File 0002-add-no_tlsv1_1-to-binder-config-etc.patch of Package rubygem-puma
From 075606f57b588f5edf6c04f7ff42e69f4b3a9cf9 Mon Sep 17 00:00:00 2001 From: dmaiocchi <dmaiocchi@suse.com> Date: Fri, 31 Jul 2020 18:12:26 +0200 Subject: [PATCH] add no_tlsv1_1 to binder, config, etc --- ext/puma_http11/org/jruby/puma/MiniSSL.java | 4 + lib/puma/binder.rb | 1 + lib/puma/dsl.rb | 68 ++++++++- test/test_binder.rb | 85 +++++++++-- test/test_config.rb | 159 ++++++++++++++------ 5 files changed, 259 insertions(+), 58 deletions(-) diff --git a/ext/puma_http11/org/jruby/puma/MiniSSL.java b/ext/puma_http11/org/jruby/puma/MiniSSL.java index 830e5699..82464255 100644 --- a/ext/puma_http11/org/jruby/puma/MiniSSL.java +++ b/ext/puma_http11/org/jruby/puma/MiniSSL.java @@ -165,6 +165,10 @@ public class MiniSSL extends RubyObject { protocols = new String[] { "TLSv1", "TLSv1.1", "TLSv1.2" }; } + if(miniSSLContext.callMethod(threadContext, "no_tlsv1_1").isTrue()) { + protocols = new String[] { "TLSv1.2" }; + } + engine.setEnabledProtocols(protocols); engine.setUseClientMode(false); diff --git a/lib/puma/binder.rb b/lib/puma/binder.rb index 5a2c618c..b794446e 100644 --- a/lib/puma/binder.rb +++ b/lib/puma/binder.rb @@ -185,6 +185,7 @@ module Puma end ctx.no_tlsv1 = true if params['no_tlsv1'] == 'true' + ctx.no_tlsv1_1 = true if params['no_tlsv1_1'] == 'true' if params['verify_mode'] ctx.verify_mode = case params['verify_mode'] diff --git a/lib/puma/dsl.rb b/lib/puma/dsl.rb index 8f78afba..73862845 100644 --- a/lib/puma/dsl.rb +++ b/lib/puma/dsl.rb @@ -1,3 +1,7 @@ +# frozen_string_literal: true + +require 'puma/const' + module Puma # The methods that are available for use inside the config file. # These same methods are used in Puma cli and the rack handler @@ -55,6 +59,14 @@ module Puma @plugins.clear end + def set_default_host(host) + @options[:default_host] = host + end + + def default_host + @options[:default_host] || Configuration::DefaultTCPHost + end + def inject(&blk) instance_eval(&blk) end 
@@ -93,7 +105,12 @@ module Puma end if opts[:no_token] - auth_token = :none + # We need to use 'none' rather than :none because this value will be + # passed on to an instance of OptionParser, which doesn't support + # symbols as option values. + # + # See: https://github.com/puma/puma/issues/1193#issuecomment-305995488 + auth_token = 'none' else auth_token = opts[:auth_token] auth_token ||= Configuration.random_token @@ -138,7 +155,7 @@ module Puma # Define the TCP port to bind to. Use +bind+ for more advanced options. # def port(port, host=nil) - host ||= Configuration::DefaultTCPHost + host ||= default_host bind "tcp://#{host}:#{port}" end @@ -265,6 +282,10 @@ module Puma @options[:redirect_append] = append end + def log_formatter(&block) + @options[:log_formatter] = block + end + # Configure +min+ to be the minimum number of threads to use to answer # requests and +max+ the maximum. # @@ -286,12 +307,15 @@ module Puma def ssl_bind(host, port, opts) verify = opts.fetch(:verify_mode, 'none') no_tlsv1 = opts.fetch(:no_tlsv1, 'false') + no_tlsv1_1 = opts.fetch(:no_tlsv1_1, 'false') + ca_additions = "&ca=#{opts[:ca]}" if ['peer', 'force_peer'].include?(verify) if defined?(JRUBY_VERSION) keystore_additions = "keystore=#{opts[:keystore]}&keystore-pass=#{opts[:keystore_pass]}" - bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}" + bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&#{keystore_additions}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}&no_tlsv1_1=#{no_tlsv1_1}#{ca_additions}" else - bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}" + ssl_cipher_filter = "&ssl_cipher_filter=#{opts[:ssl_cipher_filter]}" if opts[:ssl_cipher_filter] + bind "ssl://#{host}:#{port}?cert=#{opts[:cert]}&key=#{opts[:key]}#{ssl_cipher_filter}&verify_mode=#{verify}&no_tlsv1=#{no_tlsv1}&no_tlsv1_1=#{no_tlsv1_1}#{ca_additions}" end end 
@@ -366,6 +390,21 @@ module Puma alias_method :after_worker_boot, :after_worker_fork + # Code to run out-of-band when the worker is idle. + # These hooks run immediately after a request has finished + # processing and there are no busy threads on the worker. + # The worker doesn't accept new requests until this code finishes. + # + # This hook is useful for running out-of-band garbage collection + # or scheduling asynchronous tasks to execute after a response. + # + # This can be called multiple times to add hooks. + # + def out_of_band(&block) + @options[:out_of_band] ||= [] + @options[:out_of_band] << block + end + # The directory to operate out of. def directory(dir) @options[:directory] = dir.to_s @@ -415,6 +454,16 @@ module Puma @options[:prune_bundler] = answer end + # In environments where SIGTERM is something expected, instructing + # puma to shutdown gracefully ( for example in Kubernetes, where + # rolling restart is guaranteed usually on infrastructure level ) + # SignalException should not be raised for SIGTERM + # + # When set to false, if puma process receives SIGTERM, it won't raise SignalException + def raise_exception_on_sigterm(answer=true) + @options[:raise_exception_on_sigterm] = answer + end + # Additional text to display in process listing def tag(string) @options[:tag] = string.to_s @@ -425,7 +474,14 @@ module Puma # that have not checked in within the given +timeout+. # This mitigates hung processes. Default value is 60 seconds. def worker_timeout(timeout) - @options[:worker_timeout] = Integer(timeout) + timeout = Integer(timeout) + min = Const::WORKER_CHECK_INTERVAL + + if timeout <= min + raise "The minimum worker_timeout must be greater than the worker reporting interval (#{min})" + end + + @options[:worker_timeout] = timeout end # *Cluster mode only* Set the timeout for workers to boot 
@@ -494,7 +550,7 @@ module Puma when Hash if hdr = val[:header] @options[:remote_address] = :header - @options[:remote_address_header] = "HTTP_" + hdr.upcase.gsub("-", "_") + @options[:remote_address_header] = "HTTP_" + hdr.upcase.tr("-", "_") else raise "Invalid value for set_remote_address - #{val.inspect}" end -- 2.26.2
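Review bot: in ext/puma_http11/org/jruby/puma/MiniSSL.java (hunk at -165,6), the new `no_tlsv1_1` check runs after the existing protocol selection and overwrites the list with only "TLSv1.2", so enabling it also disables TLSv1 whatever `no_tlsv1` is set to. That is the safer result, but nothing in the hunk says it is intended. Add a comment stating that `no_tlsv1_1` implies `no_tlsv1`, and consider filtering the engine's supported protocols instead of assigning a literal array, so that the hard-coded list does not silently cap the server at TLSv1.2.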
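Review bot: in lib/puma/binder.rb (hunk at -185,6), `ctx.no_tlsv1_1 = true` needs a `no_tlsv1_1=` writer on the SSL context, but the diffstat lists only MiniSSL.java, binder.rb, dsl.rb and two test files, so nothing in this patch defines that writer or makes the non-JRuby extension honour it. Please confirm that an earlier patch in the series provides both. Otherwise this line raises NoMethodError on MRI, or sets a flag that is never enforced. Separately, the comparison `params['no_tlsv1_1'] == 'true'` leaves TLS 1.1 enabled for any other spelling of the value. Rejecting unrecognised values would fail closed instead.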
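Review bot: in lib/puma/dsl.rb, `ssl_bind` (hunk at -286,12), the option values (`opts[:ca]`, `opts[:ssl_cipher_filter]`, and now `no_tlsv1_1`) are interpolated into the `ssl://` query string without escaping, so a value containing `&` or `=` would be read back by the binder as additional or overriding parameters, including the protocol flags this patch adds. Escape each value when building the URI and check that the binder decodes it. Also, when `verify_mode` is `peer` or `force_peer` and `:ca` is not supplied, `ca_additions` becomes `&ca=` with an empty value. Raising an error in that case is clearer than passing an empty CA path along.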
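Review bot: the lib/puma/dsl.rb hunks at -366,6, -415,6 and -425,7 (`out_of_band`, `raise_exception_on_sigterm`, and the new `worker_timeout` check) have nothing to do with the subject "add no_tlsv1_1 to binder, config, etc", and one of them changes behaviour: `worker_timeout` now raises at configuration load when `timeout <= min`, so an existing config with a low timeout stops the server from starting after this update. For a TLS hardening backport, move these changes into their own patch or list them in the commit message, so that whoever reviews the protocol change can see that the rest is intentional.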