class Vault::PersistentHTTP

Constants

DEFAULT_POOL_SIZE

The default connection pool size is 1/4 the allowed open files.

VERSION

The version of PersistentHTTP you are using

Attributes

ca_file[R]

An SSL certificate authority. Setting this will set verify_mode to VERIFY_PEER.

ca_path[R]

A directory of SSL certificates to be used as certificate authorities. Setting this will set verify_mode to VERIFY_PEER.

cert[R]

This client's OpenSSL::X509::Certificate

cert_store[R]

An SSL certificate store. Setting this will override the default certificate store. See verify_mode for more information.

certificate[R]

This client's OpenSSL::X509::Certificate

ciphers[R]

The ciphers allowed for SSL connections

debug_output[RW]

Sends debug_output to this IO via Net::HTTP#set_debug_output.

Never use this method in production code, it causes a serious security hole.

headers[R]

Headers that are added to every request using Net::HTTP#add_field

http_versions[R]

Maps host:port to an HTTP version. This allows us to enable version specific features.

idle_timeout[RW]

Maximum time an unused connection can remain idle before being automatically closed.

keep_alive[RW]

The value sent in the Keep-Alive header. Defaults to 30. Not needed for HTTP/1.1 servers.

This may not work correctly for HTTP/1.0 servers

This method may be removed in a future version as RFC 2616 does not require this header.

key[R]

This client's SSL private key

max_requests[RW]

Maximum number of requests on a connection before it is considered expired and automatically closed.

name[R]

A name for this connection. Allows you to keep your connections apart from everybody else's.

no_proxy[R]

List of host suffixes which will not be proxied

open_timeout[RW]

Seconds to wait until a connection is opened. See Net::HTTP#open_timeout

override_headers[R]

Headers that are added to every request using Net::HTTP#[]=

private_key[R]

This client's SSL private key

proxy_uri[R]

The URL through which requests will be proxied

read_timeout[RW]

Seconds to wait until reading one block. See Net::HTTP#read_timeout

retry_change_requests[RW]

Enable retries of non-idempotent requests that change data (e.g. POST requests) when the server has disconnected.

This will in the worst case lead to multiple requests with the same data, but it may be useful for some applications. Take care when enabling this option to ensure it is safe to POST or perform other non-idempotent requests to the server.

reuse_ssl_sessions[RW]

By default SSL sessions are reused to avoid extra SSL handshakes. Set this to false if you have problems communicating with an HTTPS server like:

SSL_connect [...] read finished A: unexpected message (OpenSSL::SSL::SSLError)
socket_options[R]

An array of options for Socket#setsockopt.

By default the TCP_NODELAY option is set on sockets.

To set additional options append them to this array:

http.socket_options << [Socket::SOL_SOCKET, Socket::SO_KEEPALIVE, 1]
ssl_timeout[R]

SSL session lifetime

ssl_version[R]

SSL version to use.

By default, the version will be negotiated automatically between client and server. Ruby 1.9 and newer only.

verify_callback[R]

SSL verification callback. Used when ca_file or ca_path is set.

verify_depth[R]

Sets the depth of SSL certificate verification

verify_mode[R]

HTTPS verify mode. Defaults to OpenSSL::SSL::VERIFY_PEER which verifies the server certificate.

If no ca_file, ca_path or cert_store is set the default system certificate store is used.

You can use verify_mode to override any default values.

Public Class Methods

detect_idle_timeout(uri, max = 10) click to toggle source

Use this method to detect the idle timeout of the host at uri. The value returned can be used to configure idle_timeout. max controls the maximum idle timeout to detect.

After

Idle timeout detection is performed by creating a connection then performing a HEAD request in a loop until the connection terminates waiting one additional second per loop.

NOTE: This may not work on ruby > 1.9.

# File lib/vault/persistent.rb, line 250
def self.detect_idle_timeout uri, max = 10
  uri = URI uri unless URI::Generic === uri
  uri += '/'

  req = Net::HTTP::Head.new uri.request_uri

  http = new 'net-http-persistent detect_idle_timeout'

  http.connection_for uri do |connection|
    sleep_time = 0

    http = connection.http

    loop do
      response = http.request req

      $stderr.puts "HEAD #{uri} => #{response.code}" if $DEBUG

      unless Net::HTTPOK === response then
        raise Error, "bad response code #{response.code} detecting idle timeout"
      end

      break if sleep_time >= max

      sleep_time += 1

      $stderr.puts "sleeping #{sleep_time}" if $DEBUG
      sleep sleep_time
    end
  end
rescue
  # ignore StandardErrors, we've probably found the idle timeout.
ensure
  return sleep_time unless $!
end
new(name=nil, proxy=nil, pool_size=DEFAULT_POOL_SIZE) click to toggle source

Creates a new PersistentHTTP.

Set name to keep your connections apart from everybody else's. Not required currently, but highly recommended. Your library name should be good enough. This parameter will be required in a future version.

proxy may be set to a URI::HTTP or :ENV to pick up proxy options from the environment. See proxy_from_env for details.

In order to use a URI for the proxy you may need to do some extra work beyond URI parsing if the proxy requires a password:

proxy = URI 'http://proxy.example'
proxy.user     = 'AzureDiamond'
proxy.password = 'hunter2'

Set pool_size to limit the maximum number of connections allowed. Defaults to 1/4 the number of allowed file handles. You can have no more than this many threads with active HTTP transactions.

# File lib/vault/persistent.rb, line 508
def initialize name=nil, proxy=nil, pool_size=DEFAULT_POOL_SIZE
  @name = name

  @debug_output     = nil
  @proxy_uri        = nil
  @no_proxy         = []
  @headers          = {}
  @override_headers = {}
  @http_versions    = {}
  @keep_alive       = 30
  @open_timeout     = nil
  @read_timeout     = nil
  @idle_timeout     = 5
  @max_requests     = nil
  @socket_options   = []
  @ssl_generation   = 0 # incremented when SSL session variables change

  @socket_options << [Socket::IPPROTO_TCP, Socket::TCP_NODELAY, 1] if
    Socket.const_defined? :TCP_NODELAY

  @pool = PersistentHTTP::Pool.new size: pool_size do |http_args|
    PersistentHTTP::Connection.new Net::HTTP, http_args, @ssl_generation
  end

  @certificate        = nil
  @ca_file            = nil
  @ca_path            = nil
  @ciphers            = nil
  @private_key        = nil
  @ssl_timeout        = nil
  @ssl_version        = nil
  @verify_callback    = nil
  @verify_depth       = nil
  @verify_mode        = nil
  @cert_store         = nil

  @generation         = 0 # incremented when proxy URI changes

  if HAVE_OPENSSL then
    @verify_mode        = OpenSSL::SSL::VERIFY_PEER
    @reuse_ssl_sessions = OpenSSL::SSL.const_defined? :Session
  end

  @retry_change_requests = false

  self.proxy = proxy if proxy
end

Public Instance Methods

ca_file=(file) click to toggle source

Sets the SSL certificate authority file.

# File lib/vault/persistent.rb, line 571
def ca_file= file
  @ca_file = file

  reconnect_ssl
end
ca_path=(path) click to toggle source

Sets the SSL certificate authority path.

# File lib/vault/persistent.rb, line 580
def ca_path= path
  @ca_path = path

  reconnect_ssl
end
can_retry?(req) click to toggle source

Is the request req idempotent or is retry_change_requests allowed.

# File lib/vault/persistent.rb, line 740
def can_retry? req
  @retry_change_requests && !idempotent?(req)
end
cert=(certificate)

For Net::HTTP parity

Alias for: certificate=
cert_store=(store) click to toggle source

Overrides the default SSL certificate store used for verifying connections.

# File lib/vault/persistent.rb, line 590
def cert_store= store
  @cert_store = store

  reconnect_ssl
end
certificate=(certificate) click to toggle source

Sets this client's OpenSSL::X509::Certificate

# File lib/vault/persistent.rb, line 559
def certificate= certificate
  @certificate = certificate

  reconnect_ssl
end
Also aliased as: cert=
ciphers=(ciphers) click to toggle source

The ciphers allowed for SSL connections

# File lib/vault/persistent.rb, line 599
def ciphers= ciphers
  @ciphers = ciphers

  reconnect_ssl
end
connection_for(uri) { |connection| ... } click to toggle source

Creates a new connection for uri

# File lib/vault/persistent.rb, line 608
def connection_for uri
  use_ssl = uri.scheme.downcase == 'https'

  net_http_args = [uri.host, uri.port]

  net_http_args.concat @proxy_args if
    @proxy_uri and not proxy_bypass? uri.host, uri.port

  connection = @pool.checkout net_http_args

  http = connection.http

  connection.ressl @ssl_generation if
    connection.ssl_generation != @ssl_generation

  if not http.started? then
    ssl   http if use_ssl
    start http
  elsif expired? connection then
    reset connection
  end

  http.read_timeout = @read_timeout if @read_timeout
  http.keep_alive_timeout = @idle_timeout if @idle_timeout

  return yield connection
rescue Errno::ECONNREFUSED
  address = http.proxy_address || http.address
  port    = http.proxy_port    || http.port

  raise Error, "connection refused: #{address}:#{port}"
rescue Errno::EHOSTDOWN
  address = http.proxy_address || http.address
  port    = http.proxy_port    || http.port

  raise Error, "host down: #{address}:#{port}"
ensure
  # Only perform checkin if we successfully checked a connection out
  if connection
    @pool.checkin net_http_args
  end
end
error_message(connection) click to toggle source

Returns an error message containing the number of requests performed on this connection

# File lib/vault/persistent.rb, line 655
def error_message connection
  connection.requests -= 1 # fixup

  age = Time.now - connection.last_use

  "after #{connection.requests} requests on #{connection.http.object_id}, " \
    "last used #{age} seconds ago"
end
escape(str) click to toggle source

URI::escape wrapper

# File lib/vault/persistent.rb, line 667
def escape str
  CGI.escape str if str
end
expired?(connection) click to toggle source

Returns true if the connection should be reset due to an idle timeout, or maximum request count, false otherwise.

# File lib/vault/persistent.rb, line 683
def expired? connection
  return true  if     @max_requests && connection.requests >= @max_requests
  return false unless @idle_timeout
  return true  if     @idle_timeout.zero?

  Time.now - connection.last_use > @idle_timeout
end
finish(connection) click to toggle source

Finishes the Net::HTTP connection

# File lib/vault/persistent.rb, line 712
def finish connection
  connection.finish

  connection.http.instance_variable_set :@ssl_session, nil unless
    @reuse_ssl_sessions
end
http_version(uri) click to toggle source

Returns the HTTP protocol version for uri

# File lib/vault/persistent.rb, line 722
def http_version uri
  @http_versions["#{uri.host}:#{uri.port}"]
end
idempotent?(req) click to toggle source

Is req idempotent according to RFC 2616?

# File lib/vault/persistent.rb, line 729
def idempotent? req
  case req
  when Net::HTTP::Delete, Net::HTTP::Get, Net::HTTP::Head,
       Net::HTTP::Options, Net::HTTP::Put, Net::HTTP::Trace then
    true
  end
end
key=(key)

For Net::HTTP parity

Alias for: private_key=
normalize_uri(uri) click to toggle source

Adds “http://” to the String uri if it is missing.

# File lib/vault/persistent.rb, line 747
def normalize_uri uri
  (uri =~ /^https?:/) ? uri : "http://#{uri}"
end
pipeline(uri, requests) { |responses| ... } click to toggle source

Pipelines requests to the HTTP server at uri yielding responses if a block is given. Returns all responses recieved.

See Net::HTTP::Pipeline for further details.

Only if net-http-pipeline was required before net-http-persistent pipeline will be present.

# File lib/vault/persistent.rb, line 762
def pipeline uri, requests, &block # :yields: responses
  connection_for uri do |connection|
    connection.http.pipeline requests, &block
  end
end
private_key=(key) click to toggle source

Sets this client's SSL private key

# File lib/vault/persistent.rb, line 771
def private_key= key
  @private_key = key

  reconnect_ssl
end
Also aliased as: key=
proxy=(proxy) click to toggle source

Sets the proxy server. The proxy may be the URI of the proxy server, the symbol :ENV which will read the proxy from the environment or nil to disable use of a proxy. See proxy_from_env for details on setting the proxy from the environment.

If the proxy URI is set after requests have been made, the next request will shut-down and re-open all connections.

The no_proxy query parameter can be used to specify hosts which shouldn't be reached via proxy; if set it should be a comma separated list of hostname suffixes, optionally with :port appended, for example example.com,some.host:8080.

# File lib/vault/persistent.rb, line 794
def proxy= proxy
  @proxy_uri = case proxy
               when :ENV      then proxy_from_env
               when URI::HTTP then proxy
               when nil       then # ignore
               else raise ArgumentError, 'proxy must be :ENV or a URI::HTTP'
               end

  @no_proxy.clear

  if @proxy_uri then
    @proxy_args = [
      @proxy_uri.host,
      @proxy_uri.port,
      unescape(@proxy_uri.user),
      unescape(@proxy_uri.password),
    ]

    @proxy_connection_id = [nil, *@proxy_args].join ':'

    if @proxy_uri.query then
      @no_proxy = CGI.parse(@proxy_uri.query)['no_proxy'].join(',').downcase.split(',').map { |x| x.strip }.reject { |x| x.empty? }
    end
  end

  reconnect
  reconnect_ssl
end
proxy_bypass?(host, port) click to toggle source

Returns true when proxy should by bypassed for host.

# File lib/vault/persistent.rb, line 868
def proxy_bypass? host, port
  host = host.downcase
  host_port = [host, port].join ':'

  @no_proxy.each do |name|
    return true if host[-name.length, name.length] == name or
       host_port[-name.length, name.length] == name
  end

  false
end
proxy_from_env() click to toggle source

Creates a URI for an HTTP proxy server from ENV variables.

If HTTP_PROXY is set a proxy will be returned.

If HTTP_PROXY_USER or HTTP_PROXY_PASS are set the URI is given the indicated user and password unless HTTP_PROXY contains either of these in the URI.

The NO_PROXY ENV variable can be used to specify hosts which shouldn't be reached via proxy; if set it should be a comma separated list of hostname suffixes, optionally with :port appended, for example example.com,some.host:8080. When set to * no proxy will be returned.

For Windows users, lowercase ENV variables are preferred over uppercase ENV variables.

# File lib/vault/persistent.rb, line 841
def proxy_from_env
  env_proxy = ENV['http_proxy'] || ENV['HTTP_PROXY']

  return nil if env_proxy.nil? or env_proxy.empty?

  uri = URI normalize_uri env_proxy

  env_no_proxy = ENV['no_proxy'] || ENV['NO_PROXY']

  # '*' is special case for always bypass
  return nil if env_no_proxy == '*'

  if env_no_proxy then
    uri.query = "no_proxy=#{escape(env_no_proxy)}"
  end

  unless uri.user or uri.password then
    uri.user     = escape ENV['http_proxy_user'] || ENV['HTTP_PROXY_USER']
    uri.password = escape ENV['http_proxy_pass'] || ENV['HTTP_PROXY_PASS']
  end

  uri
end
reconnect() click to toggle source

Forces reconnection of HTTP connections.

# File lib/vault/persistent.rb, line 883
def reconnect
  @generation += 1
end
reconnect_ssl() click to toggle source

Forces reconnection of SSL connections.

# File lib/vault/persistent.rb, line 890
def reconnect_ssl
  @ssl_generation += 1
end
request(uri, req = nil, &block) click to toggle source

Makes a request on uri. If req is nil a Net::HTTP::Get is performed against uri.

If a block is passed request behaves like Net::HTTP#request (the body of the response will not have been read).

req must be a Net::HTTPRequest subclass (see Net::HTTP for a list).

If there is an error and the request is idempotent according to RFC 2616 it will be retried automatically.

# File lib/vault/persistent.rb, line 925
def request uri, req = nil, &block
  retried      = false
  bad_response = false

  uri      = URI uri
  req      = request_setup req || uri
  response = nil

  connection_for uri do |connection|
    http = connection.http

    begin
      connection.requests += 1

      response = http.request req, &block

      if req.connection_close? or
         (response.http_version <= '1.0' and
          not response.connection_keep_alive?) or
         response.connection_close? then
        finish connection
      end
    rescue Net::HTTPBadResponse => e
      message = error_message connection

      finish connection

      raise Error, "too many bad responses #{message}" if
      bad_response or not can_retry? req

      bad_response = true
      retry
    rescue *RETRIED_EXCEPTIONS => e
      request_failed e, req, connection if
        retried or not can_retry? req

      reset connection

      retried = true
      retry
    rescue Errno::EINVAL, Errno::ETIMEDOUT => e # not retried on ruby 2
      request_failed e, req, connection if retried or not can_retry? req

      reset connection

      retried = true
      retry
    rescue Exception => e
      finish connection

      raise
    ensure
      connection.last_use = Time.now
    end
  end

  @http_versions["#{uri.host}:#{uri.port}"] ||= response.http_version

  response
end
reset(connection) click to toggle source

Finishes then restarts the Net::HTTP connection

# File lib/vault/persistent.rb, line 897
def reset connection
  http = connection.http

  finish connection

  start http
rescue Errno::ECONNREFUSED
  e = Error.new "connection refused: #{http.address}:#{http.port}"
  e.set_backtrace $@
  raise e
rescue Errno::EHOSTDOWN
  e = Error.new "host down: #{http.address}:#{http.port}"
  e.set_backtrace $@
  raise e
end
shutdown() click to toggle source

Shuts down all connections

NOTE: Calling shutdown for can be dangerous!

If any thread is still using a connection it may cause an error! Call shutdown when you are completely done making requests!

# File lib/vault/persistent.rb, line 1038
def shutdown
  @pool.available.shutdown do |http|
    http.finish
  end
end
ssl(connection) click to toggle source

Enables SSL on connection

# File lib/vault/persistent.rb, line 1047
  def ssl connection
    connection.use_ssl = true

    connection.ciphers     = @ciphers     if @ciphers
    connection.ssl_timeout = @ssl_timeout if @ssl_timeout
    connection.ssl_version = @ssl_version if @ssl_version

    connection.verify_depth = @verify_depth
    connection.verify_mode  = @verify_mode

    if OpenSSL::SSL::VERIFY_PEER == OpenSSL::SSL::VERIFY_NONE and
       not Object.const_defined?(:I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG) then
      warn <<-WARNING
                             !!!SECURITY WARNING!!!

The SSL HTTP connection to:

  #{connection.address}:#{connection.port}

                           !!!MAY NOT BE VERIFIED!!!

On your platform your OpenSSL implementation is broken.

There is no difference between the values of VERIFY_NONE and VERIFY_PEER.

This means that attempting to verify the security of SSL connections may not
work.  This exposes you to man-in-the-middle exploits, snooping on the
contents of your connection and other dangers to the security of your data.

To disable this warning define the following constant at top-level in your
application:

  I_KNOW_THAT_OPENSSL_VERIFY_PEER_EQUALS_VERIFY_NONE_IS_WRONG = nil

      WARNING
    end

    connection.ca_file = @ca_file if @ca_file
    connection.ca_path = @ca_path if @ca_path

    if @ca_file or @ca_path then
      connection.verify_callback = @verify_callback if @verify_callback
    end

    if @certificate and @private_key then
      connection.cert = @certificate
      connection.key  = @private_key
    end

    connection.cert_store = if @cert_store then
                              @cert_store
                            else
                              store = OpenSSL::X509::Store.new
                              store.set_default_paths
                              store
                            end
  end
ssl_timeout=(ssl_timeout) click to toggle source

SSL session lifetime

# File lib/vault/persistent.rb, line 1108
def ssl_timeout= ssl_timeout
  @ssl_timeout = ssl_timeout

  reconnect_ssl
end
ssl_version=(ssl_version) click to toggle source

SSL version to use

# File lib/vault/persistent.rb, line 1117
def ssl_version= ssl_version
  @ssl_version = ssl_version

  reconnect_ssl
end
start(http) click to toggle source

Starts the Net::HTTP connection

# File lib/vault/persistent.rb, line 694
def start http
  http.set_debug_output @debug_output if @debug_output
  http.open_timeout = @open_timeout if @open_timeout

  http.start

  socket = http.instance_variable_get :@socket

  if socket then # for fakeweb
    @socket_options.each do |option|
      socket.io.setsockopt(*option)
    end
  end
end
unescape(str) click to toggle source

URI::unescape wrapper

# File lib/vault/persistent.rb, line 674
def unescape str
  CGI.unescape str if str
end
verify_callback=(callback) click to toggle source

SSL verification callback.

# File lib/vault/persistent.rb, line 1148
def verify_callback= callback
  @verify_callback = callback

  reconnect_ssl
end
verify_depth=(verify_depth) click to toggle source

Sets the depth of SSL certificate verification

# File lib/vault/persistent.rb, line 1126
def verify_depth= verify_depth
  @verify_depth = verify_depth

  reconnect_ssl
end
verify_mode=(verify_mode) click to toggle source

Sets the HTTPS verify mode. Defaults to OpenSSL::SSL::VERIFY_PEER.

Setting this to VERIFY_NONE is a VERY BAD IDEA and should NEVER be used. Securely transfer the correct certificate and update the default certificate store or set the ca file instead.

# File lib/vault/persistent.rb, line 1139
def verify_mode= verify_mode
  @verify_mode = verify_mode

  reconnect_ssl
end