unicorn 4.9.0 → 5.0.0

data/lib/unicorn/ssl_client.rb

@@ -1,11 +0,0 @@
-# -*- encoding: binary -*-
-# :stopdoc:
-class Unicorn::SSLClient < Kgio::SSL
-  alias write kgio_write
-  alias close kgio_close
-
-  # this is no-op for now, to be fixed in kgio-monkey if people care
-  # about SSL support...
-  def shutdown(how = nil)
-  end
-end

data/lib/unicorn/ssl_configurator.rb

@@ -1,104 +0,0 @@
-# -*- encoding: binary -*-
-# :stopdoc:
-# This module is included in Unicorn::Configurator
-# :startdoc:
-#
-module Unicorn::SSLConfigurator
-  def ssl(&block)
-    ssl_require!
-    before = @set[:listeners].dup
-    opts = @set[:ssl_opts] = {}
-    yield
-    (@set[:listeners] - before).each do |address|
-      (@set[:listener_opts][address] ||= {})[:ssl_opts] = opts
-    end
-    ensure
-      @set.delete(:ssl_opts)
-  end
-
-  def ssl_certificate(file)
-    ssl_set(:ssl_certificate, file)
-  end
-
-  def ssl_certificate_key(file)
-    ssl_set(:ssl_certificate_key, file)
-  end
-
-  def ssl_client_certificate(file)
-    ssl_set(:ssl_client_certificate, file)
-  end
-
-  def ssl_dhparam(file)
-    ssl_set(:ssl_dhparam, file)
-  end
-
-  def ssl_ciphers(openssl_cipherlist_spec)
-    ssl_set(:ssl_ciphers, openssl_cipherlist_spec)
-  end
-
-  def ssl_crl(file)
-    ssl_set(:ssl_crl, file)
-  end
-
-  def ssl_prefer_server_ciphers(bool)
-    ssl_set(:ssl_prefer_server_ciphers, check_bool(bool))
-  end
-
-  def ssl_protocols(list)
-    ssl_set(:ssl_protocols, list)
-  end
-
-  def ssl_verify_client(on_off_optional)
-    ssl_set(:ssl_verify_client, on_off_optional)
-  end
-
-  def ssl_session_timeout(seconds)
-    ssl_set(:ssl_session_timeout, seconds)
-  end
-
-  def ssl_verify_depth(depth)
-    ssl_set(:ssl_verify_depth, depth)
-  end
-
-  # Allows specifying an engine for OpenSSL to use.  We have not been
-  # able to successfully test this feature due to a lack of hardware,
-  # Reports of success or patches to unicorn-public@bogomips.org is
-  # greatly appreciated.
-  def ssl_engine(engine)
-    ssl_warn_global(:ssl_engine)
-    ssl_require!
-    OpenSSL::Engine.load
-    OpenSSL::Engine.by_id(engine)
-    @set[:ssl_engine] = engine
-  end
-
-  def ssl_compression(bool)
-    # OpenSSL uses the SSL_OP_NO_COMPRESSION flag, Flipper follows suit
-    # with :ssl_no_compression, but we negate it to avoid exposing double
-    # negatives to the user.
-    ssl_set(:ssl_no_compression, check_bool(:ssl_compression, ! bool))
-  end
-
-private
-
-  def ssl_warn_global(func) # :nodoc:
-    Hash === @set[:ssl_opts] or return
-    warn("`#{func}' affects all SSL contexts in this process, " \
-         "not just this block")
-  end
-
-  def ssl_set(key, value) # :nodoc:
-    cur = @set[:ssl_opts]
-    Hash === cur or
-             raise ArgumentError, "#{key} must be called inside an `ssl' block"
-    cur[key] = value
-  end
-
-  def ssl_require! # :nodoc:
-    require "flipper"
-    require "unicorn/ssl_client"
-    rescue LoadError
-      warn "install 'kgio-monkey' for SSL support"
-      raise
-  end
-end

data/lib/unicorn/ssl_server.rb

@@ -1,42 +0,0 @@
-# -*- encoding: binary -*-
-# :stopdoc:
-# this module is meant to be included in Unicorn::HttpServer
-# It is an implementation detail and NOT meant for users.
-module Unicorn::SSLServer
-  attr_accessor :ssl_engine
-
-  def ssl_enable!
-    sni_hostnames = rack_sni_hostnames(@app)
-    seen = {} # we map a single SSLContext to multiple listeners
-    listener_ctx = {}
-    @listener_opts.each do |address, address_opts|
-      ssl_opts = address_opts[:ssl_opts] or next
-      listener_ctx[address] = seen[ssl_opts.object_id] ||= begin
-        unless sni_hostnames.empty?
-          ssl_opts = ssl_opts.dup
-          ssl_opts[:sni_hostnames] = sni_hostnames
-        end
-        ctx = Flipper.ssl_context(ssl_opts)
-        # FIXME: make configurable
-        ctx.session_cache_mode = OpenSSL::SSL::SSLContext::SESSION_CACHE_OFF
-        ctx
-      end
-    end
-    Unicorn::HttpServer::LISTENERS.each do |listener|
-      ctx = listener_ctx[sock_name(listener)] or next
-      listener.extend(Kgio::SSLServer)
-      listener.ssl_ctx = ctx
-      listener.kgio_ssl_class = Unicorn::SSLClient
-    end
-  end
-
-  # ugh, this depends on Rack internals...
-  def rack_sni_hostnames(rack_app) # :nodoc:
-    hostnames = {}
-    if Rack::URLMap === rack_app
-      mapping = rack_app.instance_variable_get(:@mapping)
-      mapping.each { |hostname,_,_,_| hostnames[hostname] = true }
-    end
-    hostnames.keys
-  end
-end

data/t/t0016-trust-x-forwarded-false.sh

@@ -1,30 +0,0 @@
-#!/bin/sh
-. ./test-lib.sh
-t_plan 5 "trust_x_forwarded=false configuration test"
-
-t_begin "setup and start" && {
-	unicorn_setup
-	echo "trust_x_forwarded false" >> $unicorn_config
-	unicorn -D -c $unicorn_config env.ru
-	unicorn_wait_start
-}
-
-t_begin "spoofed request with X-Forwarded-Proto does not trigger" && {
-	curl -H 'X-Forwarded-Proto: https' http://$listen/ | \
-		grep -F '"rack.url_scheme"=>"http"'
-}
-
-t_begin "spoofed request with X-Forwarded-SSL does not trigger" && {
-	curl -H 'X-Forwarded-SSL: on' http://$listen/ | \
-		grep -F '"rack.url_scheme"=>"http"'
-}
-
-t_begin "killing succeeds" && {
-	kill $unicorn_pid
-}
-
-t_begin "check stderr has no errors" && {
-	check_stderr
-}
-
-t_done

data/t/t0017-trust-x-forwarded-true.sh

@@ -1,30 +0,0 @@
-#!/bin/sh
-. ./test-lib.sh
-t_plan 5 "trust_x_forwarded=true configuration test"
-
-t_begin "setup and start" && {
-	unicorn_setup
-	echo "trust_x_forwarded true " >> $unicorn_config
-	unicorn -D -c $unicorn_config env.ru
-	unicorn_wait_start
-}
-
-t_begin "spoofed request with X-Forwarded-Proto sets 'https'" && {
-	curl -H 'X-Forwarded-Proto: https' http://$listen/ | \
-		grep -F '"rack.url_scheme"=>"https"'
-}
-
-t_begin "spoofed request with X-Forwarded-SSL sets 'https'" && {
-	curl -H 'X-Forwarded-SSL: on' http://$listen/ | \
-		grep -F '"rack.url_scheme"=>"https"'
-}
-
-t_begin "killing succeeds" && {
-	kill $unicorn_pid
-}
-
-t_begin "check stderr has no errors" && {
-	check_stderr
-}
-
-t_done

data/test/unit/test_http_parser_xftrust.rb

@@ -1,38 +0,0 @@
-# -*- encoding: binary -*-
-require './test/test_helper'
-
-include Unicorn
-
-class HttpParserXFTrustTest < Test::Unit::TestCase
-  def setup
-    assert HttpParser.trust_x_forwarded?
-  end
-
-  def test_xf_trust_false_xfp
-    HttpParser.trust_x_forwarded = false
-    parser = HttpParser.new
-    parser.buf << "GET / HTTP/1.1\r\nHost: foo:\r\n" \
-                  "X-Forwarded-Proto: https\r\n\r\n"
-    env = parser.parse
-    assert_kind_of Hash, env
-    assert_equal 'foo', env['SERVER_NAME']
-    assert_equal '80', env['SERVER_PORT']
-    assert_equal 'http', env['rack.url_scheme']
-  end
-
-  def test_xf_trust_false_xfs
-    HttpParser.trust_x_forwarded = false
-    parser = HttpParser.new
-    parser.buf << "GET / HTTP/1.1\r\nHost: foo:\r\n" \
-                  "X-Forwarded-SSL: on\r\n\r\n"
-    env = parser.parse
-    assert_kind_of Hash, env
-    assert_equal 'foo', env['SERVER_NAME']
-    assert_equal '80', env['SERVER_PORT']
-    assert_equal 'http', env['rack.url_scheme']
-  end
-
-  def teardown
-    HttpParser.trust_x_forwarded = true
-  end
-end

data/test/unit/test_sni_hostnames.rb

@@ -1,47 +0,0 @@
-# -*- encoding: binary -*-
-require "test/unit"
-require "unicorn"
-
-# this tests an implementation detail, it may change so this test
-# can be removed later.
-class TestSniHostnames < Test::Unit::TestCase
-  include Unicorn::SSLServer
-
-  def setup
-    GC.start
-  end
-
-  def teardown
-    GC.start
-  end
-
-  def test_host_name_detect_one
-    app = Rack::Builder.new do
-      map "http://sni1.example.com/" do
-        use Rack::ContentLength
-        use Rack::ContentType, "text/plain"
-        run lambda { |env| [ 200, {}, [] ] }
-      end
-    end.to_app
-    hostnames = rack_sni_hostnames(app)
-    assert hostnames.include?("sni1.example.com")
-  end
-
-  def test_host_name_detect_multiple
-    app = Rack::Builder.new do
-      map "http://sni2.example.com/" do
-        use Rack::ContentLength
-        use Rack::ContentType, "text/plain"
-        run lambda { |env| [ 200, {}, [] ] }
-      end
-      map "http://sni3.example.com/" do
-        use Rack::ContentLength
-        use Rack::ContentType, "text/plain"
-        run lambda { |env| [ 200, {}, [] ] }
-      end
-    end.to_app
-    hostnames = rack_sni_hostnames(app)
-    assert hostnames.include?("sni2.example.com")
-    assert hostnames.include?("sni3.example.com")
-  end
-end