monorail 0.0.1

data/lib/monorail/app.rb

@@ -0,0 +1,132 @@
+# $Id: app.rb 2374 2006-04-24 02:51:49Z francis $
+#
+# Monorail::Application
+# This runs a monorail system from a command-line binary.
+# The binary is generated by rake and invokes us here.
+#
+#--
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#
+
+
+
+
+require 'ostruct'
+require 'optparse'
+
+
+module Monorail
+
+  # TODO, this is not unified with the version string in the Rakefile.
+  Version = "0.0.1"
+
+  def self.application
+    Application.new
+  end
+
+
+class Application
+
+
+  def initialize
+  end
+
+
+  def run
+    parse_arguments
+    Monorail.new( @options ).run
+  end
+
+
+  def parse_arguments
+    @options = OpenStruct.new
+    @options.host = "127.0.0.1"
+    @options.port = 8090
+    @options.ssl = false
+    @options.daemon = false
+    @options.rails = nil
+    @options.monorail = nil
+
+    opts = OptionParser.new {|opts|
+
+      opts.separator ""
+      opts.separator "Options summary:"
+
+      opts.on("-a", "--addr IP-address",
+        "Requires the host IP address to listen on",
+        "    default: 127.0.0.1") {|addr|
+          @options.host = addr
+      }
+
+      opts.on("-p", "--port TCP port",
+        "Requires the TCP port to listen on",
+        "    default: 8090") {|port|
+          @options.port = port.to_i
+      }
+
+      opts.on("-s", "--[no-]ssl", "Require SSL (HTTPS)",
+        "    default: false") {|ssl|
+          @options.ssl = ssl
+      }
+
+      opts.on("-d", "--[no-]daemon", "Run in the background",
+        "    default: false") {|d|
+          @options.daemon = d
+      }
+
+      # TODO, wrong, we need one parameter to select the environment, not several.
+      opts.on("--rails [DIR]", "run a rails app in the specified directory",
+        "    default: the current directory") {|d|
+          @options.rails = d || "."
+      }
+
+      opts.on("--monorail [DIR]", "run a monorails app in the specified directory",
+        "    default: the current directory") {|d|
+          @options.monorail = d || "."
+      }
+
+      # Options summary
+      opts.on_tail("-h", "--help", "Show this message") {
+        puts opts
+        exit
+      }
+      # Version
+      opts.on_tail("--version", "Show version") {
+        puts Monorail::Version
+        exit
+      }
+
+
+    }
+
+    opts.parse!(ARGV)
+
+  end
+
+
+
+end # class Application
+
+
+end # module Monorail
+
+
+#----------------------
+

data/lib/monorail/monorail_webd.rb

@@ -0,0 +1,753 @@
+# MONORAIL for WEBD
+# $Id: monorail_webd.rb 2190 2006-04-03 08:49:46Z francis $
+#
+#--
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+#
+# This program is free software; you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation; either version 2 of the License, or
+# (at your option) any later version.
+# 
+# This program is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+# 
+# You should have received a copy of the GNU General Public License
+# along with this program; if not, write to the Free Software
+# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
+#
+
+
+
+
+require 'dl/import'
+require 'timeout'
+require 'stringio'
+require 'cgi'
+require 'erb'
+require 'singleton'
+require 'md5'
+
+
+module Monorail
+
+
+
+#
+# Link in the external library for WEBD (socket-machine handler).
+# And set up the callbacks so we can handle requests here.
+#
+=begin
+  extend DL::Importable
+  dlload "./libwebd"
+
+  def request_callback
+    m = Request.new
+    resp = m.generate_response
+    fulfill_webd_request m.http_response_code, resp, resp.length
+  end
+
+  RequestCallback = callback "void request_callback()"
+
+  extern "void initialize_webd (void*)"
+  extern "void fulfill_webd_request (int, const char*, int)"
+  extern "const void *retrieve_post_content()"
+=end
+
+
+#
+# class SessionManager
+# Generate sessions and session keys.
+# This singleton class is used to support Monorail requests.
+# We get our session keys from a system entropy machine.
+# This version REQUIRES uuidgen and throws a fatal error
+# if it's not present.
+#
+class SessionManager
+  include Singleton
+
+  class TooManySessions < Exception; end
+
+  # TODO, make the session timeout (currently hardcoded to 10 minutes) configurable.
+  SessionTimeout = 600
+  # Authorization timeout is an interval after which we must re-authorize against
+  # an authoritative source. It's to make sure we cut the user off in case his
+  # access rights should expire or be revoked during a session.
+  AuthorizationTimeout = 120
+  # MaxSessions is the top number of sessions we permit at a time.
+  # May need to become configurable
+  MaxSessions = 100
+
+  #
+  # initialize
+  #
+  def initialize
+    # generate one key and throw it away. That way if there is a problem
+    # with the entropy generator, it'll generate an exception at the top
+    # of the run.
+    generate_key
+    @sessions = {}
+  end
+
+
+  #
+  # get_key_seed
+  # This method uses uuidgen, which must be present on the system.
+  # Override here to use some other mechanism.
+  #
+  def get_key_seed
+    `uuidgen -r`.chomp.gsub(/[\-]/, "")
+  end
+
+  #
+  # generate_key
+  #
+  def generate_key
+    if !@key_suffix or @key_suffix > 1000000
+      @key_seed = get_key_seed
+      raise "Invalid session-key seed" unless @key_seed.length > 8
+      @key_suffix = 0
+    end
+    @key_suffix += 1
+    format( "%s%08x", @key_seed, @key_suffix )
+  end
+
+  #
+  # retrieve_or_create_session
+  #
+  def retrieve_or_create_session session_name
+    sc = @sessions[session_name]
+
+    if sc
+      if sc.is_expired?
+        @sessions.delete sc.session_name
+        sc = nil
+      else
+        sc.touch
+      end
+    end
+
+    sc or create_session
+
+  end
+
+
+  #
+  # create_session
+  # This is as a good a place as any to purge expired sessions.
+  # We also throttle the total number of sessions open at any given time.
+  #
+  def create_session
+    purge_expired_sessions
+
+    unless @sessions.size < MaxSessions
+      raise TooManySessions
+    end
+
+    sc = Session.new
+    @sessions [sc.session_name.dup] = sc
+    sc
+  end
+
+
+  #
+  # purge_expired_sessions
+  #
+  def purge_expired_sessions
+    @sessions.delete_if {|k,v|
+      v.is_expired?
+    }
+  end
+
+end
+
+
+#
+# class Session
+#
+class Session < Hash
+
+  attr_reader :session_name
+  attr_reader :username
+  attr_reader :password
+
+  #
+  # initialize
+  #
+  def initialize
+    super()
+    @session_name = SessionManager.instance.generate_key
+    @first_use = true
+    @created_at = Time.now
+    @last_retrieved = nil
+  end
+
+  #
+  # first_use?
+  #
+  def first_use?
+    @last_retrieved == nil
+  end
+
+  #
+  # is_expired?
+  #
+  def is_expired?
+    last_touch = (@last_retrieved or @created_at)
+    (Time.now - last_touch) > SessionManager::SessionTimeout
+  end
+
+  #
+  # touch
+  #
+  def touch
+    @last_retrieved = Time.now
+  end
+
+  #
+  # set_credential
+  #
+  def set_credential user, psw
+    @username,@password = user,psw
+  end
+
+
+  #
+  # authorize
+  #
+  def authorize
+    @last_authorized = Time.now
+  end
+
+  #
+  # unauthorize
+  # Used to implement a logout function.
+  # Must null out the stored credential, otherwise the authorizer
+  # will just go back to the system function and try again.
+  # Security risk: Must make sure somehow that these session objects never
+  # get swapped out.
+  #
+  def unauthorize
+    @last_authorized = nil
+    @username = nil
+    @password = nil
+  end
+
+  #
+  # authorized?
+  #
+  def authorized?
+    @last_authorized and ((Time.now - @last_authorized) < SessionManager::AuthorizationTimeout)
+  end
+
+end # class Session
+
+
+#
+# class Request
+#
+class Request
+
+  attr_reader :http_response_code
+
+  class FileNotFound < Exception; end
+  class DirectoryBrowsed < Exception; end
+  class UndefinedController < Exception; end
+  class UndefinedControllerModule < Exception; end
+  class TemplateNotFound < Exception; end
+  class InvalidVerb < Exception; end
+  class Unauthorized < Exception; end
+
+  #
+  # authentication-page parameters
+  # These are set by configuration.
+  # @@authpage_directory is a real directory on the filesystem
+  # containing a monorail controller that generates a login page.
+  # @@authpage_controller is the name of the controller to invoke.
+  # If either of these is not initialized, then accesses requiring
+  # authentication will just fail with a 403 error.
+  #
+  @@authpage_directory = nil
+  @@authpage_controller = nil
+  #
+  # authentication_page
+  # Called by a configurator to specify the real directory and controller name
+  # of a single (global) page that will generate an auth challenge.
+  def Request::authentication_page actual, controller
+    @@authpage_directory,@@authpage_controller = actual,controller
+  end
+
+  #
+  # use_sessions
+  # This is a class method that sets the class variable @@use_sessions.
+  # When true, a session will automatically be created and maintained for
+  # each user. It will automatically be made available to controllers
+  # and page templates.
+  # Sessions may be used without authentication. Authentication REQUIRES sessions.
+  # Sessions are NOT used by default.
+  # Session cookies are hardcoded here in a class variable. Make it configurable someday.
+  #
+  @@use_sessions = false
+  @@session_cookie_name = "monorail_session"
+  def Request::use_sessions sess
+    @@use_sessions = sess
+  end 
+
+  #
+  # authorization_proc
+  # This is a proc object which expects two parameters, a user and a password.
+  # It must be specified before authorization will work. This permits
+  # pluggable auth/az methods.
+  #
+  @@authorization_proc = nil
+  def Request::authorization_proc pr
+    @@authorization_proc = pr
+  end
+
+  #
+  # mime mappings
+  #
+  @@mime_mappings = {
+    "gif" => "image/gif",
+    "jpg" => "image/jpeg",
+    "jpeg" => "image/jpeg",
+    "txt" => "text/plain",
+    "html" => "text/html",
+    "js" => "text/javascript",
+    "css" => "text/css",
+  }
+  def Request::mime_mapping suffix, mimetype
+    @mime_mappings [suffix] = mimetype
+  end
+
+
+  #
+  # verbose flag
+  # Defaults false, triggers debugging info to stderr.
+  # Needs to be configurable.
+  #
+  @@verbose = false
+  def Request::verbose v
+    @@verbose = v
+  end
+
+  #
+  # debug flag
+  # When set, this will select behaviors appropriate for development.
+  # For example, controller files will be loaded on every request
+  # instead of just required.
+  @@debug = false
+  def Request::debug d
+    @@debug = d
+  end
+
+
+
+  # class DirectoryAlias
+  #
+  class DirectoryAlias
+
+    attr_reader :prefix, :actual, :processor
+
+    #
+    # initialize
+    #
+    def initialize prefix, actual, processor, auth_required
+      unless prefix =~ /^\//
+        prefix = "/" + prefix
+      end
+      unless prefix =~ /\/$/
+        prefix = prefix + "/"
+      end
+      unless actual =~ /\/$/
+        actual = actual + "/"
+      end
+
+      @prefix = prefix
+      @prefix_pattern = Regexp.new( "^#{prefix}" )
+      @actual = actual
+      @processor = processor
+      @auth_required = auth_required
+    end
+
+    #
+    # auth_required?
+    #
+    def auth_required?
+      @auth_required
+    end
+
+    #
+    # match_request
+    # Does our prefix match that of the incoming path_info?
+    # Return T/F
+    #
+    def match_request path_info
+      path_info =~ @prefix_pattern
+    end
+
+    #
+    # default_resource
+    # Generate a default resource, such as for requests that don't
+    # specify one. For now we only handle directory requests, and
+    # we hardcode index.html. Eventually this needs to become more
+    # flexible.
+    def default_resource
+      case @processor
+      when :directory
+        "index.html"
+      else
+        ""
+      end
+    end
+
+
+    #
+    # translate_pathname
+    #
+    def translate_pathname path_info
+      if path_info =~ @prefix_pattern
+        filename = $' || ""
+        filename.length > 0 or filename = default_resource
+        @actual + filename
+      end
+    end
+
+    #
+    # get_path_tail
+    #
+    def get_path_tail path_info
+      if path_info =~ @prefix_pattern
+        $'
+      end
+    end
+
+  end # class DirectoryAlias
+  # directory_aliases class variable is an array of DirectoryAlias objects
+  @@directory_aliases = []
+
+
+  #
+  # Request::directory_alias
+  # This is used to specify directories. Could also do it via a config file,
+  # that might be better.
+  # Each entry consists of a prefix name which is head-matched against incoming
+  # HTTP requests, an actual pathname in the filesystem, which should be FQ,
+  # a responder type (:directory and :monorail are currently defined),
+  # and an authentication-required flag (T/F).
+  # There is one oddity: we support a notion of a "default" directory, where
+  # the prefix is "/". Now this array of directory aliases is searched in
+  # order, but there is a problem with the default directory because a prefix
+  # of "/" will head-match any request. So as a special case, we ENSURE here
+  # that any such directory will be added to the bottom of the list.
+  # Use a sort instead of a tail-inspection because there could be more than
+  # one default directory specified (even though that would make no sense).
+  #
+  def Request::directory_alias prefix, actual, responder, authreq
+    @@directory_aliases << DirectoryAlias.new( prefix, actual, responder, authreq )
+    @@directory_aliases.sort! {|a,b| ((a.prefix == '/') ? 1 : 0) <=> ((b.prefix == '/') ? 1 : 0) }
+  end
+
+  #
+  # initialize
+  #
+  def initialize
+    @headers = {"content-type" => "text/html"}
+    @cookies = []
+    @http_response_code = 200
+  end
+
+
+  #
+  # initialize_session
+  # We use a HARDCODED cookie name. Revise this later
+  # if it's necessary to support multiple applications with
+  # distinct sessions.
+  # When initializing a CGI::Cookie, DON'T LEAVE OUT THE PATH.
+  # It's optional but the default is the current path, not the whole site,
+  # so it's not really a session cookie.
+  # WARNING, that may not end up being good enough.
+  #
+  def initialize_session
+    return unless @@use_sessions
+    sc = @cgi.cookies[@@session_cookie_name] and sc = sc.shift
+    @session = SessionManager.instance.retrieve_or_create_session( sc )
+    if @session.first_use?
+      @cookies << CGI::Cookie::new( 'name' => @@session_cookie_name, 'value' => [@session.session_name], 'path' => "/" )
+    end
+  end
+
+
+  #
+  # generate_content
+  #
+  def generate_content
+    diralias = @@directory_aliases.detect {|da| da.match_request @cgi.path_info }
+
+    diralias or raise FileNotFound
+
+    if diralias.auth_required? and !check_authorization
+      if @@authpage_directory and @@authpage_controller
+        generate_content_from_monorail( @@authpage_directory, @@authpage_controller )
+      else
+        raise Unauthorized
+      end
+
+    else
+      # here, we're either authorized or no auth is required. Gen the page.
+      case diralias.processor
+      when :directory
+        generate_content_from_directory( diralias.translate_pathname( @cgi.path_info ))
+      when :monorail
+        generate_content_from_monorail( diralias.actual, diralias.get_path_tail( @cgi.path_info ))
+      else
+        raise FileNotFound
+      end
+
+    end
+
+  end
+
+
+  #
+  # check_authorization
+  #
+  def check_authorization
+    if @session
+      if @session.authorized?
+        true
+      elsif @@authorization_proc and @@authorization_proc.call( @session.username, @session.password )
+        @session.authorize
+        true
+      end
+    end
+  end
+
+
+  #
+  # compute_file_etag
+  # We concatenate the inode mtime and size from a filename
+  # and MD5-hash them.
+  # We expect valid input so throw an exception on error.
+  #
+  def compute_file_etag filename
+    MD5.new( "#{File.mtime( filename ).to_i}::#{File.size( filename )}" ).to_s
+  end
+
+  #
+  # generate_content_from_directory
+  # We come here to generate content by reading a file on the filesystem.
+  #
+  def generate_content_from_directory filename
+    if filename =~ /[\/]+$/
+      @@verbose and $stderr.puts "failing directory request: #{filename}"
+      raise DirectoryBrowsed
+    end
+    if File.exist?(filename) && !File.directory?(filename)
+      etag = compute_file_etag( filename )
+      if if_none_match = ENV["IF_NONE_MATCH"] and if_none_match == etag
+        @@verbose and $stderr.puts "fulfilling directory request (Etag): #{filename}"
+        @http_response_code = 304
+        ""
+      else
+        @@verbose and $stderr.puts "fulfilling directory request: #{filename}"
+        @headers['ETag'] = etag
+        compute_content_type
+        File.read filename
+      end
+    else
+      raise FileNotFound
+    end
+  end
+
+
+  #
+  # generate_content_from_monorail
+  # We load up a ruby file based on the name in the path_info.
+  # OBSERVE: there are no subdirectories. The ruby module needs
+  # to be in the top subdirectory under the actual pathname.
+  # Any rendered pages will be in subdirectory "pages"
+  # which is a security feature. Since we won't let a URL
+  # specify a controller file below the top-level, that means
+  # the files which define page templates are not accessible
+  # by URL.
+  # Observe that there is a debug path available when mixin in the
+  # controller personality, but it hardcodes that the controller filename
+  # end in .rb.
+  #
+  def generate_content_from_monorail path_prefix, pathname
+    @@verbose and $stderr.puts "fulfilling monorail request: #{path_prefix} :: #{pathname}"
+    paths = pathname.split(/[\/]+/)
+    (action = paths.shift || "index") and action.gsub!(/[\.]/, "_")
+
+    verb = paths.shift || "index"
+
+    # Before mixing in the personality, make sure the request verb
+    # isn't already present in this class. This prevents people calling
+    # things like initialize.
+    raise InvalidVerb if self.respond_to?( verb )
+    
+    # load action handler
+    begin
+      if @@debug
+        load File.join( path_prefix, action ) + ".rb"
+      else
+        require File.join( path_prefix, action )
+      end
+      instance_eval "extend Controller_#{action}"
+    rescue LoadError
+      raise UndefinedController
+    rescue NameError
+      raise UndefinedControllerModule
+    end
+
+    # Now throw something if the requested verb has NOT been mixed in.
+    raise InvalidVerb unless self.respond_to?( verb )
+
+    @headers ['Pragma'] = "no-cache"
+    @headers ['Expires'] = "-1"
+    @headers ['Cache-control'] = "no-cache"
+
+    @extra_paths = paths || []
+    @path_prefix = File.join( path_prefix, "pages" )
+    instance_eval verb
+
+  end
+
+
+  #
+  # read_post_contents
+  #
+  def read_post_contents
+    return unless @cgi.request_method == "POST"
+    clen = ENV["POST_CONTENT_LENGTH"] and clen = clen.to_i
+    return unless clen && (clen > 0)
+
+    pc = ::Monorail::module_eval { retrieve_post_content }
+    if pc and pc.respond_to?(:to_s)
+      pc = pc.to_s( clen )
+      if pc and pc.length == clen
+        if @cgi.content_type.downcase == "application/x-www-form-urlencoded"
+          @cgi.params.merge!( CGI::parse( pc ))
+        else
+          # We have some kind of possibly binary content.
+          # Might be multipart too.
+          # Sit on it until we need to do something with it.
+          @post_content = pc
+        end
+      end
+    end
+
+  end
+
+  #
+  # generate_response
+  #
+  def generate_response
+    content = begin
+      timeout(3) {
+        @cgi = CGI.new
+        initialize_session
+        read_post_contents
+        generate_content
+      }
+    rescue Timeout::Error
+      @http_response_code = 500
+      "Timeout Error: #{$!}"
+    rescue RuntimeError
+      @http_response_code = 500
+      "Runtime Error: #{$!.message}"
+    rescue FileNotFound, UndefinedController, UndefinedControllerModule, TemplateNotFound, InvalidVerb
+      @http_response_code = 404
+      $!.message # Add a custom 404 handler here if desired
+    rescue DirectoryBrowsed
+      @http_response_code = 403
+      "Directory browsing not permitted" # Add a custom 403 handler here if desired
+    rescue Unauthorized
+      @http_response_code = 403
+      "Unauthorized" # Add a custom 403 handler here if desired
+    rescue SessionManager::TooManySessions
+      @http_response_code = 500
+      $!
+    rescue
+      @http_response_code = 500
+      "Unspecified Error: #{$!}"
+    end
+
+    ss = StringIO.new
+    ss << "HTTP/1.1 #{@http_response_code} ...\r\n"
+
+    @headers.each {|k,v| ss << "#{k}: #{v}\r\n" }
+    @cookies.each {|c| ss << "Set-Cookie: #{c.to_s}\r\n" }
+    ss << "Content-length: #{content.to_s.length}\r\n"
+    ss << "\r\n"
+    ss << content
+
+    ss.string
+  end
+
+  #
+  # compute_content_type
+  # This is probably too crude and will need to be modified.
+  # We look at the tail of the path_info and infer a mime type.
+  # This is really only appropriate for requests fulfilled out
+  # of the filesystem. For script-generated responses, they will
+  # want to define content-type manually.
+  #
+  def compute_content_type
+    hdr = "text/html"
+    path_tail = if @cgi
+      if @cgi.path_info =~ /\.([^\.]+)$/i
+        $1
+      end
+    end
+    if path_tail and @@mime_mappings.has_key?(path_tail)
+      hdr = @@mime_mappings[path_tail]
+    end
+
+    @headers["content-type"] = hdr
+  end
+
+
+  #
+  # render
+  #
+  def render filename, context = binding
+    filename = File.join( @path_prefix, filename )
+    unless File.exist?(filename) and !File.directory?(filename)
+      raise TemplateNotFound
+    end
+    template = File.read( filename )
+    ERB.new( template ).result( context )
+  end
+
+  #
+  # redirect_to
+  # Sets up a 301 redirect and returns a empty string.
+  # So it can be used as the last line in a controller.
+  #
+  def redirect_to url
+    @headers['Location'] = url
+    @http_response_code = 301
+    ""
+  end
+
+
+end
+
+
+end # module Monorail
+
+
+
+#-----------------------------------------------------
+
+if __FILE__ == $0
+  puts "No default behavior for #{__FILE__}"
+end
+