oversip 0.9.0

data/lib/oversip/websocket/listeners/ipv4_tcp_server.rb

@@ -0,0 +1,15 @@
+module OverSIP::WebSocket
+
+  class IPv4TcpServer < TcpServer
+
+    @ip_type = :ipv4
+    @transport = :tcp
+
+    LOG_ID = "WS TCP IPv4 server"
+    def log_id
+      LOG_ID
+    end
+
+  end
+
+end

data/lib/oversip/websocket/listeners/ipv4_tls_server.rb

@@ -0,0 +1,15 @@
+module OverSIP::WebSocket
+
+  class IPv4TlsServer < TlsServer
+
+    @ip_type = :ipv4
+    @transport = :tls
+
+    LOG_ID = "WS TLS IPv4 server"
+    def log_id
+      LOG_ID
+    end
+
+  end
+
+end

data/lib/oversip/websocket/listeners/ipv4_tls_tunnel_server.rb

@@ -0,0 +1,15 @@
+module OverSIP::WebSocket
+
+  class IPv4TlsTunnelServer < TlsTunnelServer
+
+    @ip_type = :ipv4
+    @transport = :tls
+
+    LOG_ID = "WS TLS-Tunnel IPv4 server"
+    def log_id
+      LOG_ID
+    end
+
+  end
+
+end

data/lib/oversip/websocket/listeners/ipv6_tcp_server.rb

@@ -0,0 +1,15 @@
+module OverSIP::WebSocket
+
+  class IPv6TcpServer < TcpServer
+
+    @ip_type = :ipv6
+    @transport = :tcp
+
+    LOG_ID = "WS TCP IPv6 server"
+    def log_id
+      LOG_ID
+    end
+
+  end
+
+end

data/lib/oversip/websocket/listeners/ipv6_tls_server.rb

@@ -0,0 +1,15 @@
+module OverSIP::WebSocket
+
+  class IPv6TlsServer < TlsServer
+
+    @ip_type = :ipv6
+    @transport = :tls
+
+    LOG_ID = "WS TLS IPv6 server"
+    def log_id
+      LOG_ID
+    end
+
+  end
+
+end

data/lib/oversip/websocket/listeners/ipv6_tls_tunnel_server.rb

@@ -0,0 +1,15 @@
+module OverSIP::WebSocket
+
+  class IPv6TlsTunnelServer < TlsTunnelServer
+
+    @ip_type = :ipv6
+    @transport = :tls
+
+    LOG_ID = "WS TLS-Tunnel IPv6 server"
+    def log_id
+      LOG_ID
+    end
+
+  end
+
+end

data/lib/oversip/websocket/listeners/tcp_server.rb

@@ -0,0 +1,265 @@
+module OverSIP::WebSocket
+
+  class TcpServer < ::EM::Connection
+
+    include ::OverSIP::Logger
+    include ::OverSIP::WebSocket::DefaultPolicy
+    include ::OverSIP::WebSocket::Policy  rescue nil  # As it could not exist (i.e. the user deleted the file).
+
+    # Max size (bytes) of the buffered data when receiving message headers
+    # (avoid DoS attacks).
+    HEADERS_MAX_SIZE = 2048
+
+    WS_MAGIC_GUID_04 = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11".freeze
+    WS_VERSIONS = { 7=>true, 8=>true, 13=>true }
+    HDR_SUPPORTED_WEBSOCKET_VERSIONS = [ "X-Supported-WebSocket-Versions: #{WS_VERSIONS.keys.join(", ")}" ]
+
+
+    class << self
+      attr_accessor :ip_type, :transport
+    end
+
+    attr_accessor :ws_protocol, :ws_app_klass
+    attr_reader :connection_log_id, :remote_ip_type, :remote_ip, :remote_port
+
+
+    def initialize
+      @http_parser = ::OverSIP::WebSocket::HttpRequestParser.new
+      @buffer = ::IO::Buffer.new
+      @state = :init
+    end
+
+
+    def post_connection
+      begin
+        @remote_port, @remote_ip = ::Socket.unpack_sockaddr_in(get_peername)
+      rescue => e
+        log_system_error "error obtaining remote IP/port (#{e.class}: #{e.message}), closing connection"
+        close_connection
+        @state = :ignore
+        return
+      end
+      @connection_log_id = ::SecureRandom.hex(4)
+
+      log_system_info "connection opened from " << remote_desc
+    end
+
+
+    def remote_desc force=nil
+      if force
+        @remote_desc = case @remote_ip_type
+          when :ipv4  ; "#{@remote_ip}:#{@remote_port.to_s}"
+          when :ipv6  ; "[#{@remote_ip}]:#{@remote_port.to_s}"
+          end
+      else
+        @remote_desc ||= case self.class.ip_type
+          when :ipv4  ; "#{@remote_ip}:#{@remote_port.to_s}"
+          when :ipv6  ; "[#{@remote_ip}]:#{@remote_port.to_s}"
+          end
+      end
+    end
+
+
+    def unbind cause=nil
+      @local_closed = true  if cause == ::Errno::ETIMEDOUT
+
+      log_msg = "connection from #{remote_desc} "
+      log_msg << ( @local_closed ? "locally closed" : "remotely closed" )
+      log_msg << " (cause: #{cause.inspect})"  if cause
+      log_system_debug log_msg  if $oversip_debug
+
+      @ws_framing.tcp_closed  if @ws_framing
+    end
+
+
+    def receive_data data
+      @state == :ignore and return
+      @buffer << data
+
+      while (case @state
+        when :init
+          @http_request = ::OverSIP::WebSocket::HttpRequest.new
+          @http_parser.reset
+          @http_parser_nbytes = 0
+          @bytes_remaining = 0
+          @state = :http_headers
+
+        when :http_headers
+          parse_http_headers
+
+        when :check_http_request
+          check_http_request
+
+        when :accept_ws_handshake
+          accept_ws_handshake
+
+        when :websocket_frames
+          return false  if @buffer.size.zero?
+
+          @ws_framing.receive_data
+          false
+
+        when :ignore
+          false
+        end)
+      end  # while
+
+    end
+
+
+    def parse_http_headers
+      return false if @buffer.empty?
+
+      # Parse the currently buffered data. If parsing fails @http_parser_nbytes gets nil value.
+      unless @http_parser_nbytes = @http_parser.execute(@http_request, @buffer.to_str, @http_parser_nbytes)
+        log_system_warn "parsing error: \"#{@http_parser.error}\""
+        close_connection_after_writing
+        @state = :ignore
+        return false
+      end
+
+      # Avoid flood attacks in TCP (very long headers).
+      if @http_parser_nbytes > HEADERS_MAX_SIZE
+        log_system_warn "DoS attack detected: headers size exceedes #{HEADERS_MAX_SIZE} bytes, closing connection with #{remote_desc}"
+        close_connection
+        @state = :ignore
+        return false
+      end
+
+      return false  unless @http_parser.finished?
+
+      # Clear parsed data from the buffer.
+      @buffer.read(@http_parser_nbytes)
+
+      @http_request.connection = self
+      @http_request.transport = self.class.transport
+      @http_request.source_ip = @remote_ip
+      @http_request.source_port = @remote_port
+      @http_request.source_ip_type = @remote_ip_type ||= self.class.ip_type
+
+      @state = :check_http_request
+      true
+    end  # parse_headers
+
+
+    def check_http_request
+
+      # HTTP method must be GET.
+      if @http_request.http_method != :GET
+        log_system_notice "rejecting HTTP #{@http_request.http_method} request => 405"
+        http_reject 405
+        return false
+      end
+
+      # "Sec-WebSocket-Version" must be 8.
+      unless WS_VERSIONS[@http_request.hdr_sec_websocket_version]
+        if @http_request.hdr_sec_websocket_version
+          log_system_notice "WebSocket version #{@http_request.hdr_sec_websocket_version} not implemented => 426"
+        else
+          log_system_notice "WebSocket version header not present => 426"
+        end
+        http_reject 426, nil, HDR_SUPPORTED_WEBSOCKET_VERSIONS
+        return false
+      end
+
+      # Connection header must include "upgrade".
+      unless @http_request.hdr_connection and @http_request.hdr_connection.include? "upgrade"
+        log_system_notice "Connection header must include \"upgrade\" => 400"
+        http_reject 400, "Connection header must include \"upgrade\""
+        return false
+      end
+
+      # "Upgrade: websocket" is required.
+      unless @http_request.hdr_upgrade == "websocket"
+        log_system_notice "Upgrade header must be \"websocket\" => 400"
+        http_reject 400, "Upgrade header must be \"websocket\""
+        return false
+      end
+
+      # Sec-WebSocket-Key is required.
+      unless @http_request.hdr_sec_websocket_key
+        log_system_notice "Sec-WebSocket-Key header not present => 400"
+        http_reject 400, "Sec-WebSocket-Key header not present"
+        return false
+      end
+
+      # Check Sec-WebSocket-Protocol.
+      if @http_request.hdr_sec_websocket_protocol
+        if @http_request.hdr_sec_websocket_protocol.include? @ws_protocol
+          @websocket_protocol_negotiated = true
+        else
+          log_system_notice "Sec-WebSocket-Protocol does not contain a supported protocol but #{@http_request.hdr_sec_websocket_protocol} => 501"
+          http_reject 501, "No Suitable WebSocket Protocol"
+          return false
+        end
+      end
+
+      # Check WebSocket policy.
+
+      unless check_hostport(@http_request.host, @http_request.port)
+        log_system_notice "host/port policy not satisfied (host=#{@http_request.host.inspect}, port=#{@http_request.port.inspect}) => 403"
+        http_reject 403, "request host/port not satisfied"
+        return false
+      end
+
+      unless check_origin(@http_request.hdr_origin)
+        log_system_notice "'Origin' policy not satisfied (origin=#{@http_request.hdr_origin.inspect}) => 403"
+        http_reject 403, "request 'Origin' not satisfied"
+        return false
+      end
+
+      unless check_request_uri(@http_request.uri_path, @http_request.uri_query)
+        log_system_notice "request URI path/query not satisfied (path=#{@http_request.uri_path.inspect}, query=#{@http_request.uri_query.inspect}) => 403"
+        http_reject 403, "request URI path/query not satisfied"
+        return false
+      end
+
+      @state = :accept_ws_handshake
+      true
+    end
+
+
+    def accept_ws_handshake
+      sec_websocket_accept = Digest::SHA1::base64digest @http_request.hdr_sec_websocket_key + WS_MAGIC_GUID_04
+
+      extra_headers = [
+        "Upgrade: websocket",
+        "Connection: Upgrade",
+        "Sec-WebSocket-Accept: #{sec_websocket_accept}"
+      ]
+
+      if @websocket_protocol_negotiated
+        extra_headers << "Sec-WebSocket-Protocol: #{@ws_protocol}"
+      end
+
+      if @websocket_extensions
+        extra_headers << "Sec-WebSocket-Extensions: #{@websocket_extensions.to_s}"
+      end
+
+      @http_request.reply 101, nil, extra_headers
+
+      # Set the WS framming layer and WS application layer.
+      @ws_framing = ::OverSIP::WebSocket::WsFraming.new(self, @buffer)
+      @ws_framing.ws_app = @ws_app_klass.new(self, @ws_framing)
+
+      @state = :websocket_frames
+      true
+    end
+
+
+    def http_reject status_code, reason_phrase=nil, extra_headers=nil
+      @http_request.reply(status_code, reason_phrase, extra_headers)
+      close_connection_after_writing
+      @state = :ignore
+    end
+
+
+    def ignore_incoming_data
+      @state = :ignore  # The WS application needs to set the connection in :ignore state
+                        # after sending a close frame to the client.
+    end
+
+  end  # class TcpServer
+
+end
+

data/lib/oversip/websocket/listeners/tls_server.rb

@@ -0,0 +1,69 @@
+module OverSIP::WebSocket
+
+  class TlsServer < TcpServer
+
+    TLS_HANDSHAKE_MAX_TIME = 8
+
+
+    def post_init
+      @client_pems = []
+      @client_last_pem = false
+
+      start_tls({
+        :verify_peer => true,
+        :cert_chain_file => ::OverSIP.tls_public_cert,
+        :private_key_file => ::OverSIP.tls_private_cert
+      })
+
+      # If the remote client does never send us a TLS certificate
+      # after the TCP connection we would leak by storing more and
+      # more messages in @pending_messages array.
+      @timer_tls_handshake = ::EM::Timer.new(TLS_HANDSHAKE_MAX_TIME) do
+        unless @connected
+          log_system_notice "TLS handshake not performed within #{TLS_HANDSHAKE_MAX_TIME} seconds, closing the connection"
+          close_connection
+        end
+      end
+    end
+
+
+    def ssl_verify_peer pem
+      # TODO: Dirty workaround for bug https://github.com/eventmachine/eventmachine/issues/194.
+      return true  if @client_last_pem == pem
+
+      @client_last_pem = pem
+      @client_pems << pem
+
+      log_system_debug "received certificate num #{@client_pems.size} from client"  if $oversip_debug
+
+      # Validation must be done in ssl_handshake_completed after receiving all the certs, so return true.
+      return true
+    end
+
+
+    def ssl_handshake_completed
+      log_system_info "TLS connection established from " << remote_desc
+
+      # TODO: What to do it falidation fails? always do validation?
+
+      validated, cert, tls_error, tls_error_string = ::OverSIP::TLS.validate @client_pems.pop, @client_pems
+      if validated
+        log_system_info "client provides a valid TLS certificate"
+      else
+        log_system_notice "client's TLS certificate validation failed (TLS error: #{tls_error.inspect}, description: #{tls_error_string.inspect})"
+      end
+
+      # @connected in TlsServer means "TLS connection" rather than
+      # just "TCP connection".
+      @connected = true
+      @timer_tls_handshake.cancel  if @timer_tls_handshake
+    end
+
+
+    def unbind cause=nil
+      super
+      @timer_tls_handshake.cancel  if @timer_tls_handshake
+    end
+
+  end
+end

data/lib/oversip/websocket/listeners/tls_tunnel_server.rb

@@ -0,0 +1,100 @@
+module OverSIP::WebSocket
+
+  class TlsTunnelServer < TcpServer
+
+    def initialize
+      @http_parser = ::OverSIP::WebSocket::HttpRequestParser.new
+      @buffer = ::IO::Buffer.new
+      @state = :init
+    end
+
+
+    def post_connection
+      begin
+        @remote_port, @remote_ip = ::Socket.unpack_sockaddr_in(get_peername)
+      rescue => e
+        log_system_error "error obtaining remote IP/port (#{e.class}: #{e.message}), closing connection"
+        close_connection
+        @state = :ignore
+        return
+      end
+      @connection_log_id = ::SecureRandom.hex(4)
+
+      log_system_info "connection from the TLS tunnel " << remote_desc
+    end
+
+
+    def receive_data data
+      @state == :ignore and return
+      @buffer << data
+
+      while (case @state
+        when :init
+          @http_request = ::OverSIP::WebSocket::HttpRequest.new
+          @http_parser.reset
+          @http_parser_nbytes = 0
+          @bytes_remaining = 0
+          # If it's a TCP connection from the TLS proxy then parse the HAProxy Protocol line
+          # if it's not yet done.
+          unless @haproxy_protocol_parsed
+            @state = :haproxy_protocol
+          else
+            @state = :http_headers
+          end
+
+        when :haproxy_protocol
+          parse_haproxy_protocol
+
+        when :http_headers
+          parse_http_headers
+
+        when :check_http_request
+          check_http_request
+
+        when :accept_ws_handshake
+          accept_ws_handshake
+
+        when :websocket_frames
+          return false  if @buffer.size.zero?
+
+          @ws_framing.receive_data
+          false
+
+        when :ignore
+          false
+        end)
+      end  # while
+
+    end
+
+
+    def parse_haproxy_protocol
+      if (haproxy_protocol_data = ::OverSIP::Utils.parse_haproxy_protocol(@buffer.to_str))
+        @haproxy_protocol_parsed = true
+
+        # Update connection information.
+        @remote_ip_type = haproxy_protocol_data[1]
+        @remote_ip = haproxy_protocol_data[2]
+        @remote_port = haproxy_protocol_data[3]
+
+        # Update log information.
+        remote_desc true
+
+        # Remove the HAProxy Protocol line from the received data.
+        @buffer.read haproxy_protocol_data[0]
+
+        @state = :http_headers
+
+      # If parsing fails then the TLS proxy has sent us a wrong HAProxy Protocol line ¿?
+      else
+        log_system_error "HAProxy Protocol parsing error, closing connection"
+        close_connection_after_writing
+        @state = :ignore
+        return false
+      end
+    end
+
+  end
+
+end
+

data/lib/oversip/websocket/listeners.rb

@@ -0,0 +1,12 @@
+# OverSIP files
+
+require "oversip/websocket/listeners/tcp_server"
+require "oversip/websocket/listeners/tls_server"
+require "oversip/websocket/listeners/tls_tunnel_server"
+
+require "oversip/websocket/listeners/ipv4_tcp_server"
+require "oversip/websocket/listeners/ipv6_tcp_server"
+require "oversip/websocket/listeners/ipv4_tls_server"
+require "oversip/websocket/listeners/ipv6_tls_server"
+require "oversip/websocket/listeners/ipv4_tls_tunnel_server"
+require "oversip/websocket/listeners/ipv6_tls_tunnel_server"

data/lib/oversip/websocket/ws_app.rb

@@ -0,0 +1,75 @@
+module OverSIP::WebSocket
+
+  class WsApp
+
+    include ::OverSIP::Logger
+
+
+    def self.class_init
+      @@max_message_size = ::OverSIP.configuration[:websocket][:max_ws_message_size]
+      @@ws_keepalive_interval = ::OverSIP.configuration[:websocket][:ws_keepalive_interval]
+    end
+
+
+    def initialize connection, ws_framing
+      @connection = connection
+      @ws_framing = ws_framing
+      @ws_message = ::IO::Buffer.new
+
+      # Mantain WebSocket keepalive.
+      @ws_framing.do_keep_alive @@ws_keepalive_interval  if @@ws_keepalive_interval
+    end
+
+
+    def close_connection status=nil, reason=nil
+      @ws_framing.send_close_frame status, reason
+    end
+
+
+    def receive_payload_data payload_data
+      # payload_data is always Encoding::BINARY so also @ws_message.to_str.
+      @ws_message << payload_data
+
+      # Check max message size.
+      if @ws_message.size > @@max_message_size
+        close_connection 1009, "message too big"
+        return false
+      end
+      true
+    end
+
+
+    def message_done type
+      log_system_debug "received WS message: length=#{@ws_message.size}"  if $oversip_debug
+
+      case type
+
+      when :text
+        ws_message = @ws_message.to_str.force_encoding ::Encoding::UTF_8
+        process_text_message ws_message
+
+      when :binary
+        process_binary_message @ws_message.to_str  # As IO::Buffer#to_str always generates Encoding::BINARY.
+      end
+
+      @ws_message.clear
+      true
+    end
+
+
+    def tcp_closed
+      nil
+    end
+
+
+    # Methods to be overriden by child classes.
+    def process_text_message ws_message
+    end
+
+    def process_binary_message ws_message
+    end
+
+
+  end  # WsApplication
+
+end

data/lib/oversip/websocket/ws_apps/ipv4_ws_sip_app.rb

@@ -0,0 +1,21 @@
+module OverSIP::WebSocket
+
+  class IPv4WsSipApp < WsSipApp
+
+    @ip_type = :ipv4
+    @transport = :ws
+    @connections = {}
+    @invite_server_transactions = {}
+    @non_invite_server_transactions = {}
+    @invite_client_transactions = {}
+    @non_invite_client_transactions = {}
+    @is_reliable_transport_listener = true
+
+    LOG_ID = "WS IPv4 SIP app"
+    def log_id
+      LOG_ID
+    end
+
+  end
+
+end

data/lib/oversip/websocket/ws_apps/ipv4_wss_sip_app.rb

@@ -0,0 +1,21 @@
+module OverSIP::WebSocket
+
+  class IPv4WssSipApp < WsSipApp
+
+    @ip_type = :ipv4
+    @transport = :wss
+    @connections = {}
+    @invite_server_transactions = {}
+    @non_invite_server_transactions = {}
+    @invite_client_transactions = {}
+    @non_invite_client_transactions = {}
+    @is_reliable_transport_listener = true
+
+    LOG_ID = "WSS IPv4 SIP app"
+    def log_id
+      LOG_ID
+    end
+
+  end
+
+end

data/lib/oversip/websocket/ws_apps/ipv6_ws_sip_app.rb

@@ -0,0 +1,21 @@
+module OverSIP::WebSocket
+
+  class IPv6WsSipApp < WsSipApp
+
+    @ip_type = :ipv6
+    @transport = :ws
+    @connections = {}
+    @invite_server_transactions = {}
+    @non_invite_server_transactions = {}
+    @invite_client_transactions = {}
+    @non_invite_client_transactions = {}
+    @is_reliable_transport_listener = true
+
+    LOG_ID = "WS IPv6 SIP app"
+    def log_id
+      LOG_ID
+    end
+
+  end
+
+end