rack 2.2.8 → 3.0.9

data/lib/rack/auth/digest/params.rb

@@ -1,54 +1 @@
-# frozen_string_literal: true
-
-module Rack
-  module Auth
-    module Digest
-      class Params < Hash
-
-        def self.parse(str)
-          Params[*split_header_value(str).map do |param|
-            k, v = param.split('=', 2)
-            [k, dequote(v)]
-          end.flatten]
-        end
-
-        def self.dequote(str) # From WEBrick::HTTPUtils
-          ret = (/\A"(.*)"\Z/ =~ str) ? $1 : str.dup
-          ret.gsub!(/\\(.)/, "\\1")
-          ret
-        end
-
-        def self.split_header_value(str)
-          str.scan(/\w+\=(?:"[^\"]+"|[^,]+)/n)
-        end
-
-        def initialize
-          super()
-
-          yield self if block_given?
-        end
-
-        def [](k)
-          super k.to_s
-        end
-
-        def []=(k, v)
-          super k.to_s, v.to_s
-        end
-
-        UNQUOTED = ['nc', 'stale']
-
-        def to_s
-          map do |k, v|
-            "#{k}=#{(UNQUOTED.include?(k) ? v.to_s : quote(v))}"
-          end.join(', ')
-        end
-
-        def quote(str) # From WEBrick::HTTPUtils
-          '"' + str.gsub(/[\\\"]/o, "\\\1") + '"'
-        end
-
-      end
-    end
-  end
-end
+require_relative '../digest'

data/lib/rack/auth/digest/request.rb

@@ -1,43 +1 @@
-# frozen_string_literal: true
-
-require_relative '../abstract/request'
-require_relative 'params'
-require_relative 'nonce'
-
-module Rack
-  module Auth
-    module Digest
-      class Request < Auth::AbstractRequest
-        def method
-          @env[RACK_METHODOVERRIDE_ORIGINAL_METHOD] || @env[REQUEST_METHOD]
-        end
-
-        def digest?
-          "digest" == scheme
-        end
-
-        def correct_uri?
-          request.fullpath == uri
-        end
-
-        def nonce
-          @nonce ||= Nonce.parse(params['nonce'])
-        end
-
-        def params
-          @params ||= Params.parse(parts.last)
-        end
-
-        def respond_to?(sym, *)
-          super or params.has_key? sym.to_s
-        end
-
-        def method_missing(sym, *args)
-          return super unless params.has_key?(key = sym.to_s)
-          return params[key] if args.size == 0
-          raise ArgumentError, "wrong number of arguments (#{args.size} for 0)"
-        end
-      end
-    end
-  end
-end
+require_relative '../digest'

data/lib/rack/auth/digest.rb

@@ -0,0 +1,256 @@
+# frozen_string_literal: true
+
+require_relative 'abstract/handler'
+require_relative 'abstract/request'
+require 'digest/md5'
+require 'base64'
+
+module Rack
+  warn "Rack::Auth::Digest is deprecated and will be removed in Rack 3.1", uplevel: 1
+
+  module Auth
+    module Digest
+      # Rack::Auth::Digest::Nonce is the default nonce generator for the
+      # Rack::Auth::Digest::MD5 authentication handler.
+      #
+      # +private_key+ needs to set to a constant string.
+      #
+      # +time_limit+ can be optionally set to an integer (number of seconds),
+      # to limit the validity of the generated nonces.
+
+      class Nonce
+
+        class << self
+          attr_accessor :private_key, :time_limit
+        end
+
+        def self.parse(string)
+          new(*Base64.decode64(string).split(' ', 2))
+        end
+
+        def initialize(timestamp = Time.now, given_digest = nil)
+          @timestamp, @given_digest = timestamp.to_i, given_digest
+        end
+
+        def to_s
+          Base64.encode64("#{@timestamp} #{digest}").strip
+        end
+
+        def digest
+          ::Digest::MD5.hexdigest("#{@timestamp}:#{self.class.private_key}")
+        end
+
+        def valid?
+          digest == @given_digest
+        end
+
+        def stale?
+          !self.class.time_limit.nil? && (Time.now.to_i - @timestamp) > self.class.time_limit
+        end
+
+        def fresh?
+          !stale?
+        end
+
+      end
+
+      class Params < Hash
+
+        def self.parse(str)
+          Params[*split_header_value(str).map do |param|
+            k, v = param.split('=', 2)
+            [k, dequote(v)]
+          end.flatten]
+        end
+
+        def self.dequote(str) # From WEBrick::HTTPUtils
+          ret = (/\A"(.*)"\Z/ =~ str) ? $1 : str.dup
+          ret.gsub!(/\\(.)/, "\\1")
+          ret
+        end
+
+        def self.split_header_value(str)
+          str.scan(/\w+\=(?:"[^\"]+"|[^,]+)/n)
+        end
+
+        def initialize
+          super()
+
+          yield self if block_given?
+        end
+
+        def [](k)
+          super k.to_s
+        end
+
+        def []=(k, v)
+          super k.to_s, v.to_s
+        end
+
+        UNQUOTED = ['nc', 'stale']
+
+        def to_s
+          map do |k, v|
+            "#{k}=#{(UNQUOTED.include?(k) ? v.to_s : quote(v))}"
+          end.join(', ')
+        end
+
+        def quote(str) # From WEBrick::HTTPUtils
+          '"' + str.gsub(/[\\\"]/o, "\\\1") + '"'
+        end
+
+      end
+
+      class Request < Auth::AbstractRequest
+        def method
+          @env[RACK_METHODOVERRIDE_ORIGINAL_METHOD] || @env[REQUEST_METHOD]
+        end
+
+        def digest?
+          "digest" == scheme
+        end
+
+        def correct_uri?
+          request.fullpath == uri
+        end
+
+        def nonce
+          @nonce ||= Nonce.parse(params['nonce'])
+        end
+
+        def params
+          @params ||= Params.parse(parts.last)
+        end
+
+        def respond_to?(sym, *)
+          super or params.has_key? sym.to_s
+        end
+
+        def method_missing(sym, *args)
+          return super unless params.has_key?(key = sym.to_s)
+          return params[key] if args.size == 0
+          raise ArgumentError, "wrong number of arguments (#{args.size} for 0)"
+        end
+      end
+
+      # Rack::Auth::Digest::MD5 implements the MD5 algorithm version of
+      # HTTP Digest Authentication, as per RFC 2617.
+      #
+      # Initialize with the [Rack] application that you want protecting,
+      # and a block that looks up a plaintext password for a given username.
+      #
+      # +opaque+ needs to be set to a constant base64/hexadecimal string.
+      #
+      class MD5 < AbstractHandler
+
+        attr_accessor :opaque
+
+        attr_writer :passwords_hashed
+
+        def initialize(app, realm = nil, opaque = nil, &authenticator)
+          @passwords_hashed = nil
+          if opaque.nil? and realm.respond_to? :values_at
+            realm, opaque, @passwords_hashed = realm.values_at :realm, :opaque, :passwords_hashed
+          end
+          super(app, realm, &authenticator)
+          @opaque = opaque
+        end
+
+        def passwords_hashed?
+          !!@passwords_hashed
+        end
+
+        def call(env)
+          auth = Request.new(env)
+
+          unless auth.provided?
+            return unauthorized
+          end
+
+          if !auth.digest? || !auth.correct_uri? || !valid_qop?(auth)
+            return bad_request
+          end
+
+          if valid?(auth)
+            if auth.nonce.stale?
+              return unauthorized(challenge(stale: true))
+            else
+              env['REMOTE_USER'] = auth.username
+
+              return @app.call(env)
+            end
+          end
+
+          unauthorized
+        end
+
+
+        private
+
+        QOP = 'auth'
+
+        def params(hash = {})
+          Params.new do |params|
+            params['realm'] = realm
+            params['nonce'] = Nonce.new.to_s
+            params['opaque'] = H(opaque)
+            params['qop'] = QOP
+
+            hash.each { |k, v| params[k] = v }
+          end
+        end
+
+        def challenge(hash = {})
+          "Digest #{params(hash)}"
+        end
+
+        def valid?(auth)
+          valid_opaque?(auth) && valid_nonce?(auth) && valid_digest?(auth)
+        end
+
+        def valid_qop?(auth)
+          QOP == auth.qop
+        end
+
+        def valid_opaque?(auth)
+          H(opaque) == auth.opaque
+        end
+
+        def valid_nonce?(auth)
+          auth.nonce.valid?
+        end
+
+        def valid_digest?(auth)
+          pw = @authenticator.call(auth.username)
+          pw && Rack::Utils.secure_compare(digest(auth, pw), auth.response)
+        end
+
+        def md5(data)
+          ::Digest::MD5.hexdigest(data)
+        end
+
+        alias :H :md5
+
+        def KD(secret, data)
+          H "#{secret}:#{data}"
+        end
+
+        def A1(auth, password)
+          "#{auth.username}:#{auth.realm}:#{password}"
+        end
+
+        def A2(auth)
+          "#{auth.method}:#{auth.uri}"
+        end
+
+        def digest(auth, password)
+          password_hash = passwords_hashed? ? password : H(A1(auth, password))
+
+          KD password_hash, "#{auth.nonce}:#{auth.nc}:#{auth.cnonce}:#{QOP}:#{H A2(auth)}"
+        end
+
+      end
+    end
+  end
+end
+

data/lib/rack/body_proxy.rb

@@ -24,7 +24,7 @@ module Rack
       return if @closed
       @closed = true
       begin
-        @body.close if @body.respond_to? :close
+        @body.close if @body.respond_to?(:close)
       ensure
         @block.call
       end
@@ -40,6 +40,8 @@ module Rack
     def method_missing(method_name, *args, &block)
       @body.__send__(method_name, *args, &block)
     end
+    # :nocov:
     ruby2_keywords(:method_missing) if respond_to?(:ruby2_keywords, true)
+    # :nocov:
   end
 end

data/lib/rack/builder.rb

@@ -1,35 +1,35 @@
 # frozen_string_literal: true
 
+require_relative 'urlmap'
+
 module Rack
-  # Rack::Builder implements a small DSL to iteratively construct Rack
-  # applications.
+  # Rack::Builder provides a domain-specific language (DSL) to construct Rack
+  # applications. It is primarily used to parse +config.ru+ files which
+  # instantiate several middleware and a final application which are hosted
+  # by a Rack-compatible web server.
   #
   # Example:
   #
-  #  require 'rack/lobster'
-  #  app = Rack::Builder.new do
-  #    use Rack::CommonLogger
-  #    use Rack::ShowExceptions
-  #    map "/lobster" do
-  #      use Rack::Lint
-  #      run Rack::Lobster.new
-  #    end
-  #  end
+  #   app = Rack::Builder.new do
+  #     use Rack::CommonLogger
+  #     map "/ok" do
+  #       run lambda { |env| [200, {'content-type' => 'text/plain'}, ['OK']] }
+  #     end
+  #   end
   #
-  #  run app
+  #   run app
   #
   # Or
   #
-  #  app = Rack::Builder.app do
-  #    use Rack::CommonLogger
-  #    run lambda { |env| [200, {'Content-Type' => 'text/plain'}, ['OK']] }
-  #  end
+  #   app = Rack::Builder.app do
+  #     use Rack::CommonLogger
+  #     run lambda { |env| [200, {'content-type' => 'text/plain'}, ['OK']] }
+  #   end
   #
-  #  run app
+  #   run app
   #
   # +use+ adds middleware to the stack, +run+ dispatches to an application.
   # You can use +map+ to construct a Rack::URLMap in a convenient way.
-
   class Builder
 
     # https://stackoverflow.com/questions/2223882/whats-the-difference-between-utf-8-and-utf-8-without-bom
@@ -39,13 +39,11 @@ module Rack
     #
     # If the config file ends in +.ru+, it is treated as a
     # rackup file and the contents will be treated as if
-    # specified inside a Rack::Builder block, using the given
-    # options.
+    # specified inside a Rack::Builder block.
     #
     # If the config file does not end in +.ru+, it is
     # required and Rack will use the basename of the file
     # to guess which constant will be the Rack application to run.
-    # The options given will be ignored in this case.
     #
     # Examples:
     #
@@ -61,23 +59,18 @@ module Rack
     #   # requires ./my_app.rb, which should be in the
     #   # process's current directory.  After requiring,
     #   # assumes MyApp constant contains Rack application
-    def self.parse_file(config, opts = Server::Options.new)
-      if config.end_with?('.ru')
-        return self.load_file(config, opts)
+    def self.parse_file(path)
+      if path.end_with?('.ru')
+        return self.load_file(path)
       else
-        require config
-        app = Object.const_get(::File.basename(config, '.rb').split('_').map(&:capitalize).join(''))
-        return app, {}
+        require path
+        return Object.const_get(::File.basename(path, '.rb').split('_').map(&:capitalize).join(''))
       end
     end
 
     # Load the given file as a rackup file, treating the
     # contents as if specified inside a Rack::Builder block.
     #
-    # Treats the first comment at the beginning of a line
-    # that starts with a backslash as options similar to
-    # options passed on a rackup command line.
-    #
     # Ignores content in the file after +__END__+, so that
     # use of +__END__+ will not result in a syntax error.
     #
@@ -85,26 +78,20 @@ module Rack
     #
     #   $ cat config.ru
     #
-    #   #\ -p 9393
-    #
     #   use Rack::ContentLength
     #   require './app.rb'
     #   run App
-    def self.load_file(path, opts = Server::Options.new)
-      options = {}
-
-      cfgfile = ::File.read(path)
-      cfgfile.slice!(/\A#{UTF_8_BOM}/) if cfgfile.encoding == Encoding::UTF_8
+    def self.load_file(path)
+      config = ::File.read(path)
+      config.slice!(/\A#{UTF_8_BOM}/) if config.encoding == Encoding::UTF_8
 
-      if cfgfile[/^#\\(.*)/] && opts
-        warn "Parsing options from the first comment line is deprecated!"
-        options = opts.parse! $1.split(/\s+/)
+      if config[/^#\\(.*)/]
+        fail "Parsing options from the first comment line is no longer supported: #{path}"
       end
 
-      cfgfile.sub!(/^__END__\n.*\Z/m, '')
-      app = new_from_string cfgfile, path
+      config.sub!(/^__END__\n.*\Z/m, '')
 
-      return app, options
+      return new_from_string(config, path)
     end
 
     # Evaluate the given +builder_script+ string in the context of
@@ -114,14 +101,20 @@ module Rack
       # We cannot use instance_eval(String) as that would resolve constants differently.
       binding, builder = TOPLEVEL_BINDING.eval('Rack::Builder.new.instance_eval { [binding, self] }')
       eval builder_script, binding, file
-      builder.to_app
+
+      return builder.to_app
     end
 
     # Initialize a new Rack::Builder instance.  +default_app+ specifies the
     # default application if +run+ is not called later.  If a block
-    # is given, it is evaluted in the context of the instance.
+    # is given, it is evaluated in the context of the instance.
     def initialize(default_app = nil, &block)
-      @use, @map, @run, @warmup, @freeze_app = [], nil, default_app, nil, false
+      @use = []
+      @map = nil
+      @run = default_app
+      @warmup = nil
+      @freeze_app = false
+
       instance_eval(&block) if block_given?
     end
 
@@ -145,7 +138,7 @@ module Rack
     #   end
     #
     #   use Middleware
-    #   run lambda { |env| [200, { "Content-Type" => "text/plain" }, ["OK"]] }
+    #   run lambda { |env| [200, { "content-type" => "text/plain" }, ["OK"]] }
     #
     # All requests through to this application will first be processed by the middleware class.
     # The +call+ method in this example sets an additional environment key which then can be
@@ -157,24 +150,37 @@ module Rack
       end
       @use << proc { |app| middleware.new(app, *args, &block) }
     end
+    # :nocov:
     ruby2_keywords(:use) if respond_to?(:ruby2_keywords, true)
+    # :nocov:
 
-    # Takes an argument that is an object that responds to #call and returns a Rack response.
-    # The simplest form of this is a lambda object:
+    # Takes a block or argument that is an object that responds to #call and
+    # returns a Rack response.
+    #
+    # You can use a block:
+    #
+    #   run do |env|
+    #     [200, { "content-type" => "text/plain" }, ["Hello World!"]]
+    #   end
+    #
+    # You can also provide a lambda:
     #
-    #   run lambda { |env| [200, { "Content-Type" => "text/plain" }, ["OK"]] }
+    #   run lambda { |env| [200, { "content-type" => "text/plain" }, ["OK"]] }
     #
-    # However this could also be a class:
+    # You can also provide a class instance:
     #
     #   class Heartbeat
-    #     def self.call(env)
-    #      [200, { "Content-Type" => "text/plain" }, ["OK"]]
+    #     def call(env)
+    #      [200, { "content-type" => "text/plain" }, ["OK"]]
     #     end
     #   end
     #
-    #   run Heartbeat
-    def run(app)
-      @run = app
+    #   run Heartbeat.new
+    #
+    def run(app = nil, &block)
+      raise ArgumentError, "Both app and block given!" if app && block_given?
+
+      @run = app || block
     end
 
     # Takes a lambda or block that is used to warm-up the application. This block is called
@@ -195,21 +201,35 @@ module Rack
     # the Rack application specified by run inside the block.  Other requests will be sent to the
     # default application specified by run outside the block.
     #
-    #   Rack::Builder.app do
+    #   class App
+    #     def call(env)
+    #       [200, {'content-type' => 'text/plain'}, ["Hello World"]]
+    #     end
+    #   end
+    #
+    #   class Heartbeat
+    #     def call(env)
+    #       [200, { "content-type" => "text/plain" }, ["OK"]]
+    #     end
+    #   end
+    #
+    #   app = Rack::Builder.app do
     #     map '/heartbeat' do
-    #       run Heartbeat
+    #       run Heartbeat.new
     #     end
-    #     run App
+    #     run App.new
     #   end
     #
+    #   run app
+    #
     # The +use+ method can also be used inside the block to specify middleware to run under a specific path:
     #
-    #   Rack::Builder.app do
+    #   app = Rack::Builder.app do
     #     map '/heartbeat' do
     #       use Middleware
-    #       run Heartbeat
+    #       run Heartbeat.new
     #     end
-    #     run App
+    #     run App.new
     #   end
     #
     # This example includes a piece of middleware which will run before +/heartbeat+ requests hit +Heartbeat+.

data/lib/rack/cascade.rb

@@ -1,5 +1,7 @@
 # frozen_string_literal: true
 
+require_relative 'constants'
+
 module Rack
   # Rack::Cascade tries a request on several apps, and returns the
   # first response that is not 404 or 405 (or in a list of configured

data/lib/rack/chunked.rb

@@ -1,22 +1,26 @@
 # frozen_string_literal: true
 
+require_relative 'constants'
+require_relative 'utils'
+
 module Rack
+  warn "Rack::Chunked is deprecated and will be removed in Rack 3.1", uplevel: 1
 
   # Middleware that applies chunked transfer encoding to response bodies
-  # when the response does not include a Content-Length header.
+  # when the response does not include a content-length header.
   #
-  # This supports the Trailer response header to allow the use of trailing
+  # This supports the trailer response header to allow the use of trailing
   # headers in the chunked encoding.  However, using this requires you manually
   # specify a response body that supports a +trailers+ method.  Example:
   #
-  #   [200, { 'Trailer' => 'Expires'}, ["Hello", "World"]]
+  #   [200, { 'trailer' => 'expires'}, ["Hello", "World"]]
   #   # error raised
   #
   #   body = ["Hello", "World"]
   #   def body.trailers
-  #     { 'Expires' => Time.now.to_s }
+  #     { 'expires' => Time.now.to_s }
   #   end
-  #   [200, { 'Trailer' => 'Expires'}, body]
+  #   [200, { 'trailer' => 'expires'}, body]
   #   # No exception raised
   class Chunked
     include Rack::Utils
@@ -92,11 +96,10 @@ module Rack
     end
 
     # If the rack app returns a response that should have a body,
-    # but does not have Content-Length or Transfer-Encoding headers,
-    # modify the response to use chunked Transfer-Encoding.
+    # but does not have content-length or transfer-encoding headers,
+    # modify the response to use chunked transfer-encoding.
     def call(env)
-      status, headers, body = @app.call(env)
-      headers = HeaderHash[headers]
+      status, headers, body = response = @app.call(env)
 
       if chunkable_version?(env[SERVER_PROTOCOL]) &&
          !STATUS_WITH_NO_ENTITY_BODY.key?(status.to_i) &&
@@ -104,14 +107,14 @@ module Rack
          !headers[TRANSFER_ENCODING]
 
         headers[TRANSFER_ENCODING] = 'chunked'
-        if headers['Trailer']
-          body = TrailerBody.new(body)
+        if headers['trailer']
+          response[2] = TrailerBody.new(body)
         else
-          body = Body.new(body)
+          response[2] = Body.new(body)
         end
       end
 
-      [status, headers, body]
+      response
     end
   end
 end