puma 4.3.5 → 6.0.1

data/lib/puma/minissl/context_builder.rb

@@ -1,12 +1,9 @@
 module Puma
   module MiniSSL
     class ContextBuilder
-      def initialize(params, events)
-        require 'puma/minissl'
-        MiniSSL.check
-
+      def initialize(params, log_writer)
         @params = params
-        @events = events
+        @log_writer = log_writer
       end
 
       def context
@@ -14,42 +11,55 @@ module Puma
 
         if defined?(JRUBY_VERSION)
           unless params['keystore']
-            events.error "Please specify the Java keystore via 'keystore='"
+            log_writer.error "Please specify the Java keystore via 'keystore='"
           end
 
           ctx.keystore = params['keystore']
 
           unless params['keystore-pass']
-            events.error "Please specify the Java keystore password  via 'keystore-pass='"
+            log_writer.error "Please specify the Java keystore password  via 'keystore-pass='"
           end
 
           ctx.keystore_pass = params['keystore-pass']
-          ctx.ssl_cipher_list = params['ssl_cipher_list'] if params['ssl_cipher_list']
+          ctx.keystore_type = params['keystore-type']
+
+          if truststore = params['truststore']
+            ctx.truststore = truststore.eql?('default') ? :default : truststore
+            ctx.truststore_pass = params['truststore-pass']
+            ctx.truststore_type = params['truststore-type']
+          end
+
+          ctx.cipher_suites = params['cipher_suites'] || params['ssl_cipher_list']
+          ctx.protocols = params['protocols'] if params['protocols']
         else
-          unless params['key']
-            events.error "Please specify the SSL key via 'key='"
+          if params['key'].nil? && params['key_pem'].nil?
+            log_writer.error "Please specify the SSL key via 'key=' or 'key_pem='"
           end
 
-          ctx.key = params['key']
+          ctx.key = params['key'] if params['key']
+          ctx.key_pem = params['key_pem'] if params['key_pem']
 
-          unless params['cert']
-            events.error "Please specify the SSL cert via 'cert='"
+          if params['cert'].nil? && params['cert_pem'].nil?
+            log_writer.error "Please specify the SSL cert via 'cert=' or 'cert_pem='"
           end
 
-          ctx.cert = params['cert']
+          ctx.cert = params['cert'] if params['cert']
+          ctx.cert_pem = params['cert_pem'] if params['cert_pem']
 
           if ['peer', 'force_peer'].include?(params['verify_mode'])
             unless params['ca']
-              events.error "Please specify the SSL ca via 'ca='"
+              log_writer.error "Please specify the SSL ca via 'ca='"
             end
           end
 
           ctx.ca = params['ca'] if params['ca']
           ctx.ssl_cipher_filter = params['ssl_cipher_filter'] if params['ssl_cipher_filter']
+
+          ctx.reuse = params['reuse'] if params['reuse']
         end
 
-        ctx.no_tlsv1 = true if params['no_tlsv1'] == 'true'
-        ctx.no_tlsv1_1 = true if params['no_tlsv1_1'] == 'true'
+        ctx.no_tlsv1   = params['no_tlsv1'] == 'true'
+        ctx.no_tlsv1_1 = params['no_tlsv1_1'] == 'true'
 
         if params['verify_mode']
           ctx.verify_mode = case params['verify_mode']
@@ -60,17 +70,23 @@ module Puma
                             when "none"
                               MiniSSL::VERIFY_NONE
                             else
-                              events.error "Please specify a valid verify_mode="
+                              log_writer.error "Please specify a valid verify_mode="
                               MiniSSL::VERIFY_NONE
                             end
         end
 
+        if params['verification_flags']
+          ctx.verification_flags = params['verification_flags'].split(',').
+            map { |flag| MiniSSL::VERIFICATION_FLAGS.fetch(flag) }.
+            inject { |sum, flag| sum ? sum | flag : flag }
+        end
+
         ctx
       end
 
       private
 
-      attr_reader :params, :events
+      attr_reader :params, :log_writer
     end
   end
 end

data/lib/puma/minissl.rb

@@ -1,19 +1,32 @@
 # frozen_string_literal: true
 
 begin
-  require 'io/wait'
+  require 'io/wait' unless Puma::HAS_NATIVE_IO_WAIT
 rescue LoadError
 end
 
+# need for Puma::MiniSSL::OPENSSL constants used in `HAS_TLS1_3`
+# use require, see https://github.com/puma/puma/pull/2381
+require 'puma/puma_http11'
+
 module Puma
   module MiniSSL
+    # Define constant at runtime, as it's easy to determine at built time,
+    # but Puma could (it shouldn't) be loaded with an older OpenSSL version
+    # @version 5.0.0
+    HAS_TLS1_3 = IS_JRUBY ||
+        ((OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
+         (OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1)
+
     class Socket
       def initialize(socket, engine)
         @socket = socket
         @engine = engine
         @peercert = nil
+        @reuse = nil
       end
 
+      # @!attribute [r] to_io
       def to_io
         @socket
       end
@@ -22,6 +35,27 @@ module Puma
         @socket.closed?
       end
 
+      # Returns a two element array,
+      # first is protocol version (SSL_get_version),
+      # second is 'handshake' state (SSL_state_string)
+      #
+      # Used for dropping tcp connections to ssl.
+      # See OpenSSL ssl/ssl_stat.c SSL_state_string for info
+      # @!attribute [r] ssl_version_state
+      # @version 5.0.0
+      #
+      def ssl_version_state
+        IS_JRUBY ? [nil, nil] : @engine.ssl_vers_st
+      end
+
+      # Used to check the handshake status, in particular when a TCP connection
+      # is made with TLSv1.3 as an available protocol
+      # @version 5.0.0
+      def bad_tlsv1_3?
+        HAS_TLS1_3 && ssl_version_state == ['TLSv1.3', 'SSLERR']
+      end
+      private :bad_tlsv1_3?
+
       def readpartial(size)
         while true
           output = @engine.read
@@ -67,6 +101,7 @@ module Puma
             # ourselves.
             raise IO::EAGAINWaitReadable
           elsif data.nil?
+            raise SSLError.exception "HTTP connection?" if bad_tlsv1_3?
             return nil
           end
 
@@ -84,22 +119,23 @@ module Puma
       def write(data)
         return 0 if data.empty?
 
-        need = data.bytesize
+        data_size = data.bytesize
+        need = data_size
 
         while true
           wrote = @engine.write data
-          enc = @engine.extract
 
-          while enc
-            @socket.write enc
-            enc = @engine.extract
+          enc_wr = +''
+          while (enc = @engine.extract)
+            enc_wr << enc
           end
+          @socket.write enc_wr unless enc_wr.empty?
 
           need -= wrote
 
-          return data.bytesize if need == 0
+          return data_size if need == 0
 
-          data = data[wrote..-1]
+          data = data.byteslice(wrote..-1)
         end
       end
 
@@ -107,14 +143,18 @@ module Puma
       alias_method :<<, :write
 
       # This is a temporary fix to deal with websockets code using
-      # write_nonblock. The problem with implementing it properly
+      # write_nonblock.
+
+      # The problem with implementing it properly
       # is that it means we'd have to have the ability to rewind
       # an engine because after we write+extract, the socket
       # write_nonblock call might raise an exception and later
       # code would pass the same data in, but the engine would think
-      # it had already written the data in. So for the time being
-      # (and since write blocking is quite rare), go ahead and actually
-      # block in write_nonblock.
+      # it had already written the data in.
+      #
+      # So for the time being (and since write blocking is quite rare),
+      # go ahead and actually block in write_nonblock.
+      #
       def write_nonblock(data, *_)
         write data
       end
@@ -123,39 +163,27 @@ module Puma
         @socket.flush
       end
 
-      def read_and_drop(timeout = 1)
-        return :timeout unless IO.select([@socket], nil, nil, timeout)
-        return :eof unless read_nonblock(1024)
-        :drop
-      rescue Errno::EAGAIN
-        # do nothing
-        :eagain
-      end
-
-      def should_drop_bytes?
-        @engine.init? || !@engine.shutdown
-      end
-
       def close
         begin
-          # Read any drop any partially initialized sockets and any received bytes during shutdown.
-          # Don't let this socket hold this loop forever.
-          # If it can't send more packets within 1s, then give up.
-          while should_drop_bytes?
-            return if [:timeout, :eof].include?(read_and_drop(1))
+          unless @engine.shutdown
+            while alert_data = @engine.extract
+              @socket.write alert_data
+            end
           end
         rescue IOError, SystemCallError
-          Thread.current.purge_interrupt_queue if Thread.current.respond_to? :purge_interrupt_queue
+          Puma::Util.purge_interrupt_queue
           # nothing
         ensure
           @socket.close
         end
       end
 
+      # @!attribute [r] peeraddr
       def peeraddr
         @socket.peeraddr
       end
 
+      # @!attribute [r] peercert
       def peercert
         return @peercert if @peercert
 
@@ -166,12 +194,9 @@ module Puma
       end
     end
 
-    if defined?(JRUBY_VERSION)
-      class SSLError < StandardError
-        # Define this for jruby even though it isn't used.
-      end
-
-      def self.check; end
+    if IS_JRUBY
+      OPENSSL_NO_SSL3 = false
+      OPENSSL_NO_TLS1 = false
     end
 
     class Context
@@ -181,21 +206,72 @@ module Puma
       def initialize
         @no_tlsv1   = false
         @no_tlsv1_1 = false
+        @key = nil
+        @cert = nil
+        @key_pem = nil
+        @cert_pem = nil
+        @reuse = nil
+        @reuse_cache_size = nil
+        @reuse_timeout = nil
       end
 
-      if defined?(JRUBY_VERSION)
+      def check_file(file, desc)
+        raise ArgumentError, "#{desc} file '#{file}' does not exist" unless File.exist? file
+        raise ArgumentError, "#{desc} file '#{file}' is not readable" unless File.readable? file
+      end
+
+      if IS_JRUBY
         # jruby-specific Context properties: java uses a keystore and password pair rather than a cert/key pair
         attr_reader :keystore
+        attr_reader :keystore_type
         attr_accessor :keystore_pass
-        attr_accessor :ssl_cipher_list
+        attr_reader :truststore
+        attr_reader :truststore_type
+        attr_accessor :truststore_pass
+        attr_reader :cipher_suites
+        attr_reader :protocols
 
         def keystore=(keystore)
-          raise ArgumentError, "No such keystore file '#{keystore}'" unless File.exist? keystore
+          check_file keystore, 'Keystore'
           @keystore = keystore
         end
 
+        def truststore=(truststore)
+          # NOTE: historically truststore was assumed the same as keystore, this is kept for backwards
+          # compatibility, to rely on JVM's trust defaults we allow setting `truststore = :default`
+          unless truststore.eql?(:default)
+            raise ArgumentError, "No such truststore file '#{truststore}'" unless File.exist?(truststore)
+          end
+          @truststore = truststore
+        end
+
+        def keystore_type=(type)
+          raise ArgumentError, "Invalid keystore type: #{type.inspect}" unless ['pkcs12', 'jks', nil].include?(type)
+          @keystore_type = type
+        end
+
+        def truststore_type=(type)
+          raise ArgumentError, "Invalid truststore type: #{type.inspect}" unless ['pkcs12', 'jks', nil].include?(type)
+          @truststore_type = type
+        end
+
+        def cipher_suites=(list)
+          list = list.split(',').map(&:strip) if list.is_a?(String)
+          @cipher_suites = list
+        end
+
+        # aliases for backwards compatibility
+        alias_method :ssl_cipher_list, :cipher_suites
+        alias_method :ssl_cipher_list=, :cipher_suites=
+
+        def protocols=(list)
+          list = list.split(',').map(&:strip) if list.is_a?(String)
+          @protocols = list
+        end
+
         def check
           raise "Keystore not configured" unless @keystore
+          # @truststore defaults to @keystore due backwards compatibility
         end
 
       else
@@ -203,38 +279,84 @@ module Puma
         attr_reader :key
         attr_reader :cert
         attr_reader :ca
+        attr_reader :cert_pem
+        attr_reader :key_pem
         attr_accessor :ssl_cipher_filter
+        attr_accessor :verification_flags
+
+        attr_reader :reuse, :reuse_cache_size, :reuse_timeout
 
         def key=(key)
-          raise ArgumentError, "No such key file '#{key}'" unless File.exist? key
+          check_file key, 'Key'
           @key = key
         end
 
         def cert=(cert)
-          raise ArgumentError, "No such cert file '#{cert}'" unless File.exist? cert
+          check_file cert, 'Cert'
           @cert = cert
         end
 
         def ca=(ca)
-          raise ArgumentError, "No such ca file '#{ca}'" unless File.exist? ca
+          check_file ca, 'ca'
           @ca = ca
         end
 
+        def cert_pem=(cert_pem)
+          raise ArgumentError, "'cert_pem' is not a String" unless cert_pem.is_a? String
+          @cert_pem = cert_pem
+        end
+
+        def key_pem=(key_pem)
+          raise ArgumentError, "'key_pem' is not a String" unless key_pem.is_a? String
+          @key_pem = key_pem
+        end
+
         def check
-          raise "Key not configured" unless @key
-          raise "Cert not configured" unless @cert
+          raise "Key not configured" if @key.nil? && @key_pem.nil?
+          raise "Cert not configured" if @cert.nil? && @cert_pem.nil?
+        end
+
+        # Controls session reuse.  Allowed values are as follows:
+        # * 'off' - matches the behavior of Puma 5.6 and earlier.  This is included
+        #   in case reuse 'on' is made the default in future Puma versions.
+        # * 'dflt' - sets session reuse on, with OpenSSL default cache size of
+        #   20k and default timeout of 300 seconds.
+        # * 's,t' - where s and t are integer strings, for size and timeout.
+        # * 's' - where s is an integer strings for size.
+        # * ',t' - where t is an integer strings for timeout.
+        #
+        def reuse=(reuse_str)
+          case reuse_str
+          when 'off'
+            @reuse = nil
+          when 'dflt'
+            @reuse = true
+          when /\A\d+\z/
+            @reuse = true
+            @reuse_cache_size = reuse_str.to_i
+          when /\A\d+,\d+\z/
+            @reuse = true
+            size, time = reuse_str.split ','
+            @reuse_cache_size = size.to_i
+            @reuse_timeout = time.to_i
+          when /\A,\d+\z/
+            @reuse = true
+            @reuse_timeout = reuse_str.delete(',').to_i
+          end
         end
       end
 
       # disables TLSv1
+      # @!attribute [w] no_tlsv1=
       def no_tlsv1=(tlsv1)
-        raise ArgumentError, "Invalid value of no_tlsv1" unless ['true', 'false', true, false].include?(tlsv1)
+        raise ArgumentError, "Invalid value of no_tlsv1=" unless ['true', 'false', true, false].include?(tlsv1)
         @no_tlsv1 = tlsv1
       end
 
       # disables TLSv1 and TLSv1.1.  Overrides `#no_tlsv1=`
+      # @!attribute [w] no_tlsv1_1=
       def no_tlsv1_1=(tlsv1_1)
-        raise ArgumentError, "Invalid value of no_tlsv1" unless ['true', 'false', true, false].include?(tlsv1_1)
+        raise ArgumentError, "Invalid value of no_tlsv1_1=" unless ['true', 'false', true, false].include?(tlsv1_1)
         @no_tlsv1_1 = tlsv1_1
       end
 
@@ -244,35 +366,71 @@ module Puma
     VERIFY_PEER = 1
     VERIFY_FAIL_IF_NO_PEER_CERT = 2
 
+    # https://github.com/openssl/openssl/blob/master/include/openssl/x509_vfy.h.in
+    # /* Certificate verify flags */
+    VERIFICATION_FLAGS = {
+      "USE_CHECK_TIME"       => 0x2,
+      "CRL_CHECK"            => 0x4,
+      "CRL_CHECK_ALL"        => 0x8,
+      "IGNORE_CRITICAL"      => 0x10,
+      "X509_STRICT"          => 0x20,
+      "ALLOW_PROXY_CERTS"    => 0x40,
+      "POLICY_CHECK"         => 0x80,
+      "EXPLICIT_POLICY"      => 0x100,
+      "INHIBIT_ANY"          => 0x200,
+      "INHIBIT_MAP"          => 0x400,
+      "NOTIFY_POLICY"        => 0x800,
+      "EXTENDED_CRL_SUPPORT" => 0x1000,
+      "USE_DELTAS"           => 0x2000,
+      "CHECK_SS_SIGNATURE"   => 0x4000,
+      "TRUSTED_FIRST"        => 0x8000,
+      "SUITEB_128_LOS_ONLY"  => 0x10000,
+      "SUITEB_192_LOS"       => 0x20000,
+      "SUITEB_128_LOS"       => 0x30000,
+      "PARTIAL_CHAIN"        => 0x80000,
+      "NO_ALT_CHAINS"        => 0x100000,
+      "NO_CHECK_TIME"        => 0x200000
+    }.freeze
+
     class Server
       def initialize(socket, ctx)
         @socket = socket
         @ctx = ctx
-      end
-
-      def to_io
-        @socket
+        @eng_ctx = IS_JRUBY ? @ctx : SSLContext.new(ctx)
       end
 
       def accept
         @ctx.check
         io = @socket.accept
-        engine = Engine.server @ctx
-
+        engine = Engine.server @eng_ctx
         Socket.new io, engine
       end
 
       def accept_nonblock
         @ctx.check
         io = @socket.accept_nonblock
-        engine = Engine.server @ctx
-
+        engine = Engine.server @eng_ctx
         Socket.new io, engine
       end
 
+      # @!attribute [r] to_io
+      def to_io
+        @socket
+      end
+
+      # @!attribute [r] addr
+      # @version 5.0.0
+      def addr
+        @socket.addr
+      end
+
       def close
         @socket.close unless @socket.closed?       # closed? call is for Windows
       end
+
+      def closed?
+        @socket.closed?
+      end
     end
   end
 end

data/lib/puma/null_io.rb

@@ -9,13 +9,17 @@ module Puma
       nil
     end
 
+    def string
+      ""
+    end
+
     def each
     end
 
     # Mimics IO#read with no data.
     #
     def read(count = nil, _buffer = nil)
-      (count && count > 0) ? nil : ""
+      count && count > 0 ? nil : ""
     end
 
     def rewind
@@ -32,6 +36,10 @@ module Puma
       true
     end
 
+    def sync
+      true
+    end
+
     def sync=(v)
     end
 
@@ -40,5 +48,14 @@ module Puma
 
     def write(*ary)
     end
+
+    def flush
+      self
+    end
+
+    # This is used as singleton class, so can't have state.
+    def closed?
+      false
+    end
   end
 end

data/lib/puma/plugin/tmp_restart.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'puma/plugin'
+require_relative '../plugin'
 
 Puma::Plugin.create do
   def start(launcher)

data/lib/puma/plugin.rb

@@ -10,7 +10,7 @@ module Puma
 
     def create(name)
       if cls = Plugins.find(name)
-        plugin = cls.new(Plugin)
+        plugin = cls.new
         @instances << plugin
         return plugin
       end
@@ -64,7 +64,7 @@ module Puma
     def fire_background
       @background.each_with_index do |b, i|
         Thread.new do
-          Puma.set_thread_name "plugin background #{i}"
+          Puma.set_thread_name "plgn bg #{i}"
           b.call
         end
       end
@@ -91,7 +91,7 @@ module Puma
       path = ary.first[CALLER_FILE]
 
       m = %r!puma/plugin/([^/]*)\.rb$!.match(path)
-      return m[1]
+      m[1]
     end
 
     def self.create(&blk)
@@ -104,17 +104,8 @@ module Puma
       Plugins.register name, cls
     end
 
-    def initialize(loader)
-      @loader = loader
-    end
-
     def in_background(&blk)
       Plugins.add_background blk
     end
-
-    def workers_supported?
-      return false if Puma.jruby? || Puma.windows?
-      true
-    end
   end
 end

data/lib/puma/rack/builder.rb

@@ -67,10 +67,6 @@ module Puma::Rack
           options[:environment] = e
         }
 
-        opts.on("-D", "--daemonize", "run daemonized in the background") { |d|
-          options[:daemonize] = d ? true : false
-        }
-
         opts.on("-P", "--pid FILE", "file to store PID") { |f|
           options[:pid] = ::File.expand_path(f)
         }
@@ -106,13 +102,13 @@ module Puma::Rack
       begin
         info = []
         server = Rack::Handler.get(options[:server]) || Rack::Handler.default(options)
-        if server && server.respond_to?(:valid_options)
+        if server&.respond_to?(:valid_options)
           info << ""
           info << "Server-specific options for #{server.name}:"
 
           has_options = false
           server.valid_options.each do |name, description|
-            next if name.to_s =~ /^(Host|Port)[^a-zA-Z]/ # ignore handler's host and port options, we do our own.
+            next if /^(Host|Port)[^a-zA-Z]/.match? name.to_s  # ignore handler's host and port options, we do our own.
 
             info << "  -O %-21s %s" % [name, description]
             has_options = true
@@ -169,7 +165,7 @@ module Puma::Rack
         require config
         app = Object.const_get(::File.basename(config, '.rb').capitalize)
       end
-      return app, options
+      [app, options]
     end
 
     def self.new_from_string(builder_script, file="(rackup)")
@@ -280,7 +276,7 @@ module Puma::Rack
       app = @map ? generate_map(@run, @map) : @run
       fail "missing run or map statement" unless app
       app = @use.reverse.inject(app) { |a,e| e[a] }
-      @warmup.call(app) if @warmup
+      @warmup&.call app
       app
     end
 
@@ -291,7 +287,7 @@ module Puma::Rack
     private
 
     def generate_map(default_app, mapping)
-      require 'puma/rack/urlmap'
+      require_relative 'urlmap'
 
       mapped = default_app ? {'/' => default_app} : {}
       mapping.each { |r,b| mapped[r] = self.class.new(default_app, &b).to_app }