vines 0.4.0 → 0.4.1

data/lib/vines/cluster/connection.rb

@@ -7,7 +7,7 @@ module Vines
       attr_accessor :host, :port, :database, :password
 
       def initialize
-        @redis = nil
+        @redis, @host, @port, @database, @password = nil, nil, nil, nil, nil
       end
 
       # Return a shared redis connection.

data/lib/vines/command/ldap.rb

@@ -7,7 +7,7 @@ module Vines
         raise 'vines ldap <domain>' unless opts[:args].size == 1
         require opts[:config]
         domain = opts[:args].first
-        unless storage = Config.instance.vhosts[domain].storage rescue nil
+        unless storage = Config.instance.vhost(domain).storage rescue nil
           raise "#{domain} virtual host not found in conf/config.rb"
         end
         unless storage.ldap?

data/lib/vines/command/schema.rb

@@ -7,7 +7,7 @@ module Vines
         raise 'vines schema <domain>' unless opts[:args].size == 1
         require opts[:config]
         domain = opts[:args].first
-        unless storage = Config.instance.vhosts[domain].storage rescue nil
+        unless storage = Config.instance.vhost(domain).storage rescue nil
           raise "#{domain} virtual host not found in conf/config.rb"
         end
         unless storage.respond_to?(:create_schema)

data/lib/vines/config.rb

@@ -9,7 +9,7 @@ module Vines
   class Config
     LOG_LEVELS = %w[debug info warn error fatal].freeze
 
-    attr_reader :router, :vhosts
+    attr_reader :router
 
     @@instance = nil
     def self.configure(&block)
@@ -67,13 +67,19 @@ module Vines
 
     # Return true if the domain is virtual hosted by this server.
     def vhost?(domain)
-      @vhosts.key?(domain.to_s)
+      !!vhost(domain)
+    end
+
+    # Return the Host config object for this domain if it's hosted by this
+    # server.
+    def vhost(domain)
+      @vhosts[domain.to_s]
     end
 
     # Returns the storage system for the domain or a Storage::Null instance if
     # the domain is not hosted at this server.
     def storage(domain)
-      host = @vhosts[domain.to_s]
+      host = vhost(domain)
       host ? host.storage : @null
     end
 
@@ -112,7 +118,7 @@ module Vines
 
     # Return true if private XML fragment storage is enabled for this domain.
     def private_storage?(domain)
-      host = @vhosts[domain.to_s]
+      host = vhost(domain)
       host.private_storage? if host
     end
 
@@ -191,7 +197,7 @@ module Vines
     # Return true if all JIDs are allowed to exchange cross domain messages.
     def cross_domain?(*jids)
       !jids.flatten.index do |jid|
-        !@vhosts[jid.domain].cross_domain_messages?
+        !vhost(jid.domain).cross_domain_messages?
       end
     end
   end

data/lib/vines/jid.rb

@@ -4,13 +4,13 @@ module Vines
   class JID
     include Comparable
 
-    PATTERN = /^(?:([^@]*)@)??([^@\/]*)(?:\/(.*?))?$/.freeze
+    PATTERN = /\A(?:([^@]*)@)??([^@\/]*)(?:\/(.*?))?\Z/.freeze
 
     # http://tools.ietf.org/html/rfc6122#appendix-A
-    NODE_PREP = /[[:space:][:cntrl:]"&'\/:<>@]/.freeze
+    NODE_PREP = /[[:cntrl:] "&'\/:<>@]/.freeze
 
     # http://tools.ietf.org/html/rfc3454#appendix-C
-    NAME_PREP = /[[:space:][:cntrl:]]/.freeze
+    NAME_PREP = /[[:cntrl:] ]/.freeze
 
     attr_reader :node, :domain, :resource
     attr_writer :resource

data/lib/vines/stanza/iq/disco_items.rb

@@ -15,7 +15,7 @@ module Vines
               query.default_namespace = NS
               unless to_pubsub_domain?
                 to = (validate_to || stream.domain).to_s
-                stream.config.vhosts[to].disco_items.each do |domain|
+                stream.config.vhost(to).disco_items.each do |domain|
                   query << el.document.create_element('item', 'jid' => domain)
                 end
               end

data/lib/vines/storage/local.rb

@@ -9,6 +9,7 @@ module Vines
       register :fs
 
       def initialize(&block)
+        @dir = nil
         instance_eval(&block)
         unless @dir && File.directory?(@dir) && File.writable?(@dir)
           raise 'Must provide a writable storage directory'

data/lib/vines/store.rb

@@ -6,9 +6,12 @@ module Vines
   # This uses the conf/certs/*.crt files as the list of trusted root
   # CA certificates.
   class Store
-    @@certs = nil
+    @@sources = nil
 
-    def initialize
+    # Create a certificate store to read certificate files from the given
+    # directory.
+    def initialize(dir)
+      @dir = File.expand_path(dir)
       @store = OpenSSL::X509::Store.new
       certs.each {|c| @store.add_cert(c) }
     end
@@ -37,15 +40,53 @@ module Vines
     # certificates are used to start the trust chain needed to validate certs
     # we receive from clients and servers.
     def certs
-      unless @@certs
+      unless @@sources
         pattern = /-{5}BEGIN CERTIFICATE-{5}\n.*?-{5}END CERTIFICATE-{5}\n/m
-        dir = File.join(VINES_ROOT, 'conf', 'certs')
-        certs = Dir[File.join(dir, '*.crt')].map {|f| File.read(f) }
-        certs = certs.map {|c| c.scan(pattern) }.flatten
-        certs.map! {|c| OpenSSL::X509::Certificate.new(c) }
-        @@certs = certs.reject {|c| c.not_after < Time.now }
+        pairs = Dir[File.join(@dir, '*.crt')].map do |name|
+          pems = File.read(name).scan(pattern)
+          certs = pems.map {|pem| OpenSSL::X509::Certificate.new(pem) }
+          certs.reject! {|cert| cert.not_after < Time.now }
+          [name, certs]
+        end
+        @@sources = Hash[pairs]
+      end
+      @@sources.values.flatten
+    end
+
+    # Returns a pair of file names containing the public key certificate
+    # and matching private key for the given domain. This supports using
+    # wildcard certificate files to serve several subdomains.
+    #
+    # Finding the certificate and private key file for a domain follows these steps:
+    # - look for <domain>.crt and <domain>.key files in the conf/certs directory.
+    #   if found, return those file names, else
+    # - inspect all conf/certs/*.crt files for certificates that contain the
+    #   domain name either as the subject common name (CN) or as a DNS
+    #   subjectAltName. The corresponding private key must be in a file of the
+    #   same name as the certificate's, but with a .key extension.
+    #
+    # So in the simplest configuration, the tea.wonderland.lit encryption files would
+    # be named conf/certs/tea.wonderland.lit.crt and conf/certs/tea.wonderland.lit.key.
+    #
+    # However, in the case of a wildcard certificate for *.wonderland.lit, the
+    # files would be conf/certs/wonderland.lit.crt and conf/certs/wonderland.lit.key.
+    # These same two files would be returned for the subdomains of tea.wonderland.lit,
+    # crumpets.wonderland.lit, etc.
+    def files_for_domain(domain)
+      crt = File.expand_path("#{domain}.crt", @dir)
+      key = File.expand_path("#{domain}.key", @dir)
+      return [crt, key] if File.exists?(crt) && File.exists?(key)
+
+      # might be a wildcard cert file
+      @@sources.each do |file, certs|
+        certs.each do |cert|
+          if OpenSSL::SSL.verify_certificate_identity(cert, domain)
+            key = file.chomp(File.extname(file)) + '.key'
+            return [file, key] if File.exists?(file) && File.exists?(key)
+          end
+        end
       end
-      @@certs
+      nil
     end
   end
 end

data/lib/vines/stream.rb

@@ -21,7 +21,7 @@ module Vines
       @remote_addr, @local_addr = addresses
       @user, @closed, @stanza_size = nil, false, 0
       @bucket = TokenBucket.new(100, 10)
-      @store = Store.new
+      @store = Store.new(File.join(VINES_ROOT, 'conf', 'certs'))
       @nodes = EM::Queue.new
       process_node_queue
       create_parser
@@ -71,7 +71,7 @@ module Vines
 
     # Returns the Vines::Config::Host virtual host for the stream's domain.
     def vhost
-      @config.vhosts[domain]
+      @config.vhost(domain)
     end
 
     # Reload the user's information into their active connections. Call this
@@ -118,14 +118,14 @@ module Vines
     end
 
     def encrypt
-      cert, key = tls_files
-      start_tls(:private_key_file => key, :cert_chain_file => cert, :verify_peer => true)
+      cert, key = @store.files_for_domain(domain)
+      start_tls(cert_chain_file: cert, private_key_file: key, verify_peer: true)
     end
 
     # Returns true if the TLS certificate and private key files for this domain
     # exist and can be used to encrypt this stream.
     def encrypt?
-      tls_files.all? {|f| File.exists?(f) }
+      !@store.files_for_domain(domain).nil?
     end
 
     def unbind
@@ -235,10 +235,6 @@ module Vines
       @state
     end
 
-    def tls_files
-      %w[crt key].map {|ext| File.join(VINES_ROOT, 'conf', 'certs', "#{domain}.#{ext}") }
-    end
-
     # Return true if this is a valid domain-only JID that can be used in
     # stream initiation stanza headers.
     def valid_address?(jid)

data/lib/vines/stream/client/session.rb

@@ -196,7 +196,7 @@ module Vines
 
         def unsubscribe_pubsub
           if connected?
-            @config.vhosts[@user.jid.domain].unsubscribe_pubsub(@user.jid)
+            @config.vhost(@user.jid.domain).unsubscribe_pubsub(@user.jid)
           end
         end
 

data/lib/vines/stream/http.rb

@@ -40,7 +40,9 @@ module Vines
       end
 
       def process_request(request)
-        if request.path == self.bind
+        if request.path == self.bind && request.options?
+          request.reply_to_options
+        elsif request.path == self.bind
           body = Nokogiri::XML(request.body).root
           if session = Sessions[body['sid']]
             @session = session

data/lib/vines/stream/http/ready.rb

@@ -11,7 +11,11 @@ module Vines
             raise StreamErrors::NotAuthorized
           end
           stream.parse_body(node).each do |child|
-            super(child)
+            begin
+              super(child)
+            rescue StanzaError => e
+              stream.error(e)
+            end
           end
           stream.terminate if terminate?(node)
         end

data/lib/vines/stream/http/request.rb

@@ -11,6 +11,7 @@ module Vines
         NOT_MODIFIED  = 'Not Modified'.freeze
         IF_MODIFIED   = 'If-Modified-Since'.freeze
         TEXT_PLAIN    = 'text/plain'.freeze
+        OPTIONS       = 'OPTIONS'.freeze
         CONTENT_TYPES = {
           'html'     => 'text/html; charset="utf-8"',
           'js'       => 'application/javascript; charset="utf-8"',
@@ -72,12 +73,33 @@ module Vines
           body = node.to_s
           header = [
             "HTTP/1.1 200 OK",
+            "Access-Control-Allow-Origin: *",
             "Content-Type: #{content_type}",
             "Content-Length: #{body.bytesize}"
           ].join("\r\n")
           @stream.stream_write([header, body].join("\r\n\r\n"))
         end
 
+        # Return true if the request method is OPTIONS, signaling a
+        # CORS preflight check.
+        def options?
+          @method == OPTIONS
+        end
+
+        # Send a 200 OK response, allowing any origin domain to connect to the
+        # server, in response to CORS preflight OPTIONS requests. This allows
+        # any web application using strophe.js to connect to our BOSH port.
+        def reply_to_options
+          allow = @headers['Access-Control-Request-Headers']
+          headers = [
+            "Access-Control-Allow-Origin: *",
+            "Access-Control-Allow-Methods: POST, GET, OPTIONS",
+            "Access-Control-Allow-Headers: #{allow}",
+            "Access-Control-Max-Age: #{60 * 60 * 24 * 30}"
+          ]
+          send_status(200, 'OK', headers)
+        end
+
         private
 
         # Attempt to rebuild the full request URI from the Host header. If it

data/lib/vines/version.rb

@@ -1,5 +1,5 @@
 # encoding: UTF-8
 
 module Vines
-  VERSION = '0.4.0'
+  VERSION = '0.4.1'
 end

data/test/config/host_test.rb

@@ -46,7 +46,7 @@ class HostTest < MiniTest::Unit::TestCase
         end
       end
     end
-    refute_nil config.vhosts['wonderland.lit'].storage
+    refute_nil config.vhost('wonderland.lit').storage
   end
 
   def test_ldap_added_to_storage
@@ -81,8 +81,8 @@ class HostTest < MiniTest::Unit::TestCase
       end
     end
     %w[wonderland.lit verona.lit].each do |domain|
-      refute_nil config.vhosts[domain].storage.ldap
-      assert config.vhosts[domain].storage.ldap?
+      refute_nil config.vhost(domain).storage.ldap
+      assert config.vhost(domain).storage.ldap?
     end
   end
 
@@ -225,7 +225,7 @@ class HostTest < MiniTest::Unit::TestCase
         components 'TEA' => 'secr3t', CAKE: 'Passw0rd'
       end
     end
-    host = config.vhosts['wonderland.lit']
+    host = config.vhost('wonderland.lit')
     refute_nil host
     assert_equal 2, host.components.size
     assert_equal host.components['tea.wonderland.lit'], 'secr3t'
@@ -239,7 +239,7 @@ class HostTest < MiniTest::Unit::TestCase
         components 'tea' => 'secr3t', cake: 'passw0rd'
       end
     end
-    host = config.vhosts['wonderland.lit']
+    host = config.vhost('wonderland.lit')
     refute_nil host
     refute host.component?(nil)
     refute host.component?('tea')
@@ -309,7 +309,7 @@ class HostTest < MiniTest::Unit::TestCase
         pubsub 'TEA', :CAKE
       end
     end
-    host = config.vhosts['wonderland.lit']
+    host = config.vhost('wonderland.lit')
     refute_nil host
     assert_equal 2, host.pubsubs.size
     refute_nil host.pubsubs['tea.wonderland.lit']
@@ -323,7 +323,7 @@ class HostTest < MiniTest::Unit::TestCase
         pubsub 'tea', :cake
       end
     end
-    host = config.vhosts['wonderland.lit']
+    host = config.vhost('wonderland.lit')
     refute_nil host
     refute host.pubsub?(nil)
     refute host.pubsub?('tea')
@@ -348,7 +348,7 @@ class HostTest < MiniTest::Unit::TestCase
         storage(:fs) { dir Dir.tmpdir }
       end
     end
-    host = config.vhosts['wonderland.lit']
+    host = config.vhost('wonderland.lit')
     refute_nil host
     refute host.private_storage?
   end
@@ -360,7 +360,7 @@ class HostTest < MiniTest::Unit::TestCase
         storage(:fs) { dir Dir.tmpdir }
       end
     end
-    host = config.vhosts['wonderland.lit']
+    host = config.vhost('wonderland.lit')
     refute_nil host
     assert host.private_storage?
     assert config.private_storage?('wonderland.lit')

data/test/config/pubsub_test.rb

@@ -52,7 +52,7 @@ class ConfigPubSubTest < MiniTest::Unit::TestCase
   def test_subscribe_remote_jid_is_allowed
     topic = 'remote_jids_allowed'
     jid = 'romeo@verona.lit'
-    @config.vhosts['wonderland.lit'].cross_domain_messages true
+    @config.vhost('wonderland.lit').cross_domain_messages true
     @pubsub.add_node(topic)
     @pubsub.subscribe(topic, jid)
     assert @pubsub.subscribed?(topic, jid)
@@ -105,7 +105,7 @@ class ConfigPubSubTest < MiniTest::Unit::TestCase
     alice = Vines::JID.new('alice@wonderland.lit')
     romeo = Vines::JID.new('romeo@verona.lit')
 
-    @config.vhosts['wonderland.lit'].cross_domain_messages true
+    @config.vhost('wonderland.lit').cross_domain_messages true
     def @config.router
       unless @mock_router
         @mock_router = MiniTest::Mock.new

data/test/config_test.rb

@@ -60,8 +60,10 @@ class ConfigTest < MiniTest::Unit::TestCase
         storage(:fs) { dir Dir.tmpdir }
       end
     end
-    assert_equal ['wonderland.lit'], config.vhosts.keys
+    refute_nil config.vhost('wonderland.lit')
+    refute_nil config.vhost(Vines::JID.new('wonderland.lit'))
     assert config.vhost?('wonderland.lit')
+    assert config.vhost?(Vines::JID.new('wonderland.lit'))
     refute config.vhost?('alice@wonderland.lit')
     refute config.vhost?('tea.wonderland.lit')
     refute config.vhost?('bogus')
@@ -394,8 +396,8 @@ class ConfigTest < MiniTest::Unit::TestCase
         storage(:fs) { dir Dir.tmpdir }
       end
     end
-    refute config.vhosts['wonderland.lit'].cross_domain_messages?
-    assert config.vhosts['verona.lit'].cross_domain_messages?
+    refute config.vhost('wonderland.lit').cross_domain_messages?
+    assert config.vhost('verona.lit').cross_domain_messages?
   end
 
   def test_local_jid?

data/test/jid_test.rb

@@ -115,10 +115,19 @@ class JidTest < MiniTest::Unit::TestCase
     assert_raises(ArgumentError) { Vines::JID.new(%q{alice>s@wonderland.lit}) }
     assert_raises(ArgumentError) { Vines::JID.new("alice\u0000s@wonderland.lit") }
     assert_raises(ArgumentError) { Vines::JID.new("alice\ts@wonderland.lit") }
+    assert_raises(ArgumentError) { Vines::JID.new("alice\rs@wonderland.lit") }
+    assert_raises(ArgumentError) { Vines::JID.new("alice\ns@wonderland.lit") }
+    assert_raises(ArgumentError) { Vines::JID.new("alice\vs@wonderland.lit") }
+    assert_raises(ArgumentError) { Vines::JID.new("alice\fs@wonderland.lit") }
     assert_raises(ArgumentError) { Vines::JID.new(" alice@wonderland.lit") }
     assert_raises(ArgumentError) { Vines::JID.new("alice@wonderland.lit ") }
     assert_raises(ArgumentError) { Vines::JID.new("alice s@wonderland.lit") }
     assert_raises(ArgumentError) { Vines::JID.new("alice@w onderland.lit") }
+    assert_raises(ArgumentError) { Vines::JID.new("alice@w\tonderland.lit") }
+    assert_raises(ArgumentError) { Vines::JID.new("alice@w\ronderland.lit") }
+    assert_raises(ArgumentError) { Vines::JID.new("alice@w\nonderland.lit") }
+    assert_raises(ArgumentError) { Vines::JID.new("alice@w\vonderland.lit") }
+    assert_raises(ArgumentError) { Vines::JID.new("alice@w\fonderland.lit") }
     assert_raises(ArgumentError) { Vines::JID.new("alice@wonderland.lit/ res") }
     assert_raises(ArgumentError) { Vines::JID.new("alice@w\u0000onderland.lit") }
     assert_raises(ArgumentError) { Vines::JID.new("alice@wonderland.lit/\u0000res") }