puma 3.12.1 → 5.6.4

data/lib/puma/app/status.rb

@@ -1,73 +1,92 @@
+# frozen_string_literal: true
+require 'puma/json_serialization'
+
 module Puma
   module App
+    # Check out {#call}'s source code to see what actions this web application
+    # can respond to.
     class Status
-      def initialize(cli)
-        @cli = cli
-        @auth_token = nil
-      end
       OK_STATUS = '{ "status": "ok" }'.freeze
 
-      attr_accessor :auth_token
-
-      def authenticate(env)
-        return true unless @auth_token
-        env['QUERY_STRING'].to_s.split(/&;/).include?("token=#{@auth_token}")
-      end
-
-      def rack_response(status, body, content_type='application/json')
-        headers = {
-          'Content-Type' => content_type,
-          'Content-Length' => body.bytesize.to_s
-        }
-
-        [status, headers, [body]]
+      # @param launcher [::Puma::Launcher]
+      # @param token [String, nil] the token used for authentication
+      #
+      def initialize(launcher, token = nil)
+        @launcher = launcher
+        @auth_token = token
       end
 
+      # most commands call methods in `::Puma::Launcher` based on command in
+      # `env['PATH_INFO']`
       def call(env)
         unless authenticate(env)
           return rack_response(403, 'Invalid auth token', 'text/plain')
         end
 
-        case env['PATH_INFO']
-        when /\/stop$/
-          @cli.stop
-          return rack_response(200, OK_STATUS)
+        # resp_type is processed by following case statement, return
+        # is a number (status) or a string used as the body of a 200 response
+        resp_type =
+          case env['PATH_INFO'][/\/([^\/]+)$/, 1]
+          when 'stop'
+            @launcher.stop ; 200
 
-        when /\/halt$/
-          @cli.halt
-          return rack_response(200, OK_STATUS)
+          when 'halt'
+            @launcher.halt ; 200
 
-        when /\/restart$/
-          @cli.restart
-          return rack_response(200, OK_STATUS)
+          when 'restart'
+            @launcher.restart ; 200
 
-        when /\/phased-restart$/
-          if !@cli.phased_restart
-            return rack_response(404, '{ "error": "phased restart not available" }')
-          else
-            return rack_response(200, OK_STATUS)
-          end
+          when 'phased-restart'
+            @launcher.phased_restart ? 200 : 404
+
+          when 'reload-worker-directory'
+            @launcher.send(:reload_worker_directory) ? 200 : 404
+
+          when 'gc'
+            GC.start ; 200
+
+          when 'gc-stats'
+            Puma::JSONSerialization.generate GC.stat
+
+          when 'stats'
+            Puma::JSONSerialization.generate @launcher.stats
+
+          when 'thread-backtraces'
+            backtraces = []
+            @launcher.thread_status do |name, backtrace|
+              backtraces << { name: name, backtrace: backtrace }
+            end
+            Puma::JSONSerialization.generate backtraces
 
-        when /\/reload-worker-directory$/
-          if !@cli.send(:reload_worker_directory)
-            return rack_response(404, '{ "error": "reload_worker_directory not available" }')
           else
-            return rack_response(200, OK_STATUS)
+            return rack_response(404, "Unsupported action", 'text/plain')
           end
 
-        when /\/gc$/
-          GC.start
-          return rack_response(200, OK_STATUS)
+        case resp_type
+        when String
+          rack_response 200, resp_type
+        when 200
+          rack_response 200, OK_STATUS
+        when 404
+          str = env['PATH_INFO'][/\/(\S+)/, 1].tr '-', '_'
+          rack_response 404, "{ \"error\": \"#{str} not available\" }"
+        end
+      end
 
-        when /\/gc-stats$/
-          json = "{" + GC.stat.map { |k, v| "\"#{k}\": #{v}" }.join(",") + "}"
-          return rack_response(200, json)
+      private
 
-        when /\/stats$/
-          return rack_response(200, @cli.stats)
-        else
-          rack_response 404, "Unsupported action", 'text/plain'
-        end
+      def authenticate(env)
+        return true unless @auth_token
+        env['QUERY_STRING'].to_s.split(/&;/).include?("token=#{@auth_token}")
+      end
+
+      def rack_response(status, body, content_type='application/json')
+        headers = {
+          'Content-Type' => content_type,
+          'Content-Length' => body.bytesize.to_s
+        }
+
+        [status, headers, [body]]
       end
     end
   end

data/lib/puma/binder.rb

@@ -5,15 +5,32 @@ require 'socket'
 
 require 'puma/const'
 require 'puma/util'
+require 'puma/configuration'
 
 module Puma
+
+  if HAS_SSL
+    require 'puma/minissl'
+    require 'puma/minissl/context_builder'
+
+    # Odd bug in 'pure Ruby' nio4r version 2.5.2, which installs with Ruby 2.3.
+    # NIO doesn't create any OpenSSL objects, but it rescues an OpenSSL error.
+    # The bug was that it did not require openssl.
+    # @todo remove when Ruby 2.3 support is dropped
+    #
+    if windows? && RbConfig::CONFIG['ruby_version'] == '2.3.0'
+      require 'openssl'
+    end
+  end
+
   class Binder
     include Puma::Const
 
-    RACK_VERSION = [1,3].freeze
+    RACK_VERSION = [1,6].freeze
 
-    def initialize(events)
+    def initialize(events, conf = Configuration.new)
       @events = events
+      @conf = conf
       @listeners = []
       @inherited_fds = {}
       @activated_sockets = {}
@@ -22,9 +39,10 @@ module Puma
       @proto_env = {
         "rack.version".freeze => RACK_VERSION,
         "rack.errors".freeze => events.stderr,
-        "rack.multithread".freeze => true,
-        "rack.multiprocess".freeze => false,
+        "rack.multithread".freeze => conf.options[:max_threads] > 1,
+        "rack.multiprocess".freeze => conf.options[:workers] >= 1,
         "rack.run_once".freeze => false,
+        RACK_URL_SCHEME => conf.options[:rack_url_scheme],
         "SCRIPT_NAME".freeze => ENV['SCRIPT_NAME'] || "",
 
         # I'd like to set a default CONTENT_TYPE here but some things
@@ -40,9 +58,16 @@ module Puma
 
       @envs = {}
       @ios = []
+      localhost_authority
     end
 
-    attr_reader :listeners, :ios
+    attr_reader :ios
+
+    # @version 5.0.0
+    attr_reader :activated_sockets, :envs, :inherited_fds, :listeners, :proto_env, :unix_paths
+
+    # @version 5.0.0
+    attr_writer :ios, :listeners
 
     def env(sock)
       @envs.fetch(sock, @proto_env)
@@ -50,43 +75,84 @@ module Puma
 
     def close
       @ios.each { |i| i.close }
-      @unix_paths.each { |i| File.unlink i }
     end
 
-    def import_from_env
-      remove = []
-
-      ENV.each do |k,v|
-        if k =~ /PUMA_INHERIT_\d+/
-          fd, url = v.split(":", 2)
-          @inherited_fds[url] = fd.to_i
-          remove << k
-        elsif k == 'LISTEN_FDS' && ENV['LISTEN_PID'].to_i == $$
-          v.to_i.times do |num|
-            fd = num + 3
-            sock = TCPServer.for_fd(fd)
-            begin
-              key = [ :unix, Socket.unpack_sockaddr_un(sock.getsockname) ]
-            rescue ArgumentError
-              port, addr = Socket.unpack_sockaddr_in(sock.getsockname)
-              if addr =~ /\:/
-                addr = "[#{addr}]"
-              end
-              key = [ :tcp, addr, port ]
-            end
-            @activated_sockets[key] = sock
-            @events.debug "Registered #{key.join ':'} for activation from LISTEN_FDS"
-          end
-          remove << k << 'LISTEN_PID'
+    # @!attribute [r] connected_ports
+    # @version 5.0.0
+    def connected_ports
+      ios.map { |io| io.addr[1] }.uniq
+    end
+
+    # @version 5.0.0
+    def create_inherited_fds(env_hash)
+      env_hash.select {|k,v| k =~ /PUMA_INHERIT_\d+/}.each do |_k, v|
+        fd, url = v.split(":", 2)
+        @inherited_fds[url] = fd.to_i
+      end.keys # pass keys back for removal
+    end
+
+    # systemd socket activation.
+    # LISTEN_FDS = number of listening sockets. e.g. 2 means accept on 2 sockets w/descriptors 3 and 4.
+    # LISTEN_PID = PID of the service process, aka us
+    # @see https://www.freedesktop.org/software/systemd/man/systemd-socket-activate.html
+    # @version 5.0.0
+    #
+    def create_activated_fds(env_hash)
+      @events.debug "ENV['LISTEN_FDS'] #{ENV['LISTEN_FDS'].inspect}  env_hash['LISTEN_PID'] #{env_hash['LISTEN_PID'].inspect}"
+      return [] unless env_hash['LISTEN_FDS'] && env_hash['LISTEN_PID'].to_i == $$
+      env_hash['LISTEN_FDS'].to_i.times do |index|
+        sock = TCPServer.for_fd(socket_activation_fd(index))
+        key = begin # Try to parse as a path
+          [:unix, Socket.unpack_sockaddr_un(sock.getsockname)]
+        rescue ArgumentError # Try to parse as a port/ip
+          port, addr = Socket.unpack_sockaddr_in(sock.getsockname)
+          addr = "[#{addr}]" if addr =~ /\:/
+          [:tcp, addr, port]
         end
+        @activated_sockets[key] = sock
+        @events.debug "Registered #{key.join ':'} for activation from LISTEN_FDS"
       end
+      ["LISTEN_FDS", "LISTEN_PID"] # Signal to remove these keys from ENV
+    end
 
-      remove.each do |k|
-        ENV.delete k
+    # Synthesize binds from systemd socket activation
+    #
+    # When systemd socket activation is enabled, it can be tedious to keep the
+    # binds in sync. This method can synthesize any binds based on the received
+    # activated sockets. Any existing matching binds will be respected.
+    #
+    # When only_matching is true in, all binds that do not match an activated
+    # socket is removed in place.
+    #
+    # It's a noop if no activated sockets were received.
+    def synthesize_binds_from_activated_fs(binds, only_matching)
+      return binds unless activated_sockets.any?
+
+      activated_binds = []
+
+      activated_sockets.keys.each do |proto, addr, port|
+        if port
+          tcp_url = "#{proto}://#{addr}:#{port}"
+          ssl_url = "ssl://#{addr}:#{port}"
+          ssl_url_prefix = "#{ssl_url}?"
+
+          existing = binds.find { |bind| bind == tcp_url || bind == ssl_url || bind.start_with?(ssl_url_prefix) }
+
+          activated_binds << (existing || tcp_url)
+        else
+          # TODO: can there be a SSL bind without a port?
+          activated_binds << "#{proto}://#{addr}"
+        end
+      end
+
+      if only_matching
+        activated_binds
+      else
+        binds | activated_binds
       end
     end
 
-    def parse(binds, logger)
+    def parse(binds, logger, log_msg = 'Listening')
       binds.each do |str|
         uri = URI.parse str
         case uri.scheme
@@ -98,23 +164,37 @@ module Puma
             io = inherit_tcp_listener uri.host, uri.port, sock
             logger.log "* Activated #{str}"
           else
+            ios_len = @ios.length
             params = Util.parse_query uri.query
 
-            opt = params.key?('low_latency')
-            bak = params.fetch('backlog', 1024).to_i
+            opt = params.key?('low_latency') && params['low_latency'] != 'false'
+            backlog = params.fetch('backlog', 1024).to_i
+
+            io = add_tcp_listener uri.host, uri.port, opt, backlog
 
-            io = add_tcp_listener uri.host, uri.port, opt, bak
-            logger.log "* Listening on #{str}"
+            @ios[ios_len..-1].each do |i|
+              addr = loc_addr_str i
+              logger.log "* #{log_msg} on http://#{addr}"
+            end
           end
 
           @listeners << [str, io] if io
         when "unix"
           path = "#{uri.host}#{uri.path}".gsub("%20", " ")
+          abstract = false
+          if str.start_with? 'unix://@'
+            raise "OS does not support abstract UNIXSockets" unless Puma.abstract_unix_socket?
+            abstract = true
+            path = "@#{path}"
+          end
 
           if fd = @inherited_fds.delete(str)
+            @unix_paths << path unless abstract
             io = inherit_unix_listener path, fd
             logger.log "* Inherited #{str}"
-          elsif sock = @activated_sockets.delete([ :unix, path ])
+          elsif sock = @activated_sockets.delete([ :unix, path ]) ||
+              @activated_sockets.delete([ :unix, File.realdirpath(path) ])
+            @unix_paths << path unless abstract || File.exist?(path)
             io = inherit_unix_listener path, sock
             logger.log "* Activated #{str}"
           else
@@ -138,69 +218,37 @@ module Puma
               end
             end
 
+            @unix_paths << path unless abstract || File.exist?(path)
             io = add_unix_listener path, umask, mode, backlog
-            logger.log "* Listening on #{str}"
+            logger.log "* #{log_msg} on #{str}"
           end
 
           @listeners << [str, io]
         when "ssl"
-          params = Util.parse_query uri.query
-          require 'puma/minissl'
-
-          MiniSSL.check
-
-          ctx = MiniSSL::Context.new
-
-          if defined?(JRUBY_VERSION)
-            unless params['keystore']
-              @events.error "Please specify the Java keystore via 'keystore='"
-            end
-
-            ctx.keystore = params['keystore']
-
-            unless params['keystore-pass']
-              @events.error "Please specify the Java keystore password  via 'keystore-pass='"
-            end
-
-            ctx.keystore_pass = params['keystore-pass']
-            ctx.ssl_cipher_list = params['ssl_cipher_list'] if params['ssl_cipher_list']
-          else
-            unless params['key']
-              @events.error "Please specify the SSL key via 'key='"
-            end
 
-            ctx.key = params['key']
+          raise "Puma compiled without SSL support" unless HAS_SSL
 
-            unless params['cert']
-              @events.error "Please specify the SSL cert via 'cert='"
-            end
+          params = Util.parse_query uri.query
 
-            ctx.cert = params['cert']
+          # If key and certs are not defined and localhost gem is required.
+          # localhost gem will be used for self signed
+          # Load localhost authority if not loaded.
+          if params.values_at('cert', 'key').all? { |v| v.to_s.empty? }
+            ctx = localhost_authority && localhost_authority_context
+          end
 
-            if ['peer', 'force_peer'].include?(params['verify_mode'])
-              unless params['ca']
-                @events.error "Please specify the SSL ca via 'ca='"
+          ctx ||=
+            begin
+              # Extract cert_pem and key_pem from options[:store] if present
+              ['cert', 'key'].each do |v|
+                if params[v] && params[v].start_with?('store:')
+                  index = Integer(params.delete(v).split('store:').last)
+                  params["#{v}_pem"] = @conf.options[:store][index]
+                end
               end
+              MiniSSL::ContextBuilder.new(params, @events).context
             end
 
-            ctx.ca = params['ca'] if params['ca']
-            ctx.ssl_cipher_filter = params['ssl_cipher_filter'] if params['ssl_cipher_filter']
-          end
-
-          if params['verify_mode']
-            ctx.verify_mode = case params['verify_mode']
-                              when "peer"
-                                MiniSSL::VERIFY_PEER
-                              when "force_peer"
-                                MiniSSL::VERIFY_PEER | MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT
-                              when "none"
-                                MiniSSL::VERIFY_NONE
-                              else
-                                @events.error "Please specify a valid verify_mode="
-                                MiniSSL::VERIFY_NONE
-                              end
-          end
-
           if fd = @inherited_fds.delete(str)
             logger.log "* Inherited #{str}"
             io = inherit_ssl_listener fd, ctx
@@ -208,8 +256,14 @@ module Puma
             io = inherit_ssl_listener sock, ctx
             logger.log "* Activated #{str}"
           else
-            io = add_ssl_listener uri.host, uri.port, ctx
-            logger.log "* Listening on #{str}"
+            ios_len = @ios.length
+            backlog = params.fetch('backlog', 1024).to_i
+            io = add_ssl_listener uri.host, uri.port, ctx, optimize_for_latency = true, backlog
+
+            @ios[ios_len..-1].each do |i|
+              addr = loc_addr_str i
+              logger.log "* #{log_msg} on ssl://#{addr}?#{uri.query}"
+            end
           end
 
           @listeners << [str, io] if io
@@ -237,21 +291,35 @@ module Puma
       end
 
       # Also close any unused activated sockets
-      @activated_sockets.each do |key, sock|
-        logger.log "* Closing unused activated socket: #{key.join ':'}"
-        begin
-          sock.close
-        rescue SystemCallError
+      unless @activated_sockets.empty?
+        fds = @ios.map(&:to_i)
+        @activated_sockets.each do |key, sock|
+          next if fds.include? sock.to_i
+          logger.log "* Closing unused activated socket: #{key.first}://#{key[1..-1].join ':'}"
+          begin
+            sock.close
+          rescue SystemCallError
+          end
+          # We have to unlink a unix socket path that's not being used
+          File.unlink key[1] if key.first == :unix
         end
-        # We have to unlink a unix socket path that's not being used
-        File.unlink key[1] if key[0] == :unix
       end
     end
 
-    def loopback_addresses
-      Socket.ip_address_list.select do |addrinfo|
-        addrinfo.ipv6_loopback? || addrinfo.ipv4_loopback?
-      end.map { |addrinfo| addrinfo.ip_address }.uniq
+    def localhost_authority
+      @localhost_authority ||= Localhost::Authority.fetch if defined?(Localhost::Authority) && !Puma::IS_JRUBY
+    end
+
+    def localhost_authority_context
+      return unless localhost_authority
+
+      key_path, crt_path = if [:key_path, :certificate_path].all? { |m| localhost_authority.respond_to?(m) }
+        [localhost_authority.key_path, localhost_authority.certificate_path]
+      else
+        local_certificates_path = File.expand_path("~/.localhost")
+        [File.join(local_certificates_path, "localhost.key"), File.join(local_certificates_path, "localhost.crt")]
+      end
+      MiniSSL::ContextBuilder.new({ "key" => key_path, "cert" => crt_path }, @events).context
     end
 
     # Tell the server to listen on host +host+, port +port+.
@@ -270,26 +338,20 @@ module Puma
       end
 
       host = host[1..-2] if host and host[0..0] == '['
-      s = TCPServer.new(host, port)
+      tcp_server = TCPServer.new(host, port)
+
       if optimize_for_latency
-        s.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
+        tcp_server.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
       end
-      s.setsockopt(Socket::SOL_SOCKET,Socket::SO_REUSEADDR, true)
-      s.listen backlog
-      @connected_port = s.addr[1]
+      tcp_server.setsockopt(Socket::SOL_SOCKET,Socket::SO_REUSEADDR, true)
+      tcp_server.listen backlog
 
-      @ios << s
-      s
+      @ios << tcp_server
+      tcp_server
     end
 
-    attr_reader :connected_port
-
     def inherit_tcp_listener(host, port, fd)
-      if fd.kind_of? TCPServer
-        s = fd
-      else
-        s = TCPServer.for_fd(fd)
-      end
+      s = fd.kind_of?(::TCPServer) ? fd : ::TCPServer.for_fd(fd)
 
       @ios << s
       s
@@ -297,9 +359,10 @@ module Puma
 
     def add_ssl_listener(host, port, ctx,
                          optimize_for_latency=true, backlog=1024)
-      require 'puma/minissl'
 
-      MiniSSL.check
+      raise "Puma compiled without SSL support" unless HAS_SSL
+      # Puma will try to use local authority context if context is supplied nil
+      ctx ||= localhost_authority_context
 
       if host == "localhost"
         loopback_addresses.each do |addr|
@@ -316,7 +379,6 @@ module Puma
       s.setsockopt(Socket::SOL_SOCKET,Socket::SO_REUSEADDR, true)
       s.listen backlog
 
-
       ssl = MiniSSL::Server.new s, ctx
       env = @proto_env.dup
       env[HTTPS_KEY] = HTTPS
@@ -327,14 +389,12 @@ module Puma
     end
 
     def inherit_ssl_listener(fd, ctx)
-      require 'puma/minissl'
-      MiniSSL.check
+      raise "Puma compiled without SSL support" unless HAS_SSL
+      # Puma will try to use local authority context if context is supplied nil
+      ctx ||= localhost_authority_context
+
+      s = fd.kind_of?(::TCPServer) ? fd : ::TCPServer.for_fd(fd)
 
-      if fd.kind_of? TCPServer
-        s = fd
-      else
-        s = TCPServer.for_fd(fd)
-      end
       ssl = MiniSSL::Server.new(s, ctx)
 
       env = @proto_env.dup
@@ -349,8 +409,6 @@ module Puma
     # Tell the server to listen on +path+ as a UNIX domain socket.
     #
     def add_unix_listener(path, umask=nil, mode=nil, backlog=1024)
-      @unix_paths << path
-
       # Let anyone connect by default
       umask ||= 0
 
@@ -367,8 +425,7 @@ module Puma
             raise "There is already a server bound to: #{path}"
           end
         end
-
-        s = UNIXServer.new(path)
+        s = UNIXServer.new path.sub(/\A@/, "\0") # check for abstract UNIXSocket
         s.listen backlog
         @ios << s
       ensure
@@ -387,13 +444,8 @@ module Puma
     end
 
     def inherit_unix_listener(path, fd)
-      @unix_paths << path
+      s = fd.kind_of?(::TCPServer) ? fd : ::UNIXServer.for_fd(fd)
 
-      if fd.kind_of? TCPServer
-        s = fd
-      else
-        s = UNIXServer.for_fd fd
-      end
       @ios << s
 
       env = @proto_env.dup
@@ -403,5 +455,50 @@ module Puma
       s
     end
 
+    def close_listeners
+      @listeners.each do |l, io|
+        io.close unless io.closed?
+        uri = URI.parse l
+        next unless uri.scheme == 'unix'
+        unix_path = "#{uri.host}#{uri.path}"
+        File.unlink unix_path if @unix_paths.include?(unix_path) && File.exist?(unix_path)
+      end
+    end
+
+    def redirects_for_restart
+      redirects = @listeners.map { |a| [a[1].to_i, a[1].to_i] }.to_h
+      redirects[:close_others] = true
+      redirects
+    end
+
+    # @version 5.0.0
+    def redirects_for_restart_env
+      @listeners.each_with_object({}).with_index do |(listen, memo), i|
+        memo["PUMA_INHERIT_#{i}"] = "#{listen[1].to_i}:#{listen[0]}"
+      end
+    end
+
+    private
+
+    # @!attribute [r] loopback_addresses
+    def loopback_addresses
+      Socket.ip_address_list.select do |addrinfo|
+        addrinfo.ipv6_loopback? || addrinfo.ipv4_loopback?
+      end.map { |addrinfo| addrinfo.ip_address }.uniq
+    end
+
+    def loc_addr_str(io)
+      loc_addr = io.to_io.local_address
+      if loc_addr.ipv6?
+        "[#{loc_addr.ip_unpack[0]}]:#{loc_addr.ip_unpack[1]}"
+      else
+        loc_addr.ip_unpack.join(':')
+      end
+    end
+
+    # @version 5.0.0
+    def socket_activation_fd(int)
+      int + 3 # 3 is the magic number you add to follow the SA protocol
+    end
   end
 end