rack-wwwhisper 1.0.1.pre → 1.0.2.pre

data/lib/rack/wwwhisper.rb

@@ -33,10 +33,12 @@ class WWWhisper
 
     @wwwhisper_iframe = ENV['WWWHISPER_IFRAME'] ||
       sprintf(@@DEFAULT_IFRAME, wwwhisper_path('auth/overlay.html'))
+    @wwwhisper_iframe_bytesize = Rack::Utils::bytesize(@wwwhisper_iframe)
 
     @request_config = {
+      # TODO: probably now auth can be removed.
       :auth => {
-        :forwarded_headers => ['Cookie'],
+        :forwarded_headers => ['Accept', 'Accept-Language', 'Cookie'],
         :http => wwwhisper_http,
         :uri => wwwhisper_uri,
         :send_site_url => true,
@@ -76,12 +78,45 @@ class WWWhisper
     wwwhisper_path "auth/api/is-authorized/?path=#{queried_path}"
   end
 
-  def auth_login_path()
-    wwwhisper_path 'auth/login.html'
+  def call(env)
+    req = Rack::Request.new(env)
+
+    normalize_path req
+
+    if req.path =~ %r{^#{@@WWWHISPER_PREFIX}auth}
+      # Requests to /@@WWWHISPER_PREFIX/auth/ should not be authorized,
+      # every visitor can access login pages.
+      return dispatch(req)
+    end
+
+    debug req, "sending auth request for #{req.path}"
+    auth_resp = wwwhisper_auth_request(req)
+
+    if auth_resp.code == '200'
+      debug req, 'access granted'
+      status, headers, body = dispatch(req)
+      if should_inject_iframe(status, headers)
+        body = inject_iframe(headers, body)
+      end
+      [status, headers, body]
+    else
+      debug req, {
+        '401' => 'user not authenticated',
+        '403' => 'access_denied',
+      }[auth_resp.code] || 'auth request failed'
+      sub_response_to_rack(req, auth_resp)
+    end
   end
 
-  def auth_denied_path()
-    wwwhisper_path 'auth/not_authorized.html'
+  private
+
+  def debug(req, message)
+    req.logger.debug "wwwhisper #{message}" if req.logger
+  end
+
+  def normalize_path(req)
+    req.script_name = Addressable::URI.normalize_path(req.script_name)
+    req.path_info = Addressable::URI.normalize_path(req.path_info)
   end
 
   def parse_uri(uri)
@@ -92,15 +127,6 @@ class WWWhisper
     parsed_uri
   end
 
-  def http_init(connection_id)
-    http = Net::HTTP::Persistent.new(connection_id)
-    store = OpenSSL::X509::Store.new()
-    store.set_default_paths
-    http.cert_store = store
-    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
-    return http
-  end
-
   def default_port(proto)
     {
       'http' => 80,
@@ -125,143 +151,124 @@ class WWWhisper
     "#{proto}://#{host}#{port_str}"
   end
 
-  def request_init(config, env, method, path)
+  def http_init(connection_id)
+    http = Net::HTTP::Persistent.new(connection_id)
+    store = OpenSSL::X509::Store.new()
+    store.set_default_paths
+    http.cert_store = store
+    http.verify_mode = OpenSSL::SSL::VERIFY_PEER
+    return http
+  end
+
+  def sub_request_init(config, rack_req, method, path)
     path = @aliases[path] || path
-    request = Net::HTTP.const_get(method).new(path)
-    copy_headers(config[:forwarded_headers], env, request)
-    request['Site-Url'] = site_url(env) if config[:send_site_url]
+    sub_req = Net::HTTP.const_get(method).new(path)
+    copy_headers(config[:forwarded_headers], rack_req.env, sub_req)
+    sub_req['Site-Url'] = site_url(rack_req.env) if config[:send_site_url]
     uri = config[:uri]
-    request.basic_auth(uri.user, uri.password) if uri.user and uri.password
-    request
+    sub_req.basic_auth(uri.user, uri.password) if uri.user and uri.password
+    sub_req
   end
 
   def has_value(dict, key)
     dict[key] != nil and !dict[key].empty?
   end
 
-  def copy_headers(headers_names, env, request)
+  def copy_headers(headers_names, env, sub_req)
     headers_names.each do |header|
       key = "HTTP_#{header.upcase}".gsub(/-/, '_')
-      request[header] = env[key] if has_value(env, key)
-      #puts "Sending header #{header} #{request[header]} #{key} #{env[key]}"
+      sub_req[header] = env[key] if has_value(env, key)
     end
   end
 
-  def copy_body(src_request, dst_request)
-    if dst_request.request_body_permitted? and src_request.body
-      dst_request.body_stream = src_request.body
-      dst_request.content_length = src_request.content_length
-      dst_request.content_type =
-        src_request.content_type if src_request.content_type
+  def copy_body(rack_req, sub_req)
+    if sub_req.request_body_permitted? and rack_req.body and
+        (rack_req.content_length or
+         rack_req.env['HTTP_TRANSFER_ENCODING'] == 'chunked')
+      sub_req.body_stream = rack_req.body
+      sub_req.content_length =
+        rack_req.content_length if rack_req.content_length
+      sub_req.content_type = rack_req.content_type if rack_req.content_type
     end
   end
 
-  def extract_headers(env, response)
-    headers = Rack::Utils::HeaderHash.new()
-    response.each_capitalized do |k,v|
-      #puts "Header #{k} VAL #{v}"
-      if k.to_s =~ /location/i
-        location = Addressable::URI.parse(v)
-        location.scheme, location.host, location.port = proto_host_port(env)
-        v = location.to_s
+  def sub_response_headers_to_rack(rack_req, sub_resp)
+    rack_headers = Rack::Utils::HeaderHash.new()
+    sub_resp.each_capitalized do |header, value|
+      if header == 'Location'
+        location = Addressable::URI.parse(value)
+        location.scheme, location.host, location.port =
+          proto_host_port(rack_req.env)
+        value = location.to_s
       end
-      # Transfer encoding and content-length are set correctly by Rack.
-      # TODO: what is transfer encoding?
-      headers[k] = v unless k.to_s =~ /transfer-encoding|content-length/i
-    end
-    return headers
-  end
-
-  def dispatch(env)
-    orig_request = Rack::Request.new(env)
-    if orig_request.path =~ %r{^#{@@WWWHISPER_PREFIX}}
-      debug orig_request, "passing request to wwwhisper service"
-
-      config =
-        if orig_request.path =~ %r{^#{@@WWWHISPER_PREFIX}(auth|admin)/api/}
-          @request_config[:api]
-        else
-          @request_config[:assets]
-        end
-
-      method = orig_request.request_method.capitalize
-      request = request_init(config, env, method, orig_request.fullpath)
-      copy_body(orig_request, request)
-
-      response = config[:http].request(config[:uri], request)
-      net_http_response_to_rack(env, response)
-    else
-      debug orig_request, "passing request to Rack stack"
-      @app.call(env)
+      rack_headers[header] = value
     end
+    return rack_headers
   end
 
-  def net_http_response_to_rack(env, response)
+  def sub_response_to_rack(rack_req, sub_resp)
     [
-     response.code.to_i,
-     extract_headers(env, response),
-     [(response.read_body() or '')]
+     sub_resp.code.to_i,
+     sub_response_headers_to_rack(rack_req, sub_resp),
+     [(sub_resp.read_body() or '')]
     ]
   end
 
-  def wwwhisper_auth_request(env, req)
+  def wwwhisper_auth_request(req)
     config = @request_config[:auth]
-    auth_request = request_init(config, env, 'Get', auth_query(req.path))
-    auth_response = config[:http].request(config[:uri], auth_request)
-    net_http_response_to_rack(env, auth_response)
+    auth_req = sub_request_init(config, req, 'Get', auth_query(req.path))
+    config[:http].request(config[:uri], auth_req)
   end
 
   def should_inject_iframe(status, headers)
-    status == 200 and headers['Content-Type'] =~ /text\/html/i
+    # Do not attempt to inject iframe if result is already chunked,
+    # compressed or checksummed.
+    (status == 200 and
+     headers['Content-Type'] =~ /text\/html/i and
+     not headers['Transfer-Encoding'] and
+     not headers['Content-Range'] and
+     not headers['Content-Encoding'] and
+     not headers['Content-MD5']
+     )
   end
 
   def inject_iframe(headers, body)
-    # If Content-Length is missing, Rack sets correct one.
-    headers.delete('Content-Length')
-    #todo: iterate?
-    body[0] = body[0].sub(/<\/body>/, "#{@wwwhisper_iframe}</body>")
+    total = []
+    body.each { |part|
+      total << part
+    }
+    total = total.join()
+    if idx = total.rindex('</body>')
+      total.insert(idx, @wwwhisper_iframe)
+      headers['Content-Length'] &&= (headers['Content-Length'].to_i +
+                                     @wwwhisper_iframe_bytesize).to_s
+    end
+    [total]
   end
 
-  def call(env)
-    req = Rack::Request.new(env)
+  def dispatch(orig_req)
+    if orig_req.path =~ %r{^#{@@WWWHISPER_PREFIX}}
+      debug orig_req, "passing request to wwwhisper service #{orig_req.path}"
 
-    req.path_info = Addressable::URI.normalize_path(req.path)
-    if req.path =~ %r{^#{@@WWWHISPER_PREFIX}auth}
-      # Requests to /@@WWWHISPER_PREFIX/auth/ should not be authorized,
-      # every visitor can access login pages.
-      return dispatch(env)
-    end
-    debug req, "sending auth request for #{req.path}"
-    auth_status, auth_headers, auth_body = wwwhisper_auth_request(env, req)
+      config =
+        if orig_req.path =~ %r{^#{@@WWWHISPER_PREFIX}(auth|admin)/api/}
+          @request_config[:api]
+        else
+          @request_config[:assets]
+        end
 
-    case auth_status
-    when 200
-      debug req, "access granted"
-      status, headers, body = dispatch(env)
-      inject_iframe(headers, body) if should_inject_iframe(status, headers)
-      [status, headers, body]
-    when 401, 403
-      login_needed = (auth_status == 401)
-      debug req,  login_needed ? "user not authenticated" : "access_denied"
-      req.path_info = login_needed ? auth_login_path() : auth_denied_path()
-      status, headers, body = dispatch(env)
-      auth_headers['Content-Type'] = headers['Content-Type']
-      # TODO: only here?
-      auth_headers['Content-Encoding'] = headers['Content-Encoding']
-      [auth_status, auth_headers, body]
+      method = orig_req.request_method.capitalize
+      sub_req = sub_request_init(config, orig_req, method, orig_req.fullpath)
+      copy_body(orig_req, sub_req)
+
+      sub_resp = config[:http].request(config[:uri], sub_req)
+      sub_response_to_rack(orig_req, sub_resp)
     else
-      debug req, "auth request failed"
-      [auth_status, auth_headers, auth_body]
+      debug orig_req, 'passing request to Rack stack'
+      @app.call(orig_req.env)
     end
   end
 
-  # TODO: more private
-  private
-
-  def debug(req, message)
-    req.logger.debug "wwwhisper #{message}" if req.logger
-  end
-
 end
 
 end

data/test/test_wwwhisper.rb

@@ -83,31 +83,25 @@ class TestWWWhisper < Test::Unit::TestCase
   def test_login_required
     path = '/foo/bar'
     stub_request(:get, full_url(@wwwhisper.auth_query(path))).
-      to_return(:status => 401, :body => '', :headers => {})
-    stub_request(:get, full_assets_url(@wwwhisper.auth_login_path())).
-      to_return(:status => 200, :body => 'Login required', :headers => {})
+      to_return(:status => 401, :body => 'Login required', :headers => {})
 
     get path
     assert !last_response.ok?
     assert_equal 401, last_response.status
     assert_equal 'Login required', last_response.body
     assert_requested :get, full_url(@wwwhisper.auth_query(path))
-    assert_requested :get, full_assets_url(@wwwhisper.auth_login_path())
   end
 
   def test_request_denied
     path = '/foo/bar'
     stub_request(:get, full_url(@wwwhisper.auth_query(path))).
-      to_return(:status => 403, :body => '', :headers => {})
-    stub_request(:get, full_assets_url(@wwwhisper.auth_denied_path())).
-      to_return(:status => 200, :body => 'Not authorized', :headers => {})
+      to_return(:status => 403, :body => 'Not authorized', :headers => {})
 
     get path
     assert !last_response.ok?
     assert_equal 403, last_response.status
     assert_equal 'Not authorized', last_response.body
     assert_requested :get, full_url(@wwwhisper.auth_query(path))
-    assert_requested :get, full_assets_url(@wwwhisper.auth_denied_path())
   end
 
   def test_iframe_injected_to_html_response
@@ -161,11 +155,12 @@ class TestWWWhisper < Test::Unit::TestCase
     assert_requested :get, full_url(@wwwhisper.auth_query(path))
   end
 
-  def assert_path_normalized(normalized, requested)
+  def assert_path_normalized(normalized, requested, script_name=nil)
     stub_request(:get, full_url(@wwwhisper.auth_query(normalized))).
       to_return(:status => 200, :body => '', :headers => {})
 
-    get requested
+    env = script_name ? { 'SCRIPT_NAME' => script_name } : {}
+    get(requested, {}, env)
     assert last_response.ok?
     assert_equal 'Hello World', last_response.body
     assert_requested :get, full_url(@wwwhisper.auth_query(normalized))
@@ -192,6 +187,19 @@ class TestWWWhisper < Test::Unit::TestCase
     assert_path_normalized '//', '/./././/'
   end
 
+  def test_path_normalization_with_script_name
+    assert_path_normalized '/foo/', '/', '/foo'
+    assert_path_normalized '/foo/bar/hello', '/bar/hello', '/foo'
+
+    assert_path_normalized '/baz/bar/hello', '/bar/hello', '/foo/../baz'
+
+    assert_path_normalized '/foo/baz/bar/hello', 'bar/hello', '/foo/./baz'
+
+    # Not handled too well (see comment above).
+    assert_path_normalized '/foo//', '/', '/foo/'
+    assert_path_normalized '//bar/hello', '/bar/hello', '/foo/..'
+  end
+
   def test_admin_request
     path = '/wwwhisper/admin/api/users/xyz'
     stub_request(:get, full_url(@wwwhisper.auth_query(path))).
@@ -218,22 +226,23 @@ class TestWWWhisper < Test::Unit::TestCase
   end
 
   def test_site_url
-    path = '/foo/bar'
+    path = '/wwwhisper/admin/index.html'
+
     # Site-Url header should be sent to wwwhisper backend but not to
     # assets server.
     stub_request(:get, full_url(@wwwhisper.auth_query(path))).
       with(:headers => {'Site-Url' => "#{SITE_PROTO}://#{SITE_HOST}"}).
-      to_return(:status => 401, :body => '', :headers => {})
-    stub_request(:get, full_assets_url(@wwwhisper.auth_login_path())).
+      to_return(:status => 200, :body => '', :headers => {})
+    stub_request(:get, full_assets_url(path)).
       with { |request| request.headers['Site-Url'] == nil}.
-      to_return(:status => 200, :body => 'Login required', :headers => {})
+      to_return(:status => 200, :body => 'Admin page', :headers => {})
 
     get path
-    assert !last_response.ok?
-    assert_equal 401, last_response.status
-    assert_equal 'Login required', last_response.body
+    assert last_response.ok?
+    assert_equal 200, last_response.status
+    assert_equal 'Admin page', last_response.body
     assert_requested :get, full_url(@wwwhisper.auth_query(path))
-    assert_requested :get, full_assets_url(@wwwhisper.auth_login_path())
+    assert_requested :get, full_assets_url(path)
   end
 
   def test_site_url_with_non_default_port

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: rack-wwwhisper
 version: !ruby/object:Gem::Version
-  version: 1.0.1.pre
+  version: 1.0.2.pre
   prerelease: 6
 platform: ruby
 authors:
@@ -9,7 +9,7 @@ authors:
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2013-01-09 00:00:00.000000000 Z
+date: 2013-01-11 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rack
@@ -129,6 +129,9 @@ required_ruby_version: !ruby/object:Gem::Requirement
   - - ! '>='
     - !ruby/object:Gem::Version
       version: '0'
+      segments:
+      - 0
+      hash: 3933889389209313993
 required_rubygems_version: !ruby/object:Gem::Requirement
   none: false
   requirements: