RubyGems - wsv - Versions diffs - 0.9.0 → 0.10.1 - Mend

wsv 0.9.0 → 0.10.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (34) hide show

checksums.yaml +4 -4
data/CHANGELOG.md +61 -0
data/README.md +79 -19
data/lib/wsv/app.rb +39 -4
data/lib/wsv/cli.rb +49 -3
data/lib/wsv/cors.rb +30 -0
data/lib/wsv/path_resolver.rb +6 -0
data/lib/wsv/request/parser.rb +2 -2
data/lib/wsv/request/too_large.rb +18 -0
data/lib/wsv/request.rb +1 -9
data/lib/wsv/response/file_builder.rb +6 -10
data/lib/wsv/response.rb +9 -0
data/lib/wsv/server/banner.rb +53 -0
data/lib/wsv/server/browser_launcher.rb +57 -0
data/lib/wsv/server/connection.rb +96 -0
data/lib/wsv/server/connection_throttle.rb +50 -0
data/lib/wsv/server/deadline_reader.rb +23 -0
data/lib/wsv/server/url_host.rb +16 -0
data/lib/wsv/server.rb +56 -122
data/lib/wsv/status.rb +1 -0
data/lib/wsv/tls_context/resolver.rb +71 -0
data/lib/wsv/tls_context/self_signed_cert.rb +38 -0
data/lib/wsv/tls_context.rb +29 -0
data/lib/wsv/version.rb +1 -1
data/lib/wsv.rb +2 -0
data/test/app_test.rb +194 -0
data/test/browser_launcher_test.rb +57 -0
data/test/cli_test.rb +64 -0
data/test/response_test.rb +8 -0
data/test/server_test.rb +57 -2
data/test/tls_context_test.rb +169 -0
data/wsv.gemspec +7 -6
metadata +23 -9
/data/{bin → exe}/wsv +0 -0

data/lib/wsv/server/browser_launcher.rb ADDED Viewed

@@ -0,0 +1,57 @@
+# frozen_string_literal: true
+require "rbconfig"
+require_relative "url_host"
+module Wsv
+  class Server
+    # Launches the OS default browser at the served URL when `--open` is set.
+    # Best-effort: unsupported platforms or spawn failures are logged but
+    # never abort the server.
+    class BrowserLauncher
+      def initialize(host:, port:, tls:, err:)
+        @host = host
+        @port = port
+        @tls = tls
+        @err = err
+      end
+      def launch
+        command = platform_command
+        unless command
+          @err.puts "wsv: --open is not supported on this platform; skipping."
+          return
+        end
+        pid = Process.spawn(*command, url, in: :close, out: File::NULL, err: File::NULL)
+        Process.detach(pid)
+      rescue StandardError => e
+        @err.puts "wsv: failed to open browser: #{e.message}"
+      end
+      private
+      def url
+        scheme = @tls ? "https" : "http"
+        "#{scheme}://#{UrlHost.format(display_host)}:#{@port}/"
+      end
+      def display_host
+        # Wildcard binds aren't reachable; redirect to the matching loopback.
+        case @host
+        when "0.0.0.0" then "127.0.0.1"
+        when "::" then "::1"
+        else @host
+        end
+      end
+      def platform_command
+        case RbConfig::CONFIG["host_os"]
+        when /darwin/ then ["open"]
+        when /linux|bsd/ then ["xdg-open"]
+        when /mswin|mingw|cygwin/ then ["cmd.exe", "/c", "start", ""]
+        end
+      end
+    end
+  end
+end

data/lib/wsv/server/connection.rb ADDED Viewed

@@ -0,0 +1,96 @@
+# frozen_string_literal: true
+require_relative "deadline_reader"
+require_relative "../request"
+require_relative "../response"
+module Wsv
+  class Server
+    # Owns a single accepted client socket. `serve` runs the request lifecycle
+    # (parse → app → write → drain → close); `reject` writes 503 (when allowed)
+    # and closes. Both share the safe-write / drain / close primitives so a
+    # broken peer cannot leak a connection or mask errors.
+    class Connection
+      DRAIN_TIMEOUT = 5
+      def initialize(client, err:)
+        @client = client
+        @err = err
+      end
+      def serve(app, read_timeout:)
+        reader = DeadlineReader.new(@client, Time.now + read_timeout)
+        request = Request.parse(reader)
+        case request
+        when :empty
+          nil
+        when :malformed
+          write(Response.text(400))
+        else
+          write(app.call(request))
+        end
+      rescue Request::TooLarge => e
+        write(Response.text(e.status_code))
+      rescue IO::TimeoutError
+        write(Response.text(408))
+      rescue StandardError => e
+        # Treat unmapped failures as connection-scoped and close with 400 rather
+        # than letting one bad request path bring down the server.
+        @err.puts "wsv: #{e.class}: #{e.message}"
+        write(Response.text(400))
+      ensure
+        graceful_close
+      end
+      def reject(reply:)
+        write(Response.text(503)) if reply
+      ensure
+        graceful_close
+      end
+      private
+      def write(response)
+        return if @client.closed?
+        response.write_to(@client)
+      rescue Errno::EPIPE, Errno::ECONNRESET, IOError
+        nil
+      end
+      def graceful_close
+        return if @client.closed?
+        drain_recv
+      rescue StandardError
+        nil
+      ensure
+        begin
+          @client.close unless @client.closed?
+        rescue StandardError
+          nil
+        end
+      end
+      def drain_recv
+        deadline = Time.now + DRAIN_TIMEOUT
+        loop do
+          return if Time.now >= deadline
+          chunk = @client.read_nonblock(8192, exception: false)
+          case chunk
+          when nil, :wait_writable
+            # nil = EOF. :wait_writable can come back from SSLSocket during a
+            # renegotiation (read needs an underlying write). Either way,
+            # there's nothing more we can usefully drain right now.
+            return
+          when :wait_readable
+            remaining = deadline - Time.now
+            return if remaining <= 0
+            return unless @client.wait_readable([remaining, 0.2].min)
+          end
+        end
+      end
+    end
+  end
+end

data/lib/wsv/server/connection_throttle.rb ADDED Viewed

@@ -0,0 +1,50 @@
+# frozen_string_literal: true
+module Wsv
+  class Server
+    # Caps in-flight connections at `max`. `try_spawn` runs the block in a new
+    # thread when capacity is available and returns true; otherwise returns
+    # false so the caller can reject the client.
+    class ConnectionThrottle
+      def initialize(max:, err:)
+        @max = max
+        @err = err
+        @mutex = Mutex.new
+        @active = 0
+      end
+      def try_spawn(&block)
+        return false unless reserve_slot
+        begin
+          Thread.new do
+            Thread.current.report_on_exception = false
+            block.call
+          ensure
+            release_slot
+          end
+          true
+        rescue ThreadError => e
+          @err.puts "wsv: thread error: #{e.message}"
+          release_slot
+          false
+        end
+      end
+      private
+      def reserve_slot
+        @mutex.synchronize do
+          next false if @active >= @max
+          @active += 1
+          true
+        end
+      end
+      def release_slot
+        @mutex.synchronize { @active -= 1 }
+      end
+    end
+  end
+end

data/lib/wsv/server/deadline_reader.rb ADDED Viewed

@@ -0,0 +1,23 @@
+# frozen_string_literal: true
+module Wsv
+  class Server
+    # Wraps an IO with a shared deadline so each subsequent read is bounded by
+    # the time remaining until the deadline. Used to enforce a single budget
+    # across the request line and all header lines.
+    class DeadlineReader
+      def initialize(io, deadline)
+        @io = io
+        @deadline = deadline
+      end
+      def gets(eol, limit)
+        remaining = @deadline - Time.now
+        raise IO::TimeoutError if remaining <= 0
+        @io.to_io.timeout = remaining
+        @io.gets(eol, limit)
+      end
+    end
+  end
+end

data/lib/wsv/server/url_host.rb ADDED Viewed

@@ -0,0 +1,16 @@
+# frozen_string_literal: true
+module Wsv
+  class Server
+    # Formats a host for inclusion in a URL. IPv6 literals are bracketed
+    # (RFC 3986); zone identifiers (`%eth0` etc.) are percent-encoded
+    # (RFC 6874).
+    module UrlHost
+      module_function
+      def format(host)
+        host.include?(":") ? "[#{host.gsub('%', '%25')}]" : host
+      end
+    end
+  end
+end

data/lib/wsv/server.rb CHANGED Viewed

@@ -1,15 +1,17 @@
 # frozen_string_literal: true
+require "openssl"
 require "socket"
 require_relative "app"
-require_relative "request"
-require_relative "response"
+require_relative "server/banner"
+require_relative "server/browser_launcher"
+require_relative "server/connection"
+require_relative "server/connection_throttle"
 module Wsv
   class Server
     DEFAULT_READ_TIMEOUT = 10
     DEFAULT_MAX_CONNECTIONS = 8
-    DRAIN_TIMEOUT = 5
     attr_reader :host, :port, :root
@@ -20,7 +22,11 @@ module Wsv
       out: $stdout,
       err: $stderr,
       read_timeout: DEFAULT_READ_TIMEOUT,
-      max_connections: DEFAULT_MAX_CONNECTIONS
+      max_connections: DEFAULT_MAX_CONNECTIONS,
+      tls: nil,
+      spa: false,
+      open: false,
+      cors: false
     )
       @host = host
       @port = port
@@ -28,11 +34,12 @@ module Wsv
       @out = out
       @err = err
       @read_timeout = read_timeout
-      @max_connections = max_connections
-      @app = App.new(@root)
+      @tls = tls
+      @ssl_context = tls&.to_ssl_context
+      @open = open
+      @app = App.new(@root, spa: spa, cors: cors)
+      @throttle = ConnectionThrottle.new(max: max_connections, err: err)
       @running = false
-      @mutex = Mutex.new
-      @active = 0
     end
     def start
@@ -40,6 +47,7 @@ module Wsv
       @running = true
       log_startup
       trap_signals
+      open_in_browser if @open
       accept_loop
     ensure
       close
@@ -50,84 +58,8 @@ module Wsv
       close
     end
-    def handle(client)
-      reader = DeadlineReader.new(client, Time.now + @read_timeout)
-      request = Request.parse(reader)
-      case request
-      when :empty
-        nil
-      when :malformed
-        write_response(client, Response.text(400))
-      else
-        write_response(client, @app.call(request))
-      end
-    rescue Request::TooLarge => e
-      write_response(client, Response.text(e.status_code))
-    rescue IO::TimeoutError
-      write_response(client, Response.text(408))
-    rescue StandardError => e
-      @err.puts "wsv: #{e.class}: #{e.message}"
-      write_response(client, Response.text(400))
-    ensure
-      graceful_close(client)
-    end
     private
-    def write_response(client, response)
-      return if client.closed?
-      response.write_to(client)
-    rescue Errno::EPIPE, Errno::ECONNRESET, IOError
-      nil
-    end
-    def graceful_close(client)
-      return if client.closed?
-      drain_recv(client)
-    rescue StandardError
-      nil
-    ensure
-      begin
-        client.close unless client.closed?
-      rescue StandardError
-        nil
-      end
-    end
-    def drain_recv(client)
-      deadline = Time.now + DRAIN_TIMEOUT
-      loop do
-        return if Time.now >= deadline
-        chunk = client.read_nonblock(8192, exception: false)
-        case chunk
-        when nil, :wait_writable
-          return
-        when :wait_readable
-          remaining = deadline - Time.now
-          return if remaining <= 0
-          return unless client.wait_readable([remaining, 0.2].min)
-        end
-      end
-    end
-    class DeadlineReader
-      def initialize(io, deadline)
-        @io = io
-        @deadline = deadline
-      end
-      def gets(limit)
-        remaining = @deadline - Time.now
-        raise IO::TimeoutError if remaining <= 0
-        @io.timeout = remaining
-        @io.gets(limit)
-      end
-    end
     def accept_loop
       while @running
         client = nil
@@ -155,33 +87,45 @@ module Wsv
     end
     def spawn_handler(client)
-      accepted = @mutex.synchronize do
-        next false if @active >= @max_connections
-        @active += 1
-        true
+      accepted = @throttle.try_spawn do
+        Connection.new(maybe_wrap_tls(client), err: @err).serve(@app, read_timeout: @read_timeout)
+      end
+      spawn_rejection(client) unless accepted
+    end
+    # Reject in a separate thread so a slow client cannot block accept_loop
+    # via Connection#graceful_close (up to Connection::DRAIN_TIMEOUT seconds).
+    # In TLS mode `client` is the raw TCPSocket before any handshake; writing
+    # a plaintext 503 would corrupt the TLS handshake the client is about to
+    # start, so suppress the reply in that case.
+    def spawn_rejection(client)
+      reply = !@ssl_context
+      Thread.new do
+        Thread.current.report_on_exception = false
+        Connection.new(client, err: @err).reject(reply: reply)
       end
+    rescue ThreadError
+      Connection.new(client, err: @err).reject(reply: reply)
+    end
-      return reject(client) unless accepted
+    def maybe_wrap_tls(client)
+      return client unless @ssl_context
+      client.timeout = @read_timeout
+      ssl = OpenSSL::SSL::SSLSocket.new(client, @ssl_context)
+      ssl.sync_close = true
+      ssl.accept
+      ssl
+    rescue StandardError
+      # If wrapping or the handshake failed, `serve` is never called and
+      # its ensure does not get a chance to close the underlying socket.
+      # Close it here so we do not leak a TCPSocket per failed handshake.
       begin
-        Thread.new do
-          Thread.current.report_on_exception = false
-          handle(client)
-        ensure
-          @mutex.synchronize { @active -= 1 }
-        end
-      rescue ThreadError => e
-        @err.puts "wsv: thread error: #{e.message}"
-        @mutex.synchronize { @active -= 1 }
-        reject(client)
+        client.close
+      rescue StandardError
+        nil
       end
-    end
-    def reject(client)
-      write_response(client, Response.text(503))
-    ensure
-      graceful_close(client)
+      raise
     end
     def close
@@ -196,28 +140,18 @@ module Wsv
         end
       end
     rescue ArgumentError
+      # Signal.trap raises ArgumentError when called from a context that
+      # cannot install signal handlers (e.g. embedded in a non-main thread,
+      # which is how tests start the server). Skip silently in that case.
       nil
     end
     def log_startup
-      @out.puts "Serving: #{root}"
-      @out.puts "Bind:    #{url_for(host)}"
-      @out.puts "Local:   #{url_for('127.0.0.1')}" unless localhost?(host)
-      @out.puts "Stop:    Ctrl-C"
-      warn_public_bind unless localhost?(host)
-    end
-    def warn_public_bind
-      @err.puts "WARNING: binding to #{host} exposes #{root} on your network."
-      @err.puts "         Pass --host 127.0.0.1 (or omit --host) for local-only access."
-    end
-    def url_for(display_host)
-      "http://#{display_host}:#{port}/"
+      Banner.new(host: host, port: port, root: root, out: @out, err: @err, tls: @tls).emit
     end
-    def localhost?(display_host)
-      ["127.0.0.1", "localhost", "::1"].include?(display_host)
+    def open_in_browser
+      BrowserLauncher.new(host: host, port: port, tls: @tls, err: @err).launch
     end
   end
 end

data/lib/wsv/status.rb CHANGED Viewed

@@ -4,6 +4,7 @@ module Wsv
   module Status
     REASONS = {
       200 => "OK",
+      204 => "No Content",
       206 => "Partial Content",
       301 => "Moved Permanently",
       304 => "Not Modified",

data/lib/wsv/tls_context/resolver.rb ADDED Viewed

@@ -0,0 +1,71 @@
+# frozen_string_literal: true
+require "openssl"
+module Wsv
+  class TlsContext
+    class Resolver
+      XDG_DIR = "wsv"
+      CERT_FILE = "cert.pem"
+      KEY_FILE = "key.pem"
+      def self.resolve(cert_path: nil, key_path: nil)
+        new(cert_path: cert_path, key_path: key_path).resolve
+      end
+      def initialize(cert_path: nil, key_path: nil)
+        @cert_path = cert_path
+        @key_path = key_path
+      end
+      def resolve
+        return from_files(@cert_path, @key_path) if @cert_path && @key_path
+        raise ArgumentError, "--cert and --key must be provided together" if @cert_path || @key_path
+        xdg = xdg_pair
+        return from_files(*xdg) if xdg
+        ephemeral
+      end
+      private
+      def from_files(cert_path, key_path)
+        cert = OpenSSL::X509::Certificate.new(File.read(cert_path))
+        key = OpenSSL::PKey.read(File.read(key_path))
+        raise ArgumentError, "key file at #{key_path} does not contain a private key" unless key.private?
+        unless cert.check_private_key(key)
+          raise ArgumentError,
+                "TLS certificate at #{cert_path} does not match the key at #{key_path}"
+        end
+        TlsContext.new(cert: cert, key: key)
+      end
+      def ephemeral
+        key = OpenSSL::PKey::RSA.new(2048)
+        cert = SelfSignedCert.build(key)
+        TlsContext.new(cert: cert, key: key, ephemeral: true)
+      end
+      def xdg_pair
+        cert = File.join(xdg_base, XDG_DIR, CERT_FILE)
+        key  = File.join(xdg_base, XDG_DIR, KEY_FILE)
+        cert_exists = File.exist?(cert)
+        key_exists  = File.exist?(key)
+        return [cert, key] if cert_exists && key_exists
+        if cert_exists ^ key_exists
+          raise ArgumentError, "found only one of #{cert} / #{key} -- both must exist or neither"
+        end
+        nil
+      end
+      def xdg_base
+        ENV["XDG_CONFIG_HOME"] || File.join(Dir.home, ".config")
+      end
+    end
+  end
+end

data/lib/wsv/tls_context/self_signed_cert.rb ADDED Viewed

@@ -0,0 +1,38 @@
+# frozen_string_literal: true
+require "openssl"
+require "securerandom"
+module Wsv
+  class TlsContext
+    class SelfSignedCert
+      SUBJECT = "/CN=localhost"
+      SAN = "DNS:localhost,IP:127.0.0.1,IP:::1"
+      VALIDITY_SECONDS = 365 * 24 * 60 * 60
+      def self.build(key)
+        new(key).build
+      end
+      def initialize(key)
+        @key = key
+      end
+      def build
+        cert = OpenSSL::X509::Certificate.new
+        cert.version = 2
+        cert.serial = SecureRandom.random_number((2**63) - 1) + 1
+        cert.subject = OpenSSL::X509::Name.parse(SUBJECT)
+        cert.issuer = cert.subject
+        cert.public_key = @key.public_key
+        cert.not_before = Time.now - 60
+        cert.not_after = Time.now + VALIDITY_SECONDS
+        ef = OpenSSL::X509::ExtensionFactory.new(cert, cert)
+        cert.add_extension(ef.create_extension("subjectAltName", SAN))
+        cert.add_extension(ef.create_extension("basicConstraints", "CA:FALSE", true))
+        cert.sign(@key, OpenSSL::Digest.new("SHA256"))
+        cert
+      end
+    end
+  end
+end

data/lib/wsv/tls_context.rb ADDED Viewed

@@ -0,0 +1,29 @@
+# frozen_string_literal: true
+require "openssl"
+require_relative "tls_context/self_signed_cert"
+require_relative "tls_context/resolver"
+module Wsv
+  class TlsContext
+    attr_reader :cert, :key
+    def initialize(cert:, key:, ephemeral: false)
+      @cert = cert
+      @key = key
+      @ephemeral = ephemeral
+    end
+    def ephemeral?
+      @ephemeral
+    end
+    def to_ssl_context
+      ctx = OpenSSL::SSL::SSLContext.new
+      ctx.cert = @cert
+      ctx.key = @key
+      ctx.min_version = OpenSSL::SSL::TLS1_2_VERSION
+      ctx
+    end
+  end
+end

data/lib/wsv/version.rb CHANGED Viewed

@@ -1,5 +1,5 @@
 # frozen_string_literal: true
 module Wsv
-  VERSION = "0.9.0"
+  VERSION = "0.10.1"
 end

data/lib/wsv.rb CHANGED Viewed

@@ -6,7 +6,9 @@ require_relative "wsv/mime_types"
 require_relative "wsv/path_resolver"
 require_relative "wsv/request"
 require_relative "wsv/response"
+require_relative "wsv/cors"
 require_relative "wsv/app"
+require_relative "wsv/tls_context"
 require_relative "wsv/server"
 require_relative "wsv/cli"