puma 2.11.3 → 2.12.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 62b8ddbb9917e4501d7b02a0b84a31adac56f5be
-  data.tar.gz: b390e97322dc3d14a51f586985c44fcc3d99b1f8
+  metadata.gz: b265c1a60c1ca0d8edcf9a4d90a834bd38de84ae
+  data.tar.gz: e6df6927092b0a4ccb22ccd25b6f637daea3bc16
 SHA512:
-  metadata.gz: 83f84184db14ac4140e72e65704fdcc97936a4e0adba8bc4e88895819db2e5ab57626e5bd594e74912f3b79bd9c54b900dd25bf61ff60277531f17c4cfdfd7b6
-  data.tar.gz: 015d21282805c0bca821b0381d675edb2356ff4f6975ba97df01612d2aa53476a2c1896d3434ec954ec3aa86c1a243e911333fcbfbf4b9b89c2500baa755bda7
+  metadata.gz: 9643ddea6fda97a21137ce6633521960a582a7bf552466272af27c27362f848366f143727da6f997bae7fa6499acf86031e7dfb73d8513d9907d413dd3429df1
+  data.tar.gz: 4a8b43b176ec67cdc8c7022c7b9d62d991088613eca8ae618030d4a499aba0386546245c79dc4cb31323ed9981bcc2d5c629a165a7e2c23a04c0880eed204486

data/DEPLOYMENT.md

@@ -76,8 +76,7 @@ puma to start running that new code. Minimizing the amount of time the server
 is unavailable would be nice as well. Here's how to do it:
 
 1. Don't use `preload!`. This dirties the master process and means it will have
-to shutdown all the workers and re-exec itself to get your new code, which means
-much higher waiting around for things to load.
+to shutdown all the workers and re-exec itself to get your new code. It is not compatible with phased-restart and `prune_bundler` as well.
 
 1. Use `prune_bundler`. This makes it so that the cluster master will detach itself
 from a Bundler context on start. This allows the cluster workers to load your app

data/Gemfile

@@ -5,9 +5,9 @@ gem "hoe-git"
 gem "hoe-ignore"
 gem "rdoc"
 gem "rake-compiler"
-gem "rack"
 gem "test-unit", "~> 3.0"
 
+gem "rack"
 gem 'minitest', '~> 4.0'
 
 gem "jruby-openssl", :platform => "jruby"

data/History.txt

@@ -1,3 +1,52 @@
+=== 2.12.0 / 2015-07-14
+
+* X bug fixes:
+  * Add thread reaping to thread pool
+  * Do not automatically use chunked responses when hijacked
+  * Do not suppress Content-Length on partial hijack
+  * Don't allow any exceptions to terminate a thread
+  * Handle ENOTCONN client disconnects when setting REMOTE_ADDR
+  * Handle very early exit of cluster mode. Fixes #722
+  * Install rack when running tests on travis to use rack/lint
+  * Make puma -v and -h return success exit code
+  * Make pumactl load config/puma.rb by default
+  * Pass options from pumactl properly when pruning. Fixes #694
+  * Remove rack dependency. Fixes #705
+  * Remove the default Content-Type: text/plain
+  * Add Client Side Certificate Auth
+
+* X doc/test changes:
+  * Added example sourcing of environment vars
+  * Added tests for bind configuration on rackup file
+  * Fix example config text
+  * Update DEPLOYMENT.md
+  * Update Readme with example of custom error handler
+  * ci: Improve Travis settings
+  * ci: Start running tests against JRuby 9k on Travis
+  * ci: Convert to container infrastructure for travisci
+
+* X ops changes:
+  * Check for system-wide rbenv
+  * capistrano: Add additional env when start rails
+
+* X PRs merged:
+  * Merge pull request #686 from jjb/patch-2
+  * Merge pull request #693 from rob-murray/update-example-config
+  * Merge pull request #697 from spk/tests-bind-on-rackup-file
+  * Merge pull request #699 from deees/fix/require_rack_builder
+  * Merge pull request #701 from deepj/master
+  * Merge pull request #702 from Jimdo/thread-reaping
+  * Merge pull request #703 from deepj/travis
+  * Merge pull request #704 from grega/master
+  * Merge pull request #709 from lian/master
+  * Merge pull request #711 from julik/master
+  * Merge pull request #712 from yakara-ltd/pumactl-default-config
+  * Merge pull request #715 from RobotJiang/master
+  * Merge pull request #725 from rwz/master
+  * Merge pull request #726 from strenuus/handle-client-disconnect
+  * Merge pull request #729 from allaire/patch-1
+  * Merge pull request #730 from iamjarvo/container-infrastructure
+
 === 2.11.3 / 2015-05-18
 
 * 5 bug fixes:

data/Manifest.txt

@@ -34,6 +34,7 @@ lib/puma/capistrano.rb
 lib/puma/cli.rb
 lib/puma/client.rb
 lib/puma/cluster.rb
+lib/puma/commonlogger.rb
 lib/puma/compat.rb
 lib/puma/configuration.rb
 lib/puma/const.rb
@@ -48,8 +49,11 @@ lib/puma/java_io_buffer.rb
 lib/puma/jruby_restart.rb
 lib/puma/minissl.rb
 lib/puma/null_io.rb
+lib/puma/rack/backports/uri/common_18.rb
+lib/puma/rack/backports/uri/common_192.rb
+lib/puma/rack/backports/uri/common_193.rb
+lib/puma/rack/builder.rb
 lib/puma/rack_default.rb
-lib/puma/rack_patch.rb
 lib/puma/reactor.rb
 lib/puma/runner.rb
 lib/puma/server.rb

data/README.md

@@ -121,6 +121,20 @@ When you use preload_app, your new code goes all in the master process, and is t
 
 Note that preload_app can’t be used with phased restart, since phased restart kills and restarts workers one-by-one, and preload_app is all about copying the code of master into the workers.
 
+### Error handler for low-level errors
+
+If puma encounters an error outside of the context of your application, it will respond with a 500 and a simple
+textual error message (see `lowlevel_error` in [this file](https://github.com/puma/puma/blob/master/lib/puma/server.rb)).
+You can specify custom behavior for this scenario. For example, you can report the error to your third-party
+error-tracking service (in this example, [rollbar](http://rollbar.com)):
+
+```ruby
+lowlevel_error_handler do |e|
+  Rollbar.critical(e)
+  [500, {}, ["An error has occured, and engineers have been informed. Please reload the page. If you continue to have problems, contact support@example.com\n"]]
+end
+```
+
 ### Binding TCP / Sockets
 
 In contrast to many other server configs which require multiple flags, Puma simply uses one URI parameter with the `-b` (or `--bind`) flag:

data/Rakefile

@@ -20,7 +20,7 @@ HOE = Hoe.spec "puma" do
 
   require_ruby_version ">= 1.8.7"
 
-  dependency "rack", [">= 1.1", "< 2.0"]
+  dependency "rack", [">= 1.1", "< 2.0"], :development
 
   extra_dev_deps << ["rake-compiler", "~> 0.8"]
 end

data/ext/puma_http11/mini_ssl.c

@@ -5,6 +5,7 @@
 #include <openssl/ssl.h>
 #include <openssl/dh.h>
 #include <openssl/err.h>
+#include <openssl/x509.h>
 
 typedef struct {
   BIO* read;
@@ -13,7 +14,17 @@ typedef struct {
   SSL_CTX* ctx;
 } ms_conn;
 
+typedef struct {
+  unsigned char* buf;
+  int bytes;
+} ms_cert_buf;
+
 void engine_free(ms_conn* conn) {
+  ms_cert_buf* cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
+  if(cert_buf) {
+    OPENSSL_free(cert_buf->buf);
+    free(cert_buf);
+  }
   SSL_free(conn->ssl);
   SSL_CTX_free(conn->ctx);
 
@@ -73,6 +84,32 @@ DH *get_dh1024() {
   return dh;
 }
 
+static int engine_verify_callback(int preverify_ok, X509_STORE_CTX* ctx) {
+  X509* err_cert;
+  SSL* ssl;
+  int bytes;
+  unsigned char* buf = NULL;
+
+  if(!preverify_ok) {
+    err_cert = X509_STORE_CTX_get_current_cert(ctx);
+    if(err_cert) {
+      /*
+       * Save the failed certificate for inspection/logging.
+       */
+      bytes = i2d_X509(err_cert, &buf);
+      if(bytes > 0) {
+        ms_cert_buf* cert_buf = (ms_cert_buf*)malloc(sizeof(ms_cert_buf));
+        cert_buf->buf = buf;
+        cert_buf->bytes = bytes;
+        ssl = X509_STORE_CTX_get_ex_data(ctx, SSL_get_ex_data_X509_STORE_CTX_idx());
+        SSL_set_app_data(ssl, cert_buf);
+      }
+    }
+  }
+
+  return preverify_ok;
+}
+
 VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
   VALUE obj;
   SSL_CTX* ctx;
@@ -86,11 +123,21 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
   ID sym_cert = rb_intern("cert");
   VALUE cert = rb_funcall(mini_ssl_ctx, sym_cert, 0);
 
+  ID sym_ca = rb_intern("ca");
+  VALUE ca = rb_funcall(mini_ssl_ctx, sym_ca, 0);
+
+  ID sym_verify_mode = rb_intern("verify_mode");
+  VALUE verify_mode = rb_funcall(mini_ssl_ctx, sym_verify_mode, 0);
+
   ctx = SSL_CTX_new(SSLv23_server_method());
   conn->ctx = ctx;
 
   SSL_CTX_use_certificate_file(ctx, RSTRING_PTR(cert), SSL_FILETYPE_PEM);
   SSL_CTX_use_PrivateKey_file(ctx, RSTRING_PTR(key), SSL_FILETYPE_PEM);
+
+  if (!NIL_P(ca)) {
+    SSL_CTX_load_verify_locations(ctx, RSTRING_PTR(ca), NULL);
+  }
   
   SSL_CTX_set_options(ctx, SSL_OP_CIPHER_SERVER_PREFERENCE | SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_SINGLE_DH_USE | SSL_OP_SINGLE_ECDH_USE);
   SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
@@ -106,10 +153,15 @@ VALUE engine_init_server(VALUE self, VALUE mini_ssl_ctx) {
     EC_KEY_free(ecdh);
   }
 
-  ssl =  SSL_new(ctx);
+  ssl = SSL_new(ctx);
   conn->ssl = ssl;
+  SSL_set_app_data(ssl, NULL);
 
-  /* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */
+  if (NIL_P(verify_mode)) {
+    /* SSL_set_verify(ssl, SSL_VERIFY_NONE, NULL); */
+  } else {
+    SSL_set_verify(ssl, NUM2INT(verify_mode), engine_verify_callback);
+  }
 
   SSL_set_bio(ssl, conn->read, conn->write);
 
@@ -123,6 +175,7 @@ VALUE engine_init_client(VALUE klass) {
 
   conn->ctx = SSL_CTX_new(DTLSv1_method());
   conn->ssl = SSL_new(conn->ctx);
+  SSL_set_app_data(conn->ssl, NULL);
   SSL_set_verify(conn->ssl, SSL_VERIFY_NONE, NULL);
 
   SSL_set_bio(conn->ssl, conn->read, conn->write);
@@ -151,11 +204,36 @@ VALUE engine_inject(VALUE self, VALUE str) {
 static VALUE eError;
 
 void raise_error(SSL* ssl, int result) {
-  int error = SSL_get_error(ssl, result);
-  char* msg = ERR_error_string(error, NULL);
+  char buf[512];
+  char msg[512];
+  const char* err_str;
+  int err = errno;
+  int ssl_err = SSL_get_error(ssl, result);
+  int verify_err = SSL_get_verify_result(ssl);
+
+  if(SSL_ERROR_SYSCALL == ssl_err) {
+    strerror_r(err, buf, sizeof(buf));
+    snprintf(msg, sizeof(msg), "System error: %s - %d", buf, err);
+
+  } else if(SSL_ERROR_SSL == ssl_err) {
+    if(X509_V_OK != verify_err) {
+      err_str = X509_verify_cert_error_string(verify_err);
+      snprintf(msg, sizeof(msg),
+               "OpenSSL certificate verification error: %s - %d",
+               err_str, verify_err);
+
+    } else {
+      err = ERR_get_error();
+      ERR_error_string_n(err, buf, sizeof(buf));
+      snprintf(msg, sizeof(msg), "OpenSSL error: %s - %d", buf, err);
+
+    }
+  } else {
+    snprintf(msg, sizeof(msg), "Unknown OpenSSL error: %d", ssl_err);
+  }
 
   ERR_clear_error();
-  rb_raise(eError, "OpenSSL error: %s - %d", msg, error);
+  rb_raise(eError, msg);
 }
 
 VALUE engine_read(VALUE self) {
@@ -165,6 +243,8 @@ VALUE engine_read(VALUE self) {
 
   Data_Get_Struct(self, ms_conn, conn);
 
+  ERR_clear_error();
+
   bytes = SSL_read(conn->ssl, (void*)buf, sizeof(buf));
 
   if(bytes > 0) {
@@ -174,24 +254,26 @@ VALUE engine_read(VALUE self) {
   if(SSL_want_read(conn->ssl)) return Qnil;
 
   error = SSL_get_error(conn->ssl, bytes);
-  if(error == SSL_ERROR_ZERO_RETURN || error == SSL_ERROR_SSL) {
+
+  if(error == SSL_ERROR_ZERO_RETURN) {
     rb_eof_error();
+  } else {
+    raise_error(conn->ssl, bytes);
   }
 
-  raise_error(conn->ssl, bytes);
-
   return Qnil;
 }
 
 VALUE engine_write(VALUE self, VALUE str) {
   ms_conn* conn;
-  char buf[512];
   int bytes;
 
   Data_Get_Struct(self, ms_conn, conn);
 
   StringValue(str);
 
+  ERR_clear_error();
+
   bytes = SSL_write(conn->ssl, (void*)RSTRING_PTR(str), (int)RSTRING_LEN(str));
   if(bytes > 0) {
     return INT2FIX(bytes);
@@ -225,6 +307,45 @@ VALUE engine_extract(VALUE self) {
   return Qnil;
 }
 
+VALUE engine_peercert(VALUE self) {
+  ms_conn* conn;
+  X509* cert;
+  int bytes;
+  unsigned char* buf = NULL;
+  ms_cert_buf* cert_buf = NULL;
+  VALUE rb_cert_buf;
+
+  Data_Get_Struct(self, ms_conn, conn);
+
+  cert = SSL_get_peer_certificate(conn->ssl);
+  if(!cert) {
+    /*
+     * See if there was a failed certificate associated with this client.
+     */
+    cert_buf = (ms_cert_buf*)SSL_get_app_data(conn->ssl);
+    if(!cert_buf) {
+      return Qnil;
+    }
+    buf = cert_buf->buf;
+    bytes = cert_buf->bytes;
+
+  } else {
+    bytes = i2d_X509(cert, &buf);
+    X509_free(cert);
+
+    if(bytes < 0) {
+      return Qnil;
+    }
+  }
+
+  rb_cert_buf = rb_str_new(buf, bytes);
+  if(!cert_buf) {
+    OPENSSL_free(buf);
+  }
+
+  return rb_cert_buf;
+}
+
 void Init_mini_ssl(VALUE puma) {
   VALUE mod, eng;
 
@@ -246,4 +367,6 @@ void Init_mini_ssl(VALUE puma) {
 
   rb_define_method(eng, "write",  engine_write, 1);
   rb_define_method(eng, "extract", engine_extract, 0);
+
+  rb_define_method(eng, "peercert", engine_peercert, 0);
 }

data/lib/puma/binder.rb

@@ -4,6 +4,8 @@ module Puma
   class Binder
     include Puma::Const
 
+    RACK_VERSION = [1,3].freeze
+
     def initialize(events)
       @events = events
       @listeners = []
@@ -11,17 +13,17 @@ module Puma
       @unix_paths = []
 
       @proto_env = {
-        "rack.version".freeze => Rack::VERSION,
+        "rack.version".freeze => RACK_VERSION,
         "rack.errors".freeze => events.stderr,
         "rack.multithread".freeze => true,
         "rack.multiprocess".freeze => false,
         "rack.run_once".freeze => false,
         "SCRIPT_NAME".freeze => ENV['SCRIPT_NAME'] || "",
 
-        # Rack blows up if this is an empty string, and Rack::Lint
-        # blows up if it's nil. So 'text/plain' seems like the most
-        # sensible default value.
-        "CONTENT_TYPE".freeze => "text/plain",
+        # I'd like to set a default CONTENT_TYPE here but some things
+        # depend on their not being a default set and infering
+        # it from the content. And so if i set it here, it won't
+        # infer properly.
 
         "QUERY_STRING".freeze => "",
         SERVER_PROTOCOL => HTTP_11,
@@ -87,7 +89,7 @@ module Puma
             logger.log "* Inherited #{str}"
             io = inherit_tcp_listener uri.host, uri.port, fd
           else
-            params = Rack::Utils.parse_query uri.query
+            params = Util.parse_query uri.query
 
             opt = params.key?('low_latency')
             bak = params.fetch('backlog', 1024).to_i
@@ -110,7 +112,7 @@ module Puma
             mode = nil
 
             if uri.query
-              params = Rack::Utils.parse_query uri.query
+              params = Util.parse_query uri.query
               if u = params['umask']
                 # Use Integer() to respect the 0 prefix as octal
                 umask = Integer(u)
@@ -126,7 +128,7 @@ module Puma
 
           @listeners << [str, io]
         when "ssl"
-          params = Rack::Utils.parse_query uri.query
+          params = Util.parse_query uri.query
           require 'puma/minissl'
 
           ctx = MiniSSL::Context.new
@@ -155,9 +157,28 @@ module Puma
             end
 
             ctx.cert = params['cert']
-          end
 
-          ctx.verify_mode = MiniSSL::VERIFY_NONE
+            if ['peer', 'force_peer'].include?(params['verify_mode'])
+              unless params['ca']
+                @events.error "Please specify the SSL ca via 'ca='"
+              end
+              ctx.ca = params['ca']
+            end
+
+            if  params['verify_mode']
+              ctx.verify_mode = case params['verify_mode']
+                                when "peer"
+                                  MiniSSL::VERIFY_PEER
+                                when "force_peer"
+                                  MiniSSL::VERIFY_PEER | MiniSSL::VERIFY_FAIL_IF_NO_PEER_CERT
+                                when "none"
+                                  MiniSSL::VERIFY_NONE
+                                else
+                                  @events.error "Please specify a valid verify_mode="
+                                  MiniSSL::VERIFY_NONE
+                                end
+            end
+          end
 
           if fd = @inherited_fds.delete(str)
             logger.log "* Inherited #{str}"