puma 5.6.4 → 6.0.2

data/lib/puma/minissl/context_builder.rb

@@ -1,9 +1,9 @@
 module Puma
   module MiniSSL
     class ContextBuilder
-      def initialize(params, events)
+      def initialize(params, log_writer)
         @params = params
-        @events = events
+        @log_writer = log_writer
       end
 
       def context
@@ -11,27 +11,36 @@ module Puma
 
         if defined?(JRUBY_VERSION)
           unless params['keystore']
-            events.error "Please specify the Java keystore via 'keystore='"
+            log_writer.error "Please specify the Java keystore via 'keystore='"
           end
 
           ctx.keystore = params['keystore']
 
           unless params['keystore-pass']
-            events.error "Please specify the Java keystore password  via 'keystore-pass='"
+            log_writer.error "Please specify the Java keystore password  via 'keystore-pass='"
           end
 
           ctx.keystore_pass = params['keystore-pass']
-          ctx.ssl_cipher_list = params['ssl_cipher_list'] if params['ssl_cipher_list']
+          ctx.keystore_type = params['keystore-type']
+
+          if truststore = params['truststore']
+            ctx.truststore = truststore.eql?('default') ? :default : truststore
+            ctx.truststore_pass = params['truststore-pass']
+            ctx.truststore_type = params['truststore-type']
+          end
+
+          ctx.cipher_suites = params['cipher_suites'] || params['ssl_cipher_list']
+          ctx.protocols = params['protocols'] if params['protocols']
         else
           if params['key'].nil? && params['key_pem'].nil?
-            events.error "Please specify the SSL key via 'key=' or 'key_pem='"
+            log_writer.error "Please specify the SSL key via 'key=' or 'key_pem='"
           end
 
           ctx.key = params['key'] if params['key']
           ctx.key_pem = params['key_pem'] if params['key_pem']
 
           if params['cert'].nil? && params['cert_pem'].nil?
-            events.error "Please specify the SSL cert via 'cert=' or 'cert_pem='"
+            log_writer.error "Please specify the SSL cert via 'cert=' or 'cert_pem='"
           end
 
           ctx.cert = params['cert'] if params['cert']
@@ -39,16 +48,18 @@ module Puma
 
           if ['peer', 'force_peer'].include?(params['verify_mode'])
             unless params['ca']
-              events.error "Please specify the SSL ca via 'ca='"
+              log_writer.error "Please specify the SSL ca via 'ca='"
             end
           end
 
           ctx.ca = params['ca'] if params['ca']
           ctx.ssl_cipher_filter = params['ssl_cipher_filter'] if params['ssl_cipher_filter']
+
+          ctx.reuse = params['reuse'] if params['reuse']
         end
 
-        ctx.no_tlsv1 = true if params['no_tlsv1'] == 'true'
-        ctx.no_tlsv1_1 = true if params['no_tlsv1_1'] == 'true'
+        ctx.no_tlsv1   = params['no_tlsv1'] == 'true'
+        ctx.no_tlsv1_1 = params['no_tlsv1_1'] == 'true'
 
         if params['verify_mode']
           ctx.verify_mode = case params['verify_mode']
@@ -59,7 +70,7 @@ module Puma
                             when "none"
                               MiniSSL::VERIFY_NONE
                             else
-                              events.error "Please specify a valid verify_mode="
+                              log_writer.error "Please specify a valid verify_mode="
                               MiniSSL::VERIFY_NONE
                             end
         end
@@ -75,7 +86,7 @@ module Puma
 
       private
 
-      attr_reader :params, :events
+      attr_reader :params, :log_writer
     end
   end
 end

data/lib/puma/minissl.rb

@@ -1,11 +1,12 @@
 # frozen_string_literal: true
 
 begin
-  require 'io/wait'
+  require 'io/wait' unless Puma::HAS_NATIVE_IO_WAIT
 rescue LoadError
 end
 
 # need for Puma::MiniSSL::OPENSSL constants used in `HAS_TLS1_3`
+# use require, see https://github.com/puma/puma/pull/2381
 require 'puma/puma_http11'
 
 module Puma
@@ -13,15 +14,16 @@ module Puma
     # Define constant at runtime, as it's easy to determine at built time,
     # but Puma could (it shouldn't) be loaded with an older OpenSSL version
     # @version 5.0.0
-    HAS_TLS1_3 = !IS_JRUBY &&
-      (OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
-      (OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1
+    HAS_TLS1_3 = IS_JRUBY ||
+        ((OPENSSL_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) != -1 &&
+         (OPENSSL_LIBRARY_VERSION[/ \d+\.\d+\.\d+/].split('.').map(&:to_i) <=> [1,1,1]) !=-1)
 
     class Socket
       def initialize(socket, engine)
         @socket = socket
         @engine = engine
         @peercert = nil
+        @reuse = nil
       end
 
       # @!attribute [r] to_io
@@ -50,7 +52,7 @@ module Puma
       # is made with TLSv1.3 as an available protocol
       # @version 5.0.0
       def bad_tlsv1_3?
-        HAS_TLS1_3 && @engine.ssl_vers_st == ['TLSv1.3', 'SSLERR']
+        HAS_TLS1_3 && ssl_version_state == ['TLSv1.3', 'SSLERR']
       end
       private :bad_tlsv1_3?
 
@@ -123,7 +125,7 @@ module Puma
         while true
           wrote = @engine.write data
 
-          enc_wr = ''.dup
+          enc_wr = +''
           while (enc = @engine.extract)
             enc_wr << enc
           end
@@ -195,10 +197,6 @@ module Puma
     if IS_JRUBY
       OPENSSL_NO_SSL3 = false
       OPENSSL_NO_TLS1 = false
-
-      class SSLError < StandardError
-        # Define this for jruby even though it isn't used.
-      end
     end
 
     class Context
@@ -212,21 +210,68 @@ module Puma
         @cert = nil
         @key_pem = nil
         @cert_pem = nil
+        @reuse = nil
+        @reuse_cache_size = nil
+        @reuse_timeout = nil
+      end
+
+      def check_file(file, desc)
+        raise ArgumentError, "#{desc} file '#{file}' does not exist" unless File.exist? file
+        raise ArgumentError, "#{desc} file '#{file}' is not readable" unless File.readable? file
       end
 
       if IS_JRUBY
         # jruby-specific Context properties: java uses a keystore and password pair rather than a cert/key pair
         attr_reader :keystore
+        attr_reader :keystore_type
         attr_accessor :keystore_pass
-        attr_accessor :ssl_cipher_list
+        attr_reader :truststore
+        attr_reader :truststore_type
+        attr_accessor :truststore_pass
+        attr_reader :cipher_suites
+        attr_reader :protocols
 
         def keystore=(keystore)
-          raise ArgumentError, "No such keystore file '#{keystore}'" unless File.exist? keystore
+          check_file keystore, 'Keystore'
           @keystore = keystore
         end
 
+        def truststore=(truststore)
+          # NOTE: historically truststore was assumed the same as keystore, this is kept for backwards
+          # compatibility, to rely on JVM's trust defaults we allow setting `truststore = :default`
+          unless truststore.eql?(:default)
+            raise ArgumentError, "No such truststore file '#{truststore}'" unless File.exist?(truststore)
+          end
+          @truststore = truststore
+        end
+
+        def keystore_type=(type)
+          raise ArgumentError, "Invalid keystore type: #{type.inspect}" unless ['pkcs12', 'jks', nil].include?(type)
+          @keystore_type = type
+        end
+
+        def truststore_type=(type)
+          raise ArgumentError, "Invalid truststore type: #{type.inspect}" unless ['pkcs12', 'jks', nil].include?(type)
+          @truststore_type = type
+        end
+
+        def cipher_suites=(list)
+          list = list.split(',').map(&:strip) if list.is_a?(String)
+          @cipher_suites = list
+        end
+
+        # aliases for backwards compatibility
+        alias_method :ssl_cipher_list, :cipher_suites
+        alias_method :ssl_cipher_list=, :cipher_suites=
+
+        def protocols=(list)
+          list = list.split(',').map(&:strip) if list.is_a?(String)
+          @protocols = list
+        end
+
         def check
           raise "Keystore not configured" unless @keystore
+          # @truststore defaults to @keystore due backwards compatibility
         end
 
       else
@@ -239,18 +284,20 @@ module Puma
         attr_accessor :ssl_cipher_filter
         attr_accessor :verification_flags
 
+        attr_reader :reuse, :reuse_cache_size, :reuse_timeout
+
         def key=(key)
-          raise ArgumentError, "No such key file '#{key}'" unless File.exist? key
+          check_file key, 'Key'
           @key = key
         end
 
         def cert=(cert)
-          raise ArgumentError, "No such cert file '#{cert}'" unless File.exist? cert
+          check_file cert, 'Cert'
           @cert = cert
         end
 
         def ca=(ca)
-          raise ArgumentError, "No such ca file '#{ca}'" unless File.exist? ca
+          check_file ca, 'ca'
           @ca = ca
         end
 
@@ -268,6 +315,35 @@ module Puma
           raise "Key not configured" if @key.nil? && @key_pem.nil?
           raise "Cert not configured" if @cert.nil? && @cert_pem.nil?
         end
+
+        # Controls session reuse.  Allowed values are as follows:
+        # * 'off' - matches the behavior of Puma 5.6 and earlier.  This is included
+        #   in case reuse 'on' is made the default in future Puma versions.
+        # * 'dflt' - sets session reuse on, with OpenSSL default cache size of
+        #   20k and default timeout of 300 seconds.
+        # * 's,t' - where s and t are integer strings, for size and timeout.
+        # * 's' - where s is an integer strings for size.
+        # * ',t' - where t is an integer strings for timeout.
+        #
+        def reuse=(reuse_str)
+          case reuse_str
+          when 'off'
+            @reuse = nil
+          when 'dflt'
+            @reuse = true
+          when /\A\d+\z/
+            @reuse = true
+            @reuse_cache_size = reuse_str.to_i
+          when /\A\d+,\d+\z/
+            @reuse = true
+            size, time = reuse_str.split ','
+            @reuse_cache_size = size.to_i
+            @reuse_timeout = time.to_i
+          when /\A,\d+\z/
+            @reuse = true
+            @reuse_timeout = reuse_str.delete(',').to_i
+          end
+        end
       end
 
       # disables TLSv1

data/lib/puma/null_io.rb

@@ -52,5 +52,10 @@ module Puma
     def flush
       self
     end
+
+    # This is used as singleton class, so can't have state.
+    def closed?
+      false
+    end
   end
 end

data/lib/puma/plugin/tmp_restart.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'puma/plugin'
+require_relative '../plugin'
 
 Puma::Plugin.create do
   def start(launcher)

data/lib/puma/rack/builder.rb

@@ -102,13 +102,13 @@ module Puma::Rack
       begin
         info = []
         server = Rack::Handler.get(options[:server]) || Rack::Handler.default(options)
-        if server && server.respond_to?(:valid_options)
+        if server&.respond_to?(:valid_options)
           info << ""
           info << "Server-specific options for #{server.name}:"
 
           has_options = false
           server.valid_options.each do |name, description|
-            next if name.to_s =~ /^(Host|Port)[^a-zA-Z]/ # ignore handler's host and port options, we do our own.
+            next if /^(Host|Port)[^a-zA-Z]/.match? name.to_s  # ignore handler's host and port options, we do our own.
 
             info << "  -O %-21s %s" % [name, description]
             has_options = true
@@ -276,7 +276,7 @@ module Puma::Rack
       app = @map ? generate_map(@run, @map) : @run
       fail "missing run or map statement" unless app
       app = @use.reverse.inject(app) { |a,e| e[a] }
-      @warmup.call(app) if @warmup
+      @warmup&.call app
       app
     end
 
@@ -287,7 +287,7 @@ module Puma::Rack
     private
 
     def generate_map(default_app, mapping)
-      require 'puma/rack/urlmap'
+      require_relative 'urlmap'
 
       mapped = default_app ? {'/' => default_app} : {}
       mapping.each { |r,b| mapped[r] = self.class.new(default_app, &b).to_app }

data/lib/puma/rack_default.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'rack/handler/puma'
+require_relative '../rack/handler/puma'
 
 module Rack::Handler
   def self.default(options = {})

data/lib/puma/reactor.rb

@@ -1,6 +1,6 @@
 # frozen_string_literal: true
 
-require 'puma/queue_close' unless ::Queue.instance_methods.include? :close
+require_relative 'queue_close' unless ::Queue.instance_methods.include? :close
 
 module Puma
   class UnsupportedBackend < StandardError; end
@@ -50,7 +50,7 @@ module Puma
       @input << client
       @selector.wakeup
       true
-    rescue ClosedQueueError
+    rescue ClosedQueueError, IOError # Ignore if selector is already closed
       false
     end
 
@@ -61,7 +61,7 @@ module Puma
         @selector.wakeup
       rescue IOError # Ignore if selector is already closed
       end
-      @thread.join if @thread
+      @thread&.join
     end
 
     private
@@ -76,7 +76,7 @@ module Puma
 
           # Wakeup all objects that timed out.
           timed_out = @timeouts.take_while {|t| t.timeout == 0}
-          timed_out.each(&method(:wakeup!))
+          timed_out.each { |c| wakeup! c }
 
           unless @input.empty?
             until @input.empty?