.http.conn.ssl.TrustStrategy) }
|
89
|
+
|
90
|
+
context 'when called with Java Certs and a Java String' do
|
91
|
+
let(:trust_strategy_proc) { ->(chain,type) { true } }
|
92
|
+
it 'yields an enum of equivalent Ruby certs and an equivalent Ruby String' do
|
93
|
+
expect(trust_strategy_proc).to receive(:call) do |chain, type|
|
94
|
+
expect(chain.to_a.length).to eq java_chain.length
|
95
|
+
chain.each_with_index do |cert, idx|
|
96
|
+
expect(cert).to be_a_kind_of OpenSSL::X509::Certificate
|
97
|
+
expect(cert.to_der).to eq String.from_java_bytes(java_chain[idx].encoded)
|
98
|
+
end
|
99
|
+
expect(type).to be_a_kind_of String
|
100
|
+
expect(type).to eq String.from_java_bytes(java_type.bytes)
|
101
|
+
end
|
102
|
+
|
103
|
+
expect(java_trust_strategy.isTrusted(java_chain, java_type)).to be true
|
104
|
+
end
|
105
|
+
end
|
106
|
+
|
107
|
+
context 'when the ruby block returns false' do
|
108
|
+
let(:trust_strategy_proc) { ->(chain,type) { false } }
|
109
|
+
it 'returns false' do
|
110
|
+
expect(java_trust_strategy.isTrusted(java_chain, java_type)).to be false
|
111
|
+
end
|
112
|
+
end
|
113
|
+
|
114
|
+
context 'when the ruby block returns true' do
|
115
|
+
let(:trust_strategy_proc) { ->(chain,type) { true } }
|
116
|
+
it 'returns true' do
|
117
|
+
expect(java_trust_strategy.isTrusted(java_chain, java_type)).to be true
|
118
|
+
end
|
119
|
+
end
|
120
|
+
|
121
|
+
context 'when the ruby block raises an exception' do
|
122
|
+
let(:trust_strategy_proc) { ->(chain, type) { fail(OpenSSL::X509::CertificateError, 'intentional') } }
|
123
|
+
it 'throws a CertificateException' do
|
124
|
+
expect {
|
125
|
+
java_trust_strategy.isTrusted(java_chain, java_type)
|
126
|
+
}.to raise_exception(java.security.cert.CertificateException)
|
127
|
+
end
|
128
|
+
end
|
129
|
+
end
|
130
|
+
end
|
131
|
+
|
132
|
+
describe Manticore::Client::CombinedTrustStrategy do
|
133
|
+
let(:always_trust_strategy) { ->(chain,type) { true } }
|
134
|
+
let(:never_trust_strategy) { ->(chain,type) { false } }
|
135
|
+
|
136
|
+
subject(:combined_trust_strategy) { Manticore::Client::TrustStrategies.combine(left_hand_strategy, right_hand_strategy) }
|
137
|
+
|
138
|
+
context 'when left-hand strategy trusts' do
|
139
|
+
let(:left_hand_strategy) { always_trust_strategy }
|
140
|
+
context 'when right-hand strategy trusts' do
|
141
|
+
let(:right_hand_strategy) { always_trust_strategy }
|
142
|
+
it 'trusts' do
|
143
|
+
expect(combined_trust_strategy.trusted?([],'ignored')).to be true
|
144
|
+
end
|
145
|
+
end
|
146
|
+
context 'when right-hand strategy does not trust' do
|
147
|
+
let(:right_hand_strategy) { never_trust_strategy }
|
148
|
+
it 'trusts' do
|
149
|
+
expect(combined_trust_strategy.trusted?([],'ignored')).to be true
|
150
|
+
end
|
151
|
+
end
|
152
|
+
end
|
153
|
+
context 'when left-hand strategy does not trust' do
|
154
|
+
let(:left_hand_strategy) { never_trust_strategy }
|
155
|
+
context 'when right-hand strategy trusts' do
|
156
|
+
let(:right_hand_strategy) { always_trust_strategy }
|
157
|
+
it 'trusts' do
|
158
|
+
expect(combined_trust_strategy.trusted?([],'ignored')).to be true
|
159
|
+
end
|
160
|
+
end
|
161
|
+
context 'when right-hand strategy does not trust' do
|
162
|
+
let(:right_hand_strategy) { never_trust_strategy }
|
163
|
+
it 'does not trust' do
|
164
|
+
expect(combined_trust_strategy.trusted?([],'ignored')).to be false
|
165
|
+
end
|
166
|
+
end
|
167
|
+
end
|
168
|
+
end
|
data/spec/spec_helper.rb
CHANGED
@@ -151,6 +151,7 @@ RSpec.configure do |c|
|
|
151
151
|
start_ssl_server 55444
|
152
152
|
start_ssl_server 55445, :SSLVerifyClient => OpenSSL::SSL::VERIFY_PEER | OpenSSL::SSL::VERIFY_FAIL_IF_NO_PEER_CERT, :SSLCACertificateFile => File.expand_path("../ssl/root-ca.crt", __FILE__)
|
153
153
|
start_ssl_server 55446, cert: File.expand_path("../ssl/host-expired.crt", __FILE__)
|
154
|
+
start_ssl_server 55447, cert: File.expand_path("../ssl/host-untrusted.crt", __FILE__), SSLCACertificateFile: File.expand_path("../ssl/root-untrusted-ca.crt", __FILE__)
|
154
155
|
|
155
156
|
Manticore.disable_httpcomponents_logging!
|
156
157
|
}
|
metadata
CHANGED
@@ -1,14 +1,14 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: manticore
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.
|
4
|
+
version: 0.9.1
|
5
5
|
platform: java
|
6
6
|
authors:
|
7
7
|
- Chris Heald
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2022-06-13 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
requirement: !ruby/object:Gem::Requirement
|
@@ -17,36 +17,8 @@ dependencies:
|
|
17
17
|
- !ruby/object:Gem::Version
|
18
18
|
version: '0'
|
19
19
|
name: openssl_pkcs8_pure
|
20
|
-
type: :runtime
|
21
|
-
prerelease: false
|
22
|
-
version_requirements: !ruby/object:Gem::Requirement
|
23
|
-
requirements:
|
24
|
-
- - ">="
|
25
|
-
- !ruby/object:Gem::Version
|
26
|
-
version: '0'
|
27
|
-
- !ruby/object:Gem::Dependency
|
28
|
-
requirement: !ruby/object:Gem::Requirement
|
29
|
-
requirements:
|
30
|
-
- - ">="
|
31
|
-
- !ruby/object:Gem::Version
|
32
|
-
version: '0'
|
33
|
-
name: bundler
|
34
|
-
type: :development
|
35
|
-
prerelease: false
|
36
|
-
version_requirements: !ruby/object:Gem::Requirement
|
37
|
-
requirements:
|
38
|
-
- - ">="
|
39
|
-
- !ruby/object:Gem::Version
|
40
|
-
version: '0'
|
41
|
-
- !ruby/object:Gem::Dependency
|
42
|
-
requirement: !ruby/object:Gem::Requirement
|
43
|
-
requirements:
|
44
|
-
- - ">="
|
45
|
-
- !ruby/object:Gem::Version
|
46
|
-
version: '0'
|
47
|
-
name: rake
|
48
|
-
type: :development
|
49
20
|
prerelease: false
|
21
|
+
type: :runtime
|
50
22
|
version_requirements: !ruby/object:Gem::Requirement
|
51
23
|
requirements:
|
52
24
|
- - ">="
|
@@ -59,8 +31,8 @@ dependencies:
|
|
59
31
|
- !ruby/object:Gem::Version
|
60
32
|
version: 0.4.1
|
61
33
|
name: jar-dependencies
|
62
|
-
type: :development
|
63
34
|
prerelease: false
|
35
|
+
type: :development
|
64
36
|
version_requirements: !ruby/object:Gem::Requirement
|
65
37
|
requirements:
|
66
38
|
- - "~>"
|
@@ -86,12 +58,13 @@ files:
|
|
86
58
|
- ext/manticore/org/manticore/HttpGetWithEntity.java
|
87
59
|
- ext/manticore/org/manticore/Manticore.java
|
88
60
|
- gem-public_cert.pem
|
89
|
-
- lib/commons-codec/commons-codec/1.
|
61
|
+
- lib/commons-codec/commons-codec/1.15/commons-codec-1.15.jar
|
90
62
|
- lib/commons-logging/commons-logging/1.2/commons-logging-1.2.jar
|
91
63
|
- lib/faraday/adapter/manticore.rb
|
92
64
|
- lib/manticore.rb
|
93
65
|
- lib/manticore/client.rb
|
94
66
|
- lib/manticore/client/proxies.rb
|
67
|
+
- lib/manticore/client/trust_strategies.rb
|
95
68
|
- lib/manticore/cookie.rb
|
96
69
|
- lib/manticore/facade.rb
|
97
70
|
- lib/manticore/java_extensions.rb
|
@@ -99,13 +72,14 @@ files:
|
|
99
72
|
- lib/manticore/stubbed_response.rb
|
100
73
|
- lib/manticore/version.rb
|
101
74
|
- lib/manticore_jars.rb
|
102
|
-
- lib/org/apache/httpcomponents/httpclient/4.5.
|
103
|
-
- lib/org/apache/httpcomponents/httpcore/4.4.
|
104
|
-
- lib/org/apache/httpcomponents/httpmime/4.5.
|
75
|
+
- lib/org/apache/httpcomponents/httpclient/4.5.13/httpclient-4.5.13.jar
|
76
|
+
- lib/org/apache/httpcomponents/httpcore/4.4.14/httpcore-4.4.14.jar
|
77
|
+
- lib/org/apache/httpcomponents/httpmime/4.5.13/httpmime-4.5.13.jar
|
105
78
|
- lib/org/manticore/manticore-ext.jar
|
106
79
|
- manticore.gemspec
|
107
80
|
- spec/manticore/client_proxy_spec.rb
|
108
81
|
- spec/manticore/client_spec.rb
|
82
|
+
- spec/manticore/client_trust_strategies_spec.rb
|
109
83
|
- spec/manticore/cookie_spec.rb
|
110
84
|
- spec/manticore/facade_spec.rb
|
111
85
|
- spec/manticore/response_spec.rb
|
@@ -131,18 +105,19 @@ required_rubygems_version: !ruby/object:Gem::Requirement
|
|
131
105
|
- !ruby/object:Gem::Version
|
132
106
|
version: '0'
|
133
107
|
requirements:
|
134
|
-
- jar org.apache.httpcomponents:httpclient, '~> 4.5.
|
135
|
-
- jar org.apache.httpcomponents:httpmime, '~> 4.5.
|
108
|
+
- jar org.apache.httpcomponents:httpclient, '~> 4.5.13'
|
109
|
+
- jar org.apache.httpcomponents:httpmime, '~> 4.5.13'
|
136
110
|
- jar commons-logging:commons-logging, '~> 1.2'
|
137
111
|
- jar commons-codec:commons-codec, '~> 1.9'
|
138
|
-
- jar org.apache.httpcomponents:httpcore, '~> 4.4.
|
139
|
-
rubygems_version: 3.
|
112
|
+
- jar org.apache.httpcomponents:httpcore, '~> 4.4.14'
|
113
|
+
rubygems_version: 3.1.6
|
140
114
|
signing_key:
|
141
115
|
specification_version: 4
|
142
116
|
summary: Manticore is an HTTP client built on the Apache HttpCore components
|
143
117
|
test_files:
|
144
118
|
- spec/manticore/client_proxy_spec.rb
|
145
119
|
- spec/manticore/client_spec.rb
|
120
|
+
- spec/manticore/client_trust_strategies_spec.rb
|
146
121
|
- spec/manticore/cookie_spec.rb
|
147
122
|
- spec/manticore/facade_spec.rb
|
148
123
|
- spec/manticore/response_spec.rb
|
Binary file
|
Binary file
|
Binary file
|
Binary file
|