1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
|
require 'net/http'
require 'openid'
require 'openid/util'
begin
require 'net/https'
rescue LoadError
OpenID::Util.log('WARNING: no SSL support found. Will not be able ' +
'to fetch HTTPS URLs!')
require 'net/http'
end
MAX_RESPONSE_KB = 1024
module Net
class HTTP
def post_connection_check(hostname)
check_common_name = true
cert = @socket.io.peer_cert
cert.extensions.each { |ext|
next if ext.oid != "subjectAltName"
ext.value.split(/,\s+/).each{ |general_name|
if /\ADNS:(.*)/ =~ general_name
check_common_name = false
reg = Regexp.escape($1).gsub(/\\\*/, "[^.]+")
return true if /\A#{reg}\z/i =~ hostname
elsif /\AIP Address:(.*)/ =~ general_name
check_common_name = false
return true if $1 == hostname
end
}
}
if check_common_name
cert.subject.to_a.each{ |oid, value|
if oid == "CN"
reg = Regexp.escape(value).gsub(/\\\*/, "[^.]+")
return true if /\A#{reg}\z/i =~ hostname
end
}
end
raise OpenSSL::SSL::SSLError, "hostname does not match"
end
end
end
module OpenID
# Our HTTPResponse class extends Net::HTTPResponse with an additional
# method, final_url.
class HTTPResponse
attr_accessor :final_url
attr_accessor :_response
def self._from_net_response(response, final_url, headers=nil)
me = self.new
me._response = response
me.final_url = final_url
return me
end
def method_missing(method, *args)
@_response.send(method, *args)
end
def body=(s)
@_response.instance_variable_set('@body', s)
# XXX Hack to work around ruby's HTTP library behavior. @body
# is only returned if it has been read from the response
# object's socket, but since we're not using a socket in this
# case, we need to set the @read flag to true to avoid a bug in
# Net::HTTPResponse.stream_check when @socket is nil.
@_response.instance_variable_set('@read', true)
end
end
class FetchingError < OpenIDError
end
class HTTPRedirectLimitReached < FetchingError
end
class SSLFetchingError < FetchingError
end
@fetcher = nil
def self.fetch(url, body=nil, headers=nil,
redirect_limit=StandardFetcher::REDIRECT_LIMIT)
return fetcher.fetch(url, body, headers, redirect_limit)
end
def self.fetcher
if @fetcher.nil?
@fetcher = StandardFetcher.new
end
return @fetcher
end
def self.fetcher=(fetcher)
@fetcher = fetcher
end
# Set the default fetcher to use the HTTP proxy defined in the environment
# variable 'http_proxy'.
def self.fetcher_use_env_http_proxy
proxy_string = ENV['http_proxy']
return unless proxy_string
proxy_uri = URI.parse(proxy_string)
@fetcher = StandardFetcher.new(proxy_uri.host, proxy_uri.port,
proxy_uri.user, proxy_uri.password)
end
class StandardFetcher
USER_AGENT = "ruby-openid/#{OpenID::VERSION} (#{RUBY_PLATFORM})"
REDIRECT_LIMIT = 5
TIMEOUT = 60
attr_accessor :ca_file
attr_accessor :timeout
# I can fetch through a HTTP proxy; arguments are as for Net::HTTP::Proxy.
def initialize(proxy_addr=nil, proxy_port=nil,
proxy_user=nil, proxy_pass=nil)
@ca_file = nil
@proxy = Net::HTTP::Proxy(proxy_addr, proxy_port, proxy_user, proxy_pass)
@timeout = TIMEOUT
end
def supports_ssl?(conn)
return conn.respond_to?(:use_ssl=)
end
def make_http(uri)
http = @proxy.new(uri.host, uri.port)
http.read_timeout = @timeout
http.open_timeout = @timeout
return http
end
def set_verified(conn, verify)
if verify
conn.verify_mode = OpenSSL::SSL::VERIFY_PEER
else
conn.verify_mode = OpenSSL::SSL::VERIFY_NONE
end
end
def make_connection(uri)
conn = make_http(uri)
if !conn.is_a?(Net::HTTP)
raise RuntimeError, sprintf("Expected Net::HTTP object from make_http; got %s",
conn.class)
end
if uri.scheme == 'https'
if supports_ssl?(conn)
conn.use_ssl = true
if @ca_file
set_verified(conn, true)
conn.ca_file = @ca_file
else
Util.log("WARNING: making https request to #{uri} without verifying " +
"server certificate; no CA path was specified.")
set_verified(conn, false)
end
else
raise RuntimeError, "SSL support not found; cannot fetch #{uri}"
end
end
return conn
end
def fetch(url, body=nil, headers=nil, redirect_limit=REDIRECT_LIMIT)
unparsed_url = url.dup
url = URI::parse(url)
if url.nil?
raise FetchingError, "Invalid URL: #{unparsed_url}"
end
headers ||= {}
headers['User-agent'] ||= USER_AGENT
begin
conn = make_connection(url)
response = nil
response = conn.start {
# Check the certificate against the URL's hostname
if supports_ssl?(conn) and conn.use_ssl?
conn.post_connection_check(url.host)
end
if body.nil?
conn.request_get(url.request_uri, headers)
else
headers["Content-type"] ||= "application/x-www-form-urlencoded"
conn.request_post(url.request_uri, body, headers)
end
}
rescue RuntimeError => why
raise why
rescue OpenSSL::SSL::SSLError => why
raise SSLFetchingError, "Error connecting to SSL URL #{url}: #{why}"
rescue FetchingError => why
raise why
rescue Exception => why
# Things we've caught here include a Timeout::Error, which descends
# from SignalException.
raise FetchingError, "Error fetching #{url}: #{why}"
end
case response
when Net::HTTPRedirection
if redirect_limit <= 0
raise HTTPRedirectLimitReached.new(
"Too many redirects, not fetching #{response['location']}")
end
begin
return fetch(response['location'], body, headers, redirect_limit - 1)
rescue HTTPRedirectLimitReached => e
raise e
rescue FetchingError => why
raise FetchingError, "Error encountered in redirect from #{url}: #{why}"
end
else
return HTTPResponse._from_net_response(response, unparsed_url)
end
end
end
end
|
