wsv 0.8.0 → 0.10.0

data/lib/wsv/request.rb

@@ -1,21 +1,10 @@
 # frozen_string_literal: true
 
+require_relative "request/too_large"
+require_relative "request/parser"
+
 module Wsv
   class Request
-    REQUEST_LINE_LIMIT = 8192
-    HEADER_LINE_LIMIT = 8192
-    HEADER_COUNT_LIMIT = 100
-    HEADER_TOTAL_LIMIT = 16384
-
-    class TooLarge < StandardError
-      attr_reader :status_code
-
-      def initialize(status_code)
-        super("request exceeded size limit (#{status_code})")
-        @status_code = status_code
-      end
-    end
-
     attr_reader :method, :target, :version, :headers
 
     def initialize(method:, target:, version:, headers:)
@@ -30,39 +19,7 @@ module Wsv
     end
 
     def self.parse(io)
-      line = io.gets(REQUEST_LINE_LIMIT)
-      return :empty unless line
-      raise TooLarge, 414 if line.bytesize >= REQUEST_LINE_LIMIT && !line.end_with?("\n")
-
-      method, target, version = line.split(/\s+/, 3)
-      version = version&.strip
-      return :malformed unless method && target && version&.start_with?("HTTP/")
-
-      headers = read_headers(io)
-      new(method: method, target: target, version: version, headers: headers)
-    end
-
-    def self.read_headers(io)
-      headers = {}
-      total = 0
-      count = 0
-      while (line = io.gets(HEADER_LINE_LIMIT))
-        raise TooLarge, 431 if line.bytesize >= HEADER_LINE_LIMIT && !line.end_with?("\n")
-
-        stripped = line.delete_suffix("\r\n").delete_suffix("\n").delete_suffix("\r")
-        break if stripped.empty?
-
-        count += 1
-        raise TooLarge, 431 if count > HEADER_COUNT_LIMIT
-
-        total += line.bytesize
-        raise TooLarge, 431 if total > HEADER_TOTAL_LIMIT
-
-        name, value = stripped.split(":", 2)
-        headers[name.downcase] = value.strip if name && value
-      end
-      headers
+      Parser.new(io).parse
     end
-    private_class_method :read_headers
   end
 end

data/lib/wsv/response/file_body.rb

@@ -0,0 +1,31 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Response
+    class FileBody
+      def initialize(path, offset: 0, length: nil)
+        @path = path
+        @offset = offset
+        @length = length || (File.size(path) - offset)
+      end
+
+      def to_s
+        File.open(@path, "rb") do |f|
+          f.seek(@offset)
+          f.read(@length)
+        end
+      end
+
+      def bytesize
+        @length
+      end
+
+      def write_to(io)
+        File.open(@path, "rb") do |f|
+          f.seek(@offset)
+          IO.copy_stream(f, io, @length)
+        end
+      end
+    end
+  end
+end

data/lib/wsv/response/file_builder.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "time"
+require_relative "../mime_types"
+
+module Wsv
+  class Response
+    class FileBuilder
+      def initialize(path, head: false, range: nil, status: 200)
+        @path = path
+        @head = head
+        @range = range
+        @status = status
+      end
+
+      def build
+        if @range
+          Response.new(status: 206, headers: range_headers, body: range_body)
+        else
+          Response.new(status: @status, headers: full_headers, body: full_body)
+        end
+      end
+
+      private
+
+      def size
+        @size ||= File.size(@path)
+      end
+
+      def base_headers
+        {
+          "Content-Type" => MimeTypes.for_file(@path),
+          "Last-Modified" => File.mtime(@path).httpdate,
+          "Cache-Control" => "no-cache",
+          "Accept-Ranges" => "bytes"
+        }
+      end
+
+      def range_headers
+        base_headers.merge(
+          "Content-Length" => @range.size.to_s,
+          "Content-Range" => "bytes #{@range.begin}-#{@range.end}/#{size}"
+        )
+      end
+
+      def full_headers
+        base_headers.merge("Content-Length" => size.to_s)
+      end
+
+      def range_body
+        return StringBody.new("") if @head
+
+        FileBody.new(@path, offset: @range.begin, length: @range.size)
+      end
+
+      def full_body
+        return StringBody.new("") if @head
+
+        FileBody.new(@path)
+      end
+    end
+  end
+end

data/lib/wsv/response/string_body.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Response
+    class StringBody
+      def initialize(string)
+        @string = string
+      end
+
+      def to_s
+        @string
+      end
+
+      def bytesize
+        @string.bytesize
+      end
+
+      def write_to(io)
+        io.write(@string) unless @string.empty?
+      end
+    end
+  end
+end

data/lib/wsv/response/text_builder.rb

@@ -0,0 +1,35 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Response
+    class TextBuilder
+      def initialize(status, head: false, headers: {})
+        @status = status
+        @head = head
+        @extra_headers = headers
+      end
+
+      def build
+        Response.new(status: @status, headers: response_headers, body: response_body)
+      end
+
+      private
+
+      def response_body
+        @head ? "" : message
+      end
+
+      def message
+        @message ||= "#{@status} #{Status.reason(@status)}\n"
+      end
+
+      def response_headers
+        {
+          "Content-Type" => "text/plain; charset=utf-8",
+          "Content-Length" => message.bytesize.to_s,
+          "Cache-Control" => "no-cache"
+        }.merge(@extra_headers)
+      end
+    end
+  end
+end

data/lib/wsv/response.rb

@@ -1,9 +1,11 @@
 # frozen_string_literal: true
 
-require "time"
-require_relative "mime_types"
 require_relative "status"
 require_relative "version"
+require_relative "response/string_body"
+require_relative "response/file_body"
+require_relative "response/text_builder"
+require_relative "response/file_builder"
 
 module Wsv
   class Response
@@ -12,56 +14,68 @@ module Wsv
     INVALID_HEADER_NAME = /[\s:]/
     INVALID_HEADER_VALUE = /[\r\n]/
 
-    attr_reader :status, :headers, :body
+    attr_reader :status, :headers
 
     def initialize(status:, headers: {}, body: "")
-      headers.each do |name, value|
-        raise ArgumentError, "invalid header name: #{name.inspect}" if name.to_s.match?(INVALID_HEADER_NAME)
-        raise ArgumentError, "invalid header value: #{value.inspect}" if value.to_s.match?(INVALID_HEADER_VALUE)
-      end
+      validate_headers(headers)
       @status = status
       @headers = headers
-      @body = body
+      @body = body.is_a?(String) ? StringBody.new(body) : body
+    end
+
+    def body
+      @body.to_s
     end
 
     def reason
       Status.reason(status)
     end
 
+    # Returns a new Response with `extra` merged into the headers, sharing the
+    # same body object so streaming (FileBody) is preserved.
+    def with_headers(extra)
+      self.class.new(status: @status, headers: @headers.merge(extra), body: @body)
+    end
+
     def write_to(io)
       io.write "HTTP/1.1 #{status} #{reason}\r\n"
       io.write "Server: #{SERVER_NAME}\r\n"
       io.write "Connection: close\r\n"
+      unless headers.any? { |name, _value| name.to_s.casecmp?("X-Content-Type-Options") }
+        io.write "X-Content-Type-Options: nosniff\r\n"
+      end
       headers.each { |name, value| io.write "#{name}: #{value}\r\n" }
       io.write "\r\n"
-      io.write body
+      @body.write_to(io)
     end
 
-    def self.text(status, headers: {}, head: false)
-      body = "#{status} #{Status.reason(status)}\n"
-      base = {
-        "Content-Type" => "text/plain; charset=utf-8",
-        "Content-Length" => body.bytesize.to_s,
-        "Cache-Control" => "no-cache"
-      }
-      new(status: status, headers: base.merge(headers), body: head ? "" : body)
+    def self.text(status, **)
+      TextBuilder.new(status, **).build
     end
 
-    def self.file(path, head: false)
-      new(
-        status: 200,
-        headers: {
-          "Content-Type" => MimeTypes.for_file(path),
-          "Content-Length" => File.size(path).to_s,
-          "Last-Modified" => File.mtime(path).httpdate,
-          "Cache-Control" => "no-cache"
-        },
-        body: head ? "" : File.binread(path)
-      )
+    def self.file(path, **)
+      FileBuilder.new(path, **).build
     end
 
     def self.redirect(location, head: false)
-      text(301, headers: { "Location" => location }, head: head)
+      TextBuilder.new(301, head: head, headers: { "Location" => location }).build
+    end
+
+    def self.not_modified
+      new(status: 304, headers: { "Cache-Control" => "no-cache" }, body: "")
+    end
+
+    def self.range_not_satisfiable(file_size, head: false)
+      TextBuilder.new(416, head: head, headers: { "Content-Range" => "bytes */#{file_size}" }).build
+    end
+
+    private
+
+    def validate_headers(headers)
+      headers.each do |name, value|
+        raise ArgumentError, "invalid header name: #{name.inspect}" if name.to_s.match?(INVALID_HEADER_NAME)
+        raise ArgumentError, "invalid header value: #{value.inspect}" if value.to_s.match?(INVALID_HEADER_VALUE)
+      end
     end
   end
 end

data/lib/wsv/server/banner.rb

@@ -0,0 +1,56 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Server
+    # Renders the startup announcement (the "Serving / Bind / Local / Stop"
+    # block plus warnings about non-loopback binds and self-signed certs).
+    class Banner
+      def initialize(host:, port:, root:, out:, err:, tls:)
+        @host = host
+        @port = port
+        @root = root
+        @out = out
+        @err = err
+        @tls = tls
+      end
+
+      def emit
+        @out.puts "Serving: #{@root}"
+        @out.puts "Bind:    #{url_for(@host)}"
+        @out.puts "Local:   #{url_for('127.0.0.1')}" unless localhost?(@host)
+        @out.puts "Stop:    Ctrl-C"
+        warn_public_bind unless localhost?(@host)
+        warn_ephemeral_cert if @tls&.ephemeral?
+      end
+
+      private
+
+      def warn_public_bind
+        @err.puts "WARNING: binding to #{@host} exposes #{@root} on your network."
+        @err.puts "         Pass --host 127.0.0.1 (or omit --host) for local-only access."
+      end
+
+      def warn_ephemeral_cert
+        @err.puts "WARNING: serving with a self-signed certificate. Browsers will"
+        @err.puts "         show a security warning. Pass --cert / --key for a real cert."
+      end
+
+      def url_for(display_host)
+        "#{scheme}://#{format_host(display_host)}:#{@port}/"
+      end
+
+      def format_host(host)
+        # Bracket IPv6 literals per RFC 3986; zone IDs (`%eth0` etc.) need %25 per RFC 6874.
+        host.include?(":") ? "[#{host.gsub('%', '%25')}]" : host
+      end
+
+      def scheme
+        @tls ? "https" : "http"
+      end
+
+      def localhost?(display_host)
+        ["127.0.0.1", "localhost", "::1"].include?(display_host)
+      end
+    end
+  end
+end

data/lib/wsv/server/browser_launcher.rb

@@ -0,0 +1,63 @@
+# frozen_string_literal: true
+
+require "rbconfig"
+
+module Wsv
+  class Server
+    # Launches the OS default browser at the served URL when `--open` is set.
+    # Best-effort: unsupported platforms or spawn failures are logged but
+    # never abort the server.
+    class BrowserLauncher
+      def initialize(host:, port:, tls:, err:)
+        @host = host
+        @port = port
+        @tls = tls
+        @err = err
+      end
+
+      def launch
+        command = platform_command
+        unless command
+          @err.puts "wsv: --open is not supported on this platform; skipping."
+          return
+        end
+
+        pid = Process.spawn(*command, url, in: :close, out: File::NULL, err: File::NULL)
+        Process.detach(pid)
+      rescue StandardError => e
+        @err.puts "wsv: failed to open browser: #{e.message}"
+      end
+
+      private
+
+      def url
+        scheme = @tls ? "https" : "http"
+        "#{scheme}://#{url_host}:#{@port}/"
+      end
+
+      def url_host
+        host = display_host
+        # IPv6 literals must be bracketed in URLs per RFC 3986. Scoped IPv6
+        # zone identifiers use `%`, which must be percent-encoded in URLs.
+        host.include?(":") ? "[#{host.gsub('%', '%25')}]" : host
+      end
+
+      def display_host
+        # Wildcard binds aren't reachable; redirect to the matching loopback.
+        case @host
+        when "0.0.0.0" then "127.0.0.1"
+        when "::" then "::1"
+        else @host
+        end
+      end
+
+      def platform_command
+        case RbConfig::CONFIG["host_os"]
+        when /darwin/ then ["open"]
+        when /linux|bsd/ then ["xdg-open"]
+        when /mswin|mingw|cygwin/ then ["cmd.exe", "/c", "start", ""]
+        end
+      end
+    end
+  end
+end

data/lib/wsv/server/deadline_reader.rb

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+
+module Wsv
+  class Server
+    # Wraps an IO with a shared deadline so each subsequent read is bounded by
+    # the time remaining until the deadline. Used to enforce a single budget
+    # across the request line and all header lines.
+    class DeadlineReader
+      def initialize(io, deadline)
+        @io = io
+        @deadline = deadline
+      end
+
+      def gets(eol, limit)
+        remaining = @deadline - Time.now
+        raise IO::TimeoutError if remaining <= 0
+
+        @io.to_io.timeout = remaining
+        @io.gets(eol, limit)
+      end
+    end
+  end
+end

data/lib/wsv/server.rb

@@ -1,9 +1,13 @@
 # frozen_string_literal: true
 
+require "openssl"
 require "socket"
 require_relative "app"
 require_relative "request"
 require_relative "response"
+require_relative "server/banner"
+require_relative "server/browser_launcher"
+require_relative "server/deadline_reader"
 
 module Wsv
   class Server
@@ -20,7 +24,11 @@ module Wsv
       out: $stdout,
       err: $stderr,
       read_timeout: DEFAULT_READ_TIMEOUT,
-      max_connections: DEFAULT_MAX_CONNECTIONS
+      max_connections: DEFAULT_MAX_CONNECTIONS,
+      tls: nil,
+      spa: false,
+      open: false,
+      cors: false
     )
       @host = host
       @port = port
@@ -29,7 +37,10 @@ module Wsv
       @err = err
       @read_timeout = read_timeout
       @max_connections = max_connections
-      @app = App.new(@root)
+      @tls = tls
+      @ssl_context = tls&.to_ssl_context
+      @open = open
+      @app = App.new(@root, spa: spa, cors: cors)
       @running = false
       @mutex = Mutex.new
       @active = 0
@@ -40,6 +51,7 @@ module Wsv
       @running = true
       log_startup
       trap_signals
+      open_in_browser if @open
       accept_loop
     ensure
       close
@@ -66,6 +78,8 @@ module Wsv
     rescue IO::TimeoutError
       write_response(client, Response.text(408))
     rescue StandardError => e
+      # Treat unmapped failures as connection-scoped and close with 400 rather
+      # than letting one bad request path bring down the server.
       @err.puts "wsv: #{e.class}: #{e.message}"
       write_response(client, Response.text(400))
     ensure
@@ -104,6 +118,9 @@ module Wsv
         chunk = client.read_nonblock(8192, exception: false)
         case chunk
         when nil, :wait_writable
+          # nil = EOF. :wait_writable can come back from SSLSocket during a
+          # renegotiation (read needs an underlying write). Either way,
+          # there's nothing more we can usefully drain right now.
           return
         when :wait_readable
           remaining = deadline - Time.now
@@ -113,21 +130,6 @@ module Wsv
       end
     end
 
-    class DeadlineReader
-      def initialize(io, deadline)
-        @io = io
-        @deadline = deadline
-      end
-
-      def gets(limit)
-        remaining = @deadline - Time.now
-        raise IO::TimeoutError if remaining <= 0
-
-        @io.timeout = remaining
-        @io.gets(limit)
-      end
-    end
-
     def accept_loop
       while @running
         client = nil
@@ -162,18 +164,58 @@ module Wsv
         true
       end
 
-      return reject(client) unless accepted
+      return spawn_rejection(client) unless accepted
 
+      begin
+        Thread.new do
+          Thread.current.report_on_exception = false
+          handle(maybe_wrap_tls(client))
+        ensure
+          @mutex.synchronize { @active -= 1 }
+        end
+      rescue ThreadError => e
+        @err.puts "wsv: thread error: #{e.message}"
+        @mutex.synchronize { @active -= 1 }
+        spawn_rejection(client)
+      end
+    end
+
+    # Reject in a separate thread so a slow client cannot block accept_loop
+    # via graceful_close's drain_recv (up to DRAIN_TIMEOUT seconds).
+    def spawn_rejection(client)
       Thread.new do
         Thread.current.report_on_exception = false
-        handle(client)
-      ensure
-        @mutex.synchronize { @active -= 1 }
+        reject(client)
       end
+    rescue ThreadError
+      reject(client)
+    end
+
+    def maybe_wrap_tls(client)
+      return client unless @ssl_context
+
+      client.timeout = @read_timeout
+      ssl = OpenSSL::SSL::SSLSocket.new(client, @ssl_context)
+      ssl.sync_close = true
+      ssl.accept
+      ssl
+    rescue StandardError
+      # If wrapping or the handshake failed, `handle` is never called and
+      # its ensure does not get a chance to close the underlying socket.
+      # Close it here so we do not leak a TCPSocket per failed handshake.
+      begin
+        client.close
+      rescue StandardError
+        nil
+      end
+      raise
     end
 
     def reject(client)
-      write_response(client, Response.text(503))
+      # In TLS mode `client` is the raw TCPSocket before any handshake.
+      # Writing a plaintext 503 over it would corrupt the TLS handshake
+      # the client is about to start, so just close in that case.
+      write_response(client, Response.text(503)) unless @ssl_context
     ensure
       graceful_close(client)
     end
@@ -190,28 +232,18 @@ module Wsv
         end
       end
     rescue ArgumentError
+      # Signal.trap raises ArgumentError when called from a context that
+      # cannot install signal handlers (e.g. embedded in a non-main thread,
+      # which is how tests start the server). Skip silently in that case.
       nil
     end
 
     def log_startup
-      @out.puts "Serving: #{root}"
-      @out.puts "Bind:    #{url_for(host)}"
-      @out.puts "Local:   #{url_for('127.0.0.1')}" unless localhost?(host)
-      @out.puts "Stop:    Ctrl-C"
-      warn_public_bind unless localhost?(host)
-    end
-
-    def warn_public_bind
-      @err.puts "WARNING: binding to #{host} exposes #{root} on your network."
-      @err.puts "         Pass --host 127.0.0.1 (or omit --host) for local-only access."
-    end
-
-    def url_for(display_host)
-      "http://#{display_host}:#{port}/"
+      Banner.new(host: host, port: port, root: root, out: @out, err: @err, tls: @tls).emit
     end
 
-    def localhost?(display_host)
-      ["127.0.0.1", "localhost", "::1"].include?(display_host)
+    def open_in_browser
+      BrowserLauncher.new(host: host, port: port, tls: @tls, err: @err).launch
     end
   end
 end

data/lib/wsv/status.rb

@@ -4,13 +4,17 @@ module Wsv
   module Status
     REASONS = {
       200 => "OK",
+      204 => "No Content",
+      206 => "Partial Content",
       301 => "Moved Permanently",
+      304 => "Not Modified",
       400 => "Bad Request",
       403 => "Forbidden",
       404 => "Not Found",
       405 => "Method Not Allowed",
       408 => "Request Timeout",
       414 => "URI Too Long",
+      416 => "Range Not Satisfiable",
       431 => "Request Header Fields Too Large",
       503 => "Service Unavailable"
     }.freeze