newrelic_security 0.1.0

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/error.rb

@@ -0,0 +1,129 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  class Error < RuntimeError
+    class Frame < NewRelic::Security::WebSocket::Error
+      class ControlFramePayloadTooLong < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :control_frame_payload_too_long
+        end
+      end
+
+      class DataFrameInsteadContinuation < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :data_frame_instead_continuation
+        end
+      end
+
+      class FragmentedControlFrame < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :fragmented_control_frame
+        end
+      end
+
+      class Invalid < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :invalid_frame
+        end
+      end
+
+      class InvalidPayloadEncoding < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :invalid_payload_encoding
+        end
+      end
+
+      class MaskTooShort < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :mask_is_too_short
+        end
+      end
+
+      class ReservedBitUsed < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :reserved_bit_used
+        end
+      end
+
+      class TooLong < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :frame_too_long
+        end
+      end
+
+      class UnexpectedContinuationFrame < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :unexpected_continuation_frame
+        end
+      end
+
+      class UnknownFrameType < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :unknown_frame_type
+        end
+      end
+
+      class UnknownOpcode < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :unknown_opcode
+        end
+      end
+
+      class UnknownCloseCode < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :unknown_close_code
+        end
+      end
+
+      class UnknownVersion < NewRelic::Security::WebSocket::Error::Frame
+        def message
+          :unknown_protocol_version
+        end
+      end
+    end
+
+    class Handshake < NewRelic::Security::WebSocket::Error
+      class GetRequestRequired < NewRelic::Security::WebSocket::Error::Handshake
+        def message
+          :get_request_required
+        end
+      end
+
+      class InvalidAuthentication < NewRelic::Security::WebSocket::Error::Handshake
+        def message
+          :invalid_handshake_authentication
+        end
+      end
+
+      class InvalidHeader < NewRelic::Security::WebSocket::Error::Handshake
+        def message
+          :invalid_header
+        end
+      end
+
+      class UnsupportedProtocol < NewRelic::Security::WebSocket::Error::Handshake
+        def message
+          :unsupported_protocol
+        end
+      end
+
+      class InvalidStatusCode < NewRelic::Security::WebSocket::Error::Handshake
+        def message
+          :invalid_status_code
+        end
+      end
+
+      class NoHostProvided < NewRelic::Security::WebSocket::Error::Handshake
+        def message
+          :no_host_provided
+        end
+      end
+
+      class UnknownVersion < NewRelic::Security::WebSocket::Error::Handshake
+        def message
+          :unknown_protocol_version
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/exception_handler.rb

@@ -0,0 +1,32 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module ExceptionHandler
+    attr_accessor :error
+
+    def self.included(base)
+      base.extend(ClassMethods)
+    end
+
+    module ClassMethods
+      # Rescue from NewRelic::Security::WebSocket::Error errors.
+      #
+      # @param [String] method_name Name of method that should be wrapped and rescued
+      # @param [Hash] options Options for rescue
+      #
+      # @option options [Any] :return Value that should be returned instead of raised error
+      def rescue_method(method_name, options = {})
+        define_method "#{method_name}_with_rescue" do |*args|
+          begin
+            send("#{method_name}_without_rescue", *args)
+          rescue NewRelic::Security::WebSocket::Error => e
+            self.error = e.message.to_sym
+            NewRelic::Security::WebSocket.should_raise ? raise : options[:return]
+          end
+        end
+        alias_method "#{method_name}_without_rescue", method_name
+        alias_method method_name, "#{method_name}_with_rescue"
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/base.rb

@@ -0,0 +1,62 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Frame
+    # @abstract Subclass and override to implement custom frames
+    class Base
+      include ExceptionHandler
+      include NiceInspect
+
+      attr_reader :type, :version, :error
+      attr_accessor :data, :code
+
+      # Initialize frame
+      # @param args [Hash] Arguments for frame
+      # @option args [String]  :data default data for frame
+      # @option args [String]  :type Type of frame - available types are "text", "binary", "ping", "pong" and "close"(support depends on draft version)
+      # @option args [Integer] :code Code for close frame. Supported by drafts > 05.
+      # @option args [Integer] :version Version of draft. Currently supported version are 75, 76 and 00-13.
+      def initialize(args = {})
+        @type = args[:type].to_sym if args[:type]
+        @code = args[:code]
+        @data = Data.new(args[:data].to_s)
+        @version = args[:version] || DEFAULT_VERSION
+        @handler = nil
+        include_version
+      end
+      rescue_method :initialize
+
+      # Check if some errors occured
+      # @return [Boolean] True if error is set
+      def error?
+        !@error.nil?
+      end
+
+      # Is selected type supported for selected handler?
+      def support_type?
+        @handler.supported_frames.include?(@type)
+      end
+
+      # Implement in submodules
+      def supported_frames
+        raise NotImplementedError
+      end
+
+      private
+
+      # Include set of methods for selected protocol version
+      # @return [Boolean] false if protocol number is unknown, otherwise true
+      def include_version
+        @handler = case @version
+                   when 75..76 then Handler::Handler75.new(self)
+                   when 0..2 then Handler::Handler75.new(self)
+                   when 3 then Handler::Handler03.new(self)
+                   when 4 then Handler::Handler04.new(self)
+                   when 5..6 then Handler::Handler05.new(self)
+                   when 7..13 then Handler::Handler07.new(self)
+                   else raise NewRelic::Security::WebSocket::Error::Frame::UnknownVersion
+                   end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/data.rb

@@ -0,0 +1,49 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Frame
+    class Data < String
+      def initialize(*args)
+        super(*convert_args(args))
+        @masking_key = nil
+      end
+
+      def <<(*args)
+        super(*convert_args(args))
+      end
+
+      # Convert all arguments to ASCII-8BIT for easier traversing
+      def convert_args(args)
+        args.collect { |arg| arg.dup.force_encoding('ASCII-8BIT') }
+      end
+
+      # Extract mask from 4 first bytes according to spec
+      def set_mask
+        raise NewRelic::Security::WebSocket::Error::Frame::MaskTooShort if bytesize < 4
+        @masking_key = self[0..3].bytes.to_a
+      end
+
+      # Remove mask flag - it will still be present in payload
+      def unset_mask
+        @masking_key = nil
+      end
+
+      # Extract `count` bytes starting from `start_index` and unmask it if needed.
+      def getbytes(start_index, count)
+        data = self[start_index, count]
+        data = mask(data.bytes.to_a, @masking_key).pack('C*') if @masking_key
+        data
+      end
+
+      # Mask whole payload using mask key
+      def mask(payload, mask)
+        return mask_native(payload, mask) if respond_to?(:mask_native)
+        result = []
+        payload.each_with_index do |byte, i|
+          result[i] = byte ^ mask[i % 4]
+        end
+        result
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/base.rb

@@ -0,0 +1,41 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Frame
+    module Handler
+      class Base
+        def initialize(frame)
+          @frame = frame
+        end
+
+        # Convert data to raw frame ready to send to client
+        # @return [String] Encoded frame
+        def encode_frame
+          raise NotImplementedError
+        end
+
+        # Convert raw data to decoded frame
+        # @return [NewRelic::Security::WebSocket::Frame::Incoming] Frame if found, nil otherwise
+        def decode_frame
+          raise NotImplementedError
+        end
+
+        private
+
+        # Check if frame is one of control frames
+        # @param [Symbol] frame_type Frame type
+        # @return [Boolean] True if given frame type is control frame
+        def control_frame?(frame_type)
+          !%i[text binary continuation].include?(frame_type)
+        end
+
+        # Check if frame is one of data frames
+        # @param [Symbol] frame_type Frame type
+        # @return [Boolean] True if given frame type is data frame
+        def data_frame?(frame_type)
+          %i[text binary].include?(frame_type)
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/handler03.rb

@@ -0,0 +1,224 @@
+# encoding: binary
+# frozen_string_literal: true
+
+require 'securerandom'
+
+module NewRelic::Security::WebSocket
+  module Frame
+    module Handler
+      class Handler03 < Base
+        # Hash of frame names and it's opcodes
+        FRAME_TYPES = {
+          continuation: 0,
+          close: 1,
+          ping: 2,
+          pong: 3,
+          text: 4,
+          binary: 5
+        }.freeze
+
+        # Hash of frame opcodes and it's names
+        FRAME_TYPES_INVERSE = FRAME_TYPES.invert.freeze
+
+        def initialize(frame)
+          super
+          @application_data_buffer = nil
+        end
+
+        # @see NewRelic::Security::WebSocket::Frame::Base#supported_frames
+        def supported_frames
+          %i[text binary close ping pong]
+        end
+
+        # @see NewRelic::Security::WebSocket::Frame::Handler::Base#encode_frame
+        def encode_frame
+          frame = if @frame.outgoing_masking?
+                    masking_key = SecureRandom.random_bytes(4)
+                    tmp_data = Data.new(masking_key + @frame.data)
+                    tmp_data.set_mask
+                    masking_key + tmp_data.getbytes(4, tmp_data.size)
+                  else
+                    @frame.data
+                  end
+
+          encode_header + frame
+        end
+
+        # @see NewRelic::Security::WebSocket::Frame::Handler::Base#decode_frame
+        def decode_frame
+          while @frame.data.size > 1
+            valid_header, more, frame_type, mask, payload_length = decode_header
+            return unless valid_header
+
+            application_data = decode_payload(payload_length, mask)
+
+            if more
+              decode_continuation_frame(application_data, frame_type)
+            elsif frame_type == :continuation
+              return decode_finish_continuation_frame(application_data)
+            else
+              raise(NewRelic::Security::WebSocket::Error::Frame::InvalidPayloadEncoding) if frame_type == :text && !application_data.valid_encoding?
+              return @frame.class.new(version: @frame.version, type: frame_type, data: application_data, decoded: true)
+            end
+          end
+          nil
+        end
+
+        # Allow turning on or off masking
+        def masking?
+          false
+        end
+
+        private
+
+        # This allows flipping the more bit to fin for draft 04
+        def fin
+          false
+        end
+
+        # Convert frame type name to opcode
+        # @param [Symbol] frame_type Frame type name
+        # @return [Integer] opcode or nil
+        # @raise [NewRelic::Security::WebSocket::Error] if frame opcode is not known
+        def type_to_opcode(frame_type)
+          FRAME_TYPES[frame_type] || raise(NewRelic::Security::WebSocket::Error::Frame::UnknownFrameType)
+        end
+
+        # Convert frame opcode to type name
+        # @param [Integer] opcode Opcode
+        # @return [Symbol] Frame type name or nil
+        # @raise [NewRelic::Security::WebSocket::Error] if frame type name is not known
+        def opcode_to_type(opcode)
+          FRAME_TYPES_INVERSE[opcode] || raise(NewRelic::Security::WebSocket::Error::Frame::UnknownOpcode)
+        end
+
+        def encode_header
+          mask = @frame.outgoing_masking? ? 0b10000000 : 0b00000000
+
+          output = String.new('')
+          output << (type_to_opcode(@frame.type) | (fin ? 0b10000000 : 0b00000000)) # since more, rsv1-3 are 0 and 0x80 for Draft 4
+          output << encode_payload_length(@frame.data.size, mask)
+          output
+        end
+
+        def encode_payload_length(length, mask)
+          output = String.new('')
+          if length <= 125
+            output << (length | mask) # since rsv4 is 0
+          elsif length < 65_536 # write 2 byte length
+            output << (126 | mask)
+            output << [length].pack('n')
+          else # write 8 byte length
+            output << (127 | mask)
+            output << [length >> 32, length & 0xFFFFFFFF].pack('NN')
+          end
+          output
+        end
+
+        def decode_header
+          more, frame_type = decode_first_byte
+          header_length, payload_length, mask = decode_second_byte(frame_type)
+          return unless header_length
+
+          # Compute the expected frame length
+          frame_length = header_length + payload_length
+          frame_length += 4 if mask
+
+          raise(NewRelic::Security::WebSocket::Error::Frame::TooLong) if frame_length > NewRelic::Security::WebSocket.max_frame_size
+
+          # Check buffer size
+          return unless buffer_exists?(frame_length) # Buffer incomplete
+
+          # Remove frame header
+          @frame.data.slice!(0...header_length)
+
+          [true, more, frame_type, mask, payload_length]
+        end
+
+        def buffer_exists?(buffer_number)
+          !@frame.data.getbyte(buffer_number - 1).nil?
+        end
+
+        def decode_first_byte
+          first_byte = @frame.data.getbyte(0)
+
+          raise(NewRelic::Security::WebSocket::Error::Frame::ReservedBitUsed) if first_byte & 0b01110000 != 0b00000000
+
+          more = ((first_byte & 0b10000000) == 0b10000000) ^ fin
+          frame_type = opcode_to_type first_byte & 0b00001111
+
+          raise(NewRelic::Security::WebSocket::Error::Frame::FragmentedControlFrame) if more && control_frame?(frame_type)
+          raise(NewRelic::Security::WebSocket::Error::Frame::DataFrameInsteadContinuation) if data_frame?(frame_type) && !@application_data_buffer.nil?
+
+          [more, frame_type]
+        end
+
+        def decode_second_byte(frame_type)
+          second_byte = @frame.data.getbyte(1)
+
+          mask = @frame.incoming_masking? && (second_byte & 0b10000000) == 0b10000000
+          length = second_byte & 0b01111111
+
+          raise(NewRelic::Security::WebSocket::Error::Frame::ControlFramePayloadTooLong) if length > 125 && control_frame?(frame_type)
+
+          header_length, payload_length = decode_payload_length(length)
+
+          [header_length, payload_length, mask]
+        end
+
+        def decode_payload_length(length)
+          case length
+          when 127 # Length defined by 8 bytes
+            # Check buffer size
+            return unless buffer_exists?(10) # Buffer incomplete
+
+            # Only using the last 4 bytes for now, till I work out how to
+            # unpack 8 bytes. I'm sure 4GB frames will do for now :)
+            [10, @frame.data.getbytes(6, 4).unpack('N').first]
+          when 126 # Length defined by 2 bytes
+            # Check buffer size
+            return unless buffer_exists?(4) # Buffer incomplete
+
+            [4, @frame.data.getbytes(2, 2).unpack('n').first]
+          else
+            [2, length]
+          end
+        end
+
+        def decode_payload(payload_length, mask)
+          pointer = 0
+
+          # Read application data (unmasked if required)
+          @frame.data.set_mask if mask
+          pointer += 4 if mask
+          payload = @frame.data.getbytes(pointer, payload_length)
+          payload.force_encoding('UTF-8')
+          pointer += payload_length
+          @frame.data.unset_mask if mask
+
+          # Throw away data up to pointer
+          @frame.data.slice!(0...pointer)
+
+          payload
+        end
+
+        def decode_continuation_frame(application_data, frame_type)
+          @application_data_buffer ||= String.new('')
+          @application_data_buffer << application_data
+          @frame_type ||= frame_type
+        end
+
+        def decode_finish_continuation_frame(application_data)
+          raise(NewRelic::Security::WebSocket::Error::Frame::UnexpectedContinuationFrame) unless @frame_type
+          @application_data_buffer << application_data
+          # Test valid UTF-8 encoding
+          raise(NewRelic::Security::WebSocket::Error::Frame::InvalidPayloadEncoding) if @frame_type == :text && !@application_data_buffer.valid_encoding?
+          message = @frame.class.new(version: @frame.version, type: @frame_type, data: @application_data_buffer, decoded: true)
+          @application_data_buffer = nil
+          @frame_type = nil
+          message
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/handler04.rb

@@ -0,0 +1,18 @@
+# encoding: binary
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Frame
+    module Handler
+      class Handler04 < Handler03
+        private
+
+        # The only difference between draft 03 framing and draft 04 framing is
+        # that the MORE bit has been changed to a FIN bit
+        def fin
+          true
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/handler05.rb

@@ -0,0 +1,15 @@
+# encoding: binary
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Frame
+    module Handler
+      class Handler05 < Handler04
+        # Since handler 5 masking should be enabled by default
+        def masking?
+          true
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/frame/handler/handler07.rb

@@ -0,0 +1,78 @@
+# encoding: binary
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Frame
+    module Handler
+      class Handler07 < Handler05
+        # Hash of frame names and it's opcodes
+        FRAME_TYPES = {
+          continuation: 0,
+          text: 1,
+          binary: 2,
+          close: 8,
+          ping: 9,
+          pong: 10
+        }.freeze
+
+        # Hash of frame opcodes and it's names
+        FRAME_TYPES_INVERSE = FRAME_TYPES.invert.freeze
+
+        def encode_frame
+          if @frame.type == :close
+            code = @frame.code || 1000
+            raise NewRelic::Security::WebSocket::Error::Frame::UnknownCloseCode unless valid_code?(code)
+            @frame.data = Data.new([code].pack('n') + @frame.data.to_s)
+            @frame.code = nil
+          end
+          super
+        end
+
+        def decode_frame
+          result = super
+          if close_code?(result)
+            code = result.data.slice!(0..1)
+            result.code = code.unpack('n').first
+            raise NewRelic::Security::WebSocket::Error::Frame::UnknownCloseCode unless valid_code?(result.code)
+            raise NewRelic::Security::WebSocket::Error::Frame::InvalidPayloadEncoding unless valid_encoding?(result.data)
+          end
+          result
+        end
+
+        private
+
+        def valid_code?(code)
+          [1000, 1001, 1002, 1003, 1007, 1008, 1009, 1010, 1011].include?(code) || (3000..4999).cover?(code)
+        end
+
+        def valid_encoding?(data)
+          return true if data.nil?
+          data.encode('UTF-8')
+          true
+        rescue StandardError
+          false
+        end
+
+        def close_code?(frame)
+          frame && frame.type == :close && !frame.data.empty?
+        end
+
+        # Convert frame type name to opcode
+        # @param [Symbol] frame_type Frame type name
+        # @return [Integer] opcode or nil
+        # @raise [NewRelic::Security::WebSocket::Error] if frame opcode is not known
+        def type_to_opcode(frame_type)
+          FRAME_TYPES[frame_type] || raise(NewRelic::Security::WebSocket::Error::Frame::UnknownFrameType)
+        end
+
+        # Convert frame opcode to type name
+        # @param [Integer] opcode Opcode
+        # @return [Symbol] Frame type name or nil
+        # @raise [NewRelic::Security::WebSocket::Error] if frame type name is not known
+        def opcode_to_type(opcode)
+          FRAME_TYPES_INVERSE[opcode] || raise(NewRelic::Security::WebSocket::Error::Frame::UnknownOpcode)
+        end
+      end
+    end
+  end
+end