puma 5.0.4 → 5.6.4

data/ext/puma_http11/org/jruby/puma/MiniSSL.java

@@ -6,6 +6,7 @@ import org.jruby.RubyModule;
 import org.jruby.RubyObject;
 import org.jruby.RubyString;
 import org.jruby.anno.JRubyMethod;
+import org.jruby.exceptions.RaiseException;
 import org.jruby.javasupport.JavaEmbedUtils;
 import org.jruby.runtime.Block;
 import org.jruby.runtime.ObjectAllocator;
@@ -80,11 +81,11 @@ public class MiniSSL extends RubyObject {
     /**
      * Writes bytes to the buffer after ensuring there's room
      */
-    public void put(byte[] bytes) {
-      if (buffer.remaining() < bytes.length) {
-        resize(buffer.limit() + bytes.length);
+    private void put(byte[] bytes, final int offset, final int length) {
+      if (buffer.remaining() < length) {
+        resize(buffer.limit() + length);
       }
-      buffer.put(bytes);
+      buffer.put(bytes, offset, length);
     }
 
     /**
@@ -115,7 +116,7 @@ public class MiniSSL extends RubyObject {
 
       buffer.get(bss);
       buffer.clear();
-      return new ByteList(bss);
+      return new ByteList(bss, false);
     }
 
     @Override
@@ -174,8 +175,6 @@ public class MiniSSL extends RubyObject {
   @JRubyMethod
   public IRubyObject initialize(ThreadContext threadContext, IRubyObject miniSSLContext)
       throws KeyStoreException, NoSuchAlgorithmException, KeyManagementException {
-    KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
-    KeyStore ts = KeyStore.getInstance(KeyStore.getDefaultType());
 
     String keystoreFile = miniSSLContext.callMethod(threadContext, "keystore").convertToString().asJavaString();
     KeyManagerFactory kmf = keyManagerFactoryMap.get(keystoreFile);
@@ -230,14 +229,9 @@ public class MiniSSL extends RubyObject {
 
   @JRubyMethod
   public IRubyObject inject(IRubyObject arg) {
-    try {
-      byte[] bytes = arg.convertToString().getBytes();
-      inboundNetData.put(bytes);
-      return this;
-    } catch (Exception e) {
-      e.printStackTrace();
-      throw new RuntimeException(e);
-    }
+    ByteList bytes = arg.convertToString().getByteList();
+    inboundNetData.put(bytes.unsafeBytes(), bytes.getBegin(), bytes.getRealSize());
+    return this;
   }
 
   private enum SSLOperation {
@@ -297,7 +291,7 @@ public class MiniSSL extends RubyObject {
   }
 
   @JRubyMethod
-  public IRubyObject read() throws Exception {
+  public IRubyObject read() {
     try {
       inboundNetData.flip();
 
@@ -342,55 +336,46 @@ public class MiniSSL extends RubyObject {
         return getRuntime().getNil();
       }
 
-      RubyString str = getRuntime().newString("");
-      str.setValue(appDataByteList);
-      return str;
-    } catch (Exception e) {
-      throw getRuntime().newEOFError(e.getMessage());
+      return RubyString.newString(getRuntime(), appDataByteList);
+    } catch (SSLException e) {
+      RaiseException re = getRuntime().newEOFError(e.getMessage());
+      re.initCause(e);
+      throw re;
     }
   }
 
   @JRubyMethod
   public IRubyObject write(IRubyObject arg) {
-    try {
-      byte[] bls = arg.convertToString().getBytes();
-      outboundAppData = new MiniSSLBuffer(bls);
+    byte[] bls = arg.convertToString().getBytes();
+    outboundAppData = new MiniSSLBuffer(bls);
 
-      return getRuntime().newFixnum(bls.length);
-    } catch (Exception e) {
-      e.printStackTrace();
-      throw new RuntimeException(e);
-    }
+    return getRuntime().newFixnum(bls.length);
   }
 
   @JRubyMethod
-  public IRubyObject extract() throws SSLException {
+  public IRubyObject extract(ThreadContext context) {
     try {
       ByteList dataByteList = outboundNetData.asByteList();
       if (dataByteList != null) {
-        RubyString str = getRuntime().newString("");
-        str.setValue(dataByteList);
-        return str;
+        return RubyString.newString(context.runtime, dataByteList);
       }
 
       if (!outboundAppData.hasRemaining()) {
-        return getRuntime().getNil();
+        return context.nil;
       }
 
       outboundNetData.clear();
       doOp(SSLOperation.WRAP, outboundAppData, outboundNetData);
       dataByteList = outboundNetData.asByteList();
       if (dataByteList == null) {
-        return getRuntime().getNil();
+        return context.nil;
       }
 
-      RubyString str = getRuntime().newString("");
-      str.setValue(dataByteList);
-
-      return str;
-    } catch (Exception e) {
-      e.printStackTrace();
-      throw new RuntimeException(e);
+      return RubyString.newString(context.runtime, dataByteList);
+    } catch (SSLException e) {
+      RaiseException ex = context.runtime.newRuntimeError(e.toString());
+      ex.initCause(e);
+      throw ex;
     }
   }
 
@@ -398,7 +383,7 @@ public class MiniSSL extends RubyObject {
   public IRubyObject peercert() throws CertificateEncodingException {
     try {
       return JavaEmbedUtils.javaToRuby(getRuntime(), engine.getSession().getPeerCertificates()[0].getEncoded());
-    } catch (SSLPeerUnverifiedException ex) {
+    } catch (SSLPeerUnverifiedException e) {
       return getRuntime().getNil();
     }
   }

data/ext/puma_http11/puma_http11.c

@@ -40,7 +40,9 @@ static VALUE global_http_version;
 static VALUE global_request_path;
 
 /** Defines common length and error messages for input length validation. */
-#define DEF_MAX_LENGTH(N,length) const size_t MAX_##N##_LENGTH = length; const char *MAX_##N##_LENGTH_ERR = "HTTP element " # N  " is longer than the " # length " allowed length (was %d)"
+#define QUOTE(s) #s
+#define EXPLAIN_MAX_LENGTH_VALUE(s) QUOTE(s)
+#define DEF_MAX_LENGTH(N,length) const size_t MAX_##N##_LENGTH = length; const char *MAX_##N##_LENGTH_ERR = "HTTP element " # N  " is longer than the " EXPLAIN_MAX_LENGTH_VALUE(length) " allowed length (was %d)"
 
 /** Validates the max length of given input and throws an HttpParserError exception if over. */
 #define VALIDATE_MAX_LENGTH(len, N) if(len > MAX_##N##_LENGTH) { rb_raise(eHttpParserError, MAX_##N##_LENGTH_ERR, len); }
@@ -50,12 +52,16 @@ static VALUE global_request_path;
 
 
 /* Defines the maximum allowed lengths for various input elements.*/
+#ifndef PUMA_QUERY_STRING_MAX_LENGTH
+#define PUMA_QUERY_STRING_MAX_LENGTH (1024 * 10)
+#endif
+
 DEF_MAX_LENGTH(FIELD_NAME, 256);
 DEF_MAX_LENGTH(FIELD_VALUE, 80 * 1024);
 DEF_MAX_LENGTH(REQUEST_URI, 1024 * 12);
 DEF_MAX_LENGTH(FRAGMENT, 1024); /* Don't know if this length is specified somewhere or not */
 DEF_MAX_LENGTH(REQUEST_PATH, 8192);
-DEF_MAX_LENGTH(QUERY_STRING, (1024 * 10));
+DEF_MAX_LENGTH(QUERY_STRING, PUMA_QUERY_STRING_MAX_LENGTH);
 DEF_MAX_LENGTH(HEADER, (1024 * (80 + 32)));
 
 struct common_field {
@@ -445,7 +451,7 @@ VALUE HttpParser_body(VALUE self) {
 void Init_mini_ssl(VALUE mod);
 #endif
 
-void Init_puma_http11()
+void Init_puma_http11(void)
 {
 
   VALUE mPuma = rb_define_module("Puma");

data/lib/puma/app/status.rb

@@ -1,4 +1,5 @@
 # frozen_string_literal: true
+require 'puma/json_serialization'
 
 module Puma
   module App
@@ -22,10 +23,6 @@ module Puma
           return rack_response(403, 'Invalid auth token', 'text/plain')
         end
 
-        if env['PATH_INFO'] =~ /\/(gc-stats|stats|thread-backtraces)$/
-          require 'json'
-        end
-
         # resp_type is processed by following case statement, return
         # is a number (status) or a string used as the body of a 200 response
         resp_type =
@@ -49,17 +46,17 @@ module Puma
             GC.start ; 200
 
           when 'gc-stats'
-            GC.stat.to_json
+            Puma::JSONSerialization.generate GC.stat
 
           when 'stats'
-            @launcher.stats.to_json
+            Puma::JSONSerialization.generate @launcher.stats
 
           when 'thread-backtraces'
             backtraces = []
             @launcher.thread_status do |name, backtrace|
               backtraces << { name: name, backtrace: backtrace }
             end
-            backtraces.to_json
+            Puma::JSONSerialization.generate backtraces
 
           else
             return rack_response(404, "Unsupported action", 'text/plain')

data/lib/puma/binder.rb

@@ -13,7 +13,7 @@ module Puma
     require 'puma/minissl'
     require 'puma/minissl/context_builder'
 
-    # Odd bug in 'pure Ruby' nio4r verion 2.5.2, which installs with Ruby 2.3.
+    # Odd bug in 'pure Ruby' nio4r version 2.5.2, which installs with Ruby 2.3.
     # NIO doesn't create any OpenSSL objects, but it rescues an OpenSSL error.
     # The bug was that it did not require openssl.
     # @todo remove when Ruby 2.3 support is dropped
@@ -30,6 +30,7 @@ module Puma
 
     def initialize(events, conf = Configuration.new)
       @events = events
+      @conf = conf
       @listeners = []
       @inherited_fds = {}
       @activated_sockets = {}
@@ -41,6 +42,7 @@ module Puma
         "rack.multithread".freeze => conf.options[:max_threads] > 1,
         "rack.multiprocess".freeze => conf.options[:workers] >= 1,
         "rack.run_once".freeze => false,
+        RACK_URL_SCHEME => conf.options[:rack_url_scheme],
         "SCRIPT_NAME".freeze => ENV['SCRIPT_NAME'] || "",
 
         # I'd like to set a default CONTENT_TYPE here but some things
@@ -56,6 +58,7 @@ module Puma
 
       @envs = {}
       @ios = []
+      localhost_authority
     end
 
     attr_reader :ios
@@ -95,6 +98,7 @@ module Puma
     # @version 5.0.0
     #
     def create_activated_fds(env_hash)
+      @events.debug "ENV['LISTEN_FDS'] #{ENV['LISTEN_FDS'].inspect}  env_hash['LISTEN_PID'] #{env_hash['LISTEN_PID'].inspect}"
       return [] unless env_hash['LISTEN_FDS'] && env_hash['LISTEN_PID'].to_i == $$
       env_hash['LISTEN_FDS'].to_i.times do |index|
         sock = TCPServer.for_fd(socket_activation_fd(index))
@@ -111,6 +115,43 @@ module Puma
       ["LISTEN_FDS", "LISTEN_PID"] # Signal to remove these keys from ENV
     end
 
+    # Synthesize binds from systemd socket activation
+    #
+    # When systemd socket activation is enabled, it can be tedious to keep the
+    # binds in sync. This method can synthesize any binds based on the received
+    # activated sockets. Any existing matching binds will be respected.
+    #
+    # When only_matching is true in, all binds that do not match an activated
+    # socket is removed in place.
+    #
+    # It's a noop if no activated sockets were received.
+    def synthesize_binds_from_activated_fs(binds, only_matching)
+      return binds unless activated_sockets.any?
+
+      activated_binds = []
+
+      activated_sockets.keys.each do |proto, addr, port|
+        if port
+          tcp_url = "#{proto}://#{addr}:#{port}"
+          ssl_url = "ssl://#{addr}:#{port}"
+          ssl_url_prefix = "#{ssl_url}?"
+
+          existing = binds.find { |bind| bind == tcp_url || bind == ssl_url || bind.start_with?(ssl_url_prefix) }
+
+          activated_binds << (existing || tcp_url)
+        else
+          # TODO: can there be a SSL bind without a port?
+          activated_binds << "#{proto}://#{addr}"
+        end
+      end
+
+      if only_matching
+        activated_binds
+      else
+        binds | activated_binds
+      end
+    end
+
     def parse(binds, logger, log_msg = 'Listening')
       binds.each do |str|
         uri = URI.parse str
@@ -123,21 +164,16 @@ module Puma
             io = inherit_tcp_listener uri.host, uri.port, sock
             logger.log "* Activated #{str}"
           else
+            ios_len = @ios.length
             params = Util.parse_query uri.query
 
-            opt = params.key?('low_latency')
-            bak = params.fetch('backlog', 1024).to_i
+            opt = params.key?('low_latency') && params['low_latency'] != 'false'
+            backlog = params.fetch('backlog', 1024).to_i
 
-            io = add_tcp_listener uri.host, uri.port, opt, bak
-
-            @ios.each do |i|
-              next unless TCPServer === i
-              addr = if i.local_address.ipv6?
-                "[#{i.local_address.ip_unpack[0]}]:#{i.local_address.ip_unpack[1]}"
-              else
-                i.local_address.ip_unpack.join(':')
-              end
+            io = add_tcp_listener uri.host, uri.port, opt, backlog
 
+            @ios[ios_len..-1].each do |i|
+              addr = loc_addr_str i
               logger.log "* #{log_msg} on http://#{addr}"
             end
           end
@@ -145,11 +181,20 @@ module Puma
           @listeners << [str, io] if io
         when "unix"
           path = "#{uri.host}#{uri.path}".gsub("%20", " ")
+          abstract = false
+          if str.start_with? 'unix://@'
+            raise "OS does not support abstract UNIXSockets" unless Puma.abstract_unix_socket?
+            abstract = true
+            path = "@#{path}"
+          end
 
           if fd = @inherited_fds.delete(str)
+            @unix_paths << path unless abstract
             io = inherit_unix_listener path, fd
             logger.log "* Inherited #{str}"
-          elsif sock = @activated_sockets.delete([ :unix, path ])
+          elsif sock = @activated_sockets.delete([ :unix, path ]) ||
+              @activated_sockets.delete([ :unix, File.realdirpath(path) ])
+            @unix_paths << path unless abstract || File.exist?(path)
             io = inherit_unix_listener path, sock
             logger.log "* Activated #{str}"
           else
@@ -173,6 +218,7 @@ module Puma
               end
             end
 
+            @unix_paths << path unless abstract || File.exist?(path)
             io = add_unix_listener path, umask, mode, backlog
             logger.log "* #{log_msg} on #{str}"
           end
@@ -183,7 +229,25 @@ module Puma
           raise "Puma compiled without SSL support" unless HAS_SSL
 
           params = Util.parse_query uri.query
-          ctx = MiniSSL::ContextBuilder.new(params, @events).context
+
+          # If key and certs are not defined and localhost gem is required.
+          # localhost gem will be used for self signed
+          # Load localhost authority if not loaded.
+          if params.values_at('cert', 'key').all? { |v| v.to_s.empty? }
+            ctx = localhost_authority && localhost_authority_context
+          end
+
+          ctx ||=
+            begin
+              # Extract cert_pem and key_pem from options[:store] if present
+              ['cert', 'key'].each do |v|
+                if params[v] && params[v].start_with?('store:')
+                  index = Integer(params.delete(v).split('store:').last)
+                  params["#{v}_pem"] = @conf.options[:store][index]
+                end
+              end
+              MiniSSL::ContextBuilder.new(params, @events).context
+            end
 
           if fd = @inherited_fds.delete(str)
             logger.log "* Inherited #{str}"
@@ -192,8 +256,14 @@ module Puma
             io = inherit_ssl_listener sock, ctx
             logger.log "* Activated #{str}"
           else
-            io = add_ssl_listener uri.host, uri.port, ctx
-            logger.log "* Listening on #{str}"
+            ios_len = @ios.length
+            backlog = params.fetch('backlog', 1024).to_i
+            io = add_ssl_listener uri.host, uri.port, ctx, optimize_for_latency = true, backlog
+
+            @ios[ios_len..-1].each do |i|
+              addr = loc_addr_str i
+              logger.log "* #{log_msg} on ssl://#{addr}?#{uri.query}"
+            end
           end
 
           @listeners << [str, io] if io
@@ -221,17 +291,37 @@ module Puma
       end
 
       # Also close any unused activated sockets
-      @activated_sockets.each do |key, sock|
-        logger.log "* Closing unused activated socket: #{key.join ':'}"
-        begin
-          sock.close
-        rescue SystemCallError
+      unless @activated_sockets.empty?
+        fds = @ios.map(&:to_i)
+        @activated_sockets.each do |key, sock|
+          next if fds.include? sock.to_i
+          logger.log "* Closing unused activated socket: #{key.first}://#{key[1..-1].join ':'}"
+          begin
+            sock.close
+          rescue SystemCallError
+          end
+          # We have to unlink a unix socket path that's not being used
+          File.unlink key[1] if key.first == :unix
         end
-        # We have to unlink a unix socket path that's not being used
-        File.unlink key[1] if key[0] == :unix
       end
     end
 
+    def localhost_authority
+      @localhost_authority ||= Localhost::Authority.fetch if defined?(Localhost::Authority) && !Puma::IS_JRUBY
+    end
+
+    def localhost_authority_context
+      return unless localhost_authority
+
+      key_path, crt_path = if [:key_path, :certificate_path].all? { |m| localhost_authority.respond_to?(m) }
+        [localhost_authority.key_path, localhost_authority.certificate_path]
+      else
+        local_certificates_path = File.expand_path("~/.localhost")
+        [File.join(local_certificates_path, "localhost.key"), File.join(local_certificates_path, "localhost.crt")]
+      end
+      MiniSSL::ContextBuilder.new({ "key" => key_path, "cert" => crt_path }, @events).context
+    end
+
     # Tell the server to listen on host +host+, port +port+.
     # If +optimize_for_latency+ is true (the default) then clients connecting
     # will be optimized for latency over throughput.
@@ -249,6 +339,7 @@ module Puma
 
       host = host[1..-2] if host and host[0..0] == '['
       tcp_server = TCPServer.new(host, port)
+
       if optimize_for_latency
         tcp_server.setsockopt(Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1)
       end
@@ -260,11 +351,7 @@ module Puma
     end
 
     def inherit_tcp_listener(host, port, fd)
-      if fd.kind_of? TCPServer
-        s = fd
-      else
-        s = TCPServer.for_fd(fd)
-      end
+      s = fd.kind_of?(::TCPServer) ? fd : ::TCPServer.for_fd(fd)
 
       @ios << s
       s
@@ -274,6 +361,8 @@ module Puma
                          optimize_for_latency=true, backlog=1024)
 
       raise "Puma compiled without SSL support" unless HAS_SSL
+      # Puma will try to use local authority context if context is supplied nil
+      ctx ||= localhost_authority_context
 
       if host == "localhost"
         loopback_addresses.each do |addr|
@@ -301,12 +390,11 @@ module Puma
 
     def inherit_ssl_listener(fd, ctx)
       raise "Puma compiled without SSL support" unless HAS_SSL
+      # Puma will try to use local authority context if context is supplied nil
+      ctx ||= localhost_authority_context
+
+      s = fd.kind_of?(::TCPServer) ? fd : ::TCPServer.for_fd(fd)
 
-      if fd.kind_of? TCPServer
-        s = fd
-      else
-        s = TCPServer.for_fd(fd)
-      end
       ssl = MiniSSL::Server.new(s, ctx)
 
       env = @proto_env.dup
@@ -321,8 +409,6 @@ module Puma
     # Tell the server to listen on +path+ as a UNIX domain socket.
     #
     def add_unix_listener(path, umask=nil, mode=nil, backlog=1024)
-      @unix_paths << path unless File.exist? path
-
       # Let anyone connect by default
       umask ||= 0
 
@@ -339,8 +425,7 @@ module Puma
             raise "There is already a server bound to: #{path}"
           end
         end
-
-        s = UNIXServer.new(path)
+        s = UNIXServer.new path.sub(/\A@/, "\0") # check for abstract UNIXSocket
         s.listen backlog
         @ios << s
       ensure
@@ -359,13 +444,8 @@ module Puma
     end
 
     def inherit_unix_listener(path, fd)
-      @unix_paths << path unless File.exist? path
+      s = fd.kind_of?(::TCPServer) ? fd : ::UNIXServer.for_fd(fd)
 
-      if fd.kind_of? TCPServer
-        s = fd
-      else
-        s = UNIXServer.for_fd fd
-      end
       @ios << s
 
       env = @proto_env.dup
@@ -376,24 +456,24 @@ module Puma
     end
 
     def close_listeners
-      listeners.each do |l, io|
-        io.close unless io.closed? # Ruby 2.2 issue
-        uri = URI.parse(l)
+      @listeners.each do |l, io|
+        io.close unless io.closed?
+        uri = URI.parse l
         next unless uri.scheme == 'unix'
         unix_path = "#{uri.host}#{uri.path}"
-        File.unlink unix_path if unix_paths.include? unix_path
+        File.unlink unix_path if @unix_paths.include?(unix_path) && File.exist?(unix_path)
       end
     end
 
     def redirects_for_restart
-      redirects = listeners.map { |a| [a[1].to_i, a[1].to_i] }.to_h
+      redirects = @listeners.map { |a| [a[1].to_i, a[1].to_i] }.to_h
       redirects[:close_others] = true
       redirects
     end
 
     # @version 5.0.0
     def redirects_for_restart_env
-      listeners.each_with_object({}).with_index do |(listen, memo), i|
+      @listeners.each_with_object({}).with_index do |(listen, memo), i|
         memo["PUMA_INHERIT_#{i}"] = "#{listen[1].to_i}:#{listen[0]}"
       end
     end
@@ -407,6 +487,15 @@ module Puma
       end.map { |addrinfo| addrinfo.ip_address }.uniq
     end
 
+    def loc_addr_str(io)
+      loc_addr = io.to_io.local_address
+      if loc_addr.ipv6?
+        "[#{loc_addr.ip_unpack[0]}]:#{loc_addr.ip_unpack[1]}"
+      else
+        loc_addr.ip_unpack.join(':')
+      end
+    end
+
     # @version 5.0.0
     def socket_activation_fd(int)
       int + 3 # 3 is the magic number you add to follow the SA protocol

data/lib/puma/cli.rb

@@ -11,16 +11,17 @@ require 'puma/events'
 
 module Puma
   class << self
-    # The CLI exports its Puma::Configuration object here to allow
-    # apps to pick it up. An app needs to use it conditionally though
-    # since it is not set if the app is launched via another
-    # mechanism than the CLI class.
+    # The CLI exports a Puma::Configuration instance here to allow
+    # apps to pick it up. An app must load this object conditionally
+    # because it is not set if the app is launched via any mechanism
+    # other than the CLI class.
     attr_accessor :cli_config
   end
 
   # Handles invoke a Puma::Server in a command line style.
   #
   class CLI
+    # @deprecated 6.0.0
     KEYS_NOT_TO_PERSIST_IN_STATE = Launcher::KEYS_NOT_TO_PERSIST_IN_STATE
 
     # Create a new CLI object using +argv+ as the command line
@@ -104,10 +105,19 @@ module Puma
             user_config.bind arg
           end
 
+          o.on "--bind-to-activated-sockets [only]", "Bind to all activated sockets" do |arg|
+            user_config.bind_to_activated_sockets(arg || true)
+          end
+
           o.on "-C", "--config PATH", "Load PATH as a config file" do |arg|
             file_config.load arg
           end
 
+          # Identical to supplying --config "-", but more semantic
+          o.on "--no-config", "Prevent Puma from searching for a config file" do |arg|
+            file_config.load "-"
+          end
+
           o.on "--control-url URL", "The bind url to use for the control server. Use 'auto' to use temp unix server" do |arg|
             configure_control_url(arg)
           end
@@ -175,6 +185,10 @@ module Puma
             user_config.restart_command cmd
           end
 
+          o.on "-s", "--silent", "Do not log prompt messages other than errors" do
+            @events = Events.new NullIO.new, $stderr
+          end
+
           o.on "-S", "--state PATH", "Where to store the state details" do |arg|
             user_config.state_path arg
           end