unicorn 4.7.0 → 6.0.0

data/lib/unicorn/ssl_configurator.rb

@@ -1,104 +0,0 @@
-# -*- encoding: binary -*-
-# :stopdoc:
-# This module is included in Unicorn::Configurator
-# :startdoc:
-#
-module Unicorn::SSLConfigurator
-  def ssl(&block)
-    ssl_require!
-    before = @set[:listeners].dup
-    opts = @set[:ssl_opts] = {}
-    yield
-    (@set[:listeners] - before).each do |address|
-      (@set[:listener_opts][address] ||= {})[:ssl_opts] = opts
-    end
-    ensure
-      @set.delete(:ssl_opts)
-  end
-
-  def ssl_certificate(file)
-    ssl_set(:ssl_certificate, file)
-  end
-
-  def ssl_certificate_key(file)
-    ssl_set(:ssl_certificate_key, file)
-  end
-
-  def ssl_client_certificate(file)
-    ssl_set(:ssl_client_certificate, file)
-  end
-
-  def ssl_dhparam(file)
-    ssl_set(:ssl_dhparam, file)
-  end
-
-  def ssl_ciphers(openssl_cipherlist_spec)
-    ssl_set(:ssl_ciphers, openssl_cipherlist_spec)
-  end
-
-  def ssl_crl(file)
-    ssl_set(:ssl_crl, file)
-  end
-
-  def ssl_prefer_server_ciphers(bool)
-    ssl_set(:ssl_prefer_server_ciphers, check_bool(bool))
-  end
-
-  def ssl_protocols(list)
-    ssl_set(:ssl_protocols, list)
-  end
-
-  def ssl_verify_client(on_off_optional)
-    ssl_set(:ssl_verify_client, on_off_optional)
-  end
-
-  def ssl_session_timeout(seconds)
-    ssl_set(:ssl_session_timeout, seconds)
-  end
-
-  def ssl_verify_depth(depth)
-    ssl_set(:ssl_verify_depth, depth)
-  end
-
-  # Allows specifying an engine for OpenSSL to use.  We have not been
-  # able to successfully test this feature due to a lack of hardware,
-  # Reports of success or patches to mongrel-unicorn@rubyforge.org is
-  # greatly appreciated.
-  def ssl_engine(engine)
-    ssl_warn_global(:ssl_engine)
-    ssl_require!
-    OpenSSL::Engine.load
-    OpenSSL::Engine.by_id(engine)
-    @set[:ssl_engine] = engine
-  end
-
-  def ssl_compression(bool)
-    # OpenSSL uses the SSL_OP_NO_COMPRESSION flag, Flipper follows suit
-    # with :ssl_no_compression, but we negate it to avoid exposing double
-    # negatives to the user.
-    ssl_set(:ssl_no_compression, check_bool(:ssl_compression, ! bool))
-  end
-
-private
-
-  def ssl_warn_global(func) # :nodoc:
-    Hash === @set[:ssl_opts] or return
-    warn("`#{func}' affects all SSL contexts in this process, " \
-         "not just this block")
-  end
-
-  def ssl_set(key, value) # :nodoc:
-    cur = @set[:ssl_opts]
-    Hash === cur or
-             raise ArgumentError, "#{key} must be called inside an `ssl' block"
-    cur[key] = value
-  end
-
-  def ssl_require! # :nodoc:
-    require "flipper"
-    require "unicorn/ssl_client"
-    rescue LoadError
-      warn "install 'kgio-monkey' for SSL support"
-      raise
-  end
-end

data/lib/unicorn/ssl_server.rb

@@ -1,42 +0,0 @@
-# -*- encoding: binary -*-
-# :stopdoc:
-# this module is meant to be included in Unicorn::HttpServer
-# It is an implementation detail and NOT meant for users.
-module Unicorn::SSLServer
-  attr_accessor :ssl_engine
-
-  def ssl_enable!
-    sni_hostnames = rack_sni_hostnames(@app)
-    seen = {} # we map a single SSLContext to multiple listeners
-    listener_ctx = {}
-    @listener_opts.each do |address, address_opts|
-      ssl_opts = address_opts[:ssl_opts] or next
-      listener_ctx[address] = seen[ssl_opts.object_id] ||= begin
-        unless sni_hostnames.empty?
-          ssl_opts = ssl_opts.dup
-          ssl_opts[:sni_hostnames] = sni_hostnames
-        end
-        ctx = Flipper.ssl_context(ssl_opts)
-        # FIXME: make configurable
-        ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF
-        ctx
-      end
-    end
-    Unicorn::HttpServer::LISTENERS.each do |listener|
-      ctx = listener_ctx[sock_name(listener)] or next
-      listener.extend(Kgio::SSLServer)
-      listener.ssl_ctx = ctx
-      listener.kgio_ssl_class = Unicorn::SSLClient
-    end
-  end
-
-  # ugh, this depends on Rack internals...
-  def rack_sni_hostnames(rack_app) # :nodoc:
-    hostnames = {}
-    if Rack::URLMap === rack_app
-      mapping = rack_app.instance_variable_get(:@mapping)
-      mapping.each { |hostname,_,_,_| hostnames[hostname] = true }
-    end
-    hostnames.keys
-  end
-end

data/local.mk.sample

@@ -1,59 +0,0 @@
-# this is the local.mk file used by Eric Wong on his dev boxes.
-# GNUmakefile will source local.mk in the top-level source tree
-# if it is present.
-#
-# This is depends on a bunch of GNU-isms from bash, sed, touch.
-
-DLEXT := so
-
-# Avoid loading rubygems to speed up tests because gmake is
-# fork+exec heavy with Ruby.
-prefix = $(HOME)
-
-# XXX clean this up
-ifeq ($(r192),)
-  ifeq ($(r19),)
-    ifeq ($(rbx),)
-      ifeq ($(r186),)
-        RUBY := $(prefix)/bin/ruby
-      else
-        prefix := $(prefix)/r186-p114
-        export PATH := $(prefix)/bin:$(PATH)
-        RUBY := $(prefix)/bin/ruby
-      endif
-    else
-      prefix := $(prefix)/rbx
-      export PATH := $(prefix)/bin:$(PATH)
-      RUBY := $(prefix)/bin/rbx
-    endif
-  else
-    prefix := $(prefix)/ruby-1.9
-    export PATH := $(prefix)/bin:$(PATH)
-    RUBY := $(prefix)/bin/ruby --disable-gems
-  endif
-else
-  prefix := $(prefix)/ruby-1.9.2
-  export PATH := $(prefix)/bin:$(PATH)
-  RUBY := $(prefix)/bin/ruby --disable-gems
-endif
-
-# pipefail is THE reason to use bash (v3+) or never revisions of ksh93
-# SHELL := /bin/bash -e -o pipefail
-SHELL := /bin/ksh93 -e -o pipefail
-
-full-test: test-18 test-191 test-192 test-rbx test-186
-
-# FIXME: keep eye on Rubinius activity and wait for fixes from upstream
-# so we don't need RBX_SKIP anymore
-test-rbx: export RBX_SKIP := 1
-test-rbx: export RUBY := $(RUBY)
-test-rbx:
-	$(MAKE) test test-integration rbx=T 2>&1 |sed -e 's!^!rbx !'
-test-186:
-	$(MAKE) test-all r186=1 2>&1 |sed 's!^!1.8.6 !'
-test-18:
-	$(MAKE) test-all 2>&1 |sed 's!^!1.8 !'
-test-191:
-	$(MAKE) test-all r19=1 2>&1 |sed 's!^!1.9.1 !'
-test-192:
-	$(MAKE) test-all r192=1 2>&1 |sed 's!^!1.9.2 !'

data/script/isolate_for_tests

@@ -1,32 +0,0 @@
-#!/usr/bin/env ruby
-# scripts/Makefiles can read and eval the output of this script and
-# use it as RUBYLIB
-require 'rubygems'
-require 'isolate'
-fp = File.open(__FILE__, "rb")
-fp.flock(File::LOCK_EX)
-
-ruby_engine = defined?(RUBY_ENGINE) ? RUBY_ENGINE : 'ruby'
-opts = {
-  :system => false,
-  # we want "ruby-1.8.7" and not "ruby-1.8", so disable :multiruby
-  :multiruby => false,
-  :path => "tmp/isolate/#{ruby_engine}-#{RUBY_VERSION}",
-}
-
-pid = fork do
-  Isolate.now!(opts) do
-    gem 'raindrops', '0.12.0'
-    gem 'kgio-monkey', '0.4.0'
-    gem 'kgio', '2.8.1'
-    gem 'rack', '1.5.2'
-  end
-end
-_, status = Process.waitpid2(pid)
-status.success? or abort status.inspect
-lib_paths = Dir["#{opts[:path]}/gems/*-*/lib"].map { |x| File.expand_path(x) }
-dst = "tmp/isolate/#{ruby_engine}-#{RUBY_VERSION}.mk"
-File.open("#{dst}.#$$", "w") do |fp|
-  fp.puts "ISOLATE_LIBS=#{lib_paths.join(':')}"
-end
-File.rename("#{dst}.#$$", dst)

data/t/hijack.ru

@@ -1,42 +0,0 @@
-use Rack::Lint
-use Rack::ContentLength
-use Rack::ContentType, "text/plain"
-class DieIfUsed
-  def each
-    abort "body.each called after response hijack\n"
-  end
-
-  def close
-    abort "body.close called after response hijack\n"
-  end
-end
-run lambda { |env|
-  case env["PATH_INFO"]
-  when "/hijack_req"
-    if env["rack.hijack?"]
-      io = env["rack.hijack"].call
-      if io.respond_to?(:read_nonblock) &&
-         env["rack.hijack_io"].respond_to?(:read_nonblock)
-
-        # exercise both, since we Rack::Lint may use different objects
-        env["rack.hijack_io"].write("HTTP/1.0 200 OK\r\n\r\n")
-        io.write("request.hijacked")
-        io.close
-        return [ 500, {}, DieIfUsed.new ]
-      end
-    end
-    [ 500, {}, [ "hijack BAD\n" ] ]
-  when "/hijack_res"
-    r = "response.hijacked"
-    [ 200,
-      {
-        "Content-Length" => r.bytesize.to_s,
-        "rack.hijack" => proc do |io|
-          io.write(r)
-          io.close
-        end
-      },
-      DieIfUsed.new
-    ]
-  end
-}

data/t/sslgen.sh

@@ -1,71 +0,0 @@
-#!/bin/sh
-set -e
-
-lock=$0.lock
-while ! mkdir $lock 2>/dev/null
-do
-	echo >&2 "PID=$$ waiting for $lock"
-	sleep 1
-done
-pid=$$
-trap 'if test $$ -eq $pid; then rmdir $lock; fi' EXIT
-
-certinfo() {
-	echo US
-	echo Hell
-	echo A Very Special Place
-	echo Monkeys
-	echo Poo-Flingers
-	echo 127.0.0.1
-	echo kgio@bogomips.org
-}
-
-certinfo2() {
-	certinfo
-	echo
-	echo
-}
-
-ca_certinfo () {
-	echo US
-	echo Hell
-	echo An Even More Special Place
-	echo Deranged Monkeys
-	echo Poo-Hurlers
-	echo 127.6.6.6
-	echo unicorn@bogomips.org
-}
-
-openssl genrsa -out ca.key 1024
-ca_certinfo | openssl req -new -x509 -days 666 -key ca.key -out ca.crt
-
-openssl genrsa -out bad-ca.key 1024
-ca_certinfo | openssl req -new -x509 -days 666 -key bad-ca.key -out bad-ca.crt
-
-openssl genrsa -out server.key 1024
-certinfo2 | openssl req -new -key server.key -out server.csr
-
-openssl x509 -req -days 666 \
-	-in server.csr -CA ca.crt -CAkey ca.key -set_serial 1 -out server.crt
-n=2
-mk_client_cert () {
-	CLIENT=$1
-	openssl genrsa -out $CLIENT.key 1024
-	certinfo2 | openssl req -new -key $CLIENT.key -out $CLIENT.csr
-
-	openssl x509 -req -days 666 \
-		-in $CLIENT.csr -CA $CA.crt -CAkey $CA.key -set_serial $n \
-		-out $CLIENT.crt
-	rm -f $CLIENT.csr
-	n=$(($n + 1))
-}
-
-CA=ca
-mk_client_cert client1
-mk_client_cert client2
-
-CA=bad-ca mk_client_cert bad-client
-
-rm -f server.csr
-
-echo OK

data/t/t0016-trust-x-forwarded-false.sh

@@ -1,30 +0,0 @@
-#!/bin/sh
-. ./test-lib.sh
-t_plan 5 "trust_x_forwarded=false configuration test"
-
-t_begin "setup and start" && {
-	unicorn_setup
-	echo "trust_x_forwarded false" >> $unicorn_config
-	unicorn -D -c $unicorn_config env.ru
-	unicorn_wait_start
-}
-
-t_begin "spoofed request with X-Forwarded-Proto does not trigger" && {
-	curl -H 'X-Forwarded-Proto: https' http://$listen/ | \
-		grep -F '"rack.url_scheme"=>"http"'
-}
-
-t_begin "spoofed request with X-Forwarded-SSL does not trigger" && {
-	curl -H 'X-Forwarded-SSL: on' http://$listen/ | \
-		grep -F '"rack.url_scheme"=>"http"'
-}
-
-t_begin "killing succeeds" && {
-	kill $unicorn_pid
-}
-
-t_begin "check stderr has no errors" && {
-	check_stderr
-}
-
-t_done

data/t/t0017-trust-x-forwarded-true.sh

@@ -1,30 +0,0 @@
-#!/bin/sh
-. ./test-lib.sh
-t_plan 5 "trust_x_forwarded=true configuration test"
-
-t_begin "setup and start" && {
-	unicorn_setup
-	echo "trust_x_forwarded true " >> $unicorn_config
-	unicorn -D -c $unicorn_config env.ru
-	unicorn_wait_start
-}
-
-t_begin "spoofed request with X-Forwarded-Proto sets 'https'" && {
-	curl -H 'X-Forwarded-Proto: https' http://$listen/ | \
-		grep -F '"rack.url_scheme"=>"https"'
-}
-
-t_begin "spoofed request with X-Forwarded-SSL sets 'https'" && {
-	curl -H 'X-Forwarded-SSL: on' http://$listen/ | \
-		grep -F '"rack.url_scheme"=>"https"'
-}
-
-t_begin "killing succeeds" && {
-	kill $unicorn_pid
-}
-
-t_begin "check stderr has no errors" && {
-	check_stderr
-}
-
-t_done

data/t/t0200-rack-hijack.sh

@@ -1,27 +0,0 @@
-#!/bin/sh
-. ./test-lib.sh
-t_plan 5 "rack.hijack tests (Rack 1.5+ (Rack::VERSION >= [ 1,2]))"
-
-t_begin "setup and start" && {
-	unicorn_setup
-	unicorn -D -c $unicorn_config hijack.ru
-	unicorn_wait_start
-}
-
-t_begin "check request hijack" && {
-	test "xrequest.hijacked" = x"$(curl -sSfv http://$listen/hijack_req)"
-}
-
-t_begin "check response hijack" && {
-	test "xresponse.hijacked" = x"$(curl -sSfv http://$listen/hijack_res)"
-}
-
-t_begin "killing succeeds" && {
-	kill $unicorn_pid
-}
-
-t_begin "check stderr" && {
-	check_stderr
-}
-
-t_done

data/t/t0600-https-server-basic.sh

@@ -1,48 +0,0 @@
-#!/bin/sh
-. ./test-lib.sh
-t_plan 7 "simple HTTPS connection tests"
-
-t_begin "setup and start" && {
-	rtmpfiles curl_err
-	unicorn_setup
-cat > $unicorn_config <<EOF
-ssl do
-  listen "$listen"
-  ssl_certificate "server.crt"
-  ssl_certificate_key "server.key"
-end
-pid "$pid"
-stderr_path "$r_err"
-stdout_path "$r_out"
-EOF
-	unicorn -D -c $unicorn_config env.ru
-	unicorn_wait_start
-}
-
-t_begin "single request" && {
-	curl -sSfv --cacert ca.crt https://$listen/
-}
-
-t_begin "check stderr has no errors" && {
-	check_stderr
-}
-
-t_begin "multiple requests" && {
-	curl -sSfv --no-keepalive --cacert ca.crt \
-		https://$listen/ https://$listen/ 2>> $curl_err >> $tmp
-		dbgcat curl_err
-}
-
-t_begin "check stderr has no errors" && {
-	check_stderr
-}
-
-t_begin "killing succeeds" && {
-	kill $unicorn_pid
-}
-
-t_begin "check stderr has no errors" && {
-	check_stderr
-}
-
-t_done

data/test/unit/test_http_parser_xftrust.rb

@@ -1,38 +0,0 @@
-# -*- encoding: binary -*-
-require 'test/test_helper'
-
-include Unicorn
-
-class HttpParserXFTrustTest < Test::Unit::TestCase
-  def setup
-    assert HttpParser.trust_x_forwarded?
-  end
-
-  def test_xf_trust_false_xfp
-    HttpParser.trust_x_forwarded = false
-    parser = HttpParser.new
-    parser.buf << "GET / HTTP/1.1\r\nHost: foo:\r\n" \
-                  "X-Forwarded-Proto: https\r\n\r\n"
-    env = parser.parse
-    assert_kind_of Hash, env
-    assert_equal 'foo', env['SERVER_NAME']
-    assert_equal '80', env['SERVER_PORT']
-    assert_equal 'http', env['rack.url_scheme']
-  end
-
-  def test_xf_trust_false_xfs
-    HttpParser.trust_x_forwarded = false
-    parser = HttpParser.new
-    parser.buf << "GET / HTTP/1.1\r\nHost: foo:\r\n" \
-                  "X-Forwarded-SSL: on\r\n\r\n"
-    env = parser.parse
-    assert_kind_of Hash, env
-    assert_equal 'foo', env['SERVER_NAME']
-    assert_equal '80', env['SERVER_PORT']
-    assert_equal 'http', env['rack.url_scheme']
-  end
-
-  def teardown
-    HttpParser.trust_x_forwarded = true
-  end
-end

data/test/unit/test_sni_hostnames.rb

@@ -1,47 +0,0 @@
-# -*- encoding: binary -*-
-require "test/unit"
-require "unicorn"
-
-# this tests an implementation detail, it may change so this test
-# can be removed later.
-class TestSniHostnames < Test::Unit::TestCase
-  include Unicorn::SSLServer
-
-  def setup
-    GC.start
-  end
-
-  def teardown
-    GC.start
-  end
-
-  def test_host_name_detect_one
-    app = Rack::Builder.new do
-      map "http://sni1.example.com/" do
-        use Rack::ContentLength
-        use Rack::ContentType, "text/plain"
-        run lambda { |env| [ 200, {}, [] ] }
-      end
-    end.to_app
-    hostnames = rack_sni_hostnames(app)
-    assert hostnames.include?("sni1.example.com")
-  end
-
-  def test_host_name_detect_multiple
-    app = Rack::Builder.new do
-      map "http://sni2.example.com/" do
-        use Rack::ContentLength
-        use Rack::ContentType, "text/plain"
-        run lambda { |env| [ 200, {}, [] ] }
-      end
-      map "http://sni3.example.com/" do
-        use Rack::ContentLength
-        use Rack::ContentType, "text/plain"
-        run lambda { |env| [ 200, {}, [] ] }
-      end
-    end.to_app
-    hostnames = rack_sni_hostnames(app)
-    assert hostnames.include?("sni2.example.com")
-    assert hostnames.include?("sni3.example.com")
-  end
-end