newrelic_security 0.1.0

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/client04.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require 'digest/sha1'
+require 'base64'
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    module Handler
+      class Client04 < Client
+        # @see NewRelic::Security::WebSocket::Handshake::Base#valid?
+        def valid?
+          super && verify_accept && verify_protocol
+        end
+
+        private
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#handshake_keys
+        def handshake_keys
+          keys = [
+            %w[Upgrade websocket],
+            %w[Connection Upgrade]
+          ]
+          host = @handshake.host
+          host += ":#{@handshake.port}" unless @handshake.default_port?
+          keys << ['Host', host]
+          keys += super
+          keys << ['Sec-WebSocket-Origin', @handshake.origin] if @handshake.origin
+          keys << ['Sec-WebSocket-Version', @handshake.version]
+          keys << ['Sec-WebSocket-Key', key]
+          keys << ['Sec-WebSocket-Protocol', @handshake.protocols.join(', ')] if @handshake.protocols.any?
+          keys
+        end
+
+        # Sec-WebSocket-Key value
+        # @return [String] key
+        def key
+          @key ||= Base64.encode64((1..16).map { rand(255).chr } * '').strip
+        end
+
+        # Value of Sec-WebSocket-Accept that should be delivered back by server
+        # @return [Sering] accept
+        def accept
+          @accept ||= Base64.encode64(Digest::SHA1.digest(key + '258EAFA5-E914-47DA-95CA-C5AB0DC85B11')).strip
+        end
+
+        # Verify if received header Sec-WebSocket-Accept matches generated one.
+        # @return [Boolean] True if accept is matching. False otherwise(appropriate error is set)
+        def verify_accept
+          raise NewRelic::Security::WebSocket::Error::Handshake::InvalidAuthentication unless @handshake.headers['sec-websocket-accept'] == accept
+          true
+        end
+
+        def supported_protocols
+          @handshake.protocols
+        end
+
+        def provided_protocols
+          @handshake.headers['sec-websocket-protocol'].to_s.split(/ *, */)
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/client11.rb

@@ -0,0 +1,22 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    module Handler
+      class Client11 < Client04
+        private
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#handshake_keys
+        def handshake_keys
+          super.collect do |key_pair|
+            if key_pair[0] == 'Sec-WebSocket-Origin'
+              ['Origin', key_pair[1]]
+            else
+              key_pair
+            end
+          end
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/client75.rb

@@ -0,0 +1,39 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    module Handler
+      class Client75 < Client
+        # @see NewRelic::Security::WebSocket::Handshake::Base#valid?
+        def valid?
+          super && verify_protocol
+        end
+
+        private
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#handshake_keys
+        def handshake_keys
+          keys = [
+            %w[Upgrade WebSocket],
+            %w[Connection Upgrade]
+          ]
+          host = @handshake.host
+          host += ":#{@handshake.port}" unless @handshake.default_port?
+          keys << ['Host', host]
+          keys << ['Origin', @handshake.origin] if @handshake.origin
+          keys << ['WebSocket-Protocol', @handshake.protocols.first] if @handshake.protocols.any?
+          keys += super
+          keys
+        end
+
+        def supported_protocols
+          Array(@handshake.protocols.first)
+        end
+
+        def provided_protocols
+          Array(@handshake.headers['websocket-protocol'].to_s.strip)
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/client76.rb

@@ -0,0 +1,105 @@
+# frozen_string_literal: true
+
+require 'digest/md5'
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    module Handler
+      class Client76 < Client75
+        # @see NewRelic::Security::WebSocket::Handshake::Base#valid?
+        def valid?
+          super && verify_challenge && verify_protocol
+        end
+
+        private
+
+        # @see NewRelic::Security::WebSocket::Handshake::Base#reserved_leftover_lines
+        def reserved_leftover_lines
+          1
+        end
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#handshake_keys
+        def handshake_keys
+          keys = super
+          keys << ['Sec-WebSocket-Key1', key1]
+          keys << ['Sec-WebSocket-Key2', key2]
+          keys
+        end
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#finishing_line
+        def finishing_line
+          key3
+        end
+
+        # Sec-WebSocket-Key1 value
+        # @return [String] key
+        def key1
+          @key1 ||= generate_key(:key1)
+        end
+
+        # Sec-WebSocket-Key2 value
+        # @return [String] key
+        def key2
+          @key2 ||= generate_key(:key2)
+        end
+
+        # Value of third key, sent in body
+        # @return [String] key
+        def key3
+          @key3 ||= generate_key3
+        end
+
+        # Expected challenge that should be sent by server
+        # @return [String] challenge
+        def challenge
+          return @challenge if defined?(@challenge)
+          key1 && key2
+          sum = [@key1_number].pack('N*') +
+                [@key2_number].pack('N*') +
+                key3
+
+          @challenge = Digest::MD5.digest(sum).strip
+        end
+
+        # Verify if challenge sent by server match generated one
+        # @return [Boolena] True if challenge matches, false otherwise(sets appropriate error)
+        def verify_challenge
+          raise NewRelic::Security::WebSocket::Error::Handshake::InvalidAuthentication unless @handshake.leftovers == challenge
+          true
+        end
+
+        NOISE_CHARS = ("\x21".."\x2f").to_a + ("\x3a".."\x7e").to_a
+
+        # Generate Sec-WebSocket-Key1 and Sec-WebSocket-Key2
+        # @param key [String] name of key. Will be used to set number variable needed later. Valid values: key1, key2
+        # @return [String] generated key
+        def generate_key(key)
+          spaces = rand(1..12)
+          max = 0xffffffff / spaces
+          number = rand(max + 1)
+          instance_variable_set("@#{key}_number", number)
+          key = (number * spaces).to_s
+          rand(1..12).times do
+            char = NOISE_CHARS[rand(NOISE_CHARS.size)]
+            pos = rand(key.size + 1)
+            key[pos...pos] = char
+          end
+          spaces.times do
+            pos = 1 + rand(key.size - 1)
+            key[pos...pos] = ' '
+          end
+          key
+        end
+
+        # Generate third key
+        def generate_key3
+          [rand(0x100000000)].pack('N') + [rand(0x100000000)].pack('N')
+        end
+
+        def provided_protocols
+          Array(@handshake.headers['sec-websocket-protocol'].to_s.strip)
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/server.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    module Handler
+      class Server < Base
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/server04.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+require 'digest/sha1'
+require 'base64'
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    module Handler
+      class Server04 < Server
+        # @see NewRelic::Security::WebSocket::Handshake::Base#valid?
+        def valid?
+          super && verify_key
+        end
+
+        private
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#header_line
+        def header_line
+          'HTTP/1.1 101 Switching Protocols'
+        end
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#handshake_keys
+        def handshake_keys
+          [
+            %w[Upgrade websocket],
+            %w[Connection Upgrade],
+            ['Sec-WebSocket-Accept', signature]
+          ] + protocol
+        end
+
+        # Signature of response, created from client request Sec-WebSocket-Key
+        # @return [String] signature
+        def signature
+          return unless key
+          string_to_sign = "#{key}258EAFA5-E914-47DA-95CA-C5AB0DC85B11"
+          Base64.encode64(Digest::SHA1.digest(string_to_sign)).chomp
+        end
+
+        def verify_key
+          raise NewRelic::Security::WebSocket::Error::Handshake::InvalidAuthentication unless key
+          true
+        end
+
+        def key
+          @handshake.headers['sec-websocket-key']
+        end
+
+        def protocol
+          return [] unless @handshake.headers.key?('sec-websocket-protocol')
+          protos = @handshake.headers['sec-websocket-protocol'].split(/ *, */) & @handshake.protocols
+          [['Sec-WebSocket-Protocol', protos.first]]
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/server75.rb

@@ -0,0 +1,40 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    module Handler
+      class Server75 < Server
+        private
+
+        def headers
+          {
+            origin: 'WebSocket-Origin',
+            location: 'WebSocket-Location',
+            protocol: 'WebSocket-Protocol'
+          }.freeze
+        end
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#header_line
+        def header_line
+          'HTTP/1.1 101 Web Socket Protocol Handshake'
+        end
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#handshake_keys
+        def handshake_keys
+          [
+            %w[Upgrade WebSocket],
+            %w[Connection Upgrade],
+            [headers[:origin], @handshake.headers['origin']],
+            [headers[:location], @handshake.uri]
+          ] + protocol
+        end
+
+        def protocol
+          return [] unless @handshake.headers.key?(headers[:protocol].downcase)
+          proto = @handshake.headers[headers[:protocol].downcase]
+          [[headers[:protocol], @handshake.protocols.include?(proto) ? proto : nil]]
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler/server76.rb

@@ -0,0 +1,75 @@
+# frozen_string_literal: true
+
+require 'digest/md5'
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    module Handler
+      class Server76 < Server75
+        # @see NewRelic::Security::WebSocket::Handshake::Base#valid?
+        def valid?
+          super && !finishing_line.nil?
+        end
+
+        private
+
+        def headers
+          {
+            origin: 'Sec-WebSocket-Origin',
+            location: 'Sec-WebSocket-Location',
+            protocol: 'Sec-WebSocket-Protocol'
+          }.freeze
+        end
+
+        # @see NewRelic::Security::WebSocket::Handshake::Base#reserved_leftover_lines
+        def reserved_leftover_lines
+          1
+        end
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#header_line
+        def header_line
+          'HTTP/1.1 101 WebSocket Protocol Handshake'
+        end
+
+        # @see NewRelic::Security::WebSocket::Handshake::Handler::Base#finishing_line
+        def finishing_line
+          @finishing_line ||= challenge_response
+        end
+
+        # Response to client challenge from request Sec-WebSocket-Key1, Sec-WebSocket-Key2 and leftovers
+        # @return [String] Challenge response or nil if error occured
+        def challenge_response
+          # Refer to 5.2 4-9 of the draft 76
+          first = numbers_over_spaces(@handshake.headers['sec-websocket-key1'].to_s)
+          second = numbers_over_spaces(@handshake.headers['sec-websocket-key2'].to_s)
+          third = @handshake.leftovers
+
+          sum = [first].pack('N*') +
+                [second].pack('N*') +
+                third
+          Digest::MD5.digest(sum)
+        end
+
+        # Calculate numbers over spaces, according to spec 5.2
+        # @param [String] string Key to parse
+        # @return [Integer] Result of calculations or nil if error occured
+        def numbers_over_spaces(string)
+          numbers = string.scan(/[0-9]/).join.to_i
+
+          spaces = string.scan(/ /).size
+          # As per 5.2.5, abort the connection if spaces are zero.
+          raise NewRelic::Security::WebSocket::Error::Handshake::InvalidAuthentication if spaces.zero?
+
+          # As per 5.2.6, abort if numbers is not an integral multiple of spaces
+          raise NewRelic::Security::WebSocket::Error::Handshake::InvalidAuthentication if numbers % spaces != 0
+
+          quotient = numbers / spaces
+
+          raise NewRelic::Security::WebSocket::Error::Handshake::InvalidAuthentication if quotient > 2**32 - 1
+
+          quotient
+        end
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/handler.rb

@@ -0,0 +1,21 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    module Handler
+      autoload :Base,     "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/base"
+
+      autoload :Client,   "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/client"
+      autoload :Client01, "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/client01"
+      autoload :Client04, "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/client04"
+      autoload :Client11, "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/client11"
+      autoload :Client75, "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/client75"
+      autoload :Client76, "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/client76"
+
+      autoload :Server,   "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/server"
+      autoload :Server04, "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/server04"
+      autoload :Server75, "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/server75"
+      autoload :Server76, "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler/server76"
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake/server.rb

@@ -0,0 +1,179 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    # Construct or parse a server WebSocket handshake.
+    #
+    # @example
+    #   handshake = NewRelic::Security::WebSocket::Handshake::Server.new
+    #
+    #   # Parse client request
+    #   @handshake << <<EOF
+    #   GET /demo HTTP/1.1\r
+    #   Upgrade: websocket\r
+    #   Connection: Upgrade\r
+    #   Host: example.com\r
+    #   Origin: http://example.com\r
+    #   Sec-WebSocket-Version: 13\r
+    #   Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==\r
+    #   \r
+    #   EOF
+    #
+    #   # All data received?
+    #   @handshake.finished?
+    #
+    #   # No parsing errors?
+    #   @handshake.valid?
+    #
+    #   # Create response
+    #   @handshake.to_s # HTTP/1.1 101 Switching Protocols
+    #                   # Upgrade: websocket
+    #                   # Connection: Upgrade
+    #                   # Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=
+    #
+    class Server < Base
+      # Initialize new WebSocket Server
+      #
+      # @param [Hash] args Arguments for server
+      #
+      # @option args [Boolean] :secure If true then server will use wss:// protocol
+      # @option args [Array<String>] :protocols an array of supported sub-protocols
+      #
+      # @example
+      #   Websocket::Handshake::Server.new(secure: true)
+      def initialize(args = {})
+        super
+        @secure ||= false
+      end
+
+      # Add text of request from Client. This method will parse content immediately and update version, state and error(if neccessary)
+      #
+      # @param [String] data Data to add
+      #
+      # @example
+      #   @handshake << <<EOF
+      #   GET /demo HTTP/1.1
+      #   Upgrade: websocket
+      #   Connection: Upgrade
+      #   Host: example.com
+      #   Origin: http://example.com
+      #   Sec-WebSocket-Version: 13
+      #   Sec-WebSocket-Key: dGhlIHNhbXBsZSBub25jZQ==
+      #
+      #   EOF
+      def <<(data)
+        super
+        set_version if parse_data
+      end
+      rescue_method :<<
+
+      # Parse the request from a rack environment
+      # @param env Rack Environment
+      #
+      # @example
+      #   @handshake.from_rack(env)
+      def from_rack(env)
+        @headers = env.select { |key, _value| key.to_s.start_with? 'HTTP_' }.each_with_object({}) do |tuple, memo|
+          key, value = tuple
+          memo[key.gsub(/\AHTTP_/, '').tr('_', '-').downcase] = value
+        end
+
+        @path      = env['REQUEST_PATH']
+        @query     = env['QUERY_STRING']
+
+        set_version
+
+        # Passenger is blocking on read
+        # Unicorn doesn't support readpartial
+        # Maybe someone is providing even plain string?
+        # Better safe than sorry...
+        if @version == 76
+          input = env['rack.input']
+          @leftovers = if input.respond_to?(:readpartial)
+                         input.readpartial
+                       elsif input.respond_to?(:read)
+                         input.read
+                       else
+                         input.to_s
+                       end
+        end
+
+        @state = :finished
+      end
+
+      # Parse the request from hash
+      # @param hash Hash to import data
+      # @option hash [Hash] :headers HTTP headers of request, downcased
+      # @option hash [String] :path Path for request(without host and query string)
+      # @option hash [String] :query Query string for request
+      # @option hash [String] :body Body of request(if exists)
+      #
+      # @example
+      #   @handshake.from_hash(hash)
+      def from_hash(hash)
+        @headers = hash[:headers] || {}
+        @path = hash[:path] || '/'
+        @query = hash[:query] || ''
+        @leftovers = hash[:body]
+
+        set_version
+        @state = :finished
+      end
+
+      # Should send content to client after finished parsing?
+      # @return [Boolean] true
+      def should_respond?
+        true
+      end
+
+      # Host of server according to client header
+      # @return [String] host
+      def host
+        @host || @headers['host'].to_s.split(':')[0].to_s
+      end
+
+      # Port of server according to client header
+      # @return [Integer] port
+      def port
+        (@port || @headers['host'].to_s.split(':')[1] || default_port).to_i
+      end
+
+      private
+
+      # Set version of protocol basing on client requets. AFter cotting method calls include_version.
+      def set_version
+        @version = @headers['sec-websocket-version'].to_i if @headers['sec-websocket-version']
+        @version ||= @headers['sec-websocket-draft'].to_i if @headers['sec-websocket-draft']
+        @version ||= 76 if @headers['sec-websocket-key1']
+        @version ||= 75
+        include_version
+      end
+
+      # Include set of methods for selected protocol version
+      # @return [Boolean] false if protocol number is unknown, otherwise true
+      def include_version
+        @handler = case @version
+                   when 75 then Handler::Server75.new(self)
+                   when 76, 0..3 then Handler::Server76.new(self)
+                   when 4..17 then Handler::Server04.new(self)
+                   else raise NewRelic::Security::WebSocket::Error::Handshake::UnknownVersion
+                   end
+      end
+
+      PATH = %r{^(\w+) (\/[^\s]*) HTTP\/1\.1$}
+
+      # Parse first line of Client response.
+      # @param [String] line Line to parse
+      # @return [Boolean] True if parsed correctly. False otherwise
+      def parse_first_line(line)
+        line_parts = line.match(PATH)
+        raise NewRelic::Security::WebSocket::Error::Handshake::InvalidHeader unless line_parts
+        method = line_parts[1].strip
+        raise NewRelic::Security::WebSocket::Error::Handshake::GetRequestRequired unless method == 'GET'
+
+        resource_name = line_parts[2].strip
+        @path, @query = resource_name.split('?', 2)
+      end
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/handshake.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module Handshake
+    autoload :Base,    "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/base"
+    autoload :Client,  "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/client"
+    autoload :Handler, "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/handler"
+    autoload :Server,  "#{NewRelic::Security::WebSocket::ROOT}/websocket/handshake/server"
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/nice_inspect.rb

@@ -0,0 +1,12 @@
+# frozen_string_literal: true
+
+module NewRelic::Security::WebSocket
+  module NiceInspect
+    # Recreate inspect as #to_s will be overwritten
+    def inspect
+      vars = instance_variables.map { |v| "#{v}=#{instance_variable_get(v).inspect}" }.join(', ')
+      insp = Kernel.format("#{self.class}:0x%08x", __id__)
+      "<#{insp} #{vars}>"
+    end
+  end
+end

data/lib/newrelic_security/websocket-client-simple/websocket-ruby/lib/websocket/version.rb

@@ -0,0 +1,5 @@
+# frozen_string_literal: true
+
+module WebSocket
+  VERSION = '1.2.9'.freeze
+end